pentesting 0.73.8 → 0.73.10

package/dist/{chunk-DN7INJ7C.js → chunk-OP3YVCKB.js}

@@ -4,6 +4,7 @@ import {
   APPROVAL_STATUSES,
   ATTACK_TACTICS,
   ATTACK_VALUE_RANK,
+  AttackGraph,
   CATEGORY_APPROVAL,
   CONFIDENCE_THRESHOLDS,
   DANGER_LEVELS,
@@ -41,6 +42,9 @@ import {
   WORKSPACE,
   WORK_DIR,
   WorkingMemory,
+  buildCampaignMemorySummary,
+  buildMemoryBranchIndex,
+  buildSnapshotResumeHints,
   cleanupAllProcesses,
   createTempFile,
   debugLog,
@@ -52,6 +56,7 @@ import {
   getProcessOutput,
   getTorBrowserArgs,
   getUsedPorts,
+  isBranchMemoryEnabled,
   listBackgroundProcesses,
   llmNodeCooldownPolicy,
   llmNodeOutputParsing,
@@ -64,7 +69,7 @@ import {
   startBackgroundProcess,
   stopBackgroundProcess,
   writeFileContent
-} from "./chunk-26G2YIOA.js";
+} from "./chunk-TFYJWIQF.js";
 import {
   DETECTION_PATTERNS,
   HEALTH_CONFIG,
@@ -78,7 +83,7 @@ import {
   __require,
   getProcessEventLog,
   logEvent
-} from "./chunk-KAUE3MSR.js";
+} from "./chunk-S5ZMXFHR.js";
 
 // src/shared/utils/config/env.ts
 var ENV_KEYS = {
@@ -2458,7 +2463,9 @@ function validateFinding(evidence) {
 }
 
 // src/agents/tool-executor/result-handler/journal.ts
+var TOOL_SIGNAL_OUTPUT_LIMIT = 180;
 function recordJournalMemo(call, result, contextOutputForLLM, digestResult, turnState, state) {
+  state.lastToolSignal = buildLatestToolSignal(call, result, digestResult);
   turnState.toolJournal.push({
     name: call.name,
     inputSummary: JSON.stringify(call.input),
@@ -2534,6 +2541,30 @@ function recordJournalMemo(call, result, contextOutputForLLM, digestResult, turn
     state.setPhase(PHASES.VULN_ANALYSIS);
   }
 }
+function buildLatestToolSignal(call, result, digestResult) {
+  const input = JSON.stringify(call.input);
+  const outputPreview = summarizeToolSignalField(result.output, TOOL_SIGNAL_OUTPUT_LIMIT);
+  const keyFindings = digestResult?.memo?.keyFindings?.slice(0, 2).join("; ") ?? "";
+  const nextSteps = digestResult?.memo?.nextSteps?.slice(0, 2).join("; ") ?? "";
+  return [
+    `tool=${call.name}`,
+    `success=${result.success ? "true" : "false"}`,
+    input ? `input=${input}` : "",
+    outputPreview ? `output=${outputPreview}` : "",
+    keyFindings ? `findings=${keyFindings}` : "",
+    nextSteps ? `next=${nextSteps}` : ""
+  ].filter(Boolean).join(" | ");
+}
+function summarizeToolSignalField(value, limit) {
+  const normalized = value.replace(/\s+/g, " ").trim();
+  if (!normalized) {
+    return "";
+  }
+  if (normalized.length <= limit) {
+    return normalized;
+  }
+  return `${normalized.slice(0, limit - 3)}...`;
+}
 
 // src/agents/tool-executor/parallel-executor.ts
 async function processToolCalls(toolCalls, deps, progress) {
@@ -6701,989 +6732,6 @@ function createTriager(llm) {
   return new Triager(llm);
 }
 
-// src/shared/utils/attack-graph/types.ts
-var GRAPH_STATUS = {
-  NEEDS_SEARCH: "needs_search",
-  POTENTIAL: "potential"
-};
-var GRAPH_LIMITS = {
-  /** Maximum recommended attack chains to return */
-  MAX_CHAINS: 10,
-  /** Maximum chains to show in prompt */
-  PROMPT_CHAINS: 5,
-  /** Maximum unexploited vulns to show in prompt */
-  PROMPT_VULNS: 5,
-  /** Maximum failed paths to show in prompt */
-  PROMPT_FAILED: 5,
-  /** Maximum DFS depth for chain discovery */
-  MAX_CHAIN_DEPTH: 6,
-  /** Maximum nodes to display in ASCII graph */
-  ASCII_MAX_NODES: 30
-};
-var NODE_TYPE = {
-  HOST: "host",
-  SERVICE: "service",
-  CREDENTIAL: "credential",
-  VULNERABILITY: "vulnerability",
-  ACCESS: "access",
-  LOOT: "loot",
-  OSINT: "osint",
-  // ─── Active Directory Node Types (2차 — Hard/Insane support) ───
-  /** AD domain object (e.g. DOMAIN.LOCAL) */
-  DOMAIN: "domain",
-  /** AD user or computer account */
-  USER_ACCOUNT: "user-account",
-  /** Group Policy Object — may grant code exec if writable */
-  GPO: "gpo",
-  /** ACL entry — WriteDACL/GenericAll/etc. on another object */
-  ACL: "acl",
-  /** ADCS certificate template — ESC1-13 attack surface */
-  CERTIFICATE_TEMPLATE: "certificate-template"
-};
-var NODE_STATUS = {
-  DISCOVERED: "discovered",
-  ATTEMPTED: "attempted",
-  SUCCEEDED: "succeeded",
-  FAILED: "failed"
-};
-var EDGE_STATUS = {
-  UNTESTED: "untested",
-  TESTING: "testing",
-  SUCCEEDED: "succeeded",
-  FAILED: "failed"
-};
-var IMPACT_WEIGHT = {
-  critical: 4,
-  high: 3,
-  medium: 2,
-  low: 1
-};
-
-// src/shared/utils/attack-graph/node.ts
-function generateNodeId(type, label) {
-  return `${type}:${label}`.toLowerCase().replace(/\s+/g, "_");
-}
-function createNode(type, label, data = {}, status = NODE_STATUS.DISCOVERED) {
-  const id = generateNodeId(type, label);
-  return {
-    id,
-    type,
-    label,
-    data,
-    status,
-    discoveredAt: Date.now()
-  };
-}
-function canMarkAttempted(node) {
-  return node.status === NODE_STATUS.DISCOVERED;
-}
-
-// src/shared/utils/attack-graph/edge.ts
-function createEdge(from, to, relation, confidence = 0.5, status = EDGE_STATUS.UNTESTED) {
-  return {
-    from,
-    to,
-    relation,
-    confidence,
-    status
-  };
-}
-function edgeExists(edges, fromId, toId, relation) {
-  return edges.some(
-    (e) => e.from === fromId && e.to === toId && e.relation === relation
-  );
-}
-function getIncomingEdges(edges, nodeId) {
-  return edges.filter((e) => e.to === nodeId);
-}
-function markEdgeSucceeded(edge) {
-  return {
-    ...edge,
-    status: EDGE_STATUS.SUCCEEDED
-  };
-}
-function markEdgeFailed(edge, reason) {
-  return {
-    ...edge,
-    status: EDGE_STATUS.FAILED,
-    failReason: reason
-  };
-}
-function isTestableEdge(edge) {
-  return edge.status === EDGE_STATUS.UNTESTED || edge.status === EDGE_STATUS.TESTING;
-}
-
-// src/shared/utils/attack-graph/factories/host-service.ts
-function createHostNode(ip, hostname) {
-  return createNode(NODE_TYPE.HOST, ip, { ip, hostname });
-}
-function createServiceNode(host, port, service, version) {
-  const hostId = generateNodeId(NODE_TYPE.HOST, host);
-  const node = createNode(
-    NODE_TYPE.SERVICE,
-    `${host}:${port}`,
-    { host, port, service, version }
-  );
-  const hostEdge = createEdge(hostId, node.id, "has_service", 0.95);
-  return { node, hostEdge };
-}
-function findTargetServices(nodes, target) {
-  const results = [];
-  for (const node of nodes.values()) {
-    if (node.type === NODE_TYPE.SERVICE && node.label.includes(target)) {
-      results.push(node);
-    }
-  }
-  return results;
-}
-
-// src/shared/utils/attack-graph/factories/credential-exploit.ts
-var AUTH_SERVICES = [
-  "ssh",
-  "ftp",
-  "rdp",
-  "smb",
-  "http",
-  "mysql",
-  "postgresql",
-  "mssql",
-  "winrm",
-  "vnc",
-  "telnet"
-];
-var HIGH_PRIVILEGE_LEVELS = ["root", "admin", "SYSTEM", "Administrator"];
-function createCredentialNode(username, password, source) {
-  return createNode(
-    NODE_TYPE.CREDENTIAL,
-    `${username}:***`,
-    { username, password, source }
-  );
-}
-function createCredentialSprayEdges(credId, nodes) {
-  const edges = [];
-  for (const [id, node] of nodes) {
-    if (node.type === NODE_TYPE.SERVICE) {
-      const svc = String(node.data.service || "");
-      if (AUTH_SERVICES.some((s) => svc.includes(s))) {
-        edges.push(createEdge(credId, id, "can_try_on", 0.6));
-      }
-    }
-  }
-  return edges;
-}
-function createVulnerabilityNode(title, target, severity, hasExploit = false) {
-  return createNode(
-    NODE_TYPE.VULNERABILITY,
-    title,
-    { target, severity, hasExploit }
-  );
-}
-function createVersionSearchNode(service, version) {
-  return createNode(
-    NODE_TYPE.VULNERABILITY,
-    `CVE search: ${service} ${version}`,
-    { service, version, status: GRAPH_STATUS.NEEDS_SEARCH }
-  );
-}
-function createAccessNode(host, level, via) {
-  return createNode(
-    NODE_TYPE.ACCESS,
-    `${level}@${host}`,
-    { host, level, via }
-  );
-}
-function createPotentialAccessNode(exploitTitle) {
-  return createNode(
-    NODE_TYPE.ACCESS,
-    `shell via ${exploitTitle}`,
-    { via: exploitTitle, status: GRAPH_STATUS.POTENTIAL }
-  );
-}
-function isHighPrivilege(level) {
-  return HIGH_PRIVILEGE_LEVELS.includes(level);
-}
-
-// src/shared/utils/attack-graph/factories/osint-loot.ts
-function createLootNode(host) {
-  return createNode(
-    NODE_TYPE.LOOT,
-    `flags on ${host}`,
-    { host, status: GRAPH_STATUS.NEEDS_SEARCH }
-  );
-}
-function createOSINTNode(category, detail, data = {}) {
-  return createNode(
-    NODE_TYPE.OSINT,
-    `${category}: ${detail}`,
-    { category, detail, ...data }
-  );
-}
-function findOSINTRelatedNodes(nodes, detail) {
-  const results = [];
-  for (const [id, node] of nodes) {
-    if (node.type === NODE_TYPE.HOST || node.type === NODE_TYPE.SERVICE) {
-      const hostIp = String(node.data.ip || node.data.host || "");
-      const hostname = String(node.data.hostname || "");
-      if (hostIp && detail.includes(hostIp) || hostname && detail.includes(hostname)) {
-        results.push({ id, node });
-      }
-    }
-  }
-  return results;
-}
-function formatFailedPath(from, to, reason) {
-  return `${from} \u2192 ${to}${reason ? ` (${reason})` : ""}`;
-}
-function formatFailedNode(label, reason) {
-  return `${label}${reason ? ` (${reason})` : ""}`;
-}
-
-// src/shared/utils/attack-graph/chain-discovery.ts
-var IMPACT_WEIGHT_MAP = {
-  [NODE_TYPE.LOOT]: SEVERITIES.CRITICAL,
-  [NODE_TYPE.DOMAIN]: SEVERITIES.CRITICAL,
-  [NODE_TYPE.CERTIFICATE_TEMPLATE]: SEVERITIES.HIGH
-};
-function recommendChains(nodes, edges) {
-  const chains = [];
-  const visited = /* @__PURE__ */ new Set();
-  const goalTypes = [
-    NODE_TYPE.ACCESS,
-    NODE_TYPE.LOOT,
-    NODE_TYPE.DOMAIN,
-    NODE_TYPE.CERTIFICATE_TEMPLATE
-  ];
-  const entryNodeTypes = [
-    NODE_TYPE.HOST,
-    NODE_TYPE.SERVICE,
-    NODE_TYPE.CREDENTIAL,
-    NODE_TYPE.OSINT
-  ];
-  const entryNodes = Array.from(nodes.values()).filter(
-    (n) => entryNodeTypes.includes(n.type)
-  );
-  const ctx = { nodes, edges, goalTypes, results: chains };
-  for (const entry of entryNodes) {
-    visited.clear();
-    dfsChains(entry.id, [], [], visited, ctx);
-  }
-  return prioritizeChains(chains);
-}
-function prioritizeChains(chains) {
-  const seen = /* @__PURE__ */ new Set();
-  const unique = chains.filter((c) => {
-    if (seen.has(c.description)) return false;
-    seen.add(c.description);
-    return true;
-  });
-  unique.sort(
-    (a, b) => b.probability * (IMPACT_WEIGHT[b.impact] || 1) - a.probability * (IMPACT_WEIGHT[a.impact] || 1)
-  );
-  return unique.slice(0, GRAPH_LIMITS.MAX_CHAINS);
-}
-function dfsChains(nodeId, path2, pathEdges, visited, ctx) {
-  const { nodes, edges, goalTypes, results } = ctx;
-  const node = nodes.get(nodeId);
-  if (!node || visited.has(nodeId) || path2.length >= GRAPH_LIMITS.MAX_CHAIN_DEPTH || node.status === NODE_STATUS.FAILED) {
-    return;
-  }
-  visited.add(nodeId);
-  path2.push(node);
-  if (isGoalReached(node, goalTypes, path2)) {
-    results.push(buildChain(path2, pathEdges, node));
-  }
-  const outEdges = edges.filter((e) => e.from === nodeId && e.status !== EDGE_STATUS.FAILED);
-  for (const edge of outEdges) {
-    dfsChains(edge.to, path2, [...pathEdges, edge], visited, ctx);
-  }
-  path2.pop();
-  visited.delete(nodeId);
-}
-function isGoalReached(node, goalTypes, path2) {
-  return goalTypes.includes(node.type) && node.status !== NODE_STATUS.SUCCEEDED && path2.length > 1;
-}
-function buildChain(path2, edges, targetNode) {
-  return {
-    steps: [...path2],
-    edges: [...edges],
-    description: path2.map((n) => n.label).join(" \u2192 "),
-    probability: edges.reduce((acc, e) => acc * e.confidence, 1),
-    impact: estimateImpact(targetNode),
-    length: path2.length
-  };
-}
-function estimateImpact(node) {
-  if (IMPACT_WEIGHT_MAP[node.type]) return IMPACT_WEIGHT_MAP[node.type];
-  if (node.type === NODE_TYPE.ACCESS) {
-    const level = String(node.data.level || "");
-    return ["root", "SYSTEM", "Administrator", "admin"].includes(level) ? SEVERITIES.CRITICAL : SEVERITIES.HIGH;
-  }
-  if (node.type === NODE_TYPE.VULNERABILITY) {
-    const sev = String(node.data.severity || "").toLowerCase();
-    if (sev === "critical") return SEVERITIES.CRITICAL;
-    if (sev === "high") return SEVERITIES.HIGH;
-    if (sev === "medium") return SEVERITIES.MEDIUM;
-  }
-  return SEVERITIES.LOW;
-}
-function extractSuccessfulChain(nodes, edges) {
-  const succeededNodes = Array.from(nodes.values()).filter((n) => n.status === NODE_STATUS.SUCCEEDED);
-  if (succeededNodes.length < 2) return null;
-  const succeededEdges = edges.filter((e) => e.status === EDGE_STATUS.SUCCEEDED);
-  const { chainLabels, toolsUsed } = traceSucceededPath(succeededNodes, succeededEdges, nodes);
-  if (chainLabels.length < 2) return null;
-  const serviceProfile = succeededNodes.length > 0 ? succeededNodes.map((n) => abstractifyLabel(n.label)).filter(Boolean).join(" + ") : "unknown";
-  return {
-    serviceProfile,
-    chainSummary: chainLabels.join(" \u2192 "),
-    toolsUsed: [...new Set(toolsUsed.filter(Boolean))]
-  };
-}
-function traceSucceededPath(succeededNodes, succeededEdges, nodes) {
-  const labels = [];
-  const tools = [];
-  const visited = /* @__PURE__ */ new Set();
-  const incomingTargets = new Set(succeededEdges.map((e) => e.to));
-  const entryNodes = succeededNodes.filter((n) => !incomingTargets.has(n.id));
-  const queue = entryNodes.length > 0 ? [entryNodes[0]] : [succeededNodes[0]];
-  while (queue.length > 0) {
-    const current = queue.shift();
-    if (visited.has(current.id)) continue;
-    visited.add(current.id);
-    labels.push(abstractifyLabel(current.label));
-    if (current.technique) tools.push(current.technique.split(" ")[0]);
-    const nextEdges = succeededEdges.filter((e) => e.from === current.id);
-    for (const edge of nextEdges) {
-      const nextNode = nodes.get(edge.to);
-      if (nextNode?.status === NODE_STATUS.SUCCEEDED) {
-        if (edge.action) tools.push(edge.action.split(" ")[0]);
-        queue.push(nextNode);
-      }
-    }
-  }
-  return { chainLabels: labels, toolsUsed: tools };
-}
-function abstractifyLabel(label) {
-  let result = label.replace(/^(host|service|vulnerability|access|loot|osint|credential|cve_search):/i, "").replace(/^https?:\/\/|^ftp:\/\//gi, "").replace(/\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(:\d+)?\b/g, "").replace(/:\d{2,5}\b/g, "").replace(/\b[0-9a-f]{16,}\b/gi, "").replace(/(\d+\.\d+)\.\d+/g, "$1.x").trim().replace(/\s+/g, " ");
-  return result || label;
-}
-
-// src/shared/utils/attack-graph/prompt-formatter.ts
-function formatGraphForPrompt(nodes, edges, failedPaths) {
-  if (nodes.size === 0) return "";
-  const lines = ["<attack-graph>"];
-  const nodesByType = {};
-  const nodesByStatus = {};
-  for (const node of nodes.values()) {
-    nodesByType[node.type] = (nodesByType[node.type] || 0) + 1;
-    nodesByStatus[node.status] = (nodesByStatus[node.status] || 0) + 1;
-  }
-  lines.push(`Nodes: ${Object.entries(nodesByType).map(([t, c]) => `${c} ${t}s`).join(", ")}`);
-  lines.push(`Status: ${Object.entries(nodesByStatus).map(([s, c]) => `${c} ${s}`).join(", ")}`);
-  lines.push(`Edges: ${edges.length} (${edges.filter((e) => e.status === EDGE_STATUS.FAILED).length} failed)`);
-  const chains = recommendChains(nodes, edges);
-  if (chains.length > 0) {
-    lines.push("");
-    lines.push("RECOMMENDED ATTACK PATHS (try these):");
-    for (let i = 0; i < Math.min(GRAPH_LIMITS.PROMPT_CHAINS, chains.length); i++) {
-      const c = chains[i];
-      const prob = (c.probability * 100).toFixed(0);
-      lines.push(`  PATH ${i + 1} [${c.impact.toUpperCase()} | ${prob}%]: ${c.description}`);
-    }
-  }
-  if (failedPaths.length > 0) {
-    lines.push("");
-    lines.push("FAILED PATHS (DO NOT RETRY):");
-    for (const fp of failedPaths.slice(-GRAPH_LIMITS.PROMPT_FAILED)) {
-      lines.push(`  \u2717 ${fp}`);
-    }
-  }
-  const unexploitedVulns = Array.from(nodes.values()).filter((n) => n.type === NODE_TYPE.VULNERABILITY && n.status !== NODE_STATUS.SUCCEEDED && n.status !== NODE_STATUS.FAILED);
-  if (unexploitedVulns.length > 0) {
-    lines.push("");
-    lines.push(`UNEXPLOITED VULNERABILITIES (${unexploitedVulns.length}):`);
-    for (const v of unexploitedVulns.slice(0, GRAPH_LIMITS.PROMPT_VULNS)) {
-      const sev = v.data.severity || "unknown";
-      const status = v.status === NODE_STATUS.ATTEMPTED ? " \u23F3 testing" : "";
-      lines.push(`  - ${v.label} (${sev})${status}`);
-    }
-  }
-  const accessNodes = Array.from(nodes.values()).filter((n) => n.type === NODE_TYPE.ACCESS && n.status === NODE_STATUS.SUCCEEDED);
-  if (accessNodes.length > 0) {
-    lines.push("");
-    lines.push("ACHIEVED ACCESS:");
-    for (const a of accessNodes) {
-      lines.push(`  \u2713 ${a.label}`);
-    }
-  }
-  const credNodes = Array.from(nodes.values()).filter((n) => n.type === NODE_TYPE.CREDENTIAL);
-  if (credNodes.length > 0) {
-    lines.push("");
-    lines.push(`CREDENTIALS (${credNodes.length} \u2014 try on all services):`);
-    for (const c of credNodes) {
-      const source = c.data.source || "unknown";
-      const sprayEdges = edges.filter((e) => e.from === c.id && e.relation === "can_try_on");
-      const testedCount = sprayEdges.filter((e) => e.status !== EDGE_STATUS.UNTESTED).length;
-      lines.push(`  \u{1F511} ${c.label} (from: ${source}) [sprayed: ${testedCount}/${sprayEdges.length}]`);
-    }
-  }
-  lines.push("</attack-graph>");
-  return lines.join("\n");
-}
-
-// src/shared/utils/attack-graph/formatters/icons.ts
-var TYPE_ICONS = {
-  [NODE_TYPE.HOST]: "\u{1F5A5}",
-  [NODE_TYPE.SERVICE]: "\u2699",
-  [NODE_TYPE.VULNERABILITY]: "\u26A0",
-  [NODE_TYPE.CREDENTIAL]: "\u{1F511}",
-  [NODE_TYPE.ACCESS]: "\u{1F513}",
-  [NODE_TYPE.LOOT]: "\u{1F3F4}",
-  [NODE_TYPE.OSINT]: "\u{1F50D}",
-  // AD node icons (2차 — Hard/Insane support)
-  [NODE_TYPE.DOMAIN]: "\u{1F3F0}",
-  [NODE_TYPE.USER_ACCOUNT]: "\u{1F464}",
-  [NODE_TYPE.GPO]: "\u{1F4CB}",
-  [NODE_TYPE.ACL]: "\u{1F510}",
-  [NODE_TYPE.CERTIFICATE_TEMPLATE]: "\u{1F4DC}"
-};
-var STATUS_ICONS2 = {
-  [NODE_STATUS.DISCOVERED]: "\u25CB",
-  [NODE_STATUS.ATTEMPTED]: "\u25D0",
-  [NODE_STATUS.SUCCEEDED]: "\u25CF",
-  [NODE_STATUS.FAILED]: "\u2717"
-};
-
-// src/shared/utils/attack-graph/formatters/stats.ts
-function getGraphStats(nodes, edges) {
-  const succeeded = Array.from(nodes.values()).filter((n) => n.status === NODE_STATUS.SUCCEEDED).length;
-  const failed = Array.from(nodes.values()).filter((n) => n.status === NODE_STATUS.FAILED).length;
-  return {
-    nodes: nodes.size,
-    edges: edges.length,
-    succeeded,
-    failed,
-    chains: recommendChains(nodes, edges).length
-  };
-}
-
-// src/shared/utils/attack-graph/formatters/graph-ascii.ts
-function formatGraphAsASCII(nodes, edges) {
-  if (nodes.size === 0) return "(Empty attack graph \u2014 no discoveries yet)";
-  const lines = [];
-  lines.push("\u250C\u2500\u2500\u2500 Attack Graph \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510");
-  const groups = {};
-  for (const node of nodes.values()) {
-    if (!groups[node.type]) groups[node.type] = [];
-    groups[node.type].push(node);
-  }
-  const typeSummary = Object.entries(groups).map(([t, ns]) => `${TYPE_ICONS[t] || "\xB7"} ${ns.length}`).join("  ");
-  lines.push(`\u2502 ${typeSummary}`);
-  for (const [type, typeNodes] of Object.entries(groups)) {
-    const icon = TYPE_ICONS[type] || "\xB7";
-    lines.push(`\u2502`);
-    lines.push(`\u2502 ${icon} ${type.toUpperCase()} (${typeNodes.length})`);
-    for (const node of typeNodes) {
-      const sIcon = STATUS_ICONS2[node.status] || "?";
-      const fail = node.status === NODE_STATUS.FAILED && node.failReason ? ` \u2014 ${node.failReason}` : "";
-      let detail = "";
-      if (type === NODE_TYPE.CREDENTIAL) {
-        const source = node.data.source ? ` (from: ${node.data.source})` : "";
-        detail = source;
-      } else if (type === NODE_TYPE.VULNERABILITY) {
-        const sev = node.data.severity ? ` [${String(node.data.severity).toUpperCase()}]` : "";
-        const exploit = node.data.hasExploit ? " [EXPLOIT]" : "";
-        const target = node.data.target ? ` \u2192 ${node.data.target}` : "";
-        detail = `${sev}${exploit}${target}`;
-      } else if (type === NODE_TYPE.ACCESS) {
-        const via = node.data.via ? ` via ${node.data.via}` : "";
-        detail = via;
-      } else if (type === NODE_TYPE.SERVICE) {
-        const ver = node.data.version ? ` (${node.data.version})` : "";
-        detail = ver;
-      }
-      const outEdges = edges.filter((e) => e.from === node.id);
-      const edgeStr = outEdges.length > 0 ? ` \u2192 ${outEdges.map((e) => {
-        const target = nodes.get(e.to);
-        const eName = target ? target.label : e.to;
-        const eStatus = e.status === EDGE_STATUS.FAILED ? " \u2717" : e.status === EDGE_STATUS.SUCCEEDED ? " \u2713" : "";
-        return `${eName}${eStatus}`;
-      }).join(", ")}` : "";
-      lines.push(`\u2502   ${sIcon} ${node.label}${detail}${fail}${edgeStr}`);
-    }
-  }
-  const succeededNodes = Array.from(nodes.values()).filter((n) => n.status === NODE_STATUS.SUCCEEDED);
-  if (succeededNodes.length > 0) {
-    lines.push(`\u2502`);
-    lines.push(`\u251C\u2500\u2500\u2500 Exploited \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524`);
-    for (const n of succeededNodes) {
-      const via = n.data.via ? ` via ${n.data.via}` : "";
-      lines.push(`\u2502 \u25CF ${n.label}${via}`);
-    }
-  }
-  const stats = getGraphStats(nodes, edges);
-  lines.push(`\u2502`);
-  lines.push(`\u251C\u2500\u2500\u2500 Summary \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524`);
-  lines.push(`\u2502 Nodes: ${stats.nodes} | Edges: ${stats.edges} | Succeeded: ${stats.succeeded} | Failed: ${stats.failed} | Chains: ${stats.chains}`);
-  lines.push(`\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518`);
-  return lines.join("\n");
-}
-
-// src/shared/utils/attack-graph/formatters/paths-list.ts
-function formatPathsList(nodes, edges, failedPaths) {
-  const chains = recommendChains(nodes, edges);
-  if (chains.length === 0) {
-    if (nodes.size === 0) return "No attack graph data yet. Start reconnaissance first.";
-    return "No viable attack paths found. All paths may be exhausted or failed.";
-  }
-  const lines = [];
-  lines.push(`\u2500\u2500\u2500 ${chains.length} Attack Paths (sorted by priority) \u2500\u2500\u2500`);
-  lines.push("");
-  for (let i = 0; i < chains.length; i++) {
-    const c = chains[i];
-    const prob = (c.probability * 100).toFixed(0);
-    const impactColors = {
-      [SEVERITIES.CRITICAL]: "\u{1F534}",
-      [SEVERITIES.HIGH]: "\u{1F7E0}",
-      [SEVERITIES.MEDIUM]: "\u{1F7E1}",
-      [SEVERITIES.LOW]: "\u{1F7E2}"
-    };
-    const impactIcon = impactColors[c.impact] || "\u26AA";
-    lines.push(`${impactIcon} PATH ${i + 1} [${c.impact.toUpperCase()} | prob: ${prob}% | steps: ${c.length}]`);
-    lines.push(`   ${c.description}`);
-    for (const edge of c.edges) {
-      const statusTag = edge.status === EDGE_STATUS.UNTESTED ? "  ?" : edge.status === EDGE_STATUS.TESTING ? "  \u23F3" : edge.status === EDGE_STATUS.SUCCEEDED ? "  \u2713" : "  \u2717";
-      lines.push(`   ${statusTag} ${edge.from.split(":").pop()} \u2014[${edge.relation}]\u2192 ${edge.to.split(":").pop()}`);
-    }
-    lines.push("");
-  }
-  if (failedPaths.length > 0) {
-    lines.push(`\u2500\u2500\u2500 Failed Paths (${failedPaths.length}) \u2500\u2500\u2500`);
-    for (const fp of failedPaths) {
-      lines.push(`   \u2717 ${fp}`);
-    }
-  }
-  return lines.join("\n");
-}
-
-// src/shared/utils/attack-graph/operations/infrastructure.ts
-function registerHost(graph, ip, hostname) {
-  const node = createHostNode(ip, hostname);
-  if (!graph.nodes.has(node.id)) {
-    graph.nodes.set(node.id, node);
-  }
-  return node.id;
-}
-function registerService(graph, host, port, service, version) {
-  const hostId = registerHost(graph, host);
-  const { node, hostEdge } = createServiceNode(host, port, service, version);
-  if (!graph.nodes.has(node.id)) {
-    graph.nodes.set(node.id, node);
-  }
-  if (hostEdge && !edgeExists(graph.edges, hostEdge.from, hostEdge.to, hostEdge.relation)) {
-    graph.edges.push(hostEdge);
-  }
-  if (version) {
-    const vulnNode = createVersionSearchNode(service, version);
-    if (!graph.nodes.has(vulnNode.id)) {
-      graph.nodes.set(vulnNode.id, vulnNode);
-    }
-    graph.addEdge(node.id, vulnNode.id, "may_have", 0.3);
-  }
-  return node.id;
-}
-
-// src/shared/utils/attack-graph/operations/security.ts
-function registerCredential(graph, username, password, source) {
-  const node = createCredentialNode(username, password, source);
-  if (!graph.nodes.has(node.id)) {
-    graph.nodes.set(node.id, node);
-  }
-  const sprayEdges = createCredentialSprayEdges(node.id, graph.nodes);
-  for (const edge of sprayEdges) {
-    if (!edgeExists(graph.edges, edge.from, edge.to, edge.relation)) {
-      graph.edges.push(edge);
-    }
-  }
-  return node.id;
-}
-function registerVulnerability(graph, title, target, severity, hasExploit = false) {
-  const vulnNode = createVulnerabilityNode(title, target, severity, hasExploit);
-  if (!graph.nodes.has(vulnNode.id)) {
-    graph.nodes.set(vulnNode.id, vulnNode);
-  }
-  const targetServices = findTargetServices(graph.nodes, target);
-  for (const svc of targetServices) {
-    graph.addEdge(svc.id, vulnNode.id, "has_vulnerability", 0.8);
-  }
-  if (hasExploit) {
-    const accessNode = createPotentialAccessNode(title);
-    if (!graph.nodes.has(accessNode.id)) {
-      graph.nodes.set(accessNode.id, accessNode);
-    }
-    graph.addEdge(vulnNode.id, accessNode.id, "leads_to", 0.7);
-  }
-  return vulnNode.id;
-}
-function registerAccess(graph, host, level, via) {
-  const accessNode = createAccessNode(host, level, via);
-  if (!graph.nodes.has(accessNode.id)) {
-    graph.nodes.set(accessNode.id, accessNode);
-  }
-  const node = graph.nodes.get(accessNode.id);
-  if (node) {
-    node.status = NODE_STATUS.SUCCEEDED;
-    node.resolvedAt = Date.now();
-    const incomingEdges = getIncomingEdges(graph.edges, accessNode.id);
-    for (const edge of incomingEdges) {
-      Object.assign(edge, markEdgeSucceeded(edge));
-    }
-  }
-  if (isHighPrivilege(level)) {
-    const lootNode = createLootNode(host);
-    if (!graph.nodes.has(lootNode.id)) {
-      graph.nodes.set(lootNode.id, lootNode);
-    }
-    graph.addEdge(accessNode.id, lootNode.id, "can_access", 0.9);
-  }
-  return accessNode.id;
-}
-
-// src/shared/utils/attack-graph/operations/discovery.ts
-function registerOSINT(graph, category, detail, data = {}) {
-  const osintNode = createOSINTNode(category, detail, data);
-  if (!graph.nodes.has(osintNode.id)) {
-    graph.nodes.set(osintNode.id, osintNode);
-  }
-  const relatedNodes = findOSINTRelatedNodes(graph.nodes, detail);
-  for (const { id } of relatedNodes) {
-    graph.addEdge(osintNode.id, id, "relates_to", 0.5);
-  }
-  return osintNode.id;
-}
-
-// src/shared/utils/attack-graph/status-management.ts
-function markNodeAttemptedInGraph(nodes, nodeId) {
-  const node = nodes.get(nodeId);
-  if (node && canMarkAttempted(node)) {
-    node.status = NODE_STATUS.ATTEMPTED;
-    node.attemptedAt = Date.now();
-  }
-}
-function markNodeSucceededInGraph(nodes, edges, nodeId) {
-  const node = nodes.get(nodeId);
-  if (node) {
-    node.status = NODE_STATUS.SUCCEEDED;
-    node.resolvedAt = Date.now();
-    const incomingEdges = getIncomingEdges(edges, nodeId);
-    for (const edge of incomingEdges) {
-      if (edge.status === EDGE_STATUS.TESTING) {
-        Object.assign(edge, markEdgeSucceeded(edge));
-      }
-    }
-  }
-}
-function markNodeFailedInGraph(nodes, edges, nodeId, reason, callbacks) {
-  const node = nodes.get(nodeId);
-  if (node) {
-    node.status = NODE_STATUS.FAILED;
-    node.resolvedAt = Date.now();
-    node.failReason = reason;
-    callbacks.onFailedPath(formatFailedNode(node.label, reason));
-    const incomingEdges = getIncomingEdges(edges, nodeId);
-    for (const edge of incomingEdges) {
-      if (isTestableEdge(edge)) {
-        Object.assign(edge, markEdgeFailed(edge, reason));
-      }
-    }
-  }
-}
-function markEdgeTestingInList(edges, fromId, toId) {
-  for (const edge of edges) {
-    if (edge.from === fromId && edge.to === toId) {
-      edge.status = EDGE_STATUS.TESTING;
-    }
-  }
-}
-function markEdgeFailedInList(edges, fromId, toId, reason, callbacks) {
-  for (const edge of edges) {
-    if (edge.from === fromId && edge.to === toId) {
-      edge.status = EDGE_STATUS.FAILED;
-      edge.failReason = reason;
-    }
-  }
-  callbacks.onFailedPath(formatFailedPath(fromId, toId, reason));
-}
-
-// src/shared/utils/attack-graph/store.ts
-var AttackGraphStore = class {
-  nodes = /* @__PURE__ */ new Map();
-  edges = [];
-  failedPaths = [];
-  /** Reset the store to an empty state. */
-  reset() {
-    this.nodes.clear();
-    this.edges = [];
-    this.failedPaths = [];
-  }
-  /**
-   * Set/update a node with IMP-1 cap.
-   * Evicts oldest 'discovered' node when limit reached.
-   */
-  setNode(id, node) {
-    if (!this.nodes.has(id) && this.nodes.size >= AGENT_LIMITS.MAX_ATTACK_NODES) {
-      const oldestDiscovered = Array.from(this.nodes.entries()).find(([, n]) => n.status === "discovered");
-      if (oldestDiscovered) {
-        this.nodes.delete(oldestDiscovered[0]);
-      }
-    }
-    this.nodes.set(id, node);
-  }
-  /** Get node by ID. */
-  getNode(id) {
-    return this.nodes.get(id);
-  }
-  /** Check if node exists. */
-  hasNode(id) {
-    return this.nodes.has(id);
-  }
-  /**
-   * Add an edge with IMP-15 deduplication and IMP-1 cap.
-   * Deduplication key: from + to + relation.
-   */
-  addEdge(edge) {
-    const isDuplicate = this.edges.some(
-      (e) => e.from === edge.from && e.to === edge.to && e.relation === edge.relation
-    );
-    if (isDuplicate) return;
-    this.edges.push(edge);
-    if (this.edges.length > AGENT_LIMITS.MAX_ATTACK_EDGES) {
-      const prunableIdx = this.edges.findIndex(
-        (e) => e.status === "failed" || e.status === "untested"
-      );
-      if (prunableIdx >= 0) {
-        this.edges.splice(prunableIdx, 1);
-      }
-    }
-  }
-  /**
-   * Record a failed path with IMP-1 cap.
-   * Keeps only the most recent MAX_FAILED_PATHS entries.
-   */
-  recordFailedPath(path2) {
-    this.failedPaths.push(path2);
-    if (this.failedPaths.length > AGENT_LIMITS.MAX_FAILED_PATHS) {
-      this.failedPaths = this.failedPaths.slice(-AGENT_LIMITS.MAX_FAILED_PATHS);
-    }
-  }
-  /** Get internal nodes map reference (for operations). */
-  getNodesMap() {
-    return this.nodes;
-  }
-  /** Get internal edges list reference (for operations). */
-  getEdgesList() {
-    return this.edges;
-  }
-  /** Get failed paths list. */
-  getFailedPaths() {
-    return this.failedPaths;
-  }
-  /** Get all nodes as array. */
-  getAllNodes() {
-    return Array.from(this.nodes.values());
-  }
-  /** Get all edges as array. */
-  getAllEdges() {
-    return [...this.edges];
-  }
-};
-
-// src/shared/utils/attack-graph/core.ts
-var AttackGraph = class {
-  store = new AttackGraphStore();
-  // ─── Core Graph Operations ──────────────────────────────────
-  /** Reset the graph to an empty state. */
-  reset() {
-    this.store.reset();
-  }
-  /**
-   * Add a node to the attack graph.
-   */
-  addNode(type, label, data = {}) {
-    const node = createNode(type, label, data);
-    if (!this.store.hasNode(node.id)) {
-      this.store.setNode(node.id, node);
-    }
-    return node.id;
-  }
-  /**
-   * Add an edge (relationship) between two nodes.
-   */
-  addEdge(fromId, toId, relation, confidence = 0.5) {
-    if (!edgeExists(this.store.getEdgesList(), fromId, toId, relation)) {
-      this.store.addEdge(createEdge(fromId, toId, relation, confidence));
-    }
-  }
-  /**
-   * Get node by ID.
-   */
-  getNode(nodeId) {
-    return this.store.getNode(nodeId);
-  }
-  // ─── Status Management ──────────────────────────────────────
-  /**
-   * Mark a node as being attempted (in-progress attack).
-   */
-  markAttempted(nodeId) {
-    markNodeAttemptedInGraph(this.store.getNodesMap(), nodeId);
-  }
-  /**
-   * Mark a node as successfully exploited/achieved.
-   */
-  markSucceeded(nodeId) {
-    markNodeSucceededInGraph(this.store.getNodesMap(), this.store.getEdgesList(), nodeId);
-  }
-  /**
-   * Mark a node as failed (attack didn't work).
-   */
-  markFailed(nodeId, reason) {
-    markNodeFailedInGraph(this.store.getNodesMap(), this.store.getEdgesList(), nodeId, reason, {
-      onFailedPath: (path2) => this.store.recordFailedPath(path2)
-    });
-  }
-  /**
-   * Mark an edge as being tested.
-   */
-  markEdgeTesting(fromId, toId) {
-    markEdgeTestingInList(this.store.getEdgesList(), fromId, toId);
-  }
-  /**
-   * Mark an edge as failed.
-   */
-  markEdgeFailed(fromId, toId, reason) {
-    markEdgeFailedInList(this.store.getEdgesList(), fromId, toId, reason, {
-      onFailedPath: (path2) => this.store.recordFailedPath(path2)
-    });
-  }
-  // ─── Domain-Specific Registration ───────────────────────────
-  /** Internal graph container for domain operations */
-  get graphContainer() {
-    return {
-      nodes: this.store.getNodesMap(),
-      edges: this.store.getEdgesList(),
-      addEdge: this.addEdge.bind(this),
-      markSucceeded: this.markSucceeded.bind(this)
-    };
-  }
-  /**
-   * Record a host discovery.
-   */
-  addHost(ip, hostname) {
-    return registerHost(this.graphContainer, ip, hostname);
-  }
-  /**
-   * Record a service discovery and auto-create edges.
-   */
-  addService(host, port, service, version) {
-    return registerService(this.graphContainer, host, port, service, version);
-  }
-  /**
-   * Record a credential discovery and create spray edges.
-   */
-  addCredential(username, password, source) {
-    return registerCredential(this.graphContainer, username, password, source);
-  }
-  /**
-   * Record a vulnerability finding.
-   */
-  addVulnerability(title, target, severity, hasExploit = false) {
-    return registerVulnerability(this.graphContainer, title, target, severity, hasExploit);
-  }
-  /**
-   * Record gained access.
-   */
-  addAccess(host, level, via) {
-    return registerAccess(this.graphContainer, host, level, via);
-  }
-  /**
-   * Record OSINT discovery (Docker image, GitHub repo, company info, etc.)
-   */
-  addOSINT(category, detail, data = {}) {
-    return registerOSINT(this.graphContainer, category, detail, data);
-  }
-  /**
-   * Record an Active Directory object (domain, user-account, GPO, ACL, certificate-template).
-   *
-   * WHY: AD attacks chain through complex object relationships (ACL → user → cert → DA).
-   * Tracking these as graph nodes lets the Strategist see multi-hop AD paths.
-   *
-   * type: 'domain' | 'user-account' | 'gpo' | 'acl' | 'certificate-template'
-   * label: human-readable name (e.g. "CORP.LOCAL", "svc_sql", "ESC1-vulnerable")
-   * data: freeform metadata (members, rights, target, confidence, etc.)
-   */
-  addDomainObject(type, label, data = {}) {
-    return this.addNode(type, label, { adObject: true, ...data });
-  }
-  // ─── Chain Discovery (DFS) ──────────────────────────────────
-  /**
-   * Find all viable attack paths using DFS.
-   */
-  recommendChains() {
-    return recommendChains(this.store.getNodesMap(), this.store.getEdgesList());
-  }
-  // ─── Prompt Generation ──────────────────────────────────────
-  /**
-   * Format attack graph status for prompt injection.
-   */
-  toPrompt() {
-    return formatGraphForPrompt(this.store.getNodesMap(), this.store.getEdgesList(), this.store.getFailedPaths());
-  }
-  // ─── TUI Visualization ──────────────────────────────────────
-  /**
-   * Generate ASCII visualization for TUI /graph command.
-   */
-  toASCII() {
-    return formatGraphAsASCII(this.store.getNodesMap(), this.store.getEdgesList());
-  }
-  /**
-   * Generate path listing for TUI /paths command.
-   */
-  toPathsList() {
-    return formatPathsList(this.store.getNodesMap(), this.store.getEdgesList(), this.store.getFailedPaths());
-  }
-  // ─── Stats ──────────────────────────────────────────────────
-  /**
-   * Get graph stats for metrics display.
-   */
-  getStats() {
-    return getGraphStats(this.store.getNodesMap(), this.store.getEdgesList());
-  }
-  /**
-   * Get all nodes.
-   */
-  getAllNodes() {
-    return this.store.getAllNodes();
-  }
-  /**
-   * Get all edges.
-   */
-  getAllEdges() {
-    return this.store.getAllEdges();
-  }
-  /**
-   * Get failed paths list.
-   */
-  getFailedPaths() {
-    return this.store.getFailedPaths();
-  }
-  /**
-   * Check if the graph has any data.
-   */
-  isEmpty() {
-    return this.store.getNodesMap().size === 0;
-  }
-};
-
 // src/engine/state/models/engagement.ts
 function safeList4(values) {
   return Array.isArray(values) ? values.filter((value) => typeof value === "string") : [];
@@ -8255,6 +7303,12 @@ var SharedState = class {
    *      Injected into prompt as <triage-memo> for the main LLM.
    */
   lastTriageMemo = "";
+  /**
+   * Compact last tool-result signal for branch activation.
+   * WHY: Raw tool output is too large and not persisted into next prompt build.
+   *      This stores only a narrow routing hint derived from the latest tool call.
+   */
+  lastToolSignal = "";
   /**
    * Artifacts for CTF / Non-Network tasks (e.g., .bin files, source code).
    */
@@ -8294,6 +7348,7 @@ var SharedState = class {
     this.activeDelegatedExecution = null;
     this.lastReflection = "";
     this.lastTriageMemo = "";
+    this.lastToolSignal = "";
   }
   // Delegation to MissionState
   setMissionSummary(summary) {
@@ -8531,6 +7586,8 @@ function buildStrategistPrompt(input) {
   if (policyDocument) sections.push("", "## Policy Memory", policyDocument);
   const graph = state.attackGraph.toPrompt();
   if (graph) sections.push("", "## Attack Graph", graph);
+  const campaignMemory = isBranchMemoryEnabled("strategist") ? buildCampaignMemorySummary(buildMemoryBranchIndex(state)) : "";
+  if (campaignMemory) sections.push("", "## Ranked Branches", campaignMemory);
   const timeline = state.episodicMemory.toPrompt();
   if (timeline) sections.push("", "## Recent Actions", timeline);
   const techniques = state.dynamicTechniques.toPrompt();
@@ -8689,6 +7746,39 @@ function extractTag(content, tag) {
 function parseBoolean(value) {
   return value.trim().toLowerCase() === "true";
 }
+function parseNumber(value) {
+  const parsed = Number.parseInt(value.trim(), 10);
+  return Number.isFinite(parsed) ? parsed : 0;
+}
+function buildDefaultTurnPolicy(shouldForwardToMain, directResponse) {
+  if (!shouldForwardToMain) {
+    return {
+      classification: directResponse.trim() ? "direct_answer" : "policy_update_only",
+      executionMode: "none",
+      turnBudget: 0,
+      continueCondition: "until_first_result",
+      stopReasonTarget: "answer_ready"
+    };
+  }
+  return void 0;
+}
+function parseTurnPolicy(response, shouldForwardToMain, directResponse) {
+  const classification = extractTag(response, "input_classification");
+  const executionMode = extractTag(response, "execution_mode");
+  const turnBudget = extractTag(response, "turn_budget");
+  const continueCondition = extractTag(response, "continue_condition");
+  const stopReasonTarget = extractTag(response, "stop_reason_target");
+  if (!classification || !executionMode || !turnBudget || !continueCondition || !stopReasonTarget) {
+    return buildDefaultTurnPolicy(shouldForwardToMain, directResponse);
+  }
+  return {
+    classification,
+    executionMode,
+    turnBudget: Math.max(0, parseNumber(turnBudget)),
+    continueCondition,
+    stopReasonTarget
+  };
+}
 var InputProcessor = class extends AuxiliaryLLMBase {
   constructor(llm) {
     super(llm, {
@@ -8718,6 +7808,7 @@ var InputProcessor = class extends AuxiliaryLLMBase {
     const policyDocument = extractTag(response, "policy_document_markdown");
     const policyUpdateSummary = extractTag(response, "policy_update_summary");
     const insightSummary = extractTag(response, "insight_summary");
+    const turnPolicy = parseTurnPolicy(response, shouldForwardToMain, directResponse);
     return {
       shouldForwardToMain,
       forwardedInput,
@@ -8726,6 +7817,7 @@ var InputProcessor = class extends AuxiliaryLLMBase {
       policyDocument,
       policyUpdateSummary,
       insightSummary,
+      turnPolicy,
       success: true
     };
   }
@@ -8738,6 +7830,7 @@ var InputProcessor = class extends AuxiliaryLLMBase {
       policyDocument: "",
       policyUpdateSummary: "",
       insightSummary: "",
+      turnPolicy: void 0,
       success: false
     };
   }
@@ -8811,11 +7904,13 @@ async function executeUpdatePhase(p, state, events) {
   const primaryTarget = targets[0]?.ip ?? "unknown";
   const loot = state.getLoot();
   const usableCreds = loot.filter((l) => USABLE_CREDENTIAL_LOOT_TYPES.has(l.type)).map((l) => l.detail).slice(0, 10);
+  const resumeHints = isBranchMemoryEnabled("resume_hints") ? buildSnapshotResumeHints(buildMemoryBranchIndex(state)) : [];
   saveSessionSnapshot({
     target: primaryTarget,
     phase: newPhase,
     achieved: [`Phase transition: ${oldPhase} \u2192 ${newPhase}. Reason: ${reason}`],
     next: [`Continue from ${newPhase} phase on ${primaryTarget}`],
+    resumeHints,
     credentials: usableCreds,
     savedAt: Date.now()
   });
@@ -8838,11 +7933,13 @@ Reason: ${reason}
 
 // src/domains/engagement/handlers/snapshot.ts
 async function executeSaveSessionSnapshot(p, state) {
+  const resumeHints = isBranchMemoryEnabled("resume_hints") ? buildSnapshotResumeHints(buildMemoryBranchIndex(state)) : [];
   const snapshot = {
     target: p.target,
     phase: state.getPhase(),
     achieved: p.achieved || [],
     next: p.next || [],
+    resumeHints,
     credentials: p.credentials || [],
     notes: p.notes,
     savedAt: Date.now()
@@ -8855,6 +7952,7 @@ Target: ${snapshot.target}
 Phase: ${snapshot.phase}
 Achieved: ${snapshot.achieved.length} items
 Next: ${snapshot.next.length} priorities
+Resume hints: ${snapshot.resumeHints?.length ?? 0}
 Creds: ${snapshot.credentials.length}`
   };
 }
@@ -11956,7 +11054,7 @@ After completion: record key loot/findings from the sub-agent output to canonica
           rootTaskId: activeExecution.rootTaskId
         }
       });
-      const { AgentTool } = await import("./agent-tool-Y6CG5KRL.js");
+      const { AgentTool } = await import("./agent-tool-K3ETJX2V.js");
       const executor = new AgentTool(state, events, scopeGuard, approvalGate);
       try {
         const result = await executor.execute(input);
@@ -12239,10 +11337,6 @@ export {
   DEFAULT_MODEL,
   getApiKey,
   getModel,
-  NODE_TYPE,
-  NODE_STATUS,
-  EDGE_STATUS,
-  extractSuccessfulChain,
   getTimeAdaptiveStrategy,
   SharedState,
   HealthMonitor,