v4.4.18

@xalgord xalgord released this 26 May 20:24
· 97 commits to main since this release

v4.4.18 — Block out-of-scope tool calls and self-listener scans

Two scope-related agent bugs reported in the field are fixed.

Fixed

  • Agent reported findings on third-party hosts. When scanning pentest-ground.com, the agent could pivot to an unrelated public host it discovered via recon (e.g. 159.223.74.62:9999 Grafana), fire payloads at it, and file a report_vulnerability against it. The existing in-scope guard only ran in passive mode; in active mode the agent was free to probe anything. There is now an unconditional in-scope guard that rejects any tool call whose host arguments are not a configured target or subdomain. Applies to terminal_execute, python_action, browser_action, page_agent, pageagent, and report_vulnerability.

  • Self-listener loophole. When XALGORIX_BIND=0.0.0.0 and the operator typed the public/LAN IP back in as a target, the dashboard's own listener could be probed because isBlockedTarget only looked at loopback + RFC 1918 ranges. The check now also rejects any target whose port matches the running listener's port AND whose host matches the bind address, an unspecified address, or any local interface IP.

Behavior

  • Hostless commands (grep 'password' notes.json, jq '.vulns[]' scan.json, etc.) still pass through.
  • Subdomain match is separator-aware, so evilpentest-ground.com is NOT in scope of pentest-ground.com.
  • The system prompt now opens with a TARGET SCOPE — HARD RULE section so the LLM knows the runtime will reject out-of-scope probes; the agent should re-target to the configured host instead of looping.
  • The gate is a no-op when activityHosts is empty (CLI mode without targets piped in keeps working).
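The two checks described above, as an added Go sketch that is not the project's own code: a separator-aware scope match and a self-listener test. The names hostInScope and isSelfListener, the listener port 8080 and the interface IP 192.0.2.10 are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// hostInScope reports whether host is a configured target or a subdomain of one.
// Hypothetical helper: an empty target list or an empty host passes, per the notes.
func hostInScope(host string, targets []string) bool {
	if len(targets) == 0 || host == "" {
		return true // gate is a no-op without targets; hostless commands pass
	}
	h := strings.ToLower(strings.TrimSuffix(host, "."))
	for _, t := range targets {
		t = strings.ToLower(strings.TrimSuffix(t, "."))
		// The "." prefix makes the suffix match separator-aware.
		if h == t || strings.HasSuffix(h, "."+t) {
			return true
		}
	}
	return false
}

// isSelfListener reports whether host:port addresses our own listener: the port
// must match AND the host must be the bind address, unspecified, or a local IP.
// localIPs is passed in (assumption) so the check is deterministic to test.
func isSelfListener(host string, port int, bindAddr string, listenPort int, localIPs []net.IP) bool {
	ip := net.ParseIP(host)
	if port != listenPort || ip == nil {
		return false // hostnames are not resolved in this sketch
	}
	if ip.IsUnspecified() || ip.Equal(net.ParseIP(bindAddr)) {
		return true
	}
	for _, l := range localIPs {
		if ip.Equal(l) {
			return true
		}
	}
	return false
}

func main() {
	local := []net.IP{net.ParseIP("192.0.2.10")} // constructed interface IP
	fmt.Println(hostInScope("evilpentest-ground.com", []string{"pentest-ground.com"}))
	fmt.Println(isSelfListener("192.0.2.10", 8080, "0.0.0.0", 8080, local))
}
```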

Verification

  • go vet ./... clean
  • go build ./... clean
  • go test ./... -count=1 — all 26 packages pass
  • go test -race on agent/web — no races
  • 17 new scope test cases added at internal/agent/agent_scope_test.go

Changes

  • b3cbac3 feat(scope): block out-of-scope tool calls and self-listener scans
  • 01ecff4 release: v4.4.18