pentesting 0.73.13 → 0.73.14

package/README.md

@@ -44,9 +44,14 @@ docker run -it --rm \
   -e PENTEST_API_KEY="your_key" \
   -e PENTEST_BASE_URL="https://api.z.ai/api/anthropic" \
   -e PENTEST_MODEL="glm-4.7" \
+  -v pentesting-data:/tmp/.pentesting \
   agnusdei1207/pentesting
 ```
 
+Docker stores workspace state under `/tmp/.pentesting` inside the container.
+The entrypoint resets that directory on each fresh container start to avoid mixing stale state into a new run.
+Mount that path if you want access to `.pentesting/turns`, `.pentesting/sessions`, `.pentesting/memory`, and workspace artifacts after an OOM or while the same container is still alive.
+
 ### 🐉 Kali Linux (Native)
 
 ```bash

package/dist/{agent-tool-KHXXTHGS.js → agent-tool-MMDCBQ74.js}

@@ -5,7 +5,7 @@ import {
   createContextExtractor,
   getLLMClient,
   getShellSupervisorLifecycleSnapshot
-} from "./chunk-GILD75OT.js";
+} from "./chunk-4KLVUP3C.js";
 import {
   AGENT_ROLES,
   EVENT_TYPES,
@@ -13,14 +13,14 @@ import {
   TOOL_NAMES,
   getProcessOutput,
   listBackgroundProcesses
-} from "./chunk-4UNNRHYY.js";
+} from "./chunk-AEQNELCQ.js";
 import {
   DETECTION_PATTERNS,
   PROCESS_EVENTS,
   PROCESS_ROLES,
   getActiveProcessSummary,
   getProcessEventLog
-} from "./chunk-S5ZMXFHR.js";
+} from "./chunk-YZNPWDNS.js";
 
 // src/engine/agent-tool/completion-box.ts
 function createCompletionBox() {

package/dist/{chunk-GILD75OT.js → chunk-4KLVUP3C.js}

@@ -10,6 +10,7 @@ import {
   DANGER_LEVELS,
   DANGER_LEVEL_MAP,
   DEFAULTS,
+  DEFAULT_MODEL,
   DISPLAY_LIMITS,
   DynamicTechniqueLibrary,
   EVENT_TYPES,
@@ -52,11 +53,19 @@ import {
   generateId,
   generatePrefixedId,
   getActiveSessionRuntime,
+  getApiKey,
+  getBaseUrl,
   getErrorMessage,
+  getModel,
   getProcessOutput,
+  getSearchApiKey,
+  getSearchApiUrl,
+  getThinkingBudget,
   getTorBrowserArgs,
   getUsedPorts,
   isBranchMemoryEnabled,
+  isThinkingEnabled,
+  isZaiProvider,
   listBackgroundProcesses,
   llmNodeCooldownPolicy,
   llmNodeOutputParsing,
@@ -69,7 +78,7 @@ import {
   startBackgroundProcess,
   stopBackgroundProcess,
   writeFileContent
-} from "./chunk-4UNNRHYY.js";
+} from "./chunk-AEQNELCQ.js";
 import {
   DETECTION_PATTERNS,
   HEALTH_CONFIG,
@@ -83,59 +92,7 @@ import {
   __require,
   getProcessEventLog,
   logEvent
-} from "./chunk-S5ZMXFHR.js";
-
-// src/shared/utils/config/env.ts
-var ENV_KEYS = {
-  API_KEY: "PENTEST_API_KEY",
-  BASE_URL: "PENTEST_BASE_URL",
-  MODEL: "PENTEST_MODEL",
-  SEARCH_API_KEY: "SEARCH_API_KEY",
-  SEARCH_API_URL: "SEARCH_API_URL",
-  THINKING: "PENTEST_THINKING",
-  THINKING_BUDGET: "PENTEST_THINKING_BUDGET",
-  SCOPE_MODE: "PENTEST_SCOPE_MODE",
-  APPROVAL_MODE: "PENTEST_APPROVAL_MODE",
-  CONTAINERIZED: "PENTEST_CONTAINERIZED",
-  APP_VERSION: "PENTESTING_VERSION"
-};
-var DEFAULT_THINKING_BUDGET = 8e3;
-var DEFAULT_SEARCH_API_URL = "https://api.search.brave.com/res/v1/web/search";
-var DEFAULT_MODEL = "glm-4.7";
-function getApiKey() {
-  return process.env[ENV_KEYS.API_KEY] || "";
-}
-function getOptionalEnv(key) {
-  const value = process.env[key];
-  return value && value !== "" ? value : void 0;
-}
-function getBaseUrl() {
-  return getOptionalEnv(ENV_KEYS.BASE_URL);
-}
-function getModel() {
-  return process.env[ENV_KEYS.MODEL] || "";
-}
-function getSearchApiKey() {
-  const explicitKey = getOptionalEnv(ENV_KEYS.SEARCH_API_KEY);
-  if (explicitKey) {
-    return explicitKey;
-  }
-  return getOptionalEnv(ENV_KEYS.API_KEY);
-}
-function getSearchApiUrl() {
-  return process.env[ENV_KEYS.SEARCH_API_URL] || DEFAULT_SEARCH_API_URL;
-}
-function isZaiProvider() {
-  const baseUrl = getBaseUrl() || "";
-  return baseUrl.includes("z.ai");
-}
-function isThinkingEnabled() {
-  return process.env[ENV_KEYS.THINKING] !== "false";
-}
-function getThinkingBudget() {
-  const val = parseInt(process.env[ENV_KEYS.THINKING_BUDGET] || "", 10);
-  return isNaN(val) ? DEFAULT_THINKING_BUDGET : Math.max(1024, val);
-}
+} from "./chunk-YZNPWDNS.js";
 
 // src/shared/constants/llm/api.ts
 var LLM_API = {
@@ -558,14 +515,42 @@ var LLMClient = class {
     const currentBlockRef = { value: null };
     const toolCallsMap = /* @__PURE__ */ new Map();
     let totalChars = 0;
+    let storedContentChars = 0;
+    let storedReasoningChars = 0;
+    let contentWasTruncated = false;
+    let reasoningWasTruncated = false;
     let wasAborted = false;
     context.onContent = (text) => {
-      contentChunks.push(text);
       totalChars += text.length;
+      const remaining = LLM_LIMITS.streamStoredContentChars - storedContentChars;
+      if (remaining <= 0) {
+        contentWasTruncated = true;
+        return;
+      }
+      const slice = text.slice(0, remaining);
+      if (slice) {
+        contentChunks.push(slice);
+        storedContentChars += slice.length;
+      }
+      if (slice.length < text.length) {
+        contentWasTruncated = true;
+      }
     };
     context.onReasoning = (text) => {
-      reasoningChunks.push(text);
       totalChars += text.length;
+      const remaining = LLM_LIMITS.streamStoredReasoningChars - storedReasoningChars;
+      if (remaining <= 0) {
+        reasoningWasTruncated = true;
+        return;
+      }
+      const slice = text.slice(0, remaining);
+      if (slice) {
+        reasoningChunks.push(slice);
+        storedReasoningChars += slice.length;
+      }
+      if (slice.length < text.length) {
+        reasoningWasTruncated = true;
+      }
     };
     context.onUsage = (u) => {
       usage = u;
@@ -578,7 +563,13 @@ var LLMClient = class {
       throw new DOMException("Aborted string generation", "AbortError");
     }
     const toolCalls = resolveToolCalls(toolCallsMap);
-    const stripped = stripThinkTags(contentChunks.join(""), reasoningChunks.join(""));
+    const truncatedContent = contentWasTruncated ? `${contentChunks.join("")}
+
+...[assistant output truncated for memory safety]` : contentChunks.join("");
+    const truncatedReasoning = reasoningWasTruncated ? `${reasoningChunks.join("")}
+
+...[reasoning truncated for memory safety]` : reasoningChunks.join("");
+    const stripped = stripThinkTags(truncatedContent, truncatedReasoning);
     if (usage.input_tokens > 0 || usage.output_tokens > 0) {
       addGlobalTokenUsage(usage);
     }
@@ -2015,8 +2006,8 @@ var PASSTHROUGH_THRESHOLD = 2e3;
 var PREPROCESS_THRESHOLD = 3e3;
 var MAX_PREPROCESSED_LINES = 800;
 var MAX_DUPLICATE_DISPLAY = 3;
-var ANALYST_MAX_INPUT_CHARS = 8e4;
-var FALLBACK_MAX_CHARS = 3e4;
+var ANALYST_MAX_INPUT_CHARS = 4e4;
+var FALLBACK_MAX_CHARS = 15e3;
 var NOISE_PATTERNS = [
   /^\s*$/,
   // blank lines
@@ -2345,6 +2336,8 @@ function getAnalystSystemPrompt() {
 }
 function createLLMDigestFn(llmClient) {
   return async (text, context) => {
+    const cappedText = text.length > ANALYST_MAX_INPUT_CHARS ? `${text.slice(0, ANALYST_MAX_INPUT_CHARS)}
+... [truncated at ${ANALYST_MAX_INPUT_CHARS} chars before Analyst request]` : text;
     const messages = [{
       role: LLM_ROLES.USER,
       content: `Analyze this pentesting tool output and extract actionable intelligence.
@@ -2352,7 +2345,7 @@ function createLLMDigestFn(llmClient) {
 Context: ${context}
 
 --- OUTPUT START ---
-${text}
+${cappedText}
 --- OUTPUT END ---`
     }];
     const response = await llmClient.generateResponse(
@@ -3751,15 +3744,18 @@ var HealthMonitor = class {
   check() {
     const processes = this.checkProcesses();
     const ports = this.checkPorts();
-    const recommendations = this.generateRecommendations();
+    const memory = this.checkMemory();
+    const recommendations = this.generateRecommendations(memory);
     const overall = this.calculateOverall({
       zombies: processes.zombies,
+      memoryStatus: memory.status,
       recommendations
     });
     return {
       overall,
       processes,
       ports,
+      memory,
       recommendations
     };
   }
@@ -3795,10 +3791,42 @@ var HealthMonitor = class {
     }
     return { inUse, conflicts };
   }
+  /**
+   * Check Node.js process memory health.
+   */
+  checkMemory() {
+    const usage = process.memoryUsage();
+    const heapUsedRatio = usage.heapTotal > 0 ? usage.heapUsed / usage.heapTotal : 0;
+    if (heapUsedRatio >= HEALTH_CONFIG.MEMORY_CRITICAL_HEAP_RATIO || usage.rss >= HEALTH_CONFIG.MEMORY_CRITICAL_RSS_BYTES) {
+      return {
+        rssBytes: usage.rss,
+        heapUsedBytes: usage.heapUsed,
+        heapTotalBytes: usage.heapTotal,
+        heapUsedRatio,
+        status: HEALTH_STATUS.CRITICAL
+      };
+    }
+    if (heapUsedRatio >= HEALTH_CONFIG.MEMORY_WARNING_HEAP_RATIO || usage.rss >= HEALTH_CONFIG.MEMORY_WARNING_RSS_BYTES) {
+      return {
+        rssBytes: usage.rss,
+        heapUsedBytes: usage.heapUsed,
+        heapTotalBytes: usage.heapTotal,
+        heapUsedRatio,
+        status: HEALTH_STATUS.WARNING
+      };
+    }
+    return {
+      rssBytes: usage.rss,
+      heapUsedBytes: usage.heapUsed,
+      heapTotalBytes: usage.heapTotal,
+      heapUsedRatio,
+      status: HEALTH_STATUS.HEALTHY
+    };
+  }
   /**
    * Generate recommendations based on current state
    */
-  generateRecommendations() {
+  generateRecommendations(memory) {
     const recs = [];
     const procs = listBackgroundProcesses();
     for (const proc of procs) {
@@ -3810,6 +3838,15 @@ var HealthMonitor = class {
         recs.push(`[${proc.id}] ${proc.role} running for ${durMin}min`);
       }
     }
+    if (memory.status === HEALTH_STATUS.CRITICAL) {
+      recs.push(
+        `Memory critical: heap ${(memory.heapUsedRatio * 100).toFixed(0)}% (${this.formatBytes(memory.heapUsedBytes)}/${this.formatBytes(memory.heapTotalBytes)}), rss ${this.formatBytes(memory.rssBytes)} - reduce prompt/output volume immediately`
+      );
+    } else if (memory.status === HEALTH_STATUS.WARNING) {
+      recs.push(
+        `Memory warning: heap ${(memory.heapUsedRatio * 100).toFixed(0)}% (${this.formatBytes(memory.heapUsedBytes)}/${this.formatBytes(memory.heapTotalBytes)}), rss ${this.formatBytes(memory.rssBytes)}`
+      );
+    }
     return recs;
   }
   /**
@@ -3817,9 +3854,21 @@ var HealthMonitor = class {
    */
   calculateOverall(data) {
     if (data.zombies > 0) return HEALTH_STATUS.CRITICAL;
+    if (data.memoryStatus === HEALTH_STATUS.CRITICAL) return HEALTH_STATUS.CRITICAL;
+    if (data.memoryStatus === HEALTH_STATUS.WARNING) return HEALTH_STATUS.WARNING;
     if (data.recommendations.length > HEALTH_CONFIG.MAX_RECOMMENDATIONS_FOR_HEALTHY) return HEALTH_STATUS.WARNING;
     return HEALTH_STATUS.HEALTHY;
   }
+  formatBytes(bytes) {
+    const units = ["B", "KB", "MB", "GB"];
+    let value = bytes;
+    let unitIndex = 0;
+    while (value >= 1024 && unitIndex < units.length - 1) {
+      value /= 1024;
+      unitIndex++;
+    }
+    return `${value.toFixed(unitIndex === 0 ? 0 : 1)}${units[unitIndex]}`;
+  }
 };
 
 // src/engine/resource/zombie-hunter.ts
@@ -3905,6 +3954,9 @@ async function executeBgStatus() {
   }
   lines.push(`
 ## Health: ${health.overall.toUpperCase()}`);
+  lines.push(
+    `Memory: ${health.memory.status.toUpperCase()} heap=${(health.memory.heapUsedRatio * 100).toFixed(0)}% (${Math.round(health.memory.heapUsedBytes / 1024 / 1024)}MB/${Math.round(health.memory.heapTotalBytes / 1024 / 1024)}MB) rss=${Math.round(health.memory.rssBytes / 1024 / 1024)}MB`
+  );
   if (health.recommendations.length > 0) {
     lines.push("Recommendations:");
     for (const r of health.recommendations) {
@@ -3976,6 +4028,9 @@ async function executeHealthCheck() {
   const lines = [];
   lines.push(`Health: ${status.overall.toUpperCase()}`);
   lines.push(`Processes: ${status.processes.running}/${status.processes.total} running`);
+  lines.push(
+    `Memory: ${status.memory.status.toUpperCase()} heap=${(status.memory.heapUsedRatio * 100).toFixed(0)}% (${Math.round(status.memory.heapUsedBytes / 1024 / 1024)}MB/${Math.round(status.memory.heapTotalBytes / 1024 / 1024)}MB) rss=${Math.round(status.memory.rssBytes / 1024 / 1024)}MB`
+  );
   if (status.ports.inUse.length > 0) {
     lines.push(`Ports in use: ${status.ports.inUse.join(", ")}`);
   }
@@ -11084,7 +11139,7 @@ After completion: record key loot/findings from the sub-agent output to canonica
           rootTaskId: activeExecution.rootTaskId
         }
       });
-      const { AgentTool } = await import("./agent-tool-KHXXTHGS.js");
+      const { AgentTool } = await import("./agent-tool-MMDCBQ74.js");
       const executor = new AgentTool(state, events, scopeGuard, approvalGate);
       try {
         const result = await executor.execute(input);
@@ -11363,10 +11418,6 @@ function buildShellSupervisorLifecycleSection() {
 }
 
 export {
-  ENV_KEYS,
-  DEFAULT_MODEL,
-  getApiKey,
-  getModel,
   getTimeAdaptiveStrategy,
   SharedState,
   HealthMonitor,

package/dist/{chunk-4UNNRHYY.js → chunk-AEQNELCQ.js}

@@ -20,7 +20,7 @@ import {
   getRuntimeSectionOr,
   logEvent,
   setProcess
-} from "./chunk-S5ZMXFHR.js";
+} from "./chunk-YZNPWDNS.js";
 
 // src/shared/constants/time/conversions.ts
 var MS_PER_MINUTE = 6e4;
@@ -273,6 +273,10 @@ var LLM_LIMITS = {
   nonStreamMaxTokens: 65536,
   /** WHY dynamic: streaming calls are the main agent loop. Override via config. */
   streamMaxTokens: mainLlmTokens,
+  /** WHY: cap stored assistant content even when provider streams far more text. */
+  streamStoredContentChars: 6e4,
+  /** WHY: reasoning is only used for UI/think-tag extraction, not canonical memory. */
+  streamStoredReasoningChars: 24e3,
   /** WHY: ~3.5 chars/token is a reasonable average for mixed English/CJK content */
   charsPerTokenEstimate: 3.5,
   /** WHY: 5 minutes max timeout for streaming and non-streaming responses */
@@ -348,7 +352,7 @@ var INPUT_PROMPT_PATTERNS = [
 ];
 
 // src/shared/constants/agent.ts
-var APP_VERSION = "0.73.13";
+var APP_VERSION = "0.73.14";
 var APP_DESCRIPTION = "Autonomous Penetration Testing AI Agent";
 var LLM_ROLES = {
   SYSTEM: "system",
@@ -1067,17 +1071,133 @@ function getInputHandler() {
 // src/shared/constants/paths.ts
 import path2 from "path";
 
+// src/shared/utils/config/runtime-safety.ts
+import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
+
+// src/shared/utils/config/env.ts
+var ENV_KEYS = {
+  API_KEY: "PENTEST_API_KEY",
+  BASE_URL: "PENTEST_BASE_URL",
+  MODEL: "PENTEST_MODEL",
+  SEARCH_API_KEY: "SEARCH_API_KEY",
+  SEARCH_API_URL: "SEARCH_API_URL",
+  THINKING: "PENTEST_THINKING",
+  THINKING_BUDGET: "PENTEST_THINKING_BUDGET",
+  SCOPE_MODE: "PENTEST_SCOPE_MODE",
+  APPROVAL_MODE: "PENTEST_APPROVAL_MODE",
+  CONTAINERIZED: "PENTEST_CONTAINERIZED",
+  APP_VERSION: "PENTESTING_VERSION"
+};
+var DEFAULT_THINKING_BUDGET = 8e3;
+var DEFAULT_SEARCH_API_URL = "https://api.search.brave.com/res/v1/web/search";
+var DEFAULT_MODEL = "glm-4.7";
+function getApiKey() {
+  return process.env[ENV_KEYS.API_KEY] || "";
+}
+function getOptionalEnv(key) {
+  const value = process.env[key];
+  return value && value !== "" ? value : void 0;
+}
+function getBaseUrl() {
+  return getOptionalEnv(ENV_KEYS.BASE_URL);
+}
+function getModel() {
+  return process.env[ENV_KEYS.MODEL] || "";
+}
+function getSearchApiKey() {
+  const explicitKey = getOptionalEnv(ENV_KEYS.SEARCH_API_KEY);
+  if (explicitKey) {
+    return explicitKey;
+  }
+  return getOptionalEnv(ENV_KEYS.API_KEY);
+}
+function getSearchApiUrl() {
+  return process.env[ENV_KEYS.SEARCH_API_URL] || DEFAULT_SEARCH_API_URL;
+}
+function isZaiProvider() {
+  const baseUrl = getBaseUrl() || "";
+  return baseUrl.includes("z.ai");
+}
+function isThinkingEnabled() {
+  return process.env[ENV_KEYS.THINKING] !== "false";
+}
+function getThinkingBudget() {
+  const val = parseInt(process.env[ENV_KEYS.THINKING_BUDGET] || "", 10);
+  return isNaN(val) ? DEFAULT_THINKING_BUDGET : Math.max(1024, val);
+}
+
+// src/shared/utils/config/runtime-safety.ts
+var CONTAINER_MARKER_PATH = "/.dockerenv";
+var CGROUP_PATH = "/proc/1/cgroup";
+var CONTAINER_RUNTIME_PATTERN = /(docker|containerd|kubepods|podman)/i;
+var SCOPE_MODES = ["advisory", "enforce"];
+var APPROVAL_MODES = ["advisory", "require_auto_approve"];
+function getOptionalEnv2(key) {
+  const value = process.env[key];
+  return value && value !== "" ? value : void 0;
+}
+function getBooleanOverride(key) {
+  const value = getOptionalEnv2(key);
+  if (value === "true") return true;
+  if (value === "false") return false;
+  return void 0;
+}
+function getEnumEnv(key, allowed) {
+  const value = getOptionalEnv2(key);
+  return value && allowed.includes(value) ? value : void 0;
+}
+function isContainerizedRuntime() {
+  const override = getBooleanOverride(ENV_KEYS.CONTAINERIZED);
+  if (override !== void 0) return override;
+  if (existsSync2(CONTAINER_MARKER_PATH)) return true;
+  try {
+    const cgroup = readFileSync2(CGROUP_PATH, "utf-8");
+    return CONTAINER_RUNTIME_PATTERN.test(cgroup);
+  } catch {
+    return false;
+  }
+}
+function getScopeMode() {
+  const configured = getEnumEnv(ENV_KEYS.SCOPE_MODE, SCOPE_MODES);
+  if (configured) return configured;
+  return isContainerizedRuntime() ? "advisory" : "enforce";
+}
+function getApprovalMode() {
+  const configured = getEnumEnv(ENV_KEYS.APPROVAL_MODE, APPROVAL_MODES);
+  if (configured) return configured;
+  return isContainerizedRuntime() ? "advisory" : "require_auto_approve";
+}
+
 // src/agents/workspace-config.ts
 var DEFAULT_WORKSPACE_ROOT = ".pentesting";
 var DEFAULT_WORKSPACE_DIRECTORIES = {};
+var DOCKER_WORKSPACE_ROOT = "/tmp/.pentesting";
 function getWorkspaceConfig() {
   return getRuntimeSectionOr("workspace", {});
 }
 function getWorkspaceRoot() {
-  return getWorkspaceConfig().root ?? DEFAULT_WORKSPACE_ROOT;
+  const configuredRoot = getWorkspaceConfig().root ?? DEFAULT_WORKSPACE_ROOT;
+  return remapWorkspacePath(configuredRoot);
 }
 function getWorkspaceDirectories() {
-  return getWorkspaceConfig().directories ?? DEFAULT_WORKSPACE_DIRECTORIES;
+  const configured = getWorkspaceConfig().directories ?? DEFAULT_WORKSPACE_DIRECTORIES;
+  return Object.fromEntries(
+    Object.entries(configured).map(([key, value]) => [key, remapWorkspacePath(value)])
+  );
+}
+function remapWorkspacePath(pathValue) {
+  if (!isContainerizedRuntime()) {
+    return pathValue;
+  }
+  const normalized = pathValue.replace(/\/+$/, "");
+  const defaultRoot = DEFAULT_WORKSPACE_ROOT.replace(/\/+$/, "");
+  if (normalized === defaultRoot) {
+    return DOCKER_WORKSPACE_ROOT;
+  }
+  if (normalized.startsWith(`${defaultRoot}/`)) {
+    return `${DOCKER_WORKSPACE_ROOT}${normalized.slice(defaultRoot.length)}`;
+  }
+  return pathValue;
 }
 
 // src/shared/constants/files/extensions.ts
@@ -1125,9 +1245,9 @@ var SPECIAL_FILES = {
 };
 
 // src/shared/utils/file-ops/file-utils.ts
-import { existsSync as existsSync2, mkdirSync } from "fs";
+import { existsSync as existsSync3, mkdirSync } from "fs";
 function ensureDirExists(dirPath) {
-  if (!existsSync2(dirPath)) {
+  if (!existsSync3(dirPath)) {
     mkdirSync(dirPath, { recursive: true });
   }
 }
@@ -1438,7 +1558,7 @@ var BLOCKED_BINARIES = /* @__PURE__ */ new Set([
 ]);
 
 // src/shared/utils/debug/debug-logger.ts
-import { appendFileSync, writeFileSync, statSync, readFileSync as readFileSync2 } from "fs";
+import { appendFileSync, writeFileSync, statSync, readFileSync as readFileSync3 } from "fs";
 import { join } from "path";
 var ROTATE_BYTES = 5 * 1024 * 1024;
 var WIPE_BYTES = 20 * 1024 * 1024;
@@ -1490,7 +1610,7 @@ var DebugLogger = class _DebugLogger {
         writeFileSync(this.logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] [GENERAL] === LOG WIPED (exceeded ${Math.round(WIPE_BYTES / 1024 / 1024)}MB) ===
 `);
       } else if (size > ROTATE_BYTES) {
-        const content = readFileSync2(this.logPath, "utf-8");
+        const content = readFileSync3(this.logPath, "utf-8");
         const half = content.slice(Math.floor(content.length / 2));
         const firstNewline = half.indexOf("\n");
         const trimmed = firstNewline >= 0 ? half.slice(firstNewline + 1) : half;
@@ -2526,7 +2646,7 @@ Suggestion: ${torLeak.suggestion}`
 }
 
 // src/engine/tools-base/file-operations.ts
-import { readFileSync as readFileSync3, existsSync as existsSync3, writeFileSync as writeFileSync2 } from "fs";
+import { readFileSync as readFileSync4, existsSync as existsSync4, writeFileSync as writeFileSync2 } from "fs";
 import { dirname } from "path";
 import { join as join2 } from "path";
 import { tmpdir } from "os";
@@ -2546,14 +2666,14 @@ function getErrorMessage(error) {
 // src/engine/tools-base/file-operations.ts
 async function readFileContent(filePath) {
   try {
-    if (!existsSync3(filePath)) {
+    if (!existsSync4(filePath)) {
       return {
         success: false,
         output: "",
         error: `File not found: ${filePath}`
       };
     }
-    const content = readFileSync3(filePath, "utf-8");
+    const content = readFileSync4(filePath, "utf-8");
     return {
       success: true,
       output: content
@@ -2664,7 +2784,7 @@ function startBackgroundProcess(command, options = {}) {
 }
 
 // src/engine/process/process-interaction.ts
-import { existsSync as existsSync4, readFileSync as readFileSync4, appendFileSync as appendFileSync2 } from "fs";
+import { existsSync as existsSync5, readFileSync as readFileSync5, appendFileSync as appendFileSync2 } from "fs";
 async function sendToProcess(processId, input, waitMs = SYSTEM_LIMITS.DEFAULT_WAIT_MS_INTERACT) {
   const proc = getProcess(processId);
   if (!proc) return { success: false, output: `Process ${processId} not found`, newOutput: "" };
@@ -2672,8 +2792,8 @@ async function sendToProcess(processId, input, waitMs = SYSTEM_LIMITS.DEFAULT_WA
   if (proc.hasExited) return { success: false, output: `Process ${processId} has exited`, newOutput: "" };
   let currentLen = 0;
   try {
-    if (existsSync4(proc.stdoutFile)) {
-      currentLen = readFileSync4(proc.stdoutFile, "utf-8").length;
+    if (existsSync5(proc.stdoutFile)) {
+      currentLen = readFileSync5(proc.stdoutFile, "utf-8").length;
     }
   } catch {
   }
@@ -2686,8 +2806,8 @@ async function sendToProcess(processId, input, waitMs = SYSTEM_LIMITS.DEFAULT_WA
   await new Promise((r) => setTimeout(r, waitMs));
   let fullStdout = "";
   try {
-    if (existsSync4(proc.stdoutFile)) {
-      fullStdout = readFileSync4(proc.stdoutFile, "utf-8");
+    if (existsSync5(proc.stdoutFile)) {
+      fullStdout = readFileSync5(proc.stdoutFile, "utf-8");
     }
   } catch {
   }
@@ -2709,7 +2829,7 @@ function promoteToShell(processId, description) {
 }
 
 // src/engine/process/process-monitor.ts
-import { existsSync as existsSync5, readFileSync as readFileSync5 } from "fs";
+import { existsSync as existsSync6, readFileSync as readFileSync6 } from "fs";
 function isProcessRunning(processId) {
   const proc = getProcess(processId);
   if (!proc) return false;
@@ -2722,8 +2842,8 @@ function isProcessRunning(processId) {
   proc.childPids = discoverAllDescendants(proc.pid);
   if (proc.role === PROCESS_ROLES.LISTENER) {
     try {
-      if (existsSync5(proc.stdoutFile)) {
-        const stdout = readFileSync5(proc.stdoutFile, "utf-8");
+      if (existsSync6(proc.stdoutFile)) {
+        const stdout = readFileSync6(proc.stdoutFile, "utf-8");
         if (detectConnection(stdout)) {
           promoteToShell(processId, "Reverse shell connected (auto-detected)");
           logEvent(processId, PROCESS_EVENTS.CONNECTION_DETECTED, `Connection detected on port ${proc.listeningPort}`);
@@ -2741,16 +2861,16 @@ function getProcessOutput(processId) {
   let stdout = "";
   let stderr = "";
   try {
-    if (existsSync5(proc.stdoutFile)) {
-      const content = readFileSync5(proc.stdoutFile, "utf-8");
+    if (existsSync6(proc.stdoutFile)) {
+      const content = readFileSync6(proc.stdoutFile, "utf-8");
       stdout = content.length > SYSTEM_LIMITS.MAX_STDOUT_SLICE ? `... [truncated ${content.length - SYSTEM_LIMITS.MAX_STDOUT_SLICE} chars] ...
 ` + content.slice(-SYSTEM_LIMITS.MAX_STDOUT_SLICE) : content;
     }
   } catch {
   }
   try {
-    if (existsSync5(proc.stderrFile)) {
-      const content = readFileSync5(proc.stderrFile, "utf-8");
+    if (existsSync6(proc.stderrFile)) {
+      const content = readFileSync6(proc.stderrFile, "utf-8");
       stderr = content.length > SYSTEM_LIMITS.MAX_STDERR_SLICE ? `... [truncated ${content.length - SYSTEM_LIMITS.MAX_STDERR_SLICE} chars] ...
 ` + content.slice(-SYSTEM_LIMITS.MAX_STDERR_SLICE) : content;
     }
@@ -2856,7 +2976,7 @@ async function cleanupAllProcesses() {
     cleanupDone = false;
     return;
   }
-  const { getBackgroundProcessesMap: getBackgroundProcessesMap2 } = await import("./process-registry-4Y3HB4YQ.js");
+  const { getBackgroundProcessesMap: getBackgroundProcessesMap2 } = await import("./process-registry-DNEZX4S5.js");
   const backgroundProcesses = getBackgroundProcessesMap2();
   terminateAllNatively(backgroundProcesses, "SIGTERM");
   await new Promise((r) => setTimeout(r, SYSTEM_LIMITS.CLEANUP_BATCH_WAIT_MS));
@@ -2923,7 +3043,7 @@ function cleanupOrphanProcesses() {
 }
 
 // src/engine/process/resource-summary.ts
-import { existsSync as existsSync6, readFileSync as readFileSync6 } from "fs";
+import { existsSync as existsSync7, readFileSync as readFileSync7 } from "fs";
 function formatActiveProcesses(running, lines) {
   if (running.length === 0) return;
   lines.push(`Active Assets (${running.length}):`);
@@ -2935,8 +3055,8 @@ function formatActiveProcesses(running, lines) {
     const roleIcon = PROCESS_ICONS[p.role] || PROCESS_ICONS[PROCESS_ROLES.BACKGROUND];
     let lastOutput = "";
     try {
-      if (p.stdoutFile && existsSync6(p.stdoutFile)) {
-        const content = readFileSync6(p.stdoutFile, "utf-8");
+      if (p.stdoutFile && existsSync7(p.stdoutFile)) {
+        const content = readFileSync7(p.stdoutFile, "utf-8");
         const outputLines = content.trim().split("\n");
         lastOutput = outputLines.slice(-SYSTEM_LIMITS.RECENT_OUTPUT_LINES).join(" | ").replace(/\n/g, " ");
       }
@@ -3410,7 +3530,7 @@ var EpisodicMemory = class {
 };
 
 // src/shared/utils/agent-memory/persistent-memory.ts
-import { existsSync as existsSync8, readFileSync as readFileSync8, writeFileSync as writeFileSync5 } from "fs";
+import { existsSync as existsSync9, readFileSync as readFileSync9, writeFileSync as writeFileSync5 } from "fs";
 import { join as join4 } from "path";
 
 // src/shared/utils/agent-memory/similarity.ts
@@ -3439,7 +3559,7 @@ function matchesServiceProfile(serviceProfile, services) {
 }
 
 // src/shared/utils/agent-memory/session-snapshot.ts
-import { existsSync as existsSync7, readFileSync as readFileSync7, writeFileSync as writeFileSync4, unlinkSync as unlinkSync4 } from "fs";
+import { existsSync as existsSync8, readFileSync as readFileSync8, writeFileSync as writeFileSync4, unlinkSync as unlinkSync4 } from "fs";
 import { join as join3 } from "path";
 
 // src/agents/memory-rollout-config.ts
@@ -3473,8 +3593,8 @@ function saveSessionSnapshot(snapshot) {
 }
 function loadSessionSnapshot() {
   try {
-    if (existsSync7(SNAPSHOT_FILE)) {
-      return JSON.parse(readFileSync7(SNAPSHOT_FILE, "utf-8"));
+    if (existsSync8(SNAPSHOT_FILE)) {
+      return JSON.parse(readFileSync8(SNAPSHOT_FILE, "utf-8"));
     }
   } catch {
   }
@@ -3509,7 +3629,7 @@ function snapshotToPrompt() {
 }
 function clearSessionSnapshot() {
   try {
-    if (existsSync7(SNAPSHOT_FILE)) {
+    if (existsSync8(SNAPSHOT_FILE)) {
       unlinkSync4(SNAPSHOT_FILE);
     }
   } catch {
@@ -3659,8 +3779,8 @@ var PersistentMemory = class {
   }
   load() {
     try {
-      if (existsSync8(MEMORY_FILE)) {
-        const data = JSON.parse(readFileSync8(MEMORY_FILE, "utf-8"));
+      if (existsSync9(MEMORY_FILE)) {
+        const data = JSON.parse(readFileSync9(MEMORY_FILE, "utf-8"));
         return {
           ...data,
           exploitChains: data.exploitChains ?? []
@@ -5611,15 +5731,15 @@ function pruneOldSessions(sessionsDir) {
 }
 
 // src/engine/state/persistence/loader.ts
-import { readFileSync as readFileSync9, existsSync as existsSync9 } from "fs";
+import { readFileSync as readFileSync10, existsSync as existsSync10 } from "fs";
 import { join as join6 } from "path";
 function loadState(state3) {
   const latestFile = join6(WORKSPACE.SESSIONS, "latest.json");
-  if (!existsSync9(latestFile)) {
+  if (!existsSync10(latestFile)) {
     return false;
   }
   try {
-    const raw = readFileSync9(latestFile, "utf-8");
+    const raw = readFileSync10(latestFile, "utf-8");
     const snapshot = JSON.parse(raw);
     if (snapshot.version !== 1) {
       debugLog("general", `Unknown snapshot version: ${snapshot.version}`);
@@ -5669,7 +5789,7 @@ function loadState(state3) {
 }
 
 // src/engine/state/persistence/janitor.ts
-import { existsSync as existsSync10, rmSync } from "fs";
+import { existsSync as existsSync11, rmSync } from "fs";
 import path3 from "path";
 function clearWorkspace() {
   const cleared = [];
@@ -5687,7 +5807,7 @@ function clearWorkspace() {
   ];
   for (const dir2 of dirsToClean) {
     try {
-      if (existsSync10(dir2.path)) {
+      if (existsSync11(dir2.path)) {
         rmSync(dir2.path, { recursive: true, force: true });
         ensureDirExists(dir2.path);
         cleared.push(dir2.label);
@@ -5700,6 +5820,19 @@ function clearWorkspace() {
 }
 
 export {
+  ENV_KEYS,
+  DEFAULT_MODEL,
+  getApiKey,
+  getBaseUrl,
+  getModel,
+  getSearchApiKey,
+  getSearchApiUrl,
+  isZaiProvider,
+  isThinkingEnabled,
+  getThinkingBudget,
+  isContainerizedRuntime,
+  getScopeMode,
+  getApprovalMode,
   ensureDirExists,
   getWorkspaceConfig,
   FILE_EXTENSIONS,

package/dist/{chunk-S5ZMXFHR.js → chunk-YZNPWDNS.js}

@@ -136,8 +136,8 @@ var RUNTIME_CONFIG_LLM_NODES = {
       ".pentesting/workspace/tools/"
     ],
     limits: {
-      max_tokens: 128e3,
-      max_prompt_chars: 4e5
+      max_tokens: 49152,
+      max_prompt_chars: 18e4
     }
   },
   analyst: {
@@ -480,7 +480,7 @@ function definePromptLayer(layer) {
   return layer;
 }
 var RUNTIME_CONFIG_PROMPT_BUILDER = {
-  max_chars: 4e5,
+  max_chars: 18e4,
   truncation: "back",
   preserved_last: "user_context",
   layers: [
@@ -790,16 +790,16 @@ var RUNTIME_CONFIG_LIMITS = {
     eviction: "delete_oldest_first"
   },
   messages: {
-    context_extractor_per_msg_limit: 3e4,
+    context_extractor_per_msg_limit: 12e3,
     truncation_direction: "back"
   },
   prompt: {
-    max_chars: 4e5,
+    max_chars: 18e4,
     truncation_direction: "back",
     preserved_last: "user_context"
   },
   tool_output: {
-    max_chars: 2e5
+    max_chars: 6e4
   },
   agent_loop: {
     max_iterations: 500,
@@ -829,7 +829,7 @@ var RUNTIME_CONFIG_COMPRESSION = {
     strategy: "llm_compress",
     trigger: "every_turn",
     agent: "context_extractor",
-    per_msg_max_chars: 3e4,
+    per_msg_max_chars: 12e3,
     output_format: "<session-context>\n{value}\n</session-context>",
     write_mode: "replace_all",
     on_failure: "keep_existing"
@@ -1074,7 +1074,11 @@ var HEALTH_CONFIG = {
   // 5 minutes
   VERY_LONG_RUNNING_THRESHOLD_MS: 9e5,
   // 15 minutes
-  MAX_RECOMMENDATIONS_FOR_HEALTHY: 2
+  MAX_RECOMMENDATIONS_FOR_HEALTHY: 2,
+  MEMORY_WARNING_HEAP_RATIO: 0.7,
+  MEMORY_CRITICAL_HEAP_RATIO: 0.85,
+  MEMORY_WARNING_RSS_BYTES: 12e8,
+  MEMORY_CRITICAL_RSS_BYTES: 18e8
 };
 
 // src/engine/process/process-registry.ts

package/dist/main.js

@@ -2,8 +2,6 @@
 import {
   CategorizedToolRegistry,
   CoreAgent,
-  DEFAULT_MODEL,
-  ENV_KEYS,
   HealthMonitor,
   INITIAL_TASKS,
   PROMPT_CONFIG,
@@ -23,11 +21,9 @@ import {
   ensurePolicyDocument,
   formatChallengeAnalysis,
   formatTurnRecord,
-  getApiKey,
   getDefaultPolicyDocument,
   getGlobalRequestCount,
   getGlobalTokenUsage,
-  getModel,
   getNextTurnNumber,
   getServiceContext,
   getShellSupervisorLifecycleSnapshot,
@@ -39,7 +35,7 @@ import {
   rotateTurnRecords,
   setCurrentTurn,
   writePolicyDocument
-} from "./chunk-GILD75OT.js";
+} from "./chunk-4KLVUP3C.js";
 import {
   AGENT_ROLES,
   APP_DESCRIPTION,
@@ -48,8 +44,10 @@ import {
   COMMAND_EVENT_TYPES,
   CONFIDENCE_THRESHOLDS,
   DEFAULTS,
+  DEFAULT_MODEL,
   DISPLAY_LIMITS,
   EDGE_STATUS,
+  ENV_KEYS,
   EVENT_TYPES,
   INPUT_TYPES,
   LLM_LIMITS,
@@ -75,11 +73,16 @@ import {
   extractSuccessfulChain,
   flowLog,
   generateId,
+  getApiKey,
+  getApprovalMode,
   getErrorMessage,
+  getModel,
   getProcessOutput,
+  getScopeMode,
   getWorkspaceConfig,
   initDebugLogger,
   isBranchMemoryEnabled,
+  isContainerizedRuntime,
   listBackgroundProcesses,
   loadState,
   readRuntimeAssetFile,
@@ -88,12 +91,12 @@ import {
   setActiveSessionRuntime,
   setTorEnabled,
   snapshotToPrompt
-} from "./chunk-4UNNRHYY.js";
+} from "./chunk-AEQNELCQ.js";
 import {
   EXIT_CODES,
   getOptionalRuntimeSection,
   getRequiredRuntimeSection
-} from "./chunk-S5ZMXFHR.js";
+} from "./chunk-YZNPWDNS.js";
 
 // src/platform/tui/main.tsx
 import chalk4 from "chalk";
@@ -211,49 +214,6 @@ var ICONS = {
   pwned: "\u25C8"
 };
 
-// src/shared/utils/config/runtime-safety.ts
-import { existsSync, readFileSync } from "fs";
-var CONTAINER_MARKER_PATH = "/.dockerenv";
-var CGROUP_PATH = "/proc/1/cgroup";
-var CONTAINER_RUNTIME_PATTERN = /(docker|containerd|kubepods|podman)/i;
-var SCOPE_MODES = ["advisory", "enforce"];
-var APPROVAL_MODES = ["advisory", "require_auto_approve"];
-function getOptionalEnv(key) {
-  const value = process.env[key];
-  return value && value !== "" ? value : void 0;
-}
-function getBooleanOverride(key) {
-  const value = getOptionalEnv(key);
-  if (value === "true") return true;
-  if (value === "false") return false;
-  return void 0;
-}
-function getEnumEnv(key, allowed) {
-  const value = getOptionalEnv(key);
-  return value && allowed.includes(value) ? value : void 0;
-}
-function isContainerizedRuntime() {
-  const override = getBooleanOverride(ENV_KEYS.CONTAINERIZED);
-  if (override !== void 0) return override;
-  if (existsSync(CONTAINER_MARKER_PATH)) return true;
-  try {
-    const cgroup = readFileSync(CGROUP_PATH, "utf-8");
-    return CONTAINER_RUNTIME_PATTERN.test(cgroup);
-  } catch {
-    return false;
-  }
-}
-function getScopeMode() {
-  const configured = getEnumEnv(ENV_KEYS.SCOPE_MODE, SCOPE_MODES);
-  if (configured) return configured;
-  return isContainerizedRuntime() ? "advisory" : "enforce";
-}
-function getApprovalMode() {
-  const configured = getEnumEnv(ENV_KEYS.APPROVAL_MODE, APPROVAL_MODES);
-  if (configured) return configured;
-  return isContainerizedRuntime() ? "advisory" : "require_auto_approve";
-}
-
 // src/shared/utils/config/validation.ts
 function validateRequiredConfig() {
   const errors = [];
@@ -3285,7 +3245,7 @@ var makeRotateTurns = (_llm, _opts) => async (_ctx) => {
 };
 var makeSaveSession = (_llm, _opts) => async (ctx) => {
   try {
-    const { saveState: saveState2 } = await import("./persistence-U2N3KWFH.js");
+    const { saveState: saveState2 } = await import("./persistence-IGAKJZJ3.js");
     saveState2(ctx.state);
   } catch {
   }
@@ -3492,7 +3452,7 @@ function getRuntimePipelineConfig() {
 }
 
 // src/agents/prompt-builder/prompt-loader.ts
-import { readFileSync as readFileSync2 } from "fs";
+import { readFileSync } from "fs";
 import { join } from "path";
 
 // src/agents/prompt-sources.ts
@@ -3542,7 +3502,7 @@ function loadPromptFile(filename) {
   const path2 = join(getPromptsDir(), filename);
   try {
     const resolved = resolveRuntimeAssetPath(path2) ?? path2;
-    return readFileSync2(resolved, PROMPT_CONFIG.ENCODING);
+    return readFileSync(resolved, PROMPT_CONFIG.ENCODING);
   } catch {
     return "";
   }
@@ -3552,7 +3512,7 @@ function loadTechniqueFile(techniqueName) {
   const filePath = join(getTechniquesDir(), filename);
   try {
     const resolved = resolveRuntimeAssetPath(filePath) ?? filePath;
-    return readFileSync2(resolved, PROMPT_CONFIG.ENCODING);
+    return readFileSync(resolved, PROMPT_CONFIG.ENCODING);
   } catch {
     return "";
   }

package/dist/{persistence-U2N3KWFH.js → persistence-IGAKJZJ3.js}

@@ -3,8 +3,8 @@ import {
   clearWorkspace,
   loadState,
   saveState
-} from "./chunk-4UNNRHYY.js";
-import "./chunk-S5ZMXFHR.js";
+} from "./chunk-AEQNELCQ.js";
+import "./chunk-YZNPWDNS.js";
 export {
   StateSerializer,
   clearWorkspace,

package/dist/{process-registry-4Y3HB4YQ.js → process-registry-DNEZX4S5.js}

@@ -12,7 +12,7 @@ import {
   hasProcess,
   logEvent,
   setProcess
-} from "./chunk-S5ZMXFHR.js";
+} from "./chunk-YZNPWDNS.js";
 export {
   clearAllProcesses,
   deleteProcess,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pentesting",
-  "version": "0.73.13",
+  "version": "0.73.14",
   "description": "Autonomous Penetration Testing AI Agent",
   "type": "module",
   "main": "dist/main.js",