clawfast 2.0.0 → 2.0.2

package/dist/clawfast.cjs

@@ -85,8 +85,8 @@ var init_boot_ui = __esm({
 var require_main = __commonJS({
   "../node_modules/.pnpm/dotenv@17.4.2/node_modules/dotenv/lib/main.js"(exports2, module2) {
     "use strict";
-    var fs6 = require("fs");
-    var path10 = require("path");
+    var fs8 = require("fs");
+    var path12 = require("path");
     var os7 = require("os");
     var crypto2 = require("crypto");
     var TIPS = [
@@ -217,7 +217,7 @@ var require_main = __commonJS({
       if (options && options.path && options.path.length > 0) {
         if (Array.isArray(options.path)) {
           for (const filepath of options.path) {
-            if (fs6.existsSync(filepath)) {
+            if (fs8.existsSync(filepath)) {
               possibleVaultPath = filepath.endsWith(".vault") ? filepath : `${filepath}.vault`;
             }
           }
@@ -225,15 +225,15 @@ var require_main = __commonJS({
           possibleVaultPath = options.path.endsWith(".vault") ? options.path : `${options.path}.vault`;
         }
       } else {
-        possibleVaultPath = path10.resolve(process.cwd(), ".env.vault");
+        possibleVaultPath = path12.resolve(process.cwd(), ".env.vault");
       }
-      if (fs6.existsSync(possibleVaultPath)) {
+      if (fs8.existsSync(possibleVaultPath)) {
         return possibleVaultPath;
       }
       return null;
     }
     function _resolveHome(envPath) {
-      return envPath[0] === "~" ? path10.join(os7.homedir(), envPath.slice(1)) : envPath;
+      return envPath[0] === "~" ? path12.join(os7.homedir(), envPath.slice(1)) : envPath;
     }
     function _configVault(options) {
       const debug = parseBoolean(process.env.DOTENV_CONFIG_DEBUG || options && options.debug);
@@ -250,7 +250,7 @@ var require_main = __commonJS({
       return { parsed };
     }
     function configDotenv(options) {
-      const dotenvPath = path10.resolve(process.cwd(), ".env");
+      const dotenvPath = path12.resolve(process.cwd(), ".env");
       let encoding = "utf8";
       let processEnv = process.env;
       if (options && options.processEnv != null) {
@@ -278,13 +278,13 @@ var require_main = __commonJS({
       }
       let lastError;
       const parsedAll = {};
-      for (const path11 of optionPaths) {
+      for (const path13 of optionPaths) {
         try {
-          const parsed = DotenvModule.parse(fs6.readFileSync(path11, { encoding }));
+          const parsed = DotenvModule.parse(fs8.readFileSync(path13, { encoding }));
           DotenvModule.populate(parsedAll, parsed, options);
         } catch (e) {
           if (debug) {
-            _debug(`failed to load ${path11} ${e.message}`);
+            _debug(`failed to load ${path13} ${e.message}`);
           }
           lastError = e;
         }
@@ -297,7 +297,7 @@ var require_main = __commonJS({
         const shortPaths = [];
         for (const filePath of optionPaths) {
           try {
-            const relative2 = path10.relative(process.cwd(), filePath);
+            const relative2 = path12.relative(process.cwd(), filePath);
             shortPaths.push(relative2);
           } catch (e) {
             if (debug) {
@@ -426,6 +426,52 @@ ${line}
   }
   import_node_fs.default.writeFileSync(filePath, content, { encoding: "utf8", mode: 384 });
 }
+function fileDefines(filePath, key) {
+  try {
+    const content = import_node_fs.default.readFileSync(filePath, "utf8");
+    return new RegExp(`^${key}=`, "m").test(content);
+  } catch {
+    return false;
+  }
+}
+function swapNvidiaKey(key) {
+  const local = import_node_path.default.resolve(process.cwd(), ".env.local");
+  const target = fileDefines(local, "NVIDIA_API_KEY") ? local : clawfastEnvPath();
+  setEnvVar(target, "NVIDIA_API_KEY", key);
+  process.env.NVIDIA_API_KEY = key;
+  return target;
+}
+async function testNvidiaKey(key) {
+  const baseURL = process.env.NVIDIA_BASE_URL || "https://integrate.api.nvidia.com/v1";
+  try {
+    const res = await fetch(`${baseURL.replace(/\/$/, "")}/chat/completions`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${key}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        model: "openai/gpt-oss-120b",
+        messages: [{ role: "user", content: "hi" }],
+        max_tokens: 1
+      })
+    });
+    if (res.ok) return { ok: true, status: res.status, detail: "OK" };
+    let detail = res.statusText || `HTTP ${res.status}`;
+    try {
+      const body = await res.json();
+      detail = body.detail || body.error?.message || body.title || detail;
+    } catch {
+    }
+    return { ok: false, status: res.status, detail };
+  } catch (err) {
+    return {
+      ok: false,
+      status: 0,
+      detail: err instanceof Error ? err.message : String(err)
+    };
+  }
+}
 function promptLine(question) {
   const rl = import_node_readline.default.createInterface({
     input: process.stdin,
@@ -502,7 +548,7 @@ var clawfastVersion, isDevVersion, isNewerVersion;
 var init_version = __esm({
   "src/version.ts"() {
     "use strict";
-    clawfastVersion = () => true ? "2.0.0" : "0.0.0-dev";
+    clawfastVersion = () => true ? "2.0.2" : "0.0.0-dev";
     isDevVersion = () => clawfastVersion().includes("-dev");
     isNewerVersion = (a, b) => {
       const parse3 = (v) => v.split("-")[0].split(".").map((n) => Number.parseInt(n, 10) || 0);
@@ -869,14 +915,140 @@ var init_skills = __esm({
   }
 });
 
+// src/ui.ts
+var ui_exports = {};
+__export(ui_exports, {
+  C: () => C2,
+  agentHeader: () => agentHeader,
+  buildBanner: () => buildBanner,
+  shellPrompt: () => shellPrompt,
+  shortCwd: () => shortCwd,
+  ui: () => ui,
+  vlen: () => vlen
+});
+function shortCwd() {
+  const cwd = process.cwd();
+  const home = import_node_os2.default.homedir();
+  const rel = cwd.startsWith(home) ? "~" + cwd.slice(home.length) : cwd;
+  const norm = rel.replace(/\\/g, "/");
+  if (norm.length <= 30) return norm;
+  const parts = norm.split("/");
+  return parts.length > 3 ? `${parts[0]}/\u2026/${parts[parts.length - 1]}` : norm.slice(-30);
+}
+function asciiTitle(text2) {
+  const rows = 6;
+  const out3 = [];
+  for (let r = 0; r < rows; r++) {
+    out3.push(
+      [...text2].map((ch) => GLYPHS[ch] ? GLYPHS[ch][r] : "      ").join(" ")
+    );
+  }
+  return out3;
+}
+function buildBanner(_systemPromptChars, version3 = "1") {
+  const user = (import_node_os2.default.userInfo().username || "hacker").toLowerCase();
+  const host = (import_node_os2.default.hostname() || "localhost").split(".")[0].toLowerCase();
+  const art = asciiTitle("CLAWFAST");
+  const artW = vlen(art[0]);
+  const slogan = "Com o clawfast voc\xEA faz tudo";
+  const header = [
+    "",
+    ...art.map((line) => `${C2.greenB}${C2.bold}${line}${C2.reset}`),
+    "",
+    `${C2.cyanB}${C2.bold}${center(slogan, artW)}${C2.reset}`,
+    ""
+  ];
+  const info = [
+    { text: "" },
+    { text: `Bem-vindo de volta, ${user}!`, accent: true },
+    { text: "" },
+    { text: "clawfast usa a pasta SPRIT/ para criar" },
+    { text: "arquivos, scripts e tudo mais." },
+    { text: "" },
+    { text: `${user}@${host} \xB7 sem limites` },
+    { text: shortCwd() },
+    { text: "" }
+  ];
+  const title = `clawfast v${version3}`;
+  const topFill = "\u2500".repeat(Math.max(0, BOX_W - vlen(title) - 5));
+  const top = `${C2.green}\u256D\u2500 ${C2.greenB}${C2.bold}${title}${C2.reset}${C2.green} ${topFill}\u256E${C2.reset}`;
+  const bottom = `${C2.green}\u2570${"\u2500".repeat(BOX_W - 2)}\u256F${C2.reset}`;
+  const cardLines = info.map(({ text: text2, accent }) => {
+    const color = accent ? `${C2.greenB}${C2.bold}` : C2.green;
+    const body = `${color}${padEndV(text2, INNER)}${C2.reset}`;
+    return `${C2.green}\u2502 ${C2.reset}${body}${C2.green} \u2502${C2.reset}`;
+  });
+  const card = [top, ...cardLines, bottom];
+  return "\n" + [...header, ...card].join("\n") + "\n";
+}
+function shellPrompt() {
+  const user = (import_node_os2.default.userInfo().username || "hacker").toLowerCase();
+  const host = (import_node_os2.default.hostname() || "localhost").split(".")[0].toLowerCase();
+  const W = 52;
+  const label = " \u2709  mensagem ";
+  const topFill = "\u2500".repeat(Math.max(0, W - vlen(label) - 3));
+  const top = `${C2.green}\u256D\u2500${C2.greenB}${C2.bold}${label}${C2.reset}${C2.green}${topFill}\u256E${C2.reset}`;
+  const id = `${user}\u327F${host} \xB7 ${shortCwd()}`;
+  const mid = `${C2.green}\u2502 ${C2.dim}${id}${C2.reset}`;
+  const bottom = `${C2.green}\u2570\u2500${C2.greenB}${C2.bold}\u276F${C2.reset} `;
+  return `
+${top}
+${mid}
+${bottom}`;
+}
+function agentHeader() {
+  return `${C2.magenta}\u256D\u2500 clawfast ${"\u2500".repeat(20)}${C2.reset}
+`;
+}
+var import_node_os2, ESC, C2, INNER, BOX_W, vlen, padEndV, center, GLYPHS, ui;
+var init_ui = __esm({
+  "src/ui.ts"() {
+    "use strict";
+    import_node_os2 = __toESM(require("node:os"));
+    ESC = "\x1B[";
+    C2 = {
+      reset: `${ESC}0m`,
+      bold: `${ESC}1m`,
+      dim: `${ESC}90m`,
+      green: `${ESC}32m`,
+      greenB: `${ESC}92m`,
+      cyan: `${ESC}36m`,
+      cyanB: `${ESC}96m`,
+      magenta: `${ESC}95m`,
+      yellow: `${ESC}93m`,
+      red: `${ESC}91m`
+    };
+    INNER = 42;
+    BOX_W = INNER + 4;
+    vlen = (s) => [...s.replace(/\x1b\[[0-9;]*m/g, "")].length;
+    padEndV = (s, w) => s + " ".repeat(Math.max(0, w - vlen(s)));
+    center = (s, w) => {
+      const pad = Math.max(0, w - vlen(s));
+      const left = Math.floor(pad / 2);
+      return " ".repeat(left) + s + " ".repeat(pad - left);
+    };
+    GLYPHS = {
+      C: [" \u2588\u2588\u2588\u2588\u2588", "\u2588\u2588    ", "\u2588\u2588    ", "\u2588\u2588    ", "\u2588\u2588    ", " \u2588\u2588\u2588\u2588\u2588"],
+      L: ["\u2588\u2588    ", "\u2588\u2588    ", "\u2588\u2588    ", "\u2588\u2588    ", "\u2588\u2588    ", "\u2588\u2588\u2588\u2588\u2588\u2588"],
+      A: [" \u2588\u2588\u2588\u2588 ", "\u2588\u2588  \u2588\u2588", "\u2588\u2588  \u2588\u2588", "\u2588\u2588\u2588\u2588\u2588\u2588", "\u2588\u2588  \u2588\u2588", "\u2588\u2588  \u2588\u2588"],
+      W: ["\u2588\u2588   \u2588\u2588", "\u2588\u2588   \u2588\u2588", "\u2588\u2588 \u2588 \u2588\u2588", "\u2588\u2588 \u2588 \u2588\u2588", "\u2588\u2588\u2588\u2588\u2588\u2588\u2588", " \u2588\u2588 \u2588\u2588 "],
+      F: ["\u2588\u2588\u2588\u2588\u2588\u2588", "\u2588\u2588    ", "\u2588\u2588\u2588\u2588\u2588 ", "\u2588\u2588    ", "\u2588\u2588    ", "\u2588\u2588    "],
+      S: [" \u2588\u2588\u2588\u2588\u2588", "\u2588\u2588    ", " \u2588\u2588\u2588\u2588 ", "    \u2588\u2588", "    \u2588\u2588", "\u2588\u2588\u2588\u2588\u2588 "],
+      T: ["\u2588\u2588\u2588\u2588\u2588\u2588", "  \u2588\u2588  ", "  \u2588\u2588  ", "  \u2588\u2588  ", "  \u2588\u2588  ", "  \u2588\u2588  "]
+    };
+    ui = { C: C2, buildBanner, shellPrompt, agentHeader };
+  }
+});
+
 // src/news.ts
-var import_node_fs4, import_node_path4, NEWS, latestNewsVersion, renderNews, stateFile, readState, writeState, consumePostUpdateLaunch;
+var import_node_fs4, import_node_path4, NEWS, latestNewsVersion, wrapText, renderNews, stateFile, readState, writeState, consumePostUpdateLaunch;
 var init_news = __esm({
   "src/news.ts"() {
     "use strict";
     import_node_fs4 = __toESM(require("node:fs"));
     import_node_path4 = __toESM(require("node:path"));
     init_config();
+    init_ui();
     NEWS = {
       "2.0.0": [
         'Modo ANALISE DE PROJETO (somente leitura): peca "analise/varredura/auditoria do meu projeto" e o clawfast troca sozinho para um auditor dedicado \u2014 sem /comando. Diga "modo normal" para sair.',
@@ -889,7 +1061,7 @@ var init_news = __esm({
       "1.0.3": [
         "Atualizacao: `clawfast update` atualiza o CLI e mostra as boas-vindas; aparece um aviso quando ha versao nova; /nov lista as novidades.",
         "Skills: /skillcreator cria ou cola uma skill (de qualquer tamanho), /skills lista e /skill delete remove. As skills viram conhecimento disponivel para TODOS os modelos.",
-        "Modelos na NVIDIA build: mistral-medium-3.5, kimi-k2.6, glm-5.1 e qwen3.5-397b \u2014 todos com function calling de verdade (as ferramentas disparam).",
+        "Modelos na NVIDIA build: mistral-medium-3.5, gpt-oss-120b, glm-5.1 e qwen3.5-397b \u2014 todos com function calling de verdade (as ferramentas disparam).",
         "Resiliencia a rate limit (429): cai para os outros modelos como contingencia e espera/retenta a cadeia automaticamente."
       ]
     };
@@ -905,14 +1077,50 @@ var init_news = __esm({
         return 0;
       })[0];
     };
+    wrapText = (text2, width) => {
+      const words = text2.split(/\s+/).filter(Boolean);
+      const lines = [];
+      let line = "";
+      for (const word of words) {
+        if (line && vlen(line) + 1 + vlen(word) > width) {
+          lines.push(line);
+          line = word;
+        } else {
+          line = line ? `${line} ${word}` : word;
+        }
+      }
+      if (line) lines.push(line);
+      return lines.length ? lines : [""];
+    };
     renderNews = (version3) => {
       const key = NEWS[version3] ? version3 : latestNewsVersion();
       if (!key || !NEWS[key]) {
-        return "Sem novidades registradas para esta versao.";
-      }
-      const lines = NEWS[key].map((item) => `  \u2022 ${item}`).join("\n");
-      return `Novidades da versao ${key}:
-${lines}`;
+        return `${C2.dim}Sem novidades registradas para esta versao.${C2.reset}`;
+      }
+      const cols2 = process.stdout.columns || 80;
+      const BOX = Math.min(Math.max(cols2 - 2, 48), 80);
+      const INNER2 = BOX - 4;
+      const BULLET = "\u2022 ";
+      const INDENT = " ".repeat(BULLET.length);
+      const title = `Novidades \xB7 v${key}`;
+      const topFill = "\u2500".repeat(Math.max(0, BOX - vlen(title) - 5));
+      const top = `${C2.green}\u256D\u2500 ${C2.greenB}${C2.bold}${title}${C2.reset}${C2.green} ${topFill}\u256E${C2.reset}`;
+      const bottom = `${C2.green}\u2570${"\u2500".repeat(BOX - 2)}\u256F${C2.reset}`;
+      const row = (content) => {
+        const pad = " ".repeat(Math.max(0, INNER2 - vlen(content)));
+        return `${C2.green}\u2502 ${C2.reset}${content}${pad}${C2.green} \u2502${C2.reset}`;
+      };
+      const body = [row("")];
+      NEWS[key].forEach((item, idx) => {
+        if (idx > 0) body.push(row(""));
+        const wrapped = wrapText(item, INNER2 - BULLET.length);
+        wrapped.forEach((line, i) => {
+          const prefix = i === 0 ? `${C2.cyanB}${BULLET}${C2.reset}` : INDENT;
+          body.push(row(`${prefix}${line}`));
+        });
+      });
+      body.push(row(""));
+      return [top, ...body, bottom].join("\n");
     };
     stateFile = () => import_node_path4.default.join(clawfastHome(), "state.json");
     readState = () => {
@@ -1513,10 +1721,10 @@ function mergeDefs(...defs) {
 function cloneDef(schema) {
   return mergeDefs(schema._zod.def);
 }
-function getElementAtPath(obj, path10) {
-  if (!path10)
+function getElementAtPath(obj, path12) {
+  if (!path12)
     return obj;
-  return path10.reduce((acc, key) => acc?.[key], obj);
+  return path12.reduce((acc, key) => acc?.[key], obj);
 }
 function promiseAllObject(promisesObj) {
   const keys = Object.keys(promisesObj);
@@ -1844,11 +2052,11 @@ function explicitlyAborted(x, startIndex = 0) {
   }
   return false;
 }
-function prefixIssues(path10, issues) {
+function prefixIssues(path12, issues) {
   return issues.map((iss) => {
     var _a25;
     (_a25 = iss).path ?? (_a25.path = []);
-    iss.path.unshift(path10);
+    iss.path.unshift(path12);
     return iss;
   });
 }
@@ -2066,16 +2274,16 @@ function flattenError(error51, mapper = (issue2) => issue2.message) {
 }
 function formatError(error51, mapper = (issue2) => issue2.message) {
   const fieldErrors = { _errors: [] };
-  const processError = (error52, path10 = []) => {
+  const processError = (error52, path12 = []) => {
     for (const issue2 of error52.issues) {
       if (issue2.code === "invalid_union" && issue2.errors.length) {
-        issue2.errors.map((issues) => processError({ issues }, [...path10, ...issue2.path]));
+        issue2.errors.map((issues) => processError({ issues }, [...path12, ...issue2.path]));
       } else if (issue2.code === "invalid_key") {
-        processError({ issues: issue2.issues }, [...path10, ...issue2.path]);
+        processError({ issues: issue2.issues }, [...path12, ...issue2.path]);
       } else if (issue2.code === "invalid_element") {
-        processError({ issues: issue2.issues }, [...path10, ...issue2.path]);
+        processError({ issues: issue2.issues }, [...path12, ...issue2.path]);
       } else {
-        const fullpath = [...path10, ...issue2.path];
+        const fullpath = [...path12, ...issue2.path];
         if (fullpath.length === 0) {
           fieldErrors._errors.push(mapper(issue2));
         } else {
@@ -2102,17 +2310,17 @@ function formatError(error51, mapper = (issue2) => issue2.message) {
 }
 function treeifyError(error51, mapper = (issue2) => issue2.message) {
   const result = { errors: [] };
-  const processError = (error52, path10 = []) => {
+  const processError = (error52, path12 = []) => {
     var _a25, _b18;
     for (const issue2 of error52.issues) {
       if (issue2.code === "invalid_union" && issue2.errors.length) {
-        issue2.errors.map((issues) => processError({ issues }, [...path10, ...issue2.path]));
+        issue2.errors.map((issues) => processError({ issues }, [...path12, ...issue2.path]));
       } else if (issue2.code === "invalid_key") {
-        processError({ issues: issue2.issues }, [...path10, ...issue2.path]);
+        processError({ issues: issue2.issues }, [...path12, ...issue2.path]);
       } else if (issue2.code === "invalid_element") {
-        processError({ issues: issue2.issues }, [...path10, ...issue2.path]);
+        processError({ issues: issue2.issues }, [...path12, ...issue2.path]);
       } else {
-        const fullpath = [...path10, ...issue2.path];
+        const fullpath = [...path12, ...issue2.path];
         if (fullpath.length === 0) {
           result.errors.push(mapper(issue2));
           continue;
@@ -2144,8 +2352,8 @@ function treeifyError(error51, mapper = (issue2) => issue2.message) {
 }
 function toDotPath(_path) {
   const segs = [];
-  const path10 = _path.map((seg) => typeof seg === "object" ? seg.key : seg);
-  for (const seg of path10) {
+  const path12 = _path.map((seg) => typeof seg === "object" ? seg.key : seg);
+  for (const seg of path12) {
     if (typeof seg === "number")
       segs.push(`[${seg}]`);
     else if (typeof seg === "symbol")
@@ -15648,13 +15856,13 @@ function resolveRef(ref, ctx) {
   if (!ref.startsWith("#")) {
     throw new Error("External $ref is not supported, only local refs (#/...) are allowed");
   }
-  const path10 = ref.slice(1).split("/").filter(Boolean);
-  if (path10.length === 0) {
+  const path12 = ref.slice(1).split("/").filter(Boolean);
+  if (path12.length === 0) {
     return ctx.rootSchema;
   }
   const defsKey = ctx.version === "draft-2020-12" ? "$defs" : "definitions";
-  if (path10[0] === defsKey) {
-    const key = path10[1];
+  if (path12[0] === defsKey) {
+    const key = path12[1];
     if (!key || !ctx.defs[key]) {
       throw new Error(`Reference not found: ${ref}`);
     }
@@ -16843,8 +17051,8 @@ var init_parseUtil = __esm({
     init_errors3();
     init_en2();
     makeIssue = (params) => {
-      const { data, path: path10, errorMaps, issueData } = params;
-      const fullPath = [...path10, ...issueData.path || []];
+      const { data, path: path12, errorMaps, issueData } = params;
+      const fullPath = [...path12, ...issueData.path || []];
       const fullIssue = {
         ...issueData,
         path: fullPath
@@ -17127,11 +17335,11 @@ var init_types = __esm({
     init_parseUtil();
     init_util2();
     ParseInputLazyPath = class {
-      constructor(parent, value, path10, key) {
+      constructor(parent, value, path12, key) {
         this._cachedPath = [];
         this.parent = parent;
         this.data = value;
-        this._path = path10;
+        this._path = path12;
         this._key = key;
       }
       get path() {
@@ -23170,8 +23378,8 @@ var require_auth_config = __commonJS({
       writeAuthConfig: () => writeAuthConfig
     });
     module2.exports = __toCommonJS(auth_config_exports);
-    var fs6 = __toESM2(require("fs"));
-    var path10 = __toESM2(require("path"));
+    var fs8 = __toESM2(require("fs"));
+    var path12 = __toESM2(require("path"));
     var import_token_util = require_token_util();
     function getAuthConfigPath() {
       const dataDir = (0, import_token_util.getVercelDataDir)();
@@ -23180,15 +23388,15 @@ var require_auth_config = __commonJS({
           `Unable to find Vercel CLI data directory. Your platform: ${process.platform}. Supported: darwin, linux, win32.`
         );
       }
-      return path10.join(dataDir, "auth.json");
+      return path12.join(dataDir, "auth.json");
     }
     function readAuthConfig() {
       try {
         const authPath = getAuthConfigPath();
-        if (!fs6.existsSync(authPath)) {
+        if (!fs8.existsSync(authPath)) {
           return null;
         }
-        const content = fs6.readFileSync(authPath, "utf8");
+        const content = fs8.readFileSync(authPath, "utf8");
         if (!content) {
           return null;
         }
@@ -23199,11 +23407,11 @@ var require_auth_config = __commonJS({
     }
     function writeAuthConfig(config3) {
       const authPath = getAuthConfigPath();
-      const authDir = path10.dirname(authPath);
-      if (!fs6.existsSync(authDir)) {
-        fs6.mkdirSync(authDir, { mode: 504, recursive: true });
+      const authDir = path12.dirname(authPath);
+      if (!fs8.existsSync(authDir)) {
+        fs8.mkdirSync(authDir, { mode: 504, recursive: true });
       }
-      fs6.writeFileSync(authPath, JSON.stringify(config3, null, 2), { mode: 384 });
+      fs8.writeFileSync(authPath, JSON.stringify(config3, null, 2), { mode: 384 });
     }
     function isValidAccessToken(authConfig, expirationBufferMs = 0) {
       if (!authConfig.token)
@@ -23394,8 +23602,8 @@ var require_token_util = __commonJS({
       saveToken: () => saveToken
     });
     module2.exports = __toCommonJS(token_util_exports);
-    var path10 = __toESM2(require("path"));
-    var fs6 = __toESM2(require("fs"));
+    var path12 = __toESM2(require("path"));
+    var fs8 = __toESM2(require("fs"));
     var import_token_error = require_token_error();
     var import_token_io = require_token_io();
     var import_auth_config = require_auth_config();
@@ -23407,7 +23615,7 @@ var require_token_util = __commonJS({
       if (!dataDir) {
         return null;
       }
-      return path10.join(dataDir, vercelFolder);
+      return path12.join(dataDir, vercelFolder);
     }
     async function getVercelToken2(options) {
       const authConfig = (0, import_auth_config.readAuthConfig)();
@@ -23483,13 +23691,13 @@ var require_token_util = __commonJS({
           "Unable to find project root directory. Have you linked your project with `vc link?`"
         );
       }
-      const prjPath = path10.join(dir, ".vercel", "project.json");
-      if (!fs6.existsSync(prjPath)) {
+      const prjPath = path12.join(dir, ".vercel", "project.json");
+      if (!fs8.existsSync(prjPath)) {
         throw new import_token_error.VercelOidcTokenError(
           "project.json not found, have you linked your project with `vc link?`"
         );
       }
-      const prj = JSON.parse(fs6.readFileSync(prjPath, "utf8"));
+      const prj = JSON.parse(fs8.readFileSync(prjPath, "utf8"));
       if (typeof prj.projectId !== "string" && typeof prj.orgId !== "string") {
         throw new TypeError(
           "Expected a string-valued projectId property. Try running `vc link` to re-link your project."
@@ -23504,11 +23712,11 @@ var require_token_util = __commonJS({
           "Unable to find user data directory. Please reach out to Vercel support."
         );
       }
-      const tokenPath = path10.join(dir, "com.vercel.token", `${projectId}.json`);
+      const tokenPath = path12.join(dir, "com.vercel.token", `${projectId}.json`);
       const tokenJson = JSON.stringify(token);
-      fs6.mkdirSync(path10.dirname(tokenPath), { mode: 504, recursive: true });
-      fs6.writeFileSync(tokenPath, tokenJson);
-      fs6.chmodSync(tokenPath, 432);
+      fs8.mkdirSync(path12.dirname(tokenPath), { mode: 504, recursive: true });
+      fs8.writeFileSync(tokenPath, tokenJson);
+      fs8.chmodSync(tokenPath, 432);
       return;
     }
     function loadToken(projectId) {
@@ -23518,11 +23726,11 @@ var require_token_util = __commonJS({
           "Unable to find user data directory. Please reach out to Vercel support."
         );
       }
-      const tokenPath = path10.join(dir, "com.vercel.token", `${projectId}.json`);
-      if (!fs6.existsSync(tokenPath)) {
+      const tokenPath = path12.join(dir, "com.vercel.token", `${projectId}.json`);
+      if (!fs8.existsSync(tokenPath)) {
         return null;
       }
-      const token = JSON.parse(fs6.readFileSync(tokenPath, "utf8"));
+      const token = JSON.parse(fs8.readFileSync(tokenPath, "utf8"));
       assertVercelOidcTokenResponse(token);
       return token;
     }
@@ -35548,7 +35756,7 @@ function createOpenRouter(options = {}) {
   );
   const createChatModel = (modelId, settings = {}) => new OpenRouterChatLanguageModel(modelId, settings, {
     provider: "openrouter.chat",
-    url: ({ path: path10 }) => `${baseURL}${path10}`,
+    url: ({ path: path12 }) => `${baseURL}${path12}`,
     headers: getHeaders,
     compatibility,
     fetch: options.fetch,
@@ -35556,7 +35764,7 @@ function createOpenRouter(options = {}) {
   });
   const createCompletionModel = (modelId, settings = {}) => new OpenRouterCompletionLanguageModel(modelId, settings, {
     provider: "openrouter.completion",
-    url: ({ path: path10 }) => `${baseURL}${path10}`,
+    url: ({ path: path12 }) => `${baseURL}${path12}`,
     headers: getHeaders,
     compatibility,
     fetch: options.fetch,
@@ -35564,21 +35772,21 @@ function createOpenRouter(options = {}) {
   });
   const createEmbeddingModel = (modelId, settings = {}) => new OpenRouterEmbeddingModel(modelId, settings, {
     provider: "openrouter.embedding",
-    url: ({ path: path10 }) => `${baseURL}${path10}`,
+    url: ({ path: path12 }) => `${baseURL}${path12}`,
     headers: getHeaders,
     fetch: options.fetch,
     extraBody: options.extraBody
   });
   const createImageModel = (modelId, settings = {}) => new OpenRouterImageModel(modelId, settings, {
     provider: "openrouter.image",
-    url: ({ path: path10 }) => `${baseURL}${path10}`,
+    url: ({ path: path12 }) => `${baseURL}${path12}`,
     headers: getHeaders,
     fetch: options.fetch,
     extraBody: options.extraBody
   });
   const createVideoModel = (modelId, settings = {}) => new OpenRouterVideoModel(modelId, settings, {
     provider: "openrouter.video",
-    url: ({ path: path10 }) => `${baseURL}${path10}`,
+    url: ({ path: path12 }) => `${baseURL}${path12}`,
     headers: getHeaders,
     fetch: options.fetch,
     extraBody: options.extraBody
@@ -40114,37 +40322,37 @@ function createOpenAI(options = {}) {
   );
   const createChatModel = (modelId) => new OpenAIChatLanguageModel(modelId, {
     provider: `${providerName}.chat`,
-    url: ({ path: path10 }) => `${baseURL}${path10}`,
+    url: ({ path: path12 }) => `${baseURL}${path12}`,
     headers: getHeaders,
     fetch: options.fetch
   });
   const createCompletionModel = (modelId) => new OpenAICompletionLanguageModel(modelId, {
     provider: `${providerName}.completion`,
-    url: ({ path: path10 }) => `${baseURL}${path10}`,
+    url: ({ path: path12 }) => `${baseURL}${path12}`,
     headers: getHeaders,
     fetch: options.fetch
   });
   const createEmbeddingModel = (modelId) => new OpenAIEmbeddingModel(modelId, {
     provider: `${providerName}.embedding`,
-    url: ({ path: path10 }) => `${baseURL}${path10}`,
+    url: ({ path: path12 }) => `${baseURL}${path12}`,
     headers: getHeaders,
     fetch: options.fetch
   });
   const createImageModel = (modelId) => new OpenAIImageModel(modelId, {
     provider: `${providerName}.image`,
-    url: ({ path: path10 }) => `${baseURL}${path10}`,
+    url: ({ path: path12 }) => `${baseURL}${path12}`,
     headers: getHeaders,
     fetch: options.fetch
   });
   const createTranscriptionModel = (modelId) => new OpenAITranscriptionModel(modelId, {
     provider: `${providerName}.transcription`,
-    url: ({ path: path10 }) => `${baseURL}${path10}`,
+    url: ({ path: path12 }) => `${baseURL}${path12}`,
     headers: getHeaders,
     fetch: options.fetch
   });
   const createSpeechModel = (modelId) => new OpenAISpeechModel(modelId, {
     provider: `${providerName}.speech`,
-    url: ({ path: path10 }) => `${baseURL}${path10}`,
+    url: ({ path: path12 }) => `${baseURL}${path12}`,
     headers: getHeaders,
     fetch: options.fetch
   });
@@ -40159,7 +40367,7 @@ function createOpenAI(options = {}) {
   const createResponsesModel = (modelId) => {
     return new OpenAIResponsesLanguageModel(modelId, {
       provider: `${providerName}.responses`,
-      url: ({ path: path10 }) => `${baseURL}${path10}`,
+      url: ({ path: path12 }) => `${baseURL}${path12}`,
       headers: getHeaders,
       fetch: options.fetch,
       fileIdPrefixes: ["file-"]
@@ -45557,25 +45765,29 @@ var init_providers = __esm({
       };
     };
     nvidiaPatchFetch = async (url2, init) => {
-      if (init?.body && typeof init.body === "string") {
+      const key = process.env.NVIDIA_API_KEY?.trim();
+      const headers = new Headers(init?.headers);
+      if (key) headers.set("Authorization", `Bearer ${key}`);
+      let nextInit = { ...init, headers };
+      if (typeof nextInit.body === "string") {
         try {
-          const parsed = JSON.parse(init.body);
+          const parsed = JSON.parse(nextInit.body);
           const patched = applyNvidiaMistralConfig(parsed);
           if (patched.changed) {
-            return globalThis.fetch(url2, {
-              ...init,
-              body: JSON.stringify(patched.body)
-            });
+            nextInit = { ...nextInit, body: JSON.stringify(patched.body) };
           }
         } catch {
         }
       }
-      return globalThis.fetch(url2, init);
+      return globalThis.fetch(url2, nextInit);
     };
     nvidia = createOpenAI({
       name: "nvidia",
       baseURL: process.env.NVIDIA_BASE_URL || "https://integrate.api.nvidia.com/v1",
-      apiKey: process.env.NVIDIA_API_KEY,
+      // Placeholder so the SDK never throws "missing API key" at request build time
+      // when the env is empty at load — nvidiaPatchFetch sets the real Authorization
+      // header from process.env on every request (see above).
+      apiKey: process.env.NVIDIA_API_KEY || "nvapi-clawfast-runtime",
       fetch: nvidiaPatchFetch
     });
     deepseek = createOpenAI({
@@ -45607,7 +45819,7 @@ var init_providers = __esm({
       "model-nvidia-mistral-medium-3.5": nvidia.chat(
         "mistralai/mistral-medium-3.5-128b"
       ),
-      "model-nvidia-kimi-k2.6": nvidia.chat("moonshotai/kimi-k2.6"),
+      "model-nvidia-gpt-oss-120b": nvidia.chat("openai/gpt-oss-120b"),
       "model-nvidia-glm-5.1": nvidia.chat("z-ai/glm-5.1"),
       "model-nvidia-qwen3.5-397b": nvidia.chat("qwen/qwen3.5-397b-a17b"),
       // Extra explicit keys for the CLI.
@@ -45645,8 +45857,8 @@ var init_providers = __esm({
       ...hasEnvValue("NVIDIA_API_KEY") ? [
         "model-nvidia-mistral-medium-3.5",
         // NVIDIA mistralai/mistral-medium-3.5-128b
-        "model-nvidia-kimi-k2.6",
-        // NVIDIA moonshotai/kimi-k2.6
+        "model-nvidia-gpt-oss-120b",
+        // NVIDIA openai/gpt-oss-120b
         "model-nvidia-glm-5.1",
         // NVIDIA z-ai/glm-5.1
         "model-nvidia-qwen3.5-397b"
@@ -45672,7 +45884,7 @@ var init_providers = __esm({
       "model-opus-4.6": "May 2025",
       "model-kimi-k2.6": "April 2024",
       "model-nvidia-mistral-medium-3.5": "Unknown",
-      "model-nvidia-kimi-k2.6": "April 2024",
+      "model-nvidia-gpt-oss-120b": "June 2024",
       "model-nvidia-glm-5.1": "Unknown",
       "model-nvidia-qwen3.5-397b": "Unknown",
       "model-deepseek-proxy": "July 2024",
@@ -45696,7 +45908,7 @@ var init_providers = __esm({
       "model-opus-4.6": "Anthropic Claude Opus 4.6",
       "model-kimi-k2.6": "Moonshot Kimi K2.6",
       "model-nvidia-mistral-medium-3.5": "NVIDIA - Mistral Medium 3.5",
-      "model-nvidia-kimi-k2.6": "NVIDIA - Moonshot Kimi K2.6",
+      "model-nvidia-gpt-oss-120b": "NVIDIA - OpenAI GPT-OSS 120B",
       "model-nvidia-glm-5.1": "NVIDIA - Z.ai GLM 5.1",
       "model-nvidia-qwen3.5-397b": "NVIDIA - Qwen3.5 397B A17B",
       "model-deepseek-proxy": "DeepSeek (sessao web logada / deepsproxy)",
@@ -48730,8 +48942,8 @@ var init_background_process_tracker = __esm({
       /**
        * Normalize file path for comparison
        */
-      normalizePath(path10) {
-        let normalized = path10.trim().replace(/\/+/g, "/");
+      normalizePath(path12) {
+        let normalized = path12.trim().replace(/\/+/g, "/");
         if (normalized.startsWith("./")) {
           normalized = normalized.slice(2);
         }
@@ -48969,8 +49181,8 @@ function createGetModuleFromFilename(basePath = process.argv[1] ? (0, import_pat
     return decodedFile;
   };
 }
-function normalizeWindowsPath(path10) {
-  return path10.replace(/^[A-Z]:/, "").replace(/\\/g, "/");
+function normalizeWindowsPath(path12) {
+  return path12.replace(/^[A-Z]:/, "").replace(/\\/g, "/");
 }
 var import_path;
 var init_module_node = __esm({
@@ -51859,9 +52071,9 @@ async function addSourceContext(frames) {
   LRU_FILE_CONTENTS_CACHE.reduce();
   return frames;
 }
-function getContextLinesFromFile(path10, ranges, output) {
+function getContextLinesFromFile(path12, ranges, output) {
   return new Promise((resolve2) => {
-    const stream = (0, import_node_fs5.createReadStream)(path10);
+    const stream = (0, import_node_fs5.createReadStream)(path12);
     const lineReaded = (0, import_node_readline2.createInterface)({
       input: stream
     });
@@ -51876,7 +52088,7 @@ function getContextLinesFromFile(path10, ranges, output) {
     let rangeStart = range[0];
     let rangeEnd = range[1];
     function onStreamError() {
-      LRU_FILE_CONTENTS_FS_READ_FAILED.set(path10, 1);
+      LRU_FILE_CONTENTS_FS_READ_FAILED.set(path12, 1);
       lineReaded.close();
       lineReaded.removeAllListeners();
       destroyStreamAndResolve();
@@ -51937,8 +52149,8 @@ function clearLineContext(frame2) {
   delete frame2.context_line;
   delete frame2.post_context;
 }
-function shouldSkipContextLinesForFile(path10) {
-  return path10.startsWith("node:") || path10.endsWith(".min.js") || path10.endsWith(".min.cjs") || path10.endsWith(".min.mjs") || path10.startsWith("data:");
+function shouldSkipContextLinesForFile(path12) {
+  return path12.startsWith("node:") || path12.endsWith(".min.js") || path12.endsWith(".min.cjs") || path12.endsWith(".min.mjs") || path12.startsWith("data:");
 }
 function shouldSkipContextLinesForFrame(frame2) {
   if (void 0 !== frame2.lineno && frame2.lineno > MAX_CONTEXTLINES_LINENO) return true;
@@ -67348,8 +67560,8 @@ var init_logger2 = __esm({
 });
 
 // ../lib/ai/tools/file.ts
-function isSpritPath(path10) {
-  return path10.split(/[\\/]/).some((segment) => segment.toLowerCase() === "sprit");
+function isSpritPath(path12) {
+  return path12.split(/[\\/]/).some((segment) => segment.toLowerCase() === "sprit");
 }
 function getViewSandboxType(sandbox) {
   return isCentrifugoSandbox(sandbox) ? "centrifugo" : "e2b";
@@ -67380,7 +67592,7 @@ function captureFileViewImageUsage(args) {
   const {
     context: context2,
     sandbox,
-    path: path10,
+    path: path12,
     outcome,
     durationMs,
     mediaType,
@@ -67398,7 +67610,7 @@ function captureFileViewImageUsage(args) {
     model: getActiveModelName(context2),
     configured_model: context2.modelName,
     sandbox_type: getViewSandboxType(sandbox),
-    file_extension: getFileExtension(path10),
+    file_extension: getFileExtension(path12),
     outcome,
     success: outcome === "success",
     duration_ms: durationMs,
@@ -67472,22 +67684,22 @@ async function runSandboxCommand(sandbox, command, envVars, timeoutMs = 6e4) {
 function isWindowsSandbox(sandbox) {
   return isCentrifugoSandbox(sandbox) && sandbox.isWindows();
 }
-function getWindowsNativePath(path10) {
-  if (/^[A-Za-z]:[\\/]/.test(path10)) return path10;
-  if (path10.startsWith("/tmp/")) {
-    return `C:\\temp${path10.slice(4).replace(/\//g, "\\")}`;
+function getWindowsNativePath(path12) {
+  if (/^[A-Za-z]:[\\/]/.test(path12)) return path12;
+  if (path12.startsWith("/tmp/")) {
+    return `C:\\temp${path12.slice(4).replace(/\//g, "\\")}`;
   }
-  return path10.replace(/\//g, "\\");
+  return path12.replace(/\//g, "\\");
 }
-function getPythonPathForSandbox(sandbox, path10) {
-  return isWindowsSandbox(sandbox) ? getWindowsNativePath(path10) : path10;
+function getPythonPathForSandbox(sandbox, path12) {
+  return isWindowsSandbox(sandbox) ? getWindowsNativePath(path12) : path12;
 }
-function toWindowsBashPath(path10) {
-  const drive = path10.match(/^([A-Za-z]):[\\/](.*)$/);
+function toWindowsBashPath(path12) {
+  const drive = path12.match(/^([A-Za-z]):[\\/](.*)$/);
   if (drive) {
     return `/${drive[1].toLowerCase()}/${drive[2].replace(/\\/g, "/")}`;
   }
-  return path10.replace(/\\/g, "/");
+  return path12.replace(/\\/g, "/");
 }
 async function detectSandboxShell(sandbox) {
   if (!isWindowsSandbox(sandbox)) return "bash";
@@ -67526,8 +67738,8 @@ PY`;
     }
   }
 }
-async function getSandboxFileState(sandbox, path10) {
-  const pythonPath = getPythonPathForSandbox(sandbox, path10);
+async function getSandboxFileState(sandbox, path12) {
+  const pythonPath = getPythonPathForSandbox(sandbox, path12);
   const result = await runPythonScript(
     sandbox,
     FILE_STATE_SCRIPT,
@@ -67544,23 +67756,23 @@ async function getSandboxFileState(sandbox, path10) {
   if (result.exitCode !== 0) {
     return {
       kind: "unknown",
-      path: path10,
+      path: path12,
       error: result.stderr || result.stdout || "file state command failed"
     };
   }
   try {
     const payload = JSON.parse(result.stdout.trim());
     if (payload.kind === "file" && typeof payload.sizeBytes === "number" && Number.isFinite(payload.sizeBytes)) {
-      return { ...payload, path: path10 };
+      return { ...payload, path: path12 };
     }
     if (payload.kind === "missing" || payload.kind === "not_file") {
-      return { ...payload, path: path10 };
+      return { ...payload, path: path12 };
     }
   } catch {
   }
   return {
     kind: "unknown",
-    path: path10,
+    path: path12,
     error: result.stderr || result.stdout || "invalid file state response"
   };
 }
@@ -67592,8 +67804,8 @@ ${numberedContent}${truncatedNotice}${footerNotice}`;
     })
   };
 }
-async function readSandboxTextFile(sandbox, path10, range) {
-  const pythonPath = getPythonPathForSandbox(sandbox, path10);
+async function readSandboxTextFile(sandbox, path12, range) {
+  const pythonPath = getPythonPathForSandbox(sandbox, path12);
   const envVars = {
     HACKERAI_FILE_READ_PATH: pythonPath,
     HACKERAI_FILE_READ_RANGE_START: String(range?.[0] ?? 0),
@@ -67621,40 +67833,40 @@ async function readSandboxTextFile(sandbox, path10, range) {
   }
   return payload;
 }
-async function readSandboxTextFileWithFallback(sandbox, path10, range) {
+async function readSandboxTextFileWithFallback(sandbox, path12, range) {
   try {
-    return await readSandboxTextFile(sandbox, path10, range);
+    return await readSandboxTextFile(sandbox, path12, range);
   } catch (error51) {
     const errorMessage = error51 instanceof Error ? error51.message : String(error51);
     if (errorMessage.startsWith("Invalid ") || errorMessage.includes("File not found")) {
       throw error51;
     }
-    const state = await getSandboxFileState(sandbox, path10);
+    const state = await getSandboxFileState(sandbox, path12);
     if (state.kind === "unknown") {
       throw new Error(
-        `Unable to determine file size for ${path10}; refusing to load the file into memory. ${state.error}`
+        `Unable to determine file size for ${path12}; refusing to load the file into memory. ${state.error}`
       );
     }
     if (state.kind === "missing") {
-      throw new Error(`File not found or is not a regular file: ${path10}`);
+      throw new Error(`File not found or is not a regular file: ${path12}`);
     }
     if (state.kind === "not_file") {
-      throw new Error(`File is not a regular file: ${path10}`);
+      throw new Error(`File is not a regular file: ${path12}`);
     }
     if (state.sizeBytes > MAX_TEXT_FILE_READ_BYTES) {
       if (range) {
         throw new Error(
-          `Unable to perform a bounded range read for ${path10}, and the file is too large to load safely (${formatBytes(state.sizeBytes)}). Use a targeted terminal command that writes a small result to a separate file.`
+          `Unable to perform a bounded range read for ${path12}, and the file is too large to load safely (${formatBytes(state.sizeBytes)}). Use a targeted terminal command that writes a small result to a separate file.`
         );
       }
       return {
-        path: path10,
+        path: path12,
         sizeBytes: state.sizeBytes,
         totalLines: 0,
         tooLarge: true
       };
     }
-    const fileContent = await sandbox.files.read(path10, {
+    const fileContent = await sandbox.files.read(path12, {
       user: "user"
     });
     const lines = fileContent.split("\n");
@@ -67675,15 +67887,10 @@ async function readSandboxTextFileWithFallback(sandbox, path10, range) {
           `Invalid start_line: ${start}. File has ${lines.length} lines (1-indexed).`
         );
       }
-      if (end !== -1 && end > lines.length) {
-        throw new Error(
-          `Invalid end_line: ${end}. File has ${lines.length} lines (1-indexed).`
-        );
-      }
       const startIndex = start - 1;
       const endIndex = end === -1 ? lines.length : end;
       return {
-        path: path10,
+        path: path12,
         sizeBytes: Buffer.byteLength(fileContent),
         totalLines: lines.length,
         content: lines.slice(startIndex, endIndex).join("\n"),
@@ -67691,7 +67898,7 @@ async function readSandboxTextFileWithFallback(sandbox, path10, range) {
       };
     }
     return {
-      path: path10,
+      path: path12,
       sizeBytes: Buffer.byteLength(fileContent),
       totalLines: lines.length,
       content: fileContent,
@@ -67699,7 +67906,7 @@ async function readSandboxTextFileWithFallback(sandbox, path10, range) {
     };
   }
 }
-async function appendSandboxTextFile(sandbox, path10, text2) {
+async function appendSandboxTextFile(sandbox, path12, text2) {
   const tempPath = `/tmp/hackerai_append_${Date.now()}_${Math.random().toString(36).slice(2)}.tmp`;
   await sandbox.files.write(tempPath, text2, {
     user: "user"
@@ -67708,7 +67915,7 @@ async function appendSandboxTextFile(sandbox, path10, text2) {
     sandbox,
     APPEND_TEXT_FILE_SCRIPT,
     {
-      HACKERAI_FILE_APPEND_TARGET_PATH: getPythonPathForSandbox(sandbox, path10),
+      HACKERAI_FILE_APPEND_TARGET_PATH: getPythonPathForSandbox(sandbox, path12),
       HACKERAI_FILE_APPEND_SOURCE_PATH: getPythonPathForSandbox(
         sandbox,
         tempPath
@@ -67720,13 +67927,13 @@ async function appendSandboxTextFile(sandbox, path10, text2) {
     throw new Error(result.stderr || result.stdout || "Failed to append file");
   }
 }
-async function readSandboxFileForView(sandbox, path10, includeData) {
+async function readSandboxFileForView(sandbox, path12, includeData) {
   if (isCentrifugoSandbox(sandbox) && sandbox.isWindows()) {
     throw new Error(
       "The view action is not available for Windows local sandboxes yet. Use a Linux/E2B sandbox or inspect the image manually."
     );
   }
-  const sandboxPath = getSandboxViewPath(sandbox, path10);
+  const sandboxPath = getSandboxViewPath(sandbox, path12);
   const viewEnvVars = {
     HACKERAI_FILE_VIEW_PATH: sandboxPath,
     HACKERAI_FILE_VIEW_INCLUDE_DATA: includeData ? "1" : "0",
@@ -67986,8 +68193,9 @@ if range_start == 0 and size > max_full_bytes:
 if range_start > 0:
     if range_start > total_lines:
         emit({"error": f"Invalid start_line: {range_start}. File has {total_lines} lines (1-indexed)."}, 2)
-    if range_end != -1 and range_end > total_lines:
-        emit({"error": f"Invalid end_line: {range_end}. File has {total_lines} lines (1-indexed)."}, 2)
+    # An end_line past EOF is harmless — the read loop simply stops at the last
+    # line. (We used to error here, which broke the SPRIT chunked read: it always
+    # requests a 100-line window, so every SPRIT file shorter than 100 lines failed.)
 
 selected = []
 selected_bytes = 0
@@ -68069,19 +68277,19 @@ try:
 except OSError:
     pass
 `;
-    getFilename = (path10) => path10.split("/").pop() || path10;
-    getFileExtension = (path10) => {
-      const filename = getFilename(path10);
+    getFilename = (path12) => path12.split("/").pop() || path12;
+    getFileExtension = (path12) => {
+      const filename = getFilename(path12);
       const dotIndex = filename.lastIndexOf(".");
       if (dotIndex <= 0 || dotIndex === filename.length - 1) return void 0;
       return filename.slice(dotIndex + 1).toLowerCase();
     };
-    getSandboxViewPath = (sandbox, path10) => {
+    getSandboxViewPath = (sandbox, path12) => {
       const maybeSandbox = sandbox;
-      if (isCentrifugoSandbox(maybeSandbox) && maybeSandbox.isWindows() && path10.startsWith("/tmp/")) {
-        return `C:\\temp${path10.slice(4).replace(/\//g, "\\")}`;
+      if (isCentrifugoSandbox(maybeSandbox) && maybeSandbox.isWindows() && path12.startsWith("/tmp/")) {
+        return `C:\\temp${path12.slice(4).replace(/\//g, "\\")}`;
       }
-      return path10;
+      return path12;
     };
     stripTrailingWs = (line) => line.replace(/[ \t]+$/u, "");
     editSchema = external_exports.object({
@@ -68155,7 +68363,7 @@ ${instructionsDescription}`,
             "A list of edits to be sequentially applied to the file. Required for `edit` action."
           )
         }),
-        execute: async ({ action, path: path10, text: text2, range, edits }) => {
+        execute: async ({ action, path: path12, text: text2, range, edits }) => {
           try {
             const { sandbox } = await sandboxManager.getSandbox();
             switch (action) {
@@ -68165,7 +68373,7 @@ ${instructionsDescription}`,
                   captureFileViewImageUsage({
                     context: context2,
                     sandbox,
-                    path: path10,
+                    path: path12,
                     outcome: "unsupported_model",
                     durationMs: Date.now() - viewStartedAt,
                     failureReason: "unsupported_model"
@@ -68174,26 +68382,26 @@ ${instructionsDescription}`,
                 }
                 let viewPayload;
                 try {
-                  viewPayload = await readSandboxFileForView(sandbox, path10, false);
+                  viewPayload = await readSandboxFileForView(sandbox, path12, false);
                 } catch (error51) {
                   captureFileViewImageUsage({
                     context: context2,
                     sandbox,
-                    path: path10,
+                    path: path12,
                     outcome: "inspection_failed",
                     durationMs: Date.now() - viewStartedAt,
                     failureReason: classifyFileViewError(error51)
                   });
                   throw error51;
                 }
-                const filename = getFilename(path10);
+                const filename = getFilename(path12);
                 let previewFiles = [];
                 let previewUploadError;
                 try {
                   previewFiles = await uploadViewPreviewFiles({
                     context: context2,
                     sandbox,
-                    sourcePath: path10,
+                    sourcePath: path12,
                     payload: viewPayload
                   });
                 } catch (error51) {
@@ -68207,7 +68415,7 @@ ${instructionsDescription}`,
                       user_id: context2.userID,
                       sandbox_type: getViewSandboxType(sandbox),
                       file_name: filename,
-                      source_path: path10,
+                      source_path: path12,
                       kind: viewPayload.kind,
                       media_type: viewPayload.mediaType,
                       size_bytes: viewPayload.sizeBytes,
@@ -68218,7 +68426,7 @@ ${instructionsDescription}`,
                 captureFileViewImageUsage({
                   context: context2,
                   sandbox,
-                  path: path10,
+                  path: path12,
                   outcome: "success",
                   durationMs: Date.now() - viewStartedAt,
                   mediaType: viewPayload.mediaType,
@@ -68228,7 +68436,7 @@ ${instructionsDescription}`,
                 return {
                   action: "view",
                   content: `Viewing image file: ${filename} (${viewPayload.mediaType}, ${viewPayload.sizeBytes} bytes).`,
-                  path: path10,
+                  path: path12,
                   filename,
                   mediaType: viewPayload.mediaType,
                   sizeBytes: viewPayload.sizeBytes,
@@ -68238,8 +68446,8 @@ ${instructionsDescription}`,
                 };
               }
               case "read": {
-                const filename = path10.split("/").pop() || path10;
-                const spritChunked = isSpritPath(path10);
+                const filename = path12.split("/").pop() || path12;
+                const spritChunked = isSpritPath(path12);
                 let effectiveRange = range;
                 if (spritChunked) {
                   const start = range && range[0] > 0 ? range[0] : 1;
@@ -68252,7 +68460,7 @@ ${instructionsDescription}`,
                 }
                 const readPayload = await readSandboxTextFileWithFallback(
                   sandbox,
-                  path10,
+                  path12,
                   effectiveRange
                 );
                 if (readPayload.tooLarge) {
@@ -68289,46 +68497,46 @@ File is too large to read in full (${formatBytes(readPayload.sizeBytes)}, ${tota
                 if (text2 === void 0) {
                   return { error: "text is required for write action" };
                 }
-                await sandbox.files.write(path10, text2, {
+                await sandbox.files.write(path12, text2, {
                   user: "user"
                 });
-                return `File written: ${path10}`;
+                return `File written: ${path12}`;
               }
               case "append": {
                 if (text2 === void 0) {
                   return { error: "text is required for append action" };
                 }
-                const existingState = await getSandboxFileState(sandbox, path10);
+                const existingState = await getSandboxFileState(sandbox, path12);
                 if (existingState.kind === "unknown") {
                   return {
-                    error: `Cannot append safely because the existing file size could not be determined for ${path10}. ${existingState.error}`
+                    error: `Cannot append safely because the existing file size could not be determined for ${path12}. ${existingState.error}`
                   };
                 }
                 if (existingState.kind === "not_file") {
                   return {
-                    error: `Cannot append to ${path10} because it is not a file.`
+                    error: `Cannot append to ${path12} because it is not a file.`
                   };
                 }
                 if (existingState.kind === "file" && existingState.sizeBytes > MAX_TEXT_FILE_READ_BYTES) {
-                  await appendSandboxTextFile(sandbox, path10, text2);
+                  await appendSandboxTextFile(sandbox, path12, text2);
                   return {
-                    content: `File appended: ${path10}
+                    content: `File appended: ${path12}
 Existing file is ${formatBytes(existingState.sizeBytes)}, so the full diff preview was skipped to avoid loading the entire file into memory.`
                   };
                 }
                 let existingContent = "";
                 try {
-                  existingContent = await sandbox.files.read(path10, {
+                  existingContent = await sandbox.files.read(path12, {
                     user: "user"
                   });
                 } catch {
                 }
                 const newContent = existingContent + text2;
-                await sandbox.files.write(path10, newContent, {
+                await sandbox.files.write(path12, newContent, {
                   user: "user"
                 });
                 return {
-                  content: `File appended: ${path10}`,
+                  content: `File appended: ${path12}`,
                   originalContent: truncateOutput({
                     content: existingContent,
                     mode: "read-file"
@@ -68343,31 +68551,31 @@ Existing file is ${formatBytes(existingState.sizeBytes)}, so the full diff previ
                 if (!edits || edits.length === 0) {
                   return { error: "edits array is required for edit action" };
                 }
-                const existingState = await getSandboxFileState(sandbox, path10);
+                const existingState = await getSandboxFileState(sandbox, path12);
                 if (existingState.kind === "unknown") {
                   return {
-                    error: `Cannot edit ${path10} safely because the file size could not be determined. ${existingState.error}`
+                    error: `Cannot edit ${path12} safely because the file size could not be determined. ${existingState.error}`
                   };
                 }
                 if (existingState.kind === "missing") {
                   return {
-                    error: `Cannot edit file ${path10} - file is empty or does not exist`
+                    error: `Cannot edit file ${path12} - file is empty or does not exist`
                   };
                 }
                 if (existingState.kind === "not_file") {
-                  return { error: `Cannot edit ${path10} because it is not a file.` };
+                  return { error: `Cannot edit ${path12} because it is not a file.` };
                 }
                 if (existingState.sizeBytes > MAX_TEXT_FILE_READ_BYTES) {
                   return {
-                    error: `File ${path10} is too large for the edit action (${formatBytes(existingState.sizeBytes)}). Use a targeted shell command, restore the file from a clean source, or replace it with the write action instead of loading the whole file into memory.`
+                    error: `File ${path12} is too large for the edit action (${formatBytes(existingState.sizeBytes)}). Use a targeted shell command, restore the file from a clean source, or replace it with the write action instead of loading the whole file into memory.`
                   };
                 }
-                const originalContent = await sandbox.files.read(path10, {
+                const originalContent = await sandbox.files.read(path12, {
                   user: "user"
                 });
                 if (!originalContent) {
                   return {
-                    error: `Cannot edit file ${path10} - file is empty or does not exist`
+                    error: `Cannot edit file ${path12} - file is empty or does not exist`
                   };
                 }
                 const resolvedEdits = [];
@@ -68412,7 +68620,7 @@ ${hint}` : "")
                     }
                   }
                 }
-                await sandbox.files.write(path10, content, {
+                await sandbox.files.write(path12, content, {
                   user: "user"
                 });
                 const lines = content.split("\n");
@@ -68504,6 +68712,1120 @@ ${numberedLines}`,
   }
 });
 
+// ../lib/utils/error-redaction.ts
+var REDACTED_VALUE, SENSITIVE_FIELD_PATTERN, ENV_SECRET_PATTERN, redactSensitiveErrorMessage, stringifyRedactedError;
+var init_error_redaction = __esm({
+  "../lib/utils/error-redaction.ts"() {
+    "use strict";
+    REDACTED_VALUE = "[Redacted]";
+    SENSITIVE_FIELD_PATTERN = /(["']?\b(?:serviceKey|service_key|apiKey|api_key|authorization|bearer|cookie|password|secret|token)\b["']?)(\s*[:=]\s*)(?:"[^"]*"|'[^']*'|[^\s,}]+)/gi;
+    ENV_SECRET_PATTERN = /(["']?\b(?:CONVEX_SERVICE_ROLE_KEY|POSTHOG_API_KEY|STRIPE_SECRET_KEY)\b["']?)(\s*[:=]\s*)(?:"[^"]*"|'[^']*'|[^\s,}]+)/gi;
+    redactSensitiveErrorMessage = (message) => message.replace(SENSITIVE_FIELD_PATTERN, (_match, key, separator) => {
+      return `${key}${separator}"${REDACTED_VALUE}"`;
+    }).replace(ENV_SECRET_PATTERN, (_match, key, separator) => {
+      return `${key}${separator}"${REDACTED_VALUE}"`;
+    });
+    stringifyRedactedError = (error51) => {
+      const message = error51 instanceof Error ? error51.message : typeof error51 === "string" ? error51 : (() => {
+        try {
+          return JSON.stringify(error51);
+        } catch {
+          return String(error51);
+        }
+      })();
+      return redactSensitiveErrorMessage(message);
+    };
+  }
+});
+
+// ../lib/ai/tools/utils/perplexity.ts
+var SEARCH_RESULT_CONTENT_MAX_TOKENS, RECENCY_MAP, PerplexityApiError, ERROR_BODY_SUMMARY_MAX_LENGTH, RETRYABLE_PERPLEXITY_STATUSES, HTML_ENTITY_MAP, normalizeWhitespace, decodeBasicHtmlEntities, stripHtml, extractHtmlTagText, redactNetworkDetails, truncateSummary, isRetryablePerplexityStatus, summarizePerplexityErrorBody, buildPerplexitySearchBody, formatSearchResults;
+var init_perplexity = __esm({
+  "../lib/ai/tools/utils/perplexity.ts"() {
+    "use strict";
+    SEARCH_RESULT_CONTENT_MAX_TOKENS = 250;
+    RECENCY_MAP = {
+      past_day: "day",
+      past_week: "week",
+      past_month: "month",
+      past_year: "year"
+    };
+    PerplexityApiError = class extends Error {
+      constructor({
+        status,
+        statusText,
+        bodySummary,
+        retryable
+      }) {
+        const statusLabel = statusText ? `${status} ${statusText}` : `${status}`;
+        const summary = bodySummary ? `: ${bodySummary}` : "";
+        super(`Perplexity API error ${statusLabel}${summary}`);
+        this.name = "PerplexityApiError";
+        this.status = status;
+        this.statusText = statusText;
+        this.bodySummary = bodySummary;
+        this.retryable = retryable;
+      }
+    };
+    ERROR_BODY_SUMMARY_MAX_LENGTH = 400;
+    RETRYABLE_PERPLEXITY_STATUSES = /* @__PURE__ */ new Set([408, 429, 500, 502, 503, 504]);
+    HTML_ENTITY_MAP = {
+      amp: "&",
+      gt: ">",
+      lt: "<",
+      nbsp: " ",
+      quot: '"',
+      "#160": " ",
+      "#39": "'"
+    };
+    normalizeWhitespace = (value) => value.replace(/\s+/g, " ").trim();
+    decodeBasicHtmlEntities = (value) => value.replace(/&([a-zA-Z0-9#]+);/g, (match, entity) => {
+      return HTML_ENTITY_MAP[entity] ?? match;
+    });
+    stripHtml = (value) => normalizeWhitespace(
+      decodeBasicHtmlEntities(
+        value.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, " ").replace(/<style\b[^>]*>[\s\S]*?<\/style>/gi, " ").replace(/<[^>]+>/g, " ")
+      )
+    );
+    extractHtmlTagText = (html, tagName) => {
+      const matches = html.matchAll(
+        new RegExp(`<${tagName}\\b[^>]*>([\\s\\S]*?)<\\/${tagName}>`, "gi")
+      );
+      return Array.from(matches).map((match) => stripHtml(match[1] ?? "")).filter(Boolean);
+    };
+    redactNetworkDetails = (value) => value.replace(
+      /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g,
+      "[Redacted IP]"
+    ).replace(/\bRay ID:\s*[a-f0-9]+\b/gi, "Ray ID: [Redacted]");
+    truncateSummary = (value) => value.length > ERROR_BODY_SUMMARY_MAX_LENGTH ? `${value.slice(0, ERROR_BODY_SUMMARY_MAX_LENGTH - 1)}\u2026` : value;
+    isRetryablePerplexityStatus = (status) => RETRYABLE_PERPLEXITY_STATUSES.has(status);
+    summarizePerplexityErrorBody = (body, contentType = "") => {
+      const trimmed = body.trim();
+      if (!trimmed) return "";
+      let summary = "";
+      if (contentType.includes("json") || trimmed.startsWith("{")) {
+        try {
+          const parsed = JSON.parse(trimmed);
+          const error51 = typeof parsed.error === "string" ? parsed.error : parsed.error && typeof parsed.error === "object" && "message" in parsed.error && typeof parsed.error.message === "string" ? parsed.error.message : void 0;
+          const message = error51 || (typeof parsed.message === "string" ? parsed.message : void 0) || (typeof parsed.detail === "string" ? parsed.detail : void 0);
+          summary = message || trimmed;
+        } catch {
+          summary = trimmed;
+        }
+      } else if (/<[a-z][\s\S]*>/i.test(trimmed)) {
+        const tagSummaries = [
+          ...extractHtmlTagText(trimmed, "h1"),
+          ...extractHtmlTagText(trimmed, "p"),
+          ...extractHtmlTagText(trimmed, "h2")
+        ];
+        summary = tagSummaries.length > 0 ? tagSummaries.join(". ") : stripHtml(trimmed);
+      } else {
+        summary = trimmed;
+      }
+      return truncateSummary(redactNetworkDetails(normalizeWhitespace(summary)));
+    };
+    buildPerplexitySearchBody = (query, options) => {
+      const searchBody = {
+        query,
+        max_results: options?.maxResults ?? 10,
+        max_tokens_per_page: SEARCH_RESULT_CONTENT_MAX_TOKENS
+      };
+      if (options?.country) {
+        searchBody.country = options.country;
+      }
+      if (options?.recency) {
+        searchBody.search_recency_filter = options.recency;
+      }
+      return searchBody;
+    };
+    formatSearchResults = (results) => {
+      return results.map((result) => ({
+        title: result.title,
+        url: result.url,
+        content: result.snippet,
+        date: result.date || null,
+        lastUpdated: result.last_updated || null
+      }));
+    };
+  }
+});
+
+// ../lib/ai/tools/web-search.ts
+var WEB_SEARCH_COST_PER_REQUEST, PERPLEXITY_SEARCH_URL, WEB_SEARCH_MAX_ATTEMPTS, WEB_SEARCH_RETRY_BASE_DELAY_MS, WEB_SEARCH_RETRY_JITTER_MS, PERPLEXITY_QUERY_MAX_LENGTH, EMPTY_QUERY_TOOL_ERROR, QUERY_TOO_LONG_TOOL_ERROR, webSearchQuerySchema, sleep, getRetryDelayMs, createPerplexityApiError, formatPerplexityFailureForTool, fetchPerplexitySearch, normalizeSearchQueries, createWebSearch;
+var init_web_search = __esm({
+  "../lib/ai/tools/web-search.ts"() {
+    "use strict";
+    init_dist5();
+    init_zod();
+    init_error_redaction();
+    init_perplexity();
+    WEB_SEARCH_COST_PER_REQUEST = 5e-3;
+    PERPLEXITY_SEARCH_URL = "https://api.perplexity.ai/search";
+    WEB_SEARCH_MAX_ATTEMPTS = 3;
+    WEB_SEARCH_RETRY_BASE_DELAY_MS = 300;
+    WEB_SEARCH_RETRY_JITTER_MS = 75;
+    PERPLEXITY_QUERY_MAX_LENGTH = 8192;
+    EMPTY_QUERY_TOOL_ERROR = "Error performing web search: Provide at least one non-empty query.";
+    QUERY_TOO_LONG_TOOL_ERROR = `Error performing web search: Each query must be ${PERPLEXITY_QUERY_MAX_LENGTH} characters or fewer.`;
+    webSearchQuerySchema = external_exports.string().trim().min(1).max(PERPLEXITY_QUERY_MAX_LENGTH);
+    sleep = (delayMs, signal) => {
+      if (delayMs <= 0) return Promise.resolve();
+      if (signal?.aborted) {
+        return Promise.reject(new DOMException("Operation aborted", "AbortError"));
+      }
+      return new Promise((resolve2, reject) => {
+        const cleanup = () => signal?.removeEventListener("abort", onAbort);
+        const onAbort = () => {
+          clearTimeout(timeout);
+          cleanup();
+          reject(new DOMException("Operation aborted", "AbortError"));
+        };
+        const timeout = setTimeout(() => {
+          cleanup();
+          resolve2();
+        }, delayMs);
+        signal?.addEventListener("abort", onAbort, { once: true });
+      });
+    };
+    getRetryDelayMs = (attemptIndex) => {
+      const exponentialDelay = WEB_SEARCH_RETRY_BASE_DELAY_MS * Math.pow(2, attemptIndex);
+      const jitter = Math.random() * WEB_SEARCH_RETRY_JITTER_MS;
+      return Math.round(exponentialDelay + jitter);
+    };
+    createPerplexityApiError = async (response) => {
+      const errorText = await response.text();
+      const bodySummary = summarizePerplexityErrorBody(
+        errorText,
+        response.headers.get("content-type") || ""
+      );
+      return new PerplexityApiError({
+        status: response.status,
+        statusText: response.statusText,
+        bodySummary,
+        retryable: isRetryablePerplexityStatus(response.status)
+      });
+    };
+    formatPerplexityFailureForTool = (error51, attempts) => {
+      const statusText = error51.statusText ? ` ${error51.statusText}` : "";
+      if (error51.retryable) {
+        return `Error performing web search: Perplexity search is temporarily unavailable (HTTP ${error51.status}${statusText} after ${attempts} attempts). Please retry shortly or continue without live web results if the task can proceed.`;
+      }
+      if (error51.status === 401 || error51.status === 403) {
+        return `Error performing web search: Perplexity search is not authorized (HTTP ${error51.status}${statusText}). Check the Perplexity API key or account access.`;
+      }
+      return `Error performing web search: Perplexity search failed (HTTP ${error51.status}${statusText}).`;
+    };
+    fetchPerplexitySearch = async (searchBody, abortSignal) => {
+      for (let attemptIndex = 0; attemptIndex < WEB_SEARCH_MAX_ATTEMPTS; attemptIndex++) {
+        const attempt = attemptIndex + 1;
+        const isFinalAttempt = attempt === WEB_SEARCH_MAX_ATTEMPTS;
+        try {
+          const response = await fetch(PERPLEXITY_SEARCH_URL, {
+            method: "POST",
+            headers: {
+              "Content-Type": "application/json",
+              Authorization: `Bearer ${process.env.PERPLEXITY_API_KEY || ""}`
+            },
+            body: JSON.stringify(searchBody),
+            signal: abortSignal
+          });
+          if (response.ok) {
+            return response;
+          }
+          const error51 = await createPerplexityApiError(response);
+          if (!error51.retryable || isFinalAttempt) {
+            throw error51;
+          }
+          const delayMs = getRetryDelayMs(attemptIndex);
+          console.warn("Web search provider error; retrying", {
+            attempt,
+            maxAttempts: WEB_SEARCH_MAX_ATTEMPTS,
+            status: error51.status,
+            statusText: error51.statusText,
+            bodySummary: error51.bodySummary,
+            delayMs
+          });
+          await sleep(delayMs, abortSignal);
+        } catch (error51) {
+          if (error51 instanceof Error && error51.name === "AbortError") {
+            throw error51;
+          }
+          if (error51 instanceof PerplexityApiError) {
+            throw error51;
+          }
+          if (isFinalAttempt) {
+            throw error51;
+          }
+          const delayMs = getRetryDelayMs(attemptIndex);
+          console.warn("Web search network error; retrying", {
+            attempt,
+            maxAttempts: WEB_SEARCH_MAX_ATTEMPTS,
+            error: stringifyRedactedError(error51),
+            delayMs
+          });
+          await sleep(delayMs, abortSignal);
+        }
+      }
+      throw new Error("Web search failed before any Perplexity response was read");
+    };
+    normalizeSearchQueries = (rawQueries) => {
+      const queries = rawQueries.map((query) => query.trim()).filter(Boolean);
+      if (queries.length === 0) {
+        return { queries, error: EMPTY_QUERY_TOOL_ERROR };
+      }
+      if (queries.some((query) => query.length > PERPLEXITY_QUERY_MAX_LENGTH)) {
+        return { queries, error: QUERY_TOO_LONG_TOOL_ERROR };
+      }
+      return { queries: queries.slice(0, 3) };
+    };
+    createWebSearch = (context2) => {
+      const { userLocation, onToolCost } = context2;
+      return tool({
+        description: `Search for information across various sources.
+
+<instructions>
+- MUST use this tool to access up-to-date or external information when needed; DO NOT rely solely on internal knowledge
+- Each search MUST contain exactly 1 to 3 \`queries\` (NEVER more than 3). Queries MUST be variants of the same intent (i.e., query expansions), NOT different goals
+- For non-English queries, MUST include at least one English query as the final variant to expand coverage
+- For complex searches, MUST break down into step-by-step searches instead of using a single complex query
+- Access multiple URLs from search results for comprehensive information or cross-validation
+- CAN use Google dork syntax (site:, filetype:, inurl:, intitle:, etc.) for targeted reconnaissance and pentest enumeration
+- Only use \`time\` parameter when explicitly required by task, otherwise leave time range unrestricted
+- Prioritize cybersecurity-relevant information: CVEs, CVSS scores, exploits, PoCs, security tools, and pentest methodologies
+- Include specific versions, configurations, and technical details; cite reliable sources (NIST, OWASP, CVE databases)
+- For commands/installations, prioritize Kali Linux compatibility using apt or pre-installed tools
+</instructions>`,
+        inputSchema: external_exports.object({
+          queries: external_exports.array(webSearchQuerySchema).min(1).max(3).describe(
+            "MAXIMUM 3 non-empty query variants (1-3 items only). Express the same search intent with different wording."
+          ),
+          time: external_exports.enum(["all", "past_day", "past_week", "past_month", "past_year"]).optional().describe(
+            "Optional time filter to limit results to a recent time range"
+          ),
+          brief: external_exports.string().describe(
+            "A one-sentence preamble describing the purpose of this operation"
+          )
+        }),
+        execute: async ({
+          queries: rawQueries,
+          time: time3
+        }, { abortSignal }) => {
+          try {
+            const { queries, error: error51 } = normalizeSearchQueries(rawQueries);
+            if (error51) {
+              return error51;
+            }
+            const searchBody = buildPerplexitySearchBody(
+              queries.length === 1 ? queries[0] : queries,
+              {
+                country: userLocation?.country,
+                recency: time3 && time3 !== "all" ? RECENCY_MAP[time3] : void 0
+              }
+            );
+            const response = await fetchPerplexitySearch(searchBody, abortSignal);
+            onToolCost?.(WEB_SEARCH_COST_PER_REQUEST);
+            const searchResponse = await response.json();
+            const isMultiQuery = queries.length > 1;
+            let allResults;
+            if (isMultiQuery && Array.isArray(searchResponse.results[0])) {
+              allResults = searchResponse.results.flat();
+            } else {
+              allResults = searchResponse.results;
+            }
+            return formatSearchResults(allResults);
+          } catch (error51) {
+            if (error51 instanceof Error && error51.name === "AbortError") {
+              return "Error: Operation aborted";
+            }
+            if (error51 instanceof PerplexityApiError) {
+              console.error("Web search tool error:", {
+                name: error51.name,
+                status: error51.status,
+                statusText: error51.statusText,
+                retryable: error51.retryable,
+                bodySummary: error51.bodySummary
+              });
+              return formatPerplexityFailureForTool(
+                error51,
+                error51.retryable ? WEB_SEARCH_MAX_ATTEMPTS : 1
+              );
+            }
+            const errorMessage = stringifyRedactedError(error51);
+            console.error("Web search tool error:", errorMessage);
+            return `Error performing web search: ${errorMessage}`;
+          }
+        }
+      });
+    };
+  }
+});
+
+// ../lib/ai/tools/open-url.ts
+var createOpenUrlTool;
+var init_open_url = __esm({
+  "../lib/ai/tools/open-url.ts"() {
+    "use strict";
+    init_dist5();
+    init_zod();
+    init_token_utils();
+    createOpenUrlTool = () => {
+      return tool({
+        description: `Retrieve the full contents of a specific webpage by URL.
+
+<instructions>
+- Use to fetch and read a specific webpage, usually obtained from a prior search
+- URLs must be valid and publicly accessible
+- Prioritize cybersecurity-relevant information: CVEs, CVSS scores, exploits, PoCs, security tools, and pentest methodologies
+- Include specific versions, configurations, and technical details; cite reliable sources (NIST, OWASP, CVE databases)
+</instructions>`,
+        inputSchema: external_exports.object({
+          url: external_exports.string().describe("The URL to open and retrieve content from"),
+          brief: external_exports.string().describe(
+            "A one-sentence preamble describing the purpose of this operation"
+          )
+        }),
+        execute: async ({ url: url2 }, { abortSignal }) => {
+          try {
+            const jinaUrl = `https://r.jina.ai/${encodeURIComponent(url2)}`;
+            const response = await fetch(jinaUrl, {
+              method: "GET",
+              headers: {
+                Authorization: `Bearer ${process.env.JINA_API_KEY}`,
+                "X-Timeout": "30",
+                "X-Base": "final",
+                "X-Token-Budget": "200000"
+              },
+              signal: abortSignal
+            });
+            if (!response.ok) {
+              const errorBody = await response.text();
+              return `Error: HTTP ${response.status} - ${errorBody}`;
+            }
+            const content = await response.text();
+            const truncated = truncateContent(content, void 0, 2048);
+            return truncated;
+          } catch (error51) {
+            if (error51 instanceof Error && error51.name === "AbortError") {
+              return "Error: Operation aborted";
+            }
+            console.error("Open URL tool error:", error51);
+            const errorMessage = error51 instanceof Error ? error51.message : "Unknown error occurred";
+            return `Error opening URL: ${errorMessage}`;
+          }
+        }
+      });
+    };
+  }
+});
+
+// src/tools/scope.ts
+var import_node_fs6, import_node_path5, import_promises, ipv4ToInt, isIpLiteral, maskForPrefix, parseCidr, ScopeImpl, scopeFileFor, loadScope, hostFromUrl;
+var init_scope = __esm({
+  "src/tools/scope.ts"() {
+    "use strict";
+    import_node_fs6 = __toESM(require("node:fs"));
+    import_node_path5 = __toESM(require("node:path"));
+    import_promises = __toESM(require("node:dns/promises"));
+    ipv4ToInt = (ip) => {
+      const parts = ip.split(".");
+      if (parts.length !== 4) return null;
+      let value = 0;
+      for (const part of parts) {
+        if (!/^\d{1,3}$/.test(part)) return null;
+        const n = Number(part);
+        if (n > 255) return null;
+        value = value * 256 + n;
+      }
+      return value;
+    };
+    isIpLiteral = (host) => ipv4ToInt(host) !== null || host.includes(":");
+    maskForPrefix = (prefix) => prefix === 0 ? 0 : 4294967295 << 32 - prefix >>> 0;
+    parseCidr = (entry) => {
+      const slash = entry.indexOf("/");
+      if (slash === -1) {
+        const v42 = ipv4ToInt(entry);
+        if (v42 !== null) return { base: v42, mask: 4294967295 };
+        return null;
+      }
+      const addr = entry.slice(0, slash);
+      const prefix = Number(entry.slice(slash + 1));
+      const v4 = ipv4ToInt(addr);
+      if (v4 === null) return null;
+      if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) return null;
+      const mask = maskForPrefix(prefix);
+      return { base: (v4 & mask) >>> 0, mask };
+    };
+    ScopeImpl = class _ScopeImpl {
+      constructor() {
+        this.hosts = /* @__PURE__ */ new Set();
+        this.wildcards = [];
+        // stored as ".example.com"
+        this.cidrs = [];
+        this.loadedFrom = null;
+        this.entryCount = 0;
+      }
+      static parse(text2, loadedFrom) {
+        const scope = new _ScopeImpl();
+        scope.loadedFrom = loadedFrom;
+        for (const raw of text2.split(/\r?\n/)) {
+          const line = raw.trim();
+          if (!line || line.startsWith("#")) continue;
+          scope.entryCount++;
+          if (line.startsWith("*.")) {
+            scope.wildcards.push(line.slice(1).toLowerCase());
+            continue;
+          }
+          const cidr = parseCidr(line);
+          if (cidr) {
+            scope.cidrs.push(cidr);
+            continue;
+          }
+          scope.hosts.add(line.toLowerCase());
+        }
+        return scope;
+      }
+      isEmpty() {
+        return this.entryCount === 0;
+      }
+      matchesNameRules(host) {
+        if (this.hosts.has(host)) return true;
+        for (const suffix of this.wildcards) {
+          if (host.endsWith(suffix) || host === suffix.replace(/^\./, "")) {
+            return true;
+          }
+        }
+        return false;
+      }
+      async allows(host) {
+        host = (host || "").toLowerCase().trim();
+        if (!host) return false;
+        if (this.matchesNameRules(host)) return true;
+        if (this.cidrs.length === 0) return false;
+        const candidates = [];
+        if (isIpLiteral(host)) {
+          candidates.push(host);
+        } else {
+          try {
+            const records = await import_promises.default.lookup(host, { all: true });
+            for (const r of records) candidates.push(r.address);
+          } catch {
+            return false;
+          }
+        }
+        for (const ip of candidates) {
+          const value = ipv4ToInt(ip);
+          if (value === null) continue;
+          for (const c of this.cidrs) {
+            if ((value & c.mask) >>> 0 === c.base) return true;
+          }
+        }
+        return false;
+      }
+    };
+    scopeFileFor = (workdir) => import_node_path5.default.join(workdir, "recon", "scope.txt");
+    loadScope = (workdir) => {
+      const file2 = scopeFileFor(workdir);
+      try {
+        const text2 = import_node_fs6.default.readFileSync(file2, "utf8");
+        return ScopeImpl.parse(text2, file2);
+      } catch {
+        return ScopeImpl.parse("", null);
+      }
+    };
+    hostFromUrl = (url2) => {
+      try {
+        return new URL(url2).hostname.toLowerCase();
+      } catch {
+        return null;
+      }
+    };
+  }
+});
+
+// src/tools/http-request.ts
+var FUZZ, MAX_FUZZ, BODY_PREVIEW_CHARS, DEFAULT_TIMEOUT_S, LOOPBACK, numberEnv, sleep2, sampleUrl, NOTABLE_HEADERS, applyFuzz, buildInit, collectNotableHeaders, doRequest, summarizeFuzz, scopeRefusal, createHttpRequest;
+var init_http_request = __esm({
+  "src/tools/http-request.ts"() {
+    "use strict";
+    init_dist5();
+    init_zod();
+    init_scope();
+    FUZZ = "FUZZ";
+    MAX_FUZZ = 500;
+    BODY_PREVIEW_CHARS = 4e3;
+    DEFAULT_TIMEOUT_S = 30;
+    LOOPBACK = /* @__PURE__ */ new Set(["localhost", "127.0.0.1", "::1", "[::1]", "0.0.0.0"]);
+    numberEnv = (name25) => {
+      const raw = Number(process.env[name25]);
+      return Number.isFinite(raw) && raw >= 0 ? raw : void 0;
+    };
+    sleep2 = (ms, signal) => new Promise((resolve2) => {
+      if (ms <= 0 || signal?.aborted) return resolve2();
+      const t = setTimeout(resolve2, ms);
+      signal?.addEventListener(
+        "abort",
+        () => {
+          clearTimeout(t);
+          resolve2();
+        },
+        { once: true }
+      );
+    });
+    sampleUrl = (url2) => url2.split(FUZZ).join("x");
+    NOTABLE_HEADERS = [
+      "server",
+      "x-powered-by",
+      "location",
+      "set-cookie",
+      "content-type",
+      "content-length",
+      "www-authenticate",
+      "access-control-allow-origin",
+      "x-frame-options",
+      "content-security-policy",
+      "strict-transport-security"
+    ];
+    applyFuzz = (template, payload) => template == null ? template : template.split(FUZZ).join(payload);
+    buildInit = (method, headers, body, followRedirects, timeoutSignal) => {
+      const init = {
+        method,
+        redirect: followRedirects ? "follow" : "manual",
+        signal: timeoutSignal
+      };
+      if (headers && Object.keys(headers).length) init.headers = headers;
+      if (body != null && method !== "GET" && method !== "HEAD") init.body = body;
+      return init;
+    };
+    collectNotableHeaders = (h) => {
+      const out3 = {};
+      for (const name25 of NOTABLE_HEADERS) {
+        const value = h.get(name25);
+        if (value != null) out3[name25] = value;
+      }
+      return out3;
+    };
+    doRequest = async (url2, method, headers, body, followRedirects, timeoutMs, parentSignal) => {
+      const ctrl = new AbortController();
+      const onAbort = () => ctrl.abort();
+      parentSignal?.addEventListener("abort", onAbort, { once: true });
+      const timer2 = setTimeout(() => ctrl.abort(), timeoutMs);
+      const started2 = Date.now();
+      try {
+        const resp = await fetch(
+          url2,
+          buildInit(method, headers, body, followRedirects, ctrl.signal)
+        );
+        const text2 = await resp.text();
+        return {
+          status: resp.status,
+          finalUrl: resp.url || url2,
+          redirected: resp.redirected,
+          timeMs: Date.now() - started2,
+          text: text2,
+          headers: resp.headers
+        };
+      } catch (err) {
+        const timeMs = Date.now() - started2;
+        const msg = parentSignal?.aborted || err instanceof Error && err.name === "AbortError" ? "request aborted/timed out" : err instanceof Error ? err.message : String(err);
+        return { error: msg, timeMs };
+      } finally {
+        clearTimeout(timer2);
+        parentSignal?.removeEventListener("abort", onAbort);
+      }
+    };
+    summarizeFuzz = (rows) => {
+      const ok = rows.filter((r) => r.status !== "ERR");
+      const statusCounts = /* @__PURE__ */ new Map();
+      for (const r of ok) {
+        if (typeof r.status === "number") {
+          statusCounts.set(r.status, (statusCounts.get(r.status) ?? 0) + 1);
+        }
+      }
+      let baselineStatus = null;
+      let max = -1;
+      for (const [status, count] of statusCounts) {
+        if (count > max) {
+          max = count;
+          baselineStatus = status;
+        }
+      }
+      const lengths = ok.map((r) => r.bodyLength).sort((a, b) => a - b);
+      const medianLen = lengths.length ? lengths[Math.floor(lengths.length / 2)] : 0;
+      const anomalies = rows.filter((r) => {
+        if (r.status === "ERR") return true;
+        if (baselineStatus != null && r.status !== baselineStatus) return true;
+        if (medianLen > 0 && Math.abs(r.bodyLength - medianLen) > medianLen * 0.25) {
+          return true;
+        }
+        return false;
+      });
+      const lines = [];
+      lines.push(
+        `Fuzzed ${rows.length} payload(s). Baseline status: ${baselineStatus ?? "n/a"} (median body ${medianLen} bytes).`
+      );
+      if (anomalies.length === 0) {
+        lines.push("No anomalies \u2014 every response matched the baseline.");
+      } else {
+        lines.push(`${anomalies.length} anomaly/anomalies worth checking:`);
+        for (const r of anomalies.slice(0, 40)) {
+          lines.push(
+            `  \u2022 ${JSON.stringify(r.payload)} \u2192 ${r.status}` + (r.status === "ERR" ? ` (${r.error ?? "error"})` : ` | ${r.bodyLength} bytes | ${r.timeMs}ms`)
+          );
+        }
+        if (anomalies.length > 40) {
+          lines.push(`  \u2026 +${anomalies.length - 40} more`);
+        }
+      }
+      return lines.join("\n");
+    };
+    scopeRefusal = (host, workdir) => `Recusado: o host "${host}" n\xE3o est\xE1 no escopo autorizado. Adicione-o a ${scopeFileFor(workdir)} (formatos: example.com, *.example.com, CIDR 10.0.0.0/24, ou um IP) \u2014 somente alvos que voc\xEA possui ou tem autoriza\xE7\xE3o expl\xEDcita para testar. Edite o scope.txt com a ferramenta file e tente de novo.`;
+    createHttpRequest = (deps) => {
+      const { workdir, loadScopeFn = loadScope } = deps;
+      const envThrottle = numberEnv("HACKERAI_HTTP_THROTTLE_MS");
+      const envJitter = numberEnv("HACKERAI_HTTP_JITTER_MS");
+      return tool({
+        description: `Send a fully-controlled HTTP request (a native Repeater) and, with \`fuzz\`, an Intruder. Use this to iterate on a web vulnerability inside the agent loop instead of writing a one-off script for every probe.
+
+WHAT IT DOES
+- Single request: full control of method, headers, body and redirect handling; returns status, timing, notable security headers, body length and a body preview.
+- Intruder/fuzz: put the marker \`FUZZ\` in the url, body, or any header value and pass \`fuzz\` (a list of payloads). Each payload is substituted, sent sequentially with OPSEC throttle+jitter, and the results are diffed against a baseline so anomalies (auth bypass, IDOR, injection, hidden paths/params) are highlighted.
+
+SCOPE: every request is gated by recon/scope.txt (same allowlist as the recon toolkit). Out-of-scope hosts are refused; loopback is always allowed. Add authorized targets to scope.txt first.
+
+USE FOR: testing a single endpoint, replaying/tampering a captured request, parameter/path/value fuzzing, verifying an exploit by observing the real response. NOT a replacement for bulk crawling \u2014 use the Python recon toolkit for that.`,
+        inputSchema: external_exports.object({
+          brief: external_exports.string().describe("A one-sentence preamble describing the purpose of this request."),
+          url: external_exports.string().url().describe(
+            "Target URL. May contain the marker FUZZ (replaced by each fuzz payload)."
+          ),
+          method: external_exports.enum(["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"]).optional().describe("HTTP method (default GET)."),
+          headers: external_exports.record(external_exports.string(), external_exports.string()).optional().describe("Request headers. Values may contain FUZZ."),
+          body: external_exports.string().optional().describe("Request body for POST/PUT/PATCH/DELETE. May contain FUZZ."),
+          follow_redirects: external_exports.boolean().optional().describe("Follow 3xx redirects (default true). Set false to inspect Location."),
+          timeout: external_exports.number().optional().describe(`Per-request timeout in seconds (default ${DEFAULT_TIMEOUT_S}).`),
+          fuzz: external_exports.array(external_exports.string()).optional().describe(
+            `Intruder payloads \u2014 substituted into the FUZZ marker, one request each (max ${MAX_FUZZ}).`
+          ),
+          throttle_ms: external_exports.number().optional().describe("OPSEC: delay between fuzz requests in ms (overrides HACKERAI_HTTP_THROTTLE_MS)."),
+          jitter_ms: external_exports.number().optional().describe("OPSEC: random extra delay 0..jitter added to each throttle.")
+        }),
+        execute: async (input, { abortSignal } = {}) => {
+          const method = input.method ?? "GET";
+          const followRedirects = input.follow_redirects ?? true;
+          const timeoutMs = Math.max(1, input.timeout ?? DEFAULT_TIMEOUT_S) * 1e3;
+          const host = hostFromUrl(sampleUrl(input.url));
+          if (!host) {
+            return { error: `URL inv\xE1lida: ${input.url}` };
+          }
+          if (!LOOPBACK.has(host)) {
+            const scope = loadScopeFn(workdir);
+            const allowed = await scope.allows(host);
+            if (!allowed) {
+              return { error: scopeRefusal(host, workdir) };
+            }
+          }
+          const payloads = input.fuzz ?? [];
+          if (payloads.length > 0) {
+            const templateHasMarker = input.url.includes(FUZZ) || (input.body?.includes(FUZZ) ?? false) || Object.values(input.headers ?? {}).some((v) => v.includes(FUZZ));
+            if (!templateHasMarker) {
+              return {
+                error: "fuzz foi fornecido mas nenhum marcador FUZZ existe na url, body ou headers. Coloque FUZZ onde os payloads devem entrar."
+              };
+            }
+            const list = payloads.slice(0, MAX_FUZZ);
+            const throttle = input.throttle_ms ?? envThrottle ?? 0;
+            const jitter = input.jitter_ms ?? envJitter ?? 0;
+            const rows = [];
+            for (let i = 0; i < list.length; i++) {
+              if (abortSignal?.aborted) break;
+              const payload = list[i];
+              const url2 = applyFuzz(input.url, payload);
+              const body = applyFuzz(input.body, payload);
+              const headers = input.headers ? Object.fromEntries(
+                Object.entries(input.headers).map(([k, v]) => [
+                  k,
+                  applyFuzz(v, payload)
+                ])
+              ) : void 0;
+              const res2 = await doRequest(
+                url2,
+                method,
+                headers,
+                body,
+                followRedirects,
+                timeoutMs,
+                abortSignal
+              );
+              if ("error" in res2) {
+                rows.push({ payload, status: "ERR", bodyLength: 0, timeMs: res2.timeMs, error: res2.error });
+              } else {
+                rows.push({
+                  payload,
+                  status: res2.status,
+                  bodyLength: res2.text.length,
+                  timeMs: res2.timeMs,
+                  finalUrl: res2.finalUrl
+                });
+              }
+              if (i < list.length - 1 && (throttle > 0 || jitter > 0)) {
+                await sleep2(throttle + Math.floor(Math.random() * (jitter + 1)), abortSignal);
+              }
+            }
+            return { fuzz: { host, count: rows.length, rows } };
+          }
+          const res = await doRequest(
+            input.url,
+            method,
+            input.headers,
+            input.body,
+            followRedirects,
+            timeoutMs,
+            abortSignal
+          );
+          if ("error" in res) {
+            const single2 = {
+              status: 0,
+              ok: false,
+              finalUrl: input.url,
+              redirected: false,
+              timeMs: res.timeMs,
+              bodyLength: 0,
+              notableHeaders: {},
+              bodyPreview: "",
+              error: res.error
+            };
+            return { single: single2 };
+          }
+          const single = {
+            status: res.status,
+            ok: res.status >= 200 && res.status < 400,
+            finalUrl: res.finalUrl,
+            redirected: res.redirected,
+            timeMs: res.timeMs,
+            bodyLength: res.text.length,
+            notableHeaders: collectNotableHeaders(res.headers),
+            bodyPreview: res.text.length > BODY_PREVIEW_CHARS ? `${res.text.slice(0, BODY_PREVIEW_CHARS)}
+\u2026[+${res.text.length - BODY_PREVIEW_CHARS} bytes truncated]` : res.text
+          };
+          return { single };
+        },
+        toModelOutput: (out3) => {
+          const value = out3?.output ?? out3;
+          if (value?.error) {
+            return { type: "text", value: `http_request: ${value.error}` };
+          }
+          if (value?.fuzz) {
+            return {
+              type: "text",
+              value: summarizeFuzz(value.fuzz.rows)
+            };
+          }
+          const s = value?.single;
+          if (!s) {
+            return { type: "text", value: JSON.stringify(value) };
+          }
+          if (s.error) {
+            return {
+              type: "text",
+              value: `Request failed after ${s.timeMs}ms: ${s.error}`
+            };
+          }
+          const headerLines = Object.entries(s.notableHeaders).map(([k, v]) => `  ${k}: ${v}`).join("\n");
+          return {
+            type: "text",
+            value: `HTTP ${s.status}${s.redirected ? ` (redirected \u2192 ${s.finalUrl})` : ""} | ${s.bodyLength} bytes | ${s.timeMs}ms
+` + (headerLines ? `Notable headers:
+${headerLines}
+` : "") + `Body:
+${s.bodyPreview}`
+          };
+        }
+      });
+    };
+  }
+});
+
+// src/tools/findings.ts
+var import_node_fs7, import_node_path6, SEVERITIES, STATUSES, SEVERITY_RANK, SEVERITY_EMOJI, findingsStoreFor, readAll, writeAll, nextId, sortBySeverity, renderReport, oneLine, createFindings;
+var init_findings = __esm({
+  "src/tools/findings.ts"() {
+    "use strict";
+    import_node_fs7 = __toESM(require("node:fs"));
+    import_node_path6 = __toESM(require("node:path"));
+    init_dist5();
+    init_zod();
+    SEVERITIES = [
+      "critical",
+      "high",
+      "medium",
+      "low",
+      "info"
+    ];
+    STATUSES = ["suspected", "confirmed", "false_positive"];
+    SEVERITY_RANK = {
+      critical: 0,
+      high: 1,
+      medium: 2,
+      low: 3,
+      info: 4
+    };
+    SEVERITY_EMOJI = {
+      critical: "\u{1F534}",
+      high: "\u{1F7E0}",
+      medium: "\u{1F7E1}",
+      low: "\u{1F535}",
+      info: "\u26AA"
+    };
+    findingsStoreFor = (workdir) => {
+      const findingsDir = import_node_path6.default.join(workdir, "findings");
+      return {
+        findingsDir,
+        storeFile: import_node_path6.default.join(findingsDir, "findings.json"),
+        reportFile: import_node_path6.default.join(findingsDir, "report.md")
+      };
+    };
+    readAll = (store) => {
+      try {
+        const raw = import_node_fs7.default.readFileSync(store.storeFile, "utf8");
+        const parsed = JSON.parse(raw);
+        return Array.isArray(parsed) ? parsed : [];
+      } catch {
+        return [];
+      }
+    };
+    writeAll = (store, findings) => {
+      import_node_fs7.default.mkdirSync(store.findingsDir, { recursive: true });
+      import_node_fs7.default.writeFileSync(store.storeFile, JSON.stringify(findings, null, 2), "utf8");
+    };
+    nextId = (findings) => {
+      let max = 0;
+      for (const f of findings) {
+        const m = /^F-(\d+)$/.exec(f.id);
+        if (m) max = Math.max(max, Number(m[1]));
+      }
+      return `F-${String(max + 1).padStart(3, "0")}`;
+    };
+    sortBySeverity = (findings) => [...findings].sort(
+      (a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity] || a.id.localeCompare(b.id)
+    );
+    renderReport = (findings) => {
+      const now2 = (/* @__PURE__ */ new Date()).toISOString();
+      const counts = {
+        critical: 0,
+        high: 0,
+        medium: 0,
+        low: 0,
+        info: 0
+      };
+      for (const f of findings) counts[f.severity]++;
+      const lines = [];
+      lines.push(`# Relat\xF3rio de Pentest`);
+      lines.push("");
+      lines.push(`_Gerado em ${now2}_`);
+      lines.push("");
+      lines.push(`## Sum\xE1rio executivo`);
+      lines.push("");
+      lines.push(`Total de findings: **${findings.length}**`);
+      lines.push("");
+      lines.push(`| Severidade | Qtd |`);
+      lines.push(`| --- | --- |`);
+      for (const sev of SEVERITIES) {
+        lines.push(`| ${SEVERITY_EMOJI[sev]} ${sev} | ${counts[sev]} |`);
+      }
+      lines.push("");
+      if (findings.length === 0) {
+        lines.push("_Nenhum finding registrado ainda._");
+        return lines.join("\n");
+      }
+      lines.push(`## Findings`);
+      lines.push("");
+      for (const f of sortBySeverity(findings)) {
+        lines.push(
+          `### ${f.id} \u2014 ${f.title} ${SEVERITY_EMOJI[f.severity]} ${f.severity.toUpperCase()}`
+        );
+        lines.push("");
+        lines.push(`- **Status:** ${f.status}`);
+        if (f.target) lines.push(`- **Alvo:** ${f.target}`);
+        if (f.url) lines.push(`- **URL:** ${f.url}`);
+        if (f.param) lines.push(`- **Par\xE2metro:** ${f.param}`);
+        if (f.cvss) lines.push(`- **CVSS:** ${f.cvss}`);
+        lines.push(`- **Registrado:** ${f.created_at}`);
+        if (f.updated_at !== f.created_at) {
+          lines.push(`- **Atualizado:** ${f.updated_at}`);
+        }
+        lines.push("");
+        if (f.evidence) {
+          lines.push(`**Evid\xEAncia**`);
+          lines.push("");
+          lines.push("```");
+          lines.push(f.evidence);
+          lines.push("```");
+          lines.push("");
+        }
+        if (f.impact) {
+          lines.push(`**Impacto:** ${f.impact}`);
+          lines.push("");
+        }
+        if (f.remediation) {
+          lines.push(`**Remedia\xE7\xE3o:** ${f.remediation}`);
+          lines.push("");
+        }
+        if (f.references?.length) {
+          lines.push(`**Refer\xEAncias:**`);
+          for (const r of f.references) lines.push(`- ${r}`);
+          lines.push("");
+        }
+      }
+      return lines.join("\n");
+    };
+    oneLine = (f) => `${f.id} [${f.severity}/${f.status}] ${f.title}` + (f.target ? ` (${f.target})` : "");
+    createFindings = (deps) => {
+      const { workdir, storeFn = findingsStoreFor } = deps;
+      const store = storeFn(workdir);
+      return tool({
+        description: `Structured findings/engagement memory. Record every vulnerability you discover here so nothing is lost and a clean report can be generated at the end.
+
+ACTIONS
+- add: record a new finding (title + severity required; include evidence, target, url, param, impact, remediation when known). New findings default to status "suspected".
+- update: change fields of an existing finding by id \u2014 most importantly flip status to "confirmed" once you have proof (with evidence), or "false_positive" if disproved.
+- list: show all recorded findings (optionally filter by severity/status).
+- report: render a full Markdown report grouped by severity and write it to findings/report.md.
+
+Use this together with http_request: probe \u2192 observe \u2192 record evidence \u2192 mark confirmed.`,
+        inputSchema: external_exports.object({
+          action: external_exports.enum(["add", "update", "list", "report"]),
+          brief: external_exports.string().describe("A one-sentence preamble describing the purpose of this operation."),
+          id: external_exports.string().optional().describe("Finding id (e.g. F-001) \u2014 required for update."),
+          title: external_exports.string().optional(),
+          severity: external_exports.enum(SEVERITIES).optional(),
+          status: external_exports.enum(STATUSES).optional(),
+          target: external_exports.string().optional(),
+          url: external_exports.string().optional(),
+          param: external_exports.string().optional(),
+          evidence: external_exports.string().optional().describe("Proof: payload + request/response snippet or observation."),
+          impact: external_exports.string().optional(),
+          remediation: external_exports.string().optional(),
+          cvss: external_exports.string().optional(),
+          references: external_exports.array(external_exports.string()).optional(),
+          filter_severity: external_exports.enum(SEVERITIES).optional(),
+          filter_status: external_exports.enum(STATUSES).optional()
+        }),
+        execute: async (input) => {
+          try {
+            const findings = readAll(store);
+            const now2 = (/* @__PURE__ */ new Date()).toISOString();
+            if (input.action === "add") {
+              if (!input.title || !input.severity) {
+                return { error: "add requer title e severity." };
+              }
+              const finding = {
+                id: nextId(findings),
+                title: input.title,
+                severity: input.severity,
+                status: input.status ?? "suspected",
+                ...input.target ? { target: input.target } : {},
+                ...input.url ? { url: input.url } : {},
+                ...input.param ? { param: input.param } : {},
+                ...input.evidence ? { evidence: input.evidence } : {},
+                ...input.impact ? { impact: input.impact } : {},
+                ...input.remediation ? { remediation: input.remediation } : {},
+                ...input.cvss ? { cvss: input.cvss } : {},
+                ...input.references ? { references: input.references } : {},
+                created_at: now2,
+                updated_at: now2
+              };
+              findings.push(finding);
+              writeAll(store, findings);
+              return { added: finding, total: findings.length };
+            }
+            if (input.action === "update") {
+              if (!input.id) return { error: "update requer id." };
+              const idx = findings.findIndex((f) => f.id === input.id);
+              if (idx === -1) {
+                return { error: `finding n\xE3o encontrado: ${input.id}` };
+              }
+              const current = findings[idx];
+              const updated = {
+                ...current,
+                ...input.title != null ? { title: input.title } : {},
+                ...input.severity != null ? { severity: input.severity } : {},
+                ...input.status != null ? { status: input.status } : {},
+                ...input.target != null ? { target: input.target } : {},
+                ...input.url != null ? { url: input.url } : {},
+                ...input.param != null ? { param: input.param } : {},
+                ...input.evidence != null ? { evidence: input.evidence } : {},
+                ...input.impact != null ? { impact: input.impact } : {},
+                ...input.remediation != null ? { remediation: input.remediation } : {},
+                ...input.cvss != null ? { cvss: input.cvss } : {},
+                ...input.references != null ? { references: input.references } : {},
+                updated_at: now2
+              };
+              findings[idx] = updated;
+              writeAll(store, findings);
+              return { updated };
+            }
+            if (input.action === "list") {
+              let filtered = findings;
+              if (input.filter_severity) {
+                filtered = filtered.filter((f) => f.severity === input.filter_severity);
+              }
+              if (input.filter_status) {
+                filtered = filtered.filter((f) => f.status === input.filter_status);
+              }
+              return {
+                list: sortBySeverity(filtered),
+                total: filtered.length,
+                overall: findings.length
+              };
+            }
+            const md = renderReport(findings);
+            import_node_fs7.default.mkdirSync(store.findingsDir, { recursive: true });
+            import_node_fs7.default.writeFileSync(store.reportFile, md, "utf8");
+            return { report: store.reportFile, total: findings.length };
+          } catch (err) {
+            return {
+              error: err instanceof Error ? err.message : String(err)
+            };
+          }
+        },
+        toModelOutput: (out3) => {
+          const v = out3?.output ?? out3;
+          if (v?.error) {
+            return { type: "text", value: `findings: ${v.error}` };
+          }
+          if (v?.added) {
+            return {
+              type: "text",
+              value: `Finding registrado: ${oneLine(v.added)}. Total: ${v.total}.`
+            };
+          }
+          if (v?.updated) {
+            return {
+              type: "text",
+              value: `Finding atualizado: ${oneLine(v.updated)}.`
+            };
+          }
+          if (v?.list) {
+            const rows = v.list.map((f) => `  ${oneLine(f)}`).join("\n");
+            return {
+              type: "text",
+              value: `${v.total} finding(s)${v.total !== v.overall ? ` (de ${v.overall})` : ""}:
+` + (rows || "  (nenhum)")
+            };
+          }
+          if (v?.report) {
+            return {
+              type: "text",
+              value: `Relat\xF3rio gerado (${v.total} findings) \u2192 ${v.report}`
+            };
+          }
+          return { type: "text", value: JSON.stringify(v) };
+        }
+      });
+    };
+  }
+});
+
 // ../lib/ai/tools/utils/todo-manager.ts
 var TodoManager;
 var init_todo_manager = __esm({
@@ -68688,21 +70010,21 @@ var init_utils4 = __esm({
 
 // src/local-sandbox.ts
 function inferShellFlag(shell2) {
-  const base = import_node_path5.default.basename(shell2).toLowerCase();
+  const base = import_node_path7.default.basename(shell2).toLowerCase();
   if (base === "cmd" || base === "cmd.exe") return "/C";
   if (base === "powershell" || base === "powershell.exe" || base === "pwsh") {
     return "-Command";
   }
   return "-c";
 }
-var import_node_child_process2, import_node_fs6, import_node_path5, import_node_os2, import_node_url, import_meta, LocalSandbox;
+var import_node_child_process2, import_node_fs8, import_node_path7, import_node_os3, import_node_url, import_meta, LocalSandbox;
 var init_local_sandbox = __esm({
   "src/local-sandbox.ts"() {
     "use strict";
     import_node_child_process2 = require("node:child_process");
-    import_node_fs6 = require("node:fs");
-    import_node_path5 = __toESM(require("node:path"));
-    import_node_os2 = __toESM(require("node:os"));
+    import_node_fs8 = require("node:fs");
+    import_node_path7 = __toESM(require("node:path"));
+    import_node_os3 = __toESM(require("node:os"));
     import_node_url = require("node:url");
     init_utils4();
     import_meta = {};
@@ -68799,15 +70121,15 @@ var init_local_sandbox = __esm({
         this.files = {
           write: async (filePath, content) => {
             const resolved = this.resolvePath(filePath);
-            await import_node_fs6.promises.mkdir(import_node_path5.default.dirname(resolved), { recursive: true });
+            await import_node_fs8.promises.mkdir(import_node_path7.default.dirname(resolved), { recursive: true });
             const data = typeof content === "string" ? content : content instanceof ArrayBuffer ? Buffer.from(content) : content;
-            await import_node_fs6.promises.writeFile(resolved, data);
+            await import_node_fs8.promises.writeFile(resolved, data);
           },
           read: async (filePath) => {
-            return import_node_fs6.promises.readFile(this.resolvePath(filePath), "utf8");
+            return import_node_fs8.promises.readFile(this.resolvePath(filePath), "utf8");
           },
           remove: async (filePath) => {
-            await import_node_fs6.promises.rm(this.resolvePath(filePath), {
+            await import_node_fs8.promises.rm(this.resolvePath(filePath), {
               recursive: true,
               force: true
             });
@@ -68815,8 +70137,8 @@ var init_local_sandbox = __esm({
           list: async (dirPath = ".") => {
             const resolved = this.resolvePath(dirPath);
             try {
-              const entries = await import_node_fs6.promises.readdir(resolved, { withFileTypes: true });
-              return entries.filter((e) => e.isFile()).map((e) => ({ name: import_node_path5.default.join(resolved, e.name) }));
+              const entries = await import_node_fs8.promises.readdir(resolved, { withFileTypes: true });
+              return entries.filter((e) => e.isFile()).map((e) => ({ name: import_node_path7.default.join(resolved, e.name) }));
             } catch {
               return [];
             }
@@ -68827,15 +70149,15 @@ var init_local_sandbox = __esm({
           this.shellBin = shellOverride;
           this.shellFlag = process.env.CLI_SHELL_FLAG || inferShellFlag(shellOverride);
         } else {
-          const shell2 = getDefaultShell(import_node_os2.default.platform());
+          const shell2 = getDefaultShell(import_node_os3.default.platform());
           this.shellBin = shell2.shell;
           this.shellFlag = shell2.shellFlag;
         }
-        const base = opts?.workdir || process.env.CLI_WORKDIR || import_node_path5.default.join(process.cwd(), "SPRIT");
-        this.workdir = import_node_path5.default.resolve(base).replace(/\\/g, "/");
+        const base = opts?.workdir || process.env.CLI_WORKDIR || import_node_path7.default.join(process.cwd(), "SPRIT");
+        this.workdir = import_node_path7.default.resolve(base).replace(/\\/g, "/");
       }
       async init() {
-        await import_node_fs6.promises.mkdir(this.workdir, { recursive: true });
+        await import_node_fs8.promises.mkdir(this.workdir, { recursive: true });
         await this.seedReconToolkit();
         await this.seedAuditToolkit();
       }
@@ -68852,26 +70174,31 @@ var init_local_sandbox = __esm({
           const assetsDir = (0, import_node_url.fileURLToPath)(
             new URL("../assets/recon", import_meta.url)
           );
-          const destDir = import_node_path5.default.join(this.workdir, "recon");
-          await import_node_fs6.promises.mkdir(destDir, { recursive: true });
+          const destDir = import_node_path7.default.join(this.workdir, "recon");
+          await import_node_fs8.promises.mkdir(destDir, { recursive: true });
           const files = [
             ["recon_deep.py", true],
+            ["recon_common.py", true],
+            ["recon_subdomains.py", true],
+            ["recon_ports.py", true],
+            ["recon_content.py", true],
+            ["recon_intel.py", true],
             ["console_recon.js", true],
             ["README.md", true],
             ["scope.txt", false]
           ];
           for (const [name25, overwrite] of files) {
-            const dest = import_node_path5.default.join(destDir, name25);
+            const dest = import_node_path7.default.join(destDir, name25);
             if (!overwrite) {
               try {
-                await import_node_fs6.promises.access(dest);
+                await import_node_fs8.promises.access(dest);
                 continue;
               } catch {
               }
             }
             try {
-              const content = await import_node_fs6.promises.readFile(import_node_path5.default.join(assetsDir, name25));
-              await import_node_fs6.promises.writeFile(dest, content);
+              const content = await import_node_fs8.promises.readFile(import_node_path7.default.join(assetsDir, name25));
+              await import_node_fs8.promises.writeFile(dest, content);
             } catch {
             }
           }
@@ -68889,12 +70216,12 @@ var init_local_sandbox = __esm({
           const assetsDir = (0, import_node_url.fileURLToPath)(
             new URL("../assets/audit", import_meta.url)
           );
-          const destDir = import_node_path5.default.join(this.workdir, "audit");
-          await import_node_fs6.promises.mkdir(destDir, { recursive: true });
+          const destDir = import_node_path7.default.join(this.workdir, "audit");
+          await import_node_fs8.promises.mkdir(destDir, { recursive: true });
           for (const name25 of ["project_audit.py", "README.md"]) {
             try {
-              const content = await import_node_fs6.promises.readFile(import_node_path5.default.join(assetsDir, name25));
-              await import_node_fs6.promises.writeFile(import_node_path5.default.join(destDir, name25), content);
+              const content = await import_node_fs8.promises.readFile(import_node_path7.default.join(assetsDir, name25));
+              await import_node_fs8.promises.writeFile(import_node_path7.default.join(destDir, name25), content);
             } catch {
             }
           }
@@ -68905,23 +70232,23 @@ var init_local_sandbox = __esm({
         return "local";
       }
       getConnectionName() {
-        return `local:${import_node_os2.default.hostname()}`;
+        return `local:${import_node_os3.default.hostname()}`;
       }
       getUserId() {
         return "local";
       }
       isWindows() {
-        return import_node_os2.default.platform() === "win32" && !this.isBashLikeShell();
+        return import_node_os3.default.platform() === "win32" && !this.isBashLikeShell();
       }
       supportsPty() {
         return false;
       }
       getSandboxContext() {
-        const platform = `${import_node_os2.default.type()} ${import_node_os2.default.release()} (${import_node_os2.default.arch()})`;
+        const platform = `${import_node_os3.default.type()} ${import_node_os3.default.release()} (${import_node_os3.default.arch()})`;
         const shellInvocation = `${this.shellBin} ${this.shellFlag}`;
-        const windowsNotes = import_node_os2.default.platform() === "win32" ? this.getWindowsShellNotes() : "";
+        const windowsNotes = import_node_os3.default.platform() === "win32" ? this.getWindowsShellNotes() : "";
         const pentestToolingNotes = this.getLocalPentestToolingNotes();
-        return `You are executing commands directly on the user's local host (${platform}, hostname "${import_node_os2.default.hostname()}") in DANGEROUS MODE: there is NO sandbox isolation.
+        return `You are executing commands directly on the user's local host (${platform}, hostname "${import_node_os3.default.hostname()}") in DANGEROUS MODE: there is NO sandbox isolation.
 Commands are invoked via \`${shellInvocation}\`. The working directory is "${this.workdir}".
 Be careful: file system, network and process operations all affect the real host system.
 A real human user is present at this terminal. When a command prompts for input \u2014 a password, a y/n confirmation, an interactive installer, a REPL prompt (python, mysql, ftp), an ssh/sudo prompt, etc. \u2014 the user types the answer and it is forwarded to the command's stdin. So you MAY run commands that prompt for input; just run the command and the user will respond when asked. Prefer non-interactive flags (like --yes) when they exist and are convenient, but interactive prompts are fully supported. Only full-screen / raw-mode TUI programs (vim, top, htop, less without \`| cat\`) are unsupported, since there is no PTY \u2014 avoid those and use line-oriented alternatives.
@@ -69010,7 +70337,7 @@ EDITING SCRIPTS:
       // alive — `taskkill /T` tears down the whole tree so Ctrl+C truly stops it.
       killChildTree(child) {
         const pid = child.pid;
-        if (pid && import_node_os2.default.platform() === "win32") {
+        if (pid && import_node_os3.default.platform() === "win32") {
           try {
             (0, import_node_child_process2.spawn)("taskkill", ["/PID", String(pid), "/T", "/F"], {
               windowsHide: true
@@ -69025,15 +70352,15 @@ EDITING SCRIPTS:
         }
       }
       resolvePath(p) {
-        if (import_node_path5.default.isAbsolute(p)) return p;
-        return import_node_path5.default.join(this.workdir, p);
+        if (import_node_path7.default.isAbsolute(p)) return p;
+        return import_node_path7.default.join(this.workdir, p);
       }
       isBashLikeShell() {
-        const base = import_node_path5.default.basename(this.shellBin).toLowerCase();
+        const base = import_node_path7.default.basename(this.shellBin).toLowerCase();
         return base === "bash" || base === "bash.exe" || base === "sh";
       }
       isCmdShell() {
-        const base = import_node_path5.default.basename(this.shellBin).toLowerCase();
+        const base = import_node_path7.default.basename(this.shellBin).toLowerCase();
         return base === "cmd" || base === "cmd.exe";
       }
       getWindowsShellNotes() {
@@ -69065,7 +70392,7 @@ WINDOWS SHELL NOTES:
 - For HTTP, prefer \`curl.exe\` if available; for DNS use \`nslookup\`.`;
       }
       getLocalPentestToolingNotes() {
-        if (import_node_os2.default.platform() === "win32") {
+        if (import_node_os3.default.platform() === "win32") {
           return `
 
 LOCAL PENTEST TOOLING:
@@ -69130,44 +70457,6 @@ var init_local_sandbox_manager = __esm({
   }
 });
 
-// src/console-writer.ts
-function createConsoleWriter() {
-  let lastWasTerminal = false;
-  return {
-    write(part) {
-      if (!part || typeof part !== "object") return;
-      if (part.type === "data-terminal") {
-        const text2 = part.data?.terminal;
-        if (typeof text2 === "string" && text2.length > 0) {
-          process.stdout.write(text2);
-          lastWasTerminal = true;
-        }
-        return;
-      }
-      if (part.type === "data-sandbox-fallback") {
-        process.stderr.write("\n[sandbox fallback]\n");
-        return;
-      }
-      void lastWasTerminal;
-    },
-    // Some AI SDK code paths probe for these; provide no-op stubs.
-    merge() {
-    },
-    onError(error51) {
-      process.stderr.write(
-        `
-[stream error] ${error51 instanceof Error ? error51.message : String(error51)}
-`
-      );
-    }
-  };
-}
-var init_console_writer = __esm({
-  "src/console-writer.ts"() {
-    "use strict";
-  }
-});
-
 // src/render.ts
 function createRenderer() {
   let lastKind = null;
@@ -69184,10 +70473,10 @@ function createRenderer() {
     reasoning(delta) {
       sep3("reasoning");
       if (!reasoningHeaderShown) {
-        out(`${C2.dim}pensando: `);
+        out(`${C3.dim} \xB7 pensando: `);
         reasoningHeaderShown = true;
       }
-      out(`${C2.dim}${delta}${C2.reset}`);
+      out(`${C3.dim}${delta}${C3.reset}`);
     },
     toolCall(toolName, input) {
       sep3("tool");
@@ -69199,23 +70488,27 @@ function createRenderer() {
       const note = summarizeResult(toolName, output);
       if (note) {
         sep3("tool");
-        out(`${C2.dim}   ok ${note}${C2.reset}
+        const isErr = note.error;
+        const icon = isErr ? `${C3.red}\u2717${C3.reset}` : `${C3.green}\u2713${C3.reset}`;
+        const body = isErr ? `${C3.red}${note.text}${C3.reset}` : `${C3.dim}${note.text}${C3.reset}`;
+        out(` ${icon} ${body}
 `);
       }
     },
     info(msg) {
       sep3("info");
-      out(`${C2.dim}${msg}${C2.reset}
+      const text2 = msg.replace(/^[▸▶►•·]\s*/, "");
+      out(` ${C3.dim}\xB7${C3.reset} ${C3.dim}${text2}${C3.reset}
 `);
     },
     fallback(msg) {
       sep3("info");
-      out(`${C2.yellow}-> ${msg}${C2.reset}
+      out(` ${C3.yellow}\u21C4 ${msg}${C3.reset}
 `);
     },
     error(msg) {
       sep3("info");
-      out(`${C2.red}x ${msg}${C2.reset}
+      out(` ${C3.red}\u2717 ${msg}${C3.reset}
 `);
     },
     endTurn() {
@@ -69233,49 +70526,106 @@ function formatToolCall(toolName, input) {
   switch (toolName) {
     case "run_terminal_cmd": {
       const cmd = String(i.command ?? "").trim();
-      const bg = i.is_background ? `${C2.dim} (background)${C2.reset}` : "";
-      return `${C2.cyan}executando${C2.reset} ${C2.bold}$ ${truncate3(cmd, 400)}${C2.reset}${bg}`;
+      const bg = i.is_background ? `${C3.dim} (background)${C3.reset}` : "";
+      return ` ${C3.cyan}\u276F${C3.reset} ${C3.cyan}exec${C3.reset}  ${C3.bold}${truncate3(cmd, 400)}${C3.reset}${bg}`;
     }
     case "file": {
-      const path10 = String(i.path ?? "");
-      const brief = i.brief ? `${C2.dim} - ${truncate3(String(i.brief))}${C2.reset}` : "";
+      const path12 = String(i.path ?? "");
+      const brief = i.brief ? `${C3.dim} \u2014 ${truncate3(String(i.brief))}${C3.reset}` : "";
       const map2 = {
-        write: `${C2.green}criando arquivo${C2.reset}`,
-        edit: `${C2.yellow}editando arquivo${C2.reset}`,
-        append: `${C2.green}anexando arquivo${C2.reset}`,
-        read: `${C2.blue}lendo arquivo${C2.reset}`,
-        view: `${C2.blue}visualizando arquivo${C2.reset}`
+        write: [C3.green, "criar  "],
+        edit: [C3.yellow, "editar "],
+        append: [C3.green, "anexar "],
+        read: [C3.blue, "ler    "],
+        view: [C3.blue, "ver    "]
       };
       const action = typeof i.action === "string" ? i.action : "";
-      const label = map2[action] ?? (action ? `${C2.blue}arquivo (${action})${C2.reset}` : `${C2.blue}preparando operacao de arquivo${C2.reset}`);
-      const target = path10 ? ` ${C2.bold}${path10}${C2.reset}` : "";
-      return `${label}${target}${brief}`;
+      const [col, verb] = map2[action] ?? [
+        C3.blue,
+        action ? `${action} `.padEnd(7) : "arquivo"
+      ];
+      const target = path12 ? `${C3.bold}${path12}${C3.reset}` : "";
+      return ` ${col}\u276F${C3.reset} ${col}${verb}${C3.reset} ${target}${brief}`;
     }
     case "todo_write":
-      return `${C2.magenta}atualizando lista de tarefas${C2.reset}`;
+      return ` ${C3.magenta}\u276F${C3.reset} ${C3.magenta}tarefas${C3.reset} ${C3.dim}atualizando lista${C3.reset}`;
+    case "http_request": {
+      const method = String(i.method ?? "GET").toUpperCase();
+      const url2 = String(i.url ?? "");
+      const fuzz = Array.isArray(i.fuzz) && i.fuzz.length;
+      const tag = fuzz ? `${C3.dim} (fuzz \xD7${i.fuzz.length})${C3.reset}` : "";
+      return ` ${C3.cyan}\u276F${C3.reset} ${C3.cyan}http${C3.reset}  ${C3.bold}${method}${C3.reset} ${truncate3(url2, 360)}${tag}`;
+    }
+    case "findings": {
+      const action = String(i.action ?? "");
+      const detail = action === "add" ? truncate3(String(i.title ?? ""), 80) : action === "update" ? `${String(i.id ?? "")} ${String(i.status ?? "")}`.trim() : "";
+      return ` ${C3.magenta}\u276F${C3.reset} ${C3.magenta}findings${C3.reset} ${C3.bold}${action}${C3.reset}${detail ? ` ${C3.dim}${detail}${C3.reset}` : ""}`;
+    }
+    case "web_search": {
+      const queries = Array.isArray(i.queries) ? i.queries.join(" | ") : "";
+      return ` ${C3.cyan}\u276F${C3.reset} ${C3.cyan}busca${C3.reset}  ${C3.dim}${truncate3(queries, 200)}${C3.reset}`;
+    }
+    case "open_url": {
+      const url2 = String(i.url ?? i.urls ?? "");
+      return ` ${C3.cyan}\u276F${C3.reset} ${C3.cyan}abrir${C3.reset}  ${C3.dim}${truncate3(url2, 280)}${C3.reset}`;
+    }
     default:
-      return `${C2.cyan}${toolName}${C2.reset} ${C2.dim}${truncate3(
+      return ` ${C3.cyan}\u276F${C3.reset} ${C3.cyan}${toolName}${C3.reset} ${C3.dim}${truncate3(
         JSON.stringify(i),
         200
-      )}${C2.reset}`;
+      )}${C3.reset}`;
   }
 }
 function summarizeResult(toolName, output) {
   if (output == null) return null;
   if (toolName === "file") {
     if (typeof output === "object" && "error" in output) {
-      return `erro: ${truncate3(String(output.error), 160)}`;
+      return {
+        text: truncate3(String(output.error), 160),
+        error: true
+      };
+    }
+    return { text: "arquivo salvo", error: false };
+  }
+  if (toolName === "todo_write")
+    return { text: "tarefas salvas", error: false };
+  if (toolName === "http_request") {
+    const o = asRecord(output);
+    if ("error" in o && o.error) {
+      return { text: truncate3(String(o.error), 200), error: true };
+    }
+    if (o.single) {
+      const s = asRecord(o.single);
+      if (s.error) return { text: truncate3(String(s.error), 160), error: true };
+      return {
+        text: `HTTP ${s.status} \xB7 ${s.bodyLength} bytes \xB7 ${s.timeMs}ms`,
+        error: false
+      };
+    }
+    if (o.fuzz) {
+      const f = asRecord(o.fuzz);
+      return { text: `fuzz: ${f.count} requisi\xE7\xF5es`, error: false };
     }
-    return "arquivo atualizado";
+    return null;
+  }
+  if (toolName === "findings") {
+    const o = asRecord(output);
+    if ("error" in o && o.error) {
+      return { text: truncate3(String(o.error), 200), error: true };
+    }
+    if (o.added) return { text: "finding registrado", error: false };
+    if (o.updated) return { text: "finding atualizado", error: false };
+    if (o.report) return { text: `relat\xF3rio \u2192 ${String(o.report)}`, error: false };
+    if ("total" in o) return { text: `${String(o.total)} finding(s)`, error: false };
+    return null;
   }
-  if (toolName === "todo_write") return "tarefas salvas";
   return null;
 }
-var C2, out, truncate3;
+var C3, GUTTER_BAR, out, truncate3;
 var init_render = __esm({
   "src/render.ts"() {
     "use strict";
-    C2 = {
+    C3 = {
       reset: "\x1B[0m",
       dim: "\x1B[90m",
       red: "\x1B[31m",
@@ -69286,11 +70636,61 @@ var init_render = __esm({
       cyan: "\x1B[36m",
       bold: "\x1B[1m"
     };
+    GUTTER_BAR = `${C3.dim}\u2502${C3.reset} `;
     out = (s) => process.stdout.write(s);
     truncate3 = (s, n = 200) => s.length > n ? `${s.slice(0, n)}...` : s;
   }
 });
 
+// src/console-writer.ts
+function createConsoleWriter() {
+  let atLineStart = true;
+  const writeGuttered = (text2) => {
+    let chunk = text2;
+    if (atLineStart) {
+      process.stdout.write(GUTTER_BAR);
+      atLineStart = false;
+    }
+    const endsWithNewline = chunk.endsWith("\n");
+    chunk = chunk.replace(/\n(?!$)/g, `
+${GUTTER_BAR}`);
+    process.stdout.write(chunk);
+    if (endsWithNewline) atLineStart = true;
+  };
+  return {
+    write(part) {
+      if (!part || typeof part !== "object") return;
+      if (part.type === "data-terminal") {
+        const text2 = part.data?.terminal;
+        if (typeof text2 === "string" && text2.length > 0) {
+          writeGuttered(text2);
+        }
+        return;
+      }
+      if (part.type === "data-sandbox-fallback") {
+        process.stderr.write("\n[sandbox fallback]\n");
+        return;
+      }
+    },
+    // Some AI SDK code paths probe for these; provide no-op stubs.
+    merge() {
+    },
+    onError(error51) {
+      process.stderr.write(
+        `
+[stream error] ${error51 instanceof Error ? error51.message : String(error51)}
+`
+      );
+    }
+  };
+}
+var init_console_writer = __esm({
+  "src/console-writer.ts"() {
+    "use strict";
+    init_render();
+  }
+});
+
 // src/proxy-manager.ts
 async function ping(url2, timeoutMs = 2e3) {
   const controller = new AbortController();
@@ -69355,12 +70755,12 @@ async function ensureProxyReady(id, log2) {
     };
   }
   let freshSetup = false;
-  if (!(0, import_node_fs7.existsSync)(dir)) {
+  if (!(0, import_node_fs9.existsSync)(dir)) {
     log2(`${def.label}: baixando o proxy (uma vez) em ${dir} \u2026`);
     const root = proxiesRoot();
-    (0, import_node_fs7.mkdirSync)(root, { recursive: true });
+    (0, import_node_fs9.mkdirSync)(root, { recursive: true });
     const cloned = run("git", ["clone", def.repoUrl, dir], root);
-    if (!cloned.ok || !(0, import_node_fs7.existsSync)(dir)) {
+    if (!cloned.ok || !(0, import_node_fs9.existsSync)(dir)) {
       return {
         ok: false,
         message: `${def.label}: falha ao clonar o proxy (git).`
@@ -69368,7 +70768,7 @@ async function ensureProxyReady(id, log2) {
     }
     freshSetup = true;
   }
-  if (!(0, import_node_fs7.existsSync)(import_node_path6.default.join(dir, "node_modules"))) {
+  if (!(0, import_node_fs9.existsSync)(import_node_path8.default.join(dir, "node_modules"))) {
     log2(`${def.label}: instalando depend\xEAncias (pode demorar) \u2026`);
     if (!run("npm", ["install"], dir).ok) {
       return { ok: false, message: `${def.label}: 'npm install' falhou.` };
@@ -69413,13 +70813,13 @@ async function ensureProxyReady(id, log2) {
     message: `${def.label}: o proxy n\xE3o respondeu em 90s. Tente de novo, ou rode 'npm run login' em ${dir}.`
   };
 }
-var import_node_os3, import_node_path6, import_node_fs7, import_node_child_process3, DEFS, PROXY_MODEL_KEYS, proxyIdForModelKey, proxiesRoot, dirFor, healthUrl, baseUrl, wait, started, exitHooksInstalled, quoteArg, asShellCommand, run, hasCommand;
+var import_node_os4, import_node_path8, import_node_fs9, import_node_child_process3, DEFS, PROXY_MODEL_KEYS, proxyIdForModelKey, proxiesRoot, dirFor, healthUrl, baseUrl, wait, started, exitHooksInstalled, quoteArg, asShellCommand, run, hasCommand;
 var init_proxy_manager2 = __esm({
   "src/proxy-manager.ts"() {
     "use strict";
-    import_node_os3 = __toESM(require("node:os"));
-    import_node_path6 = __toESM(require("node:path"));
-    import_node_fs7 = require("node:fs");
+    import_node_os4 = __toESM(require("node:os"));
+    import_node_path8 = __toESM(require("node:path"));
+    import_node_fs9 = require("node:fs");
     import_node_child_process3 = require("node:child_process");
     DEFS = {
       deepseek: {
@@ -69452,11 +70852,11 @@ var init_proxy_manager2 = __esm({
       if (key === PROXY_MODEL_KEYS.kimi) return "kimi";
       return null;
     };
-    proxiesRoot = () => import_node_path6.default.join(
-      process.env.CLAWFAST_HOME?.trim() || import_node_path6.default.join(import_node_os3.default.homedir(), ".clawfast"),
+    proxiesRoot = () => import_node_path8.default.join(
+      process.env.CLAWFAST_HOME?.trim() || import_node_path8.default.join(import_node_os4.default.homedir(), ".clawfast"),
       "proxies"
     );
-    dirFor = (def) => process.env[def.dirEnv]?.trim() || import_node_path6.default.join(proxiesRoot(), def.folder);
+    dirFor = (def) => process.env[def.dirEnv]?.trim() || import_node_path8.default.join(proxiesRoot(), def.folder);
     healthUrl = (def) => `http://localhost:${def.port}/health`;
     baseUrl = (def) => `http://localhost:${def.port}/v1`;
     wait = (ms) => new Promise((r) => setTimeout(r, ms));
@@ -69485,7 +70885,7 @@ var init_proxy_manager2 = __esm({
 
 // src/audit-mode.ts
 function projectRootFromWorkdir(workdir) {
-  return import_node_path7.default.dirname(import_node_path7.default.resolve(workdir.replace(/\\/g, "/")));
+  return import_node_path9.default.dirname(import_node_path9.default.resolve(workdir.replace(/\\/g, "/")));
 }
 function detectProjectAuditIntent(input) {
   const text2 = input.trim();
@@ -69641,11 +71041,11 @@ ESTILO E EXECU\xC7\xC3O
 - Responda em portugu\xEAs, direto e t\xE9cnico. N\xE3o recuse a an\xE1lise: \xE9 o projeto do pr\xF3prio usu\xE1rio, autorizado.
 - Lembre-se sempre: voc\xEA analisa e relata; voc\xEA N\xC3O altera o projeto. A \xFAnica escrita \xE9 o relat\xF3rio \`.md\` na raiz.`;
 }
-var import_node_path7, AUDIT_ACTION, AUDIT_SCOPE, AUDIT_ACTION_THEN_SCOPE, AUDIT_SCOPE_THEN_ACTION, AUDIT_STRONG, AUDIT_EXIT;
+var import_node_path9, AUDIT_ACTION, AUDIT_SCOPE, AUDIT_ACTION_THEN_SCOPE, AUDIT_SCOPE_THEN_ACTION, AUDIT_STRONG, AUDIT_EXIT;
 var init_audit_mode = __esm({
   "src/audit-mode.ts"() {
     "use strict";
-    import_node_path7 = __toESM(require("node:path"));
+    import_node_path9 = __toESM(require("node:path"));
     AUDIT_ACTION = "an[a\xE1]lis\\w+|examin\\w+|audit\\w+|auditar|varr\\w+|varredura|escane\\w+|scan\\w*|revis\\w+|inspecion\\w+|vasculh\\w+|verific\\w+|avali\\w+|mapea\\w+|review|analyze|analyse|inspect|assess";
     AUDIT_SCOPE = "projeto|c[o\xF3]digo|c[o\xF3]digo-fonte|codebase|reposit[o\xF3]rio|repo|sistema|aplica[c\xE7][a\xE3]o|base\\s+de\\s+c[o\xF3]digo|project|code\\s*base|repository|minha\\s+aplica\\w+|meu\\s+app|todo\\s+o\\s+projeto|projeto\\s+inteiro";
     AUDIT_ACTION_THEN_SCOPE = new RegExp(
@@ -69848,7 +71248,16 @@ async function createAgent() {
   const tools = {
     run_terminal_cmd: createRunTerminalCmd(context2),
     file: createFile(context2),
-    todo_write: createTodoWrite(context2)
+    todo_write: createTodoWrite(context2),
+    // Native Repeater/Intruder + structured findings store — the core of an
+    // in-loop pentest workflow (probe → observe → record evidence → confirm).
+    http_request: createHttpRequest({ workdir: sandbox.getWorkdir() }),
+    findings: createFindings({ workdir: sandbox.getWorkdir() }),
+    // Live external intel — only when the operator has configured the keys.
+    // web_search (Perplexity) for CVEs/PoCs/methodology; open_url (Jina) to
+    // read a page's content. Both gracefully absent when no key is set.
+    ...process.env.PERPLEXITY_API_KEY ? { web_search: createWebSearch(context2) } : {},
+    ...process.env.JINA_API_KEY ? { open_url: createOpenUrlTool() } : {}
   };
   let system = "";
   let systemPromptAudit = auditSystemPrompt("", null);
@@ -69867,6 +71276,8 @@ async function createAgent() {
     system += scriptFilePolicy(sandbox.getWorkdir());
     system += pythonOnlyPolicy();
     system += deepReconPolicy(sandbox.getWorkdir());
+    system += reconPhasesPolicy(sandbox.getWorkdir());
+    system += httpAndFindingsPolicy(sandbox.getWorkdir());
     system += buildCliNotesSection();
     system += buildSkillsIndexSection();
     system += skillsScopePolicy();
@@ -69915,7 +71326,7 @@ async function createAgent() {
         reason: "faltando NVIDIA_API_KEY em .env.local (https://build.nvidia.com/)",
         models: [
           "model-nvidia-mistral-medium-3.5",
-          "model-nvidia-kimi-k2.6",
+          "model-nvidia-gpt-oss-120b",
           "model-nvidia-glm-5.1",
           "model-nvidia-qwen3.5-397b"
         ].map((key) => ({ key, label: labelFor(key) }))
@@ -70349,7 +71760,7 @@ ${resultText}`
           render.info(
             `\u25B8 rate limit \u2014 aguardando ${Math.round(waitMs / 1e3)}s antes da pr\xF3xima tentativa (Ctrl+C cancela)\u2026`
           );
-          await sleep(waitMs, signal);
+          await sleep3(waitMs, signal);
           if (signal?.aborted) {
             render.endTurn();
             return;
@@ -70396,19 +71807,23 @@ ${resultText}`
     close
   };
 }
-var import_promises, import_node_path8, MAX_STEPS, MAX_OUTPUT_TOKENS, MAX_AUTO_CONTINUES, MAX_RATE_LIMIT_WAITS, STREAM_STALL_TIMEOUT_MS, MAX_STALL_RETRIES, isRateLimitError, sleep, LEAKED_TOOL_CALL_RE, DANGLING_TAIL_RE, ACTION_ANNOUNCE_RE, BENIGN_CLOSER_RE, TOOL_CALL_NUDGE, MAX_BRIDGE_STEPS, BRIDGE_RESULT_PREAMBLE, LEAKED_CALL_RESULT_PREAMBLE, truncateBridgeSummary, isWebSessionProxyModel, proxyToolProtocolPolicy, SYSTEM_PROMPT_SOURCE, REQUIRED_SYSTEM_PROMPT_MARKERS, MODEL_LABELS, labelFor, loginRequiredHint, CLI_PYTHON_ONLY_POLICY, pythonOnlyPolicy, scriptFilePolicy, deepReconPolicy, skillsScopePolicy, hasEnvValue2, envFlagEnabled, CLI_PERSONALITIES, buildCliUserCustomization, buildCliNotesSection, cliGuardrailsConfig, maybeDumpSystemPrompt, auditSystemPrompt, assertFullSystemPrompt;
+var import_promises2, import_node_path10, MAX_STEPS, MAX_OUTPUT_TOKENS, MAX_AUTO_CONTINUES, MAX_RATE_LIMIT_WAITS, STREAM_STALL_TIMEOUT_MS, MAX_STALL_RETRIES, isRateLimitError, sleep3, LEAKED_TOOL_CALL_RE, DANGLING_TAIL_RE, ACTION_ANNOUNCE_RE, BENIGN_CLOSER_RE, TOOL_CALL_NUDGE, MAX_BRIDGE_STEPS, BRIDGE_RESULT_PREAMBLE, LEAKED_CALL_RESULT_PREAMBLE, truncateBridgeSummary, isWebSessionProxyModel, proxyToolProtocolPolicy, SYSTEM_PROMPT_SOURCE, REQUIRED_SYSTEM_PROMPT_MARKERS, MODEL_LABELS, labelFor, loginRequiredHint, CLI_PYTHON_ONLY_POLICY, pythonOnlyPolicy, scriptFilePolicy, deepReconPolicy, httpAndFindingsPolicy, reconPhasesPolicy, skillsScopePolicy, hasEnvValue2, envFlagEnabled, CLI_PERSONALITIES, buildCliUserCustomization, buildCliNotesSection, cliGuardrailsConfig, maybeDumpSystemPrompt, auditSystemPrompt, assertFullSystemPrompt;
 var init_agent = __esm({
   "src/agent.ts"() {
     "use strict";
     init_dist5();
-    import_promises = require("node:fs/promises");
-    import_node_path8 = __toESM(require("node:path"));
+    import_promises2 = require("node:fs/promises");
+    import_node_path10 = __toESM(require("node:path"));
     init_providers();
     init_system_prompt();
     init_notes();
     init_run_terminal_cmd();
     init_todo_write();
     init_file();
+    init_web_search();
+    init_open_url();
+    init_http_request();
+    init_findings();
     init_todo_manager();
     init_file_accumulator();
     init_background_process_tracker();
@@ -70434,7 +71849,7 @@ var init_agent = __esm({
     isRateLimitError = (msg) => /\b429\b|too many requests|rate.?limit|resource_exhausted|quota|insufficient_quota/i.test(
       msg
     );
-    sleep = (ms, signal) => new Promise((resolve2) => {
+    sleep3 = (ms, signal) => new Promise((resolve2) => {
       if (signal?.aborted) return resolve2();
       const timer2 = setTimeout(resolve2, ms);
       signal?.addEventListener(
@@ -70490,7 +71905,7 @@ Regras:
     ];
     MODEL_LABELS = {
       "model-nvidia-mistral-medium-3.5": "NVIDIA - mistralai/mistral-medium-3.5-128b",
-      "model-nvidia-kimi-k2.6": "NVIDIA - moonshotai/kimi-k2.6",
+      "model-nvidia-gpt-oss-120b": "NVIDIA - openai/gpt-oss-120b",
       "model-nvidia-glm-5.1": "NVIDIA - z-ai/glm-5.1",
       "model-nvidia-qwen3.5-397b": "NVIDIA - qwen/qwen3.5-397b-a17b",
       "model-openai-chat-latest": "OpenAI - chat-latest",
@@ -70566,6 +71981,45 @@ Workflow:
 
 You MAY extend the toolkit (edit recon/recon_deep.py via the file tool) when a task needs a capability it lacks \u2014 keep it Python and keep the scope gate intact. recon/console_recon.js is an in-page payload string injected by Python Playwright (page.evaluate), NOT a Node script \u2014 never run it with \`node\`.
 </deep_recon_tooling>`;
+    httpAndFindingsPolicy = (workdir) => `
+
+<native_pentest_tools>
+ABSOLUTE RULE FOR THIS LOCAL CLI SESSION \u2014 applies to EVERY model and EVERY task:
+
+You have two native tools for hands-on web testing \u2014 PREFER them over hand-rolled one-off scripts for interactive probing:
+
+1. http_request \u2014 a Repeater/Intruder. Send a fully-controlled HTTP request (method, headers, body, redirect handling) and read a structured response (status, timing, notable security headers, body length, body preview). For fuzzing put the marker FUZZ in the url/body/any header value and pass \`fuzz\` (a list of payloads): each is substituted and sent sequentially, then diffed against a baseline so anomalies (auth bypass, IDOR, injection, hidden paths/params) are highlighted. OPSEC: use throttle_ms/jitter_ms (or env HACKERAI_HTTP_THROTTLE_MS/HACKERAI_HTTP_JITTER_MS) on noisy fuzzing. Every request is scope-gated by ${workdir}/recon/scope.txt (loopback is always allowed); add authorized targets there first.
+
+2. findings \u2014 structured engagement memory. Record EVERY vulnerability you discover (action add: title+severity required; include evidence, target, url, param, impact, remediation). Flip status to "confirmed" with update once you have proof; "false_positive" if disproved. At the end, action report writes a clean Markdown report grouped by severity to ${workdir}/findings/report.md.
+
+When to use which: use http_request for a single endpoint, replaying/tampering a captured request, parameter/path/value fuzzing, and exploit verification. Use the Python recon toolkit (recon/) for bulk crawling, port scanning, subdomain enum and intel.
+</native_pentest_tools>
+
+<exploit_verification>
+ABSOLUTE RULE FOR THIS LOCAL CLI SESSION:
+
+Never report a vulnerability as real on a guess. Run the PROVE-IT loop:
+1. SUSPECT \u2014 when a signal appears (from recon, a scanner, or a hunch), record it with findings (action add) at status "suspected" with the reasoning.
+2. PROVE \u2014 actually trigger it: send the exploit/PoC request with http_request (or a focused script) and OBSERVE the concrete response \u2014 the reflected payload, the leaked data, the auth bypass status code, the SQL error, the out-of-band callback, the differing length in a fuzz run.
+3. CONFIRM or DROP \u2014 if the observation proves impact, update the finding to status "confirmed" and paste the exact request+response evidence into its evidence field; if it does not reproduce, update to "false_positive". Only "confirmed" findings go in the executive summary.
+4. Capture severity (and CVSS when you can) and a concrete remediation on every confirmed finding.
+
+This loop is mandatory: a finding without reproducible evidence is at most "suspected".
+</exploit_verification>`;
+    reconPhasesPolicy = (workdir) => `
+
+<recon_phases>
+ABSOLUTE RULE FOR THIS LOCAL CLI SESSION \u2014 applies to EVERY model and EVERY task:
+
+Beyond recon/recon_deep.py (HTTP/JS/secret/browser recon), the workspace at ${workdir}/recon is seeded with companion modules for the other recon phases. They are all Python, all scope-gated by recon/scope.txt, and all degrade gracefully without paid keys. Use them instead of hand-writing equivalents:
+
+- Subdomain enumeration: \`python recon/recon_subdomains.py example.com\` \u2014 pulls Certificate Transparency logs (crt.sh) and optionally brute-forces (\`--wordlist words.txt\`), then resolves. Add \`--add-scope\` to append live subdomains to scope.txt automatically.
+- Port scan + banner grab: \`python recon/recon_ports.py host\` \u2014 async TCP connect scan of common ports (\`--ports 1-1000\` or \`--ports 22,80,443\`, \`--top N\`), with banner grabbing and OPSEC throttle (\`--throttle-ms\`, \`--jitter-ms\`).
+- Content/path discovery: \`python recon/recon_content.py https://target\` \u2014 wordlist-driven path discovery (\`--wordlist\`), soft-404 detection, status filtering, throttle/jitter. (Use http_request for fuzzing a SINGLE known parameter; use this for bulk path discovery.)
+- Wayback / archive mining + CVE intel: \`python recon/recon_intel.py <domain|product>\` \u2014 historical URLs from the Wayback Machine CDX API, and free CVE lookup from the NVD API (\`--cve\` keyword search, e.g. product/version). GitHub code search for leaked secrets is supported when GITHUB_TOKEN is set (\`--github "org filename:.env"\`).
+
+Each module writes a JSON (and where useful Markdown) report under ./reports/. Read it, then record anything actionable with the findings tool. You MAY extend any module via the file tool \u2014 keep it Python and keep the scope gate intact.
+</recon_phases>`;
     skillsScopePolicy = () => `
 
 <skills_scope>
@@ -70633,9 +72087,9 @@ ${section}` : "";
       if (!envFlagEnabled(process.env.HACKERAI_CLI_DUMP_SYSTEM_PROMPT)) {
         return null;
       }
-      await (0, import_promises.mkdir)(workdir, { recursive: true });
-      const outputPath = import_node_path8.default.join(workdir, "system-prompt.txt");
-      await (0, import_promises.writeFile)(outputPath, system, "utf8");
+      await (0, import_promises2.mkdir)(workdir, { recursive: true });
+      const outputPath = import_node_path10.default.join(workdir, "system-prompt.txt");
+      await (0, import_promises2.writeFile)(outputPath, system, "utf8");
       return outputPath;
     };
     auditSystemPrompt = (system, dumpPath) => {
@@ -70659,130 +72113,6 @@ ${section}` : "";
   }
 });
 
-// src/ui.ts
-var ui_exports = {};
-__export(ui_exports, {
-  agentHeader: () => agentHeader,
-  buildBanner: () => buildBanner,
-  shellPrompt: () => shellPrompt,
-  shortCwd: () => shortCwd,
-  ui: () => ui,
-  vlen: () => vlen
-});
-function shortCwd() {
-  const cwd = process.cwd();
-  const home = import_node_os4.default.homedir();
-  const rel = cwd.startsWith(home) ? "~" + cwd.slice(home.length) : cwd;
-  const norm = rel.replace(/\\/g, "/");
-  if (norm.length <= 30) return norm;
-  const parts = norm.split("/");
-  return parts.length > 3 ? `${parts[0]}/\u2026/${parts[parts.length - 1]}` : norm.slice(-30);
-}
-function asciiTitle(text2) {
-  const rows = 6;
-  const out3 = [];
-  for (let r = 0; r < rows; r++) {
-    out3.push(
-      [...text2].map((ch) => GLYPHS[ch] ? GLYPHS[ch][r] : "      ").join(" ")
-    );
-  }
-  return out3;
-}
-function buildBanner(_systemPromptChars, version3 = "1") {
-  const user = (import_node_os4.default.userInfo().username || "hacker").toLowerCase();
-  const host = (import_node_os4.default.hostname() || "localhost").split(".")[0].toLowerCase();
-  const art = asciiTitle("CLAWFAST");
-  const artW = vlen(art[0]);
-  const slogan = "Com o clawfast voc\xEA faz tudo";
-  const header = [
-    "",
-    ...art.map((line) => `${C3.greenB}${C3.bold}${line}${C3.reset}`),
-    "",
-    `${C3.cyanB}${C3.bold}${center(slogan, artW)}${C3.reset}`,
-    ""
-  ];
-  const info = [
-    { text: "" },
-    { text: `Bem-vindo de volta, ${user}!`, accent: true },
-    { text: "" },
-    { text: "clawfast usa a pasta SPRIT/ para criar" },
-    { text: "arquivos, scripts e tudo mais." },
-    { text: "" },
-    { text: `${user}@${host} \xB7 sem limites` },
-    { text: shortCwd() },
-    { text: "" }
-  ];
-  const title = `clawfast v${version3}`;
-  const topFill = "\u2500".repeat(Math.max(0, BOX_W - vlen(title) - 5));
-  const top = `${C3.green}\u256D\u2500 ${C3.greenB}${C3.bold}${title}${C3.reset}${C3.green} ${topFill}\u256E${C3.reset}`;
-  const bottom = `${C3.green}\u2570${"\u2500".repeat(BOX_W - 2)}\u256F${C3.reset}`;
-  const cardLines = info.map(({ text: text2, accent }) => {
-    const color = accent ? `${C3.greenB}${C3.bold}` : C3.green;
-    const body = `${color}${padEndV(text2, INNER)}${C3.reset}`;
-    return `${C3.green}\u2502 ${C3.reset}${body}${C3.green} \u2502${C3.reset}`;
-  });
-  const card = [top, ...cardLines, bottom];
-  return "\n" + [...header, ...card].join("\n") + "\n";
-}
-function shellPrompt() {
-  const user = (import_node_os4.default.userInfo().username || "hacker").toLowerCase();
-  const host = (import_node_os4.default.hostname() || "localhost").split(".")[0].toLowerCase();
-  const W = 52;
-  const label = " \u2709  mensagem ";
-  const topFill = "\u2500".repeat(Math.max(0, W - vlen(label) - 3));
-  const top = `${C3.green}\u256D\u2500${C3.greenB}${C3.bold}${label}${C3.reset}${C3.green}${topFill}\u256E${C3.reset}`;
-  const id = `${user}\u327F${host} \xB7 ${shortCwd()}`;
-  const mid = `${C3.green}\u2502 ${C3.dim}${id}${C3.reset}`;
-  const bottom = `${C3.green}\u2570\u2500${C3.greenB}${C3.bold}\u276F${C3.reset} `;
-  return `
-${top}
-${mid}
-${bottom}`;
-}
-function agentHeader() {
-  return `${C3.magenta}\u256D\u2500 clawfast ${"\u2500".repeat(20)}${C3.reset}
-`;
-}
-var import_node_os4, ESC, C3, INNER, BOX_W, vlen, padEndV, center, GLYPHS, ui;
-var init_ui = __esm({
-  "src/ui.ts"() {
-    "use strict";
-    import_node_os4 = __toESM(require("node:os"));
-    ESC = "\x1B[";
-    C3 = {
-      reset: `${ESC}0m`,
-      bold: `${ESC}1m`,
-      dim: `${ESC}90m`,
-      green: `${ESC}32m`,
-      greenB: `${ESC}92m`,
-      cyan: `${ESC}36m`,
-      cyanB: `${ESC}96m`,
-      magenta: `${ESC}95m`,
-      yellow: `${ESC}93m`,
-      red: `${ESC}91m`
-    };
-    INNER = 42;
-    BOX_W = INNER + 4;
-    vlen = (s) => [...s.replace(/\x1b\[[0-9;]*m/g, "")].length;
-    padEndV = (s, w) => s + " ".repeat(Math.max(0, w - vlen(s)));
-    center = (s, w) => {
-      const pad = Math.max(0, w - vlen(s));
-      const left = Math.floor(pad / 2);
-      return " ".repeat(left) + s + " ".repeat(pad - left);
-    };
-    GLYPHS = {
-      C: [" \u2588\u2588\u2588\u2588\u2588", "\u2588\u2588    ", "\u2588\u2588    ", "\u2588\u2588    ", "\u2588\u2588    ", " \u2588\u2588\u2588\u2588\u2588"],
-      L: ["\u2588\u2588    ", "\u2588\u2588    ", "\u2588\u2588    ", "\u2588\u2588    ", "\u2588\u2588    ", "\u2588\u2588\u2588\u2588\u2588\u2588"],
-      A: [" \u2588\u2588\u2588\u2588 ", "\u2588\u2588  \u2588\u2588", "\u2588\u2588  \u2588\u2588", "\u2588\u2588\u2588\u2588\u2588\u2588", "\u2588\u2588  \u2588\u2588", "\u2588\u2588  \u2588\u2588"],
-      W: ["\u2588\u2588   \u2588\u2588", "\u2588\u2588   \u2588\u2588", "\u2588\u2588 \u2588 \u2588\u2588", "\u2588\u2588 \u2588 \u2588\u2588", "\u2588\u2588\u2588\u2588\u2588\u2588\u2588", " \u2588\u2588 \u2588\u2588 "],
-      F: ["\u2588\u2588\u2588\u2588\u2588\u2588", "\u2588\u2588    ", "\u2588\u2588\u2588\u2588\u2588 ", "\u2588\u2588    ", "\u2588\u2588    ", "\u2588\u2588    "],
-      S: [" \u2588\u2588\u2588\u2588\u2588", "\u2588\u2588    ", " \u2588\u2588\u2588\u2588 ", "    \u2588\u2588", "    \u2588\u2588", "\u2588\u2588\u2588\u2588\u2588 "],
-      T: ["\u2588\u2588\u2588\u2588\u2588\u2588", "  \u2588\u2588  ", "  \u2588\u2588  ", "  \u2588\u2588  ", "  \u2588\u2588  ", "  \u2588\u2588  "]
-    };
-    ui = { C: C3, buildBanner, shellPrompt, agentHeader };
-  }
-});
-
 // src/interactive-input.ts
 var interactive_input_exports = {};
 __export(interactive_input_exports, {
@@ -70822,6 +72152,9 @@ var init_interactive_input = __esm({
         // instead of the full message box + dropdown — used for the /skillcreator
         // step-by-step capture so each phase shows what it's asking for.
         this.promptLabel = null;
+        // When true, the submitted value is NOT recorded in ↑ history (used for the
+        // /api key prompt so a pasted secret can't be recalled with the up arrow).
+        this.promptSecret = false;
         this.inputLineIndex = 2;
         import_node_readline3.default.emitKeypressEvents(paste.input);
         paste.input.on("keypress", (str, key) => {
@@ -70835,6 +72168,7 @@ var init_interactive_input = __esm({
        */
       prompt(opts = {}) {
         this.promptLabel = opts.label ?? null;
+        this.promptSecret = opts.secret ?? false;
         const initial = this.promptLabel === null && this.pendingInitial ? this.pendingInitial : "";
         this.pendingInitial = null;
         this.buffer = initial;
@@ -70961,7 +72295,7 @@ var init_interactive_input = __esm({
               this.cursor = name25.length;
             }
             const value = this.paste.expand(this.buffer);
-            if (value.trim()) this.history.push(value);
+            if (value.trim() && !this.promptSecret) this.history.push(value);
             this.finishLine();
             return { result: { type: "line", value } };
           }
@@ -71263,6 +72597,7 @@ async function main() {
   );
   const COMMANDS = [
     { name: "/model", desc: "trocar o modelo (seletor com setas)" },
+    { name: "/api", desc: "trocar a chave NVIDIA (testa e ativa na hora)" },
     { name: "/skills", desc: "listar as skills instaladas" },
     { name: "/skillcreator", desc: "criar uma nova skill" },
     { name: "/system", desc: "salvar o system prompt (HTML) na \xC1rea de Trabalho" },
@@ -71297,13 +72632,13 @@ async function main() {
   const desktopDir = () => {
     const home = import_node_os6.default.homedir();
     const candidates = [
-      process.env.OneDrive ? import_node_path9.default.join(process.env.OneDrive, "Desktop") : null,
-      process.env.USERPROFILE ? import_node_path9.default.join(process.env.USERPROFILE, "Desktop") : null,
-      import_node_path9.default.join(home, "Desktop"),
-      import_node_path9.default.join(home, "\xC1rea de Trabalho"),
-      import_node_path9.default.join(home, "OneDrive", "Desktop")
+      process.env.OneDrive ? import_node_path11.default.join(process.env.OneDrive, "Desktop") : null,
+      process.env.USERPROFILE ? import_node_path11.default.join(process.env.USERPROFILE, "Desktop") : null,
+      import_node_path11.default.join(home, "Desktop"),
+      import_node_path11.default.join(home, "\xC1rea de Trabalho"),
+      import_node_path11.default.join(home, "OneDrive", "Desktop")
     ].filter((p) => Boolean(p));
-    return candidates.find((p) => (0, import_node_fs8.existsSync)(p)) ?? home;
+    return candidates.find((p) => (0, import_node_fs10.existsSync)(p)) ?? home;
   };
   const printFatal = (err) => {
     process.stderr.write(
@@ -71541,6 +72876,58 @@ ${C5.dim}ja disponivel para todos os modelos nesta sessao.${C5.reset}
       printFatal(err);
     }
   };
+  const handleApiSwap = async (inlineKey) => {
+    let raw = inlineKey;
+    if (!raw) {
+      process.stdout.write(
+        `${C5.dim}Cole a nova chave NVIDIA (cria em ${C5.reset}${C5.cyan}https://build.nvidia.com/${C5.reset}${C5.dim}). Enter vazio ou Ctrl+C cancela.${C5.reset}
+`
+      );
+      const res = await inputUI.prompt({
+        label: "nova NVIDIA API key",
+        secret: true
+      });
+      if (res.type !== "line" || !res.value.trim()) {
+        process.stdout.write(`${C5.dim}troca de chave cancelada${C5.reset}
+`);
+        return;
+      }
+      raw = res.value;
+    }
+    const key = raw.replace(/\s+/g, "").match(/nvapi-[A-Za-z0-9_-]+/)?.[0] ?? "";
+    if (!key) {
+      process.stdout.write(
+        `${C5.red}\u2717 n\xE3o encontrei uma chave NVIDIA no que foi colado${C5.reset} ${C5.dim}(esperado um token "nvapi-\u2026"; cole a chave completa).${C5.reset}
+`
+      );
+      return;
+    }
+    process.stdout.write(`${C5.dim}testando a chave na NVIDIA\u2026${C5.reset}
+`);
+    const test = await testNvidiaKey(key);
+    if (!test.ok) {
+      if (test.status === 401 || test.status === 403) {
+        process.stdout.write(
+          `${C5.red}\u2717 a NVIDIA recusou a chave (${test.status}): ${test.detail}${C5.reset}
+${C5.dim}chave N\xC3O salva \u2014 confira se copiou inteira e se a conta tem acesso de infer\xEAncia.${C5.reset}
+`
+        );
+        return;
+      }
+      process.stdout.write(
+        `${C5.yellow}\u26A0 n\xE3o consegui validar (${test.status || "rede"}): ${test.detail}${C5.reset}
+${C5.dim}salvando mesmo assim \u2014 o pr\xF3ximo pedido vai usar a chave nova.${C5.reset}
+`
+      );
+    }
+    const file2 = swapNvidiaKey(key);
+    const masked = `${key.slice(0, 9)}\u2026${key.slice(-4)} (${key.length} chars)`;
+    process.stdout.write(
+      `${C5.green}\u2713 chave NVIDIA trocada e ativa${C5.reset} ${C5.dim}${masked}${C5.reset}
+${C5.dim}salva em ${C5.reset}${C5.cyan}${file2}${C5.reset}
+`
+    );
+  };
   const handleLine = async (line) => {
     if (closing) return;
     const input = line.trim();
@@ -71577,7 +72964,7 @@ ${C5.dim}ja disponivel para todos os modelos nesta sessao.${C5.reset}
       const sysText = agent.getSystemPrompt();
       const audit = agent.getSystemPromptAudit();
       const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-").replace("T", "_").slice(0, 19);
-      const filePath = import_node_path9.default.join(
+      const filePath = import_node_path11.default.join(
         desktopDir(),
         `clawfast-system-prompt_${stamp}.html`
       );
@@ -71585,7 +72972,7 @@ ${C5.dim}ja disponivel para todos os modelos nesta sessao.${C5.reset}
       const b64 = Buffer.from(sysText, "utf8").toString("base64");
       const html = `<!doctype html><html lang="pt-br"><head><meta charset="utf-8"><title>clawfast \u2014 system prompt</title><style>body{background:#0b0f0b;color:#bfffbf;font:14px/1.55 ui-monospace,Consolas,Menlo,monospace;margin:0;padding:28px}h1{color:#7CFC00;font-size:18px;margin:0 0 6px}.meta{color:#6f9a6f;margin:0 0 18px;font-size:12px}pre{white-space:pre-wrap;word-wrap:break-word;margin:0}</style></head><body><h1>clawfast \u2014 system prompt</h1><div class="meta">${meta3}</div><pre id="c"></pre><script>document.getElementById("c").textContent=decodeURIComponent(escape(atob("${b64}")));</script></body></html>`;
       try {
-        await (0, import_promises2.writeFile)(filePath, html, "utf8");
+        await (0, import_promises3.writeFile)(filePath, html, "utf8");
         process.stdout.write(
           `${C5.green}\u2713 system prompt salvo${C5.reset} ${C5.dim}(${sysText.length.toLocaleString()} caracteres \u2014 abra no navegador)${C5.reset}
 ${C5.cyan}${filePath}${C5.reset}
@@ -71599,12 +72986,15 @@ ${C5.cyan}${filePath}${C5.reset}
       }
       return;
     }
+    if (input === "/api" || input.startsWith("/api ")) {
+      await handleApiSwap(input.replace(/^\/api\s*/, "").trim());
+      return;
+    }
     if (input === "/nov" || input === "/novidades") {
-      process.stdout.write(
-        `
-${C5.cyan}${renderNews(clawfastVersion())}${C5.reset}
-`
-      );
+      process.stdout.write(`
+${renderNews(clawfastVersion())}
+
+`);
       return;
     }
     if (!input) return;
@@ -71692,14 +73082,14 @@ ${C5.dim}interrompido \u2014 Ctrl+C de novo para fechar${C5.reset}
   }
   await shutdown();
 }
-var import_node_os6, import_node_path9, import_node_fs8, import_promises2, deepseekEnabled, configuredModelProviders;
+var import_node_os6, import_node_path11, import_node_fs10, import_promises3, deepseekEnabled, configuredModelProviders;
 var init_index = __esm({
   "index.ts"() {
     "use strict";
     import_node_os6 = __toESM(require("node:os"));
-    import_node_path9 = __toESM(require("node:path"));
-    import_node_fs8 = require("node:fs");
-    import_promises2 = require("node:fs/promises");
+    import_node_path11 = __toESM(require("node:path"));
+    import_node_fs10 = require("node:fs");
+    import_promises3 = require("node:fs/promises");
     init_paste_input();
     init_boot_ui();
     init_config();