pentesting 0.23.0 → 0.24.1

package/dist/main.js

@@ -127,11 +127,16 @@ var AGENT_LIMITS = {
   /** ID radix for generation */
   ID_RADIX: 36,
   /** Maximum token budget for LLM response (matches LLM_LIMITS.streamMaxTokens) */
-  MAX_TOKENS: 16384,
+  MAX_TOKENS: 128e3,
   /** Maximum consecutive idle iterations before nudging agent (deadlock prevention) */
   MAX_CONSECUTIVE_IDLE: 3,
-  /** Maximum tool output length before truncation (context hygiene) */
-  MAX_TOOL_OUTPUT_LENGTH: 1e4,
+  /** Maximum tool output length before truncation (context hygiene)
+   *  WHY 200K: pentesting tools (linpeas, enum4linux, nmap -sV --script=*)
+   *  routinely produce 100K+ chars with critical findings scattered throughout.
+   *  Truncation loses data the agent can never recover.
+   *  Let the LLM see everything and summarize — it's what LLMs are good at.
+   */
+  MAX_TOOL_OUTPUT_LENGTH: 2e5,
   /** Max chars to include in blocked pattern tracking key (loop detection) */
   BLOCKED_PATTERN_KEY_SLICE: 80,
   /** Max chars of error text to include in web_search suggestion */
@@ -161,7 +166,7 @@ var INPUT_PROMPT_PATTERNS = [
   /\(Y\/n\)/i
 ];
 
-// src/shared/constants/exit-codes.ts
+// src/shared/constants/system.ts
 var EXIT_CODES = {
   /** Successful execution */
   SUCCESS: 0,
@@ -178,12 +183,110 @@ var EXIT_CODES = {
   /** Process killed by SIGKILL */
   SIGKILL: 137
 };
+var PROCESS_ROLES = {
+  LISTENER: "listener",
+  ACTIVE_SHELL: "active_shell",
+  SERVER: "server",
+  SNIFFER: "sniffer",
+  SPOOFER: "spoofer",
+  CALLBACK: "callback",
+  PROXY: "proxy",
+  BACKGROUND: "background"
+};
+var PROCESS_ICONS = {
+  [PROCESS_ROLES.LISTENER]: "[LISTENER]",
+  [PROCESS_ROLES.ACTIVE_SHELL]: "[SHELL]",
+  [PROCESS_ROLES.SERVER]: "[SERVER]",
+  [PROCESS_ROLES.SNIFFER]: "[SNIFFER]",
+  [PROCESS_ROLES.SPOOFER]: "[SPOOFER]",
+  [PROCESS_ROLES.CALLBACK]: "[CALLBACK]",
+  [PROCESS_ROLES.PROXY]: "[PROXY]",
+  [PROCESS_ROLES.BACKGROUND]: "[BG]"
+};
+var STATUS_MARKERS = {
+  RUNNING: "[RUNNING]",
+  STOPPED: "[STOPPED]",
+  WARNING: "[WARNING]",
+  INTERACTIVE: "[INTERACTIVE]",
+  EXITED: "[EXITED]"
+};
+var PROCESS_EVENTS = {
+  STARTED: "started",
+  CONNECTION_DETECTED: "connection_detected",
+  ROLE_CHANGED: "role_changed",
+  COMMAND_SENT: "command_sent",
+  STOPPED: "stopped",
+  DIED: "died",
+  ZOMBIE_CLEANED: "zombie_cleaned"
+};
+var SYSTEM_LIMITS = {
+  /** Maximum wait time for interactive shell responses (10 seconds) */
+  MAX_WAIT_MS_INTERACT: 1e4,
+  /** Default wait time for interactive shell responses (2 seconds) */
+  DEFAULT_WAIT_MS_INTERACT: 2e3,
+  /** Maximum characters for process description */
+  MAX_DESCRIPTION_LENGTH: 80,
+  /** Maximum characters for stored command string */
+  MAX_COMMAND_LENGTH: 200,
+  /** Maximum characters to show from stdout
+   *  WHY 50K: background processes (linpeas, scans, shells) produce large
+   *  output with findings scattered throughout. Let the LLM see it all. */
+  MAX_STDOUT_SLICE: 5e4,
+  /** Maximum characters to show from stderr */
+  MAX_STDERR_SLICE: 5e3,
+  /** Maximum characters for error detail messages */
+  MAX_ERROR_DETAIL_SLICE: 2e3,
+  /** Maximum characters for input prompt previews */
+  MAX_PROMPT_PREVIEW: 50,
+  /** Maximum characters for input snippets in logs */
+  MAX_INPUT_SLICE: 100,
+  /** Maximum events to keep in process event log */
+  MAX_EVENT_LOG: 30,
+  /** Wait time for child PID discovery via pgrep */
+  CHILD_PID_DISCOVERY_MS: 500,
+  /** Wait time between SIGTERM and SIGKILL during graceful shutdown */
+  SHUTDOWN_WAIT_MS: 500,
+  /** Wait time between process cleanup batches */
+  CLEANUP_BATCH_WAIT_MS: 300,
+  /** Timeout for pgrep and pkill operations */
+  PROCESS_OP_TIMEOUT_MS: 2e3,
+  /** Port range for web services (development servers) */
+  WEB_PORT_RANGE: { MIN: 8e3, MAX: 9e3 },
+  /** Port range for API services */
+  API_PORT_RANGE: { MIN: 3e3, MAX: 3500 }
+};
+var DETECTION_PATTERNS = {
+  LISTENER: /-(?:lvnp|nlvp|lp|p)\s+(\d+)/,
+  HTTP_SERVER: /(?:http\.server|SimpleHTTPServer)\s+(\d+)/,
+  GENERIC_PORT: /-(?:p|port|S)\s+(?:\S+:)?(\d+)/,
+  CONNECTION: [
+    /connection\s+from/i,
+    /connect\s+to/i,
+    /\$\s*$/m,
+    /#\s*$/m,
+    /bash-\d/i,
+    /sh-\d/i,
+    /www-data/i
+  ]
+};
+var ORPHAN_PROCESS_NAMES = [
+  "arpspoof",
+  "ettercap",
+  "mitmdump",
+  "mitmproxy",
+  "dnsspoof",
+  "tcpdump",
+  "tshark",
+  "socat",
+  "nc",
+  "python"
+];
 
 // src/shared/constants/agent.ts
 var ID_LENGTH = AGENT_LIMITS.ID_LENGTH;
 var ID_RADIX = AGENT_LIMITS.ID_RADIX;
 var APP_NAME = "Pentest AI";
-var APP_VERSION = "0.23.0";
+var APP_VERSION = "0.24.1";
 var APP_DESCRIPTION = "Autonomous Penetration Testing AI Agent";
 var LLM_ROLES = {
   SYSTEM: "system",
@@ -499,104 +602,6 @@ function ensureDirExists(dirPath) {
   }
 }
 
-// src/shared/constants/system.ts
-var PROCESS_ROLES = {
-  LISTENER: "listener",
-  ACTIVE_SHELL: "active_shell",
-  SERVER: "server",
-  SNIFFER: "sniffer",
-  SPOOFER: "spoofer",
-  CALLBACK: "callback",
-  PROXY: "proxy",
-  BACKGROUND: "background"
-};
-var PROCESS_ICONS = {
-  [PROCESS_ROLES.LISTENER]: "[LISTENER]",
-  [PROCESS_ROLES.ACTIVE_SHELL]: "[SHELL]",
-  [PROCESS_ROLES.SERVER]: "[SERVER]",
-  [PROCESS_ROLES.SNIFFER]: "[SNIFFER]",
-  [PROCESS_ROLES.SPOOFER]: "[SPOOFER]",
-  [PROCESS_ROLES.CALLBACK]: "[CALLBACK]",
-  [PROCESS_ROLES.PROXY]: "[PROXY]",
-  [PROCESS_ROLES.BACKGROUND]: "[BG]"
-};
-var STATUS_MARKERS = {
-  RUNNING: "[RUNNING]",
-  STOPPED: "[STOPPED]",
-  WARNING: "[WARNING]",
-  INTERACTIVE: "[INTERACTIVE]",
-  EXITED: "[EXITED]"
-};
-var PROCESS_EVENTS = {
-  STARTED: "started",
-  CONNECTION_DETECTED: "connection_detected",
-  ROLE_CHANGED: "role_changed",
-  COMMAND_SENT: "command_sent",
-  STOPPED: "stopped",
-  DIED: "died",
-  ZOMBIE_CLEANED: "zombie_cleaned"
-};
-var SYSTEM_LIMITS = {
-  /** Maximum wait time for interactive shell responses (10 seconds) */
-  MAX_WAIT_MS_INTERACT: 1e4,
-  /** Default wait time for interactive shell responses (2 seconds) */
-  DEFAULT_WAIT_MS_INTERACT: 2e3,
-  /** Maximum characters for process description */
-  MAX_DESCRIPTION_LENGTH: 80,
-  /** Maximum characters for stored command string */
-  MAX_COMMAND_LENGTH: 200,
-  /** Maximum characters to show from stdout */
-  MAX_STDOUT_SLICE: 3e3,
-  /** Maximum characters to show from stderr */
-  MAX_STDERR_SLICE: 500,
-  /** Maximum characters for error detail messages */
-  MAX_ERROR_DETAIL_SLICE: 200,
-  /** Maximum characters for input prompt previews */
-  MAX_PROMPT_PREVIEW: 50,
-  /** Maximum characters for input snippets in logs */
-  MAX_INPUT_SLICE: 100,
-  /** Maximum events to keep in process event log */
-  MAX_EVENT_LOG: 30,
-  /** Wait time for child PID discovery via pgrep */
-  CHILD_PID_DISCOVERY_MS: 500,
-  /** Wait time between SIGTERM and SIGKILL during graceful shutdown */
-  SHUTDOWN_WAIT_MS: 500,
-  /** Wait time between process cleanup batches */
-  CLEANUP_BATCH_WAIT_MS: 300,
-  /** Timeout for pgrep and pkill operations */
-  PROCESS_OP_TIMEOUT_MS: 2e3,
-  /** Port range for web services (development servers) */
-  WEB_PORT_RANGE: { MIN: 8e3, MAX: 9e3 },
-  /** Port range for API services */
-  API_PORT_RANGE: { MIN: 3e3, MAX: 3500 }
-};
-var DETECTION_PATTERNS = {
-  LISTENER: /-(?:lvnp|nlvp|lp|p)\s+(\d+)/,
-  HTTP_SERVER: /(?:http\.server|SimpleHTTPServer)\s+(\d+)/,
-  GENERIC_PORT: /-(?:p|port|S)\s+(?:\S+:)?(\d+)/,
-  CONNECTION: [
-    /connection\s+from/i,
-    /connect\s+to/i,
-    /\$\s*$/m,
-    /#\s*$/m,
-    /bash-\d/i,
-    /sh-\d/i,
-    /www-data/i
-  ]
-};
-var ORPHAN_PROCESS_NAMES = [
-  "arpspoof",
-  "ettercap",
-  "mitmdump",
-  "mitmproxy",
-  "dnsspoof",
-  "tcpdump",
-  "tshark",
-  "socat",
-  "nc",
-  "python"
-];
-
 // src/shared/utils/command-security-lists.ts
 var ALLOWED_BINARIES = /* @__PURE__ */ new Set([
   // Network scanning
@@ -867,11 +872,6 @@ var WORKSPACE = {
     return path.join(getWorkspaceRoot(), "temp");
   }
 };
-var PATHS = {
-  ROOT: PROJECT_ROOT,
-  SRC: path.join(PROJECT_ROOT, "src"),
-  DIST: path.join(PROJECT_ROOT, "dist")
-};
 
 // src/shared/utils/debug-logger.ts
 var DebugLogger = class _DebugLogger {
@@ -3128,10 +3128,6 @@ Detail: ${p.detail}
 import { execFileSync } from "child_process";
 
 // src/shared/utils/config.ts
-import path2 from "path";
-import { fileURLToPath as fileURLToPath2 } from "url";
-var __filename2 = fileURLToPath2(import.meta.url);
-var __dirname2 = path2.dirname(__filename2);
 var ENV_KEYS = {
   API_KEY: "PENTEST_API_KEY",
   BASE_URL: "PENTEST_BASE_URL",
@@ -5505,7 +5501,7 @@ var ZombieHunter = class {
 
 // src/shared/constants/orchestrator.ts
 var GRACEFUL_SHUTDOWN_WAIT_MS = 200;
-var PROCESS_OUTPUT_TRUNCATION_LIMIT = 500;
+var PROCESS_OUTPUT_TRUNCATION_LIMIT = 1e4;
 var MS_PER_MINUTE = 6e4;
 var LONG_RUNNING_THRESHOLD_MS = 5 * MS_PER_MINUTE;
 var VERY_LONG_RUNNING_THRESHOLD_MS = 15 * MS_PER_MINUTE;
@@ -5884,15 +5880,6 @@ var CLOUD_KEYWORDS = [
   "heroku",
   "vercel"
 ];
-var PASSIVE_CATEGORIES = [
-  SERVICE_CATEGORIES.NETWORK
-];
-var ACTIVE_CATEGORIES = [
-  SERVICE_CATEGORIES.WEB,
-  SERVICE_CATEGORIES.API,
-  SERVICE_CATEGORIES.EMAIL,
-  SERVICE_CATEGORIES.FILE_SHARING
-];
 var DANGER_LEVEL_MAP = {
   [SERVICE_CATEGORIES.NETWORK]: DANGER_LEVELS.PASSIVE,
   [SERVICE_CATEGORIES.WEB]: DANGER_LEVELS.ACTIVE,
@@ -5941,80 +5928,80 @@ var ServiceParser = class {
 
 // src/domains/registry.ts
 import { join as join6, dirname as dirname3 } from "path";
-import { fileURLToPath as fileURLToPath3 } from "url";
-var __dirname3 = dirname3(fileURLToPath3(import.meta.url));
+import { fileURLToPath as fileURLToPath2 } from "url";
+var __dirname2 = dirname3(fileURLToPath2(import.meta.url));
 var DOMAINS = {
   [SERVICE_CATEGORIES.NETWORK]: {
     id: SERVICE_CATEGORIES.NETWORK,
     name: "Network Infrastructure",
     description: "Vulnerability scanning, port mapping, and network service exploitation.",
-    promptPath: join6(__dirname3, "network/prompt.md")
+    promptPath: join6(__dirname2, "network/prompt.md")
   },
   [SERVICE_CATEGORIES.WEB]: {
     id: SERVICE_CATEGORIES.WEB,
     name: "Web Application",
     description: "Web app security testing, injection attacks, and auth bypass.",
-    promptPath: join6(__dirname3, "web/prompt.md")
+    promptPath: join6(__dirname2, "web/prompt.md")
   },
   [SERVICE_CATEGORIES.DATABASE]: {
     id: SERVICE_CATEGORIES.DATABASE,
     name: "Database Security",
     description: "SQL injection, database enumeration, and data extraction.",
-    promptPath: join6(__dirname3, "database/prompt.md")
+    promptPath: join6(__dirname2, "database/prompt.md")
   },
   [SERVICE_CATEGORIES.AD]: {
     id: SERVICE_CATEGORIES.AD,
     name: "Active Directory",
     description: "Kerberos, LDAP, and Windows domain privilege escalation.",
-    promptPath: join6(__dirname3, "ad/prompt.md")
+    promptPath: join6(__dirname2, "ad/prompt.md")
   },
   [SERVICE_CATEGORIES.EMAIL]: {
     id: SERVICE_CATEGORIES.EMAIL,
     name: "Email Services",
     description: "SMTP, IMAP, POP3 security and user enumeration.",
-    promptPath: join6(__dirname3, "email/prompt.md")
+    promptPath: join6(__dirname2, "email/prompt.md")
   },
   [SERVICE_CATEGORIES.REMOTE_ACCESS]: {
     id: SERVICE_CATEGORIES.REMOTE_ACCESS,
     name: "Remote Access",
     description: "SSH, RDP, VNC and other remote control protocols.",
-    promptPath: join6(__dirname3, "remote-access/prompt.md")
+    promptPath: join6(__dirname2, "remote-access/prompt.md")
   },
   [SERVICE_CATEGORIES.FILE_SHARING]: {
     id: SERVICE_CATEGORIES.FILE_SHARING,
     name: "File Sharing",
     description: "SMB, NFS, FTP and shared resource security.",
-    promptPath: join6(__dirname3, "file-sharing/prompt.md")
+    promptPath: join6(__dirname2, "file-sharing/prompt.md")
   },
   [SERVICE_CATEGORIES.CLOUD]: {
     id: SERVICE_CATEGORIES.CLOUD,
     name: "Cloud Infrastructure",
     description: "AWS, Azure, and GCP security and misconfiguration.",
-    promptPath: join6(__dirname3, "cloud/prompt.md")
+    promptPath: join6(__dirname2, "cloud/prompt.md")
   },
   [SERVICE_CATEGORIES.CONTAINER]: {
     id: SERVICE_CATEGORIES.CONTAINER,
     name: "Container Systems",
     description: "Docker and Kubernetes security testing.",
-    promptPath: join6(__dirname3, "container/prompt.md")
+    promptPath: join6(__dirname2, "container/prompt.md")
   },
   [SERVICE_CATEGORIES.API]: {
     id: SERVICE_CATEGORIES.API,
     name: "API Security",
     description: "REST, GraphQL, and SOAP API security testing.",
-    promptPath: join6(__dirname3, "api/prompt.md")
+    promptPath: join6(__dirname2, "api/prompt.md")
   },
   [SERVICE_CATEGORIES.WIRELESS]: {
     id: SERVICE_CATEGORIES.WIRELESS,
     name: "Wireless Networks",
     description: "WiFi and Bluetooth security testing.",
-    promptPath: join6(__dirname3, "wireless/prompt.md")
+    promptPath: join6(__dirname2, "wireless/prompt.md")
   },
   [SERVICE_CATEGORIES.ICS]: {
     id: SERVICE_CATEGORIES.ICS,
     name: "Industrial Systems",
     description: "Critical infrastructure - Modbus, DNP3, ENIP.",
-    promptPath: join6(__dirname3, "ics/prompt.md")
+    promptPath: join6(__dirname2, "ics/prompt.md")
   }
 };
 
@@ -6185,8 +6172,12 @@ var RETRY_CONFIG = {
   // Initial delay for rate limit retry (exponential backoff)
 };
 var LLM_LIMITS = {
-  nonStreamMaxTokens: 8192,
-  streamMaxTokens: 16384,
+  /** WHY 64K: non-streaming calls (orchestrator, summaries) benefit from
+   *  generous output budgets. Don't force premature truncation. */
+  nonStreamMaxTokens: 65536,
+  /** WHY 128K: streaming calls are the main agent loop. Max out so the LLM
+   *  can produce full analysis, tool calls, and reasoning without cutoff. */
+  streamMaxTokens: 128e3,
   /** WHY: ~3.5 chars/token is a reasonable average for mixed English/CJK content */
   charsPerTokenEstimate: 3.5
 };
@@ -6199,26 +6190,8 @@ var LLM_ERROR_TYPES = {
   UNKNOWN: "unknown"
 };
 
-// src/shared/constants/_shared/http.const.ts
-var HTTP_STATUS = {
-  // 2xx Success
-  OK: 200,
-  CREATED: 201,
-  NO_CONTENT: 204,
-  // 4xx Client Errors
-  BAD_REQUEST: 400,
-  UNAUTHORIZED: 401,
-  FORBIDDEN: 403,
-  NOT_FOUND: 404,
-  RATE_LIMIT: 429,
-  // 5xx Server Errors
-  INTERNAL_ERROR: 500,
-  BAD_GATEWAY: 502,
-  SERVICE_UNAVAILABLE: 503,
-  GATEWAY_TIMEOUT: 504
-};
-
 // src/engine/llm-types.ts
+var HTTP_STATUS = { BAD_REQUEST: 400, UNAUTHORIZED: 401, FORBIDDEN: 403, RATE_LIMIT: 429 };
 var LLMError = class extends Error {
   /** Structured error information */
   errorInfo;
@@ -6584,14 +6557,14 @@ function logLLM(message, data) {
 }
 
 // src/engine/orchestrator/orchestrator.ts
-import { fileURLToPath as fileURLToPath4 } from "url";
+import { fileURLToPath as fileURLToPath3 } from "url";
 import { dirname as dirname4, join as join7 } from "path";
-var __filename3 = fileURLToPath4(import.meta.url);
-var __dirname4 = dirname4(__filename3);
+var __filename2 = fileURLToPath3(import.meta.url);
+var __dirname3 = dirname4(__filename2);
 
 // src/engine/state-persistence.ts
 import { writeFileSync as writeFileSync5, readFileSync as readFileSync3, existsSync as existsSync5, readdirSync, statSync, unlinkSync as unlinkSync3 } from "fs";
-import { join as join8, basename } from "path";
+import { join as join8 } from "path";
 function saveState(state) {
   const sessionsDir = WORKSPACE.SESSIONS;
   ensureDirExists(sessionsDir);
@@ -7277,7 +7250,7 @@ Please decide how to handle this error and continue.`;
 // src/agents/prompt-builder.ts
 import { readFileSync as readFileSync4, existsSync as existsSync6, readdirSync as readdirSync2 } from "fs";
 import { join as join9, dirname as dirname5 } from "path";
-import { fileURLToPath as fileURLToPath5 } from "url";
+import { fileURLToPath as fileURLToPath4 } from "url";
 
 // src/shared/constants/prompts.ts
 var PROMPT_PATHS = {
@@ -7331,8 +7304,8 @@ var INITIAL_TASKS = {
 };
 
 // src/agents/prompt-builder.ts
-var __dirname5 = dirname5(fileURLToPath5(import.meta.url));
-var PROMPTS_DIR = join9(__dirname5, "prompts");
+var __dirname4 = dirname5(fileURLToPath4(import.meta.url));
+var PROMPTS_DIR = join9(__dirname4, "prompts");
 var TECHNIQUES_DIR = join9(PROMPTS_DIR, PROMPT_PATHS.TECHNIQUES_DIR);
 var { AGENT_FILES } = PROMPT_PATHS;
 var PHASE_PROMPT_MAP = {
@@ -7421,8 +7394,8 @@ ${content}
    * Load a prompt file from src/agents/prompts/
    */
   loadPromptFile(filename) {
-    const path3 = join9(PROMPTS_DIR, filename);
-    return existsSync6(path3) ? readFileSync4(path3, PROMPT_CONFIG.ENCODING) : "";
+    const path2 = join9(PROMPTS_DIR, filename);
+    return existsSync6(path2) ? readFileSync4(path2, PROMPT_CONFIG.ENCODING) : "";
   }
   /**
    * Load phase-specific prompt.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pentesting",
-  "version": "0.23.0",
+  "version": "0.24.1",
   "description": "Autonomous Penetration Testing AI Agent",
   "type": "module",
   "main": "dist/main.js",