pentesting 0.24.2 → 0.24.4

package/dist/main.js

@@ -286,7 +286,7 @@ var ORPHAN_PROCESS_NAMES = [
 var ID_LENGTH = AGENT_LIMITS.ID_LENGTH;
 var ID_RADIX = AGENT_LIMITS.ID_RADIX;
 var APP_NAME = "Pentest AI";
-var APP_VERSION = "0.24.2";
+var APP_VERSION = "0.24.4";
 var APP_DESCRIPTION = "Autonomous Penetration Testing AI Agent";
 var LLM_ROLES = {
   SYSTEM: "system",
@@ -560,11 +560,6 @@ var UI_COMMANDS = {
 };
 var PASSIVE_BINARIES = ["whois", "dig", "curl -i"];
 var EXPLOIT_BINARIES = ["impacket"];
-var MASK_PARTS = {
-  C24: "24",
-  C16: "16",
-  C8: "8"
-};
 var COMMAND_EVENT_TYPES = {
   TOOL_MISSING: "tool_missing",
   TOOL_INSTALL: "tool_install",
@@ -870,6 +865,10 @@ var WORKSPACE = {
   /** Temporary files for active operations */
   get TEMP() {
     return path.join(getWorkspaceRoot(), "temp");
+  },
+  /** Full tool output files saved by Context Digest */
+  get OUTPUTS() {
+    return path.join(getWorkspaceRoot(), "outputs");
   }
 };
 
@@ -2164,7 +2163,9 @@ var SharedState = class {
       missionChecklist: [],
       ctfMode: true,
       // CTF mode ON by default
-      flags: []
+      flags: [],
+      startedAt: Date.now(),
+      deadlineAt: 0
     };
   }
   // --- Mission & Persistent Context ---
@@ -2322,6 +2323,42 @@ var SharedState = class {
   getFlags() {
     return this.data.flags;
   }
+  // --- Time Management ---
+  /** Set a deadline for time-aware strategy (e.g., CTF competition end time) */
+  setDeadline(deadlineMs) {
+    this.data.deadlineAt = deadlineMs;
+  }
+  /** Get milliseconds since agent started */
+  getElapsedMs() {
+    return Date.now() - this.data.startedAt;
+  }
+  /** Get remaining milliseconds until deadline (0 if no deadline) */
+  getRemainingMs() {
+    if (this.data.deadlineAt === 0) return 0;
+    return Math.max(0, this.data.deadlineAt - Date.now());
+  }
+  /** Get time status string for prompt injection */
+  getTimeStatus() {
+    const elapsed = this.getElapsedMs();
+    const mins = Math.floor(elapsed / 6e4);
+    let status = `\u23F1 Elapsed: ${mins}min`;
+    if (this.data.deadlineAt > 0) {
+      const remainingMs = this.getRemainingMs();
+      const remainingMins = Math.floor(remainingMs / 6e4);
+      if (remainingMins <= 0) {
+        status += " | \u26A0\uFE0F TIME IS UP \u2014 submit any flags you have NOW";
+      } else if (remainingMins <= 15) {
+        status += ` | \u{1F534} ${remainingMins}min LEFT \u2014 FINAL PUSH: submit flags, check obvious locations, env vars, DBs`;
+      } else if (remainingMins <= 30) {
+        status += ` | \u{1F7E1} ${remainingMins}min LEFT \u2014 wrap up current vector, ensure all findings are captured`;
+      } else if (remainingMins <= 60) {
+        status += ` | \u{1F7E0} ${remainingMins}min LEFT \u2014 focus on highest-probability vectors only`;
+      } else {
+        status += ` | \u{1F7E2} ${remainingMins}min remaining`;
+      }
+    }
+    return status;
+  }
   /**
    * @remarks
    * WHY: Delegating complex string builder to specialized serializer.
@@ -2493,30 +2530,43 @@ var ScopeGuard = class {
     return false;
   }
   /**
-   * Simple CIDR matching (IP-only for now)
+   * Accurate CIDR matching using bitwise arithmetic.
+   * Supports any prefix length /0 through /32.
+   * No external dependencies — pure math.
    */
   matchesCidr(target, cidr) {
     if (target === cidr) return true;
     if (cidr.includes("/")) {
-      const [network, mask] = cidr.split("/");
-      if (mask === MASK_PARTS.C24) {
-        const networkPrefix = network.split(".").slice(0, 3).join(".");
-        const targetPrefix = target.split(".").slice(0, 3).join(".");
-        return networkPrefix === targetPrefix;
+      const [network, maskStr] = cidr.split("/");
+      const maskBits = parseInt(maskStr, 10);
+      if (isNaN(maskBits) || maskBits < 0 || maskBits > 32) {
+        return target === cidr;
       }
-      if (mask === MASK_PARTS.C8) {
-        const networkPrefix = network.split(".")[0];
-        const targetPrefix = target.split(".")[0];
-        return networkPrefix === targetPrefix;
-      }
-      if (mask === MASK_PARTS.C16) {
-        const networkPrefix = network.split(".").slice(0, 2).join(".");
-        const targetPrefix = target.split(".").slice(0, 2).join(".");
-        return networkPrefix === targetPrefix;
+      const targetInt = this.ipToUint32(target);
+      const networkInt = this.ipToUint32(network);
+      if (targetInt === null || networkInt === null) {
+        return target === cidr;
       }
+      const mask = maskBits === 0 ? 0 : ~0 << 32 - maskBits >>> 0;
+      return (targetInt & mask) >>> 0 === (networkInt & mask) >>> 0;
     }
     return target === cidr;
   }
+  /**
+   * Convert IPv4 dotted-decimal string to unsigned 32-bit integer.
+   * Returns null if the string is not a valid IPv4 address.
+   */
+  ipToUint32(ip) {
+    const parts = ip.split(".");
+    if (parts.length !== 4) return null;
+    let result2 = 0;
+    for (const part of parts) {
+      const octet = parseInt(part, 10);
+      if (isNaN(octet) || octet < 0 || octet > 255) return null;
+      result2 = (result2 << 8 | octet) >>> 0;
+    }
+    return result2;
+  }
   /**
    * Extract IPs and Domains from string
    */
@@ -4803,7 +4853,7 @@ Returns: All available wordlists with their paths, sizes, and categories.`,
       }
     },
     execute: async (p) => {
-      const { existsSync: existsSync7, statSync: statSync2, readdirSync: readdirSync3 } = await import("fs");
+      const { existsSync: existsSync8, statSync: statSync2, readdirSync: readdirSync3 } = await import("fs");
       const { join: join10 } = await import("path");
       const category = p.category || "";
       const search = p.search || "";
@@ -4850,7 +4900,7 @@ Returns: All available wordlists with their paths, sizes, and categories.`,
         results.push("");
       };
       const scanDir = (dirPath, maxDepth = 3, depth = 0) => {
-        if (depth > maxDepth || !existsSync7(dirPath)) return;
+        if (depth > maxDepth || !existsSync8(dirPath)) return;
         let entries;
         try {
           entries = readdirSync3(dirPath, { withFileTypes: true });
@@ -5233,8 +5283,8 @@ Requires root/sudo privileges.`,
       const iface = p.interface || "";
       const duration = p.duration || NETWORK_CONFIG.DEFAULT_SPOOF_DURATION;
       const hostsFile = createTempFile(".hosts");
-      const { writeFileSync: writeFileSync6 } = await import("fs");
-      writeFileSync6(hostsFile, `${spoofIp}	${domain}
+      const { writeFileSync: writeFileSync7 } = await import("fs");
+      writeFileSync7(hostsFile, `${spoofIp}	${domain}
 ${spoofIp}	*.${domain}
 `);
       const ifaceFlag = iface ? `-i ${iface}` : "";
@@ -6651,7 +6701,7 @@ var FLAG_PATTERNS = {
   // Generic CTF flag formats
   generic: /flag\{[^}]+\}/gi,
   curly_upper: /FLAG\{[^}]+\}/g,
-  // Platform-specific (major competitions)
+  // Platform-specific — Major International Competitions
   htb: /HTB\{[^}]+\}/g,
   thm: /THM\{[^}]+\}/g,
   picoCTF: /picoCTF\{[^}]+\}/g,
@@ -6667,8 +6717,65 @@ var FLAG_PATTERNS = {
   // hxp CTF
   zer0pts: /zer0pts\{[^}]+\}/g,
   // zer0pts CTF
+  // Asia-Pacific Major Competitions
+  seccon: /SECCON\{[^}]+\}/g,
+  // SECCON CTF (Japan)
+  hitcon: /hitcon\{[^}]+\}/gi,
+  // HITCON CTF (Taiwan)
+  codegate: /codegate\{[^}]+\}/gi,
+  // Codegate CTF (Korea)
+  wacon: /WACON\{[^}]+\}/g,
+  // WACON CTF (Korea)
+  linectf: /LINECTF\{[^}]+\}/g,
+  // LINE CTF (Korea/Japan)
+  tsgctf: /TSGCTF\{[^}]+\}/g,
+  // TSG CTF (Japan)
+  kosenctf: /KosenCTF\{[^}]+\}/g,
+  // Kosen CTF (Japan)
+  asis: /ASIS\{[^}]+\}/g,
+  // ASIS CTF (Iran)
+  // Americas / Europe Major Competitions
+  plaidctf: /PCTF\{[^}]+\}/g,
+  // PlaidCTF (PPP)
+  dicectf: /dice\{[^}]+\}/gi,
+  // DiceCTF
+  rwctf: /rwctf\{[^}]+\}/gi,
+  // Real World CTF
+  rctf: /RCTF\{[^}]+\}/g,
+  // RCTF
+  n1ctf: /N1CTF\{[^}]+\}/g,
+  // N1CTF (Nu1L)
+  bctf: /BCTF\{[^}]+\}/g,
+  // BCTF
+  _0ctf: /0CTF\{[^}]+\}/g,
+  // 0CTF (Shanghai)
+  defcamp: /CTF\{[^}]+\}/g,
+  // DefCamp
+  insomnihack: /INS\{[^}]+\}/g,
+  // Insomni'hack
+  justctf: /justCTF\{[^}]+\}/g,
+  // justCTF
+  lactf: /lactf\{[^}]+\}/gi,
+  // LA CTF (UCLA)
+  damctf: /dam\{[^}]+\}/gi,
+  // DamCTF
+  tjctf: /tjctf\{[^}]+\}/gi,
+  // TJCTF
+  buckeye: /buckeye\{[^}]+\}/gi,
+  // BuckeyeCTF
+  uiuctf: /uiuctf\{[^}]+\}/gi,
+  // UIUCTF
+  // Platform-specific
+  cyber_apocalypse: /HTB\{[^}]+\}/g,
+  // HTB Cyber Apocalypse (same as HTB)
+  offshift: /oS\{[^}]+\}/g,
+  // Offshift CTF
+  imaginaryctf: /ictf\{[^}]+\}/gi,
+  // ImaginaryCTF
+  corctf: /corctf\{[^}]+\}/gi,
+  // corCTF
+  // Generic CTFd format — catches most custom competitions
   ctfd_generic: /[A-Z]{2,10}\{[^}]+\}/g,
-  // Generic CTFd format
   // Hash-style flags (HTB user.txt / root.txt — 32-char hex)
   hash_flag: /\b[a-f0-9]{32}\b/g,
   // Base64-encoded flag detection (common in steganography/forensics)
@@ -6765,6 +6872,520 @@ function appendBlockedCommandHints(lines, errorLower) {
   }
 }
 
+// src/shared/utils/output-compressor.ts
+var MIN_COMPRESS_LENGTH = 3e3;
+var SUMMARY_HEADER = "\u2550\u2550\u2550 INTELLIGENCE SUMMARY (auto-extracted) \u2550\u2550\u2550";
+var SUMMARY_FOOTER = "\u2550\u2550\u2550 END SUMMARY \u2014 Full output follows \u2550\u2550\u2550";
+var TOOL_SIGNATURES = [
+  {
+    name: "nmap",
+    signatures: [/Nmap scan report/i, /PORT\s+STATE\s+SERVICE/i, /Nmap done:/i],
+    extract: extractNmapIntel
+  },
+  {
+    name: "linpeas",
+    signatures: [/linpeas/i, /╔══.*╗/, /Linux Privilege Escalation/i],
+    extract: extractLinpeasIntel
+  },
+  {
+    name: "enum4linux",
+    signatures: [/enum4linux/i, /Starting enum4linux/i, /\|\s+Target\s+Information/i],
+    extract: extractEnum4linuxIntel
+  },
+  {
+    name: "gobuster/ffuf/feroxbuster",
+    signatures: [/Gobuster/i, /FFUF/i, /feroxbuster/i, /Status:\s*\d{3}/],
+    extract: extractDirBustIntel
+  },
+  {
+    name: "sqlmap",
+    signatures: [/sqlmap/i, /\[INFO\]\s+testing/i, /Parameter:\s+/i],
+    extract: extractSqlmapIntel
+  },
+  {
+    name: "hash_dump",
+    signatures: [/\$[0-9]\$/, /\$2[aby]\$/, /:[0-9]+:[a-f0-9]{32}:/i],
+    extract: extractHashIntel
+  }
+];
+function compressToolOutput(output, toolName) {
+  if (!output || output.length < MIN_COMPRESS_LENGTH) {
+    return output;
+  }
+  let intel = [];
+  let detectedTool = "";
+  for (const sig of TOOL_SIGNATURES) {
+    const matched = sig.signatures.some((s) => s.test(output));
+    if (matched) {
+      detectedTool = sig.name;
+      intel = sig.extract(output);
+      break;
+    }
+  }
+  if (intel.length === 0) {
+    intel = extractGenericIntel(output);
+    detectedTool = toolName || "unknown";
+  }
+  if (intel.length === 0) {
+    return output;
+  }
+  const summary = [
+    SUMMARY_HEADER,
+    `Tool: ${detectedTool} | Output length: ${output.length} chars`,
+    "",
+    ...intel,
+    "",
+    SUMMARY_FOOTER,
+    ""
+  ].join("\n");
+  return summary + output;
+}
+function extractNmapIntel(output) {
+  const intel = [];
+  const lines = output.split("\n");
+  const hostMatches = output.match(/Nmap scan report for\s+(\S+)/gi);
+  const openPorts = output.match(/^\d+\/\w+\s+open\s+/gm);
+  if (hostMatches) intel.push(`Hosts scanned: ${hostMatches.length}`);
+  if (openPorts) intel.push(`Open ports found: ${openPorts.length}`);
+  const portLines = lines.filter((l) => /^\d+\/\w+\s+open\s+/.test(l.trim()));
+  if (portLines.length > 0) {
+    intel.push("Open ports:");
+    for (const pl of portLines.slice(0, 30)) {
+      intel.push(`  ${pl.trim()}`);
+    }
+  }
+  const vulnLines = lines.filter(
+    (l) => /VULNERABLE|CVE-\d{4}-\d+|exploit|CRITICAL/i.test(l)
+  );
+  if (vulnLines.length > 0) {
+    intel.push("\u26A0\uFE0F  Vulnerability indicators:");
+    for (const vl of vulnLines.slice(0, 10)) {
+      intel.push(`  ${vl.trim()}`);
+    }
+  }
+  const osMatch = output.match(/OS details:\s*(.+)/i) || output.match(/Running:\s*(.+)/i);
+  if (osMatch) intel.push(`OS: ${osMatch[1].trim()}`);
+  return intel;
+}
+function extractLinpeasIntel(output) {
+  const intel = [];
+  const suidSection = output.match(/SUID[\s\S]*?(?=\n[═╔╗━]+|\n\n\n)/i);
+  if (suidSection) {
+    const suidBins = suidSection[0].match(/\/\S+/g);
+    if (suidBins) {
+      const interestingSuid = suidBins.filter(
+        (b) => /python|perl|ruby|node|bash|vim|less|more|nano|find|nmap|awk|env|php|gcc|gdb|docker|strace|ltrace/i.test(b)
+      );
+      if (interestingSuid.length > 0) {
+        intel.push(`\u{1F534} Exploitable SUID binaries: ${interestingSuid.join(", ")}`);
+      }
+    }
+  }
+  const sudoMatch = output.match(/User \S+ may run[\s\S]*?(?=\n\n|\n[═╔╗━])/i);
+  if (sudoMatch) {
+    intel.push(`\u{1F534} sudo -l: ${sudoMatch[0].trim().slice(0, 500)}`);
+  }
+  const writableMatch = output.match(/Interesting writable[\s\S]*?(?=\n\n|\n[═╔╗━])/i);
+  if (writableMatch) {
+    intel.push(`\u{1F4DD} Writable: ${writableMatch[0].trim().slice(0, 300)}`);
+  }
+  const cronMatch = output.match(/Cron[\s\S]*?(?=\n\n|\n[═╔╗━])/i);
+  if (cronMatch) {
+    const cronLines = cronMatch[0].split("\n").filter((l) => l.includes("*") || /\/(root|cron)/i.test(l));
+    if (cronLines.length > 0) {
+      intel.push("\u23F0 Cron entries:");
+      cronLines.slice(0, 5).forEach((c) => intel.push(`  ${c.trim()}`));
+    }
+  }
+  const kernelMatch = output.match(/Linux version\s+(\S+)/i) || output.match(/Kernel:\s*(\S+)/i);
+  if (kernelMatch) intel.push(`\u{1F427} Kernel: ${kernelMatch[1]}`);
+  const passLines = output.split("\n").filter(
+    (l) => /password\s*[=:]\s*\S+/i.test(l) && !/\*\*\*|example|sample/i.test(l)
+  );
+  if (passLines.length > 0) {
+    intel.push("\u{1F511} Potential credentials found:");
+    passLines.slice(0, 5).forEach((p) => intel.push(`  ${p.trim()}`));
+  }
+  const cveMatches = output.match(/CVE-\d{4}-\d+/gi);
+  if (cveMatches) {
+    const uniqueCves = [...new Set(cveMatches)];
+    intel.push(`\u26A0\uFE0F  CVEs mentioned: ${uniqueCves.join(", ")}`);
+  }
+  return intel;
+}
+function extractEnum4linuxIntel(output) {
+  const intel = [];
+  const userMatches = output.match(/user:\[(\S+?)\]/gi);
+  if (userMatches) {
+    const users = userMatches.map((u) => u.replace(/user:\[|\]/gi, ""));
+    intel.push(`\u{1F464} Users found: ${users.join(", ")}`);
+  }
+  const shareMatches = output.match(/Mapping: (\S+),\s*Listing: (\S+)/gi) || output.match(/\\\\\S+\\\\\S+/g);
+  if (shareMatches) {
+    intel.push(`\u{1F4C2} Shares: ${shareMatches.slice(0, 10).join(", ")}`);
+  }
+  const domainMatch = output.match(/Domain:\s*\[(\S+?)\]/i) || output.match(/Workgroup:\s*\[(\S+?)\]/i);
+  if (domainMatch) intel.push(`\u{1F3E2} Domain: ${domainMatch[1]}`);
+  const policyMatch = output.match(/Password Complexity|Account Lockout/i);
+  if (policyMatch) intel.push("\u{1F510} Password policy information found");
+  return intel;
+}
+function extractDirBustIntel(output) {
+  const intel = [];
+  const lines = output.split("\n");
+  const interestingPaths = [];
+  for (const line of lines) {
+    const match = line.match(/(?:Status:\s*(\d{3})|(\d{3})\s+\d+\s+\d+).*?(\/\S+)/);
+    if (match) {
+      const status = match[1] || match[2];
+      const path2 = match[3];
+      if (["200", "301", "302", "403"].includes(status)) {
+        interestingPaths.push(`[${status}] ${path2}`);
+      }
+    }
+    const ffufMatch = line.match(/(\S+)\s+\[Status:\s*(\d+),?\s*Size:\s*(\d+)/);
+    if (ffufMatch && ["200", "301", "302", "403"].includes(ffufMatch[2])) {
+      interestingPaths.push(`[${ffufMatch[2]}] ${ffufMatch[1]} (${ffufMatch[3]}b)`);
+    }
+  }
+  if (interestingPaths.length > 0) {
+    intel.push(`\u{1F4C1} Discovered paths (${interestingPaths.length}):`);
+    interestingPaths.slice(0, 20).forEach((p) => intel.push(`  ${p}`));
+    if (interestingPaths.length > 20) {
+      intel.push(`  ... and ${interestingPaths.length - 20} more`);
+    }
+  }
+  return intel;
+}
+function extractSqlmapIntel(output) {
+  const intel = [];
+  const injectionTypes = output.match(/Type:\s*(\S.*?)(?:\n|$)/gi);
+  if (injectionTypes) {
+    intel.push("\u{1F489} SQL injection found:");
+    injectionTypes.slice(0, 5).forEach((t) => intel.push(`  ${t.trim()}`));
+  }
+  const dbMatch = output.match(/back-end DBMS:\s*(.+)/i);
+  if (dbMatch) intel.push(`\u{1F5C4}\uFE0F DBMS: ${dbMatch[1].trim()}`);
+  const dbListMatch = output.match(/available databases.*?:\s*([\s\S]*?)(?=\n\[|\n$)/i);
+  if (dbListMatch) {
+    intel.push(`\u{1F4CA} Databases: ${dbListMatch[1].trim().replace(/\n/g, ", ")}`);
+  }
+  const tableMatches = output.match(/Database:\s*\S+\s+Table:\s*\S+/gi);
+  if (tableMatches) {
+    intel.push(`\u{1F4CB} Tables dumped: ${tableMatches.length}`);
+  }
+  return intel;
+}
+function extractHashIntel(output) {
+  const intel = [];
+  const lines = output.split("\n");
+  const md5Hashes = lines.filter((l) => /\b[a-f0-9]{32}\b/i.test(l) && !l.includes("{"));
+  const sha256Hashes = lines.filter((l) => /\b[a-f0-9]{64}\b/i.test(l));
+  const unixHashes = lines.filter((l) => /\$[0-9]\$|\$2[aby]\$|\$6\$|\$5\$/i.test(l));
+  const ntlmHashes = lines.filter((l) => /:[0-9]+:[a-f0-9]{32}:[a-f0-9]{32}:::/i.test(l));
+  if (md5Hashes.length > 0) intel.push(`#\uFE0F\u20E3 MD5 hashes: ${md5Hashes.length}`);
+  if (sha256Hashes.length > 0) intel.push(`#\uFE0F\u20E3 SHA256 hashes: ${sha256Hashes.length}`);
+  if (unixHashes.length > 0) intel.push(`#\uFE0F\u20E3 Unix crypt hashes: ${unixHashes.length}`);
+  if (ntlmHashes.length > 0) {
+    intel.push(`#\uFE0F\u20E3 NTLM hashes: ${ntlmHashes.length}`);
+    ntlmHashes.slice(0, 5).forEach((h) => intel.push(`  ${h.trim().slice(0, 100)}`));
+  }
+  return intel;
+}
+function extractGenericIntel(output) {
+  const intel = [];
+  const credPatterns = output.match(/(?:password|passwd|pwd|credentials?)\s*[=:]\s*\S+/gi);
+  if (credPatterns) {
+    intel.push("\u{1F511} Potential credentials detected:");
+    credPatterns.slice(0, 5).forEach((c) => intel.push(`  ${c.trim()}`));
+  }
+  const cves = output.match(/CVE-\d{4}-\d+/gi);
+  if (cves) {
+    const unique = [...new Set(cves)];
+    intel.push(`\u26A0\uFE0F  CVEs mentioned: ${unique.join(", ")}`);
+  }
+  const ips = output.match(/\b(?:(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\b/g);
+  if (ips) {
+    const uniqueIps = [...new Set(ips)].filter(
+      (ip) => !ip.startsWith("0.") && !ip.startsWith("255.") && ip !== "127.0.0.1"
+    );
+    if (uniqueIps.length > 0 && uniqueIps.length <= 20) {
+      intel.push(`\u{1F310} IP addresses found: ${uniqueIps.join(", ")}`);
+    }
+  }
+  const paths = output.match(/\/(?:etc\/(?:shadow|passwd|sudoers)|root\/|home\/\S+|var\/www\/\S+|opt\/\S+)\S*/g);
+  if (paths) {
+    const uniquePaths = [...new Set(paths)].slice(0, 10);
+    intel.push(`\u{1F4C2} Interesting paths: ${uniquePaths.join(", ")}`);
+  }
+  const flagPatterns = output.match(/(?:flag|secret|key|token)\{[^}]+\}/gi);
+  if (flagPatterns) {
+    intel.push("\u{1F3F4} FLAG/SECRET patterns detected:");
+    flagPatterns.forEach((f) => intel.push(`  ${f}`));
+  }
+  return intel;
+}
+
+// src/shared/utils/context-digest.ts
+import { writeFileSync as writeFileSync6, mkdirSync as mkdirSync2, existsSync as existsSync6 } from "fs";
+var PASSTHROUGH_THRESHOLD = 3e3;
+var LAYER2_THRESHOLD = 8e3;
+var LAYER3_THRESHOLD = 5e4;
+var MAX_REDUCED_LINES = 500;
+var getOutputDir = () => WORKSPACE.OUTPUTS;
+var MAX_DUPLICATE_DISPLAY = 3;
+var LAYER3_MAX_INPUT_CHARS = 8e4;
+var FALLBACK_MAX_CHARS = 3e4;
+var SIGNAL_PATTERNS = [
+  /error|fail|denied|refused|timeout|exception/i,
+  /warning|warn|deprecated|insecure/i,
+  /success|found|detected|discovered|vulnerable|VULNERABLE/i,
+  /password|passwd|credential|secret|key|token|hash/i,
+  /CVE-\d{4}-\d+/i,
+  /\d+\/\w+\s+open\s+/,
+  // nmap open port
+  /flag\{|ctf\{|HTB\{|THM\{/i,
+  // CTF flags
+  /root:|admin:|www-data:|nobody:/,
+  // /etc/passwd entries
+  /\$[0-9]\$|\$2[aby]\$/,
+  // password hashes
+  /\b(?:192\.168|10\.|172\.(?:1[6-9]|2\d|3[01]))\.\d+\.\d+\b/,
+  // internal IPs
+  /BEGIN\s+(?:RSA|DSA|EC|OPENSSH)\s+PRIVATE\s+KEY/i,
+  // private keys
+  /Authorization:|Bearer\s+|Basic\s+/i
+  // auth tokens
+];
+var NOISE_PATTERNS = [
+  /^\s*$/,
+  // blank lines
+  /^\[[\d:]+\]\s*$/,
+  // timestamp-only lines
+  /^#+\s*$/,
+  // separator lines
+  /^\s*Progress:\s*\[?[#=\-\s>]+\]?\s*\d+/i,
+  // progress bars
+  /\d+\s+requests?\s+(?:sent|made)/i,
+  // request counters
+  /^\s*(?:\.{3,}|={5,}|-{5,})\s*$/
+  // decoration lines
+];
+async function digestToolOutput(output, toolName, toolInput, llmDigestFn) {
+  const originalLength = output.length;
+  if (originalLength < PASSTHROUGH_THRESHOLD) {
+    return {
+      digestedOutput: output,
+      fullOutputPath: null,
+      layersApplied: [],
+      originalLength,
+      digestedLength: originalLength,
+      compressionRatio: 1
+    };
+  }
+  const layersApplied = [];
+  let processed = output;
+  let savedOutputPath = null;
+  processed = compressToolOutput(processed, toolName);
+  layersApplied.push(1);
+  if (processed.length > LAYER2_THRESHOLD) {
+    processed = structuralReduce(processed);
+    layersApplied.push(2);
+  }
+  if (processed.length > LAYER3_THRESHOLD) {
+    savedOutputPath = saveFullOutput(output, toolName);
+    if (llmDigestFn) {
+      try {
+        const context = `Tool: ${toolName}${toolInput ? ` | Input: ${toolInput}` : ""}`;
+        const digest = await llmDigestFn(processed, context);
+        processed = formatLLMDigest(digest, savedOutputPath, originalLength);
+        layersApplied.push(3);
+      } catch (err) {
+        debugLog("general", "Context Digest Layer 3 failed, falling back", { toolName, error: String(err) });
+        processed = formatFallbackDigest(processed, savedOutputPath, originalLength);
+        layersApplied.push(3);
+      }
+    } else {
+      processed = formatFallbackDigest(processed, savedOutputPath, originalLength);
+    }
+  } else if (layersApplied.includes(2)) {
+    savedOutputPath = saveFullOutput(output, toolName);
+  }
+  return {
+    digestedOutput: processed,
+    fullOutputPath: savedOutputPath,
+    layersApplied,
+    originalLength,
+    digestedLength: processed.length,
+    compressionRatio: processed.length / originalLength
+  };
+}
+function structuralReduce(output) {
+  let cleaned = stripAnsi(output);
+  const lines = cleaned.split("\n");
+  const result2 = [];
+  const duplicateCounts = /* @__PURE__ */ new Map();
+  let lastLine = "";
+  let consecutiveDupes = 0;
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (NOISE_PATTERNS.some((p) => p.test(trimmed))) {
+      continue;
+    }
+    const isSignal = SIGNAL_PATTERNS.some((p) => p.test(trimmed));
+    const normalized = normalizeLine(trimmed);
+    if (normalized === normalizeLine(lastLine) && !isSignal) {
+      consecutiveDupes++;
+      duplicateCounts.set(normalized, (duplicateCounts.get(normalized) || 1) + 1);
+      continue;
+    }
+    if (consecutiveDupes > 0) {
+      if (consecutiveDupes <= MAX_DUPLICATE_DISPLAY) {
+        for (let i = 0; i < consecutiveDupes; i++) {
+          result2.push(lastLine);
+        }
+      } else {
+        result2.push(`  ... (${consecutiveDupes} similar lines collapsed)`);
+      }
+      consecutiveDupes = 0;
+    }
+    result2.push(line);
+    lastLine = trimmed;
+  }
+  if (consecutiveDupes > MAX_DUPLICATE_DISPLAY) {
+    result2.push(`  ... (${consecutiveDupes} similar lines collapsed)`);
+  } else {
+    for (let i = 0; i < consecutiveDupes; i++) {
+      result2.push(lastLine);
+    }
+  }
+  if (result2.length > MAX_REDUCED_LINES) {
+    const headSize = Math.floor(MAX_REDUCED_LINES * 0.4);
+    const tailSize = Math.floor(MAX_REDUCED_LINES * 0.3);
+    const signalBudget = MAX_REDUCED_LINES - headSize - tailSize;
+    const head = result2.slice(0, headSize);
+    const tail = result2.slice(-tailSize);
+    const middle = result2.slice(headSize, -tailSize);
+    const middleSignals = middle.filter((line) => SIGNAL_PATTERNS.some((p) => p.test(line))).slice(0, signalBudget);
+    const skipped = middle.length - middleSignals.length;
+    cleaned = [
+      ...head,
+      "",
+      `... [${skipped} routine lines skipped \u2014 ${middleSignals.length} important lines preserved] ...`,
+      "",
+      ...middleSignals,
+      "",
+      `... [resuming last ${tailSize} lines] ...`,
+      "",
+      ...tail
+    ].join("\n");
+  } else {
+    cleaned = result2.join("\n");
+  }
+  return cleaned;
+}
+var DIGEST_SYSTEM_PROMPT = `You are a pentesting output analyst. Given raw tool output, extract ONLY actionable intelligence. Be terse and structured.
+
+FORMAT YOUR RESPONSE EXACTLY LIKE THIS:
+## Key Findings
+- [finding 1]
+- [finding 2]
+
+## Credentials/Secrets
+- [any discovered credentials, hashes, tokens, keys]
+
+## Attack Vectors
+- [exploitable services, vulnerabilities, misconfigurations]
+
+## Next Steps
+- [recommended immediate actions based on findings]
+
+RULES:
+- Be EXTREMELY concise \u2014 max 30 lines total
+- Only include ACTIONABLE findings \u2014 skip routine/expected results
+- If nothing interesting found, say "No actionable findings in this output"
+- Include exact values: port numbers, versions, usernames, file paths
+- Never include decorative output, banners, or progress information`;
+function formatLLMDigest(digest, filePath, originalChars) {
+  return [
+    "\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557",
+    "\u2551  CONTEXT DIGEST (LLM-summarized)                        \u2551",
+    "\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D",
+    "",
+    digest,
+    "",
+    `\u{1F4C2} Full output saved: ${filePath} (${originalChars} chars)`,
+    `\u{1F4A1} Use read_file("${filePath}") to see the complete raw output if needed.`
+  ].join("\n");
+}
+function formatFallbackDigest(processed, filePath, originalChars) {
+  const lines = processed.split("\n");
+  const summaryEndIdx = lines.findIndex((l) => l.includes("END SUMMARY"));
+  const summaryBlock = summaryEndIdx > 0 ? lines.slice(0, summaryEndIdx + 1).join("\n") : "";
+  const remaining = summaryEndIdx > 0 ? lines.slice(summaryEndIdx + 1).join("\n") : processed;
+  const maxChars = FALLBACK_MAX_CHARS;
+  let truncatedRemaining = remaining;
+  if (remaining.length > maxChars) {
+    const headChars = Math.floor(maxChars * 0.6);
+    const tailChars = Math.floor(maxChars * 0.4);
+    const skipped = remaining.length - headChars - tailChars;
+    truncatedRemaining = remaining.slice(0, headChars) + `
+
+... [${skipped} chars omitted \u2014 read full output from file] ...
+
+` + remaining.slice(-tailChars);
+  }
+  return [
+    summaryBlock,
+    truncatedRemaining,
+    "",
+    `\u{1F4C2} Full output saved: ${filePath} (${originalChars} chars)`,
+    `\u{1F4A1} Use read_file("${filePath}") to see the complete raw output.`
+  ].filter(Boolean).join("\n");
+}
+function stripAnsi(text) {
+  return text.replace(/\x1B\[[0-9;]*[a-zA-Z]/g, "").replace(/\x1B\[[\d;]*m/g, "");
+}
+function normalizeLine(line) {
+  return line.replace(/\d+/g, "N").replace(/0x[a-f0-9]+/gi, "H").replace(/\s+/g, " ").trim().toLowerCase();
+}
+function saveFullOutput(output, toolName) {
+  try {
+    const outputDir = getOutputDir();
+    if (!existsSync6(outputDir)) {
+      mkdirSync2(outputDir, { recursive: true });
+    }
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-").slice(0, 19);
+    const safeName = toolName.replace(/[^a-zA-Z0-9_-]/g, "_").slice(0, 30);
+    const filePath = `${outputDir}/${timestamp}_${safeName}.txt`;
+    writeFileSync6(filePath, output, "utf-8");
+    return filePath;
+  } catch (err) {
+    debugLog("general", "Failed to save full output to file", { toolName, error: String(err) });
+    return "(failed to save \u2014 output too large or disk full)";
+  }
+}
+function createLLMDigestFn(llmClient) {
+  return async (text, context) => {
+    const truncatedText = text.length > LAYER3_MAX_INPUT_CHARS ? text.slice(0, LAYER3_MAX_INPUT_CHARS) + `
+... [truncated for summarization, ${text.length - LAYER3_MAX_INPUT_CHARS} chars omitted]` : text;
+    const messages = [{ role: "user", content: `Analyze this pentesting tool output and extract actionable intelligence.
+
+Context: ${context}
+
+--- OUTPUT START ---
+${truncatedText}
+--- OUTPUT END ---` }];
+    const response = await llmClient.generateResponse(
+      messages,
+      void 0,
+      // no tools — summarization only
+      DIGEST_SYSTEM_PROMPT
+    );
+    return response.content || "No actionable findings extracted.";
+  };
+}
+
 // src/agents/core-agent.ts
 var CoreAgent = class _CoreAgent {
   llm;
@@ -7154,14 +7775,7 @@ Please decide how to handle this error and continue.`;
         input: call.input
       });
       let outputText = result2.output ?? "";
-      if (outputText.length > AGENT_LIMITS.MAX_TOOL_OUTPUT_LENGTH) {
-        const truncated = outputText.slice(0, AGENT_LIMITS.MAX_TOOL_OUTPUT_LENGTH);
-        const remaining = outputText.length - AGENT_LIMITS.MAX_TOOL_OUTPUT_LENGTH;
-        outputText = `${truncated}
-
-... [TRUNCATED ${remaining} characters for context hygiene] ...
-\u{1F4A1} TIP: If you need to see the full output, use a tool to read the file directly or run the command with | head, | tail, or | grep.`;
-      }
+      this.scanForFlags(outputText);
       if (result2.error) {
         outputText = this.enrichToolError({ toolName: call.name, input: call.input, error: result2.error, originalOutput: outputText, progress });
         if (progress) progress.toolErrors++;
@@ -7171,8 +7785,26 @@ Please decide how to handle this error and continue.`;
           progress.blockedCommandPatterns.clear();
         }
       }
+      try {
+        const llmDigestFn = createLLMDigestFn(this.llm);
+        const digestResult = await digestToolOutput(
+          outputText,
+          call.name,
+          JSON.stringify(call.input).slice(0, 200),
+          llmDigestFn
+        );
+        outputText = digestResult.digestedOutput;
+      } catch {
+        if (outputText.length > AGENT_LIMITS.MAX_TOOL_OUTPUT_LENGTH) {
+          const truncated = outputText.slice(0, AGENT_LIMITS.MAX_TOOL_OUTPUT_LENGTH);
+          const remaining = outputText.length - AGENT_LIMITS.MAX_TOOL_OUTPUT_LENGTH;
+          outputText = `${truncated}
+
+... [TRUNCATED ${remaining} characters for context hygiene] ...
+\u{1F4A1} TIP: If you need to see the full output, use a tool to read the file directly or run the command with | head, | tail, or | grep.`;
+        }
+      }
       this.emitToolResult(call.name, result2.success, outputText, result2.error, Date.now() - toolStartTime);
-      this.scanForFlags(outputText);
       return { toolCallId: call.id, output: outputText, error: result2.error };
     } catch (error) {
       const errorMsg = String(error);
@@ -7248,7 +7880,7 @@ Please decide how to handle this error and continue.`;
 };
 
 // src/agents/prompt-builder.ts
-import { readFileSync as readFileSync4, existsSync as existsSync6, readdirSync as readdirSync2 } from "fs";
+import { readFileSync as readFileSync4, existsSync as existsSync7, readdirSync as readdirSync2 } from "fs";
 import { join as join9, dirname as dirname5 } from "path";
 import { fileURLToPath as fileURLToPath4 } from "url";
 
@@ -7363,7 +7995,8 @@ var PromptBuilder = class {
    * 5. Scope constraints
    * 6. Current state (targets, findings, loot, active processes)
    * 7. TODO list
-   * 8. User context
+   * 8. Time awareness (elapsed + deadline)
+   * 9. User context
    */
   build(userInput, phase) {
     const fragments = [
@@ -7375,6 +8008,7 @@ var PromptBuilder = class {
       this.getScopeFragment(),
       this.getStateFragment(),
       this.getTodoFragment(),
+      this.getTimeFragment(),
       PROMPT_DEFAULTS.USER_CONTEXT(userInput)
     ];
     return fragments.filter((f) => !!f).join("\n\n");
@@ -7395,7 +8029,7 @@ ${content}
    */
   loadPromptFile(filename) {
     const path2 = join9(PROMPTS_DIR, filename);
-    return existsSync6(path2) ? readFileSync4(path2, PROMPT_CONFIG.ENCODING) : "";
+    return existsSync7(path2) ? readFileSync4(path2, PROMPT_CONFIG.ENCODING) : "";
   }
   /**
    * Load phase-specific prompt.
@@ -7441,14 +8075,14 @@ ${content}
    * "마크다운 파일 하나를 폴더에 넣으면, PromptBuilder가 자동으로 발견하고 로드한다."
    */
   loadPhaseRelevantTechniques(phase) {
-    if (!existsSync6(TECHNIQUES_DIR)) return "";
+    if (!existsSync7(TECHNIQUES_DIR)) return "";
     const priorityTechniques = PHASE_TECHNIQUE_MAP[phase] || [];
     const loadedSet = /* @__PURE__ */ new Set();
     const fragments = [];
     for (const technique of priorityTechniques) {
       const filePath = join9(TECHNIQUES_DIR, `${technique}.md`);
       try {
-        if (!existsSync6(filePath)) continue;
+        if (!existsSync7(filePath)) continue;
         const content = readFileSync4(filePath, PROMPT_CONFIG.ENCODING);
         if (content) {
           fragments.push(`<technique-reference category="${technique}">
@@ -7494,6 +8128,11 @@ ${content}
     const list = todo.map((t) => `[${t.status === TODO_STATUSES.DONE ? "x" : " "}] ${t.content} (${t.priority})`).join("\n");
     return PROMPT_XML.TODO(list || PROMPT_DEFAULTS.EMPTY_TODO);
   }
+  getTimeFragment() {
+    return `<time-status>
+${this.state.getTimeStatus()}
+</time-status>`;
+  }
 };
 
 // src/agents/main-agent.ts
@@ -7731,16 +8370,16 @@ var THEME = {
   },
   // Status colors
   status: {
-    success: "#22c55e",
-    // Green
+    success: "#10b981",
+    // Emerald
     warning: "#f59e0b",
     // Amber
     error: "#ef4444",
     // Red
-    info: "#3b82f6",
-    // Blue
-    running: "#0ea5e9",
+    info: "#0ea5e9",
     // Sky
+    running: "#38bdf8",
+    // Bright Sky
     pending: "#64748b"
     // Slate
   },
@@ -7795,7 +8434,23 @@ var THEME = {
   },
   // Gradients
   gradient: {
-    cyber: ["#00d4ff", "#00ff9f"],
+    cyber: [
+      "#38bdf8",
+      // Sky 400
+      "#34c6f4",
+      "#30d0f0",
+      "#2cd9ec",
+      "#28e3e8",
+      "#22d3ee",
+      // Cyan 400
+      "#25dbd6",
+      "#28e4be",
+      "#2dd4bf",
+      // Teal 400
+      "#31dbac",
+      "#34d399"
+      // Emerald 400
+    ],
     danger: ["#ef4444", "#7f1d1d"],
     success: ["#22c55e", "#14532d"],
     gold: ["#f59e0b", "#78350f"],
@@ -7807,32 +8462,12 @@ var THEME = {
   identity: "#38bdf8"
 };
 var ASCII_BANNER = `
-                    \u2571\u2594\u2594\u2572
-                  \u2571\u2594    \u2594\u2572
-                \u2571\u2594   \u2694   \u2594\u2572
-              \u2571\u2594             \u2594\u2572
-            \u2571\u2594                 \u2594\u2572
-          \u2571\u2594                     \u2594\u2572
-        \u2571\u2594                         \u2594\u2572
-      \u2571\u2594                             \u2594\u2572
-        \u2572\u2581                         \u2581\u2571
-          \u2572\u2581\u2581                   \u2581\u2581\u2571
-              \u2572\u2581\u2581           \u2581\u2581\u2571
-           \u2500\u2500\u2500\u2500\u2500\u2573\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2573\u2500\u2500\u2500\u2500\u2500
-                 \u2572         \u2571
-                  \u2572       \u2571
-                   \u2572     \u2571
-                    \u2572   \u2571
-                     \u2572 \u2571
-                      \u25C9
-
-    \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2557   \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557
-    \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551\u255A\u2550\u2550\u2588\u2588\u2554\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u255A\u2550\u2550\u2588\u2588\u2554\u2550\u2550\u255D
-    \u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557   \u2588\u2588\u2551
-    \u2588\u2588\u2554\u2550\u2550\u2550\u255D \u2588\u2588\u2554\u2550\u2550\u255D  \u2588\u2588\u2551\u255A\u2588\u2588\u2557\u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2554\u2550\u2550\u255D  \u255A\u2550\u2550\u2550\u2550\u2588\u2588\u2551   \u2588\u2588\u2551
-    \u2588\u2588\u2551     \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2551 \u255A\u2588\u2588\u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551   \u2588\u2588\u2551
-    \u255A\u2550\u255D     \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D\u255A\u2550\u255D  \u255A\u2550\u2550\u2550\u255D   \u255A\u2550\u255D   \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D   \u255A\u2550\u255D
-             A U T O N O M O U S   P E N T E S T   A G E N T
+    ____             __              __  _             
+   / __ \\___  ____  / /____  _______/ /_(_)___  ____ _ 
+  / /_/ / _ \\/ __ \\/ __/ _ \\/ ___/ __/ / / __ \\/ __ \`/ 
+ / ____/  __/ / / / /_/  __(__  ) /_/ / / / / / /_/ /  
+/_/    \\___/_/ /_/\\__/\\___/____/\\__/_/_/_/ /_/\\__, /   
+                                             /____/    
 `;
 var ICONS = {
   // Status