npm - pentesting - Versions diffs - 0.14.1 → 0.16.2 - Mend

pentesting 0.14.1 → 0.16.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/README.md +105 -21
package/dist/main.js +3103 -0
package/package.json +8 -8
package/dist/chunk-3RG5ZIWI.js +0 -10
package/dist/chunk-5KIJPRTS.js +0 -832
package/dist/chunk-M2IFHZDV.js +0 -602
package/dist/index.js +0 -18815
package/dist/skill-NGH4KQUH.js +0 -611
package/dist/web-search-IOD4SUIR.js +0 -49
package/src/agents/specs/crypto.yaml +0 -79
package/src/agents/specs/default.yaml +0 -60
package/src/agents/specs/exploit.yaml +0 -70
package/src/agents/specs/privesc.yaml +0 -83
package/src/agents/specs/recon.yaml +0 -65
package/src/agents/specs/web.yaml +0 -73
/package/dist/{index.d.ts → main.d.ts} +0 -0

package/dist/main.js ADDED Viewed

@@ -0,0 +1,3103 @@
+#!/usr/bin/env node
+// src/platform/tui/main.tsx
+import { render } from "ink";
+import { Command } from "commander";
+import chalk from "chalk";
+import gradient from "gradient-string";
+// src/platform/tui/app.tsx
+import { useState, useEffect, useCallback, useRef } from "react";
+import { Box as Box2, Text as Text2, useInput, useApp, Static } from "ink";
+import TextInput from "ink-text-input";
+import Spinner from "ink-spinner";
+// src/shared/constants/agent.ts
+var AGENT_LIMITS = {
+  /** Maximum number of iterations before stopping */
+  MAX_ITERATIONS: 50,
+  /** Maximum number of retries for failed tool execution */
+  MAX_RETRIES: 3,
+  /** Maximum tokens for LLM response */
+  MAX_TOKENS: 4096
+};
+var DISPLAY_LIMITS = {
+  /** Maximum characters for console output summary */
+  OUTPUT_SUMMARY: 200,
+  /** Maximum characters for thought display */
+  THOUGHT_SNIPPET: 100,
+  /** Maximum characters for tool input display */
+  TOOL_INPUT_SNIPPET: 100,
+  /** Maximum characters for final response preview */
+  RESPONSE_PREVIEW: 200,
+  /** Maximum items to display in summary lists */
+  SUMMARY_LIST_ITEMS: 10,
+  /** Maximum items to display in compact lists */
+  COMPACT_LIST_ITEMS: 7
+};
+var ID_LENGTH = 7;
+var ID_RADIX = 36;
+var APP_NAME = "Pentest AI";
+var APP_VERSION = "0.15.0";
+var APP_DESCRIPTION = "Autonomous Penetration Testing AI Agent";
+// src/shared/constants/protocol.ts
+var PHASES = {
+  RECON: "recon",
+  VULN_ANALYSIS: "vulnerability_analysis",
+  EXPLOIT: "exploit",
+  POST_EXPLOIT: "post_exploitation",
+  PRIV_ESC: "privilege_escalation",
+  LATERAL: "lateral_movement",
+  PERSISTENCE: "persistence",
+  EXFIL: "exfiltration",
+  REPORT: "report"
+};
+var AGENT_ROLES = {
+  ORCHESTRATOR: "orchestrator",
+  RECON: "recon",
+  WEB: "web",
+  EXPLOTER: "exploit",
+  DATABASE: "database",
+  INFRA: "infra"
+};
+var SERVICES = {
+  HTTP: "http",
+  HTTPS: "https",
+  SSH: "ssh",
+  FTP: "ftp",
+  SMB: "smb",
+  AD: "ad",
+  MYSQL: "mysql",
+  MSSQL: "mssql",
+  POSTGRES: "postgresql",
+  MONGODB: "mongodb",
+  REDIS: "redis",
+  ELASTIC: "elasticsearch",
+  API: "api"
+};
+var SERVICE_CATEGORIES = {
+  NETWORK: "network",
+  WEB: "web",
+  DATABASE: "database",
+  AD: "ad",
+  EMAIL: "email",
+  REMOTE_ACCESS: "remote_access",
+  FILE_SHARING: "file_sharing",
+  CLOUD: "cloud",
+  CONTAINER: "container",
+  API: "api",
+  WIRELESS: "wireless",
+  ICS: "ics"
+};
+var APPROVAL_LEVELS = {
+  AUTO: "auto",
+  CONFIRM: "confirm",
+  REVIEW: "review",
+  BLOCK: "block"
+};
+var DANGER_LEVELS = {
+  PASSIVE: "passive",
+  ACTIVE: "active",
+  EXPLOIT: "exploit"
+};
+var TOOL_NAMES = {
+  // Basic Tools
+  RUN_CMD: "run_cmd",
+  READ_FILE: "read_file",
+  WRITE_FILE: "write_file",
+  // Mid-level Tools
+  PARSE_NMAP: "parse_nmap",
+  SEARCH_CVE: "search_cve",
+  WEB_SEARCH: "web_search",
+  EXTRACT_URLS: "extract_urls",
+  // High-level / Engine Tools
+  SPAWN_SUB: "spawn_sub",
+  ADD_FINDING: "add_finding",
+  UPDATE_TODO: "update_todo",
+  GET_STATE: "get_state",
+  SET_SCOPE: "set_scope",
+  ADD_TARGET: "add_target",
+  ASK_USER: "ask_user",
+  HELP: "help",
+  // Database Specialized
+  SQLMAP_BASIC: "sqlmap_basic",
+  SQLMAP_ADVANCED: "sqlmap_advanced",
+  MYSQL_ENUM: "mysql_enum",
+  POSTGRES_ENUM: "postgres_enum",
+  REDIS_ENUM: "redis_enum",
+  DB_BRUTE: "db_brute_common",
+  // Network Specialized
+  NMAP_QUICK: "nmap_quick",
+  NMAP_FULL: "nmap_full",
+  RUSTSCAN: "rustscan_fast",
+  // Web Specialized
+  HTTP_FINGERPRINT: "http_fingerprint",
+  WAF_DETECT: "waf_detect",
+  DIRSEARCH: "dirsearch",
+  NUCLEI_WEB: "nuclei_web",
+  // AD Specialized
+  BLOODHOUND_COLLECT: "bloodhound_collect",
+  KERBEROAST: "kerberoast",
+  LDAP_ENUM: "ldap_enum",
+  // API Specialized
+  API_DISCOVER: "api_discover",
+  GRAPHQL_INTROSPECT: "graphql_introspect",
+  SWAGGER_PARSE: "swagger_parse",
+  API_FUZZ: "api_fuzz",
+  // Cloud Specialized
+  AWS_S3_CHECK: "aws_s3_check",
+  CLOUD_META_CHECK: "cloud_meta_check",
+  // Container Specialized
+  DOCKER_PS: "docker_ps",
+  KUBE_GET_PODS: "kube_get_pods",
+  // Service Enumeration
+  SMTP_ENUM: "smtp_enum",
+  FTP_ENUM: "ftp_enum",
+  SMB_ENUM: "smb_enum",
+  MODBUS_ENUM: "modbus_enum",
+  SSH_ENUM: "ssh_enum",
+  RDP_ENUM: "rdp_enum",
+  WIFI_SCAN: "wifi_scan"
+};
+var TODO_STATUSES = {
+  PENDING: "pending",
+  IN_PROGRESS: "in_progress",
+  DONE: "done",
+  SKIPPED: "skipped"
+};
+var TODO_ACTIONS = {
+  ADD: "add",
+  COMPLETE: "complete",
+  REMOVE: "remove"
+};
+var CORE_BINARIES = {
+  NMAP: "nmap",
+  MASSCAN: "masscan",
+  NUCLEI: "nuclei",
+  NIKTO: "nikto",
+  FFUF: "ffuf",
+  GOBUSTER: "gobuster",
+  SQLMAP: "sqlmap",
+  METASPLOIT: "msfconsole"
+};
+var PRIORITIES = {
+  HIGH: "high",
+  MEDIUM: "medium",
+  LOW: "low"
+};
+var NOISE_LEVELS = {
+  LOW: "low",
+  MEDIUM: "medium",
+  HIGH: "high"
+};
+// src/engine/state.ts
+var SharedState = class {
+  data;
+  constructor() {
+    this.data = {
+      engagement: null,
+      targets: /* @__PURE__ */ new Map(),
+      findings: [],
+      loot: [],
+      todo: [],
+      actionLog: [],
+      currentPhase: PHASES.RECON
+    };
+  }
+  // Engagement
+  setEngagement(engagement) {
+    this.data.engagement = engagement;
+  }
+  getEngagement() {
+    return this.data.engagement;
+  }
+  // Scope
+  getScope() {
+    return this.data.engagement?.scope || null;
+  }
+  setScope(scope) {
+    if (this.data.engagement) {
+      this.data.engagement.scope = scope;
+    } else {
+      this.data.engagement = {
+        id: Math.random().toString(36).slice(2, 10),
+        name: "auto-engagement",
+        client: "unknown",
+        scope,
+        phase: this.data.currentPhase,
+        startedAt: Date.now()
+      };
+    }
+  }
+  // Targets
+  addTarget(target) {
+    this.data.targets.set(target.ip, target);
+  }
+  getTarget(ip) {
+    return this.data.targets.get(ip);
+  }
+  getAllTargets() {
+    return Array.from(this.data.targets.values());
+  }
+  getTargets() {
+    return this.data.targets;
+  }
+  /**
+   * Update target with service fingerprint
+   */
+  addServiceFingerprint(ip, fingerprint) {
+    const target = this.getTarget(ip);
+    if (target) {
+      if (!target.services) {
+        target.services = [];
+      }
+      target.services.push(fingerprint);
+      target.primaryCategory = this.getMostCommonCategory(target.services);
+    }
+  }
+  /**
+   * Get most common service category for target
+   */
+  getMostCommonCategory(services) {
+    const counts = /* @__PURE__ */ new Map();
+    for (const s of services) {
+      counts.set(s.category, (counts.get(s.category) || 0) + 1);
+    }
+    let max = 0;
+    let result = SERVICE_CATEGORIES.NETWORK;
+    for (const [cat, count] of counts) {
+      if (count > max) {
+        max = count;
+        result = cat;
+      }
+    }
+    return result;
+  }
+  /**
+   * Get targets by category
+   */
+  getTargetsByCategory(category) {
+    return this.getAllTargets().filter(
+      (t) => t.primaryCategory === category || t.services?.some((s) => s.category === category)
+    );
+  }
+  /**
+   * Get high-risk targets
+   */
+  getHighRiskTargets() {
+    const highRisk = [SERVICE_CATEGORIES.ICS, SERVICE_CATEGORIES.AD, SERVICE_CATEGORIES.DATABASE, SERVICE_CATEGORIES.CLOUD, SERVICE_CATEGORIES.CONTAINER];
+    return this.getAllTargets().filter(
+      (t) => highRisk.includes(t.primaryCategory || SERVICE_CATEGORIES.NETWORK)
+    );
+  }
+  // Findings
+  addFinding(finding) {
+    this.data.findings.push(finding);
+  }
+  getFindings() {
+    return this.data.findings;
+  }
+  getFindingsBySeverity(severity) {
+    return this.data.findings.filter((f) => f.severity === severity);
+  }
+  /**
+   * Get findings by category
+   */
+  getFindingsByCategory(category) {
+    return this.data.findings.filter((f) => f.category === category);
+  }
+  /**
+   * Get findings by attack tactic
+   */
+  getFindingsByTactic(tactic) {
+    return this.data.findings.filter((f) => f.attackPattern === tactic);
+  }
+  /**
+   * Get verified findings only
+   */
+  getVerifiedFindings() {
+    return this.data.findings.filter((f) => f.verified);
+  }
+  /**
+   * Get findings with available exploits
+   */
+  getExploitableFindings() {
+    return this.data.findings.filter((f) => f.exploitAvailable === true);
+  }
+  /**
+   * Get chainable findings (attack chains)
+   */
+  getChainableFindings() {
+    const chains = /* @__PURE__ */ new Map();
+    for (const f of this.data.findings) {
+      if (f.chainable && f.chainable.length > 0) {
+        chains.set(f.id, [f, ...this.data.findings.filter((o) => f.chainable?.includes(o.id))]);
+      }
+    }
+    return chains;
+  }
+  // Loot
+  addLoot(loot) {
+    this.data.loot.push(loot);
+  }
+  getLoot() {
+    return this.data.loot;
+  }
+  /**
+   * Get loot by category
+   */
+  getLootByCategory(category) {
+    return this.data.loot.filter((l) => l.category === category);
+  }
+  /**
+   * Get loot by type
+   */
+  getLootByType(type) {
+    return this.data.loot.filter((l) => l.type === type);
+  }
+  /**
+   * Get crackable loot (hashes, tickets)
+   */
+  getCrackableLoot() {
+    return this.data.loot.filter((l) => l.crackable === true && !l.cracked);
+  }
+  // TODO List Management
+  addTodo(content, priority = "medium") {
+    const id = Math.random().toString(ID_RADIX).substring(ID_LENGTH);
+    const todo = {
+      id,
+      content,
+      status: TODO_STATUSES.PENDING,
+      priority
+    };
+    this.data.todo.push(todo);
+    return id;
+  }
+  updateTodo(id, updates) {
+    const index = this.data.todo.findIndex((t) => t.id === id);
+    if (index !== -1) {
+      this.data.todo[index] = { ...this.data.todo[index], ...updates };
+    }
+  }
+  getTodo() {
+    return this.data.todo;
+  }
+  completeTodo(id) {
+    this.updateTodo(id, { status: TODO_STATUSES.DONE });
+  }
+  // Action Log
+  logAction(action) {
+    const log = {
+      id: Math.random().toString(ID_RADIX).substring(ID_LENGTH),
+      timestamp: Date.now(),
+      ...action
+    };
+    this.data.actionLog.push(log);
+  }
+  getRecentActions(count = DISPLAY_LIMITS.COMPACT_LIST_ITEMS) {
+    return this.data.actionLog.slice(-count);
+  }
+  getActionLog() {
+    return this.data.actionLog;
+  }
+  // Phase
+  setPhase(phase) {
+    this.data.currentPhase = phase;
+  }
+  getPhase() {
+    return this.data.currentPhase;
+  }
+  // Export to prompt (minimal summary)
+  toPrompt() {
+    const lines = [];
+    if (this.data.engagement) {
+      lines.push(`Engagement: ${this.data.engagement.name} (${this.data.engagement.client})`);
+    }
+    const scope = this.getScope();
+    if (scope) {
+      lines.push(`Scope: CIDR=[${scope.allowedCidrs.join(", ")}] Domains=[${scope.allowedDomains.join(", ")}]`);
+    }
+    const targets = this.getAllTargets();
+    if (targets.length > 0) {
+      const byCategory = /* @__PURE__ */ new Map();
+      for (const t of targets) {
+        const cat = t.primaryCategory || SERVICE_CATEGORIES.NETWORK;
+        if (!byCategory.has(cat)) {
+          byCategory.set(cat, []);
+        }
+        byCategory.get(cat).push(t);
+      }
+      lines.push(`Targets (${targets.length}):`);
+      for (const [cat, catTargets] of byCategory) {
+        lines.push(`  [${cat}] ${catTargets.length} hosts`);
+        for (const t of catTargets.slice(0, 3)) {
+          const ports = t.ports.map((p) => `${p.port}/${p.service}`).join(", ");
+          lines.push(`    ${t.ip}${t.hostname ? ` (${t.hostname})` : ""}: ${ports || "unknown"}`);
+        }
+      }
+    }
+    const findings = this.getFindings();
+    if (findings.length > 0) {
+      const bySeverity = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
+      for (const f of findings) {
+        bySeverity[f.severity]++;
+      }
+      lines.push(`Findings: ${findings.length} total (crit:${bySeverity.critical} high:${bySeverity.high} medium:${bySeverity.medium})`);
+      const criticalHigh = findings.filter((f) => f.severity === "critical" || f.severity === "high");
+      if (criticalHigh.length > 0) {
+        lines.push(`  Critical/High:`);
+        for (const f of criticalHigh.slice(0, 5)) {
+          lines.push(`    [${f.severity.toUpperCase()}] ${f.title} (${f.category || "general"})`);
+        }
+      }
+    }
+    const loot = this.getLoot();
+    if (loot.length > 0) {
+      const byType = /* @__PURE__ */ new Map();
+      for (const l of loot) {
+        byType.set(l.type, (byType.get(l.type) || 0) + 1);
+      }
+      lines.push(`Loot: ${loot.length} items (${Array.from(byType.entries()).map(([t, c]) => `${t}:${c}`).join(", ")})`);
+    }
+    const todo = this.getTodo();
+    if (todo.length > 0) {
+      lines.push(`TODO (${todo.length}):`);
+      for (const t of todo.slice(0, DISPLAY_LIMITS.COMPACT_LIST_ITEMS)) {
+        const status = t.status === "done" ? "[x]" : t.status === "in_progress" ? "[->]" : "[ ]";
+        lines.push(`  ${status} ${t.content} (${t.priority})`);
+      }
+    }
+    lines.push(`Phase: ${this.getPhase()}`);
+    return lines.join("\n");
+  }
+};
+// src/engine/events.ts
+var AgentEventEmitter = class {
+  listeners = /* @__PURE__ */ new Map();
+  /**
+   * Subscribe to events
+   */
+  on(eventType, listener) {
+    if (!this.listeners.has(eventType)) {
+      this.listeners.set(eventType, []);
+    }
+    this.listeners.get(eventType).push(listener);
+  }
+  /**
+   * Subscribe to all events
+   */
+  onAny(listener) {
+    const allKey = "*";
+    if (!this.listeners.has(allKey)) {
+      this.listeners.set(allKey, []);
+    }
+    this.listeners.get(allKey).push(listener);
+  }
+  /**
+   * Unsubscribe from events
+   */
+  off(eventType, listener) {
+    const listeners = this.listeners.get(eventType);
+    if (listeners) {
+      const index = listeners.indexOf(listener);
+      if (index > -1) {
+        listeners.splice(index, 1);
+      }
+    }
+  }
+  /**
+   * Emit an event
+   */
+  emit(event) {
+    const listeners = this.listeners.get(event.type);
+    if (listeners) {
+      for (const listener of listeners) {
+        listener(event);
+      }
+    }
+    const anyListeners = this.listeners.get("*");
+    if (anyListeners) {
+      for (const listener of anyListeners) {
+        listener(event);
+      }
+    }
+  }
+  /**
+   * Remove all listeners
+   */
+  removeAllListeners() {
+    this.listeners.clear();
+  }
+  /**
+   * Get listener count for an event type
+   */
+  listenerCount(eventType) {
+    return this.listeners.get(eventType)?.length || 0;
+  }
+};
+// src/engine/scope.ts
+var ScopeGuard = class {
+  constructor(state) {
+    this.state = state;
+  }
+  /**
+   * Check if a tool call is within allowed scope
+   */
+  check(toolCall) {
+    const passiveTools = [
+      TOOL_NAMES.READ_FILE,
+      TOOL_NAMES.SEARCH_CVE,
+      TOOL_NAMES.PARSE_NMAP,
+      TOOL_NAMES.WEB_SEARCH,
+      TOOL_NAMES.ADD_FINDING,
+      TOOL_NAMES.UPDATE_TODO,
+      TOOL_NAMES.GET_STATE,
+      TOOL_NAMES.HELP
+    ];
+    if (passiveTools.includes(toolCall.name)) {
+      return { allowed: true };
+    }
+    const scope = this.state.getScope();
+    if (!scope) {
+      return { allowed: false, reason: "No scope defined. Use /scope to set allowed targets." };
+    }
+    let command = "";
+    if (toolCall.name === TOOL_NAMES.RUN_CMD) {
+      command = String(toolCall.input.command || "");
+    }
+    if (!command) {
+      return { allowed: true };
+    }
+    const targets = this.extractTargets(command);
+    const violations = [];
+    for (const target of targets) {
+      if (!this.isTargetInScope(target)) {
+        violations.push(target);
+      }
+    }
+    if (violations.length > 0) {
+      return {
+        allowed: false,
+        reason: `Target(s) outside approved scope: ${violations.join(", ")}`,
+        violations
+      };
+    }
+    return { allowed: true };
+  }
+  /**
+   * Public helper to check if a specific target is in scope
+   */
+  isTargetInScope(target) {
+    const scope = this.state.getScope();
+    if (!scope) return false;
+    if (scope.exclusions.some((e) => target === e || target.endsWith(`.${e}`))) {
+      return false;
+    }
+    if (scope.allowedDomains.some((d) => target === d)) {
+      return true;
+    }
+    if (scope.allowedCidrs.some((c) => this.matchesCidr(target, c))) {
+      return true;
+    }
+    return false;
+  }
+  /**
+   * Simple CIDR matching (IP-only for now)
+   */
+  matchesCidr(target, cidr) {
+    if (target === cidr) return true;
+    if (cidr.includes("/")) {
+      const [network, mask] = cidr.split("/");
+      if (mask === "24") {
+        const networkPrefix = network.split(".").slice(0, 3).join(".");
+        const targetPrefix = target.split(".").slice(0, 3).join(".");
+        return networkPrefix === targetPrefix;
+      }
+      if (mask === "8") {
+        const networkPrefix = network.split(".")[0];
+        const targetPrefix = target.split(".")[0];
+        return networkPrefix === targetPrefix;
+      }
+      if (mask === "16") {
+        const networkPrefix = network.split(".").slice(0, 2).join(".");
+        const targetPrefix = target.split(".").slice(0, 2).join(".");
+        return networkPrefix === targetPrefix;
+      }
+    }
+    return target === cidr;
+  }
+  /**
+   * Extract IPs and Domains from string
+   */
+  extractTargets(text) {
+    const targets = /* @__PURE__ */ new Set();
+    const ipv4Regex = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;
+    (text.match(ipv4Regex) || []).forEach((ip) => targets.add(ip));
+    const domainRegex = /\b[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,}\b/gi;
+    (text.match(domainRegex) || []).forEach((d) => targets.add(d.toLowerCase()));
+    return targets;
+  }
+};
+// src/engine/approval.ts
+var CATEGORY_APPROVAL = {
+  [SERVICE_CATEGORIES.NETWORK]: APPROVAL_LEVELS.CONFIRM,
+  [SERVICE_CATEGORIES.WEB]: APPROVAL_LEVELS.CONFIRM,
+  [SERVICE_CATEGORIES.DATABASE]: APPROVAL_LEVELS.REVIEW,
+  [SERVICE_CATEGORIES.AD]: APPROVAL_LEVELS.REVIEW,
+  [SERVICE_CATEGORIES.EMAIL]: APPROVAL_LEVELS.CONFIRM,
+  [SERVICE_CATEGORIES.REMOTE_ACCESS]: APPROVAL_LEVELS.REVIEW,
+  [SERVICE_CATEGORIES.FILE_SHARING]: APPROVAL_LEVELS.CONFIRM,
+  [SERVICE_CATEGORIES.CLOUD]: APPROVAL_LEVELS.REVIEW,
+  [SERVICE_CATEGORIES.CONTAINER]: APPROVAL_LEVELS.REVIEW,
+  [SERVICE_CATEGORIES.API]: APPROVAL_LEVELS.CONFIRM,
+  [SERVICE_CATEGORIES.WIRELESS]: APPROVAL_LEVELS.REVIEW,
+  [SERVICE_CATEGORIES.ICS]: APPROVAL_LEVELS.BLOCK
+};
+function getApprovalLevel(toolCall) {
+  if (toolCall.metadata?.approval) return toolCall.metadata.approval;
+  if (toolCall.metadata?.category) {
+    const categoryLevel = CATEGORY_APPROVAL[toolCall.metadata.category];
+    if (categoryLevel === APPROVAL_LEVELS.BLOCK) return APPROVAL_LEVELS.BLOCK;
+  }
+  const tool = toolCall.name;
+  const input = toolCall.input;
+  if (tool === TOOL_NAMES.RUN_CMD) {
+    const command = String(input.command || "").toLowerCase();
+    if (["whois", "dig", "curl -i"].some((p) => command.includes(p))) {
+      return APPROVAL_LEVELS.AUTO;
+    }
+    if ([CORE_BINARIES.NMAP, CORE_BINARIES.FFUF, CORE_BINARIES.NUCLEI].some((p) => command.includes(p))) {
+      if (toolCall.metadata?.category && CATEGORY_APPROVAL[toolCall.metadata.category] === APPROVAL_LEVELS.REVIEW) {
+        return APPROVAL_LEVELS.REVIEW;
+      }
+      return APPROVAL_LEVELS.CONFIRM;
+    }
+    if ([CORE_BINARIES.SQLMAP, CORE_BINARIES.METASPLOIT, "impacket"].some((p) => command.includes(p))) {
+      return APPROVAL_LEVELS.REVIEW;
+    }
+  }
+  const autoTools = [TOOL_NAMES.READ_FILE, TOOL_NAMES.SEARCH_CVE, TOOL_NAMES.PARSE_NMAP, TOOL_NAMES.WEB_SEARCH, TOOL_NAMES.ADD_FINDING];
+  if (autoTools.includes(tool)) return APPROVAL_LEVELS.AUTO;
+  return APPROVAL_LEVELS.CONFIRM;
+}
+var ApprovalGate = class {
+  constructor(autoApprove = false) {
+    this.autoApprove = autoApprove;
+  }
+  /**
+   * Set auto-approve mode
+   */
+  setAutoApprove(enabled) {
+    this.autoApprove = enabled;
+  }
+  async request(toolCall) {
+    if (this.autoApprove) return { approved: true, reason: "Auto-approve enabled" };
+    const level = getApprovalLevel(toolCall);
+    if (level === APPROVAL_LEVELS.AUTO) return { approved: true };
+    if (level === APPROVAL_LEVELS.BLOCK) return { approved: false, reason: "Policy blocked execution" };
+    return { approved: true, reason: `Auto-approved in non-interactive: ${toolCall.name}` };
+  }
+};
+// src/engine/tools-base.ts
+import { execFileSync } from "child_process";
+import { readFileSync, existsSync, writeFileSync, mkdirSync } from "fs";
+import { join } from "path";
+var DEFAULT_COMMAND_TIMEOUT = 3e4;
+async function runCommand(command, args = [], options = {}) {
+  try {
+    const parts = command.trim().split(/\s+/);
+    const execPath = parts[0];
+    const execArgs = [...parts.slice(1), ...args];
+    const result = execFileSync(execPath, execArgs, {
+      encoding: "utf-8",
+      stdio: "pipe",
+      timeout: DEFAULT_COMMAND_TIMEOUT,
+      ...options
+    });
+    return {
+      success: true,
+      output: result.toString().trim()
+    };
+  } catch (error) {
+    return {
+      success: false,
+      output: "",
+      error: error.message || String(error)
+    };
+  }
+}
+async function readFileContent(filePath) {
+  try {
+    if (!existsSync(filePath)) {
+      return {
+        success: false,
+        output: "",
+        error: `File not found: ${filePath}`
+      };
+    }
+    const content = readFileSync(filePath, "utf-8");
+    return {
+      success: true,
+      output: content
+    };
+  } catch (error) {
+    return {
+      success: false,
+      output: "",
+      error: error.message || String(error)
+    };
+  }
+}
+async function writeFileContent(filePath, content) {
+  try {
+    const dir = join(filePath, "..");
+    if (!existsSync(dir)) {
+      mkdirSync(dir, { recursive: true });
+    }
+    writeFileSync(filePath, content, "utf-8");
+    return {
+      success: true,
+      output: `Written to ${filePath}`
+    };
+  } catch (error) {
+    return {
+      success: false,
+      output: "",
+      error: error.message || String(error)
+    };
+  }
+}
+// src/engine/tools-mid.ts
+import { execFileSync as execFileSync2 } from "child_process";
+async function parseNmap(xmlPath) {
+  try {
+    const fileResult = await readFileContent(xmlPath);
+    if (!fileResult.success) {
+      return fileResult;
+    }
+    const xmlContent = fileResult.output;
+    const results = {
+      targets: [],
+      summary: { totalTargets: 0, openPorts: 0, servicesFound: 0 }
+    };
+    const hostRegex = /<host[^>]*>[\s\S]*?<\/host>/g;
+    const hosts = xmlContent.match(hostRegex) || [];
+    for (const hostBlock of hosts) {
+      const ipMatch = hostBlock.match(/<address[^>]*addr="([^"]+)"/);
+      const ip = ipMatch ? ipMatch[1] : "";
+      const hostnameMatch = hostBlock.match(/<hostname[^>]*name="([^"]+)"/);
+      const hostname = hostnameMatch ? hostnameMatch[1] : void 0;
+      const ports = [];
+      const portRegex = /<port[^>]*protocol="([^"]*)"[^>]*portid="(\d+)">[\s\S]*?<\/port>/g;
+      let portMatch;
+      while ((portMatch = portRegex.exec(hostBlock)) !== null) {
+        const protocol = portMatch[1];
+        const port = parseInt(portMatch[2]);
+        const stateMatch = portMatch[0].match(/<state[^>]*state="([^"]+)"/);
+        const state = stateMatch ? stateMatch[1] : "";
+        const serviceMatch = portMatch[0].match(/<service[^>]*name="([^"]*)"(?:[^>]*version="([^"]*)")?/);
+        const service = serviceMatch ? serviceMatch[1] : void 0;
+        const version = serviceMatch && serviceMatch[2] ? serviceMatch[2] : void 0;
+        if (state === "open") {
+          ports.push({ port, protocol, state, service, version });
+          results.summary.openPorts++;
+          if (service) results.summary.servicesFound++;
+        }
+      }
+      if (ip) {
+        results.targets.push({ ip, hostname, ports });
+        results.summary.totalTargets++;
+      }
+    }
+    return {
+      success: true,
+      output: JSON.stringify(results, null, 2)
+    };
+  } catch (error) {
+    return {
+      success: false,
+      output: "",
+      error: error.message || String(error)
+    };
+  }
+}
+async function searchCVE(service, version) {
+  try {
+    return searchExploitDB(service, version);
+  } catch (error) {
+    return {
+      success: false,
+      output: "",
+      error: error.message || String(error)
+    };
+  }
+}
+async function searchExploitDB(service, version) {
+  try {
+    const query = version ? `${service} ${version}` : service;
+    try {
+      const output = execFileSync2("searchsploit", [query, "--color", "never"], {
+        encoding: "utf-8",
+        stdio: ["ignore", "pipe", "pipe"],
+        timeout: 1e4
+      });
+      const lines = output.trim().split("\n").slice(0, 20);
+      return {
+        success: true,
+        output: lines.join("\n") || `No exploits found for ${query}`
+      };
+    } catch (e) {
+      const stderr = String(e.stderr || "");
+      const stdout = String(e.stdout || "");
+      if (stderr.includes("No results")) {
+        return {
+          success: true,
+          output: `No exploits found for ${query}`
+        };
+      }
+      return {
+        success: true,
+        output: stdout || `No exploits found for ${query}`
+      };
+    }
+  } catch (error) {
+    return {
+      success: false,
+      output: "",
+      error: error.message || String(error)
+    };
+  }
+}
+async function webSearch(query, engine = "duckduckgo") {
+  try {
+    let results = [];
+    if (engine === "duckduckgo") {
+      const url = `https://html.duckduckgo.com/html/?q=${encodeURIComponent(query)}`;
+      try {
+        const html = execFileSync2("curl", ["-s", "-L", "-A", "Mozilla/5.0", url], {
+          encoding: "utf-8",
+          stdio: ["ignore", "pipe", "pipe"],
+          timeout: 15e3
+        });
+        const titleRegex = /class="result__a"[^>]*>([^<]+)</g;
+        const matches = html.match(titleRegex) || [];
+        results = matches.map((m) => m.replace(/class="result__a"[^>]*>/, "")).slice(0, 10);
+      } catch (e) {
+        results = [`Web search failed: ${e.message}`];
+      }
+    } else {
+      results = ["Search engine not supported. Use: duckduckgo"];
+    }
+    const formatted = results.map((r, i) => `${i + 1}. ${r}`).join("\n");
+    return {
+      success: true,
+      output: formatted || `No results found for: ${query}`
+    };
+  } catch (error) {
+    return {
+      success: false,
+      output: "",
+      error: error.message || String(error)
+    };
+  }
+}
+async function extractURLs(text) {
+  try {
+    const urlRegex = /https?:\/\/[^\s<>"{}|\\^`\[\]]+/g;
+    const urls = text.match(urlRegex) || [];
+    const uniqueURLs = [...new Set(urls)];
+    return {
+      success: true,
+      output: JSON.stringify({
+        count: uniqueURLs.length,
+        urls: uniqueURLs
+      }, null, 2)
+    };
+  } catch (error) {
+    return {
+      success: false,
+      output: "",
+      error: error.message || String(error)
+    };
+  }
+}
+// src/engine/tools.ts
+var ToolRegistry = class {
+  constructor(state, scopeGuard, approvalGate, events, subAgentExecutor) {
+    this.state = state;
+    this.scopeGuard = scopeGuard;
+    this.approvalGate = approvalGate;
+    this.events = events;
+    this.subAgentExecutor = subAgentExecutor;
+    this.registerLowLevelTools();
+    this.registerMidLevelTools();
+    this.registerHighLevelTools();
+  }
+  tools = /* @__PURE__ */ new Map();
+  /**
+   * Get all registered tools
+   */
+  getAll() {
+    return Array.from(this.tools.values());
+  }
+  /**
+   * Get tool by name
+   */
+  getTool(name) {
+    return this.tools.get(name);
+  }
+  /**
+   * Execute tool with full pipeline
+   */
+  async execute(toolCall) {
+    const tool = this.getTool(toolCall.name);
+    if (!tool) {
+      return {
+        success: false,
+        output: "",
+        error: `Unknown tool: ${toolCall.name}`
+      };
+    }
+    const scopeResult = this.scopeGuard.check(toolCall);
+    if (!scopeResult.allowed) {
+      return {
+        success: false,
+        output: "",
+        error: scopeResult.reason
+      };
+    }
+    const approval = await this.approvalGate.request(toolCall);
+    if (!approval.approved) {
+      this.state.logAction({
+        tool: toolCall.name,
+        command: JSON.stringify(toolCall.input),
+        approval: "denied",
+        noiseLevel: "none",
+        outputSummary: approval.reason || "Denied"
+      });
+      return {
+        success: false,
+        output: "",
+        error: approval.reason || "Execution denied"
+      };
+    }
+    const result = await tool.execute(toolCall.input);
+    this.state.logAction({
+      tool: toolCall.name,
+      command: JSON.stringify(toolCall.input),
+      approval: approval.approved ? "auto" : "user_confirmed",
+      noiseLevel: getNoiseLevel(toolCall),
+      outputSummary: result.output.slice(0, 200)
+    });
+    return result;
+  }
+  /**
+   * Register low-level tools
+   */
+  registerLowLevelTools() {
+    this.tools.set(TOOL_NAMES.RUN_CMD, {
+      name: TOOL_NAMES.RUN_CMD,
+      description: "Execute shell command safely. Use for reconnaissance, scanning, and exploitation.",
+      parameters: {
+        command: { type: "string", description: 'The shell command to execute (e.g., "nmap -sV 10.0.0.1")' }
+      },
+      required: ["command"],
+      execute: async (params) => {
+        const command = params.command;
+        return await runCommand(command, []);
+      }
+    });
+    this.tools.set(TOOL_NAMES.READ_FILE, {
+      name: TOOL_NAMES.READ_FILE,
+      description: "Read local file content (logs, configs, evidence)",
+      parameters: {
+        path: { type: "string", description: "Path to the file" }
+      },
+      required: ["path"],
+      execute: async (params) => {
+        const filePath = params.path;
+        return await readFileContent(filePath);
+      }
+    });
+    this.tools.set(TOOL_NAMES.WRITE_FILE, {
+      name: TOOL_NAMES.WRITE_FILE,
+      description: "Write content to file (creates parent directories if needed)",
+      parameters: {
+        path: { type: "string", description: "Absolute path to the file" },
+        content: { type: "string", description: "File content" }
+      },
+      required: ["path", "content"],
+      execute: async (params) => {
+        const filePath = params.path;
+        const content = params.content;
+        return await writeFileContent(filePath, content);
+      }
+    });
+  }
+  /**
+   * Register mid-level tools
+   */
+  registerMidLevelTools() {
+    this.tools.set(TOOL_NAMES.PARSE_NMAP, {
+      name: TOOL_NAMES.PARSE_NMAP,
+      description: "Parse nmap XML output to structured JSON",
+      parameters: {
+        path: { type: "string", description: "Path to nmap XML output file" }
+      },
+      required: ["path"],
+      execute: async (params) => {
+        const xmlPath = params.path;
+        return await parseNmap(xmlPath);
+      }
+    });
+    this.tools.set(TOOL_NAMES.SEARCH_CVE, {
+      name: TOOL_NAMES.SEARCH_CVE,
+      description: "Search CVE and Exploit-DB for vulnerabilities",
+      parameters: {
+        service: { type: "string", description: 'Service name (e.g., "apache", "ssh")' },
+        version: { type: "string", description: "Version number (optional)" }
+      },
+      required: ["service"],
+      execute: async (params) => {
+        const service = params.service;
+        const version = params.version;
+        return await searchCVE(service, version);
+      }
+    });
+    this.tools.set(TOOL_NAMES.WEB_SEARCH, {
+      name: TOOL_NAMES.WEB_SEARCH,
+      description: "Search web for reconnaissance info",
+      parameters: {
+        query: { type: "string", description: "Search query" }
+      },
+      required: ["query"],
+      execute: async (params) => {
+        const query = params.query;
+        const engine = params.engine || "duckduckgo";
+        return await webSearch(query, engine);
+      }
+    });
+    this.tools.set(TOOL_NAMES.EXTRACT_URLS, {
+      name: TOOL_NAMES.EXTRACT_URLS,
+      description: "Extract and deduplicate URLs from text",
+      parameters: {
+        text: { type: "string", description: "Input text containing URLs" }
+      },
+      required: ["text"],
+      execute: async (params) => {
+        const text = params.text;
+        return await extractURLs(text);
+      }
+    });
+  }
+  /**
+   * Register high-level tools
+   */
+  registerHighLevelTools() {
+    this.tools.set(TOOL_NAMES.SPAWN_SUB, {
+      name: TOOL_NAMES.SPAWN_SUB,
+      description: "Spawn a sub-agent with specialized prompt",
+      parameters: {
+        task: { type: "string", description: "Specific task for sub-agent" },
+        agent_type: { type: "string", description: "Sub-agent type (recon, web, exploit)" }
+      },
+      required: ["task"],
+      execute: async (params) => {
+        const task = params.task;
+        const agentType = params.agent_type || AGENT_ROLES.RECON;
+        if (!this.subAgentExecutor) {
+          return { success: false, output: "SubAgentExecutor not initialized in registry" };
+        }
+        const systemPrompt = this.getSpecializedPrompt(agentType, task);
+        const result = await this.subAgentExecutor.executeSubTask(task, systemPrompt);
+        return {
+          success: result.completed,
+          output: result.output
+        };
+      }
+    });
+    this.tools.set(TOOL_NAMES.ADD_FINDING, {
+      name: TOOL_NAMES.ADD_FINDING,
+      description: "Add a security finding",
+      parameters: {
+        title: { type: "string", description: "Finding title" },
+        severity: { type: "string", description: "Severity (info, low, medium, high, critical)" },
+        affected: { type: "array", items: { type: "string" }, description: "Affected host:port" },
+        description: { type: "string", description: "Finding detail" }
+      },
+      required: ["title", "severity"],
+      execute: async (params) => {
+        this.state.addFinding({
+          id: Math.random().toString(ID_RADIX).substring(ID_LENGTH),
+          title: params.title,
+          severity: params.severity,
+          affected: params.affected || [],
+          description: params.description || "",
+          evidence: [],
+          verified: false,
+          remediation: "",
+          foundAt: Date.now()
+        });
+        return {
+          success: true,
+          output: `Finding added: ${params.title}`
+        };
+      }
+    });
+    this.tools.set(TOOL_NAMES.UPDATE_TODO, {
+      name: TOOL_NAMES.UPDATE_TODO,
+      description: "Update plan / TODO list",
+      parameters: {
+        action: { type: "string", description: "add, complete" },
+        content: { type: "string", description: "Task content" }
+      },
+      required: ["action"],
+      execute: async (params) => {
+        if (params.action === TODO_ACTIONS.ADD) {
+          this.state.addTodo(params.content, params.priority);
+        } else if (params.action === TODO_ACTIONS.COMPLETE) {
+          this.state.completeTodo(params.id);
+        }
+        return {
+          success: true,
+          output: "TODO updated"
+        };
+      }
+    });
+    this.tools.set(TOOL_NAMES.GET_STATE, {
+      name: TOOL_NAMES.GET_STATE,
+      description: "Get current engagement state summary",
+      parameters: {},
+      execute: async (params) => {
+        return {
+          success: true,
+          output: this.state.toPrompt()
+        };
+      }
+    });
+    this.tools.set(TOOL_NAMES.SET_SCOPE, {
+      name: TOOL_NAMES.SET_SCOPE,
+      description: "Set engagement scope",
+      parameters: {
+        allowed: { type: "array", items: { type: "string" }, description: "Allowed CIDRs or domains" },
+        exclusions: { type: "array", items: { type: "string" }, description: "Excluded targets" }
+      },
+      required: ["allowed"],
+      execute: async (params) => {
+        const allowed = params.allowed || [];
+        const exclusions = params.exclusions || [];
+        this.state.setScope({
+          allowedCidrs: allowed.filter((a) => a.includes("/")),
+          allowedDomains: allowed.filter((a) => !a.includes("/")),
+          exclusions,
+          noDOS: true,
+          noSocial: true
+        });
+        return {
+          success: true,
+          output: `Scope set: ${allowed.length} targets`
+        };
+      }
+    });
+    this.tools.set(TOOL_NAMES.ADD_TARGET, {
+      name: TOOL_NAMES.ADD_TARGET,
+      description: "Add target to engagement",
+      parameters: {
+        ip: { type: "string", description: "IP address" },
+        hostname: { type: "string", description: "Hostname (optional)" }
+      },
+      required: ["ip"],
+      execute: async (params) => {
+        const ip = params.ip;
+        const hostname = params.hostname;
+        this.state.addTarget({
+          ip,
+          hostname,
+          ports: [],
+          tags: [],
+          firstSeen: Date.now()
+        });
+        return {
+          success: true,
+          output: `Target added: ${ip}`
+        };
+      }
+    });
+    this.tools.set(TOOL_NAMES.ASK_USER, {
+      name: TOOL_NAMES.ASK_USER,
+      description: "Ask the user a question and wait for input. Use when you need clarification, authorization, or additional information.",
+      parameters: {
+        question: { type: "string", description: "Question to ask" }
+      },
+      required: ["question"],
+      execute: async (params) => {
+        const question = params.question;
+        return {
+          success: true,
+          output: `[ASK_USER] ${question}
+(Waiting for user response via TUI input)`
+        };
+      }
+    });
+  }
+  /**
+   * Get specialized prompt for sub-agent type
+   * Opus4.7: Agents are prompts, not code
+   */
+  getSpecializedPrompt(agentType, task) {
+    const prompts = {
+      [AGENT_ROLES.RECON]: `You are a RECONNAISSANCE specialist.
+Your task: ${task}
+Focus on: Information gathering, OSINT, passive reconnaissance, target discovery
+Return: Structured target and port information for the main agent.`,
+      [AGENT_ROLES.WEB]: `You are a WEB APPLICATION specialist.
+Your task: ${task}
+Focus on: Web app discovery, enumeration, vulnerability scanning
+Return: Web application structure, endpoints, vulnerabilities found.`,
+      [AGENT_ROLES.EXPLOTER]: `You are an EXPLOITATION specialist.
+Your task: ${task}
+Focus on: Exploit research, proof-of-concept testing
+Return: Exploit results, shell access, credentials obtained.`
+    };
+    return prompts[agentType] || prompts[AGENT_ROLES.RECON];
+  }
+};
+function getNoiseLevel(toolCall) {
+  if (toolCall.name === TOOL_NAMES.RUN_CMD) {
+    const command = String(toolCall.input.command || "").toLowerCase();
+    if (command.includes(CORE_BINARIES.NMAP) || command.includes(CORE_BINARIES.MASSCAN)) return NOISE_LEVELS.HIGH;
+    if (command.includes(CORE_BINARIES.NUCLEI) || command.includes(CORE_BINARIES.NIKTO)) return NOISE_LEVELS.HIGH;
+    if (command.includes(CORE_BINARIES.FFUF) || command.includes(CORE_BINARIES.GOBUSTER)) return NOISE_LEVELS.MEDIUM;
+  }
+  return NOISE_LEVELS.LOW;
+}
+// src/domains/registry.ts
+import { join as join2, dirname } from "path";
+import { fileURLToPath } from "url";
+var __dirname = dirname(fileURLToPath(import.meta.url));
+var DOMAINS = {
+  [SERVICE_CATEGORIES.NETWORK]: {
+    id: SERVICE_CATEGORIES.NETWORK,
+    name: "Network Infrastructure",
+    description: "Vulnerability scanning, port mapping, and network service exploitation.",
+    promptPath: join2(__dirname, "network/prompt.md")
+  },
+  [SERVICE_CATEGORIES.WEB]: {
+    id: SERVICE_CATEGORIES.WEB,
+    name: "Web Application",
+    description: "Web app security testing, injection attacks, and auth bypass.",
+    promptPath: join2(__dirname, "web/prompt.md")
+  },
+  [SERVICE_CATEGORIES.DATABASE]: {
+    id: SERVICE_CATEGORIES.DATABASE,
+    name: "Database Security",
+    description: "SQL injection, database enumeration, and data extraction.",
+    promptPath: join2(__dirname, "database/prompt.md")
+  },
+  [SERVICE_CATEGORIES.AD]: {
+    id: SERVICE_CATEGORIES.AD,
+    name: "Active Directory",
+    description: "Kerberos, LDAP, and Windows domain privilege escalation.",
+    promptPath: join2(__dirname, "ad/prompt.md")
+  },
+  [SERVICE_CATEGORIES.EMAIL]: {
+    id: SERVICE_CATEGORIES.EMAIL,
+    name: "Email Services",
+    description: "SMTP, IMAP, POP3 security and user enumeration.",
+    promptPath: join2(__dirname, "email/prompt.md")
+  },
+  [SERVICE_CATEGORIES.REMOTE_ACCESS]: {
+    id: SERVICE_CATEGORIES.REMOTE_ACCESS,
+    name: "Remote Access",
+    description: "SSH, RDP, VNC and other remote control protocols.",
+    promptPath: join2(__dirname, "remote-access/prompt.md")
+  },
+  [SERVICE_CATEGORIES.FILE_SHARING]: {
+    id: SERVICE_CATEGORIES.FILE_SHARING,
+    name: "File Sharing",
+    description: "SMB, NFS, FTP and shared resource security.",
+    promptPath: join2(__dirname, "file-sharing/prompt.md")
+  },
+  [SERVICE_CATEGORIES.CLOUD]: {
+    id: SERVICE_CATEGORIES.CLOUD,
+    name: "Cloud Infrastructure",
+    description: "AWS, Azure, and GCP security and misconfiguration.",
+    promptPath: join2(__dirname, "cloud/prompt.md")
+  },
+  [SERVICE_CATEGORIES.CONTAINER]: {
+    id: SERVICE_CATEGORIES.CONTAINER,
+    name: "Container Systems",
+    description: "Docker and Kubernetes security testing.",
+    promptPath: join2(__dirname, "container/prompt.md")
+  },
+  [SERVICE_CATEGORIES.API]: {
+    id: SERVICE_CATEGORIES.API,
+    name: "API Security",
+    description: "REST, GraphQL, and SOAP API security testing.",
+    promptPath: join2(__dirname, "api/prompt.md")
+  },
+  [SERVICE_CATEGORIES.WIRELESS]: {
+    id: SERVICE_CATEGORIES.WIRELESS,
+    name: "Wireless Networks",
+    description: "WiFi and Bluetooth security testing.",
+    promptPath: join2(__dirname, "wireless/prompt.md")
+  },
+  [SERVICE_CATEGORIES.ICS]: {
+    id: SERVICE_CATEGORIES.ICS,
+    name: "Industrial Systems",
+    description: "Critical infrastructure - Modbus, DNP3, ENIP.",
+    promptPath: join2(__dirname, "ics/prompt.md")
+  }
+};
+// src/engine/tools-registry.ts
+var PORT_CATEGORY_MAP = {
+  // Web
+  80: SERVICE_CATEGORIES.WEB,
+  443: SERVICE_CATEGORIES.WEB,
+  8080: SERVICE_CATEGORIES.WEB,
+  8443: SERVICE_CATEGORIES.WEB,
+  8e3: SERVICE_CATEGORIES.WEB,
+  8888: SERVICE_CATEGORIES.WEB,
+  // Database
+  1433: SERVICE_CATEGORIES.DATABASE,
+  // MSSQL
+  3306: SERVICE_CATEGORIES.DATABASE,
+  // MySQL
+  5432: SERVICE_CATEGORIES.DATABASE,
+  // PostgreSQL
+  27017: SERVICE_CATEGORIES.DATABASE,
+  // MongoDB
+  6379: SERVICE_CATEGORIES.DATABASE,
+  // Redis
+  9042: SERVICE_CATEGORIES.DATABASE,
+  // Cassandra
+  9200: SERVICE_CATEGORIES.DATABASE,
+  // Elasticsearch
+  // Active Directory
+  88: SERVICE_CATEGORIES.AD,
+  // Kerberos
+  389: SERVICE_CATEGORIES.AD,
+  // LDAP
+  636: SERVICE_CATEGORIES.AD,
+  // LDAPS
+  3268: SERVICE_CATEGORIES.AD,
+  // LDAP GC
+  3269: SERVICE_CATEGORIES.AD,
+  // LDAP GC SSL
+  445: SERVICE_CATEGORIES.AD,
+  // SMB (also file_sharing)
+  // Email
+  25: SERVICE_CATEGORIES.EMAIL,
+  // SMTP
+  587: SERVICE_CATEGORIES.EMAIL,
+  // SMTP Submission
+  465: SERVICE_CATEGORIES.EMAIL,
+  // SMTPS
+  110: SERVICE_CATEGORIES.EMAIL,
+  // POP3
+  143: SERVICE_CATEGORIES.EMAIL,
+  // IMAP
+  993: SERVICE_CATEGORIES.EMAIL,
+  // IMAPS
+  995: SERVICE_CATEGORIES.EMAIL,
+  // POP3S
+  // Remote Access
+  22: SERVICE_CATEGORIES.REMOTE_ACCESS,
+  // SSH
+  3389: SERVICE_CATEGORIES.REMOTE_ACCESS,
+  // RDP
+  5900: SERVICE_CATEGORIES.REMOTE_ACCESS,
+  // VNC
+  5901: SERVICE_CATEGORIES.REMOTE_ACCESS,
+  // VNC
+  // File Sharing
+  21: SERVICE_CATEGORIES.FILE_SHARING,
+  // FTP
+  139: SERVICE_CATEGORIES.FILE_SHARING,
+  // NetBIOS
+  2049: SERVICE_CATEGORIES.FILE_SHARING,
+  // NFS
+  111: SERVICE_CATEGORIES.FILE_SHARING,
+  // RPC
+  // Container
+  2375: SERVICE_CATEGORIES.CONTAINER,
+  // Docker API
+  2376: SERVICE_CATEGORIES.CONTAINER,
+  // Docker API TLS
+  5e3: SERVICE_CATEGORIES.CONTAINER,
+  // Docker Registry
+  // Cloud (detected via banner, common on 443)
+  // API
+  3e3: SERVICE_CATEGORIES.API,
+  5001: SERVICE_CATEGORIES.API,
+  8001: SERVICE_CATEGORIES.API,
+  // Wireless
+  // ICS
+  502: SERVICE_CATEGORIES.ICS,
+  // Modbus
+  102: SERVICE_CATEGORIES.ICS,
+  // ISO-TSAP
+  2e4: SERVICE_CATEGORIES.ICS,
+  // DNP3
+  44818: SERVICE_CATEGORIES.ICS
+  // Ethernet/IP
+};
+var SERVICE_CATEGORY_MAP = {
+  // Web
+  [SERVICES.HTTP]: SERVICE_CATEGORIES.WEB,
+  [SERVICES.HTTPS]: SERVICE_CATEGORIES.WEB,
+  "http-proxy": SERVICE_CATEGORIES.WEB,
+  "ssl/http": SERVICE_CATEGORIES.WEB,
+  "nginx": SERVICE_CATEGORIES.WEB,
+  "apache": SERVICE_CATEGORIES.WEB,
+  "iis": SERVICE_CATEGORIES.WEB,
+  // Database
+  [SERVICES.MYSQL]: SERVICE_CATEGORIES.DATABASE,
+  [SERVICES.MSSQL]: SERVICE_CATEGORIES.DATABASE,
+  [SERVICES.POSTGRES]: SERVICE_CATEGORIES.DATABASE,
+  [SERVICES.MONGODB]: SERVICE_CATEGORIES.DATABASE,
+  [SERVICES.REDIS]: SERVICE_CATEGORIES.DATABASE,
+  [SERVICES.ELASTIC]: SERVICE_CATEGORIES.DATABASE,
+  "cassandra": SERVICE_CATEGORIES.DATABASE,
+  // Active Directory
+  "kerberos": SERVICE_CATEGORIES.AD,
+  "ldap": SERVICE_CATEGORIES.AD,
+  "ldaps": SERVICE_CATEGORIES.AD,
+  "microsoft-ds": SERVICE_CATEGORIES.AD,
+  "netbios-ssn": SERVICE_CATEGORIES.AD,
+  // Email
+  "smtp": SERVICE_CATEGORIES.EMAIL,
+  "pop3": SERVICE_CATEGORIES.EMAIL,
+  "imap": SERVICE_CATEGORIES.EMAIL,
+  // Remote Access
+  [SERVICES.SSH]: SERVICE_CATEGORIES.REMOTE_ACCESS,
+  "ms-wbt-server": SERVICE_CATEGORIES.REMOTE_ACCESS,
+  // RDP
+  "vnc": SERVICE_CATEGORIES.REMOTE_ACCESS,
+  // File Sharing
+  [SERVICES.FTP]: SERVICE_CATEGORIES.FILE_SHARING,
+  "ftp-data": SERVICE_CATEGORIES.FILE_SHARING,
+  "nfs": SERVICE_CATEGORIES.FILE_SHARING,
+  "rpcbind": SERVICE_CATEGORIES.FILE_SHARING,
+  // Container
+  "docker": SERVICE_CATEGORIES.CONTAINER,
+  "docker-swap": SERVICE_CATEGORIES.CONTAINER,
+  // Cloud APIs
+  "aws-s3": SERVICE_CATEGORIES.CLOUD,
+  "azure-storage": SERVICE_CATEGORIES.CLOUD,
+  // Wireless
+  // ICS
+  "modbus": SERVICE_CATEGORIES.ICS,
+  "iso-tsap": SERVICE_CATEGORIES.ICS,
+  "dnp3": SERVICE_CATEGORIES.ICS,
+  "enip": SERVICE_CATEGORIES.ICS
+};
+var CATEGORY_APPROVAL2 = {
+  [SERVICE_CATEGORIES.NETWORK]: APPROVAL_LEVELS.CONFIRM,
+  [SERVICE_CATEGORIES.WEB]: APPROVAL_LEVELS.CONFIRM,
+  [SERVICE_CATEGORIES.DATABASE]: APPROVAL_LEVELS.REVIEW,
+  [SERVICE_CATEGORIES.AD]: APPROVAL_LEVELS.REVIEW,
+  [SERVICE_CATEGORIES.EMAIL]: APPROVAL_LEVELS.CONFIRM,
+  [SERVICE_CATEGORIES.REMOTE_ACCESS]: APPROVAL_LEVELS.REVIEW,
+  [SERVICE_CATEGORIES.FILE_SHARING]: APPROVAL_LEVELS.CONFIRM,
+  [SERVICE_CATEGORIES.CLOUD]: APPROVAL_LEVELS.REVIEW,
+  [SERVICE_CATEGORIES.CONTAINER]: APPROVAL_LEVELS.REVIEW,
+  [SERVICE_CATEGORIES.API]: APPROVAL_LEVELS.CONFIRM,
+  [SERVICE_CATEGORIES.WIRELESS]: APPROVAL_LEVELS.REVIEW,
+  [SERVICE_CATEGORIES.ICS]: APPROVAL_LEVELS.BLOCK
+  // Requires explicit written authorization
+};
+var CATEGORY_DESCRIPTIONS = Object.entries(DOMAINS).reduce((acc, [id, info]) => {
+  acc[id] = info.description;
+  return acc;
+}, {});
+var CategorizedToolRegistry = class extends ToolRegistry {
+  categories;
+  constructor(state, scopeGuard, approvalGate, events, subAgentExecutor) {
+    super(state, scopeGuard, approvalGate, events, subAgentExecutor);
+    this.categories = /* @__PURE__ */ new Map();
+    this.initializeCategories();
+  }
+  /**
+   * Initialize all tool categories with core tools from parent ToolRegistry
+   *
+   * Every service category gets the base tools (run_cmd, read_file, write_file, etc.)
+   * Sub-agents need at least these core tools to function.
+   * spawn_sub is explicitly excluded to prevent recursion (1-level only).
+   */
+  initializeCategories() {
+    const coreToolNames = [
+      TOOL_NAMES.RUN_CMD,
+      TOOL_NAMES.READ_FILE,
+      TOOL_NAMES.WRITE_FILE,
+      TOOL_NAMES.PARSE_NMAP,
+      TOOL_NAMES.SEARCH_CVE,
+      TOOL_NAMES.WEB_SEARCH,
+      TOOL_NAMES.EXTRACT_URLS,
+      TOOL_NAMES.ADD_FINDING,
+      TOOL_NAMES.UPDATE_TODO,
+      TOOL_NAMES.GET_STATE,
+      TOOL_NAMES.ADD_TARGET,
+      TOOL_NAMES.ASK_USER
+    ];
+    const coreTools = [];
+    for (const name of coreToolNames) {
+      const tool = this.getTool(name);
+      if (tool) {
+        coreTools.push(tool);
+      }
+    }
+    for (const category of Object.keys(CATEGORY_DESCRIPTIONS)) {
+      this.categories.set(category, {
+        name: category,
+        description: CATEGORY_DESCRIPTIONS[category],
+        tools: [...coreTools],
+        // Each category gets a copy of core tools
+        subAgentPrompt: "",
+        // Loaded from Domain Registry or prompt files at runtime
+        dangerLevel: this.getDangerLevel(category),
+        defaultApproval: CATEGORY_APPROVAL2[category],
+        commonPorts: this.getCommonPorts(category),
+        commonServices: this.getCommonServices(category)
+      });
+    }
+  }
+  /**
+   * Get danger level for category
+   */
+  getDangerLevel(category) {
+    const passive = [SERVICE_CATEGORIES.NETWORK];
+    const active = [SERVICE_CATEGORIES.WEB, SERVICE_CATEGORIES.API, SERVICE_CATEGORIES.EMAIL, SERVICE_CATEGORIES.FILE_SHARING];
+    if (passive.includes(category)) return DANGER_LEVELS.PASSIVE;
+    if (active.includes(category)) return DANGER_LEVELS.ACTIVE;
+    return DANGER_LEVELS.EXPLOIT;
+  }
+  /**
+   * Get common ports for category
+   */
+  getCommonPorts(category) {
+    const ports = {
+      [SERVICE_CATEGORIES.NETWORK]: [1, 7, 9, 21, 22, 23, 25, 53, 79, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995, 1723, 3306, 3389, 5432, 5900, 8080],
+      [SERVICE_CATEGORIES.WEB]: [80, 443, 8e3, 8080, 8443, 8888],
+      [SERVICE_CATEGORIES.DATABASE]: [1433, 3306, 5432, 6379, 9042, 9200, 27017, 1521],
+      [SERVICE_CATEGORIES.AD]: [88, 135, 139, 389, 445, 636, 3268, 3269, 5722],
+      [SERVICE_CATEGORIES.EMAIL]: [25, 110, 143, 465, 587, 993, 995],
+      [SERVICE_CATEGORIES.REMOTE_ACCESS]: [22, 23, 3389, 5900, 5901],
+      [SERVICE_CATEGORIES.FILE_SHARING]: [21, 139, 445, 2049, 111],
+      [SERVICE_CATEGORIES.CLOUD]: [443],
+      // Detected via banner
+      [SERVICE_CATEGORIES.CONTAINER]: [2375, 2376, 5e3],
+      [SERVICE_CATEGORIES.API]: [3e3, 5e3, 5001, 8e3, 8001, 8080],
+      [SERVICE_CATEGORIES.WIRELESS]: [],
+      [SERVICE_CATEGORIES.ICS]: [102, 502, 44818, 2e4]
+    };
+    return ports[category] || [];
+  }
+  /**
+   * Get common services for category
+   */
+  getCommonServices(category) {
+    const services = {
+      [SERVICE_CATEGORIES.NETWORK]: [SERVICES.FTP, SERVICES.SSH, "telnet", "smtp", SERVICES.HTTP, "pop3", "imap", SERVICES.HTTPS],
+      [SERVICE_CATEGORIES.WEB]: [SERVICES.HTTP, SERVICES.HTTPS, "nginx", "apache", "iis"],
+      [SERVICE_CATEGORIES.DATABASE]: [SERVICES.MYSQL, SERVICES.MSSQL, SERVICES.POSTGRES, SERVICES.MONGODB, SERVICES.REDIS, SERVICES.ELASTIC],
+      [SERVICE_CATEGORIES.AD]: ["kerberos", "ldap", "microsoft-ds", "netbios-ssn"],
+      [SERVICE_CATEGORIES.EMAIL]: ["smtp", "pop3", "imap"],
+      [SERVICE_CATEGORIES.REMOTE_ACCESS]: [SERVICES.SSH, "ms-wbt-server", "vnc"],
+      [SERVICE_CATEGORIES.FILE_SHARING]: [SERVICES.FTP, "microsoft-ds", "nfs"],
+      [SERVICE_CATEGORIES.CLOUD]: [SERVICES.HTTP, SERVICES.HTTPS],
+      // Detected via banner analysis
+      [SERVICE_CATEGORIES.CONTAINER]: ["docker"],
+      [SERVICE_CATEGORIES.API]: [SERVICES.HTTP, SERVICES.HTTPS],
+      [SERVICE_CATEGORIES.WIRELESS]: [],
+      [SERVICE_CATEGORIES.ICS]: ["modbus", "iso-tsap", "dnp3", "enip"]
+    };
+    return services[category] || [];
+  }
+  /**
+   * Get all tools in a category
+   */
+  getByCategory(category) {
+    return this.categories.get(category)?.tools || [];
+  }
+  /**
+   * Get category definition
+   */
+  getCategory(category) {
+    return this.categories.get(category);
+  }
+  /**
+   * Get all categories
+   */
+  getAllCategories() {
+    return Array.from(this.categories.values());
+  }
+  /**
+   * Suggest tools based on discovered target
+   */
+  suggestTools(target) {
+    const suggestions = [];
+    for (const port of target.ports) {
+      const category = this.detectCategoryFromPort(port.port, port.service);
+      if (category && !suggestions.find((s) => s.category === category)) {
+        const catTools = this.getByCategory(category);
+        suggestions.push({
+          category,
+          tools: catTools.map((t) => t.name)
+        });
+      }
+    }
+    if (target.hostname) {
+      const cloudCat = this.detectCloudProvider(target.hostname);
+      if (cloudCat && !suggestions.find((s) => s.category === cloudCat)) {
+        const catTools = this.getByCategory(cloudCat);
+        suggestions.push({
+          category: cloudCat,
+          tools: catTools.map((t) => t.name)
+        });
+      }
+    }
+    return suggestions;
+  }
+  /**
+   * Detect category from port number and service name
+   */
+  detectCategoryFromPort(port, serviceName) {
+    if (PORT_CATEGORY_MAP[port]) {
+      return PORT_CATEGORY_MAP[port];
+    }
+    if (serviceName && SERVICE_CATEGORY_MAP[serviceName.toLowerCase()]) {
+      return SERVICE_CATEGORY_MAP[serviceName.toLowerCase()];
+    }
+    if (port >= 8e3 && port <= 9e3) return SERVICE_CATEGORIES.WEB;
+    if (port >= 3e3 && port <= 3500) return SERVICE_CATEGORIES.API;
+    return null;
+  }
+  /**
+   * Detect cloud provider from hostname
+   */
+  detectCloudProvider(hostname) {
+    const cloudProviders = [
+      "amazonaws.com",
+      "aws",
+      "s3.amazonaws.com",
+      "azure.com",
+      "azurewebsites.net",
+      "windows.net",
+      "gcp",
+      "googleusercontent.com",
+      "appspot.com",
+      "digitalocean.com",
+      "do.co",
+      "herokuapp.com",
+      "vercel.app",
+      "netlify.app"
+    ];
+    const lowerHostname = hostname.toLowerCase();
+    for (const provider of cloudProviders) {
+      if (lowerHostname.includes(provider)) {
+        return SERVICE_CATEGORIES.CLOUD;
+      }
+    }
+    return null;
+  }
+  /**
+   * Suggest sub-agent type for target
+   */
+  suggestSubAgent(target) {
+    const suggestions = this.suggestTools(target);
+    const priority = [
+      SERVICE_CATEGORIES.ICS,
+      // Critical - block
+      SERVICE_CATEGORIES.AD,
+      // High value - review
+      SERVICE_CATEGORIES.DATABASE,
+      // High value - review
+      SERVICE_CATEGORIES.CLOUD,
+      // High value - review
+      SERVICE_CATEGORIES.CONTAINER,
+      // Escalation - review
+      SERVICE_CATEGORIES.REMOTE_ACCESS,
+      // Access - review
+      SERVICE_CATEGORIES.WEB,
+      // Common - confirm
+      SERVICE_CATEGORIES.API,
+      // Common - confirm
+      SERVICE_CATEGORIES.EMAIL,
+      // Info - confirm
+      SERVICE_CATEGORIES.FILE_SHARING,
+      // Access - confirm
+      SERVICE_CATEGORIES.NETWORK,
+      // Basic - confirm
+      SERVICE_CATEGORIES.WIRELESS
+      // Special - review
+    ];
+    for (const cat of priority) {
+      if (suggestions.find((s) => s.category === cat)) {
+        return cat;
+      }
+    }
+    return PHASES.RECON;
+  }
+  /**
+   * Get approval level for category
+   */
+  getApprovalForCategory(category) {
+    return CATEGORY_APPROVAL2[category];
+  }
+  /**
+   * Check if category requires special handling
+   */
+  isHighRiskCategory(category) {
+    return [SERVICE_CATEGORIES.ICS, SERVICE_CATEGORIES.AD, SERVICE_CATEGORIES.DATABASE, SERVICE_CATEGORIES.CLOUD, SERVICE_CATEGORIES.CONTAINER].includes(category);
+  }
+  /**
+   * Get service fingerprint from port data
+   */
+  fingerprintService(port) {
+    const category = this.detectCategoryFromPort(port.port, port.service);
+    if (!category) return null;
+    return {
+      port: port.port,
+      service: port.service,
+      version: port.version,
+      banner: port.notes[0] || void 0,
+      category,
+      confidence: port.version ? 0.9 : 0.7
+    };
+  }
+  /**
+   * Get category description
+   */
+  getCategoryDescription(category) {
+    return CATEGORY_DESCRIPTIONS[category];
+  }
+};
+// src/shared/utils/logger.ts
+var COLORS = {
+  reset: "\x1B[0m",
+  dim: "\x1B[2m",
+  red: "\x1B[31m",
+  yellow: "\x1B[33m",
+  green: "\x1B[32m",
+  blue: "\x1B[34m",
+  magenta: "\x1B[35m",
+  cyan: "\x1B[36m"
+};
+var levelColors = {
+  [0 /* DEBUG */]: COLORS.dim,
+  [1 /* INFO */]: COLORS.green,
+  [2 /* WARN */]: COLORS.yellow,
+  [3 /* ERROR */]: COLORS.red,
+  [999 /* SILENT */]: COLORS.reset
+};
+var levelNames = {
+  [0 /* DEBUG */]: "DEBUG",
+  [1 /* INFO */]: "INFO",
+  [2 /* WARN */]: "WARN",
+  [3 /* ERROR */]: "ERROR",
+  [999 /* SILENT */]: "SILENT"
+};
+var Logger = class {
+  constructor(component, config = {}) {
+    this.component = component;
+    this.config = {
+      minLevel: config.minLevel ?? 1 /* INFO */,
+      includeTimestamp: config.includeTimestamp ?? true,
+      includeComponent: config.includeComponent ?? true,
+      colorOutput: config.colorOutput ?? true,
+      outputToFile: config.outputToFile ?? false,
+      logFilePath: config.logFilePath
+    };
+  }
+  config;
+  logBuffer = [];
+  maxBufferSize = 1e3;
+  /**
+   * Set minimum log level
+   */
+  setMinLevel(level) {
+    this.config.minLevel = level;
+  }
+  /**
+   * Log at a specific level
+   */
+  log(level, message, data) {
+    if (level < this.config.minLevel) {
+      return;
+    }
+    const entry = {
+      timestamp: Date.now(),
+      level,
+      component: this.component,
+      message,
+      data
+    };
+    this.logBuffer.push(entry);
+    if (this.logBuffer.length > this.maxBufferSize) {
+      this.logBuffer.shift();
+    }
+    const formatted = this.formatEntry(entry);
+    console.log(formatted);
+  }
+  /**
+   * Format a log entry for output
+   */
+  formatEntry(entry) {
+    const parts = [];
+    if (this.config.includeTimestamp) {
+      const date = new Date(entry.timestamp);
+      const ts = date.toISOString().split("T")[1].slice(0, -1);
+      parts.push(this.config.colorOutput ? COLORS.dim + ts + COLORS.reset : ts);
+    }
+    const levelName = levelNames[entry.level];
+    const levelColor = this.config.colorOutput ? levelColors[entry.level] : "";
+    parts.push(levelColor + `[${levelName}]` + (this.config.colorOutput ? COLORS.reset : ""));
+    if (this.config.includeComponent) {
+      const comp = this.config.colorOutput ? COLORS.cyan + entry.component + COLORS.reset : entry.component;
+      parts.push(`[${comp}]`);
+    }
+    parts.push(entry.message);
+    if (entry.data) {
+      const dataStr = Object.entries(entry.data).map(([k, v]) => `${k}=${JSON.stringify(v)}`).join(" ");
+      parts.push(this.config.colorOutput ? COLORS.dim + dataStr + COLORS.reset : dataStr);
+    }
+    return parts.join(" ");
+  }
+  /**
+   * Debug level logging
+   */
+  debug(message, data) {
+    this.log(0 /* DEBUG */, message, data);
+  }
+  /**
+   * Info level logging
+   */
+  info(message, data) {
+    this.log(1 /* INFO */, message, data);
+  }
+  /**
+   * Warning level logging
+   */
+  warn(message, data) {
+    this.log(2 /* WARN */, message, data);
+  }
+  /**
+   * Error level logging
+   */
+  error(message, data) {
+    this.log(3 /* ERROR */, message, data);
+  }
+  /**
+   * Get all log entries
+   */
+  getLogs() {
+    return [...this.logBuffer];
+  }
+  /**
+   * Get logs by level
+   */
+  getLogsByLevel(minLevel) {
+    return this.logBuffer.filter((entry) => entry.level >= minLevel);
+  }
+  /**
+   * Clear log buffer
+   */
+  clearLogs() {
+    this.logBuffer = [];
+  }
+  /**
+   * Export logs to string
+   */
+  exportLogs() {
+    return this.logBuffer.map((entry) => this.formatEntry(entry)).join("\n");
+  }
+};
+var agentLogger = new Logger("Agent", {
+  minLevel: 1 /* INFO */,
+  colorOutput: true
+});
+// src/shared/utils/config.ts
+import path from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
+var __filename = fileURLToPath2(import.meta.url);
+var __dirname2 = path.dirname(__filename);
+function getApiKey() {
+  return process.env.PENTEST_API_KEY || "";
+}
+function getBaseUrl() {
+  return process.env.PENTEST_BASE_URL || void 0;
+}
+function getModel() {
+  return process.env.PENTEST_MODEL || "";
+}
+// src/engine/llm.ts
+import Anthropic from "@anthropic-ai/sdk";
+var LLMClient = class {
+  client;
+  model;
+  constructor() {
+    this.client = new Anthropic({
+      apiKey: getApiKey(),
+      baseURL: getBaseUrl(),
+      dangerouslyAllowBrowser: true
+    });
+    this.model = getModel();
+  }
+  /**
+   * Generate response from messages and tools (non-streaming)
+   */
+  async generateResponse(messages, tools, systemPrompt) {
+    const response = await this.client.messages.create({
+      model: this.model,
+      max_tokens: 4096,
+      system: systemPrompt,
+      messages: messages.filter((m) => m.role !== "system"),
+      tools
+    });
+    const textBlock = response.content.find((b) => b.type === "text");
+    const toolBlocks = response.content.filter((b) => b.type === "tool_use");
+    return {
+      content: textBlock?.type === "text" ? textBlock.text : "",
+      toolCalls: toolBlocks.map((b) => ({
+        id: b.id,
+        name: b.name,
+        input: b.input
+      })),
+      rawResponse: response
+    };
+  }
+  /**
+   * Generate response with streaming support for real-time thinking display
+   * This is like opencode's reasoning stream handling
+   */
+  async generateResponseStream(messages, tools, systemPrompt, callbacks) {
+    const stream = await this.client.messages.create({
+      model: this.model,
+      max_tokens: 4096,
+      system: systemPrompt,
+      messages: messages.filter((m) => m.role !== "system"),
+      tools,
+      stream: true
+    });
+    let fullContent = "";
+    const toolCallsMap = /* @__PURE__ */ new Map();
+    callbacks?.onThinkingStart?.(systemPrompt ? "processing" : "default", 0);
+    for await (const event of stream) {
+      switch (event.type) {
+        case "content_block_start":
+          if (event.content_block.type === "text") {
+          } else if (event.content_block.type === "tool_use") {
+            const toolId = event.content_block.id;
+            toolCallsMap.set(toolId, { id: toolId, name: "", input: {} });
+          }
+          break;
+        case "content_block_delta":
+          if (event.delta.type === "text_delta") {
+            const text = event.delta.text;
+            fullContent += text;
+            callbacks?.onThinkingDelta?.(text);
+          } else if (event.delta.type === "input_json_delta") {
+          }
+          break;
+        case "content_block_stop":
+          break;
+        case "message_start":
+          break;
+        case "message_delta":
+          break;
+        case "message_stop":
+          break;
+      }
+    }
+    callbacks?.onThinkingEnd?.();
+    const toolCalls = Array.from(toolCallsMap.values());
+    return {
+      content: fullContent,
+      toolCalls: toolCalls.length > 0 ? toolCalls : void 0,
+      rawResponse: null
+    };
+  }
+  /**
+   * Get current model name
+   */
+  getModelName() {
+    return this.model;
+  }
+};
+var llmInstance = null;
+function getLLMClient() {
+  if (!llmInstance) {
+    llmInstance = new LLMClient();
+  }
+  return llmInstance;
+}
+// src/agents/core-agent.ts
+var CoreAgent = class {
+  llm;
+  state;
+  events;
+  toolRegistry;
+  agentType;
+  maxIterations;
+  constructor(agentType, state, events, toolRegistry, maxIterations) {
+    this.agentType = agentType;
+    this.state = state;
+    this.events = events;
+    this.toolRegistry = toolRegistry;
+    this.llm = getLLMClient();
+    this.maxIterations = maxIterations || AGENT_LIMITS.MAX_ITERATIONS;
+  }
+  /**
+   * The core loop: think -> act -> observe
+   */
+  async run(task, systemPrompt) {
+    const messages = [{ role: "user", content: task }];
+    let toolsExecutedCount = 0;
+    for (let iteration = 0; iteration < this.maxIterations; iteration++) {
+      const result = await this.step(iteration, messages, systemPrompt);
+      toolsExecutedCount += result.toolsExecuted;
+      if (result.completed) {
+        return {
+          output: result.output,
+          iterations: iteration + 1,
+          toolsExecuted: toolsExecutedCount,
+          completed: true
+        };
+      }
+    }
+    return {
+      output: "Max iterations reached",
+      iterations: this.maxIterations,
+      toolsExecuted: toolsExecutedCount,
+      completed: false
+    };
+  }
+  /**
+   * Execute a single iteration step with real-time thinking display
+   */
+  async step(iteration, messages, systemPrompt) {
+    const phase = this.state.getPhase();
+    this.emitThinkingStart(phase, iteration);
+    this.emitThink(iteration);
+    const response = await this.llm.generateResponseStream(
+      messages,
+      this.getToolSchemas(),
+      systemPrompt,
+      {
+        onThinkingStart: (phase2, iter) => {
+        },
+        onThinkingDelta: (content) => {
+          this.emitThinkingDelta(content, phase);
+        },
+        onThinkingEnd: () => {
+          this.emitThinkingEnd(phase);
+        }
+      }
+    );
+    messages.push({ role: "assistant", content: response.content });
+    if (!response.toolCalls || response.toolCalls.length === 0) {
+      this.emitComplete(response.content, iteration, 0);
+      return { output: response.content, toolsExecuted: 0, completed: true };
+    }
+    const results = await this.processToolCalls(response.toolCalls);
+    this.addToolResultsToMessages(messages, results);
+    return { output: "", toolsExecuted: results.length, completed: false };
+  }
+  emitThink(iteration) {
+    this.events.emit({
+      type: "think",
+      timestamp: Date.now(),
+      data: {
+        thought: `${this.agentType} agent iteration ${iteration + 1}: Decision making`,
+        phase: this.state.getPhase()
+      }
+    });
+  }
+  /**
+   * Emit thinking start event - like opencode's reasoning-start
+   */
+  emitThinkingStart(phase, iteration) {
+    this.events.emit({
+      type: "thinking_start",
+      timestamp: Date.now(),
+      data: {
+        phase,
+        iteration
+      }
+    });
+  }
+  /**
+   * Emit thinking delta event - like opencode's reasoning-delta
+   * This provides real-time transparency of the model's thinking process
+   */
+  emitThinkingDelta(content, phase) {
+    this.events.emit({
+      type: "thinking_delta",
+      timestamp: Date.now(),
+      data: {
+        content,
+        phase
+      }
+    });
+  }
+  /**
+   * Emit thinking end event - like opencode's reasoning-end
+   */
+  emitThinkingEnd(phase) {
+    this.events.emit({
+      type: "thinking_end",
+      timestamp: Date.now(),
+      data: {
+        phase
+      }
+    });
+  }
+  emitComplete(output, iteration, toolsExecuted) {
+    this.events.emit({
+      type: "complete",
+      timestamp: Date.now(),
+      data: {
+        finalOutput: output,
+        iterations: iteration + 1,
+        toolsExecuted
+      }
+    });
+  }
+  addToolResultsToMessages(messages, results) {
+    for (const res of results) {
+      messages.push({
+        role: "user",
+        content: [
+          {
+            type: "tool_result",
+            tool_use_id: res.toolCallId,
+            content: res.output,
+            is_error: !!res.error
+          }
+        ]
+      });
+    }
+  }
+  async processToolCalls(toolCalls) {
+    const results = [];
+    for (const call of toolCalls) {
+      const toolName = call.name;
+      const toolInput = call.input;
+      try {
+        const result = await this.toolRegistry.execute({ name: toolName, input: toolInput });
+        results.push({ toolCallId: call.id, output: result.output, error: result.error });
+      } catch (error) {
+        results.push({ toolCallId: call.id, output: String(error), error: String(error) });
+      }
+    }
+    return results;
+  }
+  getToolSchemas() {
+    return this.toolRegistry.getAll().map((t) => ({
+      name: t.name,
+      description: t.description,
+      input_schema: {
+        type: "object",
+        properties: t.parameters,
+        required: t.required || []
+      }
+    }));
+  }
+};
+// src/agents/prompt-builder.ts
+import { readFileSync as readFileSync2, existsSync as existsSync2 } from "fs";
+import { join as join3, dirname as dirname2 } from "path";
+import { fileURLToPath as fileURLToPath3 } from "url";
+var __dirname3 = dirname2(fileURLToPath3(import.meta.url));
+var PromptBuilder = class {
+  state;
+  promptDir;
+  constructor(state) {
+    this.state = state;
+    this.promptDir = join3(__dirname3, "../shared/prompts");
+  }
+  /**
+   * Build complete prompt for LLM iteration
+   */
+  build(userInput, phase) {
+    return [
+      this.loadFragment("base.md"),
+      this.loadPhasePrompt(phase),
+      this.getScopeFragment(),
+      this.getStateFragment(),
+      this.getTodoFragment(),
+      `User Context: ${userInput}`
+    ].join("\n\n");
+  }
+  loadFragment(filename) {
+    const path2 = join3(this.promptDir, filename);
+    if (!existsSync2(path2)) return "";
+    return readFileSync2(path2, "utf-8");
+  }
+  loadPhasePrompt(phase) {
+    const path2 = join3(this.promptDir, "phases", `${phase}.md`);
+    return existsSync2(path2) ? `<phase-instructions phase="${phase}">
+${readFileSync2(path2, "utf-8")}
+</phase-instructions>` : "";
+  }
+  getScopeFragment() {
+    const scope = this.state.getScope();
+    if (!scope) return "<scope>NO SCOPE DEFINED. STOP.</scope>";
+    return `<scope type="ABSOLUTE_CONSTRAINT">
+Authorized CIDR: ${scope.allowedCidrs.join(", ")}
+Authorized Domains: ${scope.allowedDomains.join(", ")}
+Exclusions: ${scope.exclusions.join(", ") || "none"}
+NoDoS: ${scope.noDOS} | NoSocial: ${scope.noSocial}
+</scope>`;
+  }
+  getStateFragment() {
+    return `<current-state>
+${this.state.toPrompt()}
+</current-state>`;
+  }
+  getTodoFragment() {
+    const todo = this.state.getTodo();
+    const list = todo.map((t) => `[${t.status === "done" ? "x" : " "}] ${t.content} (${t.priority})`).join("\n");
+    return `<todo>
+${list || "Create initial plan"}
+</todo>`;
+  }
+};
+// src/agents/sub-agent-executor.ts
+var SubAgentExecutor = class extends CoreAgent {
+  constructor(state, events, toolRegistry) {
+    super(AGENT_ROLES.RECON, state, events, toolRegistry);
+  }
+  /**
+   * Entry point for executing a sub-task
+   */
+  async executeSubTask(task, systemPrompt) {
+    console.log(`[SubAgent] Executing specialized task: ${task.slice(0, 50)}...`);
+    return await this.run(task, systemPrompt);
+  }
+};
+// src/agents/main-agent.ts
+var MainAgent = class extends CoreAgent {
+  promptBuilder;
+  approvalGate;
+  scopeGuard;
+  userInput = "";
+  constructor() {
+    const state = new SharedState();
+    const events = new AgentEventEmitter();
+    const approvalGate = new ApprovalGate(false);
+    const scopeGuard = new ScopeGuard(state);
+    const subAgentExecutor = new SubAgentExecutor(state, events, null);
+    const toolRegistry = new CategorizedToolRegistry(state, scopeGuard, approvalGate, events, subAgentExecutor);
+    subAgentExecutor.toolRegistry = toolRegistry;
+    super(AGENT_ROLES.ORCHESTRATOR, state, events, toolRegistry);
+    this.approvalGate = approvalGate;
+    this.scopeGuard = scopeGuard;
+    this.promptBuilder = new PromptBuilder(state);
+  }
+  /**
+   * Public entry point for running the agent with a simple string input
+   */
+  async execute(userInput) {
+    this.userInput = userInput;
+    this.emitStart(userInput);
+    this.initializeTask();
+    const result = await this.run(userInput, this.getCurrentPrompt());
+    return result.output;
+  }
+  /**
+   * Override CoreAgent.run to enforce dynamic prompt injection per iteration
+   * But keep the signature compatible with CoreAgent
+   */
+  async run(task, _systemPrompt) {
+    return super.run(task, _systemPrompt);
+  }
+  /**
+   * Override step to ensure prompt is always fresh with latest state
+   */
+  async step(iteration, messages, _unusedPrompt) {
+    const dynamicPrompt = this.getCurrentPrompt();
+    const result = await super.step(iteration, messages, dynamicPrompt);
+    this.emitStateChange();
+    return result;
+  }
+  // --- Internal Helpers (Refactored for Readability) ---
+  initializeTask() {
+    if (this.state.getTodo().length === 0) {
+      this.state.addTodo("Initial reconnaissance and target discovery", PRIORITIES.HIGH);
+    }
+  }
+  getCurrentPrompt() {
+    const phase = this.state.getPhase() || PHASES.RECON;
+    return this.promptBuilder.build(this.userInput, phase);
+  }
+  emitStart(userInput) {
+    this.events.emit({
+      type: "start",
+      timestamp: Date.now(),
+      data: { userInput, phase: this.state.getPhase() }
+    });
+  }
+  emitStateChange() {
+    this.events.emit({
+      type: "state_change",
+      timestamp: Date.now(),
+      data: {
+        phase: this.state.getPhase(),
+        targets: this.state.getTargets().size,
+        findings: this.state.getFindings().length,
+        todo: this.state.getTodo().length,
+        loot: this.state.getLoot().length
+      }
+    });
+  }
+  // --- Public API Surface ---
+  setAutoApprove(enabled) {
+    this.approvalGate.setAutoApprove(enabled);
+  }
+  getState() {
+    return this.state;
+  }
+  getPhase() {
+    return this.state.getPhase() || PHASES.RECON;
+  }
+  getEventEmitter() {
+    return this.events;
+  }
+  setScope(allowed, exclusions = []) {
+    this.state.setScope({
+      allowedCidrs: allowed.filter((a) => a.includes("/")),
+      allowedDomains: allowed.filter((a) => !a.includes("/")),
+      exclusions,
+      noDOS: true,
+      noSocial: true
+    });
+  }
+  addTarget(ip) {
+    this.state.addTarget({
+      ip,
+      ports: [],
+      tags: [],
+      firstSeen: Date.now(),
+      hostname: ""
+    });
+    this.emitStateChange();
+  }
+};
+// src/shared/constants/thought.ts
+var THOUGHT_TYPE = {
+  THINKING: "thinking",
+  // LLM text streaming
+  REASONING: "reasoning",
+  // LLM extended thinking
+  PLANNING: "planning",
+  // Strategic planning
+  OBSERVATION: "observation",
+  // Observing results
+  HYPOTHESIS: "hypothesis",
+  // Forming hypothesis
+  REFLECTION: "reflection",
+  // Self-reflection
+  ACTION: "action",
+  // Taking action
+  RESULT: "result",
+  // Action result
+  STUCK: "stuck",
+  // Detected stuck state
+  BREAKTHROUGH: "breakthrough"
+  // Found breakthrough
+};
+// src/shared/constants/theme.ts
+var THEME = {
+  // Backgrounds (deep dark with blue tint)
+  bg: {
+    primary: "#050505",
+    // Deepest black
+    secondary: "#0a0c10",
+    // Dark void
+    tertiary: "#0f172a",
+    // Slate dark
+    elevated: "#1e293b",
+    // Bright slate
+    input: "#020617"
+    // Midnight
+  },
+  // Text colors
+  text: {
+    primary: "#f8fafc",
+    // Near white
+    secondary: "#94a3b8",
+    // Muted slate
+    muted: "#64748b",
+    // Blue-gray
+    accent: "#38bdf8",
+    // Sky blue
+    highlight: "#ffffff"
+    // Pure white
+  },
+  // Status colors
+  status: {
+    success: "#22c55e",
+    // Green
+    warning: "#f59e0b",
+    // Amber
+    error: "#ef4444",
+    // Red
+    info: "#3b82f6",
+    // Blue
+    running: "#0ea5e9",
+    // Sky
+    pending: "#64748b"
+    // Slate
+  },
+  // Severity colors
+  semantic: {
+    critical: "#7f1d1d",
+    // Dark red
+    high: "#ef4444",
+    // Red
+    medium: "#f97316",
+    // Orange
+    low: "#eab308",
+    // Yellow
+    info: "#3b82f6"
+    // Blue
+  },
+  // Border colors
+  border: {
+    default: "#1e293b",
+    focus: "#38bdf8",
+    error: "#ef4444",
+    success: "#22c55e"
+  },
+  // Phase colors
+  phase: {
+    recon: "#94a3b8",
+    enum: "#38bdf8",
+    vuln: "#f59e0b",
+    exploit: "#ef4444",
+    privesc: "#8b5cf6",
+    persist: "#22c55e",
+    report: "#64748b"
+  },
+  // Accent colors
+  accent: {
+    pink: "#f472b6",
+    rose: "#fb7185",
+    fuchsia: "#e879f9",
+    purple: "#a78bfa",
+    violet: "#8b5cf6",
+    indigo: "#818cf8",
+    blue: "#60a5fa",
+    cyan: "#22d3ee",
+    teal: "#2dd4bf",
+    emerald: "#34d399",
+    green: "#4ade80",
+    lime: "#a3e635",
+    yellow: "#facc15",
+    amber: "#fbbf24",
+    orange: "#fb923c",
+    red: "#f87171"
+  },
+  // Gradients
+  gradient: {
+    cyber: ["#00d4ff", "#00ff9f"],
+    danger: ["#ef4444", "#7f1d1d"],
+    success: ["#22c55e", "#14532d"],
+    gold: ["#f59e0b", "#78350f"],
+    royal: ["#818cf8", "#312e81"]
+  },
+  // Spinner color (Sky blue)
+  spinner: "#38bdf8",
+  // Identity color
+  identity: "#38bdf8"
+};
+var ASCII_BANNER = `
+  \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2557   \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2557\u2588\u2588\u2588\u2557   \u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557
+  \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551\u255A\u2550\u2550\u2588\u2588\u2554\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u255A\u2550\u2550\u2588\u2588\u2554\u2550\u2550\u255D\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D
+  \u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557   \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2551  \u2588\u2588\u2588\u2557
+  \u2588\u2588\u2554\u2550\u2550\u2550\u255D \u2588\u2588\u2554\u2550\u2550\u255D  \u2588\u2588\u2551\u255A\u2588\u2588\u2557\u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2554\u2550\u2550\u255D  \u255A\u2550\u2550\u2550\u2550\u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551\u255A\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2551   \u2588\u2588\u2551
+  \u2588\u2588\u2551     \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2551 \u255A\u2588\u2588\u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551 \u255A\u2588\u2588\u2588\u2588\u2551\u255A\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D
+  \u255A\u2550\u255D     \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D\u255A\u2550\u255D  \u255A\u2550\u2550\u2550\u255D   \u255A\u2550\u255D   \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D   \u255A\u2550\u255D   \u255A\u2550\u255D\u255A\u2550\u255D  \u255A\u2550\u2550\u2550\u255D \u255A\u2550\u2550\u2550\u2550\u2550\u255D
+  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+                  A U T O N O M O U S   S E C U R I T Y   A G E N T
+`;
+var THOUGHT_LABELS = {
+  [THOUGHT_TYPE.THINKING]: "[think]",
+  [THOUGHT_TYPE.REASONING]: "[reason]",
+  [THOUGHT_TYPE.PLANNING]: "[plan]",
+  [THOUGHT_TYPE.OBSERVATION]: "[observe]",
+  [THOUGHT_TYPE.HYPOTHESIS]: "[hypothesis]",
+  [THOUGHT_TYPE.REFLECTION]: "[reflect]",
+  [THOUGHT_TYPE.ACTION]: "[action]",
+  [THOUGHT_TYPE.RESULT]: "[result]",
+  [THOUGHT_TYPE.STUCK]: "[stuck]",
+  [THOUGHT_TYPE.BREAKTHROUGH]: "[!]"
+};
+// src/platform/tui/components/footer.tsx
+import { Box, Text } from "ink";
+import { jsx, jsxs } from "react/jsx-runtime";
+var Footer = ({ phase, targets, findings, todo, elapsedTime, isProcessing }) => {
+  return /* @__PURE__ */ jsxs(
+    Box,
+    {
+      paddingX: 1,
+      marginTop: 0,
+      justifyContent: "space-between",
+      children: [
+        /* @__PURE__ */ jsxs(Box, { gap: 2, children: [
+          /* @__PURE__ */ jsxs(Text, { color: THEME.text.accent, children: [
+            "Phase: ",
+            /* @__PURE__ */ jsx(Text, { color: THEME.text.primary, children: phase })
+          ] }),
+          /* @__PURE__ */ jsxs(Text, { color: THEME.text.secondary, children: [
+            "Targets: ",
+            /* @__PURE__ */ jsx(Text, { color: THEME.text.primary, children: targets })
+          ] }),
+          /* @__PURE__ */ jsxs(Text, { color: THEME.status.warning, children: [
+            "Findings: ",
+            /* @__PURE__ */ jsx(Text, { color: THEME.text.primary, children: findings })
+          ] }),
+          /* @__PURE__ */ jsxs(Text, { color: THEME.text.muted, children: [
+            "Tasks: ",
+            /* @__PURE__ */ jsx(Text, { color: THEME.text.primary, children: todo })
+          ] })
+        ] }),
+        /* @__PURE__ */ jsxs(Box, { children: [
+          /* @__PURE__ */ jsx(Text, { color: isProcessing ? THEME.status.running : THEME.text.muted, children: isProcessing ? "\u25CF Running " : "\u25CB Idle " }),
+          /* @__PURE__ */ jsxs(Text, { color: THEME.text.secondary, children: [
+            Math.floor(elapsedTime / 60),
+            "m ",
+            Math.floor(elapsedTime % 60),
+            "s"
+          ] })
+        ] })
+      ]
+    }
+  );
+};
+var footer_default = Footer;
+// src/platform/tui/app.tsx
+import { jsx as jsx2, jsxs as jsxs2 } from "react/jsx-runtime";
+var App = ({ autoApprove = false, target }) => {
+  const { exit } = useApp();
+  const [messages, setMessages] = useState([]);
+  const [input, setInput] = useState("");
+  const [isProcessing, setIsProcessing] = useState(false);
+  const [currentStatus, setCurrentStatus] = useState("");
+  const [elapsedTime, setElapsedTime] = useState(0);
+  const [thinking, setThinking] = useState({ isActive: false, content: "", phase: "" });
+  const [stats, setStats] = useState({
+    phase: "init",
+    targets: 0,
+    findings: 0,
+    todo: 0
+  });
+  const [agent] = useState(() => {
+    const ag = new MainAgent();
+    if (autoApprove) {
+      ag.setAutoApprove(true);
+    }
+    if (target) {
+      ag.addTarget(target);
+      ag.setScope([target]);
+    }
+    return ag;
+  });
+  const startTimeRef = useRef(0);
+  const timerRef = useRef(null);
+  const startTimer = useCallback(() => {
+    startTimeRef.current = Date.now();
+    timerRef.current = setInterval(() => {
+      setElapsedTime(Math.floor((Date.now() - startTimeRef.current) / 1e3));
+    }, 1e3);
+  }, []);
+  const stopTimer = useCallback(() => {
+    if (timerRef.current) {
+      clearInterval(timerRef.current);
+      timerRef.current = null;
+    }
+    const duration = Math.floor((Date.now() - startTimeRef.current) / 100) / 10;
+    setElapsedTime(0);
+    return duration;
+  }, []);
+  const addMessage = useCallback((type, content) => {
+    const id = Math.random().toString(36).substring(7);
+    setMessages((prev) => [...prev, { id, type, content, timestamp: /* @__PURE__ */ new Date() }]);
+  }, []);
+  useEffect(() => {
+    if (target) {
+      addMessage("system", `Target: ${target}`);
+    }
+    if (autoApprove) {
+      addMessage("system", "YOLO Mode: Auto-approving all tool executions");
+    }
+    const events = agent.getEventEmitter();
+    events.on("thinking_start", (event) => {
+      setThinking({ isActive: true, content: "", phase: event.data.phase });
+    });
+    events.on("thinking_delta", (event) => {
+      setThinking((prev) => {
+        const newContent = prev.content + event.data.content;
+        return {
+          ...prev,
+          content: newContent.slice(-500)
+          // Keep only last 500 chars for display
+        };
+      });
+    });
+    events.on("thinking_end", (event) => {
+      setThinking((prev) => ({ ...prev, isActive: false }));
+    });
+    events.on("tool_call", (event) => {
+      const data = event.data;
+      setCurrentStatus(`Executing: ${data.toolName}`);
+      let inputStr = "";
+      try {
+        if (data.input) {
+          const str = JSON.stringify(data.input);
+          inputStr = str.length > 50 ? str.substring(0, 47) + "..." : str;
+        }
+      } catch (e) {
+      }
+      addMessage("tool", `  \u23BF ${data.toolName} ${inputStr}`);
+    });
+    events.on("tool_result", (event) => {
+      const data = event.data;
+      const icon = data.success ? "\u2713" : "\u2717";
+      const output = data.output || "";
+      const preview = output.slice(0, 300).replace(/\n/g, " ");
+      const more = output.length > 300 ? "..." : "";
+      addMessage("result", `    ${icon} ${preview}${more}`);
+    });
+    events.on("think", (event) => {
+      const data = event.data;
+      const thought = data.thought.length > 100 ? data.thought.substring(0, 97) + "..." : data.thought;
+      setCurrentStatus(thought);
+    });
+    events.on("complete", (event) => {
+      const data = event.data;
+      addMessage("system", `\u2713 Complete (${data.toolsExecuted} tools)`);
+    });
+    events.on("error", (event) => {
+      const data = event.data;
+      addMessage("error", data.message || "An error occurred");
+    });
+    const updateStats = () => {
+      const state = agent.getState();
+      setStats({
+        phase: agent.getPhase(),
+        targets: state.getTargets().size,
+        findings: state.getFindings().length,
+        todo: state.getTodo().length
+      });
+    };
+    events.on("state_change", updateStats);
+    events.on("start", updateStats);
+    events.on("complete", updateStats);
+    updateStats();
+    return () => {
+      if (timerRef.current) clearInterval(timerRef.current);
+      events.off("state_change", updateStats);
+      events.off("start", updateStats);
+      events.off("complete", updateStats);
+    };
+  }, [agent, target, autoApprove, addMessage, startTimer]);
+  const handleExit = useCallback(async () => {
+    setCurrentStatus("Exiting");
+    if (timerRef.current) {
+      clearInterval(timerRef.current);
+    }
+    exit();
+  }, [exit]);
+  useEffect(() => {
+    const onExit = () => {
+      handleExit();
+    };
+    process.on("SIGINT", onExit);
+    process.on("SIGTERM", onExit);
+    return () => {
+      process.off("SIGINT", onExit);
+      process.off("SIGTERM", onExit);
+    };
+  }, [handleExit, exit]);
+  const handleSubmit = useCallback(async (value) => {
+    const trimmed = value.trim();
+    if (!trimmed) return;
+    setInput("");
+    addMessage("user", trimmed);
+    if (trimmed.startsWith("/")) {
+      const [cmd, ...args] = trimmed.slice(1).split(" ");
+      switch (cmd) {
+        case "help":
+        case "h":
+          addMessage("system", `
+\u2500\u2500 Commands \u2500\u2500
+/target <ip>     Set target
+/start [goal]    Start autonomous pentest
+/stop            Stop operation
+/findings        Show findings
+/status          Show status
+/clear           Clear screen
+/exit            Exit
+\u2500\u2500 Examples \u2500\u2500
+/target 192.168.1.1
+/start "Recon the target"
+/findings
+                    `);
+          return;
+        case "target":
+        case "t":
+          if (args[0]) {
+            agent.addTarget(args[0]);
+            agent.setScope([args[0]]);
+            addMessage("system", `Target \u2192 ${args[0]}`);
+          } else {
+            addMessage("system", "Usage: /target <ip>");
+          }
+          return;
+        case "start":
+        case "s":
+          if (!agent.getState().getTargets().size) {
+            addMessage("error", "Set target first: /target <ip>");
+            return;
+          }
+          setIsProcessing(true);
+          startTimer();
+          setCurrentStatus("Initializing");
+          addMessage("system", `Starting: ${args.join(" ") || "Perform comprehensive penetration testing"}`);
+          try {
+            await agent.execute(args.join(" ") || "Perform comprehensive penetration testing");
+          } catch (e) {
+            addMessage("error", e instanceof Error ? e.message : String(e));
+          }
+          stopTimer();
+          setIsProcessing(false);
+          setCurrentStatus("");
+          return;
+        case "stop":
+          addMessage("system", "Stopping...");
+          setIsProcessing(false);
+          setCurrentStatus("");
+          return;
+        case "findings":
+        case "f":
+          const findings = agent.getState().getFindings();
+          if (findings.length === 0) {
+            addMessage("system", "No findings.");
+          } else {
+            addMessage("system", `--- ${findings.length} Findings ---`);
+            findings.forEach((f) => addMessage("system", `[${f.severity}] ${f.title}`));
+          }
+          return;
+        case "status":
+          const state = agent.getState();
+          addMessage("system", `Status:
+   Phase: ${agent.getPhase()}
+   Targets: ${state.getTargets().size}
+   Findings: ${state.getFindings().length}
+   TODO: ${state.getTodo().length}
+                    `);
+          return;
+        case "clear":
+        case "c":
+          setMessages([]);
+          return;
+        case "exit":
+        case "quit":
+        case "q":
+          await handleExit();
+          return;
+        default:
+          addMessage("error", `Unknown command: /${cmd}`);
+          return;
+      }
+    }
+    setIsProcessing(true);
+    startTimer();
+    setCurrentStatus("Thinking");
+    try {
+      const response = await agent.execute(trimmed);
+      addMessage("assistant", response);
+    } catch (e) {
+      addMessage("error", e instanceof Error ? e.message : String(e));
+    } finally {
+      stopTimer();
+      setIsProcessing(false);
+      setCurrentStatus("");
+    }
+  }, [agent, addMessage, startTimer, stopTimer, handleExit]);
+  useInput((input2, key) => {
+    if (key.ctrl && input2 === "c") {
+      if (isProcessing) {
+        setIsProcessing(false);
+        stopTimer();
+        setCurrentStatus("");
+        addMessage("system", "Interrupted");
+      } else {
+        exit();
+      }
+      return;
+    }
+  });
+  return /* @__PURE__ */ jsxs2(Box2, { flexDirection: "column", paddingX: 1, children: [
+    /* @__PURE__ */ jsx2(Box2, { flexDirection: "column", marginBottom: 1, flexGrow: 1, children: /* @__PURE__ */ jsx2(Static, { items: messages, children: (msg) => {
+      const colors = {
+        user: THEME.text.accent,
+        assistant: THEME.text.primary,
+        system: THEME.text.muted,
+        error: THEME.status.error,
+        tool: THEME.status.running,
+        result: THEME.text.muted,
+        thinking: THEME.status.warning
+      };
+      const prefixes = {
+        user: "\u276F",
+        assistant: ">",
+        system: "\u2022",
+        error: "\u2717",
+        tool: "  \u23BF",
+        result: "  \u2713",
+        thinking: "\u{1F9E0}"
+      };
+      return /* @__PURE__ */ jsx2(Box2, { children: /* @__PURE__ */ jsxs2(Text2, { color: colors[msg.type], dimColor: msg.type === "result", children: [
+        prefixes[msg.type],
+        " ",
+        msg.content
+      ] }) }, msg.id);
+    } }) }),
+    /* @__PURE__ */ jsxs2(Box2, { flexDirection: "column", marginTop: 0, children: [
+      thinking.isActive && thinking.content && /* @__PURE__ */ jsxs2(Box2, { marginBottom: 1, children: [
+        /* @__PURE__ */ jsx2(Text2, { color: THEME.status.running, children: /* @__PURE__ */ jsx2(Spinner, { type: "dots" }) }),
+        /* @__PURE__ */ jsxs2(Text2, { color: THEME.text.muted, children: [
+          " ",
+          "Thinking: "
+        ] }),
+        /* @__PURE__ */ jsx2(Text2, { color: THEME.text.secondary, dimColor: true, children: thinking.content.slice(-200) })
+      ] }),
+      isProcessing && !thinking.isActive && /* @__PURE__ */ jsxs2(Box2, { marginBottom: 1, children: [
+        /* @__PURE__ */ jsx2(Text2, { color: THEME.spinner, children: /* @__PURE__ */ jsx2(Spinner, { type: "dots" }) }),
+        /* @__PURE__ */ jsxs2(Text2, { color: THEME.text.muted, children: [
+          " ",
+          currentStatus || "Processing"
+        ] })
+      ] }),
+      /* @__PURE__ */ jsx2(
+        Box2,
+        {
+          borderStyle: "single",
+          borderColor: THEME.border.default,
+          paddingX: 1,
+          children: /* @__PURE__ */ jsxs2(Box2, { children: [
+            /* @__PURE__ */ jsx2(Text2, { color: THEME.text.secondary, children: "\u25B8" }),
+            /* @__PURE__ */ jsx2(Text2, { children: " " }),
+            /* @__PURE__ */ jsx2(
+              TextInput,
+              {
+                value: input,
+                onChange: setInput,
+                onSubmit: handleSubmit,
+                placeholder: "Message or /help..."
+              }
+            )
+          ] })
+        }
+      ),
+      /* @__PURE__ */ jsx2(
+        footer_default,
+        {
+          phase: stats.phase,
+          targets: stats.targets,
+          findings: stats.findings,
+          todo: stats.todo,
+          elapsedTime,
+          isProcessing
+        }
+      )
+    ] })
+  ] });
+};
+var app_default = App;
+// src/shared/constants/_shared/signal.const.ts
+var EXIT_CODE = {
+  SUCCESS: 0,
+  ERROR: 1,
+  // Unix convention: 128 + signal number
+  SIGINT: 130,
+  // 128 + 2
+  SIGTERM: 143,
+  // 128 + 15
+  SIGKILL: 137
+  // 128 + 9
+};
+// src/platform/tui/main.tsx
+import { jsx as jsx3 } from "react/jsx-runtime";
+var program = new Command();
+program.name("pentesting").version(APP_VERSION).description(APP_DESCRIPTION).option("--dangerously-skip-permissions", "Skip all permission prompts (dangerous!)").option("-t, --target <target>", "Set initial target");
+program.command("interactive", { isDefault: true }).alias("i").description("Start interactive TUI mode").action(async () => {
+  const opts = program.opts();
+  const skipPermissions = opts.dangerouslySkipPermissions || false;
+  console.clear();
+  console.log(gradient([...THEME.gradient.cyber]).multiline(ASCII_BANNER));
+  console.log(
+    "   " + chalk.hex(THEME.text.secondary)(`v${APP_VERSION}`) + chalk.hex(THEME.text.muted)(" \u2502 ") + chalk.hex(THEME.text.accent)("Type /help for commands") + "\n"
+  );
+  if (skipPermissions) {
+    console.log(chalk.hex(THEME.status.error)("[!] WARNING: Running with --dangerously-skip-permissions"));
+    console.log(chalk.hex(THEME.status.error)("[!] All tool executions will be auto-approved!\n"));
+  }
+  const { waitUntilExit } = render(
+    /* @__PURE__ */ jsx3(
+      app_default,
+      {
+        autoApprove: skipPermissions,
+        target: opts.target
+      }
+    )
+  );
+  await waitUntilExit();
+});
+program.command("run <objective>").alias("r").description("Run a single objective and exit").option("-o, --output <file>", "Output file for results").option("--max-steps <n>", "Maximum number of steps", "50").action(async (objective, options) => {
+  const opts = program.opts();
+  const skipPermissions = opts.dangerouslySkipPermissions || false;
+  console.log(gradient([...THEME.gradient.cyber]).multiline(ASCII_BANNER));
+  if (skipPermissions) {
+    console.log(chalk.hex(THEME.status.error)("[!] WARNING: Running with --dangerously-skip-permissions\n"));
+  }
+  console.log(chalk.hex(THEME.text.accent)(`[target] Objective: ${objective}
+`));
+  const agent = new MainAgent();
+  if (skipPermissions) {
+    agent.setAutoApprove(true);
+  }
+  if (opts.target) {
+    agent.addTarget(opts.target);
+    agent.setScope([opts.target]);
+  }
+  const shutdown = async (exitCode = 0) => {
+    process.exit(exitCode);
+  };
+  process.on("SIGINT", () => shutdown(EXIT_CODE.SIGINT));
+  process.on("SIGTERM", () => shutdown(EXIT_CODE.SIGTERM));
+  try {
+    const result = await agent.execute(objective);
+    console.log(chalk.hex(THEME.status.success)("\n[+] Assessment complete!\n"));
+    console.log(result);
+    if (options.output) {
+      const fs = await import("fs/promises");
+      await fs.writeFile(options.output, JSON.stringify({ result }, null, 2));
+      console.log(chalk.hex(THEME.text.accent)(`
+[+] Report saved to: ${options.output}`));
+    }
+    await shutdown(0);
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    console.error(chalk.hex(THEME.status.error)(`
+[-] Failed: ${errorMessage}`));
+    await shutdown(1);
+  }
+});
+program.command("scan <target>").description("Quick scan a target").option("-s, --scan-type <type>", "Scan type (quick|full|stealth|service|vuln)", "quick").option("-p, --ports <ports>", "Specific ports to scan").action(async (target, options) => {
+  const opts = program.opts();
+  const skipPermissions = opts.dangerouslySkipPermissions || false;
+  console.log(gradient([...THEME.gradient.cyber]).multiline(ASCII_BANNER));
+  console.log(chalk.hex(THEME.text.accent)(`
+[scan] Target: ${target} (${options.scanType})
+`));
+  const agent = new MainAgent();
+  if (skipPermissions) {
+    agent.setAutoApprove(true);
+  }
+  agent.addTarget(target);
+  agent.setScope([target]);
+  const shutdown = async (exitCode = 0) => {
+    process.exit(exitCode);
+  };
+  process.on("SIGINT", () => shutdown(EXIT_CODE.SIGINT));
+  process.on("SIGTERM", () => shutdown(EXIT_CODE.SIGTERM));
+  try {
+    await agent.execute(`Perform a ${options.scanType} scan on ${target}${options.ports ? ` focusing on ports ${options.ports}` : ""}. Analyze the results and identify potential vulnerabilities.`);
+    console.log(chalk.hex(THEME.status.success)("[+] Scan complete!"));
+    await shutdown(0);
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    console.error(chalk.hex(THEME.status.error)(`[-] Scan failed: ${errorMessage}`));
+    await shutdown(1);
+  }
+});
+program.command("help-extended").description("Show extended help with examples").action(() => {
+  console.log(gradient([...THEME.gradient.cyber]).multiline(ASCII_BANNER));
+  console.log(`
+${chalk.hex(THEME.text.accent)(APP_NAME + " - Autonomous Penetration Testing AI")}
+${chalk.hex(THEME.status.warning)("Usage:")}
+  ${chalk.hex(THEME.status.success)("$ pentesting")}                                   Start interactive mode
+  ${chalk.hex(THEME.status.success)("$ pentesting -t 192.168.1.1")}                     Start with target
+  ${chalk.hex(THEME.status.success)("$ pentesting --dangerously-skip-permissions")}    Auto-approve all tools
+${chalk.hex(THEME.status.warning)("Commands:")}
+  ${chalk.hex(THEME.text.accent)("pentesting")}                       Interactive TUI mode
+  ${chalk.hex(THEME.text.accent)("pentesting run <objective>")}       Run single objective
+  ${chalk.hex(THEME.text.accent)("pentesting scan <target>")}         Quick scan target
+${chalk.hex(THEME.status.warning)("Options:")}
+  ${chalk.hex(THEME.text.accent)("--dangerously-skip-permissions")}    Skip all permission prompts
+  ${chalk.hex(THEME.text.accent)("-t, --target <ip>")}                 Set target
+  ${chalk.hex(THEME.text.accent)("-o, --output <file>")}               Save results to file
+${chalk.hex(THEME.status.warning)("Interactive Commands:")}
+  ${chalk.hex(THEME.text.accent)("/target <ip>")}     Set target
+  ${chalk.hex(THEME.text.accent)("/start")}           Start autonomous mode
+  ${chalk.hex(THEME.text.accent)("/config")}          Manage configuration
+  ${chalk.hex(THEME.text.accent)("/hint <text>")}     Provide hint
+  ${chalk.hex(THEME.text.accent)("/findings")}        Show findings
+  ${chalk.hex(THEME.text.accent)("/reset")}           Reset session
+${chalk.hex(THEME.status.warning)("Examples:")}
+  ${chalk.hex(THEME.text.muted)("# Full autonomous mode")}
+  $ pentesting --dangerously-skip-permissions -t 10.10.10.5
+  ${chalk.hex(THEME.text.muted)("# Run specific objective")}
+  $ pentesting run "Find SQL injection" -t http://target.com -o report.json
+  ${chalk.hex(THEME.text.muted)("# Quick vulnerability scan")}
+  $ pentesting scan 192.168.1.1 -s vuln
+${chalk.hex(THEME.status.warning)("Environment:")}
+  ${chalk.hex(THEME.text.accent)("PENTEST_API_KEY")}      Required - LLM API key
+  ${chalk.hex(THEME.text.accent)("PENTEST_BASE_URL")}     Optional - AI API base URL
+  ${chalk.hex(THEME.text.accent)("PENTEST_MODEL")}        Optional - Model override
+`);
+});
+program.parse();