Skip to content

deps: bump github.com/alecthomas/chroma/v2 from 2.14.0 to 2.27.0#35

Open
dependabot[bot] wants to merge 356 commits into
masterfrom
dependabot/go_modules/github.com/alecthomas/chroma/v2-2.27.0
Open

deps: bump github.com/alecthomas/chroma/v2 from 2.14.0 to 2.27.0#35
dependabot[bot] wants to merge 356 commits into
masterfrom
dependabot/go_modules/github.com/alecthomas/chroma/v2-2.27.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 21, 2026

Copy link
Copy Markdown
Contributor

Bumps github.com/alecthomas/chroma/v2 from 2.14.0 to 2.27.0.

Release notes

Sourced from github.com/alecthomas/chroma/v2's releases.

v2.27.0

Changelog

  • a6d00fe fix(html): make mode class output opt-in via WithModeClasses
  • f52d015 chore: some house-keeping
  • f08a9ab chore: add fmt + test to BUILD.bit
  • 6da8f88 fix(yaml): comments can be key-values (#1289)
  • 67785a4 chore(deps): update all non-major dependencies (#1285)
  • d9dd73f Add templ XML lexer (#1283)
  • effffdb chore(deps): update all non-major dependencies (#1280)
  • 03236a4 support for PostScript font files (#1282)
  • e10d532 Fix YAML slash comments with colons (#1278)

v2.26.1

Changelog

  • 56c7702 fix: downgrade go.mod version to 1.25

v2.26.0

Changelog

  • a4d3f60 feat(chromad): use style counterparts for theme switching
  • ce159e6 chore: migrate to new bit format
  • 180ea9f perf(colour): replace Sprintf/ParseUint round-trip in NewColour with direct bit arithmetic (#1274)
  • 68a08b0 docs: how to support dynamic theme switching
  • 6fb9d92 feat(html): tag output with style mode
  • a71fea3 feat(styles): add light/dark mode support

v2.25.0

Changelog

  • c3826f0 chore: go mod tidy
  • fb5bc39 fix: emit HTTP body tokens without Coalesce
  • a3c2946 Improve Nu file detection (#1260)
  • e841b1a chore(deps): update all non-major dependencies (#1272)
  • 3ed2db8 Add Gemfile.lock lexer (& ruby improvements) (#1269)
  • 41fb546 Add YAML+Jinja lexer (#1268)
  • e99b881 chore(deps): update all non-major dependencies (#1263)
  • e67dd2f (Markless) Fix parse issue for embed directives without options (#1266)
  • dffa370 fix(go): tokenize trailing // as comment instead of consuming next line (#1265)
  • 1cf1560 chore: upgrade to github.com/dlclark/regexp2/v2
  • 2cbcf7b chore: upgrade golangci-lint
  • 786675b chore(deps): update all non-major dependencies (#1257)
  • 235590c feat: add JSONL support to JSON lexer (#1262)
  • f9b5c97 fix(dart): match single-line comments without trailing newline (#1225) (#1261)
  • 097f8e9 Mention Arturo in README (#1256)
  • d46ce60 feat(markdown): highlight frontmatter and comments (#1245)
  • f786b2a feat(lexers): add support for LilyPond (#1255)
  • 0a02b98 chore(deps): update actions/checkout digest to de0fac2 (#1212)
  • c55009e Fix AGENTS.md referencing a non-existent scripts directory (#1231)
  • c5e763e Improve protobuf lexer (#1253)
  • 113cd0e Add Arturo lexer (#1232)
  • 4498d71 chore(deps): update dependency binaryen to v129 (#1238)
  • 885f912 Added f4 to "Projects using Chroma" list (#1242)

... (truncated)

Commits

M09Ic and others added 30 commits May 30, 2026 02:06
…tions/setup-go-6

deps: bump actions/setup-go from 5 to 6
…olangci/golangci-lint-action-9.2.1

deps: bump golangci/golangci-lint-action from 9.2.0 to 9.2.1
删除基于 go-rod 的 browser 工具实现,后续使用 playwright
伪命令方式提供浏览器交互能力。

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
基于 go-rod 实现 playwright 风格伪命令,支持无头浏览、
截图、网络抓包、JS 执行及多步交互式漏洞验证。

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- 更新 go.mod/go.sum 依赖版本
- 移除 zombie ProxyDial 已废弃字段
- 更新 agent prompt、runners 配置
- 调整 verify SKILL 及 embed 测试期望

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- config.yaml: 清除硬编码的 API key、服务地址等凭据,恢复为空占位符
- go.mod: 移除本地 replace 指令(fingers-local、sdk-local),SDK 恢复远程版本
- prompt.go: 简化 Authorization 段落,去掉过于激进的措辞
- node.go: 恢复 Intent 字段(标记 Deprecated)保持向后兼容,
  添加 resolveIntent() fallback 链;classifyError 用 || 替代逗号 OR
  提升可读性;renderSlimMessageContext 用二分查找替代 O(n) 逐条裁剪
- session.go: 合并重复常量 defaultSessionTimeout/persistentTTL;
  恢复 LRU 自动淘汰替代硬错误;parseOpenOpts 重构为 openOpts 结构体;
  gcOnce 改为 gcRunning bool 修复 Close 后无法重启 GC 的 bug
- discover.go: evalJSON 返回 error 而非静默吞掉
- browser.go: 恢复 SetProxy / proxy 支持
- zombie.go: 添加注释说明 ProxyDial 已被上游移除

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
新增 22 个 Playwright 对齐子命令,按安全测试优先级实现:

P0 — 关键安全能力:
  - press: 键盘事件 (Enter 提交表单, Shift+Enter 等组合键)
  - reload / go-back / go-forward: 页面导航
  - set-input-files: 文件上传 (上传 shell, 测试文件上传漏洞)
  - hover: 触发悬停菜单/下拉框
  - get-attribute / input-value / is-visible: 元素状态读取

P1 — 高价值:
  - set-extra-headers: 注入 Authorization 等自定义请求头
  - route / unroute: 请求拦截 (fulfill/abort/continue 三种模式)
  - check / uncheck: checkbox 控制
  - dblclick: 双击
  - dispatch-event: 触发任意 DOM 事件
  - set-viewport: 视口大小设置

P2 — 等待辅助:
  - wait-for-url / wait-for-request / wait-for-response: 精确等待
  - focus / blur: 焦点管理

文件变更:
  - navigation.go (新): reload, go-back, go-forward
  - advanced.go (新): set-extra-headers, route, set-viewport, dispatch-event, wait-for-*
  - interact.go: press, hover, dblclick, get-attribute, input-value, is-visible,
    check, uncheck, set-input-files, focus, blur + key name 映射表
  - session.go: Session 新增 headerCleanup, hijackRouter 字段及清理逻辑
  - browser.go: Execute() switch 扩展, Usage() 文档更新
  - testharness/: Python pytest harness 对比真实 Playwright SDK 行为

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
pw_driver.go: 持久化 Go 进程包装 Command.Execute(),通过 stdin/stdout
JSON-line 协议驱动,sessions 跨调用保持。解决 playwright 作为 pseudo-command
无法直接 subprocess 调用的问题。

测试覆盖: goto, reload, go-back, go-forward, press(Enter), hover,
dblclick, check/uncheck, fill+input-value, get-attribute, is-visible

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
修复:
- set-extra-headers: 通过 CDP proto 直接调用而非 go-rod 的 SetExtraHeaders,
  避免 EnableDomain 返回的 cleanup 在 withPage context 超时后清理域
- route: HijackRouter 创建在 sess.Page 上而非 context-scoped page,
  路由注册移到 withPage 外部避免 Fetch domain 随 opCtx 过期

新增 12 个对比测试 (共 23 个):
- test_dispatch.py: dispatch-event 自定义事件
- test_files.py: set-input-files 文件上传
- test_focus.py: focus/blur 焦点事件
- test_headers.py: set-extra-headers 自定义请求头
- test_route.py: route --fulfill / --abort 请求拦截
- test_viewport.py: set-viewport 视口设置
- test_wait.py: wait-for-url / wait-for-request / wait-for-response
- test_interaction.py: 新增 press Shift+a 组合键测试

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
playwright-cli 等价 flags (open 子命令):
  --ignore-https-errors    自签名证书站点测试
  --viewport-size WxH      视口大小设置
  --geolocation lat,lon    GPS 欺骗
  --timezone               时区仿真
  --color-scheme light|dark 暗色模式
  --lang                   语言/locale
  --device                 设备仿真 (预留)
  --load-storage <file>    从文件恢复 cookies + localStorage
  --save-storage <file>    关闭时保存完整会话状态
  --save-har <file>        关闭时保存 HAR 网络流量

playwright-cli 等价 flags (screenshot/pdf):
  --wait-for-selector      截图/PDF 前等待元素出现
  --wait-for-timeout       截图/PDF 前等待毫秒数

新增 SDK 对齐命令:
  set-content, title, inner-text, is-checked, is-disabled,
  is-enabled, is-hidden, tap, type (逐字符输入)

close 命令支持 --save-storage / --save-har 覆盖参数

35 个对比测试全部通过 (vs Playwright Python SDK)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
引入 contextFlags 结构和 parseContextFlag 共享解析器,使
screenshot/pdf 无状态命令也能接受完整的 playwright-cli context flags:
  --proxy-server, --proxy-bypass, --viewport-size, --geolocation,
  --timezone, --color-scheme, --lang, --device, --ignore-https-errors,
  --load-storage, --save-storage, --save-har, --save-har-glob,
  --block-service-workers, --paper-format

applyContextFlags() 统一应用到 newPage() 创建的无状态页面。

open 命令新增: --proxy-server, --proxy-bypass, --save-har-glob,
  --block-service-workers

playwright-cli flag 覆盖率: 21/24 = 87%
仅剩 3 个未实现: --browser (多引擎), --channel (发行渠道),
  --user-data-dir (持久化用户目录)。这三个因 go-rod 仅支持
  Chromium 而不适用。

35 个对比测试全部通过。

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ility

Implement pkg/headless/ as a nuclei-compatible headless browser automation
engine, designed for eventual migration to neutron. Core mechanisms ported
from nuclei's headless engine with neutron dependencies replacing nuclei-
specific packages.

Key features:
- 29 action types (navigate/click/script/waitdialog/setheader/extract/etc.)
- Dual-path hijack: HijackRouter for request/response modification,
  native CDP Fetch for capture-only — both paths record full history
- DSL expression evaluation via neutron common.Evaluate (rand_int, replace,
  base64, etc.)
- Payload iteration (sniper/pitchfork/clusterbomb) via neutron Generator
- Template-level variables via neutron Variable.Evaluate
- Instance isolation (incognito per execution) with backoff sleeper
- Proper HTTP client with TLS skip, proxy, cookie jar
- XPath/CSS/JS/regex/search element selectors
- WaitEvent with CDP event reflection via proto.GetType
- WaitDialog with type+message capture
- NavigateURL parameter auto-merge from input URL
- 24 real nuclei-templates/headless POCs as testdata
- Integration tests: 24/24 parse, 22/24 compile, 11 execution tests

Wired into playwright pseudo-command via 'template' subcommand.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…degen

Record browser interactions as nuclei-compatible headless YAML templates.
Adds `record` subcommand and `--record` flag to `open`, with centralized
recording hook in Execute() dispatcher. Generated templates round-trip
through headless.ParseTemplate() and can be replayed via `playwright template`.

- recorder.go: RecordedAction, recorder struct, 26 command→action mappings,
  YAML codegen via headless.Template, URL templatization ({{BaseURL}}),
  XPath selector preservation, execRecord subcommand
- session.go: rec field on Session, --record flag, close warning for unsaved
  recordings, rec= indicator in sessions list
- browser.go: Execute() refactored to result/err pattern with post-dispatch
  recording hook, record subcommand in dispatcher and Usage
- 7 unit tests + 10 browser integration tests (all passing)
- Updated playwright SKILL.md with recording docs, template execution docs,
  aiscan extensions table, and recording workflow examples
- Updated verify SKILL.md with --record guidance, POC persistence section,
  and template path in decision tree

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
These in-process JSON parsing tools added complexity without enough
value — the LLM can read scanner JSON output directly or re-run with
-j flag. Removes the entire pkg/command/results package, skill docs,
system prompt references, and test expectations.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…tmuxpkg

- Rename OriginTask to OriginSession in inbox (sessions are tmux-managed)
- Rename taskmod import alias to tmuxpkg across cmd/
- Rename bashTaskManager → bashSessionManager, taskMgr → sessMgr
- Rename task_inbox_test.go → session_inbox_test.go, update meta keys
  (task_id→session_id, task_name→session_name)
- Rename ParseLegacyTask → ParseLegacyMessage in swarm
- Remove unused legacy harness assertion helpers (RequireOK, etc.)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
… and lint

- mergeEnv: override existing env vars instead of appending duplicates
- EnableLogsDebug: protect with sync.Once to eliminate data race
- TestLoadEmbeddedSkills: use >= check instead of exact count
- golangci: exclude gosec G703 (path traversal in write tool)
- update chainreactors dependencies to latest

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ntent read

Remove Body/Raw fields from Skill struct. Content is now read on-demand from
embeddedFS via ReadBody/ReadFile helpers, matching the pi-mono pattern where
only frontmatter metadata is indexed at startup.

- Delete standalone verify, sniper, swarm skill directories
- Move verify/sniper content under skills/scan/ as sub-files
- Move swarm content under skills/ioa/swarm.md for progressive discovery
- Remove SkillBodyLoader/skillStoreAdapter — scan pipeline references skill
  files in prompts so the LLM reads them via the read tool
- Replace inline scanner UsageDocs with one-line index per command
- System prompt reduced from ~29k to ~3.8k chars

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ering refactor

- Add katana SDK crawl as pipeline capability (browser/full build tag)
  - katana_crawl (quick): depth from profile, standard HTTP crawl
  - katana_deep (full): JS-enabled deeper crawl
  - silentWriter suppresses katana stdout leak
  - scope filtering: only emit same-root-domain URLs
  - crawl sources don't re-trigger other crawlers (acceptsNonCrawlTarget)

- Reverse registration architecture
  - Remove centralized register_command_full.go
  - katana/passive self-register via init() with build tags
  - cmd layer uses dynamic extraCommands map instead of build-tag struct pairs

- Fix spray crawl: auto-switch to brute mode when Crawl=true
  - SprayCheckStream uses BruteTask with seed wordlist for crawl-enabled options

- Refactor report rendering
  - New colors.go: unified renderColor wrapping chainreactors/logs + parsers.RenderStatus
  - Split report.go (923 lines) into report.go/report_json.go/report_plain.go/report_asset.go
  - Sitemap tree as primary path view: [STATUS] /path SIZE "title" [fingers] {annotations}
  - Service/fingerprint/finding rendered at top level, path only in sitemap
  - -F offline rendering from record JSONL files

- Fix asset aggregation: strip default ports (443/80) to merge same-origin assets

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…al cleanup

- Remove hardcoded API key from harness.go, require env var
- Fix parallel/sequential tool execution race in agent loop
- Fix goroutine leak in gogo RunWithArgs fallback (cancel child ctx)
- Fix browser process leak on Connect failure (call l.Kill)
- Fix sameRootDomain suffix matching (evilexample.com no longer matches example.com)
- Fix data race reading collector fields without lock after pipeline
- Add mutex to ApplyNeutronProxy for concurrent scan safety
- Fix NewService signature in swarm/harness test files (add missing 2nd arg)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Split the monolithic cmd package (35 files) into a layered architecture:

- core/config: Option types, defaults, config loading, provider, scanner commands
- core/runner: unified AgentRuntime factory, all execution modes (one-shot,
  interactive, loop, scanner-ai), console, output, events, session, subagent
- pkg/pidlock: cross-platform process lock utility

All agent modes now go through a single NewAgentRuntime() factory with
RuntimeConfig for mode-specific overrides (IOA injection, existing app,
prompt config). cmd/ is reduced to CLI parsing and dispatch only.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
… tag

Consolidate web_search, web_fetch, and cyberhub into a single `search`
command with subcommands (tavily/fetch/cyberhub). Merge standalone fuzz
skill into skills/scan/fuzz.md alongside verify/sniper/deep. Remove
stale vision skill references.

Replace the blanket `full` build tag with granular `browser` and `recon`
tags, eliminating double-maintained availability lists and test
expectations in favor of init()-based registration.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…intermediate types

Unify 3 independent color systems, 2 parallel struct hierarchies, and 6+
format paths into a single pkg/output package. Delete pkg/record entirely.

Key changes:
- Create pkg/output with Color, Record, format helpers, and asset renderer
- Result fields now use SDK/parsers types directly: *GOGOResult, *SprayResult,
  *ZombieResult, *VulnResult, []provider.ChatMessage, *provider.Usage
- Add sdktypes.VulnResult in SDK for serializable neutron findings
- Recorder writes parsers types directly to JSONL (no intermediate conversion)
- Remove all custom intermediate types: WebEndpoint, Fingerprint, Finding,
  Service, AIMessage, ToolCall, TokenUsage, record.Service/Web/Finding
- Fingerprints derived from GOGOResult.Frameworks/SprayResult.Frameworks
  in aggregate instead of separate collector storage
- AgentRunResult carries provider.ChatMessage and provider.Usage from agent

Deleted: pkg/record/, scan/colors.go, scan/report_asset.go, scan/report_render.go
Net: -1200 lines

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ss/subprocess split

Three major simplifications:

1. Command execution: delete InProcess concept. All registered commands
   run in-process via goroutine-based tmux sessions (CreateFunc). Bash
   dispatches through execCommand/execShell with unified auto-background.
   tmux manages all sessions (goroutine and PTY) with identical
   peek/kill/wait interface. No subprocess re-invocation, no self-binary
   resolution, no CLI entry point requirements.

2. Agent model: Agent is the single core type. Config is pure data.
   One constructor (NewAgent), one entry point (Agent.Run), one way to
   spawn (Agent.Derive). Removed Config.Run, Config.Derive,
   Config.RunWithContext, Config.NewAgent, runChildAgent, childAgentOpts.
   SubAgentTool holds *Agent directly instead of SubAgentConfig wrapper.

3. Command interface: PseudoCommand renamed to Command with unified
   Execute(ctx, args, io.Writer) signature. StreamingCommand removed.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Prevents accidental commit of API keys in community config.
Local file is preserved.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
M09Ic and others added 16 commits June 24, 2026 11:15
Add replace directive for utils/cert (transitive via utils/mitmproxy).
Fix TestMITMCapture_ServerFirst_Fallback: tolerate server-probe
consuming first byte of SSH banner.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Use published utils/cert and utils/mitmproxy instead of local replace
directives. utils/cert provides atomic certificate generation primitives
(NewTemplate, SelfSign/SignWith, Fingerprint, TLS config builder, etc.)
that mitmproxy now uses for CA creation and DummyCert key-reuse.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Round 1 — panic/crash fixes:
- proton: default to "." when -e used without -i, prevent inputs[0] panic
- proton: return ctx.Err() in WalkDir to prevent goroutine blocking on jobCh
- proton: log WalkDir errors instead of discarding
- proton: fix truncate to cut on rune boundaries, not bytes
- mitm: remove auto-Clear() in start() that silently destroyed prior captures
- mitm: matchStatus returns false for unrecognized patterns instead of true
- mitm: reset seq counter in FlowStore.Clear()
- mitm: remove dead configureUpstream function and unused imports
- build.sh: fix tavily_keys reading from wrong YAML section (websearch→search)
- config_test: update stale error message referencing old config.yaml filename
- util: handle negative numbers in FormatNumber to prevent infinite recursion

Round 2 — code quality improvements:
- agent: track ModeIndependent fire goroutines with WaitGroup, wait on Stop/Remove
- proton: replace seen map with sync.Map for structural thread safety
- agent: allow MaxRetries=0 to mean no retries (change sentinel from ==0 to <0)
- evaluator: replace time.Sleep with ctx-aware select in retry loop
- loop_tool: support quoted cron expressions in tryCronPrefix
- context_window: add gpt-4-1 (128K) and gpt-4-0 (8K) to fix prefix mismatches
- tui: replace sync.Once markdown renderer with width-aware cache for resize
- web: decouple confirmed status from critical priority in itemToPriority

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
… console.go

- Type Deps.Logger as telemetry.Logger instead of any for compile-time safety
- Extract toolargs.Base with shared Logger/Proxy/WorkDir fields and methods,
  embed in all 7 scanner tool Commands to eliminate repeated boilerplate
- Create per-tool register.go for neutron/spray/zombie/gogo, simplify the
  central register_command.go to only handle the composite scan command
- Split console.go (1331→848 lines) into keybindings.go and banner.go

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add MITM traffic capture section to v0.2.7 changelog
- Fix 3 errcheck lint issues in mitm.go (Shutdown return, type assertions)
- Widen SSH banner test timeouts to prevent flaky failures under load
- Update README/README_CN taglines

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…l-and-error

The agent's system prompt only showed a one-line description per scanner
(e.g. "gogo - host, port, service, and banner discovery") with no parameter
info, forcing the AI to guess flags on first use and fall back to -h. Add a
QuickReferencer interface so gogo/spray embed key flags, common pitfalls
(e.g. -j is input not output), and examples directly in the prompt. Also
clarify that scan already includes gogo+spray+zombie+neutron to prevent
redundant manual spray-then-scan sequences.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…tui sub-modules

Update import paths and go.mod replace directives:
- github.com/reeflective/console -> github.com/chainreactors/tui/console
- github.com/reeflective/readline -> github.com/chainreactors/tui/readline

readline and console now live as sub-modules in the tui repo.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…from cyber-ui

Replace local shadcn/ui components (Button, Badge, Card, Input,
ToggleGroup) with shared @aspect/ui package. Replace cn() utility
imports with @aspect/theme. Delete 5 redundant component files.

Tooltip kept as local component due to aiscan-specific simplified API.
MarkdownContent kept as local component due to cyber-theme customization.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…e, Spinner, ThemeProvider

- Tooltip: replace custom CSS tooltip with Radix @aspect/ui Tooltip,
  add TooltipProvider to App root, delete ui/tooltip.tsx
- ThemeToggle: replace custom localStorage logic with @aspect/theme useTheme
- ScanView: replace custom ResultTabButton with @aspect/ui Tabs
- LLMConfigPanel: replace native <select> with @aspect/ui Select,
  StatusPill with Badge, Loader2 with Spinner
- AgentPanel: replace Loader2 with @aspect/ui Spinner

components/ui/ directory is now fully deleted.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Line numbers are a rendering concern, not a tool output concern.
Read tool now returns raw file content; line numbering is handled
by the display/TUI layer.

Aligns with cyber-agent's read tool behavior.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ents

Agents connecting with --web-url automatically pull LLM, cyberhub, recon,
scan, search, IOA, and agent config from the server before initializing
their runtime. Priority: local config > remote config > defaults.

Backend:
- Single shared type webproto.DistributeConfig with json+yaml tags
- GET /api/config returns ConfigStatus (secrets masked, *_configured flags)
- PUT /api/config saves DistributeConfig (preserves secrets when empty)
- GET /api/config/distribute returns raw config with secrets for agents
- ConfigStore interface: GetDistributeConfig + SaveDistributeConfig
- Removed LLMConfig type, LLMConfigStore interface, /api/config/llm endpoints

Agent:
- core/config/remote.go: FetchRemoteConfig + MergeRemoteOption
- webagent.Run fetches remote config before NewAgentRuntime (non-fatal)

Frontend:
- ConfigPanel with 7 tabs (LLM/Cyberhub/Recon/Scan/Search/IOA/Agent)
- Renamed LLMConfigPanel → ConfigPanel, llmConfigOpen → configOpen

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add cyber-ui as git submodule at web/frontend/cyber-ui
- Replace local @aspect/ui, @aspect/theme aliases with cyber-ui source
- Add @aspect/markdown, @aspect/viewer, @aspect/terminal aliases
- Delete local ui/index.tsx, ui/chat.tsx, lib/theme.ts,
  MarkdownContent.tsx, ThemeToggle.tsx, terminal-utils.ts,
  SessionNavigator.tsx (all replaced by cyber-ui packages)
- Add Radix UI + react-syntax-highlighter dependencies
- Migrate all hardcoded cyber-* colors to semantic primary/success/
  warning/info CSS variables
- Add success/warning/info/caution CSS variables to index.css
- Use @aspect/theme Tailwind preset in tailwind.config.js
- Wrap App root with ThemeProvider from @aspect/theme
- ChatPanel: import chat components from @aspect/viewer, remove
  duplicate summarizeArgs/summaryFromValue
- AgentTerminal: use TerminalView, TerminalHeader, SessionNavigator,
  DetailPanel from @aspect/terminal
- TerminalDetails: use DetailPanel/DetailGroup/DetailRow from
  @aspect/terminal

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Store: add chat_sessions, chat_messages, session_scans tables with
  full CRUD and migration
- AgentPool: SessionLookup interface, PickChat, turn tracking, forward
  agent telemetry events (thinking, message, tool_call) to chat SSE
- SSE: configurable terminal events instead of hardcoded complete/error
- Frontend: scan-route session-aware routing
- Tests: agent WebSocket lifecycle, PTY frame encoding
- Rebuild static assets

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/alecthomas/chroma/v2-2.27.0 branch from 7de0d4b to 26f9ab6 Compare June 28, 2026 15:01
M09Ic and others added 11 commits June 28, 2026 08:40
… to tsconfig

- ChatPanel imports AssistantResponse, ChatInput, ChatThinking,
  MessageBubble, ToolCallDisplay, summarizeArgs from @aspect/viewer
  instead of @aspect/ui (which no longer bundles chat components)
- Add cyber-ui/packages/viewer/src to tsconfig include
- Update cyber-ui submodule to 739d849

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Frontend:
- ChatPanel enables attachments, handles CTX mode (inject text
  into LLM context) and UP mode (upload to remote agent)
- api.ts: uploadChatFile() POST multipart to /api/chat/sessions/{id}/upload
- Update cyber-ui submodule for ChatInput attachment UI

Backend:
- POST /api/chat/sessions/{id}/upload — multipart endpoint
- Service.HandleFileUpload: base64-encodes file, dispatches through
  WebSocket as {type:"upload", data_b64, payload:{filename,size,mime}}
- AgentPool.dispatchMessage: sends pre-built WSMessage with task tracking

Agent:
- handleFileUpload: decodes base64, writes to $TMPDIR/aiscan-uploads/,
  responds with {type:"complete", payload:{path,size}}

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Extract scan/agent rendering into chat-extensions.tsx using
  registerTimelineRenderer() from @aspect/viewer
- Add timeline-mapper.ts to convert local TimelineItem to viewer model
- ChatPanel now resolves scan_started/scan_complete/agent_joined
  through the shared extension registry instead of hardcoded switch cases
- Register extensions at app startup in main.tsx

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Extend output.Record with indexing fields (scan_id, session_id, agent_id,
source, target, priority, tags) and add new RecordType constants for agent
events (tool_call, tool_result, turn_end, etc.).

Web server persists agent events and scan results into a new `records`
table via the existing event path: handleAgentMessage → InsertRecord for
remote agent events, scan completion → ResultToRecords → InsertRecords
for scan findings.

Agent-side (aiscan CLI) is unchanged — no database, events flow through
the existing eventbus → WebSocket path.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Move wsPayloadToRecord and resultToRecords directly into pkg/web/agents.go
where they're used. These are web-server-side concerns, not runner logic.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Both paths now send identical output.Record: the agent side uses
NewRecord(TypeAgent, event), the web side unwraps Record.Data to
extract event fields for SSE forwarding.

- Remove unused RecordType constants (TypeToolCall, etc.)
- Delete wsPayloadToRecord conversion function
- Add extractEventData helper so forwardAgentEvent correctly
  unwraps Record.Data before parsing event fields
- Frontend unaffected (only consumes SSE ChatEvents)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Delete ListRecords, AggregateRecords, RecordFilter, RecordSummary,
buildRecordQuery, and scanRecord — all defined but never called.
Query API can be added when there's an actual consumer.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
pkg/agent/: Split the monolithic agent_test.go and 6 scattered test files
into helpers_test.go + agent_test.go + loop_test.go + retry_test.go.

pkg/agent/provider/: Merge cache_breakpoint_test.go and cache_protocol_test.go
into cache_test.go.

pkg/agent/tmux/: Merge interactive_test.go and reminder_test.go into
manager_test.go.

pkg/commands/: Merge bash-related tests into bash_test.go; split
readwrite_test.go into read_test.go + write_test.go + glob_test.go.

pkg/tui/: Merge console test files into console_test.go.

cmd/aiscan/: Restore cli_full_test.go build tag.

core/config/: Rename config_test.go to loader_test.go.

core/harness/: Merge 10 scenario test files into harness_test.go.

core/resources/: Merge pipeline_test.go into resources_test.go.

pkg/headless/: Rename integration_test.go to engine_test.go.

pkg/tools/: Consolidate register/proxy/integration tests into
register_command_test.go family.

pkg/tools/proton/: Rename proton_test.go to command_test.go.
pkg/tools/proxy/: Rename mitm_bench_test.go to mitm_test.go.
pkg/tools/playwright/: Merge recorder_integration_test.go into recorder_test.go.
pkg/tools/scan/: Merge tempfiles into scan_test.go, rename to command_test.go.
pkg/tools/scan/engine/: Rename recon_test.go to uncover_test.go,
sdk_e2e_test.go to set_test.go.
pkg/tools/scan/pipeline/: Rename pipeline_recover_test.go to pipeline_test.go.

pkg/web/: Split analysis_options_test.go into service_test.go +
store_sqlite_test.go; merge e2e_terminal_test.go into agents_test.go.

skills/: Merge embed_expectations files into embed_test.go +
embed_expectations_full_test.go.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- feat: file upload through agent channel
- feat: --tavily-key flag for web search configuration
- feat: scan tools (gogo/spray) emit real-time DataBus events
- fix: external API tools (passive/web_search/cyberhub) always register,
  return clear error with configuration hints when keys are missing
- fix: remove go.mod tui replace directives, use published versions
- deps: upgrade zombie to v1.3.0, all chainreactors deps to latest master
- deps: migrate tui/console and tui/readline to chainreactors/tui
- docs: add v0.2.8 changelog

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Bumps [github.com/alecthomas/chroma/v2](https://github.com/alecthomas/chroma) from 2.14.0 to 2.27.0.
- [Release notes](https://github.com/alecthomas/chroma/releases)
- [Commits](alecthomas/chroma@v2.14.0...v2.27.0)

---
updated-dependencies:
- dependency-name: github.com/alecthomas/chroma/v2
  dependency-version: 2.27.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/alecthomas/chroma/v2-2.27.0 branch from 26f9ab6 to be5fcd0 Compare July 1, 2026 09:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants