AEGIS
— release notes

Changelog.

Notable changes per release. Reverted versions are kept here for archaeology.

v0.10.0

2026-06-14 current
  • API ingest — OpenAPI, Postman, HAR
    aegis ingest openapi|postman|har parses spec or trace files and writes Endpoint observations into the engagement DB. paths.txt and params.txt drop under artifacts/ingest/ for kiterunner / arjun / ffuf seeding. HAR import dedups by (method, normalised URL, sorted param names) so 50 hits on the same form don't pollute the DB. Out-of-scope hosts in the spec are flagged but not persisted.
  • GraphQL schema walk + rate-limit probe
    graphql_audit now harvests Query type fields alongside mutations, probes each one unauthenticated, and flags sensitive names (user, admin, token, secret, role…) as high-severity findings. A 30-request burst against __typename detects missing rate limits at the GraphQL layer — the most common gap in modern stacks that enforce HTTP rate limits but never wire one at the operation layer.
  • Tag-based attack chain library, 22 rules
    Detection moved off substring matching onto a tag predicate model. Findings carry a tags list; chain rules match on tag sets. Library expanded from 5 → 22: mass assignment + admin, SSRF + IMDSv1, open bucket + Lambda, request smuggling + auth header, cache poisoning + auth cookie, prototype pollution + RCE sink, JWT alg-confusion + privileged, exposed .git, open registration + IDOR, race condition + auth bypass, plus five AD chains. Substring fallback still fires for pre-0.9.5 DBs.
  • Active Directory + Cloud + k8s
    19 catalog rows added (azurehound, roadtools, scoutsuite, gcp-iam-collector, gcp-scanner, pmapper, cloudsplaining, iamspy, impacket, kerbrute, bloodhound-python, ldapdomaindump, crackmapexec, certipy, kubectl-who-can, kube-bench, kube-hunter, kdigger). Nine new MCP tools in tools_cloud_ad.py: kerbrute_userenum, impacket_get_userspns, impacket_get_npusers, bloodhound_collect, certipy_find, scoutsuite_scan, cloudsplaining_scan, kube_bench_run, kube_hunter_scan. kerbrute + crackmapexec ship with destructive=True. 162 registered tools total.
  • AD attack chains
    Kerberoasting → service account compromise (high). AS-REP roasting → pre-auth-disabled user (high). DCSync → full domain compromise (critical). AdminSDHolder ACL backdoor (critical). Unconstrained delegation → silver/golden ticket (critical). 11 new ad_* tag constants drive the predicate matching.
  • Resume-from-phase
    EngagementState persists to <engagement_dir>/state.json after every phase advance. Re-running aegis run against the same directory resumes at the saved phase with the full prior state primed — tech stack, open ports, subdomains, endpoints, token spend, finalize_mode. Atomic write via tmp + os.replace: a crash mid-write leaves the previous snapshot intact.
  • SARIF, HackerOne, Bugcrowd exports
    --format sarif emits SARIF 2.1.0 for GitHub Code Scanning and GitLab Security. One rule per category, severity → result.level, partialFingerprints[evidence/v1] so re-runs dedupe across scans. --format h1 writes one HackerOne JSON per finding under reports/h1/ with markdown body sections (Summary / Affected Asset / Steps to Reproduce / Suggested Fix / References). --format bugcrowd produces a VRT-mapped JSON bundle with P1–P5 priority.
  • PII redaction
    aegis.report.redact sweeps reports for emails, JWTs, AWS keys, GitHub PATs, Slack tokens, US SSNs, credit-card-shaped numbers, and phone numbers. IP redaction is opt-in. An optional NANO-tier LLM second pass catches contextual PII that the regexes miss. The audit log records counts only, never content. Scope metadata (engagement_id, client) is intentionally preserved.
  • Multi-platform finding webhooks
    aegis.report.webhook supports Slack (Block Kit), Discord (severity-coloured embeds), Linear (issue title/description/priority/labels), and a stable JSON schema for n8n / Zapier. Severity threshold gate skips low-priority noise. Network errors swallowed — a flaky channel never crashes aegis watch. New --webhook-format and --webhook-min-severity flags.
  • aegis stats
    New subcommand walks every aegis.db under a root and reports findings, tokens, USD spent, tool failure rate, and per-phase cost. --json for machine output. Default layout discovers both flat <root>/aegis.db and nested <root>/<id>/aegis.db.
  • SQLite-backed shell history
    aegis shells --all queries a cross-engagement SQLite history at ~/.config/aegis/shells.db with optional --tool and --engagement filters. JSON snapshot of the last scan still ships unchanged. SQLite write errors swallowed so a corrupted history can't crash a scan.
  • Ctrl-P command palette
    Modal fuzzy launcher in the TUI over slash commands and the most-used MCP tool names. Up/Down/Enter/Esc. Slash commands needing an arg pre-fill the input bar; MCP tool names hand off as guidance for the agent.
  • Test suite 74 → 281
    Resume serialisation round-trip + atomic-write guarantees. SARIF/H1/Bugcrowd shape contracts. Webhook platform formatters + threshold + network failure modes. SQLite shell history schema + filters + resilience. AD chain rules + Cloud/AD wrapper degradation + parser correctness. 281/281 green.
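
The redaction sweep described under "PII redaction" above, as an added example that is not AEGIS's own code: an ordered regex pass over a report that returns the redacted text plus a counts-only audit record. The patterns, the placeholder format, the function names and the sample report are assumptions constructed here, and only a subset of the listed categories is covered.

```python
import re
from collections import Counter

# Assumed patterns, most specific first so a token is not half-eaten by a looser rule.
PATTERNS = [
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")),
    ("aws_key", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("slack_token", re.compile(r"\bxox[abprs]-[A-Za-z0-9-]{10,}")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("card", re.compile(r"\b\d(?:[ -]?\d){12,18}\b")),  # card-shaped, no Luhn check
]
IP_PATTERN = ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"))  # opt-in only


def redact(text, redact_ips=False):
    """Return (redacted_text, counts); counts maps category -> number of hits."""
    counts = Counter()
    patterns = PATTERNS + ([IP_PATTERN] if redact_ips else [])
    for kind, rx in patterns:
        text, hits = rx.subn(f"[REDACTED:{kind}]", text)
        if hits:
            counts[kind] += hits
    return text, dict(counts)


def audit_record(counts, engagement_id):
    """Audit entry holding counts only; the matched strings never reach the log."""
    return {"engagement_id": engagement_id, "redacted": counts,
            "total": sum(counts.values())}


# Constructed sample report; every value below is a documentation placeholder.
SAMPLE = (
    "engagement_id: ENG-0001 client: ExampleCorp\n"
    "Leaked in /debug: admin@example.com, key AKIAIOSFODNN7EXAMPLE\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl\n"
    "Card on file 4111 1111 1111 1111, SSN 078-05-1120, host 10.0.0.5\n"
)

if __name__ == "__main__":
    clean, counts = redact(SAMPLE)
    print(clean)
    print(audit_record(counts, "ENG-0001"))
```

Regex order matters here: a looser pattern placed ahead of a specific one can consume part of a token and leave the remainder in the report.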

v0.9.5

2026-06-13
  • Typed orchestrator control flow
    New PhaseControl enum replaces the magic strings ("ok", "done", "advance", "jump", "abort") that signalled phase transitions in EngagementRunner. Every callsite migrated; backend errors that were silently swallowed now propagate explicitly. crashed:True is stamped on the summary when an unhandled exception escapes the phase loop.
  • Destructive-tool gating
    sqlmap, commix, wpscan, nosqlmap, sstimap, smuggler now require operator approval before they run unless scope.yaml sets destructive_tests:true. New CONFIRM_REQUIRED event flows to the TUI; operator types /allow <id> or /deny <id>. Default-deny on a 120s timeout. confirm_before list lets engagements gate extra tools per-client.
  • Alembic migrations
    Per-engagement SQLite DBs are now schema-managed. New baseline + add_finding_tags migrations. FindingsDB._ensure_schema handles three startup paths cleanly: brand-new, pre-alembic legacy, and already-managed. Adds Finding.tags column so the upcoming attack-chain rewrite can predicate on structured tags instead of substring matches.
  • CISA KEV + FIRST EPSS feeds
    aegis kb sync --kev pulls the CISA Known Exploited Vulnerabilities catalogue and flags every match in the KB. aegis kb sync --epss attaches the daily Exploit Prediction Scoring System probability + percentile. Reports can now badge CVE findings with [KEV] and EPSS 0.97 so operators triage in seconds.
  • MCP server _ctx extraction
    Shared lazy state accessors, hallucination guard, NANO summariser, rate limiter, and phase-instruction renderer moved out of the 8552-line server.py into _ctx.py (440 lines). Capability-module split (tools_recon, tools_vuln, etc.) prepared but deferred; snapshot regression test locks the 153-tool registration surface against future loss.
  • Hot-path test coverage
    34 new tests across orchestrator/loop.py, llm/factory.py, mcp_server/server.py, and the new gating + KEV/EPSS modules. Total suite up from 74 to 123. Caught a NameError waiting to happen — Path was used but never imported in factory.py.
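
The approval flow described under "Destructive-tool gating" above, as an added example that is not AEGIS's own code: a gate that emits CONFIRM_REQUIRED, waits for /allow <id> or /deny <id>, and denies on timeout. The ConfirmGate class, its method names, the event dictionary shape and the precedence of confirm_before over destructive_tests are assumptions made here.

```python
import itertools
import threading

# Tools the release note lists as gated by default.
DESTRUCTIVE = {"sqlmap", "commix", "wpscan", "nosqlmap", "sstimap", "smuggler"}


class ConfirmGate:
    """Hypothetical gate: blocks a tool until /allow <id>, else denies on timeout."""

    def __init__(self, scope, timeout=120.0, emit=print):
        self.scope, self.timeout, self.emit = scope, timeout, emit
        self._pending = {}               # request id -> {"event", "allowed"}
        self._ids = itertools.count(1)
        self._lock = threading.Lock()

    def needs_confirm(self, tool):
        # Assumption: confirm_before always gates, even with destructive_tests set.
        if tool in self.scope.get("confirm_before", []):
            return True
        return tool in DESTRUCTIVE and not self.scope.get("destructive_tests", False)

    def authorize(self, tool):
        if not self.needs_confirm(tool):
            return True
        slot = {"event": threading.Event(), "allowed": False}
        with self._lock:
            req_id = next(self._ids)
            self._pending[req_id] = slot
        self.emit({"type": "CONFIRM_REQUIRED", "id": req_id, "tool": tool})
        answered = slot["event"].wait(self.timeout)
        with self._lock:
            self._pending.pop(req_id, None)   # a late /allow finds nothing to approve
        # Default-deny: a timeout counts as a refusal, whatever arrives afterwards.
        return answered and slot["allowed"]

    def answer(self, command):
        """Handle '/allow <id>' or '/deny <id>'; returns False if nothing matched."""
        verb, _, raw = command.strip().partition(" ")
        if verb not in ("/allow", "/deny") or not raw.strip().isdigit():
            return False
        with self._lock:
            slot = self._pending.get(int(raw.strip()))
        if slot is None:
            return False
        slot["allowed"] = verb == "/allow"
        slot["event"].set()
        return True
```

The return value depends on whether the wait was answered in time, so an approval that races the timeout cannot flip a denial into a run.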

v0.9.4

2026-06-12
  • React/Ink TUI
    Full rewrite of the scan UI in TypeScript + React + Ink. Tool cards with streaming output, agent reasoning pane, slash commands. Owns the terminal cleanly — no Rich.Live / Textual contention.
  • Ctrl+O outputs toggle
    Tool cards default to a tight one-line summary. Press Ctrl+O (or Tab) to expand every card with framed output. Press again to collapse.
  • MCP-mode tool cards
    Tools run by Claude Code through MCP now render as proper cards. Synthesised from LLM_DECISION + TOOL_DONE events, with tool result lines surfaced.
  • /stop, /quit, Ctrl+C actually work
    /quit and Ctrl+C exit immediately. /stop injects a hard wrap-up note. /focus, /hunt, /pause, /resume all wire through.
  • Cleaner agent pane
    Three distinct sections: shimmer status line, latest agent note in italic, history of prior notes. No more duplicated LLM_THINKING heartbeats.
  • Shimmer text effect
    Status verbs (Thinking…, Running…, Hunting…) get a 3-character bright wave sliding across them. Color matches verb semantics.

v0.9.3

2026-06-11 reverted
  • Textual TUI redesign
    Activity feed + thinking pane in Textual. Tokenized commands, distinct finding glyphs. Reverted in favor of React/Ink.

v0.9.2

2026-06-11 reverted
  • Textual TUI baseline
    First Textual scan UI with shells panel and hunt mode. Hit unfixable terminal contention issues; replaced.

v0.9.1

2026-06-11
  • Docker relay mode
    aegis env use docker relays all tool calls through the container so users without local tools can still run engagements.
  • Shells panel
    Live view of every running tool execution with status, runtime, and output preview.
  • Claude Code in Docker
    Built-in claude CLI in the Docker image so the React/Ink TUI inside the container can also use Claude Code as its backend.
  • Model updates
    Haiku 4.5, Sonnet 4.6, Opus 4.7 — the freshest releases.

v0.9.0

2026-06-10
  • Docker image
    Self-contained image with all 80+ tools preinstalled. aegis docker build / run / shell.
  • Universal install script
    aegis env install --missing walks the catalog and installs everything via pacman, yay, go install, pipx, or npm as appropriate.
  • aegis docker CLI
    Subcommands to build, pull, run, and inspect the Docker image.

v0.3.0

2026-05
  • MCP-native orchestrator
    36 MCP tools across 7 PTES phases. Claude calls them via real MCP protocol — no JSON-in-prose parsing.
  • 33 verification probes
    Timing oracle, CSRF, SSTI, prototype pollution, race condition, header injection, OAuth flow, and more.
  • Adaptive escalation
    Findings in one phase queue follow-ups in the next. CVE in nuclei → nuclei-fuzz. Leaked secret → trufflehog deeper.
  • Mission memory system
    Cross-phase memory that survives session restarts. graphify_analyze, aegis_map.
Full commit history at github.com/glorybnat/aegis-pentest.