pentesting 0.47.2 → 0.47.3

package/dist/main.js

@@ -105,7 +105,27 @@ var DISPLAY_LIMITS = {
   /** Prefix length for sensitive value redaction */
   REDACT_PREFIX: 4,
   /** Max characters for raw JSON error preview */
-  RAW_JSON_ERROR_PREVIEW: 500
+  RAW_JSON_ERROR_PREVIEW: 500,
+  // ─── Memory/History Slice Sizes (§4-3 Extract Magic Values) ─────
+  /** Recent credentials to include in context */
+  RECENT_CREDENTIALS: 5,
+  /** Recent failures to analyze for patterns */
+  RECENT_FAILURES: 5,
+  /** Recent successes to include in summary */
+  RECENT_SUCCESSES: 3,
+  /** Recent insights to display */
+  RECENT_INSIGHTS: 3,
+  /** Recent memory events to include */
+  RECENT_MEMORY_EVENTS: 10,
+  /** Summary window - small (for quick summaries) */
+  SUMMARY_WINDOW_SMALL: 100,
+  /** Summary window - large (for detailed summaries) */
+  SUMMARY_WINDOW_LARGE: 500,
+  // ─── Evidence Display ────────────────────────────────────────
+  /** Max evidence items to show in finding preview */
+  EVIDENCE_ITEMS_PREVIEW: 3,
+  /** Max characters per evidence item in preview */
+  EVIDENCE_PREVIEW_LENGTH: 120
 };
 var AGENT_LIMITS = {
   /** Maximum agent loop iterations — generous to allow complex tasks.
@@ -311,7 +331,7 @@ var ORPHAN_PROCESS_NAMES = [
 
 // src/shared/constants/agent.ts
 var APP_NAME = "Pentest AI";
-var APP_VERSION = "0.47.2";
+var APP_VERSION = "0.47.3";
 var APP_DESCRIPTION = "Autonomous Penetration Testing AI Agent";
 var LLM_ROLES = {
   SYSTEM: "system",
@@ -653,12 +673,44 @@ var TODO_STATUSES = {
   DONE: "done",
   SKIPPED: "skipped"
 };
+var LOOT_TYPES = {
+  CREDENTIAL: "credential",
+  SESSION: "session",
+  HASH: "hash",
+  TOKEN: "token",
+  FILE: "file",
+  TICKET: "ticket",
+  SSH_KEY: "ssh_key",
+  CERTIFICATE: "certificate",
+  API_KEY: "api_key"
+};
+var ATTACK_TACTICS = {
+  INITIAL_ACCESS: "initial_access",
+  EXECUTION: "execution",
+  PERSISTENCE: "persistence",
+  PRIV_ESC: "privilege_escalation",
+  DEFENSE_EVASION: "defense_evasion",
+  CREDENTIAL_ACCESS: "credential_access",
+  DISCOVERY: "discovery",
+  LATERAL_MOVEMENT: "lateral_movement",
+  COLLECTION: "collection",
+  EXFILTRATION: "exfiltration",
+  C2: "command_and_control",
+  IMPACT: "impact"
+};
 var APPROVAL_STATUSES = {
   AUTO: "auto",
   USER_CONFIRMED: "user_confirmed",
   USER_REVIEWED: "user_reviewed",
   DENIED: "denied"
 };
+var SEVERITIES = {
+  CRITICAL: "critical",
+  HIGH: "high",
+  MEDIUM: "medium",
+  LOW: "low",
+  INFO: "info"
+};
 var PRIORITIES = {
   HIGH: "high",
   MEDIUM: "medium",
@@ -757,6 +809,68 @@ function ensureDirExists(dirPath) {
   }
 }
 
+// src/shared/constants/time.ts
+var MS_PER_MINUTE = 6e4;
+var SECONDS_PER_MINUTE = 60;
+var SECONDS_PER_HOUR = 3600;
+
+// src/shared/constants/paths.ts
+import path from "path";
+import { fileURLToPath } from "url";
+var __filename = fileURLToPath(import.meta.url);
+var __dirname = path.dirname(__filename);
+var PROJECT_ROOT = path.resolve(__dirname, "../../../");
+var PENTESTING_ROOT = ".pentesting";
+var WORK_DIR = `${PENTESTING_ROOT}/tmp`;
+var MEMORY_DIR = `${PENTESTING_ROOT}/memory`;
+var REPORTS_DIR = `${PENTESTING_ROOT}/reports`;
+var SESSIONS_DIR = `${PENTESTING_ROOT}/sessions`;
+var LOOT_DIR = `${PENTESTING_ROOT}/loot`;
+var OUTPUTS_DIR = `${PENTESTING_ROOT}/outputs`;
+var DEBUG_DIR = `${PENTESTING_ROOT}/debug`;
+var WORKSPACE = {
+  /** Root directory */
+  get ROOT() {
+    return path.resolve(PENTESTING_ROOT);
+  },
+  /** Temporary files */
+  get TMP() {
+    return path.resolve(WORK_DIR);
+  },
+  /** Persistent memory */
+  get MEMORY() {
+    return path.resolve(MEMORY_DIR);
+  },
+  /** Generated reports */
+  get REPORTS() {
+    return path.resolve(REPORTS_DIR);
+  },
+  /** Session snapshots */
+  get SESSIONS() {
+    return path.resolve(SESSIONS_DIR);
+  },
+  /** Captured loot */
+  get LOOT() {
+    return path.resolve(LOOT_DIR);
+  },
+  /** Full tool outputs */
+  get OUTPUTS() {
+    return path.resolve(OUTPUTS_DIR);
+  },
+  /** Debug logs */
+  get DEBUG() {
+    return path.resolve(DEBUG_DIR);
+  }
+};
+
+// src/shared/constants/orchestrator.ts
+var GRACEFUL_SHUTDOWN_WAIT_MS = 200;
+var PROCESS_OUTPUT_TRUNCATION_LIMIT = 1e4;
+var LONG_RUNNING_THRESHOLD_MS = 5 * MS_PER_MINUTE;
+var VERY_LONG_RUNNING_THRESHOLD_MS = 15 * MS_PER_MINUTE;
+var MAX_RECOMMENDATIONS_FOR_HEALTHY = 2;
+var DEFAULT_DIRECTIVE_FOCUS = PHASES.RECON;
+
 // src/shared/utils/command-security-lists.ts
 var ALLOWED_BINARIES = /* @__PURE__ */ new Set([
   // Network scanning
@@ -964,7 +1078,7 @@ var SAFE_PIPE_TARGETS = /* @__PURE__ */ new Set([
   "python3",
   "python"
 ]);
-var SAFE_REDIRECT_PATHS = ["/tmp/", "/root/", "/var/log/", "/opt/"];
+var SAFE_REDIRECT_PATHS = [`${WORK_DIR}/`];
 var BLOCKED_BINARIES = /* @__PURE__ */ new Set([
   "rm",
   "shred",
@@ -989,50 +1103,6 @@ var BLOCKED_BINARIES = /* @__PURE__ */ new Set([
 // src/shared/utils/debug-logger.ts
 import { appendFileSync, writeFileSync } from "fs";
 import { join } from "path";
-
-// src/shared/constants/paths.ts
-import path from "path";
-import { fileURLToPath } from "url";
-import { homedir } from "os";
-var __filename = fileURLToPath(import.meta.url);
-var __dirname = path.dirname(__filename);
-var PROJECT_ROOT = path.resolve(__dirname, "../../../");
-var WORKSPACE_DIR_NAME = ".pentesting";
-function getWorkspaceRoot() {
-  return path.join(homedir(), WORKSPACE_DIR_NAME);
-}
-var WORKSPACE = {
-  /** Root directory (resolved lazily via getWorkspaceRoot) */
-  get ROOT() {
-    return getWorkspaceRoot();
-  },
-  /** Per-session state snapshots */
-  get SESSIONS() {
-    return path.join(getWorkspaceRoot(), "sessions");
-  },
-  /** Debug logs */
-  get DEBUG() {
-    return path.join(getWorkspaceRoot(), "debug");
-  },
-  /** Generated reports */
-  get REPORTS() {
-    return path.join(getWorkspaceRoot(), "reports");
-  },
-  /** Downloaded loot, captured files */
-  get LOOT() {
-    return path.join(getWorkspaceRoot(), "loot");
-  },
-  /** Temporary files for active operations */
-  get TEMP() {
-    return path.join(getWorkspaceRoot(), "temp");
-  },
-  /** Full tool output files saved by Context Digest */
-  get OUTPUTS() {
-    return path.join(getWorkspaceRoot(), "outputs");
-  }
-};
-
-// src/shared/utils/debug-logger.ts
 var DebugLogger = class _DebugLogger {
   static instance;
   logPath;
@@ -1123,16 +1193,16 @@ var SHELL_CHARS = {
 };
 function validateCommand(command) {
   if (!command || typeof command !== "string") {
-    return { safe: false, error: "Empty or invalid command" };
+    return { isSafe: false, error: "Empty or invalid command" };
   }
   const normalizedCommand = command.trim();
   if (normalizedCommand.length === 0) {
-    return { safe: false, error: "Empty command" };
+    return { isSafe: false, error: "Empty command" };
   }
   for (const pattern of INJECTION_PATTERNS) {
     if (pattern.test(normalizedCommand)) {
       return {
-        safe: false,
+        isSafe: false,
         error: `Injection pattern detected: ${pattern.source}`,
         suggestion: "Avoid command substitution ($(), ``), variable expansion (${}) and control characters."
       };
@@ -1141,13 +1211,13 @@ function validateCommand(command) {
   const subCommands = splitChainedCommands(normalizedCommand);
   for (const subCmd of subCommands) {
     const result2 = validateSingleCommand(subCmd.trim());
-    if (!result2.safe) {
+    if (!result2.isSafe) {
       return result2;
     }
   }
   const primaryBinary = extractBinary(subCommands[0].trim());
   return {
-    safe: true,
+    isSafe: true,
     binary: primaryBinary || void 0,
     args: normalizedCommand.split(/\s+/).slice(1)
   };
@@ -1202,14 +1272,14 @@ function validateSingleCommand(command) {
     if (!binary) continue;
     if (BLOCKED_BINARIES.has(binary)) {
       return {
-        safe: false,
+        isSafe: false,
         error: `Binary '${binary}' is blocked for security reasons`,
         suggestion: `'${binary}' is not allowed. Use a different approach.`
       };
     }
     if (idx > 0 && !SAFE_PIPE_TARGETS.has(binary) && !ALLOWED_BINARIES.has(binary)) {
       return {
-        safe: false,
+        isSafe: false,
         error: `Pipe target '${binary}' is not in the allowed list`,
         suggestion: `Piping to '${binary}' is not allowed. Safe pipe targets: head, tail, grep, awk, sed, cut, sort, uniq, wc, jq, tee.`
       };
@@ -1219,10 +1289,10 @@ function validateSingleCommand(command) {
     }
   }
   const redirectResult = validateRedirects(command);
-  if (!redirectResult.safe) {
+  if (!redirectResult.isSafe) {
     return redirectResult;
   }
-  return { safe: true };
+  return { isSafe: true };
 }
 function splitByPipe(command) {
   const parts = [];
@@ -1265,33 +1335,91 @@ function stripRedirects(segment) {
   return segment.replace(/\d*>\s*&\d+/g, "").replace(/\d*>>\s*\S+/g, "").replace(/\d*>\s*\S+/g, "").replace(/<\s*\S+/g, "").trim();
 }
 function validateRedirects(command) {
-  const redirectPattern = /(\d*)>{1,2}\s*([^\s|;&]+)/g;
-  let match;
-  while ((match = redirectPattern.exec(command)) !== null) {
-    const target = match[2];
-    if (target.startsWith("&") || target === "/dev/null") continue;
-    const isAllowed = SAFE_REDIRECT_PATHS.some((p) => target.startsWith(p));
-    if (!isAllowed) {
-      return {
-        safe: false,
-        error: `Redirect to '${target}' is not in allowed paths`,
-        suggestion: `Redirect output to /tmp/ or /root/ paths. Example: > /tmp/output.txt`
-      };
+  const redirects = extractRedirectTargets(command);
+  for (const { type, fd, target } of redirects) {
+    if (type === ">" || type === ">>") {
+      if (target.startsWith("&") || target === "/dev/null") continue;
+      const isAllowed = SAFE_REDIRECT_PATHS.some((p) => target.startsWith(p));
+      if (!isAllowed) {
+        return {
+          isSafe: false,
+          error: `Redirect to '${target}' is not in allowed paths`,
+          suggestion: `Redirect output to ${WORK_DIR}/ paths. Example: > ${WORK_DIR}/output.txt`
+        };
+      }
+    } else if (type === "<") {
+      const isAllowed = SAFE_REDIRECT_PATHS.some((p) => target.startsWith(p));
+      if (!isAllowed) {
+        return {
+          isSafe: false,
+          error: `Input redirect from '${target}' is not in allowed paths`,
+          suggestion: `Input redirect only from ${WORK_DIR}/ paths.`
+        };
+      }
     }
   }
-  const inputRedirectPattern = /<\s*([^\s|;&]+)/g;
-  while ((match = inputRedirectPattern.exec(command)) !== null) {
-    const source = match[1];
-    const isAllowed = SAFE_REDIRECT_PATHS.some((p) => source.startsWith(p));
-    if (!isAllowed) {
-      return {
-        safe: false,
-        error: `Input redirect from '${source}' is not in allowed paths`,
-        suggestion: `Input redirect only from /tmp/ or /root/ paths.`
-      };
+  return { isSafe: true };
+}
+function extractRedirectTargets(command) {
+  const redirects = [];
+  let inSingle = false;
+  let inDouble = false;
+  let i = 0;
+  while (i < command.length) {
+    const ch = command[i];
+    if (ch === "'" && !inDouble) {
+      inSingle = !inSingle;
+      i++;
+      continue;
+    }
+    if (ch === '"' && !inSingle) {
+      inDouble = !inDouble;
+      i++;
+      continue;
+    }
+    if (!inSingle && !inDouble) {
+      if (ch === ">" || ch === "<") {
+        const isAppend = ch === ">" && command[i + 1] === ">";
+        const type = isAppend ? ">>" : ch;
+        const jump = isAppend ? 2 : 1;
+        let fd = "";
+        if (ch === ">") {
+          let b = i - 1;
+          while (b >= 0 && /\d/.test(command[b])) {
+            fd = command[b] + fd;
+            b--;
+          }
+        }
+        i += jump;
+        while (i < command.length && /\s/.test(command[i])) i++;
+        let target = "";
+        let targetInSingle = false;
+        let targetInDouble = false;
+        while (i < command.length) {
+          const tc = command[i];
+          if (tc === "'" && !targetInDouble) {
+            targetInSingle = !targetInSingle;
+            i++;
+            continue;
+          }
+          if (tc === '"' && !targetInSingle) {
+            targetInDouble = !targetInDouble;
+            i++;
+            continue;
+          }
+          if (!targetInSingle && !targetInDouble && /[\s|;&<>]/.test(tc)) break;
+          target += tc;
+          i++;
+        }
+        if (target) {
+          redirects.push({ type, fd, target });
+        }
+        continue;
+      }
     }
+    i++;
   }
-  return { safe: true };
+  return redirects;
 }
 function extractBinary(command) {
   const parts = command.trim().split(/\s+/);
@@ -1514,7 +1642,7 @@ function clearCommandEventEmitter() {
 async function runCommand(command, args = [], options = {}) {
   const fullCommand = args.length > 0 ? `${command} ${args.join(" ")}` : command;
   const validation = validateCommand(fullCommand);
-  if (!validation.safe) {
+  if (!validation.isSafe) {
     return {
       success: false,
       output: "",
@@ -1688,6 +1816,34 @@ function createTempFile(suffix = "") {
   return join2(tmpdir(), generateTempFilename(suffix));
 }
 
+// src/shared/constants/files.ts
+var FILE_EXTENSIONS = {
+  // Data formats
+  JSON: ".json",
+  MARKDOWN: ".md",
+  TXT: ".txt",
+  XML: ".xml",
+  // Network capture
+  PCAP: ".pcap",
+  HOSTS: ".hosts",
+  MITM: ".mitm",
+  // Process I/O
+  STDOUT: ".stdout",
+  STDERR: ".stderr",
+  STDIN: ".stdin",
+  // Scripts
+  SH: ".sh",
+  PY: ".py",
+  CJS: ".cjs",
+  // Config
+  ENV: ".env",
+  BAK: ".bak"
+};
+var SPECIAL_FILES = {
+  LATEST_STATE: "latest.json",
+  README: "README.md"
+};
+
 // src/engine/process-cleanup.ts
 import { unlinkSync } from "fs";
 
@@ -1877,9 +2033,9 @@ function logEvent(processId, event, detail) {
 }
 function startBackgroundProcess(command, options = {}) {
   const processId = generatePrefixedId("bg");
-  const stdoutFile = createTempFile(".stdout");
-  const stderrFile = createTempFile(".stderr");
-  const stdinFile = createTempFile(".stdin");
+  const stdoutFile = createTempFile(FILE_EXTENSIONS.STDOUT);
+  const stderrFile = createTempFile(FILE_EXTENSIONS.STDERR);
+  const stdinFile = createTempFile(FILE_EXTENSIONS.STDIN);
   const { tags, port, role, isInteractive } = detectProcessRole(command);
   let wrappedCmd;
   if (isInteractive) {
@@ -2979,7 +3135,7 @@ var WorkingMemory = class {
     const lines = ["<working-memory>"];
     if (failures.length > 0) {
       lines.push(`\u26A0\uFE0F FAILED ATTEMPTS (${failures.length} \u2014 DO NOT REPEAT):`);
-      for (const f of failures.slice(-5)) {
+      for (const f of failures.slice(-DISPLAY_LIMITS.RECENT_FAILURES)) {
         lines.push(`  \u2717 ${f.content}`);
       }
     }
@@ -2989,13 +3145,13 @@ var WorkingMemory = class {
     }
     if (successes.length > 0) {
       lines.push(`\u2705 RECENT SUCCESSES (${successes.length}):`);
-      for (const s of successes.slice(-3)) {
+      for (const s of successes.slice(-DISPLAY_LIMITS.RECENT_SUCCESSES)) {
         lines.push(`  \u2713 ${s.content}`);
       }
     }
     if (insights.length > 0) {
       lines.push(`\u{1F4A1} INSIGHTS:`);
-      for (const i of insights.slice(-3)) {
+      for (const i of insights.slice(-DISPLAY_LIMITS.RECENT_INSIGHTS)) {
         lines.push(`  \u2192 ${i.content}`);
       }
     }
@@ -3048,9 +3204,9 @@ var EpisodicMemory = class {
   toPrompt() {
     if (this.events.length === 0) return "";
     const lines = ["<session-timeline>"];
-    const recent = this.events.slice(-10);
+    const recent = this.events.slice(-DISPLAY_LIMITS.RECENT_MEMORY_EVENTS);
     for (const e of recent) {
-      const mins = Math.floor((Date.now() - e.timestamp) / 6e4);
+      const mins = Math.floor((Date.now() - e.timestamp) / MS_PER_MINUTE);
       const icon = {
         tool_success: "\u2705",
         tool_failure: "\u274C",
@@ -3069,7 +3225,6 @@ var EpisodicMemory = class {
     this.events = [];
   }
 };
-var MEMORY_DIR = "/tmp/pentesting-memory";
 var MEMORY_FILE = join3(MEMORY_DIR, "persistent-knowledge.json");
 var PersistentMemory = class {
   knowledge;
@@ -3186,7 +3341,7 @@ var DynamicTechniqueLibrary = class {
     });
     if (this.techniques.length > this.maxTechniques) {
       this.techniques.sort((a, b) => {
-        if (a.verified !== b.verified) return a.verified ? -1 : 1;
+        if (a.isVerified !== b.isVerified) return a.isVerified ? -1 : 1;
         return b.learnedAt - a.learnedAt;
       });
       this.techniques = this.techniques.slice(0, this.maxTechniques);
@@ -3222,7 +3377,7 @@ var DynamicTechniqueLibrary = class {
         source: `Web search: "${query}"`,
         technique: tech,
         applicableTo,
-        verified: false,
+        isVerified: false,
         fromQuery: query
       });
     }
@@ -3233,7 +3388,7 @@ var DynamicTechniqueLibrary = class {
   verify(techniqueSubstring) {
     for (const t of this.techniques) {
       if (t.technique.toLowerCase().includes(techniqueSubstring.toLowerCase())) {
-        t.verified = true;
+        t.isVerified = true;
       }
     }
   }
@@ -3261,8 +3416,8 @@ var DynamicTechniqueLibrary = class {
    */
   toPrompt() {
     if (this.techniques.length === 0) return "";
-    const verified = this.techniques.filter((t) => t.verified);
-    const unverified = this.techniques.filter((t) => !t.verified);
+    const verified = this.techniques.filter((t) => t.isVerified);
+    const unverified = this.techniques.filter((t) => !t.isVerified);
     const lines = ["<learned-techniques>"];
     if (verified.length > 0) {
       lines.push("VERIFIED (worked in this session):");
@@ -3539,8 +3694,8 @@ var SharedState = class {
     return this.data.currentPhase;
   }
   // --- CTF Mode ---
-  setCtfMode(enabled) {
-    this.data.ctfMode = enabled;
+  setCtfMode(shouldEnable) {
+    this.data.ctfMode = shouldEnable;
   }
   isCtfMode() {
     return this.data.ctfMode;
@@ -3847,8 +4002,8 @@ var ApprovalGate = class {
   /**
    * Set auto-approve mode
    */
-  setAutoApprove(enabled) {
-    this.shouldAutoApprove = enabled;
+  setAutoApprove(shouldEnable) {
+    this.shouldAutoApprove = shouldEnable;
   }
   /**
    * Get current auto-approve mode
@@ -4989,6 +5144,36 @@ function formatValidation(result2) {
 }
 
 // src/engine/tools/pentest-target-tools.ts
+function isPortArray(value) {
+  if (!Array.isArray(value)) return false;
+  return value.every(
+    (item) => typeof item === "object" && item !== null && typeof item.port === "number"
+  );
+}
+function parsePorts(value) {
+  return isPortArray(value) ? value : [];
+}
+function isValidSeverity(value) {
+  return typeof value === "string" && Object.values(SEVERITIES).includes(value);
+}
+function parseSeverity(value) {
+  return isValidSeverity(value) ? value : "medium";
+}
+function isValidLootType(value) {
+  return typeof value === "string" && Object.values(LOOT_TYPES).includes(value);
+}
+function parseLootType(value) {
+  return isValidLootType(value) ? value : "file";
+}
+function isValidAttackTactic(value) {
+  return typeof value === "string" && Object.values(ATTACK_TACTICS).includes(value);
+}
+function parseStringArray(value) {
+  return Array.isArray(value) && value.every((v) => typeof v === "string") ? value : [];
+}
+function parseString(value, defaultValue = "") {
+  return typeof value === "string" ? value : defaultValue;
+}
 var createTargetTools = (state) => [
   {
     name: TOOL_NAMES.ADD_TARGET,
@@ -5020,10 +5205,10 @@ The target will be tracked in SharedState and available for all agents.`,
     },
     required: ["ip"],
     execute: async (p) => {
-      const ip = p.ip;
+      const ip = parseString(p.ip);
       const existing = state.getTarget(ip);
       if (existing) {
-        const newPorts = p.ports || [];
+        const newPorts = parsePorts(p.ports);
         for (const np of newPorts) {
           const exists = existing.ports.some((ep) => ep.port === np.port);
           if (!exists) {
@@ -5037,11 +5222,11 @@ The target will be tracked in SharedState and available for all agents.`,
             state.attackGraph.addService(ip, np.port, np.service || "unknown", np.version);
           }
         }
-        if (p.hostname) existing.hostname = p.hostname;
-        if (p.tags) existing.tags = [.../* @__PURE__ */ new Set([...existing.tags, ...p.tags])];
+        if (p.hostname) existing.hostname = parseString(p.hostname);
+        if (p.tags) existing.tags = [.../* @__PURE__ */ new Set([...existing.tags, ...parseStringArray(p.tags)])];
         return { success: true, output: `Target ${ip} updated. Total ports: ${existing.ports.length}` };
       }
-      const ports = (p.ports || []).map((port) => ({
+      const ports = parsePorts(p.ports).map((port) => ({
         port: port.port,
         service: port.service || "unknown",
         version: port.version,
@@ -5050,9 +5235,9 @@ The target will be tracked in SharedState and available for all agents.`,
       }));
       state.addTarget({
         ip,
-        hostname: p.hostname,
+        hostname: parseString(p.hostname) || void 0,
         ports,
-        tags: p.tags || [],
+        tags: parseStringArray(p.tags),
         firstSeen: Date.now()
       });
       return { success: true, output: `Target ${ip} added.${p.hostname ? ` Hostname: ${p.hostname}` : ""} Ports: ${ports.length}` };
@@ -5071,30 +5256,30 @@ Types: credential, hash, token, ssh_key, api_key, file, session, ticket, certifi
     },
     required: ["type", "host", "detail"],
     execute: async (p) => {
-      const lootType = p.type;
+      const lootTypeStr = parseString(p.type);
       const crackableTypes = ["hash"];
-      const detail = p.detail;
-      const host = p.host;
+      const detail = parseString(p.detail);
+      const host = parseString(p.host);
       state.addLoot({
-        type: lootType,
+        type: parseLootType(lootTypeStr),
         host,
         detail,
         obtainedAt: Date.now(),
-        isCrackable: crackableTypes.includes(lootType),
+        isCrackable: crackableTypes.includes(lootTypeStr),
         isCracked: false
       });
-      if (["credential", "token", "ssh_key", "api_key"].includes(lootType)) {
+      if (["credential", "token", "ssh_key", "api_key"].includes(lootTypeStr)) {
         const parts = detail.split(":");
         if (parts.length >= 2) {
           state.attackGraph.addCredential(parts[0], parts.slice(1).join(":"), host);
         }
       }
-      state.episodicMemory.record("access_gained", `Loot [${lootType}] from ${host}: ${detail.slice(0, DISPLAY_LIMITS.MEMORY_EVENT_PREVIEW)}`);
+      state.episodicMemory.record("access_gained", `Loot [${lootTypeStr}] from ${host}: ${detail.slice(0, DISPLAY_LIMITS.MEMORY_EVENT_PREVIEW)}`);
       return {
         success: true,
-        output: `Loot recorded: [${lootType}] from ${host}
+        output: `Loot recorded: [${lootTypeStr}] from ${host}
 Detail: ${detail}
-` + (crackableTypes.includes(lootType) ? `This is crackable. Consider: hash_crack({ hashes: "${detail.slice(0, DISPLAY_LIMITS.LOOT_DETAIL_PREVIEW)}..." })` : `Consider credential reuse / lateral movement with this loot.`)
+` + (crackableTypes.includes(lootTypeStr) ? `This is crackable. Consider: hash_crack({ hashes: "${detail.slice(0, DISPLAY_LIMITS.LOOT_DETAIL_PREVIEW)}..." })` : `Consider credential reuse / lateral movement with this loot.`)
       };
     }
   },
@@ -5113,12 +5298,13 @@ Findings without evidence are marked as UNVERIFIED and have low credibility.`,
     },
     required: ["title", "severity", "description", "evidence"],
     execute: async (p) => {
-      const evidence = p.evidence || [];
-      const title = p.title;
-      const severity = p.severity;
-      const affected = p.affected || [];
-      const description = p.description || "";
+      const evidence = parseStringArray(p.evidence);
+      const title = parseString(p.title);
+      const severity = parseSeverity(p.severity);
+      const affected = parseStringArray(p.affected);
+      const description = parseString(p.description);
       const validation = validateFinding(evidence, severity);
+      const attackPattern = parseString(p.attackPattern);
       state.addFinding({
         id: generateId(AGENT_LIMITS.ID_RADIX, AGENT_LIMITS.ID_LENGTH),
         title,
@@ -5129,7 +5315,7 @@ Findings without evidence are marked as UNVERIFIED and have low credibility.`,
         isVerified: validation.isVerified,
         remediation: "",
         foundAt: Date.now(),
-        ...p.attackPattern ? { attackPattern: p.attackPattern } : {}
+        ...attackPattern && isValidAttackTactic(attackPattern) ? { attackPattern } : {}
       });
       const hasExploit = validation.isVerified;
       const target = affected[0] || "unknown";
@@ -5147,7 +5333,7 @@ ${formatValidation(validation)}`
   }
 ];
 
-// src/engine/tools-mid.ts
+// src/engine/tools/intel-utils.ts
 import { execFileSync } from "child_process";
 
 // src/shared/utils/config.ts
@@ -5160,7 +5346,7 @@ var ENV_KEYS = {
   THINKING: "PENTEST_THINKING",
   THINKING_BUDGET: "PENTEST_THINKING_BUDGET"
 };
-var DEFAULT_SEARCH_API_URL = "https://api.search.brave.com/res/v1/web/search";
+var DEFAULT_SEARCH_API_URL = "https://open.bigmodel.cn/api/paas/v4/tools/web-search-pro";
 function getApiKey() {
   return process.env[ENV_KEYS.API_KEY] || "";
 }
@@ -5171,7 +5357,10 @@ function getModel() {
   return process.env[ENV_KEYS.MODEL] || "";
 }
 function getSearchApiKey() {
-  return process.env[ENV_KEYS.SEARCH_API_KEY];
+  if (process.env[ENV_KEYS.SEARCH_API_KEY]) {
+    return process.env[ENV_KEYS.SEARCH_API_KEY];
+  }
+  return process.env[ENV_KEYS.API_KEY];
 }
 function getSearchApiUrl() {
   return process.env[ENV_KEYS.SEARCH_API_URL] || DEFAULT_SEARCH_API_URL;
@@ -5663,14 +5852,11 @@ async function webSearchWithBrowser(query, engine = "google") {
 }
 
 // src/engine/web-search-providers.ts
-function getErrorMessage(error) {
-  return error instanceof Error ? error.message : String(error);
-}
 async function searchWithGLM(query, apiKey, apiUrl) {
   debugLog("search", "GLM request START", { apiUrl, query });
   const requestBody = {
     model: "web-search-pro",
-    messages: [{ role: "user", content: query }],
+    messages: [{ role: LLM_ROLES.USER, content: query }],
     stream: false
   };
   debugLog("search", "GLM request body", requestBody);
@@ -5789,38 +5975,14 @@ async function searchWithGenericApi(query, apiKey, apiUrl) {
   const data = await response.json();
   return { success: true, output: JSON.stringify(data, null, 2) };
 }
-async function searchWithPlaywright(query) {
-  debugLog("search", "Playwright Google search START", { query });
-  try {
-    const result2 = await webSearchWithBrowser(query, "google");
-    if (!result2.success) {
-      return {
-        success: false,
-        output: "",
-        error: `Playwright search failed: ${result2.error}. Set SEARCH_API_KEY for reliable search (Brave API by default).`
-      };
-    }
-    debugLog("search", "Playwright Google search COMPLETE", { outputLength: result2.output.length });
-    return {
-      success: true,
-      output: result2.output || `No results found for: ${query}`
-    };
-  } catch (error) {
-    return {
-      success: false,
-      output: "",
-      error: `Playwright search error: ${getErrorMessage(error)}. Set SEARCH_API_KEY for reliable search (Brave API by default).`
-    };
-  }
-}
 
-// src/engine/tools-mid.ts
+// src/engine/tools/intel-utils.ts
 var PORT_STATE2 = {
   OPEN: "open",
   CLOSED: "closed",
   FILTERED: "filtered"
 };
-function getErrorMessage2(error) {
+function getErrorMessage(error) {
   return error instanceof Error ? error.message : String(error);
 }
 async function parseNmap(xmlPath) {
@@ -5871,7 +6033,7 @@ async function parseNmap(xmlPath) {
     return {
       success: false,
       output: "",
-      error: getErrorMessage2(error)
+      error: getErrorMessage(error)
     };
   }
 }
@@ -5882,7 +6044,7 @@ async function searchCVE(service, version) {
     return {
       success: false,
       output: "",
-      error: getErrorMessage2(error)
+      error: getErrorMessage(error)
     };
   }
 }
@@ -5919,43 +6081,58 @@ async function searchExploitDB(service, version) {
     return {
       success: false,
       output: "",
-      error: getErrorMessage2(error)
+      error: getErrorMessage(error)
     };
   }
 }
 async function webSearch(query, _engine) {
   debugLog("search", "webSearch START", { query });
+  const apiKey = getSearchApiKey();
+  const apiUrl = getSearchApiUrl();
+  debugLog("search", "Search API config", {
+    hasApiKey: !!apiKey,
+    apiUrl,
+    apiKeyPrefix: apiKey ? apiKey.slice(0, DISPLAY_LIMITS.API_KEY_PREFIX) + "..." : null
+  });
+  if (!apiKey) {
+    return {
+      success: false,
+      output: "",
+      error: `SEARCH_API_KEY is required for web search. Set it in your environment:
+
+  # Brave Search (recommended - free tier available)
+  export SEARCH_API_KEY=your_brave_api_key
+  # Get key at: https://brave.com/search/api/
+
+  # Or GLM Web Search (\u667A\u8C31 AI)
+  export SEARCH_API_KEY=your_glm_api_key
+  export SEARCH_API_URL=https://open.bigmodel.cn/api/paas/v4/tools/web-search-pro
+
+  # Or Serper (Google)
+  export SEARCH_API_KEY=your_serper_key
+  export SEARCH_API_URL=https://google.serper.dev/search`
+    };
+  }
   try {
-    const apiKey = getSearchApiKey();
-    const apiUrl = getSearchApiUrl();
-    debugLog("search", "Search API config", {
-      hasApiKey: !!apiKey,
-      apiUrl,
-      apiKeyPrefix: apiKey ? apiKey.slice(0, DISPLAY_LIMITS.API_KEY_PREFIX) + "..." : null
-    });
-    if (apiKey) {
-      if (apiUrl.includes(SEARCH_URL_PATTERN.GLM) || apiUrl.includes(SEARCH_URL_PATTERN.ZHIPU)) {
-        debugLog("search", "Using GLM search");
-        return await searchWithGLM(query, apiKey, apiUrl);
-      } else if (apiUrl.includes(SEARCH_URL_PATTERN.BRAVE)) {
-        debugLog("search", "Using Brave search");
-        return await searchWithBrave(query, apiKey, apiUrl);
-      } else if (apiUrl.includes(SEARCH_URL_PATTERN.SERPER)) {
-        debugLog("search", "Using Serper search");
-        return await searchWithSerper(query, apiKey, apiUrl);
-      } else {
-        debugLog("search", "Using generic search API");
-        return await searchWithGenericApi(query, apiKey, apiUrl);
-      }
+    if (apiUrl.includes(SEARCH_URL_PATTERN.GLM) || apiUrl.includes(SEARCH_URL_PATTERN.ZHIPU)) {
+      debugLog("search", "Using GLM search");
+      return await searchWithGLM(query, apiKey, apiUrl);
+    } else if (apiUrl.includes(SEARCH_URL_PATTERN.BRAVE)) {
+      debugLog("search", "Using Brave search");
+      return await searchWithBrave(query, apiKey, apiUrl);
+    } else if (apiUrl.includes(SEARCH_URL_PATTERN.SERPER)) {
+      debugLog("search", "Using Serper search");
+      return await searchWithSerper(query, apiKey, apiUrl);
+    } else {
+      debugLog("search", "Using generic search API");
+      return await searchWithGenericApi(query, apiKey, apiUrl);
     }
-    debugLog("search", "SEARCH_API_KEY not set \u2014 falling back to Playwright Google search");
-    return await searchWithPlaywright(query);
   } catch (error) {
-    debugLog("search", "webSearch ERROR", { error: getErrorMessage2(error) });
+    debugLog("search", "webSearch ERROR", { error: getErrorMessage(error) });
     return {
       success: false,
       output: "",
-      error: getErrorMessage2(error)
+      error: getErrorMessage(error)
     };
   }
 }
@@ -7235,7 +7412,7 @@ Requires root/sudo privileges.`,
       const iface = p.interface || "any";
       const filter = p.filter || "";
       const duration = p.duration || NETWORK_CONFIG.DEFAULT_SNIFF_DURATION;
-      const outputFile = p.output_file || createTempFile(".pcap");
+      const outputFile = p.output_file || createTempFile(FILE_EXTENSIONS.PCAP);
       const count = p.count || NETWORK_CONFIG.DEFAULT_PACKET_COUNT;
       const extractCreds = p.extract_creds !== false;
       const filterFlag = filter ? `"${filter}"` : "";
@@ -7320,7 +7497,7 @@ Requires root/sudo privileges.`,
       const spoofIp = p.spoof_ip;
       const iface = p.interface || "";
       const duration = p.duration || NETWORK_CONFIG.DEFAULT_SPOOF_DURATION;
-      const hostsFile = createTempFile(".hosts");
+      const hostsFile = createTempFile(FILE_EXTENSIONS.HOSTS);
       const { writeFileSync: writeFileSync8 } = await import("fs");
       writeFileSync8(hostsFile, `${spoofIp}	${domain}
 ${spoofIp}	*.${domain}
@@ -7372,7 +7549,7 @@ Combine with arp_spoof for transparent proxying.`,
       const port = p.port || NETWORK_CONFIG.DEFAULT_PROXY_PORT;
       const targetHost = p.target_host;
       const duration = p.duration || NETWORK_CONFIG.DEFAULT_SPOOF_DURATION;
-      const outputFile = p.output_file || createTempFile(".mitm");
+      const outputFile = p.output_file || createTempFile(FILE_EXTENSIONS.MITM);
       const sslInsecure = p.ssl_insecure !== false;
       let cmd;
       const sslFlag = sslInsecure ? "--ssl-insecure" : "";
@@ -7436,7 +7613,7 @@ This is a high-level tool that combines tcpdump capture with protocol analysis.`
       const iface = p.interface || "any";
       const protocols = p.protocols || "all";
       const duration = p.duration || NETWORK_CONFIG.DEFAULT_SNIFF_DURATION;
-      const outputFile = createTempFile(".pcap");
+      const outputFile = createTempFile(FILE_EXTENSIONS.PCAP);
       let bpfFilter = `host ${target}`;
       if (protocols !== "all") {
         const protoFilters = [];
@@ -7587,15 +7764,6 @@ var ZombieHunter = class {
   }
 };
 
-// src/shared/constants/orchestrator.ts
-var GRACEFUL_SHUTDOWN_WAIT_MS = 200;
-var PROCESS_OUTPUT_TRUNCATION_LIMIT = 1e4;
-var MS_PER_MINUTE = 6e4;
-var LONG_RUNNING_THRESHOLD_MS = 5 * MS_PER_MINUTE;
-var VERY_LONG_RUNNING_THRESHOLD_MS = 15 * MS_PER_MINUTE;
-var MAX_RECOMMENDATIONS_FOR_HEALTHY = 2;
-var DEFAULT_DIRECTIVE_FOCUS = PHASES.RECON;
-
 // src/engine/resource/health-monitor.ts
 var HEALTH_STATUS = {
   HEALTHY: "healthy",
@@ -8696,6 +8864,10 @@ var DOMAINS = {
 };
 
 // src/engine/tools-registry.ts
+var VALID_CATEGORIES = Object.values(SERVICE_CATEGORIES);
+function isValidCategory(id) {
+  return VALID_CATEGORIES.includes(id);
+}
 var CategorizedToolRegistry = class extends ToolRegistry {
   categories = /* @__PURE__ */ new Map();
   constructor(state, scopeGuard, approvalGate, events) {
@@ -8727,13 +8899,13 @@ var CategorizedToolRegistry = class extends ToolRegistry {
     ];
     const coreTools = coreToolNames.map((name) => this.getTool(name)).filter((t) => !!t);
     Object.keys(DOMAINS).forEach((id) => {
-      const cat = id;
-      this.categories.set(cat, {
-        name: cat,
-        description: DOMAINS[cat]?.description || "",
+      if (!isValidCategory(id)) return;
+      this.categories.set(id, {
+        name: id,
+        description: DOMAINS[id]?.description || "",
         tools: [...coreTools],
-        dangerLevel: this.calculateDanger(cat),
-        defaultApproval: CATEGORY_APPROVAL2[cat] || "confirm"
+        dangerLevel: this.calculateDanger(id),
+        defaultApproval: CATEGORY_APPROVAL2[id] || "confirm"
       });
     });
   }
@@ -8750,19 +8922,17 @@ var CategorizedToolRegistry = class extends ToolRegistry {
       const cat = ServiceParser.detectCategory(p.port, p.service);
       if (cat && !seen.has(cat)) {
         seen.add(cat);
-        const suggestion = {
+        results.push({
           category: cat,
           tools: this.getByCategory(cat).map((t) => t.name)
-        };
-        results.push(suggestion);
+        });
       }
     });
     if (target.hostname && ServiceParser.isCloudHostname(target.hostname) && !seen.has(SERVICE_CATEGORIES.CLOUD)) {
-      const cloudSuggestion = {
+      results.push({
         category: SERVICE_CATEGORIES.CLOUD,
         tools: this.getByCategory(SERVICE_CATEGORIES.CLOUD).map((t) => t.name)
-      };
-      results.push(cloudSuggestion);
+      });
     }
     return results;
   }
@@ -9340,7 +9510,7 @@ function saveState(state) {
 }
 function pruneOldSessions(sessionsDir) {
   try {
-    const sessionFiles = readdirSync(sessionsDir).filter((f) => f.endsWith(".json") && f !== "latest.json").map((f) => ({
+    const sessionFiles = readdirSync(sessionsDir).filter((f) => f.endsWith(FILE_EXTENSIONS.JSON) && f !== SPECIAL_FILES.LATEST_STATE).map((f) => ({
       name: f,
       path: join9(sessionsDir, f),
       mtime: statSync(join9(sessionsDir, f)).mtimeMs
@@ -9481,13 +9651,13 @@ function appendBlockedCommandHints(lines, errorLower) {
   if (errorLower.includes("pipe target") || errorLower.includes("injection")) {
     lines.push(`Fix: Use the tool's built-in output options instead of shell pipes.`);
     lines.push(`Alternative approaches:`);
-    lines.push(`  1. Save output to file: command > /tmp/output.txt, then use read_file("/tmp/output.txt")`);
-    lines.push(`  2. Use tool-specific flags: nmap -oN /tmp/scan.txt, curl -o /tmp/page.html`);
+    lines.push(`  1. Save output to file: command > ${WORK_DIR}/output.txt, then use read_file("${WORK_DIR}/output.txt")`);
+    lines.push(`  2. Use tool-specific flags: nmap -oN ${WORK_DIR}/scan.txt, curl -o ${WORK_DIR}/page.html`);
     lines.push(`  3. Use browse_url for web content instead of curl | grep`);
     lines.push(`  4. If filtering output: run the command first, then read_file + parse results`);
   } else if (errorLower.includes("redirect")) {
-    lines.push(`Fix: Redirect to /tmp/ or /root/ paths only.`);
-    lines.push(`Example: command > /tmp/output.txt or command 2>&1 > /tmp/errors.txt`);
+    lines.push(`Fix: Redirect to ${WORK_DIR}/ path.`);
+    lines.push(`Example: command > ${WORK_DIR}/output.txt or command 2>&1 > ${WORK_DIR}/errors.txt`);
   } else {
     lines.push(`Fix: Simplify the command. Avoid chaining complex operations.`);
     lines.push(`Break into multiple steps: run_cmd \u2192 read_file \u2192 run_cmd.`);
@@ -10006,7 +10176,7 @@ function createLLMDigestFn(llmClient) {
   return async (text, context) => {
     const truncatedText = text.length > LAYER3_MAX_INPUT_CHARS ? text.slice(0, LAYER3_MAX_INPUT_CHARS) + `
 ... [truncated for summarization, ${text.length - LAYER3_MAX_INPUT_CHARS} chars omitted]` : text;
-    const messages = [{ role: "user", content: `Analyze this pentesting tool output and extract actionable intelligence.
+    const messages = [{ role: LLM_ROLES.USER, content: `Analyze this pentesting tool output and extract actionable intelligence.
 
 Context: ${context}
 
@@ -11287,7 +11457,7 @@ var Strategist = class {
   // ─── LLM Call ───────────────────────────────────────────────
   async callLLM(input) {
     const messages = [{
-      role: "user",
+      role: LLM_ROLES.USER,
       content: `Analyze this penetration test situation and write a tactical directive for the attack agent.
 
 ${input}`
@@ -11316,7 +11486,7 @@ ${input}`
    */
   formatForPrompt(directive, isStale = false) {
     if (!directive.content) return "";
-    const age = Math.floor((Date.now() - directive.generatedAt) / 6e4);
+    const age = Math.floor((Date.now() - directive.generatedAt) / MS_PER_MINUTE);
     const staleWarning = isStale ? `
 NOTE: This directive is from ${age}min ago (Strategist call failed this turn). Verify assumptions are still valid.` : "";
     return [
@@ -11465,8 +11635,8 @@ var MainAgent = class extends CoreAgent {
     });
   }
   // ─── Public API Surface ─────────────────────────────────────
-  setAutoApprove(enabled) {
-    this.approvalGate.setAutoApprove(enabled);
+  setAutoApprove(shouldEnable) {
+    this.approvalGate.setAutoApprove(shouldEnable);
   }
   getState() {
     return this.state;
@@ -11978,9 +12148,10 @@ var useAgentEvents = (agent, eventsRef, state) => {
     const onReasoningDelta = (e) => {
       reasoningBufferRef.current += e.data.content;
       const chars = reasoningBufferRef.current.length;
-      const estTokens = Math.round(chars / 4);
+      const estTokens = Math.round(chars / LLM_LIMITS.charsPerTokenEstimate);
+      const firstLine = reasoningBufferRef.current.split("\n")[0]?.slice(0, TUI_DISPLAY_LIMITS.reasoningPreviewChars) || "";
       setCurrentStatus(`Reasoning (~${estTokens} tokens)
-${reasoningBufferRef.current}`);
+${firstLine}`);
     };
     const onReasoningEnd = () => {
       const text = reasoningBufferRef.current.trim();
@@ -12439,7 +12610,7 @@ var MessageList = memo(({ messages }) => {
     if (msg.type === "thinking") {
       const lines = msg.content.split("\n");
       const charCount = msg.content.length;
-      const estTokens = Math.round(charCount / 4);
+      const estTokens = Math.round(charCount / LLM_LIMITS.charsPerTokenEstimate);
       return /* @__PURE__ */ jsxs2(Box2, { flexDirection: "column", marginTop: 0, marginBottom: 1, children: [
         /* @__PURE__ */ jsxs2(Box2, { children: [
           /* @__PURE__ */ jsx2(Text2, { color: THEME.cyan, bold: true, children: "Reasoning" }),
@@ -12701,9 +12872,9 @@ import { memo as memo5 } from "react";
 import { Box as Box5, Text as Text6 } from "ink";
 import { jsx as jsx6, jsxs as jsxs5 } from "react/jsx-runtime";
 var formatElapsed = (totalSeconds) => {
-  const hours = Math.floor(totalSeconds / 3600);
-  const minutes = Math.floor(totalSeconds % 3600 / 60);
-  const seconds = Math.floor(totalSeconds % 60);
+  const hours = Math.floor(totalSeconds / SECONDS_PER_HOUR);
+  const minutes = Math.floor(totalSeconds % SECONDS_PER_HOUR / SECONDS_PER_MINUTE);
+  const seconds = Math.floor(totalSeconds % SECONDS_PER_MINUTE);
   const pad = (n) => String(n).padStart(2, "0");
   if (hours > 0) {
     return `${hours}:${pad(minutes)}:${pad(seconds)}`;
@@ -12857,11 +13028,11 @@ var App = ({ autoApprove = false, target }) => {
           }
           if (f.evidence.length > 0) {
             findingLines.push(`    Evidence:`);
-            f.evidence.slice(0, 3).forEach((e) => {
-              const preview = e.length > 120 ? e.slice(0, 120) + "..." : e;
+            f.evidence.slice(0, DISPLAY_LIMITS.EVIDENCE_ITEMS_PREVIEW).forEach((e) => {
+              const preview = e.length > DISPLAY_LIMITS.EVIDENCE_PREVIEW_LENGTH ? e.slice(0, DISPLAY_LIMITS.EVIDENCE_PREVIEW_LENGTH) + "..." : e;
               findingLines.push(`      \u25B8 ${preview}`);
             });
-            if (f.evidence.length > 3) findingLines.push(`      ... +${f.evidence.length - 3} more`);
+            if (f.evidence.length > DISPLAY_LIMITS.EVIDENCE_ITEMS_PREVIEW) findingLines.push(`      ... +${f.evidence.length - DISPLAY_LIMITS.EVIDENCE_ITEMS_PREVIEW} more`);
           }
           findingLines.push("");
         });