whale-code 6.4.0

package/dist/server/handlers/inventory.js

@@ -0,0 +1,447 @@
+// server/handlers/inventory.ts — Inventory management handlers
+export async function handleInventory(sb, args, storeId) {
+    const sid = storeId;
+    switch (args.action) {
+        case "adjust": {
+            const productId = args.product_id;
+            const locationId = args.location_id;
+            const adjustment = args.adjustment;
+            const reason = args.reason || "Manual adjustment";
+            const { data: product } = await sb.from("products").select("name, sku").eq("id", productId).eq("store_id", sid).single();
+            const { data: location } = await sb.from("locations").select("name").eq("id", locationId).eq("store_id", sid).single();
+            // Atomic RPC — row-locked, includes audit trail
+            const { data: result, error: rpcError } = await sb.rpc("atomic_inventory_adjust", {
+                p_store_id: sid, p_product_id: productId, p_location_id: locationId,
+                p_adjustment: adjustment, p_reason: reason,
+            });
+            if (rpcError)
+                return { success: false, error: rpcError.message };
+            const rpcResult = result;
+            if (!rpcResult.success)
+                return { success: false, error: rpcResult.error || "Adjust failed" };
+            const d = rpcResult.data || {};
+            const sign = adjustment >= 0 ? "+" : "";
+            return {
+                success: true,
+                data: {
+                    intent: `Adjust inventory for ${product?.name || 'product'} at ${location?.name || 'location'}: ${sign}${adjustment} units`,
+                    product: product ? { id: productId, name: product.name, sku: product.sku } : { id: productId },
+                    location: location ? { id: locationId, name: location.name } : { id: locationId },
+                    adjustment, reason,
+                    before_state: { quantity: d.before },
+                    after_state: { quantity: d.after },
+                    change: { from: d.before, to: d.after, delta: adjustment }
+                }
+            };
+        }
+        case "set": {
+            const productId = args.product_id;
+            const locationId = args.location_id;
+            const newQty = args.quantity;
+            const { data: product } = await sb.from("products").select("name, sku").eq("id", productId).eq("store_id", sid).single();
+            const { data: location } = await sb.from("locations").select("name").eq("id", locationId).eq("store_id", sid).single();
+            // Atomic RPC — row-locked, includes audit trail
+            const { data: result, error: rpcError } = await sb.rpc("atomic_inventory_set", {
+                p_store_id: sid, p_product_id: productId, p_location_id: locationId,
+                p_quantity: newQty, p_reason: `Set to ${newQty}`,
+            });
+            if (rpcError)
+                return { success: false, error: rpcError.message };
+            const rpcResult = result;
+            if (!rpcResult.success)
+                return { success: false, error: rpcResult.error || "Set failed" };
+            const d = rpcResult.data || {};
+            const delta = d.delta || 0;
+            const sign = delta >= 0 ? "+" : "";
+            return {
+                success: true,
+                data: {
+                    intent: `Set inventory for ${product?.name || 'product'} at ${location?.name || 'location'} to ${newQty} units`,
+                    product: product ? { id: productId, name: product.name, sku: product.sku } : { id: productId },
+                    location: location ? { id: locationId, name: location.name } : { id: locationId },
+                    before_state: { quantity: d.before },
+                    after_state: { quantity: d.after },
+                    change: { from: d.before, to: d.after, delta, description: `${sign}${delta} units` }
+                }
+            };
+        }
+        case "transfer": {
+            // C3 FIX: Use atomic RPC with row-level locking instead of separate upserts
+            const qty = args.quantity;
+            const productId = args.product_id;
+            const fromLocationId = args.from_location_id;
+            const toLocationId = args.to_location_id;
+            const { data: product } = await sb.from("products").select("name, sku").eq("id", productId).eq("store_id", sid).single();
+            const { data: fromLocation } = await sb.from("locations").select("name").eq("id", fromLocationId).eq("store_id", sid).single();
+            const { data: toLocation } = await sb.from("locations").select("name").eq("id", toLocationId).eq("store_id", sid).single();
+            // Atomic transfer — row-locked, transactional, no race conditions
+            const { data: result, error: rpcError } = await sb.rpc("atomic_inventory_transfer", {
+                p_store_id: sid,
+                p_product_id: productId,
+                p_from_location_id: fromLocationId,
+                p_to_location_id: toLocationId,
+                p_quantity: qty,
+            });
+            if (rpcError) {
+                return { success: false, error: rpcError.message };
+            }
+            const rpcResult = result;
+            if (!rpcResult.success) {
+                return { success: false, error: rpcResult.error || "Transfer failed" };
+            }
+            const transferData = rpcResult.data || {};
+            return {
+                success: true,
+                data: {
+                    intent: `Transfer ${qty} units of ${product?.name || 'product'} from ${fromLocation?.name || 'source'} to ${toLocation?.name || 'destination'}`,
+                    product: product ? { id: productId, name: product.name, sku: product.sku } : { id: productId },
+                    from_location: fromLocation ? { id: fromLocationId, name: fromLocation.name } : { id: fromLocationId },
+                    to_location: toLocation ? { id: toLocationId, name: toLocation.name } : { id: toLocationId },
+                    quantity_transferred: qty,
+                    before_state: { from_quantity: transferData.source_before, to_quantity: transferData.dest_before, total: (transferData.source_before || 0) + (transferData.dest_before || 0) },
+                    after_state: { from_quantity: transferData.source_after, to_quantity: transferData.dest_after, total: (transferData.source_after || 0) + (transferData.dest_after || 0) }
+                }
+            };
+        }
+        case "bulk_set": {
+            const items = args.items;
+            if (!items || !Array.isArray(items) || items.length === 0)
+                return { success: false, error: "items array is required" };
+            const results = [];
+            for (const item of items) {
+                const { data: result, error: rpcError } = await sb.rpc("atomic_inventory_set", {
+                    p_store_id: sid, p_product_id: item.product_id, p_location_id: item.location_id,
+                    p_quantity: item.quantity, p_reason: "Bulk set",
+                });
+                if (rpcError) {
+                    results.push({ product_id: item.product_id, location_id: item.location_id, ok: "no", error: rpcError.message });
+                    continue;
+                }
+                const r = result;
+                if (!r.success) {
+                    results.push({ product_id: item.product_id, location_id: item.location_id, ok: "no", error: r.error });
+                    continue;
+                }
+                results.push({ product_id: item.product_id, location_id: item.location_id, ok: "yes", before: r.data?.before, after: r.data?.after });
+            }
+            const succeeded = results.filter(r => r.ok === "yes").length;
+            return { success: true, data: { total: items.length, succeeded, failed: items.length - succeeded, results } };
+        }
+        case "bulk_adjust": {
+            const items = args.items;
+            if (!items || !Array.isArray(items) || items.length === 0)
+                return { success: false, error: "items array is required" };
+            const results = [];
+            for (const item of items) {
+                const { data: result, error: rpcError } = await sb.rpc("atomic_inventory_adjust", {
+                    p_store_id: sid, p_product_id: item.product_id, p_location_id: item.location_id,
+                    p_adjustment: item.adjustment, p_reason: "Bulk adjustment",
+                });
+                if (rpcError) {
+                    results.push({ product_id: item.product_id, location_id: item.location_id, ok: "no", error: rpcError.message });
+                    continue;
+                }
+                const r = result;
+                if (!r.success) {
+                    results.push({ product_id: item.product_id, location_id: item.location_id, ok: "no", error: r.error });
+                    continue;
+                }
+                results.push({ product_id: item.product_id, location_id: item.location_id, ok: "yes", before: r.data?.before, after: r.data?.after });
+            }
+            const succeeded = results.filter(r => r.ok === "yes").length;
+            return { success: true, data: { total: items.length, succeeded, failed: items.length - succeeded, results } };
+        }
+        case "bulk_clear": {
+            const locationId = args.location_id;
+            if (!locationId)
+                return { success: false, error: "location_id is required" };
+            // Fetch items with stock > 0, then use atomic_inventory_set for audit trail
+            const { data: items, error: fetchErr } = await sb.from("inventory")
+                .select("product_id, quantity").eq("store_id", sid).eq("location_id", locationId).gt("quantity", 0);
+            if (fetchErr)
+                return { success: false, error: fetchErr.message };
+            if (!items || items.length === 0)
+                return { success: true, data: { location_id: locationId, items_cleared: 0 } };
+            const results = [];
+            for (const item of items) {
+                const { data: result, error: rpcError } = await sb.rpc("atomic_inventory_set", {
+                    p_store_id: sid, p_product_id: item.product_id, p_location_id: locationId,
+                    p_quantity: 0, p_reason: "Bulk clear",
+                });
+                if (rpcError) {
+                    results.push({ product_id: item.product_id, success: false, error: rpcError.message });
+                    continue;
+                }
+                const r = result;
+                if (!r.success) {
+                    results.push({ product_id: item.product_id, success: false, error: r.error });
+                    continue;
+                }
+                results.push({ product_id: item.product_id, success: true, before: r.data?.before });
+            }
+            const succeeded = results.filter(r => r.success).length;
+            return { success: true, data: { location_id: locationId, items_cleared: succeeded, total: items.length, results } };
+        }
+        default:
+            return { success: false, error: `Unknown inventory action: ${args.action}` };
+    }
+}
+// Resolve location name/slug to UUID — accepts UUID passthrough, name, or slug
+async function resolveLocationId(sb, sid, input) {
+    if (/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(input)) {
+        const { data } = await sb.from("locations").select("id, name").eq("id", input).eq("store_id", sid).single();
+        return data;
+    }
+    const clean = input.replace(/-/g, " ");
+    const { data } = await sb.from("locations").select("id, name").eq("store_id", sid)
+        .or(`name.ilike.%${clean}%,slug.ilike.%${input}%`).limit(1);
+    return data?.[0] || null;
+}
+export async function handleInventoryQuery(sb, args, storeId) {
+    const sid = storeId;
+    switch (args.action) {
+        case "summary": {
+            const { data, error } = await sb.from("inventory")
+                .select("*, product:products(name, sku), location:locations(name)")
+                .eq("store_id", sid).limit(1000);
+            if (error)
+                return { success: false, error: error.message };
+            const byLocation = {};
+            for (const row of data || []) {
+                const locId = row.location_id;
+                if (!byLocation[locId])
+                    byLocation[locId] = { location_id: locId, location_name: row.location?.name || locId, items: 0, total_qty: 0 };
+                byLocation[locId].items++;
+                byLocation[locId].total_qty += row.quantity || 0;
+            }
+            return { success: true, data: { total_items: data?.length || 0, by_location: Object.values(byLocation) } };
+        }
+        case "velocity": {
+            const days = args.days || 30;
+            const categoryId = args.category_id;
+            const productId = args.product_id;
+            const locationId = args.location_id;
+            const limit = args.limit || 50;
+            const { data, error } = await sb.rpc("get_product_velocity", {
+                p_store_id: sid, p_days: days, p_location_id: locationId || null,
+                p_category_id: categoryId || null, p_product_id: productId || null, p_limit: limit
+            });
+            if (error)
+                return { success: false, error: error.message };
+            const products = (data || []).map((row) => ({
+                productId: row.product_id, name: row.product_name, sku: row.product_sku,
+                category: row.category_name, locationId: row.location_id, locationName: row.location_name,
+                totalQty: row.units_sold, totalRevenue: row.revenue, orderCount: row.order_count,
+                velocityPerDay: row.daily_velocity, revenuePerDay: row.daily_revenue,
+                currentStock: row.current_stock, daysOfStock: row.days_of_stock,
+                avgPrice: row.avg_unit_price, stockAlert: row.stock_status
+            }));
+            return { success: true, data: { days, filters: { categoryId, locationId, productId }, products } };
+        }
+        case "by_location": {
+            let q = sb.from("inventory").select("product_id, location_id, quantity, product:products(name, sku, category:categories!primary_category_id(name)), location:locations(name)")
+                .eq("store_id", sid);
+            if (args.location_id || args.location) {
+                const locInput = (args.location_id || args.location);
+                const loc = await resolveLocationId(sb, sid, locInput);
+                if (!loc)
+                    return { success: false, error: `Location not found: "${locInput}". Use locations tool to list available locations.` };
+                q = q.eq("location_id", loc.id);
+            }
+            if (args.limit)
+                q = q.limit(args.limit);
+            const { data, error } = await q.order("quantity", { ascending: false });
+            if (error)
+                return { success: false, error: error.message };
+            const flattened = (data || []).map((row) => ({
+                product_id: row.product_id,
+                product_name: row.product?.name || "—",
+                product_sku: row.product?.sku || "—",
+                category: row.product?.category?.name || null,
+                location_id: row.location_id,
+                location_name: row.location?.name || "—",
+                quantity: row.quantity,
+            }));
+            return { success: true, count: flattened.length, data: flattened };
+        }
+        case "in_stock": {
+            let inStockQ = sb.from("inventory")
+                .select("product_id, location_id, quantity, product:products(name, sku, category:categories!primary_category_id(name)), location:locations(name)")
+                .eq("store_id", sid).gt("quantity", 0);
+            if (args.location_id || args.location) {
+                const locInput = (args.location_id || args.location);
+                const loc = await resolveLocationId(sb, sid, locInput);
+                if (!loc)
+                    return { success: false, error: `Location not found: "${locInput}". Use locations tool to list available locations.` };
+                inStockQ = inStockQ.eq("location_id", loc.id);
+            }
+            if (args.limit)
+                inStockQ = inStockQ.limit(args.limit);
+            const { data, error } = await inStockQ.order("quantity", { ascending: false });
+            if (error)
+                return { success: false, error: error.message };
+            const flattened = (data || []).map((row) => ({
+                product_id: row.product_id,
+                product_name: row.product?.name || "—",
+                product_sku: row.product?.sku || "—",
+                category: row.product?.category?.name || null,
+                location_id: row.location_id,
+                location_name: row.location?.name || "—",
+                quantity: row.quantity,
+            }));
+            return { success: true, count: flattened.length, data: flattened };
+        }
+        case "by_category": {
+            // Pre-grouped inventory by category — compact summary the LLM can use directly
+            let catQ = sb.from("inventory")
+                .select("product_id, location_id, quantity, product:products!inner(name, sku, status, primary_category_id, category:categories!primary_category_id(name, parent_id)), location:locations(name)")
+                .eq("store_id", sid).gt("quantity", 0)
+                .eq("product.status", "published");
+            // Optional location filter
+            let locationName = null;
+            if (args.location_id || args.location) {
+                const locInput = (args.location_id || args.location);
+                const loc = await resolveLocationId(sb, sid, locInput);
+                if (!loc)
+                    return { success: false, error: `Location not found: "${locInput}". Use locations tool to list available locations.` };
+                catQ = catQ.eq("location_id", loc.id);
+                locationName = loc.name;
+            }
+            const { data, error } = await catQ;
+            // Optional category filter — includes sub-categories
+            let categoryFilter = null;
+            if (args.category) {
+                const catInput = args.category;
+                const isUuid = /^[0-9a-f]{8}-/i.test(catInput);
+                let parentId = null;
+                if (isUuid) {
+                    parentId = catInput;
+                }
+                else {
+                    const { data: cats } = await sb.from("categories").select("id").ilike("name", `%${catInput}%`).eq("store_id", sid).limit(1);
+                    if (cats?.length)
+                        parentId = cats[0].id;
+                }
+                if (parentId) {
+                    const { data: children } = await sb.from("categories").select("id").eq("parent_id", parentId).eq("store_id", sid);
+                    categoryFilter = new Set([parentId, ...(children || []).map(c => c.id)]);
+                }
+                else {
+                    // Category name didn't match anything — filter out everything
+                    categoryFilter = new Set();
+                }
+            }
+            if (error)
+                return { success: false, error: error.message };
+            // Group by category
+            const catMap = {};
+            for (const row of data || []) {
+                // Apply category filter if set
+                if (categoryFilter) {
+                    const prodCatId = row.product?.primary_category_id;
+                    if (!prodCatId || !categoryFilter.has(prodCatId))
+                        continue;
+                }
+                const cat = row.product?.category?.name || "Uncategorized";
+                const pName = row.product?.name || "—";
+                const pSku = row.product?.sku || "—";
+                const locName = row.location?.name || "—";
+                const qty = row.quantity || 0;
+                if (!catMap[cat])
+                    catMap[cat] = { products: {}, total_qty: 0 };
+                catMap[cat].total_qty += qty;
+                const pKey = row.product_id;
+                if (!catMap[cat].products[pKey])
+                    catMap[cat].products[pKey] = { name: pName, sku: pSku, total_qty: 0, locations: [] };
+                catMap[cat].products[pKey].total_qty += qty;
+                if (!catMap[cat].products[pKey].locations.includes(locName))
+                    catMap[cat].products[pKey].locations.push(locName);
+            }
+            // Format as pre-rendered markdown — the CLI formatter drops nested arrays,
+            // so we render products-per-category here to prevent the agent from losing
+            // the product→category mapping and reconstructing it incorrectly.
+            const categories = Object.entries(catMap)
+                .sort((a, b) => b[1].total_qty - a[1].total_qty)
+                .map(([cat, info]) => ({
+                category: cat,
+                total_qty: Math.round(info.total_qty * 100) / 100,
+                product_count: Object.keys(info.products).length,
+                products: Object.values(info.products)
+                    .sort((a, b) => b.total_qty - a.total_qty)
+                    .map(p => ({ name: p.name, sku: p.sku, qty: Math.round(p.total_qty * 100) / 100 })),
+            }));
+            const totalProducts = categories.reduce((s, c) => s + c.product_count, 0);
+            const header = locationName ? `Inventory at ${locationName}` : "Inventory by Category";
+            const lines = [
+                `## ${header}${args.category ? ` — ${args.category}` : ""}`,
+                `${categories.length} categories, ${totalProducts} products in stock\n`,
+            ];
+            for (const cat of categories) {
+                lines.push(`### ${cat.category} (${cat.product_count} products, ${cat.total_qty} units)`);
+                lines.push("| Product | SKU | Qty |");
+                lines.push("| --- | --- | ---: |");
+                for (const p of cat.products) {
+                    lines.push(`| ${p.name} | ${p.sku} | ${p.qty} |`);
+                }
+                lines.push("");
+            }
+            lines.push("This is the COMPLETE inventory breakdown. Every in-stock product is listed under its correct category. Do NOT re-fetch individual categories or call in_stock — all data is here.");
+            return { success: true, data: lines.join("\n") };
+        }
+        case "out_of_stock": {
+            // Find all published products with zero or no inventory across all locations
+            const { data: products, error: pErr } = await sb.from("products")
+                .select("id, name, sku, category:categories!primary_category_id(name)").eq("store_id", sid).eq("status", "published");
+            if (pErr)
+                return { success: false, error: pErr.message };
+            const { data: inv } = await sb.from("inventory")
+                .select("product_id, quantity").eq("store_id", sid);
+            // Sum stock per product
+            const stockMap = {};
+            for (const row of inv || []) {
+                stockMap[row.product_id] = (stockMap[row.product_id] || 0) + (row.quantity || 0);
+            }
+            const outOfStock = (products || [])
+                .filter(p => !stockMap[p.id] || stockMap[p.id] <= 0)
+                .map(p => ({ product_id: p.id, name: p.name, sku: p.sku, category: p.category?.name || null, total_stock: stockMap[p.id] || 0 }));
+            return { success: true, count: outOfStock.length, total_products: products?.length || 0, data: outOfStock };
+        }
+        default:
+            return { success: false, error: `Unknown inventory_query action: ${args.action}` };
+    }
+}
+export async function handleInventoryAudit(sb, args, storeId) {
+    const sid = storeId;
+    switch (args.action) {
+        case "start": {
+            const { data, error } = await sb.from("inventory_audits")
+                .insert({ store_id: sid, location_id: args.location_id, status: "in_progress", started_at: new Date().toISOString() })
+                .select().single();
+            return error ? { success: false, error: error.message } : { success: true, data };
+        }
+        case "count": {
+            // Verify the parent audit belongs to this store before updating items
+            const { data: audit } = await sb.from("inventory_audits").select("id").eq("id", args.audit_id).eq("store_id", sid).single();
+            if (!audit)
+                return { success: false, error: "Audit not found" };
+            const { data, error } = await sb.from("inventory_audit_items")
+                .update({ counted_quantity: args.counted })
+                .eq("audit_id", args.audit_id).eq("product_id", args.product_id).select().single();
+            return error ? { success: false, error: error.message } : { success: true, data };
+        }
+        case "complete": {
+            const { data, error } = await sb.from("inventory_audits")
+                .update({ status: "completed", completed_at: new Date().toISOString() })
+                .eq("id", args.audit_id).eq("store_id", sid).select().single();
+            return error ? { success: false, error: error.message } : { success: true, data };
+        }
+        case "summary": {
+            const { data, error } = await sb.from("inventory_audits")
+                .select("*, items:inventory_audit_items(*)").eq("store_id", sid)
+                .order("created_at", { ascending: false }).limit(args.limit || 5);
+            return error ? { success: false, error: error.message } : { success: true, data };
+        }
+        default:
+            return { success: false, error: `Unknown inventory_audit action: ${args.action}` };
+    }
+}

package/dist/server/handlers/kali.d.ts

@@ -0,0 +1,10 @@
+import type { SupabaseClient } from "@supabase/supabase-js";
+export interface KaliProgressEvent {
+    type: "stdout" | "stderr";
+    data: string;
+}
+export declare function handleKali(_sb: SupabaseClient, args: Record<string, unknown>, _storeId?: string, onToolProgress?: (progress: KaliProgressEvent) => void): Promise<{
+    success: boolean;
+    data?: unknown;
+    error?: string;
+}>;

package/dist/server/handlers/kali.js

@@ -0,0 +1,210 @@
+// server/handlers/kali.ts — Kali Linux remote execution
+// Proxies commands to a dedicated Fly.io Kali machine via internal network.
+// Pattern: same as browser.ts — external execution environment, handler is a thin proxy.
+// Supports NDJSON streaming for exec actions via exec_stream on kali-box.
+const KALI_BOX_URL = process.env.KALI_BOX_URL || "http://kali-box.internal:8080";
+const KALI_AUTH_TOKEN = process.env.KALI_AUTH_TOKEN || "";
+const MAX_OUTPUT_CHARS = 500 * 1024; // 500KB safety cap — context_management handles limits
+const VALID_ACTIONS = new Set([
+    "exec", "exec_stream", "exec_bg", "bg_status", "bg_kill", "bg_list",
+    "upload", "download", "info", "sessions", "reset",
+]);
+const FORWARD_KEYS = [
+    "command", "session_id", "timeout", "job_id",
+    "path", "content", "encoding", "tail",
+];
+function truncate(text) {
+    if (!text || text.length <= MAX_OUTPUT_CHARS)
+        return text;
+    return text.substring(0, MAX_OUTPUT_CHARS) + `\n...[truncated, ${text.length} total chars]`;
+}
+/**
+ * Read NDJSON lines from a ReadableStream (Node.js or web).
+ * Yields parsed JSON objects, one per newline-delimited line.
+ */
+async function* readNDJSON(body) {
+    const reader = body.getReader();
+    const decoder = new TextDecoder();
+    let buffer = "";
+    try {
+        while (true) {
+            const { done, value } = await reader.read();
+            if (done)
+                break;
+            buffer += decoder.decode(value, { stream: true });
+            // Process complete lines
+            let newlineIdx;
+            while ((newlineIdx = buffer.indexOf("\n")) !== -1) {
+                const line = buffer.substring(0, newlineIdx).trim();
+                buffer = buffer.substring(newlineIdx + 1);
+                if (line) {
+                    try {
+                        yield JSON.parse(line);
+                    }
+                    catch {
+                        // Skip malformed JSON lines
+                    }
+                }
+            }
+        }
+        // Process any remaining buffer
+        const remaining = buffer.trim();
+        if (remaining) {
+            try {
+                yield JSON.parse(remaining);
+            }
+            catch {
+                // Skip malformed final fragment
+            }
+        }
+    }
+    finally {
+        reader.releaseLock();
+    }
+}
+export async function handleKali(_sb, args, _storeId, onToolProgress) {
+    const action = args.action;
+    if (!action) {
+        return { success: false, error: "action is required" };
+    }
+    if (!VALID_ACTIONS.has(action)) {
+        return { success: false, error: `Unknown action: ${action}. Valid: ${[...VALID_ACTIONS].join(", ")}` };
+    }
+    if ((action === "exec" || action === "exec_stream" || action === "exec_bg") && !args.command) {
+        return { success: false, error: "command is required for exec/exec_bg" };
+    }
+    if (!KALI_AUTH_TOKEN) {
+        return { success: false, error: "KALI_AUTH_TOKEN not configured on whale-agent" };
+    }
+    // Build payload — only forward recognized keys
+    const payload = { action };
+    for (const key of FORWARD_KEYS) {
+        if (args[key] !== undefined)
+            payload[key] = args[key];
+    }
+    // Command timeout + HTTP buffer
+    const cmdTimeout = Math.min(args.timeout || 30000, 600000);
+    const httpTimeout = cmdTimeout + 10000; // 10s buffer over command timeout
+    // ── Streaming path: exec actions use exec_stream on kali-box ──────
+    if ((action === "exec" || action === "exec_stream") && onToolProgress) {
+        payload.action = "exec_stream";
+        payload.timeout = cmdTimeout;
+        try {
+            const controller = new AbortController();
+            const timer = setTimeout(() => controller.abort(), httpTimeout);
+            const resp = await fetch(KALI_BOX_URL, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/json",
+                    Authorization: `Bearer ${KALI_AUTH_TOKEN}`,
+                },
+                body: JSON.stringify(payload),
+                signal: controller.signal,
+            });
+            clearTimeout(timer);
+            if (!resp.ok) {
+                const text = await resp.text().catch(() => "");
+                return { success: false, error: `Kali box HTTP ${resp.status}: ${text.substring(0, 500)}` };
+            }
+            if (!resp.body) {
+                return { success: false, error: "Kali box returned no response body for exec_stream" };
+            }
+            // Read NDJSON stream — emit progress for each chunk, accumulate for final result
+            let stdout = "";
+            let stderr = "";
+            let doneEvent = null;
+            for await (const line of readNDJSON(resp.body)) {
+                if (line.type === "stdout") {
+                    const data = String(line.data || "");
+                    stdout += data;
+                    // Filter out the CWD marker line from progress events
+                    if (!data.includes("__KALI_END_")) {
+                        onToolProgress({ type: "stdout", data });
+                    }
+                }
+                else if (line.type === "stderr") {
+                    const data = String(line.data || "");
+                    stderr += data;
+                    onToolProgress({ type: "stderr", data });
+                }
+                else if (line.type === "done") {
+                    doneEvent = line;
+                }
+            }
+            // Strip CWD marker from accumulated stdout (same as non-streaming path)
+            const markerIdx = stdout.lastIndexOf("__KALI_END_");
+            if (markerIdx !== -1) {
+                stdout = stdout.substring(0, markerIdx);
+            }
+            // Build final result (same shape as non-streaming exec)
+            const exitCode = doneEvent ? doneEvent.exit_code ?? -1 : -1;
+            const result = {
+                success: exitCode === 0,
+                stdout: truncate(stdout.replace(/\s+$/, "")),
+                stderr: truncate(stderr.replace(/\s+$/, "")),
+                exit_code: exitCode,
+                killed: doneEvent?.killed ?? false,
+                cwd: doneEvent?.cwd ?? "",
+                duration_ms: doneEvent?.duration_ms ?? 0,
+            };
+            return { success: exitCode === 0, data: result };
+        }
+        catch (err) {
+            if (err instanceof Error && err.name === "AbortError") {
+                return { success: false, error: `Kali box streaming request timed out after ${httpTimeout}ms` };
+            }
+            const msg = err instanceof Error ? err.message : String(err);
+            if (msg.includes("ECONNREFUSED") || msg.includes("ENOTFOUND") || msg.includes("fetch failed")) {
+                return {
+                    success: false,
+                    error: `Cannot reach kali-box at ${KALI_BOX_URL}. Ensure the kali-box Fly.io app is running (fly status -a kali-box).`,
+                };
+            }
+            return { success: false, error: `Kali box streaming error: ${msg}` };
+        }
+    }
+    // ── Standard path: non-exec actions or no progress callback ───────
+    if (action === "exec")
+        payload.timeout = cmdTimeout;
+    try {
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), httpTimeout);
+        const resp = await fetch(KALI_BOX_URL, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${KALI_AUTH_TOKEN}`,
+            },
+            body: JSON.stringify(payload),
+            signal: controller.signal,
+        });
+        clearTimeout(timer);
+        if (!resp.ok) {
+            const text = await resp.text().catch(() => "");
+            return { success: false, error: `Kali box HTTP ${resp.status}: ${text.substring(0, 500)}` };
+        }
+        const result = (await resp.json());
+        // Truncate large text fields before returning to agent
+        if (typeof result.stdout === "string")
+            result.stdout = truncate(result.stdout);
+        if (typeof result.stderr === "string")
+            result.stderr = truncate(result.stderr);
+        if (typeof result.content === "string")
+            result.content = truncate(result.content);
+        return { success: result.success !== false, data: result };
+    }
+    catch (err) {
+        if (err instanceof Error && err.name === "AbortError") {
+            return { success: false, error: `Kali box request timed out after ${httpTimeout}ms` };
+        }
+        const msg = err instanceof Error ? err.message : String(err);
+        // Friendly message for connection failures
+        if (msg.includes("ECONNREFUSED") || msg.includes("ENOTFOUND") || msg.includes("fetch failed")) {
+            return {
+                success: false,
+                error: `Cannot reach kali-box at ${KALI_BOX_URL}. Ensure the kali-box Fly.io app is running (fly status -a kali-box).`,
+            };
+        }
+        return { success: false, error: `Kali box error: ${msg}` };
+    }
+}