Wave Coordinator
Overview
The wave coordinator dispatches test agents in waves of 3 concurrent agents, with health checks between waves.
Wave Schedule (V3 Pragmatica)
12 waves + 1 flag-gated wave, 31 sub-agents total:
```mermaid
graph LR
    W0["Wave 0<br/>sqli, xss, idor<br/>Opus High"] --> W1["Wave 1<br/>cmdi, authz, jwt<br/>Opus High"]
    W1 --> W2["Wave 2<br/>oauth, session, csrf<br/>Opus High/Med"]
    W2 --> W3["Wave 3<br/>dom, ssrf-core, ssti<br/>Opus High"]
    W3 --> W4["Wave 4<br/>ssrf-vector, rest, gql<br/>Opus Med"]
    W4 --> W5["Wave 5<br/>business, race, mfa<br/>Opus High/Med"]
    W5 --> W6["Wave 6<br/>hpp-crlf, bypass, smuggle<br/>Opus Med/High"]
    W6 --> W7["Wave 7<br/>cache, host-method, matrix<br/>Opus Med/High"]
    W7 --> W8["Wave 8<br/>prototype, upload, deser<br/>Opus Med"]
    W8 --> W9["Wave 9<br/>storage, takeover, k8s<br/>Opus Med"]
    W9 --> W10["Wave 10<br/>crypto, exceptions, supply<br/>Sonnet/Opus"]
    W10 --> W11["Wave 11<br/>misc overflow<br/>Opus Med"]
    W11 --> W12["Wave 12*<br/>llm, mobile<br/>Sonnet<br/>*Flag-gated"]
    style W0 fill:#4a148c,color:#fff
    style W1 fill:#4a148c,color:#fff
    style W2 fill:#6a1b9a,color:#fff
    style W3 fill:#4a148c,color:#fff
    style W4 fill:#6a1b9a,color:#fff
    style W5 fill:#4a148c,color:#fff
    style W6 fill:#6a1b9a,color:#fff
    style W7 fill:#6a1b9a,color:#fff
    style W8 fill:#6a1b9a,color:#fff
    style W9 fill:#6a1b9a,color:#fff
    style W10 fill:#7b1fa2,color:#fff
    style W11 fill:#6a1b9a,color:#fff
    style W12 fill:#7b1fa2,color:#fff
```
| Wave | Agents | Model Tier |
|---|---|---|
| 0 | injection:sqli, injection:xss, access:idor | Opus high |
| 1 | injection:cmdi, access:authz, auth:jwt | Opus high |
| 2 | auth:oauth, auth:session, client:csrf-cors | Opus high/medium |
| 3 | client:dom, ssrf:core, injection:ssti-xxe | Opus high |
| 4 | ssrf:vector, api:rest, api:graphql | Opus medium |
| 5 | logic:business, logic:race, advanced:mfa | Opus high/medium |
| 6 | advanced:hpp-crlf, advanced:bypass, infra:smuggling | Opus medium/high |
| 7 | infra:cache, advanced:host-method, access:matrix | Opus medium/high |
| 8 | api:prototype, logic:upload, deser | Opus medium |
| 9 | cloud:storage, cloud:takeover, cloud:k8s-cicd | Opus medium |
| 10 | crypto, exceptions, supply-chain | Sonnet/Opus medium |
| 11 | injection:misc, client:misc, (overflow) | Opus medium |
| 12 | llm (if --llm), mobile (if --mobile) | Sonnet |
Fast/Bug-Bounty Mode
Fast/bug-bounty mode increases concurrency to 5 agents per wave, compressing the schedule to ~7 waves.
Health Checks
Between each wave:
- Verify auth tokens are still valid
- Check for rate limiting (429 responses)
- If rate limited, pause 60s before the next wave
Pipeline Tier Overlap
Independent work starts early:
| Tier | Starts After | Skills |
|---|---|---|
| Tier 1 | Phase 0 | crypto, supply-chain, exceptions |
| Tier 2 | Phase 1 | cloud, infra base |
| Tier 3 | Phase 2 + /route | All injection, auth, access, etc. |
Checkpoints
Each wave writes completion status to checkpoint.json for resume support via the /resume skill.
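
A sketch of the loop this page describes (waves of 3 concurrent agents, a health check between waves, a 60s pause on a 429, a checkpoint after each wave), added here as an example and not the project's own code. The function names, the checkpoint.json layout, and treating HTTP 401 as "token no longer valid" are assumptions; `run_agent` and `probe` are callables supplied by the caller.

```python
import json
import time
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path


def plan_waves(agents, size=3):
    """Split the ordered agent list into waves of `size` (5 in fast mode)."""
    return [agents[i:i + size] for i in range(0, len(agents), size)]


def health_check(probe, sleep=time.sleep, pause=60):
    """Gate between waves. `probe()` returns the HTTP status of one
    authenticated request (assumption: 401 means the token has expired)."""
    status = probe()
    if status == 401:
        return "auth_expired"
    if status == 429:
        sleep(pause)  # back off before dispatching the next wave
        return "rate_limited"
    return "ok"


def run_waves(agents, run_agent, probe, checkpoint, size=3, sleep=time.sleep):
    """Dispatch waves in order, checkpoint each one, resume from a prior run."""
    path = Path(checkpoint)
    # Hypothetical checkpoint layout: completed wave indexes plus check results.
    state = (json.loads(path.read_text()) if path.exists()
             else {"completed": [], "events": []})
    for idx, wave in enumerate(plan_waves(agents, size)):
        if idx in state["completed"]:
            continue  # resume: skip waves finished in an earlier run
        if idx > 0:
            result = health_check(probe, sleep)
            state["events"].append([idx, result])
            if result == "auth_expired":
                path.write_text(json.dumps(state))
                break  # halt; a later resume re-checks before this wave
        with ThreadPoolExecutor(max_workers=size) as pool:
            list(pool.map(run_agent, wave))  # one wave runs concurrently
        state["completed"].append(idx)
        path.write_text(json.dumps(state))
    return state
```

Running the health check before each wave rather than after the previous one means a resumed run re-validates credentials before it dispatches anything.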