pentesting 0.47.2 → 0.47.4

package/dist/main.js

@@ -105,7 +105,27 @@ var DISPLAY_LIMITS = {
   /** Prefix length for sensitive value redaction */
   REDACT_PREFIX: 4,
   /** Max characters for raw JSON error preview */
-  RAW_JSON_ERROR_PREVIEW: 500
+  RAW_JSON_ERROR_PREVIEW: 500,
+  // ─── Memory/History Slice Sizes (§4-3 Extract Magic Values) ─────
+  /** Recent credentials to include in context */
+  RECENT_CREDENTIALS: 5,
+  /** Recent failures to analyze for patterns */
+  RECENT_FAILURES: 5,
+  /** Recent successes to include in summary */
+  RECENT_SUCCESSES: 3,
+  /** Recent insights to display */
+  RECENT_INSIGHTS: 3,
+  /** Recent memory events to include */
+  RECENT_MEMORY_EVENTS: 10,
+  /** Summary window - small (for quick summaries) */
+  SUMMARY_WINDOW_SMALL: 100,
+  /** Summary window - large (for detailed summaries) */
+  SUMMARY_WINDOW_LARGE: 500,
+  // ─── Evidence Display ────────────────────────────────────────
+  /** Max evidence items to show in finding preview */
+  EVIDENCE_ITEMS_PREVIEW: 3,
+  /** Max characters per evidence item in preview */
+  EVIDENCE_PREVIEW_LENGTH: 120
 };
 var AGENT_LIMITS = {
   /** Maximum agent loop iterations — generous to allow complex tasks.
@@ -311,7 +331,7 @@ var ORPHAN_PROCESS_NAMES = [
 
 // src/shared/constants/agent.ts
 var APP_NAME = "Pentest AI";
-var APP_VERSION = "0.47.2";
+var APP_VERSION = "0.47.4";
 var APP_DESCRIPTION = "Autonomous Penetration Testing AI Agent";
 var LLM_ROLES = {
   SYSTEM: "system",
@@ -653,12 +673,44 @@ var TODO_STATUSES = {
   DONE: "done",
   SKIPPED: "skipped"
 };
+var LOOT_TYPES = {
+  CREDENTIAL: "credential",
+  SESSION: "session",
+  HASH: "hash",
+  TOKEN: "token",
+  FILE: "file",
+  TICKET: "ticket",
+  SSH_KEY: "ssh_key",
+  CERTIFICATE: "certificate",
+  API_KEY: "api_key"
+};
+var ATTACK_TACTICS = {
+  INITIAL_ACCESS: "initial_access",
+  EXECUTION: "execution",
+  PERSISTENCE: "persistence",
+  PRIV_ESC: "privilege_escalation",
+  DEFENSE_EVASION: "defense_evasion",
+  CREDENTIAL_ACCESS: "credential_access",
+  DISCOVERY: "discovery",
+  LATERAL_MOVEMENT: "lateral_movement",
+  COLLECTION: "collection",
+  EXFILTRATION: "exfiltration",
+  C2: "command_and_control",
+  IMPACT: "impact"
+};
 var APPROVAL_STATUSES = {
   AUTO: "auto",
   USER_CONFIRMED: "user_confirmed",
   USER_REVIEWED: "user_reviewed",
   DENIED: "denied"
 };
+var SEVERITIES = {
+  CRITICAL: "critical",
+  HIGH: "high",
+  MEDIUM: "medium",
+  LOW: "low",
+  INFO: "info"
+};
 var PRIORITIES = {
   HIGH: "high",
   MEDIUM: "medium",
@@ -757,6 +809,73 @@ function ensureDirExists(dirPath) {
   }
 }
 
+// src/shared/constants/time.ts
+var MS_PER_MINUTE = 6e4;
+var SECONDS_PER_MINUTE = 60;
+var SECONDS_PER_HOUR = 3600;
+
+// src/shared/constants/paths.ts
+import path from "path";
+import { fileURLToPath } from "url";
+var __filename = fileURLToPath(import.meta.url);
+var __dirname = path.dirname(__filename);
+var PROJECT_ROOT = path.resolve(__dirname, "../../../");
+var PENTESTING_ROOT = ".pentesting";
+var WORK_DIR = `${PENTESTING_ROOT}/tmp`;
+var MEMORY_DIR = `${PENTESTING_ROOT}/memory`;
+var REPORTS_DIR = `${PENTESTING_ROOT}/reports`;
+var SESSIONS_DIR = `${PENTESTING_ROOT}/sessions`;
+var LOOT_DIR = `${PENTESTING_ROOT}/loot`;
+var OUTPUTS_DIR = `${PENTESTING_ROOT}/outputs`;
+var DEBUG_DIR = `${PENTESTING_ROOT}/debug`;
+var JOURNAL_DIR = `${PENTESTING_ROOT}/journal`;
+var WORKSPACE = {
+  /** Root directory */
+  get ROOT() {
+    return path.resolve(PENTESTING_ROOT);
+  },
+  /** Temporary files */
+  get TMP() {
+    return path.resolve(WORK_DIR);
+  },
+  /** Persistent memory */
+  get MEMORY() {
+    return path.resolve(MEMORY_DIR);
+  },
+  /** Generated reports */
+  get REPORTS() {
+    return path.resolve(REPORTS_DIR);
+  },
+  /** Session snapshots */
+  get SESSIONS() {
+    return path.resolve(SESSIONS_DIR);
+  },
+  /** Captured loot */
+  get LOOT() {
+    return path.resolve(LOOT_DIR);
+  },
+  /** Full tool outputs */
+  get OUTPUTS() {
+    return path.resolve(OUTPUTS_DIR);
+  },
+  /** Debug logs */
+  get DEBUG() {
+    return path.resolve(DEBUG_DIR);
+  },
+  /** Persistent per-turn journal (§13 memo system) */
+  get JOURNAL() {
+    return path.resolve(JOURNAL_DIR);
+  }
+};
+
+// src/shared/constants/orchestrator.ts
+var GRACEFUL_SHUTDOWN_WAIT_MS = 200;
+var PROCESS_OUTPUT_TRUNCATION_LIMIT = 1e4;
+var LONG_RUNNING_THRESHOLD_MS = 5 * MS_PER_MINUTE;
+var VERY_LONG_RUNNING_THRESHOLD_MS = 15 * MS_PER_MINUTE;
+var MAX_RECOMMENDATIONS_FOR_HEALTHY = 2;
+var DEFAULT_DIRECTIVE_FOCUS = PHASES.RECON;
+
 // src/shared/utils/command-security-lists.ts
 var ALLOWED_BINARIES = /* @__PURE__ */ new Set([
   // Network scanning
@@ -964,7 +1083,7 @@ var SAFE_PIPE_TARGETS = /* @__PURE__ */ new Set([
   "python3",
   "python"
 ]);
-var SAFE_REDIRECT_PATHS = ["/tmp/", "/root/", "/var/log/", "/opt/"];
+var SAFE_REDIRECT_PATHS = [`${WORK_DIR}/`];
 var BLOCKED_BINARIES = /* @__PURE__ */ new Set([
   "rm",
   "shred",
@@ -989,50 +1108,6 @@ var BLOCKED_BINARIES = /* @__PURE__ */ new Set([
 // src/shared/utils/debug-logger.ts
 import { appendFileSync, writeFileSync } from "fs";
 import { join } from "path";
-
-// src/shared/constants/paths.ts
-import path from "path";
-import { fileURLToPath } from "url";
-import { homedir } from "os";
-var __filename = fileURLToPath(import.meta.url);
-var __dirname = path.dirname(__filename);
-var PROJECT_ROOT = path.resolve(__dirname, "../../../");
-var WORKSPACE_DIR_NAME = ".pentesting";
-function getWorkspaceRoot() {
-  return path.join(homedir(), WORKSPACE_DIR_NAME);
-}
-var WORKSPACE = {
-  /** Root directory (resolved lazily via getWorkspaceRoot) */
-  get ROOT() {
-    return getWorkspaceRoot();
-  },
-  /** Per-session state snapshots */
-  get SESSIONS() {
-    return path.join(getWorkspaceRoot(), "sessions");
-  },
-  /** Debug logs */
-  get DEBUG() {
-    return path.join(getWorkspaceRoot(), "debug");
-  },
-  /** Generated reports */
-  get REPORTS() {
-    return path.join(getWorkspaceRoot(), "reports");
-  },
-  /** Downloaded loot, captured files */
-  get LOOT() {
-    return path.join(getWorkspaceRoot(), "loot");
-  },
-  /** Temporary files for active operations */
-  get TEMP() {
-    return path.join(getWorkspaceRoot(), "temp");
-  },
-  /** Full tool output files saved by Context Digest */
-  get OUTPUTS() {
-    return path.join(getWorkspaceRoot(), "outputs");
-  }
-};
-
-// src/shared/utils/debug-logger.ts
 var DebugLogger = class _DebugLogger {
   static instance;
   logPath;
@@ -1123,16 +1198,16 @@ var SHELL_CHARS = {
 };
 function validateCommand(command) {
   if (!command || typeof command !== "string") {
-    return { safe: false, error: "Empty or invalid command" };
+    return { isSafe: false, error: "Empty or invalid command" };
   }
   const normalizedCommand = command.trim();
   if (normalizedCommand.length === 0) {
-    return { safe: false, error: "Empty command" };
+    return { isSafe: false, error: "Empty command" };
   }
   for (const pattern of INJECTION_PATTERNS) {
     if (pattern.test(normalizedCommand)) {
       return {
-        safe: false,
+        isSafe: false,
         error: `Injection pattern detected: ${pattern.source}`,
         suggestion: "Avoid command substitution ($(), ``), variable expansion (${}) and control characters."
       };
@@ -1141,13 +1216,13 @@ function validateCommand(command) {
   const subCommands = splitChainedCommands(normalizedCommand);
   for (const subCmd of subCommands) {
     const result2 = validateSingleCommand(subCmd.trim());
-    if (!result2.safe) {
+    if (!result2.isSafe) {
       return result2;
     }
   }
   const primaryBinary = extractBinary(subCommands[0].trim());
   return {
-    safe: true,
+    isSafe: true,
     binary: primaryBinary || void 0,
     args: normalizedCommand.split(/\s+/).slice(1)
   };
@@ -1202,14 +1277,14 @@ function validateSingleCommand(command) {
     if (!binary) continue;
     if (BLOCKED_BINARIES.has(binary)) {
       return {
-        safe: false,
+        isSafe: false,
         error: `Binary '${binary}' is blocked for security reasons`,
         suggestion: `'${binary}' is not allowed. Use a different approach.`
       };
     }
     if (idx > 0 && !SAFE_PIPE_TARGETS.has(binary) && !ALLOWED_BINARIES.has(binary)) {
       return {
-        safe: false,
+        isSafe: false,
         error: `Pipe target '${binary}' is not in the allowed list`,
         suggestion: `Piping to '${binary}' is not allowed. Safe pipe targets: head, tail, grep, awk, sed, cut, sort, uniq, wc, jq, tee.`
       };
@@ -1219,10 +1294,10 @@ function validateSingleCommand(command) {
     }
   }
   const redirectResult = validateRedirects(command);
-  if (!redirectResult.safe) {
+  if (!redirectResult.isSafe) {
     return redirectResult;
   }
-  return { safe: true };
+  return { isSafe: true };
 }
 function splitByPipe(command) {
   const parts = [];
@@ -1265,33 +1340,91 @@ function stripRedirects(segment) {
   return segment.replace(/\d*>\s*&\d+/g, "").replace(/\d*>>\s*\S+/g, "").replace(/\d*>\s*\S+/g, "").replace(/<\s*\S+/g, "").trim();
 }
 function validateRedirects(command) {
-  const redirectPattern = /(\d*)>{1,2}\s*([^\s|;&]+)/g;
-  let match;
-  while ((match = redirectPattern.exec(command)) !== null) {
-    const target = match[2];
-    if (target.startsWith("&") || target === "/dev/null") continue;
-    const isAllowed = SAFE_REDIRECT_PATHS.some((p) => target.startsWith(p));
-    if (!isAllowed) {
-      return {
-        safe: false,
-        error: `Redirect to '${target}' is not in allowed paths`,
-        suggestion: `Redirect output to /tmp/ or /root/ paths. Example: > /tmp/output.txt`
-      };
+  const redirects = extractRedirectTargets(command);
+  for (const { type, fd, target } of redirects) {
+    if (type === ">" || type === ">>") {
+      if (target.startsWith("&") || target === "/dev/null") continue;
+      const isAllowed = SAFE_REDIRECT_PATHS.some((p) => target.startsWith(p));
+      if (!isAllowed) {
+        return {
+          isSafe: false,
+          error: `Redirect to '${target}' is not in allowed paths`,
+          suggestion: `Redirect output to ${WORK_DIR}/ paths. Example: > ${WORK_DIR}/output.txt`
+        };
+      }
+    } else if (type === "<") {
+      const isAllowed = SAFE_REDIRECT_PATHS.some((p) => target.startsWith(p));
+      if (!isAllowed) {
+        return {
+          isSafe: false,
+          error: `Input redirect from '${target}' is not in allowed paths`,
+          suggestion: `Input redirect only from ${WORK_DIR}/ paths.`
+        };
+      }
     }
   }
-  const inputRedirectPattern = /<\s*([^\s|;&]+)/g;
-  while ((match = inputRedirectPattern.exec(command)) !== null) {
-    const source = match[1];
-    const isAllowed = SAFE_REDIRECT_PATHS.some((p) => source.startsWith(p));
-    if (!isAllowed) {
-      return {
-        safe: false,
-        error: `Input redirect from '${source}' is not in allowed paths`,
-        suggestion: `Input redirect only from /tmp/ or /root/ paths.`
-      };
+  return { isSafe: true };
+}
+function extractRedirectTargets(command) {
+  const redirects = [];
+  let inSingle = false;
+  let inDouble = false;
+  let i = 0;
+  while (i < command.length) {
+    const ch = command[i];
+    if (ch === "'" && !inDouble) {
+      inSingle = !inSingle;
+      i++;
+      continue;
     }
+    if (ch === '"' && !inSingle) {
+      inDouble = !inDouble;
+      i++;
+      continue;
+    }
+    if (!inSingle && !inDouble) {
+      if (ch === ">" || ch === "<") {
+        const isAppend = ch === ">" && command[i + 1] === ">";
+        const type = isAppend ? ">>" : ch;
+        const jump = isAppend ? 2 : 1;
+        let fd = "";
+        if (ch === ">") {
+          let b = i - 1;
+          while (b >= 0 && /\d/.test(command[b])) {
+            fd = command[b] + fd;
+            b--;
+          }
+        }
+        i += jump;
+        while (i < command.length && /\s/.test(command[i])) i++;
+        let target = "";
+        let targetInSingle = false;
+        let targetInDouble = false;
+        while (i < command.length) {
+          const tc = command[i];
+          if (tc === "'" && !targetInDouble) {
+            targetInSingle = !targetInSingle;
+            i++;
+            continue;
+          }
+          if (tc === '"' && !targetInSingle) {
+            targetInDouble = !targetInDouble;
+            i++;
+            continue;
+          }
+          if (!targetInSingle && !targetInDouble && /[\s|;&<>]/.test(tc)) break;
+          target += tc;
+          i++;
+        }
+        if (target) {
+          redirects.push({ type, fd, target });
+        }
+        continue;
+      }
+    }
+    i++;
   }
-  return { safe: true };
+  return redirects;
 }
 function extractBinary(command) {
   const parts = command.trim().split(/\s+/);
@@ -1514,7 +1647,7 @@ function clearCommandEventEmitter() {
 async function runCommand(command, args = [], options = {}) {
   const fullCommand = args.length > 0 ? `${command} ${args.join(" ")}` : command;
   const validation = validateCommand(fullCommand);
-  if (!validation.safe) {
+  if (!validation.isSafe) {
     return {
       success: false,
       output: "",
@@ -1688,6 +1821,34 @@ function createTempFile(suffix = "") {
   return join2(tmpdir(), generateTempFilename(suffix));
 }
 
+// src/shared/constants/files.ts
+var FILE_EXTENSIONS = {
+  // Data formats
+  JSON: ".json",
+  MARKDOWN: ".md",
+  TXT: ".txt",
+  XML: ".xml",
+  // Network capture
+  PCAP: ".pcap",
+  HOSTS: ".hosts",
+  MITM: ".mitm",
+  // Process I/O
+  STDOUT: ".stdout",
+  STDERR: ".stderr",
+  STDIN: ".stdin",
+  // Scripts
+  SH: ".sh",
+  PY: ".py",
+  CJS: ".cjs",
+  // Config
+  ENV: ".env",
+  BAK: ".bak"
+};
+var SPECIAL_FILES = {
+  LATEST_STATE: "latest.json",
+  README: "README.md"
+};
+
 // src/engine/process-cleanup.ts
 import { unlinkSync } from "fs";
 
@@ -1877,9 +2038,9 @@ function logEvent(processId, event, detail) {
 }
 function startBackgroundProcess(command, options = {}) {
   const processId = generatePrefixedId("bg");
-  const stdoutFile = createTempFile(".stdout");
-  const stderrFile = createTempFile(".stderr");
-  const stdinFile = createTempFile(".stdin");
+  const stdoutFile = createTempFile(FILE_EXTENSIONS.STDOUT);
+  const stderrFile = createTempFile(FILE_EXTENSIONS.STDERR);
+  const stdinFile = createTempFile(FILE_EXTENSIONS.STDIN);
   const { tags, port, role, isInteractive } = detectProcessRole(command);
   let wrappedCmd;
   if (isInteractive) {
@@ -2531,13 +2692,13 @@ var AttackGraph = class {
    * Record a credential discovery and create spray edges.
    */
   addCredential(username, password, source) {
-    const credId = this.addNode("credential", `${username}:***`, {
+    const credId = this.addNode(NODE_TYPE.CREDENTIAL, `${username}:***`, {
       username,
       password,
       source
     });
     for (const [id, node] of this.nodes) {
-      if (node.type === "service") {
+      if (node.type === NODE_TYPE.SERVICE) {
         const svc = String(node.data.service || "");
         if (["ssh", "ftp", "rdp", "smb", "http", "mysql", "postgresql", "mssql", "winrm", "vnc", "telnet"].some((s) => svc.includes(s))) {
           this.addEdge(credId, id, "can_try_on", 0.6);
@@ -2550,7 +2711,7 @@ var AttackGraph = class {
    * Record a vulnerability finding.
    */
   addVulnerability(title, target, severity, hasExploit = false) {
-    const vulnId = this.addNode("vulnerability", title, {
+    const vulnId = this.addNode(NODE_TYPE.VULNERABILITY, title, {
       target,
       severity,
       hasExploit
@@ -2561,7 +2722,7 @@ var AttackGraph = class {
       }
     }
     if (hasExploit) {
-      const accessId = this.addNode("access", `shell via ${title}`, {
+      const accessId = this.addNode(NODE_TYPE.ACCESS, `shell via ${title}`, {
         via: title,
         status: GRAPH_STATUS.POTENTIAL
       });
@@ -2573,14 +2734,14 @@ var AttackGraph = class {
    * Record gained access.
    */
   addAccess(host, level, via) {
-    const accessId = this.addNode("access", `${level}@${host}`, {
+    const accessId = this.addNode(NODE_TYPE.ACCESS, `${level}@${host}`, {
       host,
       level,
       via
     });
     this.markSucceeded(accessId);
     if (["root", "admin", "SYSTEM", "Administrator"].includes(level)) {
-      const lootId = this.addNode("loot", `flags on ${host}`, {
+      const lootId = this.addNode(NODE_TYPE.LOOT, `flags on ${host}`, {
         host,
         status: GRAPH_STATUS.NEEDS_SEARCH
       });
@@ -2592,7 +2753,7 @@ var AttackGraph = class {
    * Record OSINT discovery (Docker image, GitHub repo, company info, etc.)
    */
   addOSINT(category, detail, data = {}) {
-    const osintId = this.addNode("osint", `${category}: ${detail}`, {
+    const osintId = this.addNode(NODE_TYPE.OSINT, `${category}: ${detail}`, {
       category,
       detail,
       ...data
@@ -2979,7 +3140,7 @@ var WorkingMemory = class {
     const lines = ["<working-memory>"];
     if (failures.length > 0) {
       lines.push(`\u26A0\uFE0F FAILED ATTEMPTS (${failures.length} \u2014 DO NOT REPEAT):`);
-      for (const f of failures.slice(-5)) {
+      for (const f of failures.slice(-DISPLAY_LIMITS.RECENT_FAILURES)) {
         lines.push(`  \u2717 ${f.content}`);
       }
     }
@@ -2989,13 +3150,13 @@ var WorkingMemory = class {
     }
     if (successes.length > 0) {
       lines.push(`\u2705 RECENT SUCCESSES (${successes.length}):`);
-      for (const s of successes.slice(-3)) {
+      for (const s of successes.slice(-DISPLAY_LIMITS.RECENT_SUCCESSES)) {
         lines.push(`  \u2713 ${s.content}`);
       }
     }
     if (insights.length > 0) {
       lines.push(`\u{1F4A1} INSIGHTS:`);
-      for (const i of insights.slice(-3)) {
+      for (const i of insights.slice(-DISPLAY_LIMITS.RECENT_INSIGHTS)) {
         lines.push(`  \u2192 ${i.content}`);
       }
     }
@@ -3048,9 +3209,9 @@ var EpisodicMemory = class {
   toPrompt() {
     if (this.events.length === 0) return "";
     const lines = ["<session-timeline>"];
-    const recent = this.events.slice(-10);
+    const recent = this.events.slice(-DISPLAY_LIMITS.RECENT_MEMORY_EVENTS);
     for (const e of recent) {
-      const mins = Math.floor((Date.now() - e.timestamp) / 6e4);
+      const mins = Math.floor((Date.now() - e.timestamp) / MS_PER_MINUTE);
       const icon = {
         tool_success: "\u2705",
         tool_failure: "\u274C",
@@ -3069,7 +3230,6 @@ var EpisodicMemory = class {
     this.events = [];
   }
 };
-var MEMORY_DIR = "/tmp/pentesting-memory";
 var MEMORY_FILE = join3(MEMORY_DIR, "persistent-knowledge.json");
 var PersistentMemory = class {
   knowledge;
@@ -3186,7 +3346,7 @@ var DynamicTechniqueLibrary = class {
     });
     if (this.techniques.length > this.maxTechniques) {
       this.techniques.sort((a, b) => {
-        if (a.verified !== b.verified) return a.verified ? -1 : 1;
+        if (a.isVerified !== b.isVerified) return a.isVerified ? -1 : 1;
         return b.learnedAt - a.learnedAt;
       });
       this.techniques = this.techniques.slice(0, this.maxTechniques);
@@ -3222,7 +3382,7 @@ var DynamicTechniqueLibrary = class {
         source: `Web search: "${query}"`,
         technique: tech,
         applicableTo,
-        verified: false,
+        isVerified: false,
         fromQuery: query
       });
     }
@@ -3233,7 +3393,7 @@ var DynamicTechniqueLibrary = class {
   verify(techniqueSubstring) {
     for (const t of this.techniques) {
       if (t.technique.toLowerCase().includes(techniqueSubstring.toLowerCase())) {
-        t.verified = true;
+        t.isVerified = true;
       }
     }
   }
@@ -3261,8 +3421,8 @@ var DynamicTechniqueLibrary = class {
    */
   toPrompt() {
     if (this.techniques.length === 0) return "";
-    const verified = this.techniques.filter((t) => t.verified);
-    const unverified = this.techniques.filter((t) => !t.verified);
+    const verified = this.techniques.filter((t) => t.isVerified);
+    const unverified = this.techniques.filter((t) => !t.isVerified);
     const lines = ["<learned-techniques>"];
     if (verified.length > 0) {
       lines.push("VERIFIED (worked in this session):");
@@ -3539,8 +3699,8 @@ var SharedState = class {
     return this.data.currentPhase;
   }
   // --- CTF Mode ---
-  setCtfMode(enabled) {
-    this.data.ctfMode = enabled;
+  setCtfMode(shouldEnable) {
+    this.data.ctfMode = shouldEnable;
   }
   isCtfMode() {
     return this.data.ctfMode;
@@ -3826,20 +3986,6 @@ var ScopeGuard = class {
 };
 
 // src/engine/approval.ts
-var CATEGORY_APPROVAL = {
-  [SERVICE_CATEGORIES.NETWORK]: APPROVAL_LEVELS.CONFIRM,
-  [SERVICE_CATEGORIES.WEB]: APPROVAL_LEVELS.CONFIRM,
-  [SERVICE_CATEGORIES.DATABASE]: APPROVAL_LEVELS.REVIEW,
-  [SERVICE_CATEGORIES.AD]: APPROVAL_LEVELS.REVIEW,
-  [SERVICE_CATEGORIES.EMAIL]: APPROVAL_LEVELS.CONFIRM,
-  [SERVICE_CATEGORIES.REMOTE_ACCESS]: APPROVAL_LEVELS.REVIEW,
-  [SERVICE_CATEGORIES.FILE_SHARING]: APPROVAL_LEVELS.CONFIRM,
-  [SERVICE_CATEGORIES.CLOUD]: APPROVAL_LEVELS.REVIEW,
-  [SERVICE_CATEGORIES.CONTAINER]: APPROVAL_LEVELS.REVIEW,
-  [SERVICE_CATEGORIES.API]: APPROVAL_LEVELS.CONFIRM,
-  [SERVICE_CATEGORIES.WIRELESS]: APPROVAL_LEVELS.REVIEW,
-  [SERVICE_CATEGORIES.ICS]: APPROVAL_LEVELS.BLOCK
-};
 var ApprovalGate = class {
   constructor(shouldAutoApprove = false) {
     this.shouldAutoApprove = shouldAutoApprove;
@@ -3847,8 +3993,8 @@ var ApprovalGate = class {
   /**
    * Set auto-approve mode
    */
-  setAutoApprove(enabled) {
-    this.shouldAutoApprove = enabled;
+  setAutoApprove(shouldEnable) {
+    this.shouldAutoApprove = shouldEnable;
   }
   /**
    * Get current auto-approve mode
@@ -4143,7 +4289,7 @@ function autoExtractStructured(toolName, output) {
     data.vulnerabilities = vulns;
     hasData = true;
   }
-  if (toolName === "parse_nmap" || /nmap scan report/i.test(output)) {
+  if (toolName === TOOL_NAMES.PARSE_NMAP || /nmap scan report/i.test(output)) {
     const nmap = extractNmapStructured(output);
     if (nmap.structured.openPorts && nmap.structured.openPorts.length > 0) {
       data.openPorts = nmap.structured.openPorts;
@@ -4548,7 +4694,8 @@ Used ports: ${usedPorts.join(", ")}
 [!] STRATEGY ADAPTATION REQUIRED:
 1. Try the next available port (e.g., ${nextPort} or 4445, 9001)
 2. If this is for a listener, update your Mission/Checklist with the NEW port so other agents know.
-3. Check bg_process({ action: "list" }) to see if you can stop the conflicting process.`
+3. Check bg_process({ action: "list" }) to see if you can stop the conflicting process.`,
+              error: `Port ${requestedPort} already in use`
             };
           }
         }
@@ -4695,7 +4842,7 @@ ${output.stderr.slice(-SYSTEM_LIMITS.MAX_STDERR_SLICE) || "(empty)"}` + connecti
           if (!cmd) return { success: false, output: "", error: "Missing command for interact. Provide the command to execute on the target." };
           const waitMs = Math.min(params.wait_ms || SYSTEM_LIMITS.DEFAULT_WAIT_MS_INTERACT, SYSTEM_LIMITS.MAX_WAIT_MS_INTERACT);
           const result2 = await sendToProcess(processId, cmd, waitMs);
-          if (!result2.success) return { success: false, output: result2.output };
+          if (!result2.success) return { success: false, output: result2.output, error: result2.output };
           return {
             success: true,
             output: `Command sent: ${cmd}
@@ -4711,7 +4858,7 @@ ${result2.output}`
           if (!processId) return { success: false, output: "", error: "Missing process_id for promote" };
           const desc = params.description;
           const success = promoteToShell(processId, desc);
-          if (!success) return { success: false, output: `Process ${processId} not found` };
+          if (!success) return { success: false, output: `Process ${processId} not found`, error: `Process ${processId} not found` };
           return {
             success: true,
             output: `[OK] Process ${processId} promoted to ACTIVE SHELL.
@@ -4861,7 +5008,8 @@ Examples:
       if (!validPhases.includes(newPhase)) {
         return {
           success: false,
-          output: `Invalid phase. Valid phases: ${validPhases.join(", ")}`
+          output: `Invalid phase. Valid phases: ${validPhases.join(", ")}`,
+          error: `Invalid phase: ${newPhase}`
         };
       }
       state.setPhase(newPhase);
@@ -4989,6 +5137,36 @@ function formatValidation(result2) {
 }
 
 // src/engine/tools/pentest-target-tools.ts
+function isPortArray(value) {
+  if (!Array.isArray(value)) return false;
+  return value.every(
+    (item) => typeof item === "object" && item !== null && typeof item.port === "number"
+  );
+}
+function parsePorts(value) {
+  return isPortArray(value) ? value : [];
+}
+function isValidSeverity(value) {
+  return typeof value === "string" && Object.values(SEVERITIES).includes(value);
+}
+function parseSeverity(value) {
+  return isValidSeverity(value) ? value : "medium";
+}
+function isValidLootType(value) {
+  return typeof value === "string" && Object.values(LOOT_TYPES).includes(value);
+}
+function parseLootType(value) {
+  return isValidLootType(value) ? value : "file";
+}
+function isValidAttackTactic(value) {
+  return typeof value === "string" && Object.values(ATTACK_TACTICS).includes(value);
+}
+function parseStringArray(value) {
+  return Array.isArray(value) && value.every((v) => typeof v === "string") ? value : [];
+}
+function parseString(value, defaultValue = "") {
+  return typeof value === "string" ? value : defaultValue;
+}
 var createTargetTools = (state) => [
   {
     name: TOOL_NAMES.ADD_TARGET,
@@ -5020,10 +5198,10 @@ The target will be tracked in SharedState and available for all agents.`,
     },
     required: ["ip"],
     execute: async (p) => {
-      const ip = p.ip;
+      const ip = parseString(p.ip);
       const existing = state.getTarget(ip);
       if (existing) {
-        const newPorts = p.ports || [];
+        const newPorts = parsePorts(p.ports);
         for (const np of newPorts) {
           const exists = existing.ports.some((ep) => ep.port === np.port);
           if (!exists) {
@@ -5037,11 +5215,11 @@ The target will be tracked in SharedState and available for all agents.`,
             state.attackGraph.addService(ip, np.port, np.service || "unknown", np.version);
           }
         }
-        if (p.hostname) existing.hostname = p.hostname;
-        if (p.tags) existing.tags = [.../* @__PURE__ */ new Set([...existing.tags, ...p.tags])];
+        if (p.hostname) existing.hostname = parseString(p.hostname);
+        if (p.tags) existing.tags = [.../* @__PURE__ */ new Set([...existing.tags, ...parseStringArray(p.tags)])];
         return { success: true, output: `Target ${ip} updated. Total ports: ${existing.ports.length}` };
       }
-      const ports = (p.ports || []).map((port) => ({
+      const ports = parsePorts(p.ports).map((port) => ({
         port: port.port,
         service: port.service || "unknown",
         version: port.version,
@@ -5050,9 +5228,9 @@ The target will be tracked in SharedState and available for all agents.`,
       }));
       state.addTarget({
         ip,
-        hostname: p.hostname,
+        hostname: parseString(p.hostname) || void 0,
         ports,
-        tags: p.tags || [],
+        tags: parseStringArray(p.tags),
         firstSeen: Date.now()
       });
       return { success: true, output: `Target ${ip} added.${p.hostname ? ` Hostname: ${p.hostname}` : ""} Ports: ${ports.length}` };
@@ -5071,30 +5249,30 @@ Types: credential, hash, token, ssh_key, api_key, file, session, ticket, certifi
     },
     required: ["type", "host", "detail"],
     execute: async (p) => {
-      const lootType = p.type;
+      const lootTypeStr = parseString(p.type);
       const crackableTypes = ["hash"];
-      const detail = p.detail;
-      const host = p.host;
+      const detail = parseString(p.detail);
+      const host = parseString(p.host);
       state.addLoot({
-        type: lootType,
+        type: parseLootType(lootTypeStr),
         host,
         detail,
         obtainedAt: Date.now(),
-        isCrackable: crackableTypes.includes(lootType),
+        isCrackable: crackableTypes.includes(lootTypeStr),
         isCracked: false
       });
-      if (["credential", "token", "ssh_key", "api_key"].includes(lootType)) {
+      if (["credential", "token", "ssh_key", "api_key"].includes(lootTypeStr)) {
         const parts = detail.split(":");
         if (parts.length >= 2) {
           state.attackGraph.addCredential(parts[0], parts.slice(1).join(":"), host);
         }
       }
-      state.episodicMemory.record("access_gained", `Loot [${lootType}] from ${host}: ${detail.slice(0, DISPLAY_LIMITS.MEMORY_EVENT_PREVIEW)}`);
+      state.episodicMemory.record("access_gained", `Loot [${lootTypeStr}] from ${host}: ${detail.slice(0, DISPLAY_LIMITS.MEMORY_EVENT_PREVIEW)}`);
       return {
         success: true,
-        output: `Loot recorded: [${lootType}] from ${host}
+        output: `Loot recorded: [${lootTypeStr}] from ${host}
 Detail: ${detail}
-` + (crackableTypes.includes(lootType) ? `This is crackable. Consider: hash_crack({ hashes: "${detail.slice(0, DISPLAY_LIMITS.LOOT_DETAIL_PREVIEW)}..." })` : `Consider credential reuse / lateral movement with this loot.`)
+` + (crackableTypes.includes(lootTypeStr) ? `This is crackable. Consider: hash_crack({ hashes: "${detail.slice(0, DISPLAY_LIMITS.LOOT_DETAIL_PREVIEW)}..." })` : `Consider credential reuse / lateral movement with this loot.`)
       };
     }
   },
@@ -5113,12 +5291,13 @@ Findings without evidence are marked as UNVERIFIED and have low credibility.`,
     },
     required: ["title", "severity", "description", "evidence"],
     execute: async (p) => {
-      const evidence = p.evidence || [];
-      const title = p.title;
-      const severity = p.severity;
-      const affected = p.affected || [];
-      const description = p.description || "";
+      const evidence = parseStringArray(p.evidence);
+      const title = parseString(p.title);
+      const severity = parseSeverity(p.severity);
+      const affected = parseStringArray(p.affected);
+      const description = parseString(p.description);
       const validation = validateFinding(evidence, severity);
+      const attackPattern = parseString(p.attackPattern);
       state.addFinding({
         id: generateId(AGENT_LIMITS.ID_RADIX, AGENT_LIMITS.ID_LENGTH),
         title,
@@ -5129,7 +5308,7 @@ Findings without evidence are marked as UNVERIFIED and have low credibility.`,
         isVerified: validation.isVerified,
         remediation: "",
         foundAt: Date.now(),
-        ...p.attackPattern ? { attackPattern: p.attackPattern } : {}
+        ...attackPattern && isValidAttackTactic(attackPattern) ? { attackPattern } : {}
       });
       const hasExploit = validation.isVerified;
       const target = affected[0] || "unknown";
@@ -5147,7 +5326,7 @@ ${formatValidation(validation)}`
   }
 ];
 
-// src/engine/tools-mid.ts
+// src/engine/tools/intel-utils.ts
 import { execFileSync } from "child_process";
 
 // src/shared/utils/config.ts
@@ -5160,7 +5339,7 @@ var ENV_KEYS = {
   THINKING: "PENTEST_THINKING",
   THINKING_BUDGET: "PENTEST_THINKING_BUDGET"
 };
-var DEFAULT_SEARCH_API_URL = "https://api.search.brave.com/res/v1/web/search";
+var DEFAULT_SEARCH_API_URL = "https://open.bigmodel.cn/api/paas/v4/tools/web-search-pro";
 function getApiKey() {
   return process.env[ENV_KEYS.API_KEY] || "";
 }
@@ -5171,7 +5350,10 @@ function getModel() {
   return process.env[ENV_KEYS.MODEL] || "";
 }
 function getSearchApiKey() {
-  return process.env[ENV_KEYS.SEARCH_API_KEY];
+  if (process.env[ENV_KEYS.SEARCH_API_KEY]) {
+    return process.env[ENV_KEYS.SEARCH_API_KEY];
+  }
+  return process.env[ENV_KEYS.API_KEY];
 }
 function getSearchApiUrl() {
   return process.env[ENV_KEYS.SEARCH_API_URL] || DEFAULT_SEARCH_API_URL;
@@ -5543,50 +5725,60 @@ var DEFAULT_BROWSER_OPTIONS = {
 
 // src/engine/tools/web-browser.ts
 async function browseUrl(url, options = {}) {
-  const browserOptions = { ...DEFAULT_BROWSER_OPTIONS, ...options };
-  const { installed, browserInstalled } = await checkPlaywright();
-  if (!installed || !browserInstalled) {
-    const installResult = await installPlaywright();
-    if (!installResult.success) {
+  try {
+    const browserOptions = { ...DEFAULT_BROWSER_OPTIONS, ...options };
+    const { installed, browserInstalled } = await checkPlaywright();
+    if (!installed || !browserInstalled) {
+      const installResult = await installPlaywright();
+      if (!installResult.success) {
+        return {
+          success: false,
+          output: "",
+          error: `Playwright not available and auto-install failed: ${installResult.output}`
+        };
+      }
+    }
+    const screenshotPath = browserOptions.screenshot ? join6(join6(tmpdir3(), BROWSER_PATHS.TEMP_DIR_NAME), `screenshot-${Date.now()}.png`) : void 0;
+    const script = buildBrowseScript(url, browserOptions, screenshotPath);
+    const result2 = await runPlaywrightScript(script, browserOptions.timeout, "browse");
+    if (!result2.success) {
       return {
         success: false,
-        output: "",
-        error: `Playwright not available and auto-install failed: ${installResult.output}`
+        output: result2.output,
+        error: result2.error
+      };
+    }
+    if (result2.parsedData) {
+      return {
+        success: true,
+        output: formatBrowserOutput(result2.parsedData, browserOptions),
+        screenshots: screenshotPath ? [screenshotPath] : void 0,
+        extractedData: result2.parsedData
       };
     }
-  }
-  const screenshotPath = browserOptions.screenshot ? join6(join6(tmpdir3(), BROWSER_PATHS.TEMP_DIR_NAME), `screenshot-${Date.now()}.png`) : void 0;
-  const script = buildBrowseScript(url, browserOptions, screenshotPath);
-  const result2 = await runPlaywrightScript(script, browserOptions.timeout, "browse");
-  if (!result2.success) {
     return {
-      success: false,
-      output: result2.output,
-      error: result2.error
+      success: true,
+      output: result2.output || "Navigation completed",
+      screenshots: screenshotPath ? [screenshotPath] : void 0
     };
-  }
-  if (result2.parsedData) {
+  } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
     return {
-      success: true,
-      output: formatBrowserOutput(result2.parsedData, browserOptions),
-      screenshots: screenshotPath ? [screenshotPath] : void 0,
-      extractedData: result2.parsedData
+      success: false,
+      output: "",
+      error: `Browser error: ${msg}`
     };
   }
-  return {
-    success: true,
-    output: result2.output || "Navigation completed",
-    screenshots: screenshotPath ? [screenshotPath] : void 0
-  };
 }
 async function fillAndSubmitForm(url, formData, options = {}) {
-  const browserOptions = { ...DEFAULT_BROWSER_OPTIONS, ...options };
-  const safeUrl = safeJsString(url);
-  const safeFormData = JSON.stringify(formData);
-  const playwrightPath = getPlaywrightPath();
-  const safePlaywrightPath = safeJsString(playwrightPath);
-  const headlessMode = process.env.HEADLESS !== "false";
-  const script = `
+  try {
+    const browserOptions = { ...DEFAULT_BROWSER_OPTIONS, ...options };
+    const safeUrl = safeJsString(url);
+    const safeFormData = JSON.stringify(formData);
+    const playwrightPath = getPlaywrightPath();
+    const safePlaywrightPath = safeJsString(playwrightPath);
+    const headlessMode = process.env.HEADLESS !== "false";
+    const script = `
 const { chromium } = require(${safePlaywrightPath});
 
 (async () => {
@@ -5626,27 +5818,35 @@ const { chromium } = require(${safePlaywrightPath});
     }
 })();
 `;
-  const result2 = await runPlaywrightScript(script, browserOptions.timeout, "form");
-  if (!result2.success) {
+    const result2 = await runPlaywrightScript(script, browserOptions.timeout, "form");
+    if (!result2.success) {
+      return {
+        success: false,
+        output: result2.output,
+        error: result2.error
+      };
+    }
+    if (result2.parsedData) {
+      const data = result2.parsedData;
+      return {
+        success: true,
+        output: `Form submitted. Current URL: ${data.url}
+Title: ${data.title}`,
+        extractedData: result2.parsedData
+      };
+    }
     return {
-      success: false,
-      output: result2.output,
-      error: result2.error
+      success: true,
+      output: result2.output || "Form submitted"
     };
-  }
-  if (result2.parsedData) {
-    const data = result2.parsedData;
+  } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
     return {
-      success: true,
-      output: `Form submitted. Current URL: ${data.url}
-Title: ${data.title}`,
-      extractedData: result2.parsedData
+      success: false,
+      output: "",
+      error: `Form submission error: ${msg}`
     };
   }
-  return {
-    success: true,
-    output: result2.output || "Form submitted"
-  };
 }
 async function webSearchWithBrowser(query, engine = "google") {
   const searchUrls = {
@@ -5663,6 +5863,7 @@ async function webSearchWithBrowser(query, engine = "google") {
 }
 
 // src/engine/web-search-providers.ts
+var SEARCH_TIMEOUT_MS = 15e3;
 function getErrorMessage(error) {
   return error instanceof Error ? error.message : String(error);
 }
@@ -5670,25 +5871,43 @@ async function searchWithGLM(query, apiKey, apiUrl) {
   debugLog("search", "GLM request START", { apiUrl, query });
   const requestBody = {
     model: "web-search-pro",
-    messages: [{ role: "user", content: query }],
+    messages: [{ role: LLM_ROLES.USER, content: query }],
     stream: false
   };
   debugLog("search", "GLM request body", requestBody);
-  const response = await fetch(apiUrl, {
-    method: "POST",
-    headers: {
-      [SEARCH_HEADER.CONTENT_TYPE]: "application/json",
-      [SEARCH_HEADER.AUTHORIZATION]: `Bearer ${apiKey}`
-    },
-    body: JSON.stringify(requestBody)
-  });
+  let response;
+  try {
+    response = await fetch(apiUrl, {
+      method: "POST",
+      headers: {
+        [SEARCH_HEADER.CONTENT_TYPE]: "application/json",
+        [SEARCH_HEADER.AUTHORIZATION]: `Bearer ${apiKey}`
+      },
+      body: JSON.stringify(requestBody),
+      signal: AbortSignal.timeout(SEARCH_TIMEOUT_MS)
+    });
+  } catch (err) {
+    const msg = getErrorMessage(err);
+    debugLog("search", "GLM fetch FAILED (network)", { error: msg });
+    return { success: false, output: "", error: `GLM search network error: ${msg}. Check internet connection or API endpoint.` };
+  }
   debugLog("search", "GLM response status", { status: response.status, ok: response.ok });
   if (!response.ok) {
-    const errorText = await response.text();
+    let errorText = "";
+    try {
+      errorText = await response.text();
+    } catch {
+    }
     debugLog("search", "GLM response ERROR", { status: response.status, error: errorText });
-    throw new Error(`GLM Search API error: ${response.status} - ${errorText}`);
+    return { success: false, output: "", error: `GLM Search API error ${response.status}: ${errorText.slice(0, 500)}` };
+  }
+  let data;
+  try {
+    data = await response.json();
+  } catch (err) {
+    debugLog("search", "GLM JSON parse FAILED", { error: getErrorMessage(err) });
+    return { success: false, output: "", error: `GLM search returned invalid JSON: ${getErrorMessage(err)}` };
   }
-  const data = await response.json();
   debugLog("search", "GLM response data", { hasChoices: !!data.choices, choicesCount: data.choices?.length });
   let results = "";
   if (data.choices?.[0]?.message?.content) {
@@ -5716,19 +5935,37 @@ async function searchWithBrave(query, apiKey, apiUrl) {
   debugLog("search", "Brave request START", { apiUrl, query });
   const url = `${apiUrl}?q=${encodeURIComponent(query)}&count=${SEARCH_LIMIT.DEFAULT_RESULT_COUNT}`;
   debugLog("search", "Brave request URL", { url });
-  const response = await fetch(url, {
-    headers: {
-      [SEARCH_HEADER.ACCEPT]: "application/json",
-      [SEARCH_HEADER.X_SUBSCRIPTION_TOKEN]: apiKey
-    }
-  });
+  let response;
+  try {
+    response = await fetch(url, {
+      headers: {
+        [SEARCH_HEADER.ACCEPT]: "application/json",
+        [SEARCH_HEADER.X_SUBSCRIPTION_TOKEN]: apiKey
+      },
+      signal: AbortSignal.timeout(SEARCH_TIMEOUT_MS)
+    });
+  } catch (err) {
+    const msg = getErrorMessage(err);
+    debugLog("search", "Brave fetch FAILED (network)", { error: msg });
+    return { success: false, output: "", error: `Brave search network error: ${msg}. Check internet connection.` };
+  }
   debugLog("search", "Brave response status", { status: response.status, ok: response.ok });
   if (!response.ok) {
-    const errorText = await response.text();
+    let errorText = "";
+    try {
+      errorText = await response.text();
+    } catch {
+    }
     debugLog("search", "Brave response ERROR", { status: response.status, error: errorText });
-    throw new Error(`Brave API error: ${response.status}`);
+    return { success: false, output: "", error: `Brave API error ${response.status}: ${errorText.slice(0, 500)}` };
+  }
+  let data;
+  try {
+    data = await response.json();
+  } catch (err) {
+    debugLog("search", "Brave JSON parse FAILED", { error: getErrorMessage(err) });
+    return { success: false, output: "", error: `Brave search returned invalid JSON: ${getErrorMessage(err)}` };
   }
-  const data = await response.json();
   const results = data.web?.results || [];
   debugLog("search", "Brave results count", { count: results.length });
   if (results.length === 0) {
@@ -5744,21 +5981,39 @@ async function searchWithBrave(query, apiKey, apiUrl) {
 }
 async function searchWithSerper(query, apiKey, apiUrl) {
   debugLog("search", "Serper request START", { apiUrl, query });
-  const response = await fetch(apiUrl, {
-    method: "POST",
-    headers: {
-      [SEARCH_HEADER.CONTENT_TYPE]: "application/json",
-      [SEARCH_HEADER.X_API_KEY]: apiKey
-    },
-    body: JSON.stringify({ q: query })
-  });
+  let response;
+  try {
+    response = await fetch(apiUrl, {
+      method: "POST",
+      headers: {
+        [SEARCH_HEADER.CONTENT_TYPE]: "application/json",
+        [SEARCH_HEADER.X_API_KEY]: apiKey
+      },
+      body: JSON.stringify({ q: query }),
+      signal: AbortSignal.timeout(SEARCH_TIMEOUT_MS)
+    });
+  } catch (err) {
+    const msg = getErrorMessage(err);
+    debugLog("search", "Serper fetch FAILED (network)", { error: msg });
+    return { success: false, output: "", error: `Serper search network error: ${msg}. Check internet connection.` };
+  }
   debugLog("search", "Serper response status", { status: response.status, ok: response.ok });
   if (!response.ok) {
-    const errorText = await response.text();
+    let errorText = "";
+    try {
+      errorText = await response.text();
+    } catch {
+    }
     debugLog("search", "Serper response ERROR", { status: response.status, error: errorText });
-    throw new Error(`Serper API error: ${response.status}`);
+    return { success: false, output: "", error: `Serper API error ${response.status}: ${errorText.slice(0, 500)}` };
+  }
+  let data;
+  try {
+    data = await response.json();
+  } catch (err) {
+    debugLog("search", "Serper JSON parse FAILED", { error: getErrorMessage(err) });
+    return { success: false, output: "", error: `Serper search returned invalid JSON: ${getErrorMessage(err)}` };
   }
-  const data = await response.json();
   const results = data.organic || [];
   debugLog("search", "Serper results count", { count: results.length });
   if (results.length === 0) {
@@ -5773,48 +6028,40 @@ async function searchWithSerper(query, apiKey, apiUrl) {
   return { success: true, output: formatted };
 }
 async function searchWithGenericApi(query, apiKey, apiUrl) {
-  const response = await fetch(apiUrl, {
-    method: "POST",
-    headers: {
-      [SEARCH_HEADER.CONTENT_TYPE]: "application/json",
-      [SEARCH_HEADER.AUTHORIZATION]: `Bearer ${apiKey}`,
-      [SEARCH_HEADER.X_API_KEY]: apiKey
-    },
-    body: JSON.stringify({ query, q: query })
-  });
+  let response;
+  try {
+    response = await fetch(apiUrl, {
+      method: "POST",
+      headers: {
+        [SEARCH_HEADER.CONTENT_TYPE]: "application/json",
+        [SEARCH_HEADER.AUTHORIZATION]: `Bearer ${apiKey}`,
+        [SEARCH_HEADER.X_API_KEY]: apiKey
+      },
+      body: JSON.stringify({ query, q: query }),
+      signal: AbortSignal.timeout(SEARCH_TIMEOUT_MS)
+    });
+  } catch (err) {
+    const msg = getErrorMessage(err);
+    return { success: false, output: "", error: `Search API network error: ${msg}. Check internet connection or API endpoint.` };
+  }
   if (!response.ok) {
-    const errorText = await response.text();
-    throw new Error(`Search API error: ${response.status} - ${errorText}`);
+    let errorText = "";
+    try {
+      errorText = await response.text();
+    } catch {
+    }
+    return { success: false, output: "", error: `Search API error ${response.status}: ${errorText.slice(0, 500)}` };
+  }
+  let data;
+  try {
+    data = await response.json();
+  } catch (err) {
+    return { success: false, output: "", error: `Search API returned invalid JSON: ${getErrorMessage(err)}` };
   }
-  const data = await response.json();
   return { success: true, output: JSON.stringify(data, null, 2) };
 }
-async function searchWithPlaywright(query) {
-  debugLog("search", "Playwright Google search START", { query });
-  try {
-    const result2 = await webSearchWithBrowser(query, "google");
-    if (!result2.success) {
-      return {
-        success: false,
-        output: "",
-        error: `Playwright search failed: ${result2.error}. Set SEARCH_API_KEY for reliable search (Brave API by default).`
-      };
-    }
-    debugLog("search", "Playwright Google search COMPLETE", { outputLength: result2.output.length });
-    return {
-      success: true,
-      output: result2.output || `No results found for: ${query}`
-    };
-  } catch (error) {
-    return {
-      success: false,
-      output: "",
-      error: `Playwright search error: ${getErrorMessage(error)}. Set SEARCH_API_KEY for reliable search (Brave API by default).`
-    };
-  }
-}
 
-// src/engine/tools-mid.ts
+// src/engine/tools/intel-utils.ts
 var PORT_STATE2 = {
   OPEN: "open",
   CLOSED: "closed",
@@ -5925,31 +6172,46 @@ async function searchExploitDB(service, version) {
 }
 async function webSearch(query, _engine) {
   debugLog("search", "webSearch START", { query });
+  const apiKey = getSearchApiKey();
+  const apiUrl = getSearchApiUrl();
+  debugLog("search", "Search API config", {
+    hasApiKey: !!apiKey,
+    apiUrl,
+    apiKeyPrefix: apiKey ? apiKey.slice(0, DISPLAY_LIMITS.API_KEY_PREFIX) + "..." : null
+  });
+  if (!apiKey) {
+    return {
+      success: false,
+      output: "",
+      error: `SEARCH_API_KEY is required for web search. Set it in your environment:
+
+  # Brave Search (recommended - free tier available)
+  export SEARCH_API_KEY=your_brave_api_key
+  # Get key at: https://brave.com/search/api/
+
+  # Or GLM Web Search (\u667A\u8C31 AI)
+  export SEARCH_API_KEY=your_glm_api_key
+  export SEARCH_API_URL=https://open.bigmodel.cn/api/paas/v4/tools/web-search-pro
+
+  # Or Serper (Google)
+  export SEARCH_API_KEY=your_serper_key
+  export SEARCH_API_URL=https://google.serper.dev/search`
+    };
+  }
   try {
-    const apiKey = getSearchApiKey();
-    const apiUrl = getSearchApiUrl();
-    debugLog("search", "Search API config", {
-      hasApiKey: !!apiKey,
-      apiUrl,
-      apiKeyPrefix: apiKey ? apiKey.slice(0, DISPLAY_LIMITS.API_KEY_PREFIX) + "..." : null
-    });
-    if (apiKey) {
-      if (apiUrl.includes(SEARCH_URL_PATTERN.GLM) || apiUrl.includes(SEARCH_URL_PATTERN.ZHIPU)) {
-        debugLog("search", "Using GLM search");
-        return await searchWithGLM(query, apiKey, apiUrl);
-      } else if (apiUrl.includes(SEARCH_URL_PATTERN.BRAVE)) {
-        debugLog("search", "Using Brave search");
-        return await searchWithBrave(query, apiKey, apiUrl);
-      } else if (apiUrl.includes(SEARCH_URL_PATTERN.SERPER)) {
-        debugLog("search", "Using Serper search");
-        return await searchWithSerper(query, apiKey, apiUrl);
-      } else {
-        debugLog("search", "Using generic search API");
-        return await searchWithGenericApi(query, apiKey, apiUrl);
-      }
+    if (apiUrl.includes(SEARCH_URL_PATTERN.GLM) || apiUrl.includes(SEARCH_URL_PATTERN.ZHIPU)) {
+      debugLog("search", "Using GLM search");
+      return await searchWithGLM(query, apiKey, apiUrl);
+    } else if (apiUrl.includes(SEARCH_URL_PATTERN.BRAVE)) {
+      debugLog("search", "Using Brave search");
+      return await searchWithBrave(query, apiKey, apiUrl);
+    } else if (apiUrl.includes(SEARCH_URL_PATTERN.SERPER)) {
+      debugLog("search", "Using Serper search");
+      return await searchWithSerper(query, apiKey, apiUrl);
+    } else {
+      debugLog("search", "Using generic search API");
+      return await searchWithGenericApi(query, apiKey, apiUrl);
     }
-    debugLog("search", "SEARCH_API_KEY not set \u2014 falling back to Playwright Google search");
-    return await searchWithPlaywright(query);
   } catch (error) {
     debugLog("search", "webSearch ERROR", { error: getErrorMessage2(error) });
     return {
@@ -6332,7 +6594,8 @@ ${results.join("\n\n")}`
         }
         return {
           success: false,
-          output: `Category ${category} not found in any edition.`
+          output: `Category ${category} not found in any edition.`,
+          error: `Category ${category} not found`
         };
       }
       if (edition === "all") {
@@ -6343,7 +6606,7 @@ ${results.join("\n\n")}`
       }
       const data = OWASP_FULL_HISTORY[edition];
       if (!data) {
-        return { success: false, output: `Year ${edition} not found in database. Reference 2017-2025.` };
+        return { success: false, output: `Year ${edition} not found in database. Reference 2017-2025.`, error: `Edition ${edition} not found` };
       }
       return {
         success: true,
@@ -6888,8 +7151,8 @@ Returns: All available wordlists with their paths, sizes, and categories.`,
       }
     },
     execute: async (p) => {
-      const { existsSync: existsSync10, statSync: statSync2, readdirSync: readdirSync3 } = await import("fs");
-      const { join: join12 } = await import("path");
+      const { existsSync: existsSync11, statSync: statSync3, readdirSync: readdirSync4 } = await import("fs");
+      const { join: join13 } = await import("path");
       const category = p.category || "";
       const search = p.search || "";
       const minSize = p.min_size || 0;
@@ -6925,7 +7188,7 @@ Returns: All available wordlists with their paths, sizes, and categories.`,
       const processFile = (fullPath, fileName) => {
         const ext = fileName.split(".").pop()?.toLowerCase();
         if (!WORDLIST_EXTENSIONS.has(ext || "")) return;
-        const stats = statSync2(fullPath);
+        const stats = statSync3(fullPath);
         if (stats.size < minSize) return;
         if (!matchesCategory(fullPath)) return;
         if (!matchesSearch(fullPath, fileName)) return;
@@ -6935,16 +7198,16 @@ Returns: All available wordlists with their paths, sizes, and categories.`,
         results.push("");
       };
       const scanDir = (dirPath, maxDepth = 3, depth = 0) => {
-        if (depth > maxDepth || !existsSync10(dirPath)) return;
+        if (depth > maxDepth || !existsSync11(dirPath)) return;
         let entries;
         try {
-          entries = readdirSync3(dirPath, { withFileTypes: true });
+          entries = readdirSync4(dirPath, { withFileTypes: true });
         } catch {
           return;
         }
         for (const entry of entries) {
           if (entry.name.startsWith(".") || SKIP_DIRS.has(entry.name)) continue;
-          const fullPath = join12(dirPath, entry.name);
+          const fullPath = join13(dirPath, entry.name);
           if (entry.isDirectory()) {
             scanDir(fullPath, maxDepth, depth + 1);
             continue;
@@ -7235,7 +7498,7 @@ Requires root/sudo privileges.`,
       const iface = p.interface || "any";
       const filter = p.filter || "";
       const duration = p.duration || NETWORK_CONFIG.DEFAULT_SNIFF_DURATION;
-      const outputFile = p.output_file || createTempFile(".pcap");
+      const outputFile = p.output_file || createTempFile(FILE_EXTENSIONS.PCAP);
       const count = p.count || NETWORK_CONFIG.DEFAULT_PACKET_COUNT;
       const extractCreds = p.extract_creds !== false;
       const filterFlag = filter ? `"${filter}"` : "";
@@ -7320,9 +7583,9 @@ Requires root/sudo privileges.`,
       const spoofIp = p.spoof_ip;
       const iface = p.interface || "";
       const duration = p.duration || NETWORK_CONFIG.DEFAULT_SPOOF_DURATION;
-      const hostsFile = createTempFile(".hosts");
-      const { writeFileSync: writeFileSync8 } = await import("fs");
-      writeFileSync8(hostsFile, `${spoofIp}	${domain}
+      const hostsFile = createTempFile(FILE_EXTENSIONS.HOSTS);
+      const { writeFileSync: writeFileSync9 } = await import("fs");
+      writeFileSync9(hostsFile, `${spoofIp}	${domain}
 ${spoofIp}	*.${domain}
 `);
       const ifaceFlag = iface ? `-i ${iface}` : "";
@@ -7372,7 +7635,7 @@ Combine with arp_spoof for transparent proxying.`,
       const port = p.port || NETWORK_CONFIG.DEFAULT_PROXY_PORT;
       const targetHost = p.target_host;
       const duration = p.duration || NETWORK_CONFIG.DEFAULT_SPOOF_DURATION;
-      const outputFile = p.output_file || createTempFile(".mitm");
+      const outputFile = p.output_file || createTempFile(FILE_EXTENSIONS.MITM);
       const sslInsecure = p.ssl_insecure !== false;
       let cmd;
       const sslFlag = sslInsecure ? "--ssl-insecure" : "";
@@ -7436,7 +7699,7 @@ This is a high-level tool that combines tcpdump capture with protocol analysis.`
       const iface = p.interface || "any";
       const protocols = p.protocols || "all";
       const duration = p.duration || NETWORK_CONFIG.DEFAULT_SNIFF_DURATION;
-      const outputFile = createTempFile(".pcap");
+      const outputFile = createTempFile(FILE_EXTENSIONS.PCAP);
       let bpfFilter = `host ${target}`;
       if (protocols !== "all") {
         const protoFilters = [];
@@ -7587,15 +7850,6 @@ var ZombieHunter = class {
   }
 };
 
-// src/shared/constants/orchestrator.ts
-var GRACEFUL_SHUTDOWN_WAIT_MS = 200;
-var PROCESS_OUTPUT_TRUNCATION_LIMIT = 1e4;
-var MS_PER_MINUTE = 6e4;
-var LONG_RUNNING_THRESHOLD_MS = 5 * MS_PER_MINUTE;
-var VERY_LONG_RUNNING_THRESHOLD_MS = 15 * MS_PER_MINUTE;
-var MAX_RECOMMENDATIONS_FOR_HEALTHY = 2;
-var DEFAULT_DIRECTIVE_FOCUS = PHASES.RECON;
-
 // src/engine/resource/health-monitor.ts
 var HEALTH_STATUS = {
   HEALTHY: "healthy",
@@ -7838,6 +8092,86 @@ Returns recommendations on process status, port conflicts, long-running tasks, e
   }
 ];
 
+// src/shared/constants/service-ports.ts
+var SERVICE_PORTS = {
+  SSH: 22,
+  FTP: 21,
+  TELNET: 23,
+  SMTP: 25,
+  DNS: 53,
+  HTTP: 80,
+  POP3: 110,
+  IMAP: 143,
+  SMB_NETBIOS: 139,
+  KERBEROS: 88,
+  LDAP: 389,
+  SMB: 445,
+  HTTPS: 443,
+  SMTPS: 465,
+  SMTP_TLS: 587,
+  MODBUS: 502,
+  IMAPS: 993,
+  POP3S: 995,
+  MSSQL: 1433,
+  MYSQL: 3306,
+  RDP: 3389,
+  POSTGRESQL: 5432,
+  VNC: 5900,
+  REDIS: 6379,
+  DOCKER_HTTP: 2375,
+  DOCKER_HTTPS: 2376,
+  KUBERNETES_API: 6443,
+  HTTP_ALT: 8080,
+  HTTPS_ALT: 8443,
+  NFS: 2049,
+  DNP3: 2e4,
+  MONGODB: 27017,
+  ELASTICSEARCH: 9200,
+  MEMCACHED: 11211,
+  NODE_DEFAULT: 3e3,
+  FLASK_DEFAULT: 5e3,
+  DJANGO_DEFAULT: 8e3
+};
+var CRITICAL_SERVICE_PORTS = [
+  SERVICE_PORTS.SSH,
+  SERVICE_PORTS.RDP,
+  SERVICE_PORTS.MYSQL,
+  SERVICE_PORTS.POSTGRESQL,
+  SERVICE_PORTS.REDIS,
+  SERVICE_PORTS.MONGODB
+];
+var NO_AUTH_CRITICAL_PORTS = [
+  SERVICE_PORTS.REDIS,
+  SERVICE_PORTS.MONGODB,
+  SERVICE_PORTS.ELASTICSEARCH,
+  SERVICE_PORTS.MEMCACHED
+];
+var WEB_SERVICE_PORTS = [
+  SERVICE_PORTS.HTTP,
+  SERVICE_PORTS.HTTPS,
+  SERVICE_PORTS.HTTP_ALT,
+  SERVICE_PORTS.HTTPS_ALT,
+  SERVICE_PORTS.NODE_DEFAULT,
+  SERVICE_PORTS.FLASK_DEFAULT,
+  SERVICE_PORTS.DJANGO_DEFAULT
+];
+var PLAINTEXT_HTTP_PORTS = [
+  SERVICE_PORTS.HTTP,
+  SERVICE_PORTS.HTTP_ALT,
+  SERVICE_PORTS.NODE_DEFAULT
+];
+var DATABASE_PORTS = [
+  SERVICE_PORTS.MYSQL,
+  SERVICE_PORTS.POSTGRESQL,
+  SERVICE_PORTS.MSSQL,
+  SERVICE_PORTS.MONGODB,
+  SERVICE_PORTS.REDIS
+];
+var SMB_PORTS = [
+  SERVICE_PORTS.SMB,
+  SERVICE_PORTS.SMB_NETBIOS
+];
+
 // src/domains/network/tools.ts
 var NETWORK_TOOLS = [
   {
@@ -7883,7 +8217,7 @@ var NETWORK_CONFIG2 = {
   tools: NETWORK_TOOLS,
   dangerLevel: DANGER_LEVELS.ACTIVE,
   defaultApproval: APPROVAL_LEVELS.CONFIRM,
-  commonPorts: [21, 22, 80, 443, 445, 3389, 8080],
+  commonPorts: [SERVICE_PORTS.FTP, SERVICE_PORTS.SSH, SERVICE_PORTS.HTTP, SERVICE_PORTS.HTTPS, SERVICE_PORTS.SMB, SERVICE_PORTS.RDP, SERVICE_PORTS.HTTP_ALT],
   commonServices: [SERVICES.FTP, SERVICES.SSH, SERVICES.HTTP, SERVICES.HTTPS, SERVICES.SMB]
 };
 
@@ -7946,7 +8280,7 @@ var WEB_CONFIG = {
   tools: WEB_TOOLS,
   dangerLevel: DANGER_LEVELS.ACTIVE,
   defaultApproval: APPROVAL_LEVELS.CONFIRM,
-  commonPorts: [80, 443, 8080],
+  commonPorts: [SERVICE_PORTS.HTTP, SERVICE_PORTS.HTTPS, SERVICE_PORTS.HTTP_ALT],
   commonServices: [SERVICES.HTTP, SERVICES.HTTPS]
 };
 
@@ -7981,12 +8315,12 @@ var DATABASE_TOOLS = [
     description: "MySQL enumeration - version, users, databases",
     parameters: {
       target: { type: "string", description: "Target IP/hostname" },
-      port: { type: "string", description: "Port (default 3306)" }
+      port: { type: "string", description: `Port (default ${SERVICE_PORTS.MYSQL})` }
     },
     required: ["target"],
     execute: async (params) => {
       const target = params.target;
-      const port = params.port || "3306";
+      const port = params.port || String(SERVICE_PORTS.MYSQL);
       return await runCommand("mysql", ["-h", target, "-P", port, "-e", "SELECT VERSION(), USER(), DATABASE();"]);
     }
   },
@@ -8007,12 +8341,12 @@ var DATABASE_TOOLS = [
     description: "Redis enumeration",
     parameters: {
       target: { type: "string", description: "Target IP" },
-      port: { type: "string", description: "Port (default 6379)" }
+      port: { type: "string", description: `Port (default ${SERVICE_PORTS.REDIS})` }
     },
     required: ["target"],
     execute: async (params) => {
       const target = params.target;
-      const port = params.port || "6379";
+      const port = params.port || String(SERVICE_PORTS.REDIS);
       return await runCommand("redis-cli", ["-h", target, "-p", port, "INFO"]);
     }
   },
@@ -8044,7 +8378,7 @@ var DATABASE_CONFIG = {
   tools: DATABASE_TOOLS,
   dangerLevel: DANGER_LEVELS.EXPLOIT,
   defaultApproval: APPROVAL_LEVELS.REVIEW,
-  commonPorts: [1433, 3306, 5432, 6379, 27017],
+  commonPorts: [SERVICE_PORTS.MSSQL, SERVICE_PORTS.MYSQL, SERVICE_PORTS.POSTGRESQL, SERVICE_PORTS.REDIS, SERVICE_PORTS.MONGODB],
   commonServices: [SERVICES.MYSQL, SERVICES.POSTGRES, SERVICES.REDIS, SERVICES.MONGODB]
 };
 
@@ -8097,7 +8431,7 @@ var AD_CONFIG = {
   tools: AD_TOOLS,
   dangerLevel: DANGER_LEVELS.EXPLOIT,
   defaultApproval: APPROVAL_LEVELS.REVIEW,
-  commonPorts: [88, 389, 445],
+  commonPorts: [SERVICE_PORTS.KERBEROS, SERVICE_PORTS.LDAP, SERVICE_PORTS.SMB],
   commonServices: [SERVICES.AD, SERVICES.SMB]
 };
 
@@ -8121,7 +8455,7 @@ var EMAIL_CONFIG = {
   tools: EMAIL_TOOLS,
   dangerLevel: DANGER_LEVELS.ACTIVE,
   defaultApproval: APPROVAL_LEVELS.CONFIRM,
-  commonPorts: [25, 110, 143, 465, 587, 993, 995],
+  commonPorts: [SERVICE_PORTS.SMTP, SERVICE_PORTS.POP3, SERVICE_PORTS.IMAP, SERVICE_PORTS.SMTPS, SERVICE_PORTS.SMTP_TLS, SERVICE_PORTS.IMAPS, SERVICE_PORTS.POP3S],
   commonServices: [SERVICES.SMTP, SERVICES.POP3, SERVICES.IMAP]
 };
 
@@ -8146,7 +8480,7 @@ var REMOTE_ACCESS_TOOLS = [
     },
     required: ["target"],
     execute: async (params) => {
-      return await runCommand("nmap", ["-p", "3389", "--script", "rdp-enum-encryption,rdp-ntlm-info", params.target]);
+      return await runCommand("nmap", ["-p", String(SERVICE_PORTS.RDP), "--script", "rdp-enum-encryption,rdp-ntlm-info", params.target]);
     }
   }
 ];
@@ -8156,7 +8490,7 @@ var REMOTE_ACCESS_CONFIG = {
   tools: REMOTE_ACCESS_TOOLS,
   dangerLevel: DANGER_LEVELS.ACTIVE,
   defaultApproval: APPROVAL_LEVELS.REVIEW,
-  commonPorts: [22, 3389, 5900],
+  commonPorts: [SERVICE_PORTS.SSH, SERVICE_PORTS.RDP, SERVICE_PORTS.VNC],
   commonServices: [SERVICES.SSH, SERVICES.RDP, SERVICES.VNC]
 };
 
@@ -8170,7 +8504,7 @@ var FILE_SHARING_TOOLS = [
     },
     required: ["target"],
     execute: async (params) => {
-      return await runCommand("nmap", ["-p", "21", "--script", "ftp-anon,ftp-syst", params.target]);
+      return await runCommand("nmap", ["-p", String(SERVICE_PORTS.FTP), "--script", "ftp-anon,ftp-syst", params.target]);
     }
   },
   {
@@ -8191,7 +8525,7 @@ var FILE_SHARING_CONFIG = {
   tools: FILE_SHARING_TOOLS,
   dangerLevel: DANGER_LEVELS.ACTIVE,
   defaultApproval: APPROVAL_LEVELS.CONFIRM,
-  commonPorts: [21, 139, 445, 2049],
+  commonPorts: [SERVICE_PORTS.FTP, SERVICE_PORTS.SMB_NETBIOS, SERVICE_PORTS.SMB, SERVICE_PORTS.NFS],
   commonServices: [SERVICES.FTP, SERVICES.SMB, SERVICES.NFS]
 };
 
@@ -8235,7 +8569,7 @@ var CLOUD_CONFIG = {
   tools: CLOUD_TOOLS,
   dangerLevel: DANGER_LEVELS.EXPLOIT,
   defaultApproval: APPROVAL_LEVELS.REVIEW,
-  commonPorts: [443],
+  commonPorts: [SERVICE_PORTS.HTTPS],
   commonServices: [SERVICES.HTTP, SERVICES.HTTPS]
 };
 
@@ -8270,7 +8604,7 @@ var CONTAINER_CONFIG = {
   tools: CONTAINER_TOOLS,
   dangerLevel: DANGER_LEVELS.EXPLOIT,
   defaultApproval: APPROVAL_LEVELS.REVIEW,
-  commonPorts: [2375, 2376, 5e3, 6443],
+  commonPorts: [SERVICE_PORTS.DOCKER_HTTP, SERVICE_PORTS.DOCKER_HTTPS, SERVICE_PORTS.FLASK_DEFAULT, SERVICE_PORTS.KUBERNETES_API],
   commonServices: [SERVICES.DOCKER, SERVICES.KUBERNETES]
 };
 
@@ -8333,7 +8667,7 @@ var API_CONFIG = {
   tools: API_TOOLS,
   dangerLevel: DANGER_LEVELS.ACTIVE,
   defaultApproval: APPROVAL_LEVELS.CONFIRM,
-  commonPorts: [3e3, 5e3, 8e3, 8080],
+  commonPorts: [SERVICE_PORTS.NODE_DEFAULT, SERVICE_PORTS.FLASK_DEFAULT, SERVICE_PORTS.DJANGO_DEFAULT, SERVICE_PORTS.HTTP_ALT],
   commonServices: [SERVICES.HTTP, SERVICES.HTTPS]
 };
 
@@ -8371,7 +8705,7 @@ var ICS_TOOLS = [
     },
     required: ["target"],
     execute: async (params) => {
-      return await runCommand("nmap", ["-p", "502", "--script", "modbus-discover", params.target]);
+      return await runCommand("nmap", ["-p", String(SERVICE_PORTS.MODBUS), "--script", "modbus-discover", params.target]);
     }
   }
 ];
@@ -8381,7 +8715,7 @@ var ICS_CONFIG = {
   tools: ICS_TOOLS,
   dangerLevel: DANGER_LEVELS.ACTIVE,
   defaultApproval: APPROVAL_LEVELS.BLOCK,
-  commonPorts: [502, 2e4],
+  commonPorts: [SERVICE_PORTS.MODBUS, SERVICE_PORTS.DNP3],
   commonServices: [SERVICES.MODBUS, SERVICES.DNP3]
 };
 
@@ -8443,8 +8777,18 @@ var ToolRegistry = class {
       this.logDeniedAction(toolCall, approval.reason || "Execution denied");
       return { success: false, output: "", error: approval.reason || "Denied by policy" };
     }
-    const result2 = await tool.execute(toolCall.input);
-    const command = String(toolCall.input.command || toolCall.input.url || toolCall.input.query || "");
+    let result2;
+    try {
+      result2 = await tool.execute(toolCall.input);
+    } catch (execError) {
+      const errMsg = execError instanceof Error ? execError.message : String(execError);
+      result2 = {
+        success: false,
+        output: "",
+        error: `Tool execution error: ${errMsg}`
+      };
+    }
+    const command = String(toolCall.input.command || toolCall.input.url || toolCall.input.query || JSON.stringify(toolCall.input));
     if (result2.success) {
       this.state.workingMemory.recordSuccess(toolCall.name, command, result2.output || "");
     } else {
@@ -8547,7 +8891,7 @@ var SERVICE_CATEGORY_MAP = {
   "docker": SERVICE_CATEGORIES.CONTAINER,
   "modbus": SERVICE_CATEGORIES.ICS
 };
-var CATEGORY_APPROVAL2 = {
+var CATEGORY_APPROVAL = {
   [SERVICE_CATEGORIES.NETWORK]: APPROVAL_LEVELS.CONFIRM,
   [SERVICE_CATEGORIES.WEB]: APPROVAL_LEVELS.CONFIRM,
   [SERVICE_CATEGORIES.DATABASE]: APPROVAL_LEVELS.REVIEW,
@@ -8696,6 +9040,10 @@ var DOMAINS = {
 };
 
 // src/engine/tools-registry.ts
+var VALID_CATEGORIES = Object.values(SERVICE_CATEGORIES);
+function isValidCategory(id) {
+  return VALID_CATEGORIES.includes(id);
+}
 var CategorizedToolRegistry = class extends ToolRegistry {
   categories = /* @__PURE__ */ new Map();
   constructor(state, scopeGuard, approvalGate, events) {
@@ -8727,13 +9075,13 @@ var CategorizedToolRegistry = class extends ToolRegistry {
     ];
     const coreTools = coreToolNames.map((name) => this.getTool(name)).filter((t) => !!t);
     Object.keys(DOMAINS).forEach((id) => {
-      const cat = id;
-      this.categories.set(cat, {
-        name: cat,
-        description: DOMAINS[cat]?.description || "",
+      if (!isValidCategory(id)) return;
+      this.categories.set(id, {
+        name: id,
+        description: DOMAINS[id]?.description || "",
         tools: [...coreTools],
-        dangerLevel: this.calculateDanger(cat),
-        defaultApproval: CATEGORY_APPROVAL2[cat] || "confirm"
+        dangerLevel: this.calculateDanger(id),
+        defaultApproval: CATEGORY_APPROVAL[id] || "confirm"
       });
     });
   }
@@ -8750,19 +9098,17 @@ var CategorizedToolRegistry = class extends ToolRegistry {
       const cat = ServiceParser.detectCategory(p.port, p.service);
       if (cat && !seen.has(cat)) {
         seen.add(cat);
-        const suggestion = {
+        results.push({
           category: cat,
           tools: this.getByCategory(cat).map((t) => t.name)
-        };
-        results.push(suggestion);
+        });
       }
     });
     if (target.hostname && ServiceParser.isCloudHostname(target.hostname) && !seen.has(SERVICE_CATEGORIES.CLOUD)) {
-      const cloudSuggestion = {
+      results.push({
         category: SERVICE_CATEGORIES.CLOUD,
         tools: this.getByCategory(SERVICE_CATEGORIES.CLOUD).map((t) => t.name)
-      };
-      results.push(cloudSuggestion);
+      });
     }
     return results;
   }
@@ -8801,7 +9147,7 @@ var CategorizedToolRegistry = class extends ToolRegistry {
     return Array.from(this.categories.values());
   }
   getApprovalForCategory(cat) {
-    return CATEGORY_APPROVAL2[cat] || "confirm";
+    return CATEGORY_APPROVAL[cat] || "confirm";
   }
 };
 
@@ -8886,14 +9232,28 @@ var LLM_ERROR_TYPES = {
 var HTTP_STATUS = { BAD_REQUEST: 400, UNAUTHORIZED: 401, FORBIDDEN: 403, RATE_LIMIT: 429 };
 var NETWORK_ERROR_CODES = {
   ECONNRESET: "ECONNRESET",
+  ECONNREFUSED: "ECONNREFUSED",
   ETIMEDOUT: "ETIMEDOUT",
   ENOTFOUND: "ENOTFOUND",
-  CONNECT_TIMEOUT: "UND_ERR_CONNECT_TIMEOUT"
+  CONNECT_TIMEOUT: "UND_ERR_CONNECT_TIMEOUT",
+  SOCKET_TIMEOUT: "UND_ERR_SOCKET"
 };
 var TRANSIENT_NETWORK_ERRORS = [
   NETWORK_ERROR_CODES.ECONNRESET,
+  NETWORK_ERROR_CODES.ECONNREFUSED,
   NETWORK_ERROR_CODES.ETIMEDOUT,
-  NETWORK_ERROR_CODES.ENOTFOUND
+  NETWORK_ERROR_CODES.ENOTFOUND,
+  NETWORK_ERROR_CODES.SOCKET_TIMEOUT
+];
+var NETWORK_ERROR_PATTERNS = [
+  "fetch failed",
+  "network error",
+  "econnrefused",
+  "econnreset",
+  "enotfound",
+  "etimedout",
+  "socket hang up",
+  "dns lookup failed"
 ];
 var LLMError = class extends Error {
   /** Structured error information */
@@ -8920,12 +9280,17 @@ function classifyError(error) {
   if (statusCode === HTTP_STATUS.BAD_REQUEST) {
     return { type: LLM_ERROR_TYPES.INVALID_REQUEST, message: errorMessage, statusCode, isRetryable: false, suggestedAction: "Modify request" };
   }
-  if (e.code && TRANSIENT_NETWORK_ERRORS.includes(e.code)) {
+  const errorCode = e.code || e.cause?.code;
+  if (errorCode && TRANSIENT_NETWORK_ERRORS.includes(errorCode)) {
     return { type: LLM_ERROR_TYPES.NETWORK_ERROR, message: errorMessage, isRetryable: true, suggestedAction: "Check network" };
   }
-  if (errorMessage.toLowerCase().includes("timeout") || e.code === NETWORK_ERROR_CODES.CONNECT_TIMEOUT) {
+  if (errorMessage.toLowerCase().includes("timeout") || errorCode === NETWORK_ERROR_CODES.CONNECT_TIMEOUT) {
     return { type: LLM_ERROR_TYPES.TIMEOUT, message: errorMessage, isRetryable: true, suggestedAction: "Retry" };
   }
+  const lowerMsg = errorMessage.toLowerCase();
+  if (NETWORK_ERROR_PATTERNS.some((pattern) => lowerMsg.includes(pattern))) {
+    return { type: LLM_ERROR_TYPES.NETWORK_ERROR, message: errorMessage, isRetryable: true, suggestedAction: "Check network" };
+  }
   return { type: LLM_ERROR_TYPES.UNKNOWN, message: errorMessage, statusCode, isRetryable: false, suggestedAction: "Analyze error" };
 }
 
@@ -9004,7 +9369,11 @@ var LLMClient = class {
       signal
     });
     if (!response.ok) {
-      const errorBody = await response.text();
+      let errorBody = `HTTP ${response.status}`;
+      try {
+        errorBody = await response.text();
+      } catch {
+      }
       const error = new Error(errorBody);
       error.status = response.status;
       throw error;
@@ -9340,7 +9709,7 @@ function saveState(state) {
 }
 function pruneOldSessions(sessionsDir) {
   try {
-    const sessionFiles = readdirSync(sessionsDir).filter((f) => f.endsWith(".json") && f !== "latest.json").map((f) => ({
+    const sessionFiles = readdirSync(sessionsDir).filter((f) => f.endsWith(FILE_EXTENSIONS.JSON) && f !== SPECIAL_FILES.LATEST_STATE).map((f) => ({
       name: f,
       path: join9(sessionsDir, f),
       mtime: statSync(join9(sessionsDir, f)).mtimeMs
@@ -9377,7 +9746,10 @@ function loadState(state) {
       state.addLoot(loot);
     }
     for (const item of snapshot.todo) {
-      state.addTodo(item.content, item.priority);
+      const id = state.addTodo(item.content, item.priority);
+      if (item.status && item.status !== "pending") {
+        state.updateTodo(id, { status: item.status });
+      }
     }
     const validPhases = new Set(Object.values(PHASES));
     const restoredPhase = validPhases.has(snapshot.currentPhase) ? snapshot.currentPhase : PHASES.RECON;
@@ -9387,6 +9759,20 @@ function loadState(state) {
     }
     if (snapshot.missionChecklist?.length > 0) {
       state.addMissionChecklistItems(snapshot.missionChecklist.map((c) => c.text));
+      const restoredChecklist = state.getMissionChecklist();
+      const baseIndex = restoredChecklist.length - snapshot.missionChecklist.length;
+      const completedUpdates = [];
+      for (let i = 0; i < snapshot.missionChecklist.length; i++) {
+        if (snapshot.missionChecklist[i].isCompleted && restoredChecklist[baseIndex + i]) {
+          completedUpdates.push({
+            id: restoredChecklist[baseIndex + i].id,
+            isCompleted: true
+          });
+        }
+      }
+      if (completedUpdates.length > 0) {
+        state.updateMissionChecklist(completedUpdates);
+      }
     }
     return true;
   } catch (err) {
@@ -9400,8 +9786,9 @@ function clearWorkspace() {
   const dirsToClean = [
     { path: WORKSPACE.SESSIONS, label: "sessions" },
     { path: WORKSPACE.DEBUG, label: "debug logs" },
-    { path: WORKSPACE.TEMP, label: "temp files" },
-    { path: WORKSPACE.OUTPUTS, label: "outputs" }
+    { path: WORKSPACE.TMP, label: "temp files" },
+    { path: WORKSPACE.OUTPUTS, label: "outputs" },
+    { path: WORKSPACE.JOURNAL, label: "journal" }
   ];
   for (const dir of dirsToClean) {
     try {
@@ -9481,387 +9868,97 @@ function appendBlockedCommandHints(lines, errorLower) {
   if (errorLower.includes("pipe target") || errorLower.includes("injection")) {
     lines.push(`Fix: Use the tool's built-in output options instead of shell pipes.`);
     lines.push(`Alternative approaches:`);
-    lines.push(`  1. Save output to file: command > /tmp/output.txt, then use read_file("/tmp/output.txt")`);
-    lines.push(`  2. Use tool-specific flags: nmap -oN /tmp/scan.txt, curl -o /tmp/page.html`);
+    lines.push(`  1. Save output to file: command > ${WORK_DIR}/output.txt, then use read_file("${WORK_DIR}/output.txt")`);
+    lines.push(`  2. Use tool-specific flags: nmap -oN ${WORK_DIR}/scan.txt, curl -o ${WORK_DIR}/page.html`);
     lines.push(`  3. Use browse_url for web content instead of curl | grep`);
     lines.push(`  4. If filtering output: run the command first, then read_file + parse results`);
   } else if (errorLower.includes("redirect")) {
-    lines.push(`Fix: Redirect to /tmp/ or /root/ paths only.`);
-    lines.push(`Example: command > /tmp/output.txt or command 2>&1 > /tmp/errors.txt`);
+    lines.push(`Fix: Redirect to ${WORK_DIR}/ path.`);
+    lines.push(`Example: command > ${WORK_DIR}/output.txt or command 2>&1 > ${WORK_DIR}/errors.txt`);
   } else {
     lines.push(`Fix: Simplify the command. Avoid chaining complex operations.`);
     lines.push(`Break into multiple steps: run_cmd \u2192 read_file \u2192 run_cmd.`);
   }
 }
 
-// src/shared/utils/output-compressor.ts
-var MIN_COMPRESS_LENGTH = 3e3;
-var SUMMARY_HEADER = "\u2550\u2550\u2550 INTELLIGENCE SUMMARY (auto-extracted) \u2550\u2550\u2550";
-var SUMMARY_FOOTER = "\u2550\u2550\u2550 END SUMMARY \u2014 Full output follows \u2550\u2550\u2550";
-var EXTRACT_LIMITS = {
-  NMAP_PORTS: 30,
-  NMAP_VULNS: 10,
-  LINPEAS_SUDO: 500,
-  LINPEAS_WRITABLE: 300,
-  LINPEAS_CRON: 5,
-  LINPEAS_PASSWORDS: 5,
-  ENUM4LINUX_SHARES: 10,
-  DIRBUST_PATHS: 20,
-  SQLMAP_INJECTIONS: 5,
-  HASH_NTLM: 5,
-  HASH_PREVIEW_LEN: 100,
-  GENERIC_CREDS: 5,
-  GENERIC_PATHS: 10
-};
-var TOOL_SIGNATURES = [
-  {
-    name: "nmap",
-    signatures: [/Nmap scan report/i, /PORT\s+STATE\s+SERVICE/i, /Nmap done:/i],
-    extract: extractNmapIntel
-  },
-  {
-    name: "linpeas",
-    signatures: [/linpeas/i, /╔══.*╗/, /Linux Privilege Escalation/i],
-    extract: extractLinpeasIntel
-  },
-  {
-    name: "enum4linux",
-    signatures: [/enum4linux/i, /Starting enum4linux/i, /\|\s+Target\s+Information/i],
-    extract: extractEnum4linuxIntel
-  },
-  {
-    name: "gobuster/ffuf/feroxbuster",
-    signatures: [/Gobuster/i, /FFUF/i, /feroxbuster/i, /Status:\s*\d{3}/],
-    extract: extractDirBustIntel
-  },
-  {
-    name: "sqlmap",
-    signatures: [/sqlmap/i, /\[INFO\]\s+testing/i, /Parameter:\s+/i],
-    extract: extractSqlmapIntel
-  },
-  {
-    name: "hash_dump",
-    signatures: [/\$[0-9]\$/, /\$2[aby]\$/, /:[0-9]+:[a-f0-9]{32}:/i],
-    extract: extractHashIntel
-  }
-];
-function compressToolOutput(output, toolName) {
-  if (!output || output.length < MIN_COMPRESS_LENGTH) {
-    return output;
-  }
-  let intel = [];
-  let detectedTool = "";
-  for (const sig of TOOL_SIGNATURES) {
-    const matched = sig.signatures.some((s) => s.test(output));
-    if (matched) {
-      detectedTool = sig.name;
-      intel = sig.extract(output);
-      break;
-    }
-  }
-  if (intel.length === 0) {
-    intel = extractGenericIntel(output);
-    detectedTool = toolName || "unknown";
-  }
-  if (intel.length === 0) {
-    return output;
-  }
-  const summary = [
-    SUMMARY_HEADER,
-    `Tool: ${detectedTool} | Output length: ${output.length} chars`,
-    "",
-    ...intel,
-    "",
-    SUMMARY_FOOTER,
-    ""
-  ].join("\n");
-  return summary + output;
-}
-function extractNmapIntel(output) {
-  const intel = [];
-  const lines = output.split("\n");
-  const hostMatches = output.match(/Nmap scan report for\s+(\S+)/gi);
-  const openPorts = output.match(/^\d+\/\w+\s+open\s+/gm);
-  if (hostMatches) intel.push(`Hosts scanned: ${hostMatches.length}`);
-  if (openPorts) intel.push(`Open ports found: ${openPorts.length}`);
-  const portLines = lines.filter((l) => /^\d+\/\w+\s+open\s+/.test(l.trim()));
-  if (portLines.length > 0) {
-    intel.push("Open ports:");
-    for (const pl of portLines.slice(0, EXTRACT_LIMITS.NMAP_PORTS)) {
-      intel.push(`  ${pl.trim()}`);
-    }
-  }
-  const vulnLines = lines.filter(
-    (l) => /VULNERABLE|CVE-\d{4}-\d+|exploit|CRITICAL/i.test(l)
-  );
-  if (vulnLines.length > 0) {
-    intel.push("\u26A0\uFE0F  Vulnerability indicators:");
-    for (const vl of vulnLines.slice(0, EXTRACT_LIMITS.NMAP_VULNS)) {
-      intel.push(`  ${vl.trim()}`);
-    }
-  }
-  const osMatch = output.match(/OS details:\s*(.+)/i) || output.match(/Running:\s*(.+)/i);
-  if (osMatch) intel.push(`OS: ${osMatch[1].trim()}`);
-  return intel;
-}
-function extractLinpeasIntel(output) {
-  const intel = [];
-  const suidSection = output.match(/SUID[\s\S]*?(?=\n[═╔╗━]+|\n\n\n)/i);
-  if (suidSection) {
-    const suidBins = suidSection[0].match(/\/\S+/g);
-    if (suidBins) {
-      const interestingSuid = suidBins.filter(
-        (b) => /python|perl|ruby|node|bash|vim|less|more|nano|find|nmap|awk|env|php|gcc|gdb|docker|strace|ltrace/i.test(b)
-      );
-      if (interestingSuid.length > 0) {
-        intel.push(`\u{1F534} Exploitable SUID binaries: ${interestingSuid.join(", ")}`);
-      }
-    }
-  }
-  const sudoMatch = output.match(/User \S+ may run[\s\S]*?(?=\n\n|\n[═╔╗━])/i);
-  if (sudoMatch) {
-    intel.push(`\u{1F534} sudo -l: ${sudoMatch[0].trim().slice(0, EXTRACT_LIMITS.LINPEAS_SUDO)}`);
-  }
-  const writableMatch = output.match(/Interesting writable[\s\S]*?(?=\n\n|\n[═╔╗━])/i);
-  if (writableMatch) {
-    intel.push(`\u{1F4DD} Writable: ${writableMatch[0].trim().slice(0, EXTRACT_LIMITS.LINPEAS_WRITABLE)}`);
-  }
-  const cronMatch = output.match(/Cron[\s\S]*?(?=\n\n|\n[═╔╗━])/i);
-  if (cronMatch) {
-    const cronLines = cronMatch[0].split("\n").filter((l) => l.includes("*") || /\/(root|cron)/i.test(l));
-    if (cronLines.length > 0) {
-      intel.push("\u23F0 Cron entries:");
-      cronLines.slice(0, EXTRACT_LIMITS.LINPEAS_CRON).forEach((c) => intel.push(`  ${c.trim()}`));
-    }
-  }
-  const kernelMatch = output.match(/Linux version\s+(\S+)/i) || output.match(/Kernel:\s*(\S+)/i);
-  if (kernelMatch) intel.push(`\u{1F427} Kernel: ${kernelMatch[1]}`);
-  const passLines = output.split("\n").filter(
-    (l) => /password\s*[=:]\s*\S+/i.test(l) && !/\*\*\*|example|sample/i.test(l)
-  );
-  if (passLines.length > 0) {
-    intel.push("\u{1F511} Potential credentials found:");
-    passLines.slice(0, EXTRACT_LIMITS.LINPEAS_PASSWORDS).forEach((p) => intel.push(`  ${p.trim()}`));
-  }
-  const cveMatches = output.match(/CVE-\d{4}-\d+/gi);
-  if (cveMatches) {
-    const uniqueCves = [...new Set(cveMatches)];
-    intel.push(`\u26A0\uFE0F  CVEs mentioned: ${uniqueCves.join(", ")}`);
-  }
-  return intel;
-}
-function extractEnum4linuxIntel(output) {
-  const intel = [];
-  const userMatches = output.match(/user:\[(\S+?)\]/gi);
-  if (userMatches) {
-    const users = userMatches.map((u) => u.replace(/user:\[|\]/gi, ""));
-    intel.push(`\u{1F464} Users found: ${users.join(", ")}`);
-  }
-  const shareMatches = output.match(/Mapping: (\S+),\s*Listing: (\S+)/gi) || output.match(/\\\\\S+\\\\\S+/g);
-  if (shareMatches) {
-    intel.push(`\u{1F4C2} Shares: ${shareMatches.slice(0, EXTRACT_LIMITS.ENUM4LINUX_SHARES).join(", ")}`);
-  }
-  const domainMatch = output.match(/Domain:\s*\[(\S+?)\]/i) || output.match(/Workgroup:\s*\[(\S+?)\]/i);
-  if (domainMatch) intel.push(`\u{1F3E2} Domain: ${domainMatch[1]}`);
-  const policyMatch = output.match(/Password Complexity|Account Lockout/i);
-  if (policyMatch) intel.push("\u{1F510} Password policy information found");
-  return intel;
-}
-function extractDirBustIntel(output) {
-  const intel = [];
-  const lines = output.split("\n");
-  const interestingPaths = [];
-  for (const line of lines) {
-    const match = line.match(/(?:Status:\s*(\d{3})|(\d{3})\s+\d+\s+\d+).*?(\/\S+)/);
-    if (match) {
-      const status = match[1] || match[2];
-      const path2 = match[3];
-      if (["200", "301", "302", "403"].includes(status)) {
-        interestingPaths.push(`[${status}] ${path2}`);
-      }
-    }
-    const ffufMatch = line.match(/(\S+)\s+\[Status:\s*(\d+),?\s*Size:\s*(\d+)/);
-    if (ffufMatch && ["200", "301", "302", "403"].includes(ffufMatch[2])) {
-      interestingPaths.push(`[${ffufMatch[2]}] ${ffufMatch[1]} (${ffufMatch[3]}b)`);
-    }
-  }
-  if (interestingPaths.length > 0) {
-    intel.push(`\u{1F4C1} Discovered paths (${interestingPaths.length}):`);
-    interestingPaths.slice(0, EXTRACT_LIMITS.DIRBUST_PATHS).forEach((p) => intel.push(`  ${p}`));
-    if (interestingPaths.length > EXTRACT_LIMITS.DIRBUST_PATHS) {
-      intel.push(`  ... and ${interestingPaths.length - EXTRACT_LIMITS.DIRBUST_PATHS} more`);
-    }
-  }
-  return intel;
-}
-function extractSqlmapIntel(output) {
-  const intel = [];
-  const injectionTypes = output.match(/Type:\s*(\S.*?)(?:\n|$)/gi);
-  if (injectionTypes) {
-    intel.push("\u{1F489} SQL injection found:");
-    injectionTypes.slice(0, EXTRACT_LIMITS.SQLMAP_INJECTIONS).forEach((t) => intel.push(`  ${t.trim()}`));
-  }
-  const dbMatch = output.match(/back-end DBMS:\s*(.+)/i);
-  if (dbMatch) intel.push(`\u{1F5C4}\uFE0F DBMS: ${dbMatch[1].trim()}`);
-  const dbListMatch = output.match(/available databases.*?:\s*([\s\S]*?)(?=\n\[|\n$)/i);
-  if (dbListMatch) {
-    intel.push(`\u{1F4CA} Databases: ${dbListMatch[1].trim().replace(/\n/g, ", ")}`);
-  }
-  const tableMatches = output.match(/Database:\s*\S+\s+Table:\s*\S+/gi);
-  if (tableMatches) {
-    intel.push(`\u{1F4CB} Tables dumped: ${tableMatches.length}`);
-  }
-  return intel;
-}
-function extractHashIntel(output) {
-  const intel = [];
-  const lines = output.split("\n");
-  const md5Hashes = lines.filter((l) => /\b[a-f0-9]{32}\b/i.test(l) && !l.includes("{"));
-  const sha256Hashes = lines.filter((l) => /\b[a-f0-9]{64}\b/i.test(l));
-  const unixHashes = lines.filter((l) => /\$[0-9]\$|\$2[aby]\$|\$6\$|\$5\$/i.test(l));
-  const ntlmHashes = lines.filter((l) => /:[0-9]+:[a-f0-9]{32}:[a-f0-9]{32}:::/i.test(l));
-  if (md5Hashes.length > 0) intel.push(`#\uFE0F\u20E3 MD5 hashes: ${md5Hashes.length}`);
-  if (sha256Hashes.length > 0) intel.push(`#\uFE0F\u20E3 SHA256 hashes: ${sha256Hashes.length}`);
-  if (unixHashes.length > 0) intel.push(`#\uFE0F\u20E3 Unix crypt hashes: ${unixHashes.length}`);
-  if (ntlmHashes.length > 0) {
-    intel.push(`#\uFE0F\u20E3 NTLM hashes: ${ntlmHashes.length}`);
-    ntlmHashes.slice(0, EXTRACT_LIMITS.HASH_NTLM).forEach((h) => intel.push(`  ${h.trim().slice(0, EXTRACT_LIMITS.HASH_PREVIEW_LEN)}`));
-  }
-  return intel;
-}
-function extractGenericIntel(output) {
-  const intel = [];
-  const credPatterns = output.match(/(?:password|passwd|pwd|credentials?)\s*[=:]\s*\S+/gi);
-  if (credPatterns) {
-    intel.push("\u{1F511} Potential credentials detected:");
-    credPatterns.slice(0, EXTRACT_LIMITS.GENERIC_CREDS).forEach((c) => intel.push(`  ${c.trim()}`));
-  }
-  const cves = output.match(/CVE-\d{4}-\d+/gi);
-  if (cves) {
-    const unique = [...new Set(cves)];
-    intel.push(`\u26A0\uFE0F  CVEs mentioned: ${unique.join(", ")}`);
-  }
-  const ips = output.match(/\b(?:(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\b/g);
-  if (ips) {
-    const uniqueIps = [...new Set(ips)].filter(
-      (ip) => !ip.startsWith("0.") && !ip.startsWith("255.") && ip !== "127.0.0.1"
-    );
-    if (uniqueIps.length > 0 && uniqueIps.length <= 20) {
-      intel.push(`\u{1F310} IP addresses found: ${uniqueIps.join(", ")}`);
-    }
-  }
-  const paths = output.match(/\/(?:etc\/(?:shadow|passwd|sudoers)|root\/|home\/\S+|var\/www\/\S+|opt\/\S+)\S*/g);
-  if (paths) {
-    const uniquePaths = [...new Set(paths)].slice(0, EXTRACT_LIMITS.GENERIC_PATHS);
-    intel.push(`\u{1F4C2} Interesting paths: ${uniquePaths.join(", ")}`);
-  }
-  const flagPatterns = output.match(/(?:flag|secret|key|token)\{[^}]+\}/gi);
-  if (flagPatterns) {
-    intel.push("\u{1F3F4} FLAG/SECRET patterns detected:");
-    flagPatterns.forEach((f) => intel.push(`  ${f}`));
-  }
-  return intel;
-}
-
 // src/shared/utils/context-digest.ts
 import { writeFileSync as writeFileSync7, mkdirSync as mkdirSync3, existsSync as existsSync7 } from "fs";
-var PASSTHROUGH_THRESHOLD = 3e3;
-var LAYER2_THRESHOLD = 8e3;
-var LAYER3_THRESHOLD = 5e4;
-var MAX_REDUCED_LINES = 500;
+var PASSTHROUGH_THRESHOLD = 500;
+var PREPROCESS_THRESHOLD = 3e3;
+var MAX_PREPROCESSED_LINES = 800;
 var getOutputDir = () => WORKSPACE.OUTPUTS;
 var MAX_DUPLICATE_DISPLAY = 3;
-var LAYER3_MAX_INPUT_CHARS = 8e4;
+var ANALYST_MAX_INPUT_CHARS = 8e4;
 var FALLBACK_MAX_CHARS = 3e4;
-var SIGNAL_PATTERNS = [
-  /error|fail|denied|refused|timeout|exception/i,
-  /warning|warn|deprecated|insecure/i,
-  /success|found|detected|discovered|vulnerable|VULNERABLE/i,
-  /password|passwd|credential|secret|key|token|hash/i,
-  /CVE-\d{4}-\d+/i,
-  /\d+\/\w+\s+open\s+/,
-  // nmap open port
-  /flag\{|ctf\{|HTB\{|THM\{/i,
-  // CTF flags
-  /root:|admin:|www-data:|nobody:/,
-  // /etc/passwd entries
-  /\$[0-9]\$|\$2[aby]\$/,
-  // password hashes
-  /\b(?:192\.168|10\.|172\.(?:1[6-9]|2\d|3[01]))\.\d+\.\d+\b/,
-  // internal IPs
-  /BEGIN\s+(?:RSA|DSA|EC|OPENSSH)\s+PRIVATE\s+KEY/i,
-  // private keys
-  /Authorization:|Bearer\s+|Basic\s+/i
-  // auth tokens
-];
-var NOISE_PATTERNS = [
-  /^\s*$/,
-  // blank lines
-  /^\[[\d:]+\]\s*$/,
-  // timestamp-only lines
-  /^#+\s*$/,
-  // separator lines
-  /^\s*Progress:\s*\[?[#=\-\s>]+\]?\s*\d+/i,
-  // progress bars
-  /\d+\s+requests?\s+(?:sent|made)/i,
-  // request counters
-  /^\s*(?:\.{3,}|={5,}|-{5,})\s*$/
-  // decoration lines
-];
-async function digestToolOutput(output, toolName, toolInput, llmDigestFn) {
+async function digestToolOutput(output, toolName, toolInput, analystFn) {
   const originalLength = output.length;
   if (originalLength < PASSTHROUGH_THRESHOLD) {
     return {
       digestedOutput: output,
       fullOutputPath: null,
-      layersApplied: [],
+      analystUsed: false,
+      memo: null,
       originalLength,
       digestedLength: originalLength,
       compressionRatio: 1
     };
   }
-  const layersApplied = [];
-  let processed = output;
-  let savedOutputPath = null;
-  processed = compressToolOutput(processed, toolName);
-  layersApplied.push(1);
-  if (processed.length > LAYER2_THRESHOLD) {
-    processed = structuralReduce(processed);
-    layersApplied.push(2);
-  }
-  if (processed.length > LAYER3_THRESHOLD) {
-    savedOutputPath = saveFullOutput(output, toolName);
-    if (llmDigestFn) {
-      try {
-        const context = `Tool: ${toolName}${toolInput ? ` | Input: ${toolInput}` : ""}`;
-        const digest = await llmDigestFn(processed, context);
-        processed = formatLLMDigest(digest, savedOutputPath, originalLength);
-        layersApplied.push(3);
-      } catch (err) {
-        debugLog("general", "Context Digest Layer 3 failed, falling back", { toolName, error: String(err) });
-        processed = formatFallbackDigest(processed, savedOutputPath, originalLength);
-        layersApplied.push(3);
-      }
-    } else {
-      processed = formatFallbackDigest(processed, savedOutputPath, originalLength);
+  const savedOutputPath = saveFullOutput(output, toolName);
+  let preprocessed = output;
+  if (originalLength > PREPROCESS_THRESHOLD) {
+    preprocessed = structuralPreprocess(output);
+  }
+  if (analystFn) {
+    try {
+      const context = `Tool: ${toolName}${toolInput ? ` | Input: ${toolInput}` : ""}`;
+      const rawAnalystResponse = await analystFn(preprocessed, context);
+      const memo6 = parseAnalystMemo(rawAnalystResponse);
+      const formatted = formatAnalystDigest(rawAnalystResponse, savedOutputPath, originalLength);
+      return {
+        digestedOutput: formatted,
+        fullOutputPath: savedOutputPath,
+        analystUsed: true,
+        memo: memo6,
+        originalLength,
+        digestedLength: formatted.length,
+        compressionRatio: formatted.length / originalLength
+      };
+    } catch (err) {
+      debugLog("general", "Analyst LLM failed, falling back to truncation", {
+        toolName,
+        error: String(err)
+      });
     }
-  } else if (layersApplied.includes(2)) {
-    savedOutputPath = saveFullOutput(output, toolName);
   }
+  const fallback = formatFallbackDigest(preprocessed, savedOutputPath, originalLength);
   return {
-    digestedOutput: processed,
+    digestedOutput: fallback,
     fullOutputPath: savedOutputPath,
-    layersApplied,
+    analystUsed: false,
+    memo: null,
     originalLength,
-    digestedLength: processed.length,
-    compressionRatio: processed.length / originalLength
+    digestedLength: fallback.length,
+    compressionRatio: fallback.length / originalLength
   };
 }
-function structuralReduce(output) {
+var NOISE_PATTERNS = [
+  /^\s*$/,
+  // blank lines
+  /^\[[\d:]+\]\s*$/,
+  // timestamp-only lines
+  /^#+\s*$/,
+  // separator lines
+  /^\s*Progress:\s*\[?[#=\-\s>]+\]?\s*\d/i,
+  // progress bars
+  /\d+\s+requests?\s+(?:sent|made)/i,
+  // request counters
+  /^\s*(?:\.{3,}|={5,}|-{5,})\s*$/
+  // decoration lines
+];
+function structuralPreprocess(output) {
   let cleaned = stripAnsi(output);
   const lines = cleaned.split("\n");
   const result2 = [];
-  const duplicateCounts = /* @__PURE__ */ new Map();
   let lastLine = "";
   let consecutiveDupes = 0;
   for (const line of lines) {
@@ -9869,11 +9966,9 @@ function structuralReduce(output) {
     if (NOISE_PATTERNS.some((p) => p.test(trimmed))) {
       continue;
     }
-    const isSignal = SIGNAL_PATTERNS.some((p) => p.test(trimmed));
     const normalized = normalizeLine(trimmed);
-    if (normalized === normalizeLine(lastLine) && !isSignal) {
+    if (normalized === normalizeLine(lastLine)) {
       consecutiveDupes++;
-      duplicateCounts.set(normalized, (duplicateCounts.get(normalized) || 1) + 1);
       continue;
     }
     if (consecutiveDupes > 0) {
@@ -9896,57 +9991,124 @@ function structuralReduce(output) {
       result2.push(lastLine);
     }
   }
-  if (result2.length > MAX_REDUCED_LINES) {
-    const headSize = Math.floor(MAX_REDUCED_LINES * 0.4);
-    const tailSize = Math.floor(MAX_REDUCED_LINES * 0.3);
-    const signalBudget = MAX_REDUCED_LINES - headSize - tailSize;
+  if (result2.length > MAX_PREPROCESSED_LINES) {
+    const headSize = Math.floor(MAX_PREPROCESSED_LINES * 0.5);
+    const tailSize = Math.floor(MAX_PREPROCESSED_LINES * 0.3);
     const head = result2.slice(0, headSize);
     const tail = result2.slice(-tailSize);
-    const middle = result2.slice(headSize, -tailSize);
-    const middleSignals = middle.filter((line) => SIGNAL_PATTERNS.some((p) => p.test(line))).slice(0, signalBudget);
-    const skipped = middle.length - middleSignals.length;
+    const skipped = result2.length - headSize - tailSize;
     cleaned = [
       ...head,
       "",
-      `... [${skipped} routine lines skipped \u2014 ${middleSignals.length} important lines preserved] ...`,
-      "",
-      ...middleSignals,
-      "",
-      `... [resuming last ${tailSize} lines] ...`,
+      `... [${skipped} lines skipped for Analyst LLM context \u2014 full output saved to file] ...`,
       "",
       ...tail
     ].join("\n");
   } else {
     cleaned = result2.join("\n");
   }
+  if (cleaned.length > ANALYST_MAX_INPUT_CHARS) {
+    cleaned = cleaned.slice(0, ANALYST_MAX_INPUT_CHARS) + `
+... [truncated at ${ANALYST_MAX_INPUT_CHARS} chars for Analyst LLM \u2014 full output saved to file]`;
+  }
   return cleaned;
 }
-var DIGEST_SYSTEM_PROMPT = `You are a pentesting output analyst. Given raw tool output, extract ONLY actionable intelligence. Be terse and structured.
+var ANALYST_SYSTEM_PROMPT = `You are an independent pentesting output analyst. You receive raw tool output and must extract ONLY actionable intelligence for the main attack agent.
 
 FORMAT YOUR RESPONSE EXACTLY LIKE THIS:
+
 ## Key Findings
-- [finding 1]
+- [finding 1 with exact values: ports, versions, paths]
 - [finding 2]
 
 ## Credentials/Secrets
-- [any discovered credentials, hashes, tokens, keys]
+- [any discovered credentials, hashes, tokens, keys, certificates]
+- (write "None found" if none)
 
 ## Attack Vectors
-- [exploitable services, vulnerabilities, misconfigurations]
+- [exploitable services, vulnerabilities, misconfigurations, CVEs]
+- (write "None identified" if none)
+
+## Failures/Errors
+- [what was attempted and FAILED \u2014 include the FULL command, wordlist, target, and the reason WHY it failed]
+- [e.g.: "SSH brute force: hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://10.0.0.1 \u2014 connection refused (port filtered)"]
+- [e.g.: "SQLi on /login with sqlmap --tamper=space2comment \u2014 input sanitized, WAF detected (ModSecurity)"]
+- (write "No failures" if everything succeeded)
+
+## Suspicious Signals
+- [anomalies that are NOT confirmed vulnerabilities but suggest exploitable surface]
+- [e.g.: "Response time 3x slower on /admin path \u2014 possible auth check or backend processing"]
+- [e.g.: "X-Debug-Token header present \u2014 debug mode may be enabled"]
+- [e.g.: "Verbose error message reveals stack trace / internal path / DB schema"]
+- [e.g.: "Unexpected 302 redirect with session param leaked in URL"]
+- (write "No suspicious signals" if nothing anomalous)
+
+## Attack Value
+- [ONE word: HIGH / MED / LOW / NONE]
+- Reasoning: [1 sentence why \u2014 what makes this worth pursuing or abandoning]
 
 ## Next Steps
 - [recommended immediate actions based on findings]
 
 RULES:
-- Be EXTREMELY concise \u2014 max 30 lines total
-- Only include ACTIONABLE findings \u2014 skip routine/expected results
+- Include EXACT values: port numbers, versions, usernames, file paths, IPs, full commands used
+- For failures: include the COMPLETE command with all flags, wordlists, and targets \u2014 "brute force failed" alone is USELESS
+- Look for the UNEXPECTED \u2014 non-standard ports, unusual banners, timing anomalies, error leaks
+- Credentials include: passwords, hashes, API keys, tokens, private keys, cookies, session IDs
+- Flag any information disclosure: server versions, internal paths, stack traces, debug output
 - If nothing interesting found, say "No actionable findings in this output"
-- Include exact values: port numbers, versions, usernames, file paths
-- Never include decorative output, banners, or progress information`;
-function formatLLMDigest(digest, filePath, originalChars) {
+- Never include decorative output, banners, or progress information
+- Do NOT miss subtle signals: unusual HTTP headers, non-standard responses, timing differences
+- Write as much detail as needed \u2014 do NOT artificially shorten. Every detail matters for strategy.
+
+## Reflection
+- What this output tells us: [1-line assessment]
+- Recommended next action: [1-2 specific follow-up actions]`;
+function parseAnalystMemo(response) {
+  const sections = {};
+  let currentSection = "";
+  let reflectionLines = [];
+  let attackValueLine = "NONE";
+  let attackValueReasoning = "";
+  for (const line of response.split("\n")) {
+    if (line.startsWith("## ")) {
+      currentSection = line.replace("## ", "").trim().toLowerCase();
+      sections[currentSection] = [];
+    } else if (currentSection === "reflection") {
+      if (line.trim()) reflectionLines.push(line.trim());
+    } else if (currentSection === "attack value") {
+      const match = line.match(/\b(HIGH|MED|LOW|NONE)\b/);
+      if (match) attackValueLine = match[1];
+      const reasonMatch = line.match(/[Rr]easoning:\s*(.+)/);
+      if (reasonMatch) attackValueReasoning = reasonMatch[1].trim();
+    } else if (currentSection) {
+      const trimmed = line.trim();
+      if (!trimmed) continue;
+      const content = trimmed.replace(/^(?:-|\*|\d+[.)]\s*)\s*/, "").trim();
+      if (content) sections[currentSection].push(content);
+    }
+  }
+  const filterNone = (items) => items.filter((i) => !/(^none|^no )/i.test(i.trim()));
+  const rawValue = attackValueLine.toUpperCase();
+  const attackValue = ["HIGH", "MED", "LOW", "NONE"].includes(rawValue) ? rawValue : "LOW";
+  return {
+    keyFindings: filterNone(sections["key findings"] || []),
+    credentials: filterNone(sections["credentials/secrets"] || []),
+    attackVectors: filterNone(sections["attack vectors"] || []),
+    failures: filterNone(sections["failures/errors"] || []),
+    suspicions: filterNone(sections["suspicious signals"] || []),
+    attackValue,
+    nextSteps: filterNone(sections["next steps"] || []),
+    reflection: [
+      attackValueReasoning ? `[${attackValue}] ${attackValueReasoning}` : "",
+      ...reflectionLines
+    ].filter(Boolean).join(" | ")
+  };
+}
+function formatAnalystDigest(digest, filePath, originalChars) {
   return [
     "\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557",
-    "\u2551  CONTEXT DIGEST (LLM-summarized)                        \u2551",
+    "\u2551  ANALYST DIGEST (Independent LLM analysis)              \u2551",
     "\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D",
     "",
     digest,
@@ -9956,29 +10118,26 @@ function formatLLMDigest(digest, filePath, originalChars) {
   ].join("\n");
 }
 function formatFallbackDigest(processed, filePath, originalChars) {
-  const lines = processed.split("\n");
-  const summaryEndIdx = lines.findIndex((l) => l.includes("END SUMMARY"));
-  const summaryBlock = summaryEndIdx > 0 ? lines.slice(0, summaryEndIdx + 1).join("\n") : "";
-  const remaining = summaryEndIdx > 0 ? lines.slice(summaryEndIdx + 1).join("\n") : processed;
   const maxChars = FALLBACK_MAX_CHARS;
-  let truncatedRemaining = remaining;
-  if (remaining.length > maxChars) {
+  let truncated = processed;
+  if (processed.length > maxChars) {
     const headChars = Math.floor(maxChars * 0.6);
     const tailChars = Math.floor(maxChars * 0.4);
-    const skipped = remaining.length - headChars - tailChars;
-    truncatedRemaining = remaining.slice(0, headChars) + `
+    const skipped = processed.length - headChars - tailChars;
+    truncated = processed.slice(0, headChars) + `
 
-... [${skipped} chars omitted \u2014 read full output from file] ...
+... [${skipped} chars omitted \u2014 Analyst LLM unavailable, read full output from file] ...
 
-` + remaining.slice(-tailChars);
+` + processed.slice(-tailChars);
   }
   return [
-    summaryBlock,
-    truncatedRemaining,
+    "\u26A0\uFE0F ANALYST UNAVAILABLE \u2014 showing truncated raw output:",
+    "",
+    truncated,
     "",
     `\u{1F4C2} Full output saved: ${filePath} (${originalChars} chars)`,
     `\u{1F4A1} Use read_file("${filePath}") to see the complete raw output.`
-  ].filter(Boolean).join("\n");
+  ].join("\n");
 }
 function stripAnsi(text) {
   return text.replace(/\x1B\[[0-9;]*[a-zA-Z]/g, "").replace(/\x1B\[[\d;]*m/g, "");
@@ -10004,20 +10163,21 @@ function saveFullOutput(output, toolName) {
 }
 function createLLMDigestFn(llmClient) {
   return async (text, context) => {
-    const truncatedText = text.length > LAYER3_MAX_INPUT_CHARS ? text.slice(0, LAYER3_MAX_INPUT_CHARS) + `
-... [truncated for summarization, ${text.length - LAYER3_MAX_INPUT_CHARS} chars omitted]` : text;
-    const messages = [{ role: "user", content: `Analyze this pentesting tool output and extract actionable intelligence.
+    const messages = [{
+      role: LLM_ROLES.USER,
+      content: `Analyze this pentesting tool output and extract actionable intelligence.
 
 Context: ${context}
 
 --- OUTPUT START ---
-${truncatedText}
---- OUTPUT END ---` }];
+${text}
+--- OUTPUT END ---`
+    }];
     const response = await llmClient.generateResponse(
       messages,
       void 0,
-      // no tools — summarization only
-      DIGEST_SYSTEM_PROMPT
+      // no tools — analysis only
+      ANALYST_SYSTEM_PROMPT
     );
     return response.content || "No actionable findings extracted.";
   };
@@ -10032,6 +10192,16 @@ var CoreAgent = class _CoreAgent {
   agentType;
   maxIterations;
   abortController = null;
+  /**
+   * Collected tool execution records for the current turn.
+   * MainAgent reads this after each step to write journal entries.
+   * Cleared at the start of each step.
+   */
+  turnToolJournal = [];
+  /** Aggregated memo from all tools in the current turn */
+  turnMemo = { keyFindings: [], credentials: [], attackVectors: [], failures: [], suspicions: [], attackValue: "LOW", nextSteps: [] };
+  /** Analyst reflections collected during this turn (1-line assessments) */
+  turnReflections = [];
   constructor(agentType, state, events, toolRegistry, maxIterations) {
     this.agentType = agentType;
     this.state = state;
@@ -10159,7 +10329,22 @@ RULES:
           });
           continue;
         }
-        throw error;
+        const unexpectedMsg = error instanceof Error ? error.message : String(error);
+        this.events.emit({
+          type: EVENT_TYPES.ERROR,
+          timestamp: Date.now(),
+          data: {
+            message: `Unexpected error: ${unexpectedMsg}`,
+            phase: this.state.getPhase(),
+            isRecoverable: true
+          }
+        });
+        messages.push({
+          role: LLM_ROLES.USER,
+          content: `\u26A0\uFE0F UNEXPECTED ERROR: ${unexpectedMsg}
+This may be a transient issue. Continue your task \u2014 retry the last action or try an alternative approach.`
+        });
+        continue;
       }
     }
     const summary = `Max iterations (${this.maxIterations}) reached. Progress: ${progress.totalToolsExecuted} tools executed (${progress.toolSuccesses} succeeded, ${progress.toolErrors} failed). Current phase: ${this.state.getPhase()}. Findings: ${this.state.getFindings?.()?.length ?? "unknown"}.`;
@@ -10477,27 +10662,62 @@ ${firstLine}`, phase }
           progress.blockedCommandPatterns.clear();
         }
       }
+      const rawOutputForTUI = outputText;
+      let digestedOutputForLLM = outputText;
+      let digestResult = null;
       try {
         const llmDigestFn = createLLMDigestFn(this.llm);
-        const digestResult = await digestToolOutput(
+        digestResult = await digestToolOutput(
           outputText,
           call.name,
           JSON.stringify(call.input).slice(0, DISPLAY_LIMITS.OUTPUT_SUMMARY),
           llmDigestFn
         );
-        outputText = digestResult.digestedOutput;
+        digestedOutputForLLM = digestResult.digestedOutput;
       } catch {
-        if (outputText.length > AGENT_LIMITS.MAX_TOOL_OUTPUT_LENGTH) {
-          const truncated = outputText.slice(0, AGENT_LIMITS.MAX_TOOL_OUTPUT_LENGTH);
-          const remaining = outputText.length - AGENT_LIMITS.MAX_TOOL_OUTPUT_LENGTH;
-          outputText = `${truncated}
+        if (digestedOutputForLLM.length > AGENT_LIMITS.MAX_TOOL_OUTPUT_LENGTH) {
+          const truncated = digestedOutputForLLM.slice(0, AGENT_LIMITS.MAX_TOOL_OUTPUT_LENGTH);
+          const remaining = digestedOutputForLLM.length - AGENT_LIMITS.MAX_TOOL_OUTPUT_LENGTH;
+          digestedOutputForLLM = `${truncated}
 
 ... [TRUNCATED ${remaining} characters for context hygiene] ...
 \u{1F4A1} TIP: If you need to see the full output, use a tool to read the file directly or run the command with | head, | tail, or | grep.`;
         }
       }
-      this.emitToolResult(call.name, result2.success, outputText, result2.error, Date.now() - toolStartTime);
-      return { toolCallId: call.id, output: outputText, error: result2.error };
+      this.emitToolResult(call.name, result2.success, rawOutputForTUI, result2.error, Date.now() - toolStartTime);
+      const inputSummary = JSON.stringify(call.input);
+      this.turnToolJournal.push({
+        name: call.name,
+        inputSummary,
+        success: result2.success,
+        analystSummary: digestResult?.memo ? digestResult.memo.keyFindings.join("; ") || "No key findings" : digestedOutputForLLM,
+        outputFile: digestResult?.fullOutputPath ?? null
+      });
+      if (digestResult?.memo) {
+        const m = digestResult.memo;
+        this.turnMemo.keyFindings.push(...m.keyFindings);
+        this.turnMemo.credentials.push(...m.credentials);
+        this.turnMemo.attackVectors.push(...m.attackVectors);
+        this.turnMemo.failures.push(...m.failures);
+        this.turnMemo.suspicions.push(...m.suspicions);
+        const VALUE_RANK = { HIGH: 3, MED: 2, LOW: 1, NONE: 0 };
+        if ((VALUE_RANK[m.attackValue] ?? 0) > (VALUE_RANK[this.turnMemo.attackValue] ?? 0)) {
+          this.turnMemo.attackValue = m.attackValue;
+        }
+        this.turnMemo.nextSteps.push(...m.nextSteps);
+        if (m.reflection) this.turnReflections.push(m.reflection);
+      }
+      if (digestResult?.memo?.credentials.length) {
+        for (const cred of digestResult.memo.credentials) {
+          this.state.addLoot({
+            type: "credential",
+            host: "auto-extracted",
+            detail: cred,
+            obtainedAt: Date.now()
+          });
+        }
+      }
+      return { toolCallId: call.id, output: digestedOutputForLLM, error: result2.error };
     } catch (error) {
       const errorMsg = String(error);
       const enrichedError = this.enrichToolError({ toolName: call.name, input: call.input, error: errorMsg, originalOutput: "", progress });
@@ -10572,8 +10792,8 @@ ${firstLine}`, phase }
 };
 
 // src/agents/prompt-builder.ts
-import { readFileSync as readFileSync5, existsSync as existsSync8, readdirSync as readdirSync2 } from "fs";
-import { join as join10, dirname as dirname5 } from "path";
+import { readFileSync as readFileSync6, existsSync as existsSync9, readdirSync as readdirSync3 } from "fs";
+import { join as join11, dirname as dirname5 } from "path";
 import { fileURLToPath as fileURLToPath4 } from "url";
 
 // src/shared/constants/prompts.ts
@@ -10634,73 +10854,6 @@ var INITIAL_TASKS = {
   RECON: "Initial reconnaissance and target discovery"
 };
 
-// src/shared/constants/service-ports.ts
-var SERVICE_PORTS = {
-  SSH: 22,
-  FTP: 21,
-  TELNET: 23,
-  SMTP: 25,
-  DNS: 53,
-  HTTP: 80,
-  POP3: 110,
-  IMAP: 143,
-  SMB_NETBIOS: 139,
-  SMB: 445,
-  HTTPS: 443,
-  MSSQL: 1433,
-  MYSQL: 3306,
-  RDP: 3389,
-  POSTGRESQL: 5432,
-  REDIS: 6379,
-  HTTP_ALT: 8080,
-  HTTPS_ALT: 8443,
-  MONGODB: 27017,
-  ELASTICSEARCH: 9200,
-  MEMCACHED: 11211,
-  NODE_DEFAULT: 3e3,
-  FLASK_DEFAULT: 5e3,
-  DJANGO_DEFAULT: 8e3
-};
-var CRITICAL_SERVICE_PORTS = [
-  SERVICE_PORTS.SSH,
-  SERVICE_PORTS.RDP,
-  SERVICE_PORTS.MYSQL,
-  SERVICE_PORTS.POSTGRESQL,
-  SERVICE_PORTS.REDIS,
-  SERVICE_PORTS.MONGODB
-];
-var NO_AUTH_CRITICAL_PORTS = [
-  SERVICE_PORTS.REDIS,
-  SERVICE_PORTS.MONGODB,
-  SERVICE_PORTS.ELASTICSEARCH,
-  SERVICE_PORTS.MEMCACHED
-];
-var WEB_SERVICE_PORTS = [
-  SERVICE_PORTS.HTTP,
-  SERVICE_PORTS.HTTPS,
-  SERVICE_PORTS.HTTP_ALT,
-  SERVICE_PORTS.HTTPS_ALT,
-  SERVICE_PORTS.NODE_DEFAULT,
-  SERVICE_PORTS.FLASK_DEFAULT,
-  SERVICE_PORTS.DJANGO_DEFAULT
-];
-var PLAINTEXT_HTTP_PORTS = [
-  SERVICE_PORTS.HTTP,
-  SERVICE_PORTS.HTTP_ALT,
-  SERVICE_PORTS.NODE_DEFAULT
-];
-var DATABASE_PORTS = [
-  SERVICE_PORTS.MYSQL,
-  SERVICE_PORTS.POSTGRESQL,
-  SERVICE_PORTS.MSSQL,
-  SERVICE_PORTS.MONGODB,
-  SERVICE_PORTS.REDIS
-];
-var SMB_PORTS = [
-  SERVICE_PORTS.SMB,
-  SERVICE_PORTS.SMB_NETBIOS
-];
-
 // src/shared/constants/scoring.ts
 var ATTACK_SCORING = {
   /** Base score for all attack prioritization */
@@ -10861,10 +11014,229 @@ function getAttacksForService(service, port) {
   return attacks;
 }
 
+// src/shared/utils/journal.ts
+import { writeFileSync as writeFileSync8, readFileSync as readFileSync5, existsSync as existsSync8, readdirSync as readdirSync2, statSync as statSync2, unlinkSync as unlinkSync5 } from "fs";
+import { join as join10 } from "path";
+var MAX_JOURNAL_ENTRIES = 50;
+var SUMMARY_REGEN_INTERVAL = 10;
+var MAX_OUTPUT_FILES = 30;
+var TURN_PREFIX = "turn-";
+var SUMMARY_FILE = "summary.md";
+function writeJournalEntry(entry) {
+  try {
+    const journalDir = WORKSPACE.JOURNAL;
+    ensureDirExists(journalDir);
+    const padded = String(entry.turn).padStart(4, "0");
+    const filePath = join10(journalDir, `${TURN_PREFIX}${padded}.json`);
+    writeFileSync8(filePath, JSON.stringify(entry, null, 2), "utf-8");
+    return filePath;
+  } catch (err) {
+    debugLog("general", "Failed to write journal entry", { turn: entry.turn, error: String(err) });
+    return null;
+  }
+}
+function readJournalSummary() {
+  try {
+    const summaryPath = join10(WORKSPACE.JOURNAL, SUMMARY_FILE);
+    if (!existsSync8(summaryPath)) return "";
+    return readFileSync5(summaryPath, "utf-8");
+  } catch {
+    return "";
+  }
+}
+function getRecentEntries(count = MAX_JOURNAL_ENTRIES) {
+  try {
+    const journalDir = WORKSPACE.JOURNAL;
+    if (!existsSync8(journalDir)) return [];
+    const files = readdirSync2(journalDir).filter((f) => f.startsWith(TURN_PREFIX) && f.endsWith(".json")).sort().slice(-count);
+    const entries = [];
+    for (const file of files) {
+      try {
+        const raw = readFileSync5(join10(journalDir, file), "utf-8");
+        entries.push(JSON.parse(raw));
+      } catch {
+      }
+    }
+    return entries;
+  } catch {
+    return [];
+  }
+}
+function getNextTurnNumber() {
+  try {
+    const journalDir = WORKSPACE.JOURNAL;
+    if (!existsSync8(journalDir)) return 1;
+    const files = readdirSync2(journalDir).filter((f) => f.startsWith(TURN_PREFIX) && f.endsWith(".json")).sort();
+    if (files.length === 0) return 1;
+    const lastFile = files[files.length - 1];
+    const match = lastFile.match(/turn-(\d+)\.json/);
+    return match ? parseInt(match[1], 10) + 1 : 1;
+  } catch {
+    return 1;
+  }
+}
+function shouldRegenerateSummary(currentTurn) {
+  return currentTurn > 0 && currentTurn % SUMMARY_REGEN_INTERVAL === 0;
+}
+function regenerateJournalSummary() {
+  try {
+    const entries = getRecentEntries();
+    if (entries.length === 0) return;
+    const journalDir = WORKSPACE.JOURNAL;
+    ensureDirExists(journalDir);
+    const summary = buildSummaryFromEntries(entries);
+    const summaryPath = join10(journalDir, SUMMARY_FILE);
+    writeFileSync8(summaryPath, summary, "utf-8");
+    debugLog("general", "Journal summary regenerated", {
+      entries: entries.length,
+      summaryLength: summary.length
+    });
+  } catch (err) {
+    debugLog("general", "Failed to regenerate journal summary", { error: String(err) });
+  }
+}
+function buildSummaryFromEntries(entries) {
+  const attempts = [];
+  const findings = [];
+  const credentials = [];
+  const successes = [];
+  const failures = [];
+  const suspicions = [];
+  const nextSteps = [];
+  const reflections = [];
+  const VALUE_ORDER = { HIGH: 0, MED: 1, LOW: 2, NONE: 3 };
+  const reversed = [...entries].reverse();
+  for (const entry of reversed) {
+    const value = entry.memo.attackValue || "LOW";
+    for (const tool of entry.tools) {
+      attempts.push({
+        turn: entry.turn,
+        phase: entry.phase,
+        ok: tool.success,
+        name: tool.name,
+        input: tool.inputSummary,
+        value
+      });
+    }
+    for (const finding of entry.memo.keyFindings) {
+      const line = `- [T${entry.turn}|\u26A1${value}] ${finding}`;
+      if (!findings.includes(line)) findings.push(line);
+    }
+    for (const cred of entry.memo.credentials) {
+      const line = `- [T${entry.turn}] ${cred}`;
+      if (!credentials.includes(line)) credentials.push(line);
+    }
+    for (const vector of entry.memo.attackVectors) {
+      const line = `- [T${entry.turn}] ${vector}`;
+      if (!successes.includes(line)) successes.push(line);
+    }
+    for (const fail of entry.memo.failures) {
+      const line = `- [T${entry.turn}] ${fail}`;
+      if (!failures.includes(line)) failures.push(line);
+    }
+    for (const tool of entry.tools) {
+      if (!tool.success) {
+        const detail = `${tool.name}(${tool.inputSummary}): ${tool.analystSummary}`;
+        const line = `- [T${entry.turn}] ${detail}`;
+        if (!failures.includes(line)) failures.push(line);
+      }
+    }
+    for (const s of entry.memo.suspicions || []) {
+      const line = `- [T${entry.turn}] ${s}`;
+      if (!suspicions.includes(line)) suspicions.push(line);
+    }
+    if (nextSteps.length < 5) {
+      for (const step of entry.memo.nextSteps) {
+        if (!nextSteps.includes(`- ${step}`)) nextSteps.push(`- ${step}`);
+      }
+    }
+    if (entry.reflection) {
+      reflections.push(`- [T${entry.turn}|\u26A1${value}] ${entry.reflection}`);
+    }
+  }
+  attempts.sort((a, b) => {
+    const vd = (VALUE_ORDER[a.value] ?? 3) - (VALUE_ORDER[b.value] ?? 3);
+    return vd !== 0 ? vd : b.turn - a.turn;
+  });
+  const attemptLines = attempts.map(
+    (a) => `- [T${a.turn}|${a.phase}|\u26A1${a.value}] ${a.ok ? "\u2705" : "\u274C"} ${a.name}: ${a.input}`
+  );
+  const lastTurn = entries[entries.length - 1]?.turn || 0;
+  const sections = [
+    `# Session Journal Summary`,
+    `> Turn ${lastTurn} / ${(/* @__PURE__ */ new Date()).toISOString().slice(0, 19)}`,
+    ""
+  ];
+  const addSection = (title, items) => {
+    if (items.length === 0) return;
+    sections.push(`## ${title}`);
+    sections.push(...items);
+    sections.push("");
+  };
+  if (attemptLines.length > 0) {
+    sections.push("## Techniques Tried (by attack value)");
+    sections.push("> \u26A1HIGH=keep drilling \u26A1MED=worth exploring \u26A1LOW=low priority \u26A1NONE=abandon");
+    sections.push(...attemptLines);
+    sections.push("");
+  }
+  addSection("\u{1F9E0} Analyst Analysis (attack value rationale)", reflections);
+  addSection("\u{1F50D} Suspicious Signals (unconfirmed, needs investigation)", suspicions);
+  addSection("\u{1F4CB} Key Findings", findings);
+  addSection("\u{1F511} Credentials Obtained", credentials);
+  addSection("\u2705 Successful Attack Vectors", successes);
+  addSection("\u274C Failure Causes (do not repeat)", failures);
+  addSection("\u27A1\uFE0F Next Recommendations", nextSteps);
+  return sections.join("\n");
+}
+function rotateJournalEntries() {
+  try {
+    const journalDir = WORKSPACE.JOURNAL;
+    if (!existsSync8(journalDir)) return;
+    const files = readdirSync2(journalDir).filter((f) => f.startsWith(TURN_PREFIX) && f.endsWith(".json")).sort();
+    if (files.length <= MAX_JOURNAL_ENTRIES) return;
+    const toDelete = files.slice(0, files.length - MAX_JOURNAL_ENTRIES);
+    for (const file of toDelete) {
+      try {
+        unlinkSync5(join10(journalDir, file));
+      } catch {
+      }
+    }
+    debugLog("general", "Journal entries rotated", {
+      deleted: toDelete.length,
+      remaining: MAX_JOURNAL_ENTRIES
+    });
+  } catch {
+  }
+}
+function rotateOutputFiles() {
+  try {
+    const outputDir = WORKSPACE.OUTPUTS;
+    if (!existsSync8(outputDir)) return;
+    const files = readdirSync2(outputDir).filter((f) => f.endsWith(".txt")).map((f) => ({
+      name: f,
+      path: join10(outputDir, f),
+      mtime: statSync2(join10(outputDir, f)).mtimeMs
+    })).sort((a, b) => b.mtime - a.mtime);
+    if (files.length <= MAX_OUTPUT_FILES) return;
+    const toDelete = files.slice(MAX_OUTPUT_FILES);
+    for (const file of toDelete) {
+      try {
+        unlinkSync5(file.path);
+      } catch {
+      }
+    }
+    debugLog("general", "Output files rotated", {
+      deleted: toDelete.length,
+      remaining: MAX_OUTPUT_FILES
+    });
+  } catch {
+  }
+}
+
 // src/agents/prompt-builder.ts
 var __dirname4 = dirname5(fileURLToPath4(import.meta.url));
-var PROMPTS_DIR = join10(__dirname4, "prompts");
-var TECHNIQUES_DIR = join10(PROMPTS_DIR, PROMPT_PATHS.TECHNIQUES_DIR);
+var PROMPTS_DIR = join11(__dirname4, "prompts");
+var TECHNIQUES_DIR = join11(PROMPTS_DIR, PROMPT_PATHS.TECHNIQUES_DIR);
 var { AGENT_FILES } = PROMPT_PATHS;
 var PHASE_PROMPT_MAP = {
   // Direct mappings — phase has its own prompt file
@@ -10938,6 +11310,7 @@ var PromptBuilder = class {
    * 13. Learned techniques (#7: dynamic technique library)
    * 14. Persistent memory (#12: cross-session knowledge)
    * ★ 15. STRATEGIC DIRECTIVE — LLM-generated tactical instructions (D-CIPHER)
+   * ★ 15b. SESSION JOURNAL — compressed history of past turns (§13 memo system)
    * 16. User context
    */
   async build(userInput, phase) {
@@ -10963,8 +11336,10 @@ var PromptBuilder = class {
       // #12
       this.getDynamicTechniquesFragment(),
       // #7
-      this.getPersistentMemoryFragment()
+      this.getPersistentMemoryFragment(),
       // #12
+      this.getJournalFragment()
+      // §13 session journal
     ];
     const strategistDirective = await this.getStrategistFragment();
     if (strategistDirective) {
@@ -10988,8 +11363,8 @@ ${content}
    * Load a prompt file from src/agents/prompts/
    */
   loadPromptFile(filename) {
-    const path2 = join10(PROMPTS_DIR, filename);
-    return existsSync8(path2) ? readFileSync5(path2, PROMPT_CONFIG.ENCODING) : "";
+    const path2 = join11(PROMPTS_DIR, filename);
+    return existsSync9(path2) ? readFileSync6(path2, PROMPT_CONFIG.ENCODING) : "";
   }
   /**
    * Load phase-specific prompt.
@@ -11032,18 +11407,18 @@ ${content}
    *    as general reference — NO code change needed to add new techniques.
    *
    * The map is an optimization (priority ordering), not a gate.
-   * "마크다운 파일 하나를 폴더에 넣으면, PromptBuilder가 자동으로 발견하고 로드한다."
+   * "Drop a markdown file in the folder, PromptBuilder auto-discovers and loads it."
    */
   loadPhaseRelevantTechniques(phase) {
-    if (!existsSync8(TECHNIQUES_DIR)) return "";
+    if (!existsSync9(TECHNIQUES_DIR)) return "";
     const priorityTechniques = PHASE_TECHNIQUE_MAP[phase] || [];
     const loadedSet = /* @__PURE__ */ new Set();
     const fragments = [];
     for (const technique of priorityTechniques) {
-      const filePath = join10(TECHNIQUES_DIR, `${technique}.md`);
+      const filePath = join11(TECHNIQUES_DIR, `${technique}.md`);
       try {
-        if (!existsSync8(filePath)) continue;
-        const content = readFileSync5(filePath, PROMPT_CONFIG.ENCODING);
+        if (!existsSync9(filePath)) continue;
+        const content = readFileSync6(filePath, PROMPT_CONFIG.ENCODING);
         if (content) {
           fragments.push(`<technique-reference category="${technique}">
 ${content}
@@ -11054,10 +11429,10 @@ ${content}
       }
     }
     try {
-      const allFiles = readdirSync2(TECHNIQUES_DIR).filter((f) => f.endsWith(".md") && f !== "README.md" && !loadedSet.has(f));
+      const allFiles = readdirSync3(TECHNIQUES_DIR).filter((f) => f.endsWith(".md") && f !== "README.md" && !loadedSet.has(f));
       for (const file of allFiles) {
-        const filePath = join10(TECHNIQUES_DIR, file);
-        const content = readFileSync5(filePath, PROMPT_CONFIG.ENCODING);
+        const filePath = join11(TECHNIQUES_DIR, file);
+        const content = readFileSync6(filePath, PROMPT_CONFIG.ENCODING);
         if (content) {
           const category = file.replace(".md", "");
           fragments.push(`<technique-reference category="${category}">
@@ -11160,6 +11535,23 @@ ${lines.join("\n")}
     }
     return this.state.persistentMemory.toPrompt(services);
   }
+  // --- §13: Session Journal Summary ---
+  /**
+   * Load journal summary from .pentesting/journal/summary.md
+   * Provides compressed history of past turns — what worked, what failed,
+   * what was discovered. Main LLM uses this for continuity across many turns.
+   */
+  getJournalFragment() {
+    try {
+      const summary = readJournalSummary();
+      if (!summary) return "";
+      return `<session-journal>
+${summary}
+</session-journal>`;
+    } catch {
+      return "";
+    }
+  }
   // --- D-CIPHER: Strategist Meta-Prompting ---
   /**
    * Generate strategic directive via Strategist LLM.
@@ -11172,29 +11564,11 @@ ${lines.join("\n")}
 };
 
 // src/agents/strategist.ts
-import { readFileSync as readFileSync6, existsSync as existsSync9 } from "fs";
-import { join as join11, dirname as dirname6 } from "path";
+import { readFileSync as readFileSync7, existsSync as existsSync10 } from "fs";
+import { join as join12, dirname as dirname6 } from "path";
 import { fileURLToPath as fileURLToPath5 } from "url";
-
-// src/shared/constants/strategist.ts
-var STRATEGIST_LIMITS = {
-  /** Maximum characters of state context sent to Strategist LLM.
-   *  WHY: Keeps Strategist input focused and affordable (~3-5K tokens).
-   *  Full state can be 20K+; Strategist needs summary, not everything. */
-  MAX_INPUT_CHARS: 15e3,
-  /** Maximum characters for the Strategist's response.
-   *  WHY: Directives should be terse and actionable (~800-1500 tokens).
-   *  Enhanced format includes SITUATION, priorities, EXHAUSTED, and SEARCH ORDERS. */
-  MAX_OUTPUT_CHARS: 5e3,
-  /** Maximum lines in the directive output.
-   *  WHY: Forces concise, prioritized directives while allowing
-   *  structured format (priorities + exhausted + search orders). */
-  MAX_DIRECTIVE_LINES: 60
-};
-
-// src/agents/strategist.ts
 var __dirname5 = dirname6(fileURLToPath5(import.meta.url));
-var STRATEGIST_PROMPT_PATH = join11(__dirname5, "prompts", "strategist-system.md");
+var STRATEGIST_PROMPT_PATH = join12(__dirname5, "prompts", "strategist-system.md");
 var Strategist = class {
   llm;
   state;
@@ -11245,24 +11619,33 @@ var Strategist = class {
     const sections = [];
     sections.push("## Engagement State");
     sections.push(this.state.toPrompt());
-    const timeline = this.state.episodicMemory.toPrompt();
-    if (timeline) {
-      sections.push("");
-      sections.push("## Recent Actions");
-      sections.push(timeline);
-    }
     const failures = this.state.workingMemory.toPrompt();
     if (failures) {
       sections.push("");
       sections.push("## Failed Attempts (DO NOT REPEAT THESE)");
       sections.push(failures);
     }
+    try {
+      const journalSummary = readJournalSummary();
+      if (journalSummary) {
+        sections.push("");
+        sections.push("## Session Journal (past turns summary)");
+        sections.push(journalSummary);
+      }
+    } catch {
+    }
     const graph = this.state.attackGraph.toPrompt();
     if (graph) {
       sections.push("");
       sections.push("## Attack Graph");
       sections.push(graph);
     }
+    const timeline = this.state.episodicMemory.toPrompt();
+    if (timeline) {
+      sections.push("");
+      sections.push("## Recent Actions");
+      sections.push(timeline);
+    }
     const techniques = this.state.dynamicTechniques.toPrompt();
     if (techniques) {
       sections.push("");
@@ -11278,16 +11661,12 @@ var Strategist = class {
       sections.push(`## Challenge Type: ${analysis.primaryType.toUpperCase()} (${(analysis.confidence * 100).toFixed(0)}%)`);
       sections.push(analysis.strategySuggestion);
     }
-    let input = sections.join("\n");
-    if (input.length > STRATEGIST_LIMITS.MAX_INPUT_CHARS) {
-      input = input.slice(0, STRATEGIST_LIMITS.MAX_INPUT_CHARS) + "\n\n... [state truncated for Strategist context]";
-    }
-    return input;
+    return sections.join("\n");
   }
   // ─── LLM Call ───────────────────────────────────────────────
   async callLLM(input) {
     const messages = [{
-      role: "user",
+      role: LLM_ROLES.USER,
       content: `Analyze this penetration test situation and write a tactical directive for the attack agent.
 
 ${input}`
@@ -11299,9 +11678,6 @@ ${input}`
       this.systemPrompt
     );
     let content = response.content || "";
-    if (content.length > STRATEGIST_LIMITS.MAX_OUTPUT_CHARS) {
-      content = content.slice(0, STRATEGIST_LIMITS.MAX_OUTPUT_CHARS) + "\n... [directive truncated]";
-    }
     const cost = response.usage ? response.usage.input_tokens + response.usage.output_tokens : 0;
     this.totalTokenCost += cost;
     return {
@@ -11316,7 +11692,7 @@ ${input}`
    */
   formatForPrompt(directive, isStale = false) {
     if (!directive.content) return "";
-    const age = Math.floor((Date.now() - directive.generatedAt) / 6e4);
+    const age = Math.floor((Date.now() - directive.generatedAt) / MS_PER_MINUTE);
     const staleWarning = isStale ? `
 NOTE: This directive is from ${age}min ago (Strategist call failed this turn). Verify assumptions are still valid.` : "";
     return [
@@ -11331,8 +11707,8 @@ NOTE: This directive is from ${age}min ago (Strategist call failed this turn). V
   // ─── System Prompt Loading ──────────────────────────────────
   loadSystemPrompt() {
     try {
-      if (existsSync9(STRATEGIST_PROMPT_PATH)) {
-        return readFileSync6(STRATEGIST_PROMPT_PATH, "utf-8");
+      if (existsSync10(STRATEGIST_PROMPT_PATH)) {
+        return readFileSync7(STRATEGIST_PROMPT_PATH, "utf-8");
       }
     } catch {
     }
@@ -11374,6 +11750,8 @@ var MainAgent = class extends CoreAgent {
   approvalGate;
   scopeGuard;
   userInput = "";
+  /** Monotonic turn counter for journal entries */
+  turnCounter = 0;
   constructor(state, events, toolRegistry, approvalGate, scopeGuard) {
     super(AGENT_ROLES.ORCHESTRATOR, state, events, toolRegistry);
     this.approvalGate = approvalGate;
@@ -11411,8 +11789,34 @@ var MainAgent = class extends CoreAgent {
    * The Strategist LLM generates a fresh tactical directive every turn.
    */
   async step(iteration, messages, _unusedPrompt, progress) {
+    if (this.turnCounter === 0) {
+      this.turnCounter = getNextTurnNumber();
+    }
+    this.turnToolJournal = [];
+    this.turnMemo = { keyFindings: [], credentials: [], attackVectors: [], failures: [], suspicions: [], attackValue: "LOW", nextSteps: [] };
+    this.turnReflections = [];
     const dynamicPrompt = await this.getCurrentPrompt();
     const result2 = await super.step(iteration, messages, dynamicPrompt, progress);
+    if (this.turnToolJournal.length > 0) {
+      try {
+        const entry = {
+          turn: this.turnCounter,
+          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          phase: this.state.getPhase(),
+          tools: this.turnToolJournal,
+          memo: this.turnMemo,
+          reflection: this.turnReflections.length > 0 ? this.turnReflections.join(" | ") : this.turnMemo.nextSteps.join("; ")
+        };
+        writeJournalEntry(entry);
+        if (shouldRegenerateSummary(this.turnCounter)) {
+          regenerateJournalSummary();
+        }
+        rotateJournalEntries();
+        rotateOutputFiles();
+      } catch {
+      }
+      this.turnCounter++;
+    }
     this.emitStateChange();
     return result2;
   }
@@ -11465,8 +11869,8 @@ var MainAgent = class extends CoreAgent {
     });
   }
   // ─── Public API Surface ─────────────────────────────────────
-  setAutoApprove(enabled) {
-    this.approvalGate.setAutoApprove(enabled);
+  setAutoApprove(shouldEnable) {
+    this.approvalGate.setAutoApprove(shouldEnable);
   }
   getState() {
     return this.state;
@@ -11978,9 +12382,10 @@ var useAgentEvents = (agent, eventsRef, state) => {
     const onReasoningDelta = (e) => {
       reasoningBufferRef.current += e.data.content;
       const chars = reasoningBufferRef.current.length;
-      const estTokens = Math.round(chars / 4);
+      const estTokens = Math.round(chars / LLM_LIMITS.charsPerTokenEstimate);
+      const firstLine = reasoningBufferRef.current.split("\n")[0]?.slice(0, TUI_DISPLAY_LIMITS.reasoningPreviewChars) || "";
       setCurrentStatus(`Reasoning (~${estTokens} tokens)
-${reasoningBufferRef.current}`);
+${firstLine}`);
     };
     const onReasoningEnd = () => {
       const text = reasoningBufferRef.current.trim();
@@ -12439,7 +12844,7 @@ var MessageList = memo(({ messages }) => {
     if (msg.type === "thinking") {
       const lines = msg.content.split("\n");
       const charCount = msg.content.length;
-      const estTokens = Math.round(charCount / 4);
+      const estTokens = Math.round(charCount / LLM_LIMITS.charsPerTokenEstimate);
       return /* @__PURE__ */ jsxs2(Box2, { flexDirection: "column", marginTop: 0, marginBottom: 1, children: [
         /* @__PURE__ */ jsxs2(Box2, { children: [
           /* @__PURE__ */ jsx2(Text2, { color: THEME.cyan, bold: true, children: "Reasoning" }),
@@ -12701,9 +13106,9 @@ import { memo as memo5 } from "react";
 import { Box as Box5, Text as Text6 } from "ink";
 import { jsx as jsx6, jsxs as jsxs5 } from "react/jsx-runtime";
 var formatElapsed = (totalSeconds) => {
-  const hours = Math.floor(totalSeconds / 3600);
-  const minutes = Math.floor(totalSeconds % 3600 / 60);
-  const seconds = Math.floor(totalSeconds % 60);
+  const hours = Math.floor(totalSeconds / SECONDS_PER_HOUR);
+  const minutes = Math.floor(totalSeconds % SECONDS_PER_HOUR / SECONDS_PER_MINUTE);
+  const seconds = Math.floor(totalSeconds % SECONDS_PER_MINUTE);
   const pad = (n) => String(n).padStart(2, "0");
   if (hours > 0) {
     return `${hours}:${pad(minutes)}:${pad(seconds)}`;
@@ -12857,11 +13262,11 @@ var App = ({ autoApprove = false, target }) => {
           }
           if (f.evidence.length > 0) {
             findingLines.push(`    Evidence:`);
-            f.evidence.slice(0, 3).forEach((e) => {
-              const preview = e.length > 120 ? e.slice(0, 120) + "..." : e;
+            f.evidence.slice(0, DISPLAY_LIMITS.EVIDENCE_ITEMS_PREVIEW).forEach((e) => {
+              const preview = e.length > DISPLAY_LIMITS.EVIDENCE_PREVIEW_LENGTH ? e.slice(0, DISPLAY_LIMITS.EVIDENCE_PREVIEW_LENGTH) + "..." : e;
               findingLines.push(`      \u25B8 ${preview}`);
             });
-            if (f.evidence.length > 3) findingLines.push(`      ... +${f.evidence.length - 3} more`);
+            if (f.evidence.length > DISPLAY_LIMITS.EVIDENCE_ITEMS_PREVIEW) findingLines.push(`      ... +${f.evidence.length - DISPLAY_LIMITS.EVIDENCE_ITEMS_PREVIEW} more`);
           }
           findingLines.push("");
         });