npm - clawfast - Versions diffs - 2.0.1 → 2.0.2 - Mend

clawfast 2.0.1 → 2.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/clawfast.cjs +1524 -282
package/package.json +1 -1

package/dist/clawfast.cjs CHANGED Viewed

@@ -85,8 +85,8 @@ var init_boot_ui = __esm({
 var require_main = __commonJS({
   "../node_modules/.pnpm/dotenv@17.4.2/node_modules/dotenv/lib/main.js"(exports2, module2) {
     "use strict";
-    var fs6 = require("fs");
-    var path10 = require("path");
+    var fs8 = require("fs");
+    var path12 = require("path");
     var os7 = require("os");
     var crypto2 = require("crypto");
     var TIPS = [
@@ -217,7 +217,7 @@ var require_main = __commonJS({
       if (options && options.path && options.path.length > 0) {
         if (Array.isArray(options.path)) {
           for (const filepath of options.path) {
-            if (fs6.existsSync(filepath)) {
+            if (fs8.existsSync(filepath)) {
               possibleVaultPath = filepath.endsWith(".vault") ? filepath : `${filepath}.vault`;
             }
           }
@@ -225,15 +225,15 @@ var require_main = __commonJS({
           possibleVaultPath = options.path.endsWith(".vault") ? options.path : `${options.path}.vault`;
         }
       } else {
-        possibleVaultPath = path10.resolve(process.cwd(), ".env.vault");
+        possibleVaultPath = path12.resolve(process.cwd(), ".env.vault");
       }
-      if (fs6.existsSync(possibleVaultPath)) {
+      if (fs8.existsSync(possibleVaultPath)) {
         return possibleVaultPath;
       }
       return null;
     }
     function _resolveHome(envPath) {
-      return envPath[0] === "~" ? path10.join(os7.homedir(), envPath.slice(1)) : envPath;
+      return envPath[0] === "~" ? path12.join(os7.homedir(), envPath.slice(1)) : envPath;
     }
     function _configVault(options) {
       const debug = parseBoolean(process.env.DOTENV_CONFIG_DEBUG || options && options.debug);
@@ -250,7 +250,7 @@ var require_main = __commonJS({
       return { parsed };
     }
     function configDotenv(options) {
-      const dotenvPath = path10.resolve(process.cwd(), ".env");
+      const dotenvPath = path12.resolve(process.cwd(), ".env");
       let encoding = "utf8";
       let processEnv = process.env;
       if (options && options.processEnv != null) {
@@ -278,13 +278,13 @@ var require_main = __commonJS({
       }
       let lastError;
       const parsedAll = {};
-      for (const path11 of optionPaths) {
+      for (const path13 of optionPaths) {
         try {
-          const parsed = DotenvModule.parse(fs6.readFileSync(path11, { encoding }));
+          const parsed = DotenvModule.parse(fs8.readFileSync(path13, { encoding }));
           DotenvModule.populate(parsedAll, parsed, options);
         } catch (e) {
           if (debug) {
-            _debug(`failed to load ${path11} ${e.message}`);
+            _debug(`failed to load ${path13} ${e.message}`);
           }
           lastError = e;
         }
@@ -297,7 +297,7 @@ var require_main = __commonJS({
         const shortPaths = [];
         for (const filePath of optionPaths) {
           try {
-            const relative2 = path10.relative(process.cwd(), filePath);
+            const relative2 = path12.relative(process.cwd(), filePath);
             shortPaths.push(relative2);
           } catch (e) {
             if (debug) {
@@ -548,7 +548,7 @@ var clawfastVersion, isDevVersion, isNewerVersion;
 var init_version = __esm({
   "src/version.ts"() {
     "use strict";
-    clawfastVersion = () => true ? "2.0.1" : "0.0.0-dev";
+    clawfastVersion = () => true ? "2.0.2" : "0.0.0-dev";
     isDevVersion = () => clawfastVersion().includes("-dev");
     isNewerVersion = (a, b) => {
       const parse3 = (v) => v.split("-")[0].split(".").map((n) => Number.parseInt(n, 10) || 0);
@@ -1721,10 +1721,10 @@ function mergeDefs(...defs) {
 function cloneDef(schema) {
   return mergeDefs(schema._zod.def);
 }
-function getElementAtPath(obj, path10) {
-  if (!path10)
+function getElementAtPath(obj, path12) {
+  if (!path12)
     return obj;
-  return path10.reduce((acc, key) => acc?.[key], obj);
+  return path12.reduce((acc, key) => acc?.[key], obj);
 }
 function promiseAllObject(promisesObj) {
   const keys = Object.keys(promisesObj);
@@ -2052,11 +2052,11 @@ function explicitlyAborted(x, startIndex = 0) {
   }
   return false;
 }
-function prefixIssues(path10, issues) {
+function prefixIssues(path12, issues) {
   return issues.map((iss) => {
     var _a25;
     (_a25 = iss).path ?? (_a25.path = []);
-    iss.path.unshift(path10);
+    iss.path.unshift(path12);
     return iss;
   });
 }
@@ -2274,16 +2274,16 @@ function flattenError(error51, mapper = (issue2) => issue2.message) {
 }
 function formatError(error51, mapper = (issue2) => issue2.message) {
   const fieldErrors = { _errors: [] };
-  const processError = (error52, path10 = []) => {
+  const processError = (error52, path12 = []) => {
     for (const issue2 of error52.issues) {
       if (issue2.code === "invalid_union" && issue2.errors.length) {
-        issue2.errors.map((issues) => processError({ issues }, [...path10, ...issue2.path]));
+        issue2.errors.map((issues) => processError({ issues }, [...path12, ...issue2.path]));
       } else if (issue2.code === "invalid_key") {
-        processError({ issues: issue2.issues }, [...path10, ...issue2.path]);
+        processError({ issues: issue2.issues }, [...path12, ...issue2.path]);
       } else if (issue2.code === "invalid_element") {
-        processError({ issues: issue2.issues }, [...path10, ...issue2.path]);
+        processError({ issues: issue2.issues }, [...path12, ...issue2.path]);
       } else {
-        const fullpath = [...path10, ...issue2.path];
+        const fullpath = [...path12, ...issue2.path];
         if (fullpath.length === 0) {
           fieldErrors._errors.push(mapper(issue2));
         } else {
@@ -2310,17 +2310,17 @@ function formatError(error51, mapper = (issue2) => issue2.message) {
 }
 function treeifyError(error51, mapper = (issue2) => issue2.message) {
   const result = { errors: [] };
-  const processError = (error52, path10 = []) => {
+  const processError = (error52, path12 = []) => {
     var _a25, _b18;
     for (const issue2 of error52.issues) {
       if (issue2.code === "invalid_union" && issue2.errors.length) {
-        issue2.errors.map((issues) => processError({ issues }, [...path10, ...issue2.path]));
+        issue2.errors.map((issues) => processError({ issues }, [...path12, ...issue2.path]));
       } else if (issue2.code === "invalid_key") {
-        processError({ issues: issue2.issues }, [...path10, ...issue2.path]);
+        processError({ issues: issue2.issues }, [...path12, ...issue2.path]);
       } else if (issue2.code === "invalid_element") {
-        processError({ issues: issue2.issues }, [...path10, ...issue2.path]);
+        processError({ issues: issue2.issues }, [...path12, ...issue2.path]);
       } else {
-        const fullpath = [...path10, ...issue2.path];
+        const fullpath = [...path12, ...issue2.path];
         if (fullpath.length === 0) {
           result.errors.push(mapper(issue2));
           continue;
@@ -2352,8 +2352,8 @@ function treeifyError(error51, mapper = (issue2) => issue2.message) {
 }
 function toDotPath(_path) {
   const segs = [];
-  const path10 = _path.map((seg) => typeof seg === "object" ? seg.key : seg);
-  for (const seg of path10) {
+  const path12 = _path.map((seg) => typeof seg === "object" ? seg.key : seg);
+  for (const seg of path12) {
     if (typeof seg === "number")
       segs.push(`[${seg}]`);
     else if (typeof seg === "symbol")
@@ -15856,13 +15856,13 @@ function resolveRef(ref, ctx) {
   if (!ref.startsWith("#")) {
     throw new Error("External $ref is not supported, only local refs (#/...) are allowed");
   }
-  const path10 = ref.slice(1).split("/").filter(Boolean);
-  if (path10.length === 0) {
+  const path12 = ref.slice(1).split("/").filter(Boolean);
+  if (path12.length === 0) {
     return ctx.rootSchema;
   }
   const defsKey = ctx.version === "draft-2020-12" ? "$defs" : "definitions";
-  if (path10[0] === defsKey) {
-    const key = path10[1];
+  if (path12[0] === defsKey) {
+    const key = path12[1];
     if (!key || !ctx.defs[key]) {
       throw new Error(`Reference not found: ${ref}`);
     }
@@ -17051,8 +17051,8 @@ var init_parseUtil = __esm({
     init_errors3();
     init_en2();
     makeIssue = (params) => {
-      const { data, path: path10, errorMaps, issueData } = params;
-      const fullPath = [...path10, ...issueData.path || []];
+      const { data, path: path12, errorMaps, issueData } = params;
+      const fullPath = [...path12, ...issueData.path || []];
       const fullIssue = {
         ...issueData,
         path: fullPath
@@ -17335,11 +17335,11 @@ var init_types = __esm({
     init_parseUtil();
     init_util2();
     ParseInputLazyPath = class {
-      constructor(parent, value, path10, key) {
+      constructor(parent, value, path12, key) {
         this._cachedPath = [];
         this.parent = parent;
         this.data = value;
-        this._path = path10;
+        this._path = path12;
         this._key = key;
       }
       get path() {
@@ -23378,8 +23378,8 @@ var require_auth_config = __commonJS({
       writeAuthConfig: () => writeAuthConfig
     });
     module2.exports = __toCommonJS(auth_config_exports);
-    var fs6 = __toESM2(require("fs"));
-    var path10 = __toESM2(require("path"));
+    var fs8 = __toESM2(require("fs"));
+    var path12 = __toESM2(require("path"));
     var import_token_util = require_token_util();
     function getAuthConfigPath() {
       const dataDir = (0, import_token_util.getVercelDataDir)();
@@ -23388,15 +23388,15 @@ var require_auth_config = __commonJS({
           `Unable to find Vercel CLI data directory. Your platform: ${process.platform}. Supported: darwin, linux, win32.`
         );
       }
-      return path10.join(dataDir, "auth.json");
+      return path12.join(dataDir, "auth.json");
     }
     function readAuthConfig() {
       try {
         const authPath = getAuthConfigPath();
-        if (!fs6.existsSync(authPath)) {
+        if (!fs8.existsSync(authPath)) {
           return null;
         }
-        const content = fs6.readFileSync(authPath, "utf8");
+        const content = fs8.readFileSync(authPath, "utf8");
         if (!content) {
           return null;
         }
@@ -23407,11 +23407,11 @@ var require_auth_config = __commonJS({
     }
     function writeAuthConfig(config3) {
       const authPath = getAuthConfigPath();
-      const authDir = path10.dirname(authPath);
-      if (!fs6.existsSync(authDir)) {
-        fs6.mkdirSync(authDir, { mode: 504, recursive: true });
+      const authDir = path12.dirname(authPath);
+      if (!fs8.existsSync(authDir)) {
+        fs8.mkdirSync(authDir, { mode: 504, recursive: true });
       }
-      fs6.writeFileSync(authPath, JSON.stringify(config3, null, 2), { mode: 384 });
+      fs8.writeFileSync(authPath, JSON.stringify(config3, null, 2), { mode: 384 });
     }
     function isValidAccessToken(authConfig, expirationBufferMs = 0) {
       if (!authConfig.token)
@@ -23602,8 +23602,8 @@ var require_token_util = __commonJS({
       saveToken: () => saveToken
     });
     module2.exports = __toCommonJS(token_util_exports);
-    var path10 = __toESM2(require("path"));
-    var fs6 = __toESM2(require("fs"));
+    var path12 = __toESM2(require("path"));
+    var fs8 = __toESM2(require("fs"));
     var import_token_error = require_token_error();
     var import_token_io = require_token_io();
     var import_auth_config = require_auth_config();
@@ -23615,7 +23615,7 @@ var require_token_util = __commonJS({
       if (!dataDir) {
         return null;
       }
-      return path10.join(dataDir, vercelFolder);
+      return path12.join(dataDir, vercelFolder);
     }
     async function getVercelToken2(options) {
       const authConfig = (0, import_auth_config.readAuthConfig)();
@@ -23691,13 +23691,13 @@ var require_token_util = __commonJS({
           "Unable to find project root directory. Have you linked your project with `vc link?`"
         );
       }
-      const prjPath = path10.join(dir, ".vercel", "project.json");
-      if (!fs6.existsSync(prjPath)) {
+      const prjPath = path12.join(dir, ".vercel", "project.json");
+      if (!fs8.existsSync(prjPath)) {
         throw new import_token_error.VercelOidcTokenError(
           "project.json not found, have you linked your project with `vc link?`"
         );
       }
-      const prj = JSON.parse(fs6.readFileSync(prjPath, "utf8"));
+      const prj = JSON.parse(fs8.readFileSync(prjPath, "utf8"));
       if (typeof prj.projectId !== "string" && typeof prj.orgId !== "string") {
         throw new TypeError(
           "Expected a string-valued projectId property. Try running `vc link` to re-link your project."
@@ -23712,11 +23712,11 @@ var require_token_util = __commonJS({
           "Unable to find user data directory. Please reach out to Vercel support."
         );
       }
-      const tokenPath = path10.join(dir, "com.vercel.token", `${projectId}.json`);
+      const tokenPath = path12.join(dir, "com.vercel.token", `${projectId}.json`);
       const tokenJson = JSON.stringify(token);
-      fs6.mkdirSync(path10.dirname(tokenPath), { mode: 504, recursive: true });
-      fs6.writeFileSync(tokenPath, tokenJson);
-      fs6.chmodSync(tokenPath, 432);
+      fs8.mkdirSync(path12.dirname(tokenPath), { mode: 504, recursive: true });
+      fs8.writeFileSync(tokenPath, tokenJson);
+      fs8.chmodSync(tokenPath, 432);
       return;
     }
     function loadToken(projectId) {
@@ -23726,11 +23726,11 @@ var require_token_util = __commonJS({
           "Unable to find user data directory. Please reach out to Vercel support."
         );
       }
-      const tokenPath = path10.join(dir, "com.vercel.token", `${projectId}.json`);
-      if (!fs6.existsSync(tokenPath)) {
+      const tokenPath = path12.join(dir, "com.vercel.token", `${projectId}.json`);
+      if (!fs8.existsSync(tokenPath)) {
         return null;
       }
-      const token = JSON.parse(fs6.readFileSync(tokenPath, "utf8"));
+      const token = JSON.parse(fs8.readFileSync(tokenPath, "utf8"));
       assertVercelOidcTokenResponse(token);
       return token;
     }
@@ -35756,7 +35756,7 @@ function createOpenRouter(options = {}) {
   );
   const createChatModel = (modelId, settings = {}) => new OpenRouterChatLanguageModel(modelId, settings, {
     provider: "openrouter.chat",
-    url: ({ path: path10 }) => `${baseURL}${path10}`,
+    url: ({ path: path12 }) => `${baseURL}${path12}`,
     headers: getHeaders,
     compatibility,
     fetch: options.fetch,
@@ -35764,7 +35764,7 @@ function createOpenRouter(options = {}) {
   });
   const createCompletionModel = (modelId, settings = {}) => new OpenRouterCompletionLanguageModel(modelId, settings, {
     provider: "openrouter.completion",
-    url: ({ path: path10 }) => `${baseURL}${path10}`,
+    url: ({ path: path12 }) => `${baseURL}${path12}`,
     headers: getHeaders,
     compatibility,
     fetch: options.fetch,
@@ -35772,21 +35772,21 @@ function createOpenRouter(options = {}) {
   });
   const createEmbeddingModel = (modelId, settings = {}) => new OpenRouterEmbeddingModel(modelId, settings, {
     provider: "openrouter.embedding",
-    url: ({ path: path10 }) => `${baseURL}${path10}`,
+    url: ({ path: path12 }) => `${baseURL}${path12}`,
     headers: getHeaders,
     fetch: options.fetch,
     extraBody: options.extraBody
   });
   const createImageModel = (modelId, settings = {}) => new OpenRouterImageModel(modelId, settings, {
     provider: "openrouter.image",
-    url: ({ path: path10 }) => `${baseURL}${path10}`,
+    url: ({ path: path12 }) => `${baseURL}${path12}`,
     headers: getHeaders,
     fetch: options.fetch,
     extraBody: options.extraBody
   });
   const createVideoModel = (modelId, settings = {}) => new OpenRouterVideoModel(modelId, settings, {
     provider: "openrouter.video",
-    url: ({ path: path10 }) => `${baseURL}${path10}`,
+    url: ({ path: path12 }) => `${baseURL}${path12}`,
     headers: getHeaders,
     fetch: options.fetch,
     extraBody: options.extraBody
@@ -40322,37 +40322,37 @@ function createOpenAI(options = {}) {
   );
   const createChatModel = (modelId) => new OpenAIChatLanguageModel(modelId, {
     provider: `${providerName}.chat`,
-    url: ({ path: path10 }) => `${baseURL}${path10}`,
+    url: ({ path: path12 }) => `${baseURL}${path12}`,
     headers: getHeaders,
     fetch: options.fetch
   });
   const createCompletionModel = (modelId) => new OpenAICompletionLanguageModel(modelId, {
     provider: `${providerName}.completion`,
-    url: ({ path: path10 }) => `${baseURL}${path10}`,
+    url: ({ path: path12 }) => `${baseURL}${path12}`,
     headers: getHeaders,
     fetch: options.fetch
   });
   const createEmbeddingModel = (modelId) => new OpenAIEmbeddingModel(modelId, {
     provider: `${providerName}.embedding`,
-    url: ({ path: path10 }) => `${baseURL}${path10}`,
+    url: ({ path: path12 }) => `${baseURL}${path12}`,
     headers: getHeaders,
     fetch: options.fetch
   });
   const createImageModel = (modelId) => new OpenAIImageModel(modelId, {
     provider: `${providerName}.image`,
-    url: ({ path: path10 }) => `${baseURL}${path10}`,
+    url: ({ path: path12 }) => `${baseURL}${path12}`,
     headers: getHeaders,
     fetch: options.fetch
   });
   const createTranscriptionModel = (modelId) => new OpenAITranscriptionModel(modelId, {
     provider: `${providerName}.transcription`,
-    url: ({ path: path10 }) => `${baseURL}${path10}`,
+    url: ({ path: path12 }) => `${baseURL}${path12}`,
     headers: getHeaders,
     fetch: options.fetch
   });
   const createSpeechModel = (modelId) => new OpenAISpeechModel(modelId, {
     provider: `${providerName}.speech`,
-    url: ({ path: path10 }) => `${baseURL}${path10}`,
+    url: ({ path: path12 }) => `${baseURL}${path12}`,
     headers: getHeaders,
     fetch: options.fetch
   });
@@ -40367,7 +40367,7 @@ function createOpenAI(options = {}) {
   const createResponsesModel = (modelId) => {
     return new OpenAIResponsesLanguageModel(modelId, {
       provider: `${providerName}.responses`,
-      url: ({ path: path10 }) => `${baseURL}${path10}`,
+      url: ({ path: path12 }) => `${baseURL}${path12}`,
       headers: getHeaders,
       fetch: options.fetch,
       fileIdPrefixes: ["file-"]
@@ -48942,8 +48942,8 @@ var init_background_process_tracker = __esm({
       /**
        * Normalize file path for comparison
        */
-      normalizePath(path10) {
-        let normalized = path10.trim().replace(/\/+/g, "/");
+      normalizePath(path12) {
+        let normalized = path12.trim().replace(/\/+/g, "/");
         if (normalized.startsWith("./")) {
           normalized = normalized.slice(2);
         }
@@ -49181,8 +49181,8 @@ function createGetModuleFromFilename(basePath = process.argv[1] ? (0, import_pat
     return decodedFile;
   };
 }
-function normalizeWindowsPath(path10) {
-  return path10.replace(/^[A-Z]:/, "").replace(/\\/g, "/");
+function normalizeWindowsPath(path12) {
+  return path12.replace(/^[A-Z]:/, "").replace(/\\/g, "/");
 }
 var import_path;
 var init_module_node = __esm({
@@ -52071,9 +52071,9 @@ async function addSourceContext(frames) {
   LRU_FILE_CONTENTS_CACHE.reduce();
   return frames;
 }
-function getContextLinesFromFile(path10, ranges, output) {
+function getContextLinesFromFile(path12, ranges, output) {
   return new Promise((resolve2) => {
-    const stream = (0, import_node_fs5.createReadStream)(path10);
+    const stream = (0, import_node_fs5.createReadStream)(path12);
     const lineReaded = (0, import_node_readline2.createInterface)({
       input: stream
     });
@@ -52088,7 +52088,7 @@ function getContextLinesFromFile(path10, ranges, output) {
     let rangeStart = range[0];
     let rangeEnd = range[1];
     function onStreamError() {
-      LRU_FILE_CONTENTS_FS_READ_FAILED.set(path10, 1);
+      LRU_FILE_CONTENTS_FS_READ_FAILED.set(path12, 1);
       lineReaded.close();
       lineReaded.removeAllListeners();
       destroyStreamAndResolve();
@@ -52149,8 +52149,8 @@ function clearLineContext(frame2) {
   delete frame2.context_line;
   delete frame2.post_context;
 }
-function shouldSkipContextLinesForFile(path10) {
-  return path10.startsWith("node:") || path10.endsWith(".min.js") || path10.endsWith(".min.cjs") || path10.endsWith(".min.mjs") || path10.startsWith("data:");
+function shouldSkipContextLinesForFile(path12) {
+  return path12.startsWith("node:") || path12.endsWith(".min.js") || path12.endsWith(".min.cjs") || path12.endsWith(".min.mjs") || path12.startsWith("data:");
 }
 function shouldSkipContextLinesForFrame(frame2) {
   if (void 0 !== frame2.lineno && frame2.lineno > MAX_CONTEXTLINES_LINENO) return true;
@@ -67560,8 +67560,8 @@ var init_logger2 = __esm({
 });
 // ../lib/ai/tools/file.ts
-function isSpritPath(path10) {
-  return path10.split(/[\\/]/).some((segment) => segment.toLowerCase() === "sprit");
+function isSpritPath(path12) {
+  return path12.split(/[\\/]/).some((segment) => segment.toLowerCase() === "sprit");
 }
 function getViewSandboxType(sandbox) {
   return isCentrifugoSandbox(sandbox) ? "centrifugo" : "e2b";
@@ -67592,7 +67592,7 @@ function captureFileViewImageUsage(args) {
   const {
     context: context2,
     sandbox,
-    path: path10,
+    path: path12,
     outcome,
     durationMs,
     mediaType,
@@ -67610,7 +67610,7 @@ function captureFileViewImageUsage(args) {
     model: getActiveModelName(context2),
     configured_model: context2.modelName,
     sandbox_type: getViewSandboxType(sandbox),
-    file_extension: getFileExtension(path10),
+    file_extension: getFileExtension(path12),
     outcome,
     success: outcome === "success",
     duration_ms: durationMs,
@@ -67684,22 +67684,22 @@ async function runSandboxCommand(sandbox, command, envVars, timeoutMs = 6e4) {
 function isWindowsSandbox(sandbox) {
   return isCentrifugoSandbox(sandbox) && sandbox.isWindows();
 }
-function getWindowsNativePath(path10) {
-  if (/^[A-Za-z]:[\\/]/.test(path10)) return path10;
-  if (path10.startsWith("/tmp/")) {
-    return `C:\\temp${path10.slice(4).replace(/\//g, "\\")}`;
+function getWindowsNativePath(path12) {
+  if (/^[A-Za-z]:[\\/]/.test(path12)) return path12;
+  if (path12.startsWith("/tmp/")) {
+    return `C:\\temp${path12.slice(4).replace(/\//g, "\\")}`;
   }
-  return path10.replace(/\//g, "\\");
+  return path12.replace(/\//g, "\\");
 }
-function getPythonPathForSandbox(sandbox, path10) {
-  return isWindowsSandbox(sandbox) ? getWindowsNativePath(path10) : path10;
+function getPythonPathForSandbox(sandbox, path12) {
+  return isWindowsSandbox(sandbox) ? getWindowsNativePath(path12) : path12;
 }
-function toWindowsBashPath(path10) {
-  const drive = path10.match(/^([A-Za-z]):[\\/](.*)$/);
+function toWindowsBashPath(path12) {
+  const drive = path12.match(/^([A-Za-z]):[\\/](.*)$/);
   if (drive) {
     return `/${drive[1].toLowerCase()}/${drive[2].replace(/\\/g, "/")}`;
   }
-  return path10.replace(/\\/g, "/");
+  return path12.replace(/\\/g, "/");
 }
 async function detectSandboxShell(sandbox) {
   if (!isWindowsSandbox(sandbox)) return "bash";
@@ -67738,8 +67738,8 @@ PY`;
     }
   }
 }
-async function getSandboxFileState(sandbox, path10) {
-  const pythonPath = getPythonPathForSandbox(sandbox, path10);
+async function getSandboxFileState(sandbox, path12) {
+  const pythonPath = getPythonPathForSandbox(sandbox, path12);
   const result = await runPythonScript(
     sandbox,
     FILE_STATE_SCRIPT,
@@ -67756,23 +67756,23 @@ async function getSandboxFileState(sandbox, path10) {
   if (result.exitCode !== 0) {
     return {
       kind: "unknown",
-      path: path10,
+      path: path12,
       error: result.stderr || result.stdout || "file state command failed"
     };
   }
   try {
     const payload = JSON.parse(result.stdout.trim());
     if (payload.kind === "file" && typeof payload.sizeBytes === "number" && Number.isFinite(payload.sizeBytes)) {
-      return { ...payload, path: path10 };
+      return { ...payload, path: path12 };
     }
     if (payload.kind === "missing" || payload.kind === "not_file") {
-      return { ...payload, path: path10 };
+      return { ...payload, path: path12 };
     }
   } catch {
   }
   return {
     kind: "unknown",
-    path: path10,
+    path: path12,
     error: result.stderr || result.stdout || "invalid file state response"
   };
 }
@@ -67804,8 +67804,8 @@ ${numberedContent}${truncatedNotice}${footerNotice}`;
     })
   };
 }
-async function readSandboxTextFile(sandbox, path10, range) {
-  const pythonPath = getPythonPathForSandbox(sandbox, path10);
+async function readSandboxTextFile(sandbox, path12, range) {
+  const pythonPath = getPythonPathForSandbox(sandbox, path12);
   const envVars = {
     HACKERAI_FILE_READ_PATH: pythonPath,
     HACKERAI_FILE_READ_RANGE_START: String(range?.[0] ?? 0),
@@ -67833,40 +67833,40 @@ async function readSandboxTextFile(sandbox, path10, range) {
   }
   return payload;
 }
-async function readSandboxTextFileWithFallback(sandbox, path10, range) {
+async function readSandboxTextFileWithFallback(sandbox, path12, range) {
   try {
-    return await readSandboxTextFile(sandbox, path10, range);
+    return await readSandboxTextFile(sandbox, path12, range);
   } catch (error51) {
     const errorMessage = error51 instanceof Error ? error51.message : String(error51);
     if (errorMessage.startsWith("Invalid ") || errorMessage.includes("File not found")) {
       throw error51;
     }
-    const state = await getSandboxFileState(sandbox, path10);
+    const state = await getSandboxFileState(sandbox, path12);
     if (state.kind === "unknown") {
       throw new Error(
-        `Unable to determine file size for ${path10}; refusing to load the file into memory. ${state.error}`
+        `Unable to determine file size for ${path12}; refusing to load the file into memory. ${state.error}`
       );
     }
     if (state.kind === "missing") {
-      throw new Error(`File not found or is not a regular file: ${path10}`);
+      throw new Error(`File not found or is not a regular file: ${path12}`);
     }
     if (state.kind === "not_file") {
-      throw new Error(`File is not a regular file: ${path10}`);
+      throw new Error(`File is not a regular file: ${path12}`);
     }
     if (state.sizeBytes > MAX_TEXT_FILE_READ_BYTES) {
       if (range) {
         throw new Error(
-          `Unable to perform a bounded range read for ${path10}, and the file is too large to load safely (${formatBytes(state.sizeBytes)}). Use a targeted terminal command that writes a small result to a separate file.`
+          `Unable to perform a bounded range read for ${path12}, and the file is too large to load safely (${formatBytes(state.sizeBytes)}). Use a targeted terminal command that writes a small result to a separate file.`
         );
       }
       return {
-        path: path10,
+        path: path12,
         sizeBytes: state.sizeBytes,
         totalLines: 0,
         tooLarge: true
       };
     }
-    const fileContent = await sandbox.files.read(path10, {
+    const fileContent = await sandbox.files.read(path12, {
       user: "user"
     });
     const lines = fileContent.split("\n");
@@ -67887,15 +67887,10 @@ async function readSandboxTextFileWithFallback(sandbox, path10, range) {
           `Invalid start_line: ${start}. File has ${lines.length} lines (1-indexed).`
         );
       }
-      if (end !== -1 && end > lines.length) {
-        throw new Error(
-          `Invalid end_line: ${end}. File has ${lines.length} lines (1-indexed).`
-        );
-      }
       const startIndex = start - 1;
       const endIndex = end === -1 ? lines.length : end;
       return {
-        path: path10,
+        path: path12,
         sizeBytes: Buffer.byteLength(fileContent),
         totalLines: lines.length,
         content: lines.slice(startIndex, endIndex).join("\n"),
@@ -67903,7 +67898,7 @@ async function readSandboxTextFileWithFallback(sandbox, path10, range) {
       };
     }
     return {
-      path: path10,
+      path: path12,
       sizeBytes: Buffer.byteLength(fileContent),
       totalLines: lines.length,
       content: fileContent,
@@ -67911,7 +67906,7 @@ async function readSandboxTextFileWithFallback(sandbox, path10, range) {
     };
   }
 }
-async function appendSandboxTextFile(sandbox, path10, text2) {
+async function appendSandboxTextFile(sandbox, path12, text2) {
   const tempPath = `/tmp/hackerai_append_${Date.now()}_${Math.random().toString(36).slice(2)}.tmp`;
   await sandbox.files.write(tempPath, text2, {
     user: "user"
@@ -67920,7 +67915,7 @@ async function appendSandboxTextFile(sandbox, path10, text2) {
     sandbox,
     APPEND_TEXT_FILE_SCRIPT,
     {
-      HACKERAI_FILE_APPEND_TARGET_PATH: getPythonPathForSandbox(sandbox, path10),
+      HACKERAI_FILE_APPEND_TARGET_PATH: getPythonPathForSandbox(sandbox, path12),
       HACKERAI_FILE_APPEND_SOURCE_PATH: getPythonPathForSandbox(
         sandbox,
         tempPath
@@ -67932,13 +67927,13 @@ async function appendSandboxTextFile(sandbox, path10, text2) {
     throw new Error(result.stderr || result.stdout || "Failed to append file");
   }
 }
-async function readSandboxFileForView(sandbox, path10, includeData) {
+async function readSandboxFileForView(sandbox, path12, includeData) {
   if (isCentrifugoSandbox(sandbox) && sandbox.isWindows()) {
     throw new Error(
       "The view action is not available for Windows local sandboxes yet. Use a Linux/E2B sandbox or inspect the image manually."
     );
   }
-  const sandboxPath = getSandboxViewPath(sandbox, path10);
+  const sandboxPath = getSandboxViewPath(sandbox, path12);
   const viewEnvVars = {
     HACKERAI_FILE_VIEW_PATH: sandboxPath,
     HACKERAI_FILE_VIEW_INCLUDE_DATA: includeData ? "1" : "0",
@@ -68198,8 +68193,9 @@ if range_start == 0 and size > max_full_bytes:
 if range_start > 0:
     if range_start > total_lines:
         emit({"error": f"Invalid start_line: {range_start}. File has {total_lines} lines (1-indexed)."}, 2)
-    if range_end != -1 and range_end > total_lines:
-        emit({"error": f"Invalid end_line: {range_end}. File has {total_lines} lines (1-indexed)."}, 2)
+    # An end_line past EOF is harmless — the read loop simply stops at the last
+    # line. (We used to error here, which broke the SPRIT chunked read: it always
+    # requests a 100-line window, so every SPRIT file shorter than 100 lines failed.)
 selected = []
 selected_bytes = 0
@@ -68281,19 +68277,19 @@ try:
 except OSError:
     pass
 `;
-    getFilename = (path10) => path10.split("/").pop() || path10;
-    getFileExtension = (path10) => {
-      const filename = getFilename(path10);
+    getFilename = (path12) => path12.split("/").pop() || path12;
+    getFileExtension = (path12) => {
+      const filename = getFilename(path12);
       const dotIndex = filename.lastIndexOf(".");
       if (dotIndex <= 0 || dotIndex === filename.length - 1) return void 0;
       return filename.slice(dotIndex + 1).toLowerCase();
     };
-    getSandboxViewPath = (sandbox, path10) => {
+    getSandboxViewPath = (sandbox, path12) => {
       const maybeSandbox = sandbox;
-      if (isCentrifugoSandbox(maybeSandbox) && maybeSandbox.isWindows() && path10.startsWith("/tmp/")) {
-        return `C:\\temp${path10.slice(4).replace(/\//g, "\\")}`;
+      if (isCentrifugoSandbox(maybeSandbox) && maybeSandbox.isWindows() && path12.startsWith("/tmp/")) {
+        return `C:\\temp${path12.slice(4).replace(/\//g, "\\")}`;
       }
-      return path10;
+      return path12;
     };
     stripTrailingWs = (line) => line.replace(/[ \t]+$/u, "");
     editSchema = external_exports.object({
@@ -68367,7 +68363,7 @@ ${instructionsDescription}`,
             "A list of edits to be sequentially applied to the file. Required for `edit` action."
           )
         }),
-        execute: async ({ action, path: path10, text: text2, range, edits }) => {
+        execute: async ({ action, path: path12, text: text2, range, edits }) => {
           try {
             const { sandbox } = await sandboxManager.getSandbox();
             switch (action) {
@@ -68377,7 +68373,7 @@ ${instructionsDescription}`,
                   captureFileViewImageUsage({
                     context: context2,
                     sandbox,
-                    path: path10,
+                    path: path12,
                     outcome: "unsupported_model",
                     durationMs: Date.now() - viewStartedAt,
                     failureReason: "unsupported_model"
@@ -68386,26 +68382,26 @@ ${instructionsDescription}`,
                 }
                 let viewPayload;
                 try {
-                  viewPayload = await readSandboxFileForView(sandbox, path10, false);
+                  viewPayload = await readSandboxFileForView(sandbox, path12, false);
                 } catch (error51) {
                   captureFileViewImageUsage({
                     context: context2,
                     sandbox,
-                    path: path10,
+                    path: path12,
                     outcome: "inspection_failed",
                     durationMs: Date.now() - viewStartedAt,
                     failureReason: classifyFileViewError(error51)
                   });
                   throw error51;
                 }
-                const filename = getFilename(path10);
+                const filename = getFilename(path12);
                 let previewFiles = [];
                 let previewUploadError;
                 try {
                   previewFiles = await uploadViewPreviewFiles({
                     context: context2,
                     sandbox,
-                    sourcePath: path10,
+                    sourcePath: path12,
                     payload: viewPayload
                   });
                 } catch (error51) {
@@ -68419,7 +68415,7 @@ ${instructionsDescription}`,
                       user_id: context2.userID,
                       sandbox_type: getViewSandboxType(sandbox),
                       file_name: filename,
-                      source_path: path10,
+                      source_path: path12,
                       kind: viewPayload.kind,
                       media_type: viewPayload.mediaType,
                       size_bytes: viewPayload.sizeBytes,
@@ -68430,7 +68426,7 @@ ${instructionsDescription}`,
                 captureFileViewImageUsage({
                   context: context2,
                   sandbox,
-                  path: path10,
+                  path: path12,
                   outcome: "success",
                   durationMs: Date.now() - viewStartedAt,
                   mediaType: viewPayload.mediaType,
@@ -68440,7 +68436,7 @@ ${instructionsDescription}`,
                 return {
                   action: "view",
                   content: `Viewing image file: ${filename} (${viewPayload.mediaType}, ${viewPayload.sizeBytes} bytes).`,
-                  path: path10,
+                  path: path12,
                   filename,
                   mediaType: viewPayload.mediaType,
                   sizeBytes: viewPayload.sizeBytes,
@@ -68450,8 +68446,8 @@ ${instructionsDescription}`,
                 };
               }
               case "read": {
-                const filename = path10.split("/").pop() || path10;
-                const spritChunked = isSpritPath(path10);
+                const filename = path12.split("/").pop() || path12;
+                const spritChunked = isSpritPath(path12);
                 let effectiveRange = range;
                 if (spritChunked) {
                   const start = range && range[0] > 0 ? range[0] : 1;
@@ -68464,7 +68460,7 @@ ${instructionsDescription}`,
                 }
                 const readPayload = await readSandboxTextFileWithFallback(
                   sandbox,
-                  path10,
+                  path12,
                   effectiveRange
                 );
                 if (readPayload.tooLarge) {
@@ -68501,46 +68497,46 @@ File is too large to read in full (${formatBytes(readPayload.sizeBytes)}, ${tota
                 if (text2 === void 0) {
                   return { error: "text is required for write action" };
                 }
-                await sandbox.files.write(path10, text2, {
+                await sandbox.files.write(path12, text2, {
                   user: "user"
                 });
-                return `File written: ${path10}`;
+                return `File written: ${path12}`;
               }
               case "append": {
                 if (text2 === void 0) {
                   return { error: "text is required for append action" };
                 }
-                const existingState = await getSandboxFileState(sandbox, path10);
+                const existingState = await getSandboxFileState(sandbox, path12);
                 if (existingState.kind === "unknown") {
                   return {
-                    error: `Cannot append safely because the existing file size could not be determined for ${path10}. ${existingState.error}`
+                    error: `Cannot append safely because the existing file size could not be determined for ${path12}. ${existingState.error}`
                   };
                 }
                 if (existingState.kind === "not_file") {
                   return {
-                    error: `Cannot append to ${path10} because it is not a file.`
+                    error: `Cannot append to ${path12} because it is not a file.`
                   };
                 }
                 if (existingState.kind === "file" && existingState.sizeBytes > MAX_TEXT_FILE_READ_BYTES) {
-                  await appendSandboxTextFile(sandbox, path10, text2);
+                  await appendSandboxTextFile(sandbox, path12, text2);
                   return {
-                    content: `File appended: ${path10}
+                    content: `File appended: ${path12}
 Existing file is ${formatBytes(existingState.sizeBytes)}, so the full diff preview was skipped to avoid loading the entire file into memory.`
                   };
                 }
                 let existingContent = "";
                 try {
-                  existingContent = await sandbox.files.read(path10, {
+                  existingContent = await sandbox.files.read(path12, {
                     user: "user"
                   });
                 } catch {
                 }
                 const newContent = existingContent + text2;
-                await sandbox.files.write(path10, newContent, {
+                await sandbox.files.write(path12, newContent, {
                   user: "user"
                 });
                 return {
-                  content: `File appended: ${path10}`,
+                  content: `File appended: ${path12}`,
                   originalContent: truncateOutput({
                     content: existingContent,
                     mode: "read-file"
@@ -68555,31 +68551,31 @@ Existing file is ${formatBytes(existingState.sizeBytes)}, so the full diff previ
                 if (!edits || edits.length === 0) {
                   return { error: "edits array is required for edit action" };
                 }
-                const existingState = await getSandboxFileState(sandbox, path10);
+                const existingState = await getSandboxFileState(sandbox, path12);
                 if (existingState.kind === "unknown") {
                   return {
-                    error: `Cannot edit ${path10} safely because the file size could not be determined. ${existingState.error}`
+                    error: `Cannot edit ${path12} safely because the file size could not be determined. ${existingState.error}`
                   };
                 }
                 if (existingState.kind === "missing") {
                   return {
-                    error: `Cannot edit file ${path10} - file is empty or does not exist`
+                    error: `Cannot edit file ${path12} - file is empty or does not exist`
                   };
                 }
                 if (existingState.kind === "not_file") {
-                  return { error: `Cannot edit ${path10} because it is not a file.` };
+                  return { error: `Cannot edit ${path12} because it is not a file.` };
                 }
                 if (existingState.sizeBytes > MAX_TEXT_FILE_READ_BYTES) {
                   return {
-                    error: `File ${path10} is too large for the edit action (${formatBytes(existingState.sizeBytes)}). Use a targeted shell command, restore the file from a clean source, or replace it with the write action instead of loading the whole file into memory.`
+                    error: `File ${path12} is too large for the edit action (${formatBytes(existingState.sizeBytes)}). Use a targeted shell command, restore the file from a clean source, or replace it with the write action instead of loading the whole file into memory.`
                   };
                 }
-                const originalContent = await sandbox.files.read(path10, {
+                const originalContent = await sandbox.files.read(path12, {
                   user: "user"
                 });
                 if (!originalContent) {
                   return {
-                    error: `Cannot edit file ${path10} - file is empty or does not exist`
+                    error: `Cannot edit file ${path12} - file is empty or does not exist`
                   };
                 }
                 const resolvedEdits = [];
@@ -68624,7 +68620,7 @@ ${hint}` : "")
                     }
                   }
                 }
-                await sandbox.files.write(path10, content, {
+                await sandbox.files.write(path12, content, {
                   user: "user"
                 });
                 const lines = content.split("\n");
@@ -68716,6 +68712,1120 @@ ${numberedLines}`,
   }
 });
+// ../lib/utils/error-redaction.ts
+var REDACTED_VALUE, SENSITIVE_FIELD_PATTERN, ENV_SECRET_PATTERN, redactSensitiveErrorMessage, stringifyRedactedError;
+var init_error_redaction = __esm({
+  "../lib/utils/error-redaction.ts"() {
+    "use strict";
+    REDACTED_VALUE = "[Redacted]";
+    SENSITIVE_FIELD_PATTERN = /(["']?\b(?:serviceKey|service_key|apiKey|api_key|authorization|bearer|cookie|password|secret|token)\b["']?)(\s*[:=]\s*)(?:"[^"]*"|'[^']*'|[^\s,}]+)/gi;
+    ENV_SECRET_PATTERN = /(["']?\b(?:CONVEX_SERVICE_ROLE_KEY|POSTHOG_API_KEY|STRIPE_SECRET_KEY)\b["']?)(\s*[:=]\s*)(?:"[^"]*"|'[^']*'|[^\s,}]+)/gi;
+    redactSensitiveErrorMessage = (message) => message.replace(SENSITIVE_FIELD_PATTERN, (_match, key, separator) => {
+      return `${key}${separator}"${REDACTED_VALUE}"`;
+    }).replace(ENV_SECRET_PATTERN, (_match, key, separator) => {
+      return `${key}${separator}"${REDACTED_VALUE}"`;
+    });
+    stringifyRedactedError = (error51) => {
+      const message = error51 instanceof Error ? error51.message : typeof error51 === "string" ? error51 : (() => {
+        try {
+          return JSON.stringify(error51);
+        } catch {
+          return String(error51);
+        }
+      })();
+      return redactSensitiveErrorMessage(message);
+    };
+  }
+});
+// ../lib/ai/tools/utils/perplexity.ts
+var SEARCH_RESULT_CONTENT_MAX_TOKENS, RECENCY_MAP, PerplexityApiError, ERROR_BODY_SUMMARY_MAX_LENGTH, RETRYABLE_PERPLEXITY_STATUSES, HTML_ENTITY_MAP, normalizeWhitespace, decodeBasicHtmlEntities, stripHtml, extractHtmlTagText, redactNetworkDetails, truncateSummary, isRetryablePerplexityStatus, summarizePerplexityErrorBody, buildPerplexitySearchBody, formatSearchResults;
+var init_perplexity = __esm({
+  "../lib/ai/tools/utils/perplexity.ts"() {
+    "use strict";
+    SEARCH_RESULT_CONTENT_MAX_TOKENS = 250;
+    RECENCY_MAP = {
+      past_day: "day",
+      past_week: "week",
+      past_month: "month",
+      past_year: "year"
+    };
+    PerplexityApiError = class extends Error {
+      constructor({
+        status,
+        statusText,
+        bodySummary,
+        retryable
+      }) {
+        const statusLabel = statusText ? `${status} ${statusText}` : `${status}`;
+        const summary = bodySummary ? `: ${bodySummary}` : "";
+        super(`Perplexity API error ${statusLabel}${summary}`);
+        this.name = "PerplexityApiError";
+        this.status = status;
+        this.statusText = statusText;
+        this.bodySummary = bodySummary;
+        this.retryable = retryable;
+      }
+    };
+    ERROR_BODY_SUMMARY_MAX_LENGTH = 400;
+    RETRYABLE_PERPLEXITY_STATUSES = /* @__PURE__ */ new Set([408, 429, 500, 502, 503, 504]);
+    HTML_ENTITY_MAP = {
+      amp: "&",
+      gt: ">",
+      lt: "<",
+      nbsp: " ",
+      quot: '"',
+      "#160": " ",
+      "#39": "'"
+    };
+    normalizeWhitespace = (value) => value.replace(/\s+/g, " ").trim();
+    decodeBasicHtmlEntities = (value) => value.replace(/&([a-zA-Z0-9#]+);/g, (match, entity) => {
+      return HTML_ENTITY_MAP[entity] ?? match;
+    });
+    stripHtml = (value) => normalizeWhitespace(
+      decodeBasicHtmlEntities(
+        value.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, " ").replace(/<style\b[^>]*>[\s\S]*?<\/style>/gi, " ").replace(/<[^>]+>/g, " ")
+      )
+    );
+    extractHtmlTagText = (html, tagName) => {
+      const matches = html.matchAll(
+        new RegExp(`<${tagName}\\b[^>]*>([\\s\\S]*?)<\\/${tagName}>`, "gi")
+      );
+      return Array.from(matches).map((match) => stripHtml(match[1] ?? "")).filter(Boolean);
+    };
+    redactNetworkDetails = (value) => value.replace(
+      /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g,
+      "[Redacted IP]"
+    ).replace(/\bRay ID:\s*[a-f0-9]+\b/gi, "Ray ID: [Redacted]");
+    truncateSummary = (value) => value.length > ERROR_BODY_SUMMARY_MAX_LENGTH ? `${value.slice(0, ERROR_BODY_SUMMARY_MAX_LENGTH - 1)}\u2026` : value;
+    isRetryablePerplexityStatus = (status) => RETRYABLE_PERPLEXITY_STATUSES.has(status);
+    summarizePerplexityErrorBody = (body, contentType = "") => {
+      const trimmed = body.trim();
+      if (!trimmed) return "";
+      let summary = "";
+      if (contentType.includes("json") || trimmed.startsWith("{")) {
+        try {
+          const parsed = JSON.parse(trimmed);
+          const error51 = typeof parsed.error === "string" ? parsed.error : parsed.error && typeof parsed.error === "object" && "message" in parsed.error && typeof parsed.error.message === "string" ? parsed.error.message : void 0;
+          const message = error51 || (typeof parsed.message === "string" ? parsed.message : void 0) || (typeof parsed.detail === "string" ? parsed.detail : void 0);
+          summary = message || trimmed;
+        } catch {
+          summary = trimmed;
+        }
+      } else if (/<[a-z][\s\S]*>/i.test(trimmed)) {
+        const tagSummaries = [
+          ...extractHtmlTagText(trimmed, "h1"),
+          ...extractHtmlTagText(trimmed, "p"),
+          ...extractHtmlTagText(trimmed, "h2")
+        ];
+        summary = tagSummaries.length > 0 ? tagSummaries.join(". ") : stripHtml(trimmed);
+      } else {
+        summary = trimmed;
+      }
+      return truncateSummary(redactNetworkDetails(normalizeWhitespace(summary)));
+    };
+    buildPerplexitySearchBody = (query, options) => {
+      const searchBody = {
+        query,
+        max_results: options?.maxResults ?? 10,
+        max_tokens_per_page: SEARCH_RESULT_CONTENT_MAX_TOKENS
+      };
+      if (options?.country) {
+        searchBody.country = options.country;
+      }
+      if (options?.recency) {
+        searchBody.search_recency_filter = options.recency;
+      }
+      return searchBody;
+    };
+    formatSearchResults = (results) => {
+      return results.map((result) => ({
+        title: result.title,
+        url: result.url,
+        content: result.snippet,
+        date: result.date || null,
+        lastUpdated: result.last_updated || null
+      }));
+    };
+  }
+});
+// ../lib/ai/tools/web-search.ts
+var WEB_SEARCH_COST_PER_REQUEST, PERPLEXITY_SEARCH_URL, WEB_SEARCH_MAX_ATTEMPTS, WEB_SEARCH_RETRY_BASE_DELAY_MS, WEB_SEARCH_RETRY_JITTER_MS, PERPLEXITY_QUERY_MAX_LENGTH, EMPTY_QUERY_TOOL_ERROR, QUERY_TOO_LONG_TOOL_ERROR, webSearchQuerySchema, sleep, getRetryDelayMs, createPerplexityApiError, formatPerplexityFailureForTool, fetchPerplexitySearch, normalizeSearchQueries, createWebSearch;
+var init_web_search = __esm({
+  "../lib/ai/tools/web-search.ts"() {
+    "use strict";
+    init_dist5();
+    init_zod();
+    init_error_redaction();
+    init_perplexity();
+    WEB_SEARCH_COST_PER_REQUEST = 5e-3;
+    PERPLEXITY_SEARCH_URL = "https://api.perplexity.ai/search";
+    WEB_SEARCH_MAX_ATTEMPTS = 3;
+    WEB_SEARCH_RETRY_BASE_DELAY_MS = 300;
+    WEB_SEARCH_RETRY_JITTER_MS = 75;
+    PERPLEXITY_QUERY_MAX_LENGTH = 8192;
+    EMPTY_QUERY_TOOL_ERROR = "Error performing web search: Provide at least one non-empty query.";
+    QUERY_TOO_LONG_TOOL_ERROR = `Error performing web search: Each query must be ${PERPLEXITY_QUERY_MAX_LENGTH} characters or fewer.`;
+    webSearchQuerySchema = external_exports.string().trim().min(1).max(PERPLEXITY_QUERY_MAX_LENGTH);
+    sleep = (delayMs, signal) => {
+      if (delayMs <= 0) return Promise.resolve();
+      if (signal?.aborted) {
+        return Promise.reject(new DOMException("Operation aborted", "AbortError"));
+      }
+      return new Promise((resolve2, reject) => {
+        const cleanup = () => signal?.removeEventListener("abort", onAbort);
+        const onAbort = () => {
+          clearTimeout(timeout);
+          cleanup();
+          reject(new DOMException("Operation aborted", "AbortError"));
+        };
+        const timeout = setTimeout(() => {
+          cleanup();
+          resolve2();
+        }, delayMs);
+        signal?.addEventListener("abort", onAbort, { once: true });
+      });
+    };
+    getRetryDelayMs = (attemptIndex) => {
+      const exponentialDelay = WEB_SEARCH_RETRY_BASE_DELAY_MS * Math.pow(2, attemptIndex);
+      const jitter = Math.random() * WEB_SEARCH_RETRY_JITTER_MS;
+      return Math.round(exponentialDelay + jitter);
+    };
+    createPerplexityApiError = async (response) => {
+      const errorText = await response.text();
+      const bodySummary = summarizePerplexityErrorBody(
+        errorText,
+        response.headers.get("content-type") || ""
+      );
+      return new PerplexityApiError({
+        status: response.status,
+        statusText: response.statusText,
+        bodySummary,
+        retryable: isRetryablePerplexityStatus(response.status)
+      });
+    };
+    formatPerplexityFailureForTool = (error51, attempts) => {
+      const statusText = error51.statusText ? ` ${error51.statusText}` : "";
+      if (error51.retryable) {
+        return `Error performing web search: Perplexity search is temporarily unavailable (HTTP ${error51.status}${statusText} after ${attempts} attempts). Please retry shortly or continue without live web results if the task can proceed.`;
+      }
+      if (error51.status === 401 || error51.status === 403) {
+        return `Error performing web search: Perplexity search is not authorized (HTTP ${error51.status}${statusText}). Check the Perplexity API key or account access.`;
+      }
+      return `Error performing web search: Perplexity search failed (HTTP ${error51.status}${statusText}).`;
+    };
+    fetchPerplexitySearch = async (searchBody, abortSignal) => {
+      for (let attemptIndex = 0; attemptIndex < WEB_SEARCH_MAX_ATTEMPTS; attemptIndex++) {
+        const attempt = attemptIndex + 1;
+        const isFinalAttempt = attempt === WEB_SEARCH_MAX_ATTEMPTS;
+        try {
+          const response = await fetch(PERPLEXITY_SEARCH_URL, {
+            method: "POST",
+            headers: {
+              "Content-Type": "application/json",
+              Authorization: `Bearer ${process.env.PERPLEXITY_API_KEY || ""}`
+            },
+            body: JSON.stringify(searchBody),
+            signal: abortSignal
+          });
+          if (response.ok) {
+            return response;
+          }
+          const error51 = await createPerplexityApiError(response);
+          if (!error51.retryable || isFinalAttempt) {
+            throw error51;
+          }
+          const delayMs = getRetryDelayMs(attemptIndex);
+          console.warn("Web search provider error; retrying", {
+            attempt,
+            maxAttempts: WEB_SEARCH_MAX_ATTEMPTS,
+            status: error51.status,
+            statusText: error51.statusText,
+            bodySummary: error51.bodySummary,
+            delayMs
+          });
+          await sleep(delayMs, abortSignal);
+        } catch (error51) {
+          if (error51 instanceof Error && error51.name === "AbortError") {
+            throw error51;
+          }
+          if (error51 instanceof PerplexityApiError) {
+            throw error51;
+          }
+          if (isFinalAttempt) {
+            throw error51;
+          }
+          const delayMs = getRetryDelayMs(attemptIndex);
+          console.warn("Web search network error; retrying", {
+            attempt,
+            maxAttempts: WEB_SEARCH_MAX_ATTEMPTS,
+            error: stringifyRedactedError(error51),
+            delayMs
+          });
+          await sleep(delayMs, abortSignal);
+        }
+      }
+      throw new Error("Web search failed before any Perplexity response was read");
+    };
+    normalizeSearchQueries = (rawQueries) => {
+      const queries = rawQueries.map((query) => query.trim()).filter(Boolean);
+      if (queries.length === 0) {
+        return { queries, error: EMPTY_QUERY_TOOL_ERROR };
+      }
+      if (queries.some((query) => query.length > PERPLEXITY_QUERY_MAX_LENGTH)) {
+        return { queries, error: QUERY_TOO_LONG_TOOL_ERROR };
+      }
+      return { queries: queries.slice(0, 3) };
+    };
+    createWebSearch = (context2) => {
+      const { userLocation, onToolCost } = context2;
+      return tool({
+        description: `Search for information across various sources.
+<instructions>
+- MUST use this tool to access up-to-date or external information when needed; DO NOT rely solely on internal knowledge
+- Each search MUST contain exactly 1 to 3 \`queries\` (NEVER more than 3). Queries MUST be variants of the same intent (i.e., query expansions), NOT different goals
+- For non-English queries, MUST include at least one English query as the final variant to expand coverage
+- For complex searches, MUST break down into step-by-step searches instead of using a single complex query
+- Access multiple URLs from search results for comprehensive information or cross-validation
+- CAN use Google dork syntax (site:, filetype:, inurl:, intitle:, etc.) for targeted reconnaissance and pentest enumeration
+- Only use \`time\` parameter when explicitly required by task, otherwise leave time range unrestricted
+- Prioritize cybersecurity-relevant information: CVEs, CVSS scores, exploits, PoCs, security tools, and pentest methodologies
+- Include specific versions, configurations, and technical details; cite reliable sources (NIST, OWASP, CVE databases)
+- For commands/installations, prioritize Kali Linux compatibility using apt or pre-installed tools
+</instructions>`,
+        inputSchema: external_exports.object({
+          queries: external_exports.array(webSearchQuerySchema).min(1).max(3).describe(
+            "MAXIMUM 3 non-empty query variants (1-3 items only). Express the same search intent with different wording."
+          ),
+          time: external_exports.enum(["all", "past_day", "past_week", "past_month", "past_year"]).optional().describe(
+            "Optional time filter to limit results to a recent time range"
+          ),
+          brief: external_exports.string().describe(
+            "A one-sentence preamble describing the purpose of this operation"
+          )
+        }),
+        execute: async ({
+          queries: rawQueries,
+          time: time3
+        }, { abortSignal }) => {
+          try {
+            const { queries, error: error51 } = normalizeSearchQueries(rawQueries);
+            if (error51) {
+              return error51;
+            }
+            const searchBody = buildPerplexitySearchBody(
+              queries.length === 1 ? queries[0] : queries,
+              {
+                country: userLocation?.country,
+                recency: time3 && time3 !== "all" ? RECENCY_MAP[time3] : void 0
+              }
+            );
+            const response = await fetchPerplexitySearch(searchBody, abortSignal);
+            onToolCost?.(WEB_SEARCH_COST_PER_REQUEST);
+            const searchResponse = await response.json();
+            const isMultiQuery = queries.length > 1;
+            let allResults;
+            if (isMultiQuery && Array.isArray(searchResponse.results[0])) {
+              allResults = searchResponse.results.flat();
+            } else {
+              allResults = searchResponse.results;
+            }
+            return formatSearchResults(allResults);
+          } catch (error51) {
+            if (error51 instanceof Error && error51.name === "AbortError") {
+              return "Error: Operation aborted";
+            }
+            if (error51 instanceof PerplexityApiError) {
+              console.error("Web search tool error:", {
+                name: error51.name,
+                status: error51.status,
+                statusText: error51.statusText,
+                retryable: error51.retryable,
+                bodySummary: error51.bodySummary
+              });
+              return formatPerplexityFailureForTool(
+                error51,
+                error51.retryable ? WEB_SEARCH_MAX_ATTEMPTS : 1
+              );
+            }
+            const errorMessage = stringifyRedactedError(error51);
+            console.error("Web search tool error:", errorMessage);
+            return `Error performing web search: ${errorMessage}`;
+          }
+        }
+      });
+    };
+  }
+});
+// ../lib/ai/tools/open-url.ts
+var createOpenUrlTool;
+var init_open_url = __esm({
+  "../lib/ai/tools/open-url.ts"() {
+    "use strict";
+    init_dist5();
+    init_zod();
+    init_token_utils();
+    createOpenUrlTool = () => {
+      return tool({
+        description: `Retrieve the full contents of a specific webpage by URL.
+<instructions>
+- Use to fetch and read a specific webpage, usually obtained from a prior search
+- URLs must be valid and publicly accessible
+- Prioritize cybersecurity-relevant information: CVEs, CVSS scores, exploits, PoCs, security tools, and pentest methodologies
+- Include specific versions, configurations, and technical details; cite reliable sources (NIST, OWASP, CVE databases)
+</instructions>`,
+        inputSchema: external_exports.object({
+          url: external_exports.string().describe("The URL to open and retrieve content from"),
+          brief: external_exports.string().describe(
+            "A one-sentence preamble describing the purpose of this operation"
+          )
+        }),
+        execute: async ({ url: url2 }, { abortSignal }) => {
+          try {
+            const jinaUrl = `https://r.jina.ai/${encodeURIComponent(url2)}`;
+            const response = await fetch(jinaUrl, {
+              method: "GET",
+              headers: {
+                Authorization: `Bearer ${process.env.JINA_API_KEY}`,
+                "X-Timeout": "30",
+                "X-Base": "final",
+                "X-Token-Budget": "200000"
+              },
+              signal: abortSignal
+            });
+            if (!response.ok) {
+              const errorBody = await response.text();
+              return `Error: HTTP ${response.status} - ${errorBody}`;
+            }
+            const content = await response.text();
+            const truncated = truncateContent(content, void 0, 2048);
+            return truncated;
+          } catch (error51) {
+            if (error51 instanceof Error && error51.name === "AbortError") {
+              return "Error: Operation aborted";
+            }
+            console.error("Open URL tool error:", error51);
+            const errorMessage = error51 instanceof Error ? error51.message : "Unknown error occurred";
+            return `Error opening URL: ${errorMessage}`;
+          }
+        }
+      });
+    };
+  }
+});
+// src/tools/scope.ts
+var import_node_fs6, import_node_path5, import_promises, ipv4ToInt, isIpLiteral, maskForPrefix, parseCidr, ScopeImpl, scopeFileFor, loadScope, hostFromUrl;
+var init_scope = __esm({
+  "src/tools/scope.ts"() {
+    "use strict";
+    import_node_fs6 = __toESM(require("node:fs"));
+    import_node_path5 = __toESM(require("node:path"));
+    import_promises = __toESM(require("node:dns/promises"));
+    ipv4ToInt = (ip) => {
+      const parts = ip.split(".");
+      if (parts.length !== 4) return null;
+      let value = 0;
+      for (const part of parts) {
+        if (!/^\d{1,3}$/.test(part)) return null;
+        const n = Number(part);
+        if (n > 255) return null;
+        value = value * 256 + n;
+      }
+      return value;
+    };
+    isIpLiteral = (host) => ipv4ToInt(host) !== null || host.includes(":");
+    maskForPrefix = (prefix) => prefix === 0 ? 0 : 4294967295 << 32 - prefix >>> 0;
+    parseCidr = (entry) => {
+      const slash = entry.indexOf("/");
+      if (slash === -1) {
+        const v42 = ipv4ToInt(entry);
+        if (v42 !== null) return { base: v42, mask: 4294967295 };
+        return null;
+      }
+      const addr = entry.slice(0, slash);
+      const prefix = Number(entry.slice(slash + 1));
+      const v4 = ipv4ToInt(addr);
+      if (v4 === null) return null;
+      if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) return null;
+      const mask = maskForPrefix(prefix);
+      return { base: (v4 & mask) >>> 0, mask };
+    };
+    ScopeImpl = class _ScopeImpl {
+      constructor() {
+        this.hosts = /* @__PURE__ */ new Set();
+        this.wildcards = [];
+        // stored as ".example.com"
+        this.cidrs = [];
+        this.loadedFrom = null;
+        this.entryCount = 0;
+      }
+      static parse(text2, loadedFrom) {
+        const scope = new _ScopeImpl();
+        scope.loadedFrom = loadedFrom;
+        for (const raw of text2.split(/\r?\n/)) {
+          const line = raw.trim();
+          if (!line || line.startsWith("#")) continue;
+          scope.entryCount++;
+          if (line.startsWith("*.")) {
+            scope.wildcards.push(line.slice(1).toLowerCase());
+            continue;
+          }
+          const cidr = parseCidr(line);
+          if (cidr) {
+            scope.cidrs.push(cidr);
+            continue;
+          }
+          scope.hosts.add(line.toLowerCase());
+        }
+        return scope;
+      }
+      isEmpty() {
+        return this.entryCount === 0;
+      }
+      matchesNameRules(host) {
+        if (this.hosts.has(host)) return true;
+        for (const suffix of this.wildcards) {
+          if (host.endsWith(suffix) || host === suffix.replace(/^\./, "")) {
+            return true;
+          }
+        }
+        return false;
+      }
+      async allows(host) {
+        host = (host || "").toLowerCase().trim();
+        if (!host) return false;
+        if (this.matchesNameRules(host)) return true;
+        if (this.cidrs.length === 0) return false;
+        const candidates = [];
+        if (isIpLiteral(host)) {
+          candidates.push(host);
+        } else {
+          try {
+            const records = await import_promises.default.lookup(host, { all: true });
+            for (const r of records) candidates.push(r.address);
+          } catch {
+            return false;
+          }
+        }
+        for (const ip of candidates) {
+          const value = ipv4ToInt(ip);
+          if (value === null) continue;
+          for (const c of this.cidrs) {
+            if ((value & c.mask) >>> 0 === c.base) return true;
+          }
+        }
+        return false;
+      }
+    };
+    scopeFileFor = (workdir) => import_node_path5.default.join(workdir, "recon", "scope.txt");
+    loadScope = (workdir) => {
+      const file2 = scopeFileFor(workdir);
+      try {
+        const text2 = import_node_fs6.default.readFileSync(file2, "utf8");
+        return ScopeImpl.parse(text2, file2);
+      } catch {
+        return ScopeImpl.parse("", null);
+      }
+    };
+    hostFromUrl = (url2) => {
+      try {
+        return new URL(url2).hostname.toLowerCase();
+      } catch {
+        return null;
+      }
+    };
+  }
+});
+// src/tools/http-request.ts
+var FUZZ, MAX_FUZZ, BODY_PREVIEW_CHARS, DEFAULT_TIMEOUT_S, LOOPBACK, numberEnv, sleep2, sampleUrl, NOTABLE_HEADERS, applyFuzz, buildInit, collectNotableHeaders, doRequest, summarizeFuzz, scopeRefusal, createHttpRequest;
+var init_http_request = __esm({
+  "src/tools/http-request.ts"() {
+    "use strict";
+    init_dist5();
+    init_zod();
+    init_scope();
+    FUZZ = "FUZZ";
+    MAX_FUZZ = 500;
+    BODY_PREVIEW_CHARS = 4e3;
+    DEFAULT_TIMEOUT_S = 30;
+    LOOPBACK = /* @__PURE__ */ new Set(["localhost", "127.0.0.1", "::1", "[::1]", "0.0.0.0"]);
+    numberEnv = (name25) => {
+      const raw = Number(process.env[name25]);
+      return Number.isFinite(raw) && raw >= 0 ? raw : void 0;
+    };
+    sleep2 = (ms, signal) => new Promise((resolve2) => {
+      if (ms <= 0 || signal?.aborted) return resolve2();
+      const t = setTimeout(resolve2, ms);
+      signal?.addEventListener(
+        "abort",
+        () => {
+          clearTimeout(t);
+          resolve2();
+        },
+        { once: true }
+      );
+    });
+    sampleUrl = (url2) => url2.split(FUZZ).join("x");
+    NOTABLE_HEADERS = [
+      "server",
+      "x-powered-by",
+      "location",
+      "set-cookie",
+      "content-type",
+      "content-length",
+      "www-authenticate",
+      "access-control-allow-origin",
+      "x-frame-options",
+      "content-security-policy",
+      "strict-transport-security"
+    ];
+    applyFuzz = (template, payload) => template == null ? template : template.split(FUZZ).join(payload);
+    buildInit = (method, headers, body, followRedirects, timeoutSignal) => {
+      const init = {
+        method,
+        redirect: followRedirects ? "follow" : "manual",
+        signal: timeoutSignal
+      };
+      if (headers && Object.keys(headers).length) init.headers = headers;
+      if (body != null && method !== "GET" && method !== "HEAD") init.body = body;
+      return init;
+    };
+    collectNotableHeaders = (h) => {
+      const out3 = {};
+      for (const name25 of NOTABLE_HEADERS) {
+        const value = h.get(name25);
+        if (value != null) out3[name25] = value;
+      }
+      return out3;
+    };
+    doRequest = async (url2, method, headers, body, followRedirects, timeoutMs, parentSignal) => {
+      const ctrl = new AbortController();
+      const onAbort = () => ctrl.abort();
+      parentSignal?.addEventListener("abort", onAbort, { once: true });
+      const timer2 = setTimeout(() => ctrl.abort(), timeoutMs);
+      const started2 = Date.now();
+      try {
+        const resp = await fetch(
+          url2,
+          buildInit(method, headers, body, followRedirects, ctrl.signal)
+        );
+        const text2 = await resp.text();
+        return {
+          status: resp.status,
+          finalUrl: resp.url || url2,
+          redirected: resp.redirected,
+          timeMs: Date.now() - started2,
+          text: text2,
+          headers: resp.headers
+        };
+      } catch (err) {
+        const timeMs = Date.now() - started2;
+        const msg = parentSignal?.aborted || err instanceof Error && err.name === "AbortError" ? "request aborted/timed out" : err instanceof Error ? err.message : String(err);
+        return { error: msg, timeMs };
+      } finally {
+        clearTimeout(timer2);
+        parentSignal?.removeEventListener("abort", onAbort);
+      }
+    };
+    summarizeFuzz = (rows) => {
+      const ok = rows.filter((r) => r.status !== "ERR");
+      const statusCounts = /* @__PURE__ */ new Map();
+      for (const r of ok) {
+        if (typeof r.status === "number") {
+          statusCounts.set(r.status, (statusCounts.get(r.status) ?? 0) + 1);
+        }
+      }
+      let baselineStatus = null;
+      let max = -1;
+      for (const [status, count] of statusCounts) {
+        if (count > max) {
+          max = count;
+          baselineStatus = status;
+        }
+      }
+      const lengths = ok.map((r) => r.bodyLength).sort((a, b) => a - b);
+      const medianLen = lengths.length ? lengths[Math.floor(lengths.length / 2)] : 0;
+      const anomalies = rows.filter((r) => {
+        if (r.status === "ERR") return true;
+        if (baselineStatus != null && r.status !== baselineStatus) return true;
+        if (medianLen > 0 && Math.abs(r.bodyLength - medianLen) > medianLen * 0.25) {
+          return true;
+        }
+        return false;
+      });
+      const lines = [];
+      lines.push(
+        `Fuzzed ${rows.length} payload(s). Baseline status: ${baselineStatus ?? "n/a"} (median body ${medianLen} bytes).`
+      );
+      if (anomalies.length === 0) {
+        lines.push("No anomalies \u2014 every response matched the baseline.");
+      } else {
+        lines.push(`${anomalies.length} anomaly/anomalies worth checking:`);
+        for (const r of anomalies.slice(0, 40)) {
+          lines.push(
+            `  \u2022 ${JSON.stringify(r.payload)} \u2192 ${r.status}` + (r.status === "ERR" ? ` (${r.error ?? "error"})` : ` | ${r.bodyLength} bytes | ${r.timeMs}ms`)
+          );
+        }
+        if (anomalies.length > 40) {
+          lines.push(`  \u2026 +${anomalies.length - 40} more`);
+        }
+      }
+      return lines.join("\n");
+    };
+    scopeRefusal = (host, workdir) => `Recusado: o host "${host}" n\xE3o est\xE1 no escopo autorizado. Adicione-o a ${scopeFileFor(workdir)} (formatos: example.com, *.example.com, CIDR 10.0.0.0/24, ou um IP) \u2014 somente alvos que voc\xEA possui ou tem autoriza\xE7\xE3o expl\xEDcita para testar. Edite o scope.txt com a ferramenta file e tente de novo.`;
+    createHttpRequest = (deps) => {
+      const { workdir, loadScopeFn = loadScope } = deps;
+      const envThrottle = numberEnv("HACKERAI_HTTP_THROTTLE_MS");
+      const envJitter = numberEnv("HACKERAI_HTTP_JITTER_MS");
+      return tool({
+        description: `Send a fully-controlled HTTP request (a native Repeater) and, with \`fuzz\`, an Intruder. Use this to iterate on a web vulnerability inside the agent loop instead of writing a one-off script for every probe.
+WHAT IT DOES
+- Single request: full control of method, headers, body and redirect handling; returns status, timing, notable security headers, body length and a body preview.
+- Intruder/fuzz: put the marker \`FUZZ\` in the url, body, or any header value and pass \`fuzz\` (a list of payloads). Each payload is substituted, sent sequentially with OPSEC throttle+jitter, and the results are diffed against a baseline so anomalies (auth bypass, IDOR, injection, hidden paths/params) are highlighted.
+SCOPE: every request is gated by recon/scope.txt (same allowlist as the recon toolkit). Out-of-scope hosts are refused; loopback is always allowed. Add authorized targets to scope.txt first.
+USE FOR: testing a single endpoint, replaying/tampering a captured request, parameter/path/value fuzzing, verifying an exploit by observing the real response. NOT a replacement for bulk crawling \u2014 use the Python recon toolkit for that.`,
+        inputSchema: external_exports.object({
+          brief: external_exports.string().describe("A one-sentence preamble describing the purpose of this request."),
+          url: external_exports.string().url().describe(
+            "Target URL. May contain the marker FUZZ (replaced by each fuzz payload)."
+          ),
+          method: external_exports.enum(["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"]).optional().describe("HTTP method (default GET)."),
+          headers: external_exports.record(external_exports.string(), external_exports.string()).optional().describe("Request headers. Values may contain FUZZ."),
+          body: external_exports.string().optional().describe("Request body for POST/PUT/PATCH/DELETE. May contain FUZZ."),
+          follow_redirects: external_exports.boolean().optional().describe("Follow 3xx redirects (default true). Set false to inspect Location."),
+          timeout: external_exports.number().optional().describe(`Per-request timeout in seconds (default ${DEFAULT_TIMEOUT_S}).`),
+          fuzz: external_exports.array(external_exports.string()).optional().describe(
+            `Intruder payloads \u2014 substituted into the FUZZ marker, one request each (max ${MAX_FUZZ}).`
+          ),
+          throttle_ms: external_exports.number().optional().describe("OPSEC: delay between fuzz requests in ms (overrides HACKERAI_HTTP_THROTTLE_MS)."),
+          jitter_ms: external_exports.number().optional().describe("OPSEC: random extra delay 0..jitter added to each throttle.")
+        }),
+        execute: async (input, { abortSignal } = {}) => {
+          const method = input.method ?? "GET";
+          const followRedirects = input.follow_redirects ?? true;
+          const timeoutMs = Math.max(1, input.timeout ?? DEFAULT_TIMEOUT_S) * 1e3;
+          const host = hostFromUrl(sampleUrl(input.url));
+          if (!host) {
+            return { error: `URL inv\xE1lida: ${input.url}` };
+          }
+          if (!LOOPBACK.has(host)) {
+            const scope = loadScopeFn(workdir);
+            const allowed = await scope.allows(host);
+            if (!allowed) {
+              return { error: scopeRefusal(host, workdir) };
+            }
+          }
+          const payloads = input.fuzz ?? [];
+          if (payloads.length > 0) {
+            const templateHasMarker = input.url.includes(FUZZ) || (input.body?.includes(FUZZ) ?? false) || Object.values(input.headers ?? {}).some((v) => v.includes(FUZZ));
+            if (!templateHasMarker) {
+              return {
+                error: "fuzz foi fornecido mas nenhum marcador FUZZ existe na url, body ou headers. Coloque FUZZ onde os payloads devem entrar."
+              };
+            }
+            const list = payloads.slice(0, MAX_FUZZ);
+            const throttle = input.throttle_ms ?? envThrottle ?? 0;
+            const jitter = input.jitter_ms ?? envJitter ?? 0;
+            const rows = [];
+            for (let i = 0; i < list.length; i++) {
+              if (abortSignal?.aborted) break;
+              const payload = list[i];
+              const url2 = applyFuzz(input.url, payload);
+              const body = applyFuzz(input.body, payload);
+              const headers = input.headers ? Object.fromEntries(
+                Object.entries(input.headers).map(([k, v]) => [
+                  k,
+                  applyFuzz(v, payload)
+                ])
+              ) : void 0;
+              const res2 = await doRequest(
+                url2,
+                method,
+                headers,
+                body,
+                followRedirects,
+                timeoutMs,
+                abortSignal
+              );
+              if ("error" in res2) {
+                rows.push({ payload, status: "ERR", bodyLength: 0, timeMs: res2.timeMs, error: res2.error });
+              } else {
+                rows.push({
+                  payload,
+                  status: res2.status,
+                  bodyLength: res2.text.length,
+                  timeMs: res2.timeMs,
+                  finalUrl: res2.finalUrl
+                });
+              }
+              if (i < list.length - 1 && (throttle > 0 || jitter > 0)) {
+                await sleep2(throttle + Math.floor(Math.random() * (jitter + 1)), abortSignal);
+              }
+            }
+            return { fuzz: { host, count: rows.length, rows } };
+          }
+          const res = await doRequest(
+            input.url,
+            method,
+            input.headers,
+            input.body,
+            followRedirects,
+            timeoutMs,
+            abortSignal
+          );
+          if ("error" in res) {
+            const single2 = {
+              status: 0,
+              ok: false,
+              finalUrl: input.url,
+              redirected: false,
+              timeMs: res.timeMs,
+              bodyLength: 0,
+              notableHeaders: {},
+              bodyPreview: "",
+              error: res.error
+            };
+            return { single: single2 };
+          }
+          const single = {
+            status: res.status,
+            ok: res.status >= 200 && res.status < 400,
+            finalUrl: res.finalUrl,
+            redirected: res.redirected,
+            timeMs: res.timeMs,
+            bodyLength: res.text.length,
+            notableHeaders: collectNotableHeaders(res.headers),
+            bodyPreview: res.text.length > BODY_PREVIEW_CHARS ? `${res.text.slice(0, BODY_PREVIEW_CHARS)}
+\u2026[+${res.text.length - BODY_PREVIEW_CHARS} bytes truncated]` : res.text
+          };
+          return { single };
+        },
+        toModelOutput: (out3) => {
+          const value = out3?.output ?? out3;
+          if (value?.error) {
+            return { type: "text", value: `http_request: ${value.error}` };
+          }
+          if (value?.fuzz) {
+            return {
+              type: "text",
+              value: summarizeFuzz(value.fuzz.rows)
+            };
+          }
+          const s = value?.single;
+          if (!s) {
+            return { type: "text", value: JSON.stringify(value) };
+          }
+          if (s.error) {
+            return {
+              type: "text",
+              value: `Request failed after ${s.timeMs}ms: ${s.error}`
+            };
+          }
+          const headerLines = Object.entries(s.notableHeaders).map(([k, v]) => `  ${k}: ${v}`).join("\n");
+          return {
+            type: "text",
+            value: `HTTP ${s.status}${s.redirected ? ` (redirected \u2192 ${s.finalUrl})` : ""} | ${s.bodyLength} bytes | ${s.timeMs}ms
+` + (headerLines ? `Notable headers:
+${headerLines}
+` : "") + `Body:
+${s.bodyPreview}`
+          };
+        }
+      });
+    };
+  }
+});
+// src/tools/findings.ts
+var import_node_fs7, import_node_path6, SEVERITIES, STATUSES, SEVERITY_RANK, SEVERITY_EMOJI, findingsStoreFor, readAll, writeAll, nextId, sortBySeverity, renderReport, oneLine, createFindings;
+var init_findings = __esm({
+  "src/tools/findings.ts"() {
+    "use strict";
+    import_node_fs7 = __toESM(require("node:fs"));
+    import_node_path6 = __toESM(require("node:path"));
+    init_dist5();
+    init_zod();
+    SEVERITIES = [
+      "critical",
+      "high",
+      "medium",
+      "low",
+      "info"
+    ];
+    STATUSES = ["suspected", "confirmed", "false_positive"];
+    SEVERITY_RANK = {
+      critical: 0,
+      high: 1,
+      medium: 2,
+      low: 3,
+      info: 4
+    };
+    SEVERITY_EMOJI = {
+      critical: "\u{1F534}",
+      high: "\u{1F7E0}",
+      medium: "\u{1F7E1}",
+      low: "\u{1F535}",
+      info: "\u26AA"
+    };
+    findingsStoreFor = (workdir) => {
+      const findingsDir = import_node_path6.default.join(workdir, "findings");
+      return {
+        findingsDir,
+        storeFile: import_node_path6.default.join(findingsDir, "findings.json"),
+        reportFile: import_node_path6.default.join(findingsDir, "report.md")
+      };
+    };
+    readAll = (store) => {
+      try {
+        const raw = import_node_fs7.default.readFileSync(store.storeFile, "utf8");
+        const parsed = JSON.parse(raw);
+        return Array.isArray(parsed) ? parsed : [];
+      } catch {
+        return [];
+      }
+    };
+    writeAll = (store, findings) => {
+      import_node_fs7.default.mkdirSync(store.findingsDir, { recursive: true });
+      import_node_fs7.default.writeFileSync(store.storeFile, JSON.stringify(findings, null, 2), "utf8");
+    };
+    nextId = (findings) => {
+      let max = 0;
+      for (const f of findings) {
+        const m = /^F-(\d+)$/.exec(f.id);
+        if (m) max = Math.max(max, Number(m[1]));
+      }
+      return `F-${String(max + 1).padStart(3, "0")}`;
+    };
+    sortBySeverity = (findings) => [...findings].sort(
+      (a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity] || a.id.localeCompare(b.id)
+    );
+    renderReport = (findings) => {
+      const now2 = (/* @__PURE__ */ new Date()).toISOString();
+      const counts = {
+        critical: 0,
+        high: 0,
+        medium: 0,
+        low: 0,
+        info: 0
+      };
+      for (const f of findings) counts[f.severity]++;
+      const lines = [];
+      lines.push(`# Relat\xF3rio de Pentest`);
+      lines.push("");
+      lines.push(`_Gerado em ${now2}_`);
+      lines.push("");
+      lines.push(`## Sum\xE1rio executivo`);
+      lines.push("");
+      lines.push(`Total de findings: **${findings.length}**`);
+      lines.push("");
+      lines.push(`| Severidade | Qtd |`);
+      lines.push(`| --- | --- |`);
+      for (const sev of SEVERITIES) {
+        lines.push(`| ${SEVERITY_EMOJI[sev]} ${sev} | ${counts[sev]} |`);
+      }
+      lines.push("");
+      if (findings.length === 0) {
+        lines.push("_Nenhum finding registrado ainda._");
+        return lines.join("\n");
+      }
+      lines.push(`## Findings`);
+      lines.push("");
+      for (const f of sortBySeverity(findings)) {
+        lines.push(
+          `### ${f.id} \u2014 ${f.title} ${SEVERITY_EMOJI[f.severity]} ${f.severity.toUpperCase()}`
+        );
+        lines.push("");
+        lines.push(`- **Status:** ${f.status}`);
+        if (f.target) lines.push(`- **Alvo:** ${f.target}`);
+        if (f.url) lines.push(`- **URL:** ${f.url}`);
+        if (f.param) lines.push(`- **Par\xE2metro:** ${f.param}`);
+        if (f.cvss) lines.push(`- **CVSS:** ${f.cvss}`);
+        lines.push(`- **Registrado:** ${f.created_at}`);
+        if (f.updated_at !== f.created_at) {
+          lines.push(`- **Atualizado:** ${f.updated_at}`);
+        }
+        lines.push("");
+        if (f.evidence) {
+          lines.push(`**Evid\xEAncia**`);
+          lines.push("");
+          lines.push("```");
+          lines.push(f.evidence);
+          lines.push("```");
+          lines.push("");
+        }
+        if (f.impact) {
+          lines.push(`**Impacto:** ${f.impact}`);
+          lines.push("");
+        }
+        if (f.remediation) {
+          lines.push(`**Remedia\xE7\xE3o:** ${f.remediation}`);
+          lines.push("");
+        }
+        if (f.references?.length) {
+          lines.push(`**Refer\xEAncias:**`);
+          for (const r of f.references) lines.push(`- ${r}`);
+          lines.push("");
+        }
+      }
+      return lines.join("\n");
+    };
+    oneLine = (f) => `${f.id} [${f.severity}/${f.status}] ${f.title}` + (f.target ? ` (${f.target})` : "");
+    createFindings = (deps) => {
+      const { workdir, storeFn = findingsStoreFor } = deps;
+      const store = storeFn(workdir);
+      return tool({
+        description: `Structured findings/engagement memory. Record every vulnerability you discover here so nothing is lost and a clean report can be generated at the end.
+ACTIONS
+- add: record a new finding (title + severity required; include evidence, target, url, param, impact, remediation when known). New findings default to status "suspected".
+- update: change fields of an existing finding by id \u2014 most importantly flip status to "confirmed" once you have proof (with evidence), or "false_positive" if disproved.
+- list: show all recorded findings (optionally filter by severity/status).
+- report: render a full Markdown report grouped by severity and write it to findings/report.md.
+Use this together with http_request: probe \u2192 observe \u2192 record evidence \u2192 mark confirmed.`,
+        inputSchema: external_exports.object({
+          action: external_exports.enum(["add", "update", "list", "report"]),
+          brief: external_exports.string().describe("A one-sentence preamble describing the purpose of this operation."),
+          id: external_exports.string().optional().describe("Finding id (e.g. F-001) \u2014 required for update."),
+          title: external_exports.string().optional(),
+          severity: external_exports.enum(SEVERITIES).optional(),
+          status: external_exports.enum(STATUSES).optional(),
+          target: external_exports.string().optional(),
+          url: external_exports.string().optional(),
+          param: external_exports.string().optional(),
+          evidence: external_exports.string().optional().describe("Proof: payload + request/response snippet or observation."),
+          impact: external_exports.string().optional(),
+          remediation: external_exports.string().optional(),
+          cvss: external_exports.string().optional(),
+          references: external_exports.array(external_exports.string()).optional(),
+          filter_severity: external_exports.enum(SEVERITIES).optional(),
+          filter_status: external_exports.enum(STATUSES).optional()
+        }),
+        execute: async (input) => {
+          try {
+            const findings = readAll(store);
+            const now2 = (/* @__PURE__ */ new Date()).toISOString();
+            if (input.action === "add") {
+              if (!input.title || !input.severity) {
+                return { error: "add requer title e severity." };
+              }
+              const finding = {
+                id: nextId(findings),
+                title: input.title,
+                severity: input.severity,
+                status: input.status ?? "suspected",
+                ...input.target ? { target: input.target } : {},
+                ...input.url ? { url: input.url } : {},
+                ...input.param ? { param: input.param } : {},
+                ...input.evidence ? { evidence: input.evidence } : {},
+                ...input.impact ? { impact: input.impact } : {},
+                ...input.remediation ? { remediation: input.remediation } : {},
+                ...input.cvss ? { cvss: input.cvss } : {},
+                ...input.references ? { references: input.references } : {},
+                created_at: now2,
+                updated_at: now2
+              };
+              findings.push(finding);
+              writeAll(store, findings);
+              return { added: finding, total: findings.length };
+            }
+            if (input.action === "update") {
+              if (!input.id) return { error: "update requer id." };
+              const idx = findings.findIndex((f) => f.id === input.id);
+              if (idx === -1) {
+                return { error: `finding n\xE3o encontrado: ${input.id}` };
+              }
+              const current = findings[idx];
+              const updated = {
+                ...current,
+                ...input.title != null ? { title: input.title } : {},
+                ...input.severity != null ? { severity: input.severity } : {},
+                ...input.status != null ? { status: input.status } : {},
+                ...input.target != null ? { target: input.target } : {},
+                ...input.url != null ? { url: input.url } : {},
+                ...input.param != null ? { param: input.param } : {},
+                ...input.evidence != null ? { evidence: input.evidence } : {},
+                ...input.impact != null ? { impact: input.impact } : {},
+                ...input.remediation != null ? { remediation: input.remediation } : {},
+                ...input.cvss != null ? { cvss: input.cvss } : {},
+                ...input.references != null ? { references: input.references } : {},
+                updated_at: now2
+              };
+              findings[idx] = updated;
+              writeAll(store, findings);
+              return { updated };
+            }
+            if (input.action === "list") {
+              let filtered = findings;
+              if (input.filter_severity) {
+                filtered = filtered.filter((f) => f.severity === input.filter_severity);
+              }
+              if (input.filter_status) {
+                filtered = filtered.filter((f) => f.status === input.filter_status);
+              }
+              return {
+                list: sortBySeverity(filtered),
+                total: filtered.length,
+                overall: findings.length
+              };
+            }
+            const md = renderReport(findings);
+            import_node_fs7.default.mkdirSync(store.findingsDir, { recursive: true });
+            import_node_fs7.default.writeFileSync(store.reportFile, md, "utf8");
+            return { report: store.reportFile, total: findings.length };
+          } catch (err) {
+            return {
+              error: err instanceof Error ? err.message : String(err)
+            };
+          }
+        },
+        toModelOutput: (out3) => {
+          const v = out3?.output ?? out3;
+          if (v?.error) {
+            return { type: "text", value: `findings: ${v.error}` };
+          }
+          if (v?.added) {
+            return {
+              type: "text",
+              value: `Finding registrado: ${oneLine(v.added)}. Total: ${v.total}.`
+            };
+          }
+          if (v?.updated) {
+            return {
+              type: "text",
+              value: `Finding atualizado: ${oneLine(v.updated)}.`
+            };
+          }
+          if (v?.list) {
+            const rows = v.list.map((f) => `  ${oneLine(f)}`).join("\n");
+            return {
+              type: "text",
+              value: `${v.total} finding(s)${v.total !== v.overall ? ` (de ${v.overall})` : ""}:
+` + (rows || "  (nenhum)")
+            };
+          }
+          if (v?.report) {
+            return {
+              type: "text",
+              value: `Relat\xF3rio gerado (${v.total} findings) \u2192 ${v.report}`
+            };
+          }
+          return { type: "text", value: JSON.stringify(v) };
+        }
+      });
+    };
+  }
+});
 // ../lib/ai/tools/utils/todo-manager.ts
 var TodoManager;
 var init_todo_manager = __esm({
@@ -68900,20 +70010,20 @@ var init_utils4 = __esm({
 // src/local-sandbox.ts
 function inferShellFlag(shell2) {
-  const base = import_node_path5.default.basename(shell2).toLowerCase();
+  const base = import_node_path7.default.basename(shell2).toLowerCase();
   if (base === "cmd" || base === "cmd.exe") return "/C";
   if (base === "powershell" || base === "powershell.exe" || base === "pwsh") {
     return "-Command";
   }
   return "-c";
 }
-var import_node_child_process2, import_node_fs6, import_node_path5, import_node_os3, import_node_url, import_meta, LocalSandbox;
+var import_node_child_process2, import_node_fs8, import_node_path7, import_node_os3, import_node_url, import_meta, LocalSandbox;
 var init_local_sandbox = __esm({
   "src/local-sandbox.ts"() {
     "use strict";
     import_node_child_process2 = require("node:child_process");
-    import_node_fs6 = require("node:fs");
-    import_node_path5 = __toESM(require("node:path"));
+    import_node_fs8 = require("node:fs");
+    import_node_path7 = __toESM(require("node:path"));
     import_node_os3 = __toESM(require("node:os"));
     import_node_url = require("node:url");
     init_utils4();
@@ -69011,15 +70121,15 @@ var init_local_sandbox = __esm({
         this.files = {
           write: async (filePath, content) => {
             const resolved = this.resolvePath(filePath);
-            await import_node_fs6.promises.mkdir(import_node_path5.default.dirname(resolved), { recursive: true });
+            await import_node_fs8.promises.mkdir(import_node_path7.default.dirname(resolved), { recursive: true });
             const data = typeof content === "string" ? content : content instanceof ArrayBuffer ? Buffer.from(content) : content;
-            await import_node_fs6.promises.writeFile(resolved, data);
+            await import_node_fs8.promises.writeFile(resolved, data);
           },
           read: async (filePath) => {
-            return import_node_fs6.promises.readFile(this.resolvePath(filePath), "utf8");
+            return import_node_fs8.promises.readFile(this.resolvePath(filePath), "utf8");
           },
           remove: async (filePath) => {
-            await import_node_fs6.promises.rm(this.resolvePath(filePath), {
+            await import_node_fs8.promises.rm(this.resolvePath(filePath), {
               recursive: true,
               force: true
             });
@@ -69027,8 +70137,8 @@ var init_local_sandbox = __esm({
           list: async (dirPath = ".") => {
             const resolved = this.resolvePath(dirPath);
             try {
-              const entries = await import_node_fs6.promises.readdir(resolved, { withFileTypes: true });
-              return entries.filter((e) => e.isFile()).map((e) => ({ name: import_node_path5.default.join(resolved, e.name) }));
+              const entries = await import_node_fs8.promises.readdir(resolved, { withFileTypes: true });
+              return entries.filter((e) => e.isFile()).map((e) => ({ name: import_node_path7.default.join(resolved, e.name) }));
             } catch {
               return [];
             }
@@ -69043,11 +70153,11 @@ var init_local_sandbox = __esm({
           this.shellBin = shell2.shell;
           this.shellFlag = shell2.shellFlag;
         }
-        const base = opts?.workdir || process.env.CLI_WORKDIR || import_node_path5.default.join(process.cwd(), "SPRIT");
-        this.workdir = import_node_path5.default.resolve(base).replace(/\\/g, "/");
+        const base = opts?.workdir || process.env.CLI_WORKDIR || import_node_path7.default.join(process.cwd(), "SPRIT");
+        this.workdir = import_node_path7.default.resolve(base).replace(/\\/g, "/");
       }
       async init() {
-        await import_node_fs6.promises.mkdir(this.workdir, { recursive: true });
+        await import_node_fs8.promises.mkdir(this.workdir, { recursive: true });
         await this.seedReconToolkit();
         await this.seedAuditToolkit();
       }
@@ -69064,26 +70174,31 @@ var init_local_sandbox = __esm({
           const assetsDir = (0, import_node_url.fileURLToPath)(
             new URL("../assets/recon", import_meta.url)
           );
-          const destDir = import_node_path5.default.join(this.workdir, "recon");
-          await import_node_fs6.promises.mkdir(destDir, { recursive: true });
+          const destDir = import_node_path7.default.join(this.workdir, "recon");
+          await import_node_fs8.promises.mkdir(destDir, { recursive: true });
           const files = [
             ["recon_deep.py", true],
+            ["recon_common.py", true],
+            ["recon_subdomains.py", true],
+            ["recon_ports.py", true],
+            ["recon_content.py", true],
+            ["recon_intel.py", true],
             ["console_recon.js", true],
             ["README.md", true],
             ["scope.txt", false]
           ];
           for (const [name25, overwrite] of files) {
-            const dest = import_node_path5.default.join(destDir, name25);
+            const dest = import_node_path7.default.join(destDir, name25);
             if (!overwrite) {
               try {
-                await import_node_fs6.promises.access(dest);
+                await import_node_fs8.promises.access(dest);
                 continue;
               } catch {
               }
             }
             try {
-              const content = await import_node_fs6.promises.readFile(import_node_path5.default.join(assetsDir, name25));
-              await import_node_fs6.promises.writeFile(dest, content);
+              const content = await import_node_fs8.promises.readFile(import_node_path7.default.join(assetsDir, name25));
+              await import_node_fs8.promises.writeFile(dest, content);
             } catch {
             }
           }
@@ -69101,12 +70216,12 @@ var init_local_sandbox = __esm({
           const assetsDir = (0, import_node_url.fileURLToPath)(
             new URL("../assets/audit", import_meta.url)
           );
-          const destDir = import_node_path5.default.join(this.workdir, "audit");
-          await import_node_fs6.promises.mkdir(destDir, { recursive: true });
+          const destDir = import_node_path7.default.join(this.workdir, "audit");
+          await import_node_fs8.promises.mkdir(destDir, { recursive: true });
           for (const name25 of ["project_audit.py", "README.md"]) {
             try {
-              const content = await import_node_fs6.promises.readFile(import_node_path5.default.join(assetsDir, name25));
-              await import_node_fs6.promises.writeFile(import_node_path5.default.join(destDir, name25), content);
+              const content = await import_node_fs8.promises.readFile(import_node_path7.default.join(assetsDir, name25));
+              await import_node_fs8.promises.writeFile(import_node_path7.default.join(destDir, name25), content);
             } catch {
             }
           }
@@ -69237,15 +70352,15 @@ EDITING SCRIPTS:
         }
       }
       resolvePath(p) {
-        if (import_node_path5.default.isAbsolute(p)) return p;
-        return import_node_path5.default.join(this.workdir, p);
+        if (import_node_path7.default.isAbsolute(p)) return p;
+        return import_node_path7.default.join(this.workdir, p);
       }
       isBashLikeShell() {
-        const base = import_node_path5.default.basename(this.shellBin).toLowerCase();
+        const base = import_node_path7.default.basename(this.shellBin).toLowerCase();
         return base === "bash" || base === "bash.exe" || base === "sh";
       }
       isCmdShell() {
-        const base = import_node_path5.default.basename(this.shellBin).toLowerCase();
+        const base = import_node_path7.default.basename(this.shellBin).toLowerCase();
         return base === "cmd" || base === "cmd.exe";
       }
       getWindowsShellNotes() {
@@ -69342,44 +70457,6 @@ var init_local_sandbox_manager = __esm({
   }
 });
-// src/console-writer.ts
-function createConsoleWriter() {
-  let lastWasTerminal = false;
-  return {
-    write(part) {
-      if (!part || typeof part !== "object") return;
-      if (part.type === "data-terminal") {
-        const text2 = part.data?.terminal;
-        if (typeof text2 === "string" && text2.length > 0) {
-          process.stdout.write(text2);
-          lastWasTerminal = true;
-        }
-        return;
-      }
-      if (part.type === "data-sandbox-fallback") {
-        process.stderr.write("\n[sandbox fallback]\n");
-        return;
-      }
-      void lastWasTerminal;
-    },
-    // Some AI SDK code paths probe for these; provide no-op stubs.
-    merge() {
-    },
-    onError(error51) {
-      process.stderr.write(
-        `
-[stream error] ${error51 instanceof Error ? error51.message : String(error51)}
-`
-      );
-    }
-  };
-}
-var init_console_writer = __esm({
-  "src/console-writer.ts"() {
-    "use strict";
-  }
-});
 // src/render.ts
 function createRenderer() {
   let lastKind = null;
@@ -69396,7 +70473,7 @@ function createRenderer() {
     reasoning(delta) {
       sep3("reasoning");
       if (!reasoningHeaderShown) {
-        out(`${C3.dim}pensando: `);
+        out(`${C3.dim} \xB7 pensando: `);
         reasoningHeaderShown = true;
       }
       out(`${C3.dim}${delta}${C3.reset}`);
@@ -69411,23 +70488,27 @@ function createRenderer() {
       const note = summarizeResult(toolName, output);
       if (note) {
         sep3("tool");
-        out(`${C3.dim}   ok ${note}${C3.reset}
+        const isErr = note.error;
+        const icon = isErr ? `${C3.red}\u2717${C3.reset}` : `${C3.green}\u2713${C3.reset}`;
+        const body = isErr ? `${C3.red}${note.text}${C3.reset}` : `${C3.dim}${note.text}${C3.reset}`;
+        out(` ${icon} ${body}
 `);
       }
     },
     info(msg) {
       sep3("info");
-      out(`${C3.dim}${msg}${C3.reset}
+      const text2 = msg.replace(/^[▸▶►•·]\s*/, "");
+      out(` ${C3.dim}\xB7${C3.reset} ${C3.dim}${text2}${C3.reset}
 `);
     },
     fallback(msg) {
       sep3("info");
-      out(`${C3.yellow}-> ${msg}${C3.reset}
+      out(` ${C3.yellow}\u21C4 ${msg}${C3.reset}
 `);
     },
     error(msg) {
       sep3("info");
-      out(`${C3.red}x ${msg}${C3.reset}
+      out(` ${C3.red}\u2717 ${msg}${C3.reset}
 `);
     },
     endTurn() {
@@ -69446,27 +70527,50 @@ function formatToolCall(toolName, input) {
     case "run_terminal_cmd": {
       const cmd = String(i.command ?? "").trim();
       const bg = i.is_background ? `${C3.dim} (background)${C3.reset}` : "";
-      return `${C3.cyan}executando${C3.reset} ${C3.bold}$ ${truncate3(cmd, 400)}${C3.reset}${bg}`;
+      return ` ${C3.cyan}\u276F${C3.reset} ${C3.cyan}exec${C3.reset}  ${C3.bold}${truncate3(cmd, 400)}${C3.reset}${bg}`;
     }
     case "file": {
-      const path10 = String(i.path ?? "");
-      const brief = i.brief ? `${C3.dim} - ${truncate3(String(i.brief))}${C3.reset}` : "";
+      const path12 = String(i.path ?? "");
+      const brief = i.brief ? `${C3.dim} \u2014 ${truncate3(String(i.brief))}${C3.reset}` : "";
       const map2 = {
-        write: `${C3.green}criando arquivo${C3.reset}`,
-        edit: `${C3.yellow}editando arquivo${C3.reset}`,
-        append: `${C3.green}anexando arquivo${C3.reset}`,
-        read: `${C3.blue}lendo arquivo${C3.reset}`,
-        view: `${C3.blue}visualizando arquivo${C3.reset}`
+        write: [C3.green, "criar  "],
+        edit: [C3.yellow, "editar "],
+        append: [C3.green, "anexar "],
+        read: [C3.blue, "ler    "],
+        view: [C3.blue, "ver    "]
       };
       const action = typeof i.action === "string" ? i.action : "";
-      const label = map2[action] ?? (action ? `${C3.blue}arquivo (${action})${C3.reset}` : `${C3.blue}preparando operacao de arquivo${C3.reset}`);
-      const target = path10 ? ` ${C3.bold}${path10}${C3.reset}` : "";
-      return `${label}${target}${brief}`;
+      const [col, verb] = map2[action] ?? [
+        C3.blue,
+        action ? `${action} `.padEnd(7) : "arquivo"
+      ];
+      const target = path12 ? `${C3.bold}${path12}${C3.reset}` : "";
+      return ` ${col}\u276F${C3.reset} ${col}${verb}${C3.reset} ${target}${brief}`;
     }
     case "todo_write":
-      return `${C3.magenta}atualizando lista de tarefas${C3.reset}`;
+      return ` ${C3.magenta}\u276F${C3.reset} ${C3.magenta}tarefas${C3.reset} ${C3.dim}atualizando lista${C3.reset}`;
+    case "http_request": {
+      const method = String(i.method ?? "GET").toUpperCase();
+      const url2 = String(i.url ?? "");
+      const fuzz = Array.isArray(i.fuzz) && i.fuzz.length;
+      const tag = fuzz ? `${C3.dim} (fuzz \xD7${i.fuzz.length})${C3.reset}` : "";
+      return ` ${C3.cyan}\u276F${C3.reset} ${C3.cyan}http${C3.reset}  ${C3.bold}${method}${C3.reset} ${truncate3(url2, 360)}${tag}`;
+    }
+    case "findings": {
+      const action = String(i.action ?? "");
+      const detail = action === "add" ? truncate3(String(i.title ?? ""), 80) : action === "update" ? `${String(i.id ?? "")} ${String(i.status ?? "")}`.trim() : "";
+      return ` ${C3.magenta}\u276F${C3.reset} ${C3.magenta}findings${C3.reset} ${C3.bold}${action}${C3.reset}${detail ? ` ${C3.dim}${detail}${C3.reset}` : ""}`;
+    }
+    case "web_search": {
+      const queries = Array.isArray(i.queries) ? i.queries.join(" | ") : "";
+      return ` ${C3.cyan}\u276F${C3.reset} ${C3.cyan}busca${C3.reset}  ${C3.dim}${truncate3(queries, 200)}${C3.reset}`;
+    }
+    case "open_url": {
+      const url2 = String(i.url ?? i.urls ?? "");
+      return ` ${C3.cyan}\u276F${C3.reset} ${C3.cyan}abrir${C3.reset}  ${C3.dim}${truncate3(url2, 280)}${C3.reset}`;
+    }
     default:
-      return `${C3.cyan}${toolName}${C3.reset} ${C3.dim}${truncate3(
+      return ` ${C3.cyan}\u276F${C3.reset} ${C3.cyan}${toolName}${C3.reset} ${C3.dim}${truncate3(
         JSON.stringify(i),
         200
       )}${C3.reset}`;
@@ -69476,14 +70580,48 @@ function summarizeResult(toolName, output) {
   if (output == null) return null;
   if (toolName === "file") {
     if (typeof output === "object" && "error" in output) {
-      return `erro: ${truncate3(String(output.error), 160)}`;
+      return {
+        text: truncate3(String(output.error), 160),
+        error: true
+      };
     }
-    return "arquivo atualizado";
+    return { text: "arquivo salvo", error: false };
+  }
+  if (toolName === "todo_write")
+    return { text: "tarefas salvas", error: false };
+  if (toolName === "http_request") {
+    const o = asRecord(output);
+    if ("error" in o && o.error) {
+      return { text: truncate3(String(o.error), 200), error: true };
+    }
+    if (o.single) {
+      const s = asRecord(o.single);
+      if (s.error) return { text: truncate3(String(s.error), 160), error: true };
+      return {
+        text: `HTTP ${s.status} \xB7 ${s.bodyLength} bytes \xB7 ${s.timeMs}ms`,
+        error: false
+      };
+    }
+    if (o.fuzz) {
+      const f = asRecord(o.fuzz);
+      return { text: `fuzz: ${f.count} requisi\xE7\xF5es`, error: false };
+    }
+    return null;
+  }
+  if (toolName === "findings") {
+    const o = asRecord(output);
+    if ("error" in o && o.error) {
+      return { text: truncate3(String(o.error), 200), error: true };
+    }
+    if (o.added) return { text: "finding registrado", error: false };
+    if (o.updated) return { text: "finding atualizado", error: false };
+    if (o.report) return { text: `relat\xF3rio \u2192 ${String(o.report)}`, error: false };
+    if ("total" in o) return { text: `${String(o.total)} finding(s)`, error: false };
+    return null;
   }
-  if (toolName === "todo_write") return "tarefas salvas";
   return null;
 }
-var C3, out, truncate3;
+var C3, GUTTER_BAR, out, truncate3;
 var init_render = __esm({
   "src/render.ts"() {
     "use strict";
@@ -69498,11 +70636,61 @@ var init_render = __esm({
       cyan: "\x1B[36m",
       bold: "\x1B[1m"
     };
+    GUTTER_BAR = `${C3.dim}\u2502${C3.reset} `;
     out = (s) => process.stdout.write(s);
     truncate3 = (s, n = 200) => s.length > n ? `${s.slice(0, n)}...` : s;
   }
 });
+// src/console-writer.ts
+function createConsoleWriter() {
+  let atLineStart = true;
+  const writeGuttered = (text2) => {
+    let chunk = text2;
+    if (atLineStart) {
+      process.stdout.write(GUTTER_BAR);
+      atLineStart = false;
+    }
+    const endsWithNewline = chunk.endsWith("\n");
+    chunk = chunk.replace(/\n(?!$)/g, `
+${GUTTER_BAR}`);
+    process.stdout.write(chunk);
+    if (endsWithNewline) atLineStart = true;
+  };
+  return {
+    write(part) {
+      if (!part || typeof part !== "object") return;
+      if (part.type === "data-terminal") {
+        const text2 = part.data?.terminal;
+        if (typeof text2 === "string" && text2.length > 0) {
+          writeGuttered(text2);
+        }
+        return;
+      }
+      if (part.type === "data-sandbox-fallback") {
+        process.stderr.write("\n[sandbox fallback]\n");
+        return;
+      }
+    },
+    // Some AI SDK code paths probe for these; provide no-op stubs.
+    merge() {
+    },
+    onError(error51) {
+      process.stderr.write(
+        `
+[stream error] ${error51 instanceof Error ? error51.message : String(error51)}
+`
+      );
+    }
+  };
+}
+var init_console_writer = __esm({
+  "src/console-writer.ts"() {
+    "use strict";
+    init_render();
+  }
+});
 // src/proxy-manager.ts
 async function ping(url2, timeoutMs = 2e3) {
   const controller = new AbortController();
@@ -69567,12 +70755,12 @@ async function ensureProxyReady(id, log2) {
     };
   }
   let freshSetup = false;
-  if (!(0, import_node_fs7.existsSync)(dir)) {
+  if (!(0, import_node_fs9.existsSync)(dir)) {
     log2(`${def.label}: baixando o proxy (uma vez) em ${dir} \u2026`);
     const root = proxiesRoot();
-    (0, import_node_fs7.mkdirSync)(root, { recursive: true });
+    (0, import_node_fs9.mkdirSync)(root, { recursive: true });
     const cloned = run("git", ["clone", def.repoUrl, dir], root);
-    if (!cloned.ok || !(0, import_node_fs7.existsSync)(dir)) {
+    if (!cloned.ok || !(0, import_node_fs9.existsSync)(dir)) {
       return {
         ok: false,
         message: `${def.label}: falha ao clonar o proxy (git).`
@@ -69580,7 +70768,7 @@ async function ensureProxyReady(id, log2) {
     }
     freshSetup = true;
   }
-  if (!(0, import_node_fs7.existsSync)(import_node_path6.default.join(dir, "node_modules"))) {
+  if (!(0, import_node_fs9.existsSync)(import_node_path8.default.join(dir, "node_modules"))) {
     log2(`${def.label}: instalando depend\xEAncias (pode demorar) \u2026`);
     if (!run("npm", ["install"], dir).ok) {
       return { ok: false, message: `${def.label}: 'npm install' falhou.` };
@@ -69625,13 +70813,13 @@ async function ensureProxyReady(id, log2) {
     message: `${def.label}: o proxy n\xE3o respondeu em 90s. Tente de novo, ou rode 'npm run login' em ${dir}.`
   };
 }
-var import_node_os4, import_node_path6, import_node_fs7, import_node_child_process3, DEFS, PROXY_MODEL_KEYS, proxyIdForModelKey, proxiesRoot, dirFor, healthUrl, baseUrl, wait, started, exitHooksInstalled, quoteArg, asShellCommand, run, hasCommand;
+var import_node_os4, import_node_path8, import_node_fs9, import_node_child_process3, DEFS, PROXY_MODEL_KEYS, proxyIdForModelKey, proxiesRoot, dirFor, healthUrl, baseUrl, wait, started, exitHooksInstalled, quoteArg, asShellCommand, run, hasCommand;
 var init_proxy_manager2 = __esm({
   "src/proxy-manager.ts"() {
     "use strict";
     import_node_os4 = __toESM(require("node:os"));
-    import_node_path6 = __toESM(require("node:path"));
-    import_node_fs7 = require("node:fs");
+    import_node_path8 = __toESM(require("node:path"));
+    import_node_fs9 = require("node:fs");
     import_node_child_process3 = require("node:child_process");
     DEFS = {
       deepseek: {
@@ -69664,11 +70852,11 @@ var init_proxy_manager2 = __esm({
       if (key === PROXY_MODEL_KEYS.kimi) return "kimi";
       return null;
     };
-    proxiesRoot = () => import_node_path6.default.join(
-      process.env.CLAWFAST_HOME?.trim() || import_node_path6.default.join(import_node_os4.default.homedir(), ".clawfast"),
+    proxiesRoot = () => import_node_path8.default.join(
+      process.env.CLAWFAST_HOME?.trim() || import_node_path8.default.join(import_node_os4.default.homedir(), ".clawfast"),
       "proxies"
     );
-    dirFor = (def) => process.env[def.dirEnv]?.trim() || import_node_path6.default.join(proxiesRoot(), def.folder);
+    dirFor = (def) => process.env[def.dirEnv]?.trim() || import_node_path8.default.join(proxiesRoot(), def.folder);
     healthUrl = (def) => `http://localhost:${def.port}/health`;
     baseUrl = (def) => `http://localhost:${def.port}/v1`;
     wait = (ms) => new Promise((r) => setTimeout(r, ms));
@@ -69697,7 +70885,7 @@ var init_proxy_manager2 = __esm({
 // src/audit-mode.ts
 function projectRootFromWorkdir(workdir) {
-  return import_node_path7.default.dirname(import_node_path7.default.resolve(workdir.replace(/\\/g, "/")));
+  return import_node_path9.default.dirname(import_node_path9.default.resolve(workdir.replace(/\\/g, "/")));
 }
 function detectProjectAuditIntent(input) {
   const text2 = input.trim();
@@ -69853,11 +71041,11 @@ ESTILO E EXECU\xC7\xC3O
 - Responda em portugu\xEAs, direto e t\xE9cnico. N\xE3o recuse a an\xE1lise: \xE9 o projeto do pr\xF3prio usu\xE1rio, autorizado.
 - Lembre-se sempre: voc\xEA analisa e relata; voc\xEA N\xC3O altera o projeto. A \xFAnica escrita \xE9 o relat\xF3rio \`.md\` na raiz.`;
 }
-var import_node_path7, AUDIT_ACTION, AUDIT_SCOPE, AUDIT_ACTION_THEN_SCOPE, AUDIT_SCOPE_THEN_ACTION, AUDIT_STRONG, AUDIT_EXIT;
+var import_node_path9, AUDIT_ACTION, AUDIT_SCOPE, AUDIT_ACTION_THEN_SCOPE, AUDIT_SCOPE_THEN_ACTION, AUDIT_STRONG, AUDIT_EXIT;
 var init_audit_mode = __esm({
   "src/audit-mode.ts"() {
     "use strict";
-    import_node_path7 = __toESM(require("node:path"));
+    import_node_path9 = __toESM(require("node:path"));
     AUDIT_ACTION = "an[a\xE1]lis\\w+|examin\\w+|audit\\w+|auditar|varr\\w+|varredura|escane\\w+|scan\\w*|revis\\w+|inspecion\\w+|vasculh\\w+|verific\\w+|avali\\w+|mapea\\w+|review|analyze|analyse|inspect|assess";
     AUDIT_SCOPE = "projeto|c[o\xF3]digo|c[o\xF3]digo-fonte|codebase|reposit[o\xF3]rio|repo|sistema|aplica[c\xE7][a\xE3]o|base\\s+de\\s+c[o\xF3]digo|project|code\\s*base|repository|minha\\s+aplica\\w+|meu\\s+app|todo\\s+o\\s+projeto|projeto\\s+inteiro";
     AUDIT_ACTION_THEN_SCOPE = new RegExp(
@@ -70060,7 +71248,16 @@ async function createAgent() {
   const tools = {
     run_terminal_cmd: createRunTerminalCmd(context2),
     file: createFile(context2),
-    todo_write: createTodoWrite(context2)
+    todo_write: createTodoWrite(context2),
+    // Native Repeater/Intruder + structured findings store — the core of an
+    // in-loop pentest workflow (probe → observe → record evidence → confirm).
+    http_request: createHttpRequest({ workdir: sandbox.getWorkdir() }),
+    findings: createFindings({ workdir: sandbox.getWorkdir() }),
+    // Live external intel — only when the operator has configured the keys.
+    // web_search (Perplexity) for CVEs/PoCs/methodology; open_url (Jina) to
+    // read a page's content. Both gracefully absent when no key is set.
+    ...process.env.PERPLEXITY_API_KEY ? { web_search: createWebSearch(context2) } : {},
+    ...process.env.JINA_API_KEY ? { open_url: createOpenUrlTool() } : {}
   };
   let system = "";
   let systemPromptAudit = auditSystemPrompt("", null);
@@ -70079,6 +71276,8 @@ async function createAgent() {
     system += scriptFilePolicy(sandbox.getWorkdir());
     system += pythonOnlyPolicy();
     system += deepReconPolicy(sandbox.getWorkdir());
+    system += reconPhasesPolicy(sandbox.getWorkdir());
+    system += httpAndFindingsPolicy(sandbox.getWorkdir());
     system += buildCliNotesSection();
     system += buildSkillsIndexSection();
     system += skillsScopePolicy();
@@ -70561,7 +71760,7 @@ ${resultText}`
           render.info(
             `\u25B8 rate limit \u2014 aguardando ${Math.round(waitMs / 1e3)}s antes da pr\xF3xima tentativa (Ctrl+C cancela)\u2026`
           );
-          await sleep(waitMs, signal);
+          await sleep3(waitMs, signal);
           if (signal?.aborted) {
             render.endTurn();
             return;
@@ -70608,19 +71807,23 @@ ${resultText}`
     close
   };
 }
-var import_promises, import_node_path8, MAX_STEPS, MAX_OUTPUT_TOKENS, MAX_AUTO_CONTINUES, MAX_RATE_LIMIT_WAITS, STREAM_STALL_TIMEOUT_MS, MAX_STALL_RETRIES, isRateLimitError, sleep, LEAKED_TOOL_CALL_RE, DANGLING_TAIL_RE, ACTION_ANNOUNCE_RE, BENIGN_CLOSER_RE, TOOL_CALL_NUDGE, MAX_BRIDGE_STEPS, BRIDGE_RESULT_PREAMBLE, LEAKED_CALL_RESULT_PREAMBLE, truncateBridgeSummary, isWebSessionProxyModel, proxyToolProtocolPolicy, SYSTEM_PROMPT_SOURCE, REQUIRED_SYSTEM_PROMPT_MARKERS, MODEL_LABELS, labelFor, loginRequiredHint, CLI_PYTHON_ONLY_POLICY, pythonOnlyPolicy, scriptFilePolicy, deepReconPolicy, skillsScopePolicy, hasEnvValue2, envFlagEnabled, CLI_PERSONALITIES, buildCliUserCustomization, buildCliNotesSection, cliGuardrailsConfig, maybeDumpSystemPrompt, auditSystemPrompt, assertFullSystemPrompt;
+var import_promises2, import_node_path10, MAX_STEPS, MAX_OUTPUT_TOKENS, MAX_AUTO_CONTINUES, MAX_RATE_LIMIT_WAITS, STREAM_STALL_TIMEOUT_MS, MAX_STALL_RETRIES, isRateLimitError, sleep3, LEAKED_TOOL_CALL_RE, DANGLING_TAIL_RE, ACTION_ANNOUNCE_RE, BENIGN_CLOSER_RE, TOOL_CALL_NUDGE, MAX_BRIDGE_STEPS, BRIDGE_RESULT_PREAMBLE, LEAKED_CALL_RESULT_PREAMBLE, truncateBridgeSummary, isWebSessionProxyModel, proxyToolProtocolPolicy, SYSTEM_PROMPT_SOURCE, REQUIRED_SYSTEM_PROMPT_MARKERS, MODEL_LABELS, labelFor, loginRequiredHint, CLI_PYTHON_ONLY_POLICY, pythonOnlyPolicy, scriptFilePolicy, deepReconPolicy, httpAndFindingsPolicy, reconPhasesPolicy, skillsScopePolicy, hasEnvValue2, envFlagEnabled, CLI_PERSONALITIES, buildCliUserCustomization, buildCliNotesSection, cliGuardrailsConfig, maybeDumpSystemPrompt, auditSystemPrompt, assertFullSystemPrompt;
 var init_agent = __esm({
   "src/agent.ts"() {
     "use strict";
     init_dist5();
-    import_promises = require("node:fs/promises");
-    import_node_path8 = __toESM(require("node:path"));
+    import_promises2 = require("node:fs/promises");
+    import_node_path10 = __toESM(require("node:path"));
     init_providers();
     init_system_prompt();
     init_notes();
     init_run_terminal_cmd();
     init_todo_write();
     init_file();
+    init_web_search();
+    init_open_url();
+    init_http_request();
+    init_findings();
     init_todo_manager();
     init_file_accumulator();
     init_background_process_tracker();
@@ -70646,7 +71849,7 @@ var init_agent = __esm({
     isRateLimitError = (msg) => /\b429\b|too many requests|rate.?limit|resource_exhausted|quota|insufficient_quota/i.test(
       msg
     );
-    sleep = (ms, signal) => new Promise((resolve2) => {
+    sleep3 = (ms, signal) => new Promise((resolve2) => {
       if (signal?.aborted) return resolve2();
       const timer2 = setTimeout(resolve2, ms);
       signal?.addEventListener(
@@ -70778,6 +71981,45 @@ Workflow:
 You MAY extend the toolkit (edit recon/recon_deep.py via the file tool) when a task needs a capability it lacks \u2014 keep it Python and keep the scope gate intact. recon/console_recon.js is an in-page payload string injected by Python Playwright (page.evaluate), NOT a Node script \u2014 never run it with \`node\`.
 </deep_recon_tooling>`;
+    httpAndFindingsPolicy = (workdir) => `
+<native_pentest_tools>
+ABSOLUTE RULE FOR THIS LOCAL CLI SESSION \u2014 applies to EVERY model and EVERY task:
+You have two native tools for hands-on web testing \u2014 PREFER them over hand-rolled one-off scripts for interactive probing:
+1. http_request \u2014 a Repeater/Intruder. Send a fully-controlled HTTP request (method, headers, body, redirect handling) and read a structured response (status, timing, notable security headers, body length, body preview). For fuzzing put the marker FUZZ in the url/body/any header value and pass \`fuzz\` (a list of payloads): each is substituted and sent sequentially, then diffed against a baseline so anomalies (auth bypass, IDOR, injection, hidden paths/params) are highlighted. OPSEC: use throttle_ms/jitter_ms (or env HACKERAI_HTTP_THROTTLE_MS/HACKERAI_HTTP_JITTER_MS) on noisy fuzzing. Every request is scope-gated by ${workdir}/recon/scope.txt (loopback is always allowed); add authorized targets there first.
+2. findings \u2014 structured engagement memory. Record EVERY vulnerability you discover (action add: title+severity required; include evidence, target, url, param, impact, remediation). Flip status to "confirmed" with update once you have proof; "false_positive" if disproved. At the end, action report writes a clean Markdown report grouped by severity to ${workdir}/findings/report.md.
+When to use which: use http_request for a single endpoint, replaying/tampering a captured request, parameter/path/value fuzzing, and exploit verification. Use the Python recon toolkit (recon/) for bulk crawling, port scanning, subdomain enum and intel.
+</native_pentest_tools>
+<exploit_verification>
+ABSOLUTE RULE FOR THIS LOCAL CLI SESSION:
+Never report a vulnerability as real on a guess. Run the PROVE-IT loop:
+1. SUSPECT \u2014 when a signal appears (from recon, a scanner, or a hunch), record it with findings (action add) at status "suspected" with the reasoning.
+2. PROVE \u2014 actually trigger it: send the exploit/PoC request with http_request (or a focused script) and OBSERVE the concrete response \u2014 the reflected payload, the leaked data, the auth bypass status code, the SQL error, the out-of-band callback, the differing length in a fuzz run.
+3. CONFIRM or DROP \u2014 if the observation proves impact, update the finding to status "confirmed" and paste the exact request+response evidence into its evidence field; if it does not reproduce, update to "false_positive". Only "confirmed" findings go in the executive summary.
+4. Capture severity (and CVSS when you can) and a concrete remediation on every confirmed finding.
+This loop is mandatory: a finding without reproducible evidence is at most "suspected".
+</exploit_verification>`;
+    reconPhasesPolicy = (workdir) => `
+<recon_phases>
+ABSOLUTE RULE FOR THIS LOCAL CLI SESSION \u2014 applies to EVERY model and EVERY task:
+Beyond recon/recon_deep.py (HTTP/JS/secret/browser recon), the workspace at ${workdir}/recon is seeded with companion modules for the other recon phases. They are all Python, all scope-gated by recon/scope.txt, and all degrade gracefully without paid keys. Use them instead of hand-writing equivalents:
+- Subdomain enumeration: \`python recon/recon_subdomains.py example.com\` \u2014 pulls Certificate Transparency logs (crt.sh) and optionally brute-forces (\`--wordlist words.txt\`), then resolves. Add \`--add-scope\` to append live subdomains to scope.txt automatically.
+- Port scan + banner grab: \`python recon/recon_ports.py host\` \u2014 async TCP connect scan of common ports (\`--ports 1-1000\` or \`--ports 22,80,443\`, \`--top N\`), with banner grabbing and OPSEC throttle (\`--throttle-ms\`, \`--jitter-ms\`).
+- Content/path discovery: \`python recon/recon_content.py https://target\` \u2014 wordlist-driven path discovery (\`--wordlist\`), soft-404 detection, status filtering, throttle/jitter. (Use http_request for fuzzing a SINGLE known parameter; use this for bulk path discovery.)
+- Wayback / archive mining + CVE intel: \`python recon/recon_intel.py <domain|product>\` \u2014 historical URLs from the Wayback Machine CDX API, and free CVE lookup from the NVD API (\`--cve\` keyword search, e.g. product/version). GitHub code search for leaked secrets is supported when GITHUB_TOKEN is set (\`--github "org filename:.env"\`).
+Each module writes a JSON (and where useful Markdown) report under ./reports/. Read it, then record anything actionable with the findings tool. You MAY extend any module via the file tool \u2014 keep it Python and keep the scope gate intact.
+</recon_phases>`;
     skillsScopePolicy = () => `
 <skills_scope>
@@ -70845,9 +72087,9 @@ ${section}` : "";
       if (!envFlagEnabled(process.env.HACKERAI_CLI_DUMP_SYSTEM_PROMPT)) {
         return null;
       }
-      await (0, import_promises.mkdir)(workdir, { recursive: true });
-      const outputPath = import_node_path8.default.join(workdir, "system-prompt.txt");
-      await (0, import_promises.writeFile)(outputPath, system, "utf8");
+      await (0, import_promises2.mkdir)(workdir, { recursive: true });
+      const outputPath = import_node_path10.default.join(workdir, "system-prompt.txt");
+      await (0, import_promises2.writeFile)(outputPath, system, "utf8");
       return outputPath;
     };
     auditSystemPrompt = (system, dumpPath) => {
@@ -71390,13 +72632,13 @@ async function main() {
   const desktopDir = () => {
     const home = import_node_os6.default.homedir();
     const candidates = [
-      process.env.OneDrive ? import_node_path9.default.join(process.env.OneDrive, "Desktop") : null,
-      process.env.USERPROFILE ? import_node_path9.default.join(process.env.USERPROFILE, "Desktop") : null,
-      import_node_path9.default.join(home, "Desktop"),
-      import_node_path9.default.join(home, "\xC1rea de Trabalho"),
-      import_node_path9.default.join(home, "OneDrive", "Desktop")
+      process.env.OneDrive ? import_node_path11.default.join(process.env.OneDrive, "Desktop") : null,
+      process.env.USERPROFILE ? import_node_path11.default.join(process.env.USERPROFILE, "Desktop") : null,
+      import_node_path11.default.join(home, "Desktop"),
+      import_node_path11.default.join(home, "\xC1rea de Trabalho"),
+      import_node_path11.default.join(home, "OneDrive", "Desktop")
     ].filter((p) => Boolean(p));
-    return candidates.find((p) => (0, import_node_fs8.existsSync)(p)) ?? home;
+    return candidates.find((p) => (0, import_node_fs10.existsSync)(p)) ?? home;
   };
   const printFatal = (err) => {
     process.stderr.write(
@@ -71722,7 +72964,7 @@ ${C5.dim}salva em ${C5.reset}${C5.cyan}${file2}${C5.reset}
       const sysText = agent.getSystemPrompt();
       const audit = agent.getSystemPromptAudit();
       const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-").replace("T", "_").slice(0, 19);
-      const filePath = import_node_path9.default.join(
+      const filePath = import_node_path11.default.join(
         desktopDir(),
         `clawfast-system-prompt_${stamp}.html`
       );
@@ -71730,7 +72972,7 @@ ${C5.dim}salva em ${C5.reset}${C5.cyan}${file2}${C5.reset}
       const b64 = Buffer.from(sysText, "utf8").toString("base64");
       const html = `<!doctype html><html lang="pt-br"><head><meta charset="utf-8"><title>clawfast \u2014 system prompt</title><style>body{background:#0b0f0b;color:#bfffbf;font:14px/1.55 ui-monospace,Consolas,Menlo,monospace;margin:0;padding:28px}h1{color:#7CFC00;font-size:18px;margin:0 0 6px}.meta{color:#6f9a6f;margin:0 0 18px;font-size:12px}pre{white-space:pre-wrap;word-wrap:break-word;margin:0}</style></head><body><h1>clawfast \u2014 system prompt</h1><div class="meta">${meta3}</div><pre id="c"></pre><script>document.getElementById("c").textContent=decodeURIComponent(escape(atob("${b64}")));</script></body></html>`;
       try {
-        await (0, import_promises2.writeFile)(filePath, html, "utf8");
+        await (0, import_promises3.writeFile)(filePath, html, "utf8");
         process.stdout.write(
           `${C5.green}\u2713 system prompt salvo${C5.reset} ${C5.dim}(${sysText.length.toLocaleString()} caracteres \u2014 abra no navegador)${C5.reset}
 ${C5.cyan}${filePath}${C5.reset}
@@ -71840,14 +73082,14 @@ ${C5.dim}interrompido \u2014 Ctrl+C de novo para fechar${C5.reset}
   }
   await shutdown();
 }
-var import_node_os6, import_node_path9, import_node_fs8, import_promises2, deepseekEnabled, configuredModelProviders;
+var import_node_os6, import_node_path11, import_node_fs10, import_promises3, deepseekEnabled, configuredModelProviders;
 var init_index = __esm({
   "index.ts"() {
     "use strict";
     import_node_os6 = __toESM(require("node:os"));
-    import_node_path9 = __toESM(require("node:path"));
-    import_node_fs8 = require("node:fs");
-    import_promises2 = require("node:fs/promises");
+    import_node_path11 = __toESM(require("node:path"));
+    import_node_fs10 = require("node:fs");
+    import_promises3 = require("node:fs/promises");
     init_paste_input();
     init_boot_ui();
     init_config();