feat(agent): add expire_benchmarks action to re-benchmark agents

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>

Author: unclesp1d3r

GOTCHAS.md

@@ -213,6 +213,8 @@ Referenced from [AGENTS.md](AGENTS.md) — read the relevant section before work
 
 - Broadcast partials (rendered by `broadcast_replace_to`/`broadcast_replace_later_to`) run in background jobs with NO `current_user` — partials must not reference `current_user` or session data
 - For targeted broadcasts, extract small partials (e.g., `_index_state.html.erb`) that wrap a single element with a stable DOM ID, following the Agent `broadcast_index_state` pattern
+- Never fragment-cache content containing `safe_can?` calls in broadcast-rendered partials — Sidekiq has no `current_user`, so `safe_can?` returns false and poisons the cache for all users. Keep auth-gated elements outside cache blocks.
+- Use `saved_changes.keys.intersect?(FIELDS)` or `saved_change_to_<attr>?` guards in `after_update_commit` callbacks to avoid broadcasting tabs whose data didn't change (see `Agent#broadcast_tab_updates`)
 
 **Logging Patterns:**
 

app/controllers/agents_controller.rb

@@ -75,6 +75,17 @@ def update
     end
   end
 
+  # POST /agents/1/expire_benchmarks
+  # Deletes all benchmarks for the agent and transitions it to pending,
+  # forcing the agent to re-benchmark on its next heartbeat.
+  def expire_benchmarks
+    @agent.hashcat_benchmarks.destroy_all
+    @agent.check_benchmark_age
+
+    redirect_to agent_url(@agent, anchor: "capabilities"),
+                notice: "Benchmarks expired. The agent will re-benchmark on its next check-in."
+  end
+
   # DELETE /agents/1 or /agents/1.json
   def destroy
     @agent.destroy!

app/controllers/api/v1/client/tasks_controller.rb

@@ -40,8 +40,14 @@ def show
 
   # Initializes a new task for the agent.
   # If the task is nil, it renders a no content status.
+  #
+  # Task assignment is benchmark-gated, not state-gated: if the agent has benchmarks
+  # for a hash type, it can receive tasks for that type regardless of state.
+  # We activate pending agents with benchmarks as a side effect so the UI reflects
+  # reality, but this never blocks task assignment.
   def new
     @task = TaskAssignmentService.new(@agent).find_next_task
+    activate_pending_agent_with_benchmarks
     head(:no_content) if @task.nil?
     # When @task exists, Jbuilder template (new.json.jbuilder) renders automatically
   end
@@ -225,6 +231,19 @@ def submit_status
 
   private
 
+  # Activates a pending agent that has benchmark data on record.
+  # This is a UI-correctness side effect, not a task assignment gate.
+  def activate_pending_agent_with_benchmarks
+    return unless @agent.pending? && @agent.hashcat_benchmarks.exists?
+    return unless @agent.activate
+
+    Rails.logger.info(
+      "[AgentLifecycle] auto_activate: agent_id=#{@agent.id} " \
+      "reason=pending_with_benchmarks benchmark_count=#{@agent.hashcat_benchmarks.count} " \
+      "timestamp=#{Time.zone.now}"
+    )
+  end
+
   # Finds and sets the @task instance variable for the current agent.
   # This method is used as a before_action callback to ensure tasks exist and belong to the agent.
   # If the task is not found, it uses enhanced error handling from TaskErrorHandling concern.

app/models/ability.rb

@@ -60,6 +60,7 @@ def initialize(user)
     can :read, Agent, projects: { id: user.all_project_ids } # User can read agents in their projects
     can :update, Agent, user: user # User can update their own agents
     can :destroy, Agent, user: user # User can destroy their own agents
+    can :expire_benchmarks, Agent, user: user # User can force re-benchmark their own agents
 
     # Project permissions
     can :read, Project, project_users: { user_id: user.id } # User can read projects they are associated with

app/models/agent.rb

@@ -88,6 +88,12 @@ class Agent < ApplicationRecord
     quadrillion: "PH/s"
   }.freeze
 
+  # Fields whose changes should trigger a configuration tab broadcast.
+  CONFIGURATION_BROADCAST_FIELDS = %w[
+    enabled client_signature last_ipaddress advanced_configuration
+    custom_label operating_system
+  ].freeze
+
   belongs_to :user, touch: true
   has_and_belongs_to_many :projects, touch: true
   has_many :tasks, dependent: :destroy
@@ -136,23 +142,31 @@ def broadcast_index_last_seen
       locals: { agent: self }
   end
 
+
   # Broadcasts updates to individual tab streams instead of the root agent stream.
   # This allows each tab panel to update independently without affecting the active tab state.
+  #
+  # Overview: always broadcast (last_seen, state, metrics change frequently).
+  # Configuration: only when config-relevant fields change.
+  # Capabilities: only when state changes (benchmark data arrives via state transitions).
   def broadcast_tab_updates
     broadcast_replace_later_to [self, :overview],
       target: ActionView::RecordIdentifier.dom_id(self, :overview),
       partial: "agents/overview_tab",
       locals: { agent: self }
 
-    broadcast_replace_later_to [self, :configuration],
-      target: ActionView::RecordIdentifier.dom_id(self, :configuration),
-      partial: "agents/configuration_tab",
-      locals: { agent: self }
+    if saved_changes.keys.intersect?(CONFIGURATION_BROADCAST_FIELDS)
+      broadcast_replace_later_to [self, :configuration],
+        target: ActionView::RecordIdentifier.dom_id(self, :configuration),
+        partial: "agents/configuration_tab",
+        locals: { agent: self }
+    end
 
-    broadcast_replace_later_to [self, :capabilities],
-      target: ActionView::RecordIdentifier.dom_id(self, :capabilities),
-      partial: "agents/capabilities_tab",
-      locals: { agent: self }
+    return unless saved_change_to_state?
+      broadcast_replace_later_to [self, :capabilities],
+        target: ActionView::RecordIdentifier.dom_id(self, :capabilities),
+        partial: "agents/capabilities_tab",
+        locals: { agent: self }
   end
 
   # The operating system of the agent.

app/services/task_assignment_service.rb

@@ -129,18 +129,21 @@ def find_unassigned_paused_task
     task = nil
 
     Task.transaction do
-      task = Task.with_state(:paused)
-                 .where(claimed_by_agent_id: nil)
-                 .where.not(agent_id: agent.id)
-                 .joins(:agent)
-                 .where(
-                   "tasks.paused_at IS NULL OR tasks.paused_at < :grace_cutoff OR agents.state IN (:orphan_states)",
-                   grace_cutoff: ApplicationConfig.agent_considered_offline_time.ago,
-                   orphan_states: %w[offline stopped]
-                 )
-                 .joins(attack: { campaign: :hash_list })
-                 .where(campaigns: { project_id: agent.project_ids })
-                 .where(hash_lists: { hash_type_id: allowed_hash_type_ids })
+      scope = Task.with_state(:paused)
+                   .where(claimed_by_agent_id: nil)
+                   .where.not(agent_id: agent.id)
+                   .joins(:agent)
+                   .where(
+                     "tasks.paused_at IS NULL OR tasks.paused_at < :grace_cutoff OR agents.state IN (:orphan_states)",
+                     grace_cutoff: ApplicationConfig.agent_considered_offline_time.ago,
+                     orphan_states: %w[offline stopped]
+                   )
+                   .joins(attack: { campaign: :hash_list })
+                   .where(hash_lists: { hash_type_id: allowed_hash_type_ids })
+
+      scope = scope.where(campaigns: { project_id: agent.project_ids }) if agent.project_ids.present?
+
+      task = scope
                  .where("EXISTS (SELECT 1 FROM hash_items WHERE hash_items.hash_list_id = hash_lists.id AND hash_items.cracked = false)")
                  .order(:id)
                  .lock("FOR UPDATE OF tasks SKIP LOCKED")
@@ -191,8 +194,6 @@ def find_unassigned_paused_task
   #
   # @return [Task, nil] the found or newly created task, or nil if none available
   def find_task_from_available_attacks
-    return nil if agent.project_ids.blank?
-
     available_attacks.each do |attack|
       next if attack.uncracked_count.zero?
 
@@ -302,19 +303,24 @@ def create_new_task_if_eligible(attack)
 
   # Returns attacks available for the agent based on projects and hash types.
   #
+  # Agents with no project assignments can work on any project (same convention
+  # as attack resources like word lists, rule lists, and Task#agent_compatible?).
+  #
   # Ordering strategy:
   # 1. campaigns.priority DESC: Higher campaign priority first (high=2, normal=0, deferred=-1)
   # 2. attacks.complexity_value: Within same priority, simpler attacks first
   # 3. attacks.created_at: Tie-breaker for same priority and complexity
   #
   # @return [ActiveRecord::Relation<Attack>] attacks ordered by campaign priority, complexity, creation time
   def available_attacks
-    Attack.incomplete
-          .joins(campaign: { hash_list: :hash_type })
-          .includes(campaign: %i[hash_list project])
-          .where(campaigns: { project_id: agent.project_ids })
-          .where(hash_lists: { hash_type_id: allowed_hash_type_ids })
-          .order("campaigns.priority DESC, attacks.complexity_value, attacks.created_at")
+    scope = Attack.incomplete
+                  .joins(campaign: { hash_list: :hash_type })
+                  .includes(campaign: %i[hash_list project])
+                  .where(hash_lists: { hash_type_id: allowed_hash_type_ids })
+
+    scope = scope.where(campaigns: { project_id: agent.project_ids }) if agent.project_ids.present?
+
+    scope.order("campaigns.priority DESC, attacks.complexity_value, attacks.created_at")
   end
 
   # Returns hash type IDs the agent can work on, cached for performance.

app/views/agents/_capabilities_tab.html.erb

@@ -31,9 +31,9 @@
         <div class="card-body">
           <% benchmarks = agent.last_benchmarks %>
           <% if benchmarks&.any? %>
-            <% cache agent do %>
-              <% if agent.last_benchmark_date.present? %>
-                <div class="alert alert-info mb-3">
+            <% if agent.last_benchmark_date.present? %>
+              <div class="alert alert-info mb-3 d-flex justify-content-between align-items-center">
+                <div>
                   <small>
                     Last benchmarked: <%= time_ago_in_words(agent.last_benchmark_date) %> ago
                     (<%= agent.last_benchmark_date.to_fs(:short) %>)
@@ -42,8 +42,17 @@
                     <span class="badge bg-warning ms-2">Stale</span>
                   <% end %>
                 </div>
-              <% end %>
+                <% if safe_can?(:expire_benchmarks, agent) %>
+                  <%= button_to "Expire Benchmarks",
+                        expire_benchmarks_agent_path(agent),
+                        method: :post,
+                        class: "btn btn-outline-warning btn-sm",
+                        data: { turbo_confirm: "This will delete all benchmarks and force the agent to re-benchmark on its next check-in. Continue?" } %>
+                <% end %>
+              </div>
+            <% end %>
 
+            <% cache [agent.id, :benchmarks, agent.hashcat_benchmarks.maximum(:updated_at)] do %>
               <div class="table-responsive">
                 <table class="table table-sm table-hover">
                   <thead>

config/routes.rb

@@ -338,6 +338,9 @@
   get "system_health", to: "system_health#index", as: :system_health
 
   resources :agents do
+    member do
+      post :expire_benchmarks
+    end
     collection do
       get :cards
     end