pentesting 0.8.39 → 0.8.42

package/dist/index.js

@@ -32,8 +32,8 @@ import TextInput from "ink-text-input";
 import Spinner from "ink-spinner";
 
 // src/core/agent/autonomous-agent.ts
-import Anthropic from "@anthropic-ai/sdk";
-import { EventEmitter as EventEmitter4 } from "events";
+import Anthropic3 from "@anthropic-ai/sdk";
+import { EventEmitter as EventEmitter7 } from "events";
 
 // src/core/prompts/autonomous-prompt.ts
 var AUTONOMOUS_HACKING_PROMPT = `You are Pentesting, an elite autonomous penetration testing AI designed for CTF competitions and professional security assessments. You operate with minimal human intervention, making intelligent decisions, adapting to obstacles, and persistently pursuing objectives until complete system compromise.
@@ -220,6 +220,115 @@ Analyze your situation honestly:
    - Manual testing vs. automated?
 
 Based on this reflection, propose 3 completely different approaches to try next.`;
+var STRATEGY_PLANNING_PROMPT = `You are the strategic coordinator for this penetration test. Before executing ANY action, validate the strategy.
+
+## STRATEGIC VALIDATION PROCESS
+
+### 1. INTENT VERIFICATION
+\`\`\`
+[INTENT CHECK]
+- What is the user's objective?
+- What phase are we in?
+- What have we accomplished so far?
+- What is the immediate goal?
+\`\`\`
+
+### 2. PLAN FORMULATION
+\`\`\`
+[PLAN PROPOSAL]
+Given the current state, I propose:
+1. [Primary approach] - Expected outcome: X
+2. [Backup approach] - If primary fails: Y
+3. [Alternative] - If we need to pivot: Z
+\`\`\`
+
+### 3. PLAN VALIDATION (Self-Check)
+\`\`\`
+[VALIDATION]
+\u25A1 Is this aligned with BFS (surface mapping first)?
+\u25A1 Have I completed reconnaissance before deep testing?
+\u25A1 Is this the highest ROI action right now?
+\u25A1 Am I avoiding rabbit holes (SSL testing too early, etc.)?
+\u25A1 Is the tool/command correct for this task?
+\`\`\`
+
+### 4. AGENT COORDINATION
+When switching agents or techniques:
+\`\`\`
+[HANDOFF]
+From: [current agent/approach]
+To: [next agent/approach]
+Reason: [why this switch makes sense]
+Context passed: [what the next agent needs to know]
+\`\`\`
+
+### 5. DECISION LOG
+After each significant decision:
+\`\`\`
+[DECISION]
+Action: [what was done]
+Result: [what happened]
+Learning: [what we now know]
+Next: [logical next step]
+\`\`\`
+
+## ANTI-PATTERNS TO DETECT AND PREVENT
+
+- \u274C SSL/TLS testing before full surface mapping
+- \u274C Deep diving one endpoint before discovering others
+- \u274C Brute force without any intelligence
+- \u274C Repeating failed commands with minor changes
+- \u274C Ignoring discovered information
+- \u274C Skipping subdomain/directory enumeration
+
+## SUCCESS PATTERNS TO FOLLOW
+
+- \u2705 Port scan \u2192 Web discovery (subdomain + directory) \u2192 Technology detection \u2192 CVE check
+- \u2705 Find all endpoints first, then prioritize by value
+- \u2705 Use discovered info (usernames, versions) in subsequent attacks
+- \u2705 Pivot quickly when stuck (max 3 attempts per approach)
+- \u2705 Document findings as we go`;
+var AGENT_COLLABORATION_PROMPT = `When collaborating with other specialized agents:
+
+## AGENT ROLES
+- **Recon Agent**: Surface discovery, OSINT, subdomain/directory enumeration
+- **Exploit Agent**: Vulnerability exploitation, payload delivery
+- **PrivEsc Agent**: Privilege escalation on compromised hosts
+- **Web Agent**: Web application testing, injection attacks
+- **Crypto Agent**: Cryptographic analysis, hash cracking
+
+## COLLABORATION PROTOCOL
+
+### 1. TASK DELEGATION
+\`\`\`
+[DELEGATE]
+From: [current agent]
+To: [specialized agent]
+Task: [specific task]
+Expected output: [what we need back]
+\`\`\`
+
+### 2. RESULTS HANDOFF
+\`\`\`
+[HANDOFF]
+Agent: [which agent completed]
+Findings: [key discoveries]
+Recommended next: [what should happen next]
+\`\`\`
+
+### 3. CONFLICT RESOLUTION
+When agents disagree on approach:
+- Consider ROI of each approach
+- Check if one requires prerequisites the other provides
+- Default to BFS (broader coverage) over DFS (deep focus)
+- Escalate to user only if truly ambiguous
+
+### 4. KNOWLEDGE SHARING
+All agents maintain shared context:
+- Discovered hosts and services
+- Obtained credentials
+- Failed approaches (don't repeat)
+- Current attack surface map`;
 
 // src/core/tools/tool-definitions.ts
 var SYSTEM_TOOLS = [
@@ -4150,6 +4259,868 @@ function buildAgentSystemPrompt(basePrompt, agent) {
 ${agent.systemPrompt}`;
 }
 
+// src/core/agent/agent-orchestrator.ts
+import Anthropic from "@anthropic-ai/sdk";
+import { EventEmitter as EventEmitter4 } from "events";
+var ORCHESTRATOR_EVENT = {
+  AGENT_START: "agent_start",
+  AGENT_COMPLETE: "agent_complete",
+  AGENT_ERROR: "agent_error",
+  ALL_COMPLETE: "all_complete",
+  FINDING: "finding"
+};
+var AgentOrchestrator = class extends EventEmitter4 {
+  client;
+  agents = /* @__PURE__ */ new Map();
+  initialized = false;
+  constructor(apiKey) {
+    super();
+    this.client = new Anthropic({
+      apiKey: apiKey || LLM_API_KEY || process.env.PENTEST_API_KEY,
+      baseURL: LLM_BASE_URL
+    });
+  }
+  /**
+   * Initialize with built-in agents
+   */
+  async initialize() {
+    if (this.initialized) return;
+    for (const agent of BUILTIN_AGENTS) {
+      this.agents.set(agent.name, agent);
+    }
+    this.initialized = true;
+  }
+  /**
+   * Launch multiple agents in parallel
+   */
+  async launchParallel(tasks) {
+    await this.initialize();
+    console.log(`\u{1F680} Launching ${tasks.length} agents in parallel...`);
+    const startTime = Date.now();
+    const promises = tasks.map((task) => this.executeAgent(task));
+    const results = await Promise.allSettled(promises);
+    const duration = Date.now() - startTime;
+    console.log(`\u2705 All agents completed in ${(duration / 1e3).toFixed(1)}s`);
+    const finalResults = results.map((result, index) => {
+      if (result.status === "fulfilled") {
+        return result.value;
+      } else {
+        return {
+          agent: tasks[index].agent,
+          success: false,
+          output: "",
+          findings: [],
+          duration: 0,
+          error: result.reason?.message || "Agent failed"
+        };
+      }
+    });
+    this.emit(ORCHESTRATOR_EVENT.ALL_COMPLETE, {
+      results: finalResults,
+      duration
+    });
+    return finalResults;
+  }
+  /**
+   * Execute a single agent
+   */
+  async executeAgent(task) {
+    const startTime = Date.now();
+    this.emit(ORCHESTRATOR_EVENT.AGENT_START, { agent: task.agent, prompt: task.prompt });
+    try {
+      const agentDef = this.agents.get(task.agent);
+      const systemPrompt = agentDef ? buildAgentSystemPrompt("You are a security expert. Report findings clearly.", agentDef) : `You are a security expert focused on ${task.agent}. Be thorough and report findings in JSON format.`;
+      const response = await withRetry(
+        () => this.client.messages.create({
+          model: LLM_MODEL,
+          max_tokens: LLM_MAX_TOKENS,
+          system: systemPrompt,
+          messages: [
+            { role: "user", content: task.prompt }
+          ]
+        }),
+        { maxRetries: 2 }
+      );
+      const output = response.content.filter((b) => b.type === "text").map((b) => b.text).join("\n");
+      const findings = this.parseFindings(output, task.agent);
+      const duration = Date.now() - startTime;
+      const result = {
+        agent: task.agent,
+        success: true,
+        output,
+        findings,
+        duration
+      };
+      this.emit(ORCHESTRATOR_EVENT.AGENT_COMPLETE, result);
+      for (const finding of findings) {
+        this.emit(ORCHESTRATOR_EVENT.FINDING, finding);
+      }
+      return result;
+    } catch (error) {
+      const errorMsg = error instanceof Error ? error.message : String(error);
+      this.emit(ORCHESTRATOR_EVENT.AGENT_ERROR, { agent: task.agent, error: errorMsg });
+      return {
+        agent: task.agent,
+        success: false,
+        output: "",
+        findings: [],
+        duration: Date.now() - startTime,
+        error: errorMsg
+      };
+    }
+  }
+  /**
+   * Parse findings from agent output
+   */
+  parseFindings(output, agentName) {
+    const findings = [];
+    const jsonMatch = output.match(/```json\n?([\s\S]*?)\n?```/);
+    if (jsonMatch) {
+      try {
+        const parsed = JSON.parse(jsonMatch[1]);
+        if (Array.isArray(parsed)) {
+          return parsed.map((f) => this.normalizeFinding(f, agentName));
+        } else if (parsed.findings) {
+          return parsed.findings.map((f) => this.normalizeFinding(f, agentName));
+        }
+      } catch {
+      }
+    }
+    const patterns = [
+      { regex: /CVE-\d{4}-\d+/gi, type: "vulnerability", severity: "high" },
+      { regex: /open port[s]?[:\s]+(\d+)/gi, type: "info", severity: "info" },
+      { regex: /admin|root|password/gi, type: "credential", severity: "high" },
+      { regex: /shell access|RCE|command injection/gi, type: "vulnerability", severity: "critical" },
+      { regex: /SQL injection|XSS|SSRF/gi, type: "vulnerability", severity: "high" }
+    ];
+    for (const pattern of patterns) {
+      const matches = output.match(pattern.regex);
+      if (matches) {
+        for (const match of [...new Set(matches)]) {
+          findings.push({
+            id: `finding_${Date.now()}_${Math.random().toString(36).substring(2, 6)}`,
+            type: pattern.type,
+            title: match,
+            description: `Found by ${agentName}: ${match}`,
+            confidence: 60,
+            severity: pattern.severity,
+            evidence: [match],
+            exploitability: "possible"
+          });
+        }
+      }
+    }
+    return findings;
+  }
+  /**
+   * Normalize a finding object
+   */
+  normalizeFinding(raw, agentName) {
+    const f = raw;
+    return {
+      id: f.id || `finding_${Date.now()}_${Math.random().toString(36).substring(2, 6)}`,
+      type: f.type || "info",
+      title: f.title || "Unknown finding",
+      description: f.description || `Found by ${agentName}`,
+      confidence: f.confidence || 50,
+      severity: f.severity || "medium",
+      evidence: f.evidence || [],
+      exploitability: f.exploitability || "possible",
+      nextSteps: f.nextSteps
+    };
+  }
+  /**
+   * Get available agent names
+   */
+  getAgentNames() {
+    return Array.from(this.agents.keys());
+  }
+};
+function consolidateFindings(results) {
+  const allFindings = [];
+  for (const result of results) {
+    allFindings.push(...result.findings);
+  }
+  const findingMap = /* @__PURE__ */ new Map();
+  for (const finding of allFindings) {
+    const key = `${finding.type}:${finding.title}`;
+    if (findingMap.has(key)) {
+      const existing = findingMap.get(key);
+      existing.confidence = Math.min(100, existing.confidence + 10);
+      existing.evidence.push(...finding.evidence);
+    } else {
+      findingMap.set(key, { ...finding });
+    }
+  }
+  return Array.from(findingMap.values()).sort((a, b) => b.confidence - a.confidence);
+}
+var orchestratorInstance = null;
+function getOrchestrator(apiKey) {
+  if (!orchestratorInstance) {
+    orchestratorInstance = new AgentOrchestrator(apiKey);
+  }
+  return orchestratorInstance;
+}
+
+// src/core/agent/agent-memory.ts
+import { EventEmitter as EventEmitter5 } from "events";
+var MEMORY_EVENT = {
+  ENTRY_ADDED: "entry_added",
+  STATE_UPDATED: "state_updated",
+  HANDOFF: "handoff",
+  COMPACTION: "compaction"
+};
+var AgentMemory = class _AgentMemory extends EventEmitter5 {
+  // Short-term memory (current session)
+  shortTermMemory = [];
+  // Long-term memory (persisted across sessions)
+  longTermMemory = [];
+  // Episodic memory (specific events/interactions)
+  episodicMemory = /* @__PURE__ */ new Map();
+  // Shared state across all agents
+  sharedState;
+  // Agent contexts
+  agentContexts = /* @__PURE__ */ new Map();
+  // Memory limits
+  SHORT_TERM_LIMIT = 100;
+  LONG_TERM_LIMIT = 1e3;
+  COMPACTION_THRESHOLD = 80;
+  // % of limit
+  constructor(target = "") {
+    super();
+    this.sharedState = this.initializeState(target);
+  }
+  // ===== State Management =====
+  initializeState(target) {
+    return {
+      target,
+      discoveredHosts: [],
+      discoveredServices: /* @__PURE__ */ new Map(),
+      credentials: [],
+      currentPhase: "recon",
+      completedPhases: [],
+      attackSurface: /* @__PURE__ */ new Map(),
+      vulnerabilities: [],
+      failedApproaches: []
+    };
+  }
+  getSharedState() {
+    return this.sharedState;
+  }
+  updateState(updates) {
+    this.sharedState = { ...this.sharedState, ...updates };
+    this.emit(MEMORY_EVENT.STATE_UPDATED, this.sharedState);
+  }
+  // ===== Memory Operations =====
+  addMemory(entry) {
+    const fullEntry = {
+      ...entry,
+      id: `mem_${Date.now()}_${Math.random().toString(36).substring(2, 8)}`,
+      timestamp: /* @__PURE__ */ new Date()
+    };
+    this.shortTermMemory.push(fullEntry);
+    if (entry.importance >= 70) {
+      this.longTermMemory.push(fullEntry);
+    }
+    if (!this.episodicMemory.has(entry.agent)) {
+      this.episodicMemory.set(entry.agent, []);
+    }
+    this.episodicMemory.get(entry.agent).push(fullEntry);
+    this.emit(MEMORY_EVENT.ENTRY_ADDED, fullEntry);
+    this.checkCompaction();
+    return fullEntry;
+  }
+  // ===== Memory Retrieval =====
+  getRecentMemories(count = 10) {
+    return this.shortTermMemory.slice(-count);
+  }
+  getMemoriesByAgent(agentName) {
+    return this.episodicMemory.get(agentName) || [];
+  }
+  getMemoriesByType(type) {
+    return [...this.shortTermMemory, ...this.longTermMemory].filter((m) => m.type === type);
+  }
+  getImportantMemories(threshold = 70) {
+    return this.longTermMemory.filter((m) => m.importance >= threshold);
+  }
+  searchMemories(query) {
+    const lowerQuery = query.toLowerCase();
+    return [...this.shortTermMemory, ...this.longTermMemory].filter((m) => m.content.toLowerCase().includes(lowerQuery)).sort((a, b) => b.importance - a.importance);
+  }
+  // ===== Agent Context Management =====
+  setAgentContext(context) {
+    this.agentContexts.set(context.agentName, context);
+  }
+  getAgentContext(agentName) {
+    return this.agentContexts.get(agentName);
+  }
+  getAllAgentContexts() {
+    return Array.from(this.agentContexts.values());
+  }
+  // ===== Agent Handoff =====
+  /**
+   * Create a handoff package for transferring context between agents
+   */
+  createHandoff(fromAgent, toAgent, task, relevantContext) {
+    const handoffId = `handoff_${Date.now()}`;
+    const relevantMemories = this.shortTermMemory.filter(
+      (m) => m.agent === fromAgent || relevantContext.some((c) => m.content.includes(c))
+    ).slice(-20);
+    const contextSummary = this.createContextSummary(fromAgent, task);
+    this.addMemory({
+      type: "handoff",
+      agent: "orchestrator",
+      content: `Handoff: ${fromAgent} \u2192 ${toAgent} for task: ${task}`,
+      importance: 80,
+      metadata: { fromAgent, toAgent, task, handoffId }
+    });
+    this.emit(MEMORY_EVENT.HANDOFF, { fromAgent, toAgent, task, handoffId });
+    return {
+      handoffId,
+      context: contextSummary,
+      sharedState: this.sharedState,
+      relevantMemories
+    };
+  }
+  /**
+   * Create a summarized context for handoff
+   */
+  createContextSummary(agentName, task) {
+    const agentMemories = this.getMemoriesByAgent(agentName).slice(-10);
+    const findings = this.getMemoriesByType("finding").slice(-5);
+    const errors = this.getMemoriesByType("error").slice(-3);
+    return `
+## Context Summary for: ${task}
+
+### Target
+- Primary: ${this.sharedState.target}
+- Phase: ${this.sharedState.currentPhase}
+- Hosts discovered: ${this.sharedState.discoveredHosts.length}
+
+### Recent Actions by ${agentName}
+${agentMemories.map((m) => `- ${m.content.slice(0, 100)}`).join("\n")}
+
+### Key Findings
+${findings.map((f) => `- [${f.agent}] ${f.content.slice(0, 100)}`).join("\n")}
+
+### Failed Approaches (avoid these)
+${this.sharedState.failedApproaches.slice(-5).map((f) => `- ${f.approach}: ${f.reason}`).join("\n")}
+
+### Credentials Found
+${this.sharedState.credentials.map((c) => `- ${c.username}:${c.password} (${c.source})`).join("\n") || "None"}
+`;
+  }
+  // ===== Attack Surface Tracking =====
+  addToAttackSurface(category, items) {
+    const existing = this.sharedState.attackSurface.get(category) || [];
+    const newItems = items.filter((i) => !existing.includes(i));
+    this.sharedState.attackSurface.set(category, [...existing, ...newItems]);
+    if (newItems.length > 0) {
+      this.addMemory({
+        type: "discovery",
+        agent: "orchestrator",
+        content: `Attack surface expanded [${category}]: ${newItems.join(", ")}`,
+        importance: 60
+      });
+    }
+  }
+  getAttackSurface() {
+    return this.sharedState.attackSurface;
+  }
+  getAttackSurfaceSummary() {
+    const summary = [];
+    for (const [category, items] of this.sharedState.attackSurface) {
+      summary.push(`${category}: ${items.length} items`);
+    }
+    return summary.join(", ");
+  }
+  // ===== Failed Approach Tracking =====
+  recordFailedApproach(approach, reason) {
+    this.sharedState.failedApproaches.push({
+      approach,
+      reason,
+      timestamp: /* @__PURE__ */ new Date()
+    });
+  }
+  hasFailedBefore(approach) {
+    return this.sharedState.failedApproaches.some(
+      (f) => f.approach.toLowerCase().includes(approach.toLowerCase())
+    );
+  }
+  // ===== Memory Compaction =====
+  checkCompaction() {
+    if (this.shortTermMemory.length >= this.SHORT_TERM_LIMIT * (this.COMPACTION_THRESHOLD / 100)) {
+      this.compactShortTermMemory();
+    }
+    if (this.longTermMemory.length >= this.LONG_TERM_LIMIT * (this.COMPACTION_THRESHOLD / 100)) {
+      this.compactLongTermMemory();
+    }
+  }
+  compactShortTermMemory() {
+    const sorted = [...this.shortTermMemory].sort((a, b) => {
+      const importanceDiff = b.importance - a.importance;
+      if (importanceDiff !== 0) return importanceDiff;
+      return b.timestamp.getTime() - a.timestamp.getTime();
+    });
+    this.shortTermMemory = sorted.slice(0, Math.floor(this.SHORT_TERM_LIMIT * 0.5));
+    this.emit(MEMORY_EVENT.COMPACTION, { type: "short-term", remaining: this.shortTermMemory.length });
+  }
+  compactLongTermMemory() {
+    this.longTermMemory = this.longTermMemory.sort((a, b) => b.importance - a.importance).slice(0, Math.floor(this.LONG_TERM_LIMIT * 0.7));
+    this.emit(MEMORY_EVENT.COMPACTION, { type: "long-term", remaining: this.longTermMemory.length });
+  }
+  // ===== Serialization =====
+  toJSON() {
+    return {
+      shortTermMemory: this.shortTermMemory,
+      longTermMemory: this.longTermMemory,
+      sharedState: {
+        ...this.sharedState,
+        discoveredServices: Object.fromEntries(this.sharedState.discoveredServices),
+        attackSurface: Object.fromEntries(this.sharedState.attackSurface)
+      },
+      agentContexts: Object.fromEntries(this.agentContexts)
+    };
+  }
+  static fromJSON(data) {
+    const memory = new _AgentMemory();
+    const parsed = data;
+    memory.shortTermMemory = parsed.shortTermMemory || [];
+    memory.longTermMemory = parsed.longTermMemory || [];
+    if (parsed.sharedState) {
+      memory.sharedState = {
+        ...parsed.sharedState,
+        discoveredServices: new Map(Object.entries(parsed.sharedState.discoveredServices || {})),
+        attackSurface: new Map(Object.entries(parsed.sharedState.attackSurface || {}))
+      };
+    }
+    if (parsed.agentContexts) {
+      memory.agentContexts = new Map(Object.entries(parsed.agentContexts));
+    }
+    return memory;
+  }
+};
+var memoryInstance = null;
+function getAgentMemory(target) {
+  if (!memoryInstance) {
+    memoryInstance = new AgentMemory(target);
+  }
+  return memoryInstance;
+}
+
+// src/core/agent/supervisor-agent.ts
+import Anthropic2 from "@anthropic-ai/sdk";
+import { EventEmitter as EventEmitter6 } from "events";
+var SUPERVISOR_EVENT = {
+  PLAN_CREATED: "plan_created",
+  PHASE_STARTED: "phase_started",
+  PHASE_COMPLETED: "phase_completed",
+  TASK_DELEGATED: "task_delegated",
+  TASK_COMPLETED: "task_completed",
+  STRATEGY_ADJUSTED: "strategy_adjusted",
+  DECISION_MADE: "decision_made"
+};
+var SupervisorAgent = class extends EventEmitter6 {
+  client;
+  orchestrator;
+  memory;
+  currentPlan = null;
+  // Agent capability mapping
+  agentCapabilities = /* @__PURE__ */ new Map([
+    ["target-explorer", ["recon", "scanning", "enumeration", "osint", "subdomain", "directory"]],
+    ["exploit-researcher", ["cve", "exploit", "vulnerability", "payload", "metasploit"]],
+    ["privesc-master", ["privilege", "escalation", "root", "system", "linux", "windows"]],
+    ["web-hacker", ["web", "sql", "xss", "injection", "http", "api", "form"]],
+    ["crypto-solver", ["crypto", "hash", "password", "decrypt", "encode"]],
+    ["forensics-analyst", ["forensics", "memory", "file", "log", "steganography"]],
+    ["reverse-engineer", ["binary", "reverse", "debug", "exploit", "buffer"]],
+    ["attack-architect", ["strategy", "plan", "attack", "chain", "prioritize"]],
+    ["finding-reviewer", ["validate", "verify", "review", "confidence", "false positive"]]
+  ]);
+  constructor(apiKey) {
+    super();
+    this.client = new Anthropic2({
+      apiKey: apiKey || LLM_API_KEY || process.env.PENTEST_API_KEY,
+      baseURL: LLM_BASE_URL
+    });
+    this.orchestrator = getOrchestrator(apiKey);
+    this.memory = getAgentMemory();
+  }
+  // ===== Task Planning =====
+  /**
+   * Create an execution plan for the given objective
+   */
+  async createPlan(objective, target) {
+    const planPrompt = `
+${STRATEGY_PLANNING_PROMPT}
+
+Create an execution plan for:
+Objective: ${objective}
+Target: ${target}
+
+Respond with a JSON plan:
+{
+    "phases": [
+        {
+            "name": "Phase name",
+            "description": "What this phase accomplishes",
+            "agents": ["agent-name"],
+            "tasks": [
+                {
+                    "description": "Task description",
+                    "assignedAgent": "agent-name"
+                }
+            ]
+        }
+    ]
+}
+
+Rules:
+1. Start with reconnaissance (BFS - map attack surface first)
+2. Discovery before exploitation
+3. Use specialized agents for their strengths
+4. Include validation steps
+5. Plan for fallbacks
+`;
+    try {
+      const response = await this.client.messages.create({
+        model: LLM_MODEL,
+        max_tokens: 2048,
+        messages: [{ role: "user", content: planPrompt }]
+      });
+      const text = response.content.filter((b) => b.type === "text").map((b) => b.text).join("");
+      const jsonMatch = text.match(/\{[\s\S]*\}/);
+      if (jsonMatch) {
+        const parsed = JSON.parse(jsonMatch[0]);
+        this.currentPlan = this.buildPlan(objective, parsed);
+      } else {
+        this.currentPlan = this.createDefaultPlan(objective, target);
+      }
+    } catch {
+      this.currentPlan = this.createDefaultPlan(objective, target);
+    }
+    this.emit(SUPERVISOR_EVENT.PLAN_CREATED, this.currentPlan);
+    this.memory.addMemory({
+      type: "decision",
+      agent: "supervisor",
+      content: `Plan created: ${this.currentPlan.phases.length} phases for ${objective}`,
+      importance: 90
+    });
+    return this.currentPlan;
+  }
+  buildPlan(objective, parsed) {
+    return {
+      id: `plan_${Date.now()}`,
+      objective,
+      status: "planning",
+      currentPhaseIndex: 0,
+      phases: parsed.phases.map((phase, idx) => ({
+        id: `phase_${idx}`,
+        name: phase.name,
+        description: phase.description,
+        agents: phase.agents || [],
+        status: "pending",
+        findings: [],
+        tasks: (phase.tasks || []).map((task, tidx) => ({
+          id: `task_${idx}_${tidx}`,
+          description: task.description,
+          assignedAgent: task.assignedAgent || this.selectBestAgent(task.description),
+          status: "pending"
+        }))
+      }))
+    };
+  }
+  createDefaultPlan(objective, target) {
+    return {
+      id: `plan_${Date.now()}`,
+      objective,
+      status: "planning",
+      currentPhaseIndex: 0,
+      phases: [
+        {
+          id: "phase_0",
+          name: "Reconnaissance",
+          description: "Map attack surface - ports, subdomains, directories",
+          agents: ["target-explorer"],
+          status: "pending",
+          findings: [],
+          tasks: [
+            { id: "task_0_0", description: `Port scan ${target}`, assignedAgent: "target-explorer", status: "pending" },
+            { id: "task_0_1", description: `Subdomain enumeration for ${target}`, assignedAgent: "target-explorer", status: "pending" },
+            { id: "task_0_2", description: `Directory bruteforce on web services`, assignedAgent: "web-hacker", status: "pending" }
+          ]
+        },
+        {
+          id: "phase_1",
+          name: "Analysis",
+          description: "Analyze findings and identify vulnerabilities",
+          agents: ["attack-architect", "finding-reviewer"],
+          status: "pending",
+          findings: [],
+          tasks: [
+            { id: "task_1_0", description: "Analyze attack surface and prioritize targets", assignedAgent: "attack-architect", status: "pending" },
+            { id: "task_1_1", description: "CVE research for discovered services", assignedAgent: "exploit-researcher", status: "pending" }
+          ]
+        },
+        {
+          id: "phase_2",
+          name: "Exploitation",
+          description: "Attempt exploitation of identified vulnerabilities",
+          agents: ["exploit-researcher", "web-hacker"],
+          status: "pending",
+          findings: [],
+          tasks: [
+            { id: "task_2_0", description: "Exploit high-priority vulnerabilities", assignedAgent: "exploit-researcher", status: "pending" }
+          ]
+        }
+      ]
+    };
+  }
+  // ===== Agent Selection =====
+  /**
+   * Select the best agent for a given task
+   */
+  selectBestAgent(taskDescription) {
+    const lowerTask = taskDescription.toLowerCase();
+    let bestAgent = "target-explorer";
+    let bestScore = 0;
+    for (const [agent, capabilities] of this.agentCapabilities) {
+      const score = capabilities.filter((cap) => lowerTask.includes(cap)).length;
+      if (score > bestScore) {
+        bestScore = score;
+        bestAgent = agent;
+      }
+    }
+    return bestAgent;
+  }
+  /**
+   * Get agents for a specific phase
+   */
+  getAgentsForPhase(phaseName) {
+    const phaseMapping = {
+      "recon": ["target-explorer"],
+      "reconnaissance": ["target-explorer"],
+      "scan": ["target-explorer"],
+      "enum": ["target-explorer", "web-hacker"],
+      "enumeration": ["target-explorer", "web-hacker"],
+      "analysis": ["attack-architect", "finding-reviewer"],
+      "vuln": ["exploit-researcher", "web-hacker"],
+      "vulnerability": ["exploit-researcher", "web-hacker"],
+      "exploit": ["exploit-researcher", "web-hacker"],
+      "exploitation": ["exploit-researcher", "web-hacker"],
+      "privesc": ["privesc-master"],
+      "privilege": ["privesc-master"],
+      "post": ["privesc-master", "forensics-analyst"]
+    };
+    const lowerPhase = phaseName.toLowerCase();
+    for (const [key, agents] of Object.entries(phaseMapping)) {
+      if (lowerPhase.includes(key)) {
+        return agents;
+      }
+    }
+    return ["target-explorer"];
+  }
+  // ===== Task Execution =====
+  /**
+   * Execute the current plan
+   */
+  async executePlan() {
+    if (!this.currentPlan) {
+      throw new Error("No plan created. Call createPlan() first.");
+    }
+    this.currentPlan.status = "executing";
+    const allFindings = [];
+    for (let i = 0; i < this.currentPlan.phases.length; i++) {
+      this.currentPlan.currentPhaseIndex = i;
+      const phase = this.currentPlan.phases[i];
+      this.emit(SUPERVISOR_EVENT.PHASE_STARTED, phase);
+      phase.status = "in_progress";
+      try {
+        const phaseFindings = await this.executePhase(phase);
+        phase.findings = phaseFindings;
+        allFindings.push(...phaseFindings);
+        phase.status = "completed";
+        this.emit(SUPERVISOR_EVENT.PHASE_COMPLETED, phase);
+        await this.evaluateProgress(phaseFindings);
+      } catch (error) {
+        phase.status = "failed";
+        this.memory.recordFailedApproach(
+          phase.name,
+          error instanceof Error ? error.message : "Unknown error"
+        );
+      }
+    }
+    this.currentPlan.status = "completed";
+    return consolidateFindings(allFindings.map((f) => ({
+      agent: "supervisor",
+      success: true,
+      output: "",
+      findings: [f],
+      duration: 0
+    })));
+  }
+  /**
+   * Execute a single phase
+   */
+  async executePhase(phase) {
+    const tasks = phase.tasks.map((task) => ({
+      agent: task.assignedAgent,
+      prompt: this.buildTaskPrompt(task, phase),
+      priority: 1
+    }));
+    await this.orchestrator.initialize();
+    const results = await this.orchestrator.launchParallel(tasks);
+    for (let i = 0; i < phase.tasks.length; i++) {
+      const task = phase.tasks[i];
+      const result = results[i];
+      task.status = result.success ? "completed" : "failed";
+      task.result = result.output;
+      task.error = result.error;
+      this.emit(SUPERVISOR_EVENT.TASK_COMPLETED, { task, result });
+      this.memory.addMemory({
+        type: result.success ? "action" : "error",
+        agent: task.assignedAgent,
+        content: result.success ? `Completed: ${task.description}` : `Failed: ${task.description} - ${result.error}`,
+        importance: result.success ? 60 : 70
+      });
+    }
+    return consolidateFindings(results);
+  }
+  buildTaskPrompt(task, phase) {
+    const handoff = this.memory.createHandoff(
+      "supervisor",
+      task.assignedAgent,
+      task.description,
+      [phase.name, task.description]
+    );
+    return `
+${AGENT_COLLABORATION_PROMPT}
+
+## Your Task
+${task.description}
+
+## Phase Context
+Phase: ${phase.name}
+Description: ${phase.description}
+
+## Shared Context
+${handoff.context}
+
+## Instructions
+1. Complete the task thoroughly
+2. Report all findings in structured format
+3. Suggest next steps based on discoveries
+4. Be efficient - BFS over DFS
+
+Provide your findings in JSON format when possible.
+`;
+  }
+  // ===== Strategy Evaluation =====
+  /**
+   * Evaluate progress and adjust strategy if needed
+   */
+  async evaluateProgress(findings) {
+    const criticalFindings = findings.filter((f) => f.severity === "critical" || f.severity === "high");
+    const failedApproaches = this.memory.getSharedState().failedApproaches;
+    if (criticalFindings.length > 0) {
+      this.memory.addMemory({
+        type: "decision",
+        agent: "supervisor",
+        content: `Strategy adjustment: Found ${criticalFindings.length} critical/high findings. Prioritizing exploitation.`,
+        importance: 85
+      });
+      this.emit(SUPERVISOR_EVENT.STRATEGY_ADJUSTED, {
+        reason: "Critical findings discovered",
+        adjustment: "Prioritize exploitation",
+        findings: criticalFindings
+      });
+    }
+    if (failedApproaches.length >= 3) {
+      this.memory.addMemory({
+        type: "decision",
+        agent: "supervisor",
+        content: `Strategy adjustment: ${failedApproaches.length} failed approaches. Recommending pivot.`,
+        importance: 80
+      });
+    }
+  }
+  // ===== Decision Making =====
+  /**
+   * Make a decision about next action
+   */
+  async makeDecision(situation) {
+    const decisionPrompt = `
+${STRATEGY_PLANNING_PROMPT}
+
+Current situation:
+${situation}
+
+Shared state:
+- Target: ${this.memory.getSharedState().target}
+- Phase: ${this.memory.getSharedState().currentPhase}
+- Attack surface: ${this.memory.getAttackSurfaceSummary()}
+- Failed approaches: ${this.memory.getSharedState().failedApproaches.map((f) => f.approach).join(", ")}
+
+Make a decision:
+1. What action should we take?
+2. Which agent should handle it?
+3. What's your reasoning?
+4. What are alternatives if this fails?
+
+Respond with JSON:
+{
+    "action": "description of action",
+    "agent": "agent-name",
+    "reasoning": "why this is the best choice",
+    "confidence": 0-100,
+    "alternatives": ["alt1", "alt2"]
+}
+`;
+    try {
+      const response = await this.client.messages.create({
+        model: LLM_MODEL,
+        max_tokens: 1024,
+        messages: [{ role: "user", content: decisionPrompt }]
+      });
+      const text = response.content.filter((b) => b.type === "text").map((b) => b.text).join("");
+      const jsonMatch = text.match(/\{[\s\S]*\}/);
+      if (jsonMatch) {
+        const decision = JSON.parse(jsonMatch[0]);
+        this.emit(SUPERVISOR_EVENT.DECISION_MADE, decision);
+        this.memory.addMemory({
+          type: "decision",
+          agent: "supervisor",
+          content: `Decision: ${decision.action} (${decision.agent}, ${decision.confidence}% confidence)`,
+          importance: 75
+        });
+        return decision;
+      }
+    } catch {
+    }
+    return {
+      action: "Continue with reconnaissance",
+      agent: "target-explorer",
+      reasoning: "Default action when unsure",
+      confidence: 50,
+      alternatives: ["web-hacker", "exploit-researcher"]
+    };
+  }
+  // ===== Getters =====
+  getCurrentPlan() {
+    return this.currentPlan;
+  }
+  getMemory() {
+    return this.memory;
+  }
+};
+var supervisorInstance = null;
+function getSupervisor(apiKey) {
+  if (!supervisorInstance) {
+    supervisorInstance = new SupervisorAgent(apiKey);
+  }
+  return supervisorInstance;
+}
+
 // src/commands/index.ts
 var SCAN_COMMAND = {
   name: "scan",
@@ -4466,7 +5437,7 @@ var DEFAULT_PHASES = [
   { id: PHASE_ID.EXFIL, name: "Data Exfiltration", shortName: "Exfil", status: PHASE_STATUS.PENDING, attempts: 0 },
   { id: PHASE_ID.REPORT, name: "Reporting", shortName: "Report", status: PHASE_STATUS.PENDING, attempts: 0 }
 ];
-var AutonomousHackingAgent = class extends EventEmitter4 {
+var AutonomousHackingAgent = class extends EventEmitter7 {
   client;
   state;
   config;
@@ -4481,6 +5452,9 @@ var AutonomousHackingAgent = class extends EventEmitter4 {
   mcpManager;
   contextManager;
   approvalManager;
+  orchestrator;
+  agentMemory;
+  supervisor;
   // Token usage tracking
   tokenUsage = {
     input: 0,
@@ -4499,7 +5473,7 @@ var AutonomousHackingAgent = class extends EventEmitter4 {
   // Max attempts per phase
   constructor(apiKey, config) {
     super();
-    this.client = new Anthropic({
+    this.client = new Anthropic3({
       apiKey: apiKey || LLM_API_KEY || process.env.PENTEST_API_KEY,
       baseURL: LLM_BASE_URL
     });
@@ -4509,6 +5483,9 @@ var AutonomousHackingAgent = class extends EventEmitter4 {
     this.mcpManager = getMCPManager();
     this.contextManager = new ContextManager(this.client);
     this.approvalManager = getApprovalManager({ yoloMode: config?.autoApprove });
+    this.orchestrator = getOrchestrator(apiKey);
+    this.agentMemory = getAgentMemory();
+    this.supervisor = getSupervisor(apiKey);
     this.state = this.createInitialState();
     this.initSystems();
   }
@@ -4919,25 +5896,161 @@ What went wrong and what different approach should be tried?
     this.think(THOUGHT_TYPE.REFLECTION, reflection);
     return reflection;
   }
+  // ===== Strategy Validation =====
+  async validateStrategy(proposedAction) {
+    this.think(THOUGHT_TYPE.PLANNING, "[strategy] Validating action strategy...");
+    const validationPrompt = `
+${STRATEGY_PLANNING_PROMPT}
+
+Current situation:
+- Target: ${this.state.target.primary}
+- Current phase: ${this.getCurrentPhase().shortName}
+- Discovered services: ${this.state.target.services.map((s) => `${s.host}:${s.port} (${s.service})`).join(", ") || "none"}
+- Attack surface mapped: ${this.state.target.discovered.length} hosts, ${this.state.target.services.length} services
+- Subdomains found: ${this.state.target.discovered.filter((d) => d.includes(".")).length}
+
+Proposed action: ${proposedAction}
+
+Validate this action:
+1. Is this aligned with BFS (surface mapping first)?
+2. Have we completed reconnaissance before deep testing?
+3. Is this the highest ROI action right now?
+4. Should we adjust the approach?
+
+Respond with JSON:
+{
+    "valid": true/false,
+    "adjustedAction": "if invalid, suggest better action",
+    "reasoning": "brief explanation"
+}
+`;
+    try {
+      const response = await this.client.messages.create({
+        model: LLM_MODEL,
+        max_tokens: 1024,
+        messages: [{ role: "user", content: validationPrompt }]
+      });
+      const text = response.content.filter((b) => b.type === "text").map((b) => b.text).join("");
+      const jsonMatch = text.match(/\{[\s\S]*\}/);
+      if (jsonMatch) {
+        const result = JSON.parse(jsonMatch[0]);
+        if (!result.valid) {
+          this.think(THOUGHT_TYPE.REFLECTION, `[strategy] Action adjusted: ${result.reasoning}`);
+        }
+        return result;
+      }
+    } catch {
+    }
+    return { valid: true, reasoning: "Validation skipped" };
+  }
+  // ===== Agent Collaboration =====
+  /**
+   * Delegate a task to a specialist agent and get results
+   */
+  async delegateToSpecialist(agentName, task, context) {
+    this.think(THOUGHT_TYPE.PLANNING, `[delegate] Delegating to ${agentName}: ${task.slice(0, 50)}...`);
+    await this.orchestrator.initialize();
+    const agentTask = {
+      agent: agentName,
+      prompt: `${AGENT_COLLABORATION_PROMPT}
+
+Context from main agent:
+${context}
+
+Your task:
+${task}
+
+Provide your analysis and findings. Include:
+1. Key discoveries
+2. Recommended next actions
+3. Any concerns or issues found`,
+      priority: 1
+    };
+    try {
+      const results = await this.orchestrator.launchParallel([agentTask]);
+      const result = results[0];
+      if (result.success) {
+        const consolidatedFindings = consolidateFindings(results);
+        const findingsSummary = consolidatedFindings.map((f) => `- [${f.severity.toUpperCase()}] ${f.title} (${f.confidence}% confidence)`).join("\n");
+        this.think(THOUGHT_TYPE.REFLECTION, `[delegate] ${agentName} completed: ${result.findings.length} findings`);
+        return {
+          success: true,
+          findings: findingsSummary || result.output.slice(0, 500),
+          recommendation: result.findings[0]?.nextSteps?.join(", ") || "Continue with main approach"
+        };
+      }
+      return {
+        success: false,
+        findings: result.error || "Agent failed",
+        recommendation: "Try alternative approach"
+      };
+    } catch (error) {
+      return {
+        success: false,
+        findings: error instanceof Error ? error.message : "Unknown error",
+        recommendation: "Fallback to main agent"
+      };
+    }
+  }
+  /**
+   * Consult multiple agents for strategy validation
+   */
+  async consultAgents(question) {
+    this.think(THOUGHT_TYPE.PLANNING, "[consult] Consulting specialist agents...");
+    const tasks = [
+      {
+        agent: "attack-architect",
+        prompt: `Strategic question: ${question}
+
+Provide your expert opinion on the best approach.`,
+        priority: 1
+      },
+      {
+        agent: "finding-reviewer",
+        prompt: `Review this approach: ${question}
+
+Validate if this is the right strategy.`,
+        priority: 1
+      }
+    ];
+    await this.orchestrator.initialize();
+    const results = await this.orchestrator.launchParallel(tasks);
+    const opinions = results.filter((r) => r.success).map((r) => `**${r.agent}**: ${r.output.slice(0, 200)}...`).join("\n\n");
+    this.think(THOUGHT_TYPE.REFLECTION, "[consult] Received opinions from specialists");
+    return opinions || "No specialist opinions available";
+  }
   // ===== Progress Detection =====
   recordProgress(type) {
     this.resetStuckCounter();
     this.state.lastProgressTime = /* @__PURE__ */ new Date();
+    let message = "";
+    let importance = 60;
     switch (type) {
       case "discovery":
-        this.think(THOUGHT_TYPE.BREAKTHROUGH, "[target] New target discovered!");
+        message = "[target] New target discovered!";
+        importance = 65;
         break;
       case "credential":
-        this.think(THOUGHT_TYPE.BREAKTHROUGH, "[cred] Credential obtained!");
+        message = "[cred] Credential obtained!";
+        importance = 85;
         break;
       case "access":
-        this.think(THOUGHT_TYPE.BREAKTHROUGH, "[access] Access obtained!");
+        message = "[access] Access obtained!";
+        importance = 90;
         break;
       case "exploit":
-        this.think(THOUGHT_TYPE.BREAKTHROUGH, "[exploit] Exploit successful!");
+        message = "[exploit] Exploit successful!";
+        importance = 95;
         this.state.successfulExploits++;
         break;
     }
+    this.think(THOUGHT_TYPE.BREAKTHROUGH, message);
+    this.agentMemory.addMemory({
+      type: type === "exploit" ? "action" : type === "credential" ? "credential" : "discovery",
+      agent: this.currentAgent?.name || "autonomous-agent",
+      content: message,
+      importance
+    });
   }
   // ===== Finding Management =====
   addFinding(finding) {
@@ -5686,14 +6799,14 @@ Respond helpfully to the user's message. If they ask to perform security testing
 // src/core/session/session-manager.ts
 import * as fs4 from "fs/promises";
 import * as path4 from "path";
-import { EventEmitter as EventEmitter5 } from "events";
+import { EventEmitter as EventEmitter8 } from "events";
 var SESSIONS_DIR = ".pentesting/sessions";
 function generateSessionId() {
   const timestamp = Date.now().toString(36);
   const random = Math.random().toString(36).substring(2, 8);
   return `session_${timestamp}_${random}`;
 }
-var SessionManager = class extends EventEmitter5 {
+var SessionManager = class extends EventEmitter8 {
   sessionsDir;
   currentSession = null;
   constructor(baseDir) {
@@ -6012,7 +7125,7 @@ function getSlashCommandRegistry() {
 // src/core/context/context-manager.ts
 import { existsSync as existsSync2, mkdirSync, readFileSync as readFileSync2, writeFileSync, renameSync } from "fs";
 import { join as join4, dirname as dirname3 } from "path";
-import { EventEmitter as EventEmitter6 } from "events";
+import { EventEmitter as EventEmitter9 } from "events";
 var CONTEXT_EVENT = {
   MESSAGE_ADDED: "message_added",
   CHECKPOINT_CREATED: "checkpoint_created",
@@ -6020,7 +7133,7 @@ var CONTEXT_EVENT = {
   CLEARED: "cleared",
   COMPACTED: "compacted"
 };
-var ContextManager2 = class extends EventEmitter6 {
+var ContextManager2 = class extends EventEmitter9 {
   filePath;
   state;
   maxMessages;
@@ -6731,9 +7844,9 @@ import { homedir } from "os";
 import { join as join7 } from "path";
 
 // src/cli/utils/keyboard-listener.ts
-import { EventEmitter as EventEmitter7 } from "events";
+import { EventEmitter as EventEmitter10 } from "events";
 import * as readline2 from "readline";
-var KeyboardListener = class extends EventEmitter7 {
+var KeyboardListener = class extends EventEmitter10 {
   isListening = false;
   isPaused = false;
   stdin = process.stdin;
@@ -6958,7 +8071,7 @@ function getKeyboardListener() {
 }
 
 // src/utils/input-queue.ts
-import { EventEmitter as EventEmitter8 } from "events";
+import { EventEmitter as EventEmitter11 } from "events";
 var INPUT_QUEUE_EVENT = {
   QUEUED: "queued",
   // Message added to queue
@@ -6971,7 +8084,7 @@ var INPUT_QUEUE_EVENT = {
   SHUTDOWN: "shutdown"
   // Queue shutdown
 };
-var InputQueue = class extends EventEmitter8 {
+var InputQueue = class extends EventEmitter11 {
   queue = [];
   isShutdown = false;
   isPaused = false;
@@ -7442,7 +8555,8 @@ var App = ({ autoApprove = false, target }) => {
       inputQueue.enqueue(trimmed);
       setQueuedCount(inputQueue.length);
       setInput("");
-      addMessage(MESSAGE_TYPE.SYSTEM, `  \u{1F4E5} Queued (${inputQueue.length} pending): ${trimmed.slice(0, 50)}${trimmed.length > 50 ? "..." : ""}`);
+      addMessage(MESSAGE_TYPE.USER, trimmed);
+      addMessage(MESSAGE_TYPE.SYSTEM, `  \u{1F4E5} Queued (${inputQueue.length} pending)`);
       return;
     }
     setInput("");