Skip to content

deps: bump golang.org/x/image from 0.42.0 to 0.43.0 in the golang-x group across 1 directory#40

Open
dependabot[bot] wants to merge 362 commits into
masterfrom
dependabot/go_modules/golang-x-60aba6a77c
Open

deps: bump golang.org/x/image from 0.42.0 to 0.43.0 in the golang-x group across 1 directory#40
dependabot[bot] wants to merge 362 commits into
masterfrom
dependabot/go_modules/golang-x-60aba6a77c

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 23, 2026

Copy link
Copy Markdown
Contributor

Bumps the golang-x group with 1 update in the / directory: golang.org/x/image.

Updates golang.org/x/image from 0.42.0 to 0.43.0

Commits
  • b5baf41 tiff: avoid overflow when reading IFD entries
  • e7513b5 tiff: limit the amount of data read in IFD entries
  • cb9f1a6 tiff: limit uncompressed data reads
  • 304d4cc tiff: reject tiles too much larger than the image
  • 7c04344 tiff: add buffer slice overflow checks for 32-bit systems
  • c5511df webp: require that VP8/VP8L dimensions match canvas dimensions
  • 38fd220 bmp: don't panic on too-large image, reject 0xN
  • f95dd26 font/sfnt: avoid panics from out-of-bounds access in invalid GPOS table
  • 1e486eb tiff: don't panic when decoding too-large image on 32-bit platforms
  • See full diff in compare view

M09Ic and others added 30 commits June 1, 2026 01:30
- config.yaml: 清除硬编码的 API key、服务地址等凭据,恢复为空占位符
- go.mod: 移除本地 replace 指令(fingers-local、sdk-local),SDK 恢复远程版本
- prompt.go: 简化 Authorization 段落,去掉过于激进的措辞
- node.go: 恢复 Intent 字段(标记 Deprecated)保持向后兼容,
  添加 resolveIntent() fallback 链;classifyError 用 || 替代逗号 OR
  提升可读性;renderSlimMessageContext 用二分查找替代 O(n) 逐条裁剪
- session.go: 合并重复常量 defaultSessionTimeout/persistentTTL;
  恢复 LRU 自动淘汰替代硬错误;parseOpenOpts 重构为 openOpts 结构体;
  gcOnce 改为 gcRunning bool 修复 Close 后无法重启 GC 的 bug
- discover.go: evalJSON 返回 error 而非静默吞掉
- browser.go: 恢复 SetProxy / proxy 支持
- zombie.go: 添加注释说明 ProxyDial 已被上游移除

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
新增 22 个 Playwright 对齐子命令,按安全测试优先级实现:

P0 — 关键安全能力:
  - press: 键盘事件 (Enter 提交表单, Shift+Enter 等组合键)
  - reload / go-back / go-forward: 页面导航
  - set-input-files: 文件上传 (上传 shell, 测试文件上传漏洞)
  - hover: 触发悬停菜单/下拉框
  - get-attribute / input-value / is-visible: 元素状态读取

P1 — 高价值:
  - set-extra-headers: 注入 Authorization 等自定义请求头
  - route / unroute: 请求拦截 (fulfill/abort/continue 三种模式)
  - check / uncheck: checkbox 控制
  - dblclick: 双击
  - dispatch-event: 触发任意 DOM 事件
  - set-viewport: 视口大小设置

P2 — 等待辅助:
  - wait-for-url / wait-for-request / wait-for-response: 精确等待
  - focus / blur: 焦点管理

文件变更:
  - navigation.go (新): reload, go-back, go-forward
  - advanced.go (新): set-extra-headers, route, set-viewport, dispatch-event, wait-for-*
  - interact.go: press, hover, dblclick, get-attribute, input-value, is-visible,
    check, uncheck, set-input-files, focus, blur + key name 映射表
  - session.go: Session 新增 headerCleanup, hijackRouter 字段及清理逻辑
  - browser.go: Execute() switch 扩展, Usage() 文档更新
  - testharness/: Python pytest harness 对比真实 Playwright SDK 行为

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
pw_driver.go: 持久化 Go 进程包装 Command.Execute(),通过 stdin/stdout
JSON-line 协议驱动,sessions 跨调用保持。解决 playwright 作为 pseudo-command
无法直接 subprocess 调用的问题。

测试覆盖: goto, reload, go-back, go-forward, press(Enter), hover,
dblclick, check/uncheck, fill+input-value, get-attribute, is-visible

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
修复:
- set-extra-headers: 通过 CDP proto 直接调用而非 go-rod 的 SetExtraHeaders,
  避免 EnableDomain 返回的 cleanup 在 withPage context 超时后清理域
- route: HijackRouter 创建在 sess.Page 上而非 context-scoped page,
  路由注册移到 withPage 外部避免 Fetch domain 随 opCtx 过期

新增 12 个对比测试 (共 23 个):
- test_dispatch.py: dispatch-event 自定义事件
- test_files.py: set-input-files 文件上传
- test_focus.py: focus/blur 焦点事件
- test_headers.py: set-extra-headers 自定义请求头
- test_route.py: route --fulfill / --abort 请求拦截
- test_viewport.py: set-viewport 视口设置
- test_wait.py: wait-for-url / wait-for-request / wait-for-response
- test_interaction.py: 新增 press Shift+a 组合键测试

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
playwright-cli 等价 flags (open 子命令):
  --ignore-https-errors    自签名证书站点测试
  --viewport-size WxH      视口大小设置
  --geolocation lat,lon    GPS 欺骗
  --timezone               时区仿真
  --color-scheme light|dark 暗色模式
  --lang                   语言/locale
  --device                 设备仿真 (预留)
  --load-storage <file>    从文件恢复 cookies + localStorage
  --save-storage <file>    关闭时保存完整会话状态
  --save-har <file>        关闭时保存 HAR 网络流量

playwright-cli 等价 flags (screenshot/pdf):
  --wait-for-selector      截图/PDF 前等待元素出现
  --wait-for-timeout       截图/PDF 前等待毫秒数

新增 SDK 对齐命令:
  set-content, title, inner-text, is-checked, is-disabled,
  is-enabled, is-hidden, tap, type (逐字符输入)

close 命令支持 --save-storage / --save-har 覆盖参数

35 个对比测试全部通过 (vs Playwright Python SDK)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
引入 contextFlags 结构和 parseContextFlag 共享解析器,使
screenshot/pdf 无状态命令也能接受完整的 playwright-cli context flags:
  --proxy-server, --proxy-bypass, --viewport-size, --geolocation,
  --timezone, --color-scheme, --lang, --device, --ignore-https-errors,
  --load-storage, --save-storage, --save-har, --save-har-glob,
  --block-service-workers, --paper-format

applyContextFlags() 统一应用到 newPage() 创建的无状态页面。

open 命令新增: --proxy-server, --proxy-bypass, --save-har-glob,
  --block-service-workers

playwright-cli flag 覆盖率: 21/24 = 87%
仅剩 3 个未实现: --browser (多引擎), --channel (发行渠道),
  --user-data-dir (持久化用户目录)。这三个因 go-rod 仅支持
  Chromium 而不适用。

35 个对比测试全部通过。

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ility

Implement pkg/headless/ as a nuclei-compatible headless browser automation
engine, designed for eventual migration to neutron. Core mechanisms ported
from nuclei's headless engine with neutron dependencies replacing nuclei-
specific packages.

Key features:
- 29 action types (navigate/click/script/waitdialog/setheader/extract/etc.)
- Dual-path hijack: HijackRouter for request/response modification,
  native CDP Fetch for capture-only — both paths record full history
- DSL expression evaluation via neutron common.Evaluate (rand_int, replace,
  base64, etc.)
- Payload iteration (sniper/pitchfork/clusterbomb) via neutron Generator
- Template-level variables via neutron Variable.Evaluate
- Instance isolation (incognito per execution) with backoff sleeper
- Proper HTTP client with TLS skip, proxy, cookie jar
- XPath/CSS/JS/regex/search element selectors
- WaitEvent with CDP event reflection via proto.GetType
- WaitDialog with type+message capture
- NavigateURL parameter auto-merge from input URL
- 24 real nuclei-templates/headless POCs as testdata
- Integration tests: 24/24 parse, 22/24 compile, 11 execution tests

Wired into playwright pseudo-command via 'template' subcommand.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…degen

Record browser interactions as nuclei-compatible headless YAML templates.
Adds `record` subcommand and `--record` flag to `open`, with centralized
recording hook in Execute() dispatcher. Generated templates round-trip
through headless.ParseTemplate() and can be replayed via `playwright template`.

- recorder.go: RecordedAction, recorder struct, 26 command→action mappings,
  YAML codegen via headless.Template, URL templatization ({{BaseURL}}),
  XPath selector preservation, execRecord subcommand
- session.go: rec field on Session, --record flag, close warning for unsaved
  recordings, rec= indicator in sessions list
- browser.go: Execute() refactored to result/err pattern with post-dispatch
  recording hook, record subcommand in dispatcher and Usage
- 7 unit tests + 10 browser integration tests (all passing)
- Updated playwright SKILL.md with recording docs, template execution docs,
  aiscan extensions table, and recording workflow examples
- Updated verify SKILL.md with --record guidance, POC persistence section,
  and template path in decision tree

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
These in-process JSON parsing tools added complexity without enough
value — the LLM can read scanner JSON output directly or re-run with
-j flag. Removes the entire pkg/command/results package, skill docs,
system prompt references, and test expectations.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…tmuxpkg

- Rename OriginTask to OriginSession in inbox (sessions are tmux-managed)
- Rename taskmod import alias to tmuxpkg across cmd/
- Rename bashTaskManager → bashSessionManager, taskMgr → sessMgr
- Rename task_inbox_test.go → session_inbox_test.go, update meta keys
  (task_id→session_id, task_name→session_name)
- Rename ParseLegacyTask → ParseLegacyMessage in swarm
- Remove unused legacy harness assertion helpers (RequireOK, etc.)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
… and lint

- mergeEnv: override existing env vars instead of appending duplicates
- EnableLogsDebug: protect with sync.Once to eliminate data race
- TestLoadEmbeddedSkills: use >= check instead of exact count
- golangci: exclude gosec G703 (path traversal in write tool)
- update chainreactors dependencies to latest

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ntent read

Remove Body/Raw fields from Skill struct. Content is now read on-demand from
embeddedFS via ReadBody/ReadFile helpers, matching the pi-mono pattern where
only frontmatter metadata is indexed at startup.

- Delete standalone verify, sniper, swarm skill directories
- Move verify/sniper content under skills/scan/ as sub-files
- Move swarm content under skills/ioa/swarm.md for progressive discovery
- Remove SkillBodyLoader/skillStoreAdapter — scan pipeline references skill
  files in prompts so the LLM reads them via the read tool
- Replace inline scanner UsageDocs with one-line index per command
- System prompt reduced from ~29k to ~3.8k chars

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ering refactor

- Add katana SDK crawl as pipeline capability (browser/full build tag)
  - katana_crawl (quick): depth from profile, standard HTTP crawl
  - katana_deep (full): JS-enabled deeper crawl
  - silentWriter suppresses katana stdout leak
  - scope filtering: only emit same-root-domain URLs
  - crawl sources don't re-trigger other crawlers (acceptsNonCrawlTarget)

- Reverse registration architecture
  - Remove centralized register_command_full.go
  - katana/passive self-register via init() with build tags
  - cmd layer uses dynamic extraCommands map instead of build-tag struct pairs

- Fix spray crawl: auto-switch to brute mode when Crawl=true
  - SprayCheckStream uses BruteTask with seed wordlist for crawl-enabled options

- Refactor report rendering
  - New colors.go: unified renderColor wrapping chainreactors/logs + parsers.RenderStatus
  - Split report.go (923 lines) into report.go/report_json.go/report_plain.go/report_asset.go
  - Sitemap tree as primary path view: [STATUS] /path SIZE "title" [fingers] {annotations}
  - Service/fingerprint/finding rendered at top level, path only in sitemap
  - -F offline rendering from record JSONL files

- Fix asset aggregation: strip default ports (443/80) to merge same-origin assets

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…al cleanup

- Remove hardcoded API key from harness.go, require env var
- Fix parallel/sequential tool execution race in agent loop
- Fix goroutine leak in gogo RunWithArgs fallback (cancel child ctx)
- Fix browser process leak on Connect failure (call l.Kill)
- Fix sameRootDomain suffix matching (evilexample.com no longer matches example.com)
- Fix data race reading collector fields without lock after pipeline
- Add mutex to ApplyNeutronProxy for concurrent scan safety
- Fix NewService signature in swarm/harness test files (add missing 2nd arg)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Split the monolithic cmd package (35 files) into a layered architecture:

- core/config: Option types, defaults, config loading, provider, scanner commands
- core/runner: unified AgentRuntime factory, all execution modes (one-shot,
  interactive, loop, scanner-ai), console, output, events, session, subagent
- pkg/pidlock: cross-platform process lock utility

All agent modes now go through a single NewAgentRuntime() factory with
RuntimeConfig for mode-specific overrides (IOA injection, existing app,
prompt config). cmd/ is reduced to CLI parsing and dispatch only.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
… tag

Consolidate web_search, web_fetch, and cyberhub into a single `search`
command with subcommands (tavily/fetch/cyberhub). Merge standalone fuzz
skill into skills/scan/fuzz.md alongside verify/sniper/deep. Remove
stale vision skill references.

Replace the blanket `full` build tag with granular `browser` and `recon`
tags, eliminating double-maintained availability lists and test
expectations in favor of init()-based registration.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…intermediate types

Unify 3 independent color systems, 2 parallel struct hierarchies, and 6+
format paths into a single pkg/output package. Delete pkg/record entirely.

Key changes:
- Create pkg/output with Color, Record, format helpers, and asset renderer
- Result fields now use SDK/parsers types directly: *GOGOResult, *SprayResult,
  *ZombieResult, *VulnResult, []provider.ChatMessage, *provider.Usage
- Add sdktypes.VulnResult in SDK for serializable neutron findings
- Recorder writes parsers types directly to JSONL (no intermediate conversion)
- Remove all custom intermediate types: WebEndpoint, Fingerprint, Finding,
  Service, AIMessage, ToolCall, TokenUsage, record.Service/Web/Finding
- Fingerprints derived from GOGOResult.Frameworks/SprayResult.Frameworks
  in aggregate instead of separate collector storage
- AgentRunResult carries provider.ChatMessage and provider.Usage from agent

Deleted: pkg/record/, scan/colors.go, scan/report_asset.go, scan/report_render.go
Net: -1200 lines

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ss/subprocess split

Three major simplifications:

1. Command execution: delete InProcess concept. All registered commands
   run in-process via goroutine-based tmux sessions (CreateFunc). Bash
   dispatches through execCommand/execShell with unified auto-background.
   tmux manages all sessions (goroutine and PTY) with identical
   peek/kill/wait interface. No subprocess re-invocation, no self-binary
   resolution, no CLI entry point requirements.

2. Agent model: Agent is the single core type. Config is pure data.
   One constructor (NewAgent), one entry point (Agent.Run), one way to
   spawn (Agent.Derive). Removed Config.Run, Config.Derive,
   Config.RunWithContext, Config.NewAgent, runChildAgent, childAgentOpts.
   SubAgentTool holds *Agent directly instead of SubAgentConfig wrapper.

3. Command interface: PseudoCommand renamed to Command with unified
   Execute(ctx, args, io.Writer) signature. StreamingCommand removed.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Prevents accidental commit of API keys in community config.
Local file is preserved.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Port key improvements from feature/comprehensive-improvements-v3:

- swarm: broadcast message adds "type" field, fixes aide-ui unknown display
- agent: DefaultMaxRetries 2→9, reduces task interruption from transient API errors
- ioa: resolvingClient transparently resolves space names to IDs with cache;
  --space/--space_name aliases for --space_id; unknown names list available spaces
- passive: dynamic Usage shows configured sources; shodan-idb validates IP/CIDR
  input with actionable error; sourceList sorted for stable output
- resources: FullFingers merge preserves fingerprinthub template fingerprints;
  NewEngineWithFingers replaces NewEngine for correct initialization
- command: auto-inject --no-color for scan in registry (agent context);
  remove --no-color from scan/katana Usage to reduce LLM cognitive load
- docs: SKILL.md clarifies tmux pane as sole scan output channel

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…nd CLI

- Remove boundClient/toolAdapter/SDK NewTools indirection — three commands
  (ioa_space, ioa_send, ioa_read) now call client.Space/Send/Read directly
- Organize each command with subcommands:
  - ioa_space: join, list, nodes, topics
  - ioa_send: (broadcast), to --node, reply --to
  - ioa_read: (default), all, thread --id, new --after
- Auto-join configured space at startup via InitIOA + SetDefaultSpace
- LLM never needs to know space_id — binding handled internally
- 24 unit tests + 1 DeepSeek LLM integration test (TestLLMIOAToolUsage)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace 5 overlapping event mechanisms (Config.Emit, EventsWriter,
combineEventHandlers, recorder, aiTraceCollector) with a single generic
EventBus[T] that both agent and scan pipeline use.

- Add pkg/eventbus with generic Bus[T] (Subscribe/Emit)
- Agent: Config.Bus replaces Config.Emit, loop calls bus.Emit() directly
- Pipeline: Config.Bus replaces Config.Observe, collector is a subscriber
- Derive() propagates Bus so sub-agent events flow to parent
- Delete: recorder.go, ai_trace.go, combineEventHandlers, EventHandler type
- Delete: orphaned AITurn/AIRequest/AIToolCall/AIToolResult output types
- scan -f uses scanJSONLWriter subscribing to pipeline bus
- --events-file uses eventsFileSubscriber subscribing to agent bus

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Remove --space_id from all examples (auto-bound after join)
- Update ioa_space/ioa_send/ioa_read to show subcommand syntax
- Update task dispatch example to use `ioa_send to --node`

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
CheckpointTool now supports pluggable sinks via OnCheckpoint(). When IOA
is configured, a sink is wired that sends checkpoint results as structured
messages (using IOAContent/IOAMeta) to the current space — other agents
can read findings without polling scan output.

Wiring: InitIOA → ioa.CheckpointSink → App.CheckpointSink →
        scan.WithCheckpointSink → CheckpointTool.OnCheckpoint

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Delete --events-file CLI flag; scan -f now writes both scan and agent
  data to the same JSONL file via scanJSONLWriter subscribing to both
  pipeline bus and parent agent bus
- Add SessionID to Event and EventJSON so parallel agents can be
  distinguished; Derive() generates a new SessionID per child agent
- Add emitter type (bus + sessionID) to stamp SessionID on every emit
  without burdening Config with runtime behavior
- Merge normalizeConfig + prepareConfig into Config.init() — single
  entry point for all config initialization
- Export agent event serialization (SerializableEvent, EventJSON) to
  pkg/agent/event_json.go so scan package can serialize agent events
- Delete dead telemetry.Recorder (zero external references)
- Fold AISkill/AIResponse into TypeToolCall via provider.ToolCall format
- Harness uses AISCAN_EVENTS_FILE env var instead of deleted CLI flag

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/golang-x-60aba6a77c branch from 0119401 to bf2bf34 Compare June 26, 2026 18:32
M09Ic and others added 7 commits June 27, 2026 03:53
…from cyber-ui

Replace local shadcn/ui components (Button, Badge, Card, Input,
ToggleGroup) with shared @aspect/ui package. Replace cn() utility
imports with @aspect/theme. Delete 5 redundant component files.

Tooltip kept as local component due to aiscan-specific simplified API.
MarkdownContent kept as local component due to cyber-theme customization.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…e, Spinner, ThemeProvider

- Tooltip: replace custom CSS tooltip with Radix @aspect/ui Tooltip,
  add TooltipProvider to App root, delete ui/tooltip.tsx
- ThemeToggle: replace custom localStorage logic with @aspect/theme useTheme
- ScanView: replace custom ResultTabButton with @aspect/ui Tabs
- LLMConfigPanel: replace native <select> with @aspect/ui Select,
  StatusPill with Badge, Loader2 with Spinner
- AgentPanel: replace Loader2 with @aspect/ui Spinner

components/ui/ directory is now fully deleted.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Line numbers are a rendering concern, not a tool output concern.
Read tool now returns raw file content; line numbering is handled
by the display/TUI layer.

Aligns with cyber-agent's read tool behavior.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ents

Agents connecting with --web-url automatically pull LLM, cyberhub, recon,
scan, search, IOA, and agent config from the server before initializing
their runtime. Priority: local config > remote config > defaults.

Backend:
- Single shared type webproto.DistributeConfig with json+yaml tags
- GET /api/config returns ConfigStatus (secrets masked, *_configured flags)
- PUT /api/config saves DistributeConfig (preserves secrets when empty)
- GET /api/config/distribute returns raw config with secrets for agents
- ConfigStore interface: GetDistributeConfig + SaveDistributeConfig
- Removed LLMConfig type, LLMConfigStore interface, /api/config/llm endpoints

Agent:
- core/config/remote.go: FetchRemoteConfig + MergeRemoteOption
- webagent.Run fetches remote config before NewAgentRuntime (non-fatal)

Frontend:
- ConfigPanel with 7 tabs (LLM/Cyberhub/Recon/Scan/Search/IOA/Agent)
- Renamed LLMConfigPanel → ConfigPanel, llmConfigOpen → configOpen

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add cyber-ui as git submodule at web/frontend/cyber-ui
- Replace local @aspect/ui, @aspect/theme aliases with cyber-ui source
- Add @aspect/markdown, @aspect/viewer, @aspect/terminal aliases
- Delete local ui/index.tsx, ui/chat.tsx, lib/theme.ts,
  MarkdownContent.tsx, ThemeToggle.tsx, terminal-utils.ts,
  SessionNavigator.tsx (all replaced by cyber-ui packages)
- Add Radix UI + react-syntax-highlighter dependencies
- Migrate all hardcoded cyber-* colors to semantic primary/success/
  warning/info CSS variables
- Add success/warning/info/caution CSS variables to index.css
- Use @aspect/theme Tailwind preset in tailwind.config.js
- Wrap App root with ThemeProvider from @aspect/theme
- ChatPanel: import chat components from @aspect/viewer, remove
  duplicate summarizeArgs/summaryFromValue
- AgentTerminal: use TerminalView, TerminalHeader, SessionNavigator,
  DetailPanel from @aspect/terminal
- TerminalDetails: use DetailPanel/DetailGroup/DetailRow from
  @aspect/terminal

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Store: add chat_sessions, chat_messages, session_scans tables with
  full CRUD and migration
- AgentPool: SessionLookup interface, PickChat, turn tracking, forward
  agent telemetry events (thinking, message, tool_call) to chat SSE
- SSE: configurable terminal events instead of hardcoded complete/error
- Frontend: scan-route session-aware routing
- Tests: agent WebSocket lifecycle, PTY frame encoding
- Rebuild static assets

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/golang-x-60aba6a77c branch from bf2bf34 to bddfe7b Compare June 28, 2026 15:01
M09Ic and others added 3 commits June 28, 2026 08:40
… to tsconfig

- ChatPanel imports AssistantResponse, ChatInput, ChatThinking,
  MessageBubble, ToolCallDisplay, summarizeArgs from @aspect/viewer
  instead of @aspect/ui (which no longer bundles chat components)
- Add cyber-ui/packages/viewer/src to tsconfig include
- Update cyber-ui submodule to 739d849

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Frontend:
- ChatPanel enables attachments, handles CTX mode (inject text
  into LLM context) and UP mode (upload to remote agent)
- api.ts: uploadChatFile() POST multipart to /api/chat/sessions/{id}/upload
- Update cyber-ui submodule for ChatInput attachment UI

Backend:
- POST /api/chat/sessions/{id}/upload — multipart endpoint
- Service.HandleFileUpload: base64-encodes file, dispatches through
  WebSocket as {type:"upload", data_b64, payload:{filename,size,mime}}
- AgentPool.dispatchMessage: sends pre-built WSMessage with task tracking

Agent:
- handleFileUpload: decodes base64, writes to $TMPDIR/aiscan-uploads/,
  responds with {type:"complete", payload:{path,size}}

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/golang-x-60aba6a77c branch from bddfe7b to fbbeb8c Compare June 28, 2026 20:03
M09Ic and others added 14 commits June 28, 2026 22:54
- Extract scan/agent rendering into chat-extensions.tsx using
  registerTimelineRenderer() from @aspect/viewer
- Add timeline-mapper.ts to convert local TimelineItem to viewer model
- ChatPanel now resolves scan_started/scan_complete/agent_joined
  through the shared extension registry instead of hardcoded switch cases
- Register extensions at app startup in main.tsx

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Extend output.Record with indexing fields (scan_id, session_id, agent_id,
source, target, priority, tags) and add new RecordType constants for agent
events (tool_call, tool_result, turn_end, etc.).

Web server persists agent events and scan results into a new `records`
table via the existing event path: handleAgentMessage → InsertRecord for
remote agent events, scan completion → ResultToRecords → InsertRecords
for scan findings.

Agent-side (aiscan CLI) is unchanged — no database, events flow through
the existing eventbus → WebSocket path.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Move wsPayloadToRecord and resultToRecords directly into pkg/web/agents.go
where they're used. These are web-server-side concerns, not runner logic.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Both paths now send identical output.Record: the agent side uses
NewRecord(TypeAgent, event), the web side unwraps Record.Data to
extract event fields for SSE forwarding.

- Remove unused RecordType constants (TypeToolCall, etc.)
- Delete wsPayloadToRecord conversion function
- Add extractEventData helper so forwardAgentEvent correctly
  unwraps Record.Data before parsing event fields
- Frontend unaffected (only consumes SSE ChatEvents)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Delete ListRecords, AggregateRecords, RecordFilter, RecordSummary,
buildRecordQuery, and scanRecord — all defined but never called.
Query API can be added when there's an actual consumer.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
pkg/agent/: Split the monolithic agent_test.go and 6 scattered test files
into helpers_test.go + agent_test.go + loop_test.go + retry_test.go.

pkg/agent/provider/: Merge cache_breakpoint_test.go and cache_protocol_test.go
into cache_test.go.

pkg/agent/tmux/: Merge interactive_test.go and reminder_test.go into
manager_test.go.

pkg/commands/: Merge bash-related tests into bash_test.go; split
readwrite_test.go into read_test.go + write_test.go + glob_test.go.

pkg/tui/: Merge console test files into console_test.go.

cmd/aiscan/: Restore cli_full_test.go build tag.

core/config/: Rename config_test.go to loader_test.go.

core/harness/: Merge 10 scenario test files into harness_test.go.

core/resources/: Merge pipeline_test.go into resources_test.go.

pkg/headless/: Rename integration_test.go to engine_test.go.

pkg/tools/: Consolidate register/proxy/integration tests into
register_command_test.go family.

pkg/tools/proton/: Rename proton_test.go to command_test.go.
pkg/tools/proxy/: Rename mitm_bench_test.go to mitm_test.go.
pkg/tools/playwright/: Merge recorder_integration_test.go into recorder_test.go.
pkg/tools/scan/: Merge tempfiles into scan_test.go, rename to command_test.go.
pkg/tools/scan/engine/: Rename recon_test.go to uncover_test.go,
sdk_e2e_test.go to set_test.go.
pkg/tools/scan/pipeline/: Rename pipeline_recover_test.go to pipeline_test.go.

pkg/web/: Split analysis_options_test.go into service_test.go +
store_sqlite_test.go; merge e2e_terminal_test.go into agents_test.go.

skills/: Merge embed_expectations files into embed_test.go +
embed_expectations_full_test.go.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- feat: file upload through agent channel
- feat: --tavily-key flag for web search configuration
- feat: scan tools (gogo/spray) emit real-time DataBus events
- fix: external API tools (passive/web_search/cyberhub) always register,
  return clear error with configuration hints when keys are missing
- fix: remove go.mod tui replace directives, use published versions
- deps: upgrade zombie to v1.3.0, all chainreactors deps to latest master
- deps: migrate tui/console and tui/readline to chainreactors/tui
- docs: add v0.2.8 changelog

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add [match:name] / [extract] labels and class tag in text output
- Add extract/match breakdown in summary stats
- Add ShouldSkipFile() call in walkAndScan
- Fix stats double-counting: remove duplicate Files/Bytes increments
  (already counted by Scanner.ReadFile)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Bumps the golang-x group with 1 update in the / directory: [golang.org/x/image](https://github.com/golang/image).


Updates `golang.org/x/image` from 0.42.0 to 0.43.0
- [Commits](golang/image@v0.42.0...v0.43.0)

---
updated-dependencies:
- dependency-name: golang.org/x/image
  dependency-version: 0.43.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/golang-x-60aba6a77c branch from fbbeb8c to edf6945 Compare July 5, 2026 20:03
@M09Ic M09Ic force-pushed the master branch 2 times, most recently from 383525d to a51acd3 Compare July 6, 2026 07:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants