Hackbrowser — Integrated Browser Security Testing
- Autonomous browser-based vulnerability scanner with Playwright integration
- Multi-credential support with manual-login and automated modes
- Live telemetry panel injected into target pages
- Intelligence Layer: priority scoring, journey awareness, out-of-scope filtering
- TUI integration: launch dialog, sidebar status, LLM cost tracking
- /hackbrowser slash command for quick launch
- Headless mode support
- Stop mechanism (/hackbrowser-stop)
- Hackbrowser subprocess isolation from main binary
Performance Improvements
- Agent initialization: 4.3s → ~500ms (lightweight directory scan with Skill.dirsOnly())
- First message response: 19.9s → <1s (lazy skill loading in SkillTool)
- Log file growth: 11GB/3min → <100MB (permission evaluate at DEBUG level + filtered invalid rules)
- Startup warnings: 15,214 duplicate skill warnings silenced (moved to DEBUG)
- Skill permission checks: Eliminated repeated permission checks and index rebuilds
Agent Prompt Improvements
- Reworked agent prompts for web-application, cloud-security, internal-network, and mobile-application testers
- Statically injected WSTG skills into vulnerability tester agents
- Orchestrator web-proxy-agent prompt improvements
Ingest & Normalization Pipeline
- 4-tier URL path normalization pipeline
- Ingest queue with pause/resume support (/qpause, /qresume)
- Strict ingest isolation (Katman 3 hardening)
- Ingest context management with excludeHistory and IngestSummary
Bug Fixes
- Fixed undefined permission rule errors causing TypeError
- Fixed TypeScript agent type mismatch in SkillTool execute context
- Fixed Prettier breaking skill signatures (added .cyberstrike/skill/** to .prettierignore)
- Fixed massive log spam in permission evaluate
- Fixed Playwright external build + npm dependency issues
- Fixed hackbrowser dialog launch bug