sicario-red-team 0.1.0

package/bin/sicario.js

@@ -0,0 +1,87 @@
+#!/usr/bin/env node
+import dotenv from 'dotenv';
+import path from 'path';
+import fs from 'fs';
+
+// Silently initialize dotenv
+dotenv.config({ quiet: true });
+
+// Load .env.local if it exists (for Convex)
+const envLocalPath = path.resolve(process.cwd(), '.env.local');
+if (fs.existsSync(envLocalPath)) {
+    dotenv.config({ path: envLocalPath, override: true, quiet: true });
+}
+
+import { Command } from 'commander';
+import { pathToFileURL, fileURLToPath } from 'url';
+import pc from 'picocolors';
+import { getApiKey, setApiKey } from '../src-cli/utils/config.js';
+import { createRequire } from 'module';
+const require = createRequire(import.meta.url);
+const clack = require('@clack/prompts');
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+const program = new Command();
+
+program
+  .name('sicario')
+  .description('Autonomous Agentic Red-Teaming Swarm Protocol')
+  .version('0.1.0');
+
+// Use a more robust way to import the command logic relative to this file
+const hitCommandPath = pathToFileURL(path.join(__dirname, '../src-cli/commands/hit.js')).href;
+
+program
+  .command('hit')
+  .description('Launch an autonomous swarm attack on a target')
+  .option('-t, --target <url>', 'Target URL')
+  .option('-a, --agents <number>', 'Number of agents to deploy', (val) => parseInt(val), 3)
+  .option('-d, --debug', 'Enable verbose debug logging', false)
+  .option('--auth <string>', 'Session token or cookie string for authenticated scans')
+  .action(async (options) => {
+    try {
+      // API Key Check & Viral Hook
+      let apiKey = process.env.CEREBRAS_API_KEY || getApiKey();
+      
+      if (!apiKey) {
+        clack.intro(pc.magenta(pc.bold('Project Sicario - First Run Onboarding')));
+        clack.note(
+          'Sicario requires a Cerebras inference engine to simulate business logic attacks.\n' +
+          pc.cyan('Get your free key here: https://cloud.cerebras.ai'),
+          'IDENTITY REQUIRED'
+        );
+        
+        const key = await clack.password({
+          message: 'Paste your Cerebras API Key',
+          validate: (value) => {
+            if (!value) return 'Key is required to proceed';
+            if (!value.startsWith('csk-')) return 'Invalid key format (should start with csk-)';
+          },
+        });
+
+        if (clack.isCancel(key)) {
+            clack.cancel('Operation aborted. Sicario cannot hunt without a brain.');
+            process.exit(0);
+        }
+
+        setApiKey(key);
+        process.env.CEREBRAS_API_KEY = key;
+        clack.log.success('Key saved to ~/.sicario/config. Resuming mission...');
+      }
+
+      const { hitCommand } = await import(hitCommandPath);
+      await hitCommand(options.target, options);
+    } catch (err) {
+      console.error('Fatal: Failed to load command logic.');
+      console.error(err);
+      process.exit(1);
+    }
+  });
+
+try {
+  program.parse(process.argv);
+} catch (err) {
+  console.error(err);
+}

package/package.json

@@ -0,0 +1,26 @@
+{
+  "name": "sicario-red-team",
+  "version": "0.1.0",
+  "description": "Autonomous Agentic Red-Teaming Swarm Protocol",
+  "type": "module",
+  "files": [
+    "bin",
+    "src-cli"
+  ],
+  "bin": {
+    "sicario": "./bin/sicario.js"
+  },
+  "scripts": {
+    "start": "node bin/sicario.js"
+  },
+  "dependencies": {
+    "@cerebras/cerebras_cloud_sdk": "^1.0.0",
+    "@clack/prompts": "^0.7.0",
+    "commander": "^12.0.0",
+    "convex": "^1.10.0",
+    "dotenv": "^17.3.1",
+    "ini": "^4.1.1",
+    "picocolors": "^1.0.0",
+    "playwright": "^1.42.0"
+  }
+}

package/src-cli/commands/hit.js

@@ -0,0 +1,132 @@
+import { createRequire } from 'module';
+const require = createRequire(import.meta.url);
+const clack = require('@clack/prompts');
+const { intro, outro, log, note, text, isCancel, cancel } = clack;
+import pc from 'picocolors';
+import 'dotenv/config';
+import { ConvexClient } from 'convex/browser';
+import { runScout } from '../nodes/scout.js';
+import { runBreacher } from '../nodes/breacher.js';
+import { theme } from '../utils/theme.js';
+
+// Initialize Convex Client (will use CONVEX_URL from .env)
+const client = process.env.CONVEX_URL ? new ConvexClient(process.env.CONVEX_URL) : null;
+
+export async function hitCommand(target, options) {
+
+    let finalTarget = target;
+    if (!finalTarget) {
+        finalTarget = await text({
+            message: 'Establish target lock',
+            placeholder: 'https://staging.example.com',
+            validate: (value) => {
+                if (!value) return 'Target is required';
+                if (!value.startsWith('http')) return 'Invalid URL format';
+            },
+        });
+
+        if (isCancel(finalTarget)) {
+            cancel('Operation aborted by user.');
+            process.exit(0);
+        }
+    }
+
+    intro(theme.brand('Project Sicario - Autonomous Swarm Protocol'));
+
+    let missionId = null;
+    let breachReport = { vulnerabilityFound: false };
+
+    try {
+        if (client) {
+            try {
+                missionId = await client.mutation('handler:startMission', { targetUrl: finalTarget });
+            } catch (err) {
+                log.warn('Convex sync disabled or failed: ' + err.message);
+            }
+        }
+
+        // 3. [Scout] Recon
+        log.step('[Scout] : Initiating live reconnaissance...');
+        if (client && missionId) await client.mutation('handler:logMessage', { missionId, type: 'Scout', message: 'Initiating live reconnaissance...' });
+        let elements = [];
+        try {
+            elements = await runScout(finalTarget, { auth: options.auth });
+            log.success('[Scout] : Perimeter mapped.');
+            if (client && missionId) await client.mutation('handler:logMessage', { missionId, type: 'Scout', message: 'Perimeter mapped.' });
+            
+            if (client && missionId) {
+                await client.mutation('handler:syncPerimeter', { 
+                    missionId, 
+                    interactiveElements: elements 
+                });
+            }
+        } catch (error) {
+            log.error('[Scout] : Reconnaissance failed.');
+            log.error(error.message);
+            throw error;
+        }
+
+        // 4. [Ghost] Jitter
+        log.step('[Ghost] : WAF bypassed. Biometric jitter active.');
+        if (client && missionId) await client.mutation('handler:logMessage', { missionId, type: 'Ghost', message: 'WAF bypassed. Biometric jitter active.' });
+        await new Promise(resolve => setTimeout(resolve, 1000));
+        log.success('[Ghost] : Obfuscation layer verified.');
+        if (client && missionId) await client.mutation('handler:logMessage', { missionId, type: 'Ghost', message: 'Obfuscation layer verified.' });
+
+        // 5. [Breacher] Analysis
+        log.step('[Breacher] : Analyzing DOM for logic flaws via Cerebras...');
+        if (client && missionId) await client.mutation('handler:logMessage', { missionId, type: 'Breacher', message: 'Analyzing DOM for logic flaws via Cerebras...' });
+        try {
+            breachReport = await runBreacher(elements);
+            log.success('[Breacher] : Analysis complete.');
+            if (client && missionId) await client.mutation('handler:logMessage', { missionId, type: 'Breacher', message: 'Analysis complete.' });
+
+            if (breachReport.vulnerabilityFound) {
+                console.log('\n' + theme.exploit(`${breachReport.title} locked on ${breachReport.targetElement}`));
+                console.log(pc.red(`Vector: ${breachReport.vector}`));
+                console.log(pc.red(`Severity: ${breachReport.severity}\n`));
+
+                if (client && missionId) {
+                    await client.mutation('handler:logExploit', {
+                        missionId,
+                        title: breachReport.title,
+                        vector: breachReport.vector,
+                        severity: breachReport.severity,
+                        target: breachReport.targetElement,
+                        mitigation: breachReport.mitigation // Ensure backend supports this
+                    });
+                }
+
+                if (breachReport.mitigation) {
+                    note(pc.cyan(breachReport.mitigation), 'FIX RECOMMENDATION');
+                }
+            } else {
+                log.info(theme.dim('No high-value business logic targets identified.'));
+            }
+        } catch (error) {
+            log.error('[Breacher] : Analysis node failure.');
+            log.error(error.message);
+        }
+
+        // 6. Mission Dossier
+        const summaryLines = [
+            `${theme.dim('Target')}           ${theme.bold(finalTarget)}`,
+            `${theme.dim('Nodes Recalled')}   ${theme.bold('3 (Scout, Ghost, Breacher)')}`,
+            `${theme.dim('Breaches Found')}    ${breachReport.vulnerabilityFound ? pc.red(pc.bold('1')) : theme.bold('0')}`,
+            `${theme.dim('Status')}           ${theme.success('MISSION SUCCESSFUL')}`
+        ];
+
+        note(summaryLines.join('\n'), 'MISSION DOSSIER');
+
+    } catch (error) {
+        log.error(`Mission failed: ${error.message}`);
+    } finally {
+        // THE FIX: Always close the mission in Convex, no matter what happens
+        if (client && missionId) {
+            await client.mutation('handler:closeMission', { missionId });
+        }
+        outro(theme.brand('Mission complete. Trace extraction successful.'));
+        process.exit(0);
+    }
+}
+

package/src-cli/nodes/breacher.js

@@ -0,0 +1,56 @@
+import Cerebras from '@cerebras/cerebras_cloud_sdk';
+import 'dotenv/config';
+
+/**
+ * Breacher Node: Analyzes interactive elements for OWASP Business Logic Abuse vectors.
+ * Uses Cerebras AI to hypothesize vulnerabilities.
+ * @param {Array} domElements - Array of extracted DOM elements.
+ * @returns {Promise<Object>} - A strict JSON report of findings.
+ */
+export async function runBreacher(domElements) {
+    const client = new Cerebras({
+        apiKey: process.env.CEREBRAS_API_KEY,
+    });
+
+    const systemPrompt = `
+You are 'The Breacher', an elite, autonomous SecOps AI. Your sole objective is to analyze a JSON array of web elements (DOM) and identify critical OWASP Business Logic vulnerabilities.
+
+### YOUR RULES OF ENGAGEMENT:
+1. FOCUS ONLY ON BUSINESS LOGIC: Look for vectors allowing Action Limit Overruns (using coupons multiple times), Concurrent Workflow Bypassing (skipping checkout steps), or Price/State Manipulation.
+2. NO BASIC FLAWS: DO NOT report standard XSS, SQLi, or CSRF vulnerabilities. 
+3. GROUNDED REALITY: You may only formulate an attack if the specific elements required (e.g., a checkout button, a promo code input) exist in the provided JSON array.
+4. ZERO HALLUCINATIONS: If the DOM array does not contain high-value business logic targets (e.g., it is just a simple blog or static page), you MUST report no vulnerabilities.
+
+### MANDATORY OUTPUT FORMAT:
+You must respond ONLY with a valid, raw JSON object. Do not include markdown formatting, conversational text, or explanations outside the JSON structure.
+
+Use this exact schema:
+{
+  "vulnerabilityFound": boolean,
+  "title": string | null,
+  "targetElement": string | null, // The ID or Name of the exploited element
+  "vector": string | null, // A strict, 1-sentence technical explanation of the logic flaw
+  "severity": "LOW" | "MEDIUM" | "HIGH" | "CRITICAL" | null,
+  "mitigation": string | null // A brief, 2-sentence technical recommendation for fixing the logic flaw
+}
+`;
+
+    const userPrompt = `DOM Elements: ${JSON.stringify(domElements)}`;
+
+    try {
+        const completion = await client.chat.completions.create({
+            messages: [
+                { role: 'system', content: systemPrompt },
+                { role: 'user', content: userPrompt }
+            ],
+            model: 'llama3.1-8b', // Adjust model as needed
+            response_format: { type: 'json_object' }
+        });
+
+        return JSON.parse(completion.choices[0].message.content);
+
+    } catch (error) {
+        console.error('Breacher Error:', error);
+        throw error;
+    }
+}

package/src-cli/nodes/scout.js

@@ -0,0 +1,100 @@
+import { chromium } from 'playwright';
+import fs from 'fs';
+import path from 'path';
+
+/**
+ * Scout Node: Performs live reconnaissance on a target URL.
+ * Extracts interactive elements for vulnerability analysis.
+ * @param {string} url - The URL to scan.
+ * @param {Object} options - Scan options (e.g., auth).
+ * @returns {Promise<Array>} - A clean array of interactive elements.
+ */
+export async function runScout(url, options = {}) {
+    const browser = await chromium.launch({ headless: true });
+    const context = await browser.newContext();
+
+    // 0. Session Injection (The Authentication Engine)
+    if (options.auth) {
+        const domain = new URL(url).hostname;
+        let cookies = [];
+
+        // Check if auth is a path to cookie.json
+        if (options.auth.endsWith('.json') && fs.existsSync(options.auth)) {
+            try {
+                const data = JSON.parse(fs.readFileSync(options.auth, 'utf-8'));
+                // Playwright expects array of cookies
+                cookies = Array.isArray(data) ? data : [data];
+                // Ensure domain matches if not specified
+                cookies = cookies.map(c => ({
+                    ...c,
+                    domain: c.domain || domain,
+                    path: c.path || '/'
+                }));
+            } catch (err) {
+                console.error(`Failed to parse cookie file: ${err.message}`);
+            }
+        } else {
+            // Treat as raw cookie string (session=123; token=abc)
+            const cookiePairs = options.auth.split(';').map(p => p.trim());
+            cookies = cookiePairs.map(pair => {
+                const [name, ...valueParts] = pair.split('=');
+                return {
+                    name: name.trim(),
+                    value: valueParts.join('=').trim(),
+                    domain,
+                    path: '/'
+                };
+            });
+        }
+
+        if (cookies.length > 0) {
+            await context.addCookies(cookies);
+        }
+    }
+
+    const page = await context.newPage();
+
+    try {
+        // 1. Go to the URL
+        await page.goto(url, { waitUntil: 'networkidle' });
+
+        // 2. THE FIX: Wait for the SPA to actually render UI elements.
+        // We tell Playwright to wait until it sees at least one button or input.
+        await page.waitForSelector('button, input', { timeout: 10000 }).catch(() => {
+            // If it times out, it might just be a static page, so we proceed anyway.
+        });
+
+        // Optional: Juice Shop has a massive "Dismiss" popup on first load.
+        // A true Scout will try to close modals to see the DOM underneath.
+        const dismissButton = await page.$('button.close-dialog');
+        if (dismissButton) await dismissButton.click();
+
+        // 3. Extract the DOM
+        const interactiveElements = await page.evaluate(() => {
+            const elements = document.querySelectorAll('button, input, a, form');
+            const extracted = [];
+
+            elements.forEach((el) => {
+                if (el.offsetWidth > 0 && el.offsetHeight > 0) {
+                    extracted.push({
+                        tag: el.tagName.toLowerCase(),
+                        id: el.id || null,
+                        name: el.name || null,
+                        type: el.type || null,
+                        text: el.innerText ? el.innerText.trim().substring(0, 50) : null,
+                        href: el.href || null
+                    });
+                }
+            });
+
+            return extracted;
+        });
+
+        await browser.close();
+        return interactiveElements;
+
+    } catch (error) {
+        await browser.close();
+        throw new Error(`Scout failed to map perimeter: ${error.message}`);
+    }
+}

package/src-cli/services/breacher.js

@@ -0,0 +1,59 @@
+import Cerebras from '@cerebras/cerebras_cloud_sdk';
+
+export const BreacherService = {
+  /**
+   * Generates a tactical exploit hypothesis based on reconnaissance data.
+   */
+  async hypothesize(reconData) {
+    const apiKey = process.env.CEREBRAS_API_KEY;
+    
+    if (!apiKey) {
+      // Fallback for demo/mock if API key is missing
+      return {
+        vulnerability: 'Action Limit Overrun (ALO)',
+        vector: 'Concurrent Coupon Invalidation Race Condition',
+        payload: "promo code 'WELCOME20' via multi-threaded bridge",
+        impact: 'Infinite discount stacking possible',
+        severity: 'HIGH'
+      };
+    }
+
+    const prompt = `
+      You are the [Breacher] node in the Project Sicario autonomous red-teaming swarm.
+      Your goal is to hypothesize a high-impact logic vulnerability.
+      
+      CRITICAL: You MUST ONLY use the interactive elements provided in the reconnaissance data below. 
+      If no matching element exists for a vulnerability (e.g., no file input for a file upload exploit), DO NOT hypothesize it.
+      
+      Reconnaissance Data:
+      - Target URL: ${reconData.url}
+      - Interactive Elements: ${reconData.elementCount}
+      - Elements Found: ${JSON.stringify(reconData.elements)}
+
+      Respond in JSON format:
+      {
+        "vulnerability": "Name of the logic exploit",
+        "targetElement": "The specific HTML element from the list you are targeting",
+        "vector": "Technical vector description",
+        "payload": "Tactical payload or action performed",
+        "impact": "Business impact of success",
+        "severity": "CRITICAL|HIGH|MEDIUM"
+      }
+    `;
+
+    const client = new Cerebras({ apiKey });
+    
+    try {
+      const completion = await client.chat.completions.create({
+        messages: [{ role: 'user', content: prompt }],
+        model: 'llama3.1-8b', 
+        response_format: { type: 'json_object' }
+      });
+
+      return JSON.parse(completion.choices[0].message.content);
+    } catch (error) {
+      console.error('[Breacher] AI reasoning failed:', error.message);
+      throw error;
+    }
+  }
+};

package/src-cli/services/ghost.js

@@ -0,0 +1,34 @@
+import pc from 'picocolors';
+
+export const GhostService = {
+  /**
+   * Applies behavioral stealth to a Playwright browser context.
+   */
+  async applyStealth(context) {
+    // Randomize User-Agent (simulating diverse consumer hardware)
+    const userAgents = [
+      'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36',
+      'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36',
+      'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36'
+    ];
+    const randomUA = userAgents[Math.floor(Math.random() * userAgents.length)];
+    
+    await context.setExtraHTTPHeaders({
+      'User-Agent': randomUA,
+      'Accept-Language': 'en-US,en;q=0.9',
+    });
+
+    // Potential for more advanced stealth (e.g. evasions plugin) in future phases
+    return context;
+  },
+
+  /**
+   * Simulates human-like mouse movement jitter.
+   */
+  async humanJitter(page) {
+    const { width, height } = page.viewportSize() || { width: 1280, height: 720 };
+    const x = Math.floor(Math.random() * width);
+    const y = Math.floor(Math.random() * height);
+    await page.mouse.move(x, y, { steps: Math.floor(Math.random() * 10) + 5 });
+  }
+};

package/src-cli/services/handler.js

@@ -0,0 +1,60 @@
+import { ConvexClient } from "convex/browser";
+
+export class HandlerService {
+  constructor(url) {
+    this.client = url ? new ConvexClient(url) : null;
+    this.missionId = null;
+    this.api = null;
+    this.initialized = false;
+  }
+
+  async _init() {
+    if (this.initialized) return;
+    try {
+      this.api = await import("../../convex/_generated/api.js");
+      this.initialized = true;
+    } catch (err) {
+      // Generated files missing - proceed in offline mode
+      this.initialized = true;
+    }
+  }
+
+  async startMission(target, agents) {
+    await this._init();
+    if (!this.client || !this.api) return null;
+    try {
+      this.missionId = await this.client.mutation(this.api.api.missions.startMission, { target, agents });
+      return this.missionId;
+    } catch (err) {
+      return null;
+    }
+  }
+
+  async log(agent, message) {
+    if (!this.client || !this.missionId || !this.api) return;
+    try {
+      await this.client.mutation(this.api.api.missions.updateLog, {
+        missionId: this.missionId,
+        agent,
+        message,
+      });
+    } catch (err) {
+    }
+  }
+
+  async complete(status, vulnerabilities, executionTime) {
+    if (!this.client || !this.missionId || !this.api) return;
+    try {
+      await this.client.mutation(this.api.api.missions.completeMission, {
+        missionId: this.missionId,
+        status,
+        vulnerabilities,
+        executionTime,
+      });
+    } catch (err) {
+    }
+  }
+}
+
+// Global instance for the current session
+export const handler = new HandlerService(process.env.CONVEX_URL);

package/src-cli/services/scout.js

@@ -0,0 +1,50 @@
+import { chromium } from 'playwright';
+import { GhostService } from './ghost.js';
+
+export const ScoutService = {
+  /**
+   * Runs actual reconnaissance on a target URL.
+   * Maps interactive elements and returns the attack surface metadata.
+   */
+  async runRecon(targetUrl) {
+    const browser = await chromium.launch({ headless: true });
+    const context = await browser.newContext();
+    
+    // Apply Ghost stealth
+    await GhostService.applyStealth(context);
+    
+    const page = await context.newPage();
+    
+    try {
+      // Navigate to target
+      await page.goto(targetUrl, { waitUntil: 'networkidle', timeout: 30000 });
+      
+      // Simulate human reading behavior
+      await GhostService.humanJitter(page);
+
+      // Extract interactive elements
+      const elements = await page.evaluate(() => {
+        const sel = 'button, input, a, select, [role="button"], [onclick]';
+        const found = document.querySelectorAll(sel);
+        return Array.from(found).map(el => ({
+          tag: el.tagName.toLowerCase(),
+          type: el.type || null,
+          text: el.textContent?.trim().slice(0, 30) || '',
+          id: el.id || null
+        }));
+      });
+
+      await browser.close();
+      
+      return {
+        url: targetUrl,
+        elementCount: elements.length,
+        elements: elements.slice(0, 10), // Return sample for logging
+        timestamp: new Date().toISOString()
+      };
+    } catch (error) {
+      await browser.close();
+      throw error;
+    }
+  }
+};

package/src-cli/utils/config.js

@@ -0,0 +1,38 @@
+import fs from 'fs';
+import path from 'path';
+import os from 'os';
+import ini from 'ini';
+
+const CONFIG_DIR = path.join(os.homedir(), '.sicario');
+const CONFIG_FILE = path.join(CONFIG_DIR, 'config');
+
+export function getConfig() {
+    if (!fs.existsSync(CONFIG_FILE)) {
+        return {};
+    }
+    try {
+        const content = fs.readFileSync(CONFIG_FILE, 'utf-8');
+        return ini.parse(content);
+    } catch (err) {
+        return {};
+    }
+}
+
+export function saveConfig(config) {
+    if (!fs.existsSync(CONFIG_DIR)) {
+        fs.mkdirSync(CONFIG_DIR, { recursive: true });
+    }
+    const content = ini.stringify(config);
+    fs.writeFileSync(CONFIG_FILE, content, 'utf-8');
+}
+
+export function getApiKey() {
+    const config = getConfig();
+    return process.env.CEREBRAS_API_KEY || config.CEREBRAS_API_KEY;
+}
+
+export function setApiKey(key) {
+    const config = getConfig();
+    config.CEREBRAS_API_KEY = key;
+    saveConfig(config);
+}

package/src-cli/utils/simulator.js

@@ -0,0 +1,124 @@
+import { createRequire } from 'module';
+const require = createRequire(import.meta.url);
+const clack = require('@clack/prompts');
+const { spinner, log } = clack;
+import { theme } from './theme.js';
+import { runScout } from '../nodes/scout.js';
+import { BreacherService } from '../services/breacher.js';
+import { handler } from '../services/handler.js';
+
+const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+
+export async function simulateSwarm(target, agentCount) {
+  const s = spinner();
+  
+  // Initialize Swarm Memory (Convex)
+  await handler.startMission(target, agentCount);
+
+  // Step 1: The Handler
+  log.message(theme.handler('Deploying the swarm...'));
+  s.start(theme.dim('Synchronizing global memory...'));
+  await sleep(1500);
+  s.stop(theme.success('Memory synced. All units online.'));
+  await handler.log('Handler', 'Swarm units deployed. All nodes online.');
+
+  // Step 2: Scout (REAL PLAYWRIGHT EXECUTION)
+  let elements = [];
+  s.start(theme.dim(`[Scout] : Initiating recursive reconnaissance on ${target}...`));
+  try {
+    elements = await runScout(target);
+    s.stop(theme.scout(`Perimeter mapped. ${elements.length} interactive elements found.`));
+    await handler.log('Scout', `Reconnaissance complete. Mapped ${elements.length} interactive elements.`);
+  } catch (err) {
+    s.stop(theme.danger(`[Scout] : Perimeter breach failed.`));
+    await handler.complete('FAILED', 0, '0s');
+    throw err;
+  }
+
+  // Step 3: Ghost
+  // We apply the 'wait' pattern to ensure TUI stability in PowerShell
+  s.start(theme.dim('Bypassing detection vectors...'));
+  await sleep(2500);
+  s.stop(theme.ghost('WAF bypassed. Biometric jitter active.'));
+  await handler.log('Ghost', 'Behavioral stealth applied. WAF detection bypassed.');
+
+  // Step 4: Breacher (Grounded AI Reasoning)
+  s.start(theme.dim('[Breacher] : Analyzing target surface for logic flaws...'));
+  
+  // Convert elements for Breacher
+  const reconData = { 
+    elementCount: elements.length, 
+    elements: elements.slice(0, 10), // Pass sample to AI
+    url: target 
+  };
+
+  // Dynamic Decision: If reconnaissance is too low, abort breach
+  if (elements.length <= 1) {
+    await sleep(2500);
+    s.stop(theme.dim('[Breacher] : No high-value operational targets identified. Skipping exploitation.'));
+    
+    // Step 5: Cleaner
+    s.start(theme.dim('Commencing extraction...'));
+    await sleep(1500);
+    s.stop(theme.cleaner('Scrubbing test artifacts... Footprint cleared.'));
+    
+    await handler.complete('COMPLETED', 0, '4.2s');
+    return { vulnerabilities: 0, executionTime: '4.2s', agentsUsed: agentCount };
+  }
+
+  // Real AI Hypothesis
+  let hypothesis;
+  try {
+    hypothesis = await BreacherService.hypothesize(reconData);
+    s.stop(theme.dim('[Breacher] : Business logic analyzed. Strategy formulated.'));
+    await handler.log('Breacher', `Targeting logic vulnerability: ${hypothesis.vulnerability}`);
+  } catch (err) {
+    s.stop(theme.warning('[Breacher] : AI reasoning node timeout. Falling back to heuristic mapping.'));
+    hypothesis = {
+      vulnerability: 'Generic Logic Bypass',
+      vector: 'Unvalidated multi-step workflow',
+      payload: 'Bypassing state validation',
+      impact: 'Potential state corruption',
+      severity: 'MEDIUM'
+    };
+    await handler.log('Breacher', 'AI reasoning node timeout. Using heuristic fallback.');
+  }
+  
+  // FIXED: Preventing [object Object] by ensuring string coercion or defaulting to N/A
+  const targetDesc = typeof hypothesis.targetElement === 'object' 
+    ? JSON.stringify(hypothesis.targetElement) 
+    : String(hypothesis.targetElement || 'N/A');
+
+  log.step(theme.breacher(`Targeting ${hypothesis.vulnerability}...`));
+  log.step(theme.breacher(`Target Element: ${targetDesc}`));
+  await sleep(1500);
+  log.step(theme.breacher(`Vector: ${hypothesis.vector}`));
+  await sleep(1500);
+
+  s.start(theme.dim('[Breacher] : Executing logic bypass...'));
+  await sleep(2500);
+  s.stop(theme.warning('Logic vulnerability exposed.'));
+  await handler.log('Breacher', `Exploit successful: ${hypothesis.vulnerability}`);
+
+  // Discovery Summary (Outside of spinner)
+  log.error(theme.exploit(hypothesis.vulnerability));
+  log.message(theme.danger(`  ${theme.bold('[Breacher]')} ${hypothesis.payload}`));
+  log.message(theme.danger(`  Target: ${targetDesc}`));
+  log.message(theme.dim(`  Severity: ${hypothesis.severity}  |  Impact: ${hypothesis.impact}`));
+  
+  await sleep(1500);
+
+  // Step 5: Cleaner
+  s.start(theme.dim('Commencing extraction...'));
+  await sleep(2000);
+  s.stop(theme.cleaner('Scrubbing test artifacts... Footprint cleared.'));
+  await handler.log('Cleaner', 'Swarm recalled. All traces removed.');
+  
+  await handler.complete('COMPLETED', 1, '18.2s');
+  
+  return {
+    vulnerabilities: 1,
+    executionTime: '18.2s',
+    agentsUsed: agentCount
+  };
+}

package/src-cli/utils/theme.js

@@ -0,0 +1,25 @@
+import pc from 'picocolors';
+
+export const theme = {
+  // Brand Colors
+  brand: (txt) => pc.bold(pc.red(txt)),
+  danger: (txt) => pc.red(txt),
+  warning: (txt) => pc.yellow(txt),
+  success: (txt) => pc.green(txt),
+  info: (txt) => pc.blue(txt),
+  
+  // Terminal Vibe
+  dim: (txt) => pc.gray(txt),
+  bold: (txt) => pc.bold(txt),
+  italic: (txt) => pc.italic(txt),
+  
+  // Tactical Callsigns (Elite Vibe)
+  handler: (txt) => pc.bgBlack(pc.white(pc.bold(` 🖥️ THE HANDLER `))) + ' ' + pc.dim(txt),
+  scout: (txt) => pc.cyan(pc.bold(`[Scout]`)) + ' ' + pc.dim(`: ${txt}`),
+  ghost: (txt) => pc.magenta(pc.bold(`[Ghost]`)) + ' ' + pc.dim(`: ${txt}`),
+  breacher: (txt) => pc.red(pc.bold(`[Breacher]`)) + ' ' + pc.dim(`: ${txt}`),
+  cleaner: (txt) => pc.gray(pc.bold(`[Cleaner]`)) + ' ' + pc.dim(`: ${txt}`),
+  
+  // Exploit Alert (High Impact)
+  exploit: (txt) => pc.bgRed(pc.white(pc.bold(` ⚠ EXPLOIT SUCCESSFUL `))) + ' ' + pc.bold(pc.red(txt)),
+};