pentesting 0.73.2 → 0.73.3

package/dist/{chunk-BGEXGHPB.js → chunk-BKWCGMSV.js}

@@ -46,6 +46,7 @@ import {
   debugLog,
   ensureDirExists,
   generateId,
+  generatePrefixedId,
   getActiveSessionRuntime,
   getErrorMessage,
   getProcessOutput,
@@ -60,11 +61,12 @@ import {
   startBackgroundProcess,
   stopBackgroundProcess,
   writeFileContent
-} from "./chunk-KBJPZDIL.js";
+} from "./chunk-UB7RW6LM.js";
 import {
   DETECTION_PATTERNS,
   HEALTH_CONFIG,
   PROCESS_ACTIONS,
+  PROCESS_EVENTS,
   PROCESS_ICONS,
   PROCESS_LIMITS,
   PROCESS_ROLES,
@@ -74,8 +76,9 @@ import {
   getProcessEventLog,
   llmNodeCooldownPolicy,
   llmNodeOutputParsing,
-  llmNodeSystemPrompt
-} from "./chunk-YFDJI3GO.js";
+  llmNodeSystemPrompt,
+  logEvent
+} from "./chunk-GLO6TOJN.js";
 
 // src/shared/utils/config/env.ts
 var ENV_KEYS = {
@@ -363,88 +366,99 @@ async function makeRequest(baseUrl, apiKey, body, signal) {
 
 // src/engine/llm-client/stream-processor.ts
 function processStreamEvent(event, requestId, context) {
-  const { toolCallsMap, callbacks, onContent, onReasoning, onUsage, getTotalChars, currentBlockRef } = context;
   switch (event.type) {
     case LLM_SSE_EVENT.CONTENT_BLOCK_START:
-      if (event.content_block) {
-        const blockType = event.content_block.type;
-        if (blockType === LLM_BLOCK_TYPE.TEXT) {
-          currentBlockRef.value = LLM_BLOCK_TYPE.TEXT;
-          context.onTextStart?.();
-          callbacks?.onOutputStart?.();
-        } else if (blockType === LLM_BLOCK_TYPE.THINKING || blockType === LLM_BLOCK_TYPE.REASONING) {
-          currentBlockRef.value = LLM_BLOCK_TYPE.REASONING;
-          context.onReasoningStart?.();
-          callbacks?.onReasoningStart?.();
-        } else if (blockType === LLM_BLOCK_TYPE.TOOL_USE) {
-          currentBlockRef.value = LLM_BLOCK_TYPE.TOOL_USE;
-          toolCallsMap.set(event.content_block.id || "", {
-            id: event.content_block.id || "",
-            name: event.content_block.name || "",
-            input: {},
-            _pendingJson: "",
-            _index: event.index
-          });
-        }
-      }
+      handleContentBlockStart(event, context);
       break;
     case LLM_SSE_EVENT.CONTENT_BLOCK_DELTA:
-      if (event.delta) {
-        if (event.delta.type === LLM_DELTA_TYPE.TEXT_DELTA && event.delta.text) {
-          onContent(event.delta.text);
-          callbacks?.onOutputDelta?.(event.delta.text);
-        } else if (
-          // Anthropic: thinking_delta / GLM-DeepSeek: reasoning_delta
-          event.delta.type === LLM_DELTA_TYPE.THINKING_DELTA && event.delta.thinking || event.delta.type === LLM_DELTA_TYPE.REASONING_DELTA && event.delta.reasoning
-        ) {
-          const chunk = event.delta.thinking || event.delta.reasoning || "";
-          onReasoning(chunk);
-          callbacks?.onReasoningDelta?.(chunk);
-        } else if (event.delta.type === LLM_DELTA_TYPE.INPUT_JSON_DELTA && event.delta.partial_json) {
-          const index = event.index;
-          if (index !== void 0) {
-            const toolCall = Array.from(toolCallsMap.values()).find((t) => t._index === index);
-            if (toolCall) {
-              toolCall._pendingJson = (toolCall._pendingJson || "") + event.delta.partial_json;
-              debugLog("llm", `[${requestId}] JSON DELTA applied`, { index, toolId: toolCall.id, json: event.delta.partial_json });
-            } else {
-              debugLog("llm", `[${requestId}] JSON DELTA no tool found for index`, { index });
-            }
-          }
-        }
-        const estimatedOutput = Math.ceil(getTotalChars() / LLM_LIMITS.charsPerTokenEstimate);
-        callbacks?.onUsageUpdate?.({ input_tokens: 0, output_tokens: estimatedOutput });
-      }
+      handleContentBlockDelta(event, requestId, context);
       break;
-    case LLM_SSE_EVENT.CONTENT_BLOCK_STOP: {
-      const stoppedType = currentBlockRef.value;
-      currentBlockRef.value = null;
-      if (stoppedType === LLM_BLOCK_TYPE.TEXT) {
-        context.onTextEnd?.();
-        callbacks?.onOutputEnd?.();
-      } else if (stoppedType === LLM_BLOCK_TYPE.REASONING) {
-        context.onReasoningEnd?.();
-        callbacks?.onReasoningEnd?.();
-      }
+    case LLM_SSE_EVENT.CONTENT_BLOCK_STOP:
+      handleContentBlockStop(context);
       break;
-    }
     case LLM_SSE_EVENT.MESSAGE_START:
-      if (event.message?.usage) {
-        onUsage({ input_tokens: event.message.usage.input_tokens || 0, output_tokens: event.message.usage.output_tokens || 0 });
-        callbacks?.onUsageUpdate?.({ input_tokens: event.message.usage.input_tokens || 0, output_tokens: event.message.usage.output_tokens || 0 });
-      }
+      handleMessageStart(event, context);
       break;
     case LLM_SSE_EVENT.MESSAGE_DELTA:
-      if (event.usage) {
-        onUsage({ input_tokens: 0, output_tokens: event.usage.output_tokens || 0 });
-        callbacks?.onUsageUpdate?.({ input_tokens: 0, output_tokens: event.usage.output_tokens || 0 });
-      }
+      handleMessageDelta(event, context);
       break;
     case LLM_SSE_EVENT.ERROR:
       if (event.error) throw new Error(`${event.error.type}: ${event.error.message}`);
       break;
   }
 }
+function handleContentBlockStart(event, context) {
+  if (!event.content_block) return;
+  const { toolCallsMap, callbacks, currentBlockRef } = context;
+  const blockType = event.content_block.type;
+  if (blockType === LLM_BLOCK_TYPE.TEXT) {
+    currentBlockRef.value = LLM_BLOCK_TYPE.TEXT;
+    context.onTextStart?.();
+    callbacks?.onOutputStart?.();
+  } else if (blockType === LLM_BLOCK_TYPE.THINKING || blockType === LLM_BLOCK_TYPE.REASONING) {
+    currentBlockRef.value = LLM_BLOCK_TYPE.REASONING;
+    context.onReasoningStart?.();
+    callbacks?.onReasoningStart?.();
+  } else if (blockType === LLM_BLOCK_TYPE.TOOL_USE) {
+    currentBlockRef.value = LLM_BLOCK_TYPE.TOOL_USE;
+    toolCallsMap.set(event.content_block.id || "", {
+      id: event.content_block.id || "",
+      name: event.content_block.name || "",
+      input: {},
+      _pendingJson: "",
+      _index: event.index
+    });
+  }
+}
+function handleContentBlockDelta(event, requestId, context) {
+  if (!event.delta) return;
+  const { toolCallsMap, callbacks, onContent, onReasoning, getTotalChars } = context;
+  if (event.delta.type === LLM_DELTA_TYPE.TEXT_DELTA && event.delta.text) {
+    onContent(event.delta.text);
+    callbacks?.onOutputDelta?.(event.delta.text);
+  } else if (event.delta.type === LLM_DELTA_TYPE.THINKING_DELTA && event.delta.thinking || event.delta.type === LLM_DELTA_TYPE.REASONING_DELTA && event.delta.reasoning) {
+    const chunk = event.delta.thinking || event.delta.reasoning || "";
+    onReasoning(chunk);
+    callbacks?.onReasoningDelta?.(chunk);
+  } else if (event.delta.type === LLM_DELTA_TYPE.INPUT_JSON_DELTA && event.delta.partial_json) {
+    const index = event.index;
+    if (index !== void 0) {
+      const toolCall = Array.from(toolCallsMap.values()).find((t) => t._index === index);
+      if (toolCall) {
+        toolCall._pendingJson = (toolCall._pendingJson || "") + event.delta.partial_json;
+        debugLog("llm", `[${requestId}] JSON DELTA applied`, { index, toolId: toolCall.id, json: event.delta.partial_json });
+      } else {
+        debugLog("llm", `[${requestId}] JSON DELTA no tool found for index`, { index });
+      }
+    }
+  }
+  const estimatedOutput = Math.ceil(getTotalChars() / LLM_LIMITS.charsPerTokenEstimate);
+  callbacks?.onUsageUpdate?.({ input_tokens: 0, output_tokens: estimatedOutput });
+}
+function handleContentBlockStop(context) {
+  const { callbacks, currentBlockRef } = context;
+  const stoppedType = currentBlockRef.value;
+  currentBlockRef.value = null;
+  if (stoppedType === LLM_BLOCK_TYPE.TEXT) {
+    context.onTextEnd?.();
+    callbacks?.onOutputEnd?.();
+  } else if (stoppedType === LLM_BLOCK_TYPE.REASONING) {
+    context.onReasoningEnd?.();
+    callbacks?.onReasoningEnd?.();
+  }
+}
+function handleMessageStart(event, context) {
+  if (!event.message?.usage) return;
+  const { onUsage, callbacks } = context;
+  onUsage({ input_tokens: event.message.usage.input_tokens || 0, output_tokens: event.message.usage.output_tokens || 0 });
+  callbacks?.onUsageUpdate?.({ input_tokens: event.message.usage.input_tokens || 0, output_tokens: event.message.usage.output_tokens || 0 });
+}
+function handleMessageDelta(event, context) {
+  if (!event.usage) return;
+  const { onUsage, callbacks } = context;
+  onUsage({ input_tokens: 0, output_tokens: event.usage.output_tokens || 0 });
+  callbacks?.onUsageUpdate?.({ input_tokens: 0, output_tokens: event.usage.output_tokens || 0 });
+}
 function createStreamContext(callbacks) {
   let fullContent = "";
   let fullReasoning = "";
@@ -476,7 +490,6 @@ var LLMClient = class {
   apiKey;
   baseUrl;
   model;
-  requestCount = 0;
   constructor() {
     this.apiKey = getApiKey();
     this.baseUrl = getBaseUrl() || LLM_API.DEFAULT_BASE_URL;
@@ -493,6 +506,7 @@ var LLMClient = class {
     return this.model;
   }
   async executeNonStream(messages, tools, systemPrompt, callbacks) {
+    const requestId = incrementGlobalRequestCount();
     const thinking = isThinkingEnabled() ? { type: "enabled", budget_tokens: getThinkingBudget() } : void 0;
     const requestBody = {
       model: this.model,
@@ -502,13 +516,14 @@ var LLMClient = class {
       tools,
       ...thinking && { thinking }
     };
-    debugLog("llm", "Non-stream request", { model: this.model, toolCount: tools?.length, thinking: !!thinking });
+    debugLog("llm", `[${requestId}] Non-stream request START`, { model: this.model, toolCount: tools?.length, thinking: !!thinking });
     const response = await makeRequest(this.baseUrl, this.apiKey, requestBody, callbacks?.abortSignal);
     const data = await response.json();
     const textBlock = data.content.find((b) => b.type === LLM_BLOCK_TYPE.TEXT);
     const toolBlocks = data.content.filter((b) => b.type === LLM_BLOCK_TYPE.TOOL_USE);
-    debugLog("llm", "Non-stream response", { toolCount: toolBlocks.length, tools: toolBlocks.map((t) => ({ id: t.id, name: t.name, input: t.input })) });
+    debugLog("llm", `[${requestId}] Non-stream response`, { toolCount: toolBlocks.length, tools: toolBlocks.map((t) => ({ id: t.id, name: t.name, input: t.input })) });
     const usage = { input_tokens: data.usage?.input_tokens || 0, output_tokens: data.usage?.output_tokens || 0 };
+    addGlobalTokenUsage(usage);
     callbacks?.onUsageUpdate?.(usage);
     return {
       content: textBlock?.text || "",
@@ -518,8 +533,7 @@ var LLMClient = class {
     };
   }
   async executeStream(messages, tools, systemPrompt, callbacks) {
-    this.requestCount++;
-    const requestId = this.requestCount;
+    const requestId = incrementGlobalRequestCount();
     const thinking = isThinkingEnabled() ? { type: LLM_THINKING_MODE.ENABLED, budget_tokens: getThinkingBudget() } : void 0;
     const requestBody = {
       model: this.model,
@@ -560,6 +574,9 @@ var LLMClient = class {
     }
     const toolCalls = resolveToolCalls(toolCallsMap);
     const stripped = stripThinkTags(contentChunks.join(""), reasoningChunks.join(""));
+    if (usage.input_tokens > 0 || usage.output_tokens > 0) {
+      addGlobalTokenUsage(usage);
+    }
     return {
       content: stripped.cleanText,
       toolCalls: toolCalls.length > 0 ? toolCalls : void 0,
@@ -621,12 +638,27 @@ function resolveToolCalls(toolCallsMap) {
 
 // src/engine/llm-client/factory.ts
 var llmInstance = null;
+var globalRequestCount = 0;
+var globalTokenUsage = { input_tokens: 0, output_tokens: 0 };
 function getLLMClient() {
   if (!llmInstance) {
     llmInstance = new LLMClient();
   }
   return llmInstance;
 }
+function incrementGlobalRequestCount() {
+  return ++globalRequestCount;
+}
+function getGlobalRequestCount() {
+  return globalRequestCount;
+}
+function addGlobalTokenUsage(usage) {
+  globalTokenUsage.input_tokens += usage.input_tokens || 0;
+  globalTokenUsage.output_tokens += usage.output_tokens || 0;
+}
+function getGlobalTokenUsage() {
+  return globalTokenUsage;
+}
 
 // src/engine/auxiliary-llm/auxiliary-llm-base.ts
 var AuxiliaryLLMBase = class {
@@ -1706,19 +1738,8 @@ var CHALLENGE_TYPE_SIGNALS = {
     "escape"
   ]
 };
-function analyzeChallenge(reconData) {
-  if (!reconData || reconData.trim().length === 0) {
-    return {
-      primaryType: "unknown",
-      secondaryTypes: [],
-      confidence: 0,
-      matchedSignals: [],
-      recommendedTechniques: TYPE_TECHNIQUE_MAP.unknown,
-      recommendedPhasePrompt: TYPE_PHASE_PROMPT_MAP.unknown
-    };
-  }
-  const lowerData = reconData.toLowerCase();
-  const scores = {
+function initializeScores() {
+  return {
     web: { score: 0, signals: [] },
     pwn: { score: 0, signals: [] },
     crypto: { score: 0, signals: [] },
@@ -1728,6 +1749,8 @@ function analyzeChallenge(reconData) {
     network: { score: 0, signals: [] },
     unknown: { score: 0, signals: [] }
   };
+}
+function matchKeywordSignals(lowerData, scores) {
   for (const [type, signals] of Object.entries(CHALLENGE_TYPE_SIGNALS)) {
     const challengeType = type;
     if (!(challengeType in scores)) continue;
@@ -1738,6 +1761,8 @@ function analyzeChallenge(reconData) {
       }
     }
   }
+}
+function applyRegexBoosts(reconData, lowerData, scores) {
   if (WEB_PORT_PATTERN.test(reconData)) {
     scores.web.score += 2;
     scores.web.signals.push("web-port");
@@ -1758,6 +1783,8 @@ function analyzeChallenge(reconData) {
     scores.crypto.score += 3;
     scores.crypto.signals.push("crypto-file");
   }
+}
+function calculateAnalysisResult(scores) {
   const sorted = Object.entries(scores).filter(([type]) => type !== "unknown").sort(([, a], [, b]) => b.score - a.score);
   const [primaryType, primaryData] = sorted[0];
   const totalSignals = sorted.reduce((sum, [, data]) => sum + data.score, 0);
@@ -1773,6 +1800,16 @@ function analyzeChallenge(reconData) {
     recommendedPhasePrompt: TYPE_PHASE_PROMPT_MAP[primaryType] || TYPE_PHASE_PROMPT_MAP.unknown
   };
 }
+function analyzeChallenge(reconData) {
+  if (!reconData || reconData.trim().length === 0) {
+    return calculateAnalysisResult(initializeScores());
+  }
+  const lowerData = reconData.toLowerCase();
+  const scores = initializeScores();
+  matchKeywordSignals(lowerData, scores);
+  applyRegexBoosts(reconData, lowerData, scores);
+  return calculateAnalysisResult(scores);
+}
 
 // src/shared/utils/knowledge/challenge/formatter.ts
 function formatChallengeAnalysis(analysis) {
@@ -2746,13 +2783,13 @@ var CoreAgent = class _CoreAgent {
   maxIterations;
   abortController = null;
   toolExecutor = null;
-  constructor(agentType, state, events, toolRegistry, maxIterations) {
-    this.agentType = agentType;
-    this.state = state;
-    this.events = events;
-    this.toolRegistry = toolRegistry;
+  constructor(options) {
+    this.agentType = options.agentType;
+    this.state = options.state;
+    this.events = options.events;
+    this.toolRegistry = options.toolRegistry;
     this.llm = getLLMClient();
-    this.maxIterations = maxIterations || AGENT_LIMITS.MAX_ITERATIONS;
+    this.maxIterations = options.maxIterations || AGENT_LIMITS.MAX_ITERATIONS;
   }
   setToolRegistry(registry) {
     this.toolRegistry = registry;
@@ -2772,14 +2809,19 @@ var CoreAgent = class _CoreAgent {
   // Over 4+ hour sessions this can accumulate GB of tool results in memory.
   // This cap ensures messages never exceed a safe size regardless of extractor health.
   static MAX_MESSAGES_HARD_CAP = 50;
+  static MAX_MESSAGES_CHAR_CAP = 1e6;
   trimMessagesIfNeeded(messages) {
-    if (messages.length <= _CoreAgent.MAX_MESSAGES_HARD_CAP) return;
-    const firstMsg = messages[0];
-    const keptCount = _CoreAgent.MAX_MESSAGES_HARD_CAP - 1;
-    const recentMessages = messages.slice(-keptCount);
-    messages.length = 0;
-    if (firstMsg) messages.push(firstMsg);
-    messages.push(...recentMessages);
+    let totalChars = messages.reduce((sum, m) => {
+      const len = typeof m.content === "string" ? m.content.length : JSON.stringify(m.content).length;
+      return sum + len;
+    }, 0);
+    if (messages.length <= _CoreAgent.MAX_MESSAGES_HARD_CAP && totalChars <= _CoreAgent.MAX_MESSAGES_CHAR_CAP) return;
+    while (messages.length > 2 && (messages.length > _CoreAgent.MAX_MESSAGES_HARD_CAP || totalChars > _CoreAgent.MAX_MESSAGES_CHAR_CAP)) {
+      const removed = messages.splice(1, 1)[0];
+      if (removed) {
+        totalChars -= typeof removed.content === "string" ? removed.content.length : JSON.stringify(removed.content).length;
+      }
+    }
   }
   /** The core loop: Think → Act → Observe */
   async run(task, systemPrompt) {
@@ -3232,10 +3274,250 @@ auto-proxied by the system \u2014 no extra work needed for those.`,
   execute: async (params) => writeFileContent(params.path, params.content)
 };
 
+// src/engine/tools/system/shell-tools.ts
+function createShellTool(name, description, parameters, required, execute) {
+  return {
+    name,
+    description,
+    parameters,
+    required,
+    execute
+  };
+}
+function getShellCheckCommand(profile) {
+  switch (profile) {
+    case "stability":
+      return "echo $TERM && tty && stty -a";
+    case "post":
+      return "id && whoami && hostname && ip a | head -n 20";
+    case "environment":
+      return "pwd && uname -a && cat /etc/os-release 2>/dev/null | head -n 5";
+    case "identity":
+    default:
+      return "id && whoami && hostname";
+  }
+}
+function getShellUpgradeCommand(method) {
+  switch (method || "python_pty") {
+    case "python_pty":
+      return `python3 -c 'import pty; pty.spawn("/bin/bash")' || python -c 'import pty; pty.spawn("/bin/bash")'`;
+    case "script":
+      return "script -q /dev/null -c /bin/bash";
+    case "perl":
+      return q(`perl -e 'exec "/bin/bash";'`);
+    case "ruby":
+      return q(`ruby -e 'exec "/bin/bash"'`);
+    case "socat_probe":
+      return "command -v socat && socat -h | head -n 5";
+    case "stty_probe":
+      return "echo $TERM && tty && stty -a";
+    default:
+      return null;
+  }
+}
+function outputLooksStabilized(output) {
+  const normalized = output.toLowerCase();
+  return normalized.includes("xterm") || normalized.includes("/dev/pts/") || normalized.includes("rows") || normalized.includes("columns");
+}
+function q(value) {
+  return value;
+}
+async function executeShellUpgrade(processId, method, waitMs) {
+  const command = getShellUpgradeCommand(method);
+  if (!command) {
+    return {
+      success: false,
+      output: "",
+      error: `Unknown shell upgrade method: ${method}. Use: python_pty, script, perl, ruby, socat_probe, stty_probe`
+    };
+  }
+  logEvent(processId, PROCESS_EVENTS.SHELL_UPGRADE_ATTEMPTED, `Shell upgrade method: ${method || "python_pty"}`);
+  return handleInteractAction(processId, command, waitMs);
+}
+function buildListenerCommand(port, bind) {
+  return bind ? `nc -lvnp ${port} -s ${bind}` : `nc -lvnp ${port}`;
+}
+function executeListenerStart(port, bind, purpose) {
+  if (!Number.isFinite(port) || port <= 0) {
+    return {
+      success: false,
+      output: "",
+      error: "Invalid port. Provide a positive numeric port."
+    };
+  }
+  const usedPorts = getUsedPorts();
+  if (usedPorts.includes(port)) {
+    return {
+      success: false,
+      output: `[X] PORT CONFLICT: Port ${port} is already in use.
+Used ports: ${usedPorts.join(", ")}`,
+      error: `Port ${port} already in use`
+    };
+  }
+  const command = buildListenerCommand(port, bind);
+  const portMatch = command.match(DETECTION_PATTERNS.LISTENER);
+  if (!portMatch) {
+    return {
+      success: false,
+      output: "",
+      error: `Failed to build listener command for port ${port}`
+    };
+  }
+  const proc = startBackgroundProcess(command, {
+    description: `listener ${port}`,
+    purpose: purpose || `Reverse shell listener on port ${port}`
+  });
+  return {
+    success: true,
+    output: `Listener started.
+Process ID: ${proc.id}
+PID: ${proc.pid}
+Port: ${proc.listeningPort || port}
+Role: ${proc.role}
+Purpose: ${proc.purpose}`
+  };
+}
+var shellTools = [
+  createShellTool(
+    TOOL_NAMES.LISTENER_START,
+    "Start exactly one reverse-shell listener as a tracked background process.",
+    {
+      port: { type: "number", description: "Listener port" },
+      bind: { type: "string", description: "Optional local bind address" },
+      purpose: { type: "string", description: "Optional purpose for resource tracking" }
+    },
+    ["port"],
+    async (params) => executeListenerStart(
+      Number(params.port),
+      params.bind,
+      params.purpose
+    )
+  ),
+  createShellTool(
+    TOOL_NAMES.LISTENER_STATUS,
+    "Check a reverse-shell listener in detail. Use this instead of bg_process status when supervising callbacks.",
+    {
+      process_id: { type: "string", description: "Listener process ID" }
+    },
+    ["process_id"],
+    async (params) => handleStatusAction(params.process_id)
+  ),
+  createShellTool(
+    TOOL_NAMES.SHELL_PROMOTE,
+    "Promote a listener with a confirmed callback into the active shell role.",
+    {
+      process_id: { type: "string", description: "Listener process ID" },
+      description: { type: "string", description: "Optional shell description" }
+    },
+    ["process_id"],
+    async (params) => handlePromoteAction(params.process_id, params.description)
+  ),
+  createShellTool(
+    TOOL_NAMES.SHELL_EXEC,
+    "Execute a command through an active reverse shell and return new output.",
+    {
+      process_id: { type: "string", description: "Active shell process ID" },
+      command: { type: "string", description: "Command to execute through the shell" },
+      wait_ms: { type: "number", description: "Optional wait time for shell output" }
+    },
+    ["process_id", "command"],
+    async (params) => handleInteractAction(
+      params.process_id,
+      params.command,
+      params.wait_ms
+    )
+  ),
+  createShellTool(
+    TOOL_NAMES.SHELL_CHECK,
+    "Run a bounded shell quality or environment check. Profiles: identity, stability, environment, post.",
+    {
+      process_id: { type: "string", description: "Shell process ID" },
+      profile: { type: "string", description: "identity | stability | environment | post" },
+      wait_ms: { type: "number", description: "Optional wait time for shell output" }
+    },
+    ["process_id"],
+    async (params) => {
+      const processId = params.process_id;
+      const result = await handleInteractAction(
+        processId,
+        getShellCheckCommand(params.profile),
+        params.wait_ms
+      );
+      if (result.success && params.profile === "stability" && outputLooksStabilized(result.output)) {
+        logEvent(processId, PROCESS_EVENTS.SHELL_STABILIZED, "Shell stability confirmed by shell_check");
+      }
+      return result;
+    }
+  ),
+  createShellTool(
+    TOOL_NAMES.SHELL_UPGRADE,
+    "Send a bounded shell-upgrade attempt or upgrade probe through an active shell.",
+    {
+      process_id: { type: "string", description: "Shell process ID" },
+      method: { type: "string", description: "python_pty | script | perl | ruby | socat_probe | stty_probe" },
+      wait_ms: { type: "number", description: "Optional wait time for shell output" }
+    },
+    ["process_id"],
+    async (params) => executeShellUpgrade(
+      params.process_id,
+      params.method,
+      params.wait_ms
+    )
+  )
+];
+
+// src/engine/tools/system/offensive-bounded-tools.ts
+async function runBoundedForegroundCommand(command, timeout) {
+  return runCommand(command, [], timeout ? { timeout } : {});
+}
+function createBoundedCommandTool(name, description) {
+  return {
+    name,
+    description,
+    parameters: {
+      command: { type: "string", description: "Bounded foreground command for this phase-specific operation" },
+      timeout: { type: "number", description: "Optional timeout in ms" }
+    },
+    required: ["command"],
+    execute: async (params) => runBoundedForegroundCommand(
+      params.command,
+      params.timeout
+    )
+  };
+}
+var offensiveBoundedTools = [
+  createBoundedCommandTool(
+    TOOL_NAMES.EXPLOIT_CREDENTIAL_CHECK,
+    "Run a bounded exploit credential/token validation probe. Use after a chain dumps credentials or tokens."
+  ),
+  createBoundedCommandTool(
+    TOOL_NAMES.EXPLOIT_ARTIFACT_CHECK,
+    "Run a bounded exploit artifact validation probe. Use to verify the current artifact before replacing it."
+  ),
+  createBoundedCommandTool(
+    TOOL_NAMES.EXPLOIT_FOOTHOLD_CHECK,
+    "Run a bounded foothold confirmation probe after an exploit chain appears to land access."
+  ),
+  createBoundedCommandTool(
+    TOOL_NAMES.PWN_CRASH_REPRO,
+    "Run a bounded pwn crash reproduction command from the preserved crash state."
+  ),
+  createBoundedCommandTool(
+    TOOL_NAMES.PWN_OFFSET_CHECK,
+    "Run a bounded pwn offset verification command when control primitives are believed to be known."
+  ),
+  createBoundedCommandTool(
+    TOOL_NAMES.PWN_PAYLOAD_SMOKE,
+    "Run a bounded pwn payload smoke-test command against the latest exploit revision."
+  )
+];
+
 // src/engine/tools/system/index.ts
 var systemTools = [
   runCmdTool,
   bgProcessTool,
+  ...shellTools,
+  ...offensiveBoundedTools,
   readFileTool,
   writeFileTool
 ];
@@ -4253,9 +4535,7 @@ function isTransientHttpError(status) {
 async function parseNmap(xmlPath) {
   try {
     const fileResult = await readFileContent(xmlPath);
-    if (!fileResult.success) {
-      return fileResult;
-    }
+    if (!fileResult.success) return fileResult;
     const xmlContent = fileResult.output;
     const results = {
       targets: [],
@@ -4264,31 +4544,7 @@ async function parseNmap(xmlPath) {
     const hostRegex = /<host[^>]*>[\s\S]*?<\/host>/g;
     const hosts = xmlContent.match(hostRegex) || [];
     for (const hostBlock of hosts) {
-      const ipMatch = hostBlock.match(/<address[^>]*addr="([^"]+)"/);
-      const ip = ipMatch ? ipMatch[1] : "";
-      const hostnameMatch = hostBlock.match(/<hostname[^>]*name="([^"]+)"/);
-      const hostname = hostnameMatch ? hostnameMatch[1] : void 0;
-      const ports = [];
-      const portRegex = /<port[^>]*protocol="([^"]*)"[^>]*portid="(\d+)">[\s\S]*?<\/port>/g;
-      let portMatch;
-      while ((portMatch = portRegex.exec(hostBlock)) !== null) {
-        const protocol = portMatch[1];
-        const port = parseInt(portMatch[2]);
-        const stateMatch = portMatch[0].match(/<state[^>]*state="([^"]+)"/);
-        const state = stateMatch ? stateMatch[1] : "";
-        const serviceMatch = portMatch[0].match(/<service[^>]*name="([^"]*)"(?:[^>]*version="([^"]*)")?/);
-        const service = serviceMatch ? serviceMatch[1] : void 0;
-        const version = serviceMatch && serviceMatch[2] ? serviceMatch[2] : void 0;
-        if (state === PORT_STATE.OPEN) {
-          ports.push({ port, protocol, state, service, version });
-          results.summary.openPorts++;
-          if (service) results.summary.servicesFound++;
-        }
-      }
-      if (ip) {
-        results.targets.push({ ip, hostname, ports });
-        results.summary.totalTargets++;
-      }
+      parseHost(hostBlock, results);
     }
     return {
       success: true,
@@ -4302,6 +4558,37 @@ async function parseNmap(xmlPath) {
     };
   }
 }
+function parseHost(hostBlock, results) {
+  const ipMatch = hostBlock.match(/<address[^>]*addr="([^"]+)"/);
+  const ip = ipMatch ? ipMatch[1] : "";
+  const hostnameMatch = hostBlock.match(/<hostname[^>]*name="([^"]+)"/);
+  const hostname = hostnameMatch ? hostnameMatch[1] : void 0;
+  const ports = parsePorts(hostBlock, results);
+  if (ip) {
+    results.targets.push({ ip, hostname, ports });
+    results.summary.totalTargets++;
+  }
+}
+function parsePorts(hostBlock, results) {
+  const ports = [];
+  const portRegex = /<port[^>]*protocol="([^"]*)"[^>]*portid="(\d+)">[\s\S]*?<\/port>/g;
+  let portMatch;
+  while ((portMatch = portRegex.exec(hostBlock)) !== null) {
+    const protocol = portMatch[1];
+    const port = parseInt(portMatch[2]);
+    const stateMatch = portMatch[0].match(/<state[^>]*state="([^"]+)"/);
+    const state = stateMatch ? stateMatch[1] : "";
+    const serviceMatch = portMatch[0].match(/<service[^>]*name="([^"]*)"(?:[^>]*version="([^"]*)")?/);
+    const service = serviceMatch ? serviceMatch[1] : void 0;
+    const version = serviceMatch && serviceMatch[2] ? serviceMatch[2] : void 0;
+    if (state === PORT_STATE.OPEN) {
+      ports.push({ port, protocol, state, service, version });
+      results.summary.openPorts++;
+      if (service) results.summary.servicesFound++;
+    }
+  }
+  return ports;
+}
 
 // src/engine/tools/intel-utils/cve-search.ts
 import { execFileSync } from "child_process";
@@ -4861,54 +5148,57 @@ function getStorageAndAuthDumpSnippet(capturedVarName = "_capturedHeaders", safe
 }
 
 // src/engine/tools/web-browser/scripts/builder.ts
-function buildBrowseScript(url, options, screenshotPath, sessionPath) {
-  const safeUrl = safeJsString(url);
-  const safeUserAgent = safeJsString(options.userAgent || BROWSER_CONFIG.DEFAULT_USER_AGENT);
-  const safeScreenshotPath = screenshotPath ? safeJsString(screenshotPath) : "null";
-  const safeExtraHeaders = JSON.stringify(options.extraHeaders || {});
-  const playwrightPath = getPlaywrightPath();
-  const safePlaywrightPath = safeJsString(playwrightPath);
-  const safeSessionPath = sessionPath ? safeJsString(sessionPath) : null;
-  return `
-const { chromium } = require(${safePlaywrightPath});
+function buildCommonHeader(safePlaywrightPath) {
+  return `const { chromium } = require(${safePlaywrightPath});
 const fs = require('fs');
 
 (async () => {
     const browser = await chromium.launch({
         headless: true,
         args: ['${PLAYWRIGHT_ARG.NO_SANDBOX}', '${PLAYWRIGHT_ARG.DISABLE_SETUID_SANDBOX}', ${JSON.stringify(getTorBrowserArgs()).slice(1, -1)}].filter(Boolean)
-    });
-
-    // \xA74 Browser Session: load existing session if requested
+    });`;
+}
+function buildSessionContext(options, safeSessionPath) {
+  const safeUserAgent = options.userAgent ? safeJsString(options.userAgent) : "undefined";
+  const safeExtraHeaders = options.extraHeaders ? JSON.stringify(options.extraHeaders) : "{}";
+  const viewportStr = options.viewport ? `viewport: { width: ${options.viewport.width}, height: ${options.viewport.height} },` : "";
+  return `
     const contextOptions = {
-        userAgent: ${safeUserAgent},
-        viewport: { width: ${options.viewport.width}, height: ${options.viewport.height} },
-        extraHTTPHeaders: ${safeExtraHeaders}
+        ${options.userAgent ? `userAgent: ${safeUserAgent},` : ""}
+        ${viewportStr}
+        ${options.extraHeaders ? `extraHTTPHeaders: ${safeExtraHeaders},` : ""}
     };
     ${safeSessionPath && options.useSession ? `
     if (fs.existsSync(${safeSessionPath})) {
         contextOptions.storageState = ${safeSessionPath};
     }` : ""}
-
     const context = await browser.newContext(contextOptions);
+    const page = await context.newPage();`;
+}
+function buildSessionSave(saveSession, safeSessionPath, targetObj, authHeadersProp) {
+  if (!safeSessionPath || !saveSession) return "";
+  return `
+        await context.storageState({ path: ${safeSessionPath} });
+        ${targetObj}.sessionSaved = ${safeSessionPath};
 
-    const page = await context.newPage();
-
-    ${getNetworkAuthInterceptSnippet("_capturedHeaders")}
-
-    try {
-        await page.goto(${safeUrl}, { waitUntil: 'networkidle', timeout: ${options.timeout} });
-
-        // Wait for dynamic content
-        await page.waitForTimeout(${options.waitAfterLoad});
-
-        const result = { _interceptedAuth: _capturedHeaders };
-
-        // Extract title
-        result.title = await page.title();
-
-        // Extract text content
-        ${options.extractContent ? `
+        ${getStorageAndAuthDumpSnippet(authHeadersProp, safeSessionPath)}
+        ${targetObj}.authHeadersSaved = _authHeadersPath;
+        ${targetObj}.authHeadersNote = 'auth-headers.json contains intercepted network headers + full storage dump. LLM should inspect _storage field for unlabeled tokens.';
+    `;
+}
+function buildCommonFooter() {
+  return `
+    } catch (error) {
+        console.log(JSON.stringify({ error: error.message }));
+    } finally {
+        await browser.close();
+    }
+})();`;
+}
+function buildBrowseExtraction(options) {
+  let extraction = "";
+  if (options.extractContent) {
+    extraction += `
         result.text = await page.evaluate(() => {
             const body = document.body;
             const walker = document.createTreeWalker(body, NodeFilter.SHOW_TEXT, null, false);
@@ -4919,19 +5209,19 @@ const fs = require('fs');
                 if (content) text += content + '\\n';
             }
             return text.slice(0, ${BROWSER_LIMITS.MAX_TEXT_EXTRACTION});
-        });` : ""}
-
-        // Extract links
-        ${options.extractLinks ? `
+        });`;
+  }
+  if (options.extractLinks) {
+    extraction += `
         result.links = await page.evaluate(() => {
             return Array.from(document.querySelectorAll('a[href]')).map(a => ({
                 href: a.href,
                 text: a.textContent.trim().slice(0, ${DISPLAY_LIMITS.LINK_TEXT_PREVIEW})
             })).slice(0, ${BROWSER_LIMITS.MAX_LINKS_EXTRACTION});
-        });` : ""}
-
-        // Extract forms
-        ${options.extractForms ? `
+        });`;
+  }
+  if (options.extractForms) {
+    extraction += `
         result.forms = await page.evaluate(() => {
             return Array.from(document.querySelectorAll('form')).map(form => ({
                 action: form.action,
@@ -4944,69 +5234,42 @@ const fs = require('fs');
                     isRequired: input.required
                 }))
             }));
-        });` : ""}
-
-        // Take screenshot
-        ${screenshotPath ? `await page.screenshot({ path: ${safeScreenshotPath}, fullPage: false });` : ""}
+        });`;
+  }
+  return extraction;
+}
+function buildBrowseScript(url, options, screenshotPath, sessionPath) {
+  const safeUrl = safeJsString(url);
+  const safeScreenshotPath = screenshotPath ? safeJsString(screenshotPath) : "null";
+  const safePlaywrightPath = safeJsString(getPlaywrightPath());
+  const safeSessionPath = sessionPath ? safeJsString(sessionPath) : null;
+  options.userAgent = options.userAgent || BROWSER_CONFIG.DEFAULT_USER_AGENT;
+  return `
+${buildCommonHeader(safePlaywrightPath)}
+${buildSessionContext(options, safeSessionPath)}
+    ${getNetworkAuthInterceptSnippet("_capturedHeaders")}
+    try {
+        await page.goto(${safeUrl}, { waitUntil: 'networkidle', timeout: ${options.timeout} });
+        await page.waitForTimeout(${options.waitAfterLoad});
 
-        // \xA74 Browser Session: save state + capture auth headers (LLM-independent, no hardcoded keys)
-        ${safeSessionPath && options.saveSession ? `
-        await context.storageState({ path: ${safeSessionPath} });
-        result.sessionSaved = ${safeSessionPath};
+        const result = { _interceptedAuth: _capturedHeaders };
+        result.title = await page.title();
 
-        ${getStorageAndAuthDumpSnippet("result._interceptedAuth", safeSessionPath)}
-        result.authHeadersSaved = _authHeadersPath;
-        result.authHeadersNote = 'auth-headers.json contains intercepted network headers + full storage dump. LLM should inspect _storage field for unlabeled tokens.';
-        ` : ""}
+        ${buildBrowseExtraction(options)}
+        ${screenshotPath ? `await page.screenshot({ path: ${safeScreenshotPath}, fullPage: false });` : ""}
+        ${buildSessionSave(!!options.saveSession, safeSessionPath, "result", "result._interceptedAuth")}
 
         console.log(JSON.stringify(result));
-    } catch (error) {
-        console.log(JSON.stringify({ error: error.message }));
-    } finally {
-        await browser.close();
-    }
-})();
+${buildCommonFooter()}
 `;
 }
-function buildFormScript(params) {
-  const { safeUrl, safeFormData, safePlaywrightPath, timeout, useSession, saveSession, safeSessionPath } = params;
+function buildFormFillingLogic(safeFormData) {
   return `
-const { chromium } = require(${safePlaywrightPath});
-const fs = require('fs');
-
-(async () => {
-    const browser = await chromium.launch({
-        headless: true,
-        args: ['${PLAYWRIGHT_ARG.NO_SANDBOX}', '${PLAYWRIGHT_ARG.DISABLE_SETUID_SANDBOX}', ${JSON.stringify(getTorBrowserArgs()).slice(1, -1)}].filter(Boolean)
-    });
-
-    // \xA74 Session: load existing session if requested
-    const contextOptions = {};
-    ${safeSessionPath && useSession ? `
-    if (fs.existsSync(${safeSessionPath})) {
-        contextOptions.storageState = ${safeSessionPath};
-    }` : ""}
-    const context = await browser.newContext(contextOptions);
-    const page = await context.newPage();
-
-    ${getNetworkAuthInterceptSnippet("_capturedHeaders")}
-
-    try {
-        await page.goto(${safeUrl}, { waitUntil: 'networkidle', timeout: ${timeout} });
-
-        // \xA7LLM-AUTONOMY: Semantic form field matching via Accessibility Tree + multiple strategies.
-        // No hardcoded CSS selector rules. Tries in priority order:
-        //   1. name/id attribute (exact)
-        //   2. aria-label / placeholder semantic match (case-insensitive)
-        //   3. input[type] semantic inference (username\u2192text, password\u2192password)
         const formData = ${safeFormData};
         for (const [fieldKey, fieldValue] of Object.entries(formData)) {
             const lk = fieldKey.toLowerCase();
-
-            // Strategy 1: exact name/id/aria-label attribute
             let el = await page.$(\`[name="\${fieldKey}"], #\${fieldKey}\`);
 
-            // Strategy 2: semantic aria-label or placeholder match
             if (!el) {
                 el = await page.evaluateHandle((key) => {
                     const inputs = [...document.querySelectorAll('input, textarea, select')];
@@ -5019,22 +5282,16 @@ const fs = require('fs');
                 }, lk).then(h => h.asElement());
             }
 
-            // Strategy 3: type-based inference (username/email/user \u2192 type=text/email, password \u2192 type=password)
             if (!el) {
                 let inferredType = null;
                 if (['username', 'user', 'email', 'login'].includes(lk)) inferredType = ['text', 'email'];
                 if (['password', 'pass', 'pwd'].includes(lk)) inferredType = ['password'];
-                if (inferredType) {
-                    el = await page.$(\`input[type="\${inferredType[0]}"\${inferredType[1] ? \`, input[type="\${inferredType[1]}"\` : ''}]\`);
-                }
+                if (inferredType) el = await page.$(\`input[type="\${inferredType[0]}"\${inferredType[1] ? \`, input[type="\${inferredType[1]}"\` : ''}]\`);
             }
 
-            if (el) {
-                await el.fill(String(fieldValue));
-            }
+            if (el) await el.fill(String(fieldValue));
         }
 
-        // \xA7LLM-AUTONOMY: Submit via semantic search \u2014 finds any element that looks like a submit action.
         const submitEl = await page.$([
             'button[type="submit"]',
             'input[type="submit"]',
@@ -5047,27 +5304,29 @@ const fs = require('fs');
             await submitEl.click();
             await page.waitForLoadState('networkidle').catch(() => {});
         }
+    `;
+}
+function buildFormScript(params) {
+  const { safeUrl, safeFormData, safePlaywrightPath, timeout, useSession, saveSession, safeSessionPath } = params;
+  return `
+${buildCommonHeader(safePlaywrightPath)}
+${buildSessionContext({ useSession }, safeSessionPath)}
+    ${getNetworkAuthInterceptSnippet("_capturedHeaders")}
+    try {
+        await page.goto(${safeUrl}, { waitUntil: 'networkidle', timeout: ${timeout} });
 
-        // \xA74 Session: save state + capture real auth headers (no hardcoded keys)
-        ${safeSessionPath && saveSession ? `
-        await context.storageState({ path: ${safeSessionPath} });
-
-        ${getStorageAndAuthDumpSnippet("_capturedHeaders", safeSessionPath)}
-        ` : ""}
+        ${buildFormFillingLogic(safeFormData)}
 
         const result = {
             url: page.url(),
             title: await page.title(),
-            ${safeSessionPath && saveSession ? `authHeadersSaved: ${safeSessionPath}.replace('${BROWSER_PATHS.SESSION_FILE}', '${BROWSER_PATHS.AUTH_HEADERS_FILE}'),` : ""}
+            _interceptedAuth: _capturedHeaders
         };
 
+        ${buildSessionSave(saveSession, safeSessionPath, "result", "result._interceptedAuth")}
+
         console.log(JSON.stringify(result));
-    } catch (error) {
-        console.log(JSON.stringify({ error: error.message }));
-    } finally {
-        await browser.close();
-    }
-})();
+${buildCommonFooter()}
 `;
 }
 
@@ -7950,6 +8209,7 @@ var SessionState = class {
 };
 
 // src/engine/state/core/shared-state.ts
+var MAX_DELEGATED_TASKS = 50;
 var SharedState = class {
   attackGraph = new AttackGraph();
   targetState;
@@ -7985,6 +8245,7 @@ var SharedState = class {
    * Current objective for flexible task management.
    */
   currentObjective = null;
+  delegatedTasks = [];
   constructor() {
     this.targetState = new TargetState(this.attackGraph);
     this.findingState = new FindingState();
@@ -8010,6 +8271,7 @@ var SharedState = class {
     this.dynamicTechniques.clear();
     this.artifacts = [];
     this.currentObjective = null;
+    this.delegatedTasks = [];
     this.lastReflection = "";
     this.lastTriageMemo = "";
   }
@@ -8127,6 +8389,38 @@ var SharedState = class {
   getTimeStatus() {
     return this.sessionState.getTimeStatus();
   }
+  recordDelegatedTask(task) {
+    const now = Date.now();
+    const parentTask = task.resumeTaskId ? this.delegatedTasks.find((existing) => existing.id === task.resumeTaskId) : void 0;
+    const record = {
+      ...task,
+      parentTaskId: task.resumeTaskId || void 0,
+      rootTaskId: parentTask ? parentTask.rootTaskId || parentTask.id : task.resumeTaskId || void 0,
+      id: generatePrefixedId("delegated_task"),
+      createdAt: now,
+      updatedAt: now
+    };
+    this.delegatedTasks.push(record);
+    if (this.delegatedTasks.length > MAX_DELEGATED_TASKS) {
+      this.delegatedTasks = this.delegatedTasks.slice(this.delegatedTasks.length - MAX_DELEGATED_TASKS);
+    }
+    return record;
+  }
+  restoreDelegatedTask(task) {
+    this.delegatedTasks.push(task);
+    if (this.delegatedTasks.length > MAX_DELEGATED_TASKS) {
+      this.delegatedTasks = this.delegatedTasks.slice(this.delegatedTasks.length - MAX_DELEGATED_TASKS);
+    }
+  }
+  getDelegatedTasks() {
+    return [...this.delegatedTasks];
+  }
+  getActiveDelegatedTasks() {
+    return this.delegatedTasks.filter((task) => task.status === "waiting" || task.status === "running");
+  }
+  getDelegatedTask(taskId) {
+    return this.delegatedTasks.find((task) => task.id === taskId);
+  }
 };
 
 // src/shared/utils/policy/document.ts
@@ -8168,6 +8462,37 @@ function writePolicyDocument(content) {
   );
 }
 
+// src/engine/auxiliary-llm/strategist-prompt.ts
+function buildStrategistPrompt(input) {
+  const state = input.state;
+  const sections = ["## Engagement State", StateSerializer.toPrompt(state)];
+  const failures = state.workingMemory.toPrompt();
+  if (failures) sections.push("", "## Failed Attempts (DO NOT REPEAT THESE)", failures);
+  try {
+    const journalSummary = readJournalSummary();
+    if (journalSummary) sections.push("", "## Session Journal (past turns summary)", journalSummary);
+  } catch {
+  }
+  const policyDocument = readPolicyDocument();
+  if (policyDocument) sections.push("", "## Policy Memory", policyDocument);
+  const graph = state.attackGraph.toPrompt();
+  if (graph) sections.push("", "## Attack Graph", graph);
+  const timeline = state.episodicMemory.toPrompt();
+  if (timeline) sections.push("", "## Recent Actions", timeline);
+  const techniques = state.dynamicTechniques.toPrompt();
+  if (techniques) sections.push("", "## Learned Techniques", techniques);
+  sections.push("", "## Time", state.getTimeStatus());
+  const analysis = state.getChallengeAnalysis?.();
+  if (analysis && analysis.primaryType !== "unknown") {
+    sections.push(
+      "",
+      "## Challenge Type",
+      `${analysis.primaryType.toUpperCase()} (confidence: ${(analysis.confidence * 100).toFixed(0)}%)`
+    );
+  }
+  return sections.join("\n");
+}
+
 // src/engine/auxiliary-llm/strategist.ts
 var Strategist = class extends AuxiliaryLLMBase {
   lastDirective = null;
@@ -8184,33 +8509,7 @@ var Strategist = class extends AuxiliaryLLMBase {
   }
   // ─── Abstract impl ───────────────────────────────────────────────────────
   formatInput(input) {
-    const state = input.state;
-    const sections = ["## Engagement State", StateSerializer.toPrompt(state)];
-    const failures = state.workingMemory.toPrompt();
-    if (failures) sections.push("", "## Failed Attempts (DO NOT REPEAT THESE)", failures);
-    try {
-      const journalSummary = readJournalSummary();
-      if (journalSummary) sections.push("", "## Session Journal (past turns summary)", journalSummary);
-    } catch {
-    }
-    const policyDocument = readPolicyDocument();
-    if (policyDocument) sections.push("", "## Policy Memory", policyDocument);
-    const graph = state.attackGraph.toPrompt();
-    if (graph) sections.push("", "## Attack Graph", graph);
-    const timeline = state.episodicMemory.toPrompt();
-    if (timeline) sections.push("", "## Recent Actions", timeline);
-    const techniques = state.dynamicTechniques.toPrompt();
-    if (techniques) sections.push("", "## Learned Techniques", techniques);
-    sections.push("", "## Time", state.getTimeStatus());
-    const analysis = state.getChallengeAnalysis?.();
-    if (analysis && analysis.primaryType !== "unknown") {
-      sections.push(
-        "",
-        "## Challenge Type",
-        `${analysis.primaryType.toUpperCase()} (confidence: ${(analysis.confidence * 100).toFixed(0)}%)`
-      );
-    }
-    return sections.join("\n");
+    return buildStrategistPrompt(input);
   }
   parseOutput(_response) {
     throw new Error("Unused \u2014 execute() is overridden in Strategist");
@@ -8631,7 +8930,7 @@ function isPortArray(value) {
     (item) => typeof item === "object" && item !== null && typeof item.port === "number"
   );
 }
-function parsePorts(value) {
+function parsePorts2(value) {
   return isPortArray(value) ? value : [];
 }
 function isValidSeverity(value) {
@@ -8663,7 +8962,7 @@ var SPRAY_LOOT_TYPES = /* @__PURE__ */ new Set([
 // src/domains/engagement/handlers/target.ts
 async function executeAddTarget(p, state) {
   const ip = p.ip;
-  const ports = parsePorts(p.ports);
+  const ports = parsePorts2(p.ports);
   const os = p.os;
   const hostname = p.hostname;
   const existing = state.getTarget(ip);
@@ -9172,99 +9471,70 @@ function getContextRecommendations(context, variantCount) {
 }
 
 // src/shared/utils/payload-mutator/core.ts
+var TRANSFORM_STRATEGIES = {
+  [TRANSFORM_TYPE.URL]: (p, v) => {
+    v.push({ payload: urlEncode(p), transform: "url", description: "URL encoded (special chars only)" });
+    v.push({ payload: urlEncodeAll(p), transform: "url_full", description: "URL encoded (all chars)" });
+  },
+  [TRANSFORM_TYPE.DOUBLE_URL]: (p, v) => v.push({ payload: doubleUrlEncode(p), transform: "double_url", description: "Double URL encoded" }),
+  [TRANSFORM_TYPE.TRIPLE_URL]: (p, v) => v.push({ payload: tripleUrlEncode(p), transform: "triple_url", description: "Triple URL encoded" }),
+  [TRANSFORM_TYPE.UNICODE]: (p, v) => v.push({ payload: unicodeEncode(p), transform: "unicode", description: "Unicode escape sequences" }),
+  [TRANSFORM_TYPE.HTML_ENTITY_DEC]: (p, v) => v.push({ payload: htmlEntityDec(p), transform: "html_entity_dec", description: "HTML decimal entities" }),
+  [TRANSFORM_TYPE.HTML_ENTITY_HEX]: (p, v) => v.push({ payload: htmlEntityHex(p), transform: "html_entity_hex", description: "HTML hex entities" }),
+  [TRANSFORM_TYPE.HEX]: (p, v) => v.push({ payload: hexEncode(p), transform: "hex", description: "Hex encoded" }),
+  [TRANSFORM_TYPE.OCTAL]: (p, v) => v.push({ payload: octalEncode(p), transform: "octal", description: "Octal encoded" }),
+  [TRANSFORM_TYPE.BASE64]: (p, v) => v.push({ payload: base64Encode(p), transform: "base64", description: "Base64 encoded" }),
+  [TRANSFORM_TYPE.CASE_SWAP]: (p, v) => {
+    for (let i = 0; i < 3; i++) v.push({ payload: caseSwap(p), transform: "case_swap", description: `Case variation ${i + 1}` });
+  },
+  [TRANSFORM_TYPE.COMMENT_INSERT]: (p, v) => v.push({ payload: commentInsert(p), transform: "comment_insert", description: "SQL comments in keywords" }),
+  [TRANSFORM_TYPE.WHITESPACE_ALT]: (p, v) => {
+    v.push({ payload: whitespaceAlt(p), transform: "whitespace_alt", description: "Alternative whitespace chars" });
+    v.push({ payload: p.replace(/ /g, "/**/"), transform: "whitespace_comment", description: "Comment as whitespace" });
+    v.push({ payload: p.replace(/ /g, "+"), transform: "whitespace_plus", description: "Plus as whitespace" });
+  },
+  [TRANSFORM_TYPE.CHAR_FUNCTION]: (p, v) => {
+    v.push({ payload: charFunction(p, "mysql"), transform: "char_mysql", description: "MySQL CHAR() encoding" });
+    v.push({ payload: charFunction(p, "mssql"), transform: "char_mssql", description: "MSSQL CHAR() encoding" });
+    v.push({ payload: charFunction(p, "pg"), transform: "char_pg", description: "PostgreSQL CHR() encoding" });
+  },
+  [TRANSFORM_TYPE.CONCAT_SPLIT]: (p, v) => v.push({ payload: concatSplit(p), transform: "concat_split", description: "String split via CONCAT" }),
+  [TRANSFORM_TYPE.NULL_BYTE]: (p, v) => {
+    v.push({ payload: nullByteAppend(p), transform: "null_byte", description: "Null byte appended" });
+    v.push({ payload: p + "%00.jpg", transform: "null_byte_ext", description: "Null byte + fake extension" });
+  },
+  [TRANSFORM_TYPE.REVERSE]: (p, v) => v.push({ payload: reversePayload(p), transform: "reverse", description: "Reversed (use with rev | sh)" }),
+  [TRANSFORM_TYPE.UTF8_OVERLONG]: (p, v) => v.push({ payload: utf8Overlong(p), transform: "utf8_overlong", description: "UTF-8 overlong sequences" }),
+  [TRANSFORM_TYPE.MIXED_ENCODING]: (p, v) => v.push({ payload: mixedEncoding(p), transform: "mixed_encoding", description: "Mixed encoding (partial)" }),
+  [TRANSFORM_TYPE.TAG_ALTERNATIVE]: (p, v) => v.push(...generateXssAlternatives(p)),
+  [TRANSFORM_TYPE.EVENT_HANDLER]: (p, v) => v.push(...generateXssAlternatives(p)),
+  [TRANSFORM_TYPE.JS_ALTERNATIVE]: (p, v) => v.push(...generateXssAlternatives(p)),
+  [TRANSFORM_TYPE.KEYWORD_BYPASS]: (p, v) => {
+    v.push({ payload: keywordBypass(p), transform: "keyword_bypass", description: "Quote-inserted keyword bypass" });
+    v.push({ payload: spaceBypass(p), transform: "space_bypass", description: "$IFS space bypass" });
+  },
+  [TRANSFORM_TYPE.SPACE_BYPASS]: (p, v) => {
+    v.push({ payload: p.replace(/ /g, "${IFS}"), transform: "ifs", description: "$IFS space bypass" });
+    v.push({ payload: p.replace(/ /g, "%09"), transform: "tab", description: "Tab space bypass" });
+    v.push({ payload: p.replace(/ /g, "<"), transform: "redirect", description: "Redirect as separator" });
+    const parts = p.split(" ");
+    if (parts.length >= 2) v.push({ payload: `{${parts.join(",")}}`, transform: "brace", description: "Brace expansion" });
+  }
+};
 function mutatePayload(request) {
   const { payload, transforms, context = "generic", maxVariants = 20 } = request;
   const variants = [];
-  const recommendations = [];
   const activeTransforms = transforms || getDefaultTransforms(context);
   for (const transform of activeTransforms) {
-    switch (transform) {
-      case TRANSFORM_TYPE.URL:
-        variants.push({ payload: urlEncode(payload), transform: "url", description: "URL encoded (special chars only)" });
-        variants.push({ payload: urlEncodeAll(payload), transform: "url_full", description: "URL encoded (all chars)" });
-        break;
-      case TRANSFORM_TYPE.DOUBLE_URL:
-        variants.push({ payload: doubleUrlEncode(payload), transform: "double_url", description: "Double URL encoded" });
-        break;
-      case TRANSFORM_TYPE.TRIPLE_URL:
-        variants.push({ payload: tripleUrlEncode(payload), transform: "triple_url", description: "Triple URL encoded" });
-        break;
-      case TRANSFORM_TYPE.UNICODE:
-        variants.push({ payload: unicodeEncode(payload), transform: "unicode", description: "Unicode escape sequences" });
-        break;
-      case TRANSFORM_TYPE.HTML_ENTITY_DEC:
-        variants.push({ payload: htmlEntityDec(payload), transform: "html_entity_dec", description: "HTML decimal entities" });
-        break;
-      case TRANSFORM_TYPE.HTML_ENTITY_HEX:
-        variants.push({ payload: htmlEntityHex(payload), transform: "html_entity_hex", description: "HTML hex entities" });
-        break;
-      case TRANSFORM_TYPE.HEX:
-        variants.push({ payload: hexEncode(payload), transform: "hex", description: "Hex encoded" });
-        break;
-      case TRANSFORM_TYPE.OCTAL:
-        variants.push({ payload: octalEncode(payload), transform: "octal", description: "Octal encoded" });
-        break;
-      case TRANSFORM_TYPE.BASE64:
-        variants.push({ payload: base64Encode(payload), transform: "base64", description: "Base64 encoded" });
-        break;
-      case TRANSFORM_TYPE.CASE_SWAP:
-        for (let i = 0; i < 3; i++) {
-          variants.push({ payload: caseSwap(payload), transform: "case_swap", description: `Case variation ${i + 1}` });
-        }
-        break;
-      case TRANSFORM_TYPE.COMMENT_INSERT:
-        variants.push({ payload: commentInsert(payload), transform: "comment_insert", description: "SQL comments in keywords" });
-        break;
-      case TRANSFORM_TYPE.WHITESPACE_ALT:
-        variants.push({ payload: whitespaceAlt(payload), transform: "whitespace_alt", description: "Alternative whitespace chars" });
-        variants.push({ payload: payload.replace(/ /g, "/**/"), transform: "whitespace_comment", description: "Comment as whitespace" });
-        variants.push({ payload: payload.replace(/ /g, "+"), transform: "whitespace_plus", description: "Plus as whitespace" });
-        break;
-      case TRANSFORM_TYPE.CHAR_FUNCTION:
-        variants.push({ payload: charFunction(payload, "mysql"), transform: "char_mysql", description: "MySQL CHAR() encoding" });
-        variants.push({ payload: charFunction(payload, "mssql"), transform: "char_mssql", description: "MSSQL CHAR() encoding" });
-        variants.push({ payload: charFunction(payload, "pg"), transform: "char_pg", description: "PostgreSQL CHR() encoding" });
-        break;
-      case TRANSFORM_TYPE.CONCAT_SPLIT:
-        variants.push({ payload: concatSplit(payload), transform: "concat_split", description: "String split via CONCAT" });
-        break;
-      case TRANSFORM_TYPE.NULL_BYTE:
-        variants.push({ payload: nullByteAppend(payload), transform: "null_byte", description: "Null byte appended" });
-        variants.push({ payload: payload + "%00.jpg", transform: "null_byte_ext", description: "Null byte + fake extension" });
-        break;
-      case TRANSFORM_TYPE.REVERSE:
-        variants.push({ payload: reversePayload(payload), transform: "reverse", description: "Reversed (use with rev | sh)" });
-        break;
-      case TRANSFORM_TYPE.UTF8_OVERLONG:
-        variants.push({ payload: utf8Overlong(payload), transform: "utf8_overlong", description: "UTF-8 overlong sequences" });
-        break;
-      case TRANSFORM_TYPE.MIXED_ENCODING:
-        variants.push({ payload: mixedEncoding(payload), transform: "mixed_encoding", description: "Mixed encoding (partial)" });
-        break;
-      case TRANSFORM_TYPE.TAG_ALTERNATIVE:
-      case TRANSFORM_TYPE.EVENT_HANDLER:
-      case TRANSFORM_TYPE.JS_ALTERNATIVE:
-        variants.push(...generateXssAlternatives(payload));
-        break;
-      case TRANSFORM_TYPE.KEYWORD_BYPASS:
-        variants.push({ payload: keywordBypass(payload), transform: "keyword_bypass", description: "Quote-inserted keyword bypass" });
-        variants.push({ payload: spaceBypass(payload), transform: "space_bypass", description: "$IFS space bypass" });
-        break;
-      case TRANSFORM_TYPE.SPACE_BYPASS:
-        variants.push({ payload: payload.replace(/ /g, "${IFS}"), transform: "ifs", description: "$IFS space bypass" });
-        variants.push({ payload: payload.replace(/ /g, "%09"), transform: "tab", description: "Tab space bypass" });
-        variants.push({ payload: payload.replace(/ /g, "<"), transform: "redirect", description: "Redirect as separator" });
-        const parts = payload.split(" ");
-        if (parts.length >= 2) {
-          variants.push({ payload: `{${parts.join(",")}}`, transform: "brace", description: "Brace expansion" });
-        }
-        break;
+    const handler = TRANSFORM_STRATEGIES[transform];
+    if (handler) {
+      handler(payload, variants);
     }
   }
   if (context.startsWith("sql")) {
     variants.push(...generateSqlAlternatives(payload));
   }
-  recommendations.push(...getContextRecommendations(context, variants.length));
+  const recommendations = getContextRecommendations(context, variants.length);
   return {
     variants: variants.slice(0, maxVariants),
     recommendations
@@ -9324,8 +9594,8 @@ async function executeGetWordlists(p) {
   };
   const matchesSearch = (filePath, fileName) => {
     if (!search) return true;
-    const q = search.toLowerCase();
-    return fileName.toLowerCase().includes(q) || filePath.toLowerCase().includes(q);
+    const q2 = search.toLowerCase();
+    return fileName.toLowerCase().includes(q2) || filePath.toLowerCase().includes(q2);
   };
   const results = ["# Available Wordlists on System\n"];
   let totalCount = 0;
@@ -10653,7 +10923,7 @@ async function executeGoogleDork(args) {
   const output = [
     `=== Google Dork Queries for ${d} ===`,
     "",
-    ...selected.map((q, i) => `${i + 1}. https://www.google.com/search?q=${encodeURIComponent(q)}`),
+    ...selected.map((q2, i) => `${i + 1}. https://www.google.com/search?q=${encodeURIComponent(q2)}`),
     "",
     "Paste these URLs into a browser to search manually.",
     "Tip: Also try: https://pentest-tools.com/information-gathering/google-hacking"
@@ -10908,6 +11178,51 @@ function logSuccessfulAction(state, toolCall, approval, result) {
   });
 }
 
+// src/engine/parsers/security.ts
+function extractCredentials(output) {
+  const creds = [];
+  const patterns = [
+    // user:password from hydra, medusa, etc.
+    { regex: /login:\s*(\S+)\s+password:\s*(\S+)/gi, type: "password" },
+    // user:hash from hashdump, secretsdump, etc.
+    { regex: /(\S+):(\d+):([a-f0-9]{32}):([a-f0-9]{32})/g, type: "hash" },
+    // Generic user:pass pattern
+    { regex: /(?:username|user|login)\s*[:=]\s*['"]?(\S+?)['"]?\s+(?:password|pass|pwd)\s*[:=]\s*['"]?(\S+?)['"]?/gi, type: "password" },
+    // Database connection strings
+    { regex: /(?:postgres|mysql|mongodb):\/\/([^:]+):([^@]+)@/g, type: "password" },
+    // API tokens/keys
+    { regex: /(?:api[_-]?key|token|secret|bearer)\s*[:=]\s*['"]?([a-zA-Z0-9_\-]{20,})['"]?/gi, type: "token" }
+  ];
+  for (const { regex, type } of patterns) {
+    let match;
+    while ((match = regex.exec(output)) !== null) {
+      const username = match[1] || "unknown";
+      const credential = match[2] || match[1];
+      if (credential && !creds.some((c) => c.username === username && c.credential === credential)) {
+        creds.push({ username, credential, type, source: "auto-extracted" });
+      }
+    }
+  }
+  return creds;
+}
+function extractVulnerabilities(output) {
+  const vulns = [];
+  const cveRegex = /CVE-\d{4}-\d{4,}/g;
+  let match;
+  while ((match = cveRegex.exec(output)) !== null) {
+    const cveId = match[0];
+    if (!vulns.some((v) => v.id === cveId)) {
+      vulns.push({
+        id: cveId,
+        severity: "unknown",
+        description: `${cveId} referenced in output`,
+        hasExploit: /exploit|poc|proof.of.concept/i.test(output)
+      });
+    }
+  }
+  return vulns;
+}
+
 // src/engine/parsers/types.ts
 var PORT_STATE2 = {
   OPEN: "open",
@@ -10977,51 +11292,6 @@ function extractFuzzStructured(output) {
   };
 }
 
-// src/engine/parsers/security.ts
-function extractCredentials(output) {
-  const creds = [];
-  const patterns = [
-    // user:password from hydra, medusa, etc.
-    { regex: /login:\s*(\S+)\s+password:\s*(\S+)/gi, type: "password" },
-    // user:hash from hashdump, secretsdump, etc.
-    { regex: /(\S+):(\d+):([a-f0-9]{32}):([a-f0-9]{32})/g, type: "hash" },
-    // Generic user:pass pattern
-    { regex: /(?:username|user|login)\s*[:=]\s*['"]?(\S+?)['"]?\s+(?:password|pass|pwd)\s*[:=]\s*['"]?(\S+?)['"]?/gi, type: "password" },
-    // Database connection strings
-    { regex: /(?:postgres|mysql|mongodb):\/\/([^:]+):([^@]+)@/g, type: "password" },
-    // API tokens/keys
-    { regex: /(?:api[_-]?key|token|secret|bearer)\s*[:=]\s*['"]?([a-zA-Z0-9_\-]{20,})['"]?/gi, type: "token" }
-  ];
-  for (const { regex, type } of patterns) {
-    let match;
-    while ((match = regex.exec(output)) !== null) {
-      const username = match[1] || "unknown";
-      const credential = match[2] || match[1];
-      if (credential && !creds.some((c) => c.username === username && c.credential === credential)) {
-        creds.push({ username, credential, type, source: "auto-extracted" });
-      }
-    }
-  }
-  return creds;
-}
-function extractVulnerabilities(output) {
-  const vulns = [];
-  const cveRegex = /CVE-\d{4}-\d{4,}/g;
-  let match;
-  while ((match = cveRegex.exec(output)) !== null) {
-    const cveId = match[0];
-    if (!vulns.some((v) => v.id === cveId)) {
-      vulns.push({
-        id: cveId,
-        severity: "unknown",
-        description: `${cveId} referenced in output`,
-        hasExploit: /exploit|poc|proof.of.concept/i.test(output)
-      });
-    }
-  }
-  return vulns;
-}
-
 // src/shared/utils/binary-analysis/types.ts
 var RELRO_STATUS = {
   NO: "no",
@@ -11124,45 +11394,42 @@ function formatBinaryAnalysis(info) {
   return lines.join("\n");
 }
 
-// src/engine/parsers/index.ts
-function autoExtractStructured(toolName, output) {
-  if (!output || output.length < 10) return null;
-  const data = {};
-  let hasData = false;
-  const creds = extractCredentials(output);
-  if (creds && creds.length > 0) {
-    data.credentials = creds;
-    hasData = true;
-  }
-  const vulns = extractVulnerabilities(output);
-  if (vulns && vulns.length > 0) {
-    data.vulnerabilities = vulns;
-    hasData = true;
-  }
+// src/engine/parsers/auto-extractors.ts
+function extractNmapData(toolName, output, data) {
   if (toolName === TOOL_NAMES.PARSE_NMAP || /nmap scan report/i.test(output)) {
     const nmap = extractNmapStructured(output);
     if (nmap.structured.openPorts && nmap.structured.openPorts.length > 0) {
       data.openPorts = nmap.structured.openPorts;
       data.hosts = nmap.structured.hosts;
-      hasData = true;
+      return true;
     }
   }
+  return false;
+}
+function extractFuzzData(output, data) {
   if (/gobuster|ffuf|feroxbuster|dirbuster/i.test(output)) {
     const fuzz = extractFuzzStructured(output);
     if (fuzz.structured.paths && fuzz.structured.paths.length > 0) {
       data.paths = fuzz.structured.paths;
-      hasData = true;
+      return true;
     }
   }
+  return false;
+}
+function extractBinaryData(output, data) {
   if (/canary|RELRO|NX|PIE|Stack|FORTIFY/i.test(output) && /enabled|disabled|found|no /i.test(output)) {
     const binaryInfo = parseChecksec(output);
     if (binaryInfo.arch || binaryInfo.canary !== void 0 || binaryInfo.nx !== void 0) {
       data.binaryInfo = binaryInfo;
       data.binaryAnalysisSummary = formatBinaryAnalysis(binaryInfo);
-      hasData = true;
+      return true;
     }
   }
+  return false;
+}
+function extractOsintData(toolName, output, data) {
   if (toolName === TOOL_NAMES.WHOIS_LOOKUP || toolName === TOOL_NAMES.DNS_RECON || toolName === TOOL_NAMES.SUBDOMAIN_ENUM || toolName === TOOL_NAMES.HARVESTER || toolName === TOOL_NAMES.CERT_TRANSPARENCY) {
+    let hasData = false;
     const ipMatches = output.match(/\b(?:\d{1,3}\.){3}\d{1,3}\b/g);
     if (ipMatches && ipMatches.length > 0) {
       data.discoveredIPs = [...new Set(ipMatches)].slice(0, 50);
@@ -11173,21 +11440,52 @@ function autoExtractStructured(toolName, output) {
       data.discoveredSubdomains = [...new Set(subMatches)].slice(0, 100);
       hasData = true;
     }
+    return hasData;
   }
+  return false;
+}
+function extractCryptoData(toolName, output, data) {
   if (toolName === TOOL_NAMES.RSA_ANALYZE || toolName === TOOL_NAMES.HASH_IDENTIFY || toolName === TOOL_NAMES.PADDING_ORACLE_CHECK) {
     const weaknessMatches = output.match(/(?:FERMAT_FACTORED|SMALL_E|WEAK_N|Padding Oracle|hash type|cracked)[^\n]*/gi);
     if (weaknessMatches && weaknessMatches.length > 0) {
       data.cryptoWeaknesses = weaknessMatches.slice(0, 10);
-      hasData = true;
+      return true;
     }
   }
+  return false;
+}
+function extractForensicsData(toolName, output, data) {
   if (toolName === TOOL_NAMES.BINWALK_ANALYZE || toolName === TOOL_NAMES.STEGHIDE_EXTRACT || toolName === TOOL_NAMES.ZSTEG_ANALYZE || toolName === TOOL_NAMES.STEGSEEK) {
     const stegoMatches = output.match(/(?:JPEG|PNG|ZIP|embedded|hidden|extracted|passphrase|found)[^\n]*/gi);
     if (stegoMatches && stegoMatches.length > 0) {
       data.stegoHints = stegoMatches.slice(0, 10);
-      hasData = true;
+      return true;
     }
   }
+  return false;
+}
+
+// src/engine/parsers/index.ts
+function autoExtractStructured(toolName, output) {
+  if (!output || output.length < 10) return null;
+  const data = {};
+  let hasData = false;
+  const creds = extractCredentials(output);
+  if (creds && creds.length > 0) {
+    data.credentials = creds;
+    hasData = true;
+  }
+  const vulns = extractVulnerabilities(output);
+  if (vulns && vulns.length > 0) {
+    data.vulnerabilities = vulns;
+    hasData = true;
+  }
+  if (extractNmapData(toolName, output, data)) hasData = true;
+  if (extractFuzzData(output, data)) hasData = true;
+  if (extractBinaryData(output, data)) hasData = true;
+  if (extractOsintData(toolName, output, data)) hasData = true;
+  if (extractCryptoData(toolName, output, data)) hasData = true;
+  if (extractForensicsData(toolName, output, data)) hasData = true;
   return hasData ? data : null;
 }
 
@@ -11345,7 +11643,7 @@ function runPostExecutionPipeline(state, toolCall, result) {
 // src/engine/tool-registry/core.ts
 function validateRequiredParams(tool, input) {
   if (!tool.required || tool.required.length === 0) return [];
-  return tool.required.filter((param2) => !(param2 in input) || input[param2] === void 0);
+  return tool.required.filter((param2) => !(param2 in input) || input[param2] == null);
 }
 var ToolRegistry = class {
   constructor(state, scopeGuard, approvalGate, events) {
@@ -11553,7 +11851,16 @@ After completion: record key loot/findings from the sub-agent output to canonica
       task: { type: "string", description: "Delegated task goal" },
       target: { type: "string", description: "Optional target IP/URL/path" },
       context: { type: "string", description: "Optional extra context" },
-      time_limit_min: { type: "number", description: "Optional hint only" }
+      time_limit_min: { type: "number", description: "Optional hint only" },
+      worker_type: {
+        type: "string",
+        enum: ["general", "shell-supervisor", "exploit", "pwn"],
+        description: "Optional worker specialization for the delegated task"
+      },
+      resume_task_id: {
+        type: "string",
+        description: "Optional delegated task ID to resume/continue instead of creating a fresh chain"
+      }
     },
     required: ["task"],
     execute: async (params) => {
@@ -11568,18 +11875,43 @@ After completion: record key loot/findings from the sub-agent output to canonica
         task: params["task"],
         target: params["target"],
         context: params["context"],
-        timeLimitMin: params["time_limit_min"]
+        timeLimitMin: params["time_limit_min"],
+        workerType: params["worker_type"],
+        resumeTaskId: params["resume_task_id"]
       };
-      const { AgentTool } = await import("./agent-tool-HYQGTZC4.js");
+      const { AgentTool } = await import("./agent-tool-JEFUBDZE.js");
       const executor = new AgentTool(state, events, scopeGuard, approvalGate);
       const result = await executor.execute(input);
+      state.recordDelegatedTask({
+        task: input.task,
+        target: input.target,
+        context: input.context,
+        resumeTaskId: input.resumeTaskId,
+        workerType: input.workerType,
+        status: result.status,
+        summary: result.summary,
+        tried: result.tried,
+        findings: result.findings,
+        loot: result.loot,
+        sessions: result.sessions,
+        assets: result.assets,
+        suggestedNext: result.suggestedNext,
+        waitingOn: result.waitingOn,
+        resumeHint: result.resumeHint,
+        nextWorkerType: result.nextWorkerType
+      });
       const lines = [
         `[Status] ${result.status}`,
         `[Summary] ${result.summary}`,
         result.findings.length ? `[Findings] ${result.findings.join(" | ")}` : "",
         result.loot.length ? `[Loot] ${result.loot.join(" | ")}` : "",
         result.sessions.length ? `[Sessions] ${result.sessions.join(", ")}` : "",
+        result.assets.length ? `[Assets] ${result.assets.join(" | ")}` : "",
         result.tried.length ? `[Tried] ${result.tried.join(" | ")}` : "",
+        input.resumeTaskId ? `[ResumedFrom] ${input.resumeTaskId}` : "",
+        result.waitingOn ? `[Waiting] ${result.waitingOn}` : "",
+        result.resumeHint ? `[Resume] ${result.resumeHint}` : "",
+        result.nextWorkerType ? `[NextWorker] ${result.nextWorkerType}` : "",
         result.suggestedNext ? `[Next] ${result.suggestedNext}` : ""
       ].filter(Boolean);
       return { success: true, output: lines.join("\n") };
@@ -11618,6 +11950,18 @@ var CategorizedToolRegistry = class extends ToolRegistry {
       TOOL_NAMES.READ_FILE,
       TOOL_NAMES.WRITE_FILE,
       TOOL_NAMES.BG_PROCESS,
+      TOOL_NAMES.LISTENER_START,
+      TOOL_NAMES.LISTENER_STATUS,
+      TOOL_NAMES.SHELL_PROMOTE,
+      TOOL_NAMES.SHELL_EXEC,
+      TOOL_NAMES.SHELL_CHECK,
+      TOOL_NAMES.SHELL_UPGRADE,
+      TOOL_NAMES.EXPLOIT_CREDENTIAL_CHECK,
+      TOOL_NAMES.EXPLOIT_ARTIFACT_CHECK,
+      TOOL_NAMES.EXPLOIT_FOOTHOLD_CHECK,
+      TOOL_NAMES.PWN_CRASH_REPRO,
+      TOOL_NAMES.PWN_OFFSET_CHECK,
+      TOOL_NAMES.PWN_PAYLOAD_SMOKE,
       TOOL_NAMES.PARSE_NMAP,
       TOOL_NAMES.SEARCH_CVE,
       TOOL_NAMES.WEB_SEARCH,
@@ -11666,6 +12010,110 @@ var CategorizedToolRegistry = class extends ToolRegistry {
   }
 };
 
+// src/engine/agent-tool/shell-supervisor-lifecycle.ts
+function hasConnectionSignal(processId, stdout) {
+  if (DETECTION_PATTERNS.CONNECTION.some((pattern) => pattern.test(stdout))) {
+    return true;
+  }
+  return getProcessEventLog().some(
+    (event) => event.processId === processId && event.event === PROCESS_EVENTS.CONNECTION_DETECTED
+  );
+}
+function getRecentCommandDetails(processId) {
+  return getProcessEventLog().filter((event) => event.processId === processId && event.event === PROCESS_EVENTS.COMMAND_SENT).slice(-10).map((event) => event.detail.toLowerCase());
+}
+function hasEvent(processId, eventName) {
+  return getProcessEventLog().some(
+    (event) => event.processId === processId && event.event === eventName
+  );
+}
+function isPtyUpgradeCommand(detail) {
+  return detail.includes("pty.spawn(") || detail.includes("import pty; pty.spawn(") || detail.includes("script -qc") || detail.includes("script -q /dev/null -c /bin/bash") || detail.includes("script /dev/null -c bash") || detail.includes("stty raw -echo") || detail.includes("export term=") || detail.includes("export shell=") || detail.includes("stty rows") || detail.includes("stty columns") || detail.includes("tty") || detail.includes("/usr/bin/expect -c") || detail.includes('exec "/bin/bash"');
+}
+function isShellStabilized(stdout, commandDetails) {
+  const normalized = stdout.toLowerCase();
+  return normalized.includes("xterm") || normalized.includes("rows") || normalized.includes("columns") || commandDetails.some(
+    (detail) => detail.includes("export term=") || detail.includes("export shell=") || detail.includes("stty rows") || detail.includes("stty columns")
+  );
+}
+function isPostExploitationCommand(detail) {
+  return detail.includes("sudo -l") || detail.includes("ip a") || detail.includes("ip route") || detail.includes("ps aux") || detail.includes("ss -tlnp") || detail.includes("netstat -tlnp") || detail.includes("env | grep") || detail.includes("find / -perm -4000") || detail.includes("getcap -r /") || detail.includes("cat /etc/os-release") || detail.includes("uname -a") || detail.includes("whoami && hostname");
+}
+function getShellSupervisorLifecycleSnapshot() {
+  const processes = listBackgroundProcesses().filter(
+    (process2) => process2.isRunning && (process2.role === PROCESS_ROLES.ACTIVE_SHELL || process2.role === PROCESS_ROLES.LISTENER)
+  );
+  const activeShell = processes.find((process2) => process2.role === PROCESS_ROLES.ACTIVE_SHELL);
+  if (activeShell) {
+    const output = getProcessOutput(activeShell.id);
+    const commandDetails = getRecentCommandDetails(activeShell.id);
+    if (commandDetails.some(isPostExploitationCommand)) {
+      return {
+        phase: "post_exploitation_active",
+        activeShellId: activeShell.id,
+        recommendation: `Active shell ${activeShell.id} is already in post-exploitation flow. Keep reusing it for controlled enumeration, privilege escalation checks, and pivot preparation.`
+      };
+    }
+    if (hasEvent(activeShell.id, PROCESS_EVENTS.SHELL_STABILIZED) || output && isShellStabilized(output.stdout, commandDetails)) {
+      return {
+        phase: "active_shell_stabilized",
+        activeShellId: activeShell.id,
+        recommendation: `Active shell ${activeShell.id} appears stabilized. Reuse it for controlled enumeration and follow-up operations.`
+      };
+    }
+    if (hasEvent(activeShell.id, PROCESS_EVENTS.SHELL_UPGRADE_ATTEMPTED) || commandDetails.some(isPtyUpgradeCommand)) {
+      return {
+        phase: "active_shell_stabilizing",
+        activeShellId: activeShell.id,
+        recommendation: `Active shell ${activeShell.id} is in PTY stabilization flow. Verify TERM/TTY quality, then continue controlled enumeration.`
+      };
+    }
+    return {
+      phase: "active_shell_ready",
+      activeShellId: activeShell.id,
+      recommendation: `Reuse active shell ${activeShell.id}, validate stability, and upgrade PTY before broad enumeration.`
+    };
+  }
+  const listeners = processes.filter((process2) => process2.role === PROCESS_ROLES.LISTENER);
+  for (const listener of listeners) {
+    const output = getProcessOutput(listener.id);
+    if (!output) continue;
+    if (hasConnectionSignal(listener.id, output.stdout)) {
+      return {
+        phase: "listener_callback_detected",
+        listenerId: listener.id,
+        recommendation: `Listener ${listener.id} has a callback signal. Confirm status, promote immediately, then validate and stabilize the shell.`
+      };
+    }
+  }
+  if (listeners.length > 0) {
+    return {
+      phase: "listener_waiting",
+      listenerId: listeners[0]?.id,
+      recommendation: `Reuse listener ${listeners[0]?.id} and keep polling for a callback instead of opening a duplicate listener.`
+    };
+  }
+  return {
+    phase: "no_asset",
+    recommendation: "No shell or listener asset is active. Create exactly one listener only if the callback path still requires it."
+  };
+}
+function buildShellSupervisorLifecycleSection() {
+  const snapshot = getShellSupervisorLifecycleSnapshot();
+  const lines = [
+    "## Shell Supervisor Lifecycle",
+    `Current phase: ${snapshot.phase}`,
+    `Recommendation: ${snapshot.recommendation}`
+  ];
+  if (snapshot.activeShellId) {
+    lines.push(`Active shell: ${snapshot.activeShellId}`);
+  }
+  if (snapshot.listenerId) {
+    lines.push(`Tracked listener: ${snapshot.listenerId}`);
+  }
+  return lines.join("\n");
+}
+
 export {
   ENV_KEYS,
   DEFAULT_MODEL,
@@ -11680,6 +12128,8 @@ export {
   HealthMonitor,
   ZombieHunter,
   getLLMClient,
+  getGlobalRequestCount,
+  getGlobalTokenUsage,
   createContextExtractor,
   parseTurnNumbers,
   rotateTurnRecords,
@@ -11706,5 +12156,7 @@ export {
   formatChallengeAnalysis,
   setCurrentTurn,
   CoreAgent,
+  getShellSupervisorLifecycleSnapshot,
+  buildShellSupervisorLifecycleSection,
   CategorizedToolRegistry
 };