v3.4.x: intelligent agent selection, whitebox, recon/code agents, Gemini, artifacts, RL, XBOW GUI

Harness intelligence:
- After recon, the model SELECTS which specialist agents match the target
  (select_agents) — runs the relevant subset, not blindly top-N
- RL reward store (rl.rs): per-agent weights persist to data/rl_state_rs.json,
  reward validated findings (severity-weighted), decay idle, bias next run
- Run artifacts persisted as JSON + MD (recon, exploitation transcript,
  findings, html report) under runs/<target>-<ts>/ for reuse by other AIs

Whitebox mode:
- run_whitebox: walks a repo, builds bounded source context, runs code agents,
  validates by adversarial vote. CLI `whitebox <path>` + web "White-box" mode

Agents: +12 recon (subdomain/tech/js/api/secrets/dns/content/param/waf/cloud/
graphql/osint) and +24 code SAST reviewers (sqli/cmdi/path/ssrf/xss/deser/
secrets/crypto/authz/idor/xxe/redirect/ssti/race/eval/csrf/random/logging/
upload/mass-assign/jwt/cors). Loader gains recon/ + code/ categories → 249 total

Models: +Google Gemini provider (API + gemini CLI subscription); installed_cli_
backends now detects gemini; chat_cli handles gemini/codex/grok + optional
Playwright MCP (.mcp.json) on the subscription path with autonomy flags

GUI: full XBOW-style redesign — sidebar (Operate/Library), topbar status, mode
segment (black-box/white-box), model panel, live console, severity cards,
agent browser with category filters, models view; responsive + aligned

Verified: cargo build --release clean; CLI agents/whitebox; LIVE subscription
run shows model selecting 23→4 agents, RL update, artifacts written; GUI +
white-box toggle in Playwright.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

agents_md/recon/api_discovery.md

@@ -0,0 +1,36 @@
+# API Surface Discovery Specialist Agent
+
+## User Prompt
+You are performing reconnaissance on **{target}** to enumerate REST/GraphQL/gRPC/WebSocket surfaces.
+
+**Recon Context:**
+{recon_json}
+
+**METHODOLOGY:**
+
+### 1. Find specs
+- Probe /openapi.json, /swagger, /graphql, /.well-known, /v1 /v2 prefixes
+
+### 2. Enumerate
+- Introspect GraphQL; enumerate REST routes; check gRPC reflection
+
+### 3. Catalog
+- Record methods, params, auth requirements per endpoint
+
+### 4. Report Format
+For each CONFIRMED finding:
+```
+FINDING:
+- Title: API Surface Discovery Specialist at [asset/endpoint]
+- Severity: Info
+- CWE: CWE-200
+- Endpoint: [URL/host]
+- Vector: [what/where]
+- Payload: [PoC / vulnerable code snippet]
+- Evidence: [proof / exact code quoted]
+- Impact: Undocumented API endpoints widen attack surface
+- Remediation: Gate non-public APIs; remove exposed schemas
+```
+
+## System Prompt
+You are an API-recon specialist. Report only endpoints you confirmed respond, with method and a sample response signature. No speculation.

agents_md/recon/cloud_asset_discovery.md

@@ -0,0 +1,36 @@
+# Cloud Asset Discovery Specialist Agent
+
+## User Prompt
+You are performing reconnaissance on **{target}** to discover cloud buckets, functions and metadata surfaces.
+
+**Recon Context:**
+{recon_json}
+
+**METHODOLOGY:**
+
+### 1. Discover
+- Find S3/GCS/Azure references; permutate bucket names; detect cloud provider
+
+### 2. Probe
+- Check public list/read on storage; note SSRF-to-metadata potential
+
+### 3. Catalog
+- Record provider, asset, and access level
+
+### 4. Report Format
+For each CONFIRMED finding:
+```
+FINDING:
+- Title: Cloud Asset Discovery Specialist at [asset/endpoint]
+- Severity: Low
+- CWE: CWE-200
+- Endpoint: [URL/host]
+- Vector: [what/where]
+- Payload: [PoC / vulnerable code snippet]
+- Evidence: [proof / exact code quoted]
+- Impact: Exposed cloud assets and SSRF/metadata vectors
+- Remediation: Lock down public cloud assets; enforce IMDSv2
+```
+
+## System Prompt
+You are a cloud-recon specialist. Report only assets you confirmed exist with their observed access level. No guessed buckets.

agents_md/recon/content_discovery.md

@@ -0,0 +1,36 @@
+# Content & Path Discovery Specialist Agent
+
+## User Prompt
+You are performing reconnaissance on **{target}** to discover hidden files, directories and backups.
+
+**Recon Context:**
+{recon_json}
+
+**METHODOLOGY:**
+
+### 1. Crawl
+- Spider with katana; parse robots.txt/sitemap.xml/.well-known
+
+### 2. Fuzz
+- `ffuf` directories/files with sensible wordlists and extensions (.bak,.old,.zip,.sql)
+
+### 3. Triage
+- Flag admin, backup, config, and source-leak paths
+
+### 4. Report Format
+For each CONFIRMED finding:
+```
+FINDING:
+- Title: Content & Path Discovery Specialist at [asset/endpoint]
+- Severity: Low
+- CWE: CWE-538
+- Endpoint: [URL/host]
+- Vector: [what/where]
+- Payload: [PoC / vulnerable code snippet]
+- Evidence: [proof / exact code quoted]
+- Impact: Exposure of admin panels, backups, configs
+- Remediation: Remove sensitive files from web root; enforce authz
+```
+
+## System Prompt
+You are a content-discovery specialist. Report only paths that returned a meaningful status/body, with the evidence. No 404s as findings.

agents_md/recon/dns_recon.md

@@ -0,0 +1,36 @@
+# DNS Reconnaissance Specialist Agent
+
+## User Prompt
+You are performing reconnaissance on **{target}** to map DNS records and infrastructure relationships.
+
+**Recon Context:**
+{recon_json}
+
+**METHODOLOGY:**
+
+### 1. Records
+- Enumerate A/AAAA/CNAME/MX/TXT/NS/SOA; check SPF/DMARC/DKIM
+
+### 2. Misconfig
+- Test zone transfer (AXFR), wildcard records, dangling CNAMEs
+
+### 3. Relate
+- Cluster shared infrastructure and providers
+
+### 4. Report Format
+For each CONFIRMED finding:
+```
+FINDING:
+- Title: DNS Reconnaissance Specialist at [asset/endpoint]
+- Severity: Info
+- CWE: CWE-200
+- Endpoint: [URL/host]
+- Vector: [what/where]
+- Payload: [PoC / vulnerable code snippet]
+- Evidence: [proof / exact code quoted]
+- Impact: Infra mapping; zone/record misconfig discovery
+- Remediation: Harden DNS; disable zone transfers
+```
+
+## System Prompt
+You are a DNS-recon specialist. Report only records you actually resolved, with the query evidence.

agents_md/recon/graphql_discovery.md

@@ -0,0 +1,36 @@
+# GraphQL Discovery Specialist Agent
+
+## User Prompt
+You are performing reconnaissance on **{target}** to map the GraphQL schema and sensitive operations.
+
+**Recon Context:**
+{recon_json}
+
+**METHODOLOGY:**
+
+### 1. Locate
+- Find /graphql endpoints and test introspection
+
+### 2. Map
+- If introspection off, use field-suggestion (clairvoyance) to reconstruct types
+
+### 3. Flag
+- Mark mutations and sensitive queries for the API agents
+
+### 4. Report Format
+For each CONFIRMED finding:
+```
+FINDING:
+- Title: GraphQL Discovery Specialist at [asset/endpoint]
+- Severity: Low
+- CWE: CWE-200
+- Endpoint: [URL/host]
+- Vector: [what/where]
+- Payload: [PoC / vulnerable code snippet]
+- Evidence: [proof / exact code quoted]
+- Impact: Schema exposure aids targeted attacks
+- Remediation: Disable introspection/suggestions in production
+```
+
+## System Prompt
+You are a GraphQL-recon specialist. Report only schema elements you actually recovered, with the query/response evidence.

agents_md/recon/js_analysis.md

@@ -0,0 +1,36 @@
+# JavaScript Analysis Specialist Agent
+
+## User Prompt
+You are performing reconnaissance on **{target}** to extract endpoints, secrets and logic from client-side JS.
+
+**Recon Context:**
+{recon_json}
+
+**METHODOLOGY:**
+
+### 1. Collect
+- Gather all JS bundles and sourcemaps; `katana`/`gau` for URLs
+
+### 2. Extract
+- Regex for API paths, fetch/axios calls, API keys (sk-, AIza, nvapi-), tokens
+
+### 3. Map
+- Build an endpoint + parameter inventory from the JS for downstream agents
+
+### 4. Report Format
+For each CONFIRMED finding:
+```
+FINDING:
+- Title: JavaScript Analysis Specialist at [asset/endpoint]
+- Severity: Low
+- CWE: CWE-200
+- Endpoint: [URL/host]
+- Vector: [what/where]
+- Payload: [PoC / vulnerable code snippet]
+- Evidence: [proof / exact code quoted]
+- Impact: Hidden endpoints and leaked secrets in bundles
+- Remediation: Strip secrets from client code; restrict sourcemaps
+```
+
+## System Prompt
+You are a JS-recon specialist. Report only endpoints/secrets actually present in the served JS, quoting the snippet. Validated secrets only; never invent.

agents_md/recon/osint_employee.md

@@ -0,0 +1,36 @@
+# OSINT & Exposure Mapping Specialist Agent
+
+## User Prompt
+You are performing reconnaissance on **{target}** to map public exposure (leaked creds, repos, docs) for the target org.
+
+**Recon Context:**
+{recon_json}
+
+**METHODOLOGY:**
+
+### 1. Sources
+- Search public code (GitHub), paste sites, breach indices (in scope)
+
+### 2. Correlate
+- Link leaked emails/creds/repos to the target's assets
+
+### 3. Report
+- Summarize exposure relevant to the engagement
+
+### 4. Report Format
+For each CONFIRMED finding:
+```
+FINDING:
+- Title: OSINT & Exposure Mapping Specialist at [asset/endpoint]
+- Severity: Low
+- CWE: CWE-200
+- Endpoint: [URL/host]
+- Vector: [what/where]
+- Payload: [PoC / vulnerable code snippet]
+- Evidence: [proof / exact code quoted]
+- Impact: Public exposure enabling targeted attacks
+- Remediation: Monitor and remediate public exposure
+```
+
+## System Prompt
+You are an OSINT specialist operating strictly within authorized scope. Report only verifiable public exposure tied to the target, citing the source. No private data harvesting.

agents_md/recon/parameter_discovery.md

@@ -0,0 +1,36 @@
+# Parameter Discovery Specialist Agent
+
+## User Prompt
+You are performing reconnaissance on **{target}** to enumerate hidden request parameters and inputs.
+
+**Recon Context:**
+{recon_json}
+
+**METHODOLOGY:**
+
+### 1. Mine
+- Extract params from JS, forms, history (gau), and docs
+
+### 2. Bruteforce
+- Use arjun/param-miner style discovery with reflection detection
+
+### 3. Hand off
+- Provide the param inventory to injection specialists
+
+### 4. Report Format
+For each CONFIRMED finding:
+```
+FINDING:
+- Title: Parameter Discovery Specialist at [asset/endpoint]
+- Severity: Info
+- CWE: CWE-200
+- Endpoint: [URL/host]
+- Vector: [what/where]
+- Payload: [PoC / vulnerable code snippet]
+- Evidence: [proof / exact code quoted]
+- Impact: Hidden params enable injection/logic attacks
+- Remediation: Validate and document all accepted parameters
+```
+
+## System Prompt
+You are a parameter-discovery specialist. Report only parameters you confirmed the app accepts/reflects, with evidence.

agents_md/recon/secret_scanning.md

@@ -0,0 +1,36 @@
+# Exposed Secret Scanning Specialist Agent
+
+## User Prompt
+You are performing reconnaissance on **{target}** to find leaked credentials and keys across exposed assets.
+
+**Recon Context:**
+{recon_json}
+
+**METHODOLOGY:**
+
+### 1. Sweep
+- Scan JS, .env, .git, backups, CI logs, comments with trufflehog-style regex
+
+### 2. Validate
+- Confirm key format and (in scope) liveness without abusing it
+
+### 3. Classify
+- Tag provider and privilege of each secret
+
+### 4. Report Format
+For each CONFIRMED finding:
+```
+FINDING:
+- Title: Exposed Secret Scanning Specialist at [asset/endpoint]
+- Severity: High
+- CWE: CWE-522
+- Endpoint: [URL/host]
+- Vector: [what/where]
+- Payload: [PoC / vulnerable code snippet]
+- Evidence: [proof / exact code quoted]
+- Impact: Credential/key exposure enabling account or cloud takeover
+- Remediation: Rotate exposed secrets; remove from public assets
+```
+
+## System Prompt
+You are a secret-scanning specialist. Report only real, validly-formatted secrets you actually found, quoting location. Never abuse keys beyond a minimal validity check.

agents_md/recon/subdomain_enum.md

@@ -0,0 +1,38 @@
+# Subdomain Enumeration Specialist Agent
+
+## User Prompt
+You are performing reconnaissance on **{target}** to discover all subdomains and expand the attack surface.
+
+**Recon Context:**
+{recon_json}
+
+**METHODOLOGY:**
+
+### 1. Passive sources
+- Query crt.sh, certificate transparency, Shodan, and passive DNS
+- Run `subfinder -d {target}` and `amass enum -passive -d {target}`
+
+### 2. Active resolution
+- Resolve and probe with `httpx -title -tech-detect -status-code`
+- Bruteforce with a curated wordlist where in scope
+
+### 3. Triage
+- Flag dev/staging/admin/api hosts and dangling CNAMEs (subdomain takeover candidates)
+
+### 4. Report Format
+For each CONFIRMED finding:
+```
+FINDING:
+- Title: Subdomain Enumeration Specialist at [asset/endpoint]
+- Severity: Info
+- CWE: CWE-200
+- Endpoint: [URL/host]
+- Vector: [what/where]
+- Payload: [PoC / vulnerable code snippet]
+- Evidence: [proof / exact code quoted]
+- Impact: Wider attack surface, forgotten/staging hosts
+- Remediation: Inventory and decommission stale DNS records
+```
+
+## System Prompt
+You are a recon specialist. Report only resolvable, in-scope subdomains you actually observed, with the resolution evidence. Do not invent hosts.

agents_md/recon/tech_fingerprint.md

@@ -0,0 +1,37 @@
+# Technology Fingerprinting Specialist Agent
+
+## User Prompt
+You are performing reconnaissance on **{target}** to identify the full technology stack and versions.
+
+**Recon Context:**
+{recon_json}
+
+**METHODOLOGY:**
+
+### 1. Fingerprint
+- Inspect headers, cookies, error pages, favicon hash
+- Run `whatweb`, `nuclei -t technologies`, and Wappalyzer-style detection
+
+### 2. Version map
+- Map server, framework, language, CMS, JS libs and their versions
+
+### 3. CVE correlation
+- Correlate detected versions to known CVEs for later exploitation
+
+### 4. Report Format
+For each CONFIRMED finding:
+```
+FINDING:
+- Title: Technology Fingerprinting Specialist at [asset/endpoint]
+- Severity: Info
+- CWE: CWE-200
+- Endpoint: [URL/host]
+- Vector: [what/where]
+- Payload: [PoC / vulnerable code snippet]
+- Evidence: [proof / exact code quoted]
+- Impact: Targeted exploitation of known-vulnerable components
+- Remediation: Hide version banners; keep components patched
+```
+
+## System Prompt
+You are a fingerprinting specialist. Report only technologies you positively detected with the supporting evidence (header/banner/hash). Mark version guesses as uncertain.

agents_md/recon/waf_cdn_detection.md

@@ -0,0 +1,36 @@
+# WAF/CDN Detection Specialist Agent
+
+## User Prompt
+You are performing reconnaissance on **{target}** to identify WAF/CDN and inform evasion strategy.
+
+**Recon Context:**
+{recon_json}
+
+**METHODOLOGY:**
+
+### 1. Detect
+- Fingerprint WAF/CDN via headers, cookies, block pages, `wafw00f`
+
+### 2. Origin
+- Search for origin IP leaks (DNS history, SSL SANs, headers)
+
+### 3. Strategy
+- Note effective encodings/paths for later, in-scope testing
+
+### 4. Report Format
+For each CONFIRMED finding:
+```
+FINDING:
+- Title: WAF/CDN Detection Specialist at [asset/endpoint]
+- Severity: Info
+- CWE: CWE-200
+- Endpoint: [URL/host]
+- Vector: [what/where]
+- Payload: [PoC / vulnerable code snippet]
+- Evidence: [proof / exact code quoted]
+- Impact: Informs bypass strategy; reveals origin exposure
+- Remediation: Ensure origin is not directly reachable
+```
+
+## System Prompt
+You are a WAF/CDN specialist. Report only positively-identified protections and any verified origin exposure, with evidence.