pentesting 0.70.11 → 0.72.8

package/dist/chunk-6YWYFB6E.js

@@ -0,0 +1,3160 @@
+import {
+  DETECTION_PATTERNS,
+  EXIT_CODES,
+  ORPHAN_PROCESS_NAMES,
+  PROCESS_EVENTS,
+  PROCESS_ICONS,
+  PROCESS_ROLES,
+  STATUS_MARKERS,
+  SYSTEM_LIMITS,
+  clearAllProcesses,
+  deleteProcess,
+  getAllProcessIds,
+  getAllProcesses,
+  getBackgroundProcessesMap,
+  getLimits,
+  getPipelineConfig,
+  getProcess,
+  getProcessEventLog,
+  logEvent,
+  setProcess
+} from "./chunk-74KL4OOU.js";
+
+// src/shared/constants/time/conversions.ts
+var MS_PER_MINUTE = 6e4;
+
+// src/shared/constants/time/timeouts.ts
+var TOOL_TIMEOUTS = {
+  /** Default timeout for most shell commands (30 minutes) */
+  DEFAULT_COMMAND: 18e5,
+  /** Quick operations like whois, dig */
+  QUICK: 15e3,
+  /** Search operations (searchsploit, web search) */
+  SEARCH: 3e4,
+  /** Directory brute force operations (60 minutes) */
+  DIR_BRUTEFORCE: 36e5,
+  /** Port scanning operations (60 minutes) */
+  PORT_SCAN: 36e5,
+  /** Full web application scan (60 minutes) */
+  WEB_SCAN: 36e5
+};
+var CURL_MAX_TIME_SEC = 600;
+
+// src/shared/constants/limits/display.ts
+var DISPLAY_LIMITS = {
+  /** Max characters to show in tool input preview */
+  TOOL_INPUT_PREVIEW: 50,
+  /** Max characters after truncation indicator */
+  TOOL_INPUT_TRUNCATED: 30,
+  /** Max characters to show in tool output preview */
+  TOOL_OUTPUT_PREVIEW: 200,
+  /** Max characters to show in tool output slice (events) */
+  TOOL_OUTPUT_SLICE: 80,
+  /** Max characters to show in tool error preview (events) */
+  TOOL_ERROR_SLICE: 120,
+  /** Max characters for delegate output preview */
+  DELEGATE_OUTPUT_SLICE: 60,
+  /** Max characters for command preview in logs */
+  COMMAND_PREVIEW: 300,
+  /** Max characters for output summary in agent loop */
+  OUTPUT_SUMMARY: 200,
+  /** Max characters for error preview in logs */
+  ERROR_PREVIEW: 100,
+  /** Max characters for status thought preview */
+  STATUS_THOUGHT_PREVIEW: 60,
+  /** Max characters after truncation for status */
+  STATUS_THOUGHT_TRUNCATED: 40,
+  /** Max characters for thought snippet in events */
+  THOUGHT_SNIPPET: 80,
+  /** Max characters for retry error preview */
+  RETRY_ERROR_PREVIEW: 60,
+  /** Max characters after truncation for retry error */
+  RETRY_ERROR_TRUNCATED: 57,
+  /** Exit delay in ms */
+  EXIT_DELAY: 100,
+  /** Max characters in reasoning buffer */
+  REASONING_BUFFER: 5e3,
+  /** Max characters in reasoning history slice */
+  REASONING_HISTORY_SLICE: 1e3,
+  /** Timer update interval in ms */
+  TIMER_INTERVAL: 1e3,
+  /** Default number of compact list items to display */
+  COMPACT_LIST_ITEMS: 7,
+  /** Number of targets to preview in state summary */
+  TARGET_PREVIEW: 3,
+  /** Number of important findings to preview */
+  FINDING_PREVIEW: 5,
+  /** Number of hashes to preview */
+  HASH_PREVIEW: 20,
+  /** Number of loot items to preview */
+  LOOT_PREVIEW: 30,
+  /** Number of recent process events to show */
+  RECENT_EVENT_COUNT: 5,
+  /** Max links to preview in browser output */
+  LINKS_PREVIEW: 20,
+  /** Max endpoints to sample */
+  ENDPOINT_SAMPLE: 5,
+  /** Purpose truncation length */
+  PURPOSE_TRUNCATE: 27,
+  /** Max characters for command description in background process */
+  COMMAND_DESCRIPTION_PREVIEW: 80,
+  /** Max characters for hash preview in tool output */
+  HASH_PREVIEW_LENGTH: 20,
+  /** Max characters for loot detail preview */
+  LOOT_DETAIL_PREVIEW: 30,
+  /** Max characters for episodic memory event detail preview */
+  MEMORY_EVENT_PREVIEW: 50,
+  /** Max characters for link text preview in browser */
+  LINK_TEXT_PREVIEW: 100,
+  /** Prefix length for API key redaction in logs */
+  API_KEY_PREFIX: 8,
+  /** Prefix length for sensitive value redaction */
+  REDACT_PREFIX: 4,
+  /** Max characters for raw JSON error preview */
+  RAW_JSON_ERROR_PREVIEW: 500,
+  // ─── Memory/History Slice Sizes (§4-3 Extract Magic Values) ─────
+  /** Recent credentials to include in context */
+  RECENT_CREDENTIALS: 5,
+  /** Recent failures to analyze for patterns */
+  RECENT_FAILURES: 5,
+  /** Recent successes to include in summary */
+  RECENT_SUCCESSES: 3,
+  /** Recent insights to display */
+  RECENT_INSIGHTS: 3,
+  /** Recent memory events to include */
+  RECENT_MEMORY_EVENTS: 10,
+  /** Summary window - small (for quick summaries) */
+  SUMMARY_WINDOW_SMALL: 100,
+  /** Summary window - large (for detailed summaries) */
+  SUMMARY_WINDOW_LARGE: 500,
+  // ─── Evidence Display ────────────────────────────────────────
+  /** Max evidence items to show in finding preview */
+  EVIDENCE_ITEMS_PREVIEW: 3,
+  /** Max characters per evidence item in preview */
+  EVIDENCE_PREVIEW_LENGTH: 120,
+  /** Max characters for API error response body */
+  API_ERROR_PREVIEW: 500,
+  /** Max characters per session/storage value in auth capture */
+  SESSION_VALUE_PREVIEW: 300
+};
+
+// src/shared/constants/llm/config.ts
+var RETRY_CONFIG = {
+  baseDelayMs: 2e3,
+  maxDelayMs: 6e4,
+  jitterMs: 1e3,
+  /** WHY Infinity: Rate limit (429) errors are transient infrastructure delays. 
+   *  Infinite fixed-interval retries allow the agent to eventually recover 
+   *  without failing the entire engagement. */
+  autoRetryMaxAttempts: Infinity,
+  autoRetryDelayMs: 1e4
+  // 10s fixed interval for 429/network errors
+};
+var config = getPipelineConfig();
+var mainLlmTokens = config.llm_nodes?.["main_llm"]?.limits?.max_tokens ?? 128e3;
+var strategistTokens = config.llm_nodes?.["strategist"]?.limits?.max_tokens ?? 262144;
+var LLM_LIMITS = {
+  /** WHY 64K: non-streaming calls (orchestrator, summaries) benefit from
+   *  generous output budgets. Don't force premature truncation. */
+  nonStreamMaxTokens: 65536,
+  /** WHY dynamic: streaming calls are the main agent loop. Override via config. */
+  streamMaxTokens: mainLlmTokens,
+  /** WHY: ~3.5 chars/token is a reasonable average for mixed English/CJK content */
+  charsPerTokenEstimate: 3.5,
+  /** WHY: 5 minutes max timeout for streaming and non-streaming responses */
+  fetchTimeoutMs: 3e5,
+  /** WHY dynamic: Total liberation for reporting and complex strategy. */
+  orchestratorMaxTokens: strategistTokens
+};
+var LLM_ERROR_TYPES = {
+  RATE_LIMIT: "rate_limit",
+  AUTH_ERROR: "auth_error",
+  INVALID_REQUEST: "invalid_request",
+  NETWORK_ERROR: "network_error",
+  TIMEOUT: "timeout",
+  UNKNOWN: "unknown"
+};
+
+// src/shared/constants/limits/agent.ts
+var { agent_loop, state, tool_output, prompt } = getLimits();
+var AGENT_LIMITS = {
+  // ─── Agent Loop ───────────────────────────────────────────────
+  MAX_ITERATIONS: agent_loop.max_iterations,
+  MAX_CONSECUTIVE_IDLE: agent_loop.max_consecutive_idle,
+  MAX_SESSION_FILES: agent_loop.max_session_files,
+  PERIODIC_REPORT_INTERVAL: agent_loop.periodic_report_every_n_turns,
+  // ─── Prompt ───────────────────────────────────────────────────
+  MAX_PROMPT_CHARS: prompt.max_chars,
+  // ─── Tool Output ──────────────────────────────────────────────
+  MAX_TOOL_OUTPUT_LENGTH: tool_output.max_chars,
+  // ─── SharedState Growth Limits ────────────────────────────────
+  MAX_FINDINGS: state.max_findings,
+  MAX_LOOT: state.max_loot,
+  MAX_ACTION_LOG: state.max_action_log,
+  MAX_FAILED_PATHS: state.max_failed_paths,
+  MAX_ATTACK_NODES: state.max_attack_nodes,
+  MAX_ATTACK_EDGES: state.max_attack_edges,
+  // ─── Fixed Infrastructure Constants (not tunable via yaml) ───
+  /** Infinite retry on LLM errors — rate limit recovery */
+  MAX_CONSECUTIVE_LLM_ERRORS: agent_loop.max_consecutive_llm_errors === "infinity" || agent_loop.max_consecutive_llm_errors === Infinity ? Infinity : Number(agent_loop.max_consecutive_llm_errors ?? Infinity),
+  MAX_RETRIES: agent_loop.max_retries ?? 3,
+  MAX_INSTALL_RETRIES: 1,
+  // kept as fixed internal infrastructure config
+  MAX_TOKENS: LLM_LIMITS.streamMaxTokens,
+  ID_LENGTH: 7,
+  ID_RADIX: 36,
+  BLOCKED_PATTERN_KEY_SLICE: 80,
+  ERROR_SEARCH_PREVIEW_SLICE: 50,
+  MAX_BLOCKED_BEFORE_WARN: 2
+};
+
+// src/shared/constants/limits/memory.ts
+var { state: state2, archive } = getLimits();
+var MEMORY_LIMITS = {
+  WORKING_MEMORY_MAX_ENTRIES: state2.working_memory_max,
+  EPISODIC_MEMORY_MAX_EVENTS: state2.episodic_memory_max,
+  CONSECUTIVE_FAIL_THRESHOLD: state2.consecutive_fail_threshold,
+  DYNAMIC_TECHNIQUES_MAX: state2.dynamic_techniques_max,
+  TECHNIQUE_FAILURE_DECAY: state2.technique_failure_decay,
+  TECHNIQUE_PRUNE_THRESHOLD: state2.technique_prune_threshold,
+  MAX_TURN_ENTRIES: archive.max_turn_entries,
+  /** Maximum unverified techniques to show in prompt (display-only, not in yaml) */
+  PROMPT_UNVERIFIED_TECHNIQUES: 10
+};
+
+// src/shared/constants/patterns.ts
+var INPUT_PROMPT_PATTERNS = [
+  /\[sudo\] password/i,
+  /Password:/i,
+  /password for/i,
+  /Enter passphrase/i,
+  /Are you sure.*\(yes\/no\)/i,
+  /\(y\/N\)/i,
+  /\(Y\/n\)/i
+];
+
+// src/shared/constants/agent.ts
+var APP_NAME = "Pentest AI";
+var APP_VERSION = "0.72.8";
+var APP_DESCRIPTION = "Autonomous Penetration Testing AI Agent";
+var LLM_ROLES = {
+  SYSTEM: "system",
+  USER: "user",
+  ASSISTANT: "assistant"
+};
+var INPUT_TYPES = {
+  TEXT: "text",
+  PASSWORD: "password",
+  SUDO_PASSWORD: "sudo_password",
+  SSH_PASSWORD: "ssh_password",
+  SSH_KEY: "ssh_key",
+  PASSPHRASE: "passphrase",
+  API_KEY: "api_key",
+  CREDENTIAL: "credential",
+  CONFIRMATION: "confirmation",
+  CHOICE: "choice"
+};
+var SENSITIVE_INPUT_TYPES = [
+  INPUT_TYPES.PASSWORD,
+  INPUT_TYPES.SUDO_PASSWORD,
+  INPUT_TYPES.SSH_PASSWORD,
+  INPUT_TYPES.PASSPHRASE,
+  INPUT_TYPES.API_KEY,
+  INPUT_TYPES.CREDENTIAL
+];
+var AUXILIARY_WORK_TYPES = {
+  EXTRACTION: "context_extraction",
+  REFLECTION: "reflection",
+  POST_STEP: "post_step_tasks",
+  TURN_ARCHIVE: "turn_archive",
+  TURN_CYCLE: "turn_cycle"
+};
+
+// src/shared/constants/protocol/phases.ts
+var PHASES = {
+  RECON: "recon",
+  VULN_ANALYSIS: "vulnerability_analysis",
+  EXPLOIT: "exploit",
+  POST_EXPLOIT: "post_exploitation",
+  PRIV_ESC: "privilege_escalation",
+  LATERAL: "lateral_movement",
+  PERSISTENCE: "persistence",
+  EXFIL: "exfiltration",
+  WEB: "web",
+  REPORT: "report",
+  // CTF-specific phases
+  PWN: "pwn",
+  CRYPTO: "crypto",
+  FORENSICS: "forensics"
+};
+var PHASE_TRANSITIONS = {
+  [PHASES.RECON]: [PHASES.VULN_ANALYSIS, PHASES.WEB, PHASES.RECON, PHASES.PWN, PHASES.CRYPTO, PHASES.FORENSICS],
+  [PHASES.WEB]: [PHASES.VULN_ANALYSIS, PHASES.EXPLOIT, PHASES.RECON],
+  [PHASES.VULN_ANALYSIS]: [PHASES.EXPLOIT, PHASES.RECON, PHASES.WEB, PHASES.VULN_ANALYSIS],
+  [PHASES.EXPLOIT]: [PHASES.POST_EXPLOIT, PHASES.PRIV_ESC, PHASES.VULN_ANALYSIS, PHASES.LATERAL],
+  [PHASES.PRIV_ESC]: [PHASES.POST_EXPLOIT, PHASES.LATERAL, PHASES.EXPLOIT],
+  [PHASES.LATERAL]: [PHASES.POST_EXPLOIT, PHASES.EXPLOIT, PHASES.RECON],
+  [PHASES.PERSISTENCE]: [PHASES.POST_EXPLOIT, PHASES.LATERAL],
+  [PHASES.EXFIL]: [PHASES.POST_EXPLOIT, PHASES.REPORT],
+  [PHASES.POST_EXPLOIT]: [PHASES.PERSISTENCE, PHASES.EXFIL, PHASES.LATERAL, PHASES.REPORT],
+  [PHASES.REPORT]: [],
+  // CTF: 각 Phase에서 exploit/report로 전환 가능; 서로 간 전환도 허용
+  [PHASES.PWN]: [PHASES.EXPLOIT, PHASES.REPORT, PHASES.CRYPTO, PHASES.FORENSICS],
+  [PHASES.CRYPTO]: [PHASES.EXPLOIT, PHASES.REPORT, PHASES.PWN, PHASES.FORENSICS],
+  [PHASES.FORENSICS]: [PHASES.EXPLOIT, PHASES.REPORT, PHASES.PWN, PHASES.CRYPTO]
+};
+var AGENT_ROLES = {
+  ORCHESTRATOR: "orchestrator"
+};
+
+// src/shared/constants/protocol/services.ts
+var SERVICES = {
+  HTTP: "http",
+  HTTPS: "https",
+  SSH: "ssh",
+  FTP: "ftp",
+  SMB: "smb",
+  AD: "ad",
+  MYSQL: "mysql",
+  MSSQL: "mssql",
+  POSTGRES: "postgresql",
+  MONGODB: "mongodb",
+  REDIS: "redis",
+  ELASTIC: "elasticsearch",
+  API: "api",
+  // AD / Directory services
+  KERBEROS: "kerberos",
+  LDAP: "ldap",
+  // Network/Infrastructure services
+  NFS: "nfs",
+  RDP: "rdp",
+  VNC: "vnc",
+  // Container services
+  DOCKER: "docker",
+  KUBERNETES: "kubernetes",
+  // Wireless services
+  WIFI: "wifi",
+  BLUETOOTH: "bluetooth",
+  // ICS/SCADA services
+  MODBUS: "modbus",
+  DNP3: "dnp3",
+  S7COMM: "s7comm",
+  // Email services
+  SMTP: "smtp",
+  POP3: "pop3",
+  IMAP: "imap"
+};
+var SERVICE_CATEGORIES = {
+  NETWORK: "network",
+  WEB: "web",
+  DATABASE: "database",
+  AD: "ad",
+  EMAIL: "email",
+  REMOTE_ACCESS: "remote_access",
+  FILE_SHARING: "file_sharing",
+  CLOUD: "cloud",
+  CONTAINER: "container",
+  API: "api",
+  WIRELESS: "wireless",
+  ICS: "ics"
+};
+var APPROVAL_LEVELS = {
+  AUTO: "auto",
+  CONFIRM: "confirm",
+  REVIEW: "review",
+  BLOCK: "block"
+};
+var DANGER_LEVELS = {
+  PASSIVE: "passive",
+  ACTIVE: "active",
+  EXPLOIT: "exploit"
+};
+var CATEGORY_APPROVAL = {
+  [SERVICE_CATEGORIES.NETWORK]: APPROVAL_LEVELS.CONFIRM,
+  [SERVICE_CATEGORIES.WEB]: APPROVAL_LEVELS.CONFIRM,
+  [SERVICE_CATEGORIES.DATABASE]: APPROVAL_LEVELS.REVIEW,
+  [SERVICE_CATEGORIES.AD]: APPROVAL_LEVELS.REVIEW,
+  [SERVICE_CATEGORIES.EMAIL]: APPROVAL_LEVELS.CONFIRM,
+  [SERVICE_CATEGORIES.REMOTE_ACCESS]: APPROVAL_LEVELS.REVIEW,
+  [SERVICE_CATEGORIES.FILE_SHARING]: APPROVAL_LEVELS.CONFIRM,
+  [SERVICE_CATEGORIES.CLOUD]: APPROVAL_LEVELS.REVIEW,
+  [SERVICE_CATEGORIES.CONTAINER]: APPROVAL_LEVELS.REVIEW,
+  [SERVICE_CATEGORIES.API]: APPROVAL_LEVELS.CONFIRM,
+  [SERVICE_CATEGORIES.WIRELESS]: APPROVAL_LEVELS.REVIEW,
+  [SERVICE_CATEGORIES.ICS]: APPROVAL_LEVELS.BLOCK
+};
+var DANGER_LEVEL_MAP = {
+  [SERVICE_CATEGORIES.NETWORK]: DANGER_LEVELS.PASSIVE,
+  [SERVICE_CATEGORIES.WEB]: DANGER_LEVELS.ACTIVE,
+  [SERVICE_CATEGORIES.API]: DANGER_LEVELS.ACTIVE,
+  [SERVICE_CATEGORIES.EMAIL]: DANGER_LEVELS.ACTIVE,
+  [SERVICE_CATEGORIES.REMOTE_ACCESS]: DANGER_LEVELS.EXPLOIT,
+  [SERVICE_CATEGORIES.FILE_SHARING]: DANGER_LEVELS.ACTIVE,
+  [SERVICE_CATEGORIES.DATABASE]: DANGER_LEVELS.EXPLOIT,
+  [SERVICE_CATEGORIES.AD]: DANGER_LEVELS.EXPLOIT,
+  [SERVICE_CATEGORIES.CLOUD]: DANGER_LEVELS.EXPLOIT,
+  [SERVICE_CATEGORIES.CONTAINER]: DANGER_LEVELS.EXPLOIT,
+  [SERVICE_CATEGORIES.WIRELESS]: DANGER_LEVELS.EXPLOIT,
+  [SERVICE_CATEGORIES.ICS]: DANGER_LEVELS.EXPLOIT
+};
+
+// src/shared/constants/protocol/pentest.ts
+var TODO_STATUSES = {
+  PENDING: "pending",
+  IN_PROGRESS: "in_progress",
+  DONE: "done",
+  SKIPPED: "skipped"
+};
+var LOOT_TYPES = {
+  CREDENTIAL: "credential",
+  SESSION: "session",
+  HASH: "hash",
+  TOKEN: "token",
+  FILE: "file",
+  TICKET: "ticket",
+  SSH_KEY: "ssh_key",
+  CERTIFICATE: "certificate",
+  API_KEY: "api_key"
+};
+var APPROVAL_STATUSES = {
+  AUTO: "auto",
+  USER_CONFIRMED: "user_confirmed",
+  USER_REVIEWED: "user_reviewed",
+  DENIED: "denied"
+};
+var SEVERITIES = {
+  CRITICAL: "critical",
+  HIGH: "high",
+  MEDIUM: "medium",
+  LOW: "low",
+  INFO: "info"
+};
+var PRIORITIES = {
+  HIGH: "high",
+  MEDIUM: "medium",
+  LOW: "low"
+};
+var NOISE_LEVELS = {
+  LOW: "low",
+  MEDIUM: "medium",
+  HIGH: "high"
+};
+var DEFAULTS = {
+  ENGAGEMENT_NAME: "auto-assessment",
+  ENGAGEMENT_CLIENT: "internal",
+  UNKNOWN_PHASE: "unknown",
+  INIT_PHASE: "init",
+  /** Fallback service name when port fingerprinting yielded no result */
+  UNKNOWN_SERVICE: "unknown",
+  /** Default port state when not explicitly specified */
+  PORT_STATE_OPEN: "open"
+};
+var WORDLISTS = {
+  ROCKYOU: "/usr/share/wordlists/rockyou.txt",
+  COMMON_PASSWORDS: "/usr/share/seclists/Passwords/common-passwords.txt",
+  PASSWORDS_10K: "/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt",
+  USERNAMES: "/usr/share/seclists/Usernames/top-usernames-shortlist.txt",
+  DIRB_COMMON: "/usr/share/wordlists/dirb/common.txt",
+  RAFT_MEDIUM_DIRS: "/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt",
+  SUBDOMAINS: "/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt",
+  API_ENDPOINTS: "/usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt",
+  API_FUZZ: "/usr/share/seclists/Fuzzing/api-fuzz.txt"
+};
+var HASHCAT_MODES = {
+  MD5: "0",
+  SHA1: "100",
+  NTLM: "1000",
+  SHA256: "1400",
+  bcrypt: "3200",
+  WPA: "2500"
+};
+var NOISE_CLASSIFICATION = {
+  HIGH: [
+    "arp_spoof",
+    "mitm_proxy",
+    "packet_sniff",
+    "dns_spoof",
+    "traffic_intercept",
+    "nmap",
+    "nuclei",
+    "nikto"
+  ],
+  MEDIUM: [
+    "ffuf",
+    "gobuster",
+    "dirsearch",
+    "feroxbuster"
+  ],
+  LOW_VISIBILITY: [
+    "update_mission",
+    "get_state",
+    "update_phase",
+    "update_todo",
+    "add_target",
+    "add_finding",
+    "add_loot",
+    "set_scope",
+    "bg_status",
+    "bg_cleanup",
+    "health_check",
+    "ask_user"
+  ]
+};
+
+// src/shared/constants/tool-names.ts
+var TOOL_NAMES = {
+  // Basic Tools
+  RUN_CMD: "run_cmd",
+  READ_FILE: "read_file",
+  WRITE_FILE: "write_file",
+  BG_PROCESS: "bg_process",
+  // Intelligence & Research
+  PARSE_NMAP: "parse_nmap",
+  SEARCH_CVE: "search_cve",
+  WEB_SEARCH: "web_search",
+  BROWSE_URL: "browse_url",
+  EXTRACT_URLS: "extract_urls",
+  GET_CVE_INFO: "get_cve_info",
+  GET_OWASP_KNOWLEDGE: "get_owasp_knowledge",
+  GET_WEB_ATTACK_SURFACE: "get_web_attack_surface",
+  FILL_FORM: "fill_form",
+  // Payload Engineering
+  PAYLOAD_MUTATE: "payload_mutate",
+  GET_WORDLISTS: "get_wordlists",
+  // High-level / Engine Tools
+  ADD_FINDING: "add_finding",
+  UPDATE_MISSION: "update_mission",
+  UPDATE_TODO: "update_todo",
+  UPDATE_PHASE: "update_phase",
+  HASH_CRACK: "hash_crack",
+  ADD_LOOT: "add_loot",
+  GET_STATE: "get_state",
+  SET_SCOPE: "set_scope",
+  ADD_TARGET: "add_target",
+  ASK_USER: "ask_user",
+  HELP: "help",
+  // Session Management (3차 Insane — long session resumption)
+  SAVE_SESSION_SNAPSHOT: "save_session_snapshot",
+  // Resource Management
+  BG_STATUS: "bg_status",
+  BG_CLEANUP: "bg_cleanup",
+  HEALTH_CHECK: "health_check",
+  // Database Specialized
+  SQLMAP_BASIC: "sqlmap_basic",
+  SQLMAP_ADVANCED: "sqlmap_advanced",
+  MYSQL_ENUM: "mysql_enum",
+  POSTGRES_ENUM: "postgres_enum",
+  REDIS_ENUM: "redis_enum",
+  DB_BRUTE: "db_brute_common",
+  // Network Specialized
+  NMAP_QUICK: "nmap_quick",
+  NMAP_FULL: "nmap_full",
+  RUSTSCAN: "rustscan_fast",
+  // Web Specialized
+  HTTP_FINGERPRINT: "http_fingerprint",
+  WAF_DETECT: "waf_detect",
+  DIRSEARCH: "dirsearch",
+  NUCLEI_WEB: "nuclei_web",
+  // AD Specialized
+  BLOODHOUND_COLLECT: "bloodhound_collect",
+  KERBEROAST: "kerberoast",
+  LDAP_ENUM: "ldap_enum",
+  // API Specialized
+  API_DISCOVER: "api_discover",
+  GRAPHQL_INTROSPECT: "graphql_introspect",
+  SWAGGER_PARSE: "swagger_parse",
+  API_FUZZ: "api_fuzz",
+  // Cloud Specialized
+  AWS_S3_CHECK: "aws_s3_check",
+  CLOUD_META_CHECK: "cloud_meta_check",
+  // Container Specialized
+  DOCKER_PS: "docker_ps",
+  KUBE_GET_PODS: "kube_get_pods",
+  // Service Enumeration
+  SMTP_ENUM: "smtp_enum",
+  FTP_ENUM: "ftp_enum",
+  SMB_ENUM: "smb_enum",
+  MODBUS_ENUM: "modbus_enum",
+  SSH_ENUM: "ssh_enum",
+  RDP_ENUM: "rdp_enum",
+  WIFI_SCAN: "wifi_scan",
+  // Network Attack Tools
+  ARP_SPOOF: "arp_spoof",
+  MITM_PROXY: "mitm_proxy",
+  PACKET_SNIFF: "packet_sniff",
+  DNS_SPOOF: "dns_spoof",
+  TRAFFIC_INTERCEPT: "traffic_intercept",
+  ANALYZE_PCAP: "analyze_pcap",
+  // IMP-3: PWN / Binary Exploitation
+  CHECKSEC: "checksec",
+  FILE_INFO: "file_info",
+  STRINGS_BINARY: "strings_binary",
+  PATTERN_CREATE: "pattern_create",
+  PATTERN_OFFSET: "pattern_offset",
+  ONE_GADGET: "one_gadget",
+  ROP_GADGETS: "rop_gadgets",
+  LTRACE_BINARY: "ltrace_binary",
+  STRACE_BINARY: "strace_binary",
+  PWN_TEMPLATE: "pwn_template",
+  // IMP-4: Crypto Attacks
+  RSA_ANALYZE: "rsa_analyze",
+  FREQUENCY_ANALYSIS: "frequency_analysis",
+  HASH_IDENTIFY: "hash_identify",
+  XOR_DECODE: "xor_decode",
+  BASE_DECODE: "base_decode",
+  PADDING_ORACLE_CHECK: "padding_oracle_check",
+  // IMP-5: Digital Forensics
+  BINWALK_ANALYZE: "binwalk_analyze",
+  STEGHIDE_EXTRACT: "steghide_extract",
+  ZSTEG_ANALYZE: "zsteg_analyze",
+  EXIF_DATA: "exif_data",
+  PCAP_ANALYZE: "pcap_analyze",
+  FOREMOST_CARVE: "foremost_carve",
+  VOLATILITY_ANALYZE: "volatility_analyze",
+  STEGSEEK: "stegseek",
+  // IMP-12: OSINT
+  WHOIS_LOOKUP: "whois_lookup",
+  DNS_RECON: "dns_recon",
+  SUBDOMAIN_ENUM: "subdomain_enum",
+  HARVESTER: "harvester",
+  SHODAN_QUERY: "shodan_query",
+  CERT_TRANSPARENCY: "cert_transparency",
+  GOOGLE_DORK: "google_dork"
+};
+
+// src/shared/constants/attack.ts
+var ATTACK_TACTICS = {
+  INITIAL_ACCESS: "initial_access",
+  EXECUTION: "execution",
+  PERSISTENCE: "persistence",
+  PRIV_ESC: "privilege_escalation",
+  DEFENSE_EVASION: "defense_evasion",
+  CREDENTIAL_ACCESS: "credential_access",
+  DISCOVERY: "discovery",
+  LATERAL_MOVEMENT: "lateral_movement",
+  COLLECTION: "collection",
+  EXFILTRATION: "exfiltration",
+  C2: "command_and_control",
+  IMPACT: "impact"
+};
+var ATTACK_VALUE_RANK = {
+  HIGH: 3,
+  MED: 2,
+  LOW: 1,
+  NONE: 0
+};
+var CONFIDENCE_THRESHOLDS = {
+  /** ≥80: exploit confirmed, shell access, flag captured */
+  CONFIRMED: 80,
+  /** ≥50: strong but not yet proven */
+  PROBABLE: 50,
+  /** ≥25: initial discovery, weak signal */
+  POSSIBLE: 25,
+  /** <25: speculation only */
+  NONE: 0
+};
+
+// src/shared/constants/event-types.ts
+var EVENT_TYPES = {
+  START: "start",
+  PHASE_CHANGE: "phase_change",
+  STATE_CHANGE: "state_change",
+  REASONING_START: "reasoning_start",
+  REASONING_DELTA: "reasoning_delta",
+  REASONING_END: "reasoning_end",
+  AI_RESPONSE: "ai_response",
+  TOOL_CALL: "tool_call",
+  TOOL_RESULT: "tool_result",
+  ERROR: "error",
+  COMPLETE: "complete",
+  THINK: "think",
+  APPROVAL_ASK: "approval_ask",
+  APPROVAL_RESULT: "approval_result",
+  DELEGATE: "delegate",
+  DELEGATE_RESULT: "delegate_result",
+  ESCALATE: "escalate",
+  AGENT_SWITCH: "agent_switch",
+  OBSERVE: "observe",
+  RETRY: "retry",
+  USAGE_UPDATE: "usage_update",
+  INPUT_REQUEST: "input_request",
+  FLAG_FOUND: "flag_found",
+  NOTIFICATION: "notification",
+  AUXILIARY_WORK_START: "auxiliary_work_start",
+  AUXILIARY_WORK_END: "auxiliary_work_end",
+  QUEUE_DRAINED: "queue_drained"
+};
+var COMMAND_EVENT_TYPES = {
+  TOOL_MISSING: "tool_missing",
+  TOOL_INSTALL: "tool_install",
+  TOOL_INSTALLED: "tool_installed",
+  TOOL_INSTALL_FAILED: "tool_install_failed",
+  TOOL_RETRY: "tool_retry",
+  COMMAND_START: "command_start",
+  COMMAND_SUCCESS: "command_success",
+  COMMAND_FAILED: "command_failed",
+  COMMAND_ERROR: "command_error",
+  INPUT_REQUIRED: "input_required",
+  COMMAND_STDOUT: "command_stdout",
+  PROCESS_NOTIFICATION: "process_notification"
+};
+
+// src/shared/constants/ui-commands.ts
+var UI_COMMANDS = {
+  HELP: "help",
+  HELP_SHORT: "h",
+  CLEAR: "clear",
+  CLEAR_SHORT: "c",
+  TARGET: "target",
+  TARGET_SHORT: "t",
+  START: "start",
+  START_SHORT: "s",
+  FINDINGS: "findings",
+  FINDINGS_SHORT: "f",
+  ASSETS: "assets",
+  ASSETS_SHORT: "a",
+  LOGS: "logs",
+  LOGS_SHORT: "l",
+  CTF: "ctf",
+  TOR: "tor",
+  AUTO: "auto",
+  LAYOUT: "layout",
+  GRAPH: "graph",
+  GRAPH_SHORT: "g",
+  PATHS: "paths",
+  PATHS_SHORT: "p",
+  EXIT: "exit",
+  QUIT: "quit",
+  EXIT_SHORT: "q"
+};
+
+// src/engine/process/process-lifecycle.ts
+import { spawn as spawn4 } from "child_process";
+import { writeFileSync as writeFileSync3, unlinkSync } from "fs";
+
+// src/engine/process/process-tree.ts
+import { execSync } from "child_process";
+function discoverChildPids(parentPid) {
+  try {
+    const result = execSync(`pgrep -P ${parentPid} 2>/dev/null || true`, {
+      encoding: "utf-8",
+      timeout: SYSTEM_LIMITS.PROCESS_OP_TIMEOUT_MS
+    }).trim();
+    if (!result) return [];
+    return result.split("\n").map((s) => parseInt(s.trim(), 10)).filter((n) => !isNaN(n) && n > 0);
+  } catch {
+    return [];
+  }
+}
+function discoverAllDescendants(pid, visited = /* @__PURE__ */ new Set()) {
+  if (visited.has(pid)) return [];
+  visited.add(pid);
+  const children = discoverChildPids(pid);
+  const all = [...children];
+  for (const child of children) {
+    all.push(...discoverAllDescendants(child, visited));
+  }
+  return all;
+}
+function isPidAlive(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function killProcessTree(pid, childPids, waitMs = SYSTEM_LIMITS.SHUTDOWN_WAIT_MS) {
+  try {
+    process.kill(-pid, "SIGTERM");
+  } catch {
+    try {
+      process.kill(pid, "SIGTERM");
+    } catch {
+    }
+  }
+  for (const childPid of childPids) {
+    try {
+      process.kill(childPid, "SIGTERM");
+    } catch {
+    }
+  }
+  await new Promise((r) => setTimeout(r, waitMs));
+  if (isPidAlive(pid)) {
+    try {
+      process.kill(-pid, "SIGKILL");
+    } catch {
+    }
+    try {
+      process.kill(pid, "SIGKILL");
+    } catch {
+    }
+  }
+  for (const childPid of childPids) {
+    if (isPidAlive(childPid)) {
+      try {
+        process.kill(childPid, "SIGKILL");
+      } catch {
+      }
+    }
+  }
+}
+function killProcessTreeSync(pid, childPids) {
+  try {
+    process.kill(-pid, "SIGKILL");
+  } catch {
+  }
+  try {
+    process.kill(pid, "SIGKILL");
+  } catch {
+  }
+  for (const childPid of childPids) {
+    try {
+      process.kill(childPid, "SIGKILL");
+    } catch {
+    }
+  }
+}
+
+// src/engine/process/process-detector.ts
+function detectProcessRole(command) {
+  const tags = [];
+  let port;
+  let role = PROCESS_ROLES.BACKGROUND;
+  let isInteractive = false;
+  const cmd = command.toLowerCase();
+  if (cmd.includes("-lvnp") || cmd.includes("-nlvp") || cmd.includes("-lp") || cmd.includes("nc") && cmd.includes("listen")) {
+    tags.push(PROCESS_ROLES.LISTENER);
+    role = PROCESS_ROLES.LISTENER;
+    isInteractive = true;
+    const portMatch = command.match(DETECTION_PATTERNS.LISTENER);
+    if (portMatch) port = parseInt(portMatch[1], 10);
+  }
+  if (cmd.includes("http.server") || cmd.includes("simplehttpserver") || cmd.includes("httpd") || cmd.includes("php -s")) {
+    tags.push(PROCESS_ROLES.SERVER);
+    role = PROCESS_ROLES.SERVER;
+    const portMatch = command.match(DETECTION_PATTERNS.HTTP_SERVER);
+    if (portMatch) port = parseInt(portMatch[1], 10);
+    if (!port) {
+      const genericPort = command.match(DETECTION_PATTERNS.GENERIC_PORT);
+      if (genericPort) port = parseInt(genericPort[1], 10);
+      else if (cmd.includes("http.server")) port = SYSTEM_LIMITS.WEB_PORT_RANGE.MIN;
+    }
+  }
+  if (cmd.includes("tcpdump") || cmd.includes("tshark")) {
+    tags.push(PROCESS_ROLES.SNIFFER);
+    role = PROCESS_ROLES.SNIFFER;
+  }
+  if (cmd.includes("arpspoof") || cmd.includes("dnsspoof") || cmd.includes("ettercap")) {
+    tags.push(PROCESS_ROLES.SPOOFER);
+    role = PROCESS_ROLES.SPOOFER;
+  }
+  if (cmd.includes("mitm") || cmd.includes("proxy") || cmd.includes("intercept")) {
+    tags.push(PROCESS_ROLES.PROXY);
+    role = PROCESS_ROLES.PROXY;
+  }
+  if (cmd.includes("callback") || cmd.includes("oob")) {
+    tags.push(PROCESS_ROLES.CALLBACK);
+    role = PROCESS_ROLES.CALLBACK;
+  }
+  if (cmd.includes("socat") && cmd.includes("listen")) {
+    tags.push(PROCESS_ROLES.LISTENER);
+    role = PROCESS_ROLES.LISTENER;
+    isInteractive = true;
+  }
+  if (tags.length === 0) tags.push(PROCESS_ROLES.BACKGROUND);
+  return { tags, port, role, isInteractive };
+}
+function detectConnection(stdout) {
+  return DETECTION_PATTERNS.CONNECTION.some((p) => p.test(stdout));
+}
+
+// src/engine/tools-base/event-emitter.ts
+var globalEventEmitter = null;
+var globalInputHandler = null;
+function setCommandEventEmitter(emitter) {
+  globalEventEmitter = emitter;
+}
+function setInputHandler(handler) {
+  globalInputHandler = handler;
+}
+function clearInputHandler() {
+  globalInputHandler = null;
+}
+function clearCommandEventEmitter() {
+  globalEventEmitter = null;
+}
+function getEventEmitter() {
+  return globalEventEmitter;
+}
+function getInputHandler() {
+  return globalInputHandler;
+}
+
+// src/shared/constants/paths.ts
+import path from "path";
+var _dirs = null;
+var _root = null;
+function getRoot() {
+  if (_root === null) {
+    const ws = getPipelineConfig().workspace;
+    _root = ws?.root ?? ".pentesting";
+  }
+  return _root;
+}
+function getDirs() {
+  if (_dirs === null) {
+    const ws = getPipelineConfig().workspace;
+    _dirs = ws?.directories ?? {};
+  }
+  return _dirs;
+}
+function dir(key, fallback) {
+  return getDirs()[key] ?? fallback;
+}
+var PENTESTING_ROOT = getRoot();
+var WORK_DIR = dir("workspace", `${getRoot()}/workspace`);
+var MEMORY_DIR = dir("memory", `${getRoot()}/memory`);
+var WORKSPACE = {
+  get ROOT() {
+    return path.resolve(getRoot());
+  },
+  get TMP() {
+    return path.resolve(dir("workspace", `${getRoot()}/workspace`));
+  },
+  get MEMORY() {
+    return path.resolve(dir("memory", `${getRoot()}/memory`));
+  },
+  get REPORTS() {
+    return path.resolve(dir("reports", `${getRoot()}/reports`));
+  },
+  get SESSIONS() {
+    return path.resolve(dir("sessions", `${getRoot()}/sessions`));
+  },
+  get LOOT() {
+    return path.resolve(dir("loot", `${getRoot()}/loot`));
+  },
+  get DEBUG() {
+    return path.resolve(dir("debug", `${getRoot()}/debug`));
+  },
+  /** DEPRECATED — kept for clearWorkspace cleanup only */
+  get OUTPUTS() {
+    return path.resolve(`${getRoot()}/outputs`);
+  },
+  /** DEPRECATED — kept for clearWorkspace cleanup only */
+  get JOURNAL() {
+    return path.resolve(`${getRoot()}/journal`);
+  },
+  /** DEPRECATED — kept for clearWorkspace cleanup only */
+  get ARCHIVE() {
+    return path.resolve(dir("archive", `${getRoot()}/archive`));
+  },
+  /** Turn insight files root: .pentesting/turns/ */
+  get TURNS() {
+    return path.resolve(dir("turns", `${getRoot()}/turns`));
+  },
+  /**
+   * Resolve the insight file for a specific turn: .pentesting/turns/{N}.md
+   * Pipeline.yaml: workspace.turn_structure → single file per turn
+   */
+  turnPath(turn) {
+    return path.resolve(dir("turns", `${getRoot()}/turns`), `${turn}.md`);
+  }
+};
+
+// src/shared/utils/command-validator/security-lists.ts
+var ALLOWED_BINARIES = /* @__PURE__ */ new Set([
+  // Network scanning
+  "nmap",
+  "rustscan",
+  // Web scanning
+  "ffuf",
+  "gobuster",
+  "dirb",
+  "dirsearch",
+  "nikto",
+  "nuclei",
+  "whatweb",
+  // Vulnerability scanning
+  "sqlmap",
+  "zap",
+  "wpscan",
+  // Password attacks
+  "hydra",
+  "john",
+  "hashcat",
+  "medusa",
+  // Network tools
+  "netcat",
+  "nc",
+  "ncat",
+  "socat",
+  "curl",
+  "wget",
+  "ping",
+  "traceroute",
+  // DNS
+  "dig",
+  "nslookup",
+  "host",
+  "dnsrecon",
+  // SMB/AD
+  "smbclient",
+  "rpcclient",
+  "crackmapexec",
+  "netexec",
+  "bloodhound",
+  "impacket-smbclient",
+  "impacket-psexec",
+  "impacket-wmiexec",
+  "impacket-secretsdump",
+  "impacket-getTGT",
+  "impacket-getST",
+  "impacket-GetNPUsers",
+  "impacket-GetUserSPNs",
+  // Exploitation
+  "metasploit",
+  "msfconsole",
+  "msfvenom",
+  // Misc pentesting
+  "whois",
+  "searchsploit",
+  "seclists",
+  "enum4linux",
+  "evil-winrm",
+  // Shell utilities (safe pipe targets & general tools)
+  "head",
+  "tail",
+  "grep",
+  "egrep",
+  "fgrep",
+  "awk",
+  "sed",
+  "cut",
+  "tr",
+  "sort",
+  "uniq",
+  "wc",
+  "tee",
+  "xargs",
+  "cat",
+  "less",
+  "more",
+  "echo",
+  "printf",
+  "true",
+  "false",
+  "test",
+  "find",
+  "ls",
+  "file",
+  "strings",
+  "xxd",
+  "base64",
+  "python3",
+  "python",
+  "perl",
+  "ruby",
+  "php",
+  "node",
+  "jq",
+  "xmllint",
+  // Package management (for auto-install)
+  "apt-get",
+  "apt",
+  "dpkg",
+  "pip",
+  "pip3",
+  // System info
+  "id",
+  "whoami",
+  "hostname",
+  "uname",
+  "env",
+  "printenv",
+  "which",
+  "type",
+  "ps",
+  "top",
+  "free",
+  "df",
+  "du",
+  "lsof",
+  "ss",
+  "netstat",
+  // File operations (safe subset)
+  "cp",
+  "mv",
+  "mkdir",
+  "touch",
+  "ln",
+  // SSH/SCP
+  "ssh",
+  "scp",
+  "sshpass",
+  "ssh-keygen",
+  // Network sniffing
+  "tcpdump",
+  "tshark",
+  // Proxy
+  "proxychains",
+  "proxychains4",
+  "chisel",
+  // Binary analysis
+  "radare2",
+  "r2",
+  "gdb",
+  "strace",
+  "ltrace",
+  "objdump",
+  "readelf",
+  // Git
+  "git",
+  // Sudo
+  "sudo",
+  // Misc
+  "sleep",
+  "date",
+  "md5sum",
+  "sha256sum",
+  "sha1sum",
+  "tar",
+  "gzip",
+  "gunzip",
+  "zip",
+  "unzip",
+  "openssl",
+  "certutil"
+]);
+var INJECTION_PATTERNS = [
+  /\$\(/,
+  // Command substitution $(...)
+  /`/,
+  // Backtick command substitution
+  /\$\{/,
+  // Variable expansion ${...}
+  /\$\[/,
+  // Arithmetic expansion $[...]
+  /\0/,
+  // Null byte injection
+  /\n/,
+  // Newline injection
+  /\r/
+  // Carriage return injection
+];
+var SAFE_PIPE_TARGETS = /* @__PURE__ */ new Set([
+  "head",
+  "tail",
+  "grep",
+  "egrep",
+  "fgrep",
+  "awk",
+  "sed",
+  "cut",
+  "tr",
+  "sort",
+  "uniq",
+  "wc",
+  "tee",
+  "xargs",
+  "less",
+  "more",
+  "cat",
+  "jq",
+  "xmllint",
+  "strings",
+  "base64",
+  "xxd",
+  "python3",
+  "python"
+]);
+var SAFE_REDIRECT_PATHS = [`${WORK_DIR}/`];
+var BLOCKED_BINARIES = /* @__PURE__ */ new Set([
+  "rm",
+  "shred",
+  "wipe",
+  "mkfs",
+  "fdisk",
+  "parted",
+  "dd",
+  "shutdown",
+  "reboot",
+  "poweroff",
+  "init",
+  "systemctl",
+  "docker",
+  "kubectl",
+  "iptables",
+  "ip6tables",
+  "nft",
+  "crontab"
+]);
+
+// src/shared/utils/debug/debug-logger.ts
+import { appendFileSync, writeFileSync, statSync, readFileSync } from "fs";
+import { join } from "path";
+
+// src/shared/utils/file-ops/file-utils.ts
+import { existsSync, mkdirSync } from "fs";
+function ensureDirExists(dirPath) {
+  if (!existsSync(dirPath)) {
+    mkdirSync(dirPath, { recursive: true });
+  }
+}
+function fileTimestamp() {
+  return (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-").slice(0, 19);
+}
+function sanitizeFilename(name, maxLength = 30) {
+  return name.replace(/[^a-zA-Z0-9_-]/g, "_").slice(0, maxLength);
+}
+
+// src/shared/constants/files/extensions.ts
+var FILE_EXTENSIONS = {
+  // Data formats
+  JSON: ".json",
+  MARKDOWN: ".md",
+  TXT: ".txt",
+  XML: ".xml",
+  // Network capture
+  PCAP: ".pcap",
+  HOSTS: ".hosts",
+  MITM: ".mitm",
+  // Process I/O
+  STDOUT: ".stdout",
+  STDERR: ".stderr",
+  STDIN: ".stdin",
+  // Scripts
+  SH: ".sh",
+  PY: ".py",
+  CJS: ".cjs",
+  // Config
+  ENV: ".env",
+  BAK: ".bak"
+};
+
+// src/shared/constants/files/special.ts
+var SPECIAL_FILES = {
+  /** Latest state snapshot */
+  LATEST_STATE: "latest.json",
+  /** README */
+  README: "README.md",
+  /** Session summary (single source — LLM primary, deterministic fallback) */
+  SUMMARY: "summary.md",
+  /** Persistent knowledge store */
+  PERSISTENT_KNOWLEDGE: "persistent-knowledge.json",
+  /** Debug log file */
+  DEBUG_LOG: "debug.log",
+  /**
+   * Session snapshot for Insane-level long session resumption (3차).
+   * Stores current phase, achieved foothold, next steps, credentials.
+   * Written by PlaybookSynthesizer on flag capture / manual update_mission.
+   */
+  SESSION_SNAPSHOT: "session-snapshot.json"
+};
+
+// src/shared/constants/files/patterns.ts
+var FILE_PATTERNS = {
+  /** Tool output filename: nmap.txt, gobuster.txt (sanitized) */
+  toolOutput(toolName) {
+    return `${sanitizeFilename(toolName)}.txt`;
+  },
+  /** Generate session snapshot filename: 2026-02-21T08-30-15.json */
+  session() {
+    return `${fileTimestamp()}.json`;
+  }
+};
+
+// src/shared/utils/debug/debug-logger.ts
+var ROTATE_BYTES = 5 * 1024 * 1024;
+var WIPE_BYTES = 20 * 1024 * 1024;
+var ROTATE_CHECK_INTERVAL = 500;
+var DebugLogger = class _DebugLogger {
+  static instance;
+  logPath;
+  initialized = false;
+  writeCount = 0;
+  constructor(clearOnInit = false) {
+    const debugDir = WORKSPACE.DEBUG;
+    try {
+      ensureDirExists(debugDir);
+      this.logPath = join(debugDir, SPECIAL_FILES.DEBUG_LOG);
+      if (clearOnInit) {
+        this.clear();
+      }
+      this.initialized = true;
+      this.log("general", "=== DEBUG LOGGER INITIALIZED ===");
+      this.log("general", `Log file: ${this.logPath}`);
+    } catch (e) {
+      console.error("[DebugLogger] Failed to initialize:", e);
+      this.logPath = "";
+    }
+  }
+  static getInstance(clearOnInit = false) {
+    if (!_DebugLogger.instance) {
+      _DebugLogger.instance = new _DebugLogger(clearOnInit);
+    }
+    return _DebugLogger.instance;
+  }
+  /** Reset the singleton instance (used by initDebugLogger) */
+  static resetInstance(clearOnInit = false) {
+    _DebugLogger.instance = new _DebugLogger(clearOnInit);
+    return _DebugLogger.instance;
+  }
+  /**
+   * Rotate or wipe debug.log if it exceeds size thresholds.
+   * Called every ROTATE_CHECK_INTERVAL writes to amortize statSync cost.
+   *
+   * Policy:
+   *   > 20 MB → wipe entirely (too much data, disk pressure)
+   *   > 5 MB  → keep latest half (recent logs more useful than old ones)
+   */
+  rotateIfNeeded() {
+    try {
+      const size = statSync(this.logPath).size;
+      if (size > WIPE_BYTES) {
+        writeFileSync(this.logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] [GENERAL] === LOG WIPED (exceeded ${Math.round(WIPE_BYTES / 1024 / 1024)}MB) ===
+`);
+      } else if (size > ROTATE_BYTES) {
+        const content = readFileSync(this.logPath, "utf-8");
+        const half = content.slice(Math.floor(content.length / 2));
+        const firstNewline = half.indexOf("\n");
+        const trimmed = firstNewline >= 0 ? half.slice(firstNewline + 1) : half;
+        writeFileSync(this.logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] [GENERAL] === LOG ROTATED (exceeded ${Math.round(ROTATE_BYTES / 1024 / 1024)}MB, kept latest half) ===
+` + trimmed);
+      }
+    } catch {
+    }
+  }
+  log(category, message, data) {
+    if (!this.initialized || !this.logPath) return;
+    try {
+      const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+      let logLine = `[${timestamp}] [${category.toUpperCase()}] ${message}`;
+      if (data !== void 0) {
+        logLine += ` | ${JSON.stringify(data)}`;
+      }
+      logLine += "\n";
+      appendFileSync(this.logPath, logLine);
+      if (++this.writeCount % ROTATE_CHECK_INTERVAL === 0) {
+        this.rotateIfNeeded();
+      }
+    } catch (e) {
+      console.error("[DebugLogger] Write error:", e);
+    }
+  }
+  logRaw(category, label, raw) {
+    if (!this.initialized || !this.logPath) return;
+    try {
+      const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+      const logLine = `[${timestamp}] [${category.toUpperCase()}] ${label}:
+${raw}
+---
+`;
+      appendFileSync(this.logPath, logLine);
+      if (++this.writeCount % ROTATE_CHECK_INTERVAL === 0) {
+        this.rotateIfNeeded();
+      }
+    } catch (e) {
+      console.error("[DebugLogger] Write error:", e);
+    }
+  }
+  clear() {
+    if (!this.logPath) return;
+    try {
+      writeFileSync(this.logPath, "");
+    } catch (e) {
+      console.error("[DebugLogger] Clear error:", e);
+    }
+  }
+};
+var logger = DebugLogger.getInstance(false);
+function initDebugLogger() {
+  DebugLogger.resetInstance(true);
+}
+function debugLog(category, message, data) {
+  logger.log(category, message, data);
+}
+function flowLog(actor, direction, store, detail) {
+  logger.log("flow", `${actor} ${direction} ${store}: ${detail}`);
+}
+
+// src/shared/utils/command-validator/types.ts
+var SHELL_OPERATORS = {
+  AND: "&&",
+  OR: "||",
+  SEQUENCE: ";",
+  PIPE: "|",
+  BACKGROUND: "&"
+};
+var SHELL_CHARS = {
+  SINGLE_QUOTE: "'",
+  DOUBLE_QUOTE: '"',
+  BACKTICK: "`"
+};
+
+// src/shared/utils/command-validator/splitter.ts
+function splitChainedCommands(command) {
+  const parts = [];
+  let current = "";
+  let inSingle = false;
+  let inDouble = false;
+  let i = 0;
+  while (i < command.length) {
+    const ch = command[i];
+    if (ch === SHELL_CHARS.SINGLE_QUOTE && !inDouble) {
+      inSingle = !inSingle;
+      current += ch;
+      i++;
+      continue;
+    }
+    if (ch === SHELL_CHARS.DOUBLE_QUOTE && !inSingle) {
+      inDouble = !inDouble;
+      current += ch;
+      i++;
+      continue;
+    }
+    if (!inSingle && !inDouble) {
+      if (ch === "&" && command[i + 1] === "&" || ch === "|" && command[i + 1] === "|") {
+        if (current.trim()) parts.push(current.trim());
+        current = "";
+        i += 2;
+        continue;
+      }
+      if (ch === SHELL_OPERATORS.SEQUENCE) {
+        if (current.trim()) parts.push(current.trim());
+        current = "";
+        i++;
+        continue;
+      }
+    }
+    current += ch;
+    i++;
+  }
+  if (current.trim()) parts.push(current.trim());
+  return parts.length > 0 ? parts : [command];
+}
+function splitByPipe(command) {
+  const parts = [];
+  let current = "";
+  let inSingle = false;
+  let inDouble = false;
+  let i = 0;
+  while (i < command.length) {
+    const ch = command[i];
+    if (ch === "'" && !inDouble) {
+      inSingle = !inSingle;
+      current += ch;
+      i++;
+      continue;
+    }
+    if (ch === '"' && !inSingle) {
+      inDouble = !inDouble;
+      current += ch;
+      i++;
+      continue;
+    }
+    if (!inSingle && !inDouble && ch === "|") {
+      if (command[i + 1] === "|") {
+        current += "||";
+        i += 2;
+        continue;
+      }
+      if (current.trim()) parts.push(current.trim());
+      current = "";
+      i++;
+      continue;
+    }
+    current += ch;
+    i++;
+  }
+  if (current.trim()) parts.push(current.trim());
+  return parts;
+}
+
+// src/shared/utils/command-validator/redirect.ts
+function stripRedirects(segment) {
+  return segment.replace(/\d*>\s*&\d+/g, "").replace(/\d*>>\s*\S+/g, "").replace(/\d*>\s*\S+/g, "").replace(/<\s*\S+/g, "").trim();
+}
+function validateRedirects(command) {
+  const redirects = extractRedirectTargets(command);
+  for (const { type, target } of redirects) {
+    if (type === ">" || type === ">>") {
+      if (target.startsWith("&") || target === "/dev/null") continue;
+      const isAllowed = SAFE_REDIRECT_PATHS.some((p) => target.startsWith(p));
+      if (!isAllowed) {
+        return {
+          isSafe: false,
+          error: `Redirect to '${target}' is not in allowed paths`,
+          suggestion: `Redirect output to ${WORK_DIR}/ paths. Example: > ${WORK_DIR}/output.txt`
+        };
+      }
+    } else if (type === "<") {
+      const isAllowed = SAFE_REDIRECT_PATHS.some((p) => target.startsWith(p));
+      if (!isAllowed) {
+        return {
+          isSafe: false,
+          error: `Input redirect from '${target}' is not in allowed paths`,
+          suggestion: `Input redirect only from ${WORK_DIR}/ paths.`
+        };
+      }
+    }
+  }
+  return { isSafe: true };
+}
+function extractRedirectTargets(command) {
+  const redirects = [];
+  let inSingle = false;
+  let inDouble = false;
+  let i = 0;
+  while (i < command.length) {
+    const ch = command[i];
+    if (ch === "'" && !inDouble) {
+      inSingle = !inSingle;
+      i++;
+      continue;
+    }
+    if (ch === '"' && !inSingle) {
+      inDouble = !inDouble;
+      i++;
+      continue;
+    }
+    if (!inSingle && !inDouble) {
+      if (ch === ">" || ch === "<") {
+        const isAppend = ch === ">" && command[i + 1] === ">";
+        const type = isAppend ? ">>" : ch;
+        const jump = isAppend ? 2 : 1;
+        let fd = "";
+        if (ch === ">") {
+          let b = i - 1;
+          while (b >= 0 && /\d/.test(command[b])) {
+            fd = command[b] + fd;
+            b--;
+          }
+        }
+        i += jump;
+        while (i < command.length && /\s/.test(command[i])) i++;
+        let target = "";
+        let targetInSingle = false;
+        let targetInDouble = false;
+        while (i < command.length) {
+          const tc = command[i];
+          if (tc === "'" && !targetInDouble) {
+            targetInSingle = !targetInSingle;
+            i++;
+            continue;
+          }
+          if (tc === '"' && !targetInSingle) {
+            targetInDouble = !targetInDouble;
+            i++;
+            continue;
+          }
+          if (!targetInSingle && !targetInDouble && /[\s|;&<>]/.test(tc)) break;
+          target += tc;
+          i++;
+        }
+        if (target) {
+          redirects.push({ type, fd, target });
+        }
+        continue;
+      }
+    }
+    i++;
+  }
+  return redirects;
+}
+
+// src/shared/utils/command-validator/binary.ts
+function extractBinary(command) {
+  const parts = command.trim().split(/\s+/);
+  let binary = parts[0];
+  if (!binary) return null;
+  let idx = 0;
+  while (idx < parts.length && ["sudo", "env", "timeout"].includes(parts[idx])) {
+    idx++;
+    if (parts[idx - 1] === "env") {
+      while (idx < parts.length && parts[idx].includes("=")) idx++;
+    }
+    if (parts[idx - 1] === "timeout") {
+      if (idx < parts.length && /^\d/.test(parts[idx])) idx++;
+    }
+  }
+  binary = parts[idx] || parts[0];
+  if (binary.includes("/")) {
+    binary = binary.split("/").pop() || binary;
+  }
+  return binary.toLowerCase();
+}
+
+// src/shared/utils/command-validator/validator.ts
+function validateCommand(command) {
+  if (!command || typeof command !== "string") {
+    return { isSafe: false, error: "Empty or invalid command" };
+  }
+  const normalizedCommand = command.trim();
+  if (normalizedCommand.length === 0) {
+    return { isSafe: false, error: "Empty command" };
+  }
+  for (const pattern of INJECTION_PATTERNS) {
+    if (pattern.test(normalizedCommand)) {
+      return {
+        isSafe: false,
+        error: `Injection pattern detected: ${pattern.source}`,
+        suggestion: "Avoid command substitution ($(), ``), variable expansion (${}) and control characters."
+      };
+    }
+  }
+  const subCommands = splitChainedCommands(normalizedCommand);
+  for (const subCmd of subCommands) {
+    const result = validateSingleCommand(subCmd.trim());
+    if (!result.isSafe) {
+      return result;
+    }
+  }
+  return { isSafe: true };
+}
+function validateSingleCommand(command) {
+  const pipeSegments = splitByPipe(command);
+  for (let idx = 0; idx < pipeSegments.length; idx++) {
+    const segment = pipeSegments[idx].trim();
+    if (!segment) continue;
+    const cleanSegment = stripRedirects(segment);
+    const binary = extractBinary(cleanSegment);
+    if (!binary) continue;
+    if (BLOCKED_BINARIES.has(binary)) {
+      return {
+        isSafe: false,
+        error: `Binary '${binary}' is blocked for security reasons`,
+        suggestion: `'${binary}' is not allowed. Use a different approach.`
+      };
+    }
+    if (idx > 0 && !SAFE_PIPE_TARGETS.has(binary) && !ALLOWED_BINARIES.has(binary)) {
+      return {
+        isSafe: false,
+        error: `Pipe target '${binary}' is not in the allowed list`,
+        suggestion: `Piping to '${binary}' is not allowed. Safe pipe targets: head, tail, grep, awk, sed, cut, sort, uniq, wc, jq, tee.`
+      };
+    }
+    if (!ALLOWED_BINARIES.has(binary)) {
+      debugLog("security", `Unknown binary '${binary}' - use with caution`);
+    }
+  }
+  const redirectResult = validateRedirects(command);
+  if (!redirectResult.isSafe) {
+    return redirectResult;
+  }
+  return { isSafe: true };
+}
+
+// src/engine/tool-installer/detector.ts
+import { spawn } from "child_process";
+async function detectPackageManager() {
+  const managers = [
+    { name: "apt", check: "which apt" },
+    { name: "brew", check: "which brew" }
+  ];
+  for (const mgr of managers) {
+    try {
+      const result = await new Promise((resolve) => {
+        const child = spawn("sh", ["-c", mgr.check]);
+        child.on("close", (code) => resolve(code === 0));
+        child.on("error", () => resolve(false));
+      });
+      if (result) return mgr.name;
+    } catch {
+      continue;
+    }
+  }
+  return null;
+}
+function isCommandNotFound(stderr, stdout) {
+  const combined = (stderr + stdout).toLowerCase();
+  return [
+    /command not found/,
+    /not found/,
+    /no such file or directory/,
+    /is not recognized/,
+    /cannot find/,
+    /not installed/,
+    /unable to locate package/,
+    /enoent/
+  ].some((p) => p.test(combined));
+}
+
+// src/engine/tool-installer/engine.ts
+import { spawn as spawn2 } from "child_process";
+
+// src/engine/tool-installer/package-map.ts
+var TOOL_PACKAGE_MAP = {
+  "nmap": { apt: "nmap", brew: "nmap" },
+  "rustscan": { apt: "rustscan", brew: "rustscan" },
+  "ffuf": { apt: "ffuf", brew: "ffuf" },
+  "gobuster": { apt: "gobuster", brew: "gobuster" },
+  "nuclei": { apt: "nuclei", brew: "nuclei" },
+  "nikto": { apt: "nikto", brew: "nikto" },
+  "sqlmap": { apt: "sqlmap", brew: "sqlmap" },
+  "hydra": { apt: "hydra", brew: "hydra" },
+  "john": { apt: "john", brew: "john" },
+  "hashcat": { apt: "hashcat", brew: "hashcat" },
+  "enum4linux": { apt: "enum4linux", brew: "enum4linux" },
+  "smbclient": { apt: "smbclient", brew: "samba" },
+  "crackmapexec": { apt: "crackmapexec", brew: "crackmapexec" },
+  "bloodhound": { apt: "bloodhound", brew: "bloodhound" },
+  "kerberoast": { apt: "kerberoast", brew: "kerberoast" },
+  "impacket": { apt: "python3-impacket", brew: "impacket", pip: "impacket" },
+  "curl": { apt: "curl", brew: "curl" },
+  "wget": { apt: "wget", brew: "wget" },
+  "jq": { apt: "jq", brew: "jq" },
+  "whois": { apt: "whois", brew: "whois" },
+  "dig": { apt: "dnsutils", brew: "bind" },
+  "netcat": { apt: "netcat", brew: "netcat" },
+  "nc": { apt: "netcat", brew: "netcat" },
+  "ssh": { apt: "openssh-client", brew: "openssh" },
+  "scp": { apt: "openssh-client", brew: "openssh" },
+  "ftp": { apt: "ftp", brew: "inetutils" },
+  "telnet": { apt: "telnet", brew: "telnet" },
+  "snmpwalk": { apt: "snmp", brew: "net-snmp" },
+  "onesixtyone": { apt: "onesixtyone", brew: "onesixtyone" },
+  "seclists": { apt: "seclists", brew: "seclists" },
+  "wfuzz": { apt: "wfuzz", brew: "wfuzz", pip: "wfuzz" },
+  "dirsearch": { apt: "dirsearch", brew: "dirsearch", pip: "dirsearch" },
+  "wafw00f": { apt: "wafw00f", brew: "wafw00f", pip: "wafw00f" },
+  "feroxbuster": { apt: "feroxbuster", brew: "feroxbuster" },
+  "subfinder": { apt: "subfinder", brew: "subfinder" },
+  "amass": { apt: "amass", brew: "amass" },
+  "httpx": { apt: "httpx-toolkit", brew: "httpx" },
+  "naabu": { apt: "naabu", brew: "naabu" },
+  "dnsx": { apt: "dnsx", brew: "dnsx" },
+  // Network attack tools
+  "arpspoof": { apt: "dsniff", brew: "dsniff" },
+  "ettercap": { apt: "ettercap-text-only", brew: "ettercap" },
+  "mitmproxy": { apt: "mitmproxy", brew: "mitmproxy", pip: "mitmproxy" },
+  "tcpdump": { apt: "tcpdump", brew: "tcpdump" },
+  "tshark": { apt: "tshark", brew: "wireshark" },
+  "bettercap": { apt: "bettercap", brew: "bettercap" },
+  "responder": { apt: "responder", brew: "responder", pip: "Responder" },
+  "searchsploit": { apt: "exploitdb", brew: "exploitdb" },
+  "kerbrute": { apt: "kerbrute", brew: "kerbrute" },
+  "evil-winrm": { apt: "evil-winrm", brew: "evil-winrm" },
+  "netexec": { apt: "netexec", brew: "netexec" },
+  // Forensic / analysis tools
+  "file": { apt: "file", brew: "file-formula" },
+  "xxd": { apt: "xxd", brew: "vim" },
+  "binwalk": { apt: "binwalk", brew: "binwalk", pip: "binwalk" },
+  "strings": { apt: "binutils", brew: "binutils" },
+  // IMP-7: PWN domain tools
+  "checksec": { apt: "checksec", brew: "checksec", pip: "checksec" },
+  "gdb": { apt: "gdb", brew: "gdb" },
+  "pwndbg": { apt: "pwndbg", brew: "pwndbg" },
+  "ROPgadget": { pip: "ROPgadget" },
+  "one_gadget": { gem: "one_gadget" },
+  "pwntools": { pip: "pwntools" },
+  "ltrace": { apt: "ltrace", brew: "ltrace" },
+  "strace": { apt: "strace", brew: "strace" },
+  // IMP-7: Crypto domain tools
+  "hashid": { pip: "hashid" },
+  "padbuster": { apt: "padbuster", brew: "padbuster" },
+  "rsactftool": { pip: "RsaCtfTool" },
+  // IMP-7: Forensics domain tools
+  "steghide": { apt: "steghide", brew: "steghide" },
+  "zsteg": { gem: "zsteg" },
+  "stegseek": { apt: "stegseek" },
+  "exiftool": { apt: "libimage-exiftool-perl", brew: "exiftool" },
+  "foremost": { apt: "foremost", brew: "foremost" },
+  "volatility": { apt: "volatility", pip: "volatility3" },
+  "vol3": { pip: "volatility3" },
+  // IMP-12: OSINT domain tools (tools not already listed above)
+  "theHarvester": { apt: "theharvester", pip: "theHarvester" },
+  "theharvester": { apt: "theharvester", pip: "theHarvester" },
+  "shodan": { pip: "shodan" },
+  "metabagoofil": { apt: "metabagoofil" },
+  "spiderfoot": { apt: "spiderfoot" },
+  "recon-ng": { apt: "recon-ng" }
+};
+
+// src/engine/tool-installer/engine.ts
+var installedTools = /* @__PURE__ */ new Set();
+function installViaSimpleCmd(toolName, cmd, label, emitter) {
+  emitter?.({ type: COMMAND_EVENT_TYPES.TOOL_INSTALL, message: `Installing via ${label}`, detail: cmd });
+  return new Promise((resolve) => {
+    const child = spawn2("sh", ["-c", cmd]);
+    let out = "";
+    child.stdout.on("data", (d) => {
+      out += d.toString();
+    });
+    child.stderr.on("data", (d) => {
+      out += d.toString();
+    });
+    child.on("close", (code) => {
+      resolve(code === 0 ? { success: true, output: `Installed ${toolName} via ${label}` } : { success: false, output: `${label} install failed: ${out}` });
+    });
+    child.on("error", (err) => resolve({ success: false, output: err.message }));
+  });
+}
+async function tryAlternateManagers(toolName, pkgInfo, emitter) {
+  if (pkgInfo.pip) {
+    return installViaSimpleCmd(toolName, `pip3 install ${pkgInfo.pip} 2>&1 || pip install ${pkgInfo.pip} 2>&1`, "pip", emitter);
+  }
+  if (pkgInfo.gem) {
+    return installViaSimpleCmd(toolName, `gem install ${pkgInfo.gem} 2>&1`, "gem", emitter);
+  }
+  return null;
+}
+async function installTool(toolName, eventEmitter, inputHandler) {
+  const pkgInfo = TOOL_PACKAGE_MAP[toolName];
+  if (!pkgInfo) {
+    return { success: false, output: `Unknown tool: ${toolName}. No package mapping available.` };
+  }
+  if (installedTools.has(toolName)) {
+    return { success: false, output: `Already attempted to install ${toolName} this session.` };
+  }
+  installedTools.add(toolName);
+  const pkgManager = await detectPackageManager();
+  if (!pkgManager || !pkgInfo[pkgManager]) {
+    const altResult = await tryAlternateManagers(toolName, pkgInfo, eventEmitter);
+    if (altResult) return altResult;
+    if (!pkgManager) {
+      return { success: false, output: "No supported package manager (apt, brew, pip, gem). Install manually." };
+    }
+  }
+  const packageName = pkgInfo[pkgManager] ?? pkgInfo.apt;
+  if (!packageName) {
+    return { success: false, output: `No ${String(pkgManager)} package for ${toolName}. Try: pip install ${pkgInfo.pip ?? toolName}` };
+  }
+  eventEmitter?.({
+    type: COMMAND_EVENT_TYPES.TOOL_INSTALL,
+    message: `Installing missing tool: ${toolName}`,
+    detail: `Using ${String(pkgManager)} to install ${packageName}`
+  });
+  let installCmd;
+  if (pkgManager === "apt") {
+    installCmd = `apt update -qq 2>/dev/null; apt install -y ${packageName}`;
+  } else if (pkgManager === "brew") {
+    installCmd = `brew install ${packageName}`;
+  } else {
+    return { success: false, output: `Unsupported package manager: ${String(pkgManager)}` };
+  }
+  return new Promise((resolve) => {
+    const child = spawn2("sh", ["-c", installCmd], {
+      env: { ...process.env, DEBIAN_FRONTEND: "noninteractive" }
+    });
+    let stdout = "";
+    let stderr = "";
+    const checkForSudoPrompt = async (data) => {
+      if (!inputHandler) return;
+      for (const pattern of INPUT_PROMPT_PATTERNS) {
+        if (pattern.test(data)) {
+          const userInput = await inputHandler(data.trim());
+          if (userInput !== null && child.stdin.writable) {
+            child.stdin.write(userInput + "\n");
+          }
+          return;
+        }
+      }
+    };
+    child.stdout.on("data", (data) => {
+      const text = data.toString();
+      stdout += text;
+      checkForSudoPrompt(text);
+    });
+    child.stderr.on("data", (data) => {
+      const text = data.toString();
+      stderr += text;
+      checkForSudoPrompt(text);
+    });
+    child.on("close", (code) => {
+      if (code === 0) {
+        eventEmitter?.({
+          type: COMMAND_EVENT_TYPES.TOOL_INSTALLED,
+          message: `Successfully installed: ${toolName}`,
+          detail: `Package: ${packageName}`
+        });
+        resolve({ success: true, output: `Successfully installed ${toolName}` });
+      } else {
+        eventEmitter?.({
+          type: COMMAND_EVENT_TYPES.TOOL_INSTALL_FAILED,
+          message: `Failed to install: ${toolName}`,
+          detail: stderr.slice(0, SYSTEM_LIMITS.MAX_ERROR_DETAIL_SLICE)
+        });
+        resolve({
+          success: false,
+          output: `Failed to install ${toolName}: ${stderr.slice(0, SYSTEM_LIMITS.MAX_ERROR_DETAIL_SLICE)}`
+        });
+      }
+    });
+    child.on("error", (err) => {
+      resolve({ success: false, output: `Install error: ${err.message}` });
+    });
+  });
+}
+
+// src/shared/utils/config/env.ts
+var ENV_KEYS = {
+  API_KEY: "PENTEST_API_KEY",
+  BASE_URL: "PENTEST_BASE_URL",
+  MODEL: "PENTEST_MODEL",
+  SEARCH_API_KEY: "SEARCH_API_KEY",
+  SEARCH_API_URL: "SEARCH_API_URL",
+  THINKING: "PENTEST_THINKING",
+  THINKING_BUDGET: "PENTEST_THINKING_BUDGET",
+  APP_VERSION: "PENTESTING_VERSION"
+};
+var DEFAULT_SEARCH_API_URL = "https://api.search.brave.com/res/v1/web/search";
+var DEFAULT_MODEL = "glm-4.7";
+function getApiKey() {
+  return process.env[ENV_KEYS.API_KEY] || "";
+}
+function getBaseUrl() {
+  return process.env[ENV_KEYS.BASE_URL] || void 0;
+}
+function getModel() {
+  return process.env[ENV_KEYS.MODEL] || "";
+}
+function getSearchApiKey() {
+  if (process.env[ENV_KEYS.SEARCH_API_KEY]) {
+    return process.env[ENV_KEYS.SEARCH_API_KEY];
+  }
+  return process.env[ENV_KEYS.API_KEY];
+}
+function getSearchApiUrl() {
+  return process.env[ENV_KEYS.SEARCH_API_URL] || DEFAULT_SEARCH_API_URL;
+}
+function isZaiProvider() {
+  const baseUrl = getBaseUrl() || "";
+  return baseUrl.includes("z.ai");
+}
+function isThinkingEnabled() {
+  return process.env[ENV_KEYS.THINKING] !== "false";
+}
+function getThinkingBudget() {
+  const val = parseInt(process.env[ENV_KEYS.THINKING_BUDGET] || "", 10);
+  return isNaN(val) ? 8e3 : Math.max(1024, val);
+}
+
+// src/shared/utils/config/tor/core.ts
+var TOR_PROXY = {
+  /** SOCKS5 proxy host (Tor daemon listens here) */
+  SOCKS_HOST: "127.0.0.1",
+  /** SOCKS5 proxy port */
+  SOCKS_PORT: 9050,
+  /** Shell wrapper command for proxying CLI tools */
+  WRAPPER_CMD: "proxychains4",
+  /** Flags for the wrapper command (-q = quiet, no banners) */
+  WRAPPER_FLAGS: "-q"
+};
+var torEnabled = false;
+function isTorEnabled() {
+  return torEnabled;
+}
+function setTorEnabled(enabled) {
+  torEnabled = enabled;
+}
+function getTorBrowserArgs() {
+  if (!isTorEnabled()) return [];
+  return [`--proxy-server=socks5://${TOR_PROXY.SOCKS_HOST}:${TOR_PROXY.SOCKS_PORT}`];
+}
+
+// src/shared/utils/config/tor/wrapper.ts
+function wrapCommandForTor(command) {
+  if (!isTorEnabled()) return command;
+  const SOCKS = `${TOR_PROXY.SOCKS_HOST}:${TOR_PROXY.SOCKS_PORT}`;
+  if (/\bcurl\b/.test(command)) {
+    if (/--socks5|--proxy\b|-x\s/.test(command)) return command;
+    return command.replace(/\bcurl\b/, `curl --socks5-hostname ${SOCKS}`);
+  }
+  if (/\bwget\b/.test(command)) {
+    if (/--execute.*proxy|http_proxy|https_proxy/i.test(command)) return command;
+    return command.replace(
+      /\bwget\b/,
+      `wget -e use_proxy=yes -e http_proxy=socks5h://${SOCKS} -e https_proxy=socks5h://${SOCKS}`
+    );
+  }
+  if (/\bsqlmap\b/.test(command)) {
+    if (/--tor\b|--proxy\b/.test(command)) return command;
+    return command.replace(
+      /\bsqlmap\b/,
+      `sqlmap --tor --tor-type=SOCKS5 --tor-port=${TOR_PROXY.SOCKS_PORT}`
+    );
+  }
+  if (/\bgobuster\b/.test(command)) {
+    if (/--proxy\b/.test(command)) return command;
+    return command.replace(/\bgobuster\b/, `gobuster --proxy socks5://${SOCKS}`);
+  }
+  if (/\bffuf\b/.test(command)) {
+    if (/-x\s/.test(command)) return command;
+    return command.replace(/\bffuf\b/, `ffuf -x socks5://${SOCKS}`);
+  }
+  if (/\bnmap\b/.test(command)) {
+    let nmapCmd = command;
+    nmapCmd = nmapCmd.replace(/\s-s[SAXFN]\b/g, " -sT");
+    if (!/\s-Pn\b/.test(nmapCmd)) {
+      nmapCmd = nmapCmd.replace(/\bnmap\b/, "nmap -Pn");
+    }
+    return `${TOR_PROXY.WRAPPER_CMD} ${TOR_PROXY.WRAPPER_FLAGS} ${nmapCmd}`;
+  }
+  return `${TOR_PROXY.WRAPPER_CMD} ${TOR_PROXY.WRAPPER_FLAGS} ${command}`;
+}
+
+// src/shared/utils/config/tor/leak-detector.ts
+function checkTorLeakRisk(command) {
+  if (!isTorEnabled()) return { safe: true };
+  if (/\bping\b/.test(command)) {
+    return {
+      safe: false,
+      reason: "ping uses ICMP \u2014 bypasses Tor, real IP exposed to target",
+      suggestion: "Use TCP probe instead: curl --socks5-hostname 127.0.0.1:9050 -s --connect-timeout 5 http://<target>:<port>"
+    };
+  }
+  if (/\btraceroute\b|\btracepath\b|\bmtr\b/.test(command)) {
+    return {
+      safe: false,
+      reason: "traceroute/tracepath/mtr uses ICMP/UDP \u2014 bypasses Tor, real IP exposed",
+      suggestion: "Skip traceroute when Tor is enabled (reveals all hops including your IP)"
+    };
+  }
+  if (/\bdig\b/.test(command) || /\bnslookup\b/.test(command) || /(?:^|[;&|\s])host(?:\s|$)/.test(command)) {
+    return {
+      safe: false,
+      reason: "dig/host/nslookup use UDP \u2014 DNS query bypasses Tor, real IP visible to DNS server",
+      suggestion: `Use DNS-over-HTTPS: curl --socks5-hostname ${TOR_PROXY.SOCKS_HOST}:${TOR_PROXY.SOCKS_PORT} "https://dns.google/resolve?name=<host>&type=A"`
+    };
+  }
+  if (/\bnmap\b/.test(command) && /\s-sU\b/.test(command)) {
+    return {
+      safe: false,
+      reason: "nmap -sU (UDP scan) bypasses Tor \u2014 UDP is not routed through SOCKS5",
+      suggestion: `Skip UDP scan with Tor ON. Use TCP scan: ${TOR_PROXY.WRAPPER_CMD} ${TOR_PROXY.WRAPPER_FLAGS} nmap -sT -Pn`
+    };
+  }
+  return { safe: true };
+}
+
+// src/shared/utils/config/validation.ts
+function validateRequiredConfig() {
+  const errors = [];
+  if (!getApiKey()) {
+    errors.push(
+      `[config] PENTEST_API_KEY is required.
+  Export it before running:
+    export PENTEST_API_KEY=your_api_key
+  For z.ai: get your key at https://api.z.ai`
+    );
+  }
+  const budgetRaw = process.env[ENV_KEYS.THINKING_BUDGET];
+  if (budgetRaw !== void 0 && budgetRaw !== "") {
+    const parsed = parseInt(budgetRaw, 10);
+    if (isNaN(parsed) || parsed < 1024) {
+      errors.push(
+        `[config] PENTEST_THINKING_BUDGET must be an integer \u2265 1024 (got: "${budgetRaw}")`
+      );
+    }
+  }
+  return errors;
+}
+
+// src/engine/tools-base/command-executor/internal.ts
+import { spawn as spawn3 } from "child_process";
+function injectCurlMaxTime(command, timeoutSec) {
+  if (!/\bcurl\b/.test(command)) return command;
+  if (/--max-time\b|-m\s+\d/.test(command)) return command;
+  return command.replace(/\bcurl\b/, `curl --max-time ${timeoutSec}`);
+}
+function prepareCommand(command) {
+  const safeCommand = injectCurlMaxTime(command, CURL_MAX_TIME_SEC);
+  const torLeak = checkTorLeakRisk(safeCommand);
+  if (!torLeak.safe) {
+    return {
+      safeCommand,
+      execCommand: "",
+      error: `\u{1F6D1} TOR IP LEAK BLOCKED
+Reason: ${torLeak.reason}
+Suggestion: ${torLeak.suggestion}`
+    };
+  }
+  return { safeCommand, execCommand: wrapCommandForTor(safeCommand) };
+}
+function setupTimeout(child, timeoutMs, onTimeout) {
+  return setTimeout(() => {
+    onTimeout();
+    try {
+      process.kill(-child.pid, "SIGKILL");
+    } catch {
+      try {
+        child.kill("SIGKILL");
+      } catch {
+      }
+    }
+  }, timeoutMs);
+}
+var ProcessIOHandler = class {
+  constructor(child, processState, eventEmitter, inputHandler) {
+    this.child = child;
+    this.processState = processState;
+    this.eventEmitter = eventEmitter;
+    this.inputHandler = inputHandler;
+  }
+  stdout = "";
+  stderr = "";
+  inputHandled = false;
+  async checkForInputPrompt(data) {
+    if (this.inputHandled || !this.inputHandler || this.processState.terminated) return;
+    for (const pattern of INPUT_PROMPT_PATTERNS) {
+      if (pattern.test(data)) {
+        this.inputHandled = true;
+        this.eventEmitter?.({
+          type: COMMAND_EVENT_TYPES.INPUT_REQUIRED,
+          message: `Input required: ${data.trim().slice(0, SYSTEM_LIMITS.MAX_PROMPT_PREVIEW)}`,
+          detail: "Waiting for user input..."
+        });
+        try {
+          const userInput = await this.inputHandler(data.trim());
+          if (userInput !== null && !this.processState.terminated && this.child.stdin?.writable) {
+            this.child.stdin.write(userInput + "\n");
+          }
+        } catch {
+        }
+        return;
+      }
+    }
+  }
+  handleStdout(data) {
+    const text = data.toString();
+    this.stdout += text;
+    if (this.stdout.length > SYSTEM_LIMITS.MAX_STDOUT_SLICE) {
+      this.stdout = this.stdout.slice(-SYSTEM_LIMITS.MAX_STDOUT_SLICE);
+    }
+    const lines = text.split("\n").map((l) => l.trim()).filter(Boolean);
+    if (lines.length > 0) {
+      this.eventEmitter?.({
+        type: COMMAND_EVENT_TYPES.COMMAND_STDOUT,
+        message: lines[lines.length - 1]
+      });
+    }
+    this.checkForInputPrompt(text);
+  }
+  handleStderr(data) {
+    const text = data.toString();
+    this.stderr += text;
+    if (this.stderr.length > SYSTEM_LIMITS.MAX_STDERR_SLICE) {
+      this.stderr = this.stderr.slice(-SYSTEM_LIMITS.MAX_STDERR_SLICE);
+    }
+    this.checkForInputPrompt(text);
+  }
+};
+async function executeCommandOnce(command, options = {}) {
+  return new Promise((resolve) => {
+    const eventEmitter = getEventEmitter();
+    const { safeCommand, execCommand, error } = prepareCommand(command);
+    if (error) {
+      return resolve({ success: false, output: "", error });
+    }
+    eventEmitter?.({
+      type: COMMAND_EVENT_TYPES.COMMAND_START,
+      message: `Executing: ${safeCommand.slice(0, DISPLAY_LIMITS.COMMAND_PREVIEW)}${safeCommand.length > DISPLAY_LIMITS.COMMAND_PREVIEW ? "..." : ""}`
+    });
+    const child = spawn3("sh", ["-c", execCommand], {
+      detached: true,
+      env: { ...process.env, ...options.env },
+      cwd: options.cwd
+    });
+    const processState = { terminated: false, timedOut: false };
+    const timeoutMs = options.timeout ?? TOOL_TIMEOUTS.DEFAULT_COMMAND;
+    const killTimer = setupTimeout(child, timeoutMs, () => {
+      processState.timedOut = true;
+      processState.terminated = true;
+    });
+    const ioHandler = new ProcessIOHandler(child, processState, eventEmitter, getInputHandler());
+    child.stdout.on("data", (d) => ioHandler.handleStdout(d));
+    child.stderr.on("data", (d) => ioHandler.handleStderr(d));
+    child.on("close", (code) => {
+      clearTimeout(killTimer);
+      processState.terminated = true;
+      const outTrimmed = ioHandler.stdout.trim();
+      const errTrimmed = ioHandler.stderr.trim();
+      if (processState.timedOut) {
+        eventEmitter?.({ type: COMMAND_EVENT_TYPES.COMMAND_FAILED, message: `Command timed out after ${Math.round(timeoutMs / 1e3)}s` });
+        return resolve({
+          success: false,
+          output: outTrimmed,
+          error: `Command timed out after ${Math.round(timeoutMs / 1e3)}s. Output so far:
+${(ioHandler.stdout + ioHandler.stderr).trim().slice(-500)}`
+        });
+      }
+      if (code === 0) {
+        eventEmitter?.({ type: COMMAND_EVENT_TYPES.COMMAND_SUCCESS, message: `Command completed` });
+        return resolve({ success: true, output: outTrimmed || errTrimmed });
+      }
+      eventEmitter?.({ type: COMMAND_EVENT_TYPES.COMMAND_FAILED, message: `Command failed (exit ${code})`, detail: errTrimmed.slice(0, SYSTEM_LIMITS.MAX_INPUT_SLICE) });
+      return resolve({ success: false, output: outTrimmed, error: errTrimmed || `Process exited with code ${code}` });
+    });
+    child.on("error", (err) => {
+      clearTimeout(killTimer);
+      processState.terminated = true;
+      eventEmitter?.({ type: COMMAND_EVENT_TYPES.COMMAND_ERROR, message: `Command error: ${err.message}` });
+      resolve({ success: false, output: "", error: err.message || String(err) });
+    });
+  });
+}
+
+// src/engine/tools-base/command-executor/runner.ts
+async function runCommand(command, args = [], options = {}) {
+  const eventEmitter = getEventEmitter();
+  const inputHandler = getInputHandler();
+  const fullCommand = args.length > 0 ? `${command} ${args.join(" ")}` : command;
+  const validation = validateCommand(fullCommand);
+  if (!validation.isSafe) {
+    return {
+      success: false,
+      output: "",
+      error: `Command blocked: ${validation.error}`
+    };
+  }
+  const torLeak = checkTorLeakRisk(fullCommand);
+  if (!torLeak.safe) {
+    return {
+      success: false,
+      output: "",
+      error: `\u{1F6D1} TOR IP LEAK BLOCKED
+Reason: ${torLeak.reason}
+Suggestion: ${torLeak.suggestion}`
+    };
+  }
+  const timeout = options.timeout ?? TOOL_TIMEOUTS.DEFAULT_COMMAND;
+  const maxRetries = options.maxRetries ?? AGENT_LIMITS.MAX_INSTALL_RETRIES;
+  const tokens = command.trim().split(/\s+/);
+  const binaryPath = tokens[0] || "";
+  const toolName = binaryPath.split("/").pop() || binaryPath;
+  let lastResult = { success: false, output: "", error: "Unknown error" };
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    if (attempt === 0 && toolName && !toolName.includes("=") && !["cd", "ls", "pwd", "echo", "cat"].includes(toolName)) {
+      const checkResult = await executeCommandOnce(`which ${toolName}`, { timeout: 2e3 });
+      if (!checkResult.success) {
+        eventEmitter?.({
+          type: COMMAND_EVENT_TYPES.TOOL_MISSING,
+          message: `${STATUS_MARKERS.INFO} Tool not found: ${toolName}`,
+          detail: `Pre-emptively attempting to install...`
+        });
+        const installResult2 = await installTool(toolName, eventEmitter, inputHandler);
+        if (!installResult2.success) {
+          eventEmitter?.({
+            type: COMMAND_EVENT_TYPES.TOOL_INSTALL_FAILED,
+            message: `Eager install failed for ${toolName}`,
+            detail: installResult2.output
+          });
+        }
+      }
+    }
+    const result = await executeCommandOnce(fullCommand, { ...options, timeout });
+    if (result.success) {
+      return result;
+    }
+    const missing = isCommandNotFound(result.error || "", result.output);
+    if (!missing || attempt >= maxRetries) {
+      return result;
+    }
+    lastResult = result;
+    eventEmitter?.({
+      type: COMMAND_EVENT_TYPES.TOOL_MISSING,
+      message: `${STATUS_MARKERS.WARNING} Tool not found: ${toolName}`,
+      detail: `Attempting to install...`
+    });
+    const installResult = await installTool(toolName, eventEmitter, inputHandler);
+    if (!installResult.success) {
+      return {
+        success: false,
+        output: result.output,
+        error: `${result.error}
+
+[Auto-install failed: ${installResult.output}]`
+      };
+    }
+    eventEmitter?.({
+      type: COMMAND_EVENT_TYPES.TOOL_RETRY,
+      message: `Retrying command after installing ${toolName}...`,
+      detail: command.slice(0, DISPLAY_LIMITS.COMMAND_PREVIEW)
+    });
+  }
+  return lastResult;
+}
+
+// src/engine/tools-base/file-operations.ts
+import { readFileSync as readFileSync2, existsSync as existsSync2, writeFileSync as writeFileSync2 } from "fs";
+import { dirname } from "path";
+import { join as join2 } from "path";
+import { tmpdir } from "os";
+
+// src/shared/utils/id-gen/id-generator.ts
+var ID_DEFAULT_RADIX = 36;
+var ID_DEFAULT_LENGTH = 6;
+var generateId = (radix = 36, length = 8) => Math.random().toString(radix).substring(2, 2 + length);
+var generatePrefixedId = (prefix, radix = ID_DEFAULT_RADIX, randomLength = ID_DEFAULT_LENGTH) => `${prefix}_${Date.now()}_${Math.random().toString(radix).slice(2, 2 + randomLength)}`;
+var generateTempFilename = (suffix = "", prefix = "pentest") => `${prefix}-${Date.now()}-${Math.random().toString(ID_DEFAULT_RADIX).slice(2, 2 + ID_DEFAULT_LENGTH)}${suffix}`;
+
+// src/shared/utils/error-utils/error-utils.ts
+function getErrorMessage(error) {
+  return error instanceof Error ? error.message : String(error);
+}
+
+// src/engine/tools-base/file-operations.ts
+async function readFileContent(filePath) {
+  try {
+    if (!existsSync2(filePath)) {
+      return {
+        success: false,
+        output: "",
+        error: `File not found: ${filePath}`
+      };
+    }
+    const content = readFileSync2(filePath, "utf-8");
+    return {
+      success: true,
+      output: content
+    };
+  } catch (error) {
+    const message = getErrorMessage(error);
+    return {
+      success: false,
+      output: "",
+      error: message
+    };
+  }
+}
+async function writeFileContent(filePath, content) {
+  try {
+    const dir2 = dirname(filePath);
+    ensureDirExists(dir2);
+    writeFileSync2(filePath, content, "utf-8");
+    return {
+      success: true,
+      output: `Written to ${filePath}`
+    };
+  } catch (error) {
+    const message = getErrorMessage(error);
+    return {
+      success: false,
+      output: "",
+      error: message
+    };
+  }
+}
+function createTempFile(suffix = "") {
+  return join2(tmpdir(), generateTempFilename(suffix));
+}
+
+// src/engine/process/process-lifecycle.ts
+function startBackgroundProcess(command, options = {}) {
+  const processId = generatePrefixedId("bg");
+  const stdoutFile = createTempFile(FILE_EXTENSIONS.STDOUT);
+  const stderrFile = createTempFile(FILE_EXTENSIONS.STDERR);
+  const stdinFile = createTempFile(FILE_EXTENSIONS.STDIN);
+  const { tags, port, role, isInteractive } = detectProcessRole(command);
+  const torLeak = checkTorLeakRisk(command);
+  if (!torLeak.safe) {
+    for (const f of [stdoutFile, stderrFile, stdinFile]) {
+      try {
+        unlinkSync(f);
+      } catch {
+      }
+    }
+    throw new Error(`\u{1F6D1} TOR IP LEAK BLOCKED \u2014 ${torLeak.reason}. ${torLeak.suggestion}`);
+  }
+  const torCommand = wrapCommandForTor(command);
+  let wrappedCmd;
+  if (isInteractive) {
+    writeFileSync3(stdinFile, "", "utf-8");
+    wrappedCmd = `tail -f ${stdinFile} | ${torCommand} > ${stdoutFile} 2> ${stderrFile}`;
+  } else {
+    wrappedCmd = `${torCommand} > ${stdoutFile} 2> ${stderrFile}`;
+  }
+  const child = spawn4("sh", ["-c", wrappedCmd], {
+    detached: true,
+    stdio: "ignore",
+    cwd: options.cwd,
+    env: { ...process.env, ...options.env }
+  });
+  child.unref();
+  const purpose = options.purpose || (role === "listener" ? `Listening on port ${port || "?"} for incoming connection` : role === "server" ? `Serving files on port ${port || "?"}` : role === "sniffer" ? "Capturing network traffic" : command.slice(0, SYSTEM_LIMITS.MAX_DESCRIPTION_LENGTH));
+  const bgProcess = {
+    id: processId,
+    pid: child.pid,
+    command: command.slice(0, SYSTEM_LIMITS.MAX_COMMAND_LENGTH),
+    description: options.description || command.slice(0, SYSTEM_LIMITS.MAX_DESCRIPTION_LENGTH),
+    startedAt: Date.now(),
+    stdoutFile,
+    stderrFile,
+    stdinFile,
+    childProcess: child,
+    hasExited: false,
+    exitCode: null,
+    listeningPort: port,
+    childPids: [],
+    tags,
+    role,
+    purpose,
+    isInteractive
+  };
+  child.on("exit", (code) => {
+    bgProcess.hasExited = true;
+    bgProcess.exitCode = code;
+    logEvent(processId, PROCESS_EVENTS.DIED, `Process exited with code ${code}`);
+    const emitter = getEventEmitter();
+    if (emitter) {
+      emitter({
+        type: COMMAND_EVENT_TYPES.PROCESS_NOTIFICATION,
+        message: `Process finished: ${bgProcess.description} (exit ${code}). Ready for analysis.`
+      });
+    }
+  });
+  setProcess(processId, bgProcess);
+  logEvent(processId, PROCESS_EVENTS.STARTED, `${role} started: ${command.slice(0, SYSTEM_LIMITS.MAX_DESCRIPTION_LENGTH)} (PID:${child.pid})`);
+  setTimeout(() => {
+    if (!bgProcess.hasExited) {
+      bgProcess.childPids = discoverAllDescendants(bgProcess.pid);
+    }
+  }, SYSTEM_LIMITS.CHILD_PID_DISCOVERY_MS);
+  return bgProcess;
+}
+
+// src/engine/process/process-interaction.ts
+import { existsSync as existsSync3, readFileSync as readFileSync3, appendFileSync as appendFileSync2 } from "fs";
+async function sendToProcess(processId, input, waitMs = SYSTEM_LIMITS.DEFAULT_WAIT_MS_INTERACT) {
+  const proc = getProcess(processId);
+  if (!proc) return { success: false, output: `Process ${processId} not found`, newOutput: "" };
+  if (!proc.isInteractive) return { success: false, output: `Process ${processId} is not interactive`, newOutput: "" };
+  if (proc.hasExited) return { success: false, output: `Process ${processId} has exited`, newOutput: "" };
+  let currentLen = 0;
+  try {
+    if (existsSync3(proc.stdoutFile)) {
+      currentLen = readFileSync3(proc.stdoutFile, "utf-8").length;
+    }
+  } catch {
+  }
+  try {
+    appendFileSync2(proc.stdinFile, input + "\n", "utf-8");
+  } catch (error) {
+    return { success: false, output: `Failed to send input: ${error}`, newOutput: "" };
+  }
+  logEvent(processId, PROCESS_EVENTS.COMMAND_SENT, `Sent: ${input.slice(0, SYSTEM_LIMITS.MAX_INPUT_SLICE)}`);
+  await new Promise((r) => setTimeout(r, waitMs));
+  let fullStdout = "";
+  try {
+    if (existsSync3(proc.stdoutFile)) {
+      fullStdout = readFileSync3(proc.stdoutFile, "utf-8");
+    }
+  } catch {
+  }
+  const newOutput = fullStdout.slice(currentLen);
+  return {
+    success: true,
+    output: fullStdout.slice(-SYSTEM_LIMITS.MAX_STDOUT_SLICE),
+    newOutput: newOutput || "(no new output \u2014 command may need more time)"
+  };
+}
+function promoteToShell(processId, description) {
+  const proc = getProcess(processId);
+  if (!proc) return false;
+  proc.role = PROCESS_ROLES.ACTIVE_SHELL;
+  proc.purpose = description || "Reverse shell connected \u2014 target access available";
+  proc.isInteractive = true;
+  logEvent(processId, PROCESS_EVENTS.ROLE_CHANGED, `Promoted to active_shell: ${proc.purpose}`);
+  return true;
+}
+
+// src/engine/process/process-monitor.ts
+import { existsSync as existsSync4, readFileSync as readFileSync4 } from "fs";
+function isProcessRunning(processId) {
+  const proc = getProcess(processId);
+  if (!proc) return false;
+  if (proc.hasExited) return false;
+  if (!isPidAlive(proc.pid)) {
+    proc.hasExited = true;
+    logEvent(processId, PROCESS_EVENTS.DIED, "Process no longer alive (PID check failed)");
+    return false;
+  }
+  proc.childPids = discoverAllDescendants(proc.pid);
+  if (proc.role === PROCESS_ROLES.LISTENER) {
+    try {
+      if (existsSync4(proc.stdoutFile)) {
+        const stdout = readFileSync4(proc.stdoutFile, "utf-8");
+        if (detectConnection(stdout)) {
+          promoteToShell(processId, "Reverse shell connected (auto-detected)");
+          logEvent(processId, PROCESS_EVENTS.CONNECTION_DETECTED, `Connection detected on port ${proc.listeningPort}`);
+        }
+      }
+    } catch {
+    }
+  }
+  return true;
+}
+function getProcessOutput(processId) {
+  const proc = getProcess(processId);
+  if (!proc) return null;
+  const running = isProcessRunning(processId);
+  let stdout = "";
+  let stderr = "";
+  try {
+    if (existsSync4(proc.stdoutFile)) {
+      const content = readFileSync4(proc.stdoutFile, "utf-8");
+      stdout = content.length > SYSTEM_LIMITS.MAX_STDOUT_SLICE ? `... [truncated ${content.length - SYSTEM_LIMITS.MAX_STDOUT_SLICE} chars] ...
+` + content.slice(-SYSTEM_LIMITS.MAX_STDOUT_SLICE) : content;
+    }
+  } catch {
+  }
+  try {
+    if (existsSync4(proc.stderrFile)) {
+      const content = readFileSync4(proc.stderrFile, "utf-8");
+      stderr = content.length > SYSTEM_LIMITS.MAX_STDERR_SLICE ? `... [truncated ${content.length - SYSTEM_LIMITS.MAX_STDERR_SLICE} chars] ...
+` + content.slice(-SYSTEM_LIMITS.MAX_STDERR_SLICE) : content;
+    }
+  } catch {
+  }
+  return {
+    stdout,
+    stderr,
+    isRunning: running,
+    exitCode: proc.exitCode,
+    durationMs: Date.now() - proc.startedAt,
+    listeningPort: proc.listeningPort,
+    childPids: proc.childPids,
+    tags: proc.tags,
+    role: proc.role,
+    purpose: proc.purpose,
+    isInteractive: proc.isInteractive
+  };
+}
+function listBackgroundProcesses() {
+  const result = [];
+  for (const [id, proc] of getAllProcessEntries()) {
+    const isRunning = isProcessRunning(id);
+    result.push({
+      id,
+      pid: proc.pid,
+      command: proc.command,
+      description: proc.description,
+      isRunning,
+      durationMs: Date.now() - proc.startedAt,
+      exitCode: proc.exitCode,
+      listeningPort: proc.listeningPort,
+      childPids: proc.childPids,
+      tags: proc.tags,
+      role: proc.role,
+      purpose: proc.purpose,
+      isInteractive: proc.isInteractive,
+      stdoutFile: proc.stdoutFile
+    });
+  }
+  return result;
+}
+function getUsedPorts() {
+  const ports = [];
+  for (const proc of getAllProcesses()) {
+    if (proc.listeningPort && isProcessRunning(proc.id)) ports.push(proc.listeningPort);
+  }
+  return ports;
+}
+function getAllProcessEntries() {
+  const entries = [];
+  for (const proc of getAllProcesses()) {
+    entries.push([proc.id, proc]);
+  }
+  return entries;
+}
+
+// src/engine/process/process-stopper.ts
+import { execSync as execSync2 } from "child_process";
+import { unlinkSync as unlinkSync2 } from "fs";
+var cleanupDone = false;
+async function stopBackgroundProcess(processId) {
+  const proc = getProcess(processId);
+  if (!proc) return { success: false, output: `Process ${processId} not found` };
+  const wasActiveShell = proc.role === PROCESS_ROLES.ACTIVE_SHELL;
+  const finalOutput = getProcessOutput(processId);
+  if (!proc.hasExited) {
+    proc.childPids = discoverAllDescendants(proc.pid);
+    await killProcessTree(proc.pid, proc.childPids);
+  }
+  try {
+    unlinkSync2(proc.stdoutFile);
+  } catch {
+  }
+  try {
+    unlinkSync2(proc.stderrFile);
+  } catch {
+  }
+  try {
+    unlinkSync2(proc.stdinFile);
+  } catch {
+  }
+  logEvent(processId, PROCESS_EVENTS.STOPPED, `Stopped ${proc.role} (PID:${proc.pid}, children:${proc.childPids.length})`);
+  deleteProcess(processId);
+  const childInfo = proc.childPids.length > 0 ? `
+Child PIDs also killed: ${proc.childPids.join(", ")}` : "";
+  const shellWarning = wasActiveShell ? `
+${STATUS_MARKERS.WARNING} WARNING: Active shell was terminated. Target access lost.` : "";
+  return {
+    success: true,
+    output: `Process stopped (PID: ${proc.pid}, role: ${proc.role}).${childInfo}${shellWarning}
+stdout:
+${finalOutput?.stdout?.slice(-SYSTEM_LIMITS.MAX_STDOUT_SLICE) || "(empty)"}
+stderr:
+${finalOutput?.stderr?.slice(-SYSTEM_LIMITS.MAX_STDERR_SLICE) || "(empty)"}`
+  };
+}
+async function cleanupAllProcesses() {
+  if (cleanupDone) return;
+  cleanupDone = true;
+  const ids = getAllProcessIds();
+  if (ids.length === 0) {
+    cleanupDone = false;
+    return;
+  }
+  const { getBackgroundProcessesMap: getBackgroundProcessesMap2 } = await import("./process-registry-BDTYM4MC.js");
+  const backgroundProcesses = getBackgroundProcessesMap2();
+  terminateAllNatively(backgroundProcesses, "SIGTERM");
+  await new Promise((r) => setTimeout(r, SYSTEM_LIMITS.CLEANUP_BATCH_WAIT_MS));
+  terminateAllNatively(backgroundProcesses, "SIGKILL");
+  cleanupTemporaryFiles(backgroundProcesses);
+  clearAllProcesses();
+  cleanupOrphanProcesses();
+  cleanupDone = false;
+}
+function terminateAllNatively(processes, signal) {
+  for (const [_id, proc] of processes) {
+    if (!proc.hasExited && (signal === "SIGTERM" || isPidAlive(proc.pid))) {
+      proc.childPids = discoverAllDescendants(proc.pid);
+      try {
+        process.kill(-proc.pid, signal);
+      } catch {
+        try {
+          process.kill(proc.pid, signal);
+        } catch {
+        }
+        for (const childPid of proc.childPids) {
+          try {
+            process.kill(childPid, signal);
+          } catch {
+          }
+        }
+      }
+    }
+  }
+}
+function cleanupTemporaryFiles(processes) {
+  for (const [, proc] of processes) {
+    try {
+      unlinkSync2(proc.stdoutFile);
+    } catch {
+    }
+    try {
+      unlinkSync2(proc.stderrFile);
+    } catch {
+    }
+    try {
+      unlinkSync2(proc.stdinFile);
+    } catch {
+    }
+  }
+}
+function cleanupOrphanProcesses() {
+  let hasPkill = false;
+  try {
+    execSync2("command -v pkill", { stdio: "ignore" });
+    hasPkill = true;
+  } catch {
+  }
+  if (!hasPkill) return;
+  for (const name of ORPHAN_PROCESS_NAMES) {
+    try {
+      execSync2(`pkill -x "${name}" 2>/dev/null || true`, {
+        stdio: "ignore",
+        timeout: SYSTEM_LIMITS.PROCESS_OP_TIMEOUT_MS
+      });
+    } catch {
+    }
+  }
+}
+
+// src/engine/process/resource-summary.ts
+import { existsSync as existsSync5, readFileSync as readFileSync5 } from "fs";
+function getResourceSummary() {
+  const procs = listBackgroundProcesses();
+  const running = procs.filter((p) => p.isRunning);
+  const exited = procs.filter((p) => !p.isRunning);
+  const ports = getUsedPorts();
+  const recentEvents = getProcessEventLog().slice(-SYSTEM_LIMITS.RECENT_EVENTS_IN_SUMMARY);
+  if (running.length === 0 && exited.length === 0 && recentEvents.length === 0) return "";
+  const lines = [];
+  if (running.length > 0) {
+    lines.push(`Active Assets (${running.length}):`);
+    for (const p of running) {
+      const dur = Math.round(p.durationMs / 1e3);
+      const portInfo = p.listeningPort ? ` port:${p.listeningPort}` : "";
+      const childInfo = p.childPids.length > 0 ? ` children:${p.childPids.join(",")}` : "";
+      const interactiveFlag = p.isInteractive ? ` ${STATUS_MARKERS.INTERACTIVE}` : "";
+      const roleIcon = PROCESS_ICONS[p.role] || PROCESS_ICONS[PROCESS_ROLES.BACKGROUND];
+      let lastOutput = "";
+      try {
+        if (p.stdoutFile && existsSync5(p.stdoutFile)) {
+          const content = readFileSync5(p.stdoutFile, "utf-8");
+          const outputLines = content.trim().split("\n");
+          lastOutput = outputLines.slice(-SYSTEM_LIMITS.RECENT_OUTPUT_LINES).join(" | ").replace(/\n/g, " ");
+        }
+      } catch {
+      }
+      const outputSnippet = lastOutput ? `
+    > Log: ${lastOutput}` : "";
+      lines.push(`  ${roleIcon} [${p.id}] PID:${p.pid}${portInfo}${childInfo}${interactiveFlag} [${p.role}] ${p.purpose} (${dur}s)${outputSnippet}`);
+    }
+  }
+  const orphans = [];
+  for (const p of exited) {
+    if (p.childPids.length > 0) {
+      const aliveChildren = p.childPids.filter((pid) => isPidAlive(pid));
+      if (aliveChildren.length > 0) {
+        orphans.push({ id: p.id, childPids: aliveChildren });
+      }
+    }
+  }
+  if (orphans.length > 0) {
+    lines.push(`
+${STATUS_MARKERS.WARNING} SUSPECTED ZOMBIES (Orphaned Children):`);
+    for (const o of orphans) {
+      lines.push(`  [${o.id}] Exited parent has alive children: ${o.childPids.join(", ")}`);
+    }
+    lines.push(`  \u2192 Recommendation: Run bg_process({ action: "stop", process_id: "ID" }) to clean up.`);
+  }
+  if (ports.length > 0) {
+    lines.push(`
+Ports In Use: ${ports.join(", ")}`);
+  }
+  const activeShells = running.filter((p) => p.role === PROCESS_ROLES.ACTIVE_SHELL);
+  if (activeShells.length > 0) {
+    lines.push(`
+[SHELL] ACTIVE REVERSE SHELLS \u2014 These are your CLI into the target:`);
+    for (const s of activeShells) {
+      lines.push(`  \u2192 [${s.id}] Use interact to execute commands. Upgrade if unstable.`);
+    }
+  }
+  if (exited.length > 0) {
+    lines.push(`Exited Processes (${exited.length}):`);
+    for (const p of exited) {
+      lines.push(`  ${STATUS_MARKERS.EXITED} [${p.id}] exit:${p.exitCode} [${p.role}] ${p.description}`);
+    }
+  }
+  if (recentEvents.length > 0) {
+    lines.push(`Recent Process Events:`);
+    for (const e of recentEvents.slice(-SYSTEM_LIMITS.RECENT_EVENTS_DISPLAY)) {
+      const ago = Math.round((Date.now() - e.timestamp) / 1e3);
+      lines.push(`  ${ago}s ago: [${e.event}] ${e.detail}`);
+    }
+  }
+  return lines.join("\n");
+}
+
+// src/engine/process/process-cleanup.ts
+import { unlinkSync as unlinkSync3 } from "fs";
+function syncCleanupAllProcesses(processMap) {
+  for (const [, proc] of processMap) {
+    if (!proc.hasExited) {
+      killProcessTreeSync(proc.pid, proc.childPids);
+    }
+    try {
+      unlinkSync3(proc.stdoutFile);
+    } catch {
+    }
+    try {
+      unlinkSync3(proc.stderrFile);
+    } catch {
+    }
+    try {
+      unlinkSync3(proc.stdinFile);
+    } catch {
+    }
+  }
+}
+function registerExitHandlers(processMap) {
+  process.on("exit", () => {
+    syncCleanupAllProcesses(processMap);
+  });
+  process.on("SIGINT", () => {
+    syncCleanupAllProcesses(processMap);
+    processMap.clear();
+    process.exit(EXIT_CODES.SIGINT);
+  });
+  process.on("SIGTERM", () => {
+    syncCleanupAllProcesses(processMap);
+    processMap.clear();
+    process.exit(EXIT_CODES.SIGTERM);
+  });
+}
+
+// src/engine/process/process-manager.ts
+registerExitHandlers(getBackgroundProcessesMap());
+
+// src/engine/state/persistence/serializer.ts
+var UNVERIFIED_CHAIN_DEPTH_THRESHOLD = 2;
+var ACTIONABLE_LOOT_TYPES = /* @__PURE__ */ new Set([
+  LOOT_TYPES.CREDENTIAL,
+  LOOT_TYPES.TOKEN,
+  LOOT_TYPES.HASH,
+  LOOT_TYPES.API_KEY,
+  LOOT_TYPES.SSH_KEY,
+  LOOT_TYPES.TICKET,
+  LOOT_TYPES.SESSION
+]);
+var StateSerializer = class {
+  /**
+   * Convert full state to a compact prompt summary
+   */
+  static toPrompt(state3) {
+    const lines = [];
+    this.formatContextAndMission(state3, lines);
+    this.formatArtifactsAndObjectives(state3, lines);
+    this.formatTargets(state3, lines);
+    this.formatFindings(state3, lines);
+    this.formatLoot(state3, lines);
+    this.formatTodos(state3, lines);
+    this.formatEnvironment(state3, lines);
+    const snapshot = state3.persistentMemory.snapshotToPrompt();
+    if (snapshot) lines.push(snapshot);
+    lines.push(`Phase: ${state3.getPhase()}`);
+    return lines.join("\n");
+  }
+  static formatArtifactsAndObjectives(state3, lines) {
+    if (state3.currentObjective) {
+      lines.push(`Current Objective: ${state3.currentObjective}`);
+    }
+    if (state3.artifacts && state3.artifacts.length > 0) {
+      lines.push(`Artifacts (${state3.artifacts.length}):`);
+      for (const a of state3.artifacts) {
+        lines.push(`  [${a.type}] ${a.id}: ${a.description}`);
+      }
+    }
+  }
+  static formatContextAndMission(state3, lines) {
+    const engagement = state3.getEngagement();
+    const scope = state3.getScope();
+    if (engagement) {
+      lines.push(`Engagement: ${engagement.name} (${engagement.client})`);
+    }
+    if (scope) {
+      lines.push(`Scope: CIDR=[${scope.allowedCidrs.join(", ")}] Domains=[${scope.allowedDomains.join(", ")}]`);
+    }
+    const mission = state3.getMissionSummary();
+    if (mission) {
+      lines.push(`MISSION: ${mission}`);
+    }
+    const checklist = state3.getMissionChecklist();
+    if (checklist.length > 0) {
+      lines.push(`STRATEGIC CHECKLIST:`);
+      for (const item of checklist) {
+        const status = item.isCompleted ? "[x]" : "[ ]";
+        lines.push(`  ${status} ${item.text} [${item.id}]`);
+      }
+    }
+  }
+  static formatTargets(state3, lines) {
+    const targets = state3.getAllTargets();
+    if (targets.length === 0) return;
+    const byCategory = /* @__PURE__ */ new Map();
+    for (const t of targets) {
+      const cat = t.primaryCategory || SERVICE_CATEGORIES.NETWORK;
+      if (!byCategory.has(cat)) byCategory.set(cat, []);
+      byCategory.get(cat).push(t);
+    }
+    lines.push(`Targets (${targets.length}):`);
+    for (const [cat, catTargets] of byCategory) {
+      lines.push(`  [${cat}] ${catTargets.length} hosts`);
+      for (const t of catTargets.slice(0, DISPLAY_LIMITS.TARGET_PREVIEW)) {
+        const ports = (t.ports || []).map((p) => `${p.port}/${p.service}`).join(", ");
+        lines.push(`    ${t.ip}${t.hostname ? ` (${t.hostname})` : ""}: ${ports || "unknown"}`);
+      }
+    }
+  }
+  static formatFindings(state3, lines) {
+    const findings = state3.getFindings();
+    if (findings.length === 0) return;
+    const confirmed = findings.filter((f) => f.confidence >= CONFIDENCE_THRESHOLDS.CONFIRMED).length;
+    const probable = findings.filter((f) => f.confidence >= CONFIDENCE_THRESHOLDS.PROBABLE && f.confidence < CONFIDENCE_THRESHOLDS.CONFIRMED).length;
+    const possible = findings.filter((f) => f.confidence < CONFIDENCE_THRESHOLDS.PROBABLE).length;
+    const unverifiedChain = findings.filter((f) => (f.inferenceDepth ?? 0) >= UNVERIFIED_CHAIN_DEPTH_THRESHOLD).length;
+    lines.push(`Findings: ${findings.length} total (confirmed:${confirmed} probable:${probable} possible:${possible}${unverifiedChain > 0 ? ` \u26A0\uFE0Funverified-chain:${unverifiedChain}` : ""})`);
+    const highPriority = findings.filter((f) => f.confidence >= CONFIDENCE_THRESHOLDS.CONFIRMED).sort((a, b) => b.confidence - a.confidence);
+    if (highPriority.length > 0) {
+      lines.push(`  Confirmed Findings (\u2265${CONFIDENCE_THRESHOLDS.CONFIRMED}):`);
+      for (const f of highPriority.slice(0, DISPLAY_LIMITS.FINDING_PREVIEW)) {
+        const tactic = f.attackPattern ? ` [ATT&CK:${f.attackPattern}]` : "";
+        lines.push(`    [conf:${f.confidence}|${f.severity.toUpperCase()}] ${f.title} (${f.category || "general"})${tactic}`);
+      }
+    }
+    if (unverifiedChain > 0) {
+      const unverified = findings.filter((f) => (f.inferenceDepth ?? 0) >= UNVERIFIED_CHAIN_DEPTH_THRESHOLD).sort((a, b) => (b.inferenceDepth ?? 0) - (a.inferenceDepth ?? 0));
+      lines.push(`  \u26A0\uFE0F Unverified Inference Chain Findings (direct verification recommended):`);
+      for (const f of unverified.slice(0, DISPLAY_LIMITS.FINDING_PREVIEW)) {
+        lines.push(`    [depth:${f.inferenceDepth}|conf:${f.confidence}] ${f.title}`);
+      }
+    }
+  }
+  static formatLoot(state3, lines) {
+    const loot = state3.getLoot();
+    if (loot.length === 0) return;
+    const actionable = loot.filter((l) => ACTIONABLE_LOOT_TYPES.has(l.type));
+    const other = loot.filter((l) => !ACTIONABLE_LOOT_TYPES.has(l.type));
+    lines.push(`Loot (${loot.length} items):`);
+    for (const l of actionable.slice(0, DISPLAY_LIMITS.COMPACT_LIST_ITEMS)) {
+      lines.push(`  \u26A1 USABLE [${l.type}] ${l.host}: ${l.detail}`);
+    }
+    if (actionable.length > DISPLAY_LIMITS.COMPACT_LIST_ITEMS) {
+      lines.push(`  ... +${actionable.length - DISPLAY_LIMITS.COMPACT_LIST_ITEMS} more usable items`);
+    }
+    if (other.length > 0) {
+      lines.push(`  \u{1F4C1} Other: ${other.length} items (files, certificates, etc.)`);
+    }
+    if (actionable.length > 0) {
+      lines.push(`  \u26A0\uFE0F Cross-service attack: Try ALL \u26A1 USABLE credentials/tokens on ALL discovered services.`);
+    }
+  }
+  static formatTodos(state3, lines) {
+    const todo = state3.getTodo();
+    if (todo.length === 0) return;
+    lines.push(`TODO (${todo.length}):`);
+    for (const t of todo.slice(0, DISPLAY_LIMITS.COMPACT_LIST_ITEMS)) {
+      const status = t.status === TODO_STATUSES.DONE ? "[x]" : t.status === TODO_STATUSES.IN_PROGRESS ? "[->]" : "[ ]";
+      lines.push(`  ${status} ${t.content} (${t.priority})`);
+    }
+  }
+  static formatEnvironment(state3, lines) {
+    const resourceInfo = getResourceSummary();
+    if (resourceInfo) {
+      lines.push(resourceInfo);
+    }
+    const flags = state3.getFlags();
+    if (flags.length > 0) {
+      lines.push(`Flags Found (${flags.length}): \u{1F3F4}`);
+      for (const f of flags) {
+        lines.push(`  \u{1F3F4} ${f}`);
+      }
+    }
+    if (isTorEnabled()) {
+      lines.push(
+        `Tor Proxy: ON \u{1F9C5}
+Standard tools auto-proxied (curl, wget, nmap, sqlmap, gobuster, ffuf, hydra, etc.)
+Custom scripts: route ALL target connections through SOCKS5 127.0.0.1:9050.
+BLOCKED (leak real IP): ping, traceroute, dig, nslookup, nmap -sU`
+      );
+    } else {
+      lines.push(`Tor Proxy: OFF \u2014 direct connections.`);
+    }
+  }
+};
+
+// src/engine/state/persistence/saver.ts
+import { writeFileSync as writeFileSync4, readdirSync, statSync as statSync2, unlinkSync as unlinkSync4 } from "fs";
+import { join as join3 } from "path";
+function saveState(state3) {
+  const sessionsDir = WORKSPACE.SESSIONS;
+  ensureDirExists(sessionsDir);
+  const snapshot = {
+    version: 1,
+    savedAt: Date.now(),
+    engagement: state3.getEngagement(),
+    targets: Array.from(state3.getTargets().entries()).map(([key, value]) => ({ key, value })),
+    findings: state3.getFindings(),
+    loot: state3.getLoot(),
+    todo: state3.getTodo(),
+    actionLog: state3.getRecentActions(AGENT_LIMITS.MAX_ACTION_LOG),
+    currentPhase: state3.getPhase(),
+    missionSummary: state3.getMissionSummary(),
+    missionChecklist: state3.getMissionChecklist()
+  };
+  const sessionFile = join3(sessionsDir, FILE_PATTERNS.session());
+  const json = JSON.stringify(snapshot, null, 2);
+  writeFileSync4(sessionFile, json, "utf-8");
+  const latestFile = join3(sessionsDir, "latest.json");
+  writeFileSync4(latestFile, json, "utf-8");
+  pruneOldSessions(sessionsDir);
+  return sessionFile;
+}
+function pruneOldSessions(sessionsDir) {
+  try {
+    const sessionFiles = readdirSync(sessionsDir).filter((f) => f.endsWith(FILE_EXTENSIONS.JSON) && f !== SPECIAL_FILES.LATEST_STATE).map((f) => {
+      const filePath = join3(sessionsDir, f);
+      return {
+        name: f,
+        path: filePath,
+        mtime: statSync2(filePath).mtimeMs
+      };
+    }).sort((a, b) => b.mtime - a.mtime);
+    const toDelete = sessionFiles.slice(AGENT_LIMITS.MAX_SESSION_FILES);
+    for (const file of toDelete) {
+      unlinkSync4(file.path);
+    }
+  } catch {
+  }
+}
+
+// src/engine/state/persistence/loader.ts
+import { readFileSync as readFileSync6, existsSync as existsSync6 } from "fs";
+import { join as join4 } from "path";
+function loadState(state3) {
+  const latestFile = join4(WORKSPACE.SESSIONS, "latest.json");
+  if (!existsSync6(latestFile)) {
+    return false;
+  }
+  try {
+    const raw = readFileSync6(latestFile, "utf-8");
+    const snapshot = JSON.parse(raw);
+    if (snapshot.version !== 1) {
+      debugLog("general", `Unknown snapshot version: ${snapshot.version}`);
+      return false;
+    }
+    if (snapshot.engagement) {
+      state3.setEngagement(snapshot.engagement);
+    }
+    for (const { value } of snapshot.targets) {
+      state3.addTarget(value);
+    }
+    for (const finding of snapshot.findings) {
+      const legacyFinding = finding;
+      if (typeof legacyFinding.confidence !== "number") {
+        legacyFinding.confidence = legacyFinding.isVerified === true ? 80 : 25;
+      }
+      state3.addFinding(legacyFinding);
+    }
+    for (const loot of snapshot.loot) {
+      state3.addLoot(loot);
+    }
+    for (const item of snapshot.todo) {
+      state3.restoreTodoItem(item);
+    }
+    const validPhases = new Set(Object.values(PHASES));
+    const restoredPhase = validPhases.has(snapshot.currentPhase) ? snapshot.currentPhase : PHASES.RECON;
+    state3.setPhase(restoredPhase);
+    if (snapshot.missionSummary) {
+      state3.setMissionSummary(snapshot.missionSummary);
+    }
+    if (snapshot.missionChecklist?.length > 0) {
+      state3.restoreMissionChecklist(snapshot.missionChecklist);
+    }
+    return true;
+  } catch (err) {
+    debugLog("general", `Failed to load state: ${err}`);
+    return false;
+  }
+}
+
+// src/engine/state/persistence/janitor.ts
+import { existsSync as existsSync7, rmSync } from "fs";
+function clearWorkspace() {
+  const cleared = [];
+  const errors = [];
+  const dirsToClean = [
+    { path: WORKSPACE.TURNS, label: "turn insights" },
+    { path: WORKSPACE.ARCHIVE, label: "archive (legacy)" },
+    { path: WORKSPACE.DEBUG, label: "debug logs" },
+    { path: WORKSPACE.TMP, label: "workspace/temp" },
+    { path: WORKSPACE.OUTPUTS, label: "outputs (legacy)" },
+    { path: WORKSPACE.JOURNAL, label: "journal (legacy)" },
+    { path: WORKSPACE.LOOT, label: "loot" },
+    { path: WORKSPACE.REPORTS, label: "reports" }
+  ];
+  for (const dir2 of dirsToClean) {
+    try {
+      if (existsSync7(dir2.path)) {
+        rmSync(dir2.path, { recursive: true, force: true });
+        ensureDirExists(dir2.path);
+        cleared.push(dir2.label);
+      }
+    } catch (err) {
+      errors.push(`${dir2.label}: ${getErrorMessage(err)}`);
+    }
+  }
+  return { cleared, errors };
+}
+
+export {
+  ensureDirExists,
+  WORK_DIR,
+  WORKSPACE,
+  FILE_EXTENSIONS,
+  SPECIAL_FILES,
+  FILE_PATTERNS,
+  initDebugLogger,
+  debugLog,
+  flowLog,
+  DEFAULT_MODEL,
+  getApiKey,
+  getBaseUrl,
+  getModel,
+  getSearchApiKey,
+  getSearchApiUrl,
+  isZaiProvider,
+  isThinkingEnabled,
+  getThinkingBudget,
+  isTorEnabled,
+  setTorEnabled,
+  getTorBrowserArgs,
+  validateRequiredConfig,
+  MS_PER_MINUTE,
+  DISPLAY_LIMITS,
+  RETRY_CONFIG,
+  LLM_LIMITS,
+  LLM_ERROR_TYPES,
+  AGENT_LIMITS,
+  MEMORY_LIMITS,
+  APP_NAME,
+  APP_VERSION,
+  APP_DESCRIPTION,
+  LLM_ROLES,
+  INPUT_TYPES,
+  SENSITIVE_INPUT_TYPES,
+  AUXILIARY_WORK_TYPES,
+  PHASES,
+  PHASE_TRANSITIONS,
+  AGENT_ROLES,
+  SERVICES,
+  SERVICE_CATEGORIES,
+  APPROVAL_LEVELS,
+  DANGER_LEVELS,
+  CATEGORY_APPROVAL,
+  DANGER_LEVEL_MAP,
+  TODO_STATUSES,
+  LOOT_TYPES,
+  APPROVAL_STATUSES,
+  SEVERITIES,
+  PRIORITIES,
+  NOISE_LEVELS,
+  DEFAULTS,
+  WORDLISTS,
+  HASHCAT_MODES,
+  NOISE_CLASSIFICATION,
+  TOOL_NAMES,
+  ATTACK_TACTICS,
+  ATTACK_VALUE_RANK,
+  CONFIDENCE_THRESHOLDS,
+  EVENT_TYPES,
+  COMMAND_EVENT_TYPES,
+  UI_COMMANDS,
+  generateId,
+  generatePrefixedId,
+  setCommandEventEmitter,
+  setInputHandler,
+  clearInputHandler,
+  clearCommandEventEmitter,
+  runCommand,
+  getErrorMessage,
+  readFileContent,
+  writeFileContent,
+  createTempFile,
+  startBackgroundProcess,
+  sendToProcess,
+  promoteToShell,
+  getProcessOutput,
+  listBackgroundProcesses,
+  getUsedPorts,
+  stopBackgroundProcess,
+  cleanupAllProcesses,
+  StateSerializer,
+  saveState,
+  loadState,
+  clearWorkspace
+};