pentesting 0.43.0 → 0.44.0

package/dist/main.js

@@ -10,7 +10,6 @@ var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require
 import { render } from "ink";
 import { Command } from "commander";
 import chalk from "chalk";
-import gradient from "gradient-string";
 
 // src/platform/tui/app.tsx
 import { useState as useState4, useCallback as useCallback4, useEffect as useEffect4, useRef as useRef4 } from "react";
@@ -307,14 +306,12 @@ var ORPHAN_PROCESS_NAMES = [
   "dnsspoof",
   "tcpdump",
   "tshark",
-  "socat",
-  "nc",
-  "python"
+  "socat"
 ];
 
 // src/shared/constants/agent.ts
 var APP_NAME = "Pentest AI";
-var APP_VERSION = "0.43.0";
+var APP_VERSION = "0.44.0";
 var APP_DESCRIPTION = "Autonomous Penetration Testing AI Agent";
 var LLM_ROLES = {
   SYSTEM: "system",
@@ -342,6 +339,146 @@ var SENSITIVE_INPUT_TYPES = [
   INPUT_TYPES.CREDENTIAL
 ];
 
+// src/shared/utils/time-strategy.ts
+var PHASE_RATIOS = {
+  /** Sprint ends at 25% of total time */
+  SPRINT_END: 0.25,
+  /** Exploit phase ends at 50% of total time */
+  EXPLOIT_END: 0.5,
+  /** Creative phase ends at 75% of total time */
+  CREATIVE_END: 0.75
+  // Harvest: 75%-100%
+};
+var DEFAULT_DURATION_SEC = 86400;
+var MIN_DURATION_SEC = 300;
+var MAX_DURATION_SEC = 604800;
+var MS_PER_SEC = 1e3;
+function getSessionDurationMs() {
+  const envValue = process.env.PENTEST_DURATION;
+  if (envValue) {
+    const parsed = parseInt(envValue, 10);
+    if (!isNaN(parsed) && parsed > 0) {
+      const clamped = Math.max(MIN_DURATION_SEC, Math.min(MAX_DURATION_SEC, parsed));
+      return clamped * MS_PER_SEC;
+    }
+  }
+  return DEFAULT_DURATION_SEC * MS_PER_SEC;
+}
+function computeDeadline(startedAt) {
+  return startedAt + getSessionDurationMs();
+}
+function formatDuration(totalSec) {
+  if (totalSec <= 0) return "0s";
+  const h = Math.floor(totalSec / 3600);
+  const m = Math.floor(totalSec % 3600 / 60);
+  const s = Math.floor(totalSec % 60);
+  if (h > 0 && m > 0) return `${h}h${m}m`;
+  if (h > 0) return `${h}h`;
+  if (m > 0 && s > 0) return `${m}m${s}s`;
+  if (m > 0) return `${m}m`;
+  return `${s}s`;
+}
+function getTimeAdaptiveStrategy(elapsedMs, deadlineMs) {
+  let totalMs;
+  let remainingMs;
+  if (deadlineMs > 0) {
+    remainingMs = Math.max(0, deadlineMs - Date.now());
+    totalMs = elapsedMs + remainingMs;
+  } else {
+    totalMs = getSessionDurationMs();
+    remainingMs = Math.max(0, totalMs - elapsedMs);
+  }
+  if (totalMs <= 0) totalMs = 1;
+  const progress = Math.min(1, elapsedMs / totalMs);
+  const remainingSec = Math.floor(remainingMs / MS_PER_SEC);
+  const totalDurationSec = Math.floor(totalMs / MS_PER_SEC);
+  const elapsedStr = formatDuration(Math.floor(elapsedMs / MS_PER_SEC));
+  const remainStr = formatDuration(remainingSec);
+  const totalStr = formatDuration(totalDurationSec);
+  const pctStr = `${Math.floor(progress * 100)}%`;
+  if (progress >= PHASE_RATIOS.CREATIVE_END) {
+    return {
+      phase: "harvest",
+      label: "HARVEST",
+      urgency: "critical",
+      progress,
+      totalDurationSec,
+      remainingSec,
+      directive: [
+        `\u{1F3C1} HARVEST MODE [${pctStr} elapsed, ${remainStr} of ${totalStr} remaining]:`,
+        "- STOP exploring new attack vectors. Exploit what you HAVE.",
+        "- Submit ALL discovered flags immediately",
+        "- Check obvious flag locations: /root/flag.txt, user.txt, env vars, DB tables",
+        "- Re-check previously accessed systems for missed flags/proof",
+        "- Collect and record ALL evidence and proof files",
+        "- Write final report with all findings",
+        "- Credential spray ALL discovered creds on ALL remaining services",
+        remainingSec <= 300 ? "- \u26A0\uFE0F FINAL 5 MINUTES \u2014 submit everything NOW, stop all scans" : "- Focus on highest-confidence paths only"
+      ].join("\n")
+    };
+  }
+  if (progress >= PHASE_RATIOS.EXPLOIT_END) {
+    return {
+      phase: "creative",
+      label: "CREATIVE",
+      urgency: "high",
+      progress,
+      totalDurationSec,
+      remainingSec,
+      directive: [
+        `\u{1F52C} CREATIVE MODE [${pctStr} elapsed, ${remainStr} of ${totalStr} remaining]:`,
+        "- Try advanced techniques: chained exploits, custom tools, race conditions",
+        "- Binary analysis for SUID/custom binaries, kernel exploits for privesc",
+        "- Protocol-level attacks: SMB relay, Kerberoasting, ADCS abuse",
+        '- Search for latest bypasses: web_search("{defense} bypass {year}")',
+        "- If stuck >5min on any vector, SWITCH immediately",
+        "- Start preparing evidence collection for final phase",
+        "- If all targets are compromised \u2192 skip to harvest immediately"
+      ].join("\n")
+    };
+  }
+  if (progress >= PHASE_RATIOS.SPRINT_END) {
+    return {
+      phase: "exploit",
+      label: "EXPLOIT",
+      urgency: "medium",
+      progress,
+      totalDurationSec,
+      remainingSec,
+      directive: [
+        `\u{1F3AF} EXPLOIT MODE [${pctStr} elapsed, ${remainStr} of ${totalStr} remaining]:`,
+        "- Concentrate on discovered vectors with highest success probability",
+        "- Run parallel exploitation attempts on multiple targets",
+        "- Search for CVE PoCs for every identified service+version",
+        "- Chain: credentials \u2192 spray everywhere, LFI \u2192 config \u2192 DB creds",
+        "- Keep background scans running for new targets",
+        "- Time-box each vector: 10min max then switch",
+        "- If all vectors exhausted early \u2192 move to creative techniques immediately"
+      ].join("\n")
+    };
+  }
+  return {
+    phase: "sprint",
+    label: "SPRINT",
+    urgency: "low",
+    progress,
+    totalDurationSec,
+    remainingSec,
+    directive: [
+      `\u26A1 SPRINT MODE [${pctStr} elapsed, ${remainStr} of ${totalStr} remaining]:`,
+      "- RustScan first for fast port discovery \u2192 then nmap -Pn -sV -sC on found ports",
+      "- ALWAYS use nmap -Pn (no exceptions \u2014 firewalls block ICMP)",
+      "- Run ALL scans in parallel (rustscan, nmap UDP, web fuzzing, CVE search)",
+      "- Try default/weak credentials on every discovered service IMMEDIATELY",
+      "- Check for exposed files (.env, .git, backup.sql, phpinfo)",
+      "- Anonymous access: FTP, SMB null session, Redis no auth, MongoDB",
+      "- OSINT: web_search for target intel, shodan, github repos",
+      "- Goal: Maximum attack surface discovery + instant wins",
+      "- \u26A1 If recon completes early \u2192 ATTACK IMMEDIATELY, do not wait for this phase to end"
+    ].join("\n")
+  };
+}
+
 // src/shared/utils/id.ts
 var ID_DEFAULT_RADIX = 36;
 var ID_DEFAULT_LENGTH = 6;
@@ -2027,7 +2164,7 @@ async function cleanupAllProcesses() {
   backgroundProcesses.clear();
   for (const name of ORPHAN_PROCESS_NAMES) {
     try {
-      execSync2(`pkill -f "${name}" 2>/dev/null || true`, { stdio: "ignore", timeout: SYSTEM_LIMITS.PROCESS_OP_TIMEOUT_MS });
+      execSync2(`pkill -x "${name}" 2>/dev/null || true`, { stdio: "ignore", timeout: SYSTEM_LIMITS.PROCESS_OP_TIMEOUT_MS });
     } catch {
     }
   }
@@ -2652,6 +2789,22 @@ var AttackGraph = class {
         if (nodeCount >= GRAPH_LIMITS.ASCII_MAX_NODES) break;
         const sIcon = statusIcons[node.status] || "?";
         const fail = node.status === NODE_STATUS.FAILED && node.failReason ? ` \u2014 ${node.failReason}` : "";
+        let detail = "";
+        if (type === NODE_TYPE.CREDENTIAL) {
+          const source = node.data.source ? ` (from: ${node.data.source})` : "";
+          detail = source;
+        } else if (type === NODE_TYPE.VULNERABILITY) {
+          const sev = node.data.severity ? ` [${String(node.data.severity).toUpperCase()}]` : "";
+          const exploit = node.data.hasExploit ? " [EXPLOIT]" : "";
+          const target = node.data.target ? ` \u2192 ${node.data.target}` : "";
+          detail = `${sev}${exploit}${target}`;
+        } else if (type === NODE_TYPE.ACCESS) {
+          const via = node.data.via ? ` via ${node.data.via}` : "";
+          detail = via;
+        } else if (type === NODE_TYPE.SERVICE) {
+          const ver = node.data.version ? ` (${node.data.version})` : "";
+          detail = ver;
+        }
         const outEdges = this.edges.filter((e) => e.from === node.id);
         const edgeStr = outEdges.length > 0 ? ` \u2192 ${outEdges.map((e) => {
           const target = this.nodes.get(e.to);
@@ -2659,10 +2812,19 @@ var AttackGraph = class {
           const eStatus = e.status === EDGE_STATUS.FAILED ? " \u2717" : e.status === EDGE_STATUS.SUCCEEDED ? " \u2713" : "";
           return `${eName}${eStatus}`;
         }).join(", ")}` : "";
-        lines.push(`\u2502   ${sIcon} ${node.label}${fail}${edgeStr}`);
+        lines.push(`\u2502   ${sIcon} ${node.label}${detail}${fail}${edgeStr}`);
         nodeCount++;
       }
     }
+    const succeededNodes = Array.from(this.nodes.values()).filter((n) => n.status === NODE_STATUS.SUCCEEDED);
+    if (succeededNodes.length > 0) {
+      lines.push(`\u2502`);
+      lines.push(`\u251C\u2500\u2500\u2500 Exploited \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524`);
+      for (const n of succeededNodes) {
+        const via = n.data.via ? ` via ${n.data.via}` : "";
+        lines.push(`\u2502 \u25CF ${n.label}${via}`);
+      }
+    }
     const stats = this.getStats();
     lines.push(`\u2502`);
     lines.push(`\u251C\u2500\u2500\u2500 Summary \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524`);
@@ -3183,6 +3345,7 @@ var SharedState = class {
   // ─── Improvement #7: Dynamic Technique Library ────────────────
   dynamicTechniques = new DynamicTechniqueLibrary();
   constructor() {
+    const now = Date.now();
     this.data = {
       engagement: null,
       targets: /* @__PURE__ */ new Map(),
@@ -3196,8 +3359,10 @@ var SharedState = class {
       ctfMode: true,
       // CTF mode ON by default
       flags: [],
-      startedAt: Date.now(),
-      deadlineAt: 0,
+      startedAt: now,
+      // Auto-configure from PENTEST_DURATION env (seconds).
+      // Defaults to 24h if not set. Can be overridden via setDeadline().
+      deadlineAt: computeDeadline(now),
       challengeAnalysis: null
     };
   }
@@ -3206,6 +3371,7 @@ var SharedState = class {
    * Used by /clear command to start a fresh session without recreating the agent.
    */
   reset() {
+    const now = Date.now();
     this.data = {
       engagement: null,
       targets: /* @__PURE__ */ new Map(),
@@ -3218,8 +3384,8 @@ var SharedState = class {
       missionChecklist: [],
       ctfMode: true,
       flags: [],
-      startedAt: Date.now(),
-      deadlineAt: 0,
+      startedAt: now,
+      deadlineAt: computeDeadline(now),
       challengeAnalysis: null
     };
     this.attackGraph.reset();
@@ -3404,24 +3570,28 @@ var SharedState = class {
     if (this.data.deadlineAt === 0) return 0;
     return Math.max(0, this.data.deadlineAt - Date.now());
   }
-  /** Get time status string for prompt injection */
+  /** Get time status string for prompt injection (ratio-based, aligned with PHASE_RATIOS) */
   getTimeStatus() {
     const elapsed = this.getElapsedMs();
     const mins = Math.floor(elapsed / 6e4);
     let status = `\u23F1 Elapsed: ${mins}min`;
     if (this.data.deadlineAt > 0) {
       const remainingMs = this.getRemainingMs();
+      const totalMs = elapsed + remainingMs;
+      const progress = totalMs > 0 ? elapsed / totalMs : 1;
       const remainingMins = Math.floor(remainingMs / 6e4);
-      if (remainingMins <= 0) {
+      if (remainingMs <= 0) {
         status += " | \u26A0\uFE0F TIME IS UP \u2014 submit any flags you have NOW";
-      } else if (remainingMins <= 15) {
+      } else if (progress >= 0.95) {
         status += ` | \u{1F534} ${remainingMins}min LEFT \u2014 FINAL PUSH: submit flags, check obvious locations, env vars, DBs`;
-      } else if (remainingMins <= 30) {
-        status += ` | \u{1F7E1} ${remainingMins}min LEFT \u2014 wrap up current vector, ensure all findings are captured`;
-      } else if (remainingMins <= 60) {
-        status += ` | \u{1F7E0} ${remainingMins}min LEFT \u2014 focus on highest-probability vectors only`;
+      } else if (progress >= 0.75) {
+        status += ` | \u{1F7E1} ${remainingMins}min LEFT \u2014 HARVEST: wrap up, collect evidence, submit flags`;
+      } else if (progress >= 0.5) {
+        status += ` | \u{1F7E0} ${remainingMins}min LEFT \u2014 CREATIVE: advanced techniques, switch if stuck`;
+      } else if (progress >= 0.25) {
+        status += ` | \u{1F535} ${remainingMins}min LEFT \u2014 EXPLOIT: focus on discovered vectors`;
       } else {
-        status += ` | \u{1F7E2} ${remainingMins}min remaining`;
+        status += ` | \u{1F7E2} ${remainingMins}min remaining \u2014 SPRINT: recon + quick wins`;
       }
     }
     return status;
@@ -4912,26 +5082,31 @@ Detail: ${detail}
   },
   {
     name: TOOL_NAMES.ADD_FINDING,
-    description: "Add a security finding. Always include attackPattern for MITRE ATT&CK mapping.",
+    description: `Add a security finding with full details.
+ALWAYS provide: description (HOW you exploited it, step-by-step), evidence (actual command output proving success), and attackPattern (MITRE ATT&CK tactic).
+Findings without evidence are marked as UNVERIFIED and have low credibility.`,
     parameters: {
-      title: { type: "string", description: "Finding title" },
+      title: { type: "string", description: 'Concise finding title (e.g., "Path Traversal via /download endpoint")' },
       severity: { type: "string", description: "Severity: critical, high, medium, low, info" },
-      affected: { type: "array", items: { type: "string" }, description: "Affected host:port" },
+      affected: { type: "array", items: { type: "string" }, description: 'Affected host:port or URLs (e.g., ["ctf.example.com:443/download"])' },
+      description: { type: "string", description: "Detailed description: what the vulnerability is, how you exploited it step-by-step, what access it gives, and the impact. Include credentials found, methods used, and exploitation chain." },
+      evidence: { type: "array", items: { type: "string" }, description: 'Actual command outputs proving the finding (e.g., ["curl output showing /etc/passwd", "uid=0(root) gid=0(root)"]). Copy real output here.' },
       attackPattern: { type: "string", description: "MITRE ATT&CK tactic: initial_access, execution, persistence, privilege_escalation, defense_evasion, credential_access, discovery, lateral_movement, collection, exfiltration, command_and_control, impact" }
     },
-    required: ["title", "severity"],
+    required: ["title", "severity", "description", "evidence"],
     execute: async (p) => {
       const evidence = p.evidence || [];
       const title = p.title;
       const severity = p.severity;
       const affected = p.affected || [];
+      const description = p.description || "";
       const validation = validateFinding(evidence, severity);
       state.addFinding({
         id: generateId(AGENT_LIMITS.ID_RADIX, AGENT_LIMITS.ID_LENGTH),
         title,
         severity,
         affected,
-        description: p.description || "",
+        description,
         evidence,
         isVerified: validation.isVerified,
         remediation: "",
@@ -8686,6 +8861,11 @@ var NETWORK_ERROR_CODES = {
   ENOTFOUND: "ENOTFOUND",
   CONNECT_TIMEOUT: "UND_ERR_CONNECT_TIMEOUT"
 };
+var TRANSIENT_NETWORK_ERRORS = [
+  NETWORK_ERROR_CODES.ECONNRESET,
+  NETWORK_ERROR_CODES.ETIMEDOUT,
+  NETWORK_ERROR_CODES.ENOTFOUND
+];
 var LLMError = class extends Error {
   /** Structured error information */
   errorInfo;
@@ -8696,8 +8876,11 @@ var LLMError = class extends Error {
   }
 };
 function classifyError(error) {
+  if (error === null || error === void 0) {
+    return { type: LLM_ERROR_TYPES.UNKNOWN, message: String(error), isRetryable: false, suggestedAction: "Analyze error" };
+  }
   const e = error;
-  const statusCode = e.status || e.statusCode;
+  const statusCode = e?.status || e?.statusCode;
   const errorMessage = e?.error?.error?.message || e?.error?.message || e?.message || String(error);
   if (statusCode === HTTP_STATUS.RATE_LIMIT || errorMessage.toLowerCase().includes("rate limit")) {
     return { type: LLM_ERROR_TYPES.RATE_LIMIT, message: errorMessage, statusCode, isRetryable: true, suggestedAction: "Wait and retry" };
@@ -8708,7 +8891,7 @@ function classifyError(error) {
   if (statusCode === HTTP_STATUS.BAD_REQUEST) {
     return { type: LLM_ERROR_TYPES.INVALID_REQUEST, message: errorMessage, statusCode, isRetryable: false, suggestedAction: "Modify request" };
   }
-  if (e.code === NETWORK_ERROR_CODES.ECONNRESET || e.code === NETWORK_ERROR_CODES.ETIMEDOUT || e.code === NETWORK_ERROR_CODES.ENOTFOUND) {
+  if (e.code && TRANSIENT_NETWORK_ERRORS.includes(e.code)) {
     return { type: LLM_ERROR_TYPES.NETWORK_ERROR, message: errorMessage, isRetryable: true, suggestedAction: "Check network" };
   }
   if (errorMessage.toLowerCase().includes("timeout") || e.code === NETWORK_ERROR_CODES.CONNECT_TIMEOUT) {
@@ -10317,100 +10500,6 @@ var INITIAL_TASKS = {
   RECON: "Initial reconnaissance and target discovery"
 };
 
-// src/shared/utils/time-strategy.ts
-var TIME_CONSTANTS = {
-  /** Milliseconds per minute */
-  MS_PER_MINUTE: 6e4,
-  /** Minutes threshold for sprint-to-exploit switch (no deadline mode) */
-  SPRINT_MINUTES: 10,
-  /** Deadline percentage thresholds for phase transitions */
-  PHASE_SPRINT: 0.25,
-  PHASE_EXPLOIT: 0.5,
-  PHASE_CREATIVE: 0.75
-};
-function getTimeAdaptiveStrategy(elapsedMs, deadlineMs) {
-  if (deadlineMs === 0) {
-    const mins = Math.floor(elapsedMs / TIME_CONSTANTS.MS_PER_MINUTE);
-    if (mins < TIME_CONSTANTS.SPRINT_MINUTES) {
-      return {
-        phase: "sprint",
-        label: "SPRINT",
-        urgency: "low",
-        directive: `\u26A1 SPRINT MODE (${mins}min elapsed): Parallel reconnaissance. Full port scan + service enumeration + default credentials. Attack immediately on any finding.`
-      };
-    }
-    return {
-      phase: "exploit",
-      label: "EXPLOIT",
-      urgency: "low",
-      directive: `\u{1F3AF} EXPLOIT MODE (${mins}min elapsed): Focus on discovered vectors. Chain findings. Build custom tools if needed.`
-    };
-  }
-  const totalMs = deadlineMs - (deadlineMs > Date.now() ? Date.now() - elapsedMs : 0);
-  const remainingMs = Math.max(0, deadlineMs - Date.now());
-  const pct = totalMs > 0 ? 1 - remainingMs / totalMs : 1;
-  const remainingMins = Math.floor(remainingMs / TIME_CONSTANTS.MS_PER_MINUTE);
-  if (pct < TIME_CONSTANTS.PHASE_SPRINT) {
-    return {
-      phase: "sprint",
-      label: "SPRINT",
-      urgency: "low",
-      directive: [
-        `\u26A1 SPRINT MODE (${remainingMins}min remaining):`,
-        "- Run ALL scans in parallel (nmap TCP/UDP, web fuzzing, CVE search)",
-        "- Try default/weak credentials on every discovered service IMMEDIATELY",
-        "- Check for exposed files (.env, .git, backup.sql, phpinfo)",
-        "- Anonymous access: FTP, SMB null session, Redis no auth, MongoDB",
-        "- Goal: Maximum attack surface discovery + instant wins"
-      ].join("\n")
-    };
-  }
-  if (pct < TIME_CONSTANTS.PHASE_EXPLOIT) {
-    return {
-      phase: "exploit",
-      label: "EXPLOIT",
-      urgency: "medium",
-      directive: [
-        `\u{1F3AF} EXPLOIT MODE (${remainingMins}min remaining):`,
-        "- Concentrate on discovered vectors with highest success probability",
-        "- Run parallel exploitation attempts on multiple targets",
-        "- Search for CVE PoCs for every identified service+version",
-        "- Chain: credentials \u2192 spray everywhere, LFI \u2192 config \u2192 DB creds",
-        "- Keep background scans running for new targets"
-      ].join("\n")
-    };
-  }
-  if (pct < TIME_CONSTANTS.PHASE_CREATIVE) {
-    return {
-      phase: "creative",
-      label: "CREATIVE",
-      urgency: "high",
-      directive: [
-        `\u{1F52C} CREATIVE MODE (${remainingMins}min remaining):`,
-        "- Try advanced techniques: chained exploits, custom tools, race conditions",
-        "- Binary analysis for SUID/custom binaries, kernel exploits for privesc",
-        "- Protocol-level attacks: SMB relay, Kerberoasting, ADCS abuse",
-        '- Search for latest bypasses: web_search("{defense} bypass 2025")',
-        "- If stuck >5min on any vector, SWITCH immediately"
-      ].join("\n")
-    };
-  }
-  return {
-    phase: "harvest",
-    label: "HARVEST",
-    urgency: "critical",
-    directive: [
-      `\u{1F3C1} HARVEST MODE (${remainingMins}min remaining \u2014 FINAL PUSH):`,
-      "- STOP exploring new vectors. Focus on what you HAVE.",
-      "- Submit ALL discovered flags immediately",
-      "- Check obvious flag locations: /root/flag.txt, env vars, DB tables",
-      "- Re-check previously accessed systems for missed flags",
-      "- Collect and record ALL evidence and proof files",
-      "- Write final report with all findings"
-    ].join("\n")
-  };
-}
-
 // src/shared/constants/service-ports.ts
 var SERVICE_PORTS = {
   SSH: 22,
@@ -10960,12 +11049,13 @@ var STRATEGIST_LIMITS = {
    *  Full state can be 20K+; Strategist needs summary, not everything. */
   MAX_INPUT_CHARS: 15e3,
   /** Maximum characters for the Strategist's response.
-   *  WHY: Directives should be terse and actionable (~500-800 tokens).
-   *  Longer = more cost, less focus. */
-  MAX_OUTPUT_CHARS: 3e3,
+   *  WHY: Directives should be terse and actionable (~800-1500 tokens).
+   *  Enhanced format includes SITUATION, priorities, EXHAUSTED, and SEARCH ORDERS. */
+  MAX_OUTPUT_CHARS: 5e3,
   /** Maximum lines in the directive output.
-   *  WHY: Forces concise, prioritized directives. */
-  MAX_DIRECTIVE_LINES: 40
+   *  WHY: Forces concise, prioritized directives while allowing
+   *  structured format (priorities + exhausted + search orders). */
+  MAX_DIRECTIVE_LINES: 60
 };
 
 // src/agents/strategist.ts
@@ -11134,11 +11224,14 @@ NOTE: This directive is from ${age}min ago (Strategist call failed this turn). V
     this.totalCalls = 0;
   }
 };
-var FALLBACK_SYSTEM_PROMPT = `You are a penetration testing strategist.
-Analyze the situation and write a precise tactical directive for the attack agent.
-Be specific: name exact tools, commands, and parameters.
-Maximum 30 lines. Prioritize by probability of success.
-NEVER suggest approaches listed in the failed attempts section.`;
+var FALLBACK_SYSTEM_PROMPT = `You are an elite autonomous penetration testing STRATEGIST \u2014 a red team tactical commander.
+Analyze the engagement state and issue precise attack orders for the execution agent.
+Format: SITUATION line, numbered PRIORITY items with ACTION/SEARCH/SUCCESS/FALLBACK/CHAIN fields, EXHAUSTED list, and SEARCH ORDERS.
+Be surgically specific: name exact tools, commands, parameters, and wordlists. The agent copy-pastes your commands.
+Include mandatory web_search directives for every unknown service/version.
+Detect stalls (repeated failures, no progress) and force completely different attack vectors.
+Chain every finding: "If X works \u2192 immediately do Y \u2192 which enables Z."
+Maximum 50 lines. Zero preamble. Direct imperatives only. Never repeat failed approaches.`;
 
 // src/agents/main-agent.ts
 var MainAgent = class extends CoreAgent {
@@ -11319,7 +11412,7 @@ var AgentFactory = class {
 };
 
 // src/platform/tui/utils/format.ts
-var formatDuration = (ms) => {
+var formatDuration2 = (ms) => {
   const totalSec = ms / 1e3;
   if (totalSec < 60) return `${totalSec.toFixed(1)}s`;
   const minutes = Math.floor(totalSec / 60);
@@ -11333,7 +11426,7 @@ var formatTokens = (count) => {
 };
 var formatMeta = (ms, tokens) => {
   const parts = [];
-  if (ms > 0) parts.push(formatDuration(ms));
+  if (ms > 0) parts.push(formatDuration2(ms));
   if (tokens > 0) parts.push(`\u2191 ${formatTokens(tokens)} tokens`);
   return parts.length > 0 ? `(${parts.join(" \xB7 ")})` : "";
 };
@@ -11367,135 +11460,59 @@ var formatInlineStatus = () => {
 import { useState, useRef, useCallback } from "react";
 
 // src/shared/constants/theme.ts
+var COLORS = {
+  primary: "#e11d48",
+  // Rose 600 - red team primary
+  accent: "#fb923c",
+  // Orange 400 - fire accent
+  secondary: "#94a3b8",
+  // Slate - secondary/muted
+  white: "#f8fafc",
+  // Main text
+  red: "#ff4500",
+  // OrangeRed - Error/Critical (distinct from rose primary)
+  yellow: "#facc15"
+  // Yellow 400 - Warning/Pending (pure yellow)
+};
 var THEME = {
-  // Backgrounds (deep dark with blue tint)
+  ...COLORS,
   bg: {
     primary: "#050505",
-    // Deepest black
-    secondary: "#0a0c10",
-    // Dark void
-    tertiary: "#0f172a",
-    // Slate dark
-    elevated: "#1e293b",
-    // Bright slate
     input: "#020617"
-    // Midnight
   },
-  // Text colors
   text: {
-    primary: "#f8fafc",
-    // Near white
-    secondary: "#cbd5e1",
-    // Brighter slate
-    muted: "#94a3b8",
-    // Lighter blue-gray
-    accent: "#1d4ed8",
-    // Blue 700 - deep blue
-    highlight: "#ffffff"
-    // Pure white
+    primary: COLORS.white,
+    secondary: COLORS.secondary,
+    muted: "#64748b",
+    accent: COLORS.accent
+    // Using Emerald for "accented" text
   },
-  // Status colors (deep blue-focused)
   status: {
-    success: "#10b981",
-    // Emerald
-    warning: "#f59e0b",
-    // Amber
-    error: "#ef4444",
-    // Red
-    info: "#1d4ed8",
-    // Blue 700
-    running: "#1e40af",
-    // Blue 800 (AI activity)
-    pending: "#64748b"
-    // Slate
-  },
-  // Severity colors
-  semantic: {
-    critical: "#7f1d1d",
-    // Dark red
-    high: "#ef4444",
-    // Red
-    medium: "#f97316",
-    // Orange
-    low: "#eab308",
-    // Yellow
-    info: "#1d4ed8"
-    // Blue 700
+    success: COLORS.accent,
+    // Success feels good in emerald
+    warning: COLORS.yellow,
+    error: COLORS.red,
+    running: COLORS.primary
+    // System operations in blue
   },
-  // Border colors
   border: {
     default: "#1e293b",
-    focus: "#3b82f6",
-    // Blue 500 (UI decorative)
-    error: "#ef4444",
-    success: "#22c55e"
+    focus: COLORS.primary,
+    error: COLORS.red
   },
-  // Phase colors (deep blue-focused)
-  phase: {
-    recon: "#94a3b8",
-    enum: "#1d4ed8",
-    // Blue 700 (phase indicator)
-    vuln: "#f59e0b",
-    exploit: "#ef4444",
-    privesc: "#8b5cf6",
-    persist: "#22c55e",
-    report: "#64748b"
-  },
-  // Accent colors (NO cyan/teal - pure blue palette)
-  accent: {
-    pink: "#f472b6",
-    rose: "#fb7185",
-    fuchsia: "#e879f9",
-    purple: "#a78bfa",
-    violet: "#8b5cf6",
-    indigo: "#818cf8",
-    blue: "#1d4ed8",
-    // Blue 700 - primary accent
-    emerald: "#34d399",
-    green: "#4ade80",
-    lime: "#a3e635",
-    yellow: "#facc15",
-    amber: "#fbbf24",
-    orange: "#fb923c",
-    red: "#f87171"
-  },
-  // Gradients (deep blue-focused)
   gradient: {
-    cyber: [
-      "#3b82f6",
-      // Blue 500
-      "#3584f4",
-      "#2f86f2",
-      "#2988f0",
-      "#238aee",
-      "#1d8cec",
-      // Mid blue
-      "#1d7ad8",
-      "#1d78c6",
-      "#1d76b4",
-      "#1d74a2",
-      "#1e40af"
-      // Blue 800
-    ],
-    danger: ["#ef4444", "#7f1d1d"],
-    success: ["#22c55e", "#14532d"],
-    gold: ["#f59e0b", "#78350f"],
-    royal: ["#818cf8", "#312e81"]
+    cyber: [COLORS.primary, "#f43f5e", "#fb923c"]
+    // Red team fire gradient: rose → pink → amber
   },
-  // Spinner color (deep blue — UI feedback)
-  spinner: "#3b82f6",
-  // Blue 500
-  // Identity color (branded accent - deep blue)
-  identity: "#1d4ed8"
-  // Blue 700
+  spinner: COLORS.primary
 };
 var ASCII_BANNER = `
-    ____             __              __  _             
-   / __ \\___  ____  / /____  _______/ /_(_)___  ____ _ 
-  / /_/ / _ \\/ __ \\/ __/ _ \\/ ___/ __/ / / __ \\/ __ \`/ 
- / ____/  __/ / / / /_/  __(__  ) /_/ / / / / / /_/ /  
-/_/    \\___/_/ /_/\\__/\\___/____/\\__/_/_/_/ /_/\\__, /   
-                                             /____/    
+  \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2557   \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2557\u2588\u2588\u2588\u2557   \u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 
+  \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551\u255A\u2550\u2550\u2588\u2588\u2554\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u255A\u2550\u2550\u2588\u2588\u2554\u2550\u2550\u255D\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D 
+  \u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557   \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2551  \u2588\u2588\u2588\u2557
+  \u2588\u2588\u2554\u2550\u2550\u2550\u255D \u2588\u2588\u2554\u2550\u2550\u255D  \u2588\u2588\u2551\u255A\u2588\u2588\u2557\u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2554\u2550\u2550\u255D  \u255A\u2550\u2550\u2550\u2550\u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551\u255A\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2551   \u2588\u2588\u2551
+  \u2588\u2588\u2551     \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2551 \u255A\u2588\u2588\u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551 \u255A\u2588\u2588\u2588\u2588\u2551\u255A\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D
+  \u255A\u2550\u255D     \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D\u255A\u2550\u255D  \u255A\u2550\u2550\u2550\u255D   \u255A\u2550\u255D   \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D   \u255A\u2550\u255D   \u255A\u2550\u255D\u255A\u2550\u255D  \u255A\u2550\u2550\u2550\u255D \u255A\u2550\u2550\u2550\u2550\u2550\u255D 
 `;
 var ICONS = {
   // Status
@@ -11509,7 +11526,7 @@ var ICONS = {
   target: "\u25C8",
   // Diamond for target
   scan: "\u25CE",
-  exploit: "\u26A1",
+  exploit: "\u2607",
   shell: "\u276F",
   // Progress
   pending: "\u25CB",
@@ -11521,9 +11538,9 @@ var ICONS = {
   medium: "\u25C7",
   low: "\u25E6",
   // Security
-  lock: "\u{1F512}",
-  unlock: "\u{1F513}",
-  key: "\u{1F511}",
+  lock: "\u22A1",
+  unlock: "\u2B1A",
+  key: "\u26B7",
   flag: "\u2691",
   // Simple flag
   pwned: "\u25C8"
@@ -11580,7 +11597,7 @@ var MESSAGE_STYLES = {
     error: THEME.status.error,
     tool: THEME.status.running,
     result: THEME.text.muted,
-    status: THEME.accent.blue
+    status: THEME.primary
   },
   prefixes: {
     user: "\u276F",
@@ -11641,21 +11658,9 @@ var useAgentState = () => {
   const [isProcessing, setIsProcessing] = useState(false);
   const [currentStatus, setCurrentStatus] = useState("");
   const [elapsedTime, setElapsedTime] = useState(0);
-  const [retryState, setRetryState] = useState({
-    isRetrying: false,
-    attempt: 0,
-    maxRetries: 0,
-    delayMs: 0,
-    error: "",
-    countdown: 0
-  });
+  const [retryState, setRetryState] = useState({ status: "idle" });
   const [currentTokens, setCurrentTokens] = useState(0);
-  const [inputRequest, setInputRequest] = useState({
-    isActive: false,
-    prompt: "",
-    isPassword: false,
-    resolve: null
-  });
+  const [inputRequest, setInputRequest] = useState({ status: "inactive" });
   const [stats, setStats] = useState({ phase: DEFAULTS.INIT_PHASE, targets: 0, findings: 0, todo: 0 });
   const lastResponseMetaRef = useRef(null);
   const startTimeRef = useRef(0);
@@ -11796,7 +11801,7 @@ var useAgentEvents = (agent, eventsRef, state) => {
         const isPassword = /password|passphrase/i.test(p);
         const inputType = /sudo/i.test(p) ? "sudo_password" : isPassword ? "password" : "text";
         setInputRequest({
-          isActive: true,
+          status: "active",
           prompt: p.trim(),
           isPassword,
           inputType,
@@ -11810,7 +11815,7 @@ var useAgentEvents = (agent, eventsRef, state) => {
         const isPassword = hiddenTypes.includes(request.type);
         const displayPrompt = buildCredentialPrompt(request);
         setInputRequest({
-          isActive: true,
+          status: "active",
           prompt: displayPrompt,
           isPassword,
           inputType: request.type,
@@ -11891,7 +11896,7 @@ function handleRetry(e, addMessage, setRetryState, retryCountdownRef, retryCount
   const retryNum = retryCountRef.current;
   addMessage("system", `\u27F3 Retry #${retryNum} \xB7 ${e.data.error} \xB7 waiting ${delaySec}s...`);
   setRetryState({
-    isRetrying: true,
+    status: "retrying",
     attempt: retryNum,
     maxRetries: e.data.maxRetries,
     delayMs: e.data.delayMs,
@@ -11903,10 +11908,10 @@ function handleRetry(e, addMessage, setRetryState, retryCountdownRef, retryCount
   retryCountdownRef.current = setInterval(() => {
     remaining -= 1;
     if (remaining <= 0) {
-      setRetryState((prev) => ({ ...prev, isRetrying: false, countdown: 0 }));
+      setRetryState({ status: "idle" });
       if (retryCountdownRef.current) clearInterval(retryCountdownRef.current);
     } else {
-      setRetryState((prev) => ({ ...prev, countdown: remaining }));
+      setRetryState((prev) => prev.status === "retrying" ? { ...prev, countdown: remaining } : prev);
     }
   }, 1e3);
 }
@@ -12001,9 +12006,9 @@ var useAgent = (shouldAutoApprove, target) => {
   inputRequestRef.current = inputRequest;
   const cancelInputRequest = useCallback2(() => {
     const ir = inputRequestRef.current;
-    if (ir.isActive && ir.resolve) {
+    if (ir.status === "active") {
       ir.resolve(null);
-      setInputRequest({ isActive: false, prompt: "", isPassword: false, resolve: null });
+      setInputRequest({ status: "inactive" });
       addMessage("system", "Input cancelled");
     }
   }, [setInputRequest, addMessage]);
@@ -12045,7 +12050,7 @@ import { Box as Box2, Text as Text2, Static } from "ink";
 // src/platform/tui/components/inline-status.tsx
 import { Box, Text } from "ink";
 import { Fragment, jsx, jsxs } from "react/jsx-runtime";
-function formatDuration2(ms) {
+function formatDuration3(ms) {
   const seconds = Math.floor(ms / 1e3);
   if (seconds < 60) return `${seconds}s`;
   const minutes = Math.floor(seconds / 60);
@@ -12057,13 +12062,13 @@ function formatDuration2(ms) {
 }
 function getRoleColor(role) {
   const roleColors = {
-    listener: THEME.accent.blue,
-    active_shell: THEME.accent.green,
-    server: THEME.accent.blue,
-    sniffer: THEME.accent.amber,
-    spoofer: THEME.accent.orange,
-    proxy: THEME.accent.purple,
-    callback: THEME.accent.pink,
+    listener: THEME.primary,
+    active_shell: THEME.primary,
+    server: THEME.secondary,
+    sniffer: THEME.yellow,
+    spoofer: THEME.yellow,
+    proxy: THEME.primary,
+    callback: THEME.primary,
     background: THEME.text.muted
   };
   return roleColors[role] || THEME.text.secondary;
@@ -12087,7 +12092,7 @@ function StatusIndicator({ running, exitCode }) {
   ] });
 }
 function ProcessRow({ proc, compact }) {
-  const duration = formatDuration2(proc.durationMs);
+  const duration = formatDuration3(proc.durationMs);
   const port = proc.listeningPort ? `:${proc.listeningPort}` : "";
   const purpose = proc.purpose || proc.description || "";
   const truncatedPurpose = compact && purpose.length > TUI_DISPLAY_LIMITS.purposeMaxLength ? purpose.slice(0, TUI_DISPLAY_LIMITS.purposeTruncated) + "..." : purpose;
@@ -12260,7 +12265,7 @@ var StatusDisplay = memo3(({
   };
   const meta = formatMeta(elapsedTime * 1e3, currentTokens);
   return /* @__PURE__ */ jsxs3(Box3, { flexDirection: "column", marginTop: 0, children: [
-    retryState.isRetrying && /* @__PURE__ */ jsxs3(Box3, { marginBottom: 1, children: [
+    retryState.status === "retrying" && /* @__PURE__ */ jsxs3(Box3, { marginBottom: 1, children: [
       /* @__PURE__ */ jsx4(Text4, { color: THEME.status.warning, children: /* @__PURE__ */ jsx4(MusicSpinner, { color: THEME.status.warning }) }),
       /* @__PURE__ */ jsxs3(Text4, { color: THEME.status.warning, children: [
         " \u27F3 Retry #",
@@ -12270,13 +12275,13 @@ var StatusDisplay = memo3(({
         " \xB7 ",
         truncateError(retryState.error)
       ] }),
-      /* @__PURE__ */ jsxs3(Text4, { color: THEME.accent.blue, bold: true, children: [
+      /* @__PURE__ */ jsxs3(Text4, { color: THEME.primary, bold: true, children: [
         " \xB7 ",
         retryState.countdown,
         "s"
       ] })
     ] }),
-    isProcessing && !retryState.isRetrying && /* @__PURE__ */ jsxs3(Box3, { marginBottom: 1, children: [
+    isProcessing && retryState.status !== "retrying" && /* @__PURE__ */ jsxs3(Box3, { marginBottom: 1, children: [
       /* @__PURE__ */ jsx4(Text4, { color: THEME.spinner, children: /* @__PURE__ */ jsx4(MusicSpinner, { color: THEME.spinner }) }),
       /* @__PURE__ */ jsxs3(Text4, { color: THEME.text.muted, children: [
         " ",
@@ -12325,11 +12330,13 @@ var ChatInput = memo4(({
   const onChangeRef = useRef3(onChange);
   onChangeRef.current = onChange;
   useInput(useCallback3((_input, key) => {
-    if (inputRequestRef.current.isActive) return;
+    if (inputRequestRef.current.status === "active") return;
     if (key.tab && isSlashModeRef.current && !hasArgsRef.current && suggestionsRef.current.length > 0) {
       const best = suggestionsRef.current[0];
       const argsHint = best.args ? " " : "";
-      onChangeRef.current(`/${best.name}${argsHint}`);
+      const completed = `/${best.name}${argsHint}`;
+      onChangeRef.current("");
+      setTimeout(() => onChangeRef.current(completed), 0);
     }
   }, []));
   return /* @__PURE__ */ jsxs4(Box4, { flexDirection: "column", children: [
@@ -12343,7 +12350,7 @@ var ChatInput = memo4(({
         marginBottom: 0,
         children: suggestions.map((cmd, i) => {
           const isFirst = i === 0;
-          const nameColor = isFirst ? THEME.text.accent : THEME.text.secondary;
+          const nameColor = isFirst ? THEME.primary : THEME.text.secondary;
           const aliasText = cmd.alias ? ` /${cmd.alias}` : "";
           const argsText = cmd.args ? ` ${cmd.args}` : "";
           return /* @__PURE__ */ jsxs4(Box4, { children: [
@@ -12357,7 +12364,7 @@ var ChatInput = memo4(({
               " \u2014 ",
               cmd.description
             ] }),
-            isFirst && /* @__PURE__ */ jsx5(Text5, { color: THEME.accent.blue, children: " [Tab]" })
+            isFirst && /* @__PURE__ */ jsx5(Text5, { color: THEME.primary, children: " [Tab]" })
           ] }, cmd.name);
         })
       }
@@ -12366,9 +12373,9 @@ var ChatInput = memo4(({
       Box4,
       {
         borderStyle: "single",
-        borderColor: inputRequest.isActive ? THEME.status.warning : THEME.border.default,
+        borderColor: inputRequest.status === "active" ? THEME.status.warning : THEME.border.default,
         paddingX: 1,
-        children: inputRequest.isActive ? /* @__PURE__ */ jsxs4(Box4, { children: [
+        children: inputRequest.status === "active" ? /* @__PURE__ */ jsxs4(Box4, { children: [
           /* @__PURE__ */ jsx5(Text5, { color: THEME.status.warning, children: "[auth]" }),
           /* @__PURE__ */ jsxs4(Text5, { color: THEME.text.muted, children: [
             " ",
@@ -12427,7 +12434,7 @@ var Footer = memo5(({ phase, targets, findings, todo, elapsedTime, isProcessing
         /* @__PURE__ */ jsxs5(Box5, { gap: 2, children: [
           /* @__PURE__ */ jsxs5(Text6, { color: THEME.text.muted, children: [
             "Phase: ",
-            /* @__PURE__ */ jsx6(Text6, { color: THEME.accent.blue, children: phase })
+            /* @__PURE__ */ jsx6(Text6, { color: THEME.primary, children: phase })
           ] }),
           /* @__PURE__ */ jsxs5(Text6, { color: THEME.text.muted, children: [
             "Targets: ",
@@ -12485,7 +12492,7 @@ var App = ({ autoApprove = false, target }) => {
   inputRequestRef.current = inputRequest;
   const handleExit = useCallback4(() => {
     const ir = inputRequestRef.current;
-    if (ir.isActive && ir.resolve) ir.resolve(null);
+    if (ir.status === "active") ir.resolve(null);
     cleanupAllProcesses().catch(() => {
     });
     exit();
@@ -12549,8 +12556,29 @@ var App = ({ autoApprove = false, target }) => {
           addMessage("system", "No findings.");
           break;
         }
-        addMessage("system", `--- ${findings.length} Findings ---`);
-        findings.forEach((f) => addMessage("system", `[${f.severity}] ${f.title}${f.attackPattern ? ` (ATT&CK: ${f.attackPattern})` : ""}`));
+        const findingLines = [`\u2500\u2500\u2500 ${findings.length} Findings \u2500\u2500\u2500`, ""];
+        findings.forEach((f, i) => {
+          const verified = f.isVerified ? `[${ICONS.success}] Verified` : `[${ICONS.warning}] Unverified`;
+          const atk = f.attackPattern ? ` | ATT&CK: ${f.attackPattern}` : "";
+          findingLines.push(`[${i + 1}] [${f.severity.toUpperCase()}] ${f.title}`);
+          findingLines.push(`    ${verified}${atk}`);
+          if (f.affected.length > 0) {
+            findingLines.push(`    Affected: ${f.affected.join(", ")}`);
+          }
+          if (f.description) {
+            findingLines.push(`    ${f.description}`);
+          }
+          if (f.evidence.length > 0) {
+            findingLines.push(`    Evidence:`);
+            f.evidence.slice(0, 3).forEach((e) => {
+              const preview = e.length > 120 ? e.slice(0, 120) + "..." : e;
+              findingLines.push(`      \u25B8 ${preview}`);
+            });
+            if (f.evidence.length > 3) findingLines.push(`      ... +${f.evidence.length - 3} more`);
+          }
+          findingLines.push("");
+        });
+        addMessage("system", findingLines.join("\n"));
         break;
       case UI_COMMANDS.ASSETS:
       case UI_COMMANDS.ASSETS_SHORT:
@@ -12614,17 +12642,17 @@ ${procData.stdout || "(no output)"}
   }, [addMessage, executeTask, handleCommand]);
   const handleSecretSubmit = useCallback4((value) => {
     const ir = inputRequestRef.current;
-    if (!ir.isActive || !ir.resolve) return;
+    if (ir.status !== "active") return;
     const displayText = ir.isPassword ? "\u2022".repeat(value.length) : value;
     const promptLabel = ir.prompt || "Input";
     addMessage("system", `\u21B3 ${promptLabel} ${displayText}`);
     ir.resolve(value);
-    setInputRequest({ isActive: false, prompt: "", isPassword: false, resolve: null });
+    setInputRequest({ status: "inactive" });
     setSecretInput("");
   }, [addMessage, setInputRequest]);
   useInput2(useCallback4((ch, key) => {
     if (key.escape) {
-      if (inputRequestRef.current.isActive) cancelInputRequest();
+      if (inputRequestRef.current.status === "active") cancelInputRequest();
       else if (isProcessingRef.current) abort();
     }
     if (key.ctrl && ch === "c") handleExit();
@@ -12711,9 +12739,9 @@ program.command("interactive", { isDefault: true }).alias("i").description("Star
   const opts = program.opts();
   const skipPermissions = opts.dangerouslySkipPermissions || false;
   console.clear();
-  console.log(gradient([...THEME.gradient.cyber]).multiline(ASCII_BANNER));
+  console.log(chalk.hex(THEME.primary)(ASCII_BANNER));
   console.log(
-    "   " + chalk.hex(THEME.text.secondary)(`v${APP_VERSION}`) + chalk.hex(THEME.text.muted)(" \u2502 ") + chalk.hex(THEME.accent.blue)("Type /help for commands") + "\n"
+    "   " + chalk.hex(THEME.text.secondary)(`v${APP_VERSION}`) + chalk.hex(THEME.text.muted)(" \u2502 ") + chalk.hex(THEME.primary)("Type /help for commands") + "\n"
   );
   if (skipPermissions) {
     console.log(chalk.hex(THEME.status.error)("[!] WARNING: Running with --dangerously-skip-permissions"));
@@ -12733,11 +12761,11 @@ program.command("interactive", { isDefault: true }).alias("i").description("Star
 program.command("run <objective>").alias("r").description("Run a single objective and exit").option("-o, --output <file>", "Output file for results").option("--max-steps <n>", "Maximum number of steps", String(CLI_DEFAULT.MAX_STEPS)).action(async (objective, options) => {
   const opts = program.opts();
   const skipPermissions = opts.dangerouslySkipPermissions || false;
-  console.log(gradient([...THEME.gradient.cyber]).multiline(ASCII_BANNER));
+  console.log(chalk.hex(THEME.primary)(ASCII_BANNER));
   if (skipPermissions) {
     console.log(chalk.hex(THEME.status.error)("[!] WARNING: Running with --dangerously-skip-permissions\n"));
   }
-  console.log(chalk.hex(THEME.accent.blue)(`[target] Objective: ${objective}
+  console.log(chalk.hex(THEME.primary)(`[target] Objective: ${objective}
 `));
   const agent = AgentFactory.createMainAgent(skipPermissions);
   if (skipPermissions) {
@@ -12759,7 +12787,7 @@ program.command("run <objective>").alias("r").description("Run a single objectiv
     if (options.output) {
       const fs = await import("fs/promises");
       await fs.writeFile(options.output, JSON.stringify({ result: result2 }, null, 2));
-      console.log(chalk.hex(THEME.accent.blue)(`
+      console.log(chalk.hex(THEME.primary)(`
 [+] Report saved to: ${options.output}`));
     }
     await shutdown(0);
@@ -12773,8 +12801,8 @@ program.command("run <objective>").alias("r").description("Run a single objectiv
 program.command("scan <target>").description("Quick scan a target").option("-s, --scan-type <type>", `Scan type (${CLI_SCAN_TYPES.join("|")})`, CLI_DEFAULT.SCAN_TYPE).option("-p, --ports <ports>", "Specific ports to scan").action(async (target, options) => {
   const opts = program.opts();
   const skipPermissions = opts.dangerouslySkipPermissions || false;
-  console.log(gradient([...THEME.gradient.cyber]).multiline(ASCII_BANNER));
-  console.log(chalk.hex(THEME.accent.blue)(`
+  console.log(chalk.hex(THEME.primary)(ASCII_BANNER));
+  console.log(chalk.hex(THEME.primary)(`
 [scan] Target: ${target} (${options.scanType})
 `));
   const agent = AgentFactory.createMainAgent(skipPermissions);
@@ -12796,11 +12824,11 @@ program.command("scan <target>").description("Quick scan a target").option("-s,
   }
 });
 program.command("help-extended").description("Show extended help with examples").action(() => {
-  console.log(gradient([...THEME.gradient.cyber]).multiline(ASCII_BANNER));
+  console.log(chalk.hex(THEME.primary)(ASCII_BANNER));
   console.log(`
-${chalk.hex(THEME.accent.blue)(APP_NAME + " - Autonomous Penetration Testing AI")}
+${chalk.hex(THEME.primary)(APP_NAME + " - Autonomous Penetration Testing AI")}
 
-${chalk.hex(THEME.status.warning)("Usage:")}
+  ${chalk.hex(THEME.status.warning)("Usage:")}
 
   ${chalk.hex(THEME.status.success)("$ pentesting")}                                   Start interactive mode
   ${chalk.hex(THEME.status.success)("$ pentesting -t 192.168.1.1")}                     Start with target
@@ -12808,24 +12836,24 @@ ${chalk.hex(THEME.status.warning)("Usage:")}
 
 ${chalk.hex(THEME.status.warning)("Commands:")}
 
-  ${chalk.hex(THEME.accent.blue)("pentesting")}                       Interactive TUI mode
-  ${chalk.hex(THEME.accent.blue)("pentesting run <objective>")}       Run single objective
-  ${chalk.hex(THEME.accent.blue)("pentesting scan <target>")}         Quick scan target
+  ${chalk.hex(THEME.primary)("pentesting")}                       Interactive TUI mode
+  ${chalk.hex(THEME.primary)("pentesting run <objective>")}       Run single objective
+  ${chalk.hex(THEME.primary)("pentesting scan <target>")}         Quick scan target
 
 ${chalk.hex(THEME.status.warning)("Options:")}
 
-  ${chalk.hex(THEME.accent.blue)("--dangerously-skip-permissions")}    Skip all permission prompts
-  ${chalk.hex(THEME.accent.blue)("-t, --target <ip>")}                 Set target
-  ${chalk.hex(THEME.accent.blue)("-o, --output <file>")}               Save results to file
+  ${chalk.hex(THEME.primary)("--dangerously-skip-permissions")}    Skip all permission prompts
+  ${chalk.hex(THEME.primary)("-t, --target <ip>")}                 Set target
+  ${chalk.hex(THEME.primary)("-o, --output <file>")}               Save results to file
 
 ${chalk.hex(THEME.status.warning)("Interactive Commands:")}
 
-  ${chalk.hex(THEME.accent.blue)("/target <ip>")}     Set target
-  ${chalk.hex(THEME.accent.blue)("/start")}           Start autonomous mode
-  ${chalk.hex(THEME.accent.blue)("/config")}          Manage configuration
-  ${chalk.hex(THEME.accent.blue)("/hint <text>")}     Provide hint
-  ${chalk.hex(THEME.accent.blue)("/findings")}        Show findings
-  ${chalk.hex(THEME.accent.blue)("/reset")}           Reset session
+  ${chalk.hex(THEME.primary)("/target <ip>")}     Set target
+  ${chalk.hex(THEME.primary)("/start")}           Start autonomous mode
+  ${chalk.hex(THEME.primary)("/config")}          Manage configuration
+  ${chalk.hex(THEME.primary)("/hint <text>")}     Provide hint
+  ${chalk.hex(THEME.primary)("/findings")}        Show findings
+  ${chalk.hex(THEME.primary)("/reset")}           Reset session
 
 ${chalk.hex(THEME.status.warning)("Examples:")}
 
@@ -12840,9 +12868,9 @@ ${chalk.hex(THEME.status.warning)("Examples:")}
 
 ${chalk.hex(THEME.status.warning)("Environment:")}
 
-  ${chalk.hex(THEME.accent.blue)("PENTEST_API_KEY")}      Required - LLM API key
-  ${chalk.hex(THEME.accent.blue)("PENTEST_BASE_URL")}     Optional - AI API base URL
-  ${chalk.hex(THEME.accent.blue)("PENTEST_MODEL")}        Optional - Model override
+  ${chalk.hex(THEME.primary)("PENTEST_API_KEY")}      Required - LLM API key
+  ${chalk.hex(THEME.primary)("PENTEST_BASE_URL")}     Optional - AI API base URL
+  ${chalk.hex(THEME.primary)("PENTEST_MODEL")}        Optional - Model override
 `);
 });
 program.parse();