pentesting 0.21.11 → 0.23.0

package/dist/main.js

@@ -90,7 +90,21 @@ var DISPLAY_LIMITS = {
   /** Max endpoints to sample */
   ENDPOINT_SAMPLE: 5,
   /** Purpose truncation length */
-  PURPOSE_TRUNCATE: 27
+  PURPOSE_TRUNCATE: 27,
+  /** Max characters for command description in background process */
+  COMMAND_DESCRIPTION_PREVIEW: 80,
+  /** Max characters for hash preview in tool output */
+  HASH_PREVIEW_LENGTH: 20,
+  /** Max characters for loot detail preview */
+  LOOT_DETAIL_PREVIEW: 30,
+  /** Max characters for link text preview in browser */
+  LINK_TEXT_PREVIEW: 100,
+  /** Prefix length for API key redaction in logs */
+  API_KEY_PREFIX: 8,
+  /** Prefix length for sensitive value redaction */
+  REDACT_PREFIX: 4,
+  /** Max characters for raw JSON error preview */
+  RAW_JSON_ERROR_PREVIEW: 500
 };
 var AGENT_LIMITS = {
   /** Maximum agent loop iterations — generous to allow complex tasks.
@@ -123,7 +137,17 @@ var AGENT_LIMITS = {
   /** Max chars of error text to include in web_search suggestion */
   ERROR_SEARCH_PREVIEW_SLICE: 50,
   /** How many consecutive identical blocks before warning + forcing alternative */
-  MAX_BLOCKED_BEFORE_WARN: 2
+  MAX_BLOCKED_BEFORE_WARN: 2,
+  /** Maximum action log entries to retain in memory.
+   *  WHY: actionLog grows unboundedly during long engagements.
+   *  Older entries are pruned to prevent memory bloat and oversized session files.
+   */
+  MAX_ACTION_LOG: 200,
+  /** Maximum session files to keep on disk.
+   *  WHY: Each save creates a timestamped .json in .pentesting/sessions/.
+   *  Without rotation, disk usage grows unboundedly across engagements.
+   */
+  MAX_SESSION_FILES: 10
 };
 
 // src/shared/constants/patterns.ts
@@ -150,14 +174,16 @@ var EXIT_CODES = {
   /** Process killed by SIGINT (Ctrl+C) */
   SIGINT: 130,
   /** Process killed by SIGTERM */
-  SIGTERM: 143
+  SIGTERM: 143,
+  /** Process killed by SIGKILL */
+  SIGKILL: 137
 };
 
 // src/shared/constants/agent.ts
 var ID_LENGTH = AGENT_LIMITS.ID_LENGTH;
 var ID_RADIX = AGENT_LIMITS.ID_RADIX;
 var APP_NAME = "Pentest AI";
-var APP_VERSION = "0.21.11";
+var APP_VERSION = "0.23.0";
 var APP_DESCRIPTION = "Autonomous Penetration Testing AI Agent";
 var LLM_ROLES = {
   SYSTEM: "system",
@@ -406,7 +432,8 @@ var EVENT_TYPES = {
   RETRY: "retry",
   USAGE_UPDATE: "usage_update",
   INPUT_REQUEST: "input_request",
-  LOG: "log"
+  LOG: "log",
+  FLAG_FOUND: "flag_found"
 };
 var UI_COMMANDS = {
   HELP: "help",
@@ -423,6 +450,7 @@ var UI_COMMANDS = {
   ASSETS_SHORT: "a",
   LOGS: "logs",
   LOGS_SHORT: "l",
+  CTF: "ctf",
   EXIT: "exit",
   QUIT: "quit",
   EXIT_SHORT: "q"
@@ -454,13 +482,13 @@ var DEFAULTS = {
 };
 
 // src/engine/process-manager.ts
-import { spawn as spawn2, execSync as execSync2 } from "child_process";
-import { readFileSync as readFileSync2, existsSync as existsSync3, unlinkSync, writeFileSync as writeFileSync2, appendFileSync } from "fs";
+import { spawn as spawn3, execSync as execSync2 } from "child_process";
+import { readFileSync as readFileSync2, existsSync as existsSync3, unlinkSync, writeFileSync as writeFileSync3, appendFileSync as appendFileSync2 } from "fs";
 
 // src/engine/tools-base.ts
-import { spawn } from "child_process";
-import { readFileSync, existsSync as existsSync2, writeFileSync } from "fs";
-import { join, dirname } from "path";
+import { spawn as spawn2 } from "child_process";
+import { readFileSync, existsSync as existsSync2, writeFileSync as writeFileSync2 } from "fs";
+import { join as join2, dirname } from "path";
 import { tmpdir } from "os";
 
 // src/shared/utils/file-utils.ts
@@ -569,7 +597,7 @@ var ORPHAN_PROCESS_NAMES = [
   "python"
 ];
 
-// src/shared/utils/command-validator.ts
+// src/shared/utils/command-security-lists.ts
 var ALLOWED_BINARIES = /* @__PURE__ */ new Set([
   // Network scanning
   "nmap",
@@ -797,6 +825,131 @@ var BLOCKED_BINARIES = /* @__PURE__ */ new Set([
   "nft",
   "crontab"
 ]);
+
+// src/shared/utils/debug-logger.ts
+import { appendFileSync, writeFileSync } from "fs";
+import { join } from "path";
+
+// src/shared/constants/paths.ts
+import path from "path";
+import { fileURLToPath } from "url";
+import { homedir } from "os";
+var __filename = fileURLToPath(import.meta.url);
+var __dirname = path.dirname(__filename);
+var PROJECT_ROOT = path.resolve(__dirname, "../../../");
+var WORKSPACE_DIR_NAME = ".pentesting";
+function getWorkspaceRoot() {
+  return path.join(homedir(), WORKSPACE_DIR_NAME);
+}
+var WORKSPACE = {
+  /** Root directory (resolved lazily via getWorkspaceRoot) */
+  get ROOT() {
+    return getWorkspaceRoot();
+  },
+  /** Per-session state snapshots */
+  get SESSIONS() {
+    return path.join(getWorkspaceRoot(), "sessions");
+  },
+  /** Debug logs */
+  get DEBUG() {
+    return path.join(getWorkspaceRoot(), "debug");
+  },
+  /** Generated reports */
+  get REPORTS() {
+    return path.join(getWorkspaceRoot(), "reports");
+  },
+  /** Downloaded loot, captured files */
+  get LOOT() {
+    return path.join(getWorkspaceRoot(), "loot");
+  },
+  /** Temporary files for active operations */
+  get TEMP() {
+    return path.join(getWorkspaceRoot(), "temp");
+  }
+};
+var PATHS = {
+  ROOT: PROJECT_ROOT,
+  SRC: path.join(PROJECT_ROOT, "src"),
+  DIST: path.join(PROJECT_ROOT, "dist")
+};
+
+// src/shared/utils/debug-logger.ts
+var DebugLogger = class _DebugLogger {
+  static instance;
+  logPath;
+  initialized = false;
+  constructor(clearOnInit = false) {
+    const debugDir = WORKSPACE.DEBUG;
+    try {
+      ensureDirExists(debugDir);
+      this.logPath = join(debugDir, "debug.log");
+      if (clearOnInit) {
+        this.clear();
+      }
+      this.initialized = true;
+      this.log("general", "=== DEBUG LOGGER INITIALIZED ===");
+      this.log("general", `Log file: ${this.logPath}`);
+    } catch (e) {
+      console.error("[DebugLogger] Failed to initialize:", e);
+      this.logPath = "";
+    }
+  }
+  static getInstance(clearOnInit = false) {
+    if (!_DebugLogger.instance) {
+      _DebugLogger.instance = new _DebugLogger(clearOnInit);
+    }
+    return _DebugLogger.instance;
+  }
+  /** Reset the singleton instance (used by initDebugLogger) */
+  static resetInstance(clearOnInit = false) {
+    _DebugLogger.instance = new _DebugLogger(clearOnInit);
+    return _DebugLogger.instance;
+  }
+  log(category, message, data) {
+    if (!this.initialized || !this.logPath) return;
+    try {
+      const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+      let logLine = `[${timestamp}] [${category.toUpperCase()}] ${message}`;
+      if (data !== void 0) {
+        logLine += ` | ${JSON.stringify(data)}`;
+      }
+      logLine += "\n";
+      appendFileSync(this.logPath, logLine);
+    } catch (e) {
+      console.error("[DebugLogger] Write error:", e);
+    }
+  }
+  logRaw(category, label, raw) {
+    if (!this.initialized || !this.logPath) return;
+    try {
+      const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+      const logLine = `[${timestamp}] [${category.toUpperCase()}] ${label}:
+${raw}
+---
+`;
+      appendFileSync(this.logPath, logLine);
+    } catch (e) {
+      console.error("[DebugLogger] Write error:", e);
+    }
+  }
+  clear() {
+    if (!this.logPath) return;
+    try {
+      writeFileSync(this.logPath, "");
+    } catch (e) {
+      console.error("[DebugLogger] Clear error:", e);
+    }
+  }
+};
+var logger = DebugLogger.getInstance(false);
+function initDebugLogger() {
+  DebugLogger.resetInstance(true);
+}
+function debugLog(category, message, data) {
+  logger.log(category, message, data);
+}
+
+// src/shared/utils/command-validator.ts
 function validateCommand(command) {
   if (!command || typeof command !== "string") {
     return { safe: false, error: "Empty or invalid command" };
@@ -891,7 +1044,7 @@ function validateSingleCommand(command) {
       };
     }
     if (!ALLOWED_BINARIES.has(binary)) {
-      console.warn(`[Security] Unknown binary '${binary}' - use with caution`);
+      debugLog("security", `Unknown binary '${binary}' - use with caution`);
     }
   }
   const redirectResult = validateRedirects(command);
@@ -990,7 +1143,8 @@ function extractBinary(command) {
   return binary.toLowerCase();
 }
 
-// src/engine/tools-base.ts
+// src/engine/tool-auto-installer.ts
+import { spawn } from "child_process";
 var TOOL_PACKAGE_MAP = {
   "nmap": { apt: "nmap", brew: "nmap" },
   "masscan": { apt: "masscan", brew: "masscan" },
@@ -1044,15 +1198,7 @@ var TOOL_PACKAGE_MAP = {
   "evil-winrm": { apt: "evil-winrm", brew: "evil-winrm" },
   "netexec": { apt: "netexec", brew: "netexec" }
 };
-var globalEventEmitter = null;
-function setCommandEventEmitter(emitter) {
-  globalEventEmitter = emitter;
-}
 var installedTools = /* @__PURE__ */ new Set();
-var globalInputHandler = null;
-function setInputHandler(handler) {
-  globalInputHandler = handler;
-}
 async function detectPackageManager() {
   const managers = [
     { name: "apt", check: "which apt-get" },
@@ -1089,7 +1235,7 @@ function isCommandNotFound(stderr, stdout) {
   const toolName = toolMatch ? toolMatch[1] : null;
   return { missing: true, toolName };
 }
-async function installTool(toolName) {
+async function installTool(toolName, eventEmitter, inputHandler) {
   const pkgInfo = TOOL_PACKAGE_MAP[toolName];
   if (!pkgInfo) {
     return {
@@ -1112,7 +1258,7 @@ async function installTool(toolName) {
     };
   }
   const packageName = pkgInfo[pkgManager] || pkgInfo.apt;
-  globalEventEmitter?.({
+  eventEmitter?.({
     type: COMMAND_EVENT_TYPES.TOOL_INSTALL,
     message: `Installing missing tool: ${toolName}`,
     detail: `Using ${pkgManager} to install ${packageName}`
@@ -1132,10 +1278,10 @@ async function installTool(toolName) {
     let stdout = "";
     let stderr = "";
     const checkForSudoPrompt = async (data) => {
-      if (!globalInputHandler) return;
+      if (!inputHandler) return;
       for (const pattern of INPUT_PROMPT_PATTERNS) {
         if (pattern.test(data)) {
-          const userInput = await globalInputHandler(data.trim());
+          const userInput = await inputHandler(data.trim());
           if (userInput !== null && child.stdin.writable) {
             child.stdin.write(userInput + "\n");
           }
@@ -1155,14 +1301,14 @@ async function installTool(toolName) {
     });
     child.on("close", (code) => {
       if (code === 0) {
-        globalEventEmitter?.({
+        eventEmitter?.({
           type: COMMAND_EVENT_TYPES.TOOL_INSTALLED,
           message: `Successfully installed: ${toolName}`,
           detail: `Package: ${packageName}`
         });
         resolve({ success: true, output: `Successfully installed ${toolName}` });
       } else {
-        globalEventEmitter?.({
+        eventEmitter?.({
           type: COMMAND_EVENT_TYPES.TOOL_INSTALL_FAILED,
           message: `Failed to install: ${toolName}`,
           detail: stderr.slice(0, SYSTEM_LIMITS.MAX_ERROR_DETAIL_SLICE)
@@ -1178,6 +1324,16 @@ async function installTool(toolName) {
     });
   });
 }
+
+// src/engine/tools-base.ts
+var globalEventEmitter = null;
+function setCommandEventEmitter(emitter) {
+  globalEventEmitter = emitter;
+}
+var globalInputHandler = null;
+function setInputHandler(handler) {
+  globalInputHandler = handler;
+}
 async function runCommand(command, args = [], options = {}) {
   const fullCommand = args.length > 0 ? `${command} ${args.join(" ")}` : command;
   const validation = validateCommand(fullCommand);
@@ -1206,7 +1362,7 @@ async function runCommand(command, args = [], options = {}) {
       message: `${STATUS_MARKERS.WARNING} Tool not found: ${toolName}`,
       detail: `Attempting to install...`
     });
-    const installResult = await installTool(toolName);
+    const installResult = await installTool(toolName, globalEventEmitter, globalInputHandler);
     if (!installResult.success) {
       return {
         success: false,
@@ -1231,7 +1387,7 @@ async function executeCommandOnce(command, args = [], options = {}) {
       type: COMMAND_EVENT_TYPES.COMMAND_START,
       message: `Executing: ${command.slice(0, DISPLAY_LIMITS.COMMAND_PREVIEW)}${command.length > DISPLAY_LIMITS.COMMAND_PREVIEW ? "..." : ""}`
     });
-    const child = spawn("sh", ["-c", command], {
+    const child = spawn2("sh", ["-c", command], {
       timeout,
       env: { ...process.env, ...options.env },
       cwd: options.cwd
@@ -1337,7 +1493,7 @@ async function writeFileContent(filePath, content) {
   try {
     const dir = dirname(filePath);
     ensureDirExists(dir);
-    writeFileSync(filePath, content, "utf-8");
+    writeFileSync2(filePath, content, "utf-8");
     return {
       success: true,
       output: `Written to ${filePath}`
@@ -1352,7 +1508,7 @@ async function writeFileContent(filePath, content) {
   }
 }
 function createTempFile(suffix = "") {
-  return join(tmpdir(), generateTempFilename(suffix));
+  return join2(tmpdir(), generateTempFilename(suffix));
 }
 
 // src/engine/process-detector.ts
@@ -1510,12 +1666,12 @@ function startBackgroundProcess(command, options = {}) {
   const { tags, port, role, isInteractive } = detectProcessRole(command);
   let wrappedCmd;
   if (isInteractive) {
-    writeFileSync2(stdinFile, "", "utf-8");
+    writeFileSync3(stdinFile, "", "utf-8");
     wrappedCmd = `tail -f ${stdinFile} | ${command} > ${stdoutFile} 2> ${stderrFile}`;
   } else {
     wrappedCmd = `${command} > ${stdoutFile} 2> ${stderrFile}`;
   }
-  const child = spawn2("sh", ["-c", wrappedCmd], {
+  const child = spawn3("sh", ["-c", wrappedCmd], {
     detached: true,
     stdio: "ignore",
     cwd: options.cwd,
@@ -1569,7 +1725,7 @@ async function sendToProcess(processId, input, waitMs = SYSTEM_LIMITS.DEFAULT_WA
   } catch {
   }
   try {
-    appendFileSync(proc.stdinFile, input + "\n", "utf-8");
+    appendFileSync2(proc.stdinFile, input + "\n", "utf-8");
   } catch (error) {
     return { success: false, output: `Failed to send input: ${error}`, newOutput: "" };
   }
@@ -1977,6 +2133,16 @@ var StateSerializer = class {
     if (resourceInfo) {
       lines.push(resourceInfo);
     }
+    if (state.isCtfMode()) {
+      lines.push(`Mode: CTF \u{1F3F4}`);
+      const flags = state.getFlags();
+      if (flags.length > 0) {
+        lines.push(`Flags Found (${flags.length}):`);
+        for (const f of flags) {
+          lines.push(`  \u{1F3F4} ${f}`);
+        }
+      }
+    }
     lines.push(`Phase: ${state.getPhase()}`);
     return lines.join("\n");
   }
@@ -1995,7 +2161,10 @@ var SharedState = class {
       actionLog: [],
       currentPhase: PHASES.RECON,
       missionSummary: "",
-      missionChecklist: []
+      missionChecklist: [],
+      ctfMode: true,
+      // CTF mode ON by default
+      flags: []
     };
   }
   // --- Mission & Persistent Context ---
@@ -2125,6 +2294,9 @@ var SharedState = class {
       timestamp: Date.now(),
       ...action
     });
+    if (this.data.actionLog.length > AGENT_LIMITS.MAX_ACTION_LOG) {
+      this.data.actionLog.splice(0, this.data.actionLog.length - AGENT_LIMITS.MAX_ACTION_LOG);
+    }
   }
   getRecentActions(count = DISPLAY_LIMITS.COMPACT_LIST_ITEMS) {
     return this.data.actionLog.slice(-count);
@@ -2135,6 +2307,21 @@ var SharedState = class {
   getPhase() {
     return this.data.currentPhase;
   }
+  // --- CTF Mode ---
+  setCtfMode(enabled) {
+    this.data.ctfMode = enabled;
+  }
+  isCtfMode() {
+    return this.data.ctfMode;
+  }
+  addFlag(flag) {
+    if (this.data.flags.includes(flag)) return false;
+    this.data.flags.push(flag);
+    return true;
+  }
+  getFlags() {
+    return this.data.flags;
+  }
   /**
    * @remarks
    * WHY: Delegating complex string builder to specialized serializer.
@@ -2534,7 +2721,7 @@ Used ports: ${usedPorts.join(", ")}
         }
         try {
           const proc = startBackgroundProcess(command, {
-            description: command.slice(0, 80),
+            description: command.slice(0, DISPLAY_LIMITS.COMMAND_DESCRIPTION_PREVIEW),
             purpose: params.purpose
           });
           const portInfo = proc.listeningPort ? `
@@ -2907,7 +3094,7 @@ Types: credential, hash, token, ssh_key, api_key, file, session, ticket, certifi
         success: true,
         output: `Loot recorded: [${lootType}] from ${p.host}
 Detail: ${p.detail}
-` + (crackableTypes.includes(lootType) ? `This is crackable. Consider: hash_crack({ hashes: "${p.detail.slice(0, 30)}..." })` : `Consider credential reuse / lateral movement with this loot.`)
+` + (crackableTypes.includes(lootType) ? `This is crackable. Consider: hash_crack({ hashes: "${p.detail.slice(0, DISPLAY_LIMITS.LOOT_DETAIL_PREVIEW)}..." })` : `Consider credential reuse / lateral movement with this loot.`)
       };
     }
   },
@@ -2941,10 +3128,10 @@ Detail: ${p.detail}
 import { execFileSync } from "child_process";
 
 // src/shared/utils/config.ts
-import path from "path";
-import { fileURLToPath } from "url";
-var __filename = fileURLToPath(import.meta.url);
-var __dirname = path.dirname(__filename);
+import path2 from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
+var __filename2 = fileURLToPath2(import.meta.url);
+var __dirname2 = path2.dirname(__filename2);
 var ENV_KEYS = {
   API_KEY: "PENTEST_API_KEY",
   BASE_URL: "PENTEST_BASE_URL",
@@ -2992,129 +3179,6 @@ var SEARCH_LIMIT = {
   TIMEOUT_MS: 1e4
 };
 
-// src/shared/utils/debug-logger.ts
-import { appendFileSync as appendFileSync2, writeFileSync as writeFileSync3 } from "fs";
-import { join as join2 } from "path";
-
-// src/shared/constants/paths.ts
-import path2 from "path";
-import { fileURLToPath as fileURLToPath2 } from "url";
-import { homedir } from "os";
-var __filename2 = fileURLToPath2(import.meta.url);
-var __dirname2 = path2.dirname(__filename2);
-var PROJECT_ROOT = path2.resolve(__dirname2, "../../../");
-var WORKSPACE_DIR_NAME = ".pentesting";
-function getWorkspaceRoot() {
-  return path2.join(homedir(), WORKSPACE_DIR_NAME);
-}
-var WORKSPACE = {
-  /** Root directory (resolved lazily via getWorkspaceRoot) */
-  get ROOT() {
-    return getWorkspaceRoot();
-  },
-  /** Per-session state snapshots */
-  get SESSIONS() {
-    return path2.join(getWorkspaceRoot(), "sessions");
-  },
-  /** Debug logs */
-  get DEBUG() {
-    return path2.join(getWorkspaceRoot(), "debug");
-  },
-  /** Generated reports */
-  get REPORTS() {
-    return path2.join(getWorkspaceRoot(), "reports");
-  },
-  /** Downloaded loot, captured files */
-  get LOOT() {
-    return path2.join(getWorkspaceRoot(), "loot");
-  },
-  /** Temporary files for active operations */
-  get TEMP() {
-    return path2.join(getWorkspaceRoot(), "temp");
-  }
-};
-var PATHS = {
-  ROOT: PROJECT_ROOT,
-  SRC: path2.join(PROJECT_ROOT, "src"),
-  DIST: path2.join(PROJECT_ROOT, "dist")
-};
-
-// src/shared/utils/debug-logger.ts
-var DebugLogger = class _DebugLogger {
-  static instance;
-  logPath;
-  initialized = false;
-  constructor(clearOnInit = false) {
-    const debugDir = WORKSPACE.DEBUG;
-    try {
-      ensureDirExists(debugDir);
-      this.logPath = join2(debugDir, "debug.log");
-      if (clearOnInit) {
-        this.clear();
-      }
-      this.initialized = true;
-      this.log("general", "=== DEBUG LOGGER INITIALIZED ===");
-      this.log("general", `Log file: ${this.logPath}`);
-    } catch (e) {
-      console.error("[DebugLogger] Failed to initialize:", e);
-      this.logPath = "";
-    }
-  }
-  static getInstance(clearOnInit = false) {
-    if (!_DebugLogger.instance) {
-      _DebugLogger.instance = new _DebugLogger(clearOnInit);
-    }
-    return _DebugLogger.instance;
-  }
-  /** Reset the singleton instance (used by initDebugLogger) */
-  static resetInstance(clearOnInit = false) {
-    _DebugLogger.instance = new _DebugLogger(clearOnInit);
-    return _DebugLogger.instance;
-  }
-  log(category, message, data) {
-    if (!this.initialized || !this.logPath) return;
-    try {
-      const timestamp = (/* @__PURE__ */ new Date()).toISOString();
-      let logLine = `[${timestamp}] [${category.toUpperCase()}] ${message}`;
-      if (data !== void 0) {
-        logLine += ` | ${JSON.stringify(data)}`;
-      }
-      logLine += "\n";
-      appendFileSync2(this.logPath, logLine);
-    } catch (e) {
-      console.error("[DebugLogger] Write error:", e);
-    }
-  }
-  logRaw(category, label, raw) {
-    if (!this.initialized || !this.logPath) return;
-    try {
-      const timestamp = (/* @__PURE__ */ new Date()).toISOString();
-      const logLine = `[${timestamp}] [${category.toUpperCase()}] ${label}:
-${raw}
----
-`;
-      appendFileSync2(this.logPath, logLine);
-    } catch (e) {
-      console.error("[DebugLogger] Write error:", e);
-    }
-  }
-  clear() {
-    if (!this.logPath) return;
-    try {
-      writeFileSync3(this.logPath, "");
-    } catch (e) {
-      console.error("[DebugLogger] Clear error:", e);
-    }
-  }
-};
-var logger = DebugLogger.getInstance(false);
-function initDebugLogger() {
-  DebugLogger.resetInstance(true);
-}
-function debugLog(category, message, data) {
-  logger.log(category, message, data);
-}
-
 // src/engine/tools/web-browser.ts
 import { join as join5 } from "path";
 import { tmpdir as tmpdir3 } from "os";
@@ -3166,7 +3230,7 @@ var PLAYWRIGHT_SCRIPT = {
 };
 
 // src/engine/tools/web-browser-setup.ts
-import { spawn as spawn3 } from "child_process";
+import { spawn as spawn4 } from "child_process";
 import { existsSync as existsSync4 } from "fs";
 import { join as join3, dirname as dirname2 } from "path";
 function getPlaywrightPath() {
@@ -3187,12 +3251,12 @@ function getPlaywrightPath() {
 async function checkPlaywright() {
   try {
     const result2 = await new Promise((resolve) => {
-      const child = spawn3(PLAYWRIGHT_CMD.NPM, [PLAYWRIGHT_CMD.PLAYWRIGHT, PLAYWRIGHT_ACTION.VERSION], { shell: true });
+      const child = spawn4(PLAYWRIGHT_CMD.NPM, [PLAYWRIGHT_CMD.PLAYWRIGHT, PLAYWRIGHT_ACTION.VERSION], { shell: true });
       let stdout = "";
       child.stdout.on("data", (data) => stdout += data);
       child.on("close", (code) => {
         if (code === 0) {
-          const browserCheck = spawn3(PLAYWRIGHT_CMD.NPM, [PLAYWRIGHT_CMD.PLAYWRIGHT, PLAYWRIGHT_BROWSER.CHROMIUM, PLAYWRIGHT_ACTION.HELP], { shell: true });
+          const browserCheck = spawn4(PLAYWRIGHT_CMD.NPM, [PLAYWRIGHT_CMD.PLAYWRIGHT, PLAYWRIGHT_BROWSER.CHROMIUM, PLAYWRIGHT_ACTION.HELP], { shell: true });
           browserCheck.on("close", (browserCode) => {
             resolve({ installed: true, browserInstalled: browserCode === 0 });
           });
@@ -3210,7 +3274,7 @@ async function checkPlaywright() {
 }
 async function installPlaywright() {
   return new Promise((resolve) => {
-    const child = spawn3(PLAYWRIGHT_CMD.NPM, [PLAYWRIGHT_CMD.PLAYWRIGHT, PLAYWRIGHT_ACTION.INSTALL, PLAYWRIGHT_BROWSER.CHROMIUM], {
+    const child = spawn4(PLAYWRIGHT_CMD.NPM, [PLAYWRIGHT_CMD.PLAYWRIGHT, PLAYWRIGHT_ACTION.INSTALL, PLAYWRIGHT_BROWSER.CHROMIUM], {
       shell: true,
       stdio: ["ignore", "pipe", "pipe"]
     });
@@ -3232,7 +3296,7 @@ async function installPlaywright() {
 }
 
 // src/engine/tools/web-browser-script.ts
-import { spawn as spawn4 } from "child_process";
+import { spawn as spawn5 } from "child_process";
 import { writeFileSync as writeFileSync4, unlinkSync as unlinkSync2 } from "fs";
 import { join as join4 } from "path";
 import { tmpdir as tmpdir2 } from "os";
@@ -3259,7 +3323,7 @@ function runPlaywrightScript(script, timeout, scriptPrefix) {
       join4(process.cwd(), "node_modules"),
       process.env.NODE_PATH || ""
     ].filter(Boolean).join(":");
-    const child = spawn4(PLAYWRIGHT_CMD.NODE, [scriptPath], {
+    const child = spawn5(PLAYWRIGHT_CMD.NODE, [scriptPath], {
       timeout: timeout + PLAYWRIGHT_SCRIPT.SPAWN_TIMEOUT_BUFFER_MS,
       env: { ...process.env, NODE_PATH: nodePathDirs }
     });
@@ -3362,7 +3426,7 @@ const { chromium } = require(${safePlaywrightPath});
         result.links = await page.evaluate(() => {
             return Array.from(document.querySelectorAll('a[href]')).map(a => ({
                 href: a.href,
-                text: a.textContent.trim().slice(0, 100)
+                text: a.textContent.trim().slice(0, ${DISPLAY_LIMITS.LINK_TEXT_PREVIEW})
             })).slice(0, ${BROWSER_LIMITS.MAX_LINKS_EXTRACTION});
         });` : ""}
 
@@ -3411,11 +3475,11 @@ function formatBrowserOutput(data, options) {
   }
   if (data.links && options.extractLinks && data.links.length > 0) {
     lines.push(`## Links (${data.links.length} found)`);
-    data.links.slice(0, 20).forEach((link) => {
+    data.links.slice(0, DISPLAY_LIMITS.LINKS_PREVIEW).forEach((link) => {
       lines.push(`- [${link.text || "no text"}](${link.href})`);
     });
-    if (data.links.length > 20) {
-      lines.push(`... and ${data.links.length - 20} more`);
+    if (data.links.length > DISPLAY_LIMITS.LINKS_PREVIEW) {
+      lines.push(`... and ${data.links.length - DISPLAY_LIMITS.LINKS_PREVIEW} more`);
     }
     lines.push("");
   }
@@ -3570,146 +3634,10 @@ async function webSearchWithBrowser(query, engine = "google") {
   });
 }
 
-// src/engine/tools-mid.ts
+// src/engine/web-search-providers.ts
 function getErrorMessage(error) {
   return error instanceof Error ? error.message : String(error);
 }
-async function parseNmap(xmlPath) {
-  try {
-    const fileResult = await readFileContent(xmlPath);
-    if (!fileResult.success) {
-      return fileResult;
-    }
-    const xmlContent = fileResult.output;
-    const results = {
-      targets: [],
-      summary: { totalTargets: 0, openPorts: 0, servicesFound: 0 }
-    };
-    const hostRegex = /<host[^>]*>[\s\S]*?<\/host>/g;
-    const hosts = xmlContent.match(hostRegex) || [];
-    for (const hostBlock of hosts) {
-      const ipMatch = hostBlock.match(/<address[^>]*addr="([^"]+)"/);
-      const ip = ipMatch ? ipMatch[1] : "";
-      const hostnameMatch = hostBlock.match(/<hostname[^>]*name="([^"]+)"/);
-      const hostname = hostnameMatch ? hostnameMatch[1] : void 0;
-      const ports = [];
-      const portRegex = /<port[^>]*protocol="([^"]*)"[^>]*portid="(\d+)">[\s\S]*?<\/port>/g;
-      let portMatch;
-      while ((portMatch = portRegex.exec(hostBlock)) !== null) {
-        const protocol = portMatch[1];
-        const port = parseInt(portMatch[2]);
-        const stateMatch = portMatch[0].match(/<state[^>]*state="([^"]+)"/);
-        const state = stateMatch ? stateMatch[1] : "";
-        const serviceMatch = portMatch[0].match(/<service[^>]*name="([^"]*)"(?:[^>]*version="([^"]*)")?/);
-        const service = serviceMatch ? serviceMatch[1] : void 0;
-        const version = serviceMatch && serviceMatch[2] ? serviceMatch[2] : void 0;
-        if (state === "open") {
-          ports.push({ port, protocol, state, service, version });
-          results.summary.openPorts++;
-          if (service) results.summary.servicesFound++;
-        }
-      }
-      if (ip) {
-        results.targets.push({ ip, hostname, ports });
-        results.summary.totalTargets++;
-      }
-    }
-    return {
-      success: true,
-      output: JSON.stringify(results, null, 2)
-    };
-  } catch (error) {
-    return {
-      success: false,
-      output: "",
-      error: getErrorMessage(error)
-    };
-  }
-}
-async function searchCVE(service, version) {
-  try {
-    return searchExploitDB(service, version);
-  } catch (error) {
-    return {
-      success: false,
-      output: "",
-      error: getErrorMessage(error)
-    };
-  }
-}
-async function searchExploitDB(service, version) {
-  try {
-    const query = version ? `${service} ${version}` : service;
-    try {
-      const output = execFileSync("searchsploit", [query, "--color", "never"], {
-        encoding: "utf-8",
-        stdio: ["ignore", "pipe", "pipe"],
-        timeout: SEARCH_LIMIT.TIMEOUT_MS
-      });
-      const lines = output.trim().split("\n").slice(0, SEARCH_LIMIT.MAX_OUTPUT_LINES);
-      return {
-        success: true,
-        output: lines.join("\n") || `No exploits found for ${query}`
-      };
-    } catch (e) {
-      const execError = e;
-      const stderr = String(execError.stderr || "");
-      const stdout = String(execError.stdout || "");
-      if (stderr.includes("No results")) {
-        return {
-          success: true,
-          output: `No exploits found for ${query}`
-        };
-      }
-      return {
-        success: true,
-        output: stdout || `No exploits found for ${query}`
-      };
-    }
-  } catch (error) {
-    return {
-      success: false,
-      output: "",
-      error: getErrorMessage(error)
-    };
-  }
-}
-async function webSearch(query, _engine) {
-  debugLog("search", "webSearch START", { query });
-  try {
-    const apiKey = getSearchApiKey();
-    const apiUrl = getSearchApiUrl();
-    debugLog("search", "Search API config", {
-      hasApiKey: !!apiKey,
-      apiUrl,
-      apiKeyPrefix: apiKey ? apiKey.slice(0, 8) + "..." : null
-    });
-    if (apiKey) {
-      if (apiUrl.includes(SEARCH_URL_PATTERN.GLM) || apiUrl.includes(SEARCH_URL_PATTERN.ZHIPU)) {
-        debugLog("search", "Using GLM search");
-        return await searchWithGLM(query, apiKey, apiUrl);
-      } else if (apiUrl.includes(SEARCH_URL_PATTERN.BRAVE)) {
-        debugLog("search", "Using Brave search");
-        return await searchWithBrave(query, apiKey, apiUrl);
-      } else if (apiUrl.includes(SEARCH_URL_PATTERN.SERPER)) {
-        debugLog("search", "Using Serper search");
-        return await searchWithSerper(query, apiKey, apiUrl);
-      } else {
-        debugLog("search", "Using generic search API");
-        return await searchWithGenericApi(query, apiKey, apiUrl);
-      }
-    }
-    debugLog("search", "SEARCH_API_KEY not set \u2014 falling back to Playwright Google search");
-    return await searchWithPlaywright(query);
-  } catch (error) {
-    debugLog("search", "webSearch ERROR", { error: getErrorMessage(error) });
-    return {
-      success: false,
-      output: "",
-      error: getErrorMessage(error)
-    };
-  }
-}
 async function searchWithGLM(query, apiKey, apiUrl) {
   debugLog("search", "GLM request START", { apiUrl, query });
   const requestBody = {
@@ -3836,24 +3764,165 @@ async function searchWithGenericApi(query, apiKey, apiUrl) {
 async function searchWithPlaywright(query) {
   debugLog("search", "Playwright Google search START", { query });
   try {
-    const result2 = await webSearchWithBrowser(query, "google");
-    if (!result2.success) {
+    const result2 = await webSearchWithBrowser(query, "google");
+    if (!result2.success) {
+      return {
+        success: false,
+        output: "",
+        error: `Playwright search failed: ${result2.error}. Set SEARCH_API_KEY for reliable search (Brave API by default).`
+      };
+    }
+    debugLog("search", "Playwright Google search COMPLETE", { outputLength: result2.output.length });
+    return {
+      success: true,
+      output: result2.output || `No results found for: ${query}`
+    };
+  } catch (error) {
+    return {
+      success: false,
+      output: "",
+      error: `Playwright search error: ${getErrorMessage(error)}. Set SEARCH_API_KEY for reliable search (Brave API by default).`
+    };
+  }
+}
+
+// src/engine/tools-mid.ts
+function getErrorMessage2(error) {
+  return error instanceof Error ? error.message : String(error);
+}
+async function parseNmap(xmlPath) {
+  try {
+    const fileResult = await readFileContent(xmlPath);
+    if (!fileResult.success) {
+      return fileResult;
+    }
+    const xmlContent = fileResult.output;
+    const results = {
+      targets: [],
+      summary: { totalTargets: 0, openPorts: 0, servicesFound: 0 }
+    };
+    const hostRegex = /<host[^>]*>[\s\S]*?<\/host>/g;
+    const hosts = xmlContent.match(hostRegex) || [];
+    for (const hostBlock of hosts) {
+      const ipMatch = hostBlock.match(/<address[^>]*addr="([^"]+)"/);
+      const ip = ipMatch ? ipMatch[1] : "";
+      const hostnameMatch = hostBlock.match(/<hostname[^>]*name="([^"]+)"/);
+      const hostname = hostnameMatch ? hostnameMatch[1] : void 0;
+      const ports = [];
+      const portRegex = /<port[^>]*protocol="([^"]*)"[^>]*portid="(\d+)">[\s\S]*?<\/port>/g;
+      let portMatch;
+      while ((portMatch = portRegex.exec(hostBlock)) !== null) {
+        const protocol = portMatch[1];
+        const port = parseInt(portMatch[2]);
+        const stateMatch = portMatch[0].match(/<state[^>]*state="([^"]+)"/);
+        const state = stateMatch ? stateMatch[1] : "";
+        const serviceMatch = portMatch[0].match(/<service[^>]*name="([^"]*)"(?:[^>]*version="([^"]*)")?/);
+        const service = serviceMatch ? serviceMatch[1] : void 0;
+        const version = serviceMatch && serviceMatch[2] ? serviceMatch[2] : void 0;
+        if (state === "open") {
+          ports.push({ port, protocol, state, service, version });
+          results.summary.openPorts++;
+          if (service) results.summary.servicesFound++;
+        }
+      }
+      if (ip) {
+        results.targets.push({ ip, hostname, ports });
+        results.summary.totalTargets++;
+      }
+    }
+    return {
+      success: true,
+      output: JSON.stringify(results, null, 2)
+    };
+  } catch (error) {
+    return {
+      success: false,
+      output: "",
+      error: getErrorMessage2(error)
+    };
+  }
+}
+async function searchCVE(service, version) {
+  try {
+    return searchExploitDB(service, version);
+  } catch (error) {
+    return {
+      success: false,
+      output: "",
+      error: getErrorMessage2(error)
+    };
+  }
+}
+async function searchExploitDB(service, version) {
+  try {
+    const query = version ? `${service} ${version}` : service;
+    try {
+      const output = execFileSync("searchsploit", [query, "--color", "never"], {
+        encoding: "utf-8",
+        stdio: ["ignore", "pipe", "pipe"],
+        timeout: SEARCH_LIMIT.TIMEOUT_MS
+      });
+      const lines = output.trim().split("\n").slice(0, SEARCH_LIMIT.MAX_OUTPUT_LINES);
       return {
-        success: false,
-        output: "",
-        error: `Playwright search failed: ${result2.error}. Set SEARCH_API_KEY for reliable search (Brave API by default).`
+        success: true,
+        output: lines.join("\n") || `No exploits found for ${query}`
+      };
+    } catch (e) {
+      const execError = e;
+      const stderr = String(execError.stderr || "");
+      const stdout = String(execError.stdout || "");
+      if (stderr.includes("No results")) {
+        return {
+          success: true,
+          output: `No exploits found for ${query}`
+        };
+      }
+      return {
+        success: true,
+        output: stdout || `No exploits found for ${query}`
       };
     }
-    debugLog("search", "Playwright Google search COMPLETE", { outputLength: result2.output.length });
+  } catch (error) {
     return {
-      success: true,
-      output: result2.output || `No results found for: ${query}`
+      success: false,
+      output: "",
+      error: getErrorMessage2(error)
     };
+  }
+}
+async function webSearch(query, _engine) {
+  debugLog("search", "webSearch START", { query });
+  try {
+    const apiKey = getSearchApiKey();
+    const apiUrl = getSearchApiUrl();
+    debugLog("search", "Search API config", {
+      hasApiKey: !!apiKey,
+      apiUrl,
+      apiKeyPrefix: apiKey ? apiKey.slice(0, DISPLAY_LIMITS.API_KEY_PREFIX) + "..." : null
+    });
+    if (apiKey) {
+      if (apiUrl.includes(SEARCH_URL_PATTERN.GLM) || apiUrl.includes(SEARCH_URL_PATTERN.ZHIPU)) {
+        debugLog("search", "Using GLM search");
+        return await searchWithGLM(query, apiKey, apiUrl);
+      } else if (apiUrl.includes(SEARCH_URL_PATTERN.BRAVE)) {
+        debugLog("search", "Using Brave search");
+        return await searchWithBrave(query, apiKey, apiUrl);
+      } else if (apiUrl.includes(SEARCH_URL_PATTERN.SERPER)) {
+        debugLog("search", "Using Serper search");
+        return await searchWithSerper(query, apiKey, apiUrl);
+      } else {
+        debugLog("search", "Using generic search API");
+        return await searchWithGenericApi(query, apiKey, apiUrl);
+      }
+    }
+    debugLog("search", "SEARCH_API_KEY not set \u2014 falling back to Playwright Google search");
+    return await searchWithPlaywright(query);
   } catch (error) {
+    debugLog("search", "webSearch ERROR", { error: getErrorMessage2(error) });
     return {
       success: false,
       output: "",
-      error: `Playwright search error: ${getErrorMessage(error)}. Set SEARCH_API_KEY for reliable search (Brave API by default).`
+      error: getErrorMessage2(error)
     };
   }
 }
@@ -4185,6 +4254,10 @@ Can extract forms and inputs for security testing.`,
   {
     name: TOOL_NAMES.GET_OWASP_KNOWLEDGE,
     description: `Get OWASP Top 10 vulnerability knowledge (2017, 2021, 2025 editions).
+This is BOOTSTRAP knowledge for initial direction. Use it to quickly
+orient your attack approach, then try attacks based on what you learn.
+If built-in knowledge isn't enough, use web_search for version-specific details.
+
 Returns structured information about:
 - OWASP Top 10 category details (detection methods, test payloads, tools)
 - Common vulnerability patterns
@@ -4263,10 +4336,14 @@ Returns a step-by-step guide for:
   },
   {
     name: TOOL_NAMES.GET_CVE_INFO,
-    description: `Get information about known CVEs. Use this to:
-- Look up vulnerability details
-- Check if a service version has known vulnerabilities
-- Get exploit information
+    description: `Get information about known CVEs from local bootstrap database.
+This is a STARTING POINT \u2014 use it first for quick lookups on major CVEs.
+If the CVE isn't found locally or you need more detail, then use web_search.
+
+Use this to:
+- Quick-check if a well-known CVE exists locally
+- Get initial exploit hints for common vulnerabilities
+- If not found or insufficient, use web_search for full details and PoCs
 
 Includes critical CVEs like Log4Shell, Spring4Shell, EternalBlue, XZ Backdoor, etc.
 If CVE not found locally, use web_search to find it online.`,
@@ -4634,7 +4711,7 @@ Common wordlists are automatically searched in /usr/share/wordlists (rockyou.txt
       const cmd = `hashcat -m ${format || HASHCAT_MODES.MD5} "${hashes}" "${wordlistPath}" --force`;
       if (background) {
         const proc = startBackgroundProcess(cmd, {
-          description: `Cracking hashes: ${hashes.slice(0, 20)}...`,
+          description: `Cracking hashes: ${hashes.slice(0, DISPLAY_LIMITS.HASH_PREVIEW_LENGTH)}...`,
           purpose: `Attempting to crack ${format || "unknown"} hashes using ${wordlist}`
         });
         return {
@@ -4741,72 +4818,61 @@ Returns: All available wordlists with their paths, sizes, and categories.`,
         "/usr/share/dirb/",
         "/opt/wordlists/"
       ];
-      const results = [];
-      results.push("# Available Wordlists on System\\n");
+      const CATEGORY_KEYWORDS = {
+        passwords: ["password", "rockyou"],
+        usernames: ["user"],
+        web: ["web", "content", "raft"],
+        dns: ["dns", "subdomain"],
+        fuzzing: ["fuzz", "injection"],
+        api: ["api"]
+      };
+      const WORDLIST_EXTENSIONS = /* @__PURE__ */ new Set(["txt", "lst", "dict", "list", "wlist"]);
+      const SKIP_DIRS = /* @__PURE__ */ new Set([".", "doc"]);
+      const matchesCategory = (filePath) => {
+        if (!category) return true;
+        const pathLower = filePath.toLowerCase();
+        const keywords = CATEGORY_KEYWORDS[category.toLowerCase()] || [category.toLowerCase()];
+        return keywords.some((kw) => pathLower.includes(kw));
+      };
+      const matchesSearch = (filePath, fileName) => {
+        if (!search) return true;
+        const q = search.toLowerCase();
+        return fileName.toLowerCase().includes(q) || filePath.toLowerCase().includes(q);
+      };
+      const results = ["# Available Wordlists on System\\n"];
       let totalCount = 0;
-      const scanDir = (dirPath, maxDepth = 3, currentDepth = 0) => {
-        if (currentDepth > maxDepth) return;
-        if (!existsSync7(dirPath)) return;
+      const processFile = (fullPath, fileName) => {
+        const ext = fileName.split(".").pop()?.toLowerCase();
+        if (!WORDLIST_EXTENSIONS.has(ext || "")) return;
+        const stats = statSync2(fullPath);
+        if (stats.size < minSize) return;
+        if (!matchesCategory(fullPath)) return;
+        if (!matchesSearch(fullPath, fileName)) return;
+        totalCount++;
+        results.push(`### ${fullPath}`);
+        results.push(`- Size: ${Math.round(stats.size / 1024)} KB (${stats.size.toLocaleString()} bytes)`);
+        results.push("");
+      };
+      const scanDir = (dirPath, maxDepth = 3, depth = 0) => {
+        if (depth > maxDepth || !existsSync7(dirPath)) return;
+        let entries;
         try {
-          const entries = readdirSync3(dirPath, { withFileTypes: true });
-          for (const entry of entries) {
-            const fullPath = join10(dirPath, entry.name);
-            if (entry.isDirectory()) {
-              if (entry.name.startsWith(".")) continue;
-              if (entry.name === "doc") continue;
-              scanDir(fullPath, maxDepth, currentDepth + 1);
-            } else if (entry.isFile()) {
-              const ext = entry.name.split(".").pop()?.toLowerCase();
-              if (!["txt", "lst", "dict", "list", "wlist"].includes(ext || "")) {
-                continue;
-              }
-              try {
-                const stats = statSync2(fullPath);
-                const sizeBytes = stats.size;
-                if (sizeBytes < minSize) continue;
-                const relPath = fullPath;
-                const filename = entry.name;
-                const sizeKB = Math.round(sizeBytes / 1024);
-                if (category) {
-                  const pathLower = relPath.toLowerCase();
-                  let matchesCategory = false;
-                  switch (category.toLowerCase()) {
-                    case "passwords":
-                      matchesCategory = pathLower.includes("password") || pathLower.includes("rockyou");
-                      break;
-                    case "usernames":
-                      matchesCategory = pathLower.includes("user");
-                      break;
-                    case "web":
-                      matchesCategory = pathLower.includes("web") || pathLower.includes("content") || pathLower.includes("raft");
-                      break;
-                    case "dns":
-                      matchesCategory = pathLower.includes("dns") || pathLower.includes("subdomain");
-                      break;
-                    case "fuzzing":
-                      matchesCategory = pathLower.includes("fuzz") || pathLower.includes("injection");
-                      break;
-                    case "api":
-                      matchesCategory = pathLower.includes("api");
-                      break;
-                    default:
-                      matchesCategory = pathLower.includes(category.toLowerCase());
-                  }
-                  if (!matchesCategory) continue;
-                }
-                if (search && !filename.toLowerCase().includes(search.toLowerCase()) && !relPath.toLowerCase().includes(search.toLowerCase())) {
-                  continue;
-                }
-                totalCount++;
-                results.push(`### ${relPath}`);
-                results.push(`- Size: ${sizeKB} KB (${sizeBytes.toLocaleString()} bytes)`);
-                results.push("");
-              } catch {
-                continue;
-              }
-            }
-          }
+          entries = readdirSync3(dirPath, { withFileTypes: true });
         } catch {
+          return;
+        }
+        for (const entry of entries) {
+          if (entry.name.startsWith(".") || SKIP_DIRS.has(entry.name)) continue;
+          const fullPath = join10(dirPath, entry.name);
+          if (entry.isDirectory()) {
+            scanDir(fullPath, maxDepth, depth + 1);
+            continue;
+          }
+          if (!entry.isFile()) continue;
+          try {
+            processFile(fullPath, entry.name);
+          } catch {
+          }
         }
       };
       for (const basePath of scanPaths) {
@@ -6062,237 +6128,6 @@ var CategorizedToolRegistry = class extends ToolRegistry {
   }
 };
 
-// src/shared/constants/service-ports.ts
-var SERVICE_PORTS = {
-  SSH: 22,
-  FTP: 21,
-  TELNET: 23,
-  SMTP: 25,
-  DNS: 53,
-  HTTP: 80,
-  POP3: 110,
-  IMAP: 143,
-  SMB_NETBIOS: 139,
-  SMB: 445,
-  HTTPS: 443,
-  MSSQL: 1433,
-  MYSQL: 3306,
-  RDP: 3389,
-  POSTGRESQL: 5432,
-  REDIS: 6379,
-  HTTP_ALT: 8080,
-  HTTPS_ALT: 8443,
-  MONGODB: 27017,
-  ELASTICSEARCH: 9200,
-  MEMCACHED: 11211,
-  NODE_DEFAULT: 3e3,
-  FLASK_DEFAULT: 5e3,
-  DJANGO_DEFAULT: 8e3
-};
-var CRITICAL_SERVICE_PORTS = [
-  SERVICE_PORTS.SSH,
-  SERVICE_PORTS.RDP,
-  SERVICE_PORTS.MYSQL,
-  SERVICE_PORTS.POSTGRESQL,
-  SERVICE_PORTS.REDIS,
-  SERVICE_PORTS.MONGODB
-];
-var NO_AUTH_CRITICAL_PORTS = [
-  SERVICE_PORTS.REDIS,
-  SERVICE_PORTS.MONGODB,
-  SERVICE_PORTS.ELASTICSEARCH,
-  SERVICE_PORTS.MEMCACHED
-];
-var WEB_SERVICE_PORTS = [
-  SERVICE_PORTS.HTTP,
-  SERVICE_PORTS.HTTPS,
-  SERVICE_PORTS.HTTP_ALT,
-  SERVICE_PORTS.HTTPS_ALT,
-  SERVICE_PORTS.NODE_DEFAULT,
-  SERVICE_PORTS.FLASK_DEFAULT,
-  SERVICE_PORTS.DJANGO_DEFAULT
-];
-var PLAINTEXT_HTTP_PORTS = [
-  SERVICE_PORTS.HTTP,
-  SERVICE_PORTS.HTTP_ALT,
-  SERVICE_PORTS.NODE_DEFAULT
-];
-var DATABASE_PORTS = [
-  SERVICE_PORTS.MYSQL,
-  SERVICE_PORTS.POSTGRESQL,
-  SERVICE_PORTS.MSSQL,
-  SERVICE_PORTS.MONGODB,
-  SERVICE_PORTS.REDIS
-];
-var SMB_PORTS = [
-  SERVICE_PORTS.SMB,
-  SERVICE_PORTS.SMB_NETBIOS
-];
-
-// src/shared/utils/logger.ts
-var COLORS = {
-  reset: "\x1B[0m",
-  dim: "\x1B[2m",
-  red: "\x1B[31m",
-  yellow: "\x1B[33m",
-  green: "\x1B[32m",
-  blue: "\x1B[34m",
-  magenta: "\x1B[35m",
-  cyan: "\x1B[36m"
-};
-var levelColors = {
-  [0 /* DEBUG */]: COLORS.dim,
-  [1 /* INFO */]: COLORS.green,
-  [2 /* WARN */]: COLORS.yellow,
-  [3 /* ERROR */]: COLORS.red,
-  [999 /* SILENT */]: COLORS.reset
-};
-var levelNames = {
-  [0 /* DEBUG */]: "DEBUG",
-  [1 /* INFO */]: "INFO",
-  [2 /* WARN */]: "WARN",
-  [3 /* ERROR */]: "ERROR",
-  [999 /* SILENT */]: "SILENT"
-};
-var Logger = class {
-  constructor(component, config = {}) {
-    this.component = component;
-    this.config = {
-      minLevel: config.minLevel ?? 1 /* INFO */,
-      includeTimestamp: config.includeTimestamp ?? true,
-      includeComponent: config.includeComponent ?? true,
-      colorOutput: config.colorOutput ?? true,
-      outputToFile: config.outputToFile ?? false,
-      logFilePath: config.logFilePath
-    };
-  }
-  config;
-  logBuffer = [];
-  maxBufferSize = 1e3;
-  /**
-   * Set minimum log level
-   */
-  setMinLevel(level) {
-    this.config.minLevel = level;
-  }
-  /**
-   * Log at a specific level
-   */
-  log(level, message, data) {
-    if (level < this.config.minLevel) {
-      return;
-    }
-    const entry = {
-      timestamp: Date.now(),
-      level,
-      component: this.component,
-      message,
-      data
-    };
-    this.logBuffer.push(entry);
-    if (this.logBuffer.length > this.maxBufferSize) {
-      this.logBuffer.shift();
-    }
-    const formatted = this.formatEntry(entry);
-    console.log(formatted);
-  }
-  /**
-   * Format a log entry for output
-   */
-  formatEntry(entry) {
-    const parts = [];
-    if (this.config.includeTimestamp) {
-      const date = new Date(entry.timestamp);
-      const ts = date.toISOString().split("T")[1].slice(0, -1);
-      parts.push(this.config.colorOutput ? COLORS.dim + ts + COLORS.reset : ts);
-    }
-    const levelName = levelNames[entry.level];
-    const levelColor = this.config.colorOutput ? levelColors[entry.level] : "";
-    parts.push(levelColor + `[${levelName}]` + (this.config.colorOutput ? COLORS.reset : ""));
-    if (this.config.includeComponent) {
-      const comp = this.config.colorOutput ? COLORS.cyan + entry.component + COLORS.reset : entry.component;
-      parts.push(`[${comp}]`);
-    }
-    parts.push(entry.message);
-    if (entry.data) {
-      const dataStr = Object.entries(entry.data).map(([k, v]) => `${k}=${JSON.stringify(v)}`).join(" ");
-      parts.push(this.config.colorOutput ? COLORS.dim + dataStr + COLORS.reset : dataStr);
-    }
-    return parts.join(" ");
-  }
-  /**
-   * Debug level logging
-   */
-  debug(message, data) {
-    this.log(0 /* DEBUG */, message, data);
-  }
-  /**
-   * Info level logging
-   */
-  info(message, data) {
-    this.log(1 /* INFO */, message, data);
-  }
-  /**
-   * Warning level logging
-   */
-  warn(message, data) {
-    this.log(2 /* WARN */, message, data);
-  }
-  /**
-   * Error level logging
-   */
-  error(message, data) {
-    this.log(3 /* ERROR */, message, data);
-  }
-  /**
-   * Get all log entries
-   */
-  getLogs() {
-    return [...this.logBuffer];
-  }
-  /**
-   * Get logs by level
-   */
-  getLogsByLevel(minLevel) {
-    return this.logBuffer.filter((entry) => entry.level >= minLevel);
-  }
-  /**
-   * Clear log buffer
-   */
-  clearLogs() {
-    this.logBuffer = [];
-  }
-  /**
-   * Export logs to string
-   */
-  exportLogs() {
-    return this.logBuffer.map((entry) => this.formatEntry(entry)).join("\n");
-  }
-};
-var agentLogger = new Logger("Agent", {
-  minLevel: 1 /* INFO */,
-  colorOutput: true
-});
-
-// src/shared/constants/_shared/http.const.ts
-var HTTP_STATUS = {
-  // 2xx Success
-  OK: 200,
-  CREATED: 201,
-  NO_CONTENT: 204,
-  // 4xx Client Errors
-  BAD_REQUEST: 400,
-  UNAUTHORIZED: 401,
-  FORBIDDEN: 403,
-  NOT_FOUND: 404,
-  RATE_LIMIT: 429,
-  // 5xx Server Errors
-  INTERNAL_ERROR: 500,
-  BAD_GATEWAY: 502,
-  SERVICE_UNAVAILABLE: 503,
-  GATEWAY_TIMEOUT: 504
-};
-
 // src/shared/constants/llm/api.ts
 var LLM_API = {
   /** Default Anthropic API base URL */
@@ -6364,7 +6199,26 @@ var LLM_ERROR_TYPES = {
   UNKNOWN: "unknown"
 };
 
-// src/engine/llm.ts
+// src/shared/constants/_shared/http.const.ts
+var HTTP_STATUS = {
+  // 2xx Success
+  OK: 200,
+  CREATED: 201,
+  NO_CONTENT: 204,
+  // 4xx Client Errors
+  BAD_REQUEST: 400,
+  UNAUTHORIZED: 401,
+  FORBIDDEN: 403,
+  NOT_FOUND: 404,
+  RATE_LIMIT: 429,
+  // 5xx Server Errors
+  INTERNAL_ERROR: 500,
+  BAD_GATEWAY: 502,
+  SERVICE_UNAVAILABLE: 503,
+  GATEWAY_TIMEOUT: 504
+};
+
+// src/engine/llm-types.ts
 var LLMError = class extends Error {
   /** Structured error information */
   errorInfo;
@@ -6395,6 +6249,8 @@ function classifyError(error) {
   }
   return { type: LLM_ERROR_TYPES.UNKNOWN, message: errorMessage, statusCode, isRetryable: false, suggestedAction: "Analyze error" };
 }
+
+// src/engine/llm.ts
 var LLMClient = class {
   apiKey;
   baseUrl;
@@ -6404,7 +6260,7 @@ var LLMClient = class {
     this.apiKey = getApiKey();
     this.baseUrl = getBaseUrl() || LLM_API.DEFAULT_BASE_URL;
     this.model = getModel();
-    debugLog("llm", "LLMClient constructed", { model: this.model, baseUrl: this.baseUrl, apiKeyPrefix: this.apiKey.slice(0, 8) + "..." });
+    debugLog("llm", "LLMClient constructed", { model: this.model, baseUrl: this.baseUrl, apiKeyPrefix: this.apiKey.slice(0, DISPLAY_LIMITS.API_KEY_PREFIX) + "..." });
   }
   /**
    * Generate a non-streaming response
@@ -6584,7 +6440,7 @@ var LLMClient = class {
           toolCall.input = parseResult.data;
           debugLog("llm", `[${requestId}] Tool parsed OK`, { id, name: toolCall.name, input: toolCall.input });
         } else {
-          toolCall.input = { _parse_error: parseResult.error, _raw_json: toolCall._pendingJson.slice(0, 500) };
+          toolCall.input = { _parse_error: parseResult.error, _raw_json: toolCall._pendingJson.slice(0, DISPLAY_LIMITS.RAW_JSON_ERROR_PREVIEW) };
           debugLog("llm", `[${requestId}] Tool parse FAILED`, { id, name: toolCall.name, error: parseResult.error, raw: toolCall._pendingJson });
         }
         delete toolCall._pendingJson;
@@ -6734,7 +6590,7 @@ var __filename3 = fileURLToPath4(import.meta.url);
 var __dirname4 = dirname4(__filename3);
 
 // src/engine/state-persistence.ts
-import { writeFileSync as writeFileSync5, readFileSync as readFileSync3, existsSync as existsSync5, readdirSync, statSync } from "fs";
+import { writeFileSync as writeFileSync5, readFileSync as readFileSync3, existsSync as existsSync5, readdirSync, statSync, unlinkSync as unlinkSync3 } from "fs";
 import { join as join8, basename } from "path";
 function saveState(state) {
   const sessionsDir = WORKSPACE.SESSIONS;
@@ -6747,7 +6603,7 @@ function saveState(state) {
     findings: state.getFindings(),
     loot: state.getLoot(),
     todo: state.getTodo(),
-    actionLog: state.getRecentActions(9999),
+    actionLog: state.getRecentActions(AGENT_LIMITS.MAX_ACTION_LOG),
     currentPhase: state.getPhase(),
     missionSummary: state.getMissionSummary(),
     missionChecklist: state.getMissionChecklist()
@@ -6757,8 +6613,23 @@ function saveState(state) {
   writeFileSync5(sessionFile, JSON.stringify(snapshot, null, 2), "utf-8");
   const latestFile = join8(sessionsDir, "latest.json");
   writeFileSync5(latestFile, JSON.stringify(snapshot, null, 2), "utf-8");
+  pruneOldSessions(sessionsDir);
   return sessionFile;
 }
+function pruneOldSessions(sessionsDir) {
+  try {
+    const sessionFiles = readdirSync(sessionsDir).filter((f) => f.endsWith(".json") && f !== "latest.json").map((f) => ({
+      name: f,
+      path: join8(sessionsDir, f),
+      mtime: statSync(join8(sessionsDir, f)).mtimeMs
+    })).sort((a, b) => b.mtime - a.mtime);
+    const toDelete = sessionFiles.slice(AGENT_LIMITS.MAX_SESSION_FILES);
+    for (const file of toDelete) {
+      unlinkSync3(file.path);
+    }
+  } catch {
+  }
+}
 function loadState(state) {
   const latestFile = join8(WORKSPACE.SESSIONS, "latest.json");
   if (!existsSync5(latestFile)) {
@@ -6768,7 +6639,7 @@ function loadState(state) {
     const raw = readFileSync3(latestFile, "utf-8");
     const snapshot = JSON.parse(raw);
     if (snapshot.version !== 1) {
-      console.warn(`[StatePersistence] Unknown snapshot version: ${snapshot.version}`);
+      debugLog("general", `Unknown snapshot version: ${snapshot.version}`);
       return false;
     }
     if (snapshot.engagement) {
@@ -6786,7 +6657,9 @@ function loadState(state) {
     for (const item of snapshot.todo) {
       state.addTodo(item.content, item.priority);
     }
-    state.setPhase(snapshot.currentPhase);
+    const validPhases = new Set(Object.values(PHASES));
+    const restoredPhase = validPhases.has(snapshot.currentPhase) ? snapshot.currentPhase : PHASES.RECON;
+    state.setPhase(restoredPhase);
     if (snapshot.missionSummary) {
       state.setMissionSummary(snapshot.missionSummary);
     }
@@ -6795,11 +6668,130 @@ function loadState(state) {
     }
     return true;
   } catch (err) {
-    console.warn(`[StatePersistence] Failed to load state: ${err}`);
+    debugLog("general", `Failed to load state: ${err}`);
     return false;
   }
 }
 
+// src/shared/utils/ctf-knowledge.ts
+var FLAG_PATTERNS = {
+  // Generic CTF flag formats
+  generic: /flag\{[^}]+\}/gi,
+  curly_upper: /FLAG\{[^}]+\}/g,
+  // Platform-specific (major competitions)
+  htb: /HTB\{[^}]+\}/g,
+  thm: /THM\{[^}]+\}/g,
+  picoCTF: /picoCTF\{[^}]+\}/g,
+  defcon_ooo: /OOO\{[^}]+\}/g,
+  // DEF CON CTF (Order of the Overflow)
+  csaw: /CSAW\{[^}]+\}/g,
+  // CSAW CTF
+  google: /CTF\{[^}]+\}/g,
+  // Google CTF
+  dragon: /DrgnS\{[^}]+\}/g,
+  // Dragon Sector
+  hxp: /hxp\{[^}]+\}/g,
+  // hxp CTF
+  zer0pts: /zer0pts\{[^}]+\}/g,
+  // zer0pts CTF
+  ctfd_generic: /[A-Z]{2,10}\{[^}]+\}/g,
+  // Generic CTFd format
+  // Hash-style flags (HTB user.txt / root.txt — 32-char hex)
+  hash_flag: /\b[a-f0-9]{32}\b/g,
+  // Base64-encoded flag detection (common in steganography/forensics)
+  base64_flag: /flag\{[A-Za-z0-9_+\-/=]+\}/gi
+};
+var MIN_FLAG_SCAN_LENGTH = 5;
+function detectFlags(output) {
+  if (!output || output.length < MIN_FLAG_SCAN_LENGTH) return [];
+  const found = /* @__PURE__ */ new Set();
+  for (const pattern of Object.values(FLAG_PATTERNS)) {
+    pattern.lastIndex = 0;
+    const matches = output.match(pattern);
+    if (matches) {
+      for (const m of matches) found.add(m);
+    }
+  }
+  return Array.from(found);
+}
+
+// src/agents/tool-error-enrichment.ts
+function enrichToolErrorContext(ctx) {
+  const { toolName, input, error, originalOutput, progress } = ctx;
+  const lines = [];
+  if (originalOutput) lines.push(originalOutput);
+  lines.push("");
+  lines.push(`[TOOL ERROR ANALYSIS]`);
+  lines.push(`Tool: ${toolName}`);
+  lines.push(`Error: ${error}`);
+  const errorLower = error.toLowerCase();
+  if (isBlockedCommandError(errorLower)) {
+    trackBlockedPattern(progress, toolName, errorLower);
+    appendBlockedCommandHints(lines, errorLower);
+  } else if (isMissingParamError(errorLower)) {
+    const providedParams = Object.keys(input).join(", ") || "none";
+    lines.push(`Provided parameters: ${providedParams}`);
+    lines.push(`Fix: Check the tool's required parameters and provide ALL required values.`);
+    lines.push(`Action: Retry this tool call with the missing parameter(s) added.`);
+  } else if (isNotFoundError(errorLower)) {
+    lines.push(`Fix: The tool or command may not be installed.`);
+    lines.push(`Actions: (1) Try an alternative tool, (2) Use web_search to find installation instructions, or (3) Use a different approach entirely.`);
+  } else if (isPermissionError(errorLower)) {
+    lines.push(`Fix: Insufficient permissions for this operation.`);
+    lines.push(`Actions: (1) Try with sudo if appropriate, (2) Use a different approach, or (3) Check if the target path/resource is correct.`);
+  } else if (isConnectionError(errorLower)) {
+    lines.push(`Fix: Cannot reach the target service.`);
+    lines.push(`Actions: (1) Verify the target host/port is correct, (2) Check if the service is running, (3) Try a different port or protocol.`);
+  } else if (isInvalidInputError(errorLower)) {
+    lines.push(`Fix: The input format is incorrect.`);
+    lines.push(`Actions: (1) Check the input format and fix it, (2) Use web_search to find the correct syntax, or (3) Try a simpler input.`);
+  } else {
+    lines.push(`Actions: (1) Analyze the error and modify your approach, (2) Use web_search("${toolName} ${errorLower.slice(0, AGENT_LIMITS.ERROR_SEARCH_PREVIEW_SLICE)}") to research the error, (3) Try an alternative tool or method.`);
+  }
+  return lines.join("\n");
+}
+function isBlockedCommandError(e) {
+  return e.includes("command blocked") || e.includes("injection pattern") || e.includes("not in the allowed") || e.includes("not in allowed paths");
+}
+function isMissingParamError(e) {
+  return e.includes("missing") && e.includes("parameter") || e.includes("required") && e.includes("missing") || e.includes("is required");
+}
+function isNotFoundError(e) {
+  return e.includes("not found") || e.includes("command not found") || e.includes("no such file");
+}
+function isPermissionError(e) {
+  return e.includes("permission denied") || e.includes("access denied") || e.includes("eacces");
+}
+function isConnectionError(e) {
+  return e.includes("connection refused") || e.includes("econnrefused") || e.includes("connection reset") || e.includes("timeout");
+}
+function isInvalidInputError(e) {
+  return e.includes("invalid") || e.includes("malformed") || e.includes("syntax error");
+}
+function trackBlockedPattern(progress, toolName, errorLower) {
+  if (!progress) return;
+  const patternKey = `${toolName}:${errorLower.slice(0, AGENT_LIMITS.BLOCKED_PATTERN_KEY_SLICE)}`;
+  const count = (progress.blockedCommandPatterns.get(patternKey) || 0) + 1;
+  progress.blockedCommandPatterns.set(patternKey, count);
+  progress.totalBlockedCommands++;
+}
+function appendBlockedCommandHints(lines, errorLower) {
+  if (errorLower.includes("pipe target") || errorLower.includes("injection")) {
+    lines.push(`Fix: Use the tool's built-in output options instead of shell pipes.`);
+    lines.push(`Alternative approaches:`);
+    lines.push(`  1. Save output to file: command > /tmp/output.txt, then use read_file("/tmp/output.txt")`);
+    lines.push(`  2. Use tool-specific flags: nmap -oN /tmp/scan.txt, curl -o /tmp/page.html`);
+    lines.push(`  3. Use browse_url for web content instead of curl | grep`);
+    lines.push(`  4. If filtering output: run the command first, then read_file + parse results`);
+  } else if (errorLower.includes("redirect")) {
+    lines.push(`Fix: Redirect to /tmp/ or /root/ paths only.`);
+    lines.push(`Example: command > /tmp/output.txt or command 2>&1 > /tmp/errors.txt`);
+  } else {
+    lines.push(`Fix: Simplify the command. Avoid chaining complex operations.`);
+    lines.push(`Break into multiple steps: run_cmd \u2192 read_file \u2192 run_cmd.`);
+  }
+}
+
 // src/agents/core-agent.ts
 var CoreAgent = class _CoreAgent {
   llm;
@@ -6870,44 +6862,28 @@ var CoreAgent = class _CoreAgent {
           const phase = this.state.getPhase();
           const targets = this.state.getTargets().size;
           const findings = this.state.getFindings().length;
-          const phaseActions = {
-            [PHASES.RECON]: `RECON PHASE: Start scanning NOW.
-\u2192 run_cmd({ command: "nmap -sV -sC -p- --min-rate=1000 <target>" })
-\u2192 run_cmd({ command: "ffuf -u http://<target>/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc all -fc 404" })`,
-            [PHASES.VULN_ANALYSIS]: `VULN ANALYSIS: You have ${targets} target(s). Search CVEs NOW.
-\u2192 For every discovered service+version: web_search("{service} {version} exploit hacktricks")
-\u2192 web_search("{service} {version} CVE PoC github")`,
-            [PHASES.EXPLOIT]: `EXPLOIT PHASE: You have ${findings} finding(s). ATTACK NOW.
-\u2192 Pick the highest-severity finding and write an exploit script.
-\u2192 web_search("{CVE} PoC github") \u2192 browse_url \u2192 write_file \u2192 run_cmd`,
-            [PHASES.POST_EXPLOIT]: `POST-EXPLOIT: Escalate privileges and move laterally.
-\u2192 bg_process interact: "cat /etc/passwd && cat /etc/shadow && sudo -l"
-\u2192 web_search("{OS} privilege escalation hacktricks")`,
-            [PHASES.PRIV_ESC]: `PRIVESC: Escalate NOW.
-\u2192 run_cmd({ command: "sudo -l && find / -perm -4000 -type f 2>/dev/null" })
-\u2192 web_search("{kernel_version} privilege escalation exploit")`,
-            [PHASES.LATERAL]: `LATERAL MOVEMENT: Spread to other hosts.
-\u2192 Reuse discovered credentials on all known hosts
-\u2192 run_cmd({ command: "for ip in $(cat /tmp/hosts); do sshpass -p '<cred>' ssh user@$ip id; done" })`,
-            [PHASES.WEB]: `WEB PHASE: Test injection points.
-\u2192 get_web_attack_surface with target URL
-\u2192 Test every parameter for SQLi, SSTI, XSS, command injection`
+          const phaseDirection = {
+            [PHASES.RECON]: `RECON: Scan targets. Enumerate services and versions.`,
+            [PHASES.VULN_ANALYSIS]: `VULN ANALYSIS: ${targets} target(s) discovered. Search for CVEs and known exploits.`,
+            [PHASES.EXPLOIT]: `EXPLOIT: ${findings} finding(s) available. Attack the highest-severity one.`,
+            [PHASES.POST_EXPLOIT]: `POST-EXPLOIT: Escalate privileges. Search for escalation paths.`,
+            [PHASES.PRIV_ESC]: `PRIVESC: Find and exploit privilege escalation vectors.`,
+            [PHASES.LATERAL]: `LATERAL: Reuse discovered credentials on other hosts.`,
+            [PHASES.WEB]: `WEB: Enumerate the attack surface. Test every input for injection.`
           };
-          const phaseHint = phaseActions[phase] || phaseActions[PHASES.RECON];
+          const direction = phaseDirection[phase] || phaseDirection[PHASES.RECON];
           messages.push({
             role: LLM_ROLES.USER,
-            content: `[CTF ALERT] DEADLOCK: ${AGENT_LIMITS.MAX_CONSECUTIVE_IDLE} turns with ZERO tool calls. You are WASTING CTF TIME!
+            content: `\u26A1 DEADLOCK: ${AGENT_LIMITS.MAX_CONSECUTIVE_IDLE} turns with ZERO tool calls.
 Phase: ${phase} | Targets: ${targets} | Findings: ${findings} | Tools executed: ${progress.totalToolsExecuted} (${progress.toolSuccesses}\u2713 ${progress.toolErrors}\u2717)
 
-${phaseHint}
+${direction}
 
-CTF SPEED RULES:
-- \u26A1 EVERY turn MUST have tool calls \u2014 NO exceptions
-- \u26A1 PARALLELIZE: Run 3-5 tools simultaneously when possible
-- \u26A1 NO planning: "Let me..." is forbidden \u2014 JUST ACT
-- \u26A1 web_search is your weapon: Use it immediately when stuck
-- \u26A1 1 fail \u2260 stop: Try DIFFERENT approach immediately
-- \u26A1 NEVER output text without a tool call`
+RULES:
+- Every turn MUST have tool calls
+- If stuck: search for techniques (web_search)
+- If failed: try a DIFFERENT approach
+- ACT NOW \u2014 do not plan or explain`
           });
         }
       } catch (error) {
@@ -7103,7 +7079,7 @@ Please decide how to handle this error and continue.`;
         toolName,
         success,
         output,
-        outputSummary: output.slice(0, 200),
+        outputSummary: output.slice(0, DISPLAY_LIMITS.OUTPUT_SUMMARY),
         error,
         duration
       }
@@ -7214,7 +7190,7 @@ Please decide how to handle this error and continue.`;
 \u{1F4A1} TIP: If you need to see the full output, use a tool to read the file directly or run the command with | head, | tail, or | grep.`;
       }
       if (result2.error) {
-        outputText = this.enrichToolErrorContext({ toolName: call.name, input: call.input, error: result2.error, originalOutput: outputText, progress });
+        outputText = this.enrichToolError({ toolName: call.name, input: call.input, error: result2.error, originalOutput: outputText, progress });
         if (progress) progress.toolErrors++;
       } else {
         if (progress) {
@@ -7223,78 +7199,21 @@ Please decide how to handle this error and continue.`;
         }
       }
       this.emitToolResult(call.name, result2.success, outputText, result2.error, Date.now() - toolStartTime);
+      this.scanForFlags(outputText);
       return { toolCallId: call.id, output: outputText, error: result2.error };
     } catch (error) {
       const errorMsg = String(error);
-      const enrichedError = this.enrichToolErrorContext({ toolName: call.name, input: call.input, error: errorMsg, originalOutput: "", progress });
+      const enrichedError = this.enrichToolError({ toolName: call.name, input: call.input, error: errorMsg, originalOutput: "", progress });
       if (progress) progress.toolErrors++;
       this.emitToolResult(call.name, false, enrichedError, errorMsg, Date.now() - toolStartTime);
       return { toolCallId: call.id, output: enrichedError, error: errorMsg };
     }
   }
   /**
-   * Enrich tool error messages with actionable context so the LLM can self-correct.
-   * Instead of just showing the raw error, we add hints about what went wrong
-   * and what the agent can do to fix it.
+   * Enrich tool error — delegates to extracted module (§3-1)
    */
-  enrichToolErrorContext(ctx) {
-    const { toolName, input, error, originalOutput, progress } = ctx;
-    const lines = [];
-    if (originalOutput) {
-      lines.push(originalOutput);
-    }
-    lines.push("");
-    lines.push(`[TOOL ERROR ANALYSIS]`);
-    lines.push(`Tool: ${toolName}`);
-    lines.push(`Error: ${error}`);
-    const errorLower = error.toLowerCase();
-    if (errorLower.includes("command blocked") || errorLower.includes("injection pattern") || errorLower.includes("not in the allowed") || errorLower.includes("not in allowed paths")) {
-      if (progress) {
-        const patternKey = `${toolName}:${errorLower.slice(0, AGENT_LIMITS.BLOCKED_PATTERN_KEY_SLICE)}`;
-        const count = (progress.blockedCommandPatterns.get(patternKey) || 0) + 1;
-        progress.blockedCommandPatterns.set(patternKey, count);
-        progress.totalBlockedCommands++;
-        if (count >= AGENT_LIMITS.MAX_BLOCKED_BEFORE_WARN) {
-          lines.push(`
-\u26A0\uFE0F REPEAT BLOCK DETECTED (${count}x same pattern). STOP retrying this approach.`);
-          lines.push(`You have been blocked ${progress.totalBlockedCommands} times total this session.`);
-        }
-      }
-      if (errorLower.includes("pipe target") || errorLower.includes("injection")) {
-        lines.push(`Fix: Use the tool's built-in output options instead of shell pipes.`);
-        lines.push(`Alternative approaches:`);
-        lines.push(`  1. Save output to file: command > /tmp/output.txt, then use read_file("/tmp/output.txt")`);
-        lines.push(`  2. Use tool-specific flags: nmap -oN /tmp/scan.txt, curl -o /tmp/page.html`);
-        lines.push(`  3. Use browse_url for web content instead of curl | grep`);
-        lines.push(`  4. If filtering output: run the command first, then read_file + parse results`);
-      } else if (errorLower.includes("redirect")) {
-        lines.push(`Fix: Redirect to /tmp/ or /root/ paths only.`);
-        lines.push(`Example: command > /tmp/output.txt or command 2>&1 > /tmp/errors.txt`);
-      } else {
-        lines.push(`Fix: Simplify the command. Avoid chaining complex operations.`);
-        lines.push(`Break into multiple steps: run_cmd \u2192 read_file \u2192 run_cmd.`);
-      }
-    } else if (errorLower.includes("missing") && errorLower.includes("parameter") || errorLower.includes("required") && errorLower.includes("missing") || errorLower.includes("is required")) {
-      const providedParams = Object.keys(input).join(", ") || "none";
-      lines.push(`Provided parameters: ${providedParams}`);
-      lines.push(`Fix: Check the tool's required parameters and provide ALL required values.`);
-      lines.push(`Action: Retry this tool call with the missing parameter(s) added.`);
-    } else if (errorLower.includes("not found") || errorLower.includes("command not found") || errorLower.includes("no such file")) {
-      lines.push(`Fix: The tool or command may not be installed.`);
-      lines.push(`Actions: (1) Try an alternative tool, (2) Use web_search to find installation instructions, or (3) Use a different approach entirely.`);
-    } else if (errorLower.includes("permission denied") || errorLower.includes("access denied") || errorLower.includes("eacces")) {
-      lines.push(`Fix: Insufficient permissions for this operation.`);
-      lines.push(`Actions: (1) Try with sudo if appropriate, (2) Use a different approach, or (3) Check if the target path/resource is correct.`);
-    } else if (errorLower.includes("connection refused") || errorLower.includes("econnrefused") || errorLower.includes("connection reset") || errorLower.includes("timeout")) {
-      lines.push(`Fix: Cannot reach the target service.`);
-      lines.push(`Actions: (1) Verify the target host/port is correct, (2) Check if the service is running, (3) Try a different port or protocol.`);
-    } else if (errorLower.includes("invalid") || errorLower.includes("malformed") || errorLower.includes("syntax error")) {
-      lines.push(`Fix: The input format is incorrect.`);
-      lines.push(`Actions: (1) Check the input format and fix it, (2) Use web_search to find the correct syntax, or (3) Try a simpler input.`);
-    } else {
-      lines.push(`Actions: (1) Analyze the error and modify your approach, (2) Use web_search("${toolName} ${errorLower.slice(0, AGENT_LIMITS.ERROR_SEARCH_PREVIEW_SLICE)}") to research the error, (3) Try an alternative tool or method.`);
-    }
-    return lines.join("\n");
+  enrichToolError(ctx) {
+    return enrichToolErrorContext(ctx);
   }
   getToolSchemas() {
     if (!this.toolRegistry) {
@@ -7311,6 +7230,35 @@ Please decide how to handle this error and continue.`;
     }));
   }
   // ─────────────────────────────────────────────────────────────────
+  // SUBSECTION: CTF Flag Detection
+  // ─────────────────────────────────────────────────────────────────
+  /**
+   * Scan tool output for CTF flag patterns.
+   * When a new flag is detected, store it in state and emit event.
+   *
+   * @remarks
+   * WHY: Automatic flag detection eliminates manual flag hunting in CTF competitions.
+   * Called after every tool execution — zero overhead when CTF mode is OFF.
+   */
+  scanForFlags(output) {
+    if (!this.state.isCtfMode()) return;
+    const flags = detectFlags(output);
+    for (const flag of flags) {
+      const isNew = this.state.addFlag(flag);
+      if (isNew) {
+        this.events.emit({
+          type: EVENT_TYPES.FLAG_FOUND,
+          timestamp: Date.now(),
+          data: {
+            flag,
+            totalFlags: this.state.getFlags().length,
+            phase: this.state.getPhase()
+          }
+        });
+      }
+    }
+  }
+  // ─────────────────────────────────────────────────────────────────
   // SUBSECTION: Abort Helpers
   // ─────────────────────────────────────────────────────────────────
   isAbortError(error) {
@@ -7327,13 +7275,14 @@ Please decide how to handle this error and continue.`;
 };
 
 // src/agents/prompt-builder.ts
-import { readFileSync as readFileSync4, existsSync as existsSync6 } from "fs";
+import { readFileSync as readFileSync4, existsSync as existsSync6, readdirSync as readdirSync2 } from "fs";
 import { join as join9, dirname as dirname5 } from "path";
 import { fileURLToPath as fileURLToPath5 } from "url";
 
 // src/shared/constants/prompts.ts
 var PROMPT_PATHS = {
   BASE: "base.md",
+  CTF_MODE: "ctf-mode.md",
   AGENT_FILES: {
     ORCHESTRATOR: "orchestrator.md",
     RECON: "recon.md",
@@ -7413,15 +7362,15 @@ var CORE_KNOWLEDGE_FILES = [
   // Detection avoidance (always relevant)
 ];
 var PHASE_TECHNIQUE_MAP = {
-  [PHASES.RECON]: ["network-svc", "shells"],
-  [PHASES.VULN_ANALYSIS]: ["injection", "network-svc", "file-attacks"],
-  [PHASES.EXPLOIT]: ["injection", "shells", "file-attacks", "network-svc"],
-  [PHASES.POST_EXPLOIT]: ["privesc", "lateral", "auth-access", "shells"],
-  [PHASES.PRIV_ESC]: ["privesc", "auth-access", "shells"],
-  [PHASES.LATERAL]: ["lateral", "ad-attack", "auth-access"],
+  [PHASES.RECON]: ["network-svc", "shells", "crypto"],
+  [PHASES.VULN_ANALYSIS]: ["injection", "network-svc", "file-attacks", "crypto", "reversing"],
+  [PHASES.EXPLOIT]: ["injection", "shells", "file-attacks", "network-svc", "pwn", "container-escape", "reversing"],
+  [PHASES.POST_EXPLOIT]: ["privesc", "lateral", "auth-access", "shells", "container-escape", "forensics"],
+  [PHASES.PRIV_ESC]: ["privesc", "auth-access", "shells", "pwn", "container-escape"],
+  [PHASES.LATERAL]: ["lateral", "ad-attack", "auth-access", "container-escape"],
   [PHASES.PERSISTENCE]: ["shells", "privesc"],
-  [PHASES.EXFIL]: ["lateral", "network-svc"],
-  [PHASES.WEB]: ["injection", "file-attacks", "auth-access"],
+  [PHASES.EXFIL]: ["lateral", "network-svc", "forensics"],
+  [PHASES.WEB]: ["injection", "file-attacks", "auth-access", "crypto"],
   [PHASES.REPORT]: []
   // Report phase needs no attack techniques
 };
@@ -7446,6 +7395,7 @@ var PromptBuilder = class {
   build(userInput, phase) {
     const fragments = [
       this.loadPromptFile(PROMPT_PATHS.BASE),
+      this.loadCtfModePrompt(),
       this.loadPhasePrompt(phase),
       this.loadCoreKnowledge(phase),
       this.loadPhaseRelevantTechniques(phase),
@@ -7456,6 +7406,17 @@ var PromptBuilder = class {
     ];
     return fragments.filter((f) => !!f).join("\n\n");
   }
+  /**
+   * Load CTF mode prompt when CTF mode is active.
+   * Adds ~3K tokens of CTF-specific strategy and flag hunting protocol.
+   */
+  loadCtfModePrompt() {
+    if (!this.state.isCtfMode()) return "";
+    const content = this.loadPromptFile(PROMPT_PATHS.CTF_MODE);
+    return content ? `<ctf-mode active="true">
+${content}
+</ctf-mode>` : "";
+  }
   /**
    * Load a prompt file from src/agents/prompts/
    */
@@ -7496,19 +7457,22 @@ ${content}
     return fragments.join("\n\n");
   }
   /**
-   * Load only technique files relevant to the current phase.
-   * Phase→technique mapping defined in PHASE_TECHNIQUE_MAP.
+   * Load technique files relevant to the current phase.
+   *
+   * Loading strategy (Philosophy §11 — zero-code extension):
+   * 1. PHASE_TECHNIQUE_MAP defines priority techniques per phase (loaded first)
+   * 2. Any .md file in techniques/ NOT in the map is auto-discovered and loaded
+   *    as general reference — NO code change needed to add new techniques.
    *
-   * Saves ~15-20K tokens vs loading all 8 technique files.
-   * If a technique is needed but not mapped, the agent can always
-   * use web_search to look up specific attack techniques on demand.
+   * The map is an optimization (priority ordering), not a gate.
+   * "마크다운 파일 하나를 폴더에 넣으면, PromptBuilder가 자동으로 발견하고 로드한다."
    */
   loadPhaseRelevantTechniques(phase) {
     if (!existsSync6(TECHNIQUES_DIR)) return "";
-    const relevantTechniques = PHASE_TECHNIQUE_MAP[phase] || [];
-    if (relevantTechniques.length === 0) return "";
+    const priorityTechniques = PHASE_TECHNIQUE_MAP[phase] || [];
+    const loadedSet = /* @__PURE__ */ new Set();
     const fragments = [];
-    for (const technique of relevantTechniques) {
+    for (const technique of priorityTechniques) {
       const filePath = join9(TECHNIQUES_DIR, `${technique}.md`);
       try {
         if (!existsSync6(filePath)) continue;
@@ -7517,10 +7481,25 @@ ${content}
           fragments.push(`<technique-reference category="${technique}">
 ${content}
 </technique-reference>`);
+          loadedSet.add(`${technique}.md`);
         }
       } catch {
       }
     }
+    try {
+      const allFiles = readdirSync2(TECHNIQUES_DIR).filter((f) => f.endsWith(".md") && f !== "README.md" && !loadedSet.has(f));
+      for (const file of allFiles) {
+        const filePath = join9(TECHNIQUES_DIR, file);
+        const content = readFileSync4(filePath, PROMPT_CONFIG.ENCODING);
+        if (content) {
+          const category = file.replace(".md", "");
+          fragments.push(`<technique-reference category="${category}">
+${content}
+</technique-reference>`);
+        }
+      }
+    } catch {
+    }
     return fragments.join("\n\n");
   }
   getScopeFragment() {
@@ -7649,6 +7628,14 @@ var MainAgent = class extends CoreAgent {
   getEventEmitter() {
     return this.events;
   }
+  toggleCtfMode() {
+    const newState = !this.state.isCtfMode();
+    this.state.setCtfMode(newState);
+    return newState;
+  }
+  isCtfMode() {
+    return this.state.isCtfMode();
+  }
   setScope(allowed, exclusions = []) {
     this.state.setScope({
       allowedCidrs: allowed.filter((a) => a.includes("/")),
@@ -7741,30 +7728,6 @@ var formatInlineStatus = () => {
 // src/platform/tui/hooks/useAgentState.ts
 import { useState, useRef, useCallback } from "react";
 
-// src/shared/constants/thought.ts
-var THOUGHT_TYPE = {
-  THINKING: "thinking",
-  // LLM text streaming
-  REASONING: "reasoning",
-  // LLM extended thinking
-  PLANNING: "planning",
-  // Strategic planning
-  OBSERVATION: "observation",
-  // Observing results
-  HYPOTHESIS: "hypothesis",
-  // Forming hypothesis
-  REFLECTION: "reflection",
-  // Self-reflection
-  ACTION: "action",
-  // Taking action
-  RESULT: "result",
-  // Action result
-  STUCK: "stuck",
-  // Detected stuck state
-  BREAKTHROUGH: "breakthrough"
-  // Found breakthrough
-};
-
 // src/shared/constants/theme.ts
 var THEME = {
   // Backgrounds (deep dark with blue tint)
@@ -7912,18 +7875,6 @@ var ICONS = {
   pwned: "\u25C8"
   // Compromised
 };
-var THOUGHT_LABELS = {
-  [THOUGHT_TYPE.THINKING]: "[think]",
-  [THOUGHT_TYPE.REASONING]: "[reason]",
-  [THOUGHT_TYPE.PLANNING]: "[plan]",
-  [THOUGHT_TYPE.OBSERVATION]: "[observe]",
-  [THOUGHT_TYPE.HYPOTHESIS]: "[hypothesis]",
-  [THOUGHT_TYPE.REFLECTION]: "[reflect]",
-  [THOUGHT_TYPE.ACTION]: "[action]",
-  [THOUGHT_TYPE.RESULT]: "[result]",
-  [THOUGHT_TYPE.STUCK]: "[stuck]",
-  [THOUGHT_TYPE.BREAKTHROUGH]: "[!]"
-};
 
 // src/platform/tui/constants/display.ts
 var TUI_DISPLAY_LIMITS = {
@@ -7952,7 +7903,19 @@ var TUI_DISPLAY_LIMITS = {
   /** Timer update interval in ms */
   timerInterval: 1e3,
   /** Exit delay in ms */
-  exitDelay: 100
+  exitDelay: 100,
+  /** Purpose text max length before truncation */
+  purposeMaxLength: 30,
+  /** Purpose text truncated length */
+  purposeTruncated: 27,
+  /** Tool detail preview length in flow display */
+  toolDetailPreview: 100,
+  /** Observe detail preview length in flow display */
+  observeDetailPreview: 80,
+  /** Max flow nodes to display */
+  maxFlowNodes: 50,
+  /** Max stopped processes to show */
+  maxStoppedProcesses: 3
 };
 var MESSAGE_STYLES = {
   colors: {
@@ -7983,6 +7946,7 @@ var HELP_TEXT = `
 /findings        Show discovered vulnerabilities
 /assets          List active background processes (listeners, shells)
 /logs <id>       Show full logs for a specific asset
+/ctf             Toggle CTF mode (default: ON)
 /auto            Toggle auto-approve mode
 /clear           Clear screen
 /exit            Exit
@@ -7991,11 +7955,13 @@ var HELP_TEXT = `
 \u2022 Auto-install missing tools (apt/brew)
 \u2022 Transparent command execution
 \u2022 Interactive sudo password input
+\u2022 CTF mode: Auto flag detection & CTF-specific prompts
 
 \u2500\u2500 Examples \u2500\u2500
 /target 192.168.1.1
 /start "Full pentest on target"
 /findings
+/ctf             (toggle CTF/standard mode)
 /auto            (toggle approval mode)
 `;
 
@@ -8140,6 +8106,9 @@ var useAgentEvents = (agent, eventsRef, state) => {
       lastStepTokensRef.current = stepTokens;
       setCurrentTokens(tokenAccumRef.current + stepTokens);
     };
+    const onFlagFound = (e) => {
+      addMessage("system", `\u{1F3F4} FLAG FOUND: ${e.data.flag}  (total: ${e.data.totalFlags})`);
+    };
     setInputHandler((p) => {
       return new Promise((resolve) => {
         const isPassword = /password|passphrase/i.test(p);
@@ -8192,6 +8161,7 @@ var useAgentEvents = (agent, eventsRef, state) => {
     events.on(EVENT_TYPES.ERROR, onError);
     events.on(EVENT_TYPES.RETRY, onRetry);
     events.on(EVENT_TYPES.USAGE_UPDATE, onUsageUpdate);
+    events.on(EVENT_TYPES.FLAG_FOUND, onFlagFound);
     events.on(EVENT_TYPES.STATE_CHANGE, updateStats);
     events.on(EVENT_TYPES.START, updateStats);
     updateStats();
@@ -8415,7 +8385,7 @@ function ProcessRow({ proc, compact }) {
   const duration = formatDuration2(proc.durationMs);
   const port = proc.listeningPort ? `:${proc.listeningPort}` : "";
   const purpose = proc.purpose || proc.description || "";
-  const truncatedPurpose = compact && purpose.length > 30 ? purpose.slice(0, 27) + "..." : purpose;
+  const truncatedPurpose = compact && purpose.length > TUI_DISPLAY_LIMITS.purposeMaxLength ? purpose.slice(0, TUI_DISPLAY_LIMITS.purposeTruncated) + "..." : purpose;
   return /* @__PURE__ */ jsxs(Box, { children: [
     /* @__PURE__ */ jsx(StatusIndicator, { running: proc.running, exitCode: proc.exitCode }),
     /* @__PURE__ */ jsxs(Text, { color: THEME.text.muted, children: [
@@ -8472,10 +8442,10 @@ var InlineStatus = ({
         stopped.length,
         ")"
       ] }),
-      stopped.slice(0, 3).map((proc) => /* @__PURE__ */ jsx(ProcessRow, { proc, compact }, proc.id)),
-      stopped.length > 3 && /* @__PURE__ */ jsxs(Text, { color: THEME.text.muted, children: [
+      stopped.slice(0, TUI_DISPLAY_LIMITS.maxStoppedProcesses).map((proc) => /* @__PURE__ */ jsx(ProcessRow, { proc, compact }, proc.id)),
+      stopped.length > TUI_DISPLAY_LIMITS.maxStoppedProcesses && /* @__PURE__ */ jsxs(Text, { color: THEME.text.muted, children: [
         "  ... and ",
-        stopped.length - 3,
+        stopped.length - TUI_DISPLAY_LIMITS.maxStoppedProcesses,
         " more"
       ] })
     ] }),
@@ -8812,6 +8782,10 @@ var App = ({ autoApprove = false, target }) => {
 ${procData.stdout || "(no output)"}
 --- End Log ---`);
         break;
+      case UI_COMMANDS.CTF:
+        const ctfEnabled = agent.toggleCtfMode();
+        addMessage("system", ctfEnabled ? "\u{1F3F4} CTF mode ON \u2014 flag detection active, CTF prompts loaded" : "\u{1F512} CTF mode OFF \u2014 standard pentest mode");
+        break;
       case "auto":
         setAutoApproveMode((prev) => {
           const newVal = !prev;
@@ -8908,19 +8882,6 @@ ${procData.stdout || "(no output)"}
 };
 var app_default = App;
 
-// src/shared/constants/_shared/signal.const.ts
-var EXIT_CODE = {
-  SUCCESS: 0,
-  ERROR: 1,
-  // Unix convention: 128 + signal number
-  SIGINT: 130,
-  // 128 + 2
-  SIGTERM: 143,
-  // 128 + 15
-  SIGKILL: 137
-  // 128 + 9
-};
-
 // src/shared/constants/cli-defaults.const.ts
 var CLI_DEFAULT = {
   /** Default maximum steps for run command */
@@ -8991,8 +8952,8 @@ program.command("run <objective>").alias("r").description("Run a single objectiv
   const shutdown = async (exitCode = 0) => {
     process.exit(exitCode);
   };
-  process.on("SIGINT", () => shutdown(EXIT_CODE.SIGINT));
-  process.on("SIGTERM", () => shutdown(EXIT_CODE.SIGTERM));
+  process.on("SIGINT", () => shutdown(EXIT_CODES.SIGINT));
+  process.on("SIGTERM", () => shutdown(EXIT_CODES.SIGTERM));
   try {
     const result2 = await agent.execute(objective);
     console.log(chalk.hex(THEME.status.success)("\n[+] Assessment complete!\n"));
@@ -9024,8 +8985,8 @@ program.command("scan <target>").description("Quick scan a target").option("-s,
   const shutdown = async (exitCode = 0) => {
     process.exit(exitCode);
   };
-  process.on("SIGINT", () => shutdown(EXIT_CODE.SIGINT));
-  process.on("SIGTERM", () => shutdown(EXIT_CODE.SIGTERM));
+  process.on("SIGINT", () => shutdown(EXIT_CODES.SIGINT));
+  process.on("SIGTERM", () => shutdown(EXIT_CODES.SIGTERM));
   try {
     await agent.execute(`Perform a ${options.scanType} scan on ${target}${options.ports ? ` focusing on ports ${options.ports}` : ""}. Analyze the results and identify potential vulnerabilities.`);
     console.log(chalk.hex(THEME.status.success)("[+] Scan complete!"));