diff --git a/backend/app/api/v1/endpoints/agent_tasks.py b/backend/app/api/v1/endpoints/agent_tasks.py
index 799760f..fb76ebe 100644
--- a/backend/app/api/v1/endpoints/agent_tasks.py
+++ b/backend/app/api/v1/endpoints/agent_tasks.py
@@ -597,11 +597,50 @@ async def _initialize_tools(
     }
     
     # Verification 工具
+    # 🔥 导入沙箱工具
+    from app.services.agent.tools import (
+        SandboxTool, SandboxHttpTool, VulnerabilityVerifyTool, SandboxManager,
+        # 多语言代码测试工具
+        PhpTestTool, PythonTestTool, JavaScriptTestTool, JavaTestTool,
+        GoTestTool, RubyTestTool, ShellTestTool, UniversalCodeTestTool,
+        # 漏洞验证专用工具
+        CommandInjectionTestTool, SqlInjectionTestTool, XssTestTool,
+        PathTraversalTestTool, SstiTestTool, DeserializationTestTool,
+        UniversalVulnTestTool,
+    )
+
+    # 🔥 初始化沙箱管理器
+    sandbox_manager = SandboxManager()
+    await sandbox_manager.initialize()
+    logger.info(f"✅ Sandbox initialized (available: {sandbox_manager.is_available})")
+
     verification_tools = {
         **base_tools,
-        # 强制使用沙箱工具，移除 LLM 模拟验证工具
-        # "vulnerability_validation": VulnerabilityValidationTool(llm_service),
-        # "dataflow_analysis": DataFlowAnalysisTool(llm_service),
+        # 🔥 沙箱验证工具
+        "sandbox_exec": SandboxTool(sandbox_manager),
+        "sandbox_http": SandboxHttpTool(sandbox_manager),
+        "verify_vulnerability": VulnerabilityVerifyTool(sandbox_manager),
+
+        # 🔥 多语言代码测试工具
+        "php_test": PhpTestTool(sandbox_manager, project_root),
+        "python_test": PythonTestTool(sandbox_manager, project_root),
+        "javascript_test": JavaScriptTestTool(sandbox_manager, project_root),
+        "java_test": JavaTestTool(sandbox_manager, project_root),
+        "go_test": GoTestTool(sandbox_manager, project_root),
+        "ruby_test": RubyTestTool(sandbox_manager, project_root),
+        "shell_test": ShellTestTool(sandbox_manager, project_root),
+        "universal_code_test": UniversalCodeTestTool(sandbox_manager, project_root),
+
+        # 🔥 漏洞验证专用工具
+        "test_command_injection": CommandInjectionTestTool(sandbox_manager, project_root),
+        "test_sql_injection": SqlInjectionTestTool(sandbox_manager, project_root),
+        "test_xss": XssTestTool(sandbox_manager, project_root),
+        "test_path_traversal": PathTraversalTestTool(sandbox_manager, project_root),
+        "test_ssti": SstiTestTool(sandbox_manager, project_root),
+        "test_deserialization": DeserializationTestTool(sandbox_manager, project_root),
+        "universal_vuln_test": UniversalVulnTestTool(sandbox_manager, project_root),
+
+        # 报告工具
         "create_vulnerability_report": CreateVulnerabilityReportTool(),
     }
     
diff --git a/backend/app/services/agent/agents/analysis.py b/backend/app/services/agent/agents/analysis.py
index 1d18d71..e222a60 100644
--- a/backend/app/services/agent/agents/analysis.py
+++ b/backend/app/services/agent/agents/analysis.py
@@ -190,19 +190,15 @@ class AnalysisAgent(BaseAgent):
 
     
     def _parse_llm_response(self, response: str) -> AnalysisStep:
-        """解析 LLM 响应"""
+        """解析 LLM 响应 - 增强版，更健壮地提取思考内容"""
         step = AnalysisStep(thought="")
-        
-        # 提取 Thought
+
+        # 🔥 首先尝试提取明确的 Thought 标记
         thought_match = re.search(r'Thought:\s*(.*?)(?=Action:|Final Answer:|$)', response, re.DOTALL)
         if thought_match:
             step.thought = thought_match.group(1).strip()
-        elif not re.search(r'Action:|Final Answer:', response):
-             # 🔥 Fallback: If no markers found, treat the whole response as Thought
-             if response.strip():
-                 step.thought = response.strip()
-        
-        # 检查是否是最终答案
+
+        # 🔥 检查是否是最终答案
         final_match = re.search(r'Final Answer:\s*(.*?)$', response, re.DOTALL)
         if final_match:
             step.is_final = True
@@ -211,23 +207,40 @@ class AnalysisAgent(BaseAgent):
             answer_text = re.sub(r'```\s*', '', answer_text)
             # 使用增强的 JSON 解析器
             step.final_answer = AgentJsonParser.parse(
-                answer_text, 
+                answer_text,
                 default={"findings": [], "raw_answer": answer_text}
             )
             # 确保 findings 格式正确
             if "findings" in step.final_answer:
                 step.final_answer["findings"] = [
-                    f for f in step.final_answer["findings"] 
+                    f for f in step.final_answer["findings"]
                     if isinstance(f, dict)
                 ]
+
+            # 🔥 如果没有提取到 thought，使用 Final Answer 前的内容作为思考
+            if not step.thought:
+                before_final = response[:response.find('Final Answer:')].strip()
+                if before_final:
+                    before_final = re.sub(r'^Thought:\s*', '', before_final)
+                    step.thought = before_final[:500] if len(before_final) > 500 else before_final
+
             return step
-        
-        # 提取 Action
+
+        # 🔥 提取 Action
         action_match = re.search(r'Action:\s*(\w+)', response)
         if action_match:
             step.action = action_match.group(1).strip()
-        
-        # 提取 Action Input
+
+            # 🔥 如果没有提取到 thought，提取 Action 之前的内容作为思考
+            if not step.thought:
+                action_pos = response.find('Action:')
+                if action_pos > 0:
+                    before_action = response[:action_pos].strip()
+                    before_action = re.sub(r'^Thought:\s*', '', before_action)
+                    if before_action:
+                        step.thought = before_action[:500] if len(before_action) > 500 else before_action
+
+        # 🔥 提取 Action Input
         input_match = re.search(r'Action Input:\s*(.*?)(?=Thought:|Action:|Observation:|$)', response, re.DOTALL)
         if input_match:
             input_text = input_match.group(1).strip()
@@ -238,7 +251,12 @@ class AnalysisAgent(BaseAgent):
                 input_text,
                 default={"raw_input": input_text}
             )
-        
+
+        # 🔥 最后的 fallback：如果整个响应没有任何标记，整体作为思考
+        if not step.thought and not step.action and not step.is_final:
+            if response.strip():
+                step.thought = response.strip()[:500]
+
         return step
     
 
@@ -304,9 +322,12 @@ class AnalysisAgent(BaseAgent):
 """
         
         initial_message += f"""{handoff_context if handoff_context else f'''## 上下文信息
-### 高风险区域
+### ⚠️ 高风险区域（来自 Recon Agent，必须优先分析）
+以下是 Recon Agent 识别的高风险区域，请**务必优先**读取和分析这些文件：
 {json.dumps(high_risk_areas[:20], ensure_ascii=False)}
 
+**重要**: 请使用 read_file 工具读取上述高风险文件，不要假设文件路径或使用其他路径。
+
 ### 入口点 (前10个)
 {json.dumps(entry_points[:10], ensure_ascii=False, indent=2)}
 
@@ -316,13 +337,20 @@ class AnalysisAgent(BaseAgent):
 ## 任务
 {task_context or task or '进行全面的安全漏洞分析，发现代码中的安全问题。'}
 
+## ⚠️ 分析策略要求
+1. **首先**：使用 read_file 读取上面列出的高风险文件
+2. **然后**：分析这些文件中的安全问题
+3. **最后**：如果需要，使用 smart_scan 或其他工具扩展分析
+
+**禁止**：不要跳过高风险区域直接做全局扫描
+
 ## 目标漏洞类型
 {config.get('target_vulnerabilities', ['all'])}
 
 ## 可用工具
 {self.get_tools_description()}
 
-请开始你的安全分析。首先思考分析策略，然后选择合适的工具开始分析。"""
+请开始你的安全分析。首先读取高风险区域的文件，然后分析其中的安全问题。"""
         
         # 🔥 记录工作开始
         self.record_work("开始安全漏洞分析")
diff --git a/backend/app/services/agent/agents/base.py b/backend/app/services/agent/agents/base.py
index c3cbf51..9f7c7be 100644
--- a/backend/app/services/agent/agents/base.py
+++ b/backend/app/services/agent/agents/base.py
@@ -16,6 +16,7 @@ from dataclasses import dataclass, field
 from enum import Enum
 from datetime import datetime, timezone
 import asyncio
+import json
 import logging
 import uuid
 
@@ -1036,26 +1037,49 @@ class BaseAgent(ABC):
             
             if result.success:
                 output = str(result.data)
-                
+
                 # 包含 metadata 中的额外信息
                 if result.metadata:
                     if "issues" in result.metadata:
-                        import json
                         output += f"\n\n发现的问题:\n{json.dumps(result.metadata['issues'], ensure_ascii=False, indent=2)}"
                     if "findings" in result.metadata:
-                        import json
                         output += f"\n\n发现:\n{json.dumps(result.metadata['findings'][:10], ensure_ascii=False, indent=2)}"
-                
+
                 # 截断过长输出
                 if len(output) > 6000:
                     output = output[:6000] + f"\n\n... [输出已截断，共 {len(str(result.data))} 字符]"
                 return output
             else:
-                return f"工具执行失败: {result.error}"
-                
+                # 🔥 输出详细的错误信息，包括原始错误
+                error_msg = f"""⚠️ 工具执行失败
+
+**工具**: {tool_name}
+**参数**: {json.dumps(tool_input, ensure_ascii=False, indent=2) if tool_input else '无'}
+**错误**: {result.error}
+
+请根据错误信息调整参数或尝试其他方法。"""
+                return error_msg
+
         except Exception as e:
+            import traceback
             logger.error(f"Tool execution error: {e}")
-            return f"工具执行错误: {str(e)}"
+            # 🔥 输出完整的原始错误信息，包括堆栈跟踪
+            error_msg = f"""❌ 工具执行异常
+
+**工具**: {tool_name}
+**参数**: {json.dumps(tool_input, ensure_ascii=False, indent=2) if tool_input else '无'}
+**错误类型**: {type(e).__name__}
+**错误信息**: {str(e)}
+**堆栈跟踪**:
+```
+{traceback.format_exc()}
+```
+
+请分析错误原因，可能需要：
+1. 检查参数格式是否正确
+2. 尝试使用其他工具
+3. 如果是权限或资源问题，跳过该操作"""
+            return error_msg
     
     def get_tools_description(self) -> str:
         """生成工具描述文本（用于 prompt）"""
diff --git a/backend/app/services/agent/agents/orchestrator.py b/backend/app/services/agent/agents/orchestrator.py
index f43f503..24d6df0 100644
--- a/backend/app/services/agent/agents/orchestrator.py
+++ b/backend/app/services/agent/agents/orchestrator.py
@@ -159,6 +159,9 @@ class OrchestratorAgent(BaseAgent):
         
         # 🔥 跟踪已调度的 Agent 任务，避免重复调度
         self._dispatched_tasks: Dict[str, int] = {}  # agent_name -> dispatch_count
+
+        # 🔥 保存各个 Agent 的完整结果，用于传递给后续 Agent
+        self._agent_results: Dict[str, Dict[str, Any]] = {}  # agent_name -> full result data
     
     def register_sub_agent(self, name: str, agent: BaseAgent):
         """注册子 Agent"""
@@ -216,6 +219,7 @@ class OrchestratorAgent(BaseAgent):
         
         self._steps = []
         self._all_findings = []
+        self._agent_results = {}  # 🔥 重置 Agent 结果缓存
         final_result = None
         error_message = None  # 🔥 跟踪错误信息
         
@@ -625,16 +629,23 @@ Action Input: {{"参数": "值"}}
             # 确保 project_info 包含 root 路径
             if "root" not in project_info:
                 project_info["root"] = self._runtime_context.get("project_root", ".")
-            
+
+            # 🔥 FIX: 构建完整的 previous_results，包含所有已执行 Agent 的结果
+            previous_results = {
+                "findings": self._all_findings,  # 传递已收集的发现
+            }
+
+            # 🔥 将之前 Agent 的完整结果传递给后续 Agent
+            for prev_agent, prev_data in self._agent_results.items():
+                previous_results[prev_agent] = {"data": prev_data}
+
             sub_input = {
                 "task": task,
                 "task_context": context,
                 "project_info": project_info,
                 "config": self._runtime_context.get("config", {}),
                 "project_root": self._runtime_context.get("project_root", "."),
-                "previous_results": {
-                    "findings": self._all_findings,  # 传递已收集的发现
-                },
+                "previous_results": previous_results,
             }
             
             # 🔥 执行子 Agent 前检查取消状态
@@ -647,11 +658,18 @@ Action Input: {{"参数": "值"}}
             # 🔥 执行后再次检查取消状态
             if self.is_cancelled:
                 return f"## {agent_name} Agent 执行中断\n\n任务已被用户取消"
-            
+
             # 🔥 处理子 Agent 结果 - 不同 Agent 返回不同的数据结构
+            # 🔥 DEBUG: 添加诊断日志
+            logger.info(f"[Orchestrator] Processing {agent_name} result: success={result.success}, data_type={type(result.data).__name__}, data_keys={list(result.data.keys()) if isinstance(result.data, dict) else 'N/A'}")
+
             if result.success and result.data:
                 data = result.data
 
+                # 🔥 FIX: 保存 Agent 的完整结果，供后续 Agent 使用
+                self._agent_results[agent_name] = data
+                logger.info(f"[Orchestrator] Saved {agent_name} result with keys: {list(data.keys())}")
+
                 # 🔥 CRITICAL FIX: 收集发现 - 支持多种字段名
                 # findings 字段通常来自 Analysis/Verification Agent
                 # initial_findings 来自 Recon Agent
@@ -662,21 +680,112 @@ Action Input: {{"参数": "值"}}
                 # 即使 findings 为空列表，也检查 initial_findings
                 if "initial_findings" in data:
                     initial = data.get("initial_findings", [])
-                    logger.info(f"[Orchestrator] {agent_name} has {len(initial)} initial_findings")
+                    logger.info(f"[Orchestrator] {agent_name} has {len(initial)} initial_findings, types: {[type(f).__name__ for f in initial[:3]]}")
                     for f in initial:
                         if isinstance(f, dict):
                             # 🔥 Normalize finding format - 处理 Recon 返回的格式
                             normalized = self._normalize_finding(f)
                             if normalized not in raw_findings:
                                 raw_findings.append(normalized)
-                        elif isinstance(f, str):
-                            # String finding from Recon - skip, it's just an observation
-                            logger.debug(f"[Orchestrator] Skipping string finding: {f[:50]}...")
+                                logger.info(f"[Orchestrator] Added dict finding from initial_findings")
+                        elif isinstance(f, str) and f.strip():
+                            # 🔥 FIX: Convert string finding to dict format instead of skipping
+                            # Recon Agent 有时候会返回字符串格式的发现
+                            # 尝试从字符串中提取文件路径（格式如 "app.py:36 - 描述"）
+                            file_path = ""
+                            line_start = 0
+                            if ":" in f:
+                                parts = f.split(":", 1)
+                                potential_file = parts[0].strip()
+                                # 检查是否像文件路径
+                                if "." in potential_file and "/" not in potential_file[:3]:
+                                    file_path = potential_file
+                                    # 尝试提取行号
+                                    if len(parts) > 1:
+                                        remaining = parts[1].strip()
+                                        line_match = remaining.split()[0] if remaining else ""
+                                        if line_match.isdigit():
+                                            line_start = int(line_match)
+
+                            string_finding = {
+                                "title": f[:100] if len(f) > 100 else f,
+                                "description": f,
+                                "file_path": file_path,
+                                "line_start": line_start,
+                                "severity": "medium",  # 默认中等严重度，Analysis 会重新评估
+                                "vulnerability_type": "potential_issue",
+                                "source": "recon",
+                                "needs_verification": True,
+                                "confidence": 0.5,  # 较低置信度，需要进一步分析
+                            }
+                            logger.info(f"[Orchestrator] Converted string finding to dict: {f[:80]}... (file={file_path}, line={line_start})")
+                            raw_findings.append(string_finding)
+                else:
+                    logger.info(f"[Orchestrator] {agent_name} has no 'initial_findings' key in data")
 
                 # 🔥 Also check high_risk_areas from Recon for potential findings
                 if agent_name == "recon" and "high_risk_areas" in data:
                     high_risk = data.get("high_risk_areas", [])
                     logger.info(f"[Orchestrator] {agent_name} identified {len(high_risk)} high risk areas")
+                    # 🔥 FIX: 将 high_risk_areas 也转换为发现
+                    for area in high_risk:
+                        if isinstance(area, str) and area.strip():
+                            # 尝试从描述中提取文件路径和漏洞类型
+                            file_path = ""
+                            line_start = 0
+                            vuln_type = "potential_issue"
+
+                            # 🔥 FIX: 改进文件路径提取逻辑
+                            # 格式1: "file.py:36 - 描述" -> 提取 file.py 和 36
+                            # 格式2: "描述性文本" -> 不提取文件路径
+                            if ":" in area:
+                                parts = area.split(":", 1)
+                                potential_file = parts[0].strip()
+                                # 只有当 parts[0] 看起来像文件路径时才提取
+                                # 文件路径通常包含 . 且没有空格（或只在结尾有扩展名）
+                                if ("." in potential_file and
+                                    " " not in potential_file and
+                                    len(potential_file) < 100 and
+                                    any(potential_file.endswith(ext) for ext in ['.py', '.js', '.ts', '.java', '.go', '.php', '.rb', '.c', '.cpp', '.h'])):
+                                    file_path = potential_file
+                                    # 尝试提取行号
+                                    if len(parts) > 1:
+                                        remaining = parts[1].strip()
+                                        line_match = remaining.split()[0] if remaining else ""
+                                        if line_match.isdigit():
+                                            line_start = int(line_match)
+
+                            # 推断漏洞类型
+                            area_lower = area.lower()
+                            if "command" in area_lower or "命令" in area_lower or "subprocess" in area_lower:
+                                vuln_type = "command_injection"
+                            elif "sql" in area_lower:
+                                vuln_type = "sql_injection"
+                            elif "xss" in area_lower:
+                                vuln_type = "xss"
+                            elif "path" in area_lower or "traversal" in area_lower or "路径" in area_lower:
+                                vuln_type = "path_traversal"
+                            elif "ssrf" in area_lower:
+                                vuln_type = "ssrf"
+                            elif "secret" in area_lower or "密钥" in area_lower or "key" in area_lower:
+                                vuln_type = "hardcoded_secret"
+
+                            high_risk_finding = {
+                                "title": area[:100] if len(area) > 100 else area,
+                                "description": area,
+                                "file_path": file_path,
+                                "line_start": line_start,
+                                "severity": "high",  # 高风险区域默认高严重度
+                                "vulnerability_type": vuln_type,
+                                "source": "recon_high_risk",
+                                "needs_verification": True,
+                                "confidence": 0.6,
+                            }
+                            raw_findings.append(high_risk_finding)
+                            logger.info(f"[Orchestrator] Converted high_risk_area to finding: {area[:60]}... (file={file_path}, type={vuln_type})")
+
+                # 🔥 初始化 valid_findings，确保后续代码可以访问
+                valid_findings = []
 
                 if raw_findings:
                     # 只添加字典格式的发现
diff --git a/backend/app/services/agent/agents/recon.py b/backend/app/services/agent/agents/recon.py
index 4a76889..72f1792 100644
--- a/backend/app/services/agent/agents/recon.py
+++ b/backend/app/services/agent/agents/recon.py
@@ -70,20 +70,15 @@ class ReconAgent(BaseAgent):
         self._steps: List[ReconStep] = []
     
     def _parse_llm_response(self, response: str) -> ReconStep:
-        """解析 LLM 响应"""
+        """解析 LLM 响应 - 增强版，更健壮地提取思考内容"""
         step = ReconStep(thought="")
-        
-        # 提取 Thought
+
+        # 🔥 首先尝试提取明确的 Thought 标记
         thought_match = re.search(r'Thought:\s*(.*?)(?=Action:|Final Answer:|$)', response, re.DOTALL)
         if thought_match:
             step.thought = thought_match.group(1).strip()
-        elif not re.search(r'Action:|Final Answer:', response):
-             # 🔥 Fallback: If no markers found, treat the whole response as Thought
-             # This prevents empty steps loops "Decision: Continue Thinking"
-             if response.strip():
-                 step.thought = response.strip()
-        
-        # 检查是否是最终答案
+
+        # 🔥 检查是否是最终答案
         final_match = re.search(r'Final Answer:\s*(.*?)$', response, re.DOTALL)
         if final_match:
             step.is_final = True
@@ -92,29 +87,45 @@ class ReconAgent(BaseAgent):
             answer_text = re.sub(r'```\s*', '', answer_text)
             # 使用增强的 JSON 解析器
             step.final_answer = AgentJsonParser.parse(
-                answer_text, 
+                answer_text,
                 default={"raw_answer": answer_text}
             )
             # 确保 findings 格式正确
             if "initial_findings" in step.final_answer:
                 step.final_answer["initial_findings"] = [
-                    f for f in step.final_answer["initial_findings"] 
+                    f for f in step.final_answer["initial_findings"]
                     if isinstance(f, dict)
                 ]
+
+            # 🔥 如果没有提取到 thought，使用 Final Answer 前的内容作为思考
+            if not step.thought:
+                before_final = response[:response.find('Final Answer:')].strip()
+                if before_final:
+                    # 移除可能的 Thought: 前缀
+                    before_final = re.sub(r'^Thought:\s*', '', before_final)
+                    step.thought = before_final[:500] if len(before_final) > 500 else before_final
+
             return step
-        
-        # 提取 Action
+
+        # 🔥 提取 Action
         action_match = re.search(r'Action:\s*(\w+)', response)
         if action_match:
             step.action = action_match.group(1).strip()
-        
-        # 提取 Action Input
+
+            # 🔥 如果没有提取到 thought，提取 Action 之前的内容作为思考
+            if not step.thought:
+                action_pos = response.find('Action:')
+                if action_pos > 0:
+                    before_action = response[:action_pos].strip()
+                    # 移除可能的 Thought: 前缀
+                    before_action = re.sub(r'^Thought:\s*', '', before_action)
+                    if before_action:
+                        step.thought = before_action[:500] if len(before_action) > 500 else before_action
+
+        # 🔥 提取 Action Input
         input_match = re.search(r'Action Input:\s*(.*?)(?=Thought:|Action:|Observation:|$)', response, re.DOTALL)
         if input_match:
             input_text = input_match.group(1).strip()
-    
-
-
             input_text = re.sub(r'```json\s*', '', input_text)
             input_text = re.sub(r'```\s*', '', input_text)
             # 使用增强的 JSON 解析器
@@ -122,7 +133,12 @@ class ReconAgent(BaseAgent):
                 input_text,
                 default={"raw_input": input_text}
             )
-        
+
+        # 🔥 最后的 fallback：如果整个响应没有任何标记，整体作为思考
+        if not step.thought and not step.action and not step.is_final:
+            if response.strip():
+                step.thought = response.strip()[:500]
+
         return step
     
 
diff --git a/backend/app/services/agent/agents/verification.py b/backend/app/services/agent/agents/verification.py
index a8d29c8..dff3595 100644
--- a/backend/app/services/agent/agents/verification.py
+++ b/backend/app/services/agent/agents/verification.py
@@ -44,13 +44,70 @@ VERIFICATION_SYSTEM_PROMPT = """你是 DeepAudit 的漏洞验证 Agent，一个*
 - **list_files**: 列出目录文件
   参数: directory (str), pattern (str)
 
-### 沙箱验证 (必须使用)
+### 沙箱核心工具
 - **sandbox_exec**: 在沙箱中执行命令
   参数: command (str), timeout (int)
 - **sandbox_http**: 发送 HTTP 请求测试
   参数: method (str), url (str), data (dict), headers (dict)
 - **verify_vulnerability**: 自动化漏洞验证
-  参数: vulnerability_type (str), target (str), payload (str)
+  参数: vulnerability_type (str), target_url (str), payload (str), expected_pattern (str)
+
+### 🔥 多语言代码测试工具 (按语言选择)
+- **php_test**: 测试 PHP 代码，支持模拟 GET/POST 参数
+  参数: file_path (str), php_code (str), get_params (dict), post_params (dict), timeout (int)
+  示例: {"file_path": "vuln.php", "get_params": {"cmd": "whoami"}}
+
+- **python_test**: 测试 Python 代码，支持模拟 Flask/Django 请求
+  参数: file_path (str), code (str), request_params (dict), form_data (dict), timeout (int)
+  示例: {"code": "import os; os.system(params['cmd'])", "request_params": {"cmd": "id"}}
+
+- **javascript_test**: 测试 JavaScript/Node.js 代码
+  参数: file_path (str), code (str), req_query (dict), req_body (dict), timeout (int)
+  示例: {"code": "exec(req.query.cmd)", "req_query": {"cmd": "id"}}
+
+- **java_test**: 测试 Java 代码，支持模拟 Servlet 请求
+  参数: file_path (str), code (str), request_params (dict), timeout (int)
+
+- **go_test**: 测试 Go 代码
+  参数: file_path (str), code (str), args (list), timeout (int)
+
+- **ruby_test**: 测试 Ruby 代码，支持模拟 Rails 请求
+  参数: file_path (str), code (str), params (dict), timeout (int)
+
+- **shell_test**: 测试 Shell/Bash 脚本
+  参数: file_path (str), code (str), args (list), env (dict), timeout (int)
+
+- **universal_code_test**: 通用多语言测试工具 (自动检测语言)
+  参数: language (str), file_path (str), code (str), params (dict), timeout (int)
+
+### 🔥 漏洞验证专用工具 (按漏洞类型选择，推荐使用)
+- **test_command_injection**: 专门测试命令注入漏洞
+  参数: target_file (str), param_name (str), test_command (str), language (str)
+  示例: {"target_file": "vuln.php", "param_name": "cmd", "test_command": "whoami"}
+
+- **test_sql_injection**: 专门测试 SQL 注入漏洞
+  参数: target_file (str), param_name (str), db_type (str), injection_type (str)
+  示例: {"target_file": "login.php", "param_name": "username", "db_type": "mysql"}
+
+- **test_xss**: 专门测试 XSS 漏洞
+  参数: target_file (str), param_name (str), xss_type (str), context (str)
+  示例: {"target_file": "search.php", "param_name": "q", "xss_type": "reflected"}
+
+- **test_path_traversal**: 专门测试路径遍历漏洞
+  参数: target_file (str), param_name (str), target_path (str)
+  示例: {"target_file": "download.php", "param_name": "file", "target_path": "/etc/passwd"}
+
+- **test_ssti**: 专门测试模板注入漏洞
+  参数: target_file (str), param_name (str), template_engine (str)
+  示例: {"target_file": "render.py", "param_name": "name", "template_engine": "jinja2"}
+
+- **test_deserialization**: 专门测试反序列化漏洞
+  参数: target_file (str), language (str), serialization_format (str)
+  示例: {"target_file": "api.php", "language": "php", "serialization_format": "php_serialize"}
+
+- **universal_vuln_test**: 通用漏洞测试工具 (自动选择测试策略)
+  参数: vuln_type (str), target_file (str), param_name (str), additional_params (dict)
+  支持: command_injection, sql_injection, xss, path_traversal, ssti, deserialization
 
 ## 工作方式
 你将收到一批待验证的漏洞发现。对于每个发现，你需要：
@@ -82,7 +139,7 @@ Final Answer: [JSON 格式的验证报告]
             "poc": {
                 "description": "PoC 描述",
                 "steps": ["步骤1", "步骤2"],
-                "payload": "测试 payload"
+                "payload": "curl 'http://target/vuln.php?cmd=id' 或完整利用代码"
             },
             "impact": "实际影响分析",
             "recommendation": "修复建议"
@@ -104,20 +161,56 @@ Final Answer: [JSON 格式的验证报告]
 - **false_positive**: 确认是误报，有明确理由
 
 ## 验证策略建议
+
+### 对于命令注入漏洞
+1. 使用 **test_command_injection** 工具，它会自动构建测试环境
+2. 或使用对应语言的测试工具 (php_test, python_test 等)
+3. 检查命令输出是否包含 uid=, root, www-data 等特征
+
+### 对于 SQL 注入漏洞
+1. 使用 **test_sql_injection** 工具
+2. 提供数据库类型 (mysql, postgresql, sqlite)
+3. 检查是否能执行 UNION 查询或提取数据
+
+### 对于 XSS 漏洞
+1. 使用 **test_xss** 工具
+2. 指定 XSS 类型 (reflected, stored, dom)
+3. 检查 payload 是否在输出中未转义
+
+### 对于路径遍历漏洞
+1. 使用 **test_path_traversal** 工具
+2. 尝试读取 /etc/passwd 或其他已知文件
+3. 检查是否能访问目标文件
+
+### 对于模板注入 (SSTI) 漏洞
+1. 使用 **test_ssti** 工具
+2. 指定模板引擎 (jinja2, twig, freemarker 等)
+3. 检查数学表达式是否被执行
+
+### 对于反序列化漏洞
+1. 使用 **test_deserialization** 工具
+2. 指定语言和序列化格式
+3. 检查是否能执行任意代码
+
+### 对于其他漏洞
 1. **上下文分析**: 用 read_file 获取更多代码上下文
-2. **数据流追踪**: 用 dataflow_analysis 确认污点传播
-3. **LLM 深度分析**: 用 vulnerability_validation 进行专业分析
-4. **沙箱测试**: 对高危漏洞用沙箱进行安全测试
+2. **通用测试**: 使用 universal_vuln_test 或 universal_code_test
+3. **沙箱测试**: 对高危漏洞用沙箱进行安全测试
 
 ## 重要原则
 1. **质量优先** - 宁可漏报也不要误报太多
 2. **深入理解** - 理解代码逻辑，不要表面判断
 3. **证据支撑** - 判定要有依据
 4. **安全第一** - 沙箱测试要谨慎
-5. **🔥 PoC 生成** - 对于 confirmed 和 likely 的漏洞，**必须**生成 PoC:
+5. **🔥 PoC 生成** - 对于 confirmed 和 likely 的漏洞，**必须**生成完整的 PoC:
    - poc.description: 简要描述这个 PoC 的作用
    - poc.steps: 详细的复现步骤列表
-   - poc.payload: 实际的攻击载荷或测试代码
+   - poc.payload: **完整的**利用代码或命令，例如:
+     - Web漏洞: 完整URL如 `http://target/path?param=<payload>`
+     - 命令注入: 完整的 curl 命令或 HTTP 请求
+     - SQL注入: 完整的利用语句或请求
+     - 代码执行: 可直接运行的利用脚本
+   - ⚠️ payload 字段必须是**可直接复制执行**的完整利用代码，不要只写参数值
 
 现在开始验证漏洞发现！"""
 
@@ -168,19 +261,15 @@ class VerificationAgent(BaseAgent):
 
     
     def _parse_llm_response(self, response: str) -> VerificationStep:
-        """解析 LLM 响应"""
+        """解析 LLM 响应 - 增强版，更健壮地提取思考内容"""
         step = VerificationStep(thought="")
-        
-        # 提取 Thought
+
+        # 🔥 首先尝试提取明确的 Thought 标记
         thought_match = re.search(r'Thought:\s*(.*?)(?=Action:|Final Answer:|$)', response, re.DOTALL)
         if thought_match:
             step.thought = thought_match.group(1).strip()
-        elif not re.search(r'Action:|Final Answer:', response):
-             # 🔥 Fallback: If no markers found, treat the whole response as Thought
-             if response.strip():
-                 step.thought = response.strip()
-        
-        # 检查是否是最终答案
+
+        # 🔥 检查是否是最终答案
         final_match = re.search(r'Final Answer:\s*(.*?)$', response, re.DOTALL)
         if final_match:
             step.is_final = True
@@ -189,23 +278,40 @@ class VerificationAgent(BaseAgent):
             answer_text = re.sub(r'```\s*', '', answer_text)
             # 使用增强的 JSON 解析器
             step.final_answer = AgentJsonParser.parse(
-                answer_text, 
+                answer_text,
                 default={"findings": [], "raw_answer": answer_text}
             )
             # 确保 findings 格式正确
             if "findings" in step.final_answer:
                 step.final_answer["findings"] = [
-                    f for f in step.final_answer["findings"] 
+                    f for f in step.final_answer["findings"]
                     if isinstance(f, dict)
                 ]
+
+            # 🔥 如果没有提取到 thought，使用 Final Answer 前的内容作为思考
+            if not step.thought:
+                before_final = response[:response.find('Final Answer:')].strip()
+                if before_final:
+                    before_final = re.sub(r'^Thought:\s*', '', before_final)
+                    step.thought = before_final[:500] if len(before_final) > 500 else before_final
+
             return step
-        
-        # 提取 Action
+
+        # 🔥 提取 Action
         action_match = re.search(r'Action:\s*(\w+)', response)
         if action_match:
             step.action = action_match.group(1).strip()
-        
-        # 提取 Action Input
+
+            # 🔥 如果没有提取到 thought，提取 Action 之前的内容作为思考
+            if not step.thought:
+                action_pos = response.find('Action:')
+                if action_pos > 0:
+                    before_action = response[:action_pos].strip()
+                    before_action = re.sub(r'^Thought:\s*', '', before_action)
+                    if before_action:
+                        step.thought = before_action[:500] if len(before_action) > 500 else before_action
+
+        # 🔥 提取 Action Input
         input_match = re.search(r'Action Input:\s*(.*?)(?=Thought:|Action:|Observation:|$)', response, re.DOTALL)
         if input_match:
             input_text = input_match.group(1).strip()
@@ -216,7 +322,12 @@ class VerificationAgent(BaseAgent):
                 input_text,
                 default={"raw_input": input_text}
             )
-        
+
+        # 🔥 最后的 fallback：如果整个响应没有任何标记，整体作为思考
+        if not step.thought and not step.action and not step.is_final:
+            if response.strip():
+                step.thought = response.strip()[:500]
+
         return step
     
     async def run(self, input_data: Dict[str, Any]) -> AgentResult:
@@ -297,7 +408,24 @@ class VerificationAgent(BaseAgent):
         
         # 去重
         findings_to_verify = self._deduplicate(findings_to_verify)
-        
+
+        # 🔥 FIX: 优先处理有明确文件路径的发现，将没有文件路径的发现放到后面
+        # 这确保 Analysis 的具体发现优先于 Recon 的泛化描述
+        def has_valid_file_path(finding: Dict) -> bool:
+            file_path = finding.get("file_path", "")
+            return bool(file_path and file_path.strip() and file_path.lower() not in ["unknown", "n/a", ""])
+
+        findings_with_path = [f for f in findings_to_verify if has_valid_file_path(f)]
+        findings_without_path = [f for f in findings_to_verify if not has_valid_file_path(f)]
+
+        # 合并：有路径的在前，没路径的在后
+        findings_to_verify = findings_with_path + findings_without_path
+
+        if findings_with_path:
+            logger.info(f"[Verification] 优先处理 {len(findings_with_path)} 个有明确文件路径的发现")
+        if findings_without_path:
+            logger.info(f"[Verification] 还有 {len(findings_without_path)} 个发现需要自行定位文件")
+
         if not findings_to_verify:
             logger.warning(f"[Verification] 没有需要验证的发现! previous_results keys: {list(previous_results.keys()) if isinstance(previous_results, dict) else 'not dict'}")
             await self.emit_event("warning", "没有需要验证的发现 - 可能是数据格式问题")
@@ -322,11 +450,25 @@ class VerificationAgent(BaseAgent):
         
         findings_summary = []
         for i, f in enumerate(findings_to_verify):
+            # 🔥 FIX: 正确处理 file_path 格式，可能包含行号 (如 "app.py:36")
+            file_path = f.get('file_path', 'unknown')
+            line_start = f.get('line_start', 0)
+
+            # 如果 file_path 已包含行号，提取出来
+            if isinstance(file_path, str) and ':' in file_path:
+                parts = file_path.split(':', 1)
+                if len(parts) == 2 and parts[1].split()[0].isdigit():
+                    file_path = parts[0]
+                    try:
+                        line_start = int(parts[1].split()[0])
+                    except ValueError:
+                        pass
+
             findings_summary.append(f"""
 ### 发现 {i+1}: {f.get('title', 'Unknown')}
 - 类型: {f.get('vulnerability_type', 'unknown')}
 - 严重度: {f.get('severity', 'medium')}
-- 文件: {f.get('file_path', 'unknown')}:{f.get('line_start', 0)}
+- 文件: {file_path} (行 {line_start})
 - 代码:
 ```
 {f.get('code_snippet', 'N/A')[:500]}
@@ -341,13 +483,22 @@ class VerificationAgent(BaseAgent):
 ## 待验证发现
 {''.join(findings_summary)}
 
+## ⚠️ 重要验证指南
+1. **直接使用上面列出的文件路径** - 不要猜测或搜索其他路径
+2. **如果文件路径包含冒号和行号** (如 "app.py:36"), 请提取文件名 "app.py" 并使用 read_file 读取
+3. **先读取文件内容，再判断漏洞是否存在**
+4. **不要假设文件在子目录中** - 使用发现中提供的精确路径
+
 ## 验证要求
 - 验证级别: {config.get('verification_level', 'standard')}
 
 ## 可用工具
 {self.get_tools_description()}
 
-请开始验证。对于每个发现，思考如何验证它，使用合适的工具获取更多信息，然后判断是否为真实漏洞。
+请开始验证。对于每个发现：
+1. 首先使用 read_file 读取发现中指定的文件（使用精确路径）
+2. 分析代码上下文
+3. 判断是否为真实漏洞
 {f"特别注意 Analysis Agent 提到的关注点。" if handoff_context else ""}"""
 
         # 初始化对话历史
diff --git a/backend/app/services/agent/graph/runner.py b/backend/app/services/agent/graph/runner.py
index 69822d5..f50d88c 100644
--- a/backend/app/services/agent/graph/runner.py
+++ b/backend/app/services/agent/graph/runner.py
@@ -197,6 +197,13 @@ class AgentRunner:
         from app.services.agent.tools import (
             ThinkTool, ReflectTool,
             CreateVulnerabilityReportTool,
+            # 多语言代码测试工具
+            PhpTestTool, PythonTestTool, JavaScriptTestTool, JavaTestTool,
+            GoTestTool, RubyTestTool, ShellTestTool, UniversalCodeTestTool,
+            # 漏洞验证专用工具
+            CommandInjectionTestTool, SqlInjectionTestTool, XssTestTool,
+            PathTraversalTestTool, SstiTestTool, DeserializationTestTool,
+            UniversalVulnTestTool,
         )
         # 🔥 导入知识查询工具
         from app.services.agent.knowledge import (
@@ -282,6 +289,8 @@ class AgentRunner:
                 network_mode=settings.SANDBOX_NETWORK_MODE,
             )
             self.sandbox_manager = SandboxManager(config=sandbox_config)
+            # 🔥 必须调用 initialize() 来连接 Docker
+            await self.sandbox_manager.initialize()
         except Exception as e:
             logger.warning(f"❌ Sandbox Manager initialization failed: {e}")
             import traceback
@@ -289,15 +298,38 @@ class AgentRunner:
             # 尝试创建默认管理器作为后备
             try:
                 self.sandbox_manager = SandboxManager()
+                # 🔥 同样需要调用 initialize()
+                await self.sandbox_manager.initialize()
                 logger.info("⚠️ Created fallback SandboxManager (Docker might be unavailable)")
             except Exception as e2:
                 logger.error(f"❌ Failed to create fallback SandboxManager: {e2}")
 
         # 始终注册沙箱工具，即使 Docker 不可用（工具内部会检查）
         if self.sandbox_manager:
+            # 🔥 沙箱核心工具
             self.verification_tools["sandbox_exec"] = SandboxTool(self.sandbox_manager)
             self.verification_tools["sandbox_http"] = SandboxHttpTool(self.sandbox_manager)
             self.verification_tools["verify_vulnerability"] = VulnerabilityVerifyTool(self.sandbox_manager)
+
+            # 🔥 多语言代码测试工具
+            self.verification_tools["php_test"] = PhpTestTool(self.sandbox_manager, self.project_root)
+            self.verification_tools["python_test"] = PythonTestTool(self.sandbox_manager, self.project_root)
+            self.verification_tools["javascript_test"] = JavaScriptTestTool(self.sandbox_manager, self.project_root)
+            self.verification_tools["java_test"] = JavaTestTool(self.sandbox_manager, self.project_root)
+            self.verification_tools["go_test"] = GoTestTool(self.sandbox_manager, self.project_root)
+            self.verification_tools["ruby_test"] = RubyTestTool(self.sandbox_manager, self.project_root)
+            self.verification_tools["shell_test"] = ShellTestTool(self.sandbox_manager, self.project_root)
+            self.verification_tools["universal_code_test"] = UniversalCodeTestTool(self.sandbox_manager, self.project_root)
+
+            # 🔥 漏洞验证专用工具
+            self.verification_tools["test_command_injection"] = CommandInjectionTestTool(self.sandbox_manager, self.project_root)
+            self.verification_tools["test_sql_injection"] = SqlInjectionTestTool(self.sandbox_manager, self.project_root)
+            self.verification_tools["test_xss"] = XssTestTool(self.sandbox_manager, self.project_root)
+            self.verification_tools["test_path_traversal"] = PathTraversalTestTool(self.sandbox_manager, self.project_root)
+            self.verification_tools["test_ssti"] = SstiTestTool(self.sandbox_manager, self.project_root)
+            self.verification_tools["test_deserialization"] = DeserializationTestTool(self.sandbox_manager, self.project_root)
+            self.verification_tools["universal_vuln_test"] = UniversalVulnTestTool(self.sandbox_manager, self.project_root)
+
             logger.info(f"✅ Sandbox tools initialized (Docker available: {self.sandbox_manager.is_available})")
         else:
              logger.error("❌ Sandbox tools NOT initialized due to critical manager failure")
diff --git a/backend/app/services/agent/json_parser.py b/backend/app/services/agent/json_parser.py
index ec9c2cd..6347130 100644
--- a/backend/app/services/agent/json_parser.py
+++ b/backend/app/services/agent/json_parser.py
@@ -1,6 +1,6 @@
 """
 Agent JSON 解析工具
-从 LLM 响应中安全地解析 JSON，参考 llm/service.py 的实现
+从 LLM 响应中安全地解析 JSON，优先使用 json-repair 库
 """
 
 import json
@@ -14,14 +14,15 @@ logger = logging.getLogger(__name__)
 try:
     from json_repair import repair_json
     JSON_REPAIR_AVAILABLE = True
+    logger.info("✅ json-repair 库已加载")
 except ImportError:
     JSON_REPAIR_AVAILABLE = False
-    logger.debug("json-repair library not available")
+    logger.warning("⚠️ json-repair 库未安装，将使用备用解析方法")
 
 
 class AgentJsonParser:
-    """Agent 专用的 JSON 解析器"""
-    
+    """Agent 专用的 JSON 解析器 - 优先使用 json-repair"""
+
     @staticmethod
     def clean_text(text: str) -> str:
         """清理文本中的控制字符"""
@@ -30,7 +31,7 @@ class AgentJsonParser:
         # 移除 BOM 和零宽字符
         text = text.replace('\ufeff', '').replace('\u200b', '').replace('\u200c', '').replace('\u200d', '')
         return text
-    
+
     @staticmethod
     def fix_json_format(text: str) -> str:
         """修复常见的 JSON 格式问题"""
@@ -40,7 +41,66 @@ class AgentJsonParser:
         # 修复未转义的换行符（在字符串值中）
         text = re.sub(r':\s*"([^"]*)\n([^"]*)"', r': "\1\\n\2"', text)
         return text
-    
+
+    @classmethod
+    def extract_json_string(cls, text: str) -> str:
+        """从文本中提取 JSON 字符串部分"""
+        # 先尝试从 markdown 代码块提取
+        md_match = re.search(r'```(?:json)?\s*([\s\S]*?)\s*```', text)
+        if md_match:
+            return md_match.group(1).strip()
+
+        # 找到第一个 { 或 [
+        start_brace = text.find('{')
+        start_bracket = text.find('[')
+
+        if start_brace == -1 and start_bracket == -1:
+            return text  # 没有找到，返回原文
+
+        if start_brace == -1:
+            start_idx = start_bracket
+        elif start_bracket == -1:
+            start_idx = start_brace
+        else:
+            start_idx = min(start_brace, start_bracket)
+
+        # 找到最后一个 } 或 ]
+        end_brace = text.rfind('}')
+        end_bracket = text.rfind(']')
+
+        if end_brace == -1 and end_bracket == -1:
+            return text[start_idx:]  # 没有找到结尾，返回从开始到末尾
+
+        end_idx = max(end_brace, end_bracket) + 1
+
+        return text[start_idx:end_idx]
+
+    @classmethod
+    def repair_with_library(cls, text: str) -> Dict[str, Any]:
+        """使用 json-repair 库修复并解析 JSON"""
+        if not JSON_REPAIR_AVAILABLE:
+            raise ValueError("json-repair library not available")
+
+        # 提取 JSON 字符串
+        json_str = cls.extract_json_string(text)
+
+        if not json_str.strip():
+            raise ValueError("No JSON content found")
+
+        # 使用 json-repair 修复并解析
+        repaired = repair_json(json_str, return_objects=True)
+
+        if isinstance(repaired, dict):
+            return repaired
+        elif isinstance(repaired, list):
+            # 如果返回列表，包装为字典
+            return {"items": repaired}
+        elif isinstance(repaired, str):
+            # 如果返回字符串，尝试再次解析
+            return json.loads(repaired)
+
+        raise ValueError(f"json-repair returned unexpected type: {type(repaired)}")
+
     @classmethod
     def extract_from_markdown(cls, text: str) -> Dict[str, Any]:
         """从 markdown 代码块提取 JSON"""
@@ -48,35 +108,35 @@ class AgentJsonParser:
         if match:
             return json.loads(match.group(1))
         raise ValueError("No markdown code block found")
-    
+
     @classmethod
     def extract_json_object(cls, text: str) -> Dict[str, Any]:
         """智能提取 JSON 对象"""
         start_idx = text.find('{')
         if start_idx == -1:
             raise ValueError("No JSON object found")
-        
+
         # 考虑字符串内的花括号和转义字符
         brace_count = 0
         in_string = False
         escape_next = False
         end_idx = -1
-        
+
         for i in range(start_idx, len(text)):
             char = text[i]
-            
+
             if escape_next:
                 escape_next = False
                 continue
-            
+
             if char == '\\':
                 escape_next = True
                 continue
-            
+
             if char == '"' and not escape_next:
                 in_string = not in_string
                 continue
-            
+
             if not in_string:
                 if char == '{':
                     brace_count += 1
@@ -85,7 +145,7 @@ class AgentJsonParser:
                     if brace_count == 0:
                         end_idx = i + 1
                         break
-        
+
         if end_idx == -1:
             # 如果找不到完整的 JSON，尝试使用最后一个 }
             last_brace = text.rfind('}')
@@ -93,68 +153,45 @@ class AgentJsonParser:
                 end_idx = last_brace + 1
             else:
                 raise ValueError("Incomplete JSON object")
-        
+
         json_str = text[start_idx:end_idx]
         # 修复格式问题
         json_str = re.sub(r',(\s*[}\]])', r'\1', json_str)
-        
+
         return json.loads(json_str)
-    
+
     @classmethod
     def fix_truncated_json(cls, text: str) -> Dict[str, Any]:
         """修复截断的 JSON"""
         start_idx = text.find('{')
         if start_idx == -1:
             raise ValueError("Cannot fix truncated JSON")
-        
+
         json_str = text[start_idx:]
-        
+
         # 计算缺失的闭合符号
         open_braces = json_str.count('{')
         close_braces = json_str.count('}')
         open_brackets = json_str.count('[')
         close_brackets = json_str.count(']')
-        
+
         # 补全缺失的闭合符号
         json_str += ']' * max(0, open_brackets - close_brackets)
         json_str += '}' * max(0, open_braces - close_braces)
-        
+
         # 修复格式
         json_str = re.sub(r',(\s*[}\]])', r'\1', json_str)
         return json.loads(json_str)
-    
-    @classmethod
-    def repair_with_library(cls, text: str) -> Dict[str, Any]:
-        """使用 json-repair 库修复损坏的 JSON"""
-        if not JSON_REPAIR_AVAILABLE:
-            raise ValueError("json-repair library not available")
-        
-        start_idx = text.find('{')
-        if start_idx == -1:
-            raise ValueError("No JSON object found for repair")
-        
-        end_idx = text.rfind('}')
-        if end_idx > start_idx:
-            json_str = text[start_idx:end_idx + 1]
-        else:
-            json_str = text[start_idx:]
-        
-        repaired = repair_json(json_str, return_objects=True)
-        
-        if isinstance(repaired, dict):
-            return repaired
-        
-        raise ValueError(f"json-repair returned unexpected type: {type(repaired)}")
-    
+
     @classmethod
     def parse(cls, text: str, default: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
         """
-        从 LLM 响应中解析 JSON（增强版）
-        
+        从 LLM 响应中解析 JSON（优先使用 json-repair）
+
         Args:
             text: LLM 响应文本
             default: 解析失败时返回的默认值，如果为 None 则抛出异常
-            
+
         Returns:
             解析后的字典
         """
@@ -163,19 +200,25 @@ class AgentJsonParser:
                 logger.warning("LLM 响应为空，返回默认值")
                 return default
             raise ValueError("LLM 响应内容为空")
-        
+
         clean = cls.clean_text(text)
-        
-        # 尝试多种方式解析
-        attempts = [
+
+        # 🔥 优先使用 json-repair，它能处理大多数格式问题
+        attempts = []
+
+        # 如果 json-repair 可用，优先使用它
+        if JSON_REPAIR_AVAILABLE:
+            attempts.append(("json-repair", lambda: cls.repair_with_library(text)))
+
+        # 然后尝试其他方法作为后备
+        attempts.extend([
             ("直接解析", lambda: json.loads(text)),
             ("清理后解析", lambda: json.loads(cls.fix_json_format(clean))),
             ("Markdown 提取", lambda: cls.extract_from_markdown(text)),
             ("智能提取", lambda: cls.extract_json_object(clean)),
             ("截断修复", lambda: cls.fix_truncated_json(clean)),
-            ("json-repair", lambda: cls.repair_with_library(text)),
-        ]
-        
+        ])
+
         last_error = None
         for name, attempt in attempts:
             try:
@@ -187,30 +230,30 @@ class AgentJsonParser:
             except Exception as e:
                 last_error = e
                 logger.debug(f"JSON 解析方法 '{name}' 失败: {e}")
-        
+
         # 所有尝试都失败
         if default is not None:
             logger.warning(f"JSON 解析失败，返回默认值。原始内容: {text[:200]}...")
             return default
-        
+
         logger.error(f"❌ 无法解析 JSON，原始内容: {text[:500]}...")
         raise ValueError(f"无法解析 JSON: {last_error}")
-    
+
     @classmethod
     def parse_findings(cls, text: str) -> List[Dict[str, Any]]:
         """
         专门解析 findings 列表
-        
+
         Args:
             text: LLM 响应文本
-            
+
         Returns:
             findings 列表（每个元素都是字典）
         """
         try:
             result = cls.parse(text, default={"findings": []})
             findings = result.get("findings", [])
-            
+
             # 确保每个 finding 都是字典
             valid_findings = []
             for f in findings:
@@ -219,33 +262,70 @@ class AgentJsonParser:
                 elif isinstance(f, str):
                     # 尝试将字符串解析为 JSON
                     try:
-                        parsed = json.loads(f)
+                        # 优先使用 json-repair
+                        if JSON_REPAIR_AVAILABLE:
+                            parsed = repair_json(f, return_objects=True)
+                        else:
+                            parsed = json.loads(f)
                         if isinstance(parsed, dict):
                             valid_findings.append(parsed)
-                    except json.JSONDecodeError:
+                    except Exception:
                         logger.warning(f"跳过无效的 finding（字符串）: {f[:100]}...")
                 else:
                     logger.warning(f"跳过无效的 finding（类型: {type(f)}）")
-            
+
             return valid_findings
-            
+
         except Exception as e:
             logger.error(f"解析 findings 失败: {e}")
             return []
-    
+
     @classmethod
     def safe_get(cls, data: Union[Dict, str, Any], key: str, default: Any = None) -> Any:
         """
         安全地从数据中获取值
-        
+
         Args:
             data: 可能是字典或其他类型
             key: 要获取的键
             default: 默认值
-            
+
         Returns:
             获取的值或默认值
         """
         if isinstance(data, dict):
             return data.get(key, default)
         return default
+
+    @classmethod
+    def parse_any(cls, text: str, default: Any = None) -> Any:
+        """
+        解析任意 JSON 类型（对象、数组、字符串等）
+
+        Args:
+            text: LLM 响应文本
+            default: 解析失败时返回的默认值
+
+        Returns:
+            解析后的 Python 对象
+        """
+        if not text or not text.strip():
+            return default
+
+        clean = cls.clean_text(text)
+        json_str = cls.extract_json_string(clean)
+
+        # 优先使用 json-repair
+        if JSON_REPAIR_AVAILABLE:
+            try:
+                return repair_json(json_str, return_objects=True)
+            except Exception as e:
+                logger.debug(f"json-repair 解析失败: {e}")
+
+        # 后备方法
+        try:
+            return json.loads(json_str)
+        except Exception as e:
+            logger.debug(f"标准 JSON 解析失败: {e}")
+
+        return default
diff --git a/backend/app/services/agent/prompts/system_prompts.py b/backend/app/services/agent/prompts/system_prompts.py
index 650b9da..efcd467 100644
--- a/backend/app/services/agent/prompts/system_prompts.py
+++ b/backend/app/services/agent/prompts/system_prompts.py
@@ -130,6 +130,34 @@ Action: 工具名称
 Action Input: {"参数1": "值1", "参数2": "值2"}
 ```
 
+### 错误处理指南
+
+当工具执行返回错误时，你会收到详细的错误信息，包括：
+- 工具名称和参数
+- 错误类型和错误信息
+- 堆栈跟踪（如有）
+
+**错误处理策略**：
+
+1. **参数错误** - 检查并修正参数格式
+   - 确保 JSON 格式正确
+   - 检查必填参数是否提供
+   - 验证参数类型（字符串、数字、列表等）
+
+2. **资源不存在** - 调整目标
+   - 文件不存在：使用 list_files 确认路径
+   - 工具不可用：使用其他替代工具
+
+3. **权限/超时错误** - 跳过或简化
+   - 记录问题，继续其他分析
+   - 尝试更小范围的操作
+
+4. **沙箱错误** - 检查环境
+   - Docker 不可用时使用代码分析替代
+   - 记录无法验证的原因
+
+**重要**：遇到错误时，不要放弃！分析错误原因，尝试其他方法完成任务。
+
 ### 完成输出格式
 
 ```
@@ -379,6 +407,22 @@ RECON_SYSTEM_PROMPT = f"""你是 DeepAudit 的侦察 Agent，负责收集和分
 - 调试设置
 - 密钥管理
 
+## 工作方式
+每一步，你需要输出：
+
+```
+Thought: [分析当前情况，思考需要收集什么信息]
+Action: [工具名称]
+Action Input: {{"参数1": "值1"}}
+```
+
+当你完成信息收集后，输出：
+
+```
+Thought: [总结收集到的所有信息]
+Final Answer: [JSON 格式的结果]
+```
+
 ## 输出格式
 
 ```
@@ -392,12 +436,33 @@ Final Answer: {{
     "entry_points": [
         {{"type": "...", "file": "...", "line": ..., "method": "..."}}
     ],
-    "high_risk_areas": [...],
-    "initial_findings": [...],
+    "high_risk_areas": [
+        "文件路径:行号 - 风险描述"
+    ],
+    "initial_findings": [
+        {{"title": "...", "file_path": "...", "line_start": ..., "description": "..."}}
+    ],
     "summary": "项目侦察总结"
 }}
 ```
 
+## ⚠️ 重要输出要求
+
+### high_risk_areas 格式要求
+每个高风险区域**必须**包含具体的文件路径，格式为：
+- `"app.py:36 - SECRET_KEY 硬编码"`
+- `"utils/file.py:120 - 使用用户输入构造文件路径"`
+- `"api/views.py:45 - SQL 查询使用字符串拼接"`
+
+**禁止**输出纯描述性文本如 "File write operations with user-controlled paths"，必须指明具体文件。
+
+### initial_findings 格式要求
+每个发现**必须**包含：
+- `title`: 漏洞标题
+- `file_path`: 具体文件路径
+- `line_start`: 行号
+- `description`: 详细描述
+
 {TOOL_USAGE_GUIDE}
 """
 
diff --git a/backend/app/services/agent/tools/__init__.py b/backend/app/services/agent/tools/__init__.py
index 7bb6d86..d9ad13f 100644
--- a/backend/app/services/agent/tools/__init__.py
+++ b/backend/app/services/agent/tools/__init__.py
@@ -15,7 +15,35 @@ from .rag_tool import RAGQueryTool, SecurityCodeSearchTool, FunctionContextTool
 from .pattern_tool import PatternMatchTool
 from .code_analysis_tool import CodeAnalysisTool, DataFlowAnalysisTool, VulnerabilityValidationTool
 from .file_tool import FileReadTool, FileSearchTool, ListFilesTool
-from .sandbox_tool import SandboxTool, SandboxHttpTool, VulnerabilityVerifyTool, SandboxManager
+from .sandbox_tool import (
+    SandboxTool,
+    SandboxHttpTool,
+    VulnerabilityVerifyTool,
+    SandboxManager,
+)
+
+# 🔥 多语言代码测试工具
+from .sandbox_language import (
+    PhpTestTool,
+    PythonTestTool,
+    JavaScriptTestTool,
+    JavaTestTool,
+    GoTestTool,
+    RubyTestTool,
+    ShellTestTool,
+    UniversalCodeTestTool,
+)
+
+# 🔥 漏洞验证专用工具
+from .sandbox_vuln import (
+    CommandInjectionTestTool,
+    SqlInjectionTestTool,
+    XssTestTool,
+    PathTraversalTestTool,
+    SstiTestTool,
+    DeserializationTestTool,
+    UniversalVulnTestTool,
+)
 
 # 外部安全工具
 from .external_tools import (
@@ -77,6 +105,25 @@ __all__ = [
     "SandboxHttpTool",
     "VulnerabilityVerifyTool",
     "SandboxManager",
+
+    # 🔥 多语言代码测试工具
+    "PhpTestTool",
+    "PythonTestTool",
+    "JavaScriptTestTool",
+    "JavaTestTool",
+    "GoTestTool",
+    "RubyTestTool",
+    "ShellTestTool",
+    "UniversalCodeTestTool",
+
+    # 🔥 漏洞验证专用工具
+    "CommandInjectionTestTool",
+    "SqlInjectionTestTool",
+    "XssTestTool",
+    "PathTraversalTestTool",
+    "SstiTestTool",
+    "DeserializationTestTool",
+    "UniversalVulnTestTool",
     
     # 外部安全工具
     "SemgrepTool",
diff --git a/backend/app/services/agent/tools/sandbox_language.py b/backend/app/services/agent/tools/sandbox_language.py
new file mode 100644
index 0000000..b41a087
--- /dev/null
+++ b/backend/app/services/agent/tools/sandbox_language.py
@@ -0,0 +1,1162 @@
+"""
+多语言代码测试工具
+支持 PHP, Python, JavaScript, Java, Go, Ruby 等语言的沙箱测试
+"""
+
+import asyncio
+import json
+import logging
+import os
+import tempfile
+from typing import Optional, Dict, Any, List
+from pydantic import BaseModel, Field
+from dataclasses import dataclass
+
+from .base import AgentTool, ToolResult
+from .sandbox_tool import SandboxManager
+
+logger = logging.getLogger(__name__)
+
+
+# ============ 通用语言测试基类 ============
+
+class LanguageTestInput(BaseModel):
+    """语言测试通用输入"""
+    code: Optional[str] = Field(default=None, description="要执行的代码（与 file_path 二选一）")
+    file_path: Optional[str] = Field(default=None, description="项目中的文件路径（与 code 二选一）")
+    params: Optional[Dict[str, str]] = Field(default=None, description="模拟的请求参数")
+    env_vars: Optional[Dict[str, str]] = Field(default=None, description="环境变量")
+    timeout: int = Field(default=30, description="超时时间（秒）")
+
+
+class BaseLanguageTestTool(AgentTool):
+    """语言测试工具基类"""
+
+    LANGUAGE_NAME = "unknown"
+    LANGUAGE_CMD = "echo"
+    FILE_EXTENSION = ".txt"
+
+    def __init__(self, sandbox_manager: Optional[SandboxManager] = None, project_root: str = "."):
+        super().__init__()
+        self.sandbox_manager = sandbox_manager or SandboxManager()
+        self.project_root = project_root
+
+    @property
+    def args_schema(self):
+        return LanguageTestInput
+
+    def _read_file(self, file_path: str) -> Optional[str]:
+        """读取文件内容"""
+        full_path = os.path.join(self.project_root, file_path)
+        if not os.path.exists(full_path):
+            return None
+        with open(full_path, 'r', encoding='utf-8', errors='ignore') as f:
+            return f.read()
+
+    def _build_wrapper_code(self, code: str, params: Optional[Dict[str, str]]) -> str:
+        """构建包装代码 - 子类实现"""
+        raise NotImplementedError
+
+    def _build_command(self, code: str) -> str:
+        """构建执行命令 - 子类实现"""
+        raise NotImplementedError
+
+    def _analyze_output(self, result: Dict[str, Any], params: Optional[Dict[str, str]]) -> Dict[str, Any]:
+        """分析输出结果"""
+        is_vulnerable = False
+        evidence = None
+
+        if result["exit_code"] == 0 and result.get("stdout"):
+            stdout = result["stdout"].strip().lower()
+
+            # 通用漏洞特征检测
+            vuln_indicators = [
+                ("uid=", "命令执行成功 (uid)"),
+                ("root:", "命令执行成功 (passwd)"),
+                ("www-data", "命令执行成功 (www-data)"),
+                ("nobody", "命令执行成功 (nobody)"),
+                ("daemon", "命令执行成功 (daemon)"),
+                ("/bin/", "路径泄露"),
+                ("/etc/", "敏感路径访问"),
+                ("sql syntax", "SQL 错误"),
+                ("mysql", "数据库信息泄露"),
+                ("postgresql", "数据库信息泄露"),
+                ("sqlite", "数据库信息泄露"),
+                ("syntax error", "代码执行错误"),
+                ("stack trace", "堆栈跟踪泄露"),
+                ("exception", "异常信息泄露"),
+            ]
+
+            for indicator, desc in vuln_indicators:
+                if indicator in stdout:
+                    is_vulnerable = True
+                    evidence = f"{desc}: 输出包含 '{indicator}'"
+                    break
+
+            # 检查参数是否被执行
+            if params and not is_vulnerable:
+                for key, value in params.items():
+                    if value.lower() in stdout:
+                        is_vulnerable = True
+                        evidence = f"参数 '{key}' 的值出现在输出中"
+                        break
+
+        return {
+            "is_vulnerable": is_vulnerable,
+            "evidence": evidence,
+        }
+
+    async def _execute(
+        self,
+        code: Optional[str] = None,
+        file_path: Optional[str] = None,
+        params: Optional[Dict[str, str]] = None,
+        env_vars: Optional[Dict[str, str]] = None,
+        timeout: int = 30,
+        **kwargs
+    ) -> ToolResult:
+        """执行语言测试"""
+        try:
+            await self.sandbox_manager.initialize()
+        except Exception as e:
+            logger.warning(f"Sandbox init failed: {e}")
+
+        if not self.sandbox_manager.is_available:
+            return ToolResult(
+                success=False,
+                error="沙箱环境不可用 (Docker Unavailable)",
+            )
+
+        # 获取代码
+        if file_path:
+            code = self._read_file(file_path)
+            if code is None:
+                return ToolResult(
+                    success=False,
+                    error=f"文件不存在: {file_path}",
+                )
+
+        if not code:
+            return ToolResult(
+                success=False,
+                error="必须提供 code 或 file_path",
+            )
+
+        # 构建包装代码
+        wrapped_code = self._build_wrapper_code(code, params)
+
+        # 构建命令
+        command = self._build_command(wrapped_code)
+
+        # 执行
+        result = await self.sandbox_manager.execute_command(
+            command=command,
+            timeout=timeout,
+            env=env_vars,
+        )
+
+        # 分析结果
+        analysis = self._analyze_output(result, params)
+
+        # 格式化输出
+        output_parts = [f"🔬 {self.LANGUAGE_NAME} 测试结果\n"]
+
+        if file_path:
+            output_parts.append(f"文件: {file_path}")
+        if params:
+            output_parts.append(f"参数: {json.dumps(params, ensure_ascii=False)}")
+
+        output_parts.append(f"\n退出码: {result['exit_code']}")
+
+        if result["stdout"]:
+            stdout = result["stdout"][:3000]
+            output_parts.append(f"\n输出:\n```\n{stdout}\n```")
+
+        if result["stderr"]:
+            stderr = result["stderr"][:1000]
+            output_parts.append(f"\n错误:\n```\n{stderr}\n```")
+
+        if analysis["is_vulnerable"]:
+            output_parts.append(f"\n🔴 **漏洞确认**: {analysis['evidence']}")
+        else:
+            output_parts.append(f"\n🟡 未能确认漏洞")
+
+        return ToolResult(
+            success=True,
+            data="\n".join(output_parts),
+            metadata={
+                "exit_code": result["exit_code"],
+                "is_vulnerable": analysis["is_vulnerable"],
+                "evidence": analysis["evidence"],
+                "language": self.LANGUAGE_NAME,
+            }
+        )
+
+
+# ============ PHP 测试工具 ============
+
+class PhpTestTool(BaseLanguageTestTool):
+    """PHP 代码测试工具"""
+
+    LANGUAGE_NAME = "PHP"
+    LANGUAGE_CMD = "php"
+    FILE_EXTENSION = ".php"
+
+    @property
+    def name(self) -> str:
+        return "php_test"
+
+    @property
+    def description(self) -> str:
+        return """在沙箱中测试 PHP 代码，支持模拟 $_GET/$_POST/$_REQUEST 参数。
+
+输入:
+- code: PHP 代码（与 file_path 二选一）
+- file_path: 项目中的 PHP 文件路径
+- params: 模拟参数，如 {"cmd": "whoami", "id": "1"}
+- timeout: 超时秒数
+
+示例:
+1. 测试文件: {"file_path": "vuln.php", "params": {"cmd": "whoami"}}
+2. 测试代码: {"code": "<?php echo shell_exec($_GET['cmd']); ?>", "params": {"cmd": "id"}}"""
+
+    def _build_wrapper_code(self, code: str, params: Optional[Dict[str, str]]) -> str:
+        """构建 PHP 包装代码
+
+        注意: php -r 不需要 <?php 标签，所以这里生成的是纯 PHP 代码
+        """
+        wrapper_parts = []
+
+        # 模拟超全局变量
+        if params:
+            for key, value in params.items():
+                escaped_value = value.replace("'", "\\'")
+                wrapper_parts.append(f"$_GET['{key}'] = '{escaped_value}';")
+                wrapper_parts.append(f"$_POST['{key}'] = '{escaped_value}';")
+                wrapper_parts.append(f"$_REQUEST['{key}'] = '{escaped_value}';")
+
+        # 清理原代码的 PHP 标签（因为 php -r 不需要它们）
+        clean_code = code.strip()
+        if clean_code.startswith("<?php"):
+            clean_code = clean_code[5:].strip()
+        elif clean_code.startswith("<?"):
+            clean_code = clean_code[2:].strip()
+        if clean_code.endswith("?>"):
+            clean_code = clean_code[:-2].strip()
+
+        wrapper_parts.append(clean_code)
+
+        return "\n".join(wrapper_parts)
+
+    def _build_command(self, code: str) -> str:
+        """构建 PHP 执行命令"""
+        escaped_code = code.replace("'", "'\"'\"'")
+        return f"php -r '{escaped_code}'"
+
+
+# ============ Python 测试工具 ============
+
+class PythonTestInput(LanguageTestInput):
+    """Python 测试输入"""
+    flask_mode: bool = Field(default=False, description="是否模拟 Flask 请求环境")
+    django_mode: bool = Field(default=False, description="是否模拟 Django 请求环境")
+
+
+class PythonTestTool(BaseLanguageTestTool):
+    """Python 代码测试工具"""
+
+    LANGUAGE_NAME = "Python"
+    LANGUAGE_CMD = "python3"
+    FILE_EXTENSION = ".py"
+
+    @property
+    def name(self) -> str:
+        return "python_test"
+
+    @property
+    def description(self) -> str:
+        return """在沙箱中测试 Python 代码，支持模拟 Flask/Django 请求参数。
+
+输入:
+- code: Python 代码（与 file_path 二选一）
+- file_path: 项目中的 Python 文件路径
+- params: 模拟参数，如 {"cmd": "whoami", "user_id": "1"}
+- flask_mode: 是否模拟 Flask request.args/form
+- django_mode: 是否模拟 Django request.GET/POST
+- timeout: 超时秒数
+
+示例:
+1. Flask 模式: {"file_path": "app.py", "params": {"cmd": "id"}, "flask_mode": true}
+2. 命令行参数: {"code": "import os; os.system(input())", "params": {"input": "whoami"}}"""
+
+    @property
+    def args_schema(self):
+        return PythonTestInput
+
+    def _build_wrapper_code(self, code: str, params: Optional[Dict[str, str]],
+                           flask_mode: bool = False, django_mode: bool = False) -> str:
+        """构建 Python 包装代码"""
+        wrapper_parts = []
+
+        if params:
+            if flask_mode:
+                # 模拟 Flask request
+                wrapper_parts.append("""
+class MockMultiDict(dict):
+    def get(self, key, default=None, type=None):
+        value = super().get(key, default)
+        if type and value is not None:
+            try:
+                return type(value)
+            except:
+                return default
+        return value
+    def getlist(self, key):
+        value = self.get(key)
+        return [value] if value else []
+
+class MockRequest:
+    def __init__(self, params):
+        self.args = MockMultiDict(params)
+        self.form = MockMultiDict(params)
+        self.values = MockMultiDict(params)
+        self.data = params
+        self.json = params
+        self.method = 'GET'
+        self.path = '/'
+        self.headers = {}
+    def get_json(self, force=False, silent=False):
+        return self.json
+
+import sys
+sys.modules['flask'] = type(sys)('flask')
+""")
+                params_str = json.dumps(params)
+                wrapper_parts.append(f"request = MockRequest({params_str})")
+
+            elif django_mode:
+                # 模拟 Django request
+                wrapper_parts.append("""
+class MockQueryDict(dict):
+    def get(self, key, default=None):
+        return super().get(key, default)
+    def getlist(self, key):
+        value = self.get(key)
+        return [value] if value else []
+
+class MockRequest:
+    def __init__(self, params):
+        self.GET = MockQueryDict(params)
+        self.POST = MockQueryDict(params)
+        self.method = 'GET'
+        self.path = '/'
+        self.META = {}
+        self.body = b''
+""")
+                params_str = json.dumps(params)
+                wrapper_parts.append(f"request = MockRequest({params_str})")
+            else:
+                # 普通模式：设置命令行参数和环境变量
+                wrapper_parts.append("import sys, os")
+                args = ["script.py"] + list(params.values())
+                wrapper_parts.append(f"sys.argv = {args}")
+                for key, value in params.items():
+                    wrapper_parts.append(f"os.environ['{key.upper()}'] = '{value}'")
+
+        wrapper_parts.append(code)
+        return "\n".join(wrapper_parts)
+
+    def _build_command(self, code: str) -> str:
+        """构建 Python 执行命令"""
+        escaped_code = code.replace("'", "'\"'\"'")
+        return f"python3 -c '{escaped_code}'"
+
+    async def _execute(
+        self,
+        code: Optional[str] = None,
+        file_path: Optional[str] = None,
+        params: Optional[Dict[str, str]] = None,
+        env_vars: Optional[Dict[str, str]] = None,
+        timeout: int = 30,
+        flask_mode: bool = False,
+        django_mode: bool = False,
+        **kwargs
+    ) -> ToolResult:
+        """执行 Python 测试"""
+        try:
+            await self.sandbox_manager.initialize()
+        except Exception as e:
+            logger.warning(f"Sandbox init failed: {e}")
+
+        if not self.sandbox_manager.is_available:
+            return ToolResult(success=False, error="沙箱环境不可用")
+
+        if file_path:
+            code = self._read_file(file_path)
+            if code is None:
+                return ToolResult(success=False, error=f"文件不存在: {file_path}")
+
+        if not code:
+            return ToolResult(success=False, error="必须提供 code 或 file_path")
+
+        wrapped_code = self._build_wrapper_code(code, params, flask_mode, django_mode)
+        command = self._build_command(wrapped_code)
+
+        result = await self.sandbox_manager.execute_command(
+            command=command,
+            timeout=timeout,
+            env=env_vars,
+        )
+
+        analysis = self._analyze_output(result, params)
+
+        output_parts = [f"🐍 Python 测试结果\n"]
+        if file_path:
+            output_parts.append(f"文件: {file_path}")
+        if flask_mode:
+            output_parts.append("模式: Flask")
+        elif django_mode:
+            output_parts.append("模式: Django")
+        if params:
+            output_parts.append(f"参数: {json.dumps(params, ensure_ascii=False)}")
+
+        output_parts.append(f"\n退出码: {result['exit_code']}")
+
+        if result["stdout"]:
+            output_parts.append(f"\n输出:\n```\n{result['stdout'][:3000]}\n```")
+        if result["stderr"]:
+            output_parts.append(f"\n错误:\n```\n{result['stderr'][:1000]}\n```")
+
+        if analysis["is_vulnerable"]:
+            output_parts.append(f"\n🔴 **漏洞确认**: {analysis['evidence']}")
+        else:
+            output_parts.append(f"\n🟡 未能确认漏洞")
+
+        return ToolResult(
+            success=True,
+            data="\n".join(output_parts),
+            metadata={
+                "exit_code": result["exit_code"],
+                "is_vulnerable": analysis["is_vulnerable"],
+                "evidence": analysis["evidence"],
+                "language": "Python",
+            }
+        )
+
+
+# ============ JavaScript/Node.js 测试工具 ============
+
+class JavaScriptTestInput(LanguageTestInput):
+    """JavaScript 测试输入"""
+    express_mode: bool = Field(default=False, description="是否模拟 Express.js 请求环境")
+
+
+class JavaScriptTestTool(BaseLanguageTestTool):
+    """JavaScript/Node.js 代码测试工具"""
+
+    LANGUAGE_NAME = "JavaScript"
+    LANGUAGE_CMD = "node"
+    FILE_EXTENSION = ".js"
+
+    @property
+    def name(self) -> str:
+        return "javascript_test"
+
+    @property
+    def description(self) -> str:
+        return """在沙箱中测试 JavaScript/Node.js 代码，支持模拟 Express.js 请求。
+
+输入:
+- code: JavaScript 代码（与 file_path 二选一）
+- file_path: 项目中的 JS 文件路径
+- params: 模拟参数，如 {"cmd": "whoami", "id": "1"}
+- express_mode: 是否模拟 Express req 对象
+- timeout: 超时秒数
+
+示例:
+1. Express 模式: {"file_path": "route.js", "params": {"cmd": "id"}, "express_mode": true}
+2. 普通模式: {"code": "require('child_process').execSync(process.argv[2])", "params": {"arg": "whoami"}}"""
+
+    @property
+    def args_schema(self):
+        return JavaScriptTestInput
+
+    def _build_wrapper_code(self, code: str, params: Optional[Dict[str, str]],
+                           express_mode: bool = False) -> str:
+        """构建 JavaScript 包装代码"""
+        wrapper_parts = []
+
+        if params:
+            if express_mode:
+                # 模拟 Express request 对象
+                params_json = json.dumps(params)
+                wrapper_parts.append(f"""
+const req = {{
+    query: {params_json},
+    body: {params_json},
+    params: {params_json},
+    get: function(header) {{ return this.headers[header]; }},
+    headers: {{}},
+    method: 'GET',
+    path: '/',
+    url: '/',
+}};
+const res = {{
+    send: function(data) {{ console.log(data); return this; }},
+    json: function(data) {{ console.log(JSON.stringify(data)); return this; }},
+    status: function(code) {{ return this; }},
+    end: function() {{ return this; }},
+}};
+""")
+            else:
+                # 普通模式：设置进程参数
+                wrapper_parts.append("const params = " + json.dumps(params) + ";")
+                args = ["node", "script.js"] + list(params.values())
+                wrapper_parts.append(f"process.argv = {json.dumps(args)};")
+
+        wrapper_parts.append(code)
+        return "\n".join(wrapper_parts)
+
+    def _build_command(self, code: str) -> str:
+        """构建 Node.js 执行命令"""
+        escaped_code = code.replace("'", "'\"'\"'")
+        return f"node -e '{escaped_code}'"
+
+    async def _execute(
+        self,
+        code: Optional[str] = None,
+        file_path: Optional[str] = None,
+        params: Optional[Dict[str, str]] = None,
+        env_vars: Optional[Dict[str, str]] = None,
+        timeout: int = 30,
+        express_mode: bool = False,
+        **kwargs
+    ) -> ToolResult:
+        """执行 JavaScript 测试"""
+        try:
+            await self.sandbox_manager.initialize()
+        except Exception as e:
+            logger.warning(f"Sandbox init failed: {e}")
+
+        if not self.sandbox_manager.is_available:
+            return ToolResult(success=False, error="沙箱环境不可用")
+
+        if file_path:
+            code = self._read_file(file_path)
+            if code is None:
+                return ToolResult(success=False, error=f"文件不存在: {file_path}")
+
+        if not code:
+            return ToolResult(success=False, error="必须提供 code 或 file_path")
+
+        wrapped_code = self._build_wrapper_code(code, params, express_mode)
+        command = self._build_command(wrapped_code)
+
+        result = await self.sandbox_manager.execute_command(
+            command=command,
+            timeout=timeout,
+            env=env_vars,
+        )
+
+        analysis = self._analyze_output(result, params)
+
+        output_parts = [f"📜 JavaScript 测试结果\n"]
+        if file_path:
+            output_parts.append(f"文件: {file_path}")
+        if express_mode:
+            output_parts.append("模式: Express.js")
+        if params:
+            output_parts.append(f"参数: {json.dumps(params, ensure_ascii=False)}")
+
+        output_parts.append(f"\n退出码: {result['exit_code']}")
+
+        if result["stdout"]:
+            output_parts.append(f"\n输出:\n```\n{result['stdout'][:3000]}\n```")
+        if result["stderr"]:
+            output_parts.append(f"\n错误:\n```\n{result['stderr'][:1000]}\n```")
+
+        if analysis["is_vulnerable"]:
+            output_parts.append(f"\n🔴 **漏洞确认**: {analysis['evidence']}")
+        else:
+            output_parts.append(f"\n🟡 未能确认漏洞")
+
+        return ToolResult(
+            success=True,
+            data="\n".join(output_parts),
+            metadata={
+                "exit_code": result["exit_code"],
+                "is_vulnerable": analysis["is_vulnerable"],
+                "evidence": analysis["evidence"],
+                "language": "JavaScript",
+            }
+        )
+
+
+# ============ Java 测试工具 ============
+
+class JavaTestTool(BaseLanguageTestTool):
+    """Java 代码测试工具"""
+
+    LANGUAGE_NAME = "Java"
+    FILE_EXTENSION = ".java"
+
+    @property
+    def name(self) -> str:
+        return "java_test"
+
+    @property
+    def description(self) -> str:
+        return """在沙箱中测试 Java 代码，支持模拟 Servlet 请求参数。
+
+输入:
+- code: Java 代码（与 file_path 二选一）
+- file_path: 项目中的 Java 文件路径
+- params: 模拟参数，如 {"cmd": "whoami"}
+- timeout: 超时秒数
+
+示例:
+{"code": "Runtime.getRuntime().exec(args[0])", "params": {"arg": "whoami"}}
+
+注意: Java 代码会被包装在 main 方法中执行。"""
+
+    def _build_wrapper_code(self, code: str, params: Optional[Dict[str, str]]) -> str:
+        """构建 Java 包装代码"""
+        # 检测是否是完整类
+        if "class " in code and "public static void main" in code:
+            return code
+
+        # 构建模拟请求参数
+        param_init = ""
+        if params:
+            params_entries = ", ".join([f'"{k}", "{v}"' for k, v in params.items()])
+            param_init = f"""
+        java.util.Map<String, String> request = new java.util.HashMap<>();
+        String[][] entries = {{{params_entries.replace(', ', '}, {')}}};
+        for (String[] e : entries) {{ request.put(e[0], e[1]); }}
+        String[] args = new String[]{{{', '.join([f'"{v}"' for v in params.values()])}}};
+"""
+
+        wrapper = f"""
+import java.io.*;
+import java.util.*;
+
+public class Test {{
+    public static void main(String[] argv) throws Exception {{
+        {param_init}
+        {code}
+    }}
+}}
+"""
+        return wrapper
+
+    def _build_command(self, code: str) -> str:
+        """构建 Java 执行命令"""
+        # Java 需要先编译再执行
+        escaped_code = code.replace("'", "'\"'\"'").replace("\\", "\\\\")
+        return f"echo '{escaped_code}' > /tmp/Test.java && javac /tmp/Test.java && java -cp /tmp Test"
+
+    async def _execute(
+        self,
+        code: Optional[str] = None,
+        file_path: Optional[str] = None,
+        params: Optional[Dict[str, str]] = None,
+        env_vars: Optional[Dict[str, str]] = None,
+        timeout: int = 60,  # Java 编译需要更长时间
+        **kwargs
+    ) -> ToolResult:
+        """执行 Java 测试"""
+        try:
+            await self.sandbox_manager.initialize()
+        except Exception as e:
+            logger.warning(f"Sandbox init failed: {e}")
+
+        if not self.sandbox_manager.is_available:
+            return ToolResult(success=False, error="沙箱环境不可用")
+
+        if file_path:
+            code = self._read_file(file_path)
+            if code is None:
+                return ToolResult(success=False, error=f"文件不存在: {file_path}")
+
+        if not code:
+            return ToolResult(success=False, error="必须提供 code 或 file_path")
+
+        wrapped_code = self._build_wrapper_code(code, params)
+        command = self._build_command(wrapped_code)
+
+        result = await self.sandbox_manager.execute_command(
+            command=command,
+            timeout=timeout,
+            env=env_vars,
+        )
+
+        analysis = self._analyze_output(result, params)
+
+        output_parts = [f"☕ Java 测试结果\n"]
+        if file_path:
+            output_parts.append(f"文件: {file_path}")
+        if params:
+            output_parts.append(f"参数: {json.dumps(params, ensure_ascii=False)}")
+
+        output_parts.append(f"\n退出码: {result['exit_code']}")
+
+        if result["stdout"]:
+            output_parts.append(f"\n输出:\n```\n{result['stdout'][:3000]}\n```")
+        if result["stderr"]:
+            output_parts.append(f"\n错误:\n```\n{result['stderr'][:1000]}\n```")
+
+        if analysis["is_vulnerable"]:
+            output_parts.append(f"\n🔴 **漏洞确认**: {analysis['evidence']}")
+        else:
+            output_parts.append(f"\n🟡 未能确认漏洞")
+
+        return ToolResult(
+            success=True,
+            data="\n".join(output_parts),
+            metadata={
+                "exit_code": result["exit_code"],
+                "is_vulnerable": analysis["is_vulnerable"],
+                "evidence": analysis["evidence"],
+                "language": "Java",
+            }
+        )
+
+
+# ============ Go 测试工具 ============
+
+class GoTestTool(BaseLanguageTestTool):
+    """Go 代码测试工具"""
+
+    LANGUAGE_NAME = "Go"
+    FILE_EXTENSION = ".go"
+
+    @property
+    def name(self) -> str:
+        return "go_test"
+
+    @property
+    def description(self) -> str:
+        return """在沙箱中测试 Go 代码。
+
+输入:
+- code: Go 代码（与 file_path 二选一）
+- file_path: 项目中的 Go 文件路径
+- params: 模拟参数（作为命令行参数或环境变量）
+- timeout: 超时秒数
+
+示例:
+{"code": "exec.Command(os.Args[1]).Output()", "params": {"cmd": "whoami"}}"""
+
+    def _build_wrapper_code(self, code: str, params: Optional[Dict[str, str]]) -> str:
+        """构建 Go 包装代码"""
+        # 检测是否是完整包
+        if "package main" in code and "func main()" in code:
+            return code
+
+        imports = ["fmt", "os"]
+        if "exec." in code:
+            imports.append("os/exec")
+        if "http." in code:
+            imports.append("net/http")
+        if "io" in code:
+            imports.append("io")
+
+        imports_str = "\n".join([f'    "{imp}"' for imp in imports])
+
+        # 模拟参数
+        param_code = ""
+        if params:
+            args = ["program"] + list(params.values())
+            param_code = f"    os.Args = []string{{{', '.join([f'\"{a}\"' for a in args])}}}\n"
+            for key, value in params.items():
+                param_code += f'    os.Setenv("{key.upper()}", "{value}")\n'
+
+        wrapper = f"""package main
+
+import (
+{imports_str}
+)
+
+func main() {{
+{param_code}
+    {code}
+}}
+"""
+        return wrapper
+
+    def _build_command(self, code: str) -> str:
+        """构建 Go 执行命令"""
+        escaped_code = code.replace("'", "'\"'\"'").replace("\\", "\\\\")
+        return f"echo '{escaped_code}' > /tmp/main.go && go run /tmp/main.go"
+
+    async def _execute(
+        self,
+        code: Optional[str] = None,
+        file_path: Optional[str] = None,
+        params: Optional[Dict[str, str]] = None,
+        env_vars: Optional[Dict[str, str]] = None,
+        timeout: int = 60,
+        **kwargs
+    ) -> ToolResult:
+        """执行 Go 测试"""
+        try:
+            await self.sandbox_manager.initialize()
+        except Exception as e:
+            logger.warning(f"Sandbox init failed: {e}")
+
+        if not self.sandbox_manager.is_available:
+            return ToolResult(success=False, error="沙箱环境不可用")
+
+        if file_path:
+            code = self._read_file(file_path)
+            if code is None:
+                return ToolResult(success=False, error=f"文件不存在: {file_path}")
+
+        if not code:
+            return ToolResult(success=False, error="必须提供 code 或 file_path")
+
+        wrapped_code = self._build_wrapper_code(code, params)
+        command = self._build_command(wrapped_code)
+
+        result = await self.sandbox_manager.execute_command(
+            command=command,
+            timeout=timeout,
+            env=env_vars,
+        )
+
+        analysis = self._analyze_output(result, params)
+
+        output_parts = [f"🔵 Go 测试结果\n"]
+        if file_path:
+            output_parts.append(f"文件: {file_path}")
+        if params:
+            output_parts.append(f"参数: {json.dumps(params, ensure_ascii=False)}")
+
+        output_parts.append(f"\n退出码: {result['exit_code']}")
+
+        if result["stdout"]:
+            output_parts.append(f"\n输出:\n```\n{result['stdout'][:3000]}\n```")
+        if result["stderr"]:
+            output_parts.append(f"\n错误:\n```\n{result['stderr'][:1000]}\n```")
+
+        if analysis["is_vulnerable"]:
+            output_parts.append(f"\n🔴 **漏洞确认**: {analysis['evidence']}")
+        else:
+            output_parts.append(f"\n🟡 未能确认漏洞")
+
+        return ToolResult(
+            success=True,
+            data="\n".join(output_parts),
+            metadata={
+                "exit_code": result["exit_code"],
+                "is_vulnerable": analysis["is_vulnerable"],
+                "evidence": analysis["evidence"],
+                "language": "Go",
+            }
+        )
+
+
+# ============ Ruby 测试工具 ============
+
+class RubyTestInput(LanguageTestInput):
+    """Ruby 测试输入"""
+    rails_mode: bool = Field(default=False, description="是否模拟 Rails 请求环境")
+
+
+class RubyTestTool(BaseLanguageTestTool):
+    """Ruby 代码测试工具"""
+
+    LANGUAGE_NAME = "Ruby"
+    LANGUAGE_CMD = "ruby"
+    FILE_EXTENSION = ".rb"
+
+    @property
+    def name(self) -> str:
+        return "ruby_test"
+
+    @property
+    def description(self) -> str:
+        return """在沙箱中测试 Ruby 代码，支持模拟 Rails 请求参数。
+
+输入:
+- code: Ruby 代码（与 file_path 二选一）
+- file_path: 项目中的 Ruby 文件路径
+- params: 模拟参数，如 {"cmd": "whoami"}
+- rails_mode: 是否模拟 Rails params
+- timeout: 超时秒数
+
+示例:
+1. Rails 模式: {"file_path": "controller.rb", "params": {"cmd": "id"}, "rails_mode": true}
+2. 普通模式: {"code": "system(ARGV[0])", "params": {"cmd": "whoami"}}"""
+
+    @property
+    def args_schema(self):
+        return RubyTestInput
+
+    def _build_wrapper_code(self, code: str, params: Optional[Dict[str, str]],
+                           rails_mode: bool = False) -> str:
+        """构建 Ruby 包装代码"""
+        wrapper_parts = []
+
+        if params:
+            if rails_mode:
+                # 模拟 Rails params
+                params_ruby = "{ " + ", ".join([f'"{k}" => "{v}"' for k, v in params.items()]) + " }"
+                wrapper_parts.append(f"""
+class HashWithIndifferentAccess < Hash
+  def [](key)
+    super(key.to_s) || super(key.to_sym)
+  end
+end
+
+def params
+  @params ||= HashWithIndifferentAccess.new.merge({params_ruby})
+end
+
+class Request
+  attr_accessor :params, :method, :path
+  def initialize(p)
+    @params = p
+    @method = 'GET'
+    @path = '/'
+  end
+end
+
+request = Request.new(params)
+""")
+            else:
+                # 普通模式
+                for i, (key, value) in enumerate(params.items()):
+                    wrapper_parts.append(f'ARGV[{i}] = "{value}"')
+                    wrapper_parts.append(f'ENV["{key.upper()}"] = "{value}"')
+
+        wrapper_parts.append(code)
+        return "\n".join(wrapper_parts)
+
+    def _build_command(self, code: str) -> str:
+        """构建 Ruby 执行命令"""
+        escaped_code = code.replace("'", "'\"'\"'")
+        return f"ruby -e '{escaped_code}'"
+
+    async def _execute(
+        self,
+        code: Optional[str] = None,
+        file_path: Optional[str] = None,
+        params: Optional[Dict[str, str]] = None,
+        env_vars: Optional[Dict[str, str]] = None,
+        timeout: int = 30,
+        rails_mode: bool = False,
+        **kwargs
+    ) -> ToolResult:
+        """执行 Ruby 测试"""
+        try:
+            await self.sandbox_manager.initialize()
+        except Exception as e:
+            logger.warning(f"Sandbox init failed: {e}")
+
+        if not self.sandbox_manager.is_available:
+            return ToolResult(success=False, error="沙箱环境不可用")
+
+        if file_path:
+            code = self._read_file(file_path)
+            if code is None:
+                return ToolResult(success=False, error=f"文件不存在: {file_path}")
+
+        if not code:
+            return ToolResult(success=False, error="必须提供 code 或 file_path")
+
+        wrapped_code = self._build_wrapper_code(code, params, rails_mode)
+        command = self._build_command(wrapped_code)
+
+        result = await self.sandbox_manager.execute_command(
+            command=command,
+            timeout=timeout,
+            env=env_vars,
+        )
+
+        analysis = self._analyze_output(result, params)
+
+        output_parts = [f"💎 Ruby 测试结果\n"]
+        if file_path:
+            output_parts.append(f"文件: {file_path}")
+        if rails_mode:
+            output_parts.append("模式: Rails")
+        if params:
+            output_parts.append(f"参数: {json.dumps(params, ensure_ascii=False)}")
+
+        output_parts.append(f"\n退出码: {result['exit_code']}")
+
+        if result["stdout"]:
+            output_parts.append(f"\n输出:\n```\n{result['stdout'][:3000]}\n```")
+        if result["stderr"]:
+            output_parts.append(f"\n错误:\n```\n{result['stderr'][:1000]}\n```")
+
+        if analysis["is_vulnerable"]:
+            output_parts.append(f"\n🔴 **漏洞确认**: {analysis['evidence']}")
+        else:
+            output_parts.append(f"\n🟡 未能确认漏洞")
+
+        return ToolResult(
+            success=True,
+            data="\n".join(output_parts),
+            metadata={
+                "exit_code": result["exit_code"],
+                "is_vulnerable": analysis["is_vulnerable"],
+                "evidence": analysis["evidence"],
+                "language": "Ruby",
+            }
+        )
+
+
+# ============ Bash/Shell 测试工具 ============
+
+class ShellTestTool(BaseLanguageTestTool):
+    """Shell/Bash 脚本测试工具"""
+
+    LANGUAGE_NAME = "Shell"
+    LANGUAGE_CMD = "bash"
+    FILE_EXTENSION = ".sh"
+
+    @property
+    def name(self) -> str:
+        return "shell_test"
+
+    @property
+    def description(self) -> str:
+        return """在沙箱中测试 Shell/Bash 脚本。
+
+输入:
+- code: Shell 代码（与 file_path 二选一）
+- file_path: 项目中的 Shell 脚本路径
+- params: 模拟参数（作为位置参数 $1, $2... 或环境变量）
+- timeout: 超时秒数
+
+示例:
+{"code": "eval $1", "params": {"1": "whoami"}}"""
+
+    def _build_wrapper_code(self, code: str, params: Optional[Dict[str, str]]) -> str:
+        """构建 Shell 包装代码"""
+        wrapper_parts = ["#!/bin/bash"]
+
+        if params:
+            for key, value in params.items():
+                # 设置位置参数和环境变量
+                if key.isdigit():
+                    # 位置参数需要特殊处理
+                    pass
+                else:
+                    wrapper_parts.append(f'export {key.upper()}="{value}"')
+
+        wrapper_parts.append(code)
+        return "\n".join(wrapper_parts)
+
+    def _build_command(self, code: str) -> str:
+        """构建 Shell 执行命令"""
+        escaped_code = code.replace("'", "'\"'\"'")
+        return f"bash -c '{escaped_code}'"
+
+
+# ============ 通用多语言测试工具 ============
+
+class UniversalCodeTestInput(BaseModel):
+    """通用代码测试输入"""
+    language: str = Field(..., description="编程语言: php, python, javascript, java, go, ruby, shell")
+    code: Optional[str] = Field(default=None, description="要执行的代码")
+    file_path: Optional[str] = Field(default=None, description="文件路径")
+    params: Optional[Dict[str, str]] = Field(default=None, description="模拟参数")
+    framework_mode: Optional[str] = Field(default=None, description="框架模式: flask, django, express, rails")
+    timeout: int = Field(default=30, description="超时秒数")
+
+
+class UniversalCodeTestTool(AgentTool):
+    """通用多语言代码测试工具 - 自动选择合适的语言测试器"""
+
+    def __init__(self, sandbox_manager: Optional[SandboxManager] = None, project_root: str = "."):
+        super().__init__()
+        self.sandbox_manager = sandbox_manager or SandboxManager()
+        self.project_root = project_root
+
+        # 初始化所有语言测试器
+        self._testers = {
+            "php": PhpTestTool(sandbox_manager, project_root),
+            "python": PythonTestTool(sandbox_manager, project_root),
+            "javascript": JavaScriptTestTool(sandbox_manager, project_root),
+            "js": JavaScriptTestTool(sandbox_manager, project_root),
+            "node": JavaScriptTestTool(sandbox_manager, project_root),
+            "java": JavaTestTool(sandbox_manager, project_root),
+            "go": GoTestTool(sandbox_manager, project_root),
+            "golang": GoTestTool(sandbox_manager, project_root),
+            "ruby": RubyTestTool(sandbox_manager, project_root),
+            "rb": RubyTestTool(sandbox_manager, project_root),
+            "shell": ShellTestTool(sandbox_manager, project_root),
+            "bash": ShellTestTool(sandbox_manager, project_root),
+        }
+
+    @property
+    def name(self) -> str:
+        return "code_test"
+
+    @property
+    def description(self) -> str:
+        return """通用多语言代码测试工具，支持 PHP, Python, JavaScript, Java, Go, Ruby, Shell。
+
+自动根据语言选择合适的测试环境，支持各种框架的请求模拟。
+
+输入:
+- language: 编程语言 (php, python, javascript, java, go, ruby, shell)
+- code: 代码内容（与 file_path 二选一）
+- file_path: 文件路径
+- params: 模拟参数
+- framework_mode: 框架模式 (flask, django, express, rails)
+- timeout: 超时秒数
+
+示例:
+1. PHP: {"language": "php", "file_path": "vuln.php", "params": {"cmd": "id"}}
+2. Python Flask: {"language": "python", "code": "os.system(request.args.get('cmd'))", "params": {"cmd": "whoami"}, "framework_mode": "flask"}
+3. Node.js: {"language": "javascript", "code": "require('child_process').execSync(req.query.cmd)", "params": {"cmd": "id"}, "framework_mode": "express"}"""
+
+    @property
+    def args_schema(self):
+        return UniversalCodeTestInput
+
+    async def _execute(
+        self,
+        language: str,
+        code: Optional[str] = None,
+        file_path: Optional[str] = None,
+        params: Optional[Dict[str, str]] = None,
+        framework_mode: Optional[str] = None,
+        timeout: int = 30,
+        **kwargs
+    ) -> ToolResult:
+        """执行通用代码测试"""
+        language = language.lower().strip()
+
+        tester = self._testers.get(language)
+        if not tester:
+            return ToolResult(
+                success=False,
+                error=f"不支持的语言: {language}。支持: {list(self._testers.keys())}",
+            )
+
+        # 构建测试参数
+        test_kwargs = {
+            "code": code,
+            "file_path": file_path,
+            "params": params,
+            "timeout": timeout,
+        }
+
+        # 处理框架模式
+        if framework_mode:
+            fm = framework_mode.lower()
+            if fm == "flask":
+                test_kwargs["flask_mode"] = True
+            elif fm == "django":
+                test_kwargs["django_mode"] = True
+            elif fm == "express":
+                test_kwargs["express_mode"] = True
+            elif fm == "rails":
+                test_kwargs["rails_mode"] = True
+
+        return await tester._execute(**test_kwargs)
diff --git a/backend/app/services/agent/tools/sandbox_tool.py b/backend/app/services/agent/tools/sandbox_tool.py
index fcdc777..72831be 100644
--- a/backend/app/services/agent/tools/sandbox_tool.py
+++ b/backend/app/services/agent/tools/sandbox_tool.py
@@ -44,17 +44,24 @@ class SandboxManager:
     async def initialize(self):
         """初始化 Docker 客户端"""
         if self._initialized:
+            logger.info("✅ SandboxManager already initialized")
             return
-        
+
         try:
             import docker
+            logger.info("🔄 Attempting to connect to Docker...")
             self._docker_client = docker.from_env()
             # 测试连接
             self._docker_client.ping()
             self._initialized = True
-            logger.info("Docker sandbox manager initialized")
+            logger.info("✅ Docker sandbox manager initialized successfully")
+        except ImportError as e:
+            logger.error(f"❌ Docker library not installed: {e}")
+            self._docker_client = None
         except Exception as e:
-            logger.warning(f"Docker not available: {e}")
+            logger.warning(f"❌ Docker not available: {e}")
+            import traceback
+            logger.warning(f"Docker connection traceback: {traceback.format_exc()}")
             self._docker_client = None
     
     @property
@@ -462,12 +469,13 @@ class SandboxTool(AgentTool):
     沙箱执行工具
     在安全隔离的环境中执行代码和命令
     """
-    
+
     # 允许的命令前缀
     ALLOWED_COMMANDS = [
         "python", "python3", "node", "curl", "wget",
         "cat", "head", "tail", "grep", "find", "ls",
         "echo", "printf", "test", "id", "whoami",
+        "php",  # 🔥 添加 PHP 支持
     ]
     
     def __init__(self, sandbox_manager: Optional[SandboxManager] = None):
@@ -763,3 +771,398 @@ class VulnerabilityVerifyTool(AgentTool):
             }
         )
 
+
+# ============ PHP 测试工具 ============
+
+class PhpTestInput(BaseModel):
+    """PHP 测试输入"""
+    php_code: Optional[str] = Field(default=None, description="要执行的 PHP 代码（可选，与 file_path 二选一）")
+    file_path: Optional[str] = Field(default=None, description="要测试的 PHP 文件路径（可选，与 php_code 二选一）")
+    get_params: Optional[Dict[str, str]] = Field(default=None, description="模拟的 GET 参数，如 {'cmd': 'whoami'}")
+    post_params: Optional[Dict[str, str]] = Field(default=None, description="模拟的 POST 参数")
+    timeout: int = Field(default=30, description="超时时间（秒）")
+
+
+class PhpTestTool(AgentTool):
+    """
+    PHP 代码测试工具
+    在沙箱中执行 PHP 代码，支持模拟 GET/POST 参数
+    """
+
+    def __init__(self, sandbox_manager: Optional[SandboxManager] = None, project_root: str = "."):
+        super().__init__()
+        self.sandbox_manager = sandbox_manager or SandboxManager()
+        self.project_root = project_root
+
+    @property
+    def name(self) -> str:
+        return "php_test"
+
+    @property
+    def description(self) -> str:
+        return """在沙箱中测试 PHP 代码，支持模拟 GET/POST 参数。
+专门用于验证 PHP 漏洞（如命令注入、SQL 注入等）。
+
+输入 (二选一):
+- php_code: 直接提供要执行的 PHP 代码
+- file_path: 项目中的 PHP 文件路径
+
+模拟参数:
+- get_params: 模拟 $_GET 参数，如 {"cmd": "whoami", "id": "1"}
+- post_params: 模拟 $_POST 参数
+
+示例:
+1. 测试命令注入:
+   {"file_path": "vuln.php", "get_params": {"cmd": "whoami"}}
+
+2. 直接测试代码:
+   {"php_code": "<?php echo shell_exec($_GET['cmd']); ?>", "get_params": {"cmd": "id"}}
+
+⚠️ 在沙箱中执行，不影响真实环境。"""
+
+    @property
+    def args_schema(self):
+        return PhpTestInput
+
+    async def _execute(
+        self,
+        php_code: Optional[str] = None,
+        file_path: Optional[str] = None,
+        get_params: Optional[Dict[str, str]] = None,
+        post_params: Optional[Dict[str, str]] = None,
+        timeout: int = 30,
+        **kwargs
+    ) -> ToolResult:
+        """执行 PHP 测试"""
+        try:
+            await self.sandbox_manager.initialize()
+        except Exception as e:
+            logger.warning(f"Sandbox init failed: {e}")
+
+        if not self.sandbox_manager.is_available:
+            return ToolResult(
+                success=False,
+                error="沙箱环境不可用 (Docker Unavailable)",
+            )
+
+        # 构建 PHP 代码
+        if file_path:
+            # 从文件读取
+            import os
+            full_path = os.path.join(self.project_root, file_path)
+            if not os.path.exists(full_path):
+                return ToolResult(
+                    success=False,
+                    error=f"文件不存在: {file_path}",
+                )
+            with open(full_path, 'r', encoding='utf-8', errors='ignore') as f:
+                php_code = f.read()
+
+        if not php_code:
+            return ToolResult(
+                success=False,
+                error="必须提供 php_code 或 file_path",
+            )
+
+        # 构建模拟 $_GET 和 $_POST 的包装代码
+        wrapper_parts = ["<?php"]
+
+        # 模拟 $_GET
+        if get_params:
+            for key, value in get_params.items():
+                # 安全转义
+                escaped_value = value.replace("'", "\\'")
+                wrapper_parts.append(f"$_GET['{key}'] = '{escaped_value}';")
+
+        # 模拟 $_POST
+        if post_params:
+            for key, value in post_params.items():
+                escaped_value = value.replace("'", "\\'")
+                wrapper_parts.append(f"$_POST['{key}'] = '{escaped_value}';")
+
+        # 移除 php_code 开头的 <?php 标签
+        clean_code = php_code.strip()
+        if clean_code.startswith("<?php"):
+            clean_code = clean_code[5:].strip()
+        if clean_code.startswith("<?"):
+            clean_code = clean_code[2:].strip()
+        if clean_code.endswith("?>"):
+            clean_code = clean_code[:-2].strip()
+
+        wrapper_parts.append(clean_code)
+        wrapper_parts.append("?>")
+
+        full_php_code = "\n".join(wrapper_parts)
+
+        # 在沙箱中执行
+        # 使用 php -r 直接执行代码
+        import shlex
+        escaped_code = full_php_code.replace("'", "'\"'\"'")
+        command = f"php -r '{escaped_code}'"
+
+        result = await self.sandbox_manager.execute_command(
+            command=command,
+            timeout=timeout,
+        )
+
+        # 格式化输出
+        output_parts = ["🐘 PHP 测试结果\n"]
+
+        if get_params:
+            output_parts.append(f"模拟 GET 参数: {get_params}")
+        if post_params:
+            output_parts.append(f"模拟 POST 参数: {post_params}")
+
+        output_parts.append(f"\n退出码: {result['exit_code']}")
+
+        if result["stdout"]:
+            stdout = result["stdout"][:3000]
+            output_parts.append(f"\n输出:\n```\n{stdout}\n```")
+
+        if result["stderr"]:
+            stderr = result["stderr"][:1000]
+            output_parts.append(f"\n错误:\n```\n{stderr}\n```")
+
+        # 判断是否执行成功
+        is_vulnerable = False
+        evidence = None
+
+        if result["exit_code"] == 0 and result["stdout"]:
+            # 检查是否有命令执行输出
+            stdout_lower = result["stdout"].lower()
+            if get_params and "cmd" in get_params:
+                cmd_value = get_params["cmd"].lower()
+                # 检查常见命令输出
+                if cmd_value in ["whoami", "id"]:
+                    if "root" in stdout_lower or "uid=" in stdout_lower or "www-data" in stdout_lower:
+                        is_vulnerable = True
+                        evidence = f"命令 '{get_params['cmd']}' 执行成功，输出: {result['stdout'][:200]}"
+                elif cmd_value.startswith("echo "):
+                    expected = cmd_value[5:].lower()
+                    if expected in stdout_lower:
+                        is_vulnerable = True
+                        evidence = f"Echo 命令执行成功"
+                else:
+                    # 通用检查：有输出就可能成功
+                    if len(result["stdout"].strip()) > 0:
+                        is_vulnerable = True
+                        evidence = f"命令可能执行成功，输出: {result['stdout'][:200]}"
+
+        if is_vulnerable:
+            output_parts.append(f"\n🔴 **漏洞确认**: {evidence}")
+        else:
+            output_parts.append(f"\n🟡 未能确认漏洞执行（可能需要检查输出）")
+
+        return ToolResult(
+            success=True,
+            data="\n".join(output_parts),
+            metadata={
+                "exit_code": result["exit_code"],
+                "is_vulnerable": is_vulnerable,
+                "evidence": evidence,
+                "stdout": result["stdout"][:500] if result["stdout"] else None,
+            }
+        )
+
+
+# ============ 命令注入专用测试工具 ============
+
+class CommandInjectionTestInput(BaseModel):
+    """命令注入测试输入"""
+    target_file: str = Field(description="目标文件路径（如 'vuln.php'）")
+    param_name: str = Field(default="cmd", description="注入参数名（默认 'cmd'）")
+    test_command: str = Field(default="id", description="测试命令（默认 'id'）")
+    language: str = Field(default="php", description="目标语言 (php, python, node)")
+
+
+class CommandInjectionTestTool(AgentTool):
+    """
+    命令注入专用测试工具
+    智能检测和验证命令注入漏洞
+    """
+
+    def __init__(self, sandbox_manager: Optional[SandboxManager] = None, project_root: str = "."):
+        super().__init__()
+        self.sandbox_manager = sandbox_manager or SandboxManager()
+        self.project_root = project_root
+
+    @property
+    def name(self) -> str:
+        return "test_command_injection"
+
+    @property
+    def description(self) -> str:
+        return """专门用于测试命令注入漏洞的工具。
+
+输入:
+- target_file: 目标文件路径
+- param_name: 注入参数名（默认 'cmd'）
+- test_command: 测试命令（默认 'id'，也可用 'whoami', 'echo test'）
+- language: 目标语言（php, python, node）
+
+示例:
+{"target_file": "ttt/t.php", "param_name": "cmd", "test_command": "whoami"}
+
+自动执行:
+1. 读取目标文件代码
+2. 构建包含测试命令的执行环境
+3. 在沙箱中执行并分析结果
+4. 判断命令注入是否成功"""
+
+    @property
+    def args_schema(self):
+        return CommandInjectionTestInput
+
+    async def _execute(
+        self,
+        target_file: str,
+        param_name: str = "cmd",
+        test_command: str = "id",
+        language: str = "php",
+        **kwargs
+    ) -> ToolResult:
+        """执行命令注入测试"""
+        try:
+            await self.sandbox_manager.initialize()
+        except Exception as e:
+            logger.warning(f"Sandbox init failed: {e}")
+
+        if not self.sandbox_manager.is_available:
+            return ToolResult(
+                success=False,
+                error="沙箱环境不可用 (Docker Unavailable)",
+            )
+
+        import os
+        full_path = os.path.join(self.project_root, target_file)
+
+        if not os.path.exists(full_path):
+            return ToolResult(
+                success=False,
+                error=f"文件不存在: {target_file}",
+            )
+
+        # 读取文件内容
+        with open(full_path, 'r', encoding='utf-8', errors='ignore') as f:
+            code_content = f.read()
+
+        output_parts = ["🎯 命令注入测试\n"]
+        output_parts.append(f"目标文件: {target_file}")
+        output_parts.append(f"注入参数: {param_name}")
+        output_parts.append(f"测试命令: {test_command}")
+        output_parts.append(f"语言: {language}")
+
+        # 根据语言构建测试
+        if language.lower() == "php":
+            result = await self._test_php_injection(code_content, param_name, test_command)
+        elif language.lower() == "python":
+            result = await self._test_python_injection(code_content, param_name, test_command)
+        else:
+            return ToolResult(
+                success=False,
+                error=f"暂不支持语言: {language}",
+            )
+
+        output_parts.append(f"\n退出码: {result['exit_code']}")
+
+        if result.get("stdout"):
+            output_parts.append(f"\n命令输出:\n```\n{result['stdout'][:2000]}\n```")
+
+        if result.get("stderr"):
+            output_parts.append(f"\n错误输出:\n```\n{result['stderr'][:500]}\n```")
+
+        # 分析结果
+        is_vulnerable = False
+        evidence = None
+        poc = None
+
+        if result["exit_code"] == 0 and result.get("stdout"):
+            stdout = result["stdout"].strip()
+            # 检查命令执行特征
+            if test_command in ["id", "whoami"]:
+                if "uid=" in stdout or "root" in stdout or "www-data" in stdout or stdout.strip():
+                    is_vulnerable = True
+                    evidence = f"命令 '{test_command}' 成功执行，输出: {stdout[:200]}"
+                    poc = f"curl 'http://target/{target_file}?{param_name}={test_command}'"
+            elif test_command.startswith("echo "):
+                expected = test_command[5:]
+                if expected in stdout:
+                    is_vulnerable = True
+                    evidence = f"Echo 测试成功"
+                    poc = f"curl 'http://target/{target_file}?{param_name}=echo+test'"
+            else:
+                if len(stdout) > 0:
+                    is_vulnerable = True
+                    evidence = f"命令可能执行成功，输出: {stdout[:200]}"
+                    poc = f"curl 'http://target/{target_file}?{param_name}={test_command}'"
+
+        if is_vulnerable:
+            output_parts.append(f"\n\n🔴 **漏洞已确认!**")
+            output_parts.append(f"证据: {evidence}")
+            output_parts.append(f"\nPoC: `{poc}`")
+        else:
+            output_parts.append(f"\n\n🟡 未能确认漏洞")
+            if result.get("stderr"):
+                output_parts.append(f"可能原因: 执行错误或参数未正确传递")
+
+        return ToolResult(
+            success=True,
+            data="\n".join(output_parts),
+            metadata={
+                "is_vulnerable": is_vulnerable,
+                "evidence": evidence,
+                "poc": poc,
+                "exit_code": result["exit_code"],
+            }
+        )
+
+    async def _test_php_injection(self, code: str, param_name: str, test_command: str) -> Dict[str, Any]:
+        """测试 PHP 命令注入"""
+        # 构建模拟环境
+        wrapper = f"""<?php
+$_GET['{param_name}'] = '{test_command}';
+$_POST['{param_name}'] = '{test_command}';
+$_REQUEST['{param_name}'] = '{test_command}';
+"""
+        # 移除原代码的 PHP 标签
+        clean_code = code.strip()
+        if clean_code.startswith("<?php"):
+            clean_code = clean_code[5:]
+        elif clean_code.startswith("<?"):
+            clean_code = clean_code[2:]
+        if clean_code.endswith("?>"):
+            clean_code = clean_code[:-2]
+
+        full_code = wrapper + clean_code + "\n?>"
+
+        # 转义并执行
+        escaped_code = full_code.replace("'", "'\"'\"'")
+        command = f"php -r '{escaped_code}'"
+
+        return await self.sandbox_manager.execute_command(command, timeout=30)
+
+    async def _test_python_injection(self, code: str, param_name: str, test_command: str) -> Dict[str, Any]:
+        """测试 Python 命令注入"""
+        # 模拟 request.args.get
+        wrapper = f"""
+import sys
+class MockArgs:
+    def get(self, key, default=None):
+        if key == '{param_name}':
+            return '{test_command}'
+        return default
+
+class MockRequest:
+    args = MockArgs()
+    form = MockArgs()
+
+request = MockRequest()
+sys.argv = ['script.py', '{test_command}']
+
+"""
+        full_code = wrapper + code
+
+        escaped_code = full_code.replace("'", "'\"'\"'")
+        command = f"python3 -c '{escaped_code}'"
+
+        return await self.sandbox_manager.execute_command(command, timeout=30)
\ No newline at end of file
diff --git a/backend/app/services/agent/tools/sandbox_vuln.py b/backend/app/services/agent/tools/sandbox_vuln.py
new file mode 100644
index 0000000..128fa51
--- /dev/null
+++ b/backend/app/services/agent/tools/sandbox_vuln.py
@@ -0,0 +1,1565 @@
+"""
+漏洞验证专用工具
+支持各类经典漏洞的沙箱验证测试
+"""
+
+import asyncio
+import json
+import logging
+import os
+import re
+import tempfile
+from typing import Optional, Dict, Any, List
+from pydantic import BaseModel, Field
+from dataclasses import dataclass
+from enum import Enum
+
+from .base import AgentTool, ToolResult
+from .sandbox_tool import SandboxManager
+
+logger = logging.getLogger(__name__)
+
+
+class VulnType(str, Enum):
+    """漏洞类型枚举"""
+    SQL_INJECTION = "sql_injection"
+    COMMAND_INJECTION = "command_injection"
+    CODE_INJECTION = "code_injection"
+    XSS = "xss"
+    PATH_TRAVERSAL = "path_traversal"
+    SSRF = "ssrf"
+    XXE = "xxe"
+    DESERIALIZATION = "deserialization"
+    SSTI = "ssti"
+    LDAP_INJECTION = "ldap_injection"
+    NOSQL_INJECTION = "nosql_injection"
+    XPATH_INJECTION = "xpath_injection"
+
+
+# ============ 命令注入测试工具 ============
+
+class CommandInjectionTestInput(BaseModel):
+    """命令注入测试输入"""
+    target_file: str = Field(..., description="目标文件路径")
+    param_name: str = Field(default="cmd", description="注入参数名")
+    test_command: str = Field(default="id", description="测试命令: id, whoami, echo test, cat /etc/passwd")
+    language: str = Field(default="auto", description="语言: auto, php, python, javascript, java, go, ruby, shell")
+    injection_point: Optional[str] = Field(default=None, description="注入点描述，如 'shell_exec($_GET[cmd])'")
+
+
+class CommandInjectionTestTool(AgentTool):
+    """
+    命令注入漏洞测试工具
+
+    支持多种语言和框架，自动构建测试环境
+    """
+
+    def __init__(self, sandbox_manager: Optional[SandboxManager] = None, project_root: str = "."):
+        super().__init__()
+        self.sandbox_manager = sandbox_manager or SandboxManager()
+        self.project_root = project_root
+
+    @property
+    def name(self) -> str:
+        return "test_command_injection"
+
+    @property
+    def description(self) -> str:
+        return """专门测试命令注入漏洞的工具。
+
+支持语言: PHP, Python, JavaScript, Java, Go, Ruby, Shell
+
+输入:
+- target_file: 目标文件路径
+- param_name: 注入参数名 (默认 'cmd')
+- test_command: 测试命令 (默认 'id')
+  - 'id' - 显示用户ID
+  - 'whoami' - 显示用户名
+  - 'cat /etc/passwd' - 读取密码文件
+  - 'echo VULN_TEST' - 输出测试字符串
+- language: 语言 (auto 自动检测)
+
+示例:
+1. PHP: {"target_file": "vuln.php", "param_name": "cmd", "test_command": "whoami"}
+2. Python: {"target_file": "app.py", "param_name": "cmd", "language": "python"}
+3. 自定义: {"target_file": "api.js", "test_command": "echo PWNED"}
+
+漏洞确认条件:
+- 命令输出包含预期结果 (uid=, root, www-data 等)
+- 或自定义 echo 内容出现在输出中"""
+
+    @property
+    def args_schema(self):
+        return CommandInjectionTestInput
+
+    def _detect_language(self, file_path: str, code: str) -> str:
+        """自动检测语言"""
+        ext = os.path.splitext(file_path)[1].lower()
+        ext_map = {
+            ".php": "php",
+            ".py": "python",
+            ".js": "javascript",
+            ".ts": "javascript",
+            ".java": "java",
+            ".go": "go",
+            ".rb": "ruby",
+            ".sh": "shell",
+            ".bash": "shell",
+        }
+        if ext in ext_map:
+            return ext_map[ext]
+
+        # 基于内容检测
+        if "<?php" in code or "<?=" in code:
+            return "php"
+        if "import " in code and ("os." in code or "subprocess" in code):
+            return "python"
+        if "require(" in code or "import " in code:
+            return "javascript"
+        if "package main" in code:
+            return "go"
+        if "class " in code and "public " in code:
+            return "java"
+        if "#!/bin/bash" in code or "#!/bin/sh" in code:
+            return "shell"
+
+        return "shell"  # 默认
+
+    async def _execute(
+        self,
+        target_file: str,
+        param_name: str = "cmd",
+        test_command: str = "id",
+        language: str = "auto",
+        injection_point: Optional[str] = None,
+        **kwargs
+    ) -> ToolResult:
+        """执行命令注入测试"""
+        try:
+            await self.sandbox_manager.initialize()
+        except Exception as e:
+            logger.warning(f"Sandbox init failed: {e}")
+
+        if not self.sandbox_manager.is_available:
+            return ToolResult(success=False, error="沙箱环境不可用")
+
+        # 读取目标文件
+        full_path = os.path.join(self.project_root, target_file)
+        if not os.path.exists(full_path):
+            return ToolResult(success=False, error=f"文件不存在: {target_file}")
+
+        with open(full_path, 'r', encoding='utf-8', errors='ignore') as f:
+            code = f.read()
+
+        # 检测语言
+        if language == "auto":
+            language = self._detect_language(target_file, code)
+
+        # 根据语言构建测试
+        result = await self._test_by_language(language, code, param_name, test_command)
+
+        # 分析结果
+        is_vulnerable = False
+        evidence = None
+        poc = None
+
+        if result["exit_code"] == 0 and result.get("stdout"):
+            stdout = result["stdout"].strip()
+
+            # 检测命令执行特征
+            if test_command in ["id", "whoami"]:
+                patterns = ["uid=", "root", "www-data", "nobody", "daemon", "sandbox"]
+                for pattern in patterns:
+                    if pattern in stdout.lower():
+                        is_vulnerable = True
+                        evidence = f"命令 '{test_command}' 执行成功，输出包含 '{pattern}'"
+                        break
+                # 如果有任何输出且包含典型格式
+                if not is_vulnerable and stdout:
+                    is_vulnerable = True
+                    evidence = f"命令 '{test_command}' 有输出: {stdout[:100]}"
+
+            elif test_command.startswith("echo "):
+                expected = test_command[5:]
+                if expected.lower() in stdout.lower():
+                    is_vulnerable = True
+                    evidence = f"Echo 命令执行成功，输出包含 '{expected}'"
+
+            elif test_command.startswith("cat "):
+                if ":" in stdout or "root" in stdout.lower() or "bin" in stdout.lower():
+                    is_vulnerable = True
+                    evidence = f"文件读取成功: {stdout[:100]}"
+
+            else:
+                # 通用检测
+                if len(stdout) > 0:
+                    is_vulnerable = True
+                    evidence = f"命令可能执行成功，输出: {stdout[:200]}"
+
+        if is_vulnerable:
+            poc = f"curl 'http://target/{target_file}?{param_name}={test_command.replace(' ', '+')}"
+
+        # 格式化输出
+        output_parts = ["🎯 命令注入测试结果\n"]
+        output_parts.append(f"目标文件: {target_file}")
+        output_parts.append(f"语言: {language}")
+        output_parts.append(f"注入参数: {param_name}")
+        output_parts.append(f"测试命令: {test_command}")
+
+        output_parts.append(f"\n退出码: {result['exit_code']}")
+
+        if result.get("stdout"):
+            output_parts.append(f"\n命令输出:\n```\n{result['stdout'][:2000]}\n```")
+        if result.get("stderr"):
+            output_parts.append(f"\n错误输出:\n```\n{result['stderr'][:500]}\n```")
+
+        if is_vulnerable:
+            output_parts.append(f"\n\n🔴 **漏洞已确认!**")
+            output_parts.append(f"证据: {evidence}")
+            if poc:
+                output_parts.append(f"\nPoC: `{poc}`")
+        else:
+            output_parts.append(f"\n\n🟡 未能确认漏洞")
+
+        return ToolResult(
+            success=True,
+            data="\n".join(output_parts),
+            metadata={
+                "vulnerability_type": "command_injection",
+                "is_vulnerable": is_vulnerable,
+                "evidence": evidence,
+                "poc": poc,
+                "language": language,
+            }
+        )
+
+    async def _test_by_language(self, language: str, code: str, param_name: str, test_command: str) -> Dict:
+        """根据语言执行测试"""
+        if language == "php":
+            return await self._test_php(code, param_name, test_command)
+        elif language == "python":
+            return await self._test_python(code, param_name, test_command)
+        elif language in ["javascript", "js", "node"]:
+            return await self._test_javascript(code, param_name, test_command)
+        elif language == "java":
+            return await self._test_java(code, param_name, test_command)
+        elif language in ["go", "golang"]:
+            return await self._test_go(code, param_name, test_command)
+        elif language in ["ruby", "rb"]:
+            return await self._test_ruby(code, param_name, test_command)
+        else:
+            return await self._test_shell(code, param_name, test_command)
+
+    async def _test_php(self, code: str, param_name: str, test_command: str) -> Dict:
+        """测试 PHP 命令注入
+
+        注意: php -r 不需要 <?php 标签，直接执行纯 PHP 代码
+        """
+        # 模拟超全局变量（不需要 <?php 标签）
+        wrapper = f"""$_GET['{param_name}'] = '{test_command}';
+$_POST['{param_name}'] = '{test_command}';
+$_REQUEST['{param_name}'] = '{test_command}';
+"""
+        # 清理原代码的 PHP 标签
+        clean_code = code.strip()
+        if clean_code.startswith("<?php"):
+            clean_code = clean_code[5:]
+        elif clean_code.startswith("<?"):
+            clean_code = clean_code[2:]
+        if clean_code.endswith("?>"):
+            clean_code = clean_code[:-2]
+
+        full_code = wrapper + clean_code.strip()
+        escaped = full_code.replace("'", "'\"'\"'")
+        return await self.sandbox_manager.execute_command(f"php -r '{escaped}'", timeout=30)
+
+    async def _test_python(self, code: str, param_name: str, test_command: str) -> Dict:
+        """测试 Python 命令注入"""
+        wrapper = f"""
+import sys, os
+
+class MockArgs:
+    def get(self, key, default=None):
+        if key == '{param_name}':
+            return '{test_command}'
+        return default
+
+class MockRequest:
+    args = MockArgs()
+    form = MockArgs()
+    values = MockArgs()
+
+request = MockRequest()
+sys.argv = ['script.py', '{test_command}']
+os.environ['{param_name.upper()}'] = '{test_command}'
+
+"""
+        full_code = wrapper + code
+        escaped = full_code.replace("'", "'\"'\"'")
+        return await self.sandbox_manager.execute_command(f"python3 -c '{escaped}'", timeout=30)
+
+    async def _test_javascript(self, code: str, param_name: str, test_command: str) -> Dict:
+        """测试 JavaScript 命令注入"""
+        wrapper = f"""
+const req = {{
+    query: {{ '{param_name}': '{test_command}' }},
+    body: {{ '{param_name}': '{test_command}' }},
+    params: {{ '{param_name}': '{test_command}' }},
+}};
+process.argv = ['node', 'script.js', '{test_command}'];
+process.env['{param_name.upper()}'] = '{test_command}';
+
+"""
+        full_code = wrapper + code
+        escaped = full_code.replace("'", "'\"'\"'")
+        return await self.sandbox_manager.execute_command(f"node -e '{escaped}'", timeout=30)
+
+    async def _test_java(self, code: str, param_name: str, test_command: str) -> Dict:
+        """测试 Java 命令注入"""
+        # 简化处理 - Java 需要完整类结构
+        wrapper = f"""
+import java.io.*;
+import java.util.*;
+
+public class Test {{
+    public static void main(String[] args) throws Exception {{
+        Map<String, String> params = new HashMap<>();
+        params.put("{param_name}", "{test_command}");
+        String[] argv = new String[]{{"{test_command}"}};
+
+        {code}
+    }}
+}}
+"""
+        escaped = wrapper.replace("'", "'\"'\"'").replace("\\", "\\\\")
+        return await self.sandbox_manager.execute_command(
+            f"echo '{escaped}' > /tmp/Test.java && javac /tmp/Test.java 2>&1 && java -cp /tmp Test 2>&1",
+            timeout=60
+        )
+
+    async def _test_go(self, code: str, param_name: str, test_command: str) -> Dict:
+        """测试 Go 命令注入"""
+        if "package main" not in code:
+            code = f"""package main
+
+import (
+    "fmt"
+    "os"
+    "os/exec"
+)
+
+func main() {{
+    os.Args = []string{{"program", "{test_command}"}}
+    os.Setenv("{param_name.upper()}", "{test_command}")
+    params := map[string]string{{"{param_name}": "{test_command}"}}
+    _ = params
+
+    {code}
+}}
+"""
+        escaped = code.replace("'", "'\"'\"'").replace("\\", "\\\\")
+        return await self.sandbox_manager.execute_command(
+            f"echo '{escaped}' > /tmp/main.go && go run /tmp/main.go 2>&1",
+            timeout=60
+        )
+
+    async def _test_ruby(self, code: str, param_name: str, test_command: str) -> Dict:
+        """测试 Ruby 命令注入"""
+        wrapper = f"""
+ARGV[0] = "{test_command}"
+ENV["{param_name.upper()}"] = "{test_command}"
+
+def params
+  @params ||= {{ "{param_name}" => "{test_command}" }}
+end
+
+"""
+        full_code = wrapper + code
+        escaped = full_code.replace("'", "'\"'\"'")
+        return await self.sandbox_manager.execute_command(f"ruby -e '{escaped}'", timeout=30)
+
+    async def _test_shell(self, code: str, param_name: str, test_command: str) -> Dict:
+        """测试 Shell 命令注入"""
+        wrapper = f"""#!/bin/bash
+export {param_name.upper()}="{test_command}"
+set -- "{test_command}"
+
+"""
+        full_code = wrapper + code
+        escaped = full_code.replace("'", "'\"'\"'")
+        return await self.sandbox_manager.execute_command(f"bash -c '{escaped}'", timeout=30)
+
+
+# ============ SQL 注入测试工具 ============
+
+class SqlInjectionTestInput(BaseModel):
+    """SQL 注入测试输入"""
+    target_file: str = Field(..., description="目标文件路径")
+    param_name: str = Field(default="id", description="注入参数名")
+    payload: str = Field(default="1' OR '1'='1", description="SQL 注入 payload")
+    language: str = Field(default="auto", description="语言: auto, php, python, javascript, java, go, ruby")
+    db_type: str = Field(default="mysql", description="数据库类型: mysql, postgresql, sqlite, oracle, mssql")
+
+
+class SqlInjectionTestTool(AgentTool):
+    """SQL 注入漏洞测试工具"""
+
+    # SQL 错误特征
+    SQL_ERROR_PATTERNS = {
+        "mysql": [
+            r"SQL syntax.*MySQL",
+            r"Warning.*mysql_",
+            r"MySQLSyntaxErrorException",
+            r"valid MySQL result",
+            r"check the manual that corresponds to your MySQL",
+            r"mysql_fetch",
+            r"mysqli_",
+        ],
+        "postgresql": [
+            r"PostgreSQL.*ERROR",
+            r"Warning.*pg_",
+            r"valid PostgreSQL result",
+            r"Npgsql\.",
+            r"PSQLException",
+        ],
+        "sqlite": [
+            r"SQLite.*error",
+            r"sqlite3\.OperationalError",
+            r"SQLITE_ERROR",
+            r"SQLite3::SQLException",
+        ],
+        "oracle": [
+            r"ORA-\d{5}",
+            r"Oracle error",
+            r"Oracle.*Driver",
+            r"Warning.*oci_",
+        ],
+        "mssql": [
+            r"ODBC Driver.*SQL Server",
+            r"SqlException",
+            r"Unclosed quotation mark",
+            r"SQL Server.*Error",
+        ],
+        "generic": [
+            r"SQL syntax",
+            r"unclosed quotation",
+            r"quoted string not properly terminated",
+            r"sql error",
+            r"database error",
+            r"query failed",
+        ],
+    }
+
+    def __init__(self, sandbox_manager: Optional[SandboxManager] = None, project_root: str = "."):
+        super().__init__()
+        self.sandbox_manager = sandbox_manager or SandboxManager()
+        self.project_root = project_root
+
+    @property
+    def name(self) -> str:
+        return "test_sql_injection"
+
+    @property
+    def description(self) -> str:
+        return """专门测试 SQL 注入漏洞的工具。
+
+支持数据库: MySQL, PostgreSQL, SQLite, Oracle, MSSQL
+
+输入:
+- target_file: 目标文件路径
+- param_name: 注入参数名 (默认 'id')
+- payload: SQL 注入 payload (默认 "1' OR '1'='1")
+- language: 语言 (auto 自动检测)
+- db_type: 数据库类型 (默认 mysql)
+
+常用 Payload:
+- 布尔盲注: "1' AND '1'='1"
+- 联合查询: "1' UNION SELECT 1,2,3--"
+- 报错注入: "1' AND extractvalue(1,concat(0x7e,version()))--"
+- 时间盲注: "1' AND SLEEP(5)--"
+
+示例:
+{"target_file": "login.php", "param_name": "username", "payload": "admin'--"}"""
+
+    @property
+    def args_schema(self):
+        return SqlInjectionTestInput
+
+    def _detect_sql_error(self, output: str, db_type: str = "mysql") -> Optional[str]:
+        """检测 SQL 错误特征"""
+        output_lower = output.lower()
+
+        # 先检测特定数据库
+        patterns = self.SQL_ERROR_PATTERNS.get(db_type, [])
+        for pattern in patterns:
+            if re.search(pattern, output, re.IGNORECASE):
+                return f"检测到 {db_type.upper()} 错误: {pattern}"
+
+        # 通用检测
+        for pattern in self.SQL_ERROR_PATTERNS["generic"]:
+            if re.search(pattern, output, re.IGNORECASE):
+                return f"检测到 SQL 错误: {pattern}"
+
+        return None
+
+    async def _execute(
+        self,
+        target_file: str,
+        param_name: str = "id",
+        payload: str = "1' OR '1'='1",
+        language: str = "auto",
+        db_type: str = "mysql",
+        **kwargs
+    ) -> ToolResult:
+        """执行 SQL 注入测试"""
+        try:
+            await self.sandbox_manager.initialize()
+        except Exception as e:
+            logger.warning(f"Sandbox init failed: {e}")
+
+        if not self.sandbox_manager.is_available:
+            return ToolResult(success=False, error="沙箱环境不可用")
+
+        # 读取目标文件
+        full_path = os.path.join(self.project_root, target_file)
+        if not os.path.exists(full_path):
+            return ToolResult(success=False, error=f"文件不存在: {target_file}")
+
+        with open(full_path, 'r', encoding='utf-8', errors='ignore') as f:
+            code = f.read()
+
+        # 检测语言
+        if language == "auto":
+            ext = os.path.splitext(target_file)[1].lower()
+            language = {".php": "php", ".py": "python", ".js": "javascript"}.get(ext, "php")
+
+        # 执行测试
+        result = await self._test_sql_injection(language, code, param_name, payload)
+
+        # 分析结果
+        is_vulnerable = False
+        evidence = None
+
+        if result.get("stdout") or result.get("stderr"):
+            output = (result.get("stdout", "") + result.get("stderr", ""))
+            error_detected = self._detect_sql_error(output, db_type)
+            if error_detected:
+                is_vulnerable = True
+                evidence = error_detected
+
+            # 检测数据泄露
+            if not is_vulnerable:
+                leak_patterns = [
+                    r"\d+\s*\|\s*\d+",  # 表格输出
+                    r"admin|root|user",  # 用户名泄露
+                    r"password|passwd|pwd",  # 密码相关
+                ]
+                for pattern in leak_patterns:
+                    if re.search(pattern, output, re.IGNORECASE):
+                        is_vulnerable = True
+                        evidence = f"可能存在数据泄露: {pattern}"
+                        break
+
+        # 构建 PoC
+        poc = None
+        if is_vulnerable:
+            encoded_payload = payload.replace("'", "%27").replace(" ", "+")
+            poc = f"curl 'http://target/{target_file}?{param_name}={encoded_payload}'"
+
+        # 格式化输出
+        output_parts = ["💉 SQL 注入测试结果\n"]
+        output_parts.append(f"目标文件: {target_file}")
+        output_parts.append(f"数据库类型: {db_type}")
+        output_parts.append(f"注入参数: {param_name}")
+        output_parts.append(f"Payload: {payload}")
+
+        output_parts.append(f"\n退出码: {result.get('exit_code', -1)}")
+
+        if result.get("stdout"):
+            output_parts.append(f"\n输出:\n```\n{result['stdout'][:2000]}\n```")
+        if result.get("stderr"):
+            output_parts.append(f"\n错误:\n```\n{result['stderr'][:1000]}\n```")
+
+        if is_vulnerable:
+            output_parts.append(f"\n\n🔴 **SQL 注入漏洞确认!**")
+            output_parts.append(f"证据: {evidence}")
+            if poc:
+                output_parts.append(f"\nPoC: `{poc}`")
+        else:
+            output_parts.append(f"\n\n🟡 未能确认 SQL 注入漏洞")
+
+        return ToolResult(
+            success=True,
+            data="\n".join(output_parts),
+            metadata={
+                "vulnerability_type": "sql_injection",
+                "is_vulnerable": is_vulnerable,
+                "evidence": evidence,
+                "poc": poc,
+                "db_type": db_type,
+            }
+        )
+
+    async def _test_sql_injection(self, language: str, code: str, param_name: str, payload: str) -> Dict:
+        """根据语言测试 SQL 注入"""
+        # 使用安全的 payload 转义
+        safe_payload = payload.replace("'", "\\'")
+
+        if language == "php":
+            # php -r 不需要 <?php 标签
+            wrapper = f"""$_GET['{param_name}'] = '{safe_payload}';
+$_POST['{param_name}'] = '{safe_payload}';
+$_REQUEST['{param_name}'] = '{safe_payload}';
+error_reporting(E_ALL);
+ini_set('display_errors', 1);
+"""
+            clean_code = code.strip()
+            if clean_code.startswith("<?php"):
+                clean_code = clean_code[5:]
+            elif clean_code.startswith("<?"):
+                clean_code = clean_code[2:]
+            if clean_code.endswith("?>"):
+                clean_code = clean_code[:-2]
+
+            full_code = wrapper + clean_code.strip()
+            escaped = full_code.replace("'", "'\"'\"'")
+            return await self.sandbox_manager.execute_command(f"php -r '{escaped}'", timeout=30)
+
+        elif language == "python":
+            wrapper = f"""
+import sys
+class MockArgs:
+    def get(self, key, default=None):
+        if key == '{param_name}':
+            return '''{safe_payload}'''
+        return default
+
+class MockRequest:
+    args = MockArgs()
+    form = MockArgs()
+
+request = MockRequest()
+"""
+            full_code = wrapper + code
+            escaped = full_code.replace("'", "'\"'\"'")
+            return await self.sandbox_manager.execute_command(f"python3 -c '{escaped}'", timeout=30)
+
+        else:
+            return {"exit_code": -1, "stdout": "", "stderr": f"不支持的语言: {language}"}
+
+
+# ============ XSS 测试工具 ============
+
+class XssTestInput(BaseModel):
+    """XSS 测试输入"""
+    target_file: str = Field(..., description="目标文件路径")
+    param_name: str = Field(default="input", description="注入参数名")
+    payload: str = Field(default="<script>alert('XSS')</script>", description="XSS payload")
+    xss_type: str = Field(default="reflected", description="XSS 类型: reflected, stored, dom")
+    language: str = Field(default="auto", description="语言: auto, php, python, javascript")
+
+
+class XssTestTool(AgentTool):
+    """XSS 漏洞测试工具"""
+
+    XSS_PAYLOADS = [
+        "<script>alert('XSS')</script>",
+        "<img src=x onerror=alert('XSS')>",
+        "<svg onload=alert('XSS')>",
+        "javascript:alert('XSS')",
+        "'><script>alert('XSS')</script>",
+        "\"><script>alert('XSS')</script>",
+        "<body onload=alert('XSS')>",
+    ]
+
+    def __init__(self, sandbox_manager: Optional[SandboxManager] = None, project_root: str = "."):
+        super().__init__()
+        self.sandbox_manager = sandbox_manager or SandboxManager()
+        self.project_root = project_root
+
+    @property
+    def name(self) -> str:
+        return "test_xss"
+
+    @property
+    def description(self) -> str:
+        return """专门测试 XSS (跨站脚本) 漏洞的工具。
+
+支持类型: Reflected XSS, Stored XSS, DOM XSS
+
+输入:
+- target_file: 目标文件路径
+- param_name: 注入参数名 (默认 'input')
+- payload: XSS payload (默认 "<script>alert('XSS')</script>")
+- xss_type: XSS 类型 (reflected, stored, dom)
+
+常用 Payload:
+- Script 标签: <script>alert('XSS')</script>
+- 事件处理: <img src=x onerror=alert('XSS')>
+- SVG: <svg onload=alert('XSS')>
+
+示例:
+{"target_file": "search.php", "param_name": "q", "payload": "<script>alert(1)</script>"}"""
+
+    @property
+    def args_schema(self):
+        return XssTestInput
+
+    async def _execute(
+        self,
+        target_file: str,
+        param_name: str = "input",
+        payload: str = "<script>alert('XSS')</script>",
+        xss_type: str = "reflected",
+        language: str = "auto",
+        **kwargs
+    ) -> ToolResult:
+        """执行 XSS 测试"""
+        try:
+            await self.sandbox_manager.initialize()
+        except Exception as e:
+            logger.warning(f"Sandbox init failed: {e}")
+
+        if not self.sandbox_manager.is_available:
+            return ToolResult(success=False, error="沙箱环境不可用")
+
+        # 读取目标文件
+        full_path = os.path.join(self.project_root, target_file)
+        if not os.path.exists(full_path):
+            return ToolResult(success=False, error=f"文件不存在: {target_file}")
+
+        with open(full_path, 'r', encoding='utf-8', errors='ignore') as f:
+            code = f.read()
+
+        # 检测语言
+        if language == "auto":
+            ext = os.path.splitext(target_file)[1].lower()
+            language = {".php": "php", ".py": "python", ".js": "javascript"}.get(ext, "php")
+
+        # 执行测试
+        result = await self._test_xss(language, code, param_name, payload)
+
+        # 分析结果 - 检查 payload 是否被反射
+        is_vulnerable = False
+        evidence = None
+
+        if result.get("stdout"):
+            output = result["stdout"]
+
+            # 检查 payload 是否原样出现在输出中
+            if payload in output:
+                is_vulnerable = True
+                evidence = "XSS payload 被原样反射到输出中"
+
+            # 检查关键字符是否被编码
+            elif "<script>" in payload and "<script>" not in output:
+                if "&lt;script&gt;" in output:
+                    evidence = "Payload 被 HTML 编码 (部分防护)"
+                else:
+                    evidence = "Payload 未出现在输出中"
+
+            # 检查事件处理器
+            elif "onerror=" in payload or "onload=" in payload:
+                if "onerror=" in output or "onload=" in output:
+                    is_vulnerable = True
+                    evidence = "事件处理器 payload 被反射"
+
+        # 构建 PoC
+        poc = None
+        if is_vulnerable:
+            encoded_payload = payload.replace("<", "%3C").replace(">", "%3E").replace("'", "%27")
+            poc = f"curl 'http://target/{target_file}?{param_name}={encoded_payload}'"
+
+        # 格式化输出
+        output_parts = ["🔍 XSS 测试结果\n"]
+        output_parts.append(f"目标文件: {target_file}")
+        output_parts.append(f"XSS 类型: {xss_type}")
+        output_parts.append(f"注入参数: {param_name}")
+        output_parts.append(f"Payload: {payload}")
+
+        output_parts.append(f"\n退出码: {result.get('exit_code', -1)}")
+
+        if result.get("stdout"):
+            output_parts.append(f"\n输出:\n```html\n{result['stdout'][:2000]}\n```")
+
+        if is_vulnerable:
+            output_parts.append(f"\n\n🔴 **XSS 漏洞确认!**")
+            output_parts.append(f"证据: {evidence}")
+            if poc:
+                output_parts.append(f"\nPoC: `{poc}`")
+        else:
+            output_parts.append(f"\n\n🟡 未能确认 XSS 漏洞")
+            if evidence:
+                output_parts.append(f"备注: {evidence}")
+
+        return ToolResult(
+            success=True,
+            data="\n".join(output_parts),
+            metadata={
+                "vulnerability_type": "xss",
+                "xss_type": xss_type,
+                "is_vulnerable": is_vulnerable,
+                "evidence": evidence,
+                "poc": poc,
+            }
+        )
+
+    async def _test_xss(self, language: str, code: str, param_name: str, payload: str) -> Dict:
+        """测试 XSS"""
+        # 转义 payload 中的特殊字符
+        safe_payload = payload.replace("'", "\\'").replace('"', '\\"')
+
+        if language == "php":
+            # php -r 不需要 <?php 标签
+            wrapper = f"""$_GET['{param_name}'] = '{safe_payload}';
+$_POST['{param_name}'] = '{safe_payload}';
+$_REQUEST['{param_name}'] = '{safe_payload}';
+"""
+            clean_code = code.strip()
+            if clean_code.startswith("<?php"):
+                clean_code = clean_code[5:]
+            elif clean_code.startswith("<?"):
+                clean_code = clean_code[2:]
+            if clean_code.endswith("?>"):
+                clean_code = clean_code[:-2]
+
+            full_code = wrapper + clean_code.strip()
+            escaped = full_code.replace("'", "'\"'\"'")
+            return await self.sandbox_manager.execute_command(f"php -r '{escaped}'", timeout=30)
+
+        elif language == "python":
+            wrapper = f"""
+class MockArgs:
+    def get(self, key, default=None):
+        if key == '{param_name}':
+            return '''{safe_payload}'''
+        return default
+
+class MockRequest:
+    args = MockArgs()
+    form = MockArgs()
+
+request = MockRequest()
+"""
+            full_code = wrapper + code
+            escaped = full_code.replace("'", "'\"'\"'")
+            return await self.sandbox_manager.execute_command(f"python3 -c '{escaped}'", timeout=30)
+
+        else:
+            return {"exit_code": -1, "stdout": "", "stderr": f"不支持的语言: {language}"}
+
+
+# ============ 路径遍历测试工具 ============
+
+class PathTraversalTestInput(BaseModel):
+    """路径遍历测试输入"""
+    target_file: str = Field(..., description="目标文件路径")
+    param_name: str = Field(default="file", description="文件参数名")
+    payload: str = Field(default="../../../etc/passwd", description="路径遍历 payload")
+    language: str = Field(default="auto", description="语言")
+
+
+class PathTraversalTestTool(AgentTool):
+    """路径遍历漏洞测试工具"""
+
+    TRAVERSAL_PAYLOADS = [
+        "../../../etc/passwd",
+        "....//....//....//etc/passwd",
+        "..%2f..%2f..%2fetc/passwd",
+        "..%252f..%252f..%252fetc/passwd",
+        "/etc/passwd",
+        "....\\....\\....\\windows\\win.ini",
+        "..\\..\\..\\windows\\win.ini",
+    ]
+
+    SENSITIVE_FILES = {
+        "unix": [
+            "/etc/passwd",
+            "/etc/shadow",
+            "/etc/hosts",
+            "/proc/self/environ",
+            "/var/log/apache2/access.log",
+        ],
+        "windows": [
+            "C:\\Windows\\win.ini",
+            "C:\\Windows\\System32\\drivers\\etc\\hosts",
+            "C:\\boot.ini",
+        ]
+    }
+
+    def __init__(self, sandbox_manager: Optional[SandboxManager] = None, project_root: str = "."):
+        super().__init__()
+        self.sandbox_manager = sandbox_manager or SandboxManager()
+        self.project_root = project_root
+
+    @property
+    def name(self) -> str:
+        return "test_path_traversal"
+
+    @property
+    def description(self) -> str:
+        return """专门测试路径遍历/LFI/RFI 漏洞的工具。
+
+输入:
+- target_file: 目标文件路径
+- param_name: 文件参数名 (默认 'file')
+- payload: 路径遍历 payload (默认 "../../../etc/passwd")
+
+常用 Payload:
+- Unix: ../../../etc/passwd
+- 编码绕过: ..%2f..%2f..%2fetc/passwd
+- 双写绕过: ....//....//....//etc/passwd
+- Windows: ..\\..\\..\\windows\\win.ini
+
+示例:
+{"target_file": "download.php", "param_name": "file", "payload": "../../../etc/passwd"}"""
+
+    @property
+    def args_schema(self):
+        return PathTraversalTestInput
+
+    async def _execute(
+        self,
+        target_file: str,
+        param_name: str = "file",
+        payload: str = "../../../etc/passwd",
+        language: str = "auto",
+        **kwargs
+    ) -> ToolResult:
+        """执行路径遍历测试"""
+        try:
+            await self.sandbox_manager.initialize()
+        except Exception as e:
+            logger.warning(f"Sandbox init failed: {e}")
+
+        if not self.sandbox_manager.is_available:
+            return ToolResult(success=False, error="沙箱环境不可用")
+
+        # 读取目标文件
+        full_path = os.path.join(self.project_root, target_file)
+        if not os.path.exists(full_path):
+            return ToolResult(success=False, error=f"文件不存在: {target_file}")
+
+        with open(full_path, 'r', encoding='utf-8', errors='ignore') as f:
+            code = f.read()
+
+        # 检测语言
+        if language == "auto":
+            ext = os.path.splitext(target_file)[1].lower()
+            language = {".php": "php", ".py": "python", ".js": "javascript"}.get(ext, "php")
+
+        # 执行测试
+        result = await self._test_traversal(language, code, param_name, payload)
+
+        # 分析结果
+        is_vulnerable = False
+        evidence = None
+
+        if result.get("stdout"):
+            output = result["stdout"]
+
+            # 检测敏感文件内容特征
+            passwd_patterns = [
+                r"root:.*:0:0:",
+                r"daemon:.*:",
+                r"nobody:.*:",
+                r"www-data:",
+            ]
+
+            for pattern in passwd_patterns:
+                if re.search(pattern, output):
+                    is_vulnerable = True
+                    evidence = "成功读取 /etc/passwd 文件内容"
+                    break
+
+            # Windows 特征
+            if not is_vulnerable:
+                win_patterns = [
+                    r"\[fonts\]",
+                    r"\[extensions\]",
+                    r"for 16-bit app support",
+                ]
+                for pattern in win_patterns:
+                    if re.search(pattern, output, re.IGNORECASE):
+                        is_vulnerable = True
+                        evidence = "成功读取 Windows 系统文件"
+                        break
+
+        # 构建 PoC
+        poc = None
+        if is_vulnerable:
+            encoded_payload = payload.replace("../", "..%2f")
+            poc = f"curl 'http://target/{target_file}?{param_name}={encoded_payload}'"
+
+        # 格式化输出
+        output_parts = ["📁 路径遍历测试结果\n"]
+        output_parts.append(f"目标文件: {target_file}")
+        output_parts.append(f"参数名: {param_name}")
+        output_parts.append(f"Payload: {payload}")
+
+        output_parts.append(f"\n退出码: {result.get('exit_code', -1)}")
+
+        if result.get("stdout"):
+            output_parts.append(f"\n输出:\n```\n{result['stdout'][:2000]}\n```")
+
+        if is_vulnerable:
+            output_parts.append(f"\n\n🔴 **路径遍历漏洞确认!**")
+            output_parts.append(f"证据: {evidence}")
+            if poc:
+                output_parts.append(f"\nPoC: `{poc}`")
+        else:
+            output_parts.append(f"\n\n🟡 未能确认路径遍历漏洞")
+
+        return ToolResult(
+            success=True,
+            data="\n".join(output_parts),
+            metadata={
+                "vulnerability_type": "path_traversal",
+                "is_vulnerable": is_vulnerable,
+                "evidence": evidence,
+                "poc": poc,
+            }
+        )
+
+    async def _test_traversal(self, language: str, code: str, param_name: str, payload: str) -> Dict:
+        """测试路径遍历"""
+        if language == "php":
+            # php -r 不需要 <?php 标签
+            wrapper = f"""$_GET['{param_name}'] = '{payload}';
+$_POST['{param_name}'] = '{payload}';
+$_REQUEST['{param_name}'] = '{payload}';
+"""
+            clean_code = code.strip()
+            if clean_code.startswith("<?php"):
+                clean_code = clean_code[5:]
+            elif clean_code.startswith("<?"):
+                clean_code = clean_code[2:]
+            if clean_code.endswith("?>"):
+                clean_code = clean_code[:-2]
+
+            full_code = wrapper + clean_code.strip()
+            escaped = full_code.replace("'", "'\"'\"'")
+            return await self.sandbox_manager.execute_command(f"php -r '{escaped}'", timeout=30)
+
+        elif language == "python":
+            wrapper = f"""
+class MockArgs:
+    def get(self, key, default=None):
+        if key == '{param_name}':
+            return '{payload}'
+        return default
+
+class MockRequest:
+    args = MockArgs()
+
+request = MockRequest()
+"""
+            full_code = wrapper + code
+            escaped = full_code.replace("'", "'\"'\"'")
+            return await self.sandbox_manager.execute_command(f"python3 -c '{escaped}'", timeout=30)
+
+        else:
+            return {"exit_code": -1, "stdout": "", "stderr": f"不支持的语言: {language}"}
+
+
+# ============ SSTI (服务端模板注入) 测试工具 ============
+
+class SstiTestInput(BaseModel):
+    """SSTI 测试输入"""
+    target_file: str = Field(..., description="目标文件路径")
+    param_name: str = Field(default="name", description="注入参数名")
+    payload: str = Field(default="{{7*7}}", description="SSTI payload")
+    template_engine: str = Field(default="auto", description="模板引擎: auto, jinja2, twig, freemarker, velocity, smarty")
+
+
+class SstiTestTool(AgentTool):
+    """SSTI (服务端模板注入) 漏洞测试工具"""
+
+    SSTI_PAYLOADS = {
+        "jinja2": [
+            "{{7*7}}",
+            "{{config}}",
+            "{{''.__class__.__mro__[2].__subclasses__()}}",
+        ],
+        "twig": [
+            "{{7*7}}",
+            "{{_self.env.getFilter('id')}}",
+        ],
+        "freemarker": [
+            "${7*7}",
+            "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"id\")}",
+        ],
+        "velocity": [
+            "#set($x=7*7)$x",
+            "#set($str=$class.inspect(\"java.lang.Runtime\").type.getRuntime().exec(\"id\"))",
+        ],
+        "smarty": [
+            "{7*7}",
+            "{php}echo `id`;{/php}",
+        ],
+    }
+
+    def __init__(self, sandbox_manager: Optional[SandboxManager] = None, project_root: str = "."):
+        super().__init__()
+        self.sandbox_manager = sandbox_manager or SandboxManager()
+        self.project_root = project_root
+
+    @property
+    def name(self) -> str:
+        return "test_ssti"
+
+    @property
+    def description(self) -> str:
+        return """专门测试 SSTI (服务端模板注入) 漏洞的工具。
+
+支持模板引擎: Jinja2, Twig, Freemarker, Velocity, Smarty
+
+输入:
+- target_file: 目标文件路径
+- param_name: 注入参数名
+- payload: SSTI payload (默认 "{{7*7}}")
+- template_engine: 模板引擎类型
+
+常用 Payload:
+- Jinja2/Twig: {{7*7}}, {{config}}
+- Freemarker: ${7*7}
+- Velocity: #set($x=7*7)$x
+- Smarty: {7*7}
+
+示例:
+{"target_file": "render.py", "param_name": "name", "payload": "{{7*7}}", "template_engine": "jinja2"}"""
+
+    @property
+    def args_schema(self):
+        return SstiTestInput
+
+    async def _execute(
+        self,
+        target_file: str,
+        param_name: str = "name",
+        payload: str = "{{7*7}}",
+        template_engine: str = "auto",
+        **kwargs
+    ) -> ToolResult:
+        """执行 SSTI 测试"""
+        try:
+            await self.sandbox_manager.initialize()
+        except Exception as e:
+            logger.warning(f"Sandbox init failed: {e}")
+
+        if not self.sandbox_manager.is_available:
+            return ToolResult(success=False, error="沙箱环境不可用")
+
+        # 读取目标文件
+        full_path = os.path.join(self.project_root, target_file)
+        if not os.path.exists(full_path):
+            return ToolResult(success=False, error=f"文件不存在: {target_file}")
+
+        with open(full_path, 'r', encoding='utf-8', errors='ignore') as f:
+            code = f.read()
+
+        # 检测语言和模板引擎
+        ext = os.path.splitext(target_file)[1].lower()
+        language = {".php": "php", ".py": "python", ".js": "javascript", ".java": "java"}.get(ext, "python")
+
+        if template_engine == "auto":
+            if "jinja" in code.lower() or "render_template" in code:
+                template_engine = "jinja2"
+            elif "twig" in code.lower():
+                template_engine = "twig"
+            elif "freemarker" in code.lower():
+                template_engine = "freemarker"
+            else:
+                template_engine = "jinja2"
+
+        # 执行测试
+        result = await self._test_ssti(language, code, param_name, payload)
+
+        # 分析结果
+        is_vulnerable = False
+        evidence = None
+
+        if result.get("stdout"):
+            output = result["stdout"]
+
+            # 检测数学表达式计算结果
+            if "{{7*7}}" in payload or "${7*7}" in payload or "{7*7}" in payload:
+                if "49" in output:
+                    is_vulnerable = True
+                    evidence = "模板表达式 7*7 被计算为 49"
+
+            # 检测配置泄露
+            if "{{config}}" in payload:
+                if "secret" in output.lower() or "debug" in output.lower():
+                    is_vulnerable = True
+                    evidence = "模板可以访问配置对象"
+
+            # 检测命令执行
+            if "id" in payload or "whoami" in payload:
+                if "uid=" in output or "root" in output.lower():
+                    is_vulnerable = True
+                    evidence = "SSTI 导致远程代码执行"
+
+        # 构建 PoC
+        poc = None
+        if is_vulnerable:
+            encoded_payload = payload.replace("{", "%7B").replace("}", "%7D")
+            poc = f"curl 'http://target/{target_file}?{param_name}={encoded_payload}'"
+
+        # 格式化输出
+        output_parts = ["🎭 SSTI 测试结果\n"]
+        output_parts.append(f"目标文件: {target_file}")
+        output_parts.append(f"模板引擎: {template_engine}")
+        output_parts.append(f"参数名: {param_name}")
+        output_parts.append(f"Payload: {payload}")
+
+        output_parts.append(f"\n退出码: {result.get('exit_code', -1)}")
+
+        if result.get("stdout"):
+            output_parts.append(f"\n输出:\n```\n{result['stdout'][:2000]}\n```")
+
+        if is_vulnerable:
+            output_parts.append(f"\n\n🔴 **SSTI 漏洞确认!**")
+            output_parts.append(f"证据: {evidence}")
+            if poc:
+                output_parts.append(f"\nPoC: `{poc}`")
+        else:
+            output_parts.append(f"\n\n🟡 未能确认 SSTI 漏洞")
+
+        return ToolResult(
+            success=True,
+            data="\n".join(output_parts),
+            metadata={
+                "vulnerability_type": "ssti",
+                "template_engine": template_engine,
+                "is_vulnerable": is_vulnerable,
+                "evidence": evidence,
+                "poc": poc,
+            }
+        )
+
+    async def _test_ssti(self, language: str, code: str, param_name: str, payload: str) -> Dict:
+        """测试 SSTI"""
+        safe_payload = payload.replace("'", "\\'")
+
+        if language == "python":
+            wrapper = f"""
+class MockArgs:
+    def get(self, key, default=None):
+        if key == '{param_name}':
+            return '''{safe_payload}'''
+        return default
+
+class MockRequest:
+    args = MockArgs()
+    form = MockArgs()
+
+request = MockRequest()
+"""
+            full_code = wrapper + code
+            escaped = full_code.replace("'", "'\"'\"'")
+            return await self.sandbox_manager.execute_command(f"python3 -c '{escaped}'", timeout=30)
+
+        elif language == "php":
+            # php -r 不需要 <?php 标签
+            wrapper = f"""$_GET['{param_name}'] = '{safe_payload}';
+$_POST['{param_name}'] = '{safe_payload}';
+"""
+            clean_code = code.strip()
+            if clean_code.startswith("<?php"):
+                clean_code = clean_code[5:]
+            elif clean_code.startswith("<?"):
+                clean_code = clean_code[2:]
+            if clean_code.endswith("?>"):
+                clean_code = clean_code[:-2]
+
+            full_code = wrapper + clean_code.strip()
+            escaped = full_code.replace("'", "'\"'\"'")
+            return await self.sandbox_manager.execute_command(f"php -r '{escaped}'", timeout=30)
+
+        else:
+            return {"exit_code": -1, "stdout": "", "stderr": f"不支持的语言: {language}"}
+
+
+# ============ 反序列化测试工具 ============
+
+class DeserializationTestInput(BaseModel):
+    """反序列化测试输入"""
+    target_file: str = Field(..., description="目标文件路径")
+    language: str = Field(default="auto", description="语言: auto, php, python, java, ruby")
+    payload_type: str = Field(default="detect", description="payload 类型: detect, pickle, yaml, php_serialize")
+
+
+class DeserializationTestTool(AgentTool):
+    """反序列化漏洞测试工具"""
+
+    def __init__(self, sandbox_manager: Optional[SandboxManager] = None, project_root: str = "."):
+        super().__init__()
+        self.sandbox_manager = sandbox_manager or SandboxManager()
+        self.project_root = project_root
+
+    @property
+    def name(self) -> str:
+        return "test_deserialization"
+
+    @property
+    def description(self) -> str:
+        return """测试不安全反序列化漏洞的工具。
+
+支持语言: PHP (unserialize), Python (pickle, yaml), Java, Ruby (Marshal)
+
+输入:
+- target_file: 目标文件路径
+- language: 语言
+- payload_type: payload 类型 (detect 自动检测)
+
+检测模式:
+- 分析代码中是否存在危险的反序列化调用
+- 检测用户可控数据是否进入反序列化函数
+
+危险函数:
+- PHP: unserialize()
+- Python: pickle.loads(), yaml.load(), eval()
+- Java: ObjectInputStream.readObject()
+- Ruby: Marshal.load()
+
+示例:
+{"target_file": "api.py", "language": "python"}"""
+
+    @property
+    def args_schema(self):
+        return DeserializationTestInput
+
+    async def _execute(
+        self,
+        target_file: str,
+        language: str = "auto",
+        payload_type: str = "detect",
+        **kwargs
+    ) -> ToolResult:
+        """执行反序列化漏洞检测"""
+        # 读取目标文件
+        full_path = os.path.join(self.project_root, target_file)
+        if not os.path.exists(full_path):
+            return ToolResult(success=False, error=f"文件不存在: {target_file}")
+
+        with open(full_path, 'r', encoding='utf-8', errors='ignore') as f:
+            code = f.read()
+
+        # 检测语言
+        if language == "auto":
+            ext = os.path.splitext(target_file)[1].lower()
+            language = {
+                ".php": "php",
+                ".py": "python",
+                ".java": "java",
+                ".rb": "ruby",
+            }.get(ext, "unknown")
+
+        # 分析代码中的反序列化调用
+        is_vulnerable = False
+        evidence = None
+        dangerous_calls = []
+
+        if language == "php":
+            # PHP 反序列化
+            patterns = [
+                (r"unserialize\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", "直接反序列化用户输入"),
+                (r"unserialize\s*\(", "使用 unserialize"),
+            ]
+            for pattern, desc in patterns:
+                if re.search(pattern, code, re.IGNORECASE):
+                    dangerous_calls.append(desc)
+                    if "$_" in pattern:
+                        is_vulnerable = True
+                        evidence = desc
+
+        elif language == "python":
+            # Python 反序列化
+            patterns = [
+                (r"pickle\.loads?\s*\(", "使用 pickle"),
+                (r"yaml\.load\s*\([^)]*Loader\s*=\s*None", "yaml.load 不安全调用"),
+                (r"yaml\.unsafe_load", "yaml.unsafe_load"),
+                (r"marshal\.loads?\s*\(", "使用 marshal"),
+                (r"shelve\.open", "使用 shelve"),
+            ]
+            for pattern, desc in patterns:
+                if re.search(pattern, code):
+                    dangerous_calls.append(desc)
+                    # 检查是否用户可控
+                    if "request" in code.lower() or "input" in code.lower():
+                        is_vulnerable = True
+                        evidence = f"{desc} 且可能接受用户输入"
+
+        elif language == "java":
+            # Java 反序列化
+            patterns = [
+                (r"ObjectInputStream", "使用 ObjectInputStream"),
+                (r"readObject\s*\(\s*\)", "调用 readObject"),
+                (r"XMLDecoder", "使用 XMLDecoder"),
+            ]
+            for pattern, desc in patterns:
+                if re.search(pattern, code):
+                    dangerous_calls.append(desc)
+
+        elif language == "ruby":
+            # Ruby 反序列化
+            patterns = [
+                (r"Marshal\.load", "使用 Marshal.load"),
+                (r"YAML\.load", "使用 YAML.load"),
+            ]
+            for pattern, desc in patterns:
+                if re.search(pattern, code):
+                    dangerous_calls.append(desc)
+
+        # 格式化输出
+        output_parts = ["🔓 反序列化漏洞检测结果\n"]
+        output_parts.append(f"目标文件: {target_file}")
+        output_parts.append(f"语言: {language}")
+
+        if dangerous_calls:
+            output_parts.append(f"\n发现的危险调用:")
+            for call in dangerous_calls:
+                output_parts.append(f"  - {call}")
+
+        if is_vulnerable:
+            output_parts.append(f"\n\n🔴 **存在反序列化漏洞风险!**")
+            output_parts.append(f"证据: {evidence}")
+            output_parts.append(f"\n建议: 避免反序列化不可信数据，使用 JSON 等安全格式")
+        elif dangerous_calls:
+            output_parts.append(f"\n\n🟡 存在潜在风险")
+            output_parts.append(f"建议: 检查反序列化数据来源是否可信")
+        else:
+            output_parts.append(f"\n\n🟢 未发现明显的反序列化漏洞")
+
+        return ToolResult(
+            success=True,
+            data="\n".join(output_parts),
+            metadata={
+                "vulnerability_type": "deserialization",
+                "language": language,
+                "is_vulnerable": is_vulnerable,
+                "evidence": evidence,
+                "dangerous_calls": dangerous_calls,
+            }
+        )
+
+
+# ============ 通用漏洞测试工具 ============
+
+class UniversalVulnTestInput(BaseModel):
+    """通用漏洞测试输入"""
+    target_file: str = Field(..., description="目标文件路径")
+    vuln_type: str = Field(..., description="漏洞类型: command_injection, sql_injection, xss, path_traversal, ssti, deserialization")
+    param_name: str = Field(default="input", description="参数名")
+    payload: Optional[str] = Field(default=None, description="自定义 payload")
+    language: str = Field(default="auto", description="语言")
+
+
+class UniversalVulnTestTool(AgentTool):
+    """通用漏洞测试工具 - 自动选择合适的测试器"""
+
+    def __init__(self, sandbox_manager: Optional[SandboxManager] = None, project_root: str = "."):
+        super().__init__()
+        self.sandbox_manager = sandbox_manager or SandboxManager()
+        self.project_root = project_root
+
+        # 初始化所有漏洞测试器
+        self._testers = {
+            "command_injection": CommandInjectionTestTool(sandbox_manager, project_root),
+            "cmd": CommandInjectionTestTool(sandbox_manager, project_root),
+            "rce": CommandInjectionTestTool(sandbox_manager, project_root),
+            "sql_injection": SqlInjectionTestTool(sandbox_manager, project_root),
+            "sqli": SqlInjectionTestTool(sandbox_manager, project_root),
+            "xss": XssTestTool(sandbox_manager, project_root),
+            "path_traversal": PathTraversalTestTool(sandbox_manager, project_root),
+            "lfi": PathTraversalTestTool(sandbox_manager, project_root),
+            "rfi": PathTraversalTestTool(sandbox_manager, project_root),
+            "ssti": SstiTestTool(sandbox_manager, project_root),
+            "deserialization": DeserializationTestTool(sandbox_manager, project_root),
+        }
+
+        # 默认 payloads
+        self._default_payloads = {
+            "command_injection": "id",
+            "sql_injection": "1' OR '1'='1",
+            "xss": "<script>alert('XSS')</script>",
+            "path_traversal": "../../../etc/passwd",
+            "ssti": "{{7*7}}",
+        }
+
+    @property
+    def name(self) -> str:
+        return "vuln_test"
+
+    @property
+    def description(self) -> str:
+        return """通用漏洞测试工具，支持多种漏洞类型的自动化测试。
+
+支持的漏洞类型:
+- command_injection (cmd/rce): 命令注入
+- sql_injection (sqli): SQL 注入
+- xss: 跨站脚本
+- path_traversal (lfi/rfi): 路径遍历
+- ssti: 服务端模板注入
+- deserialization: 不安全反序列化
+
+输入:
+- target_file: 目标文件路径
+- vuln_type: 漏洞类型
+- param_name: 参数名
+- payload: 自定义 payload (可选)
+- language: 语言 (auto 自动检测)
+
+示例:
+1. 命令注入: {"target_file": "api.php", "vuln_type": "command_injection", "param_name": "cmd"}
+2. SQL 注入: {"target_file": "login.php", "vuln_type": "sql_injection", "param_name": "username", "payload": "admin'--"}
+3. XSS: {"target_file": "search.php", "vuln_type": "xss", "param_name": "q"}"""
+
+    @property
+    def args_schema(self):
+        return UniversalVulnTestInput
+
+    async def _execute(
+        self,
+        target_file: str,
+        vuln_type: str,
+        param_name: str = "input",
+        payload: Optional[str] = None,
+        language: str = "auto",
+        **kwargs
+    ) -> ToolResult:
+        """执行通用漏洞测试"""
+        vuln_type = vuln_type.lower().strip()
+
+        tester = self._testers.get(vuln_type)
+        if not tester:
+            return ToolResult(
+                success=False,
+                error=f"不支持的漏洞类型: {vuln_type}。支持: {list(self._testers.keys())}",
+            )
+
+        # 使用默认 payload
+        if not payload:
+            payload = self._default_payloads.get(vuln_type, "test")
+
+        # 构建测试参数
+        test_kwargs = {
+            "target_file": target_file,
+            "param_name": param_name,
+            "language": language,
+        }
+
+        # 根据漏洞类型添加特定参数
+        if vuln_type in ["command_injection", "cmd", "rce"]:
+            test_kwargs["test_command"] = payload
+        elif vuln_type in ["sql_injection", "sqli"]:
+            test_kwargs["payload"] = payload
+        elif vuln_type == "xss":
+            test_kwargs["payload"] = payload
+        elif vuln_type in ["path_traversal", "lfi", "rfi"]:
+            test_kwargs["payload"] = payload
+        elif vuln_type == "ssti":
+            test_kwargs["payload"] = payload
+
+        return await tester._execute(**test_kwargs)
diff --git a/frontend/src/assets/styles/globals.css b/frontend/src/assets/styles/globals.css
index e89b08f..ce9506c 100644
--- a/frontend/src/assets/styles/globals.css
+++ b/frontend/src/assets/styles/globals.css
@@ -11,69 +11,95 @@
 }
 
 /*
-  DeepAudit Design System v2.0
-  Aesthetic: Cyberpunk Terminal / Cassette Futurism / Hacker Dark
-  Core Palette: Orange (#FF6B2C), Emerald, Deep Blacks, Grays
-  Philosophy: Dark, professional, high-tech, clean
+  DeepAudit Design System v3.0
+  Aesthetic: Cyberpunk Hacker / Mechanical Retro Terminal / Cassette Futurism
+  Core Palette: Phosphor Orange (#FF6B2C), Matrix Green, CRT Blue, Deep Void Black
+  Philosophy: High contrast, readable, cinematic, immersive hacker atmosphere
+
+  Design Principles:
+  - Phosphor glow effects mimicking CRT monitors
+  - Cassette tape-inspired mechanical elements
+  - High contrast text for readability (WCAG AA compliant)
+  - Subtle scanline overlays for authenticity
+  - Warm amber/orange accent with cool cyan highlights
 */
 
 @layer base {
   :root {
-    /* Force dark mode colors for cyberpunk aesthetic */
-    --background: 240 10% 4%;           /* #0a0a0f - Deep black */
-    --foreground: 0 0% 95%;             /* Almost white text */
+    /* ====== Core Background System ====== */
+    /* Void Black - Deep space black with subtle blue undertone */
+    --background: 230 15% 4%;           /* #08090d - Deeper void */
+    --foreground: 45 10% 88%;           /* Warm off-white, easier on eyes */
 
-    /* Card & Surfaces - Darker with subtle blue tint */
-    --card: 240 10% 6%;                 /* #0d0d14 */
-    --card-foreground: 0 0% 95%;
+    /* Card & Surfaces - Layered depth system */
+    --card: 230 15% 7%;                 /* #0e1014 - Elevated surface */
+    --card-foreground: 45 10% 88%;
 
-    /* Popover - Slightly elevated surface */
-    --popover: 240 10% 8%;              /* #101018 */
-    --popover-foreground: 0 0% 95%;
+    /* Popover - Floating elements */
+    --popover: 230 15% 9%;              /* #121418 - Highest elevation */
+    --popover-foreground: 45 10% 88%;
 
-    /* Primary - Vibrant Orange (Core brand) */
-    --primary: 16 100% 58%;             /* #FF6B2C */
+    /* ====== Accent Color System ====== */
+    /* Primary - Phosphor Orange (CRT warm glow) */
+    --primary: 18 100% 55%;             /* #FF5F1F - Brighter, more vibrant */
     --primary-foreground: 0 0% 100%;
 
-    /* Secondary - Cyan/Teal accent */
-    --secondary: 180 70% 45%;           /* Teal */
+    /* Secondary - Matrix Cyan (Cool contrast) */
+    --secondary: 185 85% 45%;           /* #0EB5C4 - Electric cyan */
     --secondary-foreground: 0 0% 100%;
 
-    /* Success - Emerald Green */
-    --success: 160 84% 39%;             /* #10b981 */
+    /* Success - Terminal Green (Classic hacker) */
+    --success: 145 80% 42%;             /* #15C46A - Phosphor green */
     --success-foreground: 0 0% 100%;
 
-    /* Muted - Dark grey for subtle elements */
-    --muted: 240 10% 12%;
-    --muted-foreground: 240 5% 55%;
+    /* Muted - CRT Grey (Inactive elements) */
+    --muted: 230 10% 14%;
+    --muted-foreground: 230 8% 55%;
 
-    /* Accent - Purple/Violet for thinking/AI */
-    --accent: 270 70% 55%;              /* Violet */
+    /* Accent - Synthwave Purple (AI/Thinking) */
+    --accent: 280 75% 58%;              /* #A855F7 - Neon purple */
     --accent-foreground: 0 0% 100%;
 
-    /* Destructive - Red for errors */
-    --destructive: 0 84% 60%;           /* Rose */
+    /* Destructive - Alarm Red */
+    --destructive: 0 85% 55%;           /* #E53935 - Warning red */
     --destructive-foreground: 0 0% 100%;
 
-    /* Borders & Inputs */
-    --border: 240 10% 18%;              /* Subtle dark border */
-    --input: 240 10% 15%;
-    --ring: 16 100% 58%;                /* Orange focus ring */
+    /* Warning - Amber Alert */
+    --warning: 38 95% 55%;              /* #F59E0B - Caution amber */
+    --warning-foreground: 0 0% 10%;
 
-    /* Border radius - Sharp cyber aesthetic */
-    --radius: 4px;
+    /* ====== Border & Input System ====== */
+    --border: 230 12% 20%;              /* Subtle visible border */
+    --input: 230 15% 12%;
+    --ring: 18 100% 55%;                /* Orange focus ring */
 
-    /* Shadows - Subtle glow effects */
-    --shadow-sm: 0 1px 2px rgba(0, 0, 0, 0.5);
-    --shadow-md: 0 4px 8px rgba(0, 0, 0, 0.5);
-    --shadow-lg: 0 8px 16px rgba(0, 0, 0, 0.5);
-    --shadow-focus: 0 0 0 2px rgba(255, 107, 44, 0.3);
-    --shadow-glow-primary: 0 0 20px rgba(255, 107, 44, 0.15);
-    --shadow-glow-success: 0 0 20px rgba(16, 185, 129, 0.15);
-    --shadow-glow-accent: 0 0 20px rgba(139, 92, 246, 0.15);
+    /* ====== Design Tokens ====== */
+    --radius: 3px;                      /* Sharper, more technical */
+
+    /* ====== Shadow & Glow System ====== */
+    --shadow-sm: 0 1px 3px rgba(0, 0, 0, 0.6);
+    --shadow-md: 0 4px 12px rgba(0, 0, 0, 0.5);
+    --shadow-lg: 0 8px 24px rgba(0, 0, 0, 0.6);
+    --shadow-focus: 0 0 0 2px rgba(255, 95, 31, 0.4);
+
+    /* Phosphor Glow Effects */
+    --glow-primary: 0 0 20px rgba(255, 95, 31, 0.25), 0 0 40px rgba(255, 95, 31, 0.1);
+    --glow-success: 0 0 20px rgba(21, 196, 106, 0.25), 0 0 40px rgba(21, 196, 106, 0.1);
+    --glow-accent: 0 0 20px rgba(168, 85, 247, 0.25), 0 0 40px rgba(168, 85, 247, 0.1);
+    --glow-cyan: 0 0 20px rgba(14, 181, 196, 0.25), 0 0 40px rgba(14, 181, 196, 0.1);
+    --glow-red: 0 0 20px rgba(229, 57, 53, 0.25), 0 0 40px rgba(229, 57, 53, 0.1);
+
+    /* CRT Screen Effect */
+    --crt-flicker: rgba(255, 255, 255, 0.02);
+    --scanline-color: rgba(0, 0, 0, 0.08);
+
+    /* Cassette Tape Colors */
+    --tape-brown: #2a1f1a;
+    --tape-cream: #e8e0d0;
+    --tape-label: #1a1a1a;
   }
 
-  /* Keep dark mode as default - no light mode needed */
+  /* Dark mode is the only mode */
   .dark {
     /* Same as root - always dark */
   }
@@ -91,242 +117,420 @@
 
   body {
     @apply bg-background text-foreground font-mono antialiased;
-    background-color: hsl(240 10% 4%);
+    background-color: hsl(230 15% 4%);
     transition: background-color 0.2s ease;
+    /* Subtle CRT curvature effect on body */
+    background-image:
+      radial-gradient(ellipse at center, transparent 0%, transparent 70%, rgba(0,0,0,0.3) 100%);
   }
 
-  /* Typography Hierarchy */
+  /* ====== Typography System - High Contrast, Readable ====== */
   h1 {
-    @apply font-display font-bold tracking-tight text-3xl text-white;
+    @apply font-display font-bold tracking-tight text-3xl;
+    color: #f0e6d3; /* Warm white - easier on eyes */
     letter-spacing: -0.02em;
+    text-shadow: 0 0 30px rgba(255, 95, 31, 0.15);
   }
 
   h2 {
-    @apply font-display font-bold tracking-tight text-2xl text-white;
+    @apply font-display font-bold tracking-tight text-2xl;
+    color: #ebe2d0;
     letter-spacing: -0.01em;
   }
 
   h3 {
-    @apply font-display font-bold tracking-tight text-xl text-white;
+    @apply font-display font-bold tracking-tight text-xl;
+    color: #e5dcc8;
   }
 
   h4 {
-    @apply font-display font-semibold tracking-tight text-lg text-gray-100;
+    @apply font-display font-semibold tracking-tight text-lg;
+    color: #ddd4c0;
   }
 
   h5, h6 {
-    @apply font-display font-semibold text-base text-gray-200;
+    @apply font-display font-semibold text-base;
+    color: #d5ccb8;
   }
 
-  /* Focus states */
+  /* Paragraph text - optimized for readability */
+  p, span, div {
+    color: #c8c0b0; /* Warm grey - reduces eye strain */
+  }
+
+  /* Code blocks - high contrast for readability */
+  code, pre {
+    color: #e8e0d0;
+    background-color: rgba(0, 0, 0, 0.3);
+  }
+
+  /* Focus states - Phosphor glow */
   button:focus-visible,
   input:focus-visible,
   textarea:focus-visible,
   select:focus-visible {
     outline: none;
-    box-shadow: var(--shadow-focus);
+    box-shadow: var(--shadow-focus), var(--glow-primary);
   }
 
-  /* Custom selection */
+  /* Custom selection - Warm highlight */
   ::selection {
-    background: rgba(255, 107, 44, 0.3);
-    color: white;
+    background: rgba(255, 95, 31, 0.35);
+    color: #ffffff;
+  }
+
+  /* Links - Cyan accent */
+  a {
+    color: hsl(var(--secondary));
+    transition: all 0.15s ease;
+  }
+
+  a:hover {
+    color: hsl(185 85% 55%);
+    text-shadow: 0 0 10px rgba(14, 181, 196, 0.3);
   }
 }
 
 @layer utilities {
-  /* ============ Cyberpunk Card Styles ============ */
+  /* ============ Cyberpunk Card Styles - Enhanced ============ */
   .cyber-card {
-    @apply bg-[#0c0c12] border border-gray-800/60 rounded-lg overflow-hidden;
-    box-shadow: var(--shadow-md);
+    @apply bg-[#0a0c10] border border-[#1a2030]/80 rounded overflow-hidden;
+    box-shadow: var(--shadow-md), inset 0 1px 0 rgba(255,255,255,0.02);
     transition: all 0.2s ease;
+    position: relative;
+  }
+
+  /* Subtle corner accents */
+  .cyber-card::before {
+    content: '';
+    position: absolute;
+    top: 0;
+    left: 0;
+    width: 20px;
+    height: 20px;
+    border-top: 1px solid rgba(255, 95, 31, 0.3);
+    border-left: 1px solid rgba(255, 95, 31, 0.3);
+    pointer-events: none;
+  }
+
+  .cyber-card::after {
+    content: '';
+    position: absolute;
+    bottom: 0;
+    right: 0;
+    width: 20px;
+    height: 20px;
+    border-bottom: 1px solid rgba(255, 95, 31, 0.3);
+    border-right: 1px solid rgba(255, 95, 31, 0.3);
+    pointer-events: none;
   }
 
   .cyber-card:hover {
-    @apply border-gray-700/80;
-    box-shadow: var(--shadow-lg);
+    @apply border-[#2a3545];
+    box-shadow: var(--shadow-lg), var(--glow-primary);
   }
 
   .cyber-card-glow {
     @apply cyber-card;
-    box-shadow: var(--shadow-md), var(--shadow-glow-primary);
+    box-shadow: var(--shadow-md), var(--glow-primary);
   }
 
   .cyber-card-header {
-    @apply flex items-center gap-2 px-4 py-3 bg-[#0a0a0f] border-b border-gray-800/50;
+    @apply flex items-center gap-2 px-4 py-3 bg-[#080a0e] border-b border-[#1a2030]/60;
+    background-image: linear-gradient(180deg, rgba(255,255,255,0.02) 0%, transparent 100%);
   }
 
-  /* ============ Terminal Window Style ============ */
+  /* ============ Terminal Window Style - CRT Monitor ============ */
   .terminal-window {
-    @apply bg-[#0c0c12] border border-gray-800/60 rounded-lg overflow-hidden;
+    @apply bg-[#050608] border border-[#1a2030] rounded overflow-hidden;
+    box-shadow:
+      inset 0 0 100px rgba(0,0,0,0.5),
+      0 0 30px rgba(0,0,0,0.8);
+    position: relative;
+  }
+
+  /* CRT Scanline effect */
+  .terminal-window::before {
+    content: '';
+    position: absolute;
+    top: 0;
+    left: 0;
+    right: 0;
+    bottom: 0;
+    background: repeating-linear-gradient(
+      0deg,
+      transparent,
+      transparent 2px,
+      rgba(0, 0, 0, 0.1) 2px,
+      rgba(0, 0, 0, 0.1) 4px
+    );
+    pointer-events: none;
+    z-index: 10;
   }
 
   .terminal-header {
-    @apply flex items-center gap-2 px-4 py-2.5 bg-[#0a0a0f] border-b border-gray-800/50;
+    @apply flex items-center gap-2 px-4 py-2.5 bg-[#0a0c10] border-b border-[#1a2030]/60;
+    background-image:
+      linear-gradient(90deg, rgba(255, 95, 31, 0.05) 0%, transparent 50%, rgba(14, 181, 196, 0.05) 100%);
   }
 
   .terminal-dots {
-    @apply flex items-center gap-1.5;
+    @apply flex items-center gap-2;
   }
 
   .terminal-dot {
-    @apply w-3 h-3 rounded-full;
+    @apply w-3 h-3 rounded-full transition-all duration-200;
   }
 
-  .terminal-dot-red { @apply bg-red-500/80; }
-  .terminal-dot-yellow { @apply bg-yellow-500/80; }
-  .terminal-dot-green { @apply bg-green-500/80; }
+  .terminal-dot-red {
+    background: radial-gradient(circle at 30% 30%, #ff6b6b, #cc3333);
+    box-shadow: 0 0 6px rgba(255, 107, 107, 0.5);
+  }
+  .terminal-dot-yellow {
+    background: radial-gradient(circle at 30% 30%, #ffd93d, #cc9900);
+    box-shadow: 0 0 6px rgba(255, 217, 61, 0.5);
+  }
+  .terminal-dot-green {
+    background: radial-gradient(circle at 30% 30%, #6bcb77, #2e8b3a);
+    box-shadow: 0 0 6px rgba(107, 203, 119, 0.5);
+  }
 
   .terminal-title {
-    @apply text-[11px] text-gray-500 ml-3 font-mono tracking-wider;
+    @apply text-[11px] text-[#5a6577] ml-3 font-mono tracking-[0.15em] uppercase;
   }
 
   .terminal-content {
     @apply p-4 font-mono text-sm;
+    color: #b8c0cc;
+    text-shadow: 0 0 2px rgba(184, 192, 204, 0.3);
   }
 
-  /* ============ Cyber Buttons ============ */
+  /* ============ Cyber Buttons - Mechanical Feel ============ */
   .cyber-btn {
     @apply font-mono font-semibold py-2 px-4 rounded transition-all duration-150;
-    @apply border border-gray-700/50 bg-gray-800/50;
-    @apply hover:bg-gray-700/50 hover:border-gray-600;
-    @apply disabled:opacity-50 disabled:cursor-not-allowed;
+    @apply border border-[#2a3545]/80 bg-[#0d1015];
+    @apply disabled:opacity-40 disabled:cursor-not-allowed;
+    position: relative;
+    text-transform: uppercase;
+    letter-spacing: 0.05em;
+    font-size: 12px;
+  }
+
+  .cyber-btn:hover:not(:disabled) {
+    @apply bg-[#151a22] border-[#3a4555];
+    transform: translateY(-1px);
+  }
+
+  .cyber-btn:active:not(:disabled) {
+    transform: translateY(0);
   }
 
   .cyber-btn-primary {
-    @apply cyber-btn bg-primary/90 border-primary/50 text-white;
-    @apply hover:bg-primary hover:border-primary;
-    box-shadow: 0 0 15px rgba(255, 107, 44, 0.2);
+    @apply cyber-btn text-white;
+    background: linear-gradient(180deg, #ff6a2c 0%, #e55a1c 100%);
+    border-color: rgba(255, 106, 44, 0.5);
+    box-shadow: 0 0 20px rgba(255, 95, 31, 0.2), inset 0 1px 0 rgba(255,255,255,0.1);
   }
 
-  .cyber-btn-primary:hover {
-    box-shadow: 0 0 25px rgba(255, 107, 44, 0.3);
+  .cyber-btn-primary:hover:not(:disabled) {
+    background: linear-gradient(180deg, #ff7a3c 0%, #f56a2c 100%);
+    box-shadow: 0 0 30px rgba(255, 95, 31, 0.35), inset 0 1px 0 rgba(255,255,255,0.15);
   }
 
   .cyber-btn-success {
-    @apply cyber-btn bg-emerald-600/90 border-emerald-500/50 text-white;
-    @apply hover:bg-emerald-500 hover:border-emerald-400;
+    @apply cyber-btn text-white;
+    background: linear-gradient(180deg, #15c46a 0%, #10a855 100%);
+    border-color: rgba(21, 196, 106, 0.5);
+    box-shadow: 0 0 20px rgba(21, 196, 106, 0.2);
+  }
+
+  .cyber-btn-success:hover:not(:disabled) {
+    background: linear-gradient(180deg, #20d475 0%, #15b860 100%);
+    box-shadow: 0 0 30px rgba(21, 196, 106, 0.35);
   }
 
   .cyber-btn-ghost {
     @apply cyber-btn bg-transparent border-transparent;
-    @apply hover:bg-gray-800/50 hover:border-gray-700/50;
+    @apply hover:bg-[#1a2030]/60 hover:border-[#2a3545]/60;
   }
 
   .cyber-btn-outline {
-    @apply cyber-btn bg-transparent border-gray-600;
-    @apply text-gray-300 hover:bg-gray-800/50 hover:text-white;
+    @apply cyber-btn bg-transparent border-[#3a4555];
+    @apply text-[#a8b0c0] hover:bg-[#1a2030]/60 hover:text-[#d0d8e8] hover:border-[#4a5565];
   }
 
-  /* ============ Cyber Input Fields ============ */
+  /* ============ Cyber Input Fields - CRT Style ============ */
   .cyber-input {
-    @apply bg-[#0a0a0f] border border-gray-700/50 px-4 py-2.5 rounded font-mono text-sm text-gray-200;
-    @apply placeholder:text-gray-600;
-    @apply focus:border-primary/50 focus:outline-none;
-    transition: border-color 0.15s ease, box-shadow 0.15s ease;
+    @apply bg-[#060810] border border-[#2a3545]/70 px-4 py-2.5 rounded font-mono text-sm;
+    color: #d0d8e8;
+    transition: all 0.15s ease;
+  }
+
+  .cyber-input::placeholder {
+    color: #4a5565;
   }
 
   .cyber-input:focus {
-    box-shadow: 0 0 0 2px rgba(255, 107, 44, 0.2);
+    @apply border-primary/60 outline-none;
+    box-shadow: 0 0 0 2px rgba(255, 95, 31, 0.2), 0 0 20px rgba(255, 95, 31, 0.1);
+    background-color: #080a10;
   }
 
-  /* ============ Cyber Badges ============ */
+  .cyber-input:hover:not(:focus) {
+    border-color: #3a4555;
+  }
+
+  /* ============ Cyber Badges - Status Indicators ============ */
   .cyber-badge {
-    @apply inline-flex items-center px-2 py-0.5 rounded text-[10px] font-mono font-bold uppercase tracking-wider;
+    @apply inline-flex items-center px-2.5 py-1 rounded text-[10px] font-mono font-bold uppercase tracking-wider;
     @apply border;
+    text-shadow: 0 0 10px currentColor;
   }
 
   .cyber-badge-primary {
-    @apply cyber-badge bg-primary/20 text-primary border-primary/40;
+    @apply cyber-badge;
+    background: rgba(255, 95, 31, 0.15);
+    color: #ff8a4c;
+    border-color: rgba(255, 95, 31, 0.4);
+    box-shadow: 0 0 15px rgba(255, 95, 31, 0.15);
   }
 
   .cyber-badge-success {
-    @apply cyber-badge bg-emerald-500/20 text-emerald-400 border-emerald-500/40;
+    @apply cyber-badge;
+    background: rgba(21, 196, 106, 0.15);
+    color: #3dd68c;
+    border-color: rgba(21, 196, 106, 0.4);
+    box-shadow: 0 0 15px rgba(21, 196, 106, 0.15);
   }
 
   .cyber-badge-warning {
-    @apply cyber-badge bg-amber-500/20 text-amber-400 border-amber-500/40;
+    @apply cyber-badge;
+    background: rgba(245, 158, 11, 0.15);
+    color: #fbbf24;
+    border-color: rgba(245, 158, 11, 0.4);
+    box-shadow: 0 0 15px rgba(245, 158, 11, 0.15);
   }
 
   .cyber-badge-danger {
-    @apply cyber-badge bg-rose-500/20 text-rose-400 border-rose-500/40;
+    @apply cyber-badge;
+    background: rgba(229, 57, 53, 0.15);
+    color: #f87171;
+    border-color: rgba(229, 57, 53, 0.4);
+    box-shadow: 0 0 15px rgba(229, 57, 53, 0.15);
   }
 
   .cyber-badge-info {
-    @apply cyber-badge bg-sky-500/20 text-sky-400 border-sky-500/40;
+    @apply cyber-badge;
+    background: rgba(14, 181, 196, 0.15);
+    color: #22d3ee;
+    border-color: rgba(14, 181, 196, 0.4);
+    box-shadow: 0 0 15px rgba(14, 181, 196, 0.15);
   }
 
   .cyber-badge-muted {
-    @apply cyber-badge bg-gray-500/20 text-gray-400 border-gray-500/40;
+    @apply cyber-badge;
+    background: rgba(100, 116, 139, 0.15);
+    color: #94a3b8;
+    border-color: rgba(100, 116, 139, 0.4);
   }
 
-  /* ============ Severity Badges ============ */
+  /* ============ Severity Badges - Enhanced Glow ============ */
   .severity-critical {
-    @apply text-rose-300 bg-rose-500/20 border border-rose-500/40;
+    background: rgba(220, 38, 38, 0.2);
+    color: #fca5a5;
+    border: 1px solid rgba(220, 38, 38, 0.5);
+    box-shadow: 0 0 20px rgba(220, 38, 38, 0.25);
+    text-shadow: 0 0 8px rgba(220, 38, 38, 0.5);
   }
 
   .severity-high {
-    @apply text-orange-300 bg-orange-500/20 border border-orange-500/40;
+    background: rgba(234, 88, 12, 0.2);
+    color: #fdba74;
+    border: 1px solid rgba(234, 88, 12, 0.5);
+    box-shadow: 0 0 20px rgba(234, 88, 12, 0.25);
+    text-shadow: 0 0 8px rgba(234, 88, 12, 0.5);
   }
 
   .severity-medium {
-    @apply text-amber-300 bg-amber-500/20 border border-amber-500/40;
+    background: rgba(245, 158, 11, 0.2);
+    color: #fcd34d;
+    border: 1px solid rgba(245, 158, 11, 0.5);
+    box-shadow: 0 0 20px rgba(245, 158, 11, 0.25);
+    text-shadow: 0 0 8px rgba(245, 158, 11, 0.5);
   }
 
   .severity-low {
-    @apply text-sky-300 bg-sky-500/20 border border-sky-500/40;
+    background: rgba(14, 181, 196, 0.2);
+    color: #67e8f9;
+    border: 1px solid rgba(14, 181, 196, 0.5);
+    box-shadow: 0 0 20px rgba(14, 181, 196, 0.25);
+    text-shadow: 0 0 8px rgba(14, 181, 196, 0.5);
   }
 
   .severity-info {
-    @apply text-slate-300 bg-slate-500/20 border border-slate-500/40;
+    background: rgba(100, 116, 139, 0.2);
+    color: #cbd5e1;
+    border: 1px solid rgba(100, 116, 139, 0.5);
   }
 
-  /* ============ Status Indicators ============ */
+  /* ============ Status Indicators - Phosphor Glow ============ */
   .status-dot {
     @apply w-2 h-2 rounded-full;
+    position: relative;
   }
 
   .status-active {
-    @apply bg-emerald-400;
-    box-shadow: 0 0 8px rgba(52, 211, 153, 0.5);
+    background: radial-gradient(circle, #34d399 0%, #10b981 100%);
+    box-shadow: 0 0 10px rgba(52, 211, 153, 0.6), 0 0 20px rgba(52, 211, 153, 0.3);
+    animation: pulse-glow 2s ease-in-out infinite;
   }
 
   .status-warning {
-    @apply bg-amber-400;
-    box-shadow: 0 0 8px rgba(251, 191, 36, 0.5);
+    background: radial-gradient(circle, #fcd34d 0%, #f59e0b 100%);
+    box-shadow: 0 0 10px rgba(251, 191, 36, 0.6), 0 0 20px rgba(251, 191, 36, 0.3);
+    animation: pulse-glow 2s ease-in-out infinite;
   }
 
   .status-error {
-    @apply bg-rose-400;
-    box-shadow: 0 0 8px rgba(251, 113, 133, 0.5);
+    background: radial-gradient(circle, #f87171 0%, #ef4444 100%);
+    box-shadow: 0 0 10px rgba(248, 113, 113, 0.6), 0 0 20px rgba(248, 113, 113, 0.3);
+    animation: pulse-glow 1.5s ease-in-out infinite;
   }
 
   .status-inactive {
-    @apply bg-gray-500;
+    @apply bg-[#3a4555];
   }
 
-  /* ============ Glow Effects ============ */
+  /* ============ Phosphor Glow Effects ============ */
   .glow-primary {
-    box-shadow: 0 0 20px rgba(255, 107, 44, 0.3);
+    box-shadow: var(--glow-primary);
   }
 
   .glow-success {
-    box-shadow: 0 0 20px rgba(16, 185, 129, 0.3);
+    box-shadow: var(--glow-success);
   }
 
   .glow-accent {
-    box-shadow: 0 0 20px rgba(139, 92, 246, 0.3);
+    box-shadow: var(--glow-accent);
+  }
+
+  .glow-cyan {
+    box-shadow: var(--glow-cyan);
   }
 
   .text-glow-primary {
-    text-shadow: 0 0 20px rgba(255, 107, 44, 0.5);
+    text-shadow: 0 0 20px rgba(255, 95, 31, 0.5), 0 0 40px rgba(255, 95, 31, 0.25);
   }
 
   .text-glow-success {
-    text-shadow: 0 0 20px rgba(16, 185, 129, 0.5);
+    text-shadow: 0 0 20px rgba(21, 196, 106, 0.5), 0 0 40px rgba(21, 196, 106, 0.25);
   }
 
-  /* ============ Scanline Effect ============ */
+  .text-glow-cyan {
+    text-shadow: 0 0 20px rgba(14, 181, 196, 0.5), 0 0 40px rgba(14, 181, 196, 0.25);
+  }
+
+  /* ============ CRT Scanline Effect ============ */
   .scanline-overlay {
     position: relative;
   }
@@ -342,29 +546,36 @@
       0deg,
       transparent,
       transparent 2px,
-      rgba(0, 0, 0, 0.1) 2px,
-      rgba(0, 0, 0, 0.1) 4px
+      rgba(0, 0, 0, 0.08) 2px,
+      rgba(0, 0, 0, 0.08) 4px
     );
     pointer-events: none;
     z-index: 10;
   }
 
-  /* ============ Grid Background ============ */
+  /* ============ Grid Background - Cyberpunk ============ */
   .cyber-grid {
     background-image:
-      linear-gradient(rgba(255, 107, 44, 0.03) 1px, transparent 1px),
-      linear-gradient(90deg, rgba(255, 107, 44, 0.03) 1px, transparent 1px);
+      linear-gradient(rgba(255, 95, 31, 0.04) 1px, transparent 1px),
+      linear-gradient(90deg, rgba(255, 95, 31, 0.04) 1px, transparent 1px);
     background-size: 32px 32px;
   }
 
   .cyber-grid-subtle {
     background-image:
-      linear-gradient(rgba(255, 255, 255, 0.02) 1px, transparent 1px),
-      linear-gradient(90deg, rgba(255, 255, 255, 0.02) 1px, transparent 1px);
+      linear-gradient(rgba(14, 181, 196, 0.02) 1px, transparent 1px),
+      linear-gradient(90deg, rgba(14, 181, 196, 0.02) 1px, transparent 1px);
     background-size: 24px 24px;
   }
 
-  /* ============ Vignette Effect ============ */
+  .cyber-grid-dense {
+    background-image:
+      linear-gradient(rgba(255, 95, 31, 0.03) 1px, transparent 1px),
+      linear-gradient(90deg, rgba(255, 95, 31, 0.03) 1px, transparent 1px);
+    background-size: 16px 16px;
+  }
+
+  /* ============ Vignette Effect - CRT Monitor ============ */
   .vignette {
     position: relative;
   }
@@ -373,45 +584,61 @@
     content: '';
     position: absolute;
     inset: 0;
-    background: radial-gradient(ellipse at center, transparent 0%, transparent 50%, rgba(0, 0, 0, 0.4) 100%);
+    background: radial-gradient(ellipse at center, transparent 0%, transparent 50%, rgba(0, 0, 0, 0.5) 100%);
     pointer-events: none;
   }
 
-  /* ============ Custom Scrollbar ============ */
+  /* ============ Gradient Background ============ */
+  .gradient-bg {
+    background: linear-gradient(180deg, #08090d 0%, #0a0c10 50%, #0d1015 100%);
+  }
+
+  /* ============ Custom Scrollbar - Minimal Cyberpunk ============ */
   .custom-scrollbar::-webkit-scrollbar {
-    width: 8px;
-    height: 8px;
+    width: 6px;
+    height: 6px;
   }
 
   .custom-scrollbar::-webkit-scrollbar-track {
-    background: #0a0a0f;
-    border-radius: 4px;
+    background: #08090d;
+    border-radius: 3px;
   }
 
   .custom-scrollbar::-webkit-scrollbar-thumb {
-    background: #2a2a35;
-    border-radius: 4px;
+    background: linear-gradient(180deg, #2a3545 0%, #1a2535 100%);
+    border-radius: 3px;
+    border: 1px solid #1a2535;
   }
 
   .custom-scrollbar::-webkit-scrollbar-thumb:hover {
-    background: #3a3a45;
+    background: linear-gradient(180deg, #3a4555 0%, #2a3545 100%);
   }
 
-  /* ============ Animations ============ */
+  .custom-scrollbar::-webkit-scrollbar-corner {
+    background: #08090d;
+  }
+
+  /* ============ Animations - Enhanced CRT Feel ============ */
   @keyframes pulse-glow {
-    0%, 100% { opacity: 1; box-shadow: 0 0 10px currentColor; }
-    50% { opacity: 0.7; box-shadow: 0 0 20px currentColor; }
+    0%, 100% {
+      opacity: 1;
+      filter: brightness(1);
+    }
+    50% {
+      opacity: 0.8;
+      filter: brightness(1.1);
+    }
   }
 
   @keyframes blink {
-    0%, 50% { opacity: 1; }
-    51%, 100% { opacity: 0; }
+    0%, 49% { opacity: 1; }
+    50%, 100% { opacity: 0; }
   }
 
   @keyframes fadeSlideIn {
     from {
       opacity: 0;
-      transform: translateY(10px);
+      transform: translateY(8px);
     }
     to {
       opacity: 1;
@@ -419,6 +646,33 @@
     }
   }
 
+  @keyframes glitch {
+    0%, 100% { transform: translate(0); }
+    20% { transform: translate(-2px, 2px); }
+    40% { transform: translate(-2px, -2px); }
+    60% { transform: translate(2px, 2px); }
+    80% { transform: translate(2px, -2px); }
+  }
+
+  @keyframes scanline-move {
+    0% { transform: translateY(-100%); }
+    100% { transform: translateY(100vh); }
+  }
+
+  @keyframes flicker {
+    0%, 100% { opacity: 1; }
+    92% { opacity: 1; }
+    93% { opacity: 0.8; }
+    94% { opacity: 1; }
+    95% { opacity: 0.9; }
+    96% { opacity: 1; }
+  }
+
+  @keyframes typing {
+    from { width: 0; }
+    to { width: 100%; }
+  }
+
   .animate-pulse-glow {
     animation: pulse-glow 2s ease-in-out infinite;
   }
@@ -431,100 +685,229 @@
     animation: fadeSlideIn 0.3s ease-out forwards;
   }
 
-  /* ============ Section Headers ============ */
+  .animate-glitch {
+    animation: glitch 0.3s ease-in-out;
+  }
+
+  .animate-flicker {
+    animation: flicker 3s linear infinite;
+  }
+
+  /* ============ Section Headers - Enhanced ============ */
   .section-header {
-    @apply flex items-center gap-3 mb-4 pb-3 border-b border-gray-800/50;
+    @apply flex items-center gap-3 mb-4 pb-3 border-b border-[#1a2535];
+    position: relative;
+  }
+
+  .section-header::after {
+    content: '';
+    position: absolute;
+    bottom: -1px;
+    left: 0;
+    width: 60px;
+    height: 2px;
+    background: linear-gradient(90deg, rgba(255, 95, 31, 0.8), transparent);
   }
 
   .section-title {
-    @apply text-lg font-bold text-white uppercase tracking-wider;
+    @apply text-lg font-bold uppercase tracking-wider;
+    color: #e8e0d0;
+    text-shadow: 0 0 20px rgba(255, 95, 31, 0.2);
   }
 
-  /* ============ Stat Cards ============ */
+  /* ============ Stat Cards - Dashboard Style ============ */
   .stat-card {
     @apply cyber-card p-4;
     @apply flex items-center justify-between;
   }
 
   .stat-value {
-    @apply text-3xl font-bold text-white;
+    @apply text-3xl font-bold;
+    color: #f0e6d3;
+    text-shadow: 0 0 15px rgba(255, 95, 31, 0.2);
   }
 
   .stat-label {
-    @apply text-xs text-gray-500 uppercase tracking-wider font-mono;
+    @apply text-[10px] uppercase tracking-[0.15em] font-mono font-bold;
+    color: #5a6577;
   }
 
   .stat-icon {
-    @apply w-12 h-12 rounded-lg flex items-center justify-center;
-    @apply bg-gray-800/50 border border-gray-700/50;
+    @apply w-12 h-12 rounded flex items-center justify-center;
+    background: linear-gradient(135deg, #1a2030 0%, #0d1015 100%);
+    border: 1px solid #2a3545;
   }
 
-  /* ============ Table Styles ============ */
+  /* ============ Table Styles - Data Grid ============ */
   .cyber-table {
     @apply w-full text-sm;
   }
 
   .cyber-table thead {
-    @apply bg-gray-900/50 border-b border-gray-800;
+    background: linear-gradient(180deg, #0d1015 0%, #0a0c10 100%);
+    border-bottom: 1px solid #2a3545;
   }
 
   .cyber-table th {
-    @apply px-4 py-3 text-left text-xs font-mono font-bold uppercase tracking-wider text-gray-400;
+    @apply px-4 py-3 text-left text-[10px] font-mono font-bold uppercase tracking-[0.15em];
+    color: #6a7587;
   }
 
   .cyber-table td {
-    @apply px-4 py-3 border-b border-gray-800/50;
+    @apply px-4 py-3 border-b border-[#1a2030]/60;
+    color: #b8c0cc;
   }
 
   .cyber-table tbody tr:hover {
-    @apply bg-gray-800/30;
+    background: rgba(255, 95, 31, 0.03);
+  }
+
+  .cyber-table tbody tr {
+    transition: background-color 0.15s ease;
   }
 
   /* ============ Empty State ============ */
   .empty-state {
-    @apply flex flex-col items-center justify-center py-12 text-center;
+    @apply flex flex-col items-center justify-center py-16 text-center;
   }
 
   .empty-state-icon {
-    @apply w-16 h-16 text-gray-600 mb-4;
+    @apply w-20 h-20 mb-6;
+    color: #3a4555;
   }
 
   .empty-state-title {
-    @apply text-lg font-semibold text-gray-400 mb-2;
+    @apply text-lg font-semibold mb-2;
+    color: #8a95a5;
   }
 
   .empty-state-description {
-    @apply text-sm text-gray-500;
+    @apply text-sm;
+    color: #5a6577;
   }
 
-  /* ============ Corner Decorations ============ */
+  /* ============ Corner Decorations - Cassette Tape Style ============ */
   .corner-decoration {
-    @apply absolute text-[10px] font-mono text-gray-700 z-30;
+    @apply absolute text-[9px] font-mono z-30;
+    color: #3a4555;
+    letter-spacing: 0.1em;
   }
 
-  .corner-tl { @apply top-4 left-4; }
-  .corner-tr { @apply top-4 right-4 text-right; }
-  .corner-bl { @apply bottom-4 left-4; }
-  .corner-br { @apply bottom-4 right-4 text-right; }
+  .corner-tl { @apply top-3 left-3; }
+  .corner-tr { @apply top-3 right-3 text-right; }
+  .corner-bl { @apply bottom-3 left-3; }
+  .corner-br { @apply bottom-3 right-3 text-right; }
 
-  /* ============ Loading States ============ */
+  /* ============ Loading States - Terminal Style ============ */
   .loading-spinner {
-    @apply w-8 h-8 border-2 border-gray-700 border-t-primary rounded-full animate-spin;
+    @apply w-8 h-8 border-2 border-[#2a3545] border-t-primary rounded-full animate-spin;
   }
 
   .loading-dots {
-    @apply flex gap-1;
+    @apply flex gap-1.5;
   }
 
   .loading-dots span {
-    @apply w-2 h-2 bg-primary rounded-full animate-bounce;
+    @apply w-2 h-2 rounded-full animate-bounce;
+    background: linear-gradient(135deg, #ff6a2c 0%, #e55a1c 100%);
+    box-shadow: 0 0 10px rgba(255, 95, 31, 0.4);
   }
 
   .loading-dots span:nth-child(2) {
-    animation-delay: 0.1s;
+    animation-delay: 0.15s;
   }
 
   .loading-dots span:nth-child(3) {
-    animation-delay: 0.2s;
+    animation-delay: 0.3s;
+  }
+
+  /* ============ Cassette Tape Elements ============ */
+  .tape-label {
+    background: linear-gradient(180deg, #1a1a1a 0%, #0d0d0d 100%);
+    border: 1px solid #2a2a2a;
+    border-radius: 2px;
+    padding: 4px 8px;
+    font-size: 9px;
+    letter-spacing: 0.15em;
+    text-transform: uppercase;
+    color: #8a8a8a;
+  }
+
+  .tape-reel {
+    width: 24px;
+    height: 24px;
+    border-radius: 50%;
+    background: linear-gradient(135deg, #2a2a2a 0%, #1a1a1a 100%);
+    border: 2px solid #3a3a3a;
+    position: relative;
+  }
+
+  .tape-reel::before {
+    content: '';
+    position: absolute;
+    top: 50%;
+    left: 50%;
+    transform: translate(-50%, -50%);
+    width: 8px;
+    height: 8px;
+    border-radius: 50%;
+    background: #0a0a0a;
+    border: 1px solid #2a2a2a;
+  }
+
+  /* ============ HUD Elements ============ */
+  .hud-border {
+    position: relative;
+  }
+
+  .hud-border::before,
+  .hud-border::after {
+    content: '';
+    position: absolute;
+    width: 10px;
+    height: 10px;
+  }
+
+  .hud-border::before {
+    top: 0;
+    left: 0;
+    border-top: 2px solid rgba(255, 95, 31, 0.5);
+    border-left: 2px solid rgba(255, 95, 31, 0.5);
+  }
+
+  .hud-border::after {
+    bottom: 0;
+    right: 0;
+    border-bottom: 2px solid rgba(255, 95, 31, 0.5);
+    border-right: 2px solid rgba(255, 95, 31, 0.5);
+  }
+
+  /* ============ Data Display ============ */
+  .data-value {
+    font-family: 'JetBrains Mono', 'Roboto Mono', monospace;
+    color: #22d3ee;
+    text-shadow: 0 0 10px rgba(34, 211, 238, 0.3);
+  }
+
+  .data-label {
+    font-size: 9px;
+    text-transform: uppercase;
+    letter-spacing: 0.15em;
+    color: #5a6577;
+  }
+
+  /* ============ Noise Texture Overlay ============ */
+  .noise-overlay {
+    position: relative;
+  }
+
+  .noise-overlay::after {
+    content: '';
+    position: absolute;
+    inset: 0;
+    background-image: url("data:image/svg+xml,%3Csvg viewBox='0 0 256 256' xmlns='http://www.w3.org/2000/svg'%3E%3Cfilter id='noiseFilter'%3E%3CfeTurbulence type='fractalNoise' baseFrequency='0.9' numOctaves='4' stitchTiles='stitch'/%3E%3C/filter%3E%3Crect width='100%25' height='100%25' filter='url(%23noiseFilter)'/%3E%3C/svg%3E");
+    opacity: 0.02;
+    pointer-events: none;
+    mix-blend-mode: overlay;
   }
 }
diff --git a/frontend/src/components/audit/TerminalProgressDialog.tsx b/frontend/src/components/audit/TerminalProgressDialog.tsx
index 8ce6ba2..16f734f 100644
--- a/frontend/src/components/audit/TerminalProgressDialog.tsx
+++ b/frontend/src/components/audit/TerminalProgressDialog.tsx
@@ -432,12 +432,13 @@ export default function TerminalProgressDialog({
     return (
         <Dialog open={open} onOpenChange={onOpenChange}>
             <DialogPortal>
-                <DialogOverlay className="bg-black/80 backdrop-blur-sm" />
+                <DialogOverlay className="bg-black/85 backdrop-blur-md" />
                 <DialogPrimitive.Content
                     className={cn(
                         "fixed left-[50%] top-[50%] z-50 translate-x-[-50%] translate-y-[-50%]",
                         "w-[95vw] max-w-[1000px] h-[85vh] max-h-[700px]",
-                        "cyber-card p-0 gap-0 overflow-hidden",
+                        "bg-[#08090d] border border-[#1a2535] rounded overflow-hidden",
+                        "shadow-[0_0_60px_rgba(0,0,0,0.8),inset_0_1px_0_rgba(255,255,255,0.02)]",
                         "data-[state=open]:animate-in data-[state=closed]:animate-out",
                         "data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0",
                         "data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95",
@@ -453,30 +454,44 @@ export default function TerminalProgressDialog({
                         </DialogPrimitive.Description>
                     </VisuallyHidden.Root>
 
+                    {/* Scanline overlay */}
+                    <div className="absolute inset-0 pointer-events-none z-20 opacity-30"
+                        style={{
+                            backgroundImage: "repeating-linear-gradient(0deg, transparent, transparent 2px, rgba(0,0,0,0.1) 2px, rgba(0,0,0,0.1) 4px)",
+                        }}
+                    />
+
                     {/* Header */}
-                    <div className="cyber-card-header justify-between">
+                    <div className="flex items-center justify-between px-4 py-3 bg-[#0a0c10] border-b border-[#1a2535]"
+                        style={{ backgroundImage: "linear-gradient(90deg, rgba(255, 95, 31, 0.05) 0%, transparent 50%, rgba(14, 181, 196, 0.05) 100%)" }}>
                         <div className="flex items-center gap-3">
-                            <Terminal className="w-5 h-5 text-primary" />
+                            <Terminal className="w-5 h-5 text-primary" style={{ filter: "drop-shadow(0 0 8px rgba(255, 95, 31, 0.5))" }} />
                             <div>
-                                <span className="text-lg font-bold uppercase tracking-wider text-white">AUDIT_TERMINAL</span>
-                                <span className="text-xs text-gray-500 ml-2">v2.0</span>
+                                <span className="text-lg font-bold uppercase tracking-[0.15em] text-[#f0e6d3]" style={{ textShadow: "0 0 20px rgba(255, 95, 31, 0.3)" }}>AUDIT_TERMINAL</span>
+                                <span className="text-[10px] text-[#5a6577] ml-2 tracking-wider">v3.0</span>
                             </div>
                         </div>
 
                         <div className="flex items-center gap-4">
                             {/* 状态指示灯 */}
-                            <div className="flex items-center gap-2 px-3 py-1 bg-gray-900 rounded border border-gray-800">
-                                <div className={`w-2 h-2 rounded-full ${!isCompleted && !isFailed && !isCancelled ? 'bg-emerald-400 shadow-[0_0_6px_rgba(52,211,153,0.6)] animate-pulse' : 'bg-gray-600'}`} />
-                                <div className={`w-2 h-2 rounded-full ${isFailed ? 'bg-rose-400 shadow-[0_0_6px_rgba(251,113,133,0.6)]' : 'bg-gray-600'}`} />
-                                <div className={`w-2 h-2 rounded-full ${isCompleted ? 'bg-sky-400 shadow-[0_0_6px_rgba(56,189,248,0.6)]' : 'bg-gray-600'}`} />
+                            <div className="flex items-center gap-2.5 px-3 py-1.5 bg-[#060810] rounded border border-[#1a2535]">
+                                <div className={`w-2.5 h-2.5 rounded-full transition-all duration-300 ${!isCompleted && !isFailed && !isCancelled
+                                    ? 'bg-[#3dd68c] shadow-[0_0_10px_rgba(61,214,140,0.7)] animate-pulse'
+                                    : 'bg-[#3a4555]'}`} />
+                                <div className={`w-2.5 h-2.5 rounded-full transition-all duration-300 ${isFailed
+                                    ? 'bg-[#f87171] shadow-[0_0_10px_rgba(248,113,113,0.7)]'
+                                    : 'bg-[#3a4555]'}`} />
+                                <div className={`w-2.5 h-2.5 rounded-full transition-all duration-300 ${isCompleted
+                                    ? 'bg-[#22d3ee] shadow-[0_0_10px_rgba(34,211,238,0.7)]'
+                                    : 'bg-[#3a4555]'}`} />
                             </div>
 
                             <button
                                 type="button"
-                                className="w-8 h-8 flex items-center justify-center hover:bg-rose-500/20 rounded transition-colors"
+                                className="w-8 h-8 flex items-center justify-center hover:bg-[#e53935]/20 rounded transition-all duration-200 group"
                                 onClick={() => onOpenChange(false)}
                             >
-                                <XIcon className="w-5 h-5 text-gray-400 hover:text-rose-400" />
+                                <XIcon className="w-5 h-5 text-[#6a7587] group-hover:text-[#f87171] transition-colors" />
                             </button>
                         </div>
                     </div>
@@ -484,19 +499,22 @@ export default function TerminalProgressDialog({
                     {/* Main Content */}
                     <div className="flex h-[calc(100%-56px)]">
                         {/* Left Sidebar - Task Info */}
-                        <div className="w-48 p-4 border-r border-gray-800 bg-gray-900/30 flex flex-col gap-4">
-                            <div className="space-y-1">
-                                <div className="text-[10px] font-bold text-gray-600 uppercase tracking-wider">Task ID</div>
-                                <div className="text-xs font-mono text-primary truncate bg-gray-900 p-2 rounded border border-gray-800">
+                        <div className="w-48 p-4 border-r border-[#1a2535] bg-[#060810] flex flex-col gap-4">
+                            <div className="space-y-1.5">
+                                <div className="text-[9px] font-bold text-[#5a6577] uppercase tracking-[0.15em]">Task ID</div>
+                                <div className="text-xs font-mono text-primary truncate bg-[#0a0c10] p-2.5 rounded border border-[#1a2535]"
+                                    style={{ textShadow: "0 0 10px rgba(255, 95, 31, 0.3)" }}>
                                     {taskId?.slice(0, 8)}...
                                 </div>
                             </div>
 
-                            <div className="space-y-1">
-                                <div className="text-[10px] font-bold text-gray-600 uppercase tracking-wider">Type</div>
-                                <div className="flex items-center gap-2 bg-gray-900 p-2 rounded border border-gray-800">
-                                    {taskType === 'repository' ? <Cpu className="w-3 h-3 text-sky-400" /> : <HardDrive className="w-3 h-3 text-amber-400" />}
-                                    <span className="text-xs font-bold text-gray-300 uppercase">{taskType}</span>
+                            <div className="space-y-1.5">
+                                <div className="text-[9px] font-bold text-[#5a6577] uppercase tracking-[0.15em]">Type</div>
+                                <div className="flex items-center gap-2 bg-[#0a0c10] p-2.5 rounded border border-[#1a2535]">
+                                    {taskType === 'repository'
+                                        ? <Cpu className="w-3.5 h-3.5 text-[#22d3ee]" style={{ filter: "drop-shadow(0 0 6px rgba(34, 211, 238, 0.5))" }} />
+                                        : <HardDrive className="w-3.5 h-3.5 text-[#fbbf24]" style={{ filter: "drop-shadow(0 0 6px rgba(251, 191, 36, 0.5))" }} />}
+                                    <span className="text-xs font-bold text-[#d0d8e8] uppercase tracking-wider">{taskType}</span>
                                 </div>
                             </div>
 
@@ -504,7 +522,7 @@ export default function TerminalProgressDialog({
 
                             {/* Status Badge */}
                             <div className="space-y-2">
-                                <div className="text-[10px] font-bold text-gray-600 uppercase tracking-wider">Status</div>
+                                <div className="text-[9px] font-bold text-[#5a6577] uppercase tracking-[0.15em]">Status</div>
                                 {isCancelled ? (
                                     <Badge className="w-full justify-center cyber-badge-warning">CANCELLED</Badge>
                                 ) : isCompleted ? (
@@ -520,17 +538,18 @@ export default function TerminalProgressDialog({
                         {/* Terminal Screen */}
                         <div className="flex-1 flex flex-col">
                             {/* Terminal Output */}
-                            <div className="flex-1 bg-[#0a0a0f] p-4 overflow-y-auto font-mono text-sm custom-scrollbar relative">
+                            <div className="flex-1 bg-[#050608] p-4 overflow-y-auto font-mono text-sm custom-scrollbar relative">
                                 {/* Grid background */}
-                                <div className="absolute inset-0 cyber-grid-subtle pointer-events-none opacity-30" />
+                                <div className="absolute inset-0 cyber-grid-subtle pointer-events-none opacity-40" />
 
                                 <div className="relative z-10 space-y-0.5 pb-10">
                                     {logs.map((log) => (
-                                        <div key={log.id} className="flex items-start gap-3 hover:bg-white/5 px-2 py-0.5 transition-colors group rounded">
-                                            <span className="text-gray-600 text-xs flex-shrink-0 w-20 font-mono">
+                                        <div key={log.id} className="flex items-start gap-3 hover:bg-[#ffffff]/[0.03] px-2 py-0.5 transition-colors group rounded">
+                                            <span className="text-[#4a5565] text-xs flex-shrink-0 w-20 font-mono">
                                                 {log.timestamp}
                                             </span>
-                                            <span className={`${getLogColor(log.type)} flex-1 font-mono text-sm`}>
+                                            <span className={`${getLogColor(log.type)} flex-1 font-mono text-sm`}
+                                                style={{ textShadow: log.type === 'success' ? '0 0 8px rgba(61, 214, 140, 0.3)' : log.type === 'error' ? '0 0 8px rgba(248, 113, 113, 0.3)' : log.type === 'warning' ? '0 0 8px rgba(251, 191, 36, 0.3)' : 'none' }}>
                                                 {log.message}
                                             </span>
                                         </div>
@@ -538,8 +557,8 @@ export default function TerminalProgressDialog({
 
                                     {!isCompleted && !isFailed && !isCancelled && (
                                         <div className="flex items-center gap-3 mt-4 px-2">
-                                            <span className="text-gray-600 text-xs w-20 font-mono">{currentTime}</span>
-                                            <span className="text-primary animate-pulse font-bold">_</span>
+                                            <span className="text-[#4a5565] text-xs w-20 font-mono">{currentTime}</span>
+                                            <span className="text-primary animate-pulse font-bold" style={{ textShadow: "0 0 10px rgba(255, 95, 31, 0.5)" }}>_</span>
                                         </div>
                                     )}
                                     <div ref={logsEndRef} />
@@ -547,11 +566,11 @@ export default function TerminalProgressDialog({
                             </div>
 
                             {/* Bottom Controls */}
-                            <div className="h-14 px-4 border-t border-gray-800 bg-gray-900/50 flex items-center justify-between">
-                                <div className="flex items-center gap-2 text-xs text-gray-500 font-mono">
-                                    <Activity className="w-3 h-3" />
+                            <div className="h-14 px-4 border-t border-[#1a2535] bg-[#0a0c10]/90 flex items-center justify-between">
+                                <div className="flex items-center gap-2 text-xs text-[#6a7587] font-mono tracking-wide">
+                                    <Activity className="w-3.5 h-3.5" />
                                     <span>
-                                        {isCompleted ? "任务已完成" : isFailed ? "任务失败" : isCancelled ? "任务已取消" : "正在执行..."}
+                                        {isCompleted ? "TASK COMPLETED" : isFailed ? "TASK FAILED" : isCancelled ? "TASK CANCELLED" : "EXECUTING..."}
                                     </span>
                                 </div>
 
@@ -561,9 +580,9 @@ export default function TerminalProgressDialog({
                                             size="sm"
                                             variant="outline"
                                             onClick={handleCancel}
-                                            className="h-8 cyber-btn-outline text-amber-400 border-amber-500/30 hover:bg-amber-500/10 hover:border-amber-500/50"
+                                            className="h-8 bg-transparent border-[#fbbf24]/40 text-[#fbbf24] hover:bg-[#fbbf24]/10 hover:border-[#fbbf24]/60 font-mono uppercase tracking-wider text-[10px]"
                                         >
-                                            <AlertTriangle className="w-3 h-3 mr-1" />
+                                            <AlertTriangle className="w-3 h-3 mr-1.5" />
                                             取消任务
                                         </Button>
                                     )}
@@ -573,9 +592,9 @@ export default function TerminalProgressDialog({
                                             size="sm"
                                             variant="outline"
                                             onClick={() => window.open('/logs', '_blank')}
-                                            className="h-8 cyber-btn-outline"
+                                            className="h-8 bg-transparent border-[#6a7587]/40 text-[#a8b0c0] hover:bg-[#1a2030]/50 hover:border-[#6a7587]/60 font-mono uppercase tracking-wider text-[10px]"
                                         >
-                                            <Activity className="w-3 h-3 mr-1" />
+                                            <Activity className="w-3 h-3 mr-1.5" />
                                             查看日志
                                         </Button>
                                     )}
@@ -584,9 +603,9 @@ export default function TerminalProgressDialog({
                                         <Button
                                             size="sm"
                                             onClick={() => onOpenChange(false)}
-                                            className="h-8 cyber-btn-primary"
+                                            className="h-8 cyber-btn-primary font-mono uppercase tracking-wider text-[10px]"
                                         >
-                                            <CheckCircle2 className="w-3 h-3 mr-1" />
+                                            <CheckCircle2 className="w-3 h-3 mr-1.5" />
                                             确认
                                         </Button>
                                     )}
diff --git a/frontend/src/pages/AgentAudit/index.tsx b/frontend/src/pages/AgentAudit/index.tsx
index e85b529..ac5782c 100644
--- a/frontend/src/pages/AgentAudit/index.tsx
+++ b/frontend/src/pages/AgentAudit/index.tsx
@@ -673,37 +673,25 @@ function AgentAuditPageContent() {
 
   if (isLoading && !task) {
     return (
-      <div className="h-screen bg-[#0a0a0f] flex items-center justify-center relative overflow-hidden">
+      <div className="h-screen bg-[#08090d] flex items-center justify-center relative overflow-hidden">
         {/* Grid background */}
-        <div className="absolute inset-0 opacity-[0.02]"
-          style={{
-            backgroundImage: `
-              linear-gradient(rgba(255,107,44,0.5) 1px, transparent 1px),
-              linear-gradient(90deg, rgba(255,107,44,0.5) 1px, transparent 1px)
-            `,
-            backgroundSize: '32px 32px',
-          }}
-        />
-        <div className="flex items-center gap-3 text-gray-400 relative z-10">
+        <div className="absolute inset-0 cyber-grid opacity-30" />
+        {/* Vignette */}
+        <div className="absolute inset-0 vignette pointer-events-none" />
+        <div className="flex items-center gap-3 text-[#8a95a5] relative z-10">
           <Loader2 className="w-5 h-5 animate-spin text-primary" />
-          <span className="font-mono text-sm">Loading audit task...</span>
+          <span className="font-mono text-sm tracking-wide">LOADING AUDIT TASK...</span>
         </div>
       </div>
     );
   }
 
   return (
-    <div className="h-screen bg-[#0a0a0f] flex flex-col overflow-hidden relative">
+    <div className="h-screen bg-[#08090d] flex flex-col overflow-hidden relative">
       {/* Subtle grid background */}
-      <div className="absolute inset-0 opacity-[0.015] pointer-events-none"
-        style={{
-          backgroundImage: `
-            linear-gradient(rgba(255,107,44,0.5) 1px, transparent 1px),
-            linear-gradient(90deg, rgba(255,107,44,0.5) 1px, transparent 1px)
-          `,
-          backgroundSize: '48px 48px',
-        }}
-      />
+      <div className="absolute inset-0 cyber-grid-subtle opacity-40 pointer-events-none" />
+      {/* Scanline effect */}
+      <div className="absolute inset-0 scanline-overlay pointer-events-none opacity-50" />
 
       {/* Header */}
       <Header
@@ -718,24 +706,24 @@ function AgentAuditPageContent() {
       {/* Main content */}
       <div className="flex-1 flex overflow-hidden relative">
         {/* Left Panel - Activity Log */}
-        <div className="w-3/4 flex flex-col border-r border-gray-800/50">
+        <div className="w-3/4 flex flex-col border-r border-[#1a2535]">
           {/* Log header */}
-          <div className="flex-shrink-0 h-11 border-b border-gray-800/50 flex items-center justify-between px-4 bg-[#0d0d12]/80 backdrop-blur-sm">
-            <div className="flex items-center gap-3 text-xs text-gray-400">
+          <div className="flex-shrink-0 h-11 border-b border-[#1a2535] flex items-center justify-between px-4 bg-[#0a0c10]/90 backdrop-blur-sm">
+            <div className="flex items-center gap-3 text-xs text-[#8a95a5]">
               <div className="flex items-center gap-2">
-                <Terminal className="w-4 h-4 text-gray-500" />
-                <span className="uppercase font-bold tracking-wider text-gray-300">Activity Log</span>
+                <Terminal className="w-4 h-4 text-[#5a6577]" />
+                <span className="uppercase font-bold tracking-[0.15em] text-[#d0d8e8]">Activity Log</span>
               </div>
               {isConnected && (
-                <div className="flex items-center gap-1.5 text-green-400">
+                <div className="flex items-center gap-1.5 text-[#3dd68c]">
                   <span className="relative flex h-2 w-2">
-                    <span className="animate-ping absolute inline-flex h-full w-full rounded-full bg-green-400 opacity-75"></span>
-                    <span className="relative inline-flex rounded-full h-2 w-2 bg-green-400"></span>
+                    <span className="animate-ping absolute inline-flex h-full w-full rounded-full bg-[#3dd68c] opacity-75"></span>
+                    <span className="relative inline-flex rounded-full h-2 w-2 bg-[#3dd68c] shadow-[0_0_8px_rgba(61,214,140,0.5)]"></span>
                   </span>
-                  <span className="text-[10px] font-mono uppercase">Live</span>
+                  <span className="text-[10px] font-mono uppercase tracking-wider">Live</span>
                 </div>
               )}
-              <Badge variant="outline" className="h-5 px-1.5 text-[10px] border-gray-700/50 text-gray-500 font-mono">
+              <Badge variant="outline" className="h-5 px-1.5 text-[10px] border-[#2a3545] text-[#6a7587] font-mono bg-[#0d1015]">
                 {filteredLogs.length}{!showAllLogs && logs.length !== filteredLogs.length ? ` / ${logs.length}` : ''}
               </Badge>
             </div>
@@ -743,11 +731,11 @@ function AgentAuditPageContent() {
             <button
               onClick={() => setAutoScroll(!isAutoScroll)}
               className={`
-                flex items-center gap-1.5 text-[10px] px-2 py-1 rounded font-mono uppercase tracking-wider
+                flex items-center gap-1.5 text-[10px] px-2.5 py-1 rounded font-mono uppercase tracking-wider
                 transition-all duration-200
                 ${isAutoScroll
-                  ? 'bg-primary/20 text-primary border border-primary/30'
-                  : 'text-gray-500 hover:text-gray-300 border border-transparent hover:border-gray-700'
+                  ? 'bg-primary/15 text-primary border border-primary/40 shadow-[0_0_10px_rgba(255,95,31,0.15)]'
+                  : 'text-[#6a7587] hover:text-[#a8b0c0] border border-transparent hover:border-[#2a3545] hover:bg-[#1a2030]/50'
                 }
               `}
             >
@@ -757,17 +745,17 @@ function AgentAuditPageContent() {
           </div>
 
           {/* Log content */}
-          <div className="flex-1 overflow-y-auto p-4 custom-scrollbar">
+          <div className="flex-1 overflow-y-auto p-4 custom-scrollbar bg-[#060810]/50">
             {/* Filter indicator */}
             {selectedAgentId && !showAllLogs && (
-              <div className="mb-3 px-3 py-2 bg-primary/5 border border-primary/20 rounded flex items-center justify-between">
+              <div className="mb-3 px-3 py-2 bg-primary/8 border border-primary/25 rounded flex items-center justify-between">
                 <div className="flex items-center gap-2 text-xs text-primary">
                   <Filter className="w-3.5 h-3.5" />
-                  <span>Filtering logs for selected agent</span>
+                  <span className="tracking-wide">Filtering logs for selected agent</span>
                 </div>
                 <button
                   onClick={() => selectAgent(null)}
-                  className="text-[10px] text-gray-400 hover:text-white transition-colors font-mono uppercase"
+                  className="text-[10px] text-[#6a7587] hover:text-[#d0d8e8] transition-colors font-mono uppercase tracking-wider"
                 >
                   Clear
                 </button>
@@ -777,21 +765,21 @@ function AgentAuditPageContent() {
             {/* Logs */}
             {filteredLogs.length === 0 ? (
               <div className="h-full flex items-center justify-center">
-                <div className="text-center text-gray-600">
+                <div className="text-center text-[#4a5565]">
                   {isRunning ? (
                     <div className="flex flex-col items-center gap-3">
-                      <Loader2 className="w-6 h-6 animate-spin text-gray-500" />
-                      <span className="text-sm">
+                      <Loader2 className="w-6 h-6 animate-spin text-[#5a6577]" />
+                      <span className="text-sm font-mono tracking-wide">
                         {selectedAgentId && !showAllLogs
-                          ? 'Waiting for activity from selected agent...'
-                          : 'Waiting for agent activity...'}
+                          ? 'WAITING FOR ACTIVITY FROM SELECTED AGENT...'
+                          : 'WAITING FOR AGENT ACTIVITY...'}
                       </span>
                     </div>
                   ) : (
-                    <span className="text-sm">
+                    <span className="text-sm font-mono tracking-wide">
                       {selectedAgentId && !showAllLogs
-                        ? 'No activity from selected agent'
-                        : 'No activity yet'}
+                        ? 'NO ACTIVITY FROM SELECTED AGENT'
+                        : 'NO ACTIVITY YET'}
                     </span>
                   )}
                 </div>
@@ -813,36 +801,36 @@ function AgentAuditPageContent() {
 
           {/* Status bar */}
           {task && (
-            <div className="flex-shrink-0 h-9 border-t border-gray-800/50 flex items-center justify-between px-4 text-xs bg-[#0d0d12]/80 backdrop-blur-sm">
+            <div className="flex-shrink-0 h-9 border-t border-[#1a2535] flex items-center justify-between px-4 text-xs bg-[#0a0c10]/90 backdrop-blur-sm">
               <span>
                 {isRunning ? (
-                  <span className="flex items-center gap-2 text-green-400">
+                  <span className="flex items-center gap-2 text-[#3dd68c]">
                     <span className="relative flex h-1.5 w-1.5">
-                      <span className="animate-ping absolute inline-flex h-full w-full rounded-full bg-green-400 opacity-75"></span>
-                      <span className="relative inline-flex rounded-full h-1.5 w-1.5 bg-green-400"></span>
+                      <span className="animate-ping absolute inline-flex h-full w-full rounded-full bg-[#3dd68c] opacity-75"></span>
+                      <span className="relative inline-flex rounded-full h-1.5 w-1.5 bg-[#3dd68c] shadow-[0_0_6px_rgba(61,214,140,0.5)]"></span>
                     </span>
-                    <span className="font-mono">{statusVerb}{'.'.repeat(statusDots)}</span>
+                    <span className="font-mono tracking-wide">{statusVerb}{'.'.repeat(statusDots)}</span>
                   </span>
                 ) : isComplete ? (
-                  <span className="text-gray-500 font-mono">Audit {task.status}</span>
+                  <span className="text-[#6a7587] font-mono tracking-wide">AUDIT {task.status?.toUpperCase()}</span>
                 ) : (
-                  <span className="text-gray-600 font-mono">Ready</span>
+                  <span className="text-[#4a5565] font-mono tracking-wide">READY</span>
                 )}
               </span>
-              <div className="flex items-center gap-4 font-mono text-gray-500">
+              <div className="flex items-center gap-4 font-mono text-[#6a7587]">
                 <span>
-                  <span className="text-primary">{task.progress_percentage?.toFixed(0) || 0}</span>
-                  <span className="text-gray-600">%</span>
+                  <span className="text-primary text-glow-primary">{task.progress_percentage?.toFixed(0) || 0}</span>
+                  <span className="text-[#4a5565]">%</span>
                 </span>
-                <span className="text-gray-700">|</span>
+                <span className="text-[#2a3545]">│</span>
                 <span>
-                  <span className="text-gray-400">{task.analyzed_files}</span>
-                  <span className="text-gray-600">/{task.total_files} files</span>
+                  <span className="text-[#a8b0c0]">{task.analyzed_files}</span>
+                  <span className="text-[#4a5565]">/{task.total_files} files</span>
                 </span>
-                <span className="text-gray-700">|</span>
+                <span className="text-[#2a3545]">│</span>
                 <span>
-                  <span className="text-gray-400">{task.tool_calls_count || 0}</span>
-                  <span className="text-gray-600"> tools</span>
+                  <span className="text-[#a8b0c0]">{task.tool_calls_count || 0}</span>
+                  <span className="text-[#4a5565]"> tools</span>
                 </span>
               </div>
             </div>
@@ -850,16 +838,16 @@ function AgentAuditPageContent() {
         </div>
 
         {/* Right Panel - Agent Tree + Stats */}
-        <div className="w-1/4 flex flex-col bg-[#0b0b10]">
+        <div className="w-1/4 flex flex-col bg-[#080a0e]">
           {/* Agent Tree section */}
-          <div className="flex-1 flex flex-col border-b border-gray-800/50 overflow-hidden">
+          <div className="flex-1 flex flex-col border-b border-[#1a2535] overflow-hidden">
             {/* Tree header */}
-            <div className="flex-shrink-0 h-11 border-b border-gray-800/50 flex items-center justify-between px-4 bg-[#0d0d12]/80">
-              <div className="flex items-center gap-2 text-xs text-gray-400">
-                <Bot className="w-4 h-4 text-gray-500" />
-                <span className="uppercase font-bold tracking-wider text-gray-300">Agent Tree</span>
+            <div className="flex-shrink-0 h-11 border-b border-[#1a2535] flex items-center justify-between px-4 bg-[#0a0c10]/90">
+              <div className="flex items-center gap-2 text-xs text-[#8a95a5]">
+                <Bot className="w-4 h-4 text-[#5a6577]" />
+                <span className="uppercase font-bold tracking-[0.15em] text-[#d0d8e8]">Agent Tree</span>
                 {agentTree && (
-                  <Badge variant="outline" className="h-5 px-1.5 text-[10px] border-gray-700/50 text-gray-500 font-mono">
+                  <Badge variant="outline" className="h-5 px-1.5 text-[10px] border-[#2a3545] text-[#6a7587] font-mono bg-[#0d1015]">
                     {agentTree.total_agents}
                   </Badge>
                 )}
@@ -868,16 +856,16 @@ function AgentAuditPageContent() {
                 {selectedAgentId && !showAllLogs && (
                   <button
                     onClick={() => selectAgent(null)}
-                    className="text-[10px] text-primary hover:text-primary/80 transition-colors font-mono uppercase"
+                    className="text-[10px] text-primary hover:text-primary/80 transition-colors font-mono uppercase tracking-wider"
                   >
                     Show All
                   </button>
                 )}
                 {agentTree && agentTree.running_agents > 0 && (
-                  <div className="flex items-center gap-1.5 text-green-400">
+                  <div className="flex items-center gap-1.5 text-[#3dd68c]">
                     <span className="relative flex h-1.5 w-1.5">
-                      <span className="animate-ping absolute inline-flex h-full w-full rounded-full bg-green-400 opacity-75"></span>
-                      <span className="relative inline-flex rounded-full h-1.5 w-1.5 bg-green-400"></span>
+                      <span className="animate-ping absolute inline-flex h-full w-full rounded-full bg-[#3dd68c] opacity-75"></span>
+                      <span className="relative inline-flex rounded-full h-1.5 w-1.5 bg-[#3dd68c] shadow-[0_0_6px_rgba(61,214,140,0.5)]"></span>
                     </span>
                     <span className="text-[10px] font-mono">{agentTree.running_agents}</span>
                   </div>
@@ -886,7 +874,7 @@ function AgentAuditPageContent() {
             </div>
 
             {/* Tree content */}
-            <div className="flex-1 overflow-y-auto p-2 custom-scrollbar">
+            <div className="flex-1 overflow-y-auto p-2 custom-scrollbar bg-[#060810]/50">
               {treeNodes.length > 0 ? (
                 treeNodes.map(node => (
                   <AgentTreeNodeItem
@@ -897,14 +885,14 @@ function AgentAuditPageContent() {
                   />
                 ))
               ) : (
-                <div className="h-full flex items-center justify-center text-gray-600 text-xs">
+                <div className="h-full flex items-center justify-center text-[#4a5565] text-xs">
                   {isRunning ? (
                     <div className="flex items-center gap-2">
                       <Loader2 className="w-3 h-3 animate-spin" />
-                      <span>Initializing agents...</span>
+                      <span className="font-mono tracking-wide">INITIALIZING AGENTS...</span>
                     </div>
                   ) : (
-                    'No agents yet'
+                    <span className="font-mono tracking-wide">NO AGENTS YET</span>
                   )}
                 </div>
               )}