- DECISION_DOCTRINE injected into exploit/grey/chain prompts: analyse responses to
pick the technique; map & connect routes (endpoint output → next endpoint input);
hunt sensitive flows; mine parameters (incl. hidden from JS/source maps) and test
per-param; mock realistic (non-PII) data to reach deeper logic; exploit the
authenticated surface after login and compare roles; build PoCs when a proof
needs an artifact; bypass 401/403/redirect controls.
- REPL /auth now supports multiple named identities (/auth admin <hdr>, /auth user
<hdr>; bare token → Bearer). With >=2 roles the run gets the access-control
directive (IDOR/BOLA/BFLA/privesc, authorized-vs-unauthorized) and tests both.
- +6 decision agents (library 389): param_miner, endpoint_flow_linker,
authenticated_surface_exploit, clickjacking_poc (HTML PoC), csrf_poc (HTML PoC),
access_control_bypass.
- Docs: counts 383->389, RELEASE + /auth help updated.
- tool_doctrine: agents now actively DRIVE the browser on JS/SPA targets — use
the Playwright MCP (render, read live DOM, click client-side routes, watch the
network to find the real API, screenshot proof); when no MCP, use the Playwright
CLI (write+run a small script / npx playwright screenshot) to render and capture
XHR/fetch traffic — complementing curl (which only sees the empty shell).
- probe: detect SPAs (<app-root>, ng-version, near-empty body + linked scripts →
Angular/React/Vue/SPA) and note in recon that the browser is required, so the
SPA agents get selected.
- +8 SPA/API agents (library 383): spa_api_discovery, spa_hidden_admin,
login_sqli_bypass, dom_xss_spa, api_bola_numeric_ids,
register_privilege_mass_assign, jwt_forgery_spa, spa_business_logic.
- Docs: README/RELEASE/TUTORIAL counts + notes.