v3.3.0 GUI dashboard + reports + model expansion + root fix

Engine:
- Fix: inject IS_SANDBOX=1 so Claude Code's --dangerously-skip-permissions
  works under root (real backend runs were exiting rc=1 immediately)
- models: expand to 40 models / 13 providers, tagged CLI vs API
  (NVIDIA NIM, DeepSeek, Mistral, Qwen/DashScope, Groq, Together, OpenRouter,
  Ollama, Gemini) — Qwen/DeepSeek/Llama usable via API
- backends: on_start callback surfaces the exact argv ("what runs behind it")
- orchestrator: require a Playwright screenshot per confirmed finding; collect
  results/activity.json; auto-generate reports after a run
- report.py: HTML always + PDF via Typst engine (.typ source emitted too)

Web dashboard (webgui/, stdlib only — no npm/build):
- Sidebar dashboard (PentAGI-style): Run / Agents / Insights / Reports / Settings
- Multi-target runs; live execution console + per-task activity; finding cards
  with screenshots; backend+provider+model pickers (CLI & API)
- Agents tab: browse 213 + add new .md agents from the UI
- Insights: interactive RL-weight + severity charts
- Reports: download/preview PDF + HTML
- Settings/API: execution mode, per-provider API keys, orchestrator, verbosity
- Endpoints: /api/agents (GET/POST), /api/rl, /api/config, /api/reports,
  /reports/* + /shots/* static serving

Cleanup: retire replaced web stack (frontend React, FastAPI backend, core
orchestration, old test) to legacy/. Active engine + GUI are fully standalone.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

.gitignore

@@ -87,3 +87,7 @@ data/rl_state.json
 neurosploit_gui_*.png
 neurosploit_demo_*.png
 logs/webgui.log
+
+# generated reports
+reports/report.*
+reports/*.pdf

README.md

@@ -114,18 +114,28 @@ data-driven builder, `scripts/build_agents.py`). It is picked up automatically.
 Outputs land in `results/<target>/findings.json` and `reports/`, and the RL
 state updates in `data/rl_state.json`.
 
-### Minimalist web GUI
+### Web dashboard
 
-A zero-dependency (Python stdlib only) web front-end exposes just the essential
-options — target URL, backend, model, collaborator, and the RL / Playwright-MCP
-toggles — and launches an engagement with a live progress console:
+A zero-dependency (Python stdlib only) dashboard — no npm, no build step:
 
 ```bash
 python3 webgui/server.py        # → http://127.0.0.1:8787
 ```
 
-No npm, no build step. It calls `neurosploit_agent` directly. (The previous heavy
-React app remains under `frontend/` but is no longer the primary interface.)
+Tabs:
+- **Run** — multi-target input, backend + provider + model pickers (40 models
+  across CLI and API providers), verbosity, RL/MCP toggles, a live execution
+  console (shows the exact backend command and per-task activity), and findings
+  with screenshots.
+- **Agents** — browse all 213 agents and **add new `.md` agents** from the UI;
+  the main orchestrator picks them up on the next run.
+- **Insights** — interactive chart of RL agent weights + findings by severity.
+- **Reports** — download/preview the **PDF + HTML** reports (Typst engine).
+- **Settings · API** — execution mode (CLI vs API), per-provider API keys,
+  orchestrator selection, default verbosity.
+
+It calls `neurosploit_agent` directly. The previous React app and FastAPI backend
+were retired to `legacy/` (`frontend_react/`, `backend_fastapi/`).
 
 ### Backends
 

legacy/README.md

@@ -11,6 +11,10 @@ Kept for reference and migration only — **not** used by the v3.3.0 engine.
 | `neurosploit_legacy.py` | The 2,500-line monolithic CLI/orchestrator (`NeuroSploitv2`) |
 | `agents_python/` | Hand-coded Python agent classes (web/exploitation/lateral/privesc/persistence/recon) |
 | `custom_agents/` | Example custom Python agent |
+| `core/` | Old orchestration support (llm_manager, sandbox, report_generator, …) |
+| `backend_fastapi/` | Old FastAPI backend — replaced by `webgui/server.py` (stdlib) |
+| `frontend_react/` | Old React/Vite dashboard — replaced by the minimalist `webgui/` |
+| `test_agent_run.py` | Test harness for the old Python agents |
 
 ## What replaced it