pentesting 0.40.1 → 0.40.3

package/dist/main.js

@@ -305,10 +305,8 @@ var ORPHAN_PROCESS_NAMES = [
 ];
 
 // src/shared/constants/agent.ts
-var ID_LENGTH = AGENT_LIMITS.ID_LENGTH;
-var ID_RADIX = AGENT_LIMITS.ID_RADIX;
 var APP_NAME = "Pentest AI";
-var APP_VERSION = "0.40.1";
+var APP_VERSION = "0.40.3";
 var APP_DESCRIPTION = "Autonomous Penetration Testing AI Agent";
 var LLM_ROLES = {
   SYSTEM: "system",
@@ -591,7 +589,7 @@ var DEFAULTS = {
 
 // src/engine/process-manager.ts
 import { spawn as spawn3, execSync as execSync2 } from "child_process";
-import { readFileSync as readFileSync2, existsSync as existsSync3, unlinkSync, writeFileSync as writeFileSync3, appendFileSync as appendFileSync2 } from "fs";
+import { readFileSync as readFileSync2, existsSync as existsSync3, unlinkSync as unlinkSync2, writeFileSync as writeFileSync3, appendFileSync as appendFileSync2 } from "fs";
 
 // src/engine/tools-base.ts
 import { spawn as spawn2 } from "child_process";
@@ -1520,58 +1518,8 @@ function createTempFile(suffix = "") {
   return join2(tmpdir(), generateTempFilename(suffix));
 }
 
-// src/engine/process-detector.ts
-function detectProcessRole(command) {
-  const tags = [];
-  let port;
-  let role = PROCESS_ROLES.BACKGROUND;
-  let isInteractive = false;
-  const cmd = command.toLowerCase();
-  if (cmd.includes("-lvnp") || cmd.includes("-nlvp") || cmd.includes("-lp") || cmd.includes("nc") && cmd.includes("listen")) {
-    tags.push(PROCESS_ROLES.LISTENER);
-    role = PROCESS_ROLES.LISTENER;
-    isInteractive = true;
-    const portMatch = command.match(DETECTION_PATTERNS.LISTENER);
-    if (portMatch) port = parseInt(portMatch[1], 10);
-  }
-  if (cmd.includes("http.server") || cmd.includes("simplehttpserver") || cmd.includes("httpd") || cmd.includes("php -s")) {
-    tags.push(PROCESS_ROLES.SERVER);
-    role = PROCESS_ROLES.SERVER;
-    const portMatch = command.match(DETECTION_PATTERNS.HTTP_SERVER);
-    if (portMatch) port = parseInt(portMatch[1], 10);
-    if (!port) {
-      const genericPort = command.match(DETECTION_PATTERNS.GENERIC_PORT);
-      if (genericPort) port = parseInt(genericPort[1], 10);
-      else if (cmd.includes("http.server")) port = SYSTEM_LIMITS.WEB_PORT_RANGE.MIN;
-    }
-  }
-  if (cmd.includes("tcpdump") || cmd.includes("tshark")) {
-    tags.push(PROCESS_ROLES.SNIFFER);
-    role = PROCESS_ROLES.SNIFFER;
-  }
-  if (cmd.includes("arpspoof") || cmd.includes("dnsspoof") || cmd.includes("ettercap")) {
-    tags.push(PROCESS_ROLES.SPOOFER);
-    role = PROCESS_ROLES.SPOOFER;
-  }
-  if (cmd.includes("mitm") || cmd.includes("proxy") || cmd.includes("intercept")) {
-    tags.push(PROCESS_ROLES.PROXY);
-    role = PROCESS_ROLES.PROXY;
-  }
-  if (cmd.includes("callback") || cmd.includes("oob")) {
-    tags.push(PROCESS_ROLES.CALLBACK);
-    role = PROCESS_ROLES.CALLBACK;
-  }
-  if (cmd.includes("socat") && cmd.includes("listen")) {
-    tags.push(PROCESS_ROLES.LISTENER);
-    role = PROCESS_ROLES.LISTENER;
-    isInteractive = true;
-  }
-  if (tags.length === 0) tags.push(PROCESS_ROLES.BACKGROUND);
-  return { tags, port, role, isInteractive };
-}
-function detectConnection(stdout) {
-  return DETECTION_PATTERNS.CONNECTION.some((p) => p.test(stdout));
-}
+// src/engine/process-cleanup.ts
+import { unlinkSync } from "fs";
 
 // src/engine/process-tree.ts
 import { execSync } from "child_process";
@@ -1657,9 +1605,99 @@ function killProcessTreeSync(pid, childPids) {
   }
 }
 
+// src/engine/process-cleanup.ts
+function syncCleanupAllProcesses(processMap) {
+  for (const [, proc] of processMap) {
+    if (!proc.hasExited) {
+      killProcessTreeSync(proc.pid, proc.childPids);
+    }
+    try {
+      unlinkSync(proc.stdoutFile);
+    } catch {
+    }
+    try {
+      unlinkSync(proc.stderrFile);
+    } catch {
+    }
+    try {
+      unlinkSync(proc.stdinFile);
+    } catch {
+    }
+  }
+}
+function registerExitHandlers(processMap) {
+  process.on("exit", () => {
+    syncCleanupAllProcesses(processMap);
+  });
+  process.on("SIGINT", () => {
+    syncCleanupAllProcesses(processMap);
+    processMap.clear();
+    process.exit(EXIT_CODES.SIGINT);
+  });
+  process.on("SIGTERM", () => {
+    syncCleanupAllProcesses(processMap);
+    processMap.clear();
+    process.exit(EXIT_CODES.SIGTERM);
+  });
+}
+
+// src/engine/process-detector.ts
+function detectProcessRole(command) {
+  const tags = [];
+  let port;
+  let role = PROCESS_ROLES.BACKGROUND;
+  let isInteractive = false;
+  const cmd = command.toLowerCase();
+  if (cmd.includes("-lvnp") || cmd.includes("-nlvp") || cmd.includes("-lp") || cmd.includes("nc") && cmd.includes("listen")) {
+    tags.push(PROCESS_ROLES.LISTENER);
+    role = PROCESS_ROLES.LISTENER;
+    isInteractive = true;
+    const portMatch = command.match(DETECTION_PATTERNS.LISTENER);
+    if (portMatch) port = parseInt(portMatch[1], 10);
+  }
+  if (cmd.includes("http.server") || cmd.includes("simplehttpserver") || cmd.includes("httpd") || cmd.includes("php -s")) {
+    tags.push(PROCESS_ROLES.SERVER);
+    role = PROCESS_ROLES.SERVER;
+    const portMatch = command.match(DETECTION_PATTERNS.HTTP_SERVER);
+    if (portMatch) port = parseInt(portMatch[1], 10);
+    if (!port) {
+      const genericPort = command.match(DETECTION_PATTERNS.GENERIC_PORT);
+      if (genericPort) port = parseInt(genericPort[1], 10);
+      else if (cmd.includes("http.server")) port = SYSTEM_LIMITS.WEB_PORT_RANGE.MIN;
+    }
+  }
+  if (cmd.includes("tcpdump") || cmd.includes("tshark")) {
+    tags.push(PROCESS_ROLES.SNIFFER);
+    role = PROCESS_ROLES.SNIFFER;
+  }
+  if (cmd.includes("arpspoof") || cmd.includes("dnsspoof") || cmd.includes("ettercap")) {
+    tags.push(PROCESS_ROLES.SPOOFER);
+    role = PROCESS_ROLES.SPOOFER;
+  }
+  if (cmd.includes("mitm") || cmd.includes("proxy") || cmd.includes("intercept")) {
+    tags.push(PROCESS_ROLES.PROXY);
+    role = PROCESS_ROLES.PROXY;
+  }
+  if (cmd.includes("callback") || cmd.includes("oob")) {
+    tags.push(PROCESS_ROLES.CALLBACK);
+    role = PROCESS_ROLES.CALLBACK;
+  }
+  if (cmd.includes("socat") && cmd.includes("listen")) {
+    tags.push(PROCESS_ROLES.LISTENER);
+    role = PROCESS_ROLES.LISTENER;
+    isInteractive = true;
+  }
+  if (tags.length === 0) tags.push(PROCESS_ROLES.BACKGROUND);
+  return { tags, port, role, isInteractive };
+}
+function detectConnection(stdout) {
+  return DETECTION_PATTERNS.CONNECTION.some((p) => p.test(stdout));
+}
+
 // src/engine/process-manager.ts
 var backgroundProcesses = /* @__PURE__ */ new Map();
 var cleanupDone = false;
+registerExitHandlers(backgroundProcesses);
 var processEventLog = [];
 function logEvent(processId, event, detail) {
   processEventLog.push({ timestamp: Date.now(), processId, event, detail });
@@ -1833,15 +1871,15 @@ async function stopBackgroundProcess(processId) {
     await killProcessTree(proc.pid, proc.childPids);
   }
   try {
-    unlinkSync(proc.stdoutFile);
+    unlinkSync2(proc.stdoutFile);
   } catch {
   }
   try {
-    unlinkSync(proc.stderrFile);
+    unlinkSync2(proc.stderrFile);
   } catch {
   }
   try {
-    unlinkSync(proc.stdinFile);
+    unlinkSync2(proc.stdinFile);
   } catch {
   }
   logEvent(processId, PROCESS_EVENTS.STOPPED, `Stopped ${proc.role} (PID:${proc.pid}, children:${proc.childPids.length})`);
@@ -1939,15 +1977,15 @@ async function cleanupAllProcesses() {
   }
   for (const [, proc] of backgroundProcesses) {
     try {
-      unlinkSync(proc.stdoutFile);
+      unlinkSync2(proc.stdoutFile);
     } catch {
     }
     try {
-      unlinkSync(proc.stderrFile);
+      unlinkSync2(proc.stderrFile);
     } catch {
     }
     try {
-      unlinkSync(proc.stdinFile);
+      unlinkSync2(proc.stdinFile);
     } catch {
     }
   }
@@ -2033,39 +2071,6 @@ Ports In Use: ${ports.join(", ")}`);
   }
   return lines.join("\n");
 }
-function syncCleanupAllProcesses() {
-  for (const [, proc] of backgroundProcesses) {
-    if (!proc.hasExited) {
-      killProcessTreeSync(proc.pid, proc.childPids);
-    }
-    try {
-      unlinkSync(proc.stdoutFile);
-    } catch {
-    }
-    try {
-      unlinkSync(proc.stderrFile);
-    } catch {
-    }
-    try {
-      unlinkSync(proc.stdinFile);
-    } catch {
-    }
-  }
-}
-process.on("exit", () => {
-  syncCleanupAllProcesses();
-});
-process.on("SIGINT", () => {
-  syncCleanupAllProcesses();
-  backgroundProcesses.clear();
-  process.exit(EXIT_CODES.SIGINT);
-});
-process.on("SIGTERM", () => {
-  syncCleanupAllProcesses();
-  backgroundProcesses.clear();
-  process.exit(EXIT_CODES.SIGTERM);
-});
-var stopProcess = stopBackgroundProcess;
 
 // src/engine/state-serializer.ts
 var StateSerializer = class {
@@ -2134,7 +2139,7 @@ var StateSerializer = class {
     if (todo.length > 0) {
       lines.push(`TODO (${todo.length}):`);
       for (const t of todo.slice(0, DISPLAY_LIMITS.COMPACT_LIST_ITEMS)) {
-        const status = t.status === "done" ? "[x]" : t.status === "in_progress" ? "[->]" : "[ ]";
+        const status = t.status === TODO_STATUSES.DONE ? "[x]" : t.status === TODO_STATUSES.IN_PROGRESS ? "[->]" : "[ ]";
         lines.push(`  ${status} ${t.content} (${t.priority})`);
       }
     }
@@ -2598,6 +2603,13 @@ var PersistentMemory = class {
   getSuccessfulTechniques(service) {
     return this.knowledge.successfulTechniques.filter((t) => t.service.toLowerCase().includes(service.toLowerCase())).sort((a, b) => b.successCount - a.successCount);
   }
+  /**
+   * Clear all knowledge (for testing isolation).
+   */
+  clear() {
+    this.knowledge = { successfulTechniques: [], failurePatterns: [], techFacts: [] };
+    this.save();
+  }
   /**
    * Format for prompt injection (most relevant persistent knowledge).
    */
@@ -2852,7 +2864,7 @@ var SharedState = class {
   }
   addMissionChecklistItems(items) {
     for (const text of items) {
-      const id = generateId(ID_RADIX, ID_LENGTH);
+      const id = generateId(AGENT_LIMITS.ID_RADIX, AGENT_LIMITS.ID_LENGTH);
       this.data.missionChecklist.push({ id, text, isCompleted: false });
     }
   }
@@ -2872,7 +2884,7 @@ var SharedState = class {
       this.data.engagement.scope = scope;
     } else {
       this.data.engagement = {
-        id: generateId(ID_RADIX, ID_LENGTH),
+        id: generateId(AGENT_LIMITS.ID_RADIX, AGENT_LIMITS.ID_LENGTH),
         name: DEFAULTS.ENGAGEMENT_NAME,
         client: DEFAULTS.ENGAGEMENT_CLIENT,
         scope,
@@ -2932,7 +2944,7 @@ var SharedState = class {
   }
   // --- TODO Management ---
   addTodo(content, priority = PRIORITIES.MEDIUM) {
-    const id = generateId(ID_RADIX, ID_LENGTH);
+    const id = generateId(AGENT_LIMITS.ID_RADIX, AGENT_LIMITS.ID_LENGTH);
     const item = { id, content, status: TODO_STATUSES.PENDING, priority };
     this.data.todo.push(item);
     return id;
@@ -2950,7 +2962,7 @@ var SharedState = class {
   // --- Logs & Phase ---
   logAction(action) {
     this.data.actionLog.push({
-      id: generateId(ID_RADIX, ID_LENGTH),
+      id: generateId(AGENT_LIMITS.ID_RADIX, AGENT_LIMITS.ID_LENGTH),
       timestamp: Date.now(),
       ...action
     });
@@ -4130,7 +4142,7 @@ Next steps:
         }
         case "stop": {
           if (!processId) return { success: false, output: "", error: "Missing process_id" };
-          return stopProcess(processId);
+          return stopBackgroundProcess(processId);
         }
         case "stop_all": {
           const procs = listBackgroundProcesses();
@@ -4464,7 +4476,7 @@ Detail: ${detail}
       const affected = p.affected || [];
       const validation = validateFinding(evidence, severity);
       state.addFinding({
-        id: generateId(ID_RADIX, ID_LENGTH),
+        id: generateId(AGENT_LIMITS.ID_RADIX, AGENT_LIMITS.ID_LENGTH),
         title,
         severity,
         affected,
@@ -4659,7 +4671,7 @@ async function installPlaywright() {
 
 // src/engine/tools/web-browser-script.ts
 import { spawn as spawn5 } from "child_process";
-import { writeFileSync as writeFileSync5, unlinkSync as unlinkSync2 } from "fs";
+import { writeFileSync as writeFileSync5, unlinkSync as unlinkSync3 } from "fs";
 import { join as join5 } from "path";
 import { tmpdir as tmpdir2 } from "os";
 function safeJsString(str) {
@@ -4695,7 +4707,7 @@ function runPlaywrightScript(script, timeout, scriptPrefix) {
     child.stderr.on("data", (data) => stderr += data);
     child.on("close", (code) => {
       try {
-        unlinkSync2(scriptPath);
+        unlinkSync3(scriptPath);
       } catch {
       }
       if (code !== 0) {
@@ -4722,7 +4734,7 @@ function runPlaywrightScript(script, timeout, scriptPrefix) {
     });
     child.on("error", (err) => {
       try {
-        unlinkSync2(scriptPath);
+        unlinkSync3(scriptPath);
       } catch {
       }
       resolve({
@@ -6469,7 +6481,7 @@ Combine with packet_sniff to capture intercepted traffic.`,
       });
       await new Promise((r) => setTimeout(r, (duration + NETWORK_CONFIG.WAIT_BUFFER_SECONDS) * 1e3));
       const output = getProcessOutput(proc.id);
-      await stopProcess(proc.id);
+      await stopBackgroundProcess(proc.id);
       await runCommand(NETWORK_COMMANDS.IP_FORWARD_DISABLE);
       return {
         success: true,
@@ -6523,7 +6535,7 @@ Requires root/sudo privileges.`,
       });
       await new Promise((r) => setTimeout(r, (duration + NETWORK_CONFIG.WAIT_BUFFER_SECONDS) * 1e3));
       const captureOutput = getProcessOutput(proc.id);
-      await stopProcess(proc.id);
+      await stopBackgroundProcess(proc.id);
       let output = `Packet Capture Results:
 Interface: ${iface}
 Filter: ${filter || "none"}
@@ -6610,7 +6622,7 @@ ${spoofIp}	*.${domain}
       });
       await new Promise((r) => setTimeout(r, (duration + NETWORK_CONFIG.WAIT_BUFFER_SECONDS) * 1e3));
       const output = getProcessOutput(proc.id);
-      await stopProcess(proc.id);
+      await stopBackgroundProcess(proc.id);
       return {
         success: true,
         output: `DNS Spoofing Results:
@@ -6662,7 +6674,7 @@ Combine with arp_spoof for transparent proxying.`,
       });
       await new Promise((r) => setTimeout(r, (duration + NETWORK_CONFIG.WAIT_BUFFER_SECONDS) * 1e3));
       const procOutput = getProcessOutput(proc.id);
-      await stopProcess(proc.id);
+      await stopBackgroundProcess(proc.id);
       let flowSummary = "";
       const readFlows = await runCommand(`mitmdump -r ${outputFile} -n 2>&1 | head -50`);
       if (readFlows.success && readFlows.output) {
@@ -6731,7 +6743,7 @@ This is a high-level tool that combines tcpdump capture with protocol analysis.`
         description: `Traffic intercept on ${target}`
       });
       await new Promise((r) => setTimeout(r, (duration + NETWORK_CONFIG.WAIT_BUFFER_SECONDS) * 1e3));
-      await stopProcess(proc.id);
+      await stopBackgroundProcess(proc.id);
       let output = `Traffic Interception Report
 ${"=".repeat(50)}
 Target: ${target}
@@ -7063,7 +7075,7 @@ If killOrphans is true, also cleans up child processes whose parent has died.`,
     async execute(params) {
       const results = [];
       if (params.processId) {
-        const procResult = await stopProcess(params.processId);
+        const procResult = await stopBackgroundProcess(params.processId);
         results.push(`Stopped ${params.processId}: ${procResult.success ? "success" : "failed"}`);
         if (procResult.output) {
           results.push(procResult.output.slice(0, PROCESS_OUTPUT_TRUNCATION_LIMIT));
@@ -7116,6 +7128,548 @@ Returns recommendations on process status, port conflicts, long-running tasks, e
   }
 ];
 
+// src/domains/network/tools.ts
+var NETWORK_TOOLS = [
+  {
+    name: TOOL_NAMES.NMAP_QUICK,
+    description: "Quick nmap scan - fast discovery",
+    parameters: {
+      target: { type: "string", description: "Target IP/CIDR" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      return await runCommand("nmap", ["-Pn", "-T4", "-F", target]);
+    }
+  },
+  {
+    name: TOOL_NAMES.NMAP_FULL,
+    description: "Full nmap scan - comprehensive",
+    parameters: {
+      target: { type: "string", description: "Target IP/CIDR" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      return await runCommand("nmap", ["-Pn", "-T4", "-sV", "-O", "-p-", target]);
+    }
+  },
+  {
+    name: TOOL_NAMES.RUSTSCAN,
+    description: "RustScan - very fast port discovery",
+    parameters: {
+      target: { type: "string", description: "Target IP" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      return await runCommand("rustscan", ["-a", target, "--range", "1-65535"]);
+    }
+  }
+];
+var NETWORK_CONFIG2 = {
+  name: SERVICE_CATEGORIES.NETWORK,
+  description: "Network reconnaissance - scanning, OS fingerprinting",
+  tools: NETWORK_TOOLS,
+  dangerLevel: DANGER_LEVELS.ACTIVE,
+  defaultApproval: APPROVAL_LEVELS.CONFIRM,
+  commonPorts: [21, 22, 80, 443, 445, 3389, 8080],
+  commonServices: [SERVICES.FTP, SERVICES.SSH, SERVICES.HTTP, SERVICES.HTTPS, SERVICES.SMB]
+};
+
+// src/domains/web/tools.ts
+var WEB_TOOLS = [
+  {
+    name: TOOL_NAMES.HTTP_FINGERPRINT,
+    description: "HTTP fingerprinting - detect WAF, server type",
+    parameters: {
+      target: { type: "string", description: "Target URL" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      return await runCommand("curl", ["-sI", target]);
+    }
+  },
+  {
+    name: TOOL_NAMES.WAF_DETECT,
+    description: "WAF detection using wafw00f",
+    parameters: {
+      target: { type: "string", description: "Target URL" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      return await runCommand("wafw00f", [target]);
+    }
+  },
+  {
+    name: TOOL_NAMES.DIRSEARCH,
+    description: "Directory bruteforcing",
+    parameters: {
+      target: { type: "string", description: "Target URL" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      return await runCommand("dirsearch", ["-u", target, "--quiet"]);
+    }
+  },
+  {
+    name: TOOL_NAMES.NUCLEI_WEB,
+    description: "Nuclei web vulnerability scanner",
+    parameters: {
+      target: { type: "string", description: "Target URL" },
+      severity: { type: "string", description: "Severities to check" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      const severity = params.severity || "medium,critical,high";
+      return await runCommand("nuclei", ["-u", target, "-s", severity, "-silent"]);
+    }
+  }
+];
+var WEB_CONFIG = {
+  name: SERVICE_CATEGORIES.WEB,
+  description: "Web application testing - HTTP/HTTPS, APIs",
+  tools: WEB_TOOLS,
+  dangerLevel: DANGER_LEVELS.ACTIVE,
+  defaultApproval: APPROVAL_LEVELS.CONFIRM,
+  commonPorts: [80, 443, 8080],
+  commonServices: [SERVICES.HTTP, SERVICES.HTTPS]
+};
+
+// src/domains/database/tools.ts
+var DATABASE_TOOLS = [
+  {
+    name: TOOL_NAMES.SQLMAP_BASIC,
+    description: "SQL injection testing with sqlmap - basic scan",
+    parameters: {
+      target: { type: "string", description: "Target URL" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      return await runCommand("sqlmap", ["-u", target, "--batch", "--risk=1", "--level=1"]);
+    }
+  },
+  {
+    name: TOOL_NAMES.SQLMAP_ADVANCED,
+    description: "SQL injection with sqlmap - full enumeration",
+    parameters: {
+      target: { type: "string", description: "Target URL" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      return await runCommand("sqlmap", ["-u", target, "--batch", "--risk=3", "--level=5", "--dbs", "--tables"]);
+    }
+  },
+  {
+    name: TOOL_NAMES.MYSQL_ENUM,
+    description: "MySQL enumeration - version, users, databases",
+    parameters: {
+      target: { type: "string", description: "Target IP/hostname" },
+      port: { type: "string", description: "Port (default 3306)" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      const port = params.port || "3306";
+      return await runCommand("mysql", ["-h", target, "-P", port, "-e", "SELECT VERSION(), USER(), DATABASE();"]);
+    }
+  },
+  {
+    name: TOOL_NAMES.POSTGRES_ENUM,
+    description: "PostgreSQL enumeration",
+    parameters: {
+      target: { type: "string", description: "Target IP" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      return await runCommand("psql", ["-h", target, "-U", "postgres", "-c", "SELECT version(); SELECT datname FROM pg_database;"]);
+    }
+  },
+  {
+    name: TOOL_NAMES.REDIS_ENUM,
+    description: "Redis enumeration",
+    parameters: {
+      target: { type: "string", description: "Target IP" },
+      port: { type: "string", description: "Port (default 6379)" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      const port = params.port || "6379";
+      return await runCommand("redis-cli", ["-h", target, "-p", port, "INFO"]);
+    }
+  },
+  {
+    name: TOOL_NAMES.DB_BRUTE,
+    description: "Brute force database credentials",
+    parameters: {
+      target: { type: "string", description: "Target IP" },
+      service: { type: "string", description: "Service (mysql, postgres, etc.)" }
+    },
+    required: ["target", "service"],
+    execute: async (params) => {
+      const target = params.target;
+      const service = params.service || SERVICES.MYSQL;
+      return await runCommand("hydra", [
+        "-L",
+        WORDLISTS.USERNAMES,
+        "-P",
+        WORDLISTS.COMMON_PASSWORDS,
+        target,
+        service
+      ]);
+    }
+  }
+];
+var DATABASE_CONFIG = {
+  name: SERVICE_CATEGORIES.DATABASE,
+  description: "Database exploitation - SQL injection, credential extraction",
+  tools: DATABASE_TOOLS,
+  dangerLevel: DANGER_LEVELS.EXPLOIT,
+  defaultApproval: APPROVAL_LEVELS.REVIEW,
+  commonPorts: [1433, 3306, 5432, 6379, 27017],
+  commonServices: [SERVICES.MYSQL, SERVICES.POSTGRES, SERVICES.REDIS, SERVICES.MONGODB]
+};
+
+// src/domains/ad/tools.ts
+var AD_TOOLS = [
+  {
+    name: TOOL_NAMES.BLOODHOUND_COLLECT,
+    description: "BloodHound data collection",
+    parameters: {
+      target: { type: "string", description: "Target DC IP" },
+      domain: { type: "string", description: "Domain name" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      const domain = params.domain || "DOMAIN";
+      return await runCommand("bloodhound-python", ["-c", "All", "-d", domain, target, "--zip"]);
+    }
+  },
+  {
+    name: TOOL_NAMES.KERBEROAST,
+    description: "Kerberoasting attack",
+    parameters: {
+      target: { type: "string", description: "DC IP" },
+      user: { type: "string", description: "Domain user" },
+      password: { type: "string", description: "Password" }
+    },
+    required: ["target", "user", "password"],
+    execute: async (params) => {
+      const target = params.target;
+      return await runCommand("GetUserSPNs.py", ["-dc-ip", target, `${params.user}:${params.password}`]);
+    }
+  },
+  {
+    name: TOOL_NAMES.LDAP_ENUM,
+    description: "LDAP enumeration",
+    parameters: {
+      target: { type: "string", description: "LDAP Server" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      return await runCommand("ldapsearch", ["-x", "-H", `ldap://${target}`, "-b", ""]);
+    }
+  }
+];
+var AD_CONFIG = {
+  name: SERVICE_CATEGORIES.AD,
+  description: "Active Directory and Windows domain",
+  tools: AD_TOOLS,
+  dangerLevel: DANGER_LEVELS.EXPLOIT,
+  defaultApproval: APPROVAL_LEVELS.REVIEW,
+  commonPorts: [88, 389, 445],
+  commonServices: [SERVICES.AD, SERVICES.SMB]
+};
+
+// src/domains/email/tools.ts
+var EMAIL_TOOLS = [
+  {
+    name: TOOL_NAMES.SMTP_ENUM,
+    description: "SMTP user enumeration",
+    parameters: {
+      target: { type: "string", description: "SMTP server" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      return await runCommand("smtp-user-enum", ["-M", "VRFY", "-t", params.target]);
+    }
+  }
+];
+var EMAIL_CONFIG = {
+  name: SERVICE_CATEGORIES.EMAIL,
+  description: "Email services - SMTP, IMAP, POP3",
+  tools: EMAIL_TOOLS,
+  dangerLevel: DANGER_LEVELS.ACTIVE,
+  defaultApproval: APPROVAL_LEVELS.CONFIRM,
+  commonPorts: [25, 110, 143, 465, 587, 993, 995],
+  commonServices: [SERVICES.SMTP, SERVICES.POP3, SERVICES.IMAP]
+};
+
+// src/domains/remote-access/tools.ts
+var REMOTE_ACCESS_TOOLS = [
+  {
+    name: TOOL_NAMES.SSH_ENUM,
+    description: "SSH enumeration",
+    parameters: {
+      target: { type: "string", description: "SSH Server" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      return await runCommand("ssh-audit", [params.target]);
+    }
+  },
+  {
+    name: TOOL_NAMES.RDP_ENUM,
+    description: "RDP enumeration",
+    parameters: {
+      target: { type: "string", description: "RDP Server" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      return await runCommand("nmap", ["-p", "3389", "--script", "rdp-enum-encryption,rdp-ntlm-info", params.target]);
+    }
+  }
+];
+var REMOTE_ACCESS_CONFIG = {
+  name: SERVICE_CATEGORIES.REMOTE_ACCESS,
+  description: "Remote access services - SSH, RDP, VNC",
+  tools: REMOTE_ACCESS_TOOLS,
+  dangerLevel: DANGER_LEVELS.ACTIVE,
+  defaultApproval: APPROVAL_LEVELS.REVIEW,
+  commonPorts: [22, 3389, 5900],
+  commonServices: [SERVICES.SSH, SERVICES.RDP, SERVICES.VNC]
+};
+
+// src/domains/file-sharing/tools.ts
+var FILE_SHARING_TOOLS = [
+  {
+    name: TOOL_NAMES.FTP_ENUM,
+    description: "FTP enumeration",
+    parameters: {
+      target: { type: "string", description: "FTP Server" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      return await runCommand("nmap", ["-p", "21", "--script", "ftp-anon,ftp-syst", params.target]);
+    }
+  },
+  {
+    name: TOOL_NAMES.SMB_ENUM,
+    description: "SMB enumeration",
+    parameters: {
+      target: { type: "string", description: "SMB Server" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      return await runCommand("enum4linux", ["-a", params.target]);
+    }
+  }
+];
+var FILE_SHARING_CONFIG = {
+  name: SERVICE_CATEGORIES.FILE_SHARING,
+  description: "File sharing protocols - SMB, FTP, NFS",
+  tools: FILE_SHARING_TOOLS,
+  dangerLevel: DANGER_LEVELS.ACTIVE,
+  defaultApproval: APPROVAL_LEVELS.CONFIRM,
+  commonPorts: [21, 139, 445, 2049],
+  commonServices: [SERVICES.FTP, SERVICES.SMB, SERVICES.NFS]
+};
+
+// src/domains/cloud/tools.ts
+var CLOUD_TOOLS = [
+  {
+    name: TOOL_NAMES.AWS_S3_CHECK,
+    description: "S3 bucket security check",
+    parameters: {
+      bucket: { type: "string", description: "Bucket name" }
+    },
+    required: ["bucket"],
+    execute: async (params) => {
+      const bucket = params.bucket;
+      return await runCommand("aws", ["s3", "ls", `s3://${bucket}`, "--no-sign-request"]);
+    }
+  },
+  {
+    name: TOOL_NAMES.CLOUD_META_CHECK,
+    description: "Check cloud metadata service access",
+    parameters: {
+      provider: { type: "string", description: "aws, azure, or gcp" }
+    },
+    required: ["provider"],
+    execute: async (params) => {
+      const provider = params.provider;
+      if (provider === "aws") return await runCommand("curl", ["http://169.254.169.254/latest/meta-data/"]);
+      if (provider === "azure") return await runCommand("curl", ["-H", "Metadata:true", "http://169.254.169.254/metadata/instance?api-version=2021-02-01"]);
+      return await runCommand("curl", ["-H", "Metadata-Flavor: Google", "http://metadata.google.internal/computeMetadata/v1/"]);
+    }
+  }
+];
+var CLOUD_CONFIG = {
+  name: SERVICE_CATEGORIES.CLOUD,
+  description: "Cloud infrastructure - AWS, Azure, GCP",
+  tools: CLOUD_TOOLS,
+  dangerLevel: DANGER_LEVELS.EXPLOIT,
+  defaultApproval: APPROVAL_LEVELS.REVIEW,
+  commonPorts: [443],
+  commonServices: [SERVICES.HTTP, SERVICES.HTTPS]
+};
+
+// src/domains/container/tools.ts
+var CONTAINER_TOOLS = [
+  {
+    name: TOOL_NAMES.DOCKER_PS,
+    description: "List running Docker containers",
+    parameters: {
+      host: { type: "string", description: "Docker host" }
+    },
+    required: ["host"],
+    execute: async (params) => {
+      return await runCommand("docker", ["-H", params.host, "ps"]);
+    }
+  },
+  {
+    name: TOOL_NAMES.KUBE_GET_PODS,
+    description: "List Kubernetes pods",
+    parameters: {
+      context: { type: "string", description: "Kube context" }
+    },
+    required: ["context"],
+    execute: async (params) => {
+      return await runCommand("kubectl", ["--context", params.context, "get", "pods"]);
+    }
+  }
+];
+var CONTAINER_CONFIG = {
+  name: SERVICE_CATEGORIES.CONTAINER,
+  description: "Container platforms - Docker, Kubernetes",
+  tools: CONTAINER_TOOLS,
+  dangerLevel: DANGER_LEVELS.EXPLOIT,
+  defaultApproval: APPROVAL_LEVELS.REVIEW,
+  commonPorts: [2375, 2376, 5e3, 6443],
+  commonServices: [SERVICES.DOCKER, SERVICES.KUBERNETES]
+};
+
+// src/domains/api/tools.ts
+var API_TOOLS = [
+  {
+    name: TOOL_NAMES.API_DISCOVER,
+    description: "API endpoint discovery - using Arjun",
+    parameters: {
+      target: { type: "string", description: "Target URL" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      return await runCommand("arjun", ["-u", target, "-t", "20"]);
+    }
+  },
+  {
+    name: TOOL_NAMES.GRAPHQL_INTROSPECT,
+    description: "GraphQL introspection - schema discovery",
+    parameters: {
+      target: { type: "string", description: "GQL Endpoint" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      return await runCommand("curl", ["-X", "POST", target, "-H", "Content-Type: application/json", "-d", '{"query":"{__schema {queryType {name}}}"}']);
+    }
+  },
+  {
+    name: TOOL_NAMES.SWAGGER_PARSE,
+    description: "Parse Swagger/OpenAPI specification",
+    parameters: {
+      spec: { type: "string", description: "URL to swagger.json/yaml" }
+    },
+    required: ["spec"],
+    execute: async (params) => {
+      const spec = params.spec;
+      return await runCommand("swagger-codegen", ["generate", "-i", spec, "-l", "html2"]);
+    }
+  },
+  {
+    name: TOOL_NAMES.API_FUZZ,
+    description: "General API fuzzing",
+    parameters: {
+      target: { type: "string", description: "Base API URL" },
+      wordlist: { type: "string", description: "Wordlist path" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      const wordlist = params.wordlist || WORDLISTS.API_FUZZ;
+      return await runCommand("ffuf", ["-u", `${target}/FUZZ`, "-w", wordlist, "-mc", "all"]);
+    }
+  }
+];
+var API_CONFIG = {
+  name: SERVICE_CATEGORIES.API,
+  description: "API testing - REST, GraphQL, SOAP",
+  tools: API_TOOLS,
+  dangerLevel: DANGER_LEVELS.ACTIVE,
+  defaultApproval: APPROVAL_LEVELS.CONFIRM,
+  commonPorts: [3e3, 5e3, 8e3, 8080],
+  commonServices: [SERVICES.HTTP, SERVICES.HTTPS]
+};
+
+// src/domains/wireless/tools.ts
+var WIRELESS_TOOLS = [
+  {
+    name: TOOL_NAMES.WIFI_SCAN,
+    description: "WiFi network scanning",
+    parameters: {
+      interface: { type: "string", description: "Wireless interface" }
+    },
+    required: ["interface"],
+    execute: async (params) => {
+      return await runCommand("iwlist", [params.interface, "scanning"]);
+    }
+  }
+];
+var WIRELESS_CONFIG = {
+  name: SERVICE_CATEGORIES.WIRELESS,
+  description: "Wireless security - WiFi, Bluetooth",
+  tools: WIRELESS_TOOLS,
+  dangerLevel: DANGER_LEVELS.ACTIVE,
+  defaultApproval: APPROVAL_LEVELS.REVIEW,
+  commonPorts: [],
+  commonServices: [SERVICES.WIFI, SERVICES.BLUETOOTH]
+};
+
+// src/domains/ics/tools.ts
+var ICS_TOOLS = [
+  {
+    name: TOOL_NAMES.MODBUS_ENUM,
+    description: "Modbus enumeration",
+    parameters: {
+      target: { type: "string", description: "ICS Device" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      return await runCommand("nmap", ["-p", "502", "--script", "modbus-discover", params.target]);
+    }
+  }
+];
+var ICS_CONFIG = {
+  name: SERVICE_CATEGORIES.ICS,
+  description: "Industrial control systems - Modbus, DNP3, EtherNet/IP",
+  tools: ICS_TOOLS,
+  dangerLevel: DANGER_LEVELS.ACTIVE,
+  defaultApproval: APPROVAL_LEVELS.BLOCK,
+  commonPorts: [502, 2e4],
+  commonServices: [SERVICES.MODBUS, SERVICES.DNP3]
+};
+
 // src/engine/tools.ts
 var ToolRegistry = class {
   constructor(state, scopeGuard, approvalGate, events) {
@@ -7132,7 +7686,20 @@ var ToolRegistry = class {
       ...createPentestTools(this.state),
       ...createAgentTools(),
       ...createNetworkAttackTools(),
-      ...resourceTools
+      ...resourceTools,
+      // Domain-specific tools (§3-3)
+      ...NETWORK_TOOLS,
+      ...WEB_TOOLS,
+      ...DATABASE_TOOLS,
+      ...AD_TOOLS,
+      ...EMAIL_TOOLS,
+      ...REMOTE_ACCESS_TOOLS,
+      ...FILE_SHARING_TOOLS,
+      ...CLOUD_TOOLS,
+      ...CONTAINER_TOOLS,
+      ...API_TOOLS,
+      ...WIRELESS_TOOLS,
+      ...ICS_TOOLS
     ];
     allTools.forEach((t) => this.tools.set(t.name, t));
   }
@@ -7971,7 +8538,7 @@ var __filename2 = fileURLToPath3(import.meta.url);
 var __dirname3 = dirname4(__filename2);
 
 // src/engine/state-persistence.ts
-import { writeFileSync as writeFileSync6, readFileSync as readFileSync4, existsSync as existsSync6, readdirSync, statSync, unlinkSync as unlinkSync3 } from "fs";
+import { writeFileSync as writeFileSync6, readFileSync as readFileSync4, existsSync as existsSync6, readdirSync, statSync, unlinkSync as unlinkSync4 } from "fs";
 import { join as join9 } from "path";
 function saveState(state) {
   const sessionsDir = WORKSPACE.SESSIONS;
@@ -8006,7 +8573,7 @@ function pruneOldSessions(sessionsDir) {
     })).sort((a, b) => b.mtime - a.mtime);
     const toDelete = sessionFiles.slice(AGENT_LIMITS.MAX_SESSION_FILES);
     for (const file of toDelete) {
-      unlinkSync3(file.path);
+      unlinkSync4(file.path);
     }
   } catch {
   }
@@ -8974,22 +9541,22 @@ Please decide how to handle this error and continue.`;
   /** Tools that are safe to run in parallel (read-only or per-key state mutations) */
   static PARALLEL_SAFE_TOOLS = /* @__PURE__ */ new Set([
     // Read-only intelligence tools
-    "get_state",
-    "parse_nmap",
-    "search_cve",
-    "web_search",
-    "browse_url",
-    "read_file",
-    "get_owasp_knowledge",
-    "get_web_attack_surface",
-    "get_cve_info",
-    "fill_form",
+    TOOL_NAMES.GET_STATE,
+    TOOL_NAMES.PARSE_NMAP,
+    TOOL_NAMES.SEARCH_CVE,
+    TOOL_NAMES.WEB_SEARCH,
+    TOOL_NAMES.BROWSE_URL,
+    TOOL_NAMES.READ_FILE,
+    TOOL_NAMES.GET_OWASP_KNOWLEDGE,
+    TOOL_NAMES.GET_WEB_ATTACK_SURFACE,
+    TOOL_NAMES.GET_CVE_INFO,
+    TOOL_NAMES.FILL_FORM,
     // State recording (per-key mutations, no external side effects)
-    "add_target",
-    "add_finding",
-    "add_loot",
-    "update_mission",
-    "update_todo"
+    TOOL_NAMES.ADD_TARGET,
+    TOOL_NAMES.ADD_FINDING,
+    TOOL_NAMES.ADD_LOOT,
+    TOOL_NAMES.UPDATE_MISSION,
+    TOOL_NAMES.UPDATE_TODO
   ]);
   async processToolCalls(toolCalls, progress) {
     if (toolCalls.length <= 1) {
@@ -9303,6 +9870,233 @@ function getTimeAdaptiveStrategy(elapsedMs, deadlineMs) {
   };
 }
 
+// src/shared/constants/service-ports.ts
+var SERVICE_PORTS = {
+  SSH: 22,
+  FTP: 21,
+  TELNET: 23,
+  SMTP: 25,
+  DNS: 53,
+  HTTP: 80,
+  POP3: 110,
+  IMAP: 143,
+  SMB_NETBIOS: 139,
+  SMB: 445,
+  HTTPS: 443,
+  MSSQL: 1433,
+  MYSQL: 3306,
+  RDP: 3389,
+  POSTGRESQL: 5432,
+  REDIS: 6379,
+  HTTP_ALT: 8080,
+  HTTPS_ALT: 8443,
+  MONGODB: 27017,
+  ELASTICSEARCH: 9200,
+  MEMCACHED: 11211,
+  NODE_DEFAULT: 3e3,
+  FLASK_DEFAULT: 5e3,
+  DJANGO_DEFAULT: 8e3
+};
+var CRITICAL_SERVICE_PORTS = [
+  SERVICE_PORTS.SSH,
+  SERVICE_PORTS.RDP,
+  SERVICE_PORTS.MYSQL,
+  SERVICE_PORTS.POSTGRESQL,
+  SERVICE_PORTS.REDIS,
+  SERVICE_PORTS.MONGODB
+];
+var NO_AUTH_CRITICAL_PORTS = [
+  SERVICE_PORTS.REDIS,
+  SERVICE_PORTS.MONGODB,
+  SERVICE_PORTS.ELASTICSEARCH,
+  SERVICE_PORTS.MEMCACHED
+];
+var WEB_SERVICE_PORTS = [
+  SERVICE_PORTS.HTTP,
+  SERVICE_PORTS.HTTPS,
+  SERVICE_PORTS.HTTP_ALT,
+  SERVICE_PORTS.HTTPS_ALT,
+  SERVICE_PORTS.NODE_DEFAULT,
+  SERVICE_PORTS.FLASK_DEFAULT,
+  SERVICE_PORTS.DJANGO_DEFAULT
+];
+var PLAINTEXT_HTTP_PORTS = [
+  SERVICE_PORTS.HTTP,
+  SERVICE_PORTS.HTTP_ALT,
+  SERVICE_PORTS.NODE_DEFAULT
+];
+var DATABASE_PORTS = [
+  SERVICE_PORTS.MYSQL,
+  SERVICE_PORTS.POSTGRESQL,
+  SERVICE_PORTS.MSSQL,
+  SERVICE_PORTS.MONGODB,
+  SERVICE_PORTS.REDIS
+];
+var SMB_PORTS = [
+  SERVICE_PORTS.SMB,
+  SERVICE_PORTS.SMB_NETBIOS
+];
+
+// src/shared/constants/scoring.ts
+var ATTACK_SCORING = {
+  /** Base score for all attack prioritization */
+  BASE_SCORE: 50,
+  /** Maximum possible score */
+  MAX_SCORE: 100,
+  /** Bonus for critical infrastructure services (SSH, RDP, DB, etc.) */
+  CRITICAL_SERVICE_BONUS: 20,
+  /** Bonus when service version is known (enables CVE lookup) */
+  VERSION_KNOWN_BONUS: 15,
+  /** Bonus when known critical CVE exists for the service version */
+  CRITICAL_CVE_BONUS: 30,
+  /** Bonus for sensitive services running without authentication */
+  NO_AUTH_BONUS: 25,
+  /** Bonus for plaintext HTTP on service ports (no HTTPS) */
+  PLAINTEXT_HTTP_BONUS: 10
+};
+
+// src/shared/utils/attack-knowledge-base.ts
+var SERVICE_VULN_MAP = {
+  // Apache
+  "apache/2.4.49": {
+    cves: ["CVE-2021-41773"],
+    exploits: ['curl --path-as-is "http://TARGET/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"'],
+    priority: "critical",
+    checks: ["Path traversal to RCE"]
+  },
+  "apache/2.4.50": {
+    cves: ["CVE-2021-42013"],
+    exploits: ['curl --path-as-is "http://TARGET/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd"'],
+    priority: "critical",
+    checks: ["Path traversal bypass"]
+  },
+  // SSH
+  "openssh/7.2": {
+    cves: ["CVE-2016-10009", "CVE-2016-10010"],
+    exploits: ["Check for Roaming auth bypass"],
+    priority: "medium",
+    checks: ["Version disclosure", "Weak algorithms"]
+  },
+  // vsftpd
+  "vsftpd/2.3.4": {
+    cves: ["CVE-2011-2523"],
+    exploits: ["Connect with username containing :) to trigger backdoor on port 6200"],
+    priority: "critical",
+    checks: ["Backdoor trigger: user:)"]
+  },
+  // SMB
+  "samba/3.0": {
+    cves: ["CVE-2004-0882"],
+    exploits: ["trans2open exploit"],
+    priority: "high",
+    checks: ["SMBv1 enabled"]
+  },
+  "smb": {
+    cves: ["MS17-010"],
+    exploits: ["EternalBlue exploit"],
+    priority: "critical",
+    checks: ["nmap --script smb-vuln-ms17-010"]
+  },
+  // MySQL
+  "mysql/5.0": {
+    cves: ["CVE-2012-2122"],
+    exploits: ["MariaDB/CMySQL authentication bypass"],
+    priority: "high",
+    checks: ["Try root without password", "mysql -u root"]
+  },
+  // Redis
+  "redis": {
+    cves: [],
+    exploits: ["Unauthenticated RCE via CONFIG SET dir + SLAVEOF"],
+    priority: "critical",
+    checks: ["redis-cli -h TARGET ping", "CONFIG GET dir"]
+  },
+  // Jenkins
+  "jenkins": {
+    cves: [],
+    exploits: ["Script Console RCE", "CVE-2019-1003000"],
+    priority: "high",
+    checks: ["/scriptText endpoint", "/manage/scriptConsole"]
+  },
+  // Elasticsearch
+  "elasticsearch/1": {
+    cves: ["CVE-2014-3120"],
+    exploits: ["Groovy sandbox bypass RCE"],
+    priority: "critical",
+    checks: ["Dynamic script execution"]
+  }
+};
+
+// src/shared/utils/attack-intelligence.ts
+function calculateAttackPriority(findings) {
+  let score = ATTACK_SCORING.BASE_SCORE;
+  if (CRITICAL_SERVICE_PORTS.includes(findings.port)) {
+    score += ATTACK_SCORING.CRITICAL_SERVICE_BONUS;
+  }
+  if (findings.version) {
+    score += ATTACK_SCORING.VERSION_KNOWN_BONUS;
+    const key = `${findings.service.toLowerCase()}/${findings.version.split(".")[0]}`;
+    if (SERVICE_VULN_MAP[key]?.priority === "critical") {
+      score += ATTACK_SCORING.CRITICAL_CVE_BONUS;
+    }
+  }
+  if (!findings.hasAuth && NO_AUTH_CRITICAL_PORTS.includes(findings.port)) {
+    score += ATTACK_SCORING.NO_AUTH_BONUS;
+  }
+  if (PLAINTEXT_HTTP_PORTS.includes(findings.port) && !findings.isHttps) {
+    score += ATTACK_SCORING.PLAINTEXT_HTTP_BONUS;
+  }
+  return Math.min(score, ATTACK_SCORING.MAX_SCORE);
+}
+function getAttacksForService(service, port) {
+  const attacks = [];
+  const svc = service.toLowerCase();
+  if (WEB_SERVICE_PORTS.includes(port)) {
+    attacks.push(
+      "OWASP-A01: Directory brute force",
+      "OWASP-A03: SQLi testing",
+      "OWASP-A03: XSS testing",
+      "OWASP-A05: Header analysis",
+      "OWASP-A10: SSRF testing",
+      "OWASP-A06: Version fingerprinting"
+    );
+  }
+  if (port === SERVICE_PORTS.SSH || svc.includes("ssh")) {
+    attacks.push(
+      "SSH version scan",
+      "Brute force common credentials",
+      "SSH key enumeration",
+      "Check for weak algorithms"
+    );
+  }
+  if (SMB_PORTS.includes(port) || svc.includes("smb")) {
+    attacks.push(
+      "MS17-010 EternalBlue check",
+      "SMB enumeration",
+      "Null session test",
+      "Share enumeration"
+    );
+  }
+  if (DATABASE_PORTS.includes(port) || svc.includes("sql") || svc.includes("mongo") || svc.includes("redis")) {
+    attacks.push(
+      "Default credential test",
+      "Unauthenticated access check",
+      "SQLi through web app",
+      "UDF injection",
+      "NoSQL injection"
+    );
+  }
+  if (port === SERVICE_PORTS.FTP || svc.includes("ftp")) {
+    attacks.push(
+      "Anonymous login test",
+      "Brute force credentials",
+      "VSFTPD backdoor check",
+      "Directory traversal"
+    );
+  }
+  return attacks;
+}
+
 // src/agents/prompt-builder.ts
 var __dirname4 = dirname5(fileURLToPath4(import.meta.url));
 var PROMPTS_DIR = join10(__dirname4, "prompts");
@@ -9366,6 +10160,7 @@ var PromptBuilder = class {
    * 8. Time awareness + adaptive strategy (#8)
    * 9. Challenge analysis (#2: Auto-Prompter)
    * 10. Attack graph (#6: recommended attack chains)
+   * 10b. Attack intelligence — per-service attack suggestions
    * 11. Working memory (#12: failed/succeeded attempts)
    * 12. Session timeline (#12: episodic memory)
    * 13. Learned techniques (#7: dynamic technique library)
@@ -9387,6 +10182,8 @@ var PromptBuilder = class {
       // #2
       this.getAttackGraphFragment(),
       // #6
+      this.getAttackIntelligenceFragment(),
+      // service-specific attacks
       this.getWorkingMemoryFragment(),
       // #12
       this.getEpisodicMemoryFragment(),
@@ -9540,6 +10337,30 @@ ${strategy.directive}
   getAttackGraphFragment() {
     return this.state.attackGraph.toPrompt();
   }
+  // --- Attack Intelligence: per-service bootstrapped attack suggestions ---
+  getAttackIntelligenceFragment() {
+    const targets = this.state.getAllTargets();
+    if (targets.length === 0) return "";
+    const lines = [];
+    for (const target of targets) {
+      for (const port of target.ports) {
+        const attacks = getAttacksForService(port.service || "", port.port);
+        if (attacks.length === 0) continue;
+        const priority = calculateAttackPriority({
+          service: port.service || "",
+          version: port.version,
+          port: port.port
+        });
+        lines.push(`[${target.ip}:${port.port}] ${port.service || "unknown"} (priority: ${priority}/100)`);
+        attacks.forEach((a) => lines.push(`  - ${a}`));
+      }
+    }
+    if (lines.length === 0) return "";
+    return `<attack-intelligence>
+Bootstrap attack suggestions (try these first, adapt if they fail):
+${lines.join("\n")}
+</attack-intelligence>`;
+  }
   // --- Improvement #12: Working Memory ---
   getWorkingMemoryFragment() {
     return this.state.workingMemory.toPrompt();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pentesting",
-  "version": "0.40.1",
+  "version": "0.40.3",
   "description": "Autonomous Penetration Testing AI Agent",
   "type": "module",
   "main": "dist/main.js",