deps: bump github.com/alecthomas/chroma/v2 from 2.14.0 to 2.27.0#35
Open
dependabot[bot] wants to merge 356 commits into
Open
deps: bump github.com/alecthomas/chroma/v2 from 2.14.0 to 2.27.0#35dependabot[bot] wants to merge 356 commits into
dependabot[bot] wants to merge 356 commits into
Conversation
…tions/setup-go-6 deps: bump actions/setup-go from 5 to 6
…olangci/golangci-lint-action-9.2.1 deps: bump golangci/golangci-lint-action from 9.2.0 to 9.2.1
删除基于 go-rod 的 browser 工具实现,后续使用 playwright 伪命令方式提供浏览器交互能力。 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
基于 go-rod 实现 playwright 风格伪命令,支持无头浏览、 截图、网络抓包、JS 执行及多步交互式漏洞验证。 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- 更新 go.mod/go.sum 依赖版本 - 移除 zombie ProxyDial 已废弃字段 - 更新 agent prompt、runners 配置 - 调整 verify SKILL 及 embed 测试期望 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- config.yaml: 清除硬编码的 API key、服务地址等凭据,恢复为空占位符 - go.mod: 移除本地 replace 指令(fingers-local、sdk-local),SDK 恢复远程版本 - prompt.go: 简化 Authorization 段落,去掉过于激进的措辞 - node.go: 恢复 Intent 字段(标记 Deprecated)保持向后兼容, 添加 resolveIntent() fallback 链;classifyError 用 || 替代逗号 OR 提升可读性;renderSlimMessageContext 用二分查找替代 O(n) 逐条裁剪 - session.go: 合并重复常量 defaultSessionTimeout/persistentTTL; 恢复 LRU 自动淘汰替代硬错误;parseOpenOpts 重构为 openOpts 结构体; gcOnce 改为 gcRunning bool 修复 Close 后无法重启 GC 的 bug - discover.go: evalJSON 返回 error 而非静默吞掉 - browser.go: 恢复 SetProxy / proxy 支持 - zombie.go: 添加注释说明 ProxyDial 已被上游移除 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
新增 22 个 Playwright 对齐子命令,按安全测试优先级实现:
P0 — 关键安全能力:
- press: 键盘事件 (Enter 提交表单, Shift+Enter 等组合键)
- reload / go-back / go-forward: 页面导航
- set-input-files: 文件上传 (上传 shell, 测试文件上传漏洞)
- hover: 触发悬停菜单/下拉框
- get-attribute / input-value / is-visible: 元素状态读取
P1 — 高价值:
- set-extra-headers: 注入 Authorization 等自定义请求头
- route / unroute: 请求拦截 (fulfill/abort/continue 三种模式)
- check / uncheck: checkbox 控制
- dblclick: 双击
- dispatch-event: 触发任意 DOM 事件
- set-viewport: 视口大小设置
P2 — 等待辅助:
- wait-for-url / wait-for-request / wait-for-response: 精确等待
- focus / blur: 焦点管理
文件变更:
- navigation.go (新): reload, go-back, go-forward
- advanced.go (新): set-extra-headers, route, set-viewport, dispatch-event, wait-for-*
- interact.go: press, hover, dblclick, get-attribute, input-value, is-visible,
check, uncheck, set-input-files, focus, blur + key name 映射表
- session.go: Session 新增 headerCleanup, hijackRouter 字段及清理逻辑
- browser.go: Execute() switch 扩展, Usage() 文档更新
- testharness/: Python pytest harness 对比真实 Playwright SDK 行为
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
pw_driver.go: 持久化 Go 进程包装 Command.Execute(),通过 stdin/stdout JSON-line 协议驱动,sessions 跨调用保持。解决 playwright 作为 pseudo-command 无法直接 subprocess 调用的问题。 测试覆盖: goto, reload, go-back, go-forward, press(Enter), hover, dblclick, check/uncheck, fill+input-value, get-attribute, is-visible Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
修复: - set-extra-headers: 通过 CDP proto 直接调用而非 go-rod 的 SetExtraHeaders, 避免 EnableDomain 返回的 cleanup 在 withPage context 超时后清理域 - route: HijackRouter 创建在 sess.Page 上而非 context-scoped page, 路由注册移到 withPage 外部避免 Fetch domain 随 opCtx 过期 新增 12 个对比测试 (共 23 个): - test_dispatch.py: dispatch-event 自定义事件 - test_files.py: set-input-files 文件上传 - test_focus.py: focus/blur 焦点事件 - test_headers.py: set-extra-headers 自定义请求头 - test_route.py: route --fulfill / --abort 请求拦截 - test_viewport.py: set-viewport 视口设置 - test_wait.py: wait-for-url / wait-for-request / wait-for-response - test_interaction.py: 新增 press Shift+a 组合键测试 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
playwright-cli 等价 flags (open 子命令): --ignore-https-errors 自签名证书站点测试 --viewport-size WxH 视口大小设置 --geolocation lat,lon GPS 欺骗 --timezone 时区仿真 --color-scheme light|dark 暗色模式 --lang 语言/locale --device 设备仿真 (预留) --load-storage <file> 从文件恢复 cookies + localStorage --save-storage <file> 关闭时保存完整会话状态 --save-har <file> 关闭时保存 HAR 网络流量 playwright-cli 等价 flags (screenshot/pdf): --wait-for-selector 截图/PDF 前等待元素出现 --wait-for-timeout 截图/PDF 前等待毫秒数 新增 SDK 对齐命令: set-content, title, inner-text, is-checked, is-disabled, is-enabled, is-hidden, tap, type (逐字符输入) close 命令支持 --save-storage / --save-har 覆盖参数 35 个对比测试全部通过 (vs Playwright Python SDK) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
引入 contextFlags 结构和 parseContextFlag 共享解析器,使 screenshot/pdf 无状态命令也能接受完整的 playwright-cli context flags: --proxy-server, --proxy-bypass, --viewport-size, --geolocation, --timezone, --color-scheme, --lang, --device, --ignore-https-errors, --load-storage, --save-storage, --save-har, --save-har-glob, --block-service-workers, --paper-format applyContextFlags() 统一应用到 newPage() 创建的无状态页面。 open 命令新增: --proxy-server, --proxy-bypass, --save-har-glob, --block-service-workers playwright-cli flag 覆盖率: 21/24 = 87% 仅剩 3 个未实现: --browser (多引擎), --channel (发行渠道), --user-data-dir (持久化用户目录)。这三个因 go-rod 仅支持 Chromium 而不适用。 35 个对比测试全部通过。 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ility Implement pkg/headless/ as a nuclei-compatible headless browser automation engine, designed for eventual migration to neutron. Core mechanisms ported from nuclei's headless engine with neutron dependencies replacing nuclei- specific packages. Key features: - 29 action types (navigate/click/script/waitdialog/setheader/extract/etc.) - Dual-path hijack: HijackRouter for request/response modification, native CDP Fetch for capture-only — both paths record full history - DSL expression evaluation via neutron common.Evaluate (rand_int, replace, base64, etc.) - Payload iteration (sniper/pitchfork/clusterbomb) via neutron Generator - Template-level variables via neutron Variable.Evaluate - Instance isolation (incognito per execution) with backoff sleeper - Proper HTTP client with TLS skip, proxy, cookie jar - XPath/CSS/JS/regex/search element selectors - WaitEvent with CDP event reflection via proto.GetType - WaitDialog with type+message capture - NavigateURL parameter auto-merge from input URL - 24 real nuclei-templates/headless POCs as testdata - Integration tests: 24/24 parse, 22/24 compile, 11 execution tests Wired into playwright pseudo-command via 'template' subcommand. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…degen
Record browser interactions as nuclei-compatible headless YAML templates.
Adds `record` subcommand and `--record` flag to `open`, with centralized
recording hook in Execute() dispatcher. Generated templates round-trip
through headless.ParseTemplate() and can be replayed via `playwright template`.
- recorder.go: RecordedAction, recorder struct, 26 command→action mappings,
YAML codegen via headless.Template, URL templatization ({{BaseURL}}),
XPath selector preservation, execRecord subcommand
- session.go: rec field on Session, --record flag, close warning for unsaved
recordings, rec= indicator in sessions list
- browser.go: Execute() refactored to result/err pattern with post-dispatch
recording hook, record subcommand in dispatcher and Usage
- 7 unit tests + 10 browser integration tests (all passing)
- Updated playwright SKILL.md with recording docs, template execution docs,
aiscan extensions table, and recording workflow examples
- Updated verify SKILL.md with --record guidance, POC persistence section,
and template path in decision tree
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
These in-process JSON parsing tools added complexity without enough value — the LLM can read scanner JSON output directly or re-run with -j flag. Removes the entire pkg/command/results package, skill docs, system prompt references, and test expectations. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…tmuxpkg - Rename OriginTask to OriginSession in inbox (sessions are tmux-managed) - Rename taskmod import alias to tmuxpkg across cmd/ - Rename bashTaskManager → bashSessionManager, taskMgr → sessMgr - Rename task_inbox_test.go → session_inbox_test.go, update meta keys (task_id→session_id, task_name→session_name) - Rename ParseLegacyTask → ParseLegacyMessage in swarm - Remove unused legacy harness assertion helpers (RequireOK, etc.) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
… and lint - mergeEnv: override existing env vars instead of appending duplicates - EnableLogsDebug: protect with sync.Once to eliminate data race - TestLoadEmbeddedSkills: use >= check instead of exact count - golangci: exclude gosec G703 (path traversal in write tool) - update chainreactors dependencies to latest Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ntent read Remove Body/Raw fields from Skill struct. Content is now read on-demand from embeddedFS via ReadBody/ReadFile helpers, matching the pi-mono pattern where only frontmatter metadata is indexed at startup. - Delete standalone verify, sniper, swarm skill directories - Move verify/sniper content under skills/scan/ as sub-files - Move swarm content under skills/ioa/swarm.md for progressive discovery - Remove SkillBodyLoader/skillStoreAdapter — scan pipeline references skill files in prompts so the LLM reads them via the read tool - Replace inline scanner UsageDocs with one-line index per command - System prompt reduced from ~29k to ~3.8k chars Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ering refactor
- Add katana SDK crawl as pipeline capability (browser/full build tag)
- katana_crawl (quick): depth from profile, standard HTTP crawl
- katana_deep (full): JS-enabled deeper crawl
- silentWriter suppresses katana stdout leak
- scope filtering: only emit same-root-domain URLs
- crawl sources don't re-trigger other crawlers (acceptsNonCrawlTarget)
- Reverse registration architecture
- Remove centralized register_command_full.go
- katana/passive self-register via init() with build tags
- cmd layer uses dynamic extraCommands map instead of build-tag struct pairs
- Fix spray crawl: auto-switch to brute mode when Crawl=true
- SprayCheckStream uses BruteTask with seed wordlist for crawl-enabled options
- Refactor report rendering
- New colors.go: unified renderColor wrapping chainreactors/logs + parsers.RenderStatus
- Split report.go (923 lines) into report.go/report_json.go/report_plain.go/report_asset.go
- Sitemap tree as primary path view: [STATUS] /path SIZE "title" [fingers] {annotations}
- Service/fingerprint/finding rendered at top level, path only in sitemap
- -F offline rendering from record JSONL files
- Fix asset aggregation: strip default ports (443/80) to merge same-origin assets
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…al cleanup - Remove hardcoded API key from harness.go, require env var - Fix parallel/sequential tool execution race in agent loop - Fix goroutine leak in gogo RunWithArgs fallback (cancel child ctx) - Fix browser process leak on Connect failure (call l.Kill) - Fix sameRootDomain suffix matching (evilexample.com no longer matches example.com) - Fix data race reading collector fields without lock after pipeline - Add mutex to ApplyNeutronProxy for concurrent scan safety - Fix NewService signature in swarm/harness test files (add missing 2nd arg) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Split the monolithic cmd package (35 files) into a layered architecture: - core/config: Option types, defaults, config loading, provider, scanner commands - core/runner: unified AgentRuntime factory, all execution modes (one-shot, interactive, loop, scanner-ai), console, output, events, session, subagent - pkg/pidlock: cross-platform process lock utility All agent modes now go through a single NewAgentRuntime() factory with RuntimeConfig for mode-specific overrides (IOA injection, existing app, prompt config). cmd/ is reduced to CLI parsing and dispatch only. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
… tag Consolidate web_search, web_fetch, and cyberhub into a single `search` command with subcommands (tavily/fetch/cyberhub). Merge standalone fuzz skill into skills/scan/fuzz.md alongside verify/sniper/deep. Remove stale vision skill references. Replace the blanket `full` build tag with granular `browser` and `recon` tags, eliminating double-maintained availability lists and test expectations in favor of init()-based registration. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…intermediate types Unify 3 independent color systems, 2 parallel struct hierarchies, and 6+ format paths into a single pkg/output package. Delete pkg/record entirely. Key changes: - Create pkg/output with Color, Record, format helpers, and asset renderer - Result fields now use SDK/parsers types directly: *GOGOResult, *SprayResult, *ZombieResult, *VulnResult, []provider.ChatMessage, *provider.Usage - Add sdktypes.VulnResult in SDK for serializable neutron findings - Recorder writes parsers types directly to JSONL (no intermediate conversion) - Remove all custom intermediate types: WebEndpoint, Fingerprint, Finding, Service, AIMessage, ToolCall, TokenUsage, record.Service/Web/Finding - Fingerprints derived from GOGOResult.Frameworks/SprayResult.Frameworks in aggregate instead of separate collector storage - AgentRunResult carries provider.ChatMessage and provider.Usage from agent Deleted: pkg/record/, scan/colors.go, scan/report_asset.go, scan/report_render.go Net: -1200 lines Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ss/subprocess split Three major simplifications: 1. Command execution: delete InProcess concept. All registered commands run in-process via goroutine-based tmux sessions (CreateFunc). Bash dispatches through execCommand/execShell with unified auto-background. tmux manages all sessions (goroutine and PTY) with identical peek/kill/wait interface. No subprocess re-invocation, no self-binary resolution, no CLI entry point requirements. 2. Agent model: Agent is the single core type. Config is pure data. One constructor (NewAgent), one entry point (Agent.Run), one way to spawn (Agent.Derive). Removed Config.Run, Config.Derive, Config.RunWithContext, Config.NewAgent, runChildAgent, childAgentOpts. SubAgentTool holds *Agent directly instead of SubAgentConfig wrapper. 3. Command interface: PseudoCommand renamed to Command with unified Execute(ctx, args, io.Writer) signature. StreamingCommand removed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Prevents accidental commit of API keys in community config. Local file is preserved. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add replace directive for utils/cert (transitive via utils/mitmproxy). Fix TestMITMCapture_ServerFirst_Fallback: tolerate server-probe consuming first byte of SSH banner. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Use published utils/cert and utils/mitmproxy instead of local replace directives. utils/cert provides atomic certificate generation primitives (NewTemplate, SelfSign/SignWith, Fingerprint, TLS config builder, etc.) that mitmproxy now uses for CA creation and DummyCert key-reuse. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Round 1 — panic/crash fixes: - proton: default to "." when -e used without -i, prevent inputs[0] panic - proton: return ctx.Err() in WalkDir to prevent goroutine blocking on jobCh - proton: log WalkDir errors instead of discarding - proton: fix truncate to cut on rune boundaries, not bytes - mitm: remove auto-Clear() in start() that silently destroyed prior captures - mitm: matchStatus returns false for unrecognized patterns instead of true - mitm: reset seq counter in FlowStore.Clear() - mitm: remove dead configureUpstream function and unused imports - build.sh: fix tavily_keys reading from wrong YAML section (websearch→search) - config_test: update stale error message referencing old config.yaml filename - util: handle negative numbers in FormatNumber to prevent infinite recursion Round 2 — code quality improvements: - agent: track ModeIndependent fire goroutines with WaitGroup, wait on Stop/Remove - proton: replace seen map with sync.Map for structural thread safety - agent: allow MaxRetries=0 to mean no retries (change sentinel from ==0 to <0) - evaluator: replace time.Sleep with ctx-aware select in retry loop - loop_tool: support quoted cron expressions in tryCronPrefix - context_window: add gpt-4-1 (128K) and gpt-4-0 (8K) to fix prefix mismatches - tui: replace sync.Once markdown renderer with width-aware cache for resize - web: decouple confirmed status from critical priority in itemToPriority Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
… console.go - Type Deps.Logger as telemetry.Logger instead of any for compile-time safety - Extract toolargs.Base with shared Logger/Proxy/WorkDir fields and methods, embed in all 7 scanner tool Commands to eliminate repeated boilerplate - Create per-tool register.go for neutron/spray/zombie/gogo, simplify the central register_command.go to only handle the composite scan command - Split console.go (1331→848 lines) into keybindings.go and banner.go Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add MITM traffic capture section to v0.2.7 changelog - Fix 3 errcheck lint issues in mitm.go (Shutdown return, type assertions) - Widen SSH banner test timeouts to prevent flaky failures under load - Update README/README_CN taglines Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…l-and-error The agent's system prompt only showed a one-line description per scanner (e.g. "gogo - host, port, service, and banner discovery") with no parameter info, forcing the AI to guess flags on first use and fall back to -h. Add a QuickReferencer interface so gogo/spray embed key flags, common pitfalls (e.g. -j is input not output), and examples directly in the prompt. Also clarify that scan already includes gogo+spray+zombie+neutron to prevent redundant manual spray-then-scan sequences. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…tui sub-modules Update import paths and go.mod replace directives: - github.com/reeflective/console -> github.com/chainreactors/tui/console - github.com/reeflective/readline -> github.com/chainreactors/tui/readline readline and console now live as sub-modules in the tui repo. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…from cyber-ui Replace local shadcn/ui components (Button, Badge, Card, Input, ToggleGroup) with shared @aspect/ui package. Replace cn() utility imports with @aspect/theme. Delete 5 redundant component files. Tooltip kept as local component due to aiscan-specific simplified API. MarkdownContent kept as local component due to cyber-theme customization. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…e, Spinner, ThemeProvider - Tooltip: replace custom CSS tooltip with Radix @aspect/ui Tooltip, add TooltipProvider to App root, delete ui/tooltip.tsx - ThemeToggle: replace custom localStorage logic with @aspect/theme useTheme - ScanView: replace custom ResultTabButton with @aspect/ui Tabs - LLMConfigPanel: replace native <select> with @aspect/ui Select, StatusPill with Badge, Loader2 with Spinner - AgentPanel: replace Loader2 with @aspect/ui Spinner components/ui/ directory is now fully deleted. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Line numbers are a rendering concern, not a tool output concern. Read tool now returns raw file content; line numbering is handled by the display/TUI layer. Aligns with cyber-agent's read tool behavior. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ents Agents connecting with --web-url automatically pull LLM, cyberhub, recon, scan, search, IOA, and agent config from the server before initializing their runtime. Priority: local config > remote config > defaults. Backend: - Single shared type webproto.DistributeConfig with json+yaml tags - GET /api/config returns ConfigStatus (secrets masked, *_configured flags) - PUT /api/config saves DistributeConfig (preserves secrets when empty) - GET /api/config/distribute returns raw config with secrets for agents - ConfigStore interface: GetDistributeConfig + SaveDistributeConfig - Removed LLMConfig type, LLMConfigStore interface, /api/config/llm endpoints Agent: - core/config/remote.go: FetchRemoteConfig + MergeRemoteOption - webagent.Run fetches remote config before NewAgentRuntime (non-fatal) Frontend: - ConfigPanel with 7 tabs (LLM/Cyberhub/Recon/Scan/Search/IOA/Agent) - Renamed LLMConfigPanel → ConfigPanel, llmConfigOpen → configOpen Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add cyber-ui as git submodule at web/frontend/cyber-ui - Replace local @aspect/ui, @aspect/theme aliases with cyber-ui source - Add @aspect/markdown, @aspect/viewer, @aspect/terminal aliases - Delete local ui/index.tsx, ui/chat.tsx, lib/theme.ts, MarkdownContent.tsx, ThemeToggle.tsx, terminal-utils.ts, SessionNavigator.tsx (all replaced by cyber-ui packages) - Add Radix UI + react-syntax-highlighter dependencies - Migrate all hardcoded cyber-* colors to semantic primary/success/ warning/info CSS variables - Add success/warning/info/caution CSS variables to index.css - Use @aspect/theme Tailwind preset in tailwind.config.js - Wrap App root with ThemeProvider from @aspect/theme - ChatPanel: import chat components from @aspect/viewer, remove duplicate summarizeArgs/summaryFromValue - AgentTerminal: use TerminalView, TerminalHeader, SessionNavigator, DetailPanel from @aspect/terminal - TerminalDetails: use DetailPanel/DetailGroup/DetailRow from @aspect/terminal Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Store: add chat_sessions, chat_messages, session_scans tables with full CRUD and migration - AgentPool: SessionLookup interface, PickChat, turn tracking, forward agent telemetry events (thinking, message, tool_call) to chat SSE - SSE: configurable terminal events instead of hardcoded complete/error - Frontend: scan-route session-aware routing - Tests: agent WebSocket lifecycle, PTY frame encoding - Rebuild static assets Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
7de0d4b to
26f9ab6
Compare
… to tsconfig - ChatPanel imports AssistantResponse, ChatInput, ChatThinking, MessageBubble, ToolCallDisplay, summarizeArgs from @aspect/viewer instead of @aspect/ui (which no longer bundles chat components) - Add cyber-ui/packages/viewer/src to tsconfig include - Update cyber-ui submodule to 739d849 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Frontend:
- ChatPanel enables attachments, handles CTX mode (inject text
into LLM context) and UP mode (upload to remote agent)
- api.ts: uploadChatFile() POST multipart to /api/chat/sessions/{id}/upload
- Update cyber-ui submodule for ChatInput attachment UI
Backend:
- POST /api/chat/sessions/{id}/upload — multipart endpoint
- Service.HandleFileUpload: base64-encodes file, dispatches through
WebSocket as {type:"upload", data_b64, payload:{filename,size,mime}}
- AgentPool.dispatchMessage: sends pre-built WSMessage with task tracking
Agent:
- handleFileUpload: decodes base64, writes to $TMPDIR/aiscan-uploads/,
responds with {type:"complete", payload:{path,size}}
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Extract scan/agent rendering into chat-extensions.tsx using registerTimelineRenderer() from @aspect/viewer - Add timeline-mapper.ts to convert local TimelineItem to viewer model - ChatPanel now resolves scan_started/scan_complete/agent_joined through the shared extension registry instead of hardcoded switch cases - Register extensions at app startup in main.tsx Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Extend output.Record with indexing fields (scan_id, session_id, agent_id, source, target, priority, tags) and add new RecordType constants for agent events (tool_call, tool_result, turn_end, etc.). Web server persists agent events and scan results into a new `records` table via the existing event path: handleAgentMessage → InsertRecord for remote agent events, scan completion → ResultToRecords → InsertRecords for scan findings. Agent-side (aiscan CLI) is unchanged — no database, events flow through the existing eventbus → WebSocket path. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Move wsPayloadToRecord and resultToRecords directly into pkg/web/agents.go where they're used. These are web-server-side concerns, not runner logic. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Both paths now send identical output.Record: the agent side uses NewRecord(TypeAgent, event), the web side unwraps Record.Data to extract event fields for SSE forwarding. - Remove unused RecordType constants (TypeToolCall, etc.) - Delete wsPayloadToRecord conversion function - Add extractEventData helper so forwardAgentEvent correctly unwraps Record.Data before parsing event fields - Frontend unaffected (only consumes SSE ChatEvents) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Delete ListRecords, AggregateRecords, RecordFilter, RecordSummary, buildRecordQuery, and scanRecord — all defined but never called. Query API can be added when there's an actual consumer. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
pkg/agent/: Split the monolithic agent_test.go and 6 scattered test files into helpers_test.go + agent_test.go + loop_test.go + retry_test.go. pkg/agent/provider/: Merge cache_breakpoint_test.go and cache_protocol_test.go into cache_test.go. pkg/agent/tmux/: Merge interactive_test.go and reminder_test.go into manager_test.go. pkg/commands/: Merge bash-related tests into bash_test.go; split readwrite_test.go into read_test.go + write_test.go + glob_test.go. pkg/tui/: Merge console test files into console_test.go. cmd/aiscan/: Restore cli_full_test.go build tag. core/config/: Rename config_test.go to loader_test.go. core/harness/: Merge 10 scenario test files into harness_test.go. core/resources/: Merge pipeline_test.go into resources_test.go. pkg/headless/: Rename integration_test.go to engine_test.go. pkg/tools/: Consolidate register/proxy/integration tests into register_command_test.go family. pkg/tools/proton/: Rename proton_test.go to command_test.go. pkg/tools/proxy/: Rename mitm_bench_test.go to mitm_test.go. pkg/tools/playwright/: Merge recorder_integration_test.go into recorder_test.go. pkg/tools/scan/: Merge tempfiles into scan_test.go, rename to command_test.go. pkg/tools/scan/engine/: Rename recon_test.go to uncover_test.go, sdk_e2e_test.go to set_test.go. pkg/tools/scan/pipeline/: Rename pipeline_recover_test.go to pipeline_test.go. pkg/web/: Split analysis_options_test.go into service_test.go + store_sqlite_test.go; merge e2e_terminal_test.go into agents_test.go. skills/: Merge embed_expectations files into embed_test.go + embed_expectations_full_test.go. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- feat: file upload through agent channel - feat: --tavily-key flag for web search configuration - feat: scan tools (gogo/spray) emit real-time DataBus events - fix: external API tools (passive/web_search/cyberhub) always register, return clear error with configuration hints when keys are missing - fix: remove go.mod tui replace directives, use published versions - deps: upgrade zombie to v1.3.0, all chainreactors deps to latest master - deps: migrate tui/console and tui/readline to chainreactors/tui - docs: add v0.2.8 changelog Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Bumps [github.com/alecthomas/chroma/v2](https://github.com/alecthomas/chroma) from 2.14.0 to 2.27.0. - [Release notes](https://github.com/alecthomas/chroma/releases) - [Commits](alecthomas/chroma@v2.14.0...v2.27.0) --- updated-dependencies: - dependency-name: github.com/alecthomas/chroma/v2 dependency-version: 2.27.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
26f9ab6 to
be5fcd0
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps github.com/alecthomas/chroma/v2 from 2.14.0 to 2.27.0.
Release notes
Sourced from github.com/alecthomas/chroma/v2's releases.
... (truncated)
Commits
a6d00fefix(html): make mode class output opt-in via WithModeClassesf52d015chore: some house-keepingf08a9abchore: add fmt + test to BUILD.bit6da8f88fix(yaml): comments can be key-values (#1289)67785a4chore(deps): update all non-major dependencies (#1285)d9dd73fAdd templ XML lexer (#1283)effffdbchore(deps): update all non-major dependencies (#1280)03236a4support for PostScript font files (#1282)e10d532Fix YAML slash comments with colons (#1278)56c7702fix: downgrade go.mod version to 1.25