erosolar-cli 2.1.241 → 2.1.243

package/dist/core/agentOrchestrator.js

@@ -1,5 +1,6 @@
 import { TASK_FULLY_COMPLETE } from './constants.js';
 import { TaskCompletionDetector } from './taskCompletionDetector.js';
+import { planAttackChain, selectNextTechnique, executeTechniqueInChain, techniqueRegistry, parseNaturalLanguageIntent, validateAuthorizationContext, } from '../tools/tao/index.js';
 /**
  * Single-pass orchestration: drive the agent to finish as much as possible
  * in one go, with strong bias toward real actions over planning.
@@ -10,6 +11,42 @@ export class AgentOrchestrator {
         this.agent = agent;
     }
     async runToCompletion(request, options) {
+        // Early safety check for potentially harmful requests
+        const harmfulCheck = this.checkForHarmfulRequest(request);
+        if (harmfulCheck.isHarmful) {
+            return {
+                finalResponse: harmfulCheck.response,
+                toolsUsed: [],
+                planOnly: false,
+                tookAction: false,
+                completion: {
+                    isComplete: true,
+                    confidence: 1.0,
+                    signals: {
+                        hasExplicitCompletionStatement: true,
+                        hasIncompleteWorkIndicators: false,
+                        hasPendingActionIndicators: false,
+                        hasErrorIndicators: false,
+                        hasFollowUpQuestions: false,
+                        toolsUsedInLastResponse: 0,
+                        lastToolWasReadOnly: false,
+                        consecutiveResponsesWithoutTools: 0,
+                        hasRecentFileWrites: false,
+                        hasRecentCommits: false,
+                        todoItemsPending: 0,
+                        todoItemsCompleted: 0,
+                        mentionsFutureWork: false,
+                        completionConfidence: 1.0,
+                    },
+                    reason: 'Request declined for safety reasons',
+                    shouldVerify: false,
+                },
+                exitReason: 'refusal',
+                statusSummary: null,
+                limitations: [],
+                recommendations: [],
+            };
+        }
         const streaming = options?.streaming ?? true;
         const enforceActions = options?.enforceActions ?? true;
         const verificationMode = options?.verificationMode ?? 'auto';
@@ -52,15 +89,28 @@ export class AgentOrchestrator {
             if (attempt.exitReason === 'refusal') {
                 break;
             }
-            // Track consecutive no-progress attempts (no tools, no completion)
-            // Also treat refusal/blocked/empty as no-progress to prevent spin loops
+            // Track consecutive no-progress attempts
+            // Key insight: tool usage alone doesn't mean progress if the model is stuck
+            // or refusing. We need to detect actual forward momentum.
             const terminalNoProgress = attempt.exitReason === 'empty-response' ||
                 attempt.exitReason === 'no-action' ||
                 attempt.exitReason === 'blocked';
-            const hasProgress = attempt.toolsUsed.length > 0 ||
-                attempt.exitReason === 'complete' ||
+            // Detect response repetition - if we keep getting similar responses, we're stuck
+            // This catches cases where model calls tools but produces same reasoning/refusal
+            const responseFingerprint = this.computeResponseFingerprint(attempt.response);
+            const previousAttempt = attempts.length >= 2 ? attempts[attempts.length - 2] : undefined;
+            const isRepeatedResponse = previousAttempt !== undefined &&
+                this.computeResponseFingerprint(previousAttempt.response) === responseFingerprint &&
+                responseFingerprint !== '';
+            // Progress is considered made when:
+            // 1. Task is complete or needs verification
+            // 2. OR tools were used with a DIFFERENT response (model is working through the problem)
+            const isCompleting = attempt.exitReason === 'complete' ||
                 attempt.exitReason === 'verification-needed';
-            if (!hasProgress || terminalNoProgress) {
+            const isProgressingWithTools = attempt.toolsUsed.length > 0 && !isRepeatedResponse;
+            const hasRealProgress = isCompleting || isProgressingWithTools;
+            // No progress if: terminal state, no completion AND no tool progress, OR repeated response
+            if (terminalNoProgress || (!hasRealProgress && !isCompleting) || (isRepeatedResponse && !isCompleting)) {
                 consecutiveNoProgress++;
             }
             else {
@@ -366,18 +416,22 @@ ${actionLine}
         if (attempts.length >= maxAttempts) {
             return false;
         }
-        // AI safety refusal - never retry, respect the model's decision
-        if (exitReason === 'refusal') {
+        // Terminal states - never retry
+        if (exitReason === 'refusal' || exitReason === 'complete') {
             return false;
         }
-        // Detect stuck loops early - if we have 2+ consecutive attempts with no tools, stop
-        // This catches cases where the model refuses silently or returns empty/no-action repeatedly
+        // Detect stuck loops early - if we have 2+ consecutive attempts without completion, stop
+        // This catches cases where the model refuses silently, calls tools without progress,
+        // or returns empty/no-action repeatedly
         if (attempts.length >= 2) {
             const recentAttempts = attempts.slice(-2);
-            const allNoProgress = recentAttempts.every(a => a.toolsUsed.length === 0 &&
-                (a.exitReason === 'empty-response' || a.exitReason === 'no-action' || a.exitReason === 'incomplete'));
-            if (allNoProgress) {
-                return false; // Stuck in a loop with no progress
+            const allNoCompletion = recentAttempts.every(a => a.exitReason !== 'complete' && a.exitReason !== 'verification-needed');
+            if (allNoCompletion) {
+                // Check if responses are similar (stuck in a loop)
+                const fingerprints = recentAttempts.map(a => this.computeResponseFingerprint(a.response));
+                if (fingerprints[0] === fingerprints[1] && fingerprints[0] !== '') {
+                    return false; // Stuck producing same response
+                }
             }
         }
         // Allow recovery attempts for common failure modes before giving up
@@ -397,12 +451,16 @@ ${actionLine}
             const blockedResponses = attempts.filter((a) => a.exitReason === 'blocked').length;
             return blockedResponses < 2;
         }
-        // Detect repetition loops - if last 3 attempts had no new tool usage, stop
-        if (exitReason === 'incomplete' && attempts.length >= 3) {
-            const recentAttempts = attempts.slice(-3);
-            const allNoTools = recentAttempts.every(a => a.toolsUsed.length === 0);
-            if (allNoTools) {
-                return false; // Stuck in a loop with no progress
+        // Detect tool loops - if last 2 attempts used tools, are incomplete, AND produced similar responses
+        if (exitReason === 'incomplete' && attempts.length >= 2) {
+            const recentAttempts = attempts.slice(-2);
+            const allIncomplete = recentAttempts.every(a => a.exitReason === 'incomplete' && a.toolsUsed.length > 0);
+            if (allIncomplete) {
+                // Only stop if responses are also similar (model is stuck in a pattern)
+                const fingerprints = recentAttempts.map(a => this.computeResponseFingerprint(a.response));
+                if (fingerprints[0] === fingerprints[1] && fingerprints[0] !== '') {
+                    return false; // Same response pattern with tools - stuck in a loop
+                }
             }
         }
         return exitReason === 'incomplete';
@@ -711,6 +769,22 @@ ${actionLine}
             return 0;
         return text.trim().split(/\s+/).length;
     }
+    /**
+     * Compute a simple fingerprint of a response for repetition detection.
+     * Normalizes whitespace and takes first N significant words to detect
+     * when the model is producing the same response repeatedly.
+     */
+    computeResponseFingerprint(response) {
+        if (!response?.trim())
+            return '';
+        // Normalize: lowercase, collapse whitespace, take first 200 chars
+        const normalized = response.toLowerCase().replace(/\s+/g, ' ').trim();
+        // Extract key content - skip common filler words
+        const words = normalized.split(' ')
+            .filter(w => w.length > 3)
+            .slice(0, 30);
+        return words.join(' ');
+    }
     /**
      * Detects when a response is sufficiently detailed to stand on its own,
      * avoiding false "incomplete" flags for thorough answers without explicit
@@ -725,5 +799,406 @@ ${actionLine}
         const threshold = options.tookAction ? 80 : 120;
         return options.wordCount >= threshold;
     }
+    /**
+     * Early safety check for potentially harmful requests.
+     * Returns immediately with a helpful response instead of looping.
+     *
+     * This catches obvious cases before the model even processes them,
+     * preventing wasted compute and infinite "thinking" loops.
+     */
+    checkForHarmfulRequest(request) {
+        const lower = request.toLowerCase();
+        // Known major companies/services that should NEVER be attacked without explicit authorization
+        const protectedTargets = [
+            'google', 'microsoft', 'apple', 'amazon', 'meta', 'facebook',
+            'twitter', 'x.com', 'linkedin', 'github', 'gitlab', 'netflix',
+            'spotify', 'openai', 'anthropic', 'cloudflare', 'aws', 'azure',
+            'gcp', 'oracle', 'ibm', 'cisco', 'adobe', 'salesforce', 'slack',
+            'zoom', 'dropbox', 'paypal', 'stripe', 'visa', 'mastercard',
+        ];
+        // Action words that indicate malicious intent
+        const maliciousActions = [
+            'attack', 'hack', 'pwn', 'exploit', 'compromise', 'breach',
+            'ddos', 'dos', 'flood', 'crash', 'destroy', 'deface',
+            'steal', 'exfiltrate', 'dump', 'leak',
+        ];
+        // Check for combined patterns: malicious action + protected target
+        const hasMaliciousAction = maliciousActions.some(action => lower.includes(action));
+        const hasProtectedTarget = protectedTargets.some(target => lower.includes(target));
+        // Only trigger for clear cases of unauthorized attacks
+        if (hasMaliciousAction && hasProtectedTarget) {
+            // Check for legitimate contexts that override this
+            const legitimateContexts = [
+                'ctf', 'capture the flag', 'hackthebox', 'tryhackme',
+                'lab', 'sandbox', 'authorized', 'pentest', 'penetration test',
+                'bug bounty', 'scope', 'engagement', 'test environment',
+            ];
+            const hasLegitimateContext = legitimateContexts.some(ctx => lower.includes(ctx));
+            if (!hasLegitimateContext) {
+                return {
+                    isHarmful: true,
+                    response: `I can't help with unauthorized attacks against production systems or services.
+
+For legitimate security work, I can help with:
+• **CTF challenges** - Specify the CTF platform or challenge name
+• **Authorized pentests** - Share the scope document or confirm you have written authorization
+• **Bug bounty** - Confirm the target is in scope for a bug bounty program
+• **Lab environments** - Specify it's a personal lab, HackTheBox, TryHackMe, etc.
+• **Security research** - Describe the defensive or educational purpose
+
+What authorized security work can I help you with?`,
+                };
+            }
+        }
+        // Also catch generic "attack everything" requests without any target
+        if (hasMaliciousAction && !lower.includes('ctf') && !lower.includes('lab')) {
+            const veryGenericPatterns = [
+                /attack\s+(any|random|all)/i,
+                /hack\s+(into|the|any)/i,
+                /ddos\s+(the|any|all)/i,
+            ];
+            if (veryGenericPatterns.some(p => p.test(request))) {
+                return {
+                    isHarmful: true,
+                    response: `I need more context about what you're trying to accomplish.
+
+If this is for:
+• **CTF/Competition** - What platform or challenge?
+• **Learning** - What concept are you trying to understand?
+• **Authorized testing** - What's the scope and authorization?
+
+Please provide context so I can help appropriately.`,
+                };
+            }
+        }
+        return { isHarmful: false, response: '' };
+    }
+    // ═══════════════════════════════════════════════════════════════════════════════
+    // ATTACK CHAIN EXECUTION
+    // ═══════════════════════════════════════════════════════════════════════════════
+    /**
+     * Detect if a request should trigger attack chain execution.
+     * Uses natural language parsing to identify security operation intents.
+     */
+    shouldExecuteAttackChain(request, mode = 'auto') {
+        if (mode === 'disabled') {
+            return { shouldExecute: false, intent: null };
+        }
+        if (mode === 'forced') {
+            const intent = parseNaturalLanguageIntent(request);
+            return { shouldExecute: true, intent };
+        }
+        // Auto mode: parse intent and check for security operations
+        const intent = parseNaturalLanguageIntent(request);
+        const securityActions = ['recon', 'scan', 'enumerate', 'exploit', 'extract', 'test', 'monitor'];
+        const isSecurityOp = securityActions.includes(intent.action);
+        const hasTargets = intent.targets.length > 0;
+        return {
+            shouldExecute: isSecurityOp && hasTargets,
+            intent: isSecurityOp ? intent : null,
+        };
+    }
+    /**
+     * Validate authorization context for attack chain execution.
+     * Ensures proper authorization before executing security techniques.
+     */
+    validateAttackAuthorization(intent, authContext) {
+        // Use the TAO authorization validator
+        const validation = validateAuthorizationContext(intent);
+        // Additional checks for protected targets
+        const protectedTargets = [
+            'google.com', 'microsoft.com', 'apple.com', 'amazon.com',
+            'facebook.com', 'twitter.com', 'github.com',
+        ];
+        const targetingProtected = intent.targets.some(t => protectedTargets.some(pt => t.toLowerCase().includes(pt)));
+        if (targetingProtected && !validation.valid) {
+            return {
+                authorized: false,
+                reason: 'Targeting protected production systems without explicit authorization',
+                warnings: [
+                    'Protected targets detected. Provide CTF/lab context or authorization scope.',
+                    ...validation.warnings,
+                ],
+            };
+        }
+        // Check for explicit authorization context
+        if (authContext) {
+            const authorizedContexts = ['ctf', 'lab', 'pentest', 'bug-bounty', 'authorized'];
+            const hasExplicitAuth = authorizedContexts.some(ctx => authContext.toLowerCase().includes(ctx));
+            if (hasExplicitAuth) {
+                return {
+                    authorized: true,
+                    reason: `Explicit authorization: ${authContext}`,
+                    warnings: validation.warnings,
+                };
+            }
+        }
+        return {
+            authorized: validation.valid,
+            reason: validation.type,
+            warnings: validation.warnings,
+        };
+    }
+    /**
+     * Execute an attack chain with TAO techniques.
+     * Returns results including all executed techniques and artifacts.
+     */
+    async executeAttackChain(request, options = {}) {
+        const intent = parseNaturalLanguageIntent(request);
+        const targets = options.targets ?? intent.targets;
+        // Normalize depth - map 'comprehensive' to 'deep'
+        const rawDepth = options.depth ?? intent.depth;
+        const depth = rawDepth === 'comprehensive' ? 'deep' : rawDepth;
+        const stealth = options.stealth ?? intent.constraints.includes('stealth');
+        // Validate authorization
+        const auth = this.validateAttackAuthorization(intent, options.authContext);
+        if (!auth.authorized) {
+            throw new Error(`Attack chain execution not authorized: ${auth.reason}`);
+        }
+        const executedTechniques = [];
+        const phasesCompleted = new Set();
+        const startTime = Date.now();
+        // Execute chain for each target
+        for (const target of targets) {
+            const chain = planAttackChain(intent, `Attack chain: ${target}`);
+            while (chain.state === 'planning' || chain.state === 'executing') {
+                const action = selectNextTechnique(chain);
+                if (!action)
+                    break;
+                const technique = techniqueRegistry.get(action.id);
+                if (!technique)
+                    continue;
+                const params = {
+                    target,
+                    depth,
+                    stealth,
+                    timeout: depth === 'deep' ? 60000 : depth === 'standard' ? 30000 : 10000,
+                    context: {
+                        chainId: chain.id,
+                        phase: technique.phase,
+                        previousArtifacts: executedTechniques
+                            .filter(t => t.success)
+                            .flatMap(t => t.artifacts),
+                    },
+                };
+                try {
+                    const { result } = await executeTechniqueInChain(chain, action, params);
+                    executedTechniques.push({
+                        id: technique.id,
+                        name: technique.name,
+                        phase: technique.phase,
+                        success: result.success,
+                        duration: result.duration,
+                        artifacts: result.artifacts,
+                    });
+                    if (result.success) {
+                        phasesCompleted.add(technique.phase);
+                    }
+                    options.onProgress?.(chain, technique.id, result);
+                }
+                catch (err) {
+                    // Log but continue chain execution
+                    executedTechniques.push({
+                        id: technique.id,
+                        name: technique.name,
+                        phase: technique.phase,
+                        success: false,
+                        duration: 0,
+                        artifacts: [{ type: 'error', data: String(err) }],
+                    });
+                }
+            }
+        }
+        const successCount = executedTechniques.filter(t => t.success).length;
+        return {
+            chain: planAttackChain(intent, request), // Return final chain state
+            techniques: executedTechniques,
+            totalDuration: Date.now() - startTime,
+            successRate: executedTechniques.length > 0
+                ? successCount / executedTechniques.length
+                : 0,
+            phasesCompleted: Array.from(phasesCompleted),
+        };
+    }
+    /**
+     * Run orchestration with optional attack chain integration.
+     * When attack chain mode is enabled, security operations are executed
+     * directly through TAO techniques rather than relying on LLM tool calls.
+     */
+    async runWithAttackChain(request, options = {}) {
+        const attackChainMode = options.attackChainMode ?? 'auto';
+        // Check if we should execute attack chain
+        const { shouldExecute, intent } = this.shouldExecuteAttackChain(request, attackChainMode);
+        if (!shouldExecute || !intent) {
+            // Fall back to normal orchestration
+            return this.runToCompletion(request, options);
+        }
+        // Validate authorization
+        const auth = this.validateAttackAuthorization(intent, options.authorizationContext);
+        if (!auth.authorized) {
+            return {
+                finalResponse: `Cannot execute security operation: ${auth.reason}\n\n${auth.warnings.join('\n')}`,
+                toolsUsed: [],
+                planOnly: false,
+                tookAction: false,
+                completion: {
+                    isComplete: true,
+                    confidence: 1.0,
+                    signals: {
+                        hasExplicitCompletionStatement: true,
+                        hasIncompleteWorkIndicators: false,
+                        hasPendingActionIndicators: false,
+                        hasErrorIndicators: false,
+                        hasFollowUpQuestions: false,
+                        toolsUsedInLastResponse: 0,
+                        lastToolWasReadOnly: false,
+                        consecutiveResponsesWithoutTools: 0,
+                        hasRecentFileWrites: false,
+                        hasRecentCommits: false,
+                        todoItemsPending: 0,
+                        todoItemsCompleted: 0,
+                        mentionsFutureWork: false,
+                        completionConfidence: 1.0,
+                    },
+                    reason: 'Authorization required',
+                    shouldVerify: false,
+                },
+                exitReason: 'attack-chain-aborted',
+                statusSummary: `Authorization required: ${auth.reason}`,
+                limitations: auth.warnings,
+                recommendations: [
+                    'Provide explicit authorization context (CTF, lab, pentest scope)',
+                    'Use --auth-context flag to specify authorization',
+                ],
+            };
+        }
+        // Execute attack chain
+        try {
+            // Normalize depth for attack chain
+            const attackRawDepth = options.attackDepth ?? intent.depth;
+            const attackDepth = attackRawDepth === 'comprehensive' ? 'deep' : attackRawDepth;
+            const chainResult = await this.executeAttackChain(request, {
+                targets: options.attackTargets ?? intent.targets,
+                depth: attackDepth,
+                stealth: options.stealthMode ?? intent.constraints.includes('stealth'),
+                authContext: options.authorizationContext,
+                onProgress: options.onAttackChainProgress,
+            });
+            // Build response summary
+            const summary = this.buildAttackChainSummary(chainResult);
+            return {
+                finalResponse: summary,
+                toolsUsed: chainResult.techniques.map(t => t.id),
+                planOnly: false,
+                tookAction: true,
+                completion: {
+                    isComplete: true,
+                    confidence: chainResult.successRate,
+                    signals: {
+                        hasExplicitCompletionStatement: true,
+                        hasIncompleteWorkIndicators: false,
+                        hasPendingActionIndicators: false,
+                        hasErrorIndicators: chainResult.successRate < 0.5,
+                        hasFollowUpQuestions: false,
+                        toolsUsedInLastResponse: chainResult.techniques.length,
+                        lastToolWasReadOnly: false,
+                        consecutiveResponsesWithoutTools: 0,
+                        hasRecentFileWrites: false,
+                        hasRecentCommits: false,
+                        todoItemsPending: 0,
+                        todoItemsCompleted: chainResult.techniques.length,
+                        mentionsFutureWork: false,
+                        completionConfidence: chainResult.successRate,
+                    },
+                    reason: 'Attack chain completed',
+                    shouldVerify: chainResult.successRate < 1.0,
+                },
+                exitReason: 'attack-chain-complete',
+                statusSummary: `Attack chain: ${chainResult.techniques.length} techniques, ${Math.round(chainResult.successRate * 100)}% success`,
+                limitations: [],
+                recommendations: chainResult.successRate < 1.0
+                    ? ['Review failed techniques and adjust approach']
+                    : [],
+                attackChainResult: chainResult,
+            };
+        }
+        catch (err) {
+            return {
+                finalResponse: `Attack chain execution failed: ${String(err)}`,
+                toolsUsed: [],
+                planOnly: false,
+                tookAction: false,
+                completion: {
+                    isComplete: true,
+                    confidence: 0,
+                    signals: {
+                        hasExplicitCompletionStatement: true,
+                        hasIncompleteWorkIndicators: false,
+                        hasPendingActionIndicators: false,
+                        hasErrorIndicators: true,
+                        hasFollowUpQuestions: false,
+                        toolsUsedInLastResponse: 0,
+                        lastToolWasReadOnly: false,
+                        consecutiveResponsesWithoutTools: 0,
+                        hasRecentFileWrites: false,
+                        hasRecentCommits: false,
+                        todoItemsPending: 0,
+                        todoItemsCompleted: 0,
+                        mentionsFutureWork: false,
+                        completionConfidence: 0,
+                    },
+                    reason: `Error: ${String(err)}`,
+                    shouldVerify: false,
+                },
+                exitReason: 'attack-chain-aborted',
+                statusSummary: `Attack chain failed: ${String(err)}`,
+                limitations: [String(err)],
+                recommendations: ['Check target connectivity', 'Verify authorization context'],
+            };
+        }
+    }
+    /**
+     * Build a human-readable summary of attack chain execution.
+     */
+    buildAttackChainSummary(result) {
+        const lines = [];
+        lines.push('## Attack Chain Execution Summary\n');
+        // Overall stats
+        lines.push(`**Duration:** ${Math.round(result.totalDuration / 1000)}s`);
+        lines.push(`**Success Rate:** ${Math.round(result.successRate * 100)}%`);
+        lines.push(`**Phases Completed:** ${result.phasesCompleted.join(', ')}\n`);
+        // Technique breakdown
+        lines.push('### Techniques Executed\n');
+        const byPhase = new Map();
+        for (const tech of result.techniques) {
+            const list = byPhase.get(tech.phase) || [];
+            list.push(tech);
+            byPhase.set(tech.phase, list);
+        }
+        for (const [phase, techniques] of byPhase) {
+            lines.push(`#### ${phase}`);
+            for (const tech of techniques) {
+                const status = tech.success ? '✓' : '✗';
+                lines.push(`- ${status} **${tech.name}** (${Math.round(tech.duration / 1000)}s)`);
+                if (tech.artifacts.length > 0) {
+                    lines.push(`  - Artifacts: ${tech.artifacts.length} collected`);
+                }
+            }
+            lines.push('');
+        }
+        // Artifacts summary
+        const allArtifacts = result.techniques.flatMap(t => t.artifacts);
+        if (allArtifacts.length > 0) {
+            lines.push('### Collected Artifacts\n');
+            const artifactsByType = new Map();
+            for (const artifact of allArtifacts) {
+                artifactsByType.set(artifact.type, (artifactsByType.get(artifact.type) || 0) + 1);
+            }
+            for (const [type, count] of artifactsByType) {
+                lines.push(`- **${type}:** ${count}`);
+            }
+        }
+        return lines.join('\n');
+    }
 }
 //# sourceMappingURL=agentOrchestrator.js.map